Topic: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started (Read 6542 times)

If ports will be closed how the customers will make the comunication between the App and the server?

All this security test, has no sense. Because you are not using the real configuration on the server that you will use to comunicate the app with the server.

And now you will start another challenge, again to search a "No-ping" IP... please let me LOL hard. You realy know what are you playing?

Have fun with this, at last this will not proof if your app its secure or not, this only will proof the comunication between the app and server its null with the current configuration.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.

The funny thing, is you believe you have a secure server because it's behind a firewall.

In some point, you will need to change that firewall configuration, because if the people cant ping the server there will be null comunication. In that moment you will need to expose some ports for comunication, but expose a port is not always a vuln.

I wish you the best with this project, and i will wait that Nuovocards to prove you it can be hacked.

lol need to learn how to hack, seems to be a high paying hobby.

How their system is designed makes it difficult to attack but for sure its not impossible.

The first bounty:
Has shown how difficulty it is to find the application server. I have an experiment running in form of a tor entry node where I get an email once someone would use my tor entry node to connect to the global tor network and who would got an ip starting 5 (could even be 54 accordingly to the list) and would ending up with 13.

So far this did not happened but this also can be because of the huge amount of servers and per default a new circuit is just created every 10 minutes which leads to ~ 6 connections/hour or 144/day. For sure if they have made a special setup things can be different here.

This shows how difficulty it is to find the application server also knowing some parts of the ip. In case of not knowing this information it becomes really worse. You then would need some thousand tor nodes (entry, middle, exit) and probably a couple of weeks/months to find them.

The 2nd bounty:
Here you need for example some kind of exploit either an already existing one or you would inject one by a successfully malicious pull request to bitcoin/armoryd or you need to directly work for amazon or the state with the right access levels for sure. But these are just theoretical principles.
In general I can congratulate you.
A successfull hack in the future would probably be based on human errors like someone would hack you personally or some other guys of your company and then install some kind of trojan. Thats probably much more easier than to get directly into the server. Therefore you should have the same cold/hot wallet policy that also exchanges have got.

She has made an iron door for her bamboo cottage and asking everyone not to brute force the bamboo wall, but to break in the iron door. Once people fail to do that, she'll boast it everywhere that how secured her system is. I feel pity for her customers, as they're gonna lose everything so fast !!!

To be honest I didn't completely read what your company is about. But if I understand it correctly you can pay at a store with a card through some mobile application. There must be communication in some way there? How can it not write something to any server? How will it save transactions then?

So basically I agree with 'hardcode' that I would like to know more about the API or whatever. And I cannot imagine it's a "read only" API, but even if it is, shouldn't we focus on trying to hack that (too)?

Trying to hack the server is great, but IMO a lot of times the vulnerabilities are in the actual API or site interaction.

something its wired, if that ports are open, why i dont see it when i scan the 2000 ip's list?

If i use a "while" in that code i can send you more than 1000 msg in les than 5 min.

I give up with the IP, if i cant recognize the server from the port, i dont know what im seaching.

By the way, congrat, you hide very well that IP.

Why do you only offer a email which interacts with the API? If your mobile app is released and is communicating with your appserver, getting the IP is easy..
If your server IP is only interacting with the API and the bitcoin network, its not like people will find your server, without guessing.

Also, why would you use email? If its not going to be used anyway in the future...

So confusing, just like the thread and the site content.

Is it allowed to spam the email: [email protected] ?

Regards

Nico