
Topic: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started (Read 6542 times)

full member
Activity: 168
Merit: 100
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if the people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.

If ports will be closed, how will the customers make the communication between the App and the server?

All this security test makes no sense, because you are not using the real configuration on the server that you will use to communicate the app with the server.

And now you will start another challenge, again to search for a "No-ping" IP... please let me LOL hard. Do you really know what you are playing?

Have fun with this, at last this will not prove if your app is secure or not, this will only prove the communication between the app and server is null with the current configuration.
This time I will post a challenge when the whole platform is up and running. I hope you find something this time around. Like I have said before, it's not that the ports are permanently closed; the ports are only opened as per the app's requirement. Lastly, the real configuration of the server was used. We are not here to waste time and effort of people.
legendary
Activity: 3192
Merit: 2979
Top Crypto Casino
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if the people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.

If ports will be closed, how will the customers make the communication between the App and the server?

All this security test makes no sense, because you are not using the real configuration on the server that you will use to communicate the app with the server.

And now you will start another challenge, again to search for a "No-ping" IP... please let me LOL hard. Do you really know what you are playing?

Have fun with this, at last this will not prove if your app is secure or not, this will only prove the communication between the app and server is null with the current configuration.
full member
Activity: 168
Merit: 100
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if the people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.
legendary
Activity: 3192
Merit: 2979
Top Crypto Casino
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if the people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for Nuovocards to prove to you it can be hacked.
full member
Activity: 168
Merit: 100
Hey Guys, The contest is finally over and we are happy to announce that there were no winners.

We will be starting a bounty program soon to test our complete platform. We are adding a couple of new features in our platform which no one in the crypto world is currently providing and hope to launch a test platform soon.

For all the people who took part in our contest, please pm us your email address and if and when you sign up for Nuovocard, as a thank you we will give you a credit of $100 which can be utilized against any transaction and withdrawal fee on our platform.
legendary
Activity: 1064
Merit: 1000
lol need to learn how to hack, seems to be a high paying hobby.

haha I agree
hero member
Activity: 742
Merit: 500
lol need to learn how to hack, seems to be a high paying hobby.
full member
Activity: 168
Merit: 100
Hey Guys, last couple of days left. I was wondering if anyone is still working on this. Please let me know. Thanks.
full member
Activity: 168
Merit: 100
How their system is designed makes it difficult to attack, but for sure it's not impossible.

The first bounty:
Has shown how difficult it is to find the application server. I have an experiment running in the form of a Tor entry node where I get an email once someone uses my Tor entry node to connect to the global Tor network and has an IP starting with 5 (could even be 54 according to the list) and ending with 13.

So far this has not happened, but this can also be because of the huge number of servers, and by default a new circuit is only created every 10 minutes, which leads to ~6 connections/hour or 144/day. For sure, if they have made a special setup, things can be different here.

This shows how difficult it is to find the application server even knowing some parts of the IP. In case of not knowing this information it becomes much worse. You would then need some thousand Tor nodes (entry, middle, exit) and probably a couple of weeks/months to find them.

The 2nd bounty:
Here you need, for example, some kind of exploit, either an already existing one or one you would inject by a successful malicious pull request to bitcoin/armoryd, or you need to work directly for Amazon or the state with the right access levels, for sure. But these are just theoretical principles.
In general I can congratulate you.
A successful hack in the future would probably be based on human errors, like someone hacking you personally or some other guys at your company and then installing some kind of trojan. That's probably much easier than getting directly into the server. Therefore you should have the same cold/hot wallet policy that exchanges also have.

Thanks Gitju for your remarks. We have already designed the service around Armory Cold Wallet, and all the deposits will come to an Armory address (cold) and we will transfer it to the hot wallet as per demand.
full member
Activity: 168
Merit: 100
ANY TAKERS FOR THE IP???

No. Chance to find a vulnerability is too low to waste time on that.

She has made an iron door for her bamboo cottage and is asking everyone not to brute force the bamboo wall, but to break in the iron door. Once people fail to do that, she'll boast everywhere about how secure her system is. I feel pity for her customers, as they're gonna lose everything so fast !!!

You talk too much. If you have any sort of skills, prove it. Help me not boast it. Otherwise....let it be.
sr. member
Activity: 313
Merit: 250
i ♥ coinichiwa
ANY TAKERS FOR THE IP???

No. Chance to find a vulnerability is too low to waste time on that.
full member
Activity: 168
Merit: 100
To be honest I didn't completely read what your company is about. But if I understand it correctly you can pay at a store with a card through some mobile application. There must be communication in some way there? How can it not write something to any server? How will it save transactions then?

So basically I agree with 'hardcode' that I would like to know more about the API or whatever. And I cannot imagine it's a "read only" API, but even if it is, shouldn't we focus on trying to hack that (too)?

Trying to hack the server is great, but IMO a lot of times the vulnerabilities are in the actual API or site interaction.

You will get that opportunity in the very near future also. But like I said, the app server goes and fetches data from the database which the api server has entered. Then it processes the transaction, and puts it in a different database which the api server queries to get the transaction approval or denial. No interaction between the API Server and the APP Server at all. There is an RDS SERVER in the MIDDLE. YOU REALLY CAN'T GET TO THE ACTUAL DATABASE OR CHANGE A TRANSACTION. ALSO, every time you swipe, the OTP with the Amount goes to your EMAIL, so a MITM attack is also difficult if not impossible.

ANY TAKERS FOR THE IP???
legendary
Activity: 1876
Merit: 1289
DiceSites.com owner
To be honest I didn't completely read what your company is about. But if I understand it correctly you can pay at a store with a card through some mobile application. There must be communication in some way there? How can it not write something to any server? How will it save transactions then?

So basically I agree with 'hardcode' that I would like to know more about the API or whatever. And I cannot imagine it's a "read only" API, but even if it is, shouldn't we focus on trying to hack that (too)?

Trying to hack the server is great, but IMO a lot of times the vulnerabilities are in the actual API or site interaction.
full member
Activity: 168
Merit: 100
PHASE 2 STARTS. TO GET THE IP, PM ME.

ONE REQUEST : DO NOT RUN MORE THAN A COUPLE OF THREADS/CONNECTIONS TO THE SERVER AND TO CHECK WHETHER THE SERVER IS UP OR NOT, SEND AN EMAIL.
full member
Activity: 168
Merit: 100
Something is weird: if those ports are open, why don't I see them when I scan the 2000 IPs list?

If I use a "while" in that code I can send you more than 1000 msg in less than 5 min.

I give up on the IP; if I can't recognize the server from the port, I don't know what I'm searching for.

By the way, congrats, you hide that IP very well.

Yeah the initial pentesting for the site revealed that but we have not strengthened the security of the webserver yet. Will do it once we get down to the Mobile API's. Thanks for pointing it out though.

Why do you only offer an email which interacts with the API? If your mobile app is released and is communicating with your appserver, getting the IP is easy..
If your server IP is only interacting with the API and the bitcoin network, it's not like people will find your server without guessing.

Also, why would you use email, if it's not going to be used anyway in the future...

So confusing, just like the thread and the site content.

hardcode - no-one can access the app server unless it is through email or unless the app server goes and looks for the data itself. I really don't want to give more info about the architecture, but to sum it up, the webserver, i.e. the api server, will never be able to manipulate data in the actual database because it won't have any write/update or any sort of permission to change data.
newbie
Activity: 12
Merit: 0
Why do you only offer an email which interacts with the API? If your mobile app is released and is communicating with your appserver, getting the IP is easy..
If your server IP is only interacting with the API and the bitcoin network, it's not like people will find your server without guessing.

Also, why would you use email, if it's not going to be used anyway in the future...

So confusing, just like the thread and the site content.
legendary
Activity: 3192
Merit: 2979
Top Crypto Casino
Something is weird: if those ports are open, why don't I see them when I scan the 2000 IPs list?

Anyway, I found on your page that the contact page doesn't have a Captcha.
http://www.nuovocard.com/contact-page/

It's important to implement a captcha there, because with the following iMacros code I can send you an automated contact message:

Code:
TAB T=1
URL GOTO=http://www.nuovocard.com/contact-page/
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:text&&ARIA-INVALID:false&&ARIA-REQUIRED:true&&CLASS:wpcf7-form-controlwpcf7-textwpcf7-validates-as-required&&SIZE:40&&VALUE:&&NAME:your-name CONTENT=anon
TAG POS=1 TYPE=INPUT:EMAIL FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:email&&ARIA-INVALID:false&&ARIA-REQUIRED:true&&CLASS:wpcf7-form-controlwpcf7-textwpcf7-emailwpcf7-validates-as-requiredwpcf7-validates-as-email&&SIZE:40&&VALUE:&&NAME:your-email [email protected]
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:text&&ARIA-INVALID:false&&CLASS:wpcf7-form-controlwpcf7-text&&SIZE:40&&VALUE:&&NAME:your-subject CONTENT=test
TAG POS=1 TYPE=TEXTAREA FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=ARIA-INVALID:false&&CLASS:wpcf7-form-controlwpcf7-textarea&&ROWS:10&&COLS:40&&NAME:your-message CONTENT=test
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:submit&&CLASS:wpcf7-form-controlwpcf7-submit&&VALUE:Send

If I use a "while" in that code I can send you more than 1000 msg in less than 5 min.

I give up on the IP; if I can't recognize the server from the port, I don't know what I'm searching for.

By the way, congrats, you hide that IP very well.
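
Added example (not part of the original post, and not Nuovocard's code): a server-side throttle for the contact form discussed above, replaying the "1000 msg in less than 5 min" burst against it. The class name, the quota of 3 submissions per 10 minutes and the client address are assumptions made for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` form submissions per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)  # client key -> times of accepted posts

    def allow(self, client, now):
        stamps = self._accepted[client]
        # Forget accepted submissions that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False  # over quota: reject before any mail is generated
        stamps.append(now)
        return True


def replay_burst(limiter, client, count, duration):
    """Replay `count` evenly spaced submissions over `duration` seconds.

    Returns how many of them the limiter lets through.
    """
    step = duration / count
    return sum(limiter.allow(client, i * step) for i in range(count))


def demo():
    # Constructed scenario: 1000 messages in 300 s from a single client.
    # 203.0.113.7 is a documentation address, not a real host.
    limiter = SlidingWindowLimiter(limit=3, window=600)
    accepted = replay_burst(limiter, "203.0.113.7", count=1000, duration=300)
    # A different client is unaffected by the first client's burst.
    other_ok = limiter.allow("198.51.100.9", 300.0)
    return accepted, other_ok


if __name__ == "__main__":
    print(demo())
```

A per-client quota like this bounds the volume of mail the form can generate; it complements the CAPTCHA the post asks for rather than replacing it.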
full member
Activity: 168
Merit: 100
Is it allowed to spam the email: [email protected] ?

Regards

Nico

Yes of course. I am giving you permission to hack this email address, of course you can spam it as much as you like.

Latest netstat:-

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:58623         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:58600         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58605         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58623         ESTABLISHED
tcp        0      0 localhost:58600         localhost:9050          ESTABLISHED
tcp        0      0 localhost:58605         localhost:9050          ESTABLISHED
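
Added example (not part of the original post): a small audit of the netstat listing above that separates loopback connections to the Tor SOCKS port (9050) from anything involving a non-loopback peer. The function names and the final constructed row are assumptions for illustration. Note that the "(w/o servers)" header means listening sockets are not shown, so this listing alone says nothing about which ports are open.

```python
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

# The six rows are the ones posted above; the last row is constructed
# (documentation addresses) to show what a non-loopback peer looks like.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:58623         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:58600         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58605         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58623         ESTABLISHED
tcp        0      0 localhost:58600         localhost:9050          ESTABLISHED
tcp        0      0 localhost:58605         localhost:9050          ESTABLISHED
tcp        0      0 192.0.2.10:ssh          198.51.100.20:51514     ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 hosts such as '::1' survive."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host):
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a resolved remote name: treat as non-loopback


def audit_netstat(text, socks_port="9050"):
    """Return (loopback_socks, other_loopback, external) lists of established TCP rows."""
    socks, local, external = [], [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue  # skips the two header lines and non-established states
        (lhost, lport), (rhost, rport) = split_endpoint(f[3]), split_endpoint(f[4])
        if not (is_loopback(lhost) and is_loopback(rhost)):
            external.append((f[3], f[4]))
        elif socks_port in (lport, rport):
            socks.append((f[3], f[4]))
        else:
            local.append((f[3], f[4]))
    return socks, local, external
```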
full member
Activity: 130
Merit: 100
Can you give us the last netstat please =?

Regards

Nico
member
Activity: 118
Merit: 100
Really nice contest someone paying to hack their application server.