Topic: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started - page 6. (Read 6573 times)

They are testnet transactions, so you need to use a testnet block explorer

http://blockexplorer.com/testnet/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa

Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?

That's what he is asking you to do...I'm going to give this a shot!

Hi Neha, HappY Independence Day

You have chosen a great day to kickstart the hackathon. As I understand, u dont want us to find where Nuovocard.com is running, i.e. the web server. U want us to find out the server IP from where the mail is originating. Am I wrong ?

Nope. Thats Google I think.

Update : Yeah that is google. http://64.233.166.121.ipaddress.com/.

Please check who does the IP belong to before you post. Our server currently is not on Google.

IP is: 64.233.166.121

Location:
City:   Mountain View
Country:   United States
State: California

Am I right?

Hey, remember the challenge is not to hack the webserver. If you are able to hack the app server...make sure you leave a text file in the home folder with you email address.

Awesome, make sure you review the instructions of sending the email and communicating with the server. The only way you can reach the server is to send an email to [email protected] with subject as 'transfer' and you will get a Testnet Transaction ID back.

Also, currently we have the server set to check mail every 30 seconds as we dont expect too much traffic. So please wait for 30 seconds to get a reply.

Challenge accepted, been looking for a place to hone my skills

Nope. You are trying to find the IP of the Webserver where as the contest is about the App Server. They are on completely different networks and they dont communicate with each other.

Is it 104.28.3.120 ??

We hope someone hacks the server and tells us exactly. We have even made it easy for people as if no one is able to find the IP address of the server, we will give it away. Theoretically, if no one finds the IP, they cant hack but in the worst case scenario that someone finds the IP and tries to hack, we are simulating that event by giving away the IP. And ofcourse we are confident and ofcourse we had pen test done and ofcourse to your other comment.

Moreover who says that hackers are not security consultants specially when we can have multiple for only $3000???

Also, shouldn't we do everything possible to ensure that customer funds are always safe with us??? Do you really want another example of a Bitcoin Service getting Hacked?

Hello Guys. Just to inform everyone that the contest is now Live. We wish all the testers good luck.

The Contest is on our website also. Be rest assured that we are not hacked yet on this forum and also an official press release is going out today.


Regarding escrow, Escrow would make sense if we want to hide our identity or if we are an individual. We are a part of a big group. Moreover, the first part of the challenge is $200. Do you want me to put $200 in escrow? Moreover, we will not destroy our reputation for only $3000 when we have alot more invested in this venture.

Are you willing to escrow the prize?



He already have control of the website. http://www.nuovocard.com/hacking-challenge/

Yeah...will reply on 15th when the contest starts.

[email protected]

Doesn't reply.  tried on normal email app, and telnet .. nothing

The challenge is announced 3 days before just to answer all the queries so that people can get to work on the day it starts.


First, this is completely legal and there is no threat to anyone hacking as Amazon will not go after them, its the company who has rented the server goes after people who hack. In this case, we are the company.

Secondly, I made it very clear on how to communicate with the server


This is the only way to communicate and try to find the IP which is the first step. After this, its upto you. Doing a DOS attack does not make sense as you need to get into the server and its not like we are trying to prevent you that you need to block our access. Also, all ports are closed other than the ports that the app opens and closes automatically. Just to help everyone out, that port range is 32768-61000.

If you wish to try without using our server, I would advise you to setup your own server and I will provide a simple Jar that can talk to gmail. You can do this in your own house and then send us instructions on how to hack and if it works, you win.

Also, there are a couple of firewalls in place before the server, we will test your method with the firewalls and without your firewalls and award you full amount if you break with the firewalls. If your instruction leads to a hack without the firewalls, we will award you $1000. If you anyone wants to try it this way, let me know and I will reveal the server configuration after the part 1 is over.

Questions?

173.194.68.26

This is not the IP.


Yes. The Application Server will have:-

1. Bitcoind
2. Armoryd
3. Java App
4. Tor Client

Database Server - Mysql 5.6