[ASCII-art banner reading "tts"]
[ASCII-art banner reading "Hack Back!"]
HitBTC.com Hacked
BTC GO HERE: 19XaeBdtQJw9P3eVCCHz6zfEjpwrqpq5Pu
htibtc_logger@protonmail.com (for now)
https://pastebin.com/raw/GNLtXRF3
==========================================================================
--[1: Introduction]-------------------------------------------------------
Hello, all!
Just like wars, our initial tactic was to run fierce against both
hitbtc.com and forum.hitbtc.com, then do some SQL queries and lookups to find who stands behind the biggest scam exchange in the world.
--[2: Recon]--------------------------------------------------------------
You can see the output of fierce (post-hack: IPs, user emails, admins, names, DB passwords) and much more below.
They had several servers situated behind Cloudflare, which was a problem.
Cloudflare unfortunately has a pretty effective WAF that, while nowhere
near guaranteed to put an end to any fun, does almost guarantee that it'll
be a lot more difficult and require a lot of configuring of any automated
tools to avoid setting it off. We had time, though, and looking at that
list, what hostname seems immediately interesting?
Yes, that's right. It's balancer02.fra1.hitbtc.net. Probably an admin panel.
Now that we had a target, it was time to go to work.
We tried some SQL injection on the login page [1]. We didn't get anywhere,
but this wasn't very surprising. It's not 2010 any more; SQL injection is a
widely-known attack, and most tutorials now teach people how to not end up
introducing simple vulnerabilities into software.
It still happens. You just can't rely on it.
So, out of boredom, we tried some common default credentials. admin:admin,
administrator:administrator, the usual culprits. Imagine our surprise when
test:test was not valid.
There's some functionality there that throws you into what appears to be
the customer interface over at hitbtc.com using some
OAuth/single-sign-on functionality. There's also functionality for viewing
user details, looking at license details, and editing user details like
username, password, and so on.
Of course, because you are dealing with people concerned about security,
you can't just change the Id=1 to Id=2. And that'll show you another user's
details. And let you reset their password on the customer interface.
And that probably wasn't going to be enough to kill HitBTC.com.
[1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
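Added example, not code from the original paste: the "change Id=1 to Id=2" behaviour described above is a missing object-level authorization check (an insecure direct object reference). The snippet shows a user-details handler with that defect next to a hardened version that releases a record only when the caller owns it or holds the admin role, and applies the same rule to the password-reset path. The user table, session model, function names and the stand-in credential store are all constructed for illustration and have nothing to do with HitBTC's real panel.

```python
from dataclasses import dataclass

# Added example, not code from the original paste. The user table, the
# session model and the handler names are constructed for illustration.


@dataclass(frozen=True)
class User:
    id: int
    username: str
    email: str
    is_admin: bool


# Constructed sample records; none of this comes from the paste.
USERS = {
    1: User(1, "panel_admin", "admin@example.invalid", is_admin=True),
    2: User(2, "bob", "bob@example.invalid", is_admin=False),
    3: User(3, "carol", "carol@example.invalid", is_admin=False),
}

PASSWORD_HASHES = {}  # constructed stand-in for the credential store


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to act on the requested record."""


def is_authorized(session_user_id: int, requested_id: int) -> bool:
    """Object-level authorization rule: a user may act on their own record;
    only admins may act on anyone else's. Unknown sessions are refused."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return False
    return caller.is_admin or requested_id == caller.id


def view_user_vulnerable(session_user_id: int, requested_id: int) -> dict:
    """IDOR pattern: the Id comes straight from the request and is used as
    the database key; the session is never consulted, so any logged-in
    user can read any record just by changing the number."""
    user = USERS[requested_id]
    return {"id": user.id, "username": user.username, "email": user.email}


def view_user_hardened(session_user_id: int, requested_id: int) -> dict:
    """Same lookup, but the record is released only after the ownership or
    role check passes. Denials raise so the caller can log them as events."""
    if not is_authorized(session_user_id, requested_id):
        raise AuthorizationError(
            f"user {session_user_id} may not view record {requested_id}")
    user = USERS[requested_id]
    return {"id": user.id, "username": user.username, "email": user.email}


def reset_password_hardened(session_user_id: int, requested_id: int,
                            new_password_hash: str) -> bool:
    """The reset path reuses the identical check: authorization has to be
    enforced on every operation on the object, not only on reads."""
    if not is_authorized(session_user_id, requested_id):
        raise AuthorizationError(
            f"user {session_user_id} may not reset password of {requested_id}")
    PASSWORD_HASHES[requested_id] = new_password_hash
    return True
```

The point of routing both handlers through one is_authorized function is that the rule is written once and cannot drift between the read path and the write path; a denied call raising an exception rather than returning an empty result also gives the logging layer a clean event to alert on.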
--[3: Level 2]------------------------------------------------------------
Next, we decided to use nmap to scan their office ranges. We'd found these
through our earlier fierce scan, and you can see them below.
DigitalOcean
46.101.123.211 balancer02.fra1.hitbtc.net
139.59.131.238 balancer01.fra1.hitbtc.net
Finally, we decided to try the WordPress site blog.hitbtc.com. Amazingly, we were able to compromise
an administrator account using a password brute-force attack. From there, we were
able to manipulate certain module installation functionalities into,
eventually, letting us get remote code execution, and uploaded our shell.
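Added example, not code from the original paste: one way a defender can spot the kind of WordPress password brute-force described above in ordinary web server access logs. It parses Apache combined-format lines, counts failed POSTs to /wp-login.php per client IP inside a sliding time window, and additionally flags a redirect that follows such a burst, since a 302 after a run of 200s is what an accepted password looks like (WordPress re-renders the login form with status 200 on a failed attempt and redirects on success). The log lines, IP addresses (RFC 5737 documentation ranges), timestamps, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not code from the original paste. Log lines, addresses
# and timestamps below are constructed; they are not HitBTC data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2018:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.18"
203.0.113.7 - - [10/Feb/2018:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
192.0.2.9 - - [10/Feb/2018:14:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2018:14:03:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2018:14:05:10 +0000] "GET /2018/01/some-post/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2018:14:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: client ip, identity, user, [timestamp],
# "METHOD PATH PROTO", status, ...  Only the fields used are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields needed for detection, or None for a line that does
    not match the combined format (so junk lines are skipped, not fatal)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(log_text: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag client IPs that sent at least `threshold` failed POSTs to
    /wp-login.php within any `window`. Result: {ip: {"failed": peak number
    of failures seen inside one window, "success_after_burst": whether a
    redirect (accepted login) was observed after the burst}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()            # timestamps of failures inside the window
        peak = 0
        burst_seen = False
        success_after_burst = False
        for ev in evs:
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if ev["status"] == 200:          # form re-rendered: failed attempt
                recent.append(ev["ts"])
                peak = max(peak, len(recent))
                if len(recent) >= threshold:
                    burst_seen = True
            elif ev["status"] in (301, 302) and burst_seen:
                success_after_burst = True   # redirect after a burst: accepted
        if burst_seen:
            findings[ip] = {"failed": peak,
                            "success_after_burst": success_after_burst}
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample, only 203.0.113.7 is reported: six failures in six seconds followed by a redirect, which is the case worth paging someone for rather than just blocking. 192.0.2.9 (one typo, then success) and 198.51.100.4 (clean login) stay below the threshold. The window and threshold are tuning knobs; a rotating-proxy attacker will spread attempts across many IPs, so the same counting is worth repeating keyed on the targeted username once the application log provides it.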
--[4: poc]------------------------------------------------------------
Dir /var/lib/heather/forum/
database: forum_web
pwd : aekaeWi6mu1XXXXXXXXX
--[4: poc]------------------------------------------------------------
Admin User
HitBTC $P$Bhuazp2K.F7xVf9tyO1r......sha1
AuthenticationKey 944892627 HitBTC NULL b4a9010b1a363e70a63493..... md5
System W0YSGFE82BVMH2CC0T7G
--[4: poc]------------------------------------------------------------
admins
HitBTC
HitBTC_Support
Danko
lemonwoman
liinas142
davemerril
hitbtc_customer_dEep
hitbtc_customer_tc5
....
...
...
Admin User
HitBTC $P$Bhuazp2K.F7xVf9tyO1r......sha1
AuthenticationKey 944892627 HitBTC NULL b4a9010b1a363e70a63493..... md5
System W0YSGFE82BVMH2CC0T7G
--[4: poc]------------------------------------------------------------
users
patboy_14@hotmail.com
peeterpoold@gmail.com
petargeorgiev1@gmail.com
pete@whatsitworf.uk
peter.minev@gmail.com
pfialho@hotmail.com
polumnamaria@outlook.com
pr@hitbtc.com
qxlee133@gmail.com
r9272342771@yandex.ru
radikalq3@gmail.com
rajaweise@gmail.com
realloc@realloc.spb.ru
relations@hitbtc.com
robik561@yandex.ru
roderickjons@googlemail.com
rongierlach@gmail.com
s.i.lentvalley38@gmail.com
salem642110@rambler.ru
sanicasa@bluewin.ch
scidi89@gmail.com
scorpion.lv@gmail.com
shzeidi@hotmail.com
slacknation@gmail.com
sotiris@thewebpower.com
sp_sid@inbox.lv
stevecookhk2@gmail.com
stream.elite@gmail.com
system@domain.com
tastybunns1@gmail.com
test@awesome-design.ru
toanpham2105@gmail.com
tonghuashao@gmail.com
ttoroie@vodafone.ie
ttwong112@gmail.com
tungpang-2009@hotmail.com
twilight.idea@gmail.com
umerrasi@gmail.com
user_21@deleted.email
useravi@yahoo.com
v_zff@yahoo.de
vasiliy361@mail.ru
vectornectar@gmail.com
williansmarcondes@hotmail.com
xmhtse@zetmail.com
y090413@yahoo.co.uk
yaabouki.r@gmail.com
yaaboukir@gmail.com
yazerski@gmail.com
zenkite@gmail.com
zigzagrus@webseo-gu.ru
..
...
...
--[4: poc]------------------------------------------------------------
admin vpn ips
46.228.6.34
46.246.89.100
46.246.89.103
46.246.89.11
46.246.89.112
admin real ip (we reached our destination)
62.63.139.71
Domain: 62.63.139.71 - Whois IP Lookup
IP Address: 62.63.139.71
Hostname: 62.63.139.71
IP Country: Latvia
IP Country Code: LVA
IP Continent: Europe
IP Region: Riga
IP City: Riga
IP Latitude: 56.95
IP Longitude: 24.1
Organization: Telia Latvija SIA
ISP Provider: Telia Latvija SIA
--[4: finally]-----------------------------------------------------
Full database backup for sale ---- 20BTC
BTC address 19XaeBdtQJw9P3eVCCHz6zfEjpwrqpq5Pu
Note: private keys + user passwords will be removed from the database (we don't steal from people)
For the HitBTC admin: bugs for sale, 30BTC (we will delete all data from our side in this case)
--[5: EXIT]--------------------------------------------------------