htibtc_logger

HitBTC Hacked

Apr 13th, 2018
[ASCII-art banner; the top block is unreadable after extraction, the lower block reads "Hack Back!"]

HitBTC.com Hacked
BTC GO HERE: 19XaeBdtQJw9P3eVCCHz6zfEjpwrqpq5Pu
htibtc_logger@protonmail.com (for now)
https://pastebin.com/raw/GNLtXRF3

==========================================================================
--[1: Introduction]-------------------------------------------------------

Hello, all!
Just like in a war, our initial tactic was to run fierce against both
hitbtc.com and forum.hitbtc.com, then do some SQL queries and lookups to
find out who stands behind the biggest scam exchange in the world.

--[2: Recon]--------------------------------------------------------------

You can see the output of fierce (post-hack: IPs, user emails, admins,
names, DB passwords) and much more below.

They had several servers situated behind Cloudflare, which was a problem.
Cloudflare unfortunately has a pretty effective WAF that, while nowhere
near guaranteed to put an end to any fun, does almost guarantee that it'll
be a lot more difficult and require a lot of configuration of any automated
tools to avoid setting it off. We had time, though, and looking at that
list, what hostname seems immediately interesting?

Yes, that's right. It's balancer02.fra1.hitbtc.net. Probably an admin panel.

Now that we had a target, it was time to go to work.

We tried some SQL injection on the login page [1]. We didn't get anywhere,
but this wasn't very surprising. It's not 2010 any more; SQL injection is a
widely-known attack, and most tutorials now teach people how not to end up
introducing simple vulnerabilities into software.
It still happens. You just can't rely on it.

So, out of boredom, we tried some common default credentials: admin:admin,
administrator:administrator, the usual culprits. Imagine our surprise when
test:test was not valid.

There's some functionality there that throws you into what appears to be
the customer interface over at hitbtc.com using some
OAuth/single-sign-on functionality. There's also functionality for viewing
user details, looking at license details, and editing user details like
username, password, and so on.

Of course, because you are dealing with people concerned about security,
you can't just change Id=1 to Id=2. And that will show you another user's
details, and let you reset their password on the customer interface.
That probably wasn't going to be enough to kill HitBTC.com, though.

[1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

--[3: Level 2]------------------------------------------------------------

Next, we decided to use nmap to scan their office ranges. We'd found these
through our earlier fierce scan, and you can see them below.

DigitalOcean
46.101.123.211 balancer02.fra1.hitbtc.net
139.59.131.238 balancer01.fra1.hitbtc.net

Finally, we decided to try the WordPress blog at blog.hitbtc.com. Amazingly,
we were able to compromise an administrator account using a password
brute-force attack. From there, we were able to manipulate certain module
installation functionality into, eventually, letting us get remote code
execution, and uploaded our shell.
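The WordPress path described above (admin password brute force, then abuse of plugin installation to drop a shell) leaves a very recognisable trail in the web server's access log: every guess is a POST to /wp-login.php that WordPress answers with HTTP 200 (the login form re-rendered with an error), and the eventual hit is answered with a 302 redirect into wp-admin. The detector below is an added example, not part of the paste and not HitBTC's or WordPress's code: it runs over constructed combined-format log lines (documentation-range IPs 203.0.113.7 and 198.51.100.23, hostname blog.example.com, all made up), flags any source that exceeds a failure threshold inside a sliding window, and records whether a redirect from that source followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def detect_wp_login_bruteforce(lines, threshold=10, window_seconds=300):
    """Flag source IPs whose POSTs to wp-login.php draw >= threshold HTTP 200
    responses (WordPress re-renders the form with a 200 on a failed login)
    within a sliding window. A 302 from the same IP after the threshold was
    crossed is WordPress's redirect to wp-admin on success, i.e. a likely hit."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        per_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures = []   # timestamps of failed logins still inside the window
        tripped_at = None
        succeeded_after = False
        for ev in events:
            if ev["status"] == 200:
                recent_failures.append(ev["ts"])
                recent_failures = [t for t in recent_failures if ev["ts"] - t <= window]
                if tripped_at is None and len(recent_failures) >= threshold:
                    tripped_at = ev["ts"]
            elif ev["status"] == 302 and tripped_at is not None:
                succeeded_after = True
        if tripped_at is not None:
            alerts.append({
                "ip": ip,
                "attempts": sum(1 for e in events if e["status"] == 200),
                "tripped_at": tripped_at,
                "login_succeeded": succeeded_after,
            })
    return alerts


# --- constructed sample log (made up, not HitBTC data): one attacker, one normal user ---
def make_log_line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 3456 '
            f'"https://blog.example.com/wp-login.php" "Mozilla/5.0"')

BASE_TS = datetime(2018, 4, 12, 22, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [make_log_line("203.0.113.7", BASE_TS + timedelta(seconds=15 * i), "POST", LOGIN_PATH, 200)
              for i in range(12)]                                                   # 12 failures in 3 min
SAMPLE_LOG.append(make_log_line("203.0.113.7", BASE_TS + timedelta(minutes=3), "POST", LOGIN_PATH, 302))  # then a hit
SAMPLE_LOG.append(make_log_line("198.51.100.23", BASE_TS + timedelta(minutes=1), "POST", LOGIN_PATH, 200))  # one typo
SAMPLE_LOG.append(make_log_line("198.51.100.23", BASE_TS + timedelta(minutes=1, seconds=20), "POST", LOGIN_PATH, 302))
SAMPLE_LOG.append(make_log_line("198.51.100.23", BASE_TS + timedelta(minutes=2), "GET", "/wp-admin/", 200))
SAMPLE_LOG.append("this line is not an access-log record at all")

if __name__ == "__main__":
    for alert in detect_wp_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

Threshold and window need tuning per site. Two caveats: the same guessing can be routed through xmlrpc.php (wp.getUsersBlogs), which returns 200 on both success and failure, so that path needs a response-body check rather than a status check; and a slow, distributed attack that spreads guesses over many source IPs will not trip a per-IP counter, so keying on the target username (if the POST body is logged) is the complementary rule.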
  81.  
  82.  
--[4: poc]------------------------------------------------------------
Dir /var/lib/heather/forum/
database: forum_web
pwd : aekaeWi6mu1XXXXXXXXX
--[4: poc]------------------------------------------------------------
Admin User
HitBTC $P$Bhuazp2K.F7xVf9tyO1r......sha1
AuthenticationKey 944892627 HitBTC NULL b4a9010b1a363e70a63493..... md5
System W0YSGFE82BVMH2CC0T7G
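The `$P$` prefix on the admin hash above marks a phpass "portable" hash (salted, iterated MD5 with an 8-character salt), the format WordPress's wp_hash_password() produces by default, not SHA-1 as the dump labels it; the `B` that follows encodes 2^13 = 8192 rounds, which is exactly what WordPress emits. The following is an added example, not code from the paste and not WordPress's or phpass's own source: a pure-Python re-implementation of phpass that decodes the header of a hash (including a truncated one like the line above, where only the header survives), computes and verifies hashes, and is checked against the reference vector shipped in phpass's own test.php ("test12345" against `$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0`).

```python
import hashlib
import hmac
import os

# phpass's own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass encode64(): little-endian 3-byte groups, no padding; 16 bytes -> 22 chars."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_parse(stored):
    """Decode the 12-character header of a $P$ (or phpBB's $H$) hash. Works on a
    truncated hash too, as in the paste above, but then reports complete=False."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])          # ValueError if not in the alphabet
    if not 7 <= count_log2 <= 30:
        raise ValueError("round count out of range")
    return {
        "scheme": "phpass portable (salted, iterated MD5)",
        "rounds": 1 << count_log2,
        "salt": stored[4:12],
        "digest": stored[12:],
        "complete": len(stored) == 34,
    }


def phpass_crypt(password, setting):
    """crypt_private(): md5(salt + pw), then 2^n rounds of md5(prev + pw)."""
    info = phpass_parse(setting)
    h = hashlib.md5(info["salt"].encode("ascii") + password).digest()
    for _ in range(info["rounds"]):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password, count_log2=13, salt=None):
    """Produce a new hash; count_log2=13 ('B') is WordPress's default cost."""
    if salt is None:
        salt = os.urandom(6)                      # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[count_log2] + _encode64(salt, 6)
    return phpass_crypt(password, setting)


def phpass_verify(password, stored):
    """Constant-time comparison; a malformed or truncated stored hash never verifies."""
    try:
        computed = phpass_crypt(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    print(phpass_parse("$P$Bhuazp2K.F7xVf9tyO1r"))                              # header of the truncated hash above
    print(phpass_verify(b"test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))    # phpass reference vector
```

Knowing the scheme matters for how bad the leak is: 8192 rounds of MD5 is cheap on a GPU compared with bcrypt or Argon2, so weak admin passwords behind `$P$B` hashes fall quickly offline. The salt is in the hash, so nothing else from the dump is needed to start cracking.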
--[4: poc]------------------------------------------------------------
admins

HitBTC
HitBTC_Support
Danko
lemonwoman
liinas142
davemerril
hitbtc_customer_dEep
hitbtc_customer_tc5
....
...
...

--[4: poc]------------------------------------------------------------
users

patboy_14@hotmail.com
peeterpoold@gmail.com
petargeorgiev1@gmail.com
pete@whatsitworf.uk
peter.minev@gmail.com
pfialho@hotmail.com
polumnamaria@outlook.com
pr@hitbtc.com
qxlee133@gmail.com
r9272342771@yandex.ru
radikalq3@gmail.com
rajaweise@gmail.com
realloc@realloc.spb.ru
relations@hitbtc.com
robik561@yandex.ru
roderickjons@googlemail.com
rongierlach@gmail.com
s.i.lentvalley38@gmail.com
salem642110@rambler.ru
sanicasa@bluewin.ch
scidi89@gmail.com
scorpion.lv@gmail.com
shzeidi@hotmail.com
slacknation@gmail.com
sotiris@thewebpower.com
sp_sid@inbox.lv
stevecookhk2@gmail.com
stream.elite@gmail.com
system@domain.com
tastybunns1@gmail.com
test@awesome-design.ru
toanpham2105@gmail.com
tonghuashao@gmail.com
ttoroie@vodafone.ie
ttwong112@gmail.com
tungpang-2009@hotmail.com
twilight.idea@gmail.com
umerrasi@gmail.com
user_21@deleted.email
useravi@yahoo.com
v_zff@yahoo.de
vasiliy361@mail.ru
vectornectar@gmail.com
williansmarcondes@hotmail.com
xmhtse@zetmail.com
y090413@yahoo.co.uk
yaabouki.r@gmail.com
yaaboukir@gmail.com
yazerski@gmail.com
zenkite@gmail.com
zigzagrus@webseo-gu.ru
..
...
...
--[4: poc]------------------------------------------------------------
admin VPN IPs
46.228.6.34
46.246.89.100
46.246.89.103
46.246.89.11
46.246.89.112

admin real IP (we reached our destination)
62.63.139.71

Domain: 62.63.139.71 - Whois IP Lookup
IP Address: 62.63.139.71
Hostname: 62.63.139.71
IP Country: Latvia
IP Country Code: LVA
IP Continent: Europe
IP Region: Riga
IP City: Riga
IP Latitude: 56.95
IP Longitude: 24.1
Organization: Telia Latvija SIA
ISP Provider: Telia Latvija SIA

--[4: finally]-----------------------------------------------------
Full database backup for sale ---- 20 BTC
BTC address 19XaeBdtQJw9P3eVCCHz6zfEjpwrqpq5Pu

Note: private keys and user passwords will be removed from the database (we don't steal from people).
For HitBTC admins: the bugs are for sale at 30 BTC (we will delete all data on our side in this case).
--[5: EXIT]--------------------------------------------------------