One of the world’s largest cryptocurrency sites was hacked by the Strynx team, who found a flaw exposing multiple vulnerabilities that could have led to the loss of millions of dollars. One of the team members shares his point of view on how we discovered such a critical issue involving the data of millions of users.
Here’s how we discovered it:
The testing began in two phases: Manual and Automated Recon.
The main purpose was the discovery of an HTTP API that could be accessed and exploited via a few commands. Manual recon is always preferred because it keeps you independent of different scripts and tools. Automated tools make things simple but consume a lot of time and throw out a lot of false positives, whereas manual recon eliminates false positives and discovers issues much faster.
To begin, the website was behind Cloudflare. There are various methods of retrieving the actual origin server IP, but Censys is generally preferred: fast and accurate results make the recon process much quicker. There are various tools used for automated recon and Censys is one of the best to use; we’ll deep dive into some of these tools in the next blog. After obtaining the IP, port scanning was performed. Nmap was used to discover all open ports and services which could potentially be used to take over the server or cause harm to the company. No special ports were found except for port 443, used for the website. The website was blockchain-based, and it is always assumed that sites dealing with blockchain are secure and no harm can be done. But this was not the case here. Below we show how this server was exploited using various methodologies, including exploiting and chaining several issues.
On exploring the website, it was seen that each request in the site was accompanied by a CSRF token. For those who don’t know what a CSRF token is: it is a unique secret with an unpredictable value, generated server-side, so that it cannot be guessed by anyone writing scripts that send requests on behalf of the target user. It is similar to a captcha which changes for every request. It was observed that there was an endpoint which was called to generate the CSRF token. Thus, to automate the process of manually inserting a new CSRF token into each request, a Python script was developed. If you want to know how it was done, refer to this link: https://stackoverflow.com/questions/13567507/passing-csrftoken-with-python-requests. And then it was time to deep dive.
Here is a short code snippet we used:
from cmd import Cmd
import requests
from bs4 import BeautifulSoup

class Terminal(Cmd):
    prompt = '>'

    def __init__(self):
        # Fetch the login page once to obtain the initial CSRF token
        url = "url"
        header = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
        response = requests.get(url, headers=header, cookies=cookies)
        soup = BeautifulSoup(response.text, 'html.parser')
        self.token = soup.find('input', {'name': 'token'})['value']
        Cmd.__init__(self)

    def default(self, args):
        # Every line typed at the prompt is appended to the payload sent in the db parameter
        cmd = args
        injection = "example" + cmd
        print(injection)
        url = "example.coin"
        header = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
        data = {
            "username": "b",
            "password": "a",
            "db": injection,
            "token": self.token,
            "login": ""
        }
        response = requests.post(url, headers=header, cookies=cookies, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')
        print(response.text)
        # Re-read the CSRF token from the returned page so the next request is accepted
        if "PDOException" not in response.text:
            self.token = soup.find('input', {'name': 'token'})['value']

terminal = Terminal()
terminal.cmdloop()
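The script above has to re-read the token after every request because the server rotates it. As an added example (not the target site’s code, and not from the original post), here is the server-side half of that scheme: a per-session, single-use token generated from the OS CSPRNG and compared in constant time, with a hypothetical handle_login handler standing in for the real login endpoint.

```python
import hmac
import secrets

class CsrfStore:
    """Server-side record of the one valid CSRF token per session."""

    def __init__(self):
        self._tokens = {}   # session id -> currently valid token

    def issue(self, session_id):
        # 256 bits from the OS CSPRNG: unpredictable, so a script acting on behalf
        # of a victim cannot guess it; any previous token for the session is discarded
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, presented):
        # Accept the token once, then forget it, so a replay or a stale copy fails
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        ok = hmac.compare_digest(expected, presented)   # constant-time comparison
        if ok:
            del self._tokens[session_id]
        return ok

def handle_login(store, session_id, form):
    """Model of the login POST (hypothetical handler): reject unless the form carries
    the session's current token. Returns (status, message, next_token); the next
    token is what a real page would embed in the hidden 'token' input of the
    response, which is why the client script has to re-read it after every request."""
    if not store.validate(session_id, form.get("token")):
        return 403, "invalid CSRF token", store.issue(session_id)
    # real authentication would happen here; it is out of scope for this example
    return 200, "ok", store.issue(session_id)
```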
The next thing was to look for hidden directories and paths on the webserver, using tools like dirbuster and gobuster. Along with this, a wordlist was used to enumerate. As rockyou4.txt and directory-list-2.3-*.txt are very well known, a wordlist was prepared with less common terms: the usual wordlists are known to developers and pen-testers, hence another one was made. The main focus was to search for JS files with the help of jQuery. Different methods were also used to enumerate hidden files, but we’ll leave that for later. After this, Burp was used to analyse all the requests. Various POST requests were observed to look out for any issues, and various parameters were tampered with to check the functionality of the site and how the database connection is used. Turns out there was a lack of error protection in the site, which leaked data when certain parameters were tampered with.
Protip: Always tamper with data to look for loopholes. Suppose the value of a parameter is 0; make it 1 and see what happens. Always contradict the expected values of parameters to look for loopholes.
On analysing the server (looking into JS files and the error messages), multiple occurrences of hidden parameters were found, along with some sensitive information about the internal functions used by the website. These functions helped the site give a better user experience but turned out to be its worst nightmare. Various types of injection did work, but we will focus on one of these in much more depth. On observing the communications, it was noted that the application did accept some SQL special elements. Thus, it was time to search for SQL injections. On testing one of the hidden parameters, it was observed that there was an error-based SQLi. The working of the parameter wasn’t understood, as it wasn’t making any observable changes on the page, although the parameter still made calls to the database. Hence it was maybe some functionality which was used for testing, but the code wasn’t removed before sending the site to production.
Here are some of the PDO exceptions we found. If you don’t know what PDO exceptions are, stay tuned for upcoming blogs. We will write about this so that if you find exceptions of this kind, you will learn how to exploit them.
An example of a hidden parameter would be as follows:
Suppose in JS files, something like document.getElementById(‘id’) is mentioned. If the JS file is included in some HTML page, the parameter can be called from the URL as example.com/index.php?Id=somevalue. Thus, in this and other ways, hidden parameters can be found.
The parameter was also tampered with to search for code injection, using values such as ‘;id’ or ‘;pwd’ to see if they delivered any output or threw some error which could be useful to us in understanding the application. But this didn’t work, so the next step was to exploit the SQLi found before.
There are various methods to find or exploit SQLi; for that, you can refer to any of the cheat sheets available online, as there is too much content to cover here. If another blog is needed for this, please write in the comments so that we can blog about it later. Various data was extracted from the database, and the juiciest credentials were the database login credentials. As you may know, credentials are usually hashed by default, hence the next job was trying to crack these hashes. The hashes were cracked easily, as one common password from public wordlists was in use. It was like, ummm… such a critical site, such little protection.
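The two defects behind the SQLi above (a request parameter spliced into the query, and the raw PDOException text returned to the client) are easiest to see side by side. As an added example, not the target site’s code, here is the same lookup written the vulnerable way and the hardened way in Python, with an in-memory SQLite table standing in for the PHP PDO/MySQL backend (an assumption about the site’s stack) and constructed sample rows.

```python
import logging
import sqlite3

def make_db():
    # Constructed sample data; an in-memory SQLite database stands in for the
    # site's PDO/MySQL backend (assumption) so the example runs offline
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn, role):
    """The anti-pattern: the request parameter is concatenated into the SQL text,
    and the driver's exception text is sent back to the client, which is exactly the
    PDOException leak the write-up used to fingerprint the database."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE role = '" + role + "'").fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as e:
        return 500, "Exception: " + str(e)   # leaks syntax, table and engine details

def lookup_hardened(conn, role):
    """Bind the value as a query parameter and keep error detail server-side.
    A quote or an OR clause in the value is just data, never SQL syntax."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE role = ?", (role,)).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error:
        logging.exception("database error")   # full detail goes to the server log only
        return 500, "internal error"
```

A monitoring rule that alerts on responses containing strings like "PDOException" or "SQLSTATE" catches the first defect even before the code is fixed.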
Ok, we got SQL access. What next?
It’s time for RCE.
As you may know, after getting remote SQL access to the database, it is possible to upload a PHP shell if the database has the permissions to write files into the web directory. To our surprise, it did. It was possible to write a shell into the /var/www/html directory, which created a PHP shell in the root directory of the website. But this wasn’t as easy as it sounds.
Hurdles never stop ☹
Turns out there was a filter on the parameter looking for tags (XSS prevention :P). This was bypassed using double encoding, which allowed malicious PHP files to be uploaded to the system. For those who don’t know how to get a shell from SQLi, please try out sqlmap to learn more about this. sqlmap has a function which allows us to get a PHP shell on the webserver: it checks whether it has permission to upload to the web directories and creates a PHP file which, when opened, offers options to upload our web shells to the server. From the web shell, we were able to get a reverse shell on the system, and hence RCE!
After this, the report was submitted with screenshots and a proper PoC via secure channels. Within one hour a reply was received acknowledging the report and asking for personal details to receive a bounty. To my surprise, a 5-digit bounty was awarded by the company for this effort. We appreciate the company’s response and fix time, as it was fixed in just 2 hours. Everything from the error codes to the database names was fixed in no time. Kudos to the company!
Please leave any comments or suggestions for this blog and any further blogs which you would like to read. We provide services to companies who would like their products to be tested. If you’re a company that wants us to perform complete testing of your site, please use the Contact Us page to drop a message, or write to info(at)strynx.org. We will try to reply at the earliest.

The write-up is much, much better than others I have attended. Admin shows only those vulnerabilities that are truly exploitable and no rubbish 🙂 It’s superb! Heads up 🙌🙌🙌🙌
Pretty great post. I simply stumbled upon your blog and wanted to say that I’ve really enjoyed surfing around your blog posts. After all, I will be subscribing to your RSS feed and I’m hoping you write once more soon!
Hi! I really like your writing so much! What proportion do we communicate extra about your article on AOL? I require an expert in this space to unravel my problem. Maybe that’s you! Looking forward to seeing you.
Wow, this article is nice, my younger sister is analyzing such things, thus I am going to let her know.
But Digital Marketing does not live on the internet alone.
The mask is the first part when you clean the machine. http://www.qhnbld.com/UserProfile/tabid/57/userId/12666936/Default.aspx
Hi there, it’s a fastidious piece of writing regarding media print; we all understand media is a wonderful source of information.
It would be great if you elaborate/explain the steps you took to exploit SQLi and RCE. After all, exploitation steps are the main part of hacking.
If someone wants to be updated with the hottest technologies, after that he must pay a visit to this web page and be up to date every day.
Great goods from you, man. I have understood your stuff previous to and you are just too great. I really like what you’ve acquired here, certainly like what you are stating and the way in which you say it. You make it enjoyable and you still care for to keep it sensible. I can’t wait to read far more from you. This is actually a great website.
Bounty is $31337, that’s great, keep it going dude
What’s up to all, it’s genuinely pleasant for me to go to see this website; it includes priceless information.
Hey there! I just wanted to ask if you ever have any problems with hackers? My last blog (WordPress) was hacked and I ended up losing a few months of hard work due to no backup. Do you have any solutions to stop hackers?
It’s truly very difficult in this full-of-activity life to listen to news on television, thus I simply use the web for that reason, and get the latest news.
Someone necessarily lends a hand to make critical articles, I might state. That is the first time I frequented your web page, and up to now? I am amazed with the analysis you made to create this actual post amazing. Wonderful process!
Right away I am going to do my breakfast; after having my breakfast I’m coming over again to read further news.
Have you ever considered creating an ebook or guest authoring on other websites? I have a blog based on the same topics you discuss and would really like to have you share some stories/information. I know my viewers would appreciate your work. If you’re even remotely interested, feel free to shoot me an e-mail.
I think what you composed was very reasonable. However, think about this: what if you wrote a catchier post title? I am not saying your information is not solid, however suppose you added a post title that makes people desire more? I mean, “How we hacked one of the world’s largest Cryptocurrency Website – Strynx” is a little plain. You could look at Yahoo’s front page and watch how they create post titles to grab people interested. You might add a video or a related picture or two to grab people excited about what you’ve written. In my opinion, it could make your website a little livelier.
I am genuinely grateful to the owner of this web page who has shared this enormous paragraph at this place.
Nice post. I learn something new and challenging on websites I stumble upon every day. It will always be useful to read articles from other writers and practice something from other websites.
At this time it seems like Drupal is the preferred blogging platform out there right now (from what I’ve read). Is that what you are using on your blog?
It’s really very difficult in this full-of-activity life to listen to news on television, therefore I only use the web for that purpose, and get the most up-to-date news.
Hey, would you mind letting me know which webhost you’re using? I’ve loaded your blog in 3 completely different internet browsers and I must say this blog loads a lot faster than most. Can you suggest a good web hosting provider at a fair price? Thanks, I appreciate it!
What a material of un-ambiguity and preserveness of precious knowledge concerning unpredicted feelings.
Great issues altogether, you simply won a new reader. What might you suggest in regards to your post that you simply made some days ago? Any sure?
Aw, this was an extremely nice post. Spending some time and actual effort to generate a superb article… but what can I say… I hesitate a whole lot and never manage to get anything done.
Pretty! This has been a really wonderful post. Thank you for providing these details.
It is an appropriate time to make some plans for the longer term, and it’s time to be happy. I have read this post and, if I could, I’d like to suggest a few attention-grabbing things or suggestions. Perhaps you could write subsequent articles referring to this article. I wish to learn even more things about it!
It’s actually a great and useful piece of information. I’m glad that you simply shared this useful information with us. Please keep us up to date like this. Thanks for sharing.
It’s very easy to find out any matter on the web as compared to books, as I found this piece of writing at this site.
You’re so cool! I don’t suppose I have read through something like this before. So great to discover someone with some original thoughts on this subject. Seriously.. thanks for starting this up. This website is something that’s needed on the internet, someone with a little originality!
Hi, it’s a good article concerning media print; we all are aware of media being an enormous source of facts.
Every weekend I used to pay a visit to this site, for the reason that I wish for enjoyment, for the reason that this web page contains actually good funny information too.
You really make it seem so easy with your presentation, but I find this topic to be really one thing which I believe I might by no means understand. It sort of feels too complex and very large for me. I am taking a look ahead to your subsequent post, I will try to get the hang of it!
I was more than happy to find this site. I want to thank you for your time due to this wonderful read!! I definitely appreciated every little bit of it and I also have you book-marked to see new things on your website.
Hello mates, pleasant article and good urging commented here, I am really enjoying by these.
When someone searches for his vital thing, therefore he/she wants that to be available in detail, thus that thing is maintained over here.
This paragraph will help the internet viewers for setting up a new website or even a weblog from start to end.
If you are going for the best contents like I do, only go to see this website every day because it offers quality contents, thanks
Jinhae baccarat betting method
Uijeongbu Solaire Casino
I have been surfing online for more than 3 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. In my view, if all webmasters and bloggers made good content as you did, the net will be a lot more useful than ever before.
Hello there. I found your blog using msn. This is an extremely smartly written article. I will make sure to bookmark it and come back to learn extra of your helpful information. Thank you for the post. I will certainly come back.
You’re in reality a just right webmaster. The website loading pace is amazing. It sort of feels that you’re doing any unique trick. Furthermore, the contents are masterwork. You have performed a fantastic activity on this matter!
Hi! Do you know if they make any plugins to help with Search Engine Optimization? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good gains. If you know of any please share. Appreciate it!
Hmm, is anyone else encountering problems with the images on this blog loading? I’m trying to figure out if it’s a problem on my end or if it’s the blog. Any responses would be greatly appreciated.
After looking into a few of the articles on your website, I honestly like your way of blogging. I added it to my bookmark website list and will be checking back in the near future. Please visit my website too and let me know how you feel.
Hello, I read your blog from time to time and I own a similar one and I was just curious if you get a lot of spam remarks? If so, how do you reduce it, any plugin or anything you can recommend? I get so much lately it’s driving me insane so any help is very much appreciated.
Hey there. I found your weblog using msn. This is a very smartly written article. I will make sure to bookmark it and return to learn extra of your helpful information. Thank you for the post. I’ll definitely return.
Hey there! I’ve been reading your web site for a long time now and finally got the courage to go ahead and give you a shout out from New Caney, TX! Just wanted to mention keep up the good work!
I always used to read pieces of writing in newspapers but now, as I am a user of the net, from now on I am using the net for content, thanks to the web.
Hello, would you mind sharing which blog platform you’re using? I’m planning to start my own blog in the near future but I’m having a hard time deciding between BlogEngine/WordPress/B2evolution and Drupal. The reason I ask is because your design and style seem different than most blogs and I’m looking for something completely unique. P.S. Sorry for getting off-topic but I had to ask!
I’m extremely impressed together with your writing talents as neatly as with the structure on your weblog. Is this a paid subject matter or did you modify it yourself? Anyway, keep up the excellent quality writing, it is rare to see a nice blog like this one these days.
There is certainly a great deal to know about this subject. I like all the points you’ve made.
Hello mates, it’s a fantastic paragraph about tutoring and completely defined, keep it up all the time.
WOW, just what I was searching for. Came here by searching for ways to make money online