How we hacked one of the world's largest Cryptocurrency Websites

Bug Bounty

One of the world's largest cryptocurrency sites was hacked by the Strynx team, exposing multiple vulnerabilities that could have led to the loss of millions of dollars. One of the team members shares his point of view on how we discovered this critical issue, which involved the data of millions of users.

Here's how we discovered it:

The testing began in two phases: manual and automated recon.

The main purpose was to discover an HTTP API that could be accessed and exploited with a few commands. Manual recon is always preferred because it keeps the tester independent of particular scripts and tools. Automated tools make things simple, but they take a long time to run and throw out a lot of false positives, whereas manual recon eliminates false positives and surfaces issues much faster.

To begin, the website was behind Cloudflare. There are various methods for retrieving the origin server's real IP, but Censys is generally preferred: its fast and accurate results make the recon process much quicker. There are various tools for automated recon and Censys is one of the best; we'll deep-dive into some of these tools in the next blog. After obtaining the IP, port scanning was performed. Nmap was used to discover all open ports and services that could potentially be used to take over the server or cause harm to the company. No special ports were found other than port 443, used by the website. The website was blockchain-based, and it is often assumed that sites dealing with blockchain are secure and that no harm can be done to them. That was not the case here. Below we show how this server was exploited by finding and chaining several issues.

On exploring the website, it was seen that every request was accompanied by a CSRF token. For those who don't know what a CSRF token is: it is a unique secret with an unpredictable value, generated server-side, so that it cannot be guessed by a script that sends requests on behalf of a target user. It is similar to a captcha that changes for every request. It was observed that a specific endpoint was called to generate the CSRF token. So, to avoid inserting a fresh token by hand for every request, a Python script was developed. If you want to know how this is done, refer to this link: https://stackoverflow.com/questions/13567507/passing-csrftoken-with-python-requests. Then it was time to deep-dive.

Here is a short code snippet we used:

from cmd import Cmd
import requests
from bs4 import BeautifulSoup


class Terminal(Cmd):
    prompt = '> '

    def __init__(self):
        url = "url"  # login page that serves the CSRF token
        headers = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}

        # Fetch an initial token from the hidden form input
        response = requests.get(url, headers=headers, cookies=cookies)
        soup = BeautifulSoup(response.text, 'html.parser')
        self.token = soup.find('input', {'name': 'token'})['value']
        Cmd.__init__(self)

    def default(self, args):
        # Every line typed at the prompt becomes the value of the hidden "db" parameter
        cmd = args
        injection = "example" + cmd
        print(injection)
        url = "example.coin"

        headers = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
        data = {
            "username": "b",
            "password": "a",
            "db": injection,
            "token": self.token,
            "login": ""
        }

        response = requests.post(url, headers=headers, cookies=cookies, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')

        print(response.text)
        # The site only renders a new token when no PDOException was thrown,
        # so keep the old one after an error response
        if "PDOException" not in response.text:
            self.token = soup.find('input', {'name': 'token'})['value']


terminal = Terminal()
terminal.cmdloop()

The next step was to look for hidden directories and paths on the web server, using tools such as DirBuster and gobuster together with a wordlist. Since rockyou.txt and directory-list-2.3-*.txt are very well known to developers and pen-testers alike, a different wordlist of less common terms was prepared. The main focus was on finding JS files, using the site's jQuery references as a starting point. Other methods were also used to enumerate hidden files, but we'll leave those for later. After this, Burp was used to analyse all the requests. The POST requests in particular were examined for issues, and various parameters were tampered with to understand how the site worked and how its database connection was used. It turned out the site lacked error handling and leaked data when certain parameters were tampered with.

Protip: always tamper with data to look for loopholes. If a parameter's value is 0, change it to 1 and see what happens. Always try contradictory parameter values.

On analysing the server (looking through the JS files and the error messages), multiple hidden parameters were found, along with sensitive information about the internal functions used by the website. These functions were meant to improve the user experience but turned out to be the site's worst nightmare. Various types of injection worked, but we'll focus on one of them in depth. On observing the traffic, it was noted that the application accepted some SQL special characters, so it was time to search for SQL injection. Testing one of the hidden parameters revealed an error-based SQLi. What the parameter did wasn't understood, as it made no observable change on the page, yet it still resulted in calls to the database. It was probably functionality used during testing whose code was never removed before the site went to production.

[Screenshot: PDO Exception #1]
[Screenshot: PDO Exception #2]

Here are some of the PDO exceptions we found. If you don't know what PDO exceptions are, stay tuned for upcoming blogs. We'll write about them so that if you find exceptions of this kind, you'll know how to exploit them.
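The defect behind those screenshots, a hidden parameter spliced into a query with the database driver's exception echoed to the client, reconstructed as an added example (not the post's script and not the target's code; the real site was PHP/PDO, this uses Python's sqlite3 with a constructed table). The vulnerable lookup leaks the driver message and is injectable; the hardened one allow-lists the parameter, binds it, and logs errors server-side instead of returning them.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def build_db():
    """Constructed in-memory stand-in for the site's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin')")
    return con


def lookup_vulnerable(con, db_param):
    """Hidden parameter concatenated into SQL; the driver's exception text becomes the
    HTTP body, which is the error-based SQLi / leaked-exception pattern from the post."""
    try:
        rows = con.execute(
            "SELECT username FROM users WHERE role = '" + db_param + "'"
        ).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as e:
        return 500, "Exception: " + str(e)  # what a PDOException dump looks like to the client


def lookup_hardened(con, db_param):
    """Allow-list the parameter, bind it as a value, keep driver messages server-side."""
    if db_param not in ("user", "admin"):
        return 400, "invalid parameter"
    try:
        rows = con.execute(
            "SELECT username FROM users WHERE role = ?", (db_param,)
        ).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as e:
        log.warning("db error for role=%r: %s", db_param, e)  # logged, never echoed
        return 500, "internal error"


if __name__ == "__main__":
    con = build_db()
    for param in ("admin", "x'", "' OR 1=1 --"):
        print(repr(param), lookup_vulnerable(con, param), lookup_hardened(con, param))
```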

An example of a hidden parameter:

Suppose a JS file contains something like document.getElementById('id'). If that JS file is included by some HTML page, the parameter can be supplied from the URL as example.com/index.php?id=somevalue. This is one of several ways in which hidden parameters can be found.

The parameter was also tampered with to search for command injection, using values such as ';id' or ';pwd', to see whether they produced any output or threw an error that would help us understand the application. That didn't work, so the next step was to exploit the SQLi found earlier.

There are many methods for finding and exploiting SQLi; refer to any of the cheat sheets available online, as there is too much to cover here. If you'd like a separate blog on this, say so in the comments and we'll write about it later. Various data was extracted from the database, and the juiciest finds were the database login credentials. Credentials are usually stored hashed, so the next job was cracking these hashes. They cracked easily, since one of them was a common password from public wordlists. It was like: such a critical site, with so little protection.

Ok, we got SQL access. What next?

It’s time for RCE.

If you don't already know: with remote SQL access to the database, it is possible to write a PHP shell to disk if the database account has the permissions needed to write files. To our surprise, it did. It was possible to write a shell into the /var/www/html directory, which placed a PHP shell in the root directory of the website. But it wasn't that easy.

Hurdles don’t ever stop

It turned out there was a filter on the parameter looking for tags (XSS prevention :P). This was bypassed with double encoding, which allowed the malicious PHP file to be written to the system. For those who don't know how to get a shell from SQLi, try sqlmap to learn more: it has a function that checks whether it has permission to write to the web directories and, if so, creates a PHP file which, when opened, offers to upload our web shells to the server. From the web shell we were able to get a reverse shell to the system, and hence RCE!
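The SQLi-to-web-shell step above depends on two server-side conditions that the site's operators control: whether the application's database account holds the global FILE privilege (required for SELECT ... INTO OUTFILE) and where MySQL's secure_file_priv lets files land. This added example (not the post's code; the grant rows and paths are constructed, the function names are mine) audits both from SHOW GRANTS output and flags any configuration in which a file could be written under /var/www/html.

```python
import os
import re

# Constructed sample output of `SHOW GRANTS FOR 'app'@'localhost'` for an over-privileged
# web-app account and for a least-privilege one; on a real server feed in the actual rows.
GRANTS_BAD = ["GRANT ALL PRIVILEGES ON *.* TO 'app'@'localhost' WITH GRANT OPTION"]
GRANTS_OK = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wallet`.* TO 'app'@'localhost'",
]

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def can_write_files(grants):
    """FILE is a global privilege: only a grant ON *.* can carry it, directly or via ALL."""
    for line in grants:
        m = GRANT_RE.match(line)
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False


def audit(grants, secure_file_priv, web_root="/var/www/html"):
    """Return findings that would let an injection turn into a file in the web root.
    secure_file_priv semantics: None (NULL) disables INTO OUTFILE entirely, a path
    confines it to that directory, and '' leaves it unrestricted."""
    findings = []
    if can_write_files(grants):
        findings.append("account holds FILE: revoke it (REVOKE FILE ON *.* FROM <user>) "
                        "and grant per-table SELECT/INSERT/UPDATE/DELETE instead")
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can")
    elif secure_file_priv is not None:
        priv_dir = os.path.normpath(secure_file_priv)
        root = os.path.normpath(web_root)
        # Flag if either directory contains the other: both let a file land under the web root
        if os.path.commonpath([priv_dir, root]) in (priv_dir, root):
            findings.append("secure_file_priv %s overlaps the web root %s" % (priv_dir, root))
    return findings


if __name__ == "__main__":
    for name, grants, sfp in (("bad", GRANTS_BAD, ""), ("ok", GRANTS_OK, "/var/lib/mysql-files")):
        print(name, audit(grants, sfp) or "no findings")
```

The web root must also not be writable by the mysqld service user, which this script does not check because it runs without a live server.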

After this, the report was submitted with screenshots and a proper PoC via secure channels. Within an hour a reply was received acknowledging the report and asking for personal details so that a bounty could be paid. To my surprise, the company rewarded a 5-digit bounty for this effort. Credit to the company for its response and fix time: the issue was fixed in just 2 hours. Everything from the error messages to the database names was fixed in no time. Kudos to the company!

Please leave any comments or suggestions for this blog, and for further blogs you would like to read. We provide testing services to companies who would like their products tested. If you're a company that wants us to perform complete testing of your site, use the Contact Us page to drop a message or write to info(at)strynx.org. We'll try to reply as soon as possible.

23 thoughts on “How we hacked one of the world's largest Cryptocurrency Websites”

  1. Nick December 24, 2019 8:40 pm

    The write-up is much, much better than others I attended. Admin shows only those vulnerabilities that are truly exploitable and no rubbish 🙂 It's superb! Heads up 🙌🙌🙌🙌

  8. Yunus Ahmed January 2, 2020 12:25 pm

    It would be great if you elaborated/explained the steps you took to exploit the SQLi and RCE. After all, the exploitation steps are the main part of hacking.

  11. 31337$ January 15, 2020 7:34 pm

    Bounty is 31337$, that's great, keep it going dude.
