Hack TLS with cash prize

    Developers TLS-implementation of the language of OCaml announced a contest BTC Piñata, in order to prove the reliability of his defense. It is known that contests cannot be real proof, but this one is very funny, and even with a small cash prize.

    So, two hackers opened their ownme.ipredator.se demo server .

    On the server is the key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh . The server will give us the key if we present a certificate.

    The organizers have provided a MiTM mechanism for us. We can pass traffic through BTC Piñata virtual machines (TLS server and TLS client). As you know, this traffic contains the required certificate, you only need to extract it in some way.

    The TLS server interface is on port 10000, the TLS client on port 10002, and port 10001 is used to forward traffic to us on 40001.

    So, we initiate communication between the server and the client and listen to port 40001.

    For example, on Node.js this is done with such a script :

    var net = require("net");
    var server = net.connect({ host: 'ownme.ipredator.se', port: 10002 });
    var client = net.connect({ host: 'ownme.ipredator.se', port: 10000 });
    server.on('data', console.log.bind(console, 'server'));
    client.on('data', console.log.bind(console, 'client'));

    Now we record and analyze traffic.

    The contest organizers themselves acknowledge that there are no additional conditions. In theory, you can try to lure the key from them in another way: phishing, social engineering, rectal cryptanalysis (in the figurative sense) or some other tricky trick.

    Code and BTC Piñata libraries are open .
    List of installed software on the demo server .

    Also popular now: