Why so trusting?

Quick Context: Okay, so recently, we come across some fancy NFT project wherein “Students” are invited to join “Quizzes” and “Projects” to “Graduate”.

A “Graduate” means whitelisted for the mint of the NFT collection.

Our Goal

Our goal is to get into the top leaderboard so we can ensure our whitelist slot. And we want this by all means, so we use our hacker instinct to get advantage on the quiz.

However, we wouldn’t wanna overkill the contest. We didn’t spawn bots to automatically answer the quizzes (which is easy to do), so we just sticked with our bare hands, manually answering the quizzes. And we just stick to one-to-one account to human. We don’t want to disrupt the experience of other people.

The quiz

The quiz is a client sided web app. Meaning, all of the password for the quiz and questions are given to client without levels of authorization. Below are the steps of our reconnaissance and enumeration to extract the password and the set of question for a quiz.

Cracking the Password

Every quiz has different password. And our goal is to crack the password before the quiz starts (hours before the quiz so we have the chance to crack it).

Upon logging-in and browsing to /quiz page, we could see a web api requests. We can see that a request has a response that includes juicy information. We saw a json response that includes quiz details and we write down the _id and the password to our notes.

$2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu

The password is a bcrypt hash.

The first thing we did was to list all possible passwords and try to compare them against the hash.
But sadly, we didn’t got any “possible password” correct.

What is Bcrypt?

The input to the bcrypt function is the password string (up to 72 bytes), a numeric cost, and a 16-byte (128-bit) salt value. The salt is typically a random value. The bcrypt function uses these inputs to compute a 24-byte (192-bit) hash. The final output of the bcrypt function is a string of the form:

$2<a/b/x/y>$[cost]$[22 character salt][31 character hash]

For example, with input password abc123xyz, cost 12, and a random salt, the output of bcrypt is the string

$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
\__/\/ \____________________/\_____________________________/
Alg Cost      Salt                        Hash

Where:

  • $2a$: The hash algorithm identifier (bcrypt)
  • 12: Input cost (212 i.e. 4096 rounds)
  • R9h/cIPz0gi.URNNX3kh2O: A base-64 encoding of the input salt
  • PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW: A base-64 encoding of the first 23 bytes of the computed 24 byte hash

The base-64 encoding in bcrypt uses the table ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,[9] which is different than RFC 4648 Base64 encoding.

Back to our discussion

So now we know the basics of bcrypt, we could now start attacking the password hash.

Well, luckily, we got a tool named hashcat.
Without having any more ideas about the password, we can now use the bruteforce technique.
We also know that the password only contains numbers.
So we could go bruteforce increment from ZERO until 10^n. Where n is the number of digits.

hashcat.exe -a 3 -m 3200 --increment --increment-min 1 --increment-max 8 $2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d

Here, we tell hashcat that our attack mode is Brute-force (-a 3), increment each password iteration (–increment), start from 1 digit (–increment-min 1), end the iteration with maximum of 8 digit (–increment-max 8), password hash that we found earlier ($2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu) and the pattern that we want our hashcat to follow (?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d).

To know more about hashcat, check this out: https://hashcat.net/wiki/doku.php?id=hashcat

And after some couple of minutes, we cracked the hash!

It took only 8 minutes for my GTX1050 to crack a 5-digit password. But it would definitely lasts more longer if the password was longer than 5-digit.
Luckily, the password for this quiz is shorter than the first set of quizzes so we are able to bruteforce this in a very small amount of time.

Extracting Questions

We found a page where we can browse the quiz. We just enter the password that we found for this quiz.

The web app then make a request to the web api and we could see a juicy information here that includes the quiz questionnaires (testData).

We just parse the testData. And boom! Successfully extracted the PASSWORD and the QUESTIONS.

Conclusion

I understand the intention of the developer that they don’t want the participants kinda “DDoS” their servers by having a lot of authentication and authorization though their servers. They just give all their password and quiz data to the client because they want the validation to be on client’s side and not having loads to their server.

The web app’s architecture, does not really abide the Zero Trust Security because they just make the client’s authorized themselves and “trusts” them without proper validation.

Thanks for reading this short writeup!
I hope you enjoy and see you on my next writeup!

Beginners guide: GFT x NFT

So what are NFTs?

In the simplest terms, NFTs transform digital works of art and other collectibles into one-of-a-kind, verifiable assets that are easy to trade on the blockchain.
Well, there are lot of many articles online to read regarding the NFTs, kindly check out here: https://www.theverge.com/22310188/nft-explainer-what-is-blockchain-crypto-art-faq

This article will be then subdivided into 3 main parts: theoretical, technical and proof-of-concept.

Theoretical

Your main goal is to double, triple, quadruple (or even higher) your money in the shortest time possible with little or no risk at all.

Now lets breakdown some thoughts in the sentence above.

  1. The keyword is double, triple, or quadruple, meaning, you still need some capital to start with. The capital will be used in: gas fees, minting fee, and other matters. So yeah, this is not free money after all.
  2. Shortest time possible, there are lot of options in the crypto space but what we are interested is the shortest and fastest way to gain money. In the crypto space, you can have many perspectives such as: Developer, Artist, Long-term Investor, DAO, Flipper, and etc. We will be focusing on the perspective of Flipper as it doesn’t much require technical skills to be one.
  3. Little or no risk at all, because what we want is to position ourselves with little or zero risk at all so you can be comfortable with your investment positions.

Flipping

The basic concept of flipping is to buy low, sell high without holding your NFT for long. The basic 4 steps for flipping is as follows:

  1. Find a project with great hype potential
  2. Get Whitelisted in that project
  3. Mint your NFTs
  4. Sell them in Secondary market with great markup

Sounds easy, right? Well, not at all. Finding a project with less people with great potential is life finding a needle on the haystack. There are lot of NFT projects out there and you need to find where the traffic might be. The basic rule of a project is that, you cannot make quick money if hype is low.

Whitelist

Whitelisting is the act of securing your spot to have a sure allocation for you. The early you get on the project, the more chances of having wl because you have advantage over other people that are just starting to join the project. The common tasks on projects to get wl are: Inviting users on the discord server, leveling up on the discord server by having a meaningful conversation, participating on games and events, being socially active in sharing the project, submitting fan arts, and etc. If you find yourself in the middle of a project that is almost halfway on its preparation date before launch, it might take some work to be part of whitelist. The spots are limited, once they are full, you cannot be wl anymore, you can still join the public sale tho, but you don’t want to join public sale because of the gas war.

Mint your NFTs

The purpose of having wl, is to secure your mint. Minting is an act of buying an NFT directly from the creator or owner of the project. Usually the NFTs have a total supply, once the total supply is consumed, then you cannot mint anymore. For example, the project BAYC is a collection of 10k pieces of art. No new BAYC can be minted anymore. Imagine having an item that is limited edition, it is so cool, right?

Reselling

You can always resell your NFTs on secondary markets. As soon as you finished your mint, you can immediately resell it to secondary markets. You can list it on a certain price and just wait for someone to buy it. The basic rule is to always check the flooring price and decide a realistic price. If the price flooring is going up, you might want to list it a little bit higher. When price flooring goes down, you might want to list it with the same price of price flooring.

Risks

  • Rug pulls – projects that are abandoned by the owners/creators/developers that initially started the project after making money. Usually in flipping, you can still make money before the team decided to make a rug pull, because flipping is a very short span of time, you can exit immediately before the project goes down. Mint, then immediately list your item with realistic price so that it can be bought fast.
  • Failure to deliver promises – some project are failing to deliver their promises on-time which might make the investors pull out their investments. But usually, this is for long term holding which a flipper do not need to think of.
  • Low Hype – some projects have a low fanbase. If a project has a low hype, then the project might not have traffic at all. If you have projects that are already wl, make sure to check the hype first before minting, don’t be easily FOMOed, check the bigger picture first.

The more hype to the project, the more Greatest Fool Theory in action ?

Technical

You don’t need to know technicalities of the blockchain, but it will greatly help you to make more wise decisions, if you are not interested, you can just skip this part.

Usually the NFTs are erc721 standard. And most projects are in eth blockchain and can be analyzed by etherscan.

The most important functions for erc721 are:

function setApprovalForAll(address _operator, bool _approved) external

and

function totalSupply() external view returns (uint256)

Without that functions, you cannot transfer an erc721 token from one holder to another, so its best to check and review the code first. Also the totalSupply tells the number of tokens that are currently minted, you can gauged how much more remaining tokens that are not yet minted so you can have wise decisions based from that.

Maybe let’s deep dive on the technicalities on my next blogs.

Proof-of-Concept

[REDACTED]

Bonus: Tax

[REDACTED]

Conclusion

Right now, flipping is the best option in crypto to gain fast without much risks. But as we always say, you should still do your own research before anything else. I am not a financial expert nor advisor. All content of this article are just purely on my experience.

I hope you enjoy reading this article! Goodluck and have a nice day ?