Odyssey Market hacked

EDIT: Aw, they took down the market before anyone could see my colorful defacement page.

Hey guys, I took a break from things, but I'm back and fighting the good fight once again. A couple of markets launched during my absence, so I've been having a look into them; I'm currently running initial automated scans and will look further into each within the next few days.

My first project was Odyssey, especially since I came across a post about them using a pre-made script, which is my favorite kind of project! Within 2 minutes of signing up, I realized they were completely lying about having rewritten the script or just using the same stylesheet. The system is almost a complete mirror image of the original, with some additions and no security fixes for my regular entry points, which are present in every version of the script (one that has been used by many past markets).

http://odysseygk3f6ugfc.onion/

Findings:

This is one of the more worrying markets I've seen appear; clearly an amateur in both development and network management/security.

Odyssey is now closed as of this post. We don't need markets like this being available to be hacked by the wrong person/organization; it puts everyone at risk, including themselves.

Anyone working on a market, get in touch for free advice and a pre-launch pen test. I will only post publicly if the security is this shit. If I see potential and you know what you are doing, the slip-ups can be made up for with fixes and ongoing testing before and after launch.

Bye!


Comments


[1 Points] savingfluffybunnies:

Can confirm that the market was defaced before being offline.


[32 Points] ForLOLSerious:

Nice work! Try r/OmegaMarket and r/OlympusDNM next! I hate markets that start with O!

Have you ever poked around on Dream?

> Odyssey is now closed as of this post, we don't need markets like this being available to be hacked by the wrong person/organization, it puts everyone at risk, including themselves.

Totally agree. Thank you! 😍


[20 Points] wombat2combat:

Thanks for all the work you do for the community.

> I will only post publicly if the security is this shit. If I see potential and you know what you are doing, the slip ups can be made up for with fixes and on-going testing before and after launch.

This is the way to go in my opinion. If a market is too broken and there is no sign that they would do better even if they fix the discovered flaws, then they should be exposed so that users do not continue to use these markets.


[17 Points] burden_of_boof:

u/HugBunter, you are doing God's work, and I swear if I wasn't poor AF I would shower you with gifts. I don't think many people realize the value of your work, both figuratively and literally: vulnerability testing and offering remediation assistance/counsel, for the good of the community. Thank you.

EDIT: I don't see the haters testing or doing anything productive. *shrugs* At least HugBunter is doing something. And, no offense to bughunter, LE has plenty of their own, shall we say, "hackers" who specialize in this. Amirite, feds who are watching this sub? I seriously doubt there'd be any ties either way.


[17 Points] GurningDownTheHouse:

lol absolute legend.


[12 Points] lamarrotems:

I love the DNMs.


[10 Points] MSAurelius:

Oof. Zion next.


[11 Points] eydirect:

If you're interested and have some spare time, care to take a look at our private vendor store? https://www.reddit.com/r/EYDirect/comments/7rqyus/we_now_accept_xmr_ltc_doge_btc_bch_dcr_use_tor/


[6 Points] SloppyJoeLieberman:

Thank you for disclosing this publicly.


[6 Points] EdwardNorton_s903:

Cheers, bruv. You're a true and noble lad.


[6 Points] OlympusMarket:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Just to clarify, Olympus Market isn't affiliated with any market out there and has nothing to do with Odyssey.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEQbrUPMi3X9rGUBsfdB8axpKgDWYFAlpi6RkACgkQdB8axpKg
DWb4hhAAh5wU2UjgJqk0sFx69YKZrWHglDQBKUDmrtVIx/MR0a2XH5S8UahjlMUo
l3FEiCzFs5lDts1mDOUbSlE/777WmDj0fOt5l2jQxw9TBLwI0eK1COyw9QKAAiwb
VCWae0SvH653tk6QP8Dd3VHyggn2HI3C3vJcUcWAR/FumuUFSIm4jGvCvc2p7OHd
Cakii+ATtCD9B5Q6A7eKI+xsNGHLTsH/KpM3lDzm4lfYahR5kzOQZthiFHZrkpBz
CSIArEpd2hkWHdXHo2/C/T2HKA7ilAwvSsr/R1cUOYPgSLe/84/8RwWiDveUXqx0
B8vOjRd5rY6GciHHQJwXNp/FlPiizZj0s0MsHu3n/EFVybrJxzvCnFPnQJSNvOX0
CMCLdfkO8oLA76Jiv6rLh5jktCec9KguFwqwHMY8/NbIrUf7mybw/ptPKi6PYNZX
nHsY/P0kx15JBv2BvOQPjAMRgw6LcM22sl0g28U3bDLdzm2gQ/NmVb2ihjgXppkc
HmT7wXH7gcMTlapt9mv8D7oFEiSf0jSrnxkKLCJ9ofotFHUPheQ7R2S3fsF0ptsu
CbiBV8W2szqDvqngVHeIBn08Q/5OvPT7Yxh9PFwarVRNLY27Uk37Qd3Ahw/po6EZ
rBTWQsmAPzFMrcvYGDy7h7Y/0RGTrTLs6cH5TPLbv9lKmzWYNIA=
=AeWu
-----END PGP SIGNATURE-----


[5 Points] Darknet_Retard:

So is this just some college student with programming knowledge setting up a site to try to cash out on an exit scam, or what?

Clearly, with this many problems, the admin is no professional.


[4 Points] throwahooawayyfoe:

Well that was fucking quick...


[4 Points] Vendy_McVendface:

God dammit. I spent three hours today, finally, putting up all my listings. You did this like two hours after I finished. Why couldn't I have been a day lazier?


[4 Points] the_squee:

Thank you for what you are doing. Being a professional pen tester is my dream job.


[3 Points] XmarieZ:

Hahaha you are THE man!!!


[3 Points] HardC0r3:

Didn't last long. Good work.


[3 Points] korbysage:

Ha, called it, those morons.


[3 Points] princess-peach-uk:

Besides Dream are there any marketplaces which have good uptime and no security flaws?!


[3 Points] DJWalnut:

As a CS student, what did they do wrong and what are the fixes? I'm not interested in running a DNM, but the advice would come in handy for developing other types of websites.


[2 Points] obtuseusedmoose:

BLOWN THE FUCK OUT


[2 Points] ThePrinceOfFrance:

Idk why, but I was intrigued by a deepdot article about this new market called paradise. A skinny on them would be tight. When you have the chance, of course. Keep up the good work.

http://deepdot35wvmeyd5.onion/2018/01/09/stick-philosophy-minimalism-says-paradise-market-admin/


[2 Points] Intergalactic_Reborn:

Not even a month. I expected at least a month or two, but hey, better you than law enforcement.


[2 Points] pingobingodingo:

/u/British_Dragon, HugBunter's services could be of use to you.


[2 Points] BlackGoatSemen:

God I love it when you do this! A seriously great service to the community.

Huzzah!


[1 Points] ShadowClones:

Shit, you should just make your own market.


[1 Points] BugHumper:

The reason I was away is because I have been working with the feds. Once they saw I could install Windows 98, they immediately hired me.


[1 Points] NoobWithB00bs:

Great job. Did you manage to take some sweet BTC from this shit market?


[1 Points] TooleyT:

u/British_Dragon


[0 Points] Odyssey_Market:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We would like to make an official response to /u/HugBunter Allegation.
All his claims are false and did not happen!
We experienced a strong DDoS attack made by HugBunter because he works for Libertas Market!
We will release proof of it later but for now we would like to calm our users and vendors!

Odyssey Market will come back stronger than ever!!!!
While goverments exits we will as well!!!!
FEAR NOT BECAUSE ODYSSEY IS COMING BACK SOON!!!!!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEtNbjJUfTGfouYjmmduHJQwRd05IFAlplXIwACgkQduHJQwRd
05IsJgf/QwFSe1luAqcUJR1YiJEDlF2OjP8cMSD0TfgNGkZ8NkMIdZ5ffKUOqbaF
Y1iMBUPdI+aKRfDSY7LpLCxggrHjH+w5qacMQpXfEdJSgnfXjIicemKtqPaOrDr8
76mQmdZ0aK0rQ4hu17IRAMfwqn/4u9cT19fqJYdjrparmSNv9R9jm2pC3jBuQU0O
p+CNjZMBrpEUsflhB5O+/EpTE0lMyFzXCgd6lFVeN5wsy4CFTwxngclMCoCMyR1X
Jex7sl5dJ4tHGW4l7FoCfFKBMCoL3K7ChjeNT93/6YI166rjDyOFbDhwmCod1Tof
hcJ1g8gp5Mxu8hOhSaeLuT80F0hvgg==
=b2wY
-----END PGP SIGNATURE-----


[0 Points] Peter-Lustig0:

Why is Odyssey Market gone? Why has HugBunter closed it; what does it have to do with him? If you have seen that the market is not safe or prone to attack, it did not help it to make a safe market. I know that the admin worked on putting the market on the superlist. He was told by the admin that he has to do one thing and others more safely. Pettiness, then you come and make him tight. How do you do. I think it's a shit action; you once wrote down the admin of Odyssey, certainly not just made tight, though it was his turn to come to the superlist.


[-1 Points] pingpongsongs:

You are cancer worse than LE.


[-2 Points] figurethirst:

LoL why hack a useless market that had 0 vendors, 0 users and 0 sales?

How about you hack one of the markets that is on super list or deep.web list?

Seriously, bragging about hacking a "market" that was bought for $100 and run by what seemed to be a 14-year-old is not that much of an accomplishment. Nobody hacked it because it was a fake market which no one uses and no one cared about.

Hack Dream, Zion, Tochka, Wall Street or Libertas Market and then you will be able to brag about your "skills", but it will probably require more skill than using Kali automated hacking tools.

