The fifth new market I have completely rooted because of incompetent admins, but these guys are the worst and are putting all of their users at risk.
http://omegannu2zxrxcdt.onion/css/directory.php
Hopefully this will serve as the end of their time here.
Within 2 minutes of signing up after their announcement last week, I was able to exploit the market with some simple tactics, similar to what I used to attack Place Market and The Open Road, see my post here: https://pay.reddit.com/r/DarkNetMarkets/comments/6f0ju5/open_road_market_and_place_market_exploits/
Just a few hours later, I was then able to find their IP. I am going to leave details out to make sure I don't promote any sort of doxxing.
By far, these guys are the worst market admins I have come across. They told me they were "upset" after I hacked the market and I found tonnes of basic security flaws. To name some of the worrying ones...
Security mnemonics were unencrypted in the database; they have since updated this and given users new ones.
PINs were unencrypted, same deal
My first attempt at rooting it worked immediately, with the most basic of vulnerability tests.
Apache server 'nuff said
PHPInfo, exec and many more functions were enabled
PHP exceptions were enabled, revealing server details, OS details and directory structures
File permissions allowed me to navigate anywhere and write shells wherever I wanted
After moving server, they failed to find the shells so they remained
I was even told by their head admin details such as being the main provider for his family, so he's putting them at serious risk by running this market and I hope he doesn't do so again for his own and his family's sake.
Also, I stole your Bitcoin... yep all $2 of it.
R E K T
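Added example, not part of the original post: a small audit that checks a php.ini for the PHP misconfigurations the post lists (exec-style functions and phpinfo left enabled, errors displayed to visitors). The function names and both sample php.ini texts are constructed for illustration.

```python
# Functions that let a web request run OS commands or dump configuration;
# a hardened deployment lists them in disable_functions.
RISKY_FUNCTIONS = {"exec", "system", "shell_exec", "passthru",
                   "popen", "proc_open", "phpinfo"}
TRUTHY = {"1", "on", "yes", "true", "stdout", "stderr"}

# Constructed sample resembling the setup described in the post.
WEAK_INI = """
[PHP]
disable_functions =
display_errors = On
expose_php = On
"""

# Constructed sample with the same directives corrected.
HARDENED_INI = """
[PHP]
disable_functions = exec,system,shell_exec,passthru,popen,proc_open,phpinfo
display_errors = Off
log_errors = On
expose_php = Off
"""

def parse_ini(text):
    """Return {directive: value} from php.ini text, skipping comments and sections."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return findings for the weak settings named in the post."""
    s = parse_ini(text)
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = [f"{fn}() is callable; add it to disable_functions"
                for fn in sorted(RISKY_FUNCTIONS - disabled)]
    # PHP's built-in default for both directives is on, so a missing line counts.
    if s.get("display_errors", "1").lower() in TRUTHY:
        findings.append("display_errors is on; errors reveal paths and OS details")
    if s.get("expose_php", "1").lower() in TRUTHY:
        findings.append("expose_php is on; PHP version is sent in response headers")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_php_ini(WEAK_INI)))
```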