Hacking Crypto Ground Games After Not Getting Into One

Date — 12/25/2018

Backstory: a friend filled out some random form for me; it was a college competition over cryptos. Okay, no big deal, everybody loves cryptos, right?

It all started at night: I was watching Mr. Robot, Season 2, when a message arrived saying I had been added to a group. My head was banging in full swing after watching Ep 3. So I took a little nap and then tried to enter the competition at 2 AM. Not a good excuse? Okay! Geez, yeah, I get excessively lethargic sometimes.

By the way, Mr. Robot’s Season 2 and 3 are beautifully crafted, at times haunting/disturbing. Right?

In the back of my mind, I passively started thinking about how I could win the competition by building a bot, so after watching and before sleeping, I read a little about algorithmic trading and well, it was um, yeah, alluring.

2:00 AM: I tried to log in and soon learnt that after a set time, you can’t enter.

And well, that “set time” had already passed. Oh well.

At first, I started looking under the hood and found that the website was using lots of services, but to get the coin data, the crypto-counter, it was using an API, so it seemed like the bot thing was good to go.

But… I was angry!

I started fiddling around and boom, I found a function. An interesting function.

The function took a preset date string and then, using moment.js, calculated the offset, or say the end time. It then sent a GET request when the counter came down to zero. The endpoint the function pointed to was:

https://cryptoground.com/game/{game-id}/deActivate

It was the function to end the game.

I said to myself: okay, if I can intercept and tamper with the time counter, I can close any event at will? Mmm.
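The design flaw described above, a state-changing GET driven by a browser-side countdown, shown next to a server-side alternative. This is an added example, not code from the post or from the site; the handler names, the game record shape and the organizer role are assumptions, as is the premise that the endpoint trusted the client's timer.

```javascript
// Added illustration. All names and the record shape below are hypothetical.
// Constructed sample game record with a fixed server-side end time.
const game = {
  id: "demo-game",
  endsAt: Date.parse("2018-12-25T06:00:00Z"),
  active: true,
  ownerId: "organizer-1",
};

// Weak pattern: a GET that changes state and relies on the browser to call it
// only when its countdown hits zero. The server checks neither time nor caller.
function deactivateTrustingClient(req, g) {
  if (req.method !== "GET") return { status: 405, active: g.active };
  return { status: 200, active: false };
}

// Hardened pattern: the server decides from its own clock and the caller's identity.
function deactivateServerSide(req, g, nowMs) {
  // No state changes over GET (links, prefetchers and embedded requests can fire it).
  if (req.method !== "POST") return { status: 405, active: g.active };
  // The caller must be authenticated.
  if (!req.user) return { status: 401, active: g.active };
  const expired = nowMs >= g.endsAt;          // server clock, never the client's timer
  const isOwner = req.user.id === g.ownerId;  // only the organizer may end a game early
  if (!expired && !isOwner) return { status: 403, active: g.active };
  return { status: 200, active: false };
}

// Simpler still: derive the state from the server clock on every read,
// so no client ever has to tell the server that the game is over.
function isActive(g, nowMs) {
  return g.active && nowMs < g.endsAt;
}
```

With the state derived in `isActive`, the browser countdown becomes display-only and the deactivation endpoint can be reserved for organizers.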

I don’t have the payload, nor do I remember the procedure I used to bring chaos to the website, so I am gonna go now, leaving you all with a screenshot from that time.

Sorry if y’all find this post half-assed; the thing is, I’m trying to clean up my residual drafts in 2021.

Piyush Raj ~ Rex

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com