Cantina Marketplace PWND: Admin Password was: “Password1” ?!

Posted by: DeepDotWeb

January 29, 2014

You are not going to believe the horror you are about to witness in this post. Proceed with caution!

Our thanks go to sniok, The_avid, and everyone else who helped us show users why to avoid this miserable failure, while keeping everyone amused at the same time!

It was just last week that we reported here on a market popping up with a design 100% identical to the biggest scam market that ever existed, the “Sheep Marketplace”. It is called Cantina Marketplace. We got a few comments about this market and basically wrote it off as another scam attempt by the same group as Sheep Marketplace. At the time, we had no idea that this market was about to become the biggest example yet of a site with every security hole imaginable, built in a way that makes Drugslist (you remember the fiasco from just a couple of days ago, right?) look like the Fort Knox of deep web marketplaces.

Once again, we will lay things out as a timeline. Since this party is still going, we will update later if needed:

1. It all started when the user cantina_marketplce started posting threads on Reddit announcing that a new marketplace named Cantina had opened. Now, let's ignore for a second the obvious question: how dumb do you have to be to create a marketplace that looks exactly like Sheep Marketplace, and on top of that make it a normal escrow marketplace? Let's focus instead on the fact that, like most marketplaces, they started making security claims they could not back up. Take for example: “being the safest marketplace out there”?! Read the thread here.

2. I felt like I was having déjà vu for the second time in just two days when a user called the_avid posted, telling Cantina not to make such claims about being secure unless they were going to back them up with some technical explanation:

3. Once again, instead of explaining or admitting anything, the marketplace admin chose to argue by posting a bold statement: “We have designed the site so it is completely safe from hackers and LE who may try various data extraction techniques to get sensitive data such as order information, user list, messages, etc.” Well said, Cantina! Market owners should do a quick search of the forums and Reddit before making the same dumb mistakes over and over again.

4. Now this is where our story starts to get interesting. In the background, a user named sniok had found a security hole in the site that lets you place orders without actually depositing any money into the site. This is what he told us: “The first security hole that I found was just absurd. Simply put a negative quantity when ordering stuff and you ‘steal’ money from the vendor. Withdrawals of that money didn’t come, because the whole withdrawal system was completely broken.” He later posted this in this thread:

I wanted to show a screenshot, but at this point, all listings were deleted from the market.

5. Then, in another thread posted in the Silk Road subreddit, another user found SQL injection in the site's code:

6. You would think the Drugslist lesson had been learned, but no. AGAIN, instead of taking responsibility and trying to fix the problem by contacting the user in private and asking for details, the owner offered a 5 BTC bounty to anyone who could find security vulnerabilities in the market. They made the bold statement that the marketplace is 100% secure and denied the SQL injection problem:

7. From here on there is no clear timeline, since everything happened at around the same time. First, we received the following mail:

You are wrong about Cantina (note: meaning our accusation that they are the same as Sheep). The backend codebase is absolutely different.
They just implemented the frontend the same as SMP. That kid thinks it could attract people somehow.

Anyway, I am applying for the 5BTC bounty for pentesting Cantina. That site is an absolutely amateur, insecure PHP-newbie project. I will bring you an exclusive report when the admin replies and keeps his word about the bounty.

8. Five minutes later we found these unrelated posts from The_avid and sniok in the same bounty thread:
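The two holes in the timeline above (an order form that accepts a negative quantity, and SQL assembled from raw form input) are simple enough to reproduce in a few lines. The following is an added example, not Cantina's code: a toy escrow marketplace on SQLite with the vulnerable handlers beside fixed versions. Every table, account, listing price and password in it is constructed for the demo; the real site's schema was never published.

```python
"""Added example, not Cantina's code: a toy escrow marketplace on SQLite that
reproduces the two flaws described above (an order form that accepts a negative
quantity, and SQL assembled by string concatenation) next to fixed versions.
Every table, account, price and password here is constructed for the demo."""
import hashlib
import sqlite3


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_db():
    """In-memory marketplace: an admin, a buyer with no funds, a vendor with 500."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, password_md5 TEXT, balance INTEGER);
        CREATE TABLE listings(id INTEGER PRIMARY KEY, vendor TEXT, price INTEGER);
    """)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", md5_hex("Password1"), 0),   # constructed row mirroring the post
        ("buyer", md5_hex("hunter2"), 0),
        ("vendor1", md5_hex("v3nd0r"), 500),
    ])
    con.execute("INSERT INTO listings VALUES (1, 'vendor1', 100)")
    con.commit()
    return con


def balance(con, name):
    return con.execute("SELECT balance FROM users WHERE name = ?", (name,)).fetchone()[0]


# --- login form: injectable vs parameterised --------------------------------

def login_vulnerable(con, name, password):
    """The username is pasted into the SQL text. name = "admin' --" comments out
    the password check and logs in as admin without knowing the hash."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password_md5 = '{md5_hex(password)}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Same query with bound parameters: input is only ever data, never SQL."""
    row = con.execute("SELECT name FROM users WHERE name = ? AND password_md5 = ?",
                      (name, md5_hex(password))).fetchone()
    return row[0] if row else None


# --- order form: unchecked quantity vs validated, atomic transfer -----------

def place_order_vulnerable(con, buyer, listing_id, qty):
    """qty comes straight from the form. qty = -3 gives total = -300, so the
    'debit' credits the buyer and the vendor pays for the order. Nothing checks
    that the buyer has any funds, and this SQL is concatenated as well."""
    vendor, price = con.execute(
        f"SELECT vendor, price FROM listings WHERE id = {listing_id}").fetchone()
    total = price * int(qty)
    con.execute(f"UPDATE users SET balance = balance - {total} WHERE name = '{buyer}'")
    con.execute(f"UPDATE users SET balance = balance + {total} WHERE name = '{vendor}'")
    con.commit()
    return total


def place_order_safe(con, buyer, listing_id, qty):
    """Validate server-side, then move funds in one transaction with bound
    parameters. The balance check is part of the UPDATE, so two concurrent
    orders cannot both spend the same coins."""
    if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
        raise ValueError("quantity must be a positive integer")
    row = con.execute("SELECT vendor, price FROM listings WHERE id = ?",
                      (listing_id,)).fetchone()
    if row is None:
        raise ValueError("no such listing")
    vendor, price = row
    total = price * qty
    with con:  # commits on success, rolls back if anything below raises
        debited = con.execute(
            "UPDATE users SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (total, buyer, total)).rowcount
        if debited != 1:
            raise ValueError("insufficient funds")
        con.execute("UPDATE users SET balance = balance + ? WHERE name = ?", (total, vendor))
    return total


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "admin' --", "wrong"))     # admin  (bypassed)
    print(login_safe(con, "admin' --", "wrong"))           # None
    place_order_vulnerable(con, "buyer", 1, -3)
    print(balance(con, "buyer"), balance(con, "vendor1"))  # 300 200
    try:
        place_order_safe(con, "buyer", 1, -3)
    except ValueError as e:
        print("rejected:", e)                              # rejected: quantity must be a positive integer
```

The negative-quantity trick works because the only "check" in the vulnerable path is arithmetic: a price times a negative number is a negative total, and subtracting a negative total is a credit. The fix is not a client-side minimum on the form field but a server-side type and range check, a balance condition inside the same statement that debits, and a single transaction around the two updates. The parameterised queries cost nothing extra and remove the whole class of "almost every form was injectable" at once.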

Now you would think that this is where the story ends, right? No.

To make a long story short: The_avid started dumping the Cantina marketplace DB, as did sniok and who knows how many others at the time of this post. There were about five different threads on the Darknetmarket sub from people who had hacked Cantina, all claiming the 5 BTC prize, which they will probably never receive. I can only guess, because the admin is hours away from shutting down the market (I also smell a doxx?). Before that, sniok posted that the marketplace's passwords are stored as plain MD5 hashes (crackable with an online lookup, so evidently unsalted) and the PIN numbers are not encrypted at all. It was posted in this thread:

The last treat is brought to you by sniok, who described how it went:

“I didn’t really try that before because it is such a basic security thing. Almost every form was injectable. In a couple of minutes I had access to the database. Passwords were stored as MD5 hashes. I tried to crack the admin’s password with an online MD5 cracker and the result was ‘Password1’. Very strong password :D I logged in to the admin control panel and there was nothing interesting. About 680 users and 60 vendors registered. Zero withdrawals and a lot of empty wallets. Can’t open them though, the system is completely broken.”

There are two admin accounts, one for the market and one for the control panel. Market: admin:Password1. Panel: admincantina:AAAaaa111.
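Why an MD5 password column falls to an "online md5 cracker" in seconds, and what the column should have held instead, as an added example that is not Cantina's code. The wordlist stands in for the precomputed tables such lookup sites keep, the dump rows are constructed to mirror the credentials quoted above, and the `pbkdf2_sha256$iterations$salt$hash` storage format and iteration count are assumptions for the demo.

```python
"""Added example, not Cantina's code: why the password dump described above
fell to an online lookup, and what the column should have held instead.
The wordlist, user rows, storage format and work factor are constructed."""
import hashlib
import hmac
import os

# Stand-in for the precomputed MD5 tables behind "online md5 crackers" (constructed).
WORDLIST = ["123456", "password", "Password1", "letmein", "AAAaaa111", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption kept low so the demo runs fast


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5_dump(rows, wordlist=WORDLIST):
    """rows: [(username, md5_hex)]. Unsalted MD5 means one table, built once,
    answers every row in the dump: the cost per user is a dictionary lookup."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in rows if h in table}


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow hash.
    Stored as algo$iterations$salt_hex$dk_hex (format is an assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_salted(stored, wordlist=WORDLIST):
    """With a salt there is no shared table: every guess costs a full PBKDF2 run,
    per user. 'Password1' still falls, just ITERATIONS times more slowly, so the
    storage fix is not a substitute for rejecting weak passwords at signup."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed dump rows mirroring the credentials quoted in the post.
    dump = [("admin", md5_hex("Password1")),
            ("admincantina", md5_hex("AAAaaa111")),
            ("buyer42", md5_hex("zz-not-in-any-wordlist-zz"))]
    print(crack_md5_dump(dump))   # {'admin': 'Password1', 'admincantina': 'AAAaaa111'}
    stored = hash_password("Password1")
    print(verify_password("Password1", stored), verify_password("Password2", stored))  # True False
    print(crack_salted(stored))   # Password1  (still guessable, only slower)
```

The same applies to the PINs sniok found stored in the clear: a numeric PIN has a keyspace of a few thousand to a million values, so even hashed with a per-user salt it only survives if the server rate-limits and locks the account after a handful of wrong attempts. Storing it in plaintext, as here, means one database read hands every user's PIN to whoever got the dump.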

Here is the site users list that was posted by the_avid: https://gist.github.com/anonymous/f9f58b21d370a5564f6d

Here is a screenshot of the admin inbox sniok provided to us while he was logged in as the admin user:

High quality screenshot. Note the PMs claiming the 5 BTC bounty and the fact that known vendors are trying to get verified on this marketplace:

Cantina, you should thank them. They did you a favor. At least you were not hacked by LE.

Updated: 2014-01-29