
Security Challenge II

  • 03-04-2011 7:38pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Sorry about the delay, was on holidays for a while. Plus it's a bit challenging to come up with a tricky but fun challenge that hasn't been done before, that is suitable for these kinds of war games, and yet realistic at the same time.

    Anyways, the second challenge is up. A bit more tricky than last time.

    Some people may see what to do straight away. Some people may be able to do what they see straight away, that's why there is a further challenge to get onto the hall of fame. So you will have to do two different kinds of security analysis/hacking in this one!

    As usual...

    Aim:
      Find weaknesses and flaws in the website design.
      Find a way to enter your name on the hall of fame based on these weaknesses and flaws.
      This challenge has two different areas for you to hack before you can get onto the hall of fame.

    Rules:
      Try to NOT leave traces of your actions that may give away hints to others.
      This server is hosted on a home ADSL line, so it has a very slow uplink. So do not abuse/DoS the server. Doing so will slow it down and ruin the fun for everyone.
      Do NOT hammer the web-server; there is no need to run port/vulnerability scanners or web brute forcers against the server. It's not needed and won't help for this challenge.
      Any abuse of the challenge will result in it being taken offline.


    On with the challenge: http://damo.dyndns.info
    Enjoy.



Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    How is everyone finding it ?
    Some guy called "Cheesecake Monster" was successful. Congrats!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks Damo - I gave it a quick peek there, will give it a bash later on today.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Going through some of the logs, some seem to be a bit lost as to the direction to take, especially on the 2nd part.

    There is no trial and error stuff here. There is no tedious guess work. Just sit back and think, and ideas will come to you.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Got it :D

    Feck that was difficult. The first 90% was a breeze. The last part stumped me :o


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Going through some of the logs, some seem to be a bit lost as to the direction to take, especially on the 2nd part.
    I was thinking a few times: "Shít, I hope he's not seeing all this and laughing at me."
    Had a blast and learned a few things though, thanks for doing it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks for taking the time out to create the challenge BTW Damo. I really enjoyed it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I was thinking a few times: "Shít, I hope he's not seeing all this and laughing at me."
    Had a blast and learned a few things though, thanks for doing it.

    Nah no laughs. Interesting to see how people piece it together. It's all about the fun and learning something at the same time.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I will leave it up for about a week.

    I will then upload all the source code, and server configurations/security hardenings I used if anyone wants to try to host similar.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    To the guy running w3af, kindly read the rules again, thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I don't see the point of running automated programs for these challenges. Defeats the purpose of the challenge.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Haha I can flag them in the hall of fame :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sorry 87.198.60.??? , you kept it up. You're blacklisted now.


  • Registered Users, Registered Users 2 Posts: 8 SunnyMonday


    Sorry 87.198.60.??? , you kept it up. You're blacklisted now.


    My bad
    I'm still coming to grips with w3af...

    Apologies if she went pear shaped.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It's ok, I will remove the block now.

    Edit: done, you can continue now.


  • Registered Users, Registered Users 2 Posts: 8 SunnyMonday


    It's ok, I will remove the block now.

    Edit: done, you can continue now.

    Cheers !


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    People seem to be finding this one tougher.. may have to start dropping some hints!

    I also remind people to clean up after themselves. People may get hints/spoilers from what you leave behind.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    93.96.173..?? running that automated scan ain't gonna help you.


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    damo2k

    if you're hinting - can you put spoilers on it .... just started looking at this for a couple minutes last night but work caught up with me .... will have a go over next couple of days.

    ta

    btw - i think i have my attack figured out - nothing like a good spin on a motorbike to clear the head and give you time to think!! ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    How is everyone getting on? Have people given up?


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Great challenge. loved every minute of it,

    Gonna give it a try again.

    It took over 5 hours the last time.

    Hopefully I will be quicker this time.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    damo

    did you harden it.

    I'm asking cause I had another go at it, drunk, and I can't get past part 1.

    It's probable that my brain got softened due to the alcohol.

    I learned loads from part 2,

    Great learning app,

    Can't wait for the next one..


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    damo

    did you harden it.

    I'm asking cause I had another go at it, drunk, and I can't get past part 1.

    It's probable that my brain got softened due to the alcohol.

    I learned loads from part 2,

    Great learning app,

    Can't wait for the next one..

    Nope, server is same as before. You should be able to do your attack as before.


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    Whoops, accidentally added myself to the list twice, pretty cool challenge, first part took me a good bit longer than it should have, made a fairly incorrect assumption about what was happening when I uploaded a file :P.

    Second part was pretty unexpected, I was expecting that once I got the first part it'd be trivial to add myself to the list, was wondering what you could've had planned for it :P, pleasantly surprised.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Pygmalion wrote: »
    Whoops, accidentally added myself to the list twice, pretty cool challenge, first part took me a good bit longer than it should have, made a fairly incorrect assumption about what was happening when I uploaded a file :P.

    Second part was pretty unexpected, I was expecting that once I got the first part it'd be trivial to add myself to the list, was wondering what you could've had planned for it :P, pleasantly surprised.

    No problem, congrats.

    Fixed the hall of fame for ya.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?
    Google:
    file upload exploits
    image upload exploits
    image php injection


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    syklops wrote: »
    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?

    Me too, my attempts at slipping in some code are either detected or don't work, this is probably beyond my abilities right now but it's fun trying :)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Hint 1: Avoid alcohol on this challenge

    Hint 2: You can't cheat at part 2 of this challenge,

    I tried and failed.

    @Damo2k

    For a possible hint for other users you could tell them, The message on the server that you left me, it got me thinking in the right direction and wasn't really aiding me.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Hint 1: Avoid alcohol on this challenge

    Hint 2: You can't cheat at part 2 of this challenge,

    I tried and failed.

    @Damo2k

    For a possible hint for other users you could tell them, The message on the server that you left me, it got me thinking in the right direction and wasn't really aiding me.

    Hehe 900913, I was going to put that into the bloopers at the end of the challenge along with the solution. There had been 1 or 2 other bloopers :-)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    @damo
    At that time I was actually going back in to add characters from the following names in the halloffame.

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    And the only word I think I could have got was:

    helP

    2nd and 3rd character of CheeseCake_Monster

    3rd character of Phlux

    and 1st character of Phlux

    --

    Damo would that have spelt "helP" on the halloffame wall.

    or would it have been just gibberish like my //900913 attempt


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    haha, yeah there is no need to do any cipher work in this challenge.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Well
    Damo

    Using them names in the halloffame

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    I could have added myself too as

    CheeSey_PuSSy_PhuCkS_Monster_DyCkS

    I had no chance of getting two 9's two 0's and a 1 and a 3.

    900913


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Well
    Damo

    Using them names in the halloffame

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    I could have added myself too as

    CheeSey_PuSSy_PhuCkS_Monster_DyCkS

    I had no chance of getting two 9's two 0's and a 1 and a 3.

    900913

    Or reverse the cipher, and you can add anything :-)

    Only thing now is, you won't find the hall of fame file so easily now ;-)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    If it's writable I'll find it.

    Can you hide it from the halloffame script.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    If it's writable I'll find it.

    Can you hide it from the halloffame script.

    Maybe not with -r+wx on the dir ;-)

    Yeah, without giving too much away for others, the halloffame script doesn't directly access it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    The first part of the challenge: Firebug & Tamper Data for Firefox will be extremely useful.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    The first part of the challenge: Firebug & Tamper Data for Firefox will be extremely useful.
    People with no-script already installed may not have even noticed the very very first part


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    True.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Or they could just disable something in their browsers for that very first part.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    damo
    I have noscript installed, what did i miss


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    damo
    I have noscript installed, what did i miss
    Disable it, and attempt the challenge again and you'll see :-)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Disable it, and attempt the challenge again and you'll see :-)
    I can't, I'm still too drunk, I'll have a look now


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    I can't, I'm still too drunk, I'll have a look now
    Less beer, more coffee.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    People that were having trouble should be able to follow the hints here now to send them on the right track to get past the first part.



    Sunny tomorrow, BBQ, Beers and bass in the garden :-)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    This won't help!
    you set the file attributes to d-wx-wx-wx and hid it in /var/tmp/[]
    It was the "MAX_FILE_SIZE" that was catching me last night when I was more drunk.

    hint:
    On part 2 you sort of gave me a hint, You said you HAVE TO USE the tool, So I used the tool

    I've tried realistic type challenges, but this is like real world.

    When is the next challenge.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Too much spoilers I think dude :) I'd remove the link just in case.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    dlofnep

    The 900913.php , It's password protected.


    @damo

    Is it ok if I post a pastebin link to a small script.

    It's got command exec, file uploader and zorback backconnect on it.

    It's only 3kb and it's plain text. The backconnect don't work on this challenge.

    It's on your server if you want to look.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah I don't mind. The challenge is only for fun. Not a competition :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    dlofnep
    The backconnect don't work on this challenge.

    Hehe that's deliberate.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    The zorback normally works. http://packetstormsecurity.org/files/view/82859/connect-back.php.txt

    This script is zorback that I edited/copied`n`pasted a file uploader and a shell_exec command to.

    It's only 3kb but after base64 encoding it's only 2kb.

    http://pastebin.com/8KkisxMy

