
Security Challenge II

  • 03-04-2011 8:38pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Sorry about the delay, was on holidays for a while. Plus it's a bit challenging to come up with a tricky but fun challenge that hasn't been done before, that is suitable for these kinds of war games, and yet realistic at the same time.

    Anyways, the second challenge is up. A bit more tricky than last time.

    Some people may see what to do straight away. Some people may be able to do what they see straight away, that's why there is a further challenge to get onto the hall of fame. So you will have to do two different kinds of security analysis/hacking in this one!

    As usual...

    Aim:
      Find weaknesses and flaws in the website design.
      Find a way to enter your name on the hall of fame based on these weaknesses and flaws.
      This challenge has two different areas for you to hack before you can get onto the hall of fame.

    Rules:
      Try to NOT leave traces of your actions that may give away hints to others.
      This server is hosted on a home ADSL line, so it has a very slow uplink. So do not abuse/DoS the server. Doing so will slow it down and ruin the fun for everyone.
      Do NOT hammer the web-server, there is no need to run port/vulnerability scanners or web brute forcers against the server. It's not needed and won't help for this challenge.
      Any abuse of the challenge will result in it being taken offline.


    On with the challenge: http://damo.dyndns.info
    Enjoy.



Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    How is everyone finding it?
    Some guy called "Cheesecake Monster" was successful. Congrats!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks Damo - I gave it a quick peek there, will give it a bash later on today.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Going through some of the logs, some seem to be a bit lost as to the direction to take, especially on the 2nd part.

    There is no trial and error stuff here. There is no tedious guess work. Just sit back and think, and ideas will come to you.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Got it :D

    Feck that was difficult. The first 90% was a breeze. The last part stumped me :o


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Going through some of the logs, some seem to be a bit lost as to the direction to take, especially on the 2nd part.
    I was thinking a few times: "Shít, I hope he's not seeing all this and laughing at me."
    Had a blast and learned a few things though, thanks for doing it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks for taking the time out to create the challenge BTW Damo. I really enjoyed it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I was thinking a few times: "Shít, I hope he's not seeing all this and laughing at me."
    Had a blast and learned a few things though, thanks for doing it.

    Nah no laughs. Interesting to see how people piece it together. It's all about the fun and learning something at the same time.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I will leave it up for about a week.

    I will then upload all the source code, and server configurations/security hardenings I used if anyone wants to try host similar.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    To the guy running w3af, kindly read the rules again, thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I don't see the point of running automated programs for these challenges. Defeats the purpose of the challenge.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Haha I can flag them in the hall of fame :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sorry 87.198.60.??? , you kept it up. You're blacklisted now.


  • Registered Users Posts: 8 SunnyMonday


    Sorry 87.198.60.??? , you kept it up. You're blacklisted now.


    My bad
    I'm still coming to grips with w3af...

    Apologies if she went pear shaped.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It's ok, I will remove the block now.

    Edit: done, you can continue now.


  • Registered Users Posts: 8 SunnyMonday


    It's ok, I will remove the block now.

    Edit: done, you can continue now.

    Cheers !


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    People seem to be finding this one tougher.. may have to start dropping some hints!

    I also remind people to clean up after themselves. People may get hints/spoilers from what you leave behind.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    93.96.173..?? running that automated scan ain't gonna help you.


  • Registered Users Posts: 576 ✭✭✭ifah


    damo2k

    if you're hinting - can you put spoilers on it .... just started looking at this for a couple minutes last night but work caught up with me .... will have a go over next couple of days.

    ta

    btw - i think i have my attack figured out - nothing like a good spin on a motorbike to clear the head and give you time to think!! ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    How is everyone getting on? Have people given up?


  • Registered Users Posts: 367 ✭✭900913


    Great challenge. loved every minute of it,

    Gonna give it a try again.

    It took over 5 hours the last time.

    Hopefully I will be quicker this time.


  • Registered Users Posts: 367 ✭✭900913


    damo

    did you harden it?

    I'm asking cause I had another go at it, drunk, and I can't get past part 1.

    It's probable that my brain got softened due to the alcohol.

    I learned loads from part 2,

    Great learning app,

    Can't wait for the next one..


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    damo

    did you harden it?

    I'm asking cause I had another go at it, drunk, and I can't get past part 1.

    It's probable that my brain got softened due to the alcohol.

    I learned loads from part 2,

    Great learning app,

    Can't wait for the next one..

    Nope, server is same as before. You should be able to do your attack as before.


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    Whoops, accidentally added myself to the list twice, pretty cool challenge, first part took me a good bit longer than it should have, made a fairly incorrect assumption about what was happening when I uploaded a file :P.

    Second part was pretty unexpected, I was expecting that once I got the first part it'd be trivial to add myself to the list, was wondering what you could've had planned for it :P, pleasantly surprised.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Pygmalion wrote: »
    Whoops, accidentally added myself to the list twice, pretty cool challenge, first part took me a good bit longer than it should have, made a fairly incorrect assumption about what was happening when I uploaded a file :P.

    Second part was pretty unexpected, I was expecting that once I got the first part it'd be trivial to add myself to the list, was wondering what you could've had planned for it :P, pleasantly surprised.

    No problem, congrats.

    Fixed the hall of fame for ya.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?
    Google:
    file upload exploits
    image upload exploits
    image php injection


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    syklops wrote: »
    My web app hacking skillz suck, but I need to improve as part of my job so I thought I would try this but I have to say, I am finding it a bit tough. Any chance of a hint?

    Me too, my attempts at slipping in some code are either detected or don't work, this is probably beyond my abilities right now but it's fun trying :)


  • Registered Users Posts: 367 ✭✭900913


    Hint 1: Avoid alcohol on this challenge

    Hint 2: You can't cheat at part 2 of this challenge,

    I tried and failed.

    @Damo2k

    For a possible hint for other users you could tell them, The message on the server that you left me, it got me thinking in the right direction and wasn't really aiding me.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Hint 1: Avoid alcohol on this challenge

    Hint 2: You can't cheat at part 2 of this challenge,

    I tried and failed.

    @Damo2k

    For a possible hint for other users you could tell them, The message on the server that you left me, it got me thinking in the right direction and wasn't really aiding me.

    Hehe 900913, I was going to put that into the bloopers at the end of the challenge along with the solution. There had been 1 or 2 other bloopers :-)


  • Registered Users Posts: 367 ✭✭900913


    @damo
    At that time I was actually going back in to add characters from the following names in the halloffame.

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    And the only word I think I could have got was:

    helP

    2nd and 3rd character of CheeseCake_Monster

    3rd character of Phlux

    and 1st character of Phlux

    --

    Damo would that have spelt "helP" on the halloffame wall.

    or would it have been just gibberish like my //900913 attempt

