Security Challenge II (Web Hacking Intermediate)

dlofnep · 11-05-2011 1:23am #1

Rules.

No need for brute forcing or exploits. No DoS attacks, or attacks on the network. Will be monitoring logs - anyone going outside the challenge will be blacklisted.

Challenge: http://republicofhack.dyndns.org/

Best of luck. I'd estimate the challenge to be of medium difficulty, more difficult than my previous challenge - but not as difficult as Damo's last challenge.

h57xiucj2z946q · 11-05-2011 9:14am

Sweet, will take a look at it after work.

dlofnep · 11-05-2011 11:28am

Cool

Also can I add, there is no need for any automated scanners. This challenge is doable manually, and requires nothing beyond a few browser addons.

syklops · 11-05-2011 12:43pm

Is it still up? Im getting connection timed out.....

dlofnep · 11-05-2011 1:31pm

Server is backup, sorry about that.

dlofnep · 11-05-2011 2:57pm

1 completed so far

syklops · 11-05-2011 3:19pm

Stuck on the login screen

dlofnep · 11-05-2011 3:25pm

syklops wrote: »

Stuck on the login screen

You'll need to figure out how it's validated and what exactly is validating it

.

h57xiucj2z946q · 11-05-2011 4:19pm

done and done, nice challenge! :-)

dlofnep · 11-05-2011 5:40pm

Congrats Damo

Glad you liked it.

h57xiucj2z946q · 11-05-2011 11:11pm

Anyone else trying this?

Redshift · 11-05-2011 11:12pm

Is it possible to get SQLi through the WAF? I've tried various ways of encoding it

it's detected when plain but when encoded I cant determine if anything is being executed becuase I cant see any feedback

syklops · 11-05-2011 11:19pm

Redshift wrote: »

Is it possible to get SQLi through the WAF? I've tried various ways of encoding it it's detected when plain but when encoded I cant determine if anything is being executed becuase I cant see any feedback

RedShift:

I believe that SQLi is not necessary. Its something else...

h57xiucj2z946q · 11-05-2011 11:19pm

Redshift wrote: »

Is it possible to get SQLi through the WAF? I've tried various ways of encoding it it's detected when plain but when encoded I cant determine if anything is being executed becuase I cant see any feedback

If you stuck on the WAF itself, try the most basic query and narrow it down until you find how its detected. You won't have to do complicated encodings.

dlofnep · 11-05-2011 11:55pm

Redshift:

You're doing well, it's not a tough WAF - I promise. Google WAF evasion and see if you can find anything.

Redshift · 12-05-2011 1:12am

Am I right in saying that I can't use union at all as it's filtered and instead of going after password hashes I should try for a file using another keyword which is not filtered.

Sorry if i'm not making sense.

Will have another look tomorrow, have to get up for work

chuckleberryfin · 12-05-2011 1:20am

Thanks for this, spent a bit too much time on

checking the tables

but was fun.

dlofnep · 12-05-2011 1:36am

Redshift wrote: »

Am I right in saying that I can't use union at all as it's filtered and instead of going after password hashes I should try for a file using another keyword which is not filtered.
Sorry if i'm not making sense.

Will have another look tomorrow, have to get up for work

You can use it but you need to evade the filter

After that, there's another part - you'll see when you get there

dlofnep · 12-05-2011 1:38am

chuckleberryfin wrote: »

Thanks for this, spent a bit too much time on
checking the tables
but was fun.

congrats!

dlofnep · 12-05-2011 2:13am

Server will be down for a few hours.

dlofnep · 12-05-2011 12:41pm

Back up again

syklops · 12-05-2011 2:42pm

Its no good now, is it? Where was it at 8am this morning when I had time to throw sh1t at it? :mad:

Seriously though its a great challenge. If I could only figure out where the Womens auxiliary air force came into it.

12-05-2011 2:57pm

Great challenge. I found one part really difficult.

dlofnep · 12-05-2011 3:07pm

900913 wrote: »

Great challenge. I found one part really difficult.

Msg me which part

And congrats!

Pygmalion · 12-05-2011 4:57pm

chuckleberryfin wrote: »

Thanks for this, spent a bit too much time on
checking the tables
but was fun.

Same, I spent pretty much all last night trying to

Find usernames/passwords in the SQL database

, had a look at the

WAF evasion

today and got it within a few minutes :P.

Also, apologies if my method of getting table and column names counted as brute-forcing or was a bit excessive, that was before I had a look at the WAF evasion and that was the only way I could think of to get them :P

Also since 900913 is down as "900913 cheated" in the HoF, is there an interesting story behind this or something?
Would be interesting to see how he did it if so :P

dlofnep · 12-05-2011 5:05pm

I sent him a message asking about that, I'm awaiting a response

12-05-2011 5:08pm

I used an application(acunetix http editor) instead of a firefox plugin to postdata

dlofnep · 12-05-2011 6:59pm

There is some server abuse, if it continues I will take it offline. This is the only warning. I hosted this challenge for people to have fun, and not to abuse it.

dlofnep · 12-05-2011 7:14pm

Server offline on account of misbehaviour. Will be examining the logs and certain people will be blacklisted from future events.

Successfully completed challenge:

sk
Damo2k
netjester
chuckleberryfinn
900913
Pygmalion

Redshift · 12-05-2011 7:18pm

Arrgh, just had that excited feeling of I think I know how to do this and just as I hit submit Bam Server gone.
Damn you whoever was fooling about:mad:

jim_bob · 12-05-2011 7:23pm

me too, although i doubt i was as close:o

any chance of bring it back

Security Challenge II (Web Hacking Intermediate)

Comments