Security Challenge

Just an update, some people seem to be going in the right direction, just not but not thinking why their approach isn't working for them, or not fully reading the apache/php error messages as to why their approach may not be working.

Do people feel its too hard?

lithiumoxide wrote: »

It's tough alright, but probably just because I don't have much of a background in computers! It's forcing me to learn a few things and I'm getting some decent guidance on various topics from others. Think I'm near the end, would like to see more of these. Thanks!

If that's you at the server at the minute, your on the right track :-)

How is everyone getting on?

Seems to be a nice bit of activity on the server this evening.

Cool. there might be some other stuff viewable alight. Not deliberately however hehe. I didn't put much effort into hard'ning the system.

lithiumoxide wrote: »

Not bad. Don't want to say too much, but I reckon this (last??) step will take some time!

consider a rule of thumb, always try the quicker approach first to save yourself possible time.

lithiumoxide wrote: »

Success!

Great challenge, highlighted lots of security issues, and a very good learning experience. Would love to see more!

Thank you, and thanks to those who gave me some gentle direction

Fair play.

Procasinator wrote: »

Hmm, I seem to be getting stuck:

My first instinct would have been to brute force the .htpasswd file for the moderator password (retrieved by path traversal), but it's taking a long time. Am I on a wild goose chase?

refer to post 18. best of luck.

Procasinator wrote: »

Done.

Well done Procasinator :-)

trout wrote: »

I skipped lunch and gave it bash ... nice

Any more ?

Im trying to come up with ideas.

These ideas must also follow..

1. A type of challenge where many people can participate and not interfere with each other. e.g NOT a once only hack where the system has to be reset or the challenge config reset after someone was successful or a hack that messes up the challenge for other people.

2. A challenge that doesn't leave foot prints of previous users that gives the challenge away. e.g. Imagine people in this challenge could read the /var/log/apache2/access.log, they would have had an easier time! (by the way, many tried!)

3. A challenge that is not prone to abuse from people. Even though the rules were clearly stated, some people insisted on running vulnerability scanners which more or less brute force all known exploits against the server. Some ran Nessus, some ran a Nikto which tries almost every webserver attack one after another, and many tried to brute force a login for ssh over the internet! This will hog my bandwidth for other people who genuinely want to do the challenge. I have your IP's you's feckers!

Port scans with the likes of nmap are ok. They are pretty lightweight. Sometimes you need to identify the services on a server. My default router config can pick up less advanced port scanners anyway.

4. A challenge that doesn't compromise my home network, since the VM has internet access, and is able to accept incoming connections, it is able to view home network. I haven't found a way to sandbox the VM while maintaining incoming connections or allowing outgoing connections. While I feel most people here would only be interested in the challenge, it only takes one or two people to spoil the fun for everyone.