And We’re Off! Challenge 2 Underway
For those of you who are interested, the second ha.ckers.org challenge is underway. Click here to begin the challenge. Everything you need is under that directory, and even after the contest is finished you can still participate, for those of you who don’t like the pressure of doing something within a certain timeframe. The forum is open for people who want to chat about this while they work. For everyone else, good luck!
Update: And the results are in! Pretty amazing times for the first several winners, and I’ll have to post on our “special winner” Stefan who managed to actually hack the test. Congrats to everyone who won! A spoiler is now live for anyone who is completely stumped.
2:04:53: NoS (Sergey Novotarskiy)
2:06:51: Stefan Esser
2:17:50: AviD
2:20:31: Mario Heiderich
2:21:00: christ1an
3:13:14: kuza55
3:17:22: Jibbler
4:32:43: barbarianbob
5:58:31: David Lindsay
6:22:45: fidels
And since he asked so nicely to be mentioned, Jesper came in 11th with a time of 6:28:05. DoctorDan followed at 6:52:11.

August 20th, 2007 at 2:17 pm
wtf… I don’t know English units of length… I don’t understand the meaning of the question!!!!
!! f**k!!
August 20th, 2007 at 2:32 pm
I suggest you look in the forums: http://sla.ckers.org/forum/read.php?11,14714
August 20th, 2007 at 3:35 pm
Very nice one
I am really looking forward to round 3…
August 20th, 2007 at 3:52 pm
Congratulations to the first winners. I didn’t make it further than the “Sesame” yet - going to bed now
August 20th, 2007 at 4:10 pm
For the next round it would be cool if it was more web application security related.
August 20th, 2007 at 4:15 pm
I’m open to suggestions on what kinds of things you’d like to see. I’m wary about making the site exploitable directly, so anything I allowed you to do would have to be in the context of your own user only. Makes it tougher. But this did tie in a number of webappsec concepts. States, stupidly hard CAPTCHAs, cookie tampering, etc… You’re just so familiar with these concepts that it doesn’t seem like a stretch for you. Trust me, we have some interesting concepts up our sleeves for future versions. If anyone has interesting suggestions email me offline, and I may add some of it in, or parts of the ideas.
August 20th, 2007 at 4:26 pm
What isn’t webappsec about it, christ1an? I think it’s a cool one, and pretty much on the spot.
August 20th, 2007 at 4:42 pm
Well, it’s not even described as a webappsec challenge, Ronald. However, I’d wish for some more relation to it.
It is fun to play with if one is bored or needs some clothes for free. I can answer your question better after it’s finished.
August 20th, 2007 at 4:50 pm
Funny, we were actually thinking about moving away from webappsec only and bringing in some other concepts. We’ll have to buy a domain specifically for that to work, but I think it would be worth it if you all would like to try your hand at some completely different concepts.
August 20th, 2007 at 5:33 pm
That would be cool RSnake, have you thought about some really tough stuff? I mean really hard? Stuff that takes a week or something, instead of 30-60 minutes.
haha, still good stuff.
August 20th, 2007 at 5:41 pm
Well, the stuff that takes weeks generally requires enumeration, iteration or tedious trial and error. I think most people would pull their hair out well before a week’s time. I dunno, I think I’ll slowly crank up the hardness scale until it’s more like a day’s time before we get all ten winners. Right now it’s been 4 hours and 30 minutes and we still don’t have all ten winners. That means I cranked the hardness knob in the right direction. I also wanted to make sure people had something to play with. Last time there wasn’t enough interactivity. This time it’s got a lot more, but I’d like it to be even more over time. But I think there are interesting ways to make it take longer without it being ultra-tedious. There’s a lot to web apps, so there are lots of techniques to build on.
August 20th, 2007 at 5:51 pm
Well, what about opening your telnet port?
Yes, indeed I really like this one. But it does require control over certain “features” of the browser. I’m not sure everyone knows about this, but it’s a great learning curve. That’s for sure, I hit the last clue in under 40 minutes and a beer; it could have been found way faster with some reasoning though. It’s too late here, have to catch some sleep.
Enjoy everyone!
August 20th, 2007 at 8:29 pm
Hey RSnake — doesn’t the HTTP RFC specify that cookie names and values cannot contain whitespace, commas, or semi-colons, unless they are URL-encoded? That has always been my understanding. Only after you posted the spoiler did I realize that I was encoding the cookie properly, but the challenge expected it to be submitted in a non-compliant format! Any thoughts?
August 21st, 2007 at 6:44 am
@Chris - yes but there are a number of things in both this test and the last one that aren’t exactly RFC compliant or normal. In the JavaScript source I said admin=”bobs your uncle” not “bobs%20your%20uncle”.
Some people also noted that some browsers didn’t encode the single quote in the URL. It totally depends on the browser you are using. I intentionally made the script as stupid as possible so I did exact string compares, rather than the proper decoding of URL encoded strings. I don’t think I’ll ever make the challenge completely RFC compliant though, because there’s lots of interesting things within the HTTP headers that aren’t compliant that can be used to fingerprint webservers for instance.
August 21st, 2007 at 7:26 am
@RSnake — It was just an observation, and you raise a valid point on the server fingerprinting. The main reason I brought up the notion of RFC compliance is that one of your motivations with the challenges (I think) is to help teach people about web application security. So while you might not go so far as to disallow the non-compliant versions of the cookie, I would probably try to handle basic things such as URL encoding since it’s easy to reproduce. Fun challenge though, and at the very least you’ve probably introduced some people to the idea of cookie poisoning.
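The mismatch Chris and RSnake discuss above, shown as an added example (not code from the challenge or from ha.ckers.org): a server that does an exact string compare on the raw cookie value accepts only the non-compliant `admin=bobs your uncle`, while a server that first strips a surrounding double-quote pair and percent-decodes also accepts what a compliant client would send. The cookie name `admin` and the expected value come from RSnake’s comment; the session cookie name and the three sample `Cookie:` headers are constructed for the example.

```python
from urllib.parse import unquote

# Value the challenge script compared against, per RSnake's comment above.
EXPECTED = "bobs your uncle"


def parse_cookie_header(header: str) -> dict:
    """Split a raw 'Cookie:' header into name -> raw value, without decoding.

    Splitting on ';' is exactly why a literal ';' can never appear in a
    value: it has to be percent-encoded (or the cookie is truncated).
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            continue  # bare token without '='; nothing to compare
        cookies[name.strip()] = value.strip()
    return cookies


def is_admin_naive(header: str) -> bool:
    """Exact compare on the raw bytes, the 'stupid' check the post describes."""
    return parse_cookie_header(header).get("admin") == EXPECTED


def normalize_cookie_value(raw: str) -> str:
    """Drop an RFC 6265 DQUOTE wrapper, then percent-decode the value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return unquote(raw)


def is_admin_decoded(header: str) -> bool:
    """Same check after normalizing, so compliant encodings also match."""
    raw = parse_cookie_header(header).get("admin")
    return raw is not None and normalize_cookie_value(raw) == EXPECTED


# Constructed sample headers (not captured from the challenge).
RAW_SPACES = "session=abc123; admin=bobs your uncle"          # what the challenge expected
PERCENT_ENCODED = "session=abc123; admin=bobs%20your%20uncle"  # what Chris sent
QUOTED = 'session=abc123; admin="bobs your uncle"'             # quoted-string form


if __name__ == "__main__":
    for label, hdr in (("raw spaces", RAW_SPACES),
                       ("percent-encoded", PERCENT_ENCODED),
                       ("quoted", QUOTED)):
        print(f"{label:16} naive={is_admin_naive(hdr)!s:5} decoded={is_admin_decoded(hdr)}")
```

Note that `normalize_cookie_value` decodes once and only after stripping the quote pair; decoding in a loop would let `%2527`-style inputs collapse further than the client intended, which is the kind of mismatch server fingerprinting relies on.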
August 21st, 2007 at 8:35 am
I know the challenges are meant for people that know something about webappsec, but I was wondering if it was possible to get slightly more detailed spoilers for those of us without a clue, as a means of learning.
August 21st, 2007 at 12:44 pm
I know the challenges are aimed at people that know webappsec, but is there any chance that slightly more detailed spoilers could be posted for people just starting out?
August 23rd, 2007 at 9:28 am
@Dhubh
I think it’s important to have the right tools, it can make things easier. Firefox has good extensions which allow you to work from your browser instead of a terminal, netcat or telnet.
A few I used:
- Cookie editor
- Tampter data
- Firebug (most important)
With Firebug all scripts become visible without even accessing them. Tampter data allows you to modify the request, and cookies too. I found the first two clues with these tools in under 5 minutes. Without them I would probably be stuck on the first one.
For me, these are really important tools in websecurity.
Hope it helps
August 23rd, 2007 at 9:29 am
Tamper data
sorry, I was typing with one hand and watching girls outside
August 24th, 2007 at 8:41 am
Thanks Ronald,
I will mess around with them and see if I can make it any further.
ps. Sorry for the double post, when I looked back a few hours later and didn’t see my 1st post I figured something messed up
August 28th, 2007 at 3:48 pm
Hey, wassup with our prizes…?
AviD
August 28th, 2007 at 3:56 pm
I sent all the winners an email to give me their info, didn’t you get it? Check your spam bucket from a few days ago.
August 31st, 2007 at 1:28 am
Nope.

Not in spam bucket either…. can you send me again?
Thanks…
Can’t wait to get that t-shirt!!