Hacktivity 2010 - part 2


Here are some facts about the games.

War-game

The game was very difficult: it consisted of different servers, and one had to become root on them. There were 3 warm-up stages, which happened to be very difficult for most of the people.

I solved the first two warm-up stages with SQL injection.


There was only one text box and a submit button. The task was to retrieve the administrator password. I tried different input strings, and it gave different answers for “1”, “2”, “3”, “4”, and an “ERROR” for everything else except the string “id”. I decided: this should be an SQL injection kind of problem. I tried “1 or 1=1”, “1 and 1=1” and “1 AND 1=2”; all of them worked as expected. I tried a UNION SELECT and the server consistently answered: “Page cannot be accessed”. Fortunately, I tried injecting a second SQL statement into the parameter, which happened to work. I found that the database was PostgreSQL, which I had no experience with before, but that's the reason why I try to act like a hacker. I googled for injection strings, found the admin table, listed the columns and found the column names. The problem was that the length of the string I was able to retrieve on the page was capped at a few characters, so the substring function was the solution for that. I retrieved the password and gained 10 points.

Some remarks for myself: PostgreSQL uses “limit X offset Y”, concatenates with “||”, and it is not trivial to retrieve table and column names.


The second stage was blind SQL injection.

At first there was only a link on the page: “click here for hints”. When I opened the link, I got a POSTed “q=1” value and a string on the page: “ID exists”. The task was to retrieve the password for haxor.

With different kinds of SQL injection vectors I could retrieve the SQL error containing the SELECT statement hard-coded into the page source; it was something like this: “SELECT id,txt FROM fake WHERE id=1...ERROR:....”. After some testing I found the same anomaly as in the first stage. I tried a UNION SELECT and the server consistently answered: “Page cannot be accessed”, but an SQL command injection like “1;SELECT 1” worked well. I don't like to do blind SQL injection manually, so I used sqlmap. I really like this tool for most cases, but there are some very simple cases where I cannot make it work even though I know a trivial injection vector. Fortunately, in this case it worked pretty well. I dumped the request from Firefox with the Live HTTP Headers plugin and copied it into a text file for sqlmap. It was a piece of cake to dump the database and get the password for haxor.


The third stage was a login page and the task was to retrieve the password or whatever, I don't remember exactly. It was easy to determine that it would be an XML or XPath injection, because an injected “'” generated error messages with XML errors. I have no experience with XML injections, so I thought it wouldn't be worth the time to learn it now for only 10 points, because hacking a whole server was worth 50 points and other people already had 10 or 20, and perhaps one or at most two had 30 points.


These were the warm-ups, and I tell you in advance that only one guy could hack a whole machine: my colleague, with whom I work and from whom I learn a lot about hacking.


I reserved the remaining time for hacking a server to earn enough points to be in the top 3.

An IP address range was given to search for vulnerable servers. I scanned them for open ports and found 5 servers. I ran some basic scans on them, like Nessus and Spider and Analysis with Paros, but found nothing interesting at first; however, one of them generated several medium-level risks, so I chose that one, which had LemonCMS on it. I ran DirBuster with the minimal dictionary and it gave me some defaults, nothing interesting. After some scans I tried the medium dictionary and found a directory with server status info and PHP session IDs. I changed my session ID to one of those I found and I became somebody who was able to upload files to the web root. I uploaded a PHP shell and did some default searches; nothing interesting was found. I opened a port on my laptop and made a reverse shell connection. I pulled up my local Apache server and put some files on it to download to the server. Unfortunately I had no Linux local root exploits, so I could not hack the machine; this was the last step to solve. But I am happy because my colleague made it somehow and he won the first prize: a laptop. Congratulations!!!
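From a defender's side, the three findings above (stacked PostgreSQL statements and substring extraction in the warm-ups, and the exposed server-status page leaking PHP session IDs on the LemonCMS box) all leave traces in the web server's access log. The following is an added example, not code from the original post or from any tool named in it: it assumes Apache combined log format, uses constructed sample lines, and flags the request shapes the write-up describes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query shapes from the write-up: stacked statements ("1;SELECT 1"),
# UNION SELECT probes, substring() chunk extraction and tautologies.
SQLI_RULES = {
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "substring_extract": re.compile(r"\bsubstr(ing)?\s*\(", re.I),
    "tautology": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),
}
# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def classify_request(url):
    """Return the finding names for one request URL (empty list if clean)."""
    parts = urlsplit(url)
    findings = []
    # mod_status lists in-flight request URIs, which is how session IDs leaked
    # in the war-game; client hits on it should be rare and reviewed.
    if parts.path.rstrip("/").endswith("/server-status"):
        findings.append("server_status_access")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.upper() == "PHPSESSID":   # session ID carried in the URL
            findings.append("session_id_in_url")
        for name, rule in SQLI_RULES.items():
            if rule.search(value):       # parse_qsl already URL-decoded it
                findings.append(name)
    return findings

def scan_log(lines):
    """Return (ip, url, findings) for every line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (found := classify_request(m.group("url"))):
            hits.append((m.group("ip"), m.group("url"), found))
    return hits

# Constructed sample lines, not a real capture from the event.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2010:10:01:02 +0200] "GET /stage1.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Sep/2010:10:01:09 +0200] "GET /stage1.php?id=1%3BSELECT%201 HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Sep/2010:10:01:15 +0200] "GET /stage1.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 403 120',
    '10.0.0.7 - - [18/Sep/2010:11:20:00 +0200] "GET /server-status HTTP/1.1" 200 8040',
    '10.0.0.9 - - [18/Sep/2010:11:21:30 +0200] "GET /admin/upload.php?PHPSESSID=abc123 HTTP/1.1" 200 300',
]
```

Only GET query strings are visible in an access log; the POSTed "q" parameter from the second stage would need the request body (e.g. a ModSecurity audit log) to be checked the same way.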


Capture The Flag (CTF)

I don't know much about the CTF game; there were like 2 servers to hack and defend from other teams. Maybe next year our company will also take part in this kind of challenge.


Hack The Vendor (HV)

This game was a simple one. A Checkpoint IronPort content filtering machine was set up, and only a few web pages were available through it. The task was to access any other site through it. Nobody could do it.


Some interesting facts about the event:

  • There were like 1000 people on the event.
  • There were different kinds of broadcasting corporations, like Czech, Chinese, Al Jazeera...
  • There were international security experts: Bruce Schneier, Alexander Kornbrust and Felix "FX" Lindner.
  • There were Hungarian security experts with interesting talks.
  • There were hacking games.

That's all about Hacktivity 2010.