The “How Strong is your Fu” hacking tournament has officially begun. The hacking tournament will last for 48 hours – we wish you good luck! Everyone registered will get a chance to participate in “Phase 1” of the tournament. Please read the following very closely in order to make the best out of your experience:
“Phase 1” – you must hack our noob filter machine and extract a file called n00bSecret.txt from the local filesystem. Once you have the key, you have 10 minutes to submit it into the control panel.
“Phase 2” – The control panel will provide you with VPN files. Your VPN account will be automatically activated once you submit a correct “Phase 1” secret key. It will take 5 minutes for your account to get activated.
Due to the huge number of participants, we have currently enabled TWO noob filter machines for extra redundancy. Only the first 100 contestants to hack our noob filters will be allowed to proceed with Phase 2.
Tournament Info:
- The tournament IRC Channel can be found at #HSIYF on freenode.
- Penetration of the boxes accounts for 60% of the score.
- Documentation of the attacks accounts for 40% of the score.
- The noob filter secret key is called n00bSecret.txt
- Once the key is found, you have 10 minutes to submit it in the control panel.
- The scoreboard will show the current status of the contestants.
- Victim machines will be reverted every 30 minutes.
- The vulnerabilities are “real world”: we won’t be hiding passwords in JavaScript, images, etc., just as network admins wouldn’t.
Tournament Rules:
- Do not attack the scoreboard!
- Do not attack any IPs NOT listed below!
- No DOS, ARP spoofing or defacing – do not spoil the challenge for others.
- No disruptive attacks please – the aim is that everyone gets to enjoy the tournament.
- Anyone found disregarding these rules will be disqualified and banned.
Tournament IPs and URLs:
- Your attacks MUST BE CONFINED to the following IPs / URLs:
- Noob filter 1 – http://www1.noob-filter.com (67.23.72.4)
- Noob filter 2 – http://www2.noob-filter.com (67.23.72.5)
- NO OTHER ROUTABLE MACHINES SHOULD BE ATTACKED.
Submitting your Documentation:
Once you have completed the event, you have two options for document submission:
- EITHER: A writeup on a blog, website, etc. We will need a link to the post, as well as your nick and tournament email.
- OR: Send us a PDF file describing your attack – we may publish these.
- Ideally, try to organize your notes as a penetration test report – screenshots and explanations of your attacks are required.
- Once the tournament is over, it will take us 48 hours to evaluate the documentation and announce the winner.
Hints and Help:
- FTP credentials are: devil / killthen00b
- Internal VPN IPs – 192.168.6.66/67/68 (all same) and 192.168.6.70/71/72 (all same).
- Follow our TWITTER feeds…
- Try harder
- Don’t forget the IRC channel.
- Online bruteforce attacks will not get you far, avoid them.
- Some machines have protection mechanisms installed. Making too much noise will activate them… 5-minute cooling periods will be enforced!
Final Notes:
Please play nice. We all want to have a good time and enjoy the tournament, and not have to deal with malicious attacks outside the scope of the challenges. Remember – all the vulnerabilities are “real world”, we don’t play games.
Can you please publish the questions and answers for this tournament after it ends?
I would like to thank Offensive-Security for hosting this contest. I was very pleased. :)