Without any further delay, we would like to congratulate the official winners of HSIYF 2 for charity:

1st place – Sinn3r

2nd place – TecR0c

You can read their solutions here and here.

We would also like to thank EVERYONE who helped and participated in this event. Till next time!

The cyber hacking challenge – “How Strong is your Fu for Charity” is about to begin! All contestants have received emails with login credentials, and should download the VPN certificates from their control panel page. You can log in to the control panel using the same credentials. The gates will soon be opened!

General info:

• The tournament will last for 48 hours.
• There are 5 machines in each challenge room, each machine contains a “proof.txt” file on the administrator or root desktops. Discovery of each proof file provides 20 points.
• The first to reach 100 points wins a free BlackHat Vegas ticket. The second to reach 100 points wins an online CTP course.
• Attendees, please join our IRC channel on freenode – #HSIYF.

Challenge rules:

• Respect your fellow hackers – do not change configurations of machines once compromised.
• This includes changing of passwords, deleting files or otherwise making the challenge machines unavailable to others.
• You may not change your VPN IP address
• You may not ARP spoof or preform any layer 2 attacks
• Avoid bruteforce attacks, they will get you nowhere.

We would like to thank you all for registering to this tournament and contributing to the HFC. We wish you all an enjoyable and challenging event!

Our second cyber hacking challenge from Offensive Security is on it’s way. Registration to “How Strong is your Fu – For Charity” has begun! Offsec has teamed up with the crew at Hackers For Charity and the world’s premier Hacker Con – BlackHat, to provide another amazing Cyber Hacking Challenge with a whole new level of pain.  Our goal is to raise $5000 for HFC as well as provide a world class cyber hacking event. The prizes? 1st place gets a BlackHat Vegas Conference Ticket (no travel included) , 2nd place gets a CTP Online Course from Offensive Security. Wowz!

Unlike our previous challenge, seats to this tournament will be limited, and require a registration fee of 49.00 $US. All proceeds from this event go to the HFC, and their efforts in East Africa.

What to expect?

The event will take place on June 19th, 2010 and will last for 48 hours. Since this contest is not for all the public, we have sent the n00b filter to a retirement facility in the deep south and set up a new level of challenge for you.  Contestants will have to combat with hardened web applications, fuzz unknown protocols and programs and write custom exploits.  This is just scratching the surface of what you will face to win the awesome prizes!

The Registration Process

Once payment is approved, you will receive a confirmation mail from PayPal and your registration will be complete. On the 18th of June, you will receive a VPN connectivity pack to our Tournament servers by email. On June 19, our blog will announce the beginning of the tournament (around 14:00 GMT), and all hell will break loose.

Please note that the connectivity packs will be sent to your PAYPAL email address (the one used by your PayPal account).

REGISTRATION CLOSED!

• snowytoxa (14:52 h)
• kyprizel (14:53 h)
• touzoku (15:13 h)
• vadium (15:26 h)
• depth (25:45 h)
• dnet (25:51 h)
• woff (34:29 h)
• painsec (38:18 h)
• raph0×88 (40:14 h)
• ipax (40:14 h)
• ace1 (41:46 h)

Introduction

A couple of weeks ago, we decided to create a unique Hacking Tournament under the name “How Strong is your Fu” (HSIYF). We decided to use new vulnerable images we created for our PWB online course labs, and have the hacking community play with them. After a quick brainstorming session, we took a week to (re)discover our dark side and created the HSIYF challenge machines, noob-filter, ghost and killthen00b. This document will provide an overview of the challenge and describe possible attack vectors for each of the challenges presented.

Pre-challenge Preparations

Registration to the challenge was opened a couple of weeks before the challenge and the amount of sign-ups was overwhelming – way more than we expected. We didn’t want to disappoint the masses, and decided to design our challenges in a way that everyone would be able to participate – and so was born – “noob-filter.com”. The main concept behind the “noob filter” machine was to thin out all the registrations – only people whom could hack this challenge machine would be admitted into our VPN labs. Obviously, we immediately saw the flaw in this design – having over 1000 hackers run their favorite vulnerability scanner on this machine would spell doom to the initial challenge. We decided to deal with this in a nasty way – we installed a sensitive IPS, which would be triggered by such scanners. The IPS was configured for a 5-minute ban on the offending IP. This phase of the challenge was dubbed “Phase 1”.

HSIYF Event Overview

As the event started, we quickly realized we hadn’t taken into account several details:

• Sending over 1000 emails using a Google Premium account:

Our initial mail blast took over 3 hours to send – many people got their mails late. We attempted to help those who contacted us by providing them the information via IRC.

• Expecting 1000 hackers to read the instructions from beginning to end:

In hindsight – an unrealistic expectation. Some participants were not native English speakers, while others simply didn’t RTFM.

• Expecting 1000 hackers to abide by our rules:

Our “please do not damage the challenge machines” plea fell on deaf ears. We believe there was a general sense of “lack of accountability” – meaning that many participants did not care about leaving challenge machines in tact for others to enjoy.

• Ignoring Mother’s day:

Some participants’ efforts were hampered by “Mothers day”…

Thankfully, each of these oversights was managed in real time, with minimal impact to the tournament. No mothers were harmed during this tournament.

Main difficulties encountered by contestants

The most overwhelming initial difficulty encountered by participants was the n00b filter IPS. The IPS threw almost everyone off, bringing up claims that “the servers were down” or that “the servers were real slow”. Neither of these observations was true. Eventually, people caught on, and started being more careful with traffic sent to the n00b filter machines. Generally speaking, we noticed a “sheep herd effect”, where a single wrong observation was reported in the IRC channel, and then repeated by others continuously, misleading the main mass of the contenders.

Challenge Solutions

The part you’ve all been waiting for – solutions to our challenge boxes.

Noob filter

Our noob filter box was running Fedora 12, fully patched. Although the index page contained a login form, the machine itself was not running MySQL or PHP. The server was also running a vulnerable version of DotDefender – a WAF which contained an unpatched remote command execution vulnerability, described here: http://www.exploit-db.com/exploits/10261

The described vulnerability is a POST authentication vulnerability, leading many to believe they needed to administrative password in order to exploit it. Our configured password was “password”, which we expected to be cracked and changed relatively quickly. In accordance to our expectations, this happened very fast, leaving other contestants “stranded”, complaining that “the password was changed” and therefore the vulnerability was “unavailable for them to exploit”.

A quick examination of the DotDefender software (in a local lab…. did anyone download the software locally and try it out? Tsk Tsk …) should have revealed a 0day XSS vulnerability in the “Host Header” field of the HTTP request, allowing to create a “one two punch combination” resulting in unauthenticated remote command execution. Check out sample code here. We will post part 2 and three in the next few days.

HSIYF Tournament Winners

After a couple of days of reading through submitted documentation, we are happy to announce the winners of the HSIYF Hacking Tournament #1. We did NOT have an easy time deciding the winners, as there were several elements factored in the results. The two main elements factored in were speed of completion (of all the challenges) and the presentation of the results.

So, without further ado we would like to announce Vadium and Woff as the final winners of HSIYF #1. We will shortly publish our own review of the challenge. We would like to personally thank all those who participated and sent their results in.

The tournament will end officially on Monday 14:00 GMT, when all servers will be shut down except for the scoreboard.

You will have 24 hours once the tournament ends to submit your documentation to our judge panel – fu-at-offsec-dot-com.

The scoreboard will be updated as we evaluate the documentation. If you choose to blog about your solution, we suggest you password protect your post, so that others wont mooch your solutions. Don’t forget to send us both the blog link and the password.

“Phase 1″ – you must hack our noob filter machine and extract a file called n00bSecret.txt from the local filesystem. Once you have the key, you have 10 minutes to submit it into the control panel.

“Phase 2″ – The control panel will provide you with VPN files. Your VPN account will be automatically activated once you submit a correct “Phase 1″ secret key. It will take 5 minutes for your account to get activated.

Due to the huge number of participants, we have currently enabled TWO noob filter machines for extra redundancy. Only the first 100 contestants to hack our noob filters will be allowed to proceed with Phase 2.

Tournament Info:

• The tournament IRC Channel can be found at #HSIYF on freenode.
• Penetration of the boxes accounts for 60% of the score.
• Documentation of the attacks accounts for 40% of the score.
• The noob filter secret key is called n00bSecret.txt
• Once key is found, you have 10 minutes to submit it in the control panel.
• The scoreboard will show the current status of the contestants.
• Victim machines will be reverted every 30 minutes.
• The vulnerabilities are “real world”, we wont be hiding passwords in javascript, images etc, just as network admins wouldn’t.

Tournament Rules:

• Do not attack the scoreboard!
• Do not attack any ips NOT listed below!
• No DOS, ARP spoofing or defacing – do not spoil the challenge for others.
• No disruptive attacks please – the aim is that everyone gets to enjoy the tournament.
• Anyone found disregarding these rules will be disqualified and banned.

Tournament IPS and URLS:

• Your attacks MUST BE CONFINED to the following IP’s / URL’s:
• Noob filter 1 – http://www1.noob-filter.com (67.23.72.4)
• Noob filter 2 – http://www2.noob-filter.com (67.23.72.5)
• NO OTHER ROUTABLE MACHINES SHOULD BE ATTACKED.
• No disruptive attacks please – the aim is that everyone gets to enjoy the tournament.
• Anyone found disregarding these rules will be disqualified and banned.

Submitting your Documentation:

Once you have completed the event, you have two options for document submission:

• EITHER : A writeup on a blog, website, etc. We will need a link to the post, as well as your nick and tournament email.
• OR : Send us a PDF file describing your attack – we may publish these.
• Ideally, try to organize your notes as a penetration test report – screenshots and explanations of your attacks are required.
• Once the tournament is over, it will take us 48 hours to evaluate the documentation and announce the winner.

Hints and Help:

• FTP Credentials are : devil / killthen00b
• Internal VPN IP’s – 192.168.6.66/67/68 (all same) and 192.168.6.70/71/72 (all same).
• Follow our TWITTER feeds…
• Try harder
• Don’t forget the IRC channel.
• Online bruteforce attacks will not get you far, avoid them.
• Some machines have protection mechanisms installed. Making too much noise will activate them…5 minute cooling periods will be enforced!

Final Notes:

Please play nice. We all want to have a good time and enjoy the tournament, and not have to deal with malicious attacks outside the scope of the challenges. Remember – all the vulnerabilities are “real world”, we don’t play games.

What to Expect:

• The challenge will be built of two Phases, appropriately called “Phase 1″ and “Phase 2″. Phase one is also humorously called “The noob filter”, as only the first 100 people who hack their way past this machine will pass on to “Phase 2″. Please do not be offended by the choice of machine names, it’s all done in humor. Once “Phase 1″ is hacked by an attendee, they will find instructions on how to proceed to “Phase 2″.
• “Phase 2″ will involve VPN access to an internal lab, with several additional machines which are trembling with anticipation for the taunting session hacking tournament.
• All registered attendees will get an email on the 8th of May, around 14:00 GMT (that means around 10am EST) with further instructions, attack adresses, etc. We have around 120 people who have not verified their registration – those will not be included in the list. If you did not get a confirmation email, re-register, or contact Offsec Staff (figure out how).

The Hacking tournament machines will be implemented in our PWB labs once the tournament is over. As we refresh our lab machines every so often… perhaps this could turn into a tradition ? We are really looking forward to the hacking tournament, with some really slick victim machines set up…. we will be waiting for your pings.