Comments on: HSIYF Offensive Security Report – 1 of 3 http://www.information-security-training.com/news/offsec-hsiyf-report-part1/ Tactical Network Security Courses and Certifications Wed, 16 Jun 2010 10:48:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: adminhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-156 admin Thu, 13 May 2010 04:32:28 +0000 http://www.information-security-training.com/?p=752#comment-156 @5M7X - yeps...their site updated a couple of days after the tournament... @5M7X – yeps…their site updated a couple of days after the tournament…

]]> By: iconicfluxhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-151 iconicflux Thu, 13 May 2010 01:52:50 +0000 http://www.information-security-training.com/?p=752#comment-151 I would have to agree with dr_ide. At one point, I got the n00bSecret.txt contents and submitted it within 30 seconds but the system told me it was invalid. I simply had to rerun my requests but just rerunning the requests took about 2 hours because of the slowness being experienced. I do find it interesting that you think using the XSS was the best option for executing the deletesite function. Personally, I found the easiest way was just guessing passwords to get access to the interface. But then... I'm lazy. :-) I would have to agree with dr_ide. At one point, I got the n00bSecret.txt contents and submitted it within 30 seconds but the system told me it was invalid. I simply had to rerun my requests but just rerunning the requests took about 2 hours because of the slowness being experienced.

I do find it interesting that you think using the XSS was the best option for executing the deletesite function. Personally, I found the easiest way was just guessing passwords to get access to the interface.

But then… I’m lazy. :-)

]]> By: 5M7Xhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-148 5M7X Wed, 12 May 2010 22:45:32 +0000 http://www.information-security-training.com/?p=752#comment-148 *sorry for the doublepost* but if somebody wants to download the dotdefender-waf he should not go for the vendors homepage since you get only a v4-trial there but you can find a copy of the vuln software as an rpm e.g. there -> http://www.download3k.com/Install-dotDefender-Monitor.html *sorry for the doublepost* but if somebody wants to download the dotdefender-waf he should not go for the vendors homepage since you get only a v4-trial there but you can find a copy of the vuln software as an rpm e.g. there -> http://www.download3k.com/Install-dotDefender-Monitor.html

]]> By: 5M7Xhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-147 5M7X Wed, 12 May 2010 22:43:34 +0000 http://www.information-security-training.com/?p=752#comment-147 1) POST requests to admin.cgi were blocked by the IDS. <-- funny i did my code injects via just manupulating the POST-requests via tamper-data ^^ well okay it took a while but it worked. :D *now i know why it was so slow, thx!* 1) POST requests to admin.cgi were blocked by the IDS. <– funny i did my code injects via just manupulating the POST-requests via tamper-data ^^ well okay it took a while but it worked. :D *now i know why it was so slow, thx!*

]]> By: How I Beat the Offensive Security Challenge « Spare Clock Cycleshttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-140 How I Beat the Offensive Security Challenge « Spare Clock Cycles Wed, 12 May 2010 18:09:58 +0000 http://www.information-security-training.com/?p=752#comment-140 [...] 05/12/10: The Offsec guys have just posted a response to some of the issues I raised here on their blog. The password was apparently not necessary, as [...] [...] 05/12/10: The Offsec guys have just posted a response to some of the issues I raised here on their blog. The password was apparently not necessary, as [...]

]]> By: adminhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-136 admin Wed, 12 May 2010 15:56:35 +0000 http://www.information-security-training.com/?p=752#comment-136 @Dantevios some answers to your questions: 1) POST requests to admin.cgi were blocked by the IDS. 2) Why were people compelled to log into the WAF admin interface? Again, not required for the exploit. 3) Yes, using a POST request to index.cgi, or using the XSS + auth reflection described in our solution. 4) Answered by 1) 2) and 3). Thank you! @Dantevios some answers to your questions:
1) POST requests to admin.cgi were blocked by the IDS.
2) Why were people compelled to log into the WAF admin interface? Again, not required for the exploit.
3) Yes, using a POST request to index.cgi, or using the XSS + auth reflection described in our solution.
4) Answered by 1) 2) and 3).

Thank you!

]]> By: dr_idehttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-134 dr_ide Wed, 12 May 2010 12:48:14 +0000 http://www.information-security-training.com/?p=752#comment-134 I think the problem was actually with the dotDefender application itself and the "server" per se. Once it became common knowledge that this particular exploit existed it seems as though the WAF became overwhelmed with attempts. It took me almost 2.5 hours to finally get my commands to run even though I had the solution in hand the entire time. Between the IPS, congestion and lamers changing the password. Still, hats off to the crew for a great event, we appreciate the hard work. I think the problem was actually with the dotDefender application itself and the “server” per se. Once it became common knowledge that this particular exploit existed it seems as though the WAF became overwhelmed with attempts.

It took me almost 2.5 hours to finally get my commands to run even though I had the solution in hand the entire time. Between the IPS, congestion and lamers changing the password. Still, hats off to the crew for a great event, we appreciate the hard work.

]]> By: Dantevioshttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-129 Dantevios Wed, 12 May 2010 10:18:20 +0000 http://www.information-security-training.com/?p=752#comment-129 I have a few questions about the n00b filter. I also wrote in detail about my experiences in trying to hack the n00b filter in my blog. You can read about my difficulties with the dotDefender application to get a better idea of what I'm talking about if you would like. You say: "The most overwhelming initial difficulty encountered by participants was the n00b filter IPS. The IPS threw almost everyone off, bringing up claims that “the servers were down” or that “the servers were real slow”. Neither of these observations was true. Eventually, people caught on, and started being more careful with traffic sent to the n00b filter machines." 1. Was it your intention for you IPS to prevent users from logging into the remote Site Management dotDefender application to use the exploit (http://www.exploit-db.com/exploits/10261) ? 2. Once users actually logged onto the Site Management for dotDefender are you claiming that it was supposed to trip the IPS if they used tools like burpsuite to craft the POST request to send to your server? 3. If so was there a way to use this exploit and not trip the IPS and what was that method? 4. Otherwise are you claiming the only way to avoid your IPS was to use the 0day or deal with the pain of the slowness from going down the route of the exploit found on exploitdb? I believe this is the alleged lag issue everyone was experiencing that I wrote about in my blog. I would really appreciate it if you could answer these questions and clarify for us what the intentions of your IPS were. I know several people told me they went down the pain route and fought using the exploit on exploitdb. I am wondering if everyone experienced this same delay. Thank you! Dantevios I have a few questions about the n00b filter. I also wrote in detail about my experiences in trying to hack the n00b filter in my blog. You can read about my difficulties with the dotDefender application to get a better idea of what I’m talking about if you would like.

You say:
“The most overwhelming initial difficulty encountered by participants was the n00b filter IPS. The IPS threw almost everyone off, bringing up claims that “the servers were down” or that “the servers were real slow”. Neither of these observations was true. Eventually, people caught on, and started being more careful with traffic sent to the n00b filter machines.”

1. Was it your intention for you IPS to prevent users from logging into the remote Site Management dotDefender application to use the exploit (http://www.exploit-db.com/exploits/10261) ?

2. Once users actually logged onto the Site Management for dotDefender are you claiming that it was supposed to trip the IPS if they used tools like burpsuite to craft the POST request to send to your server?

3. If so was there a way to use this exploit and not trip the IPS and what was that method?

4. Otherwise are you claiming the only way to avoid your IPS was to use the 0day or deal with the pain of the slowness from going down the route of the exploit found on exploitdb?

I believe this is the alleged lag issue everyone was experiencing that I wrote about in my blog. I would really appreciate it if you could answer these questions and clarify for us what the intentions of your IPS were. I know several people told me they went down the pain route and fought using the exploit on exploitdb. I am wondering if everyone experienced this same delay.

Thank you!
Dantevios

]]> By: dr_idehttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-124 dr_ide Wed, 12 May 2010 08:02:08 +0000 http://www.information-security-training.com/?p=752#comment-124 I posted my versions of the solutions on my blog for anyone that wants to check them out. Can't thank offsec enough for this great challenge and congrats to everyone that played along at home. I posted my versions of the solutions on my blog for anyone that wants to check them out. Can’t thank offsec enough for this great challenge and congrats to everyone that played along at home.

]]> By: Paul Maaouchyhttp://www.information-security-training.com/news/offsec-hsiyf-report-part1/comment-page-1/#comment-121 Paul Maaouchy Wed, 12 May 2010 07:15:11 +0000 http://www.information-security-training.com/?p=752#comment-121 Waiting Video Too From The Begin How He Hack This Machine :D Waiting Video Too From The Begin How He Hack This Machine :D

]]>