A lesson in exploiting
Posted by rhican - Sunday September 24 @ 02:27
Cat: Net-Force

Are you checking net-force on a Sunday on your quest to find something to learn? Well, this is your lucky Sunday. Today you will have a chance to get some hands-on experience with exploiting a webserver. Have no fear, the box is one of ours, and we do our best to keep it moderated.

The "challenge" has been beta tested a bit by IRC users the past few days. However nobody has gotten through to the last part. So you can still be the first...

Update 21:40 Adriaan & IPYouFy teamed up and got the job done first. Good job guys
Update 27/9 Added link to explanation by Adriaan.

I'll do my best to keep the box up until Sunday 24 September 0.00 CEST:

Some Rules:
- Don't do anything that could annoy my ISP.
- Don't use excessive bandwidth. (Doing so should cause the system to shut down)

Goal:
- Read the file /CANYOUREADME, which is located in the root of the filesystem.

Since I don't want the address to be statically on the web, sign on to IRC and somebody will point you in the right direction.

This is just for fun, the only thing up for grabs is your handle HERE: ...

If you are among the first to read the file, prove this by emailing the file to me. (If you could also briefly explain how, so I don't waste time analysing the logs ;) )

» Comments


nemin on 24 September 2006 21:51

Very nice rhican! Challenges like this are absolutely amazing, thanks :)

rhican on 25 September 2006 02:10

Tests ended, future plans unknown. Adriaan might find the time to write a text on how it was supposed to be done.

Hope some of you enjoyed it.

If you have great ideas feel free to contact me.

IDEA: maybe make this a monthly event? Say every last weekend of the month? (I will only put the effort in it if there are at least 20 people seriously interested in learning)

busyr on 25 September 2006 10:55

I'm interested, 19 to go...

cake on 25 September 2006 14:13

count me in

IPYouFy on 25 September 2006 18:20

me too ;-)

ilias on 25 September 2006 21:14

and me too.

w0rm on 25 September 2006 22:30

w0rm++;

Adriaan on 26 September 2006 17:07

Count me in :)

a7ma7m on 27 September 2006 08:02

and me too sir

Wousiej on 27 September 2006 12:22

$oMe = new cProgrammer;
$oEvent->addInterestedObj($oMe);

rhican on 27 September 2006 20:54

The editing of the solution sent in by Adriaan got bumped every time the past few days with more pressing things that come with starting a new year at university.

I finally got something semi ready, put together here

Feel free to ask anything it doesn't cover.

Just to be clear, this is a text by Adriaan, slightly edited by me.

busyr on 28 September 2006 00:39

Thnx Adriaan... I got close, even uploaded the same exploit, but got stuck at 'prepairing'... Just didn't think of replacing /bin/sh and coding my own, but that's probably 'cause I know my C sux, so I didn't read the source-code of the exploit too well....... 1 small step for h4ckerz, a giant leap for myself... ;-)

R!

rhican on 28 September 2006 01:08

Not to discourage anyone, but when exploiting, knowledge of several lower-level technologies is a rather vital skill.

This time it was all fun and games, using an exploit that works cross-platform, without any _real_ modifications.

Well, basically you could probably use knowledge completely across the spectrum, from web technologies such as XQuery right down to the dirtiest ASM hacks. Basically you should "exploit" the -expert- knowledge of a certain technology against the authors, who might very well not be experts in the field.

This is why we feel that future challenges should probably be tackled in teams. I think I would prefer two more robust teams, rather than ad hoc created teams.

busyr on 28 September 2006 01:11

Totally agree....

Kikkertje on 3 October 2006 16:58

Count me in ;)

The Sad One on 12 October 2006 00:25

yup me too...

hacker_neophyte on 13 October 2006 09:04

add me too... I would love to... I am sad I missed it last Sunday

e-nigma on 15 October 2006 15:34

and that's 13..

and 13 is so much better than 20, because 12+1 is 13 and not 20.

riq on 22 October 2006 23:02

Let's make it 14 today....

RuL0R on 6 December 2006 23:34

count me in, I'll be there next time (probably)

opticsabru on 16 January 2007 08:56

me too

