Krisler12™ Posted November 26, 2010

Dear members and guests of InterN0T,

The last three HaXx.Me #01, #02 and #03 wargames were a success and therefore it is time for HaXx.Me #04! We've given you time to recover from the last challenge, which included strange DNS queries, Custom Web Apps, Custom vHost requests and much more! This time, we guarantee it will be even more mind blowing!

Not only will the challenge contain Web Applications as per usual, but it will also include insanity on a high level in the form of pentesting ways some of you may never have encountered nor tried before. Of course you may have heard of it, but one thing is theory, another is real life.

The target will be announced here in this thread, on Twitter and IRC, while the complete objectives will only be released here. There are a few rules (common sense) which have to be followed as well; these are mentioned below.

The challenge is "Capture The Flag" styled, as in completing the objective(s) first.

Winners
The contest is not over yet.. (the first five winners are announced here)

Other participants who completed the contest:
The contest is not over yet..

Documentation
The contest is not over yet..

Rules
- It is forbidden to intentionally cause DoS conditions.
- It is strictly forbidden to try and break out of the Xen instance.
- Attacking other servers on the same host or network is strictly forbidden.
- You may only attack the IP and domain announced here.
- Avoid altering the target to deny other contest participants access.
- You may attack any service hosted on the target.
- You may use any tool necessary to hack the target as long as you don't break the rules above.
- Avoid automated vulnerability scanners. They won't help you and they may cause the server to become slow.
- You are allowed to use NMAP, otherwise you won't be able to do this challenge. (Don't use the -A flag / switch.)

Hints
- There's a lot more to it than just Web Application Security.
- Check out Twitter from time to time, hints may be revealed occasionally.
- Read blogs and threads on InterN0T about Web Application Security.
- Having completed the last 3 challenges, or at least knowing how, is a plus.

Contact
- In case the server is down, contact Hestas or Rorok and inform them about this.
- You can also send a PM to me or use our Contact Us form.

Timeline
The challenge starts Friday the 26th November 2010 - 18:00 GMT+1 (12:00pm EST)
The challenge ends roughly around Friday the 3rd December 2010.

Submissions
In order for us to see how you managed to "crack" the server, we'd like you to provide some brief documentation. The layout overall doesn't matter, but one could look at the HSIYF documentation others made to get an idea of how such a thing could look. Alternatively, check out the previous documentation from the last challenges!

Challenge
The target server may be restored from a backup each ~24 hours.

HaXx.Me #04 Target
Target: [Closed]

Primary Objectives:
Gain access to and read the contents of the "Winning-Key.txt" file in the root directory.

Don't forget to have fun while you're doing this! If you fail, don't believe you're not good enough. Try Harder, as the people from Offensive Security tend to say, or simply give up and wait for the full documentation, which usually includes a video from InterN0T.

Best regards,
MaXe

HaXx.Me #04 - Pentesting the Obscure - InterN0T - Underground Security Training

The people at intern0t are at their 4th competition of this kind (the solutions to the 3 so far can be found on their forum). Participation is free, and so is registering on the forum.

Let's see who's really the best, because anyone can pull off a lousy XSS or an SQLi on some two-bit site found by accident! ANYONE can do that!

If you think you're real hackers or want to prove it, then all that's left is to take part in this competition, and your name will be made public on that site when the competition ends.

Which is harder: breaking into a site found at random, or hunting for a vulnerability in a site set as the target in advance? I'll let you decide.

I'm not advertising this forum in any way and nobody is forcing you to create an account there. You can take part without an account, but the problem is that you won't be able to prove in any way that you managed to break into that site, because only that way will your ID/name be listed under "winners".

You have one week (until 3 December) to prove your skills, so you can't say you didn't see / didn't hear.

Good luck!