Dear members of InterN0T,
The last HaXx.Me #01 challenge aka wargame went smoothly with a lot of
trial and error, success and failure. Now it's time for the second challenge,
featuring more Web Application Security in order to teach you what you may
encounter in real life scenarios as a Penetration Tester!
The target will be announced here in this thread, on Twitter and IRC, while the complete
objectives will only be released here. There are a few rules (common sense) which have
to be followed as well; these are mentioned below.
Winners
1st Place: 0daydevilz!
2nd Place: ande & IFailStuff!
3rd Place: sh4ka!
4th Place: bik3te
5th Place: Norph
Documentation
InterN0T:
[1] http://bit.ly/diSgY9 (password: www.intern0t.net )
[2] http://intern0t.blip.tv/file/4108786/
Rules
- It is forbidden to intentionally cause DoS conditions.
- It is strictly forbidden to try and break out of the Xen instance.
- Attacking other servers on the same host or network is strictly forbidden.
- You may only attack the IP and domain announced here.
- Avoid altering the target to deny other contest participants.
- You may attack any service hosted on the target.
- You may use any tool necessary to hack the target as long as you don't break the rules above.
Hints
- Some passwords in this wargame may be vulnerable to dictionary attacks.
- Check out Twitter from time to time, hints may be revealed occasionally.
- Read blogs and threads on InterN0T about Web Application Security.
Contact
- In case the server is down, contact Hestas or Rorok and inform them about this.
- You can also send a PM to me or use our Contact Us form.
Timeline
The challenge starts some time on the 1st September 2010 (GMT+1).
The challenge ends around the 8th September 2010 (GMT+1).
Submissions
In order for us to see how you managed to "crack" the server, we'd like you
to provide some brief documentation. The layout overall doesn't matter, but
one could look at the HSIYF documentation others made to get an idea of what
such a thing could look like.
Challenge
The target server will be restored from a backup every ~24 hours.
HaXx.Me #02 Target
Target: [The Contest is Over!]
Objectives:
- Gain shell access to the server and find the winning key in the root directory.
Don't forget to have fun while you're doing this!
If you fail, don't believe you're not good enough. Try Harder as the people
from Offensive Security tend to say, or simply give up and wait for the full
documentation which may include a video from InterN0T, again!
Best regards,
MaXe

