Thread: HaXx.Me #03 - Web App Sec for Pro's

  1. #1
    MaXe, Founder of InterN0T
    Join Date
    Jun 2008
    Location
    Denmark
    Posts
    4,140
    Blog Entries
    41
    Reputation
    270
    Rep Power
    10

    HaXx.Me #03 - Web App Sec for Pro's

    Dear members of InterN0T,


    The last two wargames, the HaXx.Me #02 challenge and the HaXx.Me #01 challenge,
    were quite a success, and therefore we give you HaXx.Me #03!!! This challenge is
    far out and is not very close to reality; however, it is made to teach you to be innovative
    in the hacking you may perform as a hobby or as a professional.

    The target will be announced here in this thread, on Twitter and IRC, while the complete
    objectives will only be released here. There are a few rules (common sense) which have
    to be followed as well; these are mentioned below.

    Winners
    1st Place: sh4ka
    2nd Place: 0daydevilz
    3rd Place: s3my0n
    4th Place: ande
    5th Place: Aodrulez

    Other participants who completed the contest:

    DRaid, Corelan Team, Saif


    Documentation
    ande: http://bit.ly/ci403c
    Corelan Team: http://bit.ly/baCpxp
    InterN0T: InterN0T on blip.tv (Alternative Link by 0daydevilz: YouTube - InterN0T HaXx.Me #03 Documentation (AudioSwap Music!))
    s3my0n: http://py1337.team-xpc.com/haxxme3.zip


    Rules
    - It is forbidden to intentionally cause DoS conditions.
    - It is strictly forbidden to try and break out of the Xen instance.
    - Attacking other servers on the same host or network is strictly forbidden.
    - You may only attack the IP and domain announced here.
    - Avoid altering the target to deny other contest participants access.
    - You may attack any service hosted on the target.
    - You may use any tool necessary to hack the target as long as you don't break the rules above.
    - Avoid automated web scanners. They won't help you and it may cause the server to become slow.


    Hints
    - There's a lot more to it than just Web Application Security this time.
    - Check out Twitter from time to time, hints may be revealed occasionally.
    - Read blogs and threads on InterN0T about Web Application Security.
    - If you're a former member of Teh Unkwon, you may have an advantage.


    Contact
    - In case the server is down, contact Hestas or Rorok and inform them about this.
    - You can also send a PM to me or use our Contact Us form.


    Timeline
    The challenge starts right now, the 18th October 2010 (GMT+1).
    The challenge ends around the 23rd October 2010 (GMT+1).


    Submissions
    In order for us to see how you managed to "crack" the server, we'd like you
    to provide some brief documentation. The layout overall doesn't matter, but
    one could look at the HSIYF documentation others made to get an idea of what
    such a thing could look like.


    Challenge
    The target server may be restored from a backup every ~24 hours.



    HaXx.Me #03 Target
    Target: [Closed]

    Objectives:

    • Gain shell access to the server and find the winning key in the root directory. (Sound similar to HaXx.Me #02?)

    Don't forget to have fun while you're doing this!

    If you fail, don't believe you're not good enough. Try Harder as the people
    from Offensive Security tend to say, or simply give up and wait for the full
    documentation which may include a video from InterN0T, again!



    Best regards,
    MaXe


  2. #2
    0daydevilz
    Join Date
    Mar 2010
    Location
    Kernel Panic
    Posts
    37
    Reputation
    1
    Rep Power
    5

    Re: HaXx.Me #03 - Web App Sec for Pro's

    Great work! MaXe
    I have started it and completed! ...
    Very fun! and get more exp! Thanks MaXe for wargame!
    Do one thing and do it well

  3. #3
    MaXe

    Thanks 0daydevilz

    The thread has been updated with the winners and those who completed the contest
    but weren't one of the first five to complete it. (The contest is like Capture the Flag.)

    Documentation will soon be public.

    Thread updated with documentation.


  4. #4

    Re: HaXx.Me #03 - Web App Sec for Pro's

    Originally posted by MaXe:
        Thread updated with documentation.

    How do you know all of these? Are you a security engineer or something like this... else how have you learned all these? I want to learn to do this too, but it seems to be more advanced for me. Also, you look very professional, that is why I am asking about your knowledge.

    What else?... Let's see...

    Great work! Keep it up!

    One more thing: I didn't know about it until the documentation was finished. I am quite a bit sad because I didn't give it a try. Maybe next time!

    Is there any schedule for these competitions? How could I know when the next one will be? I am asking you this because I do not want to miss the next one too.

    Thank you in advance!

    PS: Why don't you keep the challenge hosted anymore? I want to practice on it following the documentation.

  5. #5
    MaXe

    Re: HaXx.Me #03 - Web App Sec for Pro's

    Updated with s3my0n's documentation!

    Krisler: I started with HTML, CSS and JS many years ago, then I learned Linux, PHP,
    Python and kept on learning while having fun. When I am in doubt of something or if
    I am curious about something I don't know, I take some time to study and learn it.
    (Sometimes I just learn whatever I am curious about briefly, but I do like checking RFCs.)

    The next HaXx.Me #04 challenge is scheduled to begin in around 1 month.

    Just check this section and Twitter (MaXe (InterN0T) on Twitter) for updates occasionally.

    The server is used for other purposes now and whenever the challenge is up I need
    to use a lot of time checking it is actually running and that no one is abusing the rules
    as in e.g. using all the bandwidth with automated scanners and thereby causing a small "DoS".

    This takes a lot of my personal time to study and educate myself, but also to keep
    track of the forums, keep in touch with (hacker) friends, affiliates of InterN0T and
    of course a lot more.

    Though I encourage anyone interested in hacking to participate in the next HaXx.Me challenge!

    It will hopefully be as mind-breaking as this one. If not, even more.


