Dear members and guests of InterN0T,
The last three HaXx.Me #01, #02 and #03 wargames were a success and therefore
it is time for HaXx.Me #04! We've given you time to recover from the last challenge
which included strange DNS queries, Custom Web Apps, Custom vHost requests
and much more! This time, we guarantee it will be even more mind blowing!
Not only will the challenge contain Web Applications as per usual, but it will
also include insanity on a high level in the form of pentesting ways, some of you
may never have encountered nor tried before.
Of course you may have heard of it, but one thing is theory, another is real life.
The target will be announced here in this thread, on twitter and IRC, while the complete
objectives will only be released here. There are a few rules (common sense) which have
to be followed as well; these are mentioned below.
The challenge is "Capture The Flag" styled, as in completing the objective(s) first.
Winners
1st: VADiUM
2nd: Hawkje - Badjashackers
3rd: Xero with Team Fn0rd
4th: s3my0n
5th: Corelan Team
Other participants who completed the contest:
vndctv, sphyrath, flagitiouslogic, theologu, Saif, mohamed ramadan, 5M7X
Documentation
5M7X: http://vimeo.com/17421921 | Supplemental: http://vimeo.com/17473857
mohamed ramadan: http://blip.tv/file/4461732
sphyrath: http://intern0t.net/docs/sphyrath01.pdf
The_UnKn0wn: http://intern0t.net/docs/theunkn0wn01.pdf
InterN0T (LQ): http://intern0t.blip.tv/
InterN0T (HQ): http://rapidshare.com/files/435700651/HaXx.Me-04-2.mp4
Rules
- It is forbidden to intentionally cause DoS conditions.
- It is strictly forbidden to try and break out of the Xen instance.
- Attacking other servers on the same host or network is strictly forbidden.
- You may only attack the IP and domain announced here.
- Avoid altering the target to deny other contest participants access.
- You may attack any service hosted on the target.
- You may use any tool necessary to hack the target as long as you don't break the rules above.
- Avoid automated vulnerability scanners. They won't help you and it may cause the server to become slow.
- You are allowed to use NMAP, otherwise you won't be able to do this challenge. (Don't use the -A flag / switch.)
Hints
- There's a lot more to it, than just Web Application Security.
- Check out twitter from time to time, hints may be revealed occasionally.
- Read blogs and threads on InterN0T about Web Application Security.
- Having completed the last 3 challenges or at least knowing how, is a plus.
Contact
- In case the server is down, contact Hestas or Rorok and inform them about this.
- You can also send a PM to me or use our Contact Us form.
Timeline
The challenge starts Friday the 26th November 2010 - 18:00 GMT+1 (12:00pm EST)
The challenge ends roughly around Friday the 3rd December 2010.
Submissions
In order for us to see how you managed to "crack" the server, we'd like you
to provide some brief documentation. The layout overall doesn't matter but
one could look at the HSIYF documentation others made, to get an idea what
such a thing could look like. Alternatively check out the previous documentations
from the last challenges!
Challenge
The target server may be restored from a backup every ~24 hours.
HaXx.Me #04 Target
Target: [CLOSED]
Primary Objectives:
- Gain access to and read the contents of the "Winning-Key.txt" file in the root directory.
Don't forget to have fun while you're doing this!
If you fail, don't believe you're not good enough. Try Harder as the people
from Offensive Security tend to say, or simply give up and wait for the full
documentation which usually includes a video from InterN0T.
Best regards,
MaXe

