18 out of 27. Fantastic achievement. LOL.
Represent UTP with the name of d0t, here come m0d0 (me), wadefak and zeff. We participated in Hacking & Defence categ. So, from the close source, this hacking & defence is totally different from previous H&D. This time, each team have a server where they need to defend it (prevent from attackers to get the flag) and at the same it, the need to attack other servers (get others flag) in order to get the point.
The whole system was based on topup system. Where to gain something, u need to buy. Initially, we have Y (yen)3000 to start with. 1st thing we bought was user password in our server in order to start daemons.
We have 3 daemons :
backdoor
echo
apache2
All daemons must be running while the scoreboard will check the service. Point will be deduct if the daemon is down. To make it short, in our server, we have jobberbase as a webpage. There is a flaw, which is in the upload section for applying jobs. Race condition.Google "php race condition".
However, we did try something about it but we did not aware of the race condition flaw. As matter of fact, most of the team did not aware of it. Exception to darkc0de,w0nderpets. Maybe?
Stegno was very effing hard. Kot? Hahaha. But, several guys manage find a way to solve it, and maybe miss two or 3 steps. Kudos to them.
Anyway, it was a very good competition. Fair enough to the committee, I guess. Just, we when ask something, they will reply "Jap eh, nak tanye org dulu". Y lar dat thing happen. I will happily to interact with the "org" directly. Just like previous i-Hack where all team were place in one big cold hall, and straight away we can see the sifus (SCAN) yang buat soalan.
As a team members, I will partially take the blame on the fall of the UTP legacy (lol). So, I did realize my mistake where I did not directly engage with the organizer after there were numerous time of our box is down. Kene attack ke? I don't think so.
Ni silap die, bile box tu down, on my behalf, aku x straight away put my hands up high in the air and asking them about the box (reboot ke..) . Yet, for the last 3 hours, I remain calm as buaya in the sungai waiting for food because lapar kaw2.
------------------------------------------------------------------------------------------------
As for the committee, I believe, there are significant things that you can learn from it. Aku rase, kalau taruk sume team dalam hall lagi better kot. Comfortable. Anyway, hacking and defense. LOL.
2nd, i believe, previous ihack ade buat name tag dekat participant punye card. apsal xtaruk dah? isk. kang sonot ade name situ. xde la tulis participant je. tulis la n00bies ke ape ke.
3rd, my teammate, teng aka wadefak, have serious problem with his connection. Switch problem ke, cable problem ke. This things happen byk kali throughout the fasting 12 hours. Kerepek sedap.xpe dimaafkan.
4th, 12 hours is too long la bang. sakit kepale den don tenung lappy tu. previous buat 2 days, sronok kot. maybe defcon macam tu. xtau la. tapi, if 2 days best sikit kot?
-------------------------------------------------------------------------------------------------
Conclusion, good event. Matlamat korang utk event maybe tercapai, maybe x, who cares. We as the participants, enjoy it. Good job.
For UTP team, GG :P
*stegno susah wei. (sebab n00b)
**mase mule2 ade network, sume pasang backtrack. haha. pakai ke backtrack tu for the H&D? tapi sounds bt cool lah. sebab ramai2 boot :P
Adios
4 comments:
Hi
Awal post bro? :)
I think most of teams that participating feel the network problem impacts. Even our server has been hard reboot at least 3 times. Ping loss 100%. And scoreboard error that deduct our points if server 5 is being pawned. How we realise it? When we try to submit server 5 flag, "You cannot submit your own flag." LOL. However, thanx to all scannerz that solved the issue quickly.
Where is wadefak in that picture. I want to know him in reality instead of virtually. ahaha.
-192.168.4.1-
Hi there,
Awal post sebelum tlupe ape nk di katekan haha. :D
Anyway, good competition lah overall. If xde network problem, sure best. N yet, several team je dpt flag. Lain2, tgu credit auto topup. haha.
wadefak, at the right side. zeff, modo, wadefak. :D
we should hang around later on. heh.
Ada 4 vulnerability actually for each server:
i) Jobberbase - Race condition for upload file .. ada global overwrite jugak to help fake ip etc etc...
ii)Echo daemon - This is very simple stack overflow. should be very easy to exploit.. but it is windows application running on wine. Very easy to get shell using "jmp esp" etc etc.. But the problem maybe you will not able to run /daemon/bin/getflag cause you will get cmd shell. So maybe you can create php backdoor at /var/www/uploads etc... there is several directory have permission 777.
iii) backdoor - this backdoor have been backdoored where remote user can guess the password. The password located in /daemon/backdoor/etc/.bdpwd. User have permission to change this password. if you use sniffer everytime you guess for right character it will send NULL byte to you .. Example: if your first character is right it will send 1 null. if 1st and second character is right, it will send 2 null byte.. etc .. etc...
iv) last vulnerability is /cgi-bin/info.cgi - there is format string in http request header .. Since va randomization is off.. should be easy to overwrite plt.. dtor ..etc.. etc to get remote shell..
http://www.tbd.my/v2/thread-5481-page-4.html
Post a Comment