Dec. 15: new wargame started!

Questions? Stuck? post here....
bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

the rules
- no DDoS
- no abuse of the server for malicious activity when it got rooted

is there something to win?
experience....well, ok, the first one can choose from an article in the suck-o merchandising shop once it is up... :P the intention of this wargame is that you work together in case you get stuck, and not to create a climate of competitiveness.

how do I prove that I have done it?
simply leave a file on the server with a notice, the time-stamp counts in case 2 people do it on the same day.

how long will the wargame last?
about 4 weeks, when the server gets rooted the wargame will not stop, either the whole server will be reinstalled or the one that rooted it simply doesn't tell the others how he did it (depends on WHO will root the box, for a well-known trusted member option #2 applies).

will logs be published again?
yes. BUT this time I am not able to run an IDS (too little RAM :roll: ), I will have to analyze the normal system logs. so this will also be a challenge for me, I will publish suspicious log entries once a week.

oook, where the hell is the server?
http://www.suck-o-licious.org


happy hacking! :D

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00
15

Post by ph0bYx »

Good luck guys!
I expect reports ;)

f4Gg0t_43
Fame ! Where are the chicks?!
Posts: 245
Joined: 13 Sep 2008, 16:00
15

Post by f4Gg0t_43 »

Is it safe and you just want us to try to hack it, or did you actually put in vulnerabilities?

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

there are vulnerabilities... :wink:

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA

Post by DNR »

It is safe because you are messing with a server, not a network. While the server has holes in it, its IDS does not. You can start with just viewing the source of the webpage's code - which you can do on any website.
The next step would be exploiting the weaknesses you find in a harmless way - just post a short simple message on the server - it does not have to include your name. You'll then contact B_B and tell him the message you left. No profanity, no promotion, just a test of skills.

It is advised not to share in public your method of hacking the wargame until the game is over. When the game is over you will be invited to write a short tutorial on what you did, and the winner gets a prize!

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
15
Location: Trigger City

Post by Still_Learning »

So I need to sign up for a new account to do this, I'm guessing?
Gone

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.

Post by Lyecdevf »

Still_Learning wrote: So I need to sign up for a new account to do this, I'm guessing?
You could if you know of some exploit that would allow you to elevate your privileges but you do not have to. Maybe as a user you would have access to certain features like adding an avatar and you could upload something there! :D
We will either find a way, or make one.
- Hannibal

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

no need to sign up, actually it is not even possible because there is no mail server running....I had to disable it to save some RAM.... :wink:

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

first logfiles available:
http://wwww.suck-o-licious.org/logs18122008.tar.gz

as I said, no IDS logs this time, but even the regular logs give enough info about intruding attempts....this is what an admin sees when his server has no IDS, and believe me, many servers have no IDS running... :wink:

I recommend Notepad++ to check the logfiles on MS systems:
http://notepad-plus.sourceforge.net/uk/site.htm

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00
16

Post by MariaLara »

bad_brain wrote: first logfiles available:
http://wwww.suck-o-licious.org/logs18122008.tar.gz
ty
The only true wisdom is in knowing you know nothing.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

new logs:
http://www.suck-o-licious.org/logs22122008.zip

and 2 hints:
one key to the site is mysql and the way it is administrated
the direct key to the server will never welcome you with a handshake
8)

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00
16

Post by MariaLara »

Your hints are passe....

whoami
root
bitches

http://suck-o-licious.org/

your site has been updated.
The only true wisdom is in knowing you know nothing.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

awww....my site, I have put so much work in it and now it's gone... :( :lol:

congrats MariaLara, well done! =D>

ok, so the website wargame is beaten, still to do: rooting the whole box.... :)

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00
16

Post by MariaLara »

oh yes sorry for blowing a hole in that cute perl script
kill -9 15506

again underestimated
The only true wisdom is in knowing you know nothing.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.

Post by bad_brain »

oooops...... 8O


so: Congrats for rooting the box MariaLara! =D>
