Jump to content











Photo

Challenge #20 - Realistic Web Challenge


  • Please log in to reply
16 replies to this topic

#1 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 06 January 2012 - 06:44 PM

Hi!

I have set up an interesting challenge based on what I discovered. So here is the link I set up where I used a free hosting site and I picked an appropriate subdomain name: http://www.vuln.host.org

What you need to do is find all the vulnerabilities you can :) .

LE: Now, why I named it realistic? Because some "parts" of this community also shares the same script and I think It will be a good thing if Nuno sees this thread and solves it. Of course, that directory listing outside the script was because the free host did not allowed me to modify .htaccess .

@Icecube: Now having all this, you could find on the internet what vulnerabilities are on this particular script version. You could find another one, although not going to be exploited. :) And you cound find other links that have the same script, especially related to our forum.

@Holmes.Sherlock: Yeah, it's ok to modify the title to whatever number you want :D

LE: Solvers:
Icecube
AceInfinity

#2 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 06 January 2012 - 10:06 PM

What you need to do is find all the vulnerabilities you can :) .

I only found 2 vulnerabilities so far. I can't exploit the third one yet. How many vulnerabilities are there?

I found a third one now and could exploit it :2nd: .

Found most vulnerabilities, I guess. I will post my findings later, so other people can try it first.

#3 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 07 January 2012 - 12:48 AM

Not sure, i'm just following along in this thread to see if I can learn something :)

#4 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 07 January 2012 - 07:06 AM

@My Romanian friend,
Going by the convention of naming challenges we were following earlier, I have renamed the topic title. I hope you won't mind.

#5 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 07 January 2012 - 01:38 PM

@ florin
Found the other vulnerability.

#6 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 07 January 2012 - 01:40 PM

Congrats Icecube :1st:

#7 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 07 January 2012 - 10:34 PM

I found this:
Spoiler


Ahh! found one :)
Spoiler


#8 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 08 January 2012 - 03:06 AM

@To all of them who have been able to solve the challenge even partially,

A request to you: http://reboot.pro/14...post__p__137220

#9 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 08 January 2012 - 04:25 AM

lol, now that I posted that XSS script, I can't edit my post... hahah...

Says "invalid title" or something like that when I hit "Save Changes".

Spoiler


Don't entirely know too much about all the rest of the vulnerabilities, but I believe I have another one. Just not sure how to exploit it...

#10 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 08 January 2012 - 04:36 AM

lol, now that I posted that XSS script, I can't edit my post... hahah...

You have 122 posts right now. I believe that you should have faced no problem to edit your posts.

#11 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 08 January 2012 - 04:54 AM

I know, but for some reason I think the script I copied out conflicts with the content being sent in to post, I can't edit the post, and I can't go into Full Edit with the post for some reason, and when in edit mode I can't use the "cancel" button to close my post either. Odd...

Here's proof of what I get:
Posted Image

#12 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 08 January 2012 - 04:58 AM

Can initnull/tachyon be used?

#13 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 08 January 2012 - 09:20 AM

@Ace: Maybe the forum has anti-xss measures, or it's based too much on javascript. And, I think it's a good ideea if you use NoScript for firefox.

@Holmes.Sherlock: That is a scanning script for finding vulnerabilities, I gues. It will depend on your bandwidth, as well as free hosting site bandwidth. And it requires to install tor to use a proxy for hiding your real ip. IMHO, I am not capturing your ip's.
From my part, you can try it to see if it discovers another vulnerabilities, but I doubt because the script is old and these are the only ones I found on the Internet.
But in real challenges, I do not think it is good to use automating scripts not knowing what they do, they (should) have automate banning systems, and do not think 0-days flaws where discovered automatically. Advisable would be to see what that script is doing before using it, and making that job manually would be almost impossible in some cases ( I remember the challenge with that space craft :)) - space invaders like - enjoyed it very much)

Now, assuming you all know the source, what I need to modify to make it safer? The short answer would be "upgrade to the last version", but I am starting to learn php and would be interesting to see what code produces that output or what code is missing to not produce the desired output.

#14 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 08 January 2012 - 09:30 AM

@Ace: Maybe the forum has anti-xss measures, or it's based too much on javascript. And, I think it's a good ideea if you use NoScript for firefox.

@Holmes.Sherlock: That is a scanning script for finding vulnerabilities, I gues. It will depend on your bandwidth, as well as free hosting site bandwidth. And it requires to install tor to use a proxy for hiding your real ip. IMHO, I am not capturing your ip's.
From my part, you can try it to see if it discovers another vulnerabilities, but I doubt because the script is old and these are the only ones I found on the Internet.
But in real challenges, I do not think it is good to use automating scripts not knowing what they do, they (should) have automate banning systems, and do not think 0-days flaws where discovered automatically. Advisable would be to see what that script is doing before using it, and making that job manually would be almost impossible in some cases ( I remember the challenge with that space craft :)) - space invaders like - enjoyed it very much)

Now, assuming you all know the source, what I need to modify to make it safer? The short answer would be "upgrade to the last version", but I am starting to learn php and would be interesting to see what code produces that output or what code is missing to not produce the desired output.


I always use Firefox lol :) One of my favorite web browsers.

I created my own fully fledged theme for 3.5 which was compatible with 4, but being that they went into such rapid development I quickly let it become obsolete as now it doesn't work on the newer versions of Firefox they came out with. Also plugins that i've developed for Firefox, but things have changed.

To answer your question though I personally think that some vulnerabilities reside on the server side, which in that case there isn't much you can do. Otherwise I only have gained much knowledge in SQL injection protection from a PHP standpoint. Which doesn't really help in this case because there's no database.

#15 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 08 January 2012 - 10:03 PM

Here is the things i found, when I send the solution via PM:

Go to http://www.vuln.host.org/

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler

Spoiler


Spoiler


#16 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 09 January 2012 - 06:00 AM

What I observerd is, when it comes to documenting, Icecube is one of the "best"s.

#17 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 09 January 2012 - 05:43 PM

ignore this, testing, trying to recreate error

Spoiler


Spoiler





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users