Fortify Hacking Challenge

Published on August 15, 2008 in CTF, Conferences, Events and Web. 1 Comment

I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:

The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.

Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:

I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..

I took screenshots of all the actual attacks below.

You had to recognize that they set an AuthType cookie when you logged in. Changing this cookie to 0 let you view and access a hidden admin panel.

Once in the admin panel, RTA triggered on a command injection vulnerability:

… and on cross-site-scripting the other admins:

The last attack was a SQL injection on the account details page:

My biggest problem was that I overthought the attacks they were looking for. Once I calmed down and stopped trying to become a millionaire/root-shell-0wner I realized they were probably looking for the basic web vuln trifecta: command injection, xss, and sqli. All in all, a really fun challenge. Thanks Fortify!

  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • E-mail this story to a friend!
  • LinkedIn
  • Print this article!
  • Reddit
  • Slashdot
  • StumbleUpon
  • Technorati
  • TwitThis
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution 3.0 United States License.

1 Responses to “Fortify Hacking Challenge”

Feed for this Entry Trackback Address
  • gaurav
    October 20, 2008 at 10:25 pm

    Sir
    i am into my 3rd year of computer engineering
    i want to learn basic n simple hacking …
    can u tell me some ways to hack..

Leave a Reply