I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:
The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.
Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for three very specific ones. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:
I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..
I took screenshots of all the actual attacks below.
Continue reading ‘Fortify Hacking Challenge’
Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger!
The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.
Continue reading ‘F-Secure Khallenge Level 1’
ISIS Lab is organizing NYU-Poly’s 5th annual Cyber Security Awareness Week (CSAW) where students can compete and win prizes in a variety of information security challenges. There will be door prizes, raffles for participating, and bonus prizes for undergrad and high school participants. Qualified finalists will receive a travel scholarship to attend the awards ceremony in New York City.

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw
Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!
Of all the things that happened this weekend, I didn’t expect this! I registered but I probably wouldn’t have played if Tom Brennan hadn’t frantically raced up to me at about 6:30 on Friday to tell me that I had to =). Thanks Tom!
I’ll talk about some of the challenges I went through, but if you’re really interested in these kinds of things you should compete in one of the capture the flag competitions that I developed for these upcoming events:
- NYU-Poly’s Cyber Security Awareness Week – A yearly event for students that our lab puts on. Compete in 7 different information security competitions for prizes! If you win, we’ll pay for you to come to NYC and collect your prize!
- OWASP AppSec NYC – A 2-day web application security conference taking place downtown this September. There will be a web capture the flag contest, also with prizes. Everyone is welcome to play and challenges will be accessible to beginners and experts alike!
Now about HOPE/Packetwars CTF… Continue reading ‘I won HOPE/Packetwars CTF!’
Seriously.
I had a very, very quick talk with someone at NYSec tonight and we highlighted the Social Responsibility panel at Shmoocon that wrapped it up as one of the biggest letdowns of the weekend. It’s a panel that should symbolize all the hopes and dreams our entire community wants to accomplish but instead time was wasted debating the meaning of the word ‘hacker’ and what constitutes “our” “community”. I think Toby summed it up best when he threw a Shmoo Ball and said (paraphrasing) “We’ve debated what the word hacker means for 20 years and we’ll do it 20 more. We need to move on to talk about more important topics.”
Toby is exactly right, but his comments didn’t prevent the conversation from getting derailed again just a few short minutes later…
Continue reading ‘NYSec > ShmooCon’
ShmooCon has taken a nosedive. I don’t know where it went wrong, maybe this year was just a horrendously bad year, but the presentations did not meet my expectations. I can’t wait for the videos to go online in 60 days so I can watch myself hitting Simple Nomad in the face with a Shmoo Ball and being the first one to call him out on the poor quality of his presentation or the small businesses talk where Strat and I took turns dismantling all the presenter’s points.
This is the second time I’ve felt like this (the last time was after HOPE). I can’t sit here and complain anymore. If I disliked the presentations so much at ShmooCon, then I should present something myself to make up for it.
Who’s with me? HOPE/ISIS Con ’08!
At ShmooCon ’08 Simple Nomad heavily advertised the cause of forensiclicensing.com. Unknown to me and many others, many states are requiring that all practitioners of computer forensics become licensed, in this case by becoming a licensed Private Investigator. Simple Nomad described this as one of the greatest threats currently facing our community; however, I contend that this is not necessarily such a bad thing.
Continue reading ‘Forensic licensing isn’t that bad’
While I’ve been sitting at home, sick for the last few days, I’ve been trying to keep my mind at least somewhat sharp by watching some light videos here and there. The usual stuff, some TED, some 30 Rock, and I came across this gem I thought many people on this list might be interested in:
Crouching Powerpoint, Hidden Trojan: An analysis of targeted attacks from 2005 to 2007
Presented by Maarten Van Horenbeeck of the SANS ISC at the 24th Chaos Communication Congress
http://events.ccc.de/congress/2007/Fahrplan/events/2189.en.html
See the links at the bottom for presentation materials including a PDF, video, and analysis of actual targeted exploits. I highly recommend the video, the torrent was extremely fast.
Enjoy
The UbuCon is an unconference for Ubuntu users, developers, and sysadmins taking place on February 16th at the new Google offices in Manhattan. A few people from ISIS will be there to represent the interest of security in Ubuntu’s future development and hopefully to move improvements like GCC proactive security measures, encrypted LUKS partitions, and inclusion of Seahorse and gaim-otr in main up to a higher development priority. If you’d like to join us, add your name to the RSVP list and we’ll see you there (it’s free!).
This is a little late (registration is over), but no less than 7 of us are going to ShmooCon in Washington DC this March 23-25. If you were lucky (and smart!) enough to get a ticket, we’ll see you there!