Disinformation Challenge

Post by tgoe on Thu Sep 12, 2013 8:56 pm

So I decided to whip together a challenge. :)

Imaginary background
Someone else on your "team" has gotten ahold of the source code to an anonymous article publishing website and shares it with you here: http://hts.io/1cvs7

Mission
Demonstrate that you could publish an "article" with an arbitrary user's credentials by sharing a technique to post as the "ADMIN".

There are 3 primary ways to accomplish this.
  • Crack the ADMIN tripcode. Show the plain-text.
  • Persistent XSS. Post your js.
  • Specially crafted serialized data. Post your code.

Info
You will need Python 2.7 and CherryPy to run the website locally.

Also
First-come, first-served. Post your answer(s) to this thread. I haven't tested on Windows so YMMV. Post if you have an issue.

Edit:
It has come to my attention that just getting Python set up on Windows can be a challenge. Try this distro of Python:
ActivePython

Also I want to point out that the XSS method of attack cannot produce a 100% complete forgery even if the source of the pages isn't viewed by a user of the site.
Last edited by tgoe on Fri Sep 20, 2013 12:30 am, edited 2 times in total.


Re: Disinformation Challenge

Post by Goatboy on Thu Sep 12, 2013 10:56 pm

Cracked the admin trip right away. You might wanna try harder.

Found some XSS, working on a non-obvious script to use.

More interested in working on the serialized db object. ADD: This one's a real pickle.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD


Re: Disinformation Challenge

Post by tgoe on Fri Sep 13, 2013 1:07 am

Goatboy: 1
Spectators: 0



Re: Disinformation Challenge

Post by Goatboy on Fri Sep 13, 2013 1:09 am

tgoe: 50

I asked for challenges like this somewhere around 2 years ago here. I wanted actual code with actual exploitable vulnerabilities. This is 100% what I was looking for. The fact that there is somewhat of a backstory and a loose set of guidelines makes it all the better.

Thank you.


Re: Disinformation Challenge

Post by tgoe on Fri Sep 13, 2013 1:13 am

I'm so pink right now :oops:



Just curious. Anyone else working on this? Would a step-by-step walkthrough on the exploits be interesting?


Re: Disinformation Challenge

Post by Goatboy on Wed Sep 18, 2013 7:00 am

I think it'd be interesting - although the security implications might be sketchy - to use Docker as a way of either distributing exploitable environments, or running *actual* vuln shit on HTS. I think the first option would be the best for HTS, reducing load and the likelihood of breaking out of the container. It would also make it easier for people to do just this sort of challenge, in case they can't get or don't have access to certain libs.


Re: Disinformation Challenge

Post by tgoe on Fri Sep 20, 2013 12:41 am

Never heard of Docker. Wow. That looks awesome.


Re: Disinformation Challenge

Post by mShred on Sun Sep 22, 2013 12:43 pm

Hrm hrm. This challenge looks pretty interesting... I'll definitely look more into this at the end of this week when my schedule frees up a shit ton.
For those about to hack, I salute you.
teehee


Re: Disinformation Challenge

Post by tgoe on Wed Sep 25, 2013 7:24 pm

The first two methods are pretty straightforward and shouldn't take much time. The persistent XSS vector should be used to dynamically re-write the page to be abused in one of two ways. Either phish credentials as a replacement for the hash cracking or display a fake article. The third option may take a little time to get working, especially if you aren't familiar with Python.
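Added example, not part of the thread or of the challenge's source: the defensive counterpart to the third method ("specially crafted serialized data"), assuming from the "pickle" hint earlier in the thread that the site stores its data with Python's pickle module. It is written for Python 3, and `ALLOWED_GLOBALS`, `safe_loads` and `Forged` are hypothetical names; the loader refuses every global reference, so stored dicts and strings load normally while a stream that asks the unpickler to call a function is rejected.

```python
import io
import pickle

# Assumption: articles are stored as plain dicts/lists/strings, so no
# global (class or function) ever needs to be resolved while loading.
ALLOWED_GLOBALS = set()  # add ("module", "name") pairs only if truly needed


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("blocked global %s.%s" % (module, name))


def safe_loads(data):
    """Deserialize untrusted bytes without resolving arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Forged(object):
    """Constructed stand-in for untrusted input: unpickling it calls a
    function named inside the byte stream (here a harmless len())."""

    def __reduce__(self):
        return (len, ("forged",))


def demo():
    # Constructed sample record; field names are assumptions.
    article = {"author": "anon", "trip": "constructed", "body": "hello"}
    good = pickle.dumps(article)
    forged = pickle.dumps(Forged())

    # Plain pickle.loads performs the embedded call and returns its result
    # instead of a Forged object.
    unsafe_result = pickle.loads(forged)
    try:
        safe_loads(forged)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return safe_loads(good) == article, unsafe_result, blocked


if __name__ == "__main__":
    print(demo())
```

Storing articles in a data-only format such as JSON removes the callable-resolution step altogether.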


