AppSec Research X-mas Challenge
Posted by: holiman
Date: December 21, 2009 07:47AM

New challenge posted. From the OWASP wiki (http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden ) :
---
Merry Christmas everyone!
It's the 21st and a new AppSec Research Challenge is posted.

Setting up the AppSec Research 2010 X-mas Challenge was a cooperative effort by the winner of AppSec Research Challenge 3, Mario Heiderich, and Martin Holst Swende. It is a multi-step challenge which involves finding a vulnerability in a web application and locating a hidden message. Start by subscribing to the conference mailing list. Then check the simple rules below and get going.

Rules:

* Please do not perform any resource-intensive tests, as the machine is pretty low-end and can be DoSed without much effort.
* The computer at the given IP address is the only system involved in this challenge, so please do not perform any tests against neighboring systems.
* Otherwise, you are free to hack away!

Challenge-page: 66.249.7.26

Discussions, Q&A and reports about how far you have made it are welcome in the official sla.ckers thread.

Good luck and happy holidays! (And don't forget the submission deadline for the conference -- February 7)
---

Re: AppSec Research X-mas Challenge
Posted by: Thrynn
Date: December 21, 2009 04:28PM

Where do we submit the secret string? I have several that may be it: database name, username, the marquee, and even the weird one that appears every few tries.

Re: AppSec Research X-mas Challenge
Posted by: ManJIT
Date: December 21, 2009 05:24PM

You can email martin.holst_swende at owasp dot org.

/ManJIT (aka John the conf chair)

Re: AppSec Research X-mas Challenge
Posted by: holiman
Date: December 22, 2009 03:49AM

The correct answer is *not* "The magic parenthesis of Antiochia!"
Re: AppSec Research X-mas Challenge
Posted by: Thrynn
Date: December 22, 2009 10:45AM

Well, I've got *some* SQL injection working. Enough to pull the database name, username, and version, but I haven't been able to pull tables, rows, data, etc. Output to file failed. I'll try some more later.

Re: AppSec Research X-mas Challenge
Posted by: OMG_
Date: December 23, 2009 03:30PM

For those of you who haven't seen the solution, it is out there:

http://pastebin.com/m3282b1e7

Great work, whoever did it.

/ OMG_

Re: AppSec Research X-mas Challenge
Posted by: holiman
Date: December 24, 2009 04:15AM

We planned to announce the winner and release the solution after the holidays, but since it is out in the open anyway now: yes, we have a winner, Andreas Fobian, who also graciously wrote the walkthrough mentioned above.

Congratulations! I am impressed by how quickly it was solved!
