Government Security
Network Security Resources

Jump to content

Photo

War Games Server Rules & Intro

- - - - -
  • Please log in to reply
20 replies to this topic

#1 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 07 July 2005 - 01:19 PM

Rules

1. No scanning of the server! The server only has a single port open on it in the first place and that is the web port.

2. Defacing the board via the admin control makes no sence and proves no vulnerabilities since you have the password to it.

3. The goal is to find flaws in phpbb not in the server! So don't destroy the box!

4. Post your findings in the Forum and inform me if you have found a vulnerability such as XSS, SQL Injection or Session Hijacking.

5. If you hack the board tell me via pm, and take a screen shot because the server will reset every hour.

If you want to know what time is on the server look here http://www.governmen...org:81/time.php


What This Is


GSO will be hosting a web application that you will be able to experiment with and exploit.

The way this works is, suggestions will be taken as to what application will be loaded. As of this time it will be applications running on apache - MYSql- and php.

Once an application is loaded the admin password for the application will be published in the war games forum.

Users can do whatever they want inside of the application within limits. The limits will be published in the above rules when we determine them. This is still a work in progress.

Users will post what they are doing and what holes they have found. If they are working in a specific section they should post it in this forum and users should not disturb what they are working on.

Every hour the database will refresh itself to a fresh install, allowing people to work on a clean system every hour.

Login Credentials

http://www.governmen....org:81/phpBB2/

username= test1
password= test1

username= test2
password= test2

username= test3
password= test3

Admin Account = admin
password = admintest

#2 myth

myth

    Staff Sergeant

  • Members
  • 408 posts

Posted 07 July 2005 - 02:12 PM

Ummm, maybe something a little too much to ask for, depending on who's actually hosting the application.... But are we also able to play with Snort ?

Or atleast get Snort up and running, and use acidlab or similar to monitor progress ?

Working on snort - theres something about debian and snort that doesnt quiet work together - on my home comp and would love to see it up and running on a war games server...

Using the snort rules, we can detect php* sploit attempts, shell code that was uploaded etc

Yay ? Nay ?

#3 Stephen

Stephen

    Commander In Chief

  • GSO Management
  • 1,806 posts

Posted 07 July 2005 - 02:22 PM

I like that idea a lot myth, it would be good to know what can be accomplished while avoiding detection.

I second this notion :)
Posted Image

#4 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 07 July 2005 - 03:22 PM

Hmm, thats not a bad idea. How about this first I am going to start with publishing the apache logs weekly for you analysis types. (IP's removed of course) Then I will work on getting a full copy of Snort UP. With the acid interface.

#5 Axl

Axl

    Staff Sergeant

  • Sergeant Major
  • 338 posts

Posted 07 July 2005 - 06:17 PM

wow ! great idea !
looking farward to it m8 !!!!

#6 Gelu

Gelu

    Private First Class

  • Members
  • 47 posts

Posted 09 July 2005 - 10:19 AM

indeed, this is a very good idea. hopefully we will be able to produce some nice exploits. good idea gso

#7 Guest_blahplok_*

Guest_blahplok_*
  • Guests

Posted 09 July 2005 - 12:45 PM

Every hour the database will refresh itself to a fresh install, allowing people to work on a clean system every hour.


is this not too fast? I think 2 or 3 hours would give us time to do more..

by the way this ide is nicely...

#8 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 10 July 2005 - 03:45 PM

Ok the server is done, I am taking a final backup and then the server will be turned on and ready to go. Enjoy just one more great resource provided to you from GSO!

#9 Guest_FLX_*

Guest_FLX_*
  • Guests

Posted 11 July 2005 - 05:14 PM

is there a way to see how much time is left till the next cleaning?

FLX

#10 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 11 July 2005 - 07:14 PM

go to http://www.governmen...org:81/time.php this is the clock on the server. It resets at the top of every hour.

#11 Guest_FLX_*

Guest_FLX_*
  • Guests

Posted 11 July 2005 - 11:42 PM

thanks :)
one thing tho: what is so war game about it when we know the admin pass?
would'nt it be way more fun if we dont know any pass and we need to deface it?

FLX

#12 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 12 July 2005 - 01:13 AM

Nah, the whole purpose is not to be able to deface the site that way. The idea is a place where guys can practice there security and exploit engineering skills. A place that they can use safely to discover more exploits. I understand that phpbb may be a bit more difficult for the new guys to discover any vulnerabilities. So in the near future I will start to add additional weaker applications.

#13 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 12 July 2005 - 01:57 AM

Nah, the whole purpose is not to be able to deface the site that way.  The idea is a place where guys can practice there security and exploit engineering skills.  A place that they can use safely to discover more exploits.  I understand that phpbb may be a bit more difficult for the new guys to discover any vulnerabilities.  So in the near future I will start to add additional weaker applications.

<{POST_SNAPBACK}>

Like Coppermine :)

#14 tibbar

tibbar

    First Sergeant

  • Members
  • 1,423 posts

Posted 12 July 2005 - 03:14 AM

i have a feeling something nasty might be possible by doing a restore database with something dodgy - perhaps a stored procedure that will execute on a certain table event?
If you want to read more about my security research, visit Tibbar.org

#15 myth

myth

    Staff Sergeant

  • Members
  • 408 posts

Posted 12 July 2005 - 03:41 AM

i have a feeling something nasty might be possible by doing a restore database with something dodgy - perhaps a stored procedure that will execute on a certain table event?

<{POST_SNAPBACK}>


Once the servers operational and we got snort running on it, thats on the list of snort rules to monitor that type of activity... But that may not be operational for up to another two weeks... Hopefully no more...