Monday, 4 August 2008

Farewell to Scortile

Our fellow challenger, Scortile, passed away last month in a car accident, at a young age of 23. The sad news was delivered to Gizmore by his brother. An article of the accident is available here: http://www.ad.nl/utrecht/2466511/Ongeluk_met_dodelijke_afloop.html

Scortile had been around in the challenger world since 2003. He was active in many popular challenge sites, among which are TheBlackSheep, HackQuest, Rankk, and of course WeChall. He was especially skillful in cracking, with 63.46% crackits solved at TBS. And he is currently holding the record of achieving the quality of 82% for fuzzy fingerprinting attack against an SSH private key, as part of a challenge at WeChall.

It was just a year ago that Scortile expressed his desire to compete with rhican and pvcuong on the race to the top. But now he's gone. Forever.

Farewell to him! May he rest in peace!

Saturday, 26 April 2008

Net-Force

I guess it's time to promote another challenge site: Net-Force.

Net-Force is a dutch challenge site with challenges divided into categories similar to TheBlackSheep and HackQuest. The challs are mostly in English, however.

At Net-Force you are ranked according to the ancient Roman empire, from slave to general. At the moment using some magic rhican is the second general there, having solved all the challs :O

And as promised by ilias, Net-Force will be a new member of the WeChall network "pretty" soon.

Friday, 21 March 2008

Hacking school

Most challenge sites have a ranking, where people can compare themselves with other challengers. It is a great source of motivation, but also on the other hand, the root of all evil. Many people have been competing dishonestly by trading solutions, begging for hints and cheating. A true challenger would not want to see that other side of the challenger world. And as a result, a group of topgamers, among which relee, rayden5, bb and chrisi, worked together and finished a cool project - the hacking school.

The main purpose of the hacking school was to create an educational challenge site where people can learn and grow their skills, and especially, cheating and solution trading are prevented. The challenges are reviewed by the "group leaders" for quality assurance, so that only good ones are published. The solutions are different for each user, and all solution attempts are monitored, so that "swapping answers" will not work.

Hacking school was built over 2 years, but in the end for an unknown reason only a framework was released. The framework was hosted at http://www.hacking-school.org, but for an unknown reason it is down for now. You can still have an overview of the site from the Wayback Machine, and if you want a copy of the framework, feel free to contact me.

Tuesday, 26 February 2008

Nature of a challenge site

Challenge sites have been around for quite a while. The first one that this writer knows is Cyberarmy's Zebulun, which was started around 1999, at about the time the browser market was dominated by Internet Explorer and Netscape. Over the years, many have sprung up in different corners of the web. Some have survived the changing face of the Web and are doing well, some have been neglected by their founders while others have faded away. New ones have been born and as I write, even newer ones are being conceptualised and coded.

This article is an attempt to describe the characteristics of a challenge site according to the writer's best knowledge. Feel free to share your thoughts :)

1) Single vs multiple domains

Some challenge sites offer challenges based on a single domain, be it mathematics, programming or hacking. Sites in this category include Electrica and Project Euler. Others offer a mixture of domains, from logic to programming to hacking to cryptology to stenography.

2) The need to register

Most challenge sites require you to sign up, but some, such as notpron, don't. The former has the advantage of identifying the solvers persistently so that when they return weeks or months later, they are still recognised.

3) Challenge presentation

The challenge is presented on a web page and is usually accompanied by an input field for solution submission. Typically the same challenge is presented to the solvers with a single, unchanging solution (though this solution may be periodically changed to foil cheating). However, it's also possible for the same challenge to be presented but with different inputs to make the solution unique for everybody.

4) Method of solving

There are two types:

a) Static
The challenge is presented and the solver can take any amount of time to solve it. He then submits the solution via an input field and gets a feedback instantaneously.

b) Dynamic
The challenge changes with every access and has to be "understood" and solved by a script. Usually there's a time limit on solution submission, like within 2 seconds. Challenges of this nature are harder to "cheat".

5) Hall of Fame or Ranking

Most, if not all, challenge sites implement a Hall of Fame (HOF) page to give the solvers an idea of how they are fairing relative to the others. Typically, the HOF lists the solvers and their challenge completion statistics in a hierarchical manner. It helps to inject a competitive element and is a source of motivation to the solvers.

6) Private Message

At some point during their stay, solvers will need to communicate with fellow solvers privately. Sometimes, it's just for getting to know the other person, while at other times, and perhaps more commonly, it's to seek "enlightenment" on a challenge. While not strictly necessary, it is nevertheless a popular feature amongst challenge sites.

7) Forum

The forum brings all the solvers together and is usually the first place to look for hints or to seek clarifications on a challenge. It's also the place to chill, to post congratulatory messages, or to whine about a challenge.

8) Challenge rendering

This is the meat of a challenge site. It is where the challenges are presented. There are different flavours:

a) Strictly linear
In this scheme, the challenges are accessible one at a time and in order of difficulty, from easy to difficult. You solve the current challenge and move on to the next (presumably) harder challenge. The old Cyberarmy, which enjoyed a phenomenal success during its peak, was implemented in this way. Others, such as Mod-x, are also modelled after this scheme.

b) Scatter or non-linear
In a scatter scheme, all the challenges are accessible to the solver, without any restriction on the order of solving. You can solve the easy challenges or the harder ones at any point in time. This is quite a popular model to present the challenges. Hackquest and TheBlackSheep, to name but a few, are modelled after this scheme.

c) A Hybrid
As the name suggests, this scheme is a cross-breed of the strictly linear scheme and the scatter scheme. For this scheme to work, the challenges are organised into levels, with a fixed or variable number of challenges at each level. It is linear in the sense that the solver needs to complete all or a certain number of challenges in a level to progress to the higher level. It is scatter in the sense that, in each level, the solver can freely attempt the challenges in any order. Slyfx and Rankk use the hybrid scheme.

9) Profile

Most challenge sites have a profile feature. This page displays the solver's personal information, such as country, age, hobbies and so forth, along with challenge completion statistics. It is like the solver's resume, if you like, acting as an informational link between the solver and the outside world.

Monday, 18 February 2008

WeChall goes beta

Finally! The WeChall project has entered the beta stage, all thanks to Kender who generously provided the host and domain. Now you can have a quick glance of the project at http://www.wechall.net.

As I probably have mentioned in the previous posts, the main purpose of WeChall is to provide a universal challenger tracker. There you can create an account, link it to other challenger accounts on other sites, see how you are ranked among the top challengers around the world, and of course discover cool new challenge sites.

For now we have successfully linked to 3 of the most popular challenge sites: TheBlackSheep, HackQuest and Rankk. Linking to the fourth challenge site, Net-Force, will be done soon. And we are always looking forward to expand our network. If you are a challenge site owner and want to join the WeChall network, follow this guide and contact either me or Gizmore :)

The project is still at an early stage, and we encourage challengers to sign up, link to their challenger accounts and help improve the site. At the moment we are working to create a cool and unique design for the site. If you have any idea or would like to contribute, feel free to contact us :)

Thursday, 14 February 2008

Project Euler

Hey guys,

As I mentioned Project Euler in the last post, I guess it's now time to write something about it :P

Project Euler is a site mainly focused on Maths. There you can find a series of Math-related problems, most of which require some Maths knowledge and programming skills. All problems have been designed so that after some research and analysis, you can optimize your program to get the solution in less than one minute.

With new problems added weekly, Project Euler now has more than 180 problems and has attracted more than 19000 mathematics enthusiasts from all over the world.

Have a taste of Project Euler!

Sunday, 13 January 2008

The rhican rampage

Yeah, that's surely the right word for the recent challenge site pwnzor incidents. Within just a few months, rhican was able to find exploits in almost all big challenge sites, where security had been taken into consideration by the site administrators.

Everything started with the soft-hyphen bug that rhican found on Electrica and HackQuest. Then rhican mysteriously found a way to pwnzor flamecruiser's account at HackQuest. Next he found an XSS bug on rankk. Then again he mysteriously found a way to eavesdrop the conversation between Inferno and alt3rn4tiv3 at TBS. It was kinda cool back then, when things like that were thought to be impossible.

The topic became hot once again in late 2007 when rhican published an SQL injection on Electrica, which put every account in danger of being compromised. Things became chaos when rhican posted whiteboy's challenger password to the public, and even gave noobs free access to all the solutions. That put an end to the site - after a long period when noobs rushed their ways to the top, today the database was inaccessible, not sure if it was taken down for maintenance by Caesum or pwnzored by a noob.

And the rhican pwnage doesn't seem to have come to an end. A few days ago, yet another SQL injection was found and published by rhican. This time the victim was slyfx. Everyone in the challenger world was driven to the same feeling: all challenge sites are insecure, and will be pwned by rhican someday. Now the question is, what will be rhican's next target? I myself would be excited to see he pwning hackits.de or hackthissite.org, the sites with many script kiddies thinking of themselves as 1337-h4x0r5.

Now if you are feeling sorry for those challenge sites and wondering what's the world going to become, I'll let you in for some good news. You know, nothing in life is entirely good nor bad. Thanks to hacking, bugs have been fixed to make life better. A brand new challenge site is being developed by whiteboy and probably will be popular soon. And whiteboy is taking every consideration to make sure it's rhican-proof :) I'll be one of the beta testers, so be sure to tune in on for the next chapter :)

Update: TBS, or rather altn3rn4tiv3, fell victim to rhican again. This time using an old CSRF bug that hasn't been fixed for years, rhican was able to borrow alt3rn4tiv3's hands to wipe away the biggest spam topic on TBS - "Let's count... The number topic" by BaRa. I'd say it's an achievement to get rid of this big waste of time and space :)

Sunday, 6 January 2008

Vulnerabilities in challenge sites

Many challenge sites are about internet security, and probably that's the most interesting part of them. Beginners refer to them as hacker games, and think that by joining them you'll become a very 1337 h4x0r. And of course the sites should be very secure, and the admins must be experts in computer security. Well, that is not always true.

Security is a complicated subject. Although the theory is relatively easy to grab, in practice, it is almost impossible to achieve absolute security. Many techniques, frameworks and tools have been created to make security easier to achieve, but as challenge sites have been around since the 90s, most of them are still developed on old systems and do not employ the latest (and heavyweight) technology needed to build a secure system. And no matter how much you try, it is still very easy to make human mistakes that will lead to disasters.

Today I will give a brief review of vulnerabilities in challenge sites I have played, some of which are minor, some of which are serious which lead to total pwnage of the whole site.

The oldest vulnerability I know of was at Ma's Reversing. Being developed on an old technology, it used url rewriting for session tracking. The session id was included in the url as a GET variable. Normally this is only a serious problem in case of shared computers, as the session id is exposed in the browser history. But the site was also using an external visitor tracker, ExtremeTracking, which logged the http referer header of the visitor. The session id was exposed to public, and Harlequin successfully used this to get access to another user's account.

Another challenge site that suffered from insecurity was HackQuest. In 2004, a hacker pwnzored skyflash's account by exploiting a bug in phpbb. And last year multiple XSS vulnerabilities were found and exploited in the wild (I myself was able to collect some cookies too :P). Not to mention the soft-hyphen bug found by rhican.

TheBlackSheep, one of the most popular sites, was not that secure either. In 2004 when the forum search feature was introduced, Erik got many PMs reporting about SQL injection bugs (one of which was mine :P). And recently, rhican found a way to read PMs between Inferno and alt3rn4tiv3 (how he did it is still a mystery :P). And there's an XSS bug in one of the challenges that put everyone in danger too.

But things could have gone worse than that. Electrica, a challenge site by Caesum, was vulnerable to SQL injection, although the owner had tried his best to filter everything. rhican has totally infiltrated the site, hijacked some famous accounts, and even published the injection that gives away the solutions to all the challenges. The worst thing a site owner could have experienced in his whole life.

Want more? I myself have found some XSS bugs at spy-games, DareYourMind, and even project Euler. Another XSS bug at rankk was found and reported by rhican. And just a few days after I joined HellBoundHackers my account got deleted by a hacker who even pwnzored the whole database.

So what's the lesson? Do not reuse the same password for multiple accounts - every security researcher would want to say that, but it's easier said than done. Anyway, just choose a software that you find the most suitable with, and if none suits your needs, invent a solution for yourself :P

And before I forget to mention, you should have a look at this cool challenge site for a quick laugh: pardio.net. Probably that's the worst challenge site ever. There you can find every noob vulnerability, which could even give you the FTP password. I and cryptodoggy infiltrated this site a few years ago, but the site owner hasn't discovered until now, and hasn't even changed the password either :D