The results from our “Stickam’s Best Hacker” contest are in:  Everyone failed.  Not one of the contestants managed to access the server and deface a simple HTML page.  Meisbret, the owner of the server who oversaw all technical aspects of the contest, here reveals one vulnerability that contestants could have exploited:
 
With the most recent Stickam Hacker Challenge, there were some worries as to
whether the contest was rigged to prove no hackers were around by making it
impossible to do. This write-up is to make everyone aware of the process by
which it would have been possible to pull off the attacks needed to
perform the challenge.

For those not aware, although I’m sure there are few that fall into this
category, the challenge was to modify a static HTML page to include the
“hackers” link to their Stickam Profile. The challenge, which started out
relatively easy, was mocked by many of the hackers who claim presence on
the social networking site, so it was made progressively harder by blocking
out many of the vulnerabilities that were present on the server until known
vulnerabilities were down to a single one. While many attempted, very few
got close. From the most basic attempts, such as social engineering attacks,
all the way up to a few slightly advanced users spending multiple
hours just trying to find a user account that existed on the server that
could be used to gain access, they all still ended up coming up short.

The known exploit that was present on the server was used to complete the
task in under a half hour by what could be considered a seasoned vet to the
computer world, making it fully possible for someone willing to put in the
time and effort to pull off the attack. The vulnerability lay
in the Apache Web Server. It’s a vulnerability that allowed an attacker to
execute code on the machine remotely. Apache was set up to be running as the
root user (as opposed to nobody), which would be considered an administrative
account in the Windows world. The remotely executed code in effect was used
to create an account, by adding the attacker’s user account to the “passwd”
on the server, allowing the attacker to gain access to the server’s shell.
Once access was granted to the shell, a quick look at configuration files
told the attacker where to look for the HTML file that needed to be
modified. The vulnerability in question is one that works against the
mod_rewrite module of the Apache Web Server. The vulnerability in question,
discovered and published in 2006 (CVE-2006-3747), can be read about at
the following URL: http://www.securityfocus.com/bid/19204

The server was downgraded to a vulnerable version of Apache (2.0.63) and was
known to be currently vulnerable at the beginning of the competition. The
vulnerability has quite a bit of information regarding it all over the
internet and security websites, making it a relatively easy one to find out
about. An example of the attack, while not the one used, can be found on
milw0rm (along with other places): http://www.milw0rm.com/exploits/2237

While it was a relatively advanced attack that needed to be pulled off, it
was fully possible if the right amount of time was devoted. The goal of this
challenge was not to defame the “hackers” of the social networking
community, as a few of them are rather intelligent in what they can do, but
merely to point out that they aren’t on a level where many in the community
should fear the abilities that they possess, and to encourage their learning
to continue.
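
The two conditions the write-up above relies on, a web server configured to run as root and a new entry appearing in passwd, are both things an administrator can audit for. The Python sketch below is an added example, not part of Meisbret's write-up or the contest server's setup; the sample httpd.conf and passwd contents, the baseline account list and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the contest server).
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/apache"
# User nobody
UserDir public_html
User root
Group root
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
support:x:0:0::/home/support:/bin/bash
guest2:x:501:501::/home/guest2:/bin/sh
"""
KNOWN_ACCOUNTS = {"root", "nobody", "webadmin"}  # assumed known-good baseline
NO_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", ""}

def apache_run_user(conf_text):
    """Return the value of the last uncommented User directive, or None.
    Does not follow Include files; feed it the merged configuration."""
    user = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*User\s+(\S+)", line, re.IGNORECASE)
        if m:
            user = m.group(1).strip('"')
    return user

def runs_as_root(user):
    """True if the User value is root by name or by numeric id ('#0')."""
    return user in ("root", "#0")

def audit_passwd(passwd_text, baseline):
    """Return (extra_uid0, unknown_logins) from passwd-format text."""
    extra_uid0, unknown_logins = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and name != "root":
            extra_uid0.append(name)        # second superuser account
        if name not in baseline and shell not in NO_LOGIN_SHELLS:
            unknown_logins.append(name)    # login-capable, not in baseline
    return extra_uid0, unknown_logins

if __name__ == "__main__":
    user = apache_run_user(SAMPLE_HTTPD_CONF)
    print("Apache User:", user, "-> runs as root" if runs_as_root(user) else "")
    print("passwd findings:", audit_passwd(SAMPLE_PASSWD, KNOWN_ACCOUNTS))
```

Run against the real files, the baseline should come from a copy of passwd taken before the server was exposed, so that any account added afterwards stands out.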

64 COMMENTS

  1. Standard models of comparative advantage indicate that pushing specialization up the product scale in this fashion would be bad for an economy’s health: it would simply distort production and create efficiency losses.

  2. Yep, Noticed that you had downgraded it. Performed a Retina audit — Didn’t really feel like installing ActivePerl or anything. I even took the liberty to attempt to Social Engineer hopone (your host provider), in decision of RyanRohypnol… If I stayed on the phone for “The reps assurance” I’d have opened that from that approach, however my stupid ass hung up — and thus, The rep’s “mentality came back to reality” and my Social Engineering magic fell short-stop.
    Motherfuck.
    xyr0x

  3. ^^^
    i’ve been saying this for DAYS and no one listens to me!
    seriously… Anthony can’t even pay for ramen without someone donating money… AND ITS ONLY LIKE $.15! how do you expect him to pay for someone to go to LA???

  4. Lawl stickydrama you’re retarded the banner information clearly said
    “Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 66.36.243.121 Port 80”
    while the links to milw0rm say for apache 1.3.37, 2.0.59 and 2.2.3 while you were using Apache/2.0.63 which is default in all cpanel systems and if there was an exploit for that 4564765 sites would have been owned by now not to mention Csf/lfd (which you had running on the box) wouldn’t let you even run apache as root, meaning the contest was rigged

  5. bullshit.. if jon did what he said he was going to do with mikeyy it would have worked. unless he didn’t.
    shit was rigged.

  6. the fucks that are bagging on the contestants? Where the fuck were you guys in the contest? Funny how you are all knowing now. Should have put your money where your mouth is. And for the record i know nothing about hacking so JS

  7. Had this stayed private, and I hadn’t gotten a bill for around $700 for what effectively becomes owning an IP address that I can’t even use, it would still be happening. The server would still be online, and we would probably be on a whole new competition by now. However, just like chicks getting naked on stickam, there’s always one little shit that ruins it for everyone.
