The results from our “Stickam’s Best Hacker” contest are in: Everyone failed. Not one of the contestants managed to access the server and deface a simple HTML page. Meisbret, the owner of the server who oversaw all technical aspects of the contest, here reveals one vulnerability that contestants could have exploited:
 
With the most recent Stickam Hacker Challenge, there were some worries as to whether the contest was rigged to prove no hackers were around by making it impossible to do. This write-up is to make everyone aware of the process by which it would have been possible to pull off the attacks needed to complete the challenge.

For those not aware, although I’m sure there are few that fall into this category, the challenge was to modify a static HTML page to include the “hacker’s” link to their Stickam profile. The challenge, which started out relatively easy, was mocked by many of the hackers who claim presence on the social networking site, so it was made progressively harder by blocking out many of the vulnerabilities that were present on the server until the known vulnerabilities were down to a single one. While many attempted, very few got close. From even the basics, such as the social engineering attacks that were attempted, all the way up to a few slightly advanced users spending multiple hours just trying to find a user account that existed on the server that could be used to gain access, they all still ended up coming up short.

The known exploit that was present on the server was used to complete the task in under half an hour by what could be considered a seasoned vet of the computer world, making it fully possible for someone willing to put in the time and effort to pull off the attack. The vulnerability lay in the Apache web server. It’s a vulnerability that allowed an attacker to execute code on the machine remotely. Apache was set up to be running as the root user (as opposed to nobody), what would be considered an administrative account in the Windows world. The remotely executed code was in effect used to create an account, by adding the attacker’s user account to the “passwd” file on the server, allowing the attacker to gain access to the server’s shell. Once access was granted to the shell, a quick look at configuration files told the attacker where to look for the HTML file that needed to be modified. The vulnerability in question is one that works against the mod_rewrite module of the Apache web server. The vulnerability, discovered and published in 2006 (CVE-2006-3747), can be read about at the following URL: http://www.securityfocus.com/bid/19204

The server was downgraded to a vulnerable version of Apache (2.0.63) and was known to be currently vulnerable at the beginning of the competition. There is quite a bit of information regarding the vulnerability all over the internet and security websites, making it a relatively easy one to find out about. An example of the attack, while not the one used, can be found on milw0rm (along with other places): http://www.milw0rm.com/exploits/2237

While it was a relatively advanced attack that needed to be pulled off, it was fully possible if the right amount of time was devoted. The goal of this challenge was not to defame the “hackers” of the social networking community, as a few of them are rather intelligent in what they can do, but merely to point out that they aren’t on a level where the community should fear the abilities they possess, and to encourage them to continue learning.
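Editor’s added example (not part of Meisbret’s write-up or the contest): two checks that follow directly from the attack chain described above. The first parses a Server banner and tells you whether the advertised httpd version sits inside the ranges the Apache project listed as affected by CVE-2006-3747 (1.3.28–1.3.36, 2.0.46–2.0.58, 2.2.0–2.2.2; fixed in 1.3.37, 2.0.59, 2.2.3). The second reviews a passwd file for the kind of root-equivalent account the write-up says the attacker appended after getting code execution. The banner used as sample input is the one posted in the comments below; the passwd lines, the account name h4x and its hash are constructed placeholders. A banner is only a hint: ServerTokens can hide the version, distributions backport fixes without changing it, and the mod_rewrite bug is only reachable through a RewriteRule that lets the client control the start of the rewritten URL, so confirm with the binary and the live rewrite rules before concluding anything. Whether the workers actually run as root is a separate check (the `User`/`Group` directives in httpd.conf, or `ps -C httpd -o user=` on the box).

```python
"""Added example: version-range check for CVE-2006-3747 and a passwd review.
Sample inputs below are constructed; the hash is a placeholder, not real."""
import re

# Affected ranges from the Apache advisory for CVE-2006-3747 (mod_rewrite
# off-by-one); fixed in 1.3.37, 2.0.59 and 2.2.3.
CVE_2006_3747_RANGES = (
    ((1, 3, 28), (1, 3, 36)),
    ((2, 0, 46), (2, 0, 58)),
    ((2, 2, 0), (2, 2, 2)),
)

# Server header as posted in the comments on this page (used as test input).
CONTEST_BANNER = ("Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b "
                  "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635")


def apache_version(server_header):
    """Return the httpd version as a (major, minor, patch) tuple, or None when
    the banner exposes no version (ServerTokens Prod, non-Apache server)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_in_cve_2006_3747_range(server_header):
    """True/False for a banner that carries a version, None when it has none.
    Only a hint: backported fixes keep old numbers, and the bug needs a
    RewriteRule that lets the client control the rewritten URL's start."""
    v = apache_version(server_header)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in CVE_2006_3747_RANGES)


# Constructed passwd sample: three ordinary entries plus one line standing in
# for the uid-0 login account the write-up says was appended by the attacker.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
h4x:$1$placeholder$notarealhash:0:0::/root:/bin/bash
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def suspicious_passwd_entries(passwd_text, known_users):
    """Return [(username, [reasons])] for entries a defender should look at.
    known_users is the baseline of accounts expected on the host, e.g. from a
    snapshot taken before the box was exposed."""
    findings = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, ["malformed passwd line"]))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        reasons = []
        if not uid.isdigit():
            reasons.append("non-numeric uid")
        elif int(uid) == 0 and name != "root":
            reasons.append("uid 0 account other than root")
        if name not in known_users and shell not in NOLOGIN_SHELLS:
            reasons.append("account not in baseline and has a login shell")
        if pw not in ("x", "*", "!", "!!"):
            reasons.append("password hash kept in passwd instead of shadow")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print("contest banner inside CVE-2006-3747 range:",
          banner_in_cve_2006_3747_range(CONTEST_BANNER))
    for name, reasons in suspicious_passwd_entries(
            SAMPLE_PASSWD, known_users={"root", "nobody", "apache"}):
        print(name, "->", "; ".join(reasons))
```

Run as-is it reports that the posted 2.0.63 banner is outside the advisory’s affected ranges (which is exactly the dispute in the comments below, and why a banner alone settles nothing either way) and flags the h4x line on all three counts: uid 0 without being root, an unlisted account with a login shell, and a hash sitting in passwd rather than shadow.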

64 COMMENTS

  1. Standard models of comparative advantage indicate that pushing specialization up the product scale in this fashion would be bad for an economy’s health: it would simply distort production and create efficiency losses.

  2. Yep, noticed that you had downgraded it. Performed a Retina audit — didn’t really feel like installing ActivePerl or anything. I even took the liberty to attempt to social engineer hopone (your host provider), in decision of RyanRohypnol… If I stayed on the phone for “the rep’s assurance” I’d have opened that from that approach, however my stupid ass hung up — and thus, the rep’s “mentality came back to reality” and my social engineering magic fell short-stop.
    Motherfuck.
    xyr0x

  3. ^^^
    I’ve been saying this for DAYS and no one listens to me!
    Seriously… Anthony can’t even pay for ramen without someone donating money… AND IT’S ONLY LIKE $.15! How do you expect him to pay for someone to go to LA???

  4. Lawl stickydrama you’re retarded, the banner information clearly said
    “Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 66.36.243.121 Port 80”
    while the links to milw0rm say for Apache 1.3.37, 2.0.59 and 2.2.3, while you were using Apache/2.0.63 which is default in all cPanel systems, and if there was an exploit for that 4564765 sites would have been owned by now, not to mention csf/lfd (which you had running on the box) wouldn’t let you even run Apache as root, meaning the contest was rigged

  5. Bullshit.. if Jon did what he said he was going to do with Mikeyy it would have worked. Unless he didn’t.
    Shit was rigged.

  6. The fucks that are bagging on the contestants? Where the fuck were you guys in the contest? Funny how you are all-knowing now. Should have put your money where your mouth is. And for the record I know nothing about hacking so JS

  7. Had this stayed private, and I hadn’t gotten a bill for around $700 for what effectively becomes owning an IP address that I can’t even use, it would still be happening. The server would still be online, and we would probably be on a whole new competition by now. However, just like chicks getting naked on stickam, there’s always one little shit that ruins it for everyone.

  8. I agree with Anti, if they dedicated all 2 days, it could have been done. But when people have lives other than trying to win a contest, it’s not enough time.

  9. lol don’t be so hard on yourself jeru. Also @ rofl cunts, no one gives a shit about your hacker groupie magazines and your e-penis. All Jon did was try to PuTTY, then he got stoned and passed out, I’m pretty sure, correct me if I’m wrong Jon. And in my opinion, I think there was enough time, and given enough effort I think 1 or 2 people could have done it if they had researched as much as possible.

  10. Fake ass contest, wasn’t shit on there to really exploit – me and Mikeyy knew of almost every “so-called” vuln that might work but idk…
    i r teh failest of faiL lulz

  11. LOL @ You guys using BackTrack and other people’s tools.
    Fuckin n00bs, i bet you can’t even write a socket in C

  12. I’m not going to lie, I’m pretty much stumped. Even if some people aren’t SUPAHAMAZINGGOOD, I know that it probably takes time to learn most of that stuff and I lack patience so kudos to anyone who tried.

  13. Stupid cunt, I think you failed to realize something.
    If “old ass niggas” were so against skiddies, why RELEASE their shit, or have their shit in a situation where it can be released….
    Getgood. thanks.

  14. lol I found the server’s IP on 15 forums, it’s cute how far this contest got
    but yeah, reading through all this it’s quite apparent that the allowed time to have accomplished the hack wasn’t enough… if I were to state anything it would be a repeat, but yeah good job to all, I def learned something

  15. lol @ using something public and none of you can do it, pretty sure I referenced reading SecurityFocus and Full-Disclosure the day the “contest” was announced.
    lol BackTrack. lol at not having your own resources/tools at the ready. BackTrack is used best as a local means to doing things, unless you’re completely new and need a central source for resources.
    My recommendation: Learn how to build a kernel, and set up your own. *nix makes it extremely easy to piece together a kernel, and there are already sandbox kernel distros in existence. Set up your makefile with the right params, make a copy of the GENERIC kernel config, check make.conf for any settings you may want to change…
    You can easily google all of this. These are all crucial things you should learn. Also, learn how to rebuild BSD’s world from sources, or to upgrade.
    Kudos to Jon.
    OSHIT MYK YOU SURE CALLED PEOPLE OUT. LOL WHAT’S AN HTACCESS?
    I could cite random ass shit to you too, and you’d look like the fool.
    Frankly, most of you should honestly punch yourself in the face for being such a skiddie. And LOL at the attempts to define script kiddy / hacker.
    Sorry, Mikey, coding a few “auto adders” and bullshit like that doesn’t make you a non-kiddie. You need to write your own tools, your own resources, and your own exploits. That’s how the big names of hacking got recognition. That’s why ShdwKnight and other old ass niggas were the best, and the name script kiddies was made for those who could barely code and used other people’s shit. Try reading some of the Phrack e-zines — that is the writing of a real hacker. Nynaeve.net is a good resource if you’re a Windows coder.
    Frankly, Bret could’ve used a more interesting approach.

  16. Actually, after taking a second look at Mikeyy’s post, he took advantage of the GET request, which I was talking to Anti about earlier.
    So if you people think that the “hackers” just talk a lot of game and can’t do shit, let’s see you do 1/10 of anything they can do.
    I’m sure 80% of you people who now shit talk because a page could not be edited don’t even know what an Apache server is, what mod_rewrite is, what a .htaccess is, or even a GET /. So please, realize how stupid you make yourself look.
    kty.

  17. Seems as if Mikeyy did the same thing I suggested that could have been done: scanning the server for all possible vulns.
    But the 2 days I saw the server actually up isn’t really enough time when half the people who “joined” the contest have real lives and aren’t on all day long..
    Noted the actual attack would take 30 minutes as Bret stated in the post, but that’s if you know EXACTLY what methods and vulns to use.
    So to make a long story short, not enough time IMO.

  18. Okay, so in my half-dead write-up I had the versions wrong, however the vulnerability still existed. My server has been down and offline for a few days now because of the IP being listed on pretty much every hacker forum known. Regardless of which, the server was still vulnerable to that attack, and could have been exploited by anyone, and was by the person who tested it.

  19. Mikeyy, weren’t you working on the guestbook exploit? And Daniel, is the full version of 4 out already? Or just the beta?

  20. Actually, I agree with Daniel..
    Here were my logs from my crawler:
    —————————————————————————
    —————————————————————————
    + Target IP: 66.36.243.121
    + Target Hostname: 66.36.243.121
    + Target Port: 80
    + Start Time: 2009-03-09 17:39:43
    —————————————————————————
    + Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP method (‘Allow’ Header): ‘TRACE’ is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
    + Apache/2.0.63 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
    + mod_ssl/2.0.63 appears to be outdated (current is at least 2.8.31) (may depend on server version)
    + OpenSSL/0.9.8b appears to be outdated (current is at least 0.9.8g) (may depend on server version)
    + FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
    + mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082.
    + FrontPage – http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
    + OSVDB-637: GET /~root – Enumeration of users is possible by requesting ~username (responds with ‘Forbidden’ for users, ‘not found’ for non-existent users).
    + OSVDB-0: GET /cgi-sys/formmail.pl : Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
    + OSVDB-0: GET /cgi-sys/guestbook.cgi : May allow attackers to execute commands as the web daemon.

  21. On day #1 I attempted @ it for about an hour with BackTrack.
    This is the Apache info and mods running:
    Apache/2.0.63 (Unix)
    mod_ssl/2.0.63
    OpenSSL/0.9.8b
    mod_auth_passthrough/2.1 mod_bwlimited/1.4
    FrontPage/5.0.2.2635
    Note, Apache was not 2.2.2.

  22. Yes, no one was successful at gaining any access to the server. I added robs link saying “Sucks Bret/Sticky Off” as a joke. It was something quick and retarded. No one ever gained any access.

  23. No non-contestant successfully accessed the server except Bret himself. Bret added his friend Rob’s name on the index page as a joke, and quickly removed it.

  24. I think it’s really funny, it just proves that all these stupid wannabe hackers are not REAL hackers, they are just stupid little kids that get the password to someone elses account.

  25. Yeah, someone did change the page but Sticky removed him. Even if he wasn’t a contestant, and since no one successfully ‘hacked’ in, it would be right and good for stickydrama to write his name.

  26. AT ITT TECHNICAL INSTITUTE OF INTERNET, I RECEIVED THE TRAINING I NEEDED TO BECOME A SUCCESSFUL HACKER!

  27. Oh, and I’m really surprised someone didn’t use BackTrack or anything like that, even though that would’ve been cheap to use, it still would’ve been better than failing completely.

  28. lol most of the fucks got banned immediately for port scanning and brute forcing. No one even had enough sense to get the OS fingerprint, OR scan for services, which is fucking common sense to do when you’re looking for an exploit. None of you that tried HTML-based attacks got ANYWHERE close, i.e. trying to get into the mail.bretcraven.com account. Even funnier, the server you were trying to access through that was the wrong one rofl. Owned imo

  29. Tbh, half of that shit is just retarded. It could have been much simpler trying to attack mail.bretcraven.com or even t35.com. When I scanned the server, it was not running Apache 2.2.2 as Sticky claims. A good attempt by a few people who entered. I simply laughed at the entire thing.
    I’m very surprised no one tracerouted the server, scanning each hop with a TON of available programs (via google) that will show or reveal vulns on the Apache server.
    I am ashamed of people who entered. I thought at least 1 or 2 would be able to complete the task.
    I myself did not actually try but did scan for available vulns.

  30. The fact is that someone DID get into it and leave their link, but the link was removed (I’m guessing because it was not a contestant).

  31. Hey 0oxjon, stop bragging, you posted a picture in the other thread and made sure to scroll up to where it said “you got the closest”. Who gives 2 shits, you still failed hard.

Comments are closed.