
OTB @ DC16: Sanitized for your protection


  • OTB @ DC16: Sanitized for your protection

    [ As posted to Full-Disclosure and ISN like two weeks ago, sorry I didn't add it here yet. ]

    [Where? When? Neil added it to the schedule. As below, we share space with OCTF this year (thanks DC949!) and run all day Saturday. Meet up in the contest area around 10 when they open the doors, or grab me sometime Friday. I'll be wearing a priest collar that day and should be easy to spot.]

    OWN THE BOX@DC16: PWNING FOR DOLLARS.

    Own The Box, now in year 0x01, continues its hallowed tradition of creating temporary autonomous zones of random people asking to be haxored. We're a defender contest, of sorts, which means the following:
    • Contestants bring an IP-enabled device, running some services
    • We invite all DefCon attendees to attack these services
    • ????
    • PROFIT


    # NEW YEAR, NEW RULES

    This year, we made some changes to the format: Instead of asking defenders to offer up their hardware to successful attackers, we're glomming on to the Vegas spirit and making this a contest of cold, hard cash.

    Defenders pay a nominal entry fee, matched by contest organizers, the Cosa Nostra, and Dan Kaminsky's grandma. The winning entry, based on services uptime and our patented PwnOMeter(tm), gets the cash, as a tab at the Splash bar, on Sunday afternoon.

    We're also partnered up with the good folks of OCTF, so entries will be targets in their event, and given varying point levels in OCTF throughout con, guaranteeing a dedicated pool of attackers to bring the love.


    # OFFICIAL CALL FOR BOXEN:

    If you've followed the DC forums, you know the drill. Services this year will need to do $SOMETHING, specifically our scorebot will be sending you a Base64 token, every five minutes, to check your service is functioning. We can get the token to you just about any way you like, though HTTP(s), SMTP, (s)FTP, TFTP, etc, just give us fair warning what you have in mind.

    You'll also receive tokens to install locally for each service, and one readable by root / admin / sysopr / etc.

    Beyond that, show up, buy us beer, and come have fun. Mail ownthebox [at] cipherpunx [dot] org with questions, comments, ridicule, derision, and pics of your Mom.
    Poll results (7 votes):
    • More fun than should be legal in most states: 85.71% (6)
    • Epic fail with occasional bright moments: 0.00% (0)
    • A lot bigger than any of us expected: 14.29% (1)
    • I am Theo, and I am bringing a box: 0.00% (0)

    "Raise a toast to ... I think he might have been our only decent ."

  • #2
    Re: OTB @ DC16: Sanitized for your protection

    Guys/Gals,

    Unfortunately I will have to deploy at the next group event.

    One of my partners who was building several components has backed out, due to job change, with a physical move several states away, and a house to sell in today's market. Sort of a 'burn notice' type of deal, but not much choice.

    How about this? I'd like to change the terms of my entry in the contest. I will outline the design here, now, and you tell me how you would approach exploiting this machine. If you have a viable approach, and can reasonably explain it, I will give you (first come, first serve, of course), my half of the original stake, which was going to be 500 something. My share was 200, so I'll put that up for something easier. But you have to have a real approach, based on some real target research, no 'punch and pray'/'spray the target', crack, smack 'n jack session. No active sonar, and zero footprint. Has to be tailored and viable, tadpole.

    The machine is a standard Dell minitower, Optiplex with a 2.4 G X86 chip, 4 Gb main memory. The network card is a Killer NIC, running a custom linux kernel with inline snort that is filtering out known sigs and replacing with pad. It feeds a Windows XP instance locked down with the standard desktop secure workstation registry settings template. On top of the XP is a copy of gsx server, running two VMs, one Sol 9, and one Centos 5, with se extensions. The 9 server is locked down iaw cis guide, runs a copy of Bea 10 and hosts a minimal web site. The Centos VM hosts a copy of Apache. The two VMs run sshd's that send regular traffic to each other (files via sftp, and log into each other to run a few maintenance simulation scripts). There is OVO running on the 2.6 machine and the 9 has CSA on it, blocking most all of the standards. The console is down on the XP load, so the ssl is from the VM to the host OS for CSA. OVO is receiving traffic via a piece of code running on the 2.6 that is simulating a MOM server. The host XP has a copy of twire running that is sending messages to a windows service acting as a mailer, but is just a program that initiates a release / renew to the network card connection should any of the files not match each time it runs, and then it kicks off an AV run of a standard, enterprise wide AV engine with current sigs over the base. Most of the daemons have keep alives in the form of restart scripts that ensure robustness; resource exhaustion is not really viable with this build. Think more about active protocol exploitation, via standard paths. Not by strength, by guile.....

    That's about it. I have the base up, but no VMs, and no time to finish it on my own, at the last minute. Sorry for the wuss-out, but I am not good enough to build, test, and deploy a perfect box in two days. I'll bring out something similar next venue, this has been too much fun so far to quit now. Again, apologies, and it will be at the next event with a like contest.

    Now that's the target. Oh yeah, one more thing. You have to figure out who to present your solution to at DC. Test of your social skills. I'll be around, and I promise not to clear leather at anyone's approach. Your pass 'phrase that pays' is something Bruce Campbell might say, and claim he said it, 'mostly', of course.....

    Best, H
    ZZ



    • #3
      Re: OTB @ DC16: Sanitized for your protection

      Skoot,

      My box is on the way... TSA said no way lol... but I have other means.

      I will meet it there tomorrow night. Do we need to notify you of the method for uploading keys? I need to probably talk to you about it beforehand.

      Plus I am getting in on Thursday night (only flight I could find) at like 2200hrs, am I gonna be able to still get in? I'd hate to be sitting outside because there are no more tickets left. How late can I buy admission on Thurs?

      Thanks man, can't wait to meet ya.

      Homeslice (tm)
