
Whack a Box


  • Whack a Box

    So I've been playing with the idea of running a whackabox during the con. Basically it will be a computer sitting on the wireless which can be hacked on. However, there is a bit of a twist.

    The box will be running a basic webpage which will announce that it is indeed the whackabox and it's OK to attack. It will also have links to the source code for 2 of the 5 hackable services running on the box. The binary of the third service will also be available.
    Along with the links to the services' software will be some code for a basic egg and information on how to assemble and use it. It will be left up to the hackers to figure out how and when to inject it.

    The ports of the services will NOT be listed and will need to be discovered!

    Not all of the services will be hackable by getting shell - i.e. the first service may just be running bad rules that let you get to some of the files it's hosting.

    The final goal is to find and modify the graffiti file by putting your handle in it.
    echo "yourhandle" > graffiti
    Is all you need to do. HOWEVER, it MAY be a good idea to look around a bit - who knows what information I may have accidentally left in there...

    Once you have modified the file the system will disconnect you and log that you have broken through that specific service. The first people to break through each service may receive fabulous prizes, with the grand prize to the first person to break through the 5th and hardest service. Prizes can be anything from pocket lint to fabulous fabulous booze! (21 and over)

    Some of you may be wondering: is the whole box hackable!? - No, it's not. You can try but I highly doubt it is going to happen. Each sub program is run in a jail after being setuid to a very very restricted user. The only file that can be written is the graffiti file, and it's not a real file (fuse) and once written will close the service instance you have hacked. NOTE it will only accept 1024 characters - any more will be truncated, so don't try being stupid and dumping a gigabyte into it. You will have access to cat and echo and that's about it... good luck using them!

    All of the services are managed by the whackabox program, which handles starting each service when it gets a connection on the port for the service and then piping the socket I/O into it. It also manages the score and the fuse files. This means that each person gets their own fresh instance of a service. However, for the sake of sanity there is a 10 min limit before it will kill your instance, so work fast.

    If anyone is interested please contact me, and if I get enough I'll finish setting the box up.
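An added sketch of the supervisor design described in the post above (not part of the original post and not the poster's code): one fresh process per connection, a pre-exec hook that enters the jail and drops to a restricted user, a kill at the time limit, and a graffiti write capped at 1024 characters. All function names, the scoreboard layout and the sample commands are assumptions made for illustration.

```python
import os
import subprocess
import sys

GRAFFITI_MAX = 1024     # from the post: longer writes are truncated
INSTANCE_LIMIT = 600    # from the post: 10 minute limit per instance


def jail(root, uid, gid):
    """Return a pre-exec hook: chroot while still root, then drop to uid/gid."""
    def hook():
        os.chroot(root)
        os.chdir("/")        # do not keep a working directory outside the jail
        os.setgroups([])     # drop supplementary groups before changing ids
        os.setgid(gid)       # group first: after setuid this would be refused
        os.setuid(uid)
    return hook


def run_instance(argv, client_bytes, limit=INSTANCE_LIMIT, preexec=None):
    """One fresh process per connection; returns (output, timed_out)."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, preexec_fn=preexec)
    try:
        out, _ = proc.communicate(client_bytes, timeout=limit)
        return out, False
    except subprocess.TimeoutExpired:
        proc.kill()          # limit reached: kill this instance only
        out, _ = proc.communicate()
        return out, True


def write_graffiti(scoreboard, service, data):
    """Accept one graffiti write: truncate, log the service as broken, close."""
    handle = data[:GRAFFITI_MAX].strip()
    scoreboard.setdefault(service, []).append(handle)
    return handle, True      # True tells the supervisor to close the instance


if __name__ == "__main__":
    # Constructed sample service: echoes its input back.
    echo = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]
    print(run_instance(echo, b"hello\n"))
    board = {}
    print(write_graffiti(board, "service1", "yourhandle\n"), board)
```

The `jail` hook only works when the supervisor itself runs as root, for example `run_instance(argv, data, preexec=jail(root, uid, gid))` with a jail directory and ids of your choosing.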


  • #2
    Re: Whack a Box

    Isn't this what Capture The Flag already is? Am I missing something here?

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


    • #3
      Re: Whack a Box

      The box will be running a basic webpage which will announce that it is indeed the whackabox and it's OK to attack
      The DC wireless network being what it is, announcing that it's okay to attack your box seems about as pointless as standing in a thunderstorm saying it's okay if you get rained on.

      Between CTF and oCTF, the competition part of this idea is already in place. There are also more than enough computers sitting on the network with unsecured services that any ol' script kiddie can play with.

      I'm not really saying that you shouldn't do it, just that it's already been/being done. In the past I have seen networks and machines that happily broadcast "Hack Me", or even "Cant Hack Me", just trying to get people to mess with 'em.
      Of course its fully cooked... we had it set on "linen".


      • #4
        Re: Whack a Box

        Yeah, if you have a box idea, check with the OC guys....maybe they would put your box on their network or something...

        The fear is that you are just reinventing the wheel- (I could tease the geochallenge guys here but I won't ;)

        But hey, do what you want :)


        • #5
          Re: Whack a Box

          True, this does seem a lot like CTF and that sorta was the point. At least in years past, to do CTF you needed a team and a lot of work to participate, along with a reasonable skill set. I'm trying to target a more noobish audience - think of it as CTF lite. Part of the goal of the contest is to introduce people to some of the concepts involved with security flaws commonly found in software and methods of exploiting them. It's more of a learning experience than a contest.


          • #6
            Re: Whack a Box

            Originally posted by ic434
            ... I'm trying to target a more noobish audience - think of it as CTF lite. ...
            Isn't what you just described covered by "Amateur CTF/Open CTF"?
            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird