So I've been playing with the idea of running a whackabox during the con. Basically it will be a computer sitting on the wireless which can be hacked on. However, there is a bit of a twist.
The box will be running a basic webpage which will announce that it is indeed the whackabox and it's OK to attack. It will also have links to the source code for 2 of the 5 hackable services running on the box. The binary of the third service will also be available.
Along with the links to the services' software will be some code for a basic egg and information on how to assemble and use it. It will be left up to the hackers to figure out how and when to inject it.
The ports of the services will NOT be listed and will need to be discovered!
Not all of the services will be hackable by getting shell - i.e. the first service may just be running bad rules that let you get to some of the files it's hosting.
The final goal is to find and modify the graffiti file by putting your handle in it.
echo "yourhandle" > graffiti
Is all you need to do. HOWEVER, it MAY be a good idea to look around a bit - who knows what information I may have accidentally left in there...
Once you have modified the file the system will disconnect you and log that you have broken through that specific service. The first people to break through each service may receive fabulous prizes, with the grand prize to the first person to break through the 5th and hardest service. Prizes can be anything from pocket lint to fabulous fabulous booze! (21 and over)
Some of you may be wondering: is the whole box hackable!? - No, it's not. You can try but I highly doubt it is going to happen. Each sub program is run in a jail after being setuid to a very very restricted user. The only file that can be written is the graffiti file, and it's not a real file (fuse) and once written will close the service instance you have hacked. NOTE it will only accept 1024 characters - any more will be truncated so don't try being stupid and dumping a gigabyte into it. You will have access to cat and echo and that's about it... good luck using them!
All of the services are managed by the whackabox program, which handles starting each service when it gets a connection on the port for the service and then piping the socket I/O into it. It also manages the score and the fuse files. This means that each person gets their own fresh instance of a service. However, for the sake of sanity there is a 10 min limit before it will kill your instance, so work fast.
If anyone is interested please contact me, and if I get enough I'll finish setting the box up.
Cheers!
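The containment model described in the post (a fresh instance per connection, a jail plus a restricted user, a 10 minute kill timer and a 1024-character cap on the graffiti write) can be sketched as follows. This is an added example, not the whackabox program itself; the function names, the jail path and the uid/gid values are hypothetical, and the graffiti cap is shown as a plain function rather than a FUSE file.

```python
import os
import socket
import subprocess

GRAFFITI_MAX = 1024       # cap on the graffiti write, as stated in the post
INSTANCE_LIMIT_S = 600    # 10 minute per-instance limit, as stated in the post

def clamp_graffiti(data: bytes) -> bytes:
    """Truncate an oversized write instead of storing it."""
    return data[:GRAFFITI_MAX]

def drop_privileges(jail_dir: str, uid: int, gid: int):
    """Build a preexec hook (needs root). Order matters: chroot while still
    root, then shed supplementary groups, then gid, and uid last."""
    def _enter_jail():
        os.chroot(jail_dir)
        os.chdir("/")          # do not keep a cwd handle outside the jail
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)         # after this, root cannot be regained
    return _enter_jail

def run_instance(conn, argv, limit_s=INSTANCE_LIMIT_S, preexec=None):
    """Run one fresh service instance with stdin/stdout wired to the socket.
    Returns the exit code, or None if the instance hit the time limit."""
    proc = subprocess.Popen(
        argv,
        stdin=conn.fileno(),
        stdout=conn.fileno(),
        stderr=subprocess.DEVNULL,   # no error detail leaks to the client
        preexec_fn=preexec,
        close_fds=True,              # child inherits no other descriptors
    )
    try:
        return proc.wait(timeout=limit_s)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()                  # reap so no zombie is left behind
        return None
    finally:
        conn.close()                 # disconnect the client either way

if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted connection.
    client, server_side = socket.socketpair()
    client.sendall(b"yourhandle\n")
    client.shutdown(socket.SHUT_WR)
    print(run_instance(server_side, ["cat"]), clamp_graffiti(client.recv(4096)))
```

On a real host the hook would be passed as `preexec=drop_privileges("/srv/jail", 65534, 65534)` (constructed values) by a supervisor started as root.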