CORDIAL MINUET ENSEMBLE

??????

You are not logged in.

#1 2015-01-23 04:08:57

Illuminati
Member
Registered: 2015-01-12
Posts: 15

Hacking Challenges

Have all the hacking challenges been completed?
http://cordialminuet.com/hackingChallenge.php

Just wondering, I have a large arsenal that can be of great use. Didn't pick this username for nothing!

Offline

#2 2015-01-23 04:26:20

sjon03
Member
Registered: 2015-01-12
Posts: 24

Re: Hacking Challenges

I don't think any of them have been completed. Go for it and deposit the $3000 into the game!

Offline

#3 2015-01-23 16:56:47

computermouth
Member
Registered: 2014-12-27
Posts: 134

Re: Hacking Challenges

I poked around at the few PMA vulnerabilites I've read about over the years(but can't actually find his PMA location(if he even uses it)), some of the source code, and packet injection. You might be surprised how much of it JR has clearly thought out once you start digging around.

Last edited by computermouth (2015-01-23 16:59:55)


Try Linux, get free. #!++ (CrunchbangPlusPlus) is a stable distribution based on Debian 8. Keep it fast, keep it pretty.

Offline

#4 2015-01-27 05:16:04

jasonrohrer
Administrator
Registered: 2014-11-20
Posts: 802

Re: Hacking Challenges

Yeah, I don't use PHPMyAdmin.... but, it's installed as part of cPanel.

Which reminds me, I usually leave all those web-admin (cpanel, etc) ports blocked by apf.

When I need to use web admin stuff, I log in via SSH (using YubiKey authentication) and then temporarily open those ports, and close them after I'm done.

But I had gotten lazy and just left those ports open.  Just closed them off.

The original concern wasn't even Cpanel vulnerabilities, but instead the simple fact that cPanel login is password-only and doesn't support 2-factor authentication.

Offline

#5 2015-01-27 06:14:54

computermouth
Member
Registered: 2014-12-27
Posts: 134

Re: Hacking Challenges

Probably for the best. I've only recently started dipping my toes in webdev stuff, but I've already heard a bit to convince against using cpanel. Sounds like you've got it covered though. I'll cross web-logins of the list of possible weakspots!

I've gotten to a few YubiKey prompts poking at your server. It's a pretty neat idea. But how does it really work? Is it phoning home to check the code? Or are the codes relative to some installed key?


Try Linux, get free. #!++ (CrunchbangPlusPlus) is a stable distribution based on Debian 8. Keep it fast, keep it pretty.

Offline

#6 2015-01-27 07:03:02

jasonrohrer
Administrator
Registered: 2014-11-20
Posts: 802

Re: Hacking Challenges

YubiKey is one of the coolest security things I've seen.

Unlike other one-time password generators, you don't have to manually type the password in.  YubiKey plugs into your USB port and behaves like a keyboard.  You press the button on it, and it types in the next generated password.

There's a simple web API for pinging YubiKey inc to verify that the generated code is correct, has never been used before (each one can only be used once, as it contains an ever-incrementing counter), and matches the account it's supposed to match.  Internally, the YubiKey device is generating the pass code using a shared secret AES key that is embedded within it and known to YubiKey inc as well.

Thus, only if you have the physical YubiKey in your possession can you log in.  Even if there's a key-logger installed on your machine, the passcode generated is blocked after being used once.

And if you lose your YubiKey, you just remove that one from the list of Keys that your server accepts.  I have two backup keys that are also accepted by my server but that I never carry with me (one at home, one in a deposit box safe from fire), so even if I lose one key, I won't be locked out.

I found out about it because Fastmail supports it.

I just saw the movie Blackhat today (not a very good movie), and there was a YubiKey used in the movie!  (Though they called it a fingerprint scanner, which it is not.)

Offline

#7 2015-01-27 13:36:50

computermouth
Member
Registered: 2014-12-27
Posts: 134

Re: Hacking Challenges

CooOoOooOool.

I saw that they had it embedded into a Windows login too. But how do you use it with ssh? Server script to authenticate, then open ssh port?

That's a bummer about Blackhat, I'd heard it was less hollywood-hackery than most movies. Also, check this out. It's a movie hacker (distro thingie?) running an absurd UI like you see in the movies, but with Linux under it and a usable terminal.


Try Linux, get free. #!++ (CrunchbangPlusPlus) is a stable distribution based on Debian 8. Keep it fast, keep it pretty.

Offline

#8 2015-01-27 16:11:40

jasonrohrer
Administrator
Registered: 2014-11-20
Posts: 802

Re: Hacking Challenges

The Linux PAM module that supports YubiKey simply expects the Key to be appended to your password.

So, you ssh in, and the interactive password prompt comes up.  Type your password, then press the button on the YubiKey to append the Key.  Smartly, the YubiKey always includes an ENTER key press at the end of the key string, and in you go.

Cool UI there!

Well, thankfully there wasn't stuff like THAT in Blackhat, mostly.  There was lots of real Linux in there, and the only hack that was done in the whole movie was done through a key logger and social engineering.

There was one other bogus thing, where they used the NSA's "Black Widow" top secret software to recover data from a corrupted hard drive.  But they did it by copying the corrupted file from the HD and taking it with them somewhere else (the HD required a contamination suit to handle), and then applying Black Widow to the file without the original HD present.

I'm happy with the realism of the computer hacking in the film.  I just think it wasn't a very good film.  There were times when I was about to fall asleep.  Dialog was classic Hollywood BS.

Offline

#9 2015-01-27 17:48:50

computermouth
Member
Registered: 2014-12-27
Posts: 134

Re: Hacking Challenges

Oh, huh, interesting. I didn't know anything like that existed. Leave it to Unix hardcores to invent something cool 30 years before you hear about it!


Try Linux, get free. #!++ (CrunchbangPlusPlus) is a stable distribution based on Debian 8. Keep it fast, keep it pretty.

Offline

Board footer

Powered by FluxBB