HackCrew - Proposal

Discussion in 'OT Technology' started by Thadius, Oct 10, 2004.

  1. Thadius

    Thadius Too depressed for his own good

    Joined:
    May 4, 2004
    Messages:
    311
    Likes Received:
    0
    Location:
    Perth / Australia
    **edit** - This is not a Hack request, this is a request for anyone who thinks they're up to the task of testing one of my system's vulnerabilities. The machine has no live data and no charges will be pressed against anyone successful.

    I work for a webhosting/domain company

    The deal is that we're in the process of commissioning a new server and due to the nature of the data that will be on the server we want to test the security of it.

    I've said to my boss that I'm confident it's secure enough to go live and willing to stake $500AUD on it..

    What I'm asking is if anyone is up to it and wants to give it a go I'll provide you with an IP address and set of instructions regarding the machine (i.e. what you have to do to prove you got in)

    If you can do this then we will gladly PayPal you the money.. As for proof that I administer the box then I'll provide a webpage on the domain with the instructions as well..

    PM me and I'll provide the details..

    Regards
    James
     
    Last edited: Oct 10, 2004
  2. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
  3. Thadius

    *shrugs* close the post if you want.. But I'm legit....

    the main catch is it has to be an exploit on the system.. not an immature and crappy DDoS attack...

    i.e. have to be able to create a file on the system drive or something like that :)
     
    Last edited: Oct 10, 2004
  4. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    $500 US and a get out of jail free card and i will do a vulnerability assessment next weekend
     
  5. DatacomGuy

    I never questioned the legitity (is that a word?)..

    I was contemplating on taking you up on the offer. ;)
     
  6. Dark-Hawk

    Dark-Hawk New Member

    Joined:
    Nov 28, 2003
    Messages:
    347
    Likes Received:
    0
    Location:
    Connecticut
    I'd be down to doing it so long as you could 100% prove to me that the box is yours.
     
  7. Thadius

    Well give me an example of how you want me to prove it?

    A file hosted on the IP via apache (rather than a host name as to prove it's not just a vhost)

    Like I said. Anyone that's interested PM me and I'll provide the details. The money is payable only upon successful exploit

    Regards
    James
     
  8. col_panic

    now that i reread this, i see you don't just want a vuln assessment, but a full pentest. nevermind :)
     
  9. ins3cure

    ins3cure Old School Noob

    Joined:
    Sep 30, 2003
    Messages:
    155
    Likes Received:
    0
    Are you willing to do some paperwork attesting to the waiver of liability? Also are you familiar with Australian law regarding this matter including any agreement/policy with the U.S.? If everything is cool I'll have a go at it.
     
  10. SL1200MK4

    SL1200MK4 New Member

    Joined:
    Sep 27, 2003
    Messages:
    1,552
    Likes Received:
    0
    Costs a lot to hire a good tiger team, which is something that your boss should do. Probably well over $500AUD though...

    Due to legal concerns, I can't do much for you. But will advise you that the physical security and various other aspects of security should be checked and taken into consideration.

    Assuming that you have a good standalone firewall, and the server is placed in the DMZ (IT BETTER BE!), and you have no other services available (e.g. ssh, ftp, smtp..etc.) then I will look into any scripts that run along with apache...
     
  11. IAMwhitey

    IAMwhitey New Member

    Joined:
    Nov 8, 2001
    Messages:
    1,010
    Likes Received:
    0
    Location:
    Pittsburgh, PA
    intercontinental hacking.... hmmmmm. um yah right

    unless there is a waiver involved
     
  12. Thadius

    Basically I've had a few other people try it. They've gotten nowhere at all. I'm not really looking for an assessment more a test of if it's good enough to keep out most people...

    Available services are
    ftp
    smtp
    dns
    http
    https
    pop3

    Server is redhat 9.0 (not my choice) with a custom 2.4 kernel with grcsec patch along with a combination of snort/iptables/custom perl scripts which generate the rules in real time to block out people when people attempt to gain more access to the machine than they should.

    For the testing purposes hosts.allow will allow all hosts..

    It's basically a reward of $500aud for anyone that can actually gain access to the machine.

    As for the waiver - Ask and you shall receive; we'll fill out any documentation that you want and also forward a copy to a 3rd party of your choosing to safeguard yourself
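
The post above mentions Snort alerts feeding iptables rules that scripts generate in real time. As an added illustration that is not Thadius's or his company's code (theirs was Perl and is not shown in the thread), this Python example turns Snort "fast" alert lines into block rules; the function name `block_rules`, the threshold, the allowlist and the sample alerts are all assumptions constructed here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
10/10-14:22:01.118234  [**] [1:1000001:1] LOCAL web probe [**] [Priority: 2] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
10/10-14:22:03.530112  [**] [1:1000002:1] LOCAL web attack [**] [Priority: 1] {TCP} 203.0.113.7:4313 -> 192.0.2.10:80
10/10-14:22:09.004871  [**] [1:1000003:1] LOCAL ftp login [**] [Priority: 3] {TCP} 198.51.100.9:2201 -> 192.0.2.10:21
10/10-14:22:15.771450  [**] [1:1000001:1] LOCAL web probe [**] [Priority: 2] {TCP} 203.0.113.7:4320 -> 192.0.2.10:80
10/10-14:22:20.100300  [**] [1:1000004:1] LOCAL icmp sweep [**] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
10/10-14:23:40.200019  [**] [1:1000002:1] LOCAL web attack [**] [Priority: 1] {TCP} 192.0.2.50:5120 -> 192.0.2.10:80
10/10-14:23:41.310877  [**] [1:1000002:1] LOCAL web attack [**] [Priority: 1] {TCP} 192.0.2.50:5121 -> 192.0.2.10:80
10/10-14:23:42.415566  [**] [1:1000002:1] LOCAL web attack [**] [Priority: 1] {TCP} 192.0.2.50:5122 -> 192.0.2.10:80
"""

# Priority, protocol, then source address with an optional port (ICMP has none).
ALERT_RE = re.compile(
    r"\[Priority: (\d+)\] \{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")

def block_rules(alert_text, allowlist, threshold=3, max_priority=2):
    """Return iptables commands for sources with >= threshold serious alerts."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group(1)) > max_priority:
            continue  # unparsable line, or low severity (1 is the highest)
        src = ipaddress.ip_address(m.group(2))
        # Never auto-block allowlisted ranges: a blocker that can be triggered
        # against the admin's own address locks the admin out of the server.
        if any(src in net for net in nets):
            continue
        hits[str(src)] += 1
    # Only build the commands; applying them is left to the operator.
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]

if __name__ == "__main__":
    for rule in block_rules(SAMPLE_ALERTS, allowlist=["192.0.2.0/24"]):
        print(rule)
```

With the allowlist removed, the same input would also block 192.0.2.50, which is the failure mode the allowlist check guards against.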
     
