Panhac 2 Online Competition is (totally) weird [part II]

As its name suggests, Panhac 2 (Hacking) Online Competition makes you think about exploiting web applications or compromising a remote server. For web applications, I prepared some tools (some are papers and manuals) related to SQL injection, XSS and the Metasploit Framework. To penetrate a remote server I just created quick shortcuts to Nmap and the Metasploit Framework and noted some useful arguments (for Nmap). OK, these are the tools I prepared beforehand:

  1. Firefox browser with additional add-ons (plugins) which may help, such as Web Developer Toolbar, User Agent Switcher, Live HTTP Headers, Modify Header, IP2Location Geolocation Lookup, Header Spy, HackBar and FoxyProxy,
  2. Nmap,
  3. Metasploit Framework,
  4. Papers, manuals (js and SQL) and tools (too long to be listed here) related to SQL Injection & XSS,
  5. JTR.

Bad news: none of the above tools were used during the Panhac 2 Online Competition. Only the Google search bar I've used so far to find the answers, lol. So everyone could answer all questions (1-14) easily and quickly with a good connection. Wikipedia is always a good place to look. I was really, really shocked when level 1 was shown. What's the subnet for a given IP?? This is my weakness, dude!! How did they know? Luckily, my answer was right. Then, for level 2 and the next levels I just googled for answers. I don't know what the mission in level 14 and above means. It just shows 'a clue', Basic PHP Security, within an MD5-named PHP file (I thought). Also, the current directory lists other files (I thought they are MD5-named, or files created by the session, CMIIW) which, if you open them (request them from the server), then you post a wrong answer. Fortunately, I requested (I don't know what was inside the data being passed along at that time) a PHP file which was cached in my URL bar (this is the file used by levels 1-14 to post your answer). The reasons (for it being weird) may be: 1) I'm just a **** ^_^. 2) They just set up the right thing, but I took it seriously. 3) They misconfigured it at my lucky time. 4) Someone has successfully compromised the remote server. Or 5) do you have better answers?

[To Be Continued..]

Panhac 2 Online Competition is (totally) weird [part I]

This is the first online competition held in the annual Panhac (and this is the first time I have heard about Panhac); I was a little bit too late registering myself when onay told me about this competition. He said that this online competition resembles the HTS challenges. But what onay said is a big f*ck*ng bullshit. I registered my real identity with the username mankQ (the biggest mistake I've ever made), and I also registered these five fake accounts: k4rn0, set4n, m1tn1ck, m2nk, doktafia ^_^. Three of them were at level 19, which I thought meant they had completed all levels. On 20th Jul 2007, the stats listed in Panhac showed 5 users had completed level 19 and 3 users level 20. On 21 Jul 2007, I (unintentionally) finished level 20 for mankQ, k4rn0, and set4n. Then the stats changed: they displayed 8 users for level 19 and 6 users for level 20. As you might compare with the last stats, I thought it was my accounts populating the last level. So where is the f*ck*ng weirdness, weirdo? OK, I can't tell you ALL right now, as the competition is not over yet. Firstly, how do they count (keep) the duration? It is, maybe, just from the session after authentication. But it is totally weird if someone attempts to complete all levels in 10 days, 23 hours, whereas if you sum the duration for 10 cities (30 minutes for each city), the total is 5 hours. So where the hell does 10 days come from? Just as the rules say, the server goes offline after 30 minutes. So, IMO, this will clear the cookies or destroy the session. FYI, I also cleared my cookies at the end of the competition and when my account was frozen (to minimize server counts). Secondly, from the questions (levels 1-14) I figured out that this is not a hacking competition (as far as I can tell) but a lucky-guess and googling competition. From the five fake accounts I used, I copied some of the questions which I'll show here later (when the competition is over).
Third, a user who has completed all levels (up to 20) is never shown as '20' in the completed-level column, CMIIW. If those users are categorized as 'level 19 completed so far', why is the total different? This is taken from the last stats (only levels 19 and 20):

Level 19: 8 participants

Level 20: 6 participants

[To Be Continued..]

Web-based hacking simulation

For those who are feeling bored and like a challenge (geeks), you can try playing on the following sites:

Back when I was still at nabila & kober, I developed a similar site (using a modified phpfusion, like HBH), an Indonesian version. But I never got around to publishing it (funds & volunteers). On a shared host, I was afraid it would endanger the neighbours in the same house, and the TOS rules are also stricter. And you know yourself what the budget for a dedicated server is. I just found out, recently, that there is already an Indonesian version of a web hacking challenge, namely boleh-hacking. Kewl.