
Hack IIS6 Contest - win an Xbox

#1
Beginning May 2nd and running until June 8th, this server (located at http://www.hackiis6.com) will welcome hackers to attack it. If you are the first person to deface the Web site or capture the "hidden" document, you win an X-box! Read the contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site.

For the most part, almost anything reasonable constitutes a successful attack except for a massive network denial of service (DoS) attack against the Internet Information Services (IIS) 6.0 box or its host provider. We want to test the security of Windows Server 2003, IIS, and other Microsoft applications. So, please, respect this rule of the contest so everyone can have a chance at claiming the prize.

This server is running Windows Server 2003, Service Pack 1, with all current publicly released patches and hotfixes installed (we ran Windows Update and MBSA just like you would do). We installed IIS 6.0, and then we followed Microsoft's basic recommendations (http://www.microsoft.com/technet/security/prodtech/IIS.mspx). I added a few tweaks here and there to put my personal mark on the site, but nothing extraordinary.

We want this contest to test Microsoft software, and so the only third-party software we used is the host's router/firewall, which would be normal in most environments.
http://www.hackiis6.com/default.htm

Haha, let's see how this goes. :up:
 

Eagle710

OSNN Senior Addict
#4
lol saudi... looks interesting. Too bad I don't know the slightest thing about hacking; maybe mafia or someone can hook me up with some info on doing so.
 

Kush

High On Life!
#5
haha, not me. I stopped even trying to look down that path, for two reasons: I suck, and there's always someone better than you. And I think that trojans/backdoor programs are pathetic; used it once, thought it was cool, got over it!
 

vern

Dominus
Political User
#6
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
 
#7
vern said:
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
Exactly my thoughts. :)
 

j79zlr

Glaanies script monkey
Political User
#8
Interesting, the site was running Win2k and IIS 5.0 until a couple of days ago, and now it's on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure? BTW, this is run by Microsoft; do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it :p

I portscanned the server; they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years ;)
 
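The check j79zlr describes above (a port scan showing only 80/tcp answering) is easy to reproduce, and worth taking one step further: a TCP connect scan only tells you something accepted the handshake, so you also want to read the HTTP Server header to see whether the listener is really IIS 6.0 or just the host's firewall/proxy in front of it. The following is an added example written for this thread, not code posted by anyone in it or by the contest organizers. It runs entirely offline against a constructed local stand-in that answers with a "Microsoft-IIS/6.0" banner; the hostname, ports and banner are illustrative assumptions, and the helper names are my own.

```python
# Added example (not from the thread): a TCP connect scan plus an HTTP
# Server-header grab, the check j79zlr describes ("only port 80 open") taken
# one step further to confirm what is actually answering on that port.
# Everything below runs against a local stand-in; www.hackiis6.com and the
# "Microsoft-IIS/6.0" banner are only used as illustrative values.
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable, Optional, Tuple


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if the TCP handshake completes (port open); False on refuse/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_server_header(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Send a HEAD request and return the Server header value, or None."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            # Read until the end of the header block (or a sane cap).
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, Optional[str]]:
    """Map each open port to its Server header (None if open but not speaking HTTP)."""
    return {p: http_server_header(host, p, timeout)
            for p in ports if tcp_connect(host, p, timeout)}


def is_iis6(server_header: Optional[str]) -> bool:
    """Banner check for IIS 6.0. A banner is a hint, not proof: it can be rewritten."""
    return server_header is not None and server_header.lower().startswith("microsoft-iis/6.0")


class _FakeIIS6(BaseHTTPRequestHandler):
    """Constructed stand-in that answers the way an IIS 6.0 box would (offline demo only)."""

    def version_string(self) -> str:  # this value lands in the Server header
        return "Microsoft-IIS/6.0"

    def do_HEAD(self) -> None:
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def start_fake_iis6() -> Tuple[ThreadingHTTPServer, int]:
    """Start the stand-in on an ephemeral localhost port; the caller shuts it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeIIS6)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port() -> int:
    """Pick a port nothing is listening on (bind to 0, read it back, release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_fake_iis6()
    try:
        for port, banner in scan("127.0.0.1", [open_port, free_closed_port()]).items():
            print(f"{port}/tcp open  Server: {banner}  iis6={is_iis6(banner)}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target you would pass the hostname and a port list instead of the local stand-in; the closed port in the demo simply shows that `scan` leaves refused ports out of the result. Keep in mind that the Server header is attacker-visible but also operator-controlled, so `is_iis6` is a fingerprinting hint rather than a confirmation.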
#9
j79zlr said:
BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised?
The contest is actually being organized by Windows IT Pro, a magazine that isn't affiliated with Microsoft.
I'll throw a Code Red/Nimda at it :p
Less talk, more action. ;)
 

Perris Calderon

Administrator
Staff member
Political User
#10
/love the idea, but win an x box?

they are going to get millions of dollars worth of R and D... anyone that will be able to crack this site I don't think wants an X-box... though they'll do it for the fame
 

vern

Dominus
Political User
#11
j79zlr said:
Interesting, the site was running Win2k and IIS 5.0 until a couple of days ago, and now it's on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure?
This is irrelevant to the goal of the project.

BTW, this is run by Microsoft; do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it :p
Like Netryder has already said, the organizers are not affiliated with Microsoft. Just as there are *nix magazines, there are Windows magazines.

I portscanned the server; they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years ;)
I'm almost inclined to assume that that is conceding defeat. Must people wait for someone else to publish an exploit before going forward?
 

j79zlr

Glaanies script monkey
Political User
#12
Well, they restrict Microsoft employees from participating, so I would assume that they are affiliated. I am not a hacker/cracker, whatever; all I was saying is that if they had left the remote web administration open, there are some easy break-ins. Or is fundamental English not required with the Microsoft fanboy newsletter?
 

vern

Dominus
Political User
#14
j79zlr said:
all I was saying is that if they had left the remote web administration open, there are some easy break-ins. Or is fundamental English not required with the Microsoft fanboy newsletter?
There is a difference between being a fanboy and giving credence to the operating systems without prior anti-MS fanboy membership. It almost seems like you are saying that ... yes Windows Server is an easy target, but only if they had this or this running ... but not when capable admins reasonably secure it.
 

SPeedY_B

I may actually be insane.
#15
If the o/s is really insecure, then the server will be hacked. Unless someone steps up to put their money where their mouth is, any argument is pretty pointless :D
 

Perris Calderon

Administrator
Staff member
Political User
#16
SPeedY_B said:
If the o/s is really insecure, then the server will be hacked. Unless someone steps up to put their money where their mouth is, any argument is pretty pointless :D
I'm thinking the server would get hacked even if it has greater security than other OSs... everything is relative to the effort invested

the real test is to put all OSs up to the same competition, and then the OS to get hacked with the fewest resources and fewest hours invested in the effort is the loser

even that wouldn't be fair because more people would have already invested more time hacking Microsoft products, and MS would start any competition like that a leg down

still, this would be accurate, since practically it would still be less secure regardless of the reason that might be so
 
#17
perris said:
I'm thinking the server would get hacked even if it has greater security than other OSs... everything is relative to the effort invested

the real test is to put all OSs up to the same competition, and then the OS to get hacked with the fewest resources and fewest hours invested in the effort is the loser

even that wouldn't be fair because more people would have already invested more time hacking Microsoft products, and MS would start any competition like that a leg down

still, this would be accurate, since practically it would still be less secure regardless of the reason that might be so
The problem with this type of competition is not that everyone has put more time into hacking MS products. The problem would be finding equal admins for each OS and being able to set up each with the same exact specs.

Also, in the "real world" it often matters what else is running on the server in addition to a web server, and how the web server is configured (i.e. does it run PHP, ASP, CGI, etc.).
 

j79zlr

Glaanies script monkey
Political User
#18
There is webmin for *nix servers, which is relatively secure, as in you can't really have a server be remotely administrated without any vulnerabilities. The problem with the remote web administration for IIS is that you can use session spoofing to gain administrative rights because of an exploit left in by Microsoft on purpose, in order to allow an administrator to reboot the machine remotely but still continue the remote administrative session without logging back in. It should also be noted that this server is not running anything, just IIS: no ASP, no database, email, FTP or anything, just IIS; also, it is running behind a pretty powerful UNIX firewall, ironically enough, as pointed out on /.

As noted in many other discussions on this, the prize of an XBOX is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 XBOX.
 

Perris Calderon

Administrator
Staff member
Political User
#19
j79zlr said:
As noted in many other discussions on this, the prize of an XBOX is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 XBOX.
the prize should be a position in some security firm, with a generous salary guaranteed for a year and a bonus like half that salary

that's when you'd find the real hackers crackers come out of the woodwork
 
#20
perris said:
the prize should be a position in some security firm, with a generous salary guaranteed for a year and a bonus like half that salary

that's when you'd find the real hackers crackers come out of the woodwork
I think a lot of the ones that actually have skill (i.e. not script kiddies) do it for the thrill/fun of it, not for $/reward.
 
