Monday, February 18, 2008

BITSian Hackors@IOHC

I'm here getting bored with studies & tests coming. So i thought let's pen down something which some of us never expected we could do.

Yeah we WON INTERNATIONAL ONLINE HACKING COMPETITION.
Telling you more about the event, it's an annual event organized by Programming Club, IITK & is clubbed along with IOPC (the programming version of it) & was sponsored by Yahoo Research & Development.

By we, i meant a team of three students from my campus, i.e. BITS, Pilani Goa Campus, which is an infant, since it has seen only 4 yrs & some of the walls haven't lost their first paint streaks.

Before coming to this competition, two of us, me (Ravemzsdin) & Gaurav (Nick: Fazor), participated in a hacking competition known as Binary Pirates at our college only in our techfest. It was a bit different in the sense that it was inspired by "Flag capturing" competitions which are generally organised at hackrs conferences worldwide & involved much of cracking into systems & services rather den jus playin with codes.
After a nail biting finish dere, (hehe..We fiddled with a few things at d last moment :) but den crackrs ain't supposed to be ethical), we ended up first there.
In the break, while talking to another team we gave a thought to go for IOHC. We played it last year, and unluckily we ended up 4th i.e consolation level.
IOHC07 was something like a normal hunt the vulnerability type where u had to play with sql injections, steganography etc etc...

Since we needed a team of three here, we picked up another member for the squad, a guy junior to us but in ways more trickier den us guys. Rohan Anil was the 3rd member (Nick: DarkSideHack()r).
And Luckily the team cud be called Team GRAS ( Somethin lucky for us).

So we were all set to go for the competition which got delayed by a few hours. But den it started & we were amazed to see the change in d pattern followed dis year.
This time it wasn't the race, who'll reach d bugs fastest, it was more of HACKing den cracking.

Problem statement was that we were given a piece of source of a website (a Banking system), which was using php+sql & for the first round we had to make d site secure in the best way possible & den the cracking of each other's sites will start.

Rohan was pro at PHP, so he started rite away & we hosted a dummy version at our webserver & i started to find vulnerabilities on our system, u can call it penetration testing.
After some hours, when all d basic vulnerabilities were covered, we also added some extra security by fiddlin with our cookies so that if smbdy conducts an XSS attack or cookie theft attack, it wudnt be possible for him to get control of the system.
All 5 hrs, me nd Rohan exchnged many a mail with the organisers & it was fun as they enjoyed replyin to the stuff. Some funny comments were exchanged too :P, since i was mailing, they had to be there.
After some tea+smoke breaks & some hard testing, we finally submitted the secured site.

It was 1:30 AM in the night, the best part i like about IOHC is that it goes on in the night & i think all the budding crackrs get enthused by dark n silence, although i have my headfones on all the time, so silence never a prob.

Then we were waiting for cracking to start and by the time, Gaurav was back too. So we were all set to go & this was the part which we all wud enjoy, becoz it gvs so much happiness when u crack into something (hehe..DOUBLE Meaning). But after waiting for some hours & me wastin a couple of marlboro's, we got to know that some Fckr has tried to fiddle with the hosting servers & the competition would resume at 5 in the eve next day.
We din like it but den we were doing it for fun, So let the fun continue & We slept thinking lets DO THEM TOMMRW.

Let me tell u the rules of the contest. The team whose site will be most secure & would have least vulnerabilities & would be functional as a banking system (U can't fiddle with the logic), that would win & in case of a tie, the team who has cracked into more no. of sites will win.

Next Day (5PM) :
We all again got back to our comps & we were already mailed our passwords for loggin into scoring server.
A mail containing the links to other teams' sites was there too..
But then something happened that destroyed our mood.
The links were not working for us. We tried and tried but no result, as per the organisers it was some problem with our ISP's cache that links were not processed.
We tried everythin we could, but still it didn't work. After some hours, both organisers nd us gave up on accessing the links. The competition was ON & other teams were doing their work. We were here trying to open dem leave apart cracking into dem.

After about 4 hrs, when we had just 2 hrs left into the competition, we got a proxy created by organisers that tunneled us in.
So now we had only two hours to do the job while rest teams were already 4 hrs ahead of us.
But me & Rohan thought, Lets do it for fun, Lets see wat other teams have in store for us.

& Then we started. And IT WAS LOL. A BIG LOL. that we found, there was a basic flaw in each system, i wont tell wat was dat :) But the whole competition was driven by that flaw & organisers din even know about it :)
I mailed them a list of usernames & passwords of teams & hence, it was all kind of over.
There were major flaws in some of the teams. Some of them played with the logic to the extent that sites were not functional.
Though we found some secure sites too, but den we gt into dem too...

But all the way, we helped the organisers in disqualifying teams & removing the major flaw which was there. & We cudnt even cmplete cracking into all systems, bcz time was too less, but i exchnged sm 30 odd mails with the organisers in the meanwhile.
It was fun to do all that..

The competition finally ended at 12:00 AM & we thought we cudnt be winning, as we got pretty less time to crack :( :( becoz of a fckin ISP.

The results were expected to be out the next day at 12 in d morning & we were expectin not even a consolation.

But then i saw the results, & Whoaa !!!! We are there on the top !!!!

I was like.. Ohhh myy godd.. WTF.. i called up gaurav dere only who had no idea wat had happened at the competition becoz of his Yahoo interview & stuff.
& The same rxn was there.. "WTF..LOL"
Then came rohan who gt to knw abt it in the evening and d same reaction.

But all's well that ends well!!! & Yeah it would end well with a prize of 400 USD for sure :)

PS:
I won't be telling where we learned the tricks & tips of the business, becoz its smthin nobdy of us never learned, it came to us through groups, frends, google, chics (Yeah.. dey motivate Crackrs bcz u'll always want to knw dere secrets :P) etc

All in ALL it was pure fun, nothin more !!!!