HaXx.Me #3 – Corelan Team documentation

Last week (Oct 17 2010), Lincoln (one of the Corelan Team members) informed the other team members about an ongoing hacking challenge (HaXx.Me #03) organized and hosted by MaXe (@intern0t).

When I saw his message, it was already Sunday night and I knew I had to get up early the next day. Nevertheless I chose to have a bit of fun before going to sleep.

So let the fun begin…

The target

Let’s browse the target


Ok… After a few seconds of looking around and trying to spot any hint in the picture, I decided it was time to see if the source could tell us something useful.

with version information in the chaos domain can reveal your next step. Services, services, services –>

A quick search on Google revealed the following interesting OSVDB entry :

OK, let’s try on our target:

root@bt:~# nslookup -q=txt -class=chaos version.bind
version.bind text = "So you finally figured it out.. You need to use me as a nameserver and then browse to in order to continue your journey."

I followed the advice and got this page:


Whoa, very interesting… A few more attempts, then time for bed. The challenge had to wait until the next day. The next day Fancy joined us and we figured out that we needed to play with the HTTP requests, so we used Burp to intercept them…


After changing the host parameter, we got this :


The link led us to :

The real target


Oops, not that easy :P… We had to bypass the login page. A quick look at the source code gave us another hint:

So, we grabbed the source.tar. With the source code in our hands we tried to bypass the login page. We used Burp Suite again to intercept our request and see how the data was being transmitted…

Hey wait! What happens if we change the login=false to login=true ? :P



Bingo!!! Successfully logged in!!! :D

Now how could we make it more useful?

Going back to the request, there was another parameter, "data". Changing it a bit showed that it was vulnerable to LFI, and playing with the parameter a little more we discovered that it was vulnerable to RFI too. This means even more fun :D
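The two flaws above (a login flag the client can set, and a "data" value that reaches an include) have a common fix: the server decides both. The sketch below is an added example, not code from the challenge's source; the pages/ directory, the page names and the session key are assumptions.

```php
<?php
// Added illustration, not the challenge's code. PAGE_DIR, PAGES and the
// 'login' session key are hypothetical names chosen for this example.
declare(strict_types=1);

// Pattern the write-up describes, shown only for contrast:
//   if ($_REQUEST['login'] === 'true') { ... }  // client decides auth state
//   include $_REQUEST['data'];                  // client decides what runs
// php.ini: keep allow_url_include = Off (the default) so include cannot
// fetch a URL even if a check is missed somewhere else.

const PAGE_DIR = __DIR__ . '/pages';
// Fixed allow-list: request value => file under PAGE_DIR.
const PAGES = ['home' => 'home.php', 'profile' => 'profile.php'];

/** Auth state lives in the server-side session, never in a request field. */
function is_logged_in(array $session): bool
{
    return ($session['login'] ?? false) === true;
}

/** Map the request's data value to a file, or null if it is not allowed. */
function resolve_page(string $data, string $baseDir = PAGE_DIR): ?string
{
    if (!array_key_exists($data, PAGES)) {
        return null; // rejects ../ paths, absolute paths and URLs alike
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$data]);
    // Defence in depth: the resolved file must exist inside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (!is_logged_in($_SESSION)) {
    http_response_code(403);
    exit('Login required');
}
$data = $_REQUEST['data'] ?? 'home';
$page = is_string($data) ? resolve_page($data) : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The session flag would be set only by the login handler after it has verified the credentials on the server, so editing a request field in a proxy changes nothing.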




Time to get a shell…

Thanks to Nullthreat for providing the PHP reverse shell. We set up a listener, included it in the data parameter and waited to see if the shell would show up.


Forwarding the request….


Woot… we are in :D

The next step was to find the key. Obviously we didn’t have permission to read the file, so after poking around a bit we found a file called localbackdoor in /home/scripts: a listener on port 51, owned by root.



Boom.. root :D

So let’s read the key and complete the challenge…


The message says: I won the HaXx.Me #03 competition and I should be proud!


nullthreat made a nice video about the steps Corelan Team took to complete the challenge : nr 3

or click this link

A documentation video, made by intern0t, can be found here :

Conclusion & Thanks to

Nice wargame, good exercise & congrats to the winners of the challenge !

Thanks to :

  • MaXe for providing the challenge
  • Corelan Team for working together to complete the challenge


© 2010, Corelan Team (rick2600). All rights reserved.
