no BS rooting.
there seems to be a lot of misconceptions regarding rooting in our community. furthermore, there also seems to be a great deal of interest on learning rooting, but sadly, we don't currently offer any rooting challenges (no really we don't) and there aren't many articles or tutorials on it on our site (i can recall a good one, but not many). this would be fine, but since there is so much interest about rooting, i think we should tap into it and help people learn this side of hacking.
this is a call to anyone who really knows what rooting is about and has experience with it. please write some articles, post some good posts, perhaps even help -cL and skunkfoot on making new challenges (if youve coding experience or good ideas) .
thanks
masta_hacks wrote: Hmmm, well at the moment I know more about rooting than he does, and I could not come close to creating a challenge that would be anything near helpful. I am sorry I was just simply correcting what you said or at least how I portrayed what you said.
I hate you so much. When and where did you get this ATTITUDE of yours?
@Folk Theory: You cannot simulate "rooting". It's simply impossible, there's just too many variables.
There's always going to be a different network structure, always a different local configuration, different services, different PEOPLE (people are as much targets as software ;D).
lesserlightsofheaven wrote: @Folk Theory: You cannot simulate "rooting". It's simply impossible, there's just too many variables.
There's always going to be a different network structure, always a different local configuration, different services, different PEOPLE (people are as much targets as software ;D).
I don't think that makes it impossible… it just makes it more difficult to make a comprehensive challenge. There are plenty of resources available in modern-day programming to accurately simulate a semi-realistic environment in which multiple solutions can be applied. It's just a question of effort, as is everything around here. Otherwise, we would have more quality articles.
masta_hacks wrote: What attitude??? Oh well what ever I don't think it matters what I say it will still get me flamed.
Have you ever actually stopped to think WHY that is? Instead of trying to fit whatever persona you feel gets the respect, you should try to better yourself and become someone that is respectable. Otherwise, you're just a poser, a loser, and someone that desperately needs to be banned for annoyance. That is motivation, and you better damn well pay attention if you ever want to be someone that can earn that respect.
And what have you ever payed attention to? Look I talk to alot of people from Hellbound Hackers and I have help ALOT of them, if you took the time to talk to me one on one with no one else's opinion I am sure you would have a greater respect for me. I am sorry I am not like everyone else who thinks, the best response is "google" I mean it is in someones sig, I forget who. But nontheless you can have your opinion and quite frankly I do NOT care what you think.
masta_hacks wrote: And what have you ever payed attention to?
The pursuit of knowledge and her pursuers. That is what really matters to the community; if you were a part of it, you might realize that.
Look I talk to alot of people from Hellbound Hackers and I have help ALOT of them, if you took the time to talk to me one on one with no one else's opinion I am sure you would have a greater respect for me.
I'm not so sure, actually. Your presence in the forums is less than constructive and your beneficiary qualities are… yet to be seen.
I am sorry I am not like everyone else who thinks,
We're sorry, too.
the best response is "google" I mean it is in someones sig, I forget who. But nontheless you can have your opinion and quite frankly I do NOT care what you think.
The best response is not always "Google"; however, if a person does not learn to find the majority of answers on their own, then they will never become more than a pet on a challenge site. Expanding beyond this is what really matters and, for those that are afraid to find their own answers, they will never realize this.
I know you don't care what I think… that is why you will remain as you are and, eventually, you will be banned. My opinion does not matter but, eventually, yours will.
I think when people say "google" it is in MOST cases i know that it is in mine that, Basicly the person doesnt really understand the basics of what they need to know in order to solve the problem. I remember some asking me about a SQL injection, They were using a Union command and then in the same url pluging an ORDER BY command at the end. Google!
masta_hacks wrote: Why dont you just go be a Politician, you can already take stuff out of context.
When you base your sole response off of a small portion of mine, then we all know that you're just grasping for straws. When you are able to form a coherent and constructive series of thoughts, then post. Otherwise, don't bother… you're just wasting your time and the time of the people that end up reading your useless prattle.
@ 'masta'_hacks:
seriously if i could convince an admin to ban you i would. Seconded!
masta_hacks wrote
if you took the time to talk to me one on one with no one else's opinion I am sure you would have a greater respect for me. I've talked to you on MSN; that is NOT the case. I have no respect for you because, wherever I've even heard reference of you, let alone communicated, you've been unhelpful, and, in fact, detractive from the community, myself, or anyone else around.
masta_hacks wrote
Just as a side note, Skunkfoot does not have the required skill to create a rooting challenge Quote from Battlefield Earth (1972, or some similar date, L. Ron. Hubbard): "Pointing to the mud on someone else's fins does not improve your own swimming." And since when have YOU of all people had any right to criticize another? Just do what everyone else tells you, and STFU (it's even in mr noob's avatar, omg!)
masta_hacks wrote
I don't think it matters what I say it will still get me flamed. If you can't even listen to zephyr then you're beyond help. It's your own freakin fault! Don't say anything if you don't have anything to say! You're about 1/10 as helpful as end3r! Just leave, why don't you? What good are you doing here?
masta_hacks wrote
I do NOT care what you think If you can't respect the people who've earned the respect, zephyr especially, then, again, why are you here? You just prove your immaturity over and over again by posts like these. And don't turn that back on me, calling all flamers hypocrites. I'll ask cheese to put up a new poll, who thinks 'masta'_hacks is an annoying immature little brat. I bet you we'd have more than just a few hundred people vote, and the poll results would not be surprising!
-•-•-•-•-•-•-•-•-•-•-•-•-•-•-
you're just wasting your time and the time of the people that end up reading your useless prattle.
Ah, but zephyr, I like reading his crap! It adds a bit of excitement to an otherwise boring day. Always nice to have someone to laugh at!
[/sarcasm]
Really, though, he's annoying as hell, and he won't go away. I doubt he's still following this thread, and if he is, he won't listen to you… that's obvious already.
I used to be somewhat like him, but that got fixed fast. He, however, has not changed since he joined. By the way, zephyr, why'd you change your sig? I lol'd every time I saw it, it's just that funny. And did you ever get your 5 dollars from zenrith?
"Wise men speak because they have something to say, fools speak because they have to say something" ;)
And as far as my rooting abilities, you're partially right: I don't really know anything about rooting a server, but that doesn't mean that I can't code a challenge…
btw, cL- and I are in the middle of a netbios rootin simulation challenge, it should be done and tested by this weekend at the latest.. :)
yeah, i agree masta_hacks. Why would anyone not want to be an idiot??? That just eludes me… I'm perfectly fine with a moderate level of maturity, OK social skills, and the ability to enter a forum without getting flamed day in day out. I'm perfectly fine not having hundreds of people hate me because I'm an annoying little immature brat that doesn't know when to keep quiet. I'm perfectly fine being capable of interacting on a high enough level to actually get something done, rather than simply talking to hear myself talk. And now, I'm beginning to sound a bit like Cassius. Enough repetition:
You act like a noob, so shut up and learn some manners. You're already defeated here, so leave with at least part of your dignity intact. If you have nothing else (intelligent or meaningful (to others) ) to say, then please, take your leave. I honestly don't know why you haven't been banned before… Guess there's nothing specifically about your actions in the rules, huh?
"I don't think that makes it impossible… it just makes it more difficult to make a comprehensive challenge. There are plenty of resources available in modern-day programming to accurately simulate a semi-realistic environment in which multiple solutions can be applied. It's just a question of effort, as is everything around here. Otherwise, we would have more quality articles."
Asides from actually having a box to put a vulnerable application on, a simulated "realistic" challenge is definitely impossible. You can give the user some simulated tools, like a basic port scanner, and etc, but that's not really realistic and kills the learning experience.
For example, with the port scanning again. Learning the scan types, finding what types of scans are noisy & stealthy, importance of finding the victim's operating system, that scanning most of the time will really take time, flooding logs with a mass of spoofed ip addresses, and etc. are vital to the learning process.
You can't just create a game like hacker evolution where you "scan" the victim's computer and can immediately find the open ports, how long the password is, and etc. You can't just use some tool and expect to bruteforce a protocol and be able to connect with some client that isn't even capable of connecting to the protocol you're trying to get into. This is why i see the rooting challenges as just fun little apps, nothing that could at all lead to learning.
Although i have rather enjoyed reading this because its rather ammusing. We may as well stop posting here seeing as what needed to be said has been said i think, its not really going anywhere from here anyways. If he continues to post just allow him to talk to himself. Just a suggestion of course do as you all please.
@Thor: There are not even 100 active members on HBH
Skunkfoot wrote: "Wise men speak because they have something to say, fools speak because they have to say something" ;)
And as far as my rooting abilities, you're partially right: I don't really know anything about rooting a server, but that doesn't mean that I can't code a challenge…
btw, cL- and I are in the middle of a netbios rootin simulation challenge, it should be done and tested by this weekend at the latest.. :)
I saw this after i posted. A netbios simulation might be somewhat successful. But you might need to provide support for a linux emulation and a windows emulation.
Also, is it going to be something simple like a netbios null session or are you going to get into actual enumeration of information and based on that be able to attempt a valid connection?
Simulated challenges for easy things like netbios null session are possible, but actual non-basic simulation is damned impossible for reasons I've mentioned above.
nights_shadow wrote: [quote]Skunkfoot wrote: "Wise men speak because they have something to say, fools speak because they have to say something" ;)
And as far as my rooting abilities, you're partially right: I don't really know anything about rooting a server, but that doesn't mean that I can't code a challenge…
btw, cL- and I are in the middle of a netbios rootin simulation challenge, it should be done and tested by this weekend at the latest.. :)
I saw this after i posted. A netbios simulation might be somewhat successful. But you might need to provide support for a linux emulation and a windows emulation.
Also, is it going to be something simple like a netbios null session or are you going to get into actual enumeration of information and based on that be able to attempt a valid connection?
Simulated challenges for easy things like netbios null session are possible, but actual non-basic simulation is damned impossible for reasons I've mentioned above.[/quote]
Well, it's a simple netbios sim atm, and I only made a windows simulation, but all that can be changed if necessary…although that might take a bit longer :P
nights_shadow wrote: Asides from actually having a box to put a vulnerable application on, a simulated "realistic" challenge is definitely impossible. <huge snip>
All of that, of course, is based upon the assumption that a realistic challenge would have to be hard-coded with a single path and a single solution. It would be more effective to code the backbone rather than the method. ;)
<OT> Nope, didn't get the 5 bucks, Thor. FSH got his other two names banned, so I figured it was time to stop changing my sig to match his recent name. :P </OT>
Skunkfoot wrote: I have a spare box that I could set up if that's what you want…
It won't help… this is the ages-old "rooting challenges can't be simulated" argument. Real boxes never get used. The argument dies down until another poor soul complains about the rooting challenges. I feel like I'm stuck watching re-runs.
Zephyr_Pure wrote:
All of that, of course, is based upon the assumption that a realistic challenge would have to be hard-coded with a single path and a single solution. It would be more effective to code the backbone rather than the method. ;)
I don't get what you're trying to say. It's not the exploit that's in question, one or a million different ways to get in doesn't matter.
Having a box with a vulnerable program on it would be awesome. Have some sort of exploitable program with some type of buffer overflow where the shellcode isn't anything that can be damaging to things outside the program. You're obviously going to have the assholes probably shutting down the app, but if people make an attempt to check it out every once and a while to make sure: 1.) the app/box is still up 2.) It hasn't been updated 3.) the port is still open and…whatever else you might think of. This way you can learn how to scan the target for open ports, find the operating system (otherwise you're just running wrong shellcode (unless it's universal)), and etc. It might be called skript kiddy by some, but it's a very great way to learn for beginners.
In my opinion a real box will be 3x as good as a simulated challenge.
And I'm not sure if skipping over the basics is the best idea. Maybe make two challenges, one harder than the other, but going more in depth?
And maybe write an article with it, not like a 'rooting 4 article' but a 'netbios attacks article' because as already mentioned our community is ignorant in the field of rooting.
nights_shadow wrote: I don't get what you're trying to say. It's not the exploit that's in question, one or a million different ways to get in doesn't matter.
Okay, let me rephrase it:
Why hard-code a solution when you can code the framework as it would logically be in real-life? Need to use CLI? Code an interpreter! Sure, it's hard work, and it will never happen on this site; realistically, though, it has to be the best way to simulate rooting. The easy way would be to just set up a box to get rooted, of course.
I'm gonna try and set up DVL on my spare laptop…anyone who wants to practice on it is allowed to. Also, don't mess anything up on it when I get it set up…I mean, it won't really matter, I can just reinstall DVL if you do, but why ruin the practice for everyone else? that's not cool… :P
I'll post updates soon :)
Zephyr_Pure wrote: Okay, let me rephrase it:
Why hard-code a solution when you can code the framework as it would logically be in real-life? Need to use CLI? Code an interpreter! Sure, it's hard work, and it will never happen on this site; realistically, though, it has to be the best way to simulate rooting. The easy way would be to just set up a box to get rooted, of course.
You're essentially making a program that simulates a possibly exploitable environment/simulated OS? The problem is it's still simulated. Many real variables are still killed, like speed and effectiveness of certain things.
You wouldn't have to root the box in order to learn. Exploiting a protocol is a great way to learn.
nights_shadow wrote: You're essentially making a program that simulates a possibly exploitable environment/simulated OS? The problem is it's still simulated. Many real variables are still killed, like speed and effectiveness of certain things.
You wouldn't have to root the box in order to learn. Exploiting a protocol is a great way to learn.
I agree that it could never be as effective as an actual box to root… however, I think that people tend to exaggerate exactly how "impossible" a simulated challenge can be in meeting the requirements of most people on here. While a simulated challenge would be lacking in the realism and variety of the variables, it would serve its purpose: to instruct those that are learning technique. Anything more should be part of a wargame, not a challenge.
At this point, it looks as if we're just pushing for different levels of "challenge" and, somewhere in the middle, we manage to agree on key points. I would love to see some rooting boxes go up but, at the same time, I would also love to see some effective challenges that can help to increase the prowess of some members on this site.
-cL wrote: Ahh, NetBIOS. It is pretty easy (if you know the NetBIOS exploit)
But yeah, it will be better than the "other rooting" challenges. Because this challenge isnt really about changing directories. It is about how you get in, where you change the directories xD
FFS. FFS FUCKING FUCK FUCK
edit: look at the thread title[/end]