CerberHost Spring Challenge

A very high security Cloud

We do not want to offer a Cloud that is only secure “on paper”, based on the Coué method of autosuggestion and backed by a PowerPoint presentation stating that “it’s secure”.

After a major investment in R&D, we believe that NBS System offers, through CerberHost, the most secure hosting option available today, and we intend to prove it. This contest aims to challenge our systems a bit further; they have already been solidly tested before.

After stopping thousands of attacks launched against Charlie Hebdo’s website, and after a penetration test carried out by the company HSC on a Damn Vulnerable Web Application, CerberHost has still never been breached as of today. However, nothing is impossible, and our team’s greatest wish is to keep improving.

This is where you step in! Security experts, pen-testers, genius or occasional hackers, erudite IT engineers interested in IT security: this contest is open to everybody.

The CerberHost Spring Challenge (CSC)

Contents of the test website

This contest consists in breaking into a training platform that is flawed by design, named “Damn Vulnerable Web Application”. This software is deliberately “full of holes” so as to allow testing of different tools, candidates or intrusion methods, and it contains numerous flaws of different types.

The source code of this test website will be available to the participants, who will be able to audit it locally on their machines. The production code on the tested servers will be exactly the same.

Security configuration of the setup

All the CerberHost security layers will be active, except the IP reputation based firewall.

CerberHost uses an IP reputation system that bans, progressively in severity and in duration, the IPs that violate the security rules. For the contest, the registered IPs will be whitelisted but will still be banned, in a gentler way than the system would normally do. To make it clear: when an IP scans ports, it behaves abnormally towards the hosted platform, and this IP is banned progressively more strongly (especially in terms of duration, but also in terms of IP ranges or types of response: rejection, drop, tarpit, etc.). In the end, this device by itself would slow the experts down in their work, so it is of no interest within this contest.
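The escalation just described, as an added illustration written for this page (not CerberHost’s own code): each violation climbs a ladder of longer bans and harsher responses, and whitelisted contest IPs climb a shorter ladder. The ladder values, the memory window and the whitelist rule are assumptions.

```python
from dataclasses import dataclass, field

# Escalation ladder (assumed values): each further violation within the
# memory window moves one rung up.  Actions follow the order the text
# gives (rejection -> drop -> tarpit); the top rung widens the scope from
# the single host to its /24, as the text's "IP ranges" suggests.
LADDER = [
    ("reject", 60, "host"),
    ("drop", 600, "host"),
    ("tarpit", 3600, "host"),
    ("tarpit", 86400, "/24"),
]
MEMORY = 7 * 86400          # seconds a past violation keeps counting
WHITELIST_MAX_LEVEL = 1     # registered IPs never climb past "drop"
WHITELIST_DIVISOR = 10      # ...and are banned for a tenth of the time


@dataclass
class Decision:
    action: str     # reject / drop / tarpit
    duration: int   # ban length in seconds
    scope: str      # "host" or "/24"
    level: int      # rung reached on the ladder


@dataclass
class ReputationFilter:
    whitelist: set = field(default_factory=set)        # registered contest IPs
    _hits: dict = field(default_factory=dict)          # ip -> violation times
    _banned_until: dict = field(default_factory=dict)  # ip -> ban expiry time

    def record_violation(self, ip: str, now: float) -> Decision:
        """Register one rule violation (e.g. a port scan) and decide the ban."""
        recent = [t for t in self._hits.get(ip, []) if now - t < MEMORY]
        recent.append(now)
        self._hits[ip] = recent
        level = min(len(recent) - 1, len(LADDER) - 1)
        divisor = 1
        if ip in self.whitelist:
            # Contest participants are still banned, just more gently.
            level = min(level, WHITELIST_MAX_LEVEL)
            divisor = WHITELIST_DIVISOR
        action, duration, scope = LADDER[level]
        duration //= divisor
        self._banned_until[ip] = now + duration
        return Decision(action, duration, scope, level)

    def is_banned(self, ip: str, now: float) -> bool:
        return now < self._banned_until.get(ip, 0.0)
```

Violations older than the memory window stop counting, so an IP that stays quiet long enough starts again at the bottom rung.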

The DVWA will be configured in its lowest security mode (all the flaws will be wide open/active).

For the rest, the CerberHost setup used will be absolutely standard, but the methodology will be a bit less “strict” than the one our clients benefit from. During a normal deployment for a CerberHost client, we carry out a quick audit and set up a few additional rules specific to the site, on top of the standard protections. Here, the process will be the same but there will be no additions dedicated to the website: no additional protection or particular devices. On the contrary, we want to open up the challenge and put ourselves in the worst possible situation, with a website full of holes and reduced defences.

Duration of the game

The game will run from March 25th, 2013 to June 21st, 2013.

In case of a participant’s victory or partial victory (see definitions below), the game will stop once proof of the victory has been given and confirmed by the Jury.

Jury

The jury is composed of:

  • Ms Diane Mullenex (associate of the Ichay & Mullenex law firm)
  • Nicolas Ruff (researcher at EADS)
  • Philippe Humeau (CEO of NBS System)

The Jury will confirm the potential victories of the candidates.

Objectives

Victory

A Victory will be awarded to the first participant to:

  • either obtain a command prompt (a “shell”, not root) on one of the intermediary machines: the Firewall or the Reverse Proxy;
  • or create a file in the root account of the machine that hosts the website, named with their ID and containing their contact e-mail and the IP address from which the intrusion on the website was made.

These conditions are independent: meeting one of them is enough to obtain a Victory. A Victory is unique and puts an end to the Game.

Partial Victory

If a vulnerability found on the Website does not qualify as a Victory but allows the participant to:

  • either collect the content of the “SECRET” table, which is stored in the same database, on the same MySQL instance, as the other data of the Website (the copy must be obtained by exploiting one of the SQL injections available on the Website);
  • or execute PHP code (via the file inclusion or file upload vulnerabilities of the website; for example, execution of a PHP file that contains a “phpinfo” call and a “sleep”);
  • or carry out a cross-site scripting attack (i.e. display the cookie in a JavaScript popup), by exploiting one of the cross-site scripting vulnerabilities of the website;
  • or obtain a persistent non-privileged (non-root) “shell” on the machine (via the exploitation of a vulnerability in a third-party daemon or in PHP),

then a Partial Victory will be granted. These five conditions are independent; satisfying one of them is sufficient to obtain a Partial Victory.

Only one Partial Victory will be granted per attack method used to satisfy one of the five conditions. So a Participant who uses the same method as a Partial Victory already assigned (even if it is still being validated by the Jury) cannot claim a Partial Victory.

A Partial Victory does not put an end to the Game. Partial Victories will be published within 72 hours of their validation by the Jury.

Meritorious efforts (or praiseworthy effort)

If a vulnerability found on the Website qualifies neither as a Victory nor as a Partial Victory, but allows the participant to:

  • compromise data or change the Website’s homepage (defacing),
  • write into the /challenge_EM directory at the root of the machine, owned by the user that runs the Apache daemon on the machine,

then, to identify the Meritorious Effort, the participant will need to write their contact e-mail and the IP address from which the intrusion was carried out in a file named with their ID. A Meritorious Effort will then be attributed.

These two conditions are independent. Satisfying one of these is sufficient to obtain the Meritorious Effort.

Only one Meritorious Effort will be granted per attack method used to satisfy one of the two conditions. So a Participant who uses the same method as a Meritorious Effort already assigned (even if it is still being validated by the Jury) cannot claim a Meritorious Effort.

A Meritorious Effort does not put an end to the Game. Meritorious Efforts will be published within 72 hours of their validation by the Jury.

Validity of the Victory, Partial Victory or of the Meritorious Effort

Victories, Partial Victories or Meritorious Efforts are only confirmed for people registered for the contest through the form available below and possessing a valid ID. The compromising attack must be explained and repeatable. However, any source code of the attack may not be distributed.

Rewards

For a Victory, we would grant:

  • A prize of 5 000 €
  • A blog post on our company blog in the form of an exchange between the winner and our experts
  • An authorization to communicate privately about this achievement (e.g. for a curriculum vitae)

The exploited vulnerability may be described without being fully disclosed technically to the public.

For a Partial Victory, we would grant:

  • A prize of 500 €
  • A blog post on our company blog in the form of an exchange between the winner and our experts
  • An authorization to communicate privately about this achievement (e.g. for a curriculum vitae)

The exploited vulnerability would have to be fully explained and disclosed.

For a Meritorious Effort, we would grant:

  • A blog post on our company blog in the form of an exchange between the participant and our experts

The exploited vulnerability would have to be fully explained and disclosed.

Limits & allowed hacking methods

DoS and DDoS (Denial of Service and Distributed Denial of Service) are not welcome in this test. We are testing the resilience of CerberHost to hacking, not the capacity of this part of our network to cope with network floods. (Later on, we will put together a test generating tens of Gb/s of traffic to test this precise point.)

CSRF and application-level brute force do not constitute a Victory or Meritorious Effort either, since we cannot secure third parties in the CSRF case and the DVWA password is given anyway. Physical attempts and social engineering are not authorized either.

Other methods to compromise and attack the site, such as cross-site scripting, SQL injection, overflows, etc., are all allowed and valid. We do not accept physical attempts or social engineering, not to dodge the challenge, but because we don’t want things to spin out of control and our private lives meaningfully affected by this Challenge.

The one and only server allowed to be tested is the one hosting the DVWA, answering to the FQDN challenge.cerberhost.com with its associated IP. ALL OTHER SERVERS / IPs / services are out of scope, except if they contribute to the safety of this DVWA server, meaning its Firewall or Reverse Proxy.

No other tests are allowed on any other zone, service or machine of our network; standard legal action could be taken against offenders.

Participant identification & registration

Participants can be anonymous as long as they provide a valid IP they will attack from. This IP will be registered in our Firewall to make the filtering far lighter than it usually is on a CerberHost environment. A potential winner will have to reveal their name and contact details so that the prize money can be granted. The winner’s name can still remain anonymous to the public if the winner wishes to keep it private.

Every participant must fill in the form below and provide a valid e-mail address so we can establish contact and send the unique participant ID. Those details will stay strictly private and won’t be revealed to anyone. You can find the registration form below:


Contest Full regulation

The full contest regulation can be found here.

Philippe Humeau
Philippe co-founded NBS System in 1999. After a focus on cybersecurity, which he never gave up, he discovered a passion for e-commerce from 2008 on. Pentester, CTO, CCO then CEO, Philippe’s multifaceted profile led him to become OT Group’s Marketing and Strategy Director.