We recently set up a pre-hackbattle, which is supposed to end on 14th Feb 2012. I have given the participants clues and hints on breaking into this infrastructure on my Twitter feed, @chuksjonia; see also the tag #hackbattle.
The clues so far:
1. clue number 1, jenniffer.kimari at gmail dot com
2. clue number 2, Q: do you do backups? A: Yes sir, mysqldump!
3. clue number 3, scholastika.muraguri at gmail dot com
4. clue number 4, best flaw, top 5 2007 OWASP
Clue number five should be published by 14th Feb in the morning. What I have learned is that most of the pentesters in KE rely a lot on tools. PENTEST IS NEVER AUTOMATED.
A lot of participants are rushing into breaking in, which is where they are losing control. I am finding some people scanning the webapps and others bruteforcing, and they lack an understanding of the infrastructure.
I needed everyone who is playing this game to think like a blackhat: this game is covert forensics surveillance. So what happens if an agency asks you to do such a job for them? Do you start scanning, or do you learn the target first?
One thing I would like to make clear: take your time. Keep a movie running on one screen beside you, and don't rush. Take naps while you do this, get ideas, and understand how the admin and the developer created the infrastructure. Learn the OS the server is running, and do as much threat intelligence as you can about the application.
Don't start shooting in a dagger fight. There are around 36 hrs remaining until we get a winner, which I hope we find soon.
Good luck to all playing, and we meet at the finish line.