Istrancis

Hax to win a PS3!

23 posts in this topic

I've been checking it quickly.

I didn't find a lot, but still:

IP: 61.202.238.53

telnet 61.202.238.53 80 works, of course. This is for hosting the website. I haven't scanned for other open ports.

Something more interesting: ssh is running on the ps3, and there's an account named ps3.

ssh ps3@61.202.238.53 will connect and then ask for a password, with a max of three tries until next connection. I should write a program to try to bruteforce that account. Who knows. Unfortunately, after my three tries, it looks like ssh will refuse to let me connect at all. So if we want to bruteforce, we'll have to make it by spoofing identity each time, I guess... quite hard.

ssh root@61.202.238.53 won't get you anywhere. (ssh_exchange_identification: Connection closed by remote host)

There is also this weird stuff at the end of the html file, I don't know what it is:

<!-- PPPC -->

<!-- 9280 8736 1010 2874 1099 1546 9890 5436 1287 0009 -->

<!-- 6588 6768 2020 5790 9622 1257 9087 5445 8987 1009 -->

<!-- 1120 0098 3030 2632 8279 6843 4554 3266 3789 2018 -->

<!-- 3DA4 430E 4040 53E0 35C8 5A52 2415 48BD 4911 7424 -->

<!-- DDDH -->
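As an added defender-side example (not from the thread), this is what the lockout described above looks like from the server's own log: sshd records whether the account exists ("invalid user") where the client only ever sees "Permission denied", and the three-tries limit applies per connection, so detection has to aggregate failures by source address across connections. The log lines are constructed, not captured from the challenge host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format; not captured from the challenge host.
SAMPLE_LOG = """\
Dec 12 10:00:01 ps3 sshd[2101]: Failed password for ps3 from 192.0.2.10 port 40001 ssh2
Dec 12 10:00:03 ps3 sshd[2101]: Failed password for ps3 from 192.0.2.10 port 40001 ssh2
Dec 12 10:00:05 ps3 sshd[2101]: Failed password for ps3 from 192.0.2.10 port 40001 ssh2
Dec 12 10:00:05 ps3 sshd[2101]: Disconnecting: Too many authentication failures for ps3
Dec 12 10:00:09 ps3 sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Dec 12 10:00:12 ps3 sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Dec 12 10:02:00 ps3 sshd[2110]: Failed password for ps3 from 198.51.100.7 port 51000 ssh2
Dec 12 10:02:30 ps3 sshd[2111]: Accepted publickey for ps3 from 203.0.113.5 port 60000 ssh2
"""

# The server-side record says "invalid user" for unknown accounts; the client only
# ever sees "Permission denied", so the log, not the prompt, tells you who exists.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text):
    """Return (timestamp, source_ip, user, account_is_invalid) for each failed password."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
            failures.append((ts, m["ip"], m["user"], m["invalid"] is not None))
    return failures

def brute_force_sources(failures, threshold=4, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span."""
    # MaxAuthTries only bounds failures per connection; a client that reconnects after
    # each disconnect gets a fresh budget, so aggregate by source address instead.
    by_ip = defaultdict(list)
    for ts, ip, user, invalid in failures:
        by_ip[ip].append((ts, user, invalid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        times = [e[0] for e in events]
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if in_window >= threshold:
                users = sorted({u for _, u, _ in events})
                flagged[ip] = {"failures": len(events), "users": users,
                               "invalid_users": sorted({u for _, u, inv in events if inv})}
                break
    return flagged
```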


Some new stuff:

If you telnet on port 22, you get the version of ssh this machine runs:

SSH-2.0-OpenSSH_4.3

I just checked on www.openssh.com, and the latest version of the software is 4.5 and was released Nov 7.

Maybe 4.3 has a flaw somewhere...?

EDIT: Found this info (French)

http://www.frsirt.com/bulletins/8008

or just google for "OpenSSH Privilege Separation Monitor Vulnerability"

However, chances are low that we can hack the ps3 this way. The flaw can only be exploited if other vulnerabilities are present. Also, if the ps3 is patched, of course it won't work.

EDIT2:

http://secunia.com/advisories/8974/ seems like a good resource.

http://securitydot.net/xpl/exploits/vulner...72/exploit.html

EDIT3:

Okay, I can confirm now that there is an account named ps3 on this ps3. I tried to ssh to it at school this morning, and here's what I got:

$ ssh ps3@61.202.238.53

The authenticity of host '61.202.238.53' (61.202.238.53)' can't be established.

RSA fingerprint is 9b:9d:b3:fc:5c:7b:87:17:4f:b0:d6:25:04:a6:be:92.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '61.202.238.53' (RSA) to the list of known hosts.

ps3@61.202.238.53's password:

Permission denied, please try again.

ps3@61.202.238.53's password:

Permission denied, please try again.

ps3@61.202.238.53's password:

Permission denied (publickey,gssapi-with-mic,password).

$

Maybe this could be helpful. I don't know much about RSA fingerprint, can it be useful for anything?

Edited by Aghaster
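An added example, not from the thread, answering the fingerprint question from the defender's side: the fingerprint is a hash of the server's public host key, which the client pins in known_hosts on first contact (the "Permanently added" line above) and compares on every later connection, so its job is to detect a host key that has changed, not to get anyone in. The key blobs and the known_hosts entry below are constructed toy values, not the challenge host's key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """Encode an RFC 4251 'mpint'; the extra byte keeps a leading zero when the high bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: the bytes that are base64-encoded in known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as 16 colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text: str) -> dict:
    """Map host name -> (key type, key blob) from plain, unhashed known_hosts lines."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        for host in parts[0].split(","):
            keys[host] = (parts[1], base64.b64decode(parts[2]))
    return keys

def check_host_key(known_hosts_text: str, host: str, presented_blob: bytes) -> str:
    """'unknown' on first contact, 'ok' if the pinned key matches, 'changed' otherwise.

    'changed' is the case the fingerprint prompt exists for: the server presents a
    key other than the one pinned earlier, which is what an interception looks like.
    """
    known = parse_known_hosts(known_hosts_text)
    if host not in known:
        return "unknown"
    return "ok" if known[host][1] == presented_blob else "changed"

# Constructed toy keys: tiny RSA moduli for illustration only, not real host keys.
KEY_A = rsa_public_blob(65537, 0xC0FFEE1234567)
KEY_B = rsa_public_blob(65537, 0xDEADBEEF98765)
KNOWN_HOSTS = "# constructed known_hosts entry\n198.51.100.20 ssh-rsa " + base64.b64encode(KEY_A).decode() + "\n"
```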

I ran a port scan and EVERY port is open :P

Try it for yourself, it's kinda funny to watch it go.


I ran a port scan and EVERY port is open :P

Try it for yourself, it's kinda funny to watch it go.

yeah, you ran nmap, I guess? I ran it yesterday and it listed tons of open ports. But this doesn't mean you can enter that way. Btw, now that I tried to ssh to it, it refused connection like on my computer at home (I'll have to try again back at home)

ssh_exchange_identification: Connection closed by remote host.

Edited by Aghaster

Just because ssh asks you for a password doesn't mean that one exists on the box. It won't tell you whether the account exists or not, it will just tell you that the login is bad. And as said above, Fedora is actually pretty secure, they keep up with security holes and SELinux does a pretty good job also. Not to mention it comes with a nice gui for iptables as well as turning it on by default filtering all ports. Anyways, I think the best bet is through publicfile which I am about to go grab the source for.


Just because ssh asks you for a password doesn't mean that one exists on the box. It won't tell you whether the account exists or not, it will just tell you that the login is bad. And as said above, Fedora is actually pretty secure, they keep up with security holes and SELinux does a pretty good job also. Not to mention it comes with a nice gui for iptables as well as turning it on by default filtering all ports. Anyways, I think the best bet is through publicfile which I am about to go grab the source for.

Good. I know now that this meant nothing. I guess I couldn't get a prompt for root as too many people are probably requesting login, making the software reject additional login attempts.


The stuff you've tried so far is pretty cool, Aghaster, well done! Unfortunately I'm still a newb at this, think you could explain what you did in a little more detail? Also, how did you find the machine's IP? And how did you know that there'd be an account called PS3, or was that just a lucky guess? Any information would be helpful, thanks in advance!

Also, if anyone could offer me a plain English explanation as to what SSH is, as well as Telnet, it'd be much appreciated. Again, thanks in advance!!! ;)

Update: I've been reading through the Diggs for this challenge, they might be useful, especially since the weird code at the bottom of the page is discussed. Check out the discussion here: http://www.digg.com/security/Own_this_Play...983106#c3983106

Edited by Istrancis

I got an online translation of the French page for this challenge:

Ownez this Playstation 3 and win it! Pirate the PS3 on which turns this site, and you will win:

* The PS3 and all its incidental ones of origin (notes: the hard disc was replaced by a hard disc of 160 Go!),

* a cable HDMI,

* Linux (Fedora core 5 PPC + PS3 add-on) preinstalled, evidently,

* the game "Resistance - the fall of Man".

ATTENTION You will have to pirate it "properly" : not any or other BACKS attacks "dirty" that clutter the pipes. It in addition forbade to attack itself to the others machine even under network.

To prove that you pirated the PS3, you will have to replace the picture below: Kaede and his PS3 by the picture JPEG situated currently in the home directory of the user root, under file “ps3_challenge". You will have in addition to announce your victory on This discussion wire of the forum ACBM (on which also can discuss you this competition), and at the same time to identify you by mall with SHIMPINOMORI. (In case of ex-aequo, the winning one will be the one of which mall will have arrived in first). You will have to deposit a file text indicating your names and first name as well as your postal address in the home directory of the user root, under file “ps3_challenge". NO OTHER DETERIORATION OF THE FILES OF THE PS3 IS NOT AUTHORIZED.

Once your confirmed victory, your Playstation 3 will have sent you (without expenses) by International EMS during the month of January 2007.

You have until at the beginning of January 2007. Good luck!

It probably won't help much, but I thought I'd post it here anyway.


http://61.202.238.53/admin (access denied)

http://61.202.238.53/root (file does not exist)

For whatever reason http://61.202.238.53/admin/ (note the ending slash) also displays the normal index.html page, instead of giving an "access denied" page.

Not terribly useful... but hey.

EDIT: I've also noted you can http://61.202.238.53/admin/admin/admin/admin/ and so on forever, for some odd reason?

Edited by Dirk Chestnut

Just so you all know if anyone is still working on this, it is pretty much a futile effort. After some fingerprinting and research I found that the httpd and ftpd are an application called publicfile which anyone who was checking the http header would have seen. This was written by Dan Bernstein who is just crazy. Looking at the source and reading the notes on it, he has rewritten stdio because some of the functions in it allow for buffer overflows. This has been secure since 1999 and has not needed to be updated since. While fc5 ppc is a little behind the x86 version, core 5 is still supported and secure not to mention it is running SELinux most likely. This challenge was not created to be won, it was created for others to check his security. He has taken steps in order to make sure this box is painfully secure and a pain in the ass to anyone who would ever want to own it. While partially using security through obscurity by using publicfile, publicfile is actually really secure.


I got an online translation of the French page for this challenge:

Ownez this Playstation 3 and win it! Pirate the PS3 on which turns this site, and you will win:

* The PS3 and all its incidental ones of origin (notes: the hard disc was replaced by a hard disc of 160 Go!),

* a cable HDMI,

* Linux (Fedora core 5 PPC + PS3 add-on) preinstalled, evidently,

* the game "Resistance - the fall of Man".

ATTENTION You will have to pirate it "properly" : not any or other BACKS attacks "dirty" that clutter the pipes. It in addition forbade to attack itself to the others machine even under network.

To prove that you pirated the PS3, you will have to replace the picture below: Kaede and his PS3 by the picture JPEG situated currently in the home directory of the user root, under file “ps3_challenge". You will have in addition to announce your victory on This discussion wire of the forum ACBM (on which also can discuss you this competition), and at the same time to identify you by mall with SHIMPINOMORI. (In case of ex-aequo, the winning one will be the one of which mall will have arrived in first). You will have to deposit a file text indicating your names and first name as well as your postal address in the home directory of the user root, under file “ps3_challenge". NO OTHER DETERIORATION OF THE FILES OF THE PS3 IS NOT AUTHORIZED.

Once your confirmed victory, your Playstation 3 will have sent you (without expenses) by International EMS during the month of January 2007.

You have until at the beginning of January 2007. Good luck!

It probably won't help much, but I thought I'd post it here anyway.

you know there is an english page... right?


I fingerprinted the box on Tuesday just for the hell of it, and didn't bother going any farther. As many have mentioned, it appears to only be running a very few carefully-selected services.

The only way I know to get into a box like this is through some social engineering, but even that would most likely be futile - after all, there IS a contest going on, and I'd doubt anybody but the guy who built the box would have access to it.

Oh well. Guess this guy won't be losing his PS3 after all... unless someone finds a new kernel vulnerability or something :)


edit: double posted

Edited by nwbell

...[publicfile] was written by Dan Bernstein who is just crazy. Looking at the source and reading the notes on it, he has rewritten stdio because some of the functions in it allow for buffer overflows. ... This challenge was not created to be won, it was created for others to check his security. He has taken steps in order to make sure this box is painfully secure and a pain in the ass to anyone who would ever want to own it.

On the topic of publicfile: I also did some reading into it, though not so in-depth to look at the source, just the documentation on it. It supports HEAD, GET, and... that's pretty much it. Security by way of simplicity, ftw. You can read up on it here: http://cr.yp.to/publicfile/httpd.html . Seriously, that document has got to be shorter than the index for the Apache documentation.

On the topic of why this challenge was created: I read through some other forums of results others have had, and a lot of posters are raising a very valid point: Why is whoever owns this PS3 box bothering to post Google ads? How many hits is that page getting per day now that it's been dug? Who's owning who here, really? :P


I got an online translation of the French page for this challenge:

Ownez this Playstation 3 and win it! Pirate the PS3 on which turns this site, and you will win:

* The PS3 and all its incidental ones of origin (notes: the hard disc was replaced by a hard disc of 160 Go!),

* a cable HDMI,

* Linux (Fedora core 5 PPC + PS3 add-on) preinstalled, evidently,

* the game "Resistance - the fall of Man".

ATTENTION You will have to pirate it "properly" : not any or other BACKS attacks "dirty" that clutter the pipes. It in addition forbade to attack itself to the others machine even under network.

To prove that you pirated the PS3, you will have to replace the picture below: Kaede and his PS3 by the picture JPEG situated currently in the home directory of the user root, under file “ps3_challenge". You will have in addition to announce your victory on This discussion wire of the forum ACBM (on which also can discuss you this competition), and at the same time to identify you by mall with SHIMPINOMORI. (In case of ex-aequo, the winning one will be the one of which mall will have arrived in first). You will have to deposit a file text indicating your names and first name as well as your postal address in the home directory of the user root, under file “ps3_challenge". NO OTHER DETERIORATION OF THE FILES OF THE PS3 IS NOT AUTHORIZED.

Once your confirmed victory, your Playstation 3 will have sent you (without expenses) by International EMS during the month of January 2007.

You have until at the beginning of January 2007. Good luck!

It probably won't help much, but I thought I'd post it here anyway.

you know there is an english page... right?

'Course I know there's an English page! :D I wonder would we bother with this challenge at all if there wasn't?

Who's owning who here, really? :P

In light of what you mentioned about the Google ads, Dirk, that is a really good question!

Update: I just checked the site again, there are no Google ads...

Edited by Istrancis