The third edition of the new Hackfest took place this past November 4th and 5th.
Hackfest is a security conference held annually in Québec City (Ste-Foy, to be precise). The Subgraph crew has been fortunate enough to have been there for all of the past three events. What makes Hackfest special is the close connection to Université Laval and the well put-together hacking games – specifically the main CTF. This year the CTF was packed – at least one group that wanted to register at the last minute was denied due to a lack of space.
Félicitations to this year’s CTF winner, AmishSecurity (Montrealers, friends, and MTLSEC regulars). They had some good competition.
This year there were many familiar faces, and many more unfamiliar. What was most exciting for us was seeing the beta version of Vega being used by competitors in both hacking competitions. Just walking around the room we saw both the scanner and the proxy in action, for example:
1. During the first challenge, which involved each team maintaining operation of several network services and attacking the services of the opposing team, a player ran a Vega scan and found that one of the webservers permitted HTTP PUTs to /. This was then exploited to fill the partition and knock out the www service.
2. During the CTF, a directory traversal/file include vulnerability detected by a Vega module was confirmed as exploitable using the request replay feature and then used to access one of the flags on the webserver.
At one point, we were asked by a player if we’d put Vega content on a webserver during the first challenge. It wasn’t us, and we still don’t know who this was, but it made our evening – so thanks.
Finally, we had a chance to hand out plenty of Vega stickers. With the beta out, we’re now hard at work on the next version of Vega. I’ll be presenting some of the new features at PHP Quebec on Dec 1. More on this soon.
Many thanks to the organizers. We had fun, and we’ll be back for Hackfest 2012.
Did you participate in the CTF?
Nope, not this year. I think we’ll assemble a team for 2012.
I am facing a problem regarding installation of VEGA:
SESSION 2012-05-29 15:33:55.194 -----------------------------------------------
eclipse.buildId=unknown
java.version=1.7.0
java.vendor=Oracle Corporation
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=en_US
Command-line arguments: -os win32 -ws win32 -arch x86_64
!ENTRY org.eclipse.equinox.ds 4 0 2012-05-29 15:34:02.650
!MESSAGE [SCR] Exception while activating instance com.subgraph.vega.internal.http.proxy.HttpProxyService@4c1ddaa6 of component vega-proxy
!STACK 0
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
—— – - – - –
—- – - – ——
Caused by: java.lang.NoClassDefFoundError: sun/security/x509/X500Signer
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.createCertificateSigner(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.generateCertificate(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.initialize(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.<init>(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.createCertificateCreator(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.<init>(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.createInstance(Unknown Source)
at com.subgraph.vega.internal.http.proxy.HttpProxyService.activate(Unknown Source)
… 79 more
Caused by: java.lang.ClassNotFoundException: sun.security.x509.X500Signer
at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:513)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:429)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:417)
at org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader.loadClass(DefaultClassLoader.java:107)
at java.lang.ClassLoader.loadClass(Unknown Source)
… 87 more
Root exception:
java.lang.NoClassDefFoundError: sun/security/x509/X500Signer
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.createCertificateSigner(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.generateCertificate(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.initialize(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.CertificateCreator.<init>(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.createCertificateCreator(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.<init>(Unknown Source)
at com.subgraph.vega.internal.http.proxy.ssl.SSLContextRepository.createInstance(Unknown
Hi saikat,
This is a known issue, a change in Java 7 breaks Vega. Uninstall Java 7, uninstall Vega, then reinstall Java 6 and then you can use Vega after you install again. We will address this soon.
Thanks!
Now we are already in August. Can you inform when Vega will be compatible with Java 7?
Hi Erik. We are still working on a release. I will send you a link to a build – we have fixed the Java 7 bug.