Clever recruiting

Nixu Ltd is an information security consulting company from Finland. When searching a specialist to work as a penetration tester some weeks ago, they got an idea. The company told about the opening in their blog: a certain webpage contains a password, everyone finding that password is going to be invited to round 2, the interviews.

To company's surprise, there was over 200,000 tries to hack the page, from 66 countries. A total of 19 people succeeded to find the password, 12 of them are now going to be invited to be interviewed (7 declined).

The whole recruiting campaign was only in Finnish because the new penetration tester has to be a native Finnish speaker. However, due to extensive international interest, the company published the solution also in English in their blog.

The solution, for those interested:

The browser starts by fetching a simple JavaScript from r.php without parameters. Typing the script URL in the location bar causes the user’s IP to be banned as the script contains a JavaScript comment that also can be interpreted as an HTML meta redirect. The ban can be removed by visiting the base64 encoded address hidden in the source code of the “403 Forbidden” page. The first script does a few simple loops and calculations to fetch the next script.

Every script except the first one can be fetched only once and this needs to be done within a short timeframe. The scripts are dynamically generated and different every time.

The next script contains xor-encrypted code to get the script of the next phase. This script sends the browser local time in the rand-parameter to the server.

The first two scripts can be bypassed e.g. by using a proxy tool (Burp etc.) in order to directly fetch the last phase script. This script implements an obfuscated stack-based virtual machine processing the byte-code which in turn does the actual validation of the password.

The virtual machine contains an embedded time-check comparing the local time into the timestamp sent to the server during the second phase. In case the local time differs too much from the expected time, the bytecode execution is disrupted. The password is converted into a base-63 number system and the resulting number is compared to a known value.

During the first week the password was aeIrfYh and then it was changed to dEys56_.

Congratulations to all who were able to solve the puzzle!

(Näin Nixun haaste ratkesi - TigerTeam - suomalainen tietoturvablogi)

Kari

I didn't understand anything of the solution... no wonder why so few people was able to get the passwords!