Suspicious Plugin Response Team Training - Submissions

If you haven’t seen this thread yet please read the top post first!

What do you need to do?

Right now I don’t have time to submit some beginner level examples of my own, so anyone is welcome to submit a plugin. Submissions will take place on this thread; responses, questions and discussion will be on the original thread linked above.

Exploit Rating Scale
The exploit rating is the difficulty involved in finding the exploit or hidden functionality. Here’s what the scale is and some examples:

  • Novice - The exploit is obvious, possibly accidental, it immediately sets “NewbieNewbers” as op when it starts or similar.

  • Intermediate - The exploit shows craft and purpose. Instead of immediate op there might be some indirection and hiding of exploit code; however, it still contains a basic op. Once the hidden functionality is discovered, the function of it is clear.

  • Advanced - The exploit is definitely purposeful. The code all looks legitimate, but the code that synchronizes the op list actually uses that two byte text encoding to show that the second byte should be subtracted from the first byte to get the op name. Sometimes (but intentionally) that changes the name to “NewbieNewber” instead of “TheRealUnixCabal”.

  • Expert - The plugin uses an exploit in Java or Sponge/Sponge API/Granite itself to perform a simple op, or truly terrifying actions to the server running the plugin’s code.

Submission Format:

The fields are meant to be generic, so change Plugin Name to your plugin’s name and Some Exploit Rating to one of the listed ratings.

Plugin Name [Some Exploit Rating] [Solved by username/Unsolved]

Description of plugin (this is your posted description, if the website was BukkitDev or Ore what would you say about the plugin’s functionality?)

Link to jar download (this must be from Dropbox, Google Drive, GitHub (for release link only, no source), a personal website, or renaming the .jar to a .java and uploading it to the forums with your post. This must be noted so people can rename it back.)

.java uploads?

The forum is set up to only allow images and .java files to be uploaded. Unfortunately, .jar files and .class files are more helpful most of the time, since source can easily be shared via GitHub. For those that don’t want to use or have file hosting sites with direct links, simply renaming your .jar to a .java before uploading will bypass this restriction. But when participants download the .java they will have to remember to rename it to a .jar before working through the challenge.

Please only post submissions here, discussion will be flagged for delete/move to the original thread. That keeps this clean for people looking for the next challenge.

Updates:

  • Format now requires a “solved/unsolved” field and a solver to keep track of what’s done and what isn’t. I will also post a response to this thread specifying when each challenge is solved.