News
IDS Bypass contest at PHDays: writeup and solutions
Positive Hack Days 2019 included our first-ever IDS Bypass competition. Participants had to study a network segment of five hosts, and then either exploit a service vulnerability or meet a particular criterion (for example, send a certain HTTP response) in order to get a flag. Finding an exploit was easy, but the IDS complicated things as it stood between the participants and the hosts, checking every network packet. When a signature blocked the connection, participants were informed via the dashboard. Here are details on the tasks and the ways to solve them.
PHDays 9 Competitive Intelligence contest: writeup and solutions
For eight years now, the Competitive Intelligence contest at PHDays has provided participants with the opportunity to test their skill at searching for information while learning new OSINT techniques. This year's tasks centered on a fictional information security company specializing in a particular vulnerability. Participants had to dig up information on people related to this company, but do so without hacking, using only their wits and various online resources. They had to complete 19 tasks, each worth a certain number of points depending on complexity:

- Company real name
- IDOR specialist username
- IDOR specialist location
- IDOR specialist work e-mail
- IDOR specialist personal e-mail
- Secret employee mobile phone
- Secret employee username
- Secret employee birthday
- Secret employee university
- Nightly programmer private username
- What the flag?
- Second employee IM username
- IP used in PoC
- Alexander's real lastname
- Peter's primary e-mail
- Peter's secondary e-mail
- Peter's password
- Donation wallet number
- Software which was downloaded from IP 77.71.34.171

In the text that follows, we will describe how to complete each task.

Company real name — 10

To start with, participants were given a description of the company: nfsg64ttmvrxk4tjor4q. Solving this introductory task required performing a Google search. The results provide information about the company's domain:
AI CTF: writeup and solutions
At PHDays 9 we decided to take a look at the grittier side of artificial intelligence and machine learning. Our task-based capture the flag contest, AI CTF, put participants through their paces to test knowledge of AI-related security topics.
The Standoff winners at PHDays qualified to participate in HITB CyberWeek
The world's top 25 CTF teams will battle for $100,000 at the HITB CyberWeek conference in Abu Dhabi from 12 to 17 October 2019. The best attacker teams of the last two PHDays (True0xA3 and Hack.ERS) were invited to participate in the finals in the UAE.

To recap, Hack.ERS (Deloitte) pulled out a victory in the last minutes of the contest. One hour before the end of the cyberbattle, the city defenders decided to try living without its antifraud system. The team Hack.ERS rose to the occasion by cleaning out the bank. Previously hovering around last place, Hack.ERS rose to kick CAICA (last year's champions) out of first place.

"It is exciting that PHDays keeps such high standards abroad, and The Standoff winners may try their hand at competing with the best CTF teams in the world. We are eager to take any opportunity to build up team spirit, better coordinate team efforts, and feel connected to the international IS community," says Ivan Nagornov, Hack.ERS captain.

In 2019, True0xA3 (Informzaschita) remained a leader during the whole two days of the contest using loads of various techniques. The team hacked vulnerable infrastructure objects and kept them under control for two days.

"I still cannot believe that we are going to compete with such teams as PPP and Eat Sleep Pwn Repeat in the UAE. The victory inspired us to take a shot at even bigger challenges.

"The fact that The Standoff winners are going to take part in Hack In The Box, one of the leading IS conferences, and will go to the UAE for free, is simply exciting," says Vitaly Malkin, Head of the security analysis department at Informzaschita, True0xA3 captain. Of course we are happy to be the strongest team in the CIS. But we would like to show what we can do at the global stage and share experience.

"Hack in The Box has been held since 2002 and is one of the most important information security events in the world. HITB CyberWeek is like world cup finals among hacker teams. The fact that The Standoff winners from 2019 and 2018 were invited to participate in the finals without try-outs is recognition of the PHDays contest high level," says Mikhail Levin, member of the PHDays organizing committee and The Standoff organizer.

"The Standoff is easily one of the most challenging attack and defense contests around. The fact that teams are essentially competing to find real-world vulnerabilities and simulating what attackers are doing in the wild is simply amazing! We are extremely excited to have not only the winners from PHDays 2019 joining our CyberWeek PRO CTF, but also the champions from 2018. Simply put, this competition in October is going to be one of the greatest gatherings of pure CTF talent under one roof," says Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack In The Box.

Read more about CTF in Abu Dhabi at the HITB CyberWeek official website: .
PHDays: to the nines
PHDays 9 has finished, having brought together a record-breaking 8,000 participants. Information security experts, journalists, politicians, and artists, as well as representatives of business and government from all over the world, attended over 100 talks. In contests, attackers hacked a gas pumping facility, an ATM, Tesla cars, and more. The evening wrapped up with a live rock concert. Today we will announce the results of some contests and highlight a few fascinating presentations from Day 2.
PHDays 9 features a secure development section
At Positive Hack Days 9, a section supported by the Positive Development User Group community will be open for two days. Participants can attend 12 presentations on secure development. The first half of each day will contain technical reports, and the second half will contain those on business processes.

May 21

Vladimir Kochetkov and Valery Pushkar (Positive Technologies) will share their experience of developing an efficient static analyzer of JavaScript code, and will demonstrate how the analyzer works, using tough examples.

Sergey Khrenov (PVS-Studio) will talk about SAST, CWE, CVE, SEI CERT, DevSecOps, and will explain programming standards that help to create reliable applications.

Mikhail Shcherbakov (KTH Royal Institute of Technology, Sweden) will make a presentation on deserialization vulnerabilities in .NET. Participants will also learn which .NET serializers are vulnerable, what tools can be used to search for vulnerabilities, and what payloads are known for .NET applications.

Alexander Chernov (Moscow State University) and Ekaterina Troshina (Higher School of Economics) will talk about consistently cultivating secure development from the very start of training. They will formulate goals and objectives of secure development training, using the basic course of low-level coding and operating systems as an example.

The presentation of Sergey Gorokhov (EPAM Systems) will explain how to bring software into compliance with GDPR, and what to do if the client wants "a GDPR-compliant product."

May 22

Pressing security issues of Android applications will be discussed by Dmitry Tereshin and Nikolay Islamov (Tinkoff Bank). They will point out the causes of vulnerabilities in Android apps that are not sufficiently covered by OWASP guidelines.

Alexey Dremin, an independent expert, will make a presentation on establishing a pipeline of continuous application security checks. He will explain when the pipeline must be launched, which integrations with CI/CD are required and how they are to be done, and where to save and process the results.

Vladimir Sadovsky (M.Video) will talk about establishing a secure programming process. He will talk about architectural design, automated tests, identification of business logic errors, and bug bounty.

Alexey Ryzhkov (EPAM Systems) will draw upon EPAM's experience of establishing the process of security impact analysis of every feature.

Sergey Prilutsky (MixBytes) will discuss automatic security audit of smart contracts. He will explain the peculiarities of executable code of smart contracts and analyzers for them, using Ethereum Virtual Machine as an example. He will also discuss vectors of attack on smart contracts and capabilities of their automatic detection.

The presentation by Vitaly Katunin (EPAM Systems) covers security risk assessment. Participants will learn how to make risk assessment transparent for all stakeholders and how to achieve backward compatibility of threats and security requirements.

Anton Basharin (Swordfish Security) will share his experience of automating AppSec processes, collecting metrics, and visualizing and analyzing them.

How to join the section

Tickets are traditionally free for members of the PDUG community, but their number is limited to 100. To get your ticket, apply and wait for confirmation. Please indicate your real name, or the organizing committee will have to reject your application. After your registration is confirmed, you will receive your invite in an email. Registration closes on May 17.

You can watch videos from previous PDUG sections on our YouTube channel: youtube.com/channel/UCpcLVW5yxexISUIRbYBw_9w
Hack Battle at PHDays: Fight to become the fastest hacker
PHDays 9 will again have the Hack Battle contest. This year, it's organized by SPbCTF, an open independent community from St. Petersburg, Russia.

Hack Battle will take the form of a knockout tournament. For two days, adrenaline junkies will fight in groups of three. In the course of 10–15 minutes they need to solve CTF-style tasks. The topics can be web, reverse, forensics & stegano, pwn, coding, and crypto. The winner in a round is the one who completes the task before the others do. A contestant must win five battles to become the Hack Battle winner.

Spectators will be watching the hackers, and SPbCTF experts will be commenting on the action. Spectators may still solve tasks along with the battlers. If one of the contestants misses his or her turn, spectators get the chance to participate in the next round.

We welcome everyone to have some fun and test their skills. To reserve a time slot, register at hackbattle.spbctf.ru before 5 p.m. (Moscow time) on May 17. The number of participants is limited to 108. If there are more potential contestants, on May 18 at 6 p.m. the organizers will hold an elimination round (at spbctf.ru as well). Stay tuned for more news.

The contest has three prize-winning places; winners will receive valuable prizes and invites for the next PHDays. Find more details on the contest web page.
PT Expert Security Center stand
PHDays 9 will include a stand from the PT Expert Security Center, offering an opportunity to talk with experts, try out fun contests, and even apply for a job.

Knowledge is power. This is especially true when it comes to countering cyberthreats. The PT ESC experts invite you to see how well you know incident investigation. They've also prepared Who wants to become a rESearCher? Questions will be tough, pushing participants to the limits of their abilities. Prizes await the victors!

What's more, the stand will host a tournament named Quest for ESCurity: The Handoff, based on the card game Munchkin. Become a superhero, pirate, astronaut, zombie slayer, knight, or fighter of ancient gods! Sign up and charge ahead, surely crushing all enemies along your path. Signup will be on Telegram (@QuestForESCurity_TheHandoffBot) starting May 18. But be ready to rush headlong into battle (first game on May 21 at 11:00 a.m.), make weighty decisions under pressure (spaces limited!), and proudly bear the title of claimant to the PHDays Munchkinship. For rules and details, see the contest page.

During both days, all comers will have the chance to pose questions to the PT ESC experts. In addition, on both days, the thrEat reSearch Camp technical track will be dedicated to incident response, threat intelligence, threat hunting, OSINT, and malware analysis.

Want to try your luck at investigating security incidents? Check out our online forensics contest ESCalation Story on Telegram (@jaxhunt_bot) from April 22 to May 15.
2drunk2hack, Competitive Intelligence, Best Reverser: traditional PHDays contests
Just one month is left until PHDays 9 starts. Arrangement of presentations is in full swing, and preparations for The Standoff and other contests are underway. We have already announced some new contests like Industrial Ninja, IDS Bypass, and ESCalation Story. Of course, this year our traditional hacking contests, like Best Reverser, Competitive Intelligence, and 2drunk2hack, will be held as well.

The Best Reverser online contest for reverse engineers will take place from May 1 through May 14. Amateurs and experts of codebreaking can warm up before PHDays and demonstrate good knowledge in analysis of executable files. There will be a valuable prize and an invitation to the conference at stake. The file for analysis will be published on the contest's web page on the starting day.

The Competitive Intelligence online contest is your chance to test how quickly and precisely you can find information online. It will be held on May 18, from 9:00 a.m. until 11:59 p.m. (UTC+3) on Telegram @phdayscibot. On Telegram, we will post questions about a certain organization. The task is to find as many correct answers as possible in the minimum amount of time. Winners will get valuable prizes and an invitation to PHDays. Contest discussion group: .

At the end of day two, when all the presentations are over and the Standoff battle is won, it's time for the merriest and the most spectacular contest, 2drunk2hack. The participants should perform a successful attack against a web application defended by a WAF. The application contains a finite number of vulnerabilities, sequential exploitation of which allows executing operating system commands, among other things. Every 5 minutes, the participants whose actions have been flagged the most by the WAF will have to drink 50 ml of hard alcohol and keep hacking. Whoever is first to get the main flag during the server command stage wins the contest. The winner will receive mementos from the organizers. Everyone of drinking age is invited to take part.

Details of the contests will be published soon. Stay tuned and get warmed up for the contests!
Two new contests at PHDays: bypassing an IDS and hacking a plant
As we said before, at PHDays 9 participants can test their strength in various applied security workshops. But this is not yet the full extent of the contests. Two new contests—Industrial Ninja and IDS Bypass—were recently added to the list.

Industrial Ninja is an opportunity to try some industrial ninjutsu and work out the Big Bang theory. Throughout the event, any participant can try hacking a gas pumping facility. The contest will have three test beds modeling real-life industrial processes. The scenario is that a highly pressurized (over 100,000 Pa) lethal airborne pesticide (in reality, just air) is pumped into an elastic container (a balloon). Each test bed has a different difficulty level reflecting its degree of security: Novice, Veteran, and Ninja. Participants need to figure out the process, seize control of the facility, and cause an accident. The contest will take place over both days of the forum and all are welcome to take part. Those who can seize control of the process and cause an accident at the plant will get prizes from the organizers. The first prize will be a Proxmark3 RDV2.

Those who are more interested in bypassing protection systems are welcome to join the IDS Bypass contest. Contestants need to hack five vulnerable hosts and get their flags, while remaining unnoticed by the intrusion detection system. All participants, regardless of knowledge level, are welcome. The vulnerabilities will be well-known ones, so participants will only need to focus on bypassing the IDS. You can brush up on your theory at Network Village where security experts from Positive Technologies and the DC7831 and DC2e06 communities will make presentations on various topics, including IDS bypassing. Participants need a laptop with Wi-Fi and an Ethernet adapter. First prize is a WiFi Pineapple TETRA, second prize is a WiFi Pineapple NANO, and third prize is a Shodan account.

Detailed participation terms and the whole PHDays agenda will be published soon on the PHDays website. Stay tuned!