PHDays III Contests Program: Hacking ATM and SCADA, Passing the Labyrinth

The participants of Positive Hack Days, which will be held in Moscow on May 23-24, will hear the reports of well-known experts in information security, partake in hands-on labs, support a CTF team — and this is not all there is to it. The forum guests will have the opportunity to try themselves in fascinating competitions. We would like to bring to you attention the list of contests that will take place during Positive Hack Days III at the WTC Moscow.

Contests held at the venue

Please note that it is necessary to bring your laptop with you to take participate in most of the contests.

Choo Choo Pwn
The contestants will be offered to choose access to communication systems of industrial equipment or HMI systems. The goal is to independently obtain access to a model of a control system of a railroad and cargo re-loading by exploiting vulnerable industrial protocols and to bypass SCADA systems authentication or industrial equipment web interfaces. There will be video surveillance, and, as an additional task, the competitors will be offered to affect the surveillance system.

Labyrinth
Labyrinth is the most unusual and large-scale amusement ride in the history of PHDays. Anyone will have the opportunity to try themselves in the art of hacking: to get over the laser field and motion detectors, try skills in security analysis of present-day information systems, remove bugs, combat with artificial intelligence and render a bomb harmless. To get through the Labyrinth, the participants will need some skills in dumpster diving, lock picking, application vulnerabilities detection, social engineering, and of course there is no way without sharpness of mind and physical fitness.

Leave ATM Alone
The competition challenges the participants' skills in exploiting various vulnerabilities in ATMs. The software is developed for PHDays III and does not exist in real life, but it contains most types of vulnerabilities in such systems. The contest consists of two rounds: first, the participants search and exploit vulnerabilities in the ATM system, and then the finalists are to perform similar tasks being constrained by time.

$natch
During the competition, the participants check their skills in exploiting common vulnerabilities in web services of the remote banking system. Real vulnerabilities in the I-bank system applications, which were discovered by the Positive Technologies specialists during security analysis if such systems, will be presented in the contest.

The contest consists of two rounds. Virtual machine copies with vulnerable web services of the remote banking system (a real I-banking system analog) will be provided to the participants. During the time defined by the organizers, the participants should discover vulnerabilities in the system. Then the participants should exploit the vulnerabilities they discovered to withdraw funds.

Wipeout
This year, every guest will have an opportunity to view him- or herself as Dade Murphy from Hackers. Anyone will have the opportunity to compete in controlling a futuristic bolide in arcade racing.

Lockpicking
This Lockpick Village will be presented by Deviant Ollam, Babak Javadi, and Keith Howell, members of TOOOL, The Open Organisation Of Lockpickers. New applicative knowledge, interesting practical problems and many challenges are waiting for the guests of the forum.

Fox Hunting
The participants are offered to detect of wireless access point 802.11 a/b/g/n with a known ESSID identifier. The access point location will change from time to time. The participants should identify exact coordinates of the current location of the wireless access point (a fox) and notify the organizers. The participant who catches more foxes than others do, wins the contest.

2600
The goal is to call a certain number from a coin-box telephone. The coin should be returned to the organizers. The results of the contest will be announced on the second day of the forum. The originality of the method being used to complete the task will be considered. The participants are not allowed to perform any actions that may damage the coin-box telephone.

Big Shot
A participant of the contest will receive a photo of a person (it won't be easy to identify the person pictured) and certain features of the person. The person will be present at the forum and the participants should identify him or her and perform certain actions (for example, to get his or her business card or to get him or her photographed).

2drunk2hack
The participants should perform an attack against a web application equipped with a security filter. The application contains a finite number of vulnerabilities, the exploitation of which allows executing the operating system commands. The contest total time is limited to 30 minutes. Every 5 minutes the participants those participants who attacked WAF more often are offered to have a drink and then continue. The participant who receive the main flag when executing commands on the server, wins the contest.

Best T-Shirt
There is no need to be an expert in information security to partake in the forum contests, rich imagination can fix the problem. The one who wears the coolest hacking T-shirt will get the prize from the forum organizers.
The contests winners and participants will get presents from Positive Technologies, the Positive Hack Days organizers. Anyone will be able to prove himself!

You can register to participate in Positive Hack Days III on the RUNET-ID site.

Online contests

Those who won't be able to be present at the forum in the WTC Moscow can participate in online contests.

Hash Runner
The contest challenges the participants knowledge in hashing algorithms and skills in hacking passwords hash functions. The competitors are given a list of hash functions generated according to various algorithms (MD5, SHA-1, Blowfish, GOST3411, etc.). To win the competition, a participant is to score as many points as possible during a limited period of time, leaving the competitors behind.

The competition is open for any Internet user. Registration will be opened on phdays.ru a week before the forum starts.

Competitive Intelligence
During the contest the participants will find out how good they are at searching information in the Internet.

Questions related to a certain organization will be published on the contest's page. The goal is to find as many right answers to these questions as possible for a short period of time. The results will be announced at the end of the second day of the forum.
The competition is open for any Internet user. You can register on phdays.ru (registration will be opened a week before the forum starts).

PHDays HackQuest

Organizer: @ONsec_Lab (http://onsec.ru)

Everybody is welcome to participate in the hacking competition PHDays HackQuest http://hackquest.phdays.com. A good mood and perfect brain training are guaranteed!

We will try to make you sink into the almost forgotten world of DOS and 8-bit music, to evoke nostalgic feelings and fill you with positive emotions facing the international forum PHDays III.

Date: May 1-13, 2013

The winners will receive keepsakes and tickets to the international forum on information security PHDays III.

Prizes:
1st place: 5 tickets + 5 T-shirts
2nd place: 4 tickets + 4 T-shirts
3rd place: 3 tickets + 3 T-shirts
4th—10th places: 1 ticket + 1 T-shirt

A special prize for a bonus task is 1 ticket and 1 T-shirt.