PHDays IV Competitive Program

4/15/2014

There is little time left before the beginning of PHDays. The CTF finalists have already been determined, and we are developing the conference program (see parts 1 and 2) and preparing PHDays Everywhere activities. Not only exciting talks and hands-on labs but also awesome contests are waiting for the visitors!

A bit of history

Traditionally, at Positive Hack Days the main focus is on practical contests, which allow attendees to demonstrate their skills in hacking and protection.

Last time the PHDays contestants tried to protect the industrial control system of a miniature railroad model, practiced lockpicking, searched for breaches in a specially crafted Internet banking system and “stole” money right from an ATM. The hit of the show was the hacking labyrinth, full of laser motion sensors, imitators of covert listening devices and other cool stuff. Only at PHDays can you experience these and other adventures (such as analyzing network security or reverse engineering). Check out the contests below, prepared this time for white hats from all over the world.

Challenges at the Venue

Please note that you will need a laptop to participate in the majority of the contests.

Critical Infrastructure Attacks (CIA)

The challenge of analyzing security of real ICS systems controlling a railway model (Choo Choo Pwn) was a real specialty of PHDays III. Afterwards, its organizers had a real rock-star experience touring from one security conference to another around the world (see reports on Seoul and Hamburg).

This time the contestants will be provided with access to the ICS network and, during a limited period of time, will try either to disrupt the operation of some components of the toy world or to obtain controlled access to the targets. Check out how it looked last year.

The winners will be awarded prizes by the forum organizers.

$natch

This challenge allows any PHDays attendee to try what it’s like to be a hacker stealing money from bank accounts — without any risk of legal problems at all.

The contestants will test their knowledge and skills in exploiting common vulnerabilities of remote banking web services. The tasks are based on the vulnerabilities that Positive Technologies experts commonly find during real-life remote banking pentests.

The contest is held in two stages. First, the participants will receive copies of virtual machines with vulnerable web services (an analogue of a real remote banking system with common vulnerabilities). The aim is to detect specially planted vulnerabilities during a set period of time. The next step is to exploit the vulnerabilities to withdraw money from a special account.

The winner receives the “stolen” money as a prize!

Survive Hacking

This is one more contest of the Hollywood blockbuster type. The contestants had to go through a labyrinth full of obstacles: pass laser motion sensors, solve puzzles, outwit artificial intelligence and deactivate a bomb. To pass the PHDays III labyrinth quicker than others one had to try really hard!

This year the challenge promises to be even more exciting – bugs and lasers will be complemented with new hi-tech tasks. The winners and successful participants will receive excellent prizes from the forum organizers.

WAF Bypass

The organizers provide an archive with a web application source code, containing multiple vulnerabilities specially planted in it. The vulnerability scanning report by Application Inspector will also be available. The task is to bypass a new system of protection — Positive Technologies Application Firewall, that will be guarding the web application. With the source code provided, the participants will be able to verify the existence of the detected vulnerabilities and try to find other ones.

The winners will receive prizes from the organizers of the forum.

Leave ATM Alone

Last year PHDays contestants were probing ATM physical security; this time it was decided to change the approach. The contest Leave ATM Alone will challenge the skills of exploiting ATM software vulnerabilities.

Access to the physical control level of some modules will be provided. Contestants will try to analyze and leverage it to obtain full control over the device. The winners will be awarded presents.

2600

The aim is to make a call from an old coin telephone using a special phone number. The coin has to be returned to the organizers. The results will be announced on the second day of the forum. The jury will take into account the originality of applied methods. Last year the contest was quite popular with the attendees.

Apart from prizes, the winner will be able to keep unique PHDays coins that can substitute usual telephone tokens.

2drunk2hack

This is already a Positive Hack Days classic. At the end of the second day of the forum, when all the battles are over, the CTF winner is named and everyone wants to relax and have a nice time in an informal setting, this utterly atmospheric contest starts. The contestants should successfully attack a web application protected by a security filter. The application contains a number of vulnerabilities, successive exploitation of which allows, among other things, OS command execution.

The contest time is limited to 30 minutes. After every 5 minutes the contestants whose attacks were registered more often than others’ drink a 50 ml shot of a strong drink and go on hacking. The winner is the first who manages to capture the main flag by executing server-side commands.

2drunk2hack was such fun that during the last year’s competition even geohot himself, after finishing his CTF competition as a member of PPP, couldn’t resist the temptation to join the participants. By the way, he managed to win the contest!

The winners will receive souvenirs and keepsakes from the organizers of the forum.

Online Contests

Those of you who, for some reason, cannot come to Digital October on May 21 and 22 are welcome to join the contest participants online.

Hash Runner

This contest challenges the attendees’ knowledge of cryptographic hashing algorithms and skills in cracking password hashes. The contestants will receive a list of hashes generated by various algorithms (MD5, SHA-1, Blowfish, GOST3411, etc.). To become a winner, a participant should score the highest number of points during a limited time, leaving all rivals behind.

Any Internet user can participate. The registration via phdays.com will open on May 8 and will be available until the beginning of the forum.

The organizers promise excellent prizes for the winners.

PHDays Online HackQuest

The contest is organized by PentestIT. The tasks will be developed by PentestIT, Ares (the developer of Intercepter-NG), Yury Khvil (malware analysis at CSIS: www.csis.dk) and Ivan Novikov (d0znpp, OnSec: onsec.ru/en/).

The attendees of PHDays Everywhere hackspaces can also take part in this contest; they will have a separate team scoring. The game infrastructure, crafted to be as close to a real one as possible, will be represented by a distributed network including several branches of a target enterprise. Each successfully solved task brings a flag. The winner is the person with the highest number of flags.

The winners of the contest will be awarded cool prizes from the PHDays organizers and PentestIT.

Competitive Intelligence

The contest challenges the attendee’s skills in quickly and thoroughly searching and analyzing data on the Internet, in using technical tools and methods of competitive intelligence.

Not long before the start of the forum the organizers will publish some questions concerning an organization, information on which is available on the Internet. The aim is to find as many right answers as possible in minimum time.

Any Internet user is welcome to participate. You can register via phdays.com starting from May 9. (Check out the report [ru] on the last year’s contest.)

Successful participants will receive free invitations to PHDays IV, and the winner will additionally get presents from the organizers.

Tweeting and Blogging Contest

You can become a contest winner at PHDays not only by hacking, but also by demonstrating your writing and reporting skills.

First of all, Twitter users get a wonderful opportunity to win nice prizes and free invitations to Positive Hack Days in 2015. Last year Artyom Ageev won the contest and has a right to get a free invitation to PHDays IV.

To participate, subscribe to our account on Twitter @phdays and during the two days of the forum tweet with the hashtag #PHDays, telling your followers about what’s going on at the venue: commenting on contests, noting interesting talks, hands-on labs, etc. After the forum the organizers will evaluate the “broadcast”, count the number of deserved retweets and announce the winner.

However, if you are not a master of miniatures and prefer traditional blog posts to 140 characters, don’t get upset. Post an exciting story with your feedback on attending PHDays, participating in the contests and labs, then send us the link via Twitter, Facebook or VK. The winner will receive a prize and an invitation to PHDays in 2015.

Don’t forget that we prepared additional exclusive contests for the attendees of PHDays Everywhere hackspaces.

Join the battles of information security specialists from all over the world as part of Positive Hack Days!