PHDays V Contest Program Published

5/18/2015

Positive Hack Days V will take place at WTC on May 26-27. Preparations are well underway: the program of reports and hands-on labs is being formed (you can vote for a performance at the site), new spots from a variety of countries joined the PHDays Everywhere initiative, and there's more to come.

Traditionally, the forum organizes many contests. Today we will take a look at the challenges and prizes for the Internet users and PHDays guests.

Challenges at the Venue

Please note that you will need a laptop to participate in most of the contests.

Leave ATM Alone

ATM physical attacks are gradually giving place to software attacks. At this contest, everyone can try his or her hand at detecting ATM vulnerabilities.

Preparing for the Leave ATM Alone contest at PHDays IV

The organizers have prepared an ATM, whose software contains typical vulnerabilities. The participants will have the access to the ATM module interaction interfaces (dispenser, card reader, PIN pad): if you gain control over them, you can try withdrawing money.

Prizes:

  • 1st place — FaceDancer21, a backpack, a 3D ATM and keepsakes from the organizers
  • 2nd and 3rd places — FaceDancer21, 3D ATMs and keepsakes

WAF Bypass

The task of the contestants is to bypass PT Application Firewall, a product by Positive Technologies. This year, vulnerabilities are injected into a dedicated web site.

A successful bypass will be counted only after flag submission. Both the forum participants and Internet users can try their best to win the challenge.

Prizes:

  • 1st place — iPad Air 2 and keepsakes from the organizers
  • 2nd place — Sony Xperia Z3 and keepsakes
  • 3rd place — Burp Suite (annual license) and keepsakes

$natch

This contest is as old as the hills (see write-ups of previous years — #1 and #2). The participants must analyze RBS source code (the system has been created specially for the contest, it contains typical vulnerabilities of e-banking applications), prepare exploits and try to identify other hackers and steal money.

The first one to rob the "bank", its "clients", and other players will be the winner. The money in our e-bank are very real, by the way.

The $natch contest at PHDays III.

The RBS image will be handed out for pilot study the day before the contest, the finals will be held at the venue on the second day.

The players take all the money "stolen" from the system (the prize pool is 40,000 rubles).

Note: The RBS has been specially developed by Positive Technologies for the PHDays forum. Though it is not a real system functioning in a bank, it contains all typical vulnerabilities.

Choo Choo Pwn

It's a contest on security analysis of critical systems. This year, the transport system model built with real industrial controllers and software has been significantly changed.

Transport security automation has been added to the system though making it less realistic. Now we can't send a command leading to a failure, just like in the real world: the traffic security logic won't let that happen. The goal of the challenge is to break the transport security means (which can afterwards lead to crashes).

Prizes:

  • 1st place — JTAGulator, a backpack and keepsakes
  • 2nd and 3rd place — keepsakes

2drunk2hack

2drunk2hack is traditionally held at the end of the contest program and the Positive Hack Days forum. In order to participate, you need to sign a document relieving the organizers of responsibility for anything that can happen with you 30 minutes after. Allowed is everyone of legal drinking age.

The participants will try out their skills in breaking web applications protected by a WAF (Web Application Firewall) and prove they can keep a sober mind whatever the circumstances. Every 5 minutes those participants who attacked WAF more often are offered to have a strong drink and then continue.

The winner of 2 drunk2hack 2013 was the famous hacker Geohot.

The participant who receives the main flag wins the contest. If no one gets it, the winner will be chosen by the number of flags gathered during the other stages of vulnerability exploitation.

Prizes:

  • 1st place: a samovar and keepsakes
  • 2nd and 3rd place — keepsakes

Online Contests

Those of you who, for some reasons, cannot come to Moscow on May 26 and 27, will still have the chance to take part in special online contests.

HackQuiz

There were three teams in 2014 — SESAME (Tunisia), Brizz (Omsk, Russia), and a team of PHDays participants from Moscow, Russia. The guys showed they know what Geohot and Solar Designer look like, can detect encrypted messages, and are aware of the biggest epic hacker fails. The Moscow team got the best score.

The first HackQuiz wasn't flawless, but ultimately the participants had a great time. That's why we are going to repeat the experiment — we invite the PHDays Everywhere spots and forum participants from the Moscow venue to join the quiz at PHDays V.

The winners will get a series of books on information security by Ryan Russel
(1, 2, 3, and 4) and keepsakes from the organizers.

Competitive Intelligence

This contest clearly shows how easy it is nowadays to get confidential information about people and companies. The key skill of a competitive intelligence researcher is the ability to find and analyze nuggets of information scattered throughout public networks. Over the last few years (2012, 2013, and 2014) participants have been demonstrating the ways of stealing the greatest secrets without breaking anything (or almost anything).

Every year the work of a competitive intelligence researcher gets easier, on the one hand, due to information spreading all over the Internet, but harder on the other hand — as it takes more effort for a person to process the data. Thus, the participants will have to use special tools and techniques apart from the search engines. Besides, the contestants will also face some tradition web vulnerabilities of different difficulty level.

Prizes:

  • 1st place — iPad Air and keepsakes from the organizers
  • 2nd and 3rd place — keepsakes

Best Reverser

Many people are quite familiar with this reverse engineering contest. The participants must show their skills in analyzing executable files. The winners will get FaceDancer21 and keepsakes from the organizers.

Join the battles of information security specialists from all over the world as part of Positive Hack Days! See you in Moscow!