POSITIVE HACK DAYS



ORGANIZER

Contests


Download the full program in PDF

Levels

Onsite contests

Online contests

$natch
2drunk2hack
2600
Big Shot
Fox Hunting
Best T-Shirt
Wipeout
NetHack
Lockpicking
Leave ATM Alone
Choo Choo Pwn
WAF Bypass
The Labyrinth

Competitive Intelligence
Hash Runner
Best Reverser
PHDays III Online HackQuest
PHDays HackQuest

$natch

The competition allows the participants to check their knowledge and skills in exploiting typical vulnerabilities in online banking system web services. The competition tasks will include actual vulnerabilities of Internet banking applications detected by Positive Technologies specialists while analyzing security of such systems.

Rules

Rules

The contest is held in two stages. At first, the participants are provided with copies of virtual machines containing vulnerable web services of an online banking system (an analogue of an actual Internet banking system). The participants should detect vulnerabilities in the system within a specified period of time. In the second stage the participants are to exploit the vulnerabilities for unauthorized money withdrawal within a limited time.

Participation Terms

Participation Terms

Any attendee is welcome to participate in the competition. The visitors can register at the information desk (in the lobby of the second floor). The number of participants is limited.

Prizes

Prizes

Following the results of the competition, each participant gets a monetary reward equaling to the amount of money stolen from the game Internet bank service.

Technical Details

Technical Details

You will need a laptop to participate in the competition.

Winners

Winners

1st place
Heartless

2st place
Beched

$natch

2drunk2hack

The competition enables the participants to try their skills in hacking a web application which is protected by a Web Application Firewall and demonstrate the ability to think straight in any situation.

Rules

Rules

The goal is to hack a web application protected by a Web Application Firewall (WAF). The web application contains a limited number of vulnerabilities, consecutive exploitation of which allows OS commands execution.
The competition takes 30 minutes. Every 5 minutes the competitors on whose actions WAF reacted more often can drink a 50 g shot of a strong drink and proceed with the competition.
The winner is the first who manages to capture the principal game flag on the stage of executing OS commands on the server. If the principal flag is not captured, the winner is the participant with the largest number of flags captured on other stages of vulnerabilities exploitation.

Participation Terms

Participation Terms

Any attendee who has reached the age of 18 is welcome to participate in the competition. The participants can register at the information desk in the lobby of the second floor. The number of competitors is limited.

Prizes

Prizes

Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes for the competition.

Technical Details

Technical Details

Please bring your own software and hardware that you require for participation. Connection to the game network segment will be provided.

Winners

Winners

1st place
geohot

2st place
ei-grad

3st place
dØznpp

2drunk2hack

Hash Runner

Hash runner challenges the competitors’ knowledge of cryptographic hash algorithms and skills of cracking password hash functions.

Rules

Rules

The competitors will be provided with a list of hash functions generated according to various algorithms (MD5, SHA-1, BlowFish, GOST3411, etc.). Points for each decrypted password are scored according to the algorithm’s level of difficulty. To become a winner, a competitor should gain the most points in a limited period of time, leaving the rivals behind.

Participation Terms

Participation Terms

Any Internet user can participate in the competition. You can register via the website phdays.com (the registration opens one week before the forum begins). The competition will be held as part of PHDays III and will last through the forum days.

Prizes

Prizes

Prizes will be provided by the PHDays organizers — the Positive Technologies company, and by the forum sponsors. The winner will receive a special prize.

Technical Details

Technical Details

Please prepare your own software and hardware for participation in the competition. You will also need Internet connection to participate.

Winners

Winners

1st place
Aleksey Cherepanov
Alexander Cherepanov

2st place
InsidePro_Team
(Admin, .Scorpio., blazer, dda, gscp, h0wler, lindros, LorDHash, mastercracker, Mastermind, mr.2x, POLIMO, proinside, test0815, usasoft, Tyra, User)

3st place
Team Hashcat

Hash Runner

2600

This competition challenges the participants’ knowledge and skills in old school phreaking. The contestants will try to use soviet coin-operated telephone to call a predefined number.

Rules

Rules

The participants will be asked to first call a predefined number from an authentic soviet telephone using tokens as the means of payment and then extract the used token and give it back to the jury. The winner will be selected basing on how fancy the used extraction technique was. The competition results will be announced on the second day of the forum.

Participation Terms

Participation Terms

Any attendee is welcome to participate in the competition. The contest will last through the forum days.

Prizes

Prizes

Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes for the competition.

Technical Details

Technical Details

The competitors must not perform any actions that may damage the competition telephone.

2600

Big Shot

This competition allows participants to test their social engineering skills in practice.

Rules

Rules

A participant is given a photo of a person and a number of statements that characterize this person. The photo is taken in a way that prevents unambiguous identification. The person is one of the attendees of the forum. The participant’s goal is to identify the person and make certain actions according to the task, for example, to get the person's business card or to take a photo of them both from a specified angle. The winner is a participant who will cope with the largest number of tasks for the shortest period of time. The results will be summed up on the second day of the forum.

Participation Terms

Participation Terms

Any attendee can take part in the competition. You can register at the information desk in the lobby of the second floor. The competition will last through the forum days.

Prizes

Prizes

Prizes will be provided by the PHDays organizers — the Positive Technologies company, and by the forum sponsors.

Technical Details

Technical Details

The participation requires such qualities as determination, excellent social skills and charisma. Neuro-linguistic programming skills at level 137 are an advantage :)

Winners

Winners

1st place
Yulia Shestakova

2st place
Guest Fortuity

3st place
Yevgeny Novikov

Big Shot

PHDays III Online HackQuest

The PHDays 2013 program will include Online HackQuest, a competition for the Internet users that offers participants to try their hands at solving various information security tasks.

Rules

Rules

The participants will be provided with access to the site with a list of tasks. The tasks are grouped according to their type and level of difficulty. Once a task is solved, the participant obtains a key (flag) to submit to the jury via a special form. If the flag is valid, the participant will score an appropriate number of points. The participant who scores the maximum points quicker than others becomes the winner.

Participation Terms

Participation Terms

The competition is open for any Internet user. You can register on the PHDays website (hackquest.phdays.com) from the moment the forum starts. The contest will be held for two days, during the forum.

Prizes

Prizes

The winners of the contest (first, second, and third participant) will receive prizes from the PHDays organizers (Positive Technologies) and the sponsors of the forum.

Technical Details

Technical Details

The registration is at its high! Do not miss the chance to demonstrate your skills and have a great time.

Details on competitions and prizes are available on the official Positive Hack Days web site. 

Winners

Winners

1st place
Really NonamesFor

2st place
orionprime

3st place
Letm

WAF Bypass

During the Positive Hack Days a competition for enthusiasts and experts of web application security will take place. The challenge organized by forum's technological partner ICL-KME CS company provides an opportunity to test oneself in exploiting vulnerable web applications protected by a Web Application Firewall.

Rules

Rules

The participants will be offered to attack (or demonstrate the attack possibility) for the purpose of gaining data from a DBMS and file system. There are several vulnerable web applications in the contest. All attacks exploiting any SQL injection vector, inclusive of gaining file system access, OS commanding, brute force and binary search attacks are counted. Attacks exploiting other vulnerabilities (e. g. buffer overflow in the web server or DBMS server) are not counted. The winner is the first who obtains access to all specially crafted data (flags). There are three flags in the competition. If several competitors implement different techniques of exploiting the same vulnerability, the winner is the person whose attack allows obtaining the same DBMS data set using the least number of queries to the server.

Participation Terms

Participation Terms

Any PHDays III is welcome to compete for prizes. The competition will last throughout the forum. To receive the prize, the winner should provide his or her contact information (name, phone number, postal address) or be present at the award ceremony in person.

Prizes

Prizes

The winner will receive a special prize from the forum’s technological partner, ICL. The people who took first five places will receive prizes and souvenirs from the PHDays organizers (Positive Technologies) and the ICL company.

Technical Details

Technical Details

The selection and usage of equipment that may be needed is up to the participants. You will need any mobile device with a Wi-Fi option to partake in the contest.

Winners

Winners

1st place
ONsec_lab

2st place
Georgy Noseevich

3st place
Karim Valiev

4st place
Andrey Lem

Best Reverser

The purpose of the contest is to demonstrate good knowledge in analysis of executable files for Microsoft Windows.
The contestants will be offered to generate a code that will successfully pass validation in a specially prepared program. The program verifies three different codes. It is possible to enter another code after successful validation of the previous one.

Tasks downloaded here. Responses should be sent by mail best2013re best2013re@phdays.com

Rules

Rules

A specially designed program will be offered. You should generate codes for the program so that the program considers them to be valid. You can use any method that meets the law of the Russian Federation.
The participant who is the first to generate three valid codes and to provide the jury with concise description of the process of code generation, will be the winner. The participants who accomplished the task and those who generated two or one code, will take a prize-winning place according to the jury's decision.

Participation Terms

Participation Terms

The competition is open for any Internet user. You can register on the PHDays website, from the moment the forum starts. The contest will be held for two days, during the forum. The winner should provide contact information (name, telephone, e-mail) or be present at the awards ceremony to receive his or her award.

Technical Details

Technical Details

The participants should bring all the necessary equipment with them.

Winners

Winners

1st place
Victor Alyushin

2st place
Mikhail Voronov
Denis Litvinov

3st place
Anton Cherepanov

PHDays HackQuest

ONsec performs security audits (security assessment) of any complexity web applications: websites, content management system, social networks, portals, online banks and others. Narrow specialization on analysis of web applications only, provides ONsec to achieve the highest level quality of work, and performs unique services, such as analysis of tons of source code.
ONsec advantage is modern and highly skilled team, behind which a lot of vulnerabilities in products of famous companies such as Google, Adobe, Yandex, Opera, 1C-Bitrix. Regular research papers that are appreciated by well-known international information security experts.

Rules

Rules

Everybody is welcome to participate in the hacking competition PHDays HackQuest (http://hackquest.phdays.com). A good mood and perfect brain training are guaranteed! We will try to make you sink into the almost forgotten world of DOS and 8-bit music, to evoke nostalgic feelings and fill you with positive emotions facing the international forum PHDays III. Date: May 1-13, 2013 The winners will receive keepsakes and tickets to the international forum on information security PHDays III.

Organizer: @ONsec_Lab (http://onsec.ru)

Prizes

Prizes

1st place: 5 tickets + 5 T-shirts
2nd place: 4 tickets + 4 T-shirts
3rd place: 3 tickets + 3 T-shirts
4th—10th places: 1 ticket + 1 T-shirt

A special prize for a bonus task is 1 ticket and 1 T-shirt.

Stay tuned!

Winners

Winners

1st place  Karim
2st place  JustRelax
3st place  Bo0oM
4st place  Yngwie
5st place  MERRON
6st place  DarkByte
7st place  RDot.Org
8st place  Promix17
9st place  Dor1s
10st place push

PHDays HackQuest

Fox Hunting

Participants can demonstrate their skills in the field of wireless networks security assessment and PCI DSS Wireless Guideline compliance.

Rules

Rules

The task is to detect a 802.11 a/b/g/n wireless access point with a pre-defined ESSID. The access point location will change with time.
The goal is to become the first who detects the exact coordinates of the current wireless access point (a ‘fox’) and informs the organizers about it. The winner is the one with the largest number of caught ‘foxes’.

Participation Terms

Participation Terms

Any attendee is welcome to participate. The competition will last through the forum days.

Prizes

Prizes

Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes for the competition.

Technical Details

Technical Details

Please bring your own software and hardware you require for participation.

Winners

Winners

1st place
Boris Ivano

2st place
Anna Breeva

Fox Hunting

Best T-Shirt

Want to stand out from the crowd and be awarded for it? Good idea! All you need is to put on your favorite geeky t-shirt and register at the information desk in the lobby on the second floor. Maybe you will be the lucky one to receive the prize!

Winners

Winners

Deviant Ollam

Competitive Intelligence

The competition will enable participants of the forum to discover how quickly and accurately they can find useful information on the Internet.

Rules

Rules

The competition web page will contain questions concerning a certain organization, information about which can be found online. The task of the competition participants is to find as many correct answers to the questions as possible in the shortest time. The results will be announced at the end of the second day of the forum.
Results

Participation Terms

Participation Terms

Any Internet user is welcome to take part in the competition. You can register via the website phdays.com (the registration opens one week before the forum begins). The competition will last through the forum days.

Prizes

Prizes

Plase prepare your own hardware and software for participation in the competition. You will also need Internet connection.

Technical Details

Technical Details

Prizes will be provided by the PHDays organizers — the Positive Technologies company, and by the sponsors of the forum.

Winners

Winners

1st place
Sergey Topoltsev

2st place
djecka

3st place
Apple fan

Competitive Intelligence

Wipeout

This year any guest of the forum will have a chance to feel themselves like Dade Murphy from the cult movie Hackers. You will be provided an opportunity to drive a futuristic racing car in the arcade racing game of the Wipeout series.
More details will be available at the information desk (in the lobby of the second floor).

NetHack

The competition challenges the participants’ skills in obtaining control over network infrastructure via exploiting the misconfiguration of network devices.

Rules

Rules

The competitions consists of two rounds — the qualification and final. Those who performed well in the qualifying round will receive some materials to prepare for the final round. In the final the goal is to obtain access to the game network, to get to the unrouted segment which contains a certain automated system, and to obtain direct access to that system.

Participation Terms

Participation Terms

Any attendee of the forum can take part in the competition. You can register by sending a message to nethack@ptsecurity.com (the registration opens one week before the forum begins). The number of participants is limited.

Prizes

Prizes

The winners will be awarded prizes by the PHDays organizers — Positive Technologies, and by the sponsors of the forum.

Technical Details

Technical Details

Please bring the equipment that you are going to use (such as a laptop).

Winners

Winners

1st place
Stanislav Mironov

2st place
Yury Shkodin

3st place
Sergey Stankevich

NetHack

Lockpicking

This Lockpick Village will be presented by Deviant Ollam, Babak Javadi, and Keith Howell, members of TOOOL, The Open Organisation Of Lockpickers. New applicative knowledge, interesting practical problems and many challenges are waiting for the guests of the forum.

Lockpicking

Leave ATM Alone

The competition challenges the participants' skills in exploiting ATM vulnerabilities. The software for the tasks is specially developed for PHDays III and contains the most common vulnerabilities of such systems seen in wild life.

Rules

Rules

The competition consists of two rounds. In the first round the participants will have a chance to find and exploit vulnerabilities in a system deployed on an ATM. Those who achieve the best results in the first round become finalists, and in the second round will face similar challenges but with a stricter time limit.

Participation Terms

Participation Terms

Any attendee of the forum can take part in the competition. You can register in the competition zone. The number of participants is limited.

Prizes

Prizes

The winners will be awarded prizes by the PHDays organizers — Positive Technologies, and by the sponsors of the forum.

Technical Details

Technical Details

Please bring your own ... brains :)

Winners

Winners

1st place
Xakep_l

2st place
villytigen

3st place
Dor1s

Leave ATM Alone

Choo Choo Pwn

The competition challenges the participants' skills in exploiting various vulnerabilities in industrial equipment which provides automation and control of technological processes. The contestants will be offered to choose from access to communication systems of industrial equipment or HMI systems access. The goal is to independently obtain access to a model of a system which controls a railroad and cargo loading by exploiting vulnerable industrial protocols or bypassing authentication of SCADA systems or industrial equipment web interfaces. The Industrial Control System (ISC) of the railroad will include video surveillance, and, as an additional task, the competitors will be offered to disable the surveillance system.

Rules

Rules

The competitions consists of two main rounds and an extra one. In the first round, the goal is to obtain access to the cargo loading system. In the second round, the participants will have an opportunity to gain access to the railroad ICS. During the extra round the competitors will have a chance to disable the surveillance system.
The participants will be given access to the ICS system and its HMI components. During the time defined by the organizers, the participants should whether disable some separate parts of the model, or to gain controlled access.

Participation Terms

Participation Terms

Any attendee of the forum can take part in the competition. You can register in the competition zone. The number of participants is limited.

Prizes

Prizes

The contestants will be awarded some nice prizes which will vary depending on level of access gained.

Technical Details

Technical Details

Please bring your own laptop to participate in the contest.

Winners

Winners

1st place 23.05
Arseny Levshin

1st place 24.05
Mikhail Elizarov

Choo Choo Pwn


Download the full program in PDF

Levels

The Labyrinth

The Labyrinth at Positive Hack Days is a real hacking attraction. During only one hour the participants of the competition are to get over the laser field and motion detectors, open secret doors, clear the room of bugs, combat with artificial intelligence, and render a bomb harmless. To get through the Labyrinth, you will need some skills in dumpster diving, lock picking, application vulnerabilities detection, social engineering, and of course there is no way without mother wit and physical fitness.

How to Get Into the Labyrinth?

To pass the Labyrinth, create a team of three persons and register in the contest zone. You will be offered some vacant time slots. Please note that passing the Labyrinth may take more than an hour, so avoid planning anything else for this time.

Rules

Rules

"The judge is always right." If while you are breaking through the perimeter the judge requires going back to the starting point, you must fulfill this requirement. Even if you don't hear the horrid sound of the security alarm.

"Sobriety is the norm of life." Do not mix up Labyrinth and Too Drunk to Hack — in order not to loose your way, keep your mind clear.

"Breaking? No, making!" Please avoid any destructive actions against the Labyrinth infrastructure. If you think that it is impossible to pass a room without applying a Bolt Cutter™, please consult the judge.

"Time is short." If you manage to pass the room quicker than it was planned according to the schedule (9 minutes are allocated for each room), you may use the rest of time to fulfill additional tasks. Accomplished all tasks? Impossible!

Winners

Winners

1st place
Antichat

2st place
Shkolota

3st place
Extra Team

The Labyrinth