Contests
$natch
The competition allows the participants to check their knowledge and skills in exploiting typical vulnerabilities in online banking system web services. The competition tasks will include actual vulnerabilities of Internet banking applications detected by Positive Technologies specialists while analyzing the security of such systems.
Rules
Banking systems are part of the CityF infrastructure. You may get access to it via VPN or directly at the PHDays playground.
Please find the rules and details of the contest at: www.phdays.com/cityf2016
Participation Terms
Any attendee is welcome to participate in the competition. The visitors can register at the information desk (in the lobby of the second floor). The number of participants is limited.
Technical Details
You will need a laptop to participate in the competition.
2drunk2hack
The competition enables the participants to try their skills in hacking a web application which is protected by a Web Application Firewall and demonstrate the ability to think straight in any situation.
Rules
The goal is to hack a web application protected by a Web Application Firewall (WAF). The web application contains a limited number of vulnerabilities whose consecutive exploitation allows OS command execution.
The competition takes 30 minutes. Every 5 minutes, the competitors whose actions the WAF reacted to more often can drink a 50 g shot of a strong drink and proceed with the competition.
The winner is the first who manages to capture the principal game flag at the stage of executing OS commands on the server. If the principal flag is not captured, the winner is the participant with the largest number of flags captured at other stages of vulnerability exploitation.
Participation Terms
Any attendee who has reached the age of 18 is welcome to participate in the competition. The participants can register at the information desk in the lobby of the second floor. The number of competitors is limited.
Technical Details
Please bring your own software and hardware that you require for participation. Connection to the game network segment will be provided.
Winners
1st place
Tom Van Goethem
2nd place
Vladas Bulavas
3rd place
Andrewaeva
2600
This competition challenges the participants’ knowledge and skills in old school phreaking. The contestants will try to use a Soviet coin-operated telephone to call a predefined number.
Rules
The participants will be asked to first call a predefined number from an authentic Soviet telephone using tokens as the means of payment and then extract the used token and give it back to the jury. The winner will be selected based on how fancy the extraction technique used was. The competition results will be announced on the second day of the forum.
Participation Terms
Any attendee is welcome to participate in the competition. The contest will last through the forum days.
Technical Details
The competitors must not perform any actions that may damage the competition telephone.
CAN4ALL
Would you like to become a part of the Watch Dogs game? Then this contest is for you! Open a car, control it, activate the signaling system! For two days, the conference’s participants will have access to a car that can be hacked using CAN. There will be prizes.
HackQuest
HackQuest challenges the security skills of participants around the world. Hackers have just seven days to solve a dozen tasks: the ideal preparation for the hardcore security activities at PHDays. Once again, the tasks are prepared by ONsec, a company renowned for analyzing and securing web resources. All HackQuest challenges are based on real life case studies that the ONsec auditors have come across during the past year.
Best Reverser
This reverse-engineering competition is an opportunity for participants to show their skill at analyzing executables.
Rules
The contest is open to any Internet user. It takes place one month before the start of the forum, from 11 to 17 April.
Technical Details
To get the file for the analysis please use this link: phdays.ru/upload/contests/PHDays2016.zip
Forward your answers to: best2016re@phdays.com
Critical Infrastructure Attack: Blackout
Participants are challenged to hack the information security of a power supply system. The highly realistic model reflects the technology and functionality seen in power grids around the world. It is divided into separate parts including generation, transmission, distribution, and power supply management. The aim is to disrupt normal operation of a general power supply system, to take control over a regional power dispatching system and the central control room, to turn off the electric power transmission on a hydroelectric facility, and even to flood a small town near the station.
Participation Terms
The contest is held during the forum. Come to the stand at the PHDays venue.
BMS & SmartHouse Attack
Participants have an opportunity to try their hand at attacking various smart technologies designed to automate homes and offices. The set-up is a realistic hybrid of building automation and smart-home systems. Hackers can target a variety of systems including lighting, water meters, elevator, and ventilation with varying levels of security protection features. The challenge is to gain control of individual systems or disconnect them.
Participation Terms
The contest is held during the forum. Come to the stand at the PHDays venue.
Winners
1st place
Petr Ivanov
2nd place
Artur Grigoryev
3rd place
Oleg Kochev
WAF Bypass
In this contest the aim is to bypass Positive Technologies Application Firewall, which protects an application with multiple specially planted vulnerabilities. The contest participants will be provided with the application's source code and a vulnerabilities report generated by Application Inspector, another new product of Positive Technologies. With the source code provided, the participants will be able to verify the existence of the detected vulnerabilities and try to find other ones.
The contest will be held throughout the forum and everyone is welcome to participate. To receive the prize the winner should provide his or her contact information (name, phone number, e-mail) and personally be present at the forum.
Rules
The participants will be asked to carry out an attack (or demonstrate that an attack is possible) for the purpose of gaining data from a DBMS and file system. There are several vulnerable web applications in the contest. All attacks exploiting any SQL injection vector are counted, including gaining file system access, OS commanding, brute force and binary search attacks. Attacks exploiting other vulnerabilities (e.g. buffer overflow in the web server or DBMS server) are not counted. The winner is the first who obtains access to all specially crafted data (flags). There are three flags in the competition. If several competitors implement different techniques of exploiting the same vulnerability, the winner is the person whose attack allows obtaining the same DBMS data set using the least number of queries to the server.
Participation Terms
Any PHDays attendee is welcome to compete for prizes. The competition will last throughout the forum. To receive the prize, the winner should provide his or her contact information (name, phone number, postal address) or be present at the award ceremony in person.
Technical Details
The contestants get an archive with the source code of the web application with multiple vulnerabilities planted in it. A vulnerability scanning report by Application Inspector will also be provided. A WAF bypass is scored when a participant manages to gain one of the flags. Attack vectors will also be taken into account by the jury. The winner is the participant with the highest number of flags obtained.
Winners
1st place
Georgy Noseevich
2nd place
Ivan Novikov
3rd place
Vladas Bulavas
Competitive Intelligence
The competition will enable participants of the forum to discover how quickly and accurately they can find useful information on the Internet.
Rules
Use all possible means to detect CorpF insiders!
Please find the rules and details of the contest at: www.phdays.com/cityf2016
The results will be announced at the end of the second day of the forum.
Technical Details
Please prepare your own hardware and software for participation in the competition. You will also need Internet connection.
Winners
1st place
Rdot
Levels
The Labyrinth
The Labyrinth at Positive Hack Days is a real hacking attraction. In only one hour the participants of the competition are to get over the laser field and motion detectors, open secret doors, clear the room of bugs, combat artificial intelligence, and render a bomb harmless. To get through the Labyrinth, you will need some skills in dumpster diving, lock picking, application vulnerability detection, and social engineering, and of course there is no way through without mother wit and physical fitness.
How to Get Into the Labyrinth?
To pass the Labyrinth, create a team of three persons and register in the contest zone. You will be offered some vacant time slots. Please note that passing the Labyrinth may take more than an hour, so avoid planning anything else for this time.
Rules
"The judge is always right." If while you are breaking through the perimeter the judge requires going back to the starting point, you must fulfill this requirement. Even if you don't hear the horrid sound of the security alarm.
"Sobriety is the norm of life." Do not mix up Labyrinth and Too Drunk to Hack: in order not to lose your way, keep your mind clear.
"Breaking? No, making!" Please avoid any destructive actions against the Labyrinth infrastructure. If you think that it is impossible to pass a room without applying a Bolt Cutter™, please consult the judge.
"Time is short." If you manage to pass the room quicker than it was planned according to the schedule (9 minutes are allocated for each room), you may use the rest of time to fulfill additional tasks. Accomplished all tasks? Impossible!
Winners
1st place
Antichat
2nd place
Shkolota
3rd place
Extra Team