beVX Conference Challenge – HiTB

During the event of Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the change to win great prizes.

The challenge was divided into two parts, a file – can be downloaded from here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-10 – that you had to download and reverse engineer and server that you had to access to have a running version of this file.

The challenge consisted of a binary that is acting as a ‘server’ which expects incoming connections to it, when an incoming connection occurs and a certain ‘protocol’ is implemented and it will print out ‘All your base’ and exit. The challenge was to write an exploit that will cause the program to print out ‘Belong to us!’.

The intended way of solving this challenge was to preform an overflow and cause the execution path of the code to change, while one of the solutions provided did not follow this path – and was still able to change the output of the program.

We received several submissions, only two were complete and solved the challenge completely, others were close but did not meet our minimum requirements and therefore are not presented here.
ebux25
In this submission, the execution path is not overwritten rather the string displayed is changed such that the program does not crash while it still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.

yohanes
The solution provided by yohanes, was meeting more our expectations to what we were looking, it changes the execution code path.

beVX Conference Challenge – OffensiveCon

During the event of OffensiveCon, we launched a reverse engineering and encryption challenge and gave the attendees the change to win great prizes.

The challenge was divided into two parts, a file – can be downloaded from here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-1 – that you had to download and reverse engineer and server that you had to access to have a running version of this file.

The challenge could not have been resolved without access to the server as the encryption key that you were supposed to extract was only available in the running version on the server.

We had some great solutions sent to us, some of them were posted below – some arrived after the deadline, and some were not eligible as their solution was incomplete, but in the end we had three winners.

First place winner got an all paid, flight and hotel, and entry to our security conference beVX in September, second place prize winner got flight and entry to our security conference and the third place winner got a free entry to our event.
Continue reading beVX Conference Challenge – OffensiveCon

Hack2Win – Code Blue 3rd Edition

Hi everyone,

We are excited to announce our 3rd Hack2Win Code Blue competition!

This year we have changed the format, raised the difficulty level and increased the prizes.

The goal of the event is to find who can gain the highest privileges on any of the target software and hardware.

Prizes for this contest will total $50,000 USD!

In the new format we have:

  • 3 categories, in each category we will have a 2 products from different vendors
  • Each category has different prizes
  • Each category’s highest prize will be given to the first eligible submission
  • A Quadcopter will be given to one participant who will be “the best of the show”

Category 1 – CMS
Prizes:

  • WAN RCE – 10,000$ USD
  • Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Pre-Authenticated XSS / Rest password – 2,500$ USD

Products:

(*) Each of those plugins has at least 900K active installations

(**) Each of those plugins has at least 500K active installations

Category 2 – Routers
Prizes:

  • WAN RCE – 10,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Rest password – 2,500$ USD

Products:

Category 3 – NAS
Prizes:

  • WAN RCE – 5,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 2,500$ USD
  • Rest password – 1,250$ USD

Products:

Judging Criteria

  • New – the attack uses an unknown vulnerability (no record of it can be found on Google, Exploit-DB, etc)
  • Complex – what was required to reach a successful attack
  • Innovative – we regard an RCE as more innovative than SQLi, for example
  • LAN or WAN – more points if the attack comes from the WAN side
  • What is gained – we give no initial access to the challengers, so any type of access is an achievement. Of course, a guest level access would be considered less valuable than root
  • Write-up Quality – how well is the write up (in English): including details, explanations, etc

Device Settings
All the devices will be factory reset – i.e. default settings, and the only non-default setting would be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, like the WiFi password
  • Made the device do something it’s not supposed to do: like execute code, or open a port/service which was previously closed (like SSH, telnet, etc)

What we won’t count as a ‘hacked’

  • Causing a malfunction to the device, DoS / XSS / CSRF, making it unresponsive, making it no longer boot, etc
  • Usage of any known method of hacking – known methods including anything that we can find on Google/Bing/exploit-db/etc – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes

Eligibility
The contest is open to anyone who is at the legal age to receive a contest prize in your country, if you are not allowed to receive prizes – and please make sure to check this before participating – you may want to team up with a person that is eligible.

The contest is not allowed to anyone working for one of the vendors, or is involved in development of the above devices.