Hack2Win – Code Blue 3rd Edition

Hi everyone,

We are excited to announce our 3rd Hack2Win Code Blue competition!

This year we have changed the format, raised the difficulty level and increased the prizes.

The goal of the event is to find who can gain the highest privileges on any of the target software and hardware.

Prizes for this contest will total $50,000 USD!

In the new format we have:

  • 3 categories, in each category we will have a 2 products from different vendors
  • Each category has different prizes
  • Each category’s highest prize will be given to the first eligible submission
  • A Quadcopter will be given to one participant who will be “the best of the show”

Category 1 – CMS

  • WAN RCE – 10,000$ USD
  • Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Pre-Authenticated XSS / Rest password – 2,500$ USD


(*) Each of those plugins has at least 900K active installations

(**) Each of those plugins has at least 500K active installations

Category 2 – Routers

  • WAN RCE – 10,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Rest password – 2,500$ USD


Category 3 – NAS

  • WAN RCE – 5,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 2,500$ USD
  • Rest password – 1,250$ USD


Judging Criteria

  • New – the attack uses an unknown vulnerability (no record of it can be found on Google, Exploit-DB, etc)
  • Complex – what was required to reach a successful attack
  • Innovative – we regard an RCE as more innovative than SQLi, for example
  • LAN or WAN – more points if the attack comes from the WAN side
  • What is gained – we give no initial access to the challengers, so any type of access is an achievement. Of course, a guest level access would be considered less valuable than root
  • Write-up Quality – how well is the write up (in English): including details, explanations, etc

Device Settings
All the devices will be factory reset – i.e. default settings, and the only non-default setting would be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, like the WiFi password
  • Made the device do something it’s not supposed to do: like execute code, or open a port/service which was previously closed (like SSH, telnet, etc)

What we won’t count as a ‘hacked’

  • Causing a malfunction to the device, DoS / XSS / CSRF, making it unresponsive, making it no longer boot, etc
  • Usage of any known method of hacking – known methods including anything that we can find on Google/Bing/exploit-db/etc – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes

The contest is open to anyone who is at the legal age to receive a contest prize in your country, if you are not allowed to receive prizes – and please make sure to check this before participating – you may want to team up with a person that is eligible.

The contest is not allowed to anyone working for one of the vendors, or is involved in development of the above devices.

SSD Advisory – D-Link 850L Multiple Vulnerabilities (Hack2Win Contest)

Vulnerabilities Summary
The following advisory describe three (3) vulnerabilities found in D-Link 850L router.

The vulnerabilities have been reported as part of Hack2Win competition, for more information about Hack2Win – Hack2Win – https://blogs.securiteam.com/index.php/archives/3310.

The vulnerabilities found in D-Link 850L are:

  • Remote Command Execution via WAN and LAN
  • Remote Unauthenticated Information Disclosure via WAN and LAN
  • Unauthorized Remote Code Execution as root via LAN

The vulnerabilities were found by the following researchers, while participating in Beyond Security’s Hack2Win competition:

  • Remote Command Execution via WAN and LAN: Zdenda
  • Remote Unauthenticated Information Disclosure via WAN and LAN: Peter Geissler
  • Unauthorized Remote Code Execution as root via LAN: Pierre Kim

Vendor response
The vendor has released patches to address this vulnerabilities (Firmware: 1.14B07 BETA).
For more details: http://support.dlink.com/ProductInfo.aspx?m=DIR-850L

Continue reading SSD Advisory – D-Link 850L Multiple Vulnerabilities (Hack2Win Contest)

Hack2Win – The Online Version – Ubiquiti Router

After the great success of the first “Hack2Win – The Online Version” (https://blogs.securiteam.com/index.php/archives/3310 ) we decided to raise the bar.

The rules are very simple – you need to hack the Ubiquiti EdgeRouter X router (ER-X) and you can win up to 10,000$ USD.

To be clear, this program is not endorsed by Ubiquiti Networks, Inc. Ubiquiti hosts its own Security Rewards Program.

To try and help you win – we bought a Ubiquiti EdgeRouter X device and plugged it to the internet IP for you to try to hack it, while the WAN access is the only point of entry for this device, we will be accepting LAN vulnerabilities as well.

Just to make things clear – the competition has began – you can submit your findings from today!

If you successfully hack it – submit your findings to us ssd[]beyondsecurity.com, you will get paid and we will report the information to the vendor.

The competition will end on the 1st of October 2017 or if a total of 20,000$ USD was handed out to eligible findings.

Continue reading Hack2Win – The Online Version – Ubiquiti Router

Hack2Win 2017 D-Link 850L Results

On June 11th 2017 we announced the first online version of our ‘Hack2Win’ hacking competition. We allocated $10,000 USD as pay outs to valid submissions, and 2 months of competition time – by making the product available on the internet – to allow everyone a chance to hack it. The device was made publicly accessible on July 3rd.

We were pleasantly surprised to get the first submission on June 12nd, just one day after we advertised our competition. But unfortunately that submission didn’t work on our hardware revision, and thus was not considered for a prize.

Subsequent submissions were not far behind: on Jun 29th, a LAN – Unauthorized RCE as root, was received.

On June 30th we received another submission – one that allowed remote retrieval of the admin password from both the WAN and LAN interfaces.

On July 3rd we received the submission that ended the competition – an Unauthenticated Remote Code Execution from both the WAN and LAN interfaces.

Once this last submission arrived, we ended the competition having reached the goal of owning the device from both the LAN and WAN sides.

D-Link has been contacted and the full write-up will be published after the vendor releases patches for these vulnerabilities.

What’s interesting is that all 3 researchers that submitted the vulnerabilities found the same similar security issue – but from there, each researcher exploited the vulnerability in a different way. Only one of the researchers successfully exploited the vulnerability and achieved unauthenticated remote code execution from WAN.


  • 1st place goes to Zdenda – 5,000$ USD for the unauthenticated Remote Code Execution from WAN
  • 2nd place goes to Peter Geissler – 2,500$ USD for retrieving admin password from WAN
  • 3rd place goes to Pierre Kim- 2,500$ USD for the unauthorized RCE as root from LAN

Our main takeaway from this competition is how talented researchers out there are. Our research community members are really good at finding vulnerabilities in products, and when there is a clear goal they will reach it. In addition, we decided that we need to challenge them more and more frequently 🙂

Our next target won’t be as easy as a D-Link router – and the prizes will rise accordingly. Stay tuned.