
PHDays IV Competition Program


The start of the PHDays IV forum is approaching. The finalists of the CTF competition have already been determined, and the formation of the program (parts 1 and 2) and the preparatory work within the PHDays Everywhere initiative are in full swing. But of course that is not all: besides the most interesting talks and master classes, forum guests can look forward to an exciting competition program.

A bit of history


Traditionally, the central place among the competitions held during PHDays goes to hands-on challenges in which participants can demonstrate their practical skills in hacking and protection.

In past years, Positive Hack Days participants defended a miniature railway management system, broke locks, searched for loopholes in Internet banking protection, stole money directly from an ATM, and made their way through a highly complicated hacker labyrinth stuffed with lasers and motion sensors. You can take part in such exciting adventures only at PHDays! And that is without mentioning more traditional challenges such as security analysis of network infrastructure or reverse engineering.

And here are the challenges the organizers have prepared this time for "white hats" from around the world.

Competitions on the site


Attention! To participate in most competitions, you must bring a laptop.

Critical Infrastructure Attacks (CIA)

The competition on analyzing the security of the real-world ACS systems that run a model railroad (Choo Choo Pwn) became an absolute hit of PHDays III, and its organizers got to feel like real rock stars, taking it on a world tour of information security conferences (see the reports about Seoul and Hamburg).


This year, contestants will have access to a network of automated process control systems and, within a given time, will have to either disrupt the operation of individual parts of the toy world or gain controlled access to the target systems.

Here is a video of how it looked last year.

Winners will receive gifts from the organizers of the forum.

Big Ku$h

Thanks to the “Big Ku$h” competition at PHDays, anyone can step into the shoes of an attacker stealing money from bank accounts, without any risk of running into problems with the law.

The competition is designed to test knowledge and skills in exploiting typical vulnerabilities in the web services of remote banking (RB) systems. The tasks are based on real vulnerabilities in Internet banking applications that Positive Technologies specialists found while analyzing the security of such systems.


The competition takes place in two stages. First, participants will be given copies of virtual machines containing vulnerable RB web services (an analogue of a real Internet banking system with typical vulnerabilities). Within a given time, contestants will need to find vulnerabilities in the system. Then they will have to use the vulnerabilities they found for unauthorized withdrawal of funds.

The winner keeps all the money “taken” from the system!

Survive Hacking

Another competition that brings Hollywood blockbusters to mind is a real “Resident Evil” made up of a variety of obstacles: a laser field, motion sensors, puzzles to solve, battles with artificial intelligence and bomb neutralization. To get through the obstacle course at PHDays III, let alone do it faster than the others, contestants had to try very hard!


This year the competition promises to be no less exciting: new high-tech challenges will be added to the bugs and lasers. Winners and prize-winners will receive excellent gifts from the organizers.

WAF bypass

Participants will be given an archive with the source code of a web application that contains many different vulnerabilities, as well as a report from a vulnerability scan performed with Application Inspector. The challenge is to bypass the new protection system, Positive Technologies Application Firewall, which will protect the application. With the source code in hand, participants will be able to verify the detected vulnerabilities and try to find others.

Winners will receive gifts from the organizers of the forum.

Leave ATM Alone

Last year at PHDays the ATM was physically hacked; this time it was decided to approach it from the other side. The Leave ATM Alone competition will let participants test their skills in exploiting vulnerabilities in ATMs.

Participants will be offered access to the physical level of management of some ATM modules. The task is to study them and seize complete control over the device. Winners will receive gifts.

2600

The task is to make a call from a payphone to a predetermined number. The token must be returned to the organizers. Results will be announced on the second day of the forum. When selecting the winner, the judges will take into account the originality of the methods that allowed participants to complete the task. Last year, the competition enjoyed considerable popularity.


In addition to gifts from the organizers of the competition, the winner will get to keep, as a souvenir, the unique PHDays coins that replace conventional payphone tokens.

Pouring

A Positive Hack Days classic. Toward the close of the second day of the forum, when all the battles have died down, the CTF winner has been determined and everyone wants to continue talking in an informal setting, this extremely atmospheric competition starts. Participants need to carry out a successful attack on a web application protected by a security filter. The application contains a finite number of vulnerabilities, the sequential exploitation of which allows, among other things, the execution of OS commands.

The total duration of the competition is limited to 30 minutes. Every 5 minutes, the participants whose attacks were detected most often by the protection are invited to drink 50 ml of a strong hot drink and continue the fight. The winner is the first to get the main game flag by executing commands on the server.

“Pouring” is so much fun that last year even geohot, who had earlier fought in the CTF as part of the PPP team, could not resist. By the way, he managed to win “Pouring” on his first try.


geohot wins “Pouring”

Souvenirs from the forum organizers await the competition winners.

Online contests


Those who for some reason cannot be in Moscow on May 21 and 22 will be able to join the online contests.

Hash runner

This competition will test participants' knowledge of cryptographic hashing algorithms, as well as their skills in cracking password hashes. The competitors will be offered a list of hashes generated by various algorithms (MD5, SHA-1, Blowfish, GOST3411, etc.). To win, you need to score as many points as possible in a limited time, overtaking all competitors.

Any Internet user will be able to take part in the competition. Registration will open on the website phdays.ru on May 8 and will last until the start of the forum.

Winners of the competition will receive great prizes from the organizers of PHDays.

PHDays Online HackQuest

The organizer is the PentestIT laboratory. In addition to the PentestIT team, Ares (developer of Intercepter-NG), Yuri Khvyl (CSIS virus analyst, www.csis.dk) and Ivan Novikov (d0znpp, OnSec, onsec.ru) will take part in developing the tasks.

Visitors to the PHDays Everywhere sites will be able to take part in the competition, which will be held during the days of the PHDays IV forum; there will be a separate team competition for them. The game infrastructure will be as close to real conditions as possible and will be a distributed network comprising several branches of the attacked company. For each correctly solved task the participant will receive points (flags). The winner will be the one who scores the most points.

Excellent gifts from the organizers of PHDays and the PentestIT laboratory await the prize-winners of the competition.

Competitive intelligence

The competition will let forum participants find out how quickly and efficiently they can search for and analyze information on the Internet and use the tools and techniques of competitive intelligence.

Shortly before the forum, questions will be published about a certain organization, information about which can be found on the Internet. The participant's task is to find as many correct answers to the questions as possible in the shortest possible time.

Any Internet user is allowed to compete. You can register on the site phdays.ru starting from May 8. (Read the report on how the competition went last year.)

All winners of the competition will receive a complimentary ticket to PHDays IV, and the winner will also receive memorable gifts from the organizers.

Competitions for Twitter reporters and bloggers

At PHDays you can become the best not only by demonstrating hacking skills, but also by showing literary or reporting talent.

First of all, active Twitter users will be able to win great prizes and an invitation to Positive Hack Days in 2015. Last year, the winner was Artem Ageev, who was entitled to an invitation to PHDays IV.

To participate in the competition, you need to subscribe to our Twitter account @phdays and, during the two days of the forum, write tweets with the #PHDays hashtag, telling your subscribers about what is happening on the site, commenting on the contests, noting interesting talks, workshops, etc. At the end of the forum, the organizers will assess the overall quality of the broadcast, count the number of well-deserved retweets and name the winner.

Those who are no masters of the short form and prefer traditional blog posts to 140 characters need not despair. Write a fascinating article with your impressions of visiting PHDays and participating in contests and master classes, and then send us the link on Twitter (English or Russian), Facebook or VKontakte. The winner will receive a prize and an invitation to PHDays in 2015.

Pay attention to the posts of last year's winners (1st place, 2nd place, 3rd place). They are all entitled to PHDays IV tickets, so if your post was one of the best but you haven't contacted us yet, it's time to do it: write to phd@ptsecurity.com.

We remind you that this year additional exclusive contests are provided for PHDays Everywhere hackers.

Join the battles of information security specialists from around the world at Positive Hack Days!

Source: https://habr.com/ru/post/218971/

