PHDays IV Competition Program

Before the start of the PHDays IV forum, there is very little left. The finalists of the CTF competitions have already been identified , the formation of the program (parts 1 and 2 ) and preparatory work within the framework of the PHDаs Everywhere initiative are in full swing. But of course, this will not be limited to this and, in addition to the most interesting reports and master classes, the forum guests will find an exciting competition program.

A bit of history

Traditionally, among the competitions held during PHDays, the main place is given to applied tests, during which participants can demonstrate their practical skills in hacking and protection.

In past years, at Positive Hack Days, they defended the miniature railway control system , cracked locks , looked for loopholes in the protection of the Internet bank and stole money directly from the ATM, went through a complicated hacker maze stuffed with lasers and motion sensors. You can participate in such exciting adventures only on PHDays! We are not even talking about more traditional tests, such as security analysis of network infrastructure or reverse engineering .

And here are the tests for the "white hats" from around the world the organizers have prepared this time.

Competitions at the site

Attention! To participate in most competitions, you need to bring a laptop with you.

Critical Infrastructure Attacks (CIA)

The competition to analyze the security of real ICS systems, on the basis of which the railway model operates ( Choo Choo Pwn ), became an absolute hit by PHDays III, and its organizers were able to feel like real rock stars by organizing a world tour of information security conferences (see reports about Seoul and Hamburg ).



This year, during the competition, the contestants will have access to the ACS TP network and within a specified time period they will either have to disrupt the performance of certain parts of the toy world or gain controlled access to target systems.

Here's a video of what it looked like last year.

Winners will receive memorable gifts from the organizers of the forum.

Big ku $ h

Thanks to the “Big Ku $ h” competition at PHDays, anyone can go in the shoes of an attacker stealing money from bank accounts - without any risk of running into legal problems.

The contest is designed to test knowledge and skills in the field of exploitation of typical vulnerabilities in web services of remote banking systems (RBS). Competitive assignments are represented by real vulnerabilities of Internet banking applications that were identified by Positive Technologies specialists in the analysis of the security of such systems.



The competition is held in two stages. First, participants will be provided with copies of virtual machines containing vulnerable web services of RBS (an analogue of a real Internet banking system containing typical vulnerabilities). Within a given time, competitors will need to detect vulnerabilities in the system. Then they will have to take advantage of the discovered vulnerabilities in order to unauthorized withdrawal of funds.

The winner takes all the money "withdrawn" from the system to himself!

Survive Hacking

Another competition that evokes associations with Hollywood blockbusters is the real Resident Evil, which consists of many different obstacles: a laser field, motion sensors, solving puzzles, battles with artificial intelligence and bomb disposal. To go through the obstacle course at PHDays III, and even do it faster than others, you had to really try!



This year, the competition promises to be no less exciting: new high-tech tests will be added to the bugs and lasers. Winners and prize winners will receive excellent gifts from the organizers.

WAF Bypass

Participants will be provided with an archive with the source code of the web application, which contains many different vulnerabilities, as well as a report on scanning for vulnerabilities using the Application Inspector . The challenge is to circumvent a new security system - Positive Technologies Application Firewall , which will protect the application. Having the source code, participants will be able to verify the presence of detected vulnerabilities, try to find others.

Winners will receive memorable gifts from the organizers of the forum.

Leave ATM Alone

If last year, an ATM was physically hacked at PHDays , now it was decided to go from the other side. Competition Leave ATM Alone will allow participants to test their exploitation of vulnerabilities in ATMs skills.

Access to the physical control layer of some ATM modules will be offered. The task is to study them and take complete control over the device. Winners will receive gifts.

2600

The task is to make a call from a payphone to a predefined number. The token must be returned to the organizers. The results will be announced on the second day of the forum. When choosing a winner, the judges will take into account the originality of the methods that allowed the participants to complete the task. Last year, the competition was very popular .



In addition to gifts from the organizers of the competition, the winner will be able to pick up unique PHDays coins, which replace ordinary tokens for a payphone.

Pouring

Classic Positive Hack Days. Toward the close of the second day of the forum, when all the battles have already died down, the CTF winner has been determined and everyone wants to continue communicating in an informal setting, this extremely atmospheric competition starts. Participants need to conduct a successful attack on a web application protected by a security filter. The application contains a finite number of vulnerabilities, the sequential exploitation of which allows, among other things, to execute OS commands.

The total duration of the competition is limited to 30 minutes. Every 5 minutes, participants, whose attacks are most often identified by protective equipment, are invited to drink 50 ml of strong strong drink - and continue the fight. The winner is the one who will be able to first get the main game flag at the stage of executing commands on the server.

" Pouring"- this is so much fun that last year even geohot himself, who had previously fought in CTF as part of the PPP team, could not resist. By the way, he managed to become the winner of "Nalivaika" the first time.



geohot wins in “Navalivka”

Souvenirs from the organizers of the forum are waiting for prizes of the competition winners.

Online contests

Those who for some reason can’t be in Moscow on May 21 and 22 will be able to join the online competitions.

Hash runner

Within the framework of this competition, the knowledge of participants in the field of
cryptographic hashing algorithms will be tested , as well as the skills of breaking password hash functions. Competitors will be offered a list of hash functions generated by various algorithms (MD5, SHA-1, Blowfish, GOST3411, etc.). To win, you need to score as many points as possible in a limited time, ahead of all competitors.

Any Internet user can take part in the competition. Registration for participation will open on phdays.ru on May 8 and will last until the start of the forum.

The winners of the competition will receive great prizes from the organizers of PHDays.

PHDays Online HackQuest

Organizer - PentestIT Laboratory . In addition to the PentestIT team, Ares (developer of Intercepter-NG), Yuri Khvyl (virus analyst CSIS - www.csis.dk ) and Ivan Novikov (d0znpp, OnSec - onsec.ru) will take part in the development of tasks .

Visitors to the PHDays Everywhere sites, for whom there will be a separate team standings, will be able to participate in the competition, which will be held during the days of the PHDays IV forum. The game infrastructure will be as close as possible to the real conditions and will be a distributed network including several branches of the attacked company. For each correctly solved task, the participant will receive points (flags). The winner will be the one who scores the most points.

The winners of the competition are waiting for excellent gifts from the organizers of PHDays and PentestIT laboratory.

Competitive intelligence

The competition will allow forum participants to find out how quickly and efficiently they are able to search and analyze information on the Internet, use the tools and techniques of competitive intelligence.

Shortly before the forum, issues related to a certain organization, information about which can be found on the Internet, will be published. The task of the contest participant is to find as many correct answers as possible to the questions posed in a minimum amount of time.

Any Internet user is allowed to compete. It will be possible to register on the phdays.ru website starting May 8th. (Read the report on how the competition took place last year .)

All winners will receive an invitation ticket to PHDays IV, and the winner will also receive memorable gifts from the organizers.

Competitions for Twitter reporters and bloggers

At PHDays, you can become the best not only by demonstrating hacking skills, but also by displaying literary or reporter talents.

First of all, active Twitter users will be able to win great prizes and an invitation to Positive Hack Days in 2015. Last year, the winner was Artem Ageev , he is entitled to an invitation to PHDays IV.

To participate in the competition, you need to subscribe to our @phdays twitter account and write tweets with the #PHDays hashtag during the two days of the forum, telling your subscribers what is happening on the site, commenting on the course of the competitions, noting interesting reports, workshops, etc. n. At the end of the forum, the organizers will evaluate the overall quality of the broadcast, calculate the number of well-deserved retweets and give the name of the winner.

Do not despair for those who are not masters of small forms and prefer 140 blog posts to traditional characters. Write a fascinating article with your impressions of visiting PHDays, participating in contests and master classes, and then send us a link on Twitter ( English or Russian ), Facebook or VKontakte . The winner will receive a prize and an invitation to PHDays in 2015.

Pay attention to the posts of last year's winners ( 1st place , 2nd place , 3rd place ). All of them are entitled to PHDays IV tickets, so if your note was one of the best, but you have not yet contacted us, it's time to do this - write to phd@ptsecurity.com.

We remind you that for visitors to PHDays Everywhere hackspace this year additional exclusive contests are provided .

Join the battles of information security experts from around the world as part of Positive Hack Days!