HackBattle 2.0 competition at Positive Hack Days: how the school cafeteria attacked ICO

Last May, the HackBattle competition was held at Positive Hack Days VII for the first time. Our booth attracted a lot of attention from the audience. Then, almost 100 information security specialists took part in the competition, and so many spectators came to see the final in the large hall that it was impossible to push the stage (for more details see last year’s report ). Inspired by such interest from the professional community, we decided to run HackBattle 2.0 on PHDays 8. We tell how the competition went this year, and also publish the tasks from the competition so that you can try to solve them.

Contest format and rules

Competitions were held throughout the PHDays. On the first day there were qualifying tests: we chose two of the strongest, bravest, bravest candidates who decided the most tasks in the shortest time. On the second day the final took place on the main stage of the forum: hackers had to attack the same target. The victory was given to the one who first will be able to break through and increase the privileges on the target system. The final in real time was commented by information security experts, and the brightest moments were shown on the big screen.

Selection

Like a year ago, at the qualifying stage, we suggested that participants solve the CTF format problem for speed. For the solution of 10 problems 35 minutes were given. For each task, a certain number of points were awarded depending on the difficulty. Participation in the selection could only once.

This time we took into account the wishes of the participants of the first HackBattle and provided an opportunity to work not only on pre-prepared workstations, but also on our laptops.



Separate table with blackjack and patch cords for those who came with laptops



Participants qualifying test

It was not easy to determine the people who will reach the final and will be able to adequately cope with the solution of the problem under pressure from the audience. Until the end of the qualifying rounds it was absolutely unclear who would be the finalist - the struggle was very sharp. The difference between the leaders of the scorbord was only 50-100 points, and in cases when the score was equal, it was only a few seconds! And only at six o'clock in the evening, having closed the qualifying competitions, we were able to determine the finalists: they were Vladislav “W3bPwn3r” Lazarev and Arthur “inviz @ penis” Khashaev.



Standings



Problems solved by a finalist W3bPwn3r


Tasks solved by inviz @ penis finalist

The final

On May 16, at 14:00 sharp, the final stage HackBattle 2.0 took place on the main stage in the congress hall. Like a year ago, everything that happened on the hacker monitors was streamed to the big screen and commented on by Positive Technologies experts. For the convenience of the spectators, the monitor of each of the finalists was separately duplicated on the screens of televisions standing on the sides of the main stage.



Battle of the strongest

As a final test, we suggested that the participants attack the same target: this year the hacker victim was the server on which the school canteen's ICO was held.



ICO school cafeteria website

According to the legend, hackers should have time to replace the purse placed on the main page of the website with any other one before the start of the ICO presale-stage (you can download the task at the end of the article). Note that the task consisted of several stages and could be solved in various ways.

Over the past six months, experts from Positive Technologies have conducted many ICO pentests and in each project discovered vulnerabilities of varying degrees of danger. Information about the compromise of the ICO is increasingly appearing in the media. It is obvious that in this area the issue of information security is clearly not a priority. We decided to dedicate the final to this topic in order to draw attention to the security of cryptocurrency services.

The fight lasted 20 minutes (the full version of the final, as well as other video materials of the conference, can be viewed on the PHDays website - phdays.com/ru/broadcast/ ). The victory in a tense battle was won by Vladislav “W3bPwn3r” Lazarev, who was the first to cope with the task.



Winner - Vladislav Lazarev

After the contest, we interviewed the finalists and found out about their impressions.

“First of all I want to note the high level of organization of the infrastructure and the quality of the tasks themselves. It was pleasantly surprised by the attention of a large number of people, although it seemed that it was more difficult to carry out seemingly familiar actions when the crowd looked at your monitor. It would be more fun if the qualifying stage was held in the same format as the final, ”said Vladislav Lazarev .

“HackBattle is definitely the very event that allowed us to shake things up during the conference,” said Arthur Khashayev . - From surprises: in the final round, the Internet did not work right away, I had to spend some time importing the certificate from the proxy. At the same time, the ICO website of the school canteen was made famous. I would like to especially note the work of commentators who made this battle truly dynamic and did not let the audience get bored. ”

The technical details of organizing the stream, the work of the scorbord and its synchronization with the workstations provided by the organizers are outlined in the blog of Anatoly Ivanov .


Authors : Dmitry Galecha, Anatoly Ivanov, Alexander Morozov, Positive Technologies.