HackBattle 2.0: school canteen ICO under attack
In May 2017, Positive Hack Days VII presented a brand new contest named HackBattle, which attracted audience attention. Almost 100 security specialists took part in that contest. The audience was so eager to see the final that the area was packed (more details in the last year's review). Inspired by professionals' interest, we decided to hold HackBattle 2.0 at PHDays 8. Learn how the contest passed this year, and check if you can solve the tasks.
The contest was held on both days of PHDays. During the first day, there was a qualifying stage: we selected two strongest and bravest participants who solved most tasks within the minimum period. The final of the contest was on the second day. Two hackers were to attack one aim, and the first to get through and escalate privileges on the target system was the winner. The progress was commented by security experts, and highlights could be followed on a large screen.
As in the previous year, the participants were to solve CTF-format tasks against the clock. Each participant had 35 minutes to solve 10 tasks and earn a certain amount of points, depending on the task complexity. Each participant could take part in qualification only once.
This time we took into account the requests of participants of the first HackBattle and allowed using not only our workstations but also participants' laptops.
It was hard to define two best participants who would be able to solve the final task under pressure of audience attention. The fight was very tough and it was unclear until the very end who was going to play the final round. Scoreboard displayed a small gap between the leaders—just 50 to 100 points—and when the scores were equal, the time difference was mere seconds! Only at 6 p.m., after the qualification was finished, we managed to define the shortlist: Vladislav W3bPwn3r Lazarev and Artur inviz@penis Khashayev.
On May 16 at 2:00 p.m., the final of HackBattle 2.0 was held on the main stage of the Congress Hall. As a year ago, the hackers' actions were streamed to the big screen and commented by experts from Positive Technologies. For convenience of the audience, most of which came to support the finalists, each of the hackers' monitors was separately shown on screens on both sides of the main stage.
The final task was to attack the same aim: this year the hackers' victim was a server that hosted an ICO for a school canteen.
The task was to replace the wallet ID displayed on the website to any other wallet ID before the ICO presale would start (use the link at the end of the article to download this task). This was a multistage task that could be solved in a number of ways.
During the last six months, Positive Technologies performed numerous ICO pentests, and each tested project contained vulnerabilities of various severity levels. Nowadays, media publish more and more information about compromised ICOs. Obviously, information security in this sphere is not a priority. Therefore, we decided to draw attention to the security of cryptocurrency services and make this issue a topic of the final battle.
The duel took 20 minutes (full-length version of the final, as well as other conference videos are available at phdays.com/ru/broadcast/). This tense battle ended with a victory of Vladislav W3bPwn3r Lazarev who was the first to accomplish the task.
We interviewed the finalists after the battle and learned what their impressions were.
"First of all, I'd like to give credit to the high level of infrastructure and quality of the tasks. It was a nice surprise to be in the spotlight, though doing even customary actions turned out to be more difficult when a lot of people are looking at your screen. Probably, it would be more fun to have the qualification in the same format as the final," said Vladislav Lazarev.
Artur Khashayev shared his impressions: "HackBattle is certainly the event that cheered everyone up during the conference. One of unexpected things was that it took a while to have the Internet working, so I spent some time importing a proxy certificate. But the canteen ICO website was well-crafted. And I would like to highlight the performance of speakers who commented the battle: they did a great job adding vitality and keeping a large audience excited."
Technical details about organizing the stream, performance of the scoreboard and its synchronization with the workstations provided by the organizers are available in Anatoly Ivanov's blog.
All tasks, except task 10, are OVA virtual machines. Task 10 is a binary file for *nix. All virtual machines have static IP addresses from the subnet 172.30.0.0/24, gateway 172.30.0.1, DNS 188.8.131.52. Access to virtual machines is provided for reconfiguring.
1. WhiteHub (150)
NotSoEvil corp has developed a clone application with blackjack and Brian Crépes. Can you find the sensitive information there?
2. Rates (350)
Our rate changer is rocket science, can you make it through to the secret info?
3. Mine is bigger (150)
Bet you can't beat me! Prove different.
Unix user would know what is going on here:
4. PHP Power (100)
Are you good enough at source code analysis?
5. Too Smart (450)
This NES games search engine seems to have some vulnerabilities. Unfortunately they claim to have bought a new age firewall, can you make it through and get the private game.
6. The Meme's Mystery - ez part (100)
Find out what this meme is hiding.
Note that this tasks has two flags. Send the second flag to The Meme's Mystery (hard part)
The Meme's Mystery - ez part (350)
The meme's intelligence has increased, but the flag still seems to be reachable
Note that this is the second flag of the task
7. JWT strikes back (50)
In memorial of old JWT bugs, the task we solve...
8. Robots Strike Back (100)
Robots are back, defeat them again and save the princess, mighty warrior!
9. Ticket to ride (250)
We have developed a nice website to get you some comfortable tickets, is it secure enough?
10. Trace Me (50)
This program prints flag, go get it. Oops, nearly forgot to say that it is ouputed to stdout. Hope you are still able to get it
In hosts file add strings:
Entry point: stolovaya-ico.ru
By: Dmitry Galecha, Anatoly Ivanov, and Alexander Morozov, Positive Technologies.