PHDays video

POSITIVE HACK DAYS



ORGANIZER

Contests

Onsite contests

Online contests

2600
$natch
Critical Infrastructure Attack: City
WAF Bypass
Automotive Village: CarPWN
MITM Mobile
HackBattle
CAMBreaker
Free SCADA
2drunk2hack

Competitive Intelligence
HackQuest

$natch

"How to Clean Out a Bank and Stay Alive" is one of the oldest and most exciting contests at PHDays. This year, participants will have more to deal with than just analyzing e-banking source code—they will have to empty ATMs and self-service kiosks, and be ready to smuggle money out past anti-fraud systems. Like last year, hackers can also choose to play for the "good guys" by writing about vulnerabilities to a special incident response group.

Rules

Rules

Contest will last for the duration of the forum. http://contest.phdays.com

Participation Terms

Participation Terms

All forum participants may take part. Come to the contest stand to join.

Prizes

Prizes

Players take home all the money "stolen" from the system (stealable funds total RUB 60,000).

$natch

2drunk2hack

The competition enables the participants to try their skills in hacking a web application which is protected by a Web Application Firewall and demonstrate the ability to think straight in any situation.

Rules

Rules

The goal is to hack a web application protected by a Web Application Firewall (WAF). The web application contains a limited number of vulnerabilities, consecutive exploitation of which allows OS commands execution.
The competition takes 30 minutes. Every 5 minutes the competitors on whose actions WAF reacted more often can drink a 50 g shot of a strong drink and proceed with the competition.
The winner is the first who manages to capture the principal game flag on the stage of executing OS commands on the server. If the principal flag is not captured, the winner is the participant with the largest number of flags captured on other stages of vulnerabilities exploitation.

Participation Terms

Participation Terms

Any attendee who has reached the age of 18 is welcome to participate in the competition. The participants can register at the information desk in the lobby of the second floor. The number of competitors is limited.

Prizes

Prizes

Winners will recieve valuable prizes.

Technical Details

Technical Details

Please bring your own software and hardware that you require for participation. Connection to the game network segment will be provided.

2drunk2hack

2600

Participants can watch wits at old-school phone phreaking. Their task: use an ordinary token to make a call on an old Soviet pay phone.

Rules

Rules

To emerge victorious, a participant must make a call from the pay phone to a certain phone number—and retrieve the token.

Participation Terms

Participation Terms

All forum participants may take part. Contest will be held throughout the forum.

Technical Details

Technical Details

Participants may not damage the pay phone in any way!

2600

Free SCADA

Free SCADA is an educational open-source project intended to demonstrate typical vulnerabilities in SCADA components. Free SCADA will consist of SCADA components with PLCs (based on Raspberry Pi). As part of The Standoff, each of the attacking teams will be given access to a separate stand for warming up and gathering useful hints about the infrastructure and settings of one of the main contests—Critical Infrastructure Attack: City.
Made possible with the support of ASP Labs.


Rules

Rules

Contest will last for the duration of the forum as part of The Standoff.

Participation Terms

Participation Terms

Only Standoff teams may take part.

Technical Details

Technical Details

Participants must bring their own software and hardware.

Free SCADA

CAMBreaker

Forum visitors can try to hack IoT devices by finding zero-day vulnerabilities in popular IP cameras. Besides web vulnerability aficionados, we encourage masters of firmware reverse engineering and JTAG wizards to show off. Don't forget to bring your own devices!

Rules

Rules

Contest will last for the duration of the forum. http://contest.phdays.com

Participation Terms

Participation Terms

All forum participants may take part. Come to the contest stand to join.

Prizes

Prizes

1st place: LG Nexus 5X smartphone, PHDays souvenirs
2nd place: PHDays souvenirs
3rd place: PHDays souvenirs

Technical Details

Technical Details

Participants must bring all necessary software and hardware themselves.

CAMBreaker

HackBattle

HackBattle is new to PHDays. A qualifying stage will be held on the first day of the forum at the contest stand, where participants will need to complete several tasks. On the second day, the brightest hacker minds will assemble on the main stage to astound the audience with their speed, smarts, and improvisation while hacking in real time. Our team of professional streamers will be providing commentary.

To participate, hackers must come to the HackBattle stand on the first day and perform the qualification tasks.

Participation Terms

Participation Terms

All forum participants may take part. Qualifying stage will be held on the first day of the forum. Finalists will be determined by the end of the first day. Championship will be on the afternoon of the second day.

Prizes

Prizes

1st place: Hak5 Field Kit, PHDays souvenirs
2nd place: PHDays souvenirs

HackBattle

MITM Mobile

Mobile network security has well-known issues at all levels from client devices to operators. One sore point is the GSM standard, which can be hacked not only by nation-states, but by engineers with $20 to spare. Don't get your hopes up for 3G/4G though: operators are stuck supporting GSM for years to come, so downgrade attacks involving "evil-twin" base stations can force subscriber devices to switch to the not-very-secure GSM standard. Interception of SMS messages and USSDs, eavesdropping on phone conversations, use of IMSI catchers, and cloning of mobile phones—all this can be seen and learned at our stand by trying to hack the special mobile operator we have set up specially for the event. Prizes await the nimblest participants.

Participation Terms

Participation Terms

Contest held during the forum. Come to the contest stand to take part.

Prizes

Prizes

1st place: bladeRF x40, PHDays souvenirs
2nd place: PHDays souvenirs
3rd place: PHDays souvenirs

MITM Mobile

Automotive Village: CarPWN

At Automotive Village: CarPWN, participants can compete to show off their knowledge of everything related to car security. Competition tasks will include searching for wires, ECU searching, connecting to the on-board network, setting up an MITM attack using CANToolz, testing the security of QNX, and much more. Conference participants will have two days of access to a training stand and vehicle for hacking.

Participation Terms

Participation Terms

Contest will be held throughout the forum. All forum participants may take part.

Technical Details

Technical Details

We recommend that participants bring their own special CAN equipment.

Automotive Village: CarPWN

HackQuest

This year's HackQuest is organized by Wallarm. Hackers must solve as many tasks as possible. These tasks are based on real vulnerabilities found in the past year. New to this year: neural networks.

Rules

Rules

Contest will be held from May 1 to 13. Start: 12:01 a.m. (midnight) on May 1.

Participation Terms

Participation Terms

All Internet users are eligible to participate.

Prizes

Prizes

Winner will receive free PHDays tickets and souvenirs.

Technical Details

Technical Details

To sign up, visit hackquest.phdays.com

HackQuest

WAF Bypass

WAF Bypass is back at PHDays. As always, participants will try to bypass PT Application Firewall. This year’s tasks will center around bypassing the new database protection component of the Positive Technologies web application firewall. Victory will be gauged based on special flags. Both forum visitors and Internet users are eligible to participate.

Rules

Rules

The contest consists of tasks during which the competitors collect flags. Each flag is worth points. In case of a tie, victory goes to the participant who obtained their final flag more quickly.

Participation Terms

Participation Terms

The contest consists of tasks during which the competitors collect flags. Each flag is worth points. In case of a tie, victory goes to the participant who obtained their final flag more quickly.

Prizes

Prizes

1st place: Apple Watch, PHDays souvenirs
2nd place: one-year Burp Suite Pro license, PHDays souvenirs
3rd place: PHDays souvenirs

Technical Details

Technical Details

To sign up, go to waf-bypass.phdays.com

WAF Bypass

Competitive Intelligence

In today's world, it's easy to dig up sensitive information on people and companies. The main skill in competitive intelligence is to find and synthesize morsels of information scattered across public sources. For several consecutive years (2012, 2013, 2014, 2015) we have shown how big secrets can be ferreted out with little or no hacking. This craft is becoming easier on the one hand because of the amount of information online, but also harder because of the difficulty for humans to process all this information. In addition to search engines, online sleuths will need to use special tools and techniques from the realm of competitive intelligence. The contest will be held online over three days: May 14, 15, and 16. The victors will receive prizes at the PHDays awards ceremony.

Rules

Rules

The contest page will have questions regarding a particular organization that is widely represented on the Internet. Competitors try to find the maximum number of correct answers as quickly as possible.
Results will be known on May 16 at 18.00.

Participation Terms

Participation Terms

Contest will open at 9:00 a.m. on May 14, 2017 at phdays.com/ci2017/.

Prizes

Prizes

1st place: iPad Air, PHDays souvenirs, 3 forum invites
2nd place: PHDays souvenirs, 2 forum invites
3rd place: PHDays souvenirs, 1 forum invite

Technical Details

Technical Details

Participants select all necessary software and hardware themselves. Internet connection required.

Competitive Intelligence

Critical Infrastructure Attack: City

In this contest, hackers will target a model city's automation systems, which are concentrated in a large industrial zone essential for the ongoing operation of the city and its infrastructure. The model city approximates a real-world city in terms of both technology and functionality. Opportunities for acting on city systems are limited only by attackers' imaginations and the defenses in place on various system segments.

The model city includes:

  • Residential areas with building management systems (BMS), smart homes, transportation systems, and IoT gadgets
  • Railroad linking all parts of the city
  • Power station and substation (electrical generation, distribution, and management)
  • Oil refinery and oil storage/transport facilities
  • Video surveillance systems

Rules

Rules

Contest will last for the duration of the forum as part of The Standoff.

Participation Terms

Participation Terms

Only Standoff teams may take part.

Technical Details

Technical Details

Participants must bring their own software and hardware.

Critical Infrastructure Attack: City


Download the full program in PDF

Levels

The Labyrinth

The Labyrinth at Positive Hack Days is a real hacking attraction. During only one hour the participants of the competition are to get over the laser field and motion detectors, open secret doors, clear the room of bugs, combat with artificial intelligence, and render a bomb harmless. To get through the Labyrinth, you will need some skills in dumpster diving, lock picking, application vulnerabilities detection, social engineering, and of course there is no way without mother wit and physical fitness.

How to Get Into the Labyrinth?

To pass the Labyrinth, create a team of three persons and register in the contest zone. You will be offered some vacant time slots. Please note that passing the Labyrinth may take more than an hour, so avoid planning anything else for this time.

Rules

Rules

"The judge is always right." If while you are breaking through the perimeter the judge requires going back to the starting point, you must fulfill this requirement. Even if you don't hear the horrid sound of the security alarm.

"Sobriety is the norm of life." Do not mix up Labyrinth and Too Drunk to Hack — in order not to loose your way, keep your mind clear.

"Breaking? No, making!" Please avoid any destructive actions against the Labyrinth infrastructure. If you think that it is impossible to pass a room without applying a Bolt Cutter™, please consult the judge.

"Time is short." If you manage to pass the room quicker than it was planned according to the schedule (9 minutes are allocated for each room), you may use the rest of time to fulfill additional tasks. Accomplished all tasks? Impossible!

Winners

Winners

1st place
Antichat

2st place
Shkolota

3st place
Extra Team

The Labyrinth