Message-ID: <CAAnZqX9zg3u=6pDwT=H=Gpscu0k_f+q8BFoQsemSzzkoW1kOSw@mail.gmail.com>
Date: Sun, 3 Sep 2017 16:03:41 +0300
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] Hack2Win – Code Blue 3rd Edition
Hi everyone,
We are excited to announce our 3rd Hack2Win Code Blue competition!
This year we have changed the format, raised the difficulty level and
increased the prizes.
The goal of the event is to find who can gain the highest privileges on any
of the target software and hardware.
Prizes for this contest will total $50,000 USD!
In the new format we have:
3 categories; in each category we will have 2 products from different
vendors
Each category has different prizes
Each category’s highest prize will be given to the first eligible submission
A Quadcopter will be given to one participant who will be “the best of the
show”

Category 1 – CMS
Prizes:
WAN RCE – 10,000$ USD
Information disclosure that leads to password disclosure / Authentication
bypass – 5,000$ USD
Pre-Authenticated XSS / Reset password – 2,500$ USD
Products:
WordPress default installation with the following plugins(*):
Really Simple CAPTCHA
Contact Form 7
WooCommerce
Google XML Sitemaps
Yoast SEO
All in One SEO Pack
Akismet
Wordfence Security
W3 Total Cache
NextGEN Gallery – WordPress Gallery Plugin
Page Builder by SiteOrigin
Advanced Custom Fields
Ninja Forms – The Easy and Powerful Forms Builder
MailChimp for WordPress
(*) Each of those plugins has at least 900K active installations
Drupal default installation with the following plugins(**):
Chaos tool suite (ctools)
Token
Pathauto
Webform
(**) Each of those plugins has at least 500K active installations

Category 2 – Routers
Prizes:
WAN RCE – 10,000$ USD
LAN RCE / Information disclosure that leads to password disclosure /
Authentication bypass – 5,000$ USD
Reset password – 2,500$ USD
Products:
Cisco RV132W Wireless-N VPN Router
Asus – RT-AC68U

Category 3 – NAS
Prizes:
WAN RCE – 5,000$ USD
LAN RCE / Information disclosure that leads to password disclosure /
Authentication bypass – 2,500$ USD
Reset password – 1,250$ USD
Products:
Western Digital – My Cloud Pro Series PR2100
Synology – DiskStation DS216j

Judging Criteria
New – the attack uses an unknown vulnerability (no record of it can be
found on Google, Exploit-DB, etc)
Complex – what was required to reach a successful attack
Innovative – we regard an RCE as more innovative than SQLi, for example
LAN or WAN – more points if the attack comes from the WAN side
What is gained – we give no initial access to the challengers, so any type
of access is an achievement. Of course, a guest level access would be
considered less valuable than root
Write-up Quality – how well the write-up is written (in English), including
details, explanations, etc

Device Settings
All the devices will be factory reset – i.e. default settings, and the only
non-default setting would be the password for the ‘admin’ (or equivalent)
account as documented in the product’s user guide, and the WiFi password
(if applicable).

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:
Gained access to the device’s post-authentication admin web interface
(remember – you will not be given any credentials)
Changed some configuration value, like the WiFi password
Made the device do something it’s not supposed to do: like execute code, or
open a port/service which was previously closed (like SSH, telnet, etc)

What we won’t count as ‘hacked’
Causing a malfunction to the device, DoS / XSS / CSRF, making it
unresponsive, making it no longer boot, etc
Usage of any known method of hacking – known methods including anything
that we can find on Google/Bing/exploit-db/etc – this includes: documented
default password (that cannot be changed), known vulnerabilities/security
holes

Eligibility
The contest is open to anyone who is of legal age to receive a contest
prize in their country. If you are not allowed to receive prizes (please
make sure to check this before participating), you may want to team up
with a person who is eligible.
The contest is not open to anyone working for one of the vendors, or
involved in the development of the above devices.
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/