Hack2Win – a CodeBlue Conference Event

Hi everyone,
(Please note there is an update for this event here: https://blogs.securiteam.com/index.php/archives/2653)
A Japanese version is available here: https://blogs.securiteam.com/index.php/archives/2630
We have decided this year to not only sponsor CodeBlue, but also try something new (for us and I believe the conference’s attendees).
We will be bringing 11 devices to the conference premises and allowing people to try their skills at hacking them.
We tried to look wide and far for different devices, all around the 200$ USD mark, so that they won’t be expensive for you to buy and try out before the event

The devices are:
 

  • ASUS (RT-N16) Wireless-N 300 Maximum Performance single band Gaming Router
  • ASUS (RT-AC68U) Wireless-AC1900 Dual-Band Gigabit Router
  • OM2P-HS 802.11gn 300mbps HIGH POWER Access Point Router
  • NETGEAR ReadyNAS 102 2-Bay Network Attached Storage Diskless (RN10200-100NAS)
  • Hikvision DS-2CD2032-I Outdoor HD 3MP IP Bullet Security Camera 4mm
  • AXIS 0554-004 M1004-W Wireless HDTV Network Camera
  • Cisco ASA5505-BUN-K9 ASA 5505
  • TRENDnet 1-Bay Diskless Wireless USB 2.0 IDE Network Attached Storage Enclosure TS-I300W (Blue)
  • ZyXEL NSA310 1-bay Network Attached Storage and Media Server
  • D-Link AC3200 Ultra Tri-Band Wi-Fi Router (DIR-890L/R)
  • D-Link Wireless HD Pan & Tilt Day/Night Network Surveillance Camera with mydlink-Enabled (DCS-5222L)

The names above appear as they are listed on Amazon – in order to make it easier for you to get one – and will be hopefully distinctive enough for you to match it in your local shop.
The goal of the event is to find who is able to gain the highest privileges on any of these devices.
The event will be divided into two days, on the first day, 1 hour will be given to anyone that registers to the contest. On the second day, it will be a “free for all” for anyone that wants to try his or her skills, everyone will be given “simultaneous” access.
 
Prizes
The prizes for the first day event will be, 8,000$ USD, 4,000$ USD and 2,000$ USD. The prizes for the second day event will be, 3,000$ USD, 2,000$ USD and 1,000$ USD.
The first, second and third prizes for each day, will be given to one person (or group) for hacking any of the above devices that was not previously hacked. If a person (or group) is able to hack a device, it will be removed from the available targets list.
 
Judging Criteria
The decision whether someone wins first, second or third place will be based upon the following:
 

  1. Complexity of attack – what was required to achieve the access
  2. Innovative method – XSS, SQLi, RCE, from least to most innovative
  3. Attack affects on the LAN/WAN – if it affects the WAN more points would be given
  4. What is achieved by the attack – no access is given to the challengers, so they would need to reach from no-access to some access – therefore a guest access would be considered less valuable than root
  5. Writeup Quality – the best write up (in English), most detailed, best explanation, etc

 
Device Settings
All the devices will be factory reset – i.e. default settings, and the only non-default setting would be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).
 
Device Access
The devices will be accessible to participants via the WAN Ethernet interface, or WiFi access.
 
What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:
 

  1. Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  2. Changed some configuration value, like WiFi password (note: We will not be giving any award for changing the IP address of the device)
  3. Made the device do something it’s not supposed to do: like execute code, open a port/service which was previously closed (like SSH, telnet, etc)
  4. Did something else that would be innovative and unexpected. Be creative! For example: get images from the Camera without actually hacking it

 
What we won’t count as a ‘hacked’
 

  1. Causing a malfunction to the device, DoS, making it unresponsive, making it no longer boot, etc – we will immediate disqualify a participant if we feel this is being done intentionally
  2. Physically opening of device, connecting to the device in any means other than what we allowed the participant to use (Ethernet or WiFi)
  3. Usage of any known method of hacking – known methods including anything that we can use Google/Bing/etc to locate – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes (found via Google, exploit-db, etc)
  4. Anything we at Beyond Security would consider as being unfair – like doing Social Engineering on Beyond Security staff or personnel, hacking a device that is not the target and using that as means of gaining access to the device, etc

 
Eligibility
The contest is open to anyone who is at the legal age to receive a contest prize in your country, if you are not allowed to receive prizes – and please make sure to check this before participating – you may want to team up with a person that is at the legal age to receive prizes.
The contest is not allowed to anyone working for any of the above companies whose device participates in, or are involved in development of any of the above devices.
 
Announcing the winners
We will announce all the winners (for first and second day) at the end of the second day. We plan stop the hacking event 2-3hrs before the end of the second day – so that we can prepare. Please don’t wait until the last minute!
 
What will happen during the contest
A. On the first day, each participant will have 1 hour with the device of his choice
B. Once a device is ‘hacked’, the participant wanting to collect the prize, would need to show, explain and technically describe what he did, both orally (talk) in English as well as provide a written document (at least 500 words) in English – we may accept it in Japanese if we find someone that can help with the translation on site – but that is not guaranteed, so please prepare for the possibility it will need to be in English.
C. The information provided will be given to the 3 judges
D. If the judges believe that the device has been ‘hacked’, we will make that device no longer available for hacking anymore to any additional participants – and we will examine the device. If we later discover that the ‘hack’ was somehow flawed, we will make the device once again available – after factory resetting it back to the previous settings to remove anything left by the previous participant
E. At the end of the first day we will go over all the participant’s handed material and decide which one is the best, second best, third best (see Judging Criteria)
F. If there are not enough participants on the first day, whose provided material is worthy of a prize we will transfer the winning prizes amount from the first day to the second day
G. Devices hacked during day 1 will not be available during day 2
 
Registration
Only the first day of the event will require you to register, either “on site” or before via email – this will allow us to give you a dedicated time slot with the device or devices of your choice. The second day will be a “free for all” type of event, anyone can hook up their laptop to the “network”. To register for the first day event, please send an email to ssd[@]beyondsecurity.com (remove the [ ] to allow the email to arrive correctly).