
Thursday, June 14, 2012

Positive Hack Days CTF 2012 – The Way It Was

The battle between hackers, run on the Capture The Flag model, was the star turn of the PHDays 2012 program: for two days and a night, without a break, 12 teams from 10 countries attacked their rivals' networks while defending their own.

Unlike other contests of this kind, PHDays CTF was designed to be as realistic as possible: the vulnerabilities used in the competition are the kind commonly found in modern information systems. In addition, the participants were allowed to act blind when solving the tasks; in other words, they could attack systems to which they had no prior access. The most distinctive feature of PHDays CTF 2012 was the King-of-the-Hill scheme at the heart of the contest. Under this scheme, a team scored not only for capturing a system but also for holding it afterwards.

To keep the conditions realistic, the King-of-the-Hill scheme copied a typical enterprise network layout: the external perimeter was made up of web applications, DBMS servers and directory services (LDAP), and, once penetrated, gave access to the internal perimeter, Microsoft Active Directory. Everything was the way it is in real life.

The Show

To give the competition a special flavor, we built a game infrastructure and kept modifying it throughout the CTF along a single story line. So the participants not only had to complete tasks faster than their competitors, they had to save the world! (For the legends of Day 1 and Day 2, visit the forum's blog.)

This time the show also had a reality-show element: random visitors were given cards with bonus keys, which they could hand to their favorite team at the end of the second day.


The competition was not only about "pure" hacking. In the lobby of Digital October, the organizers set up an enormous container full of "trash". The CTF required the teams to dive into this container (a dumpster) and find bonus keys (flags). Each team had 30 minutes for the Dumpster Diving.

The second day of Positive Hack Days held new surprises for the CTF participants. First, they had to take control of an AR.Drone quadrocopter that was being flown from a mobile phone over an insecure wireless connection. The contestants had 30 minutes to win the competition.

The weather on May 31 was not quite warm and sunny, so the drones were launched indoors, right next to the dumpster.

The winner not only scored extra points for their team but also took the drone home as a prize. The quadrocopters went to Sergey Azovskov from HackerDom (Russia) and Matt Dickoff from PPP (the USA).

And there was still more to come. The Way To Protect Money section offered the $natch competition, made up of three parts. In the first, participants had to withdraw money from a remote banking system developed specially for the occasion. The second part was for the CTF teams, who had four hours to harden the banking system. Finally, contestants of the online HackQuest joined the game to attack the system and steal money from the CTF teams' bank accounts (for details, read our blog entry).

The CTF contestants managed to win the battle and save almost all their money.


The best team of Positive Hack Days CTF 2012 was LeetMore (Russia). Last year they came second, but this time they left their rivals no chance and took the main prize of 150,000 rubles. Second place went to the Swiss team 0daysober (100,000 rubles), followed by Int3pids from Spain (50,000 rubles). Last year's favorite, PPP (the USA), finished fourth. The final results are provided in the table below:

Tachikoma from Japan deserves a special mention. The team consisted of students from four Japanese universities who were taking part in a contest of this kind for the first time. The whole country was cheering for them, and they did a good job for novices.


The CTF wars also brought a few quite interesting vulnerabilities to light. For example, the LeetMore contestants found a 0-day in the FreeBSD 8.3 release: a local vulnerability that allows security restrictions to be bypassed. By exploiting it, anyone could have defeated the protection mechanism and deleted the other participants' flags. Everyone played fair, however :)

Another vulnerability was found by Eindbazen (the Netherlands). They discovered an XSS attack vector in the King of the Hill infrastructure. Since the CTF authors had not anticipated this web attack, it too can be counted as a 0-day.

Defcon: Greetings from Moscow

Unfortunately, Defcon declined to postpone its CTF qualifications. Understandably, after fighting at PHDays for two days non-stop, the 12 top teams were physically unable to take part in the qualifications: some were on their way home, others were simply exhausted.
The teams, led by PPP (who have a really good sense of humor), took a rather pointed photo as their reply to Defcon:

Anyway, everything was great! We’ll do our best to make PHDays CTF even more exciting in future!

P. S. For those who are interested, the full version of the CTF legend (text and video) and links to feedback on the forum can be found in the personal blog of one of the organizers.

