Bug hunters *

Однажды мы со Standoff 365 договорились сделать крутой конкурс для начинающих багхантеров и представить его на PHDays Fest. Каково же было наше удивление, когда за первые 5 минут в конкурсе зарегистрировались 17 человек, всего же было 74 участника и 10 победителей. Еще больше удивило то, что багхантеры были вовсе не начинающие: в конкурсе участвовали сильнейшие хакеры страны. В этой статье разберем, какие были задания.

Мы приняли решение сделать конкурс в формате CTF. Для этого с нуля в ChatGPT была разработана платформа. Как показала практика, код, который написала нейросеть, оказался неидеальным в плане безопасности, но в целом после исправления некоторых проблем все стало работать стабильно.

 Python, Java, C++, Delphi, PHP—these programming languages were used create a virtual crypto ATM machine to be tested by the participants of the $NATCH contest at Positive Hack Days 12. The entire code was written by ChatGPT and proved to be exceptionally good. This time, we had reviewed the contest concept and decided to use a report system. In addition to standard tasks (kiosk bypass, privilege escalation, and AppLocker bypass), this year's participants faced new unusual tasks. Read on below to find out which ones.

Hello everyone! We've already talked in our blog about how the Positive Hack Days 11 forum had a special Payment Village zone, where anyone could look for vulnerabilities in an online bank, ATMs, and POS terminals. Our competition to find vulnerabilities in an online bank is not new, but in recent years it has been somewhat supplanted by ethical hacking activities for other financial systems. In 2022, we decided to correct this injustice and created a new banking platform, making use of all our years of experience. We asked the participants to find typical banking vulnerabilities and report them to us. In the competition, the participants could play for either the "white hats" (participate in the bug bounty program of an online bank) or for the "black hats" (try to steal as much money from the bank as possible).

The Positive Hack Days 11 forum, which took place May 18–19, 2022, was truly epic. The bitterly fought ATM hacking contest featured no fewer than 49 participants. How cool is that? The winner of this year's prize fund of 50,000 rubles, with the handle Igor, was the first to hack the virtual machines. And he wasn't even at the event! :)

Besides Igor, eight other participants picked up prizes this year for their VM-hacking skills. They were: drd0c, vient, vrazov, durcm, zxcvcxzas7, asg_krd, hundred303, and drink_more_water_dude. A big thank-you to everyone who took part, and for those who weren't at PHDays, here are the links to the virtual machines.