Friend

Once a year, pentesters get a chance to announce their achievements loudly, show their contribution to the development of the Russian information security market, and share the best stories from their practice at the closed Pentest Award ceremony.
To take part, experts submit applications with an anonymized story about their best project, the one where they showed the most ingenuity, professionalism and creativity. The main prize is a heavy personalized glass statuette for first place, along with MacBooks, iPhones and smart watches.
Thanks to the partners of the award, the finalists received:
* Smart speakers and gifts from VK Bug Bounty project partners
* OFFZONE Conference tickets
* Traditional grants for all CyberED courses
The organizer is Awillix, one of the best pentesting companies in the Russian Federation, which specializes in complex and unique projects for assessing information security risks and analyzing the security of information systems and IT infrastructure. We created this project so that ethical hackers could make themselves known and gain industry recognition, and so that they stay motivated to grow in an atmosphere of healthy sporting competition.

WEB Penetration Category
This category rewards proficiency in identifying and exploiting vulnerabilities in web services, APIs and other components of web applications. The depth of analysis and the complexity of the technical and logical vulnerabilities found are evaluated. Special attention is paid to unique and previously unknown vulnerabilities.
This year's nomination was curated by BI.ZONE Bug Bounty, with Sergey Kuzminov, Head of Penetration Testing and Red Team, as a member of the jury. The BI.ZONE Bug Bounty platform is known to more than 6000 bug hunters, so we are proud to present such a strong project partner, who monitored the objectivity of all ratings of the works in this category.
Winners
1st place: author with the nickname shin0_by and the case "Multiple Take Over"
2FA bypass by changing a GET parameter: go to the registration completion page, skipping the SMS code check, and set a new username and password. Changing the username and password by brute-forcing a cookie value. To take over the accounts of all users, one would need to enumerate all values of one of the cookies (~1.05 million).
2nd place: author with the nickname Tr3harder and the case "Cache Engine Deser"
RCE by gaining access to the admin panel and installing a vulnerable module. RCE via deserialization in the cache engine of one of the CMS modules.
3rd place: author with the nickname Danr0 and the case "Cache Engine Deserialization"
Creating a new user in the system without a session check, bypassing security features, and executing OS commands on the target system. Creating custom MSSQL functions to execute OS commands.
Rating of other finalists
arkiix — 317
cucurucuq — 312
larch1k — 291
w0ltage — 291
rakel_stan — 283
A32s51 — 281
sos1somba — 278
Russian_OSlNT — 274
maledictos — 274
graph_sotskiy — 265
kiriknik — 245
sypso — 234
jmaaax — 234
AndrewYalta — 226
elvisalarn — 210
Bisch — 207
lewaper — 195
Byte_Wizard — 195
Maximum number of points — 420
"There was a very strong line-up of participants and powerful works. Experts from many companies showed the most complex, fascinating and non-trivial attacks. It was not easy to choose the best works: in each report you could find something new. The award proves that today we have a large number of cool specialists, and this figure is only growing every year" - Sergey Kuzminov, Head of Penetration Testing and Red Team, BI.ZONE
Category "Breaking through infrastructure"
A separate nomination this year, for outstanding achievements in penetration testing and the exploitation of network infrastructure vulnerabilities, including, but not limited to, network devices, network services and IoT devices. The focus is on the complexity and originality of approaches to finding vulnerabilities that compromise the network infrastructure with little interaction with web components.
The category is curated by VK Bug Bounty. VK was one of the first companies in Russia to start paying external security researchers for the vulnerabilities they found. In 2024, VK rethought the industry's generally accepted approach to payouts, abandoning fixed maximum amounts and introducing the Bounty Pass mechanism. In addition to Apple equipment, the finalists of the VK Bug Bounty category received a set of VK Bug Bounty branded merchandise and a Marusya smart speaker.

Winners
1st place: author with the nickname Im10n and the case "FreeIPA"
Analysis of a FreeIPA-based infrastructure. Extracting the user's salt and brute-forcing passwords by decrypting the TGS. This allowed the author to recover the domain administrator password and compromise the infrastructure. The vulnerability was reported to the vendor and received CVE-2024-3183.
2nd place: author with the nickname Snovvcrash and the case "Pivot Point"
PetitPotam to obtain the NTLM hash, a DCSync attack and creation of a Golden Ticket. Gaining access to the Kaspersky server by deploying a reverse shell, pivoting with Chisel, extracting the KeePass master password, and accessing the Check Point panel to change firewall rules.
3rd place: author with the nickname Secm3_n and the case ".NET Init"
The discovered .NET application allowed the author to decrypt its credentials, access the database and execute OS commands. The attack chain resulted in privilege escalation, credential extraction, Pass-the-Ticket and Shadow Credentials attacks, and ultimately a complete compromise of the domain controller.
Rating of other finalists
Tcr0ss — 281
aiWeevi — 267
dmitt22 — 266
AY_Serkov — 250
s0i37 — 248
ratel_xx — 246
r00t_owl — 245
killgoree — 244
exe_cute — 232
snovvcrash — 230
s0i37 — 226
Wdanya — 204
r00r_owl — 200
ka1_ne — 169
VlaDriev — 168
The maximum number of points is 420
"For us, participating in the Pentest Award is another opportunity to support the community of ethical hackers, encouraging them to search for bugs, share their experience and achievements. Such events bring additional motivation and excitement. And while we are waiting for the announcement of the start of accepting applications for the next award, I invite everyone to try their hand at VK Bug Bounty – we have a lot of programs and a unique Bounty pass mechanic, which does not have a limit on maximum rewards." - Petr Uvarov, Head of VK Bug Bounty.

Device Category
For outstanding achievements in vulnerability analysis and the research of technical flaws found in a variety of devices, firmware and environments. The focus is on devices that are actively involved in organizations' IT processes, including, but not limited to, controllers, mobile devices, ATMs, cameras, MFPs and so on.
Winners
1st place: author with the nickname N0um3n0n and the case "SMS Heap Overflow"
The researchers identified a heap overflow vulnerability in a modem that allows arbitrary code execution by sending specially crafted SMS messages. Using this vulnerability, they were able to read and write modem memory, execute arbitrary code, and install an application providing full control over the device.
2nd place: author with the nickname VlaDriev and the case "Davinci"
The author discovered a vulnerable Hikvision camera by setting up an access point with the ESSID "davinci", to which the camera connected via CVE-2017-14953. Using CVE-2021-36260, he gained privileged SSH access. By proxying traffic through the camera, the author scanned the network and gained access to the Active Directory domain controller.
3rd place: author with the nickname Ka1_ne and the case "Printer"
Anonymous access to network storage with RCE (CVE-2019-16057). Setting up a proxy server with GOST for further network analysis. A domain account hash was intercepted through a printer and cracked, which allowed the author to collect information about the domain. Taking advantage of vulnerabilities in certificate templates, the author obtained a certificate and extracted the NTLM hash, which gave him domain administrator rights.
Rating of other finalists
r00t_owl — 220
doe546052 — 212
drKeksik — 201
Byte_Wizard — 105
Byte_Wizard — 71
The maximum number of points is 420

Hack the logic Category
For finding the most popular logic solutions.
Winners
1st place: author with the nickname only4u2day and the case "From Bot to Admin"
The author used the ability to create bots in Mattermost-based software, manipulating the bot's roles field to escalate privileges to the administrator level.
The bot was then converted into a user with admin rights, which gave full access to the administrative panel.
2nd place: author with the nickname Arkiix and the case "Take Over"
The author used a case-sensitivity flaw in e-mail address handling to bypass verification and take over accounts by forging JWT tokens. After that vulnerability was fixed, a new one was found using a Unicode control character and the token refresh mechanism, which allowed accounts to be taken over again.
3rd place: author with the nickname Guleroman and the case "RCE bot"
The researcher discovered a vulnerability in the Telegram bot of an online education service that allowed command injection through incorrect processing of links in messages. Potential SSRF? — No, it's RCE!
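The "Take Over" case above hinges on two account spellings that a human reads as the same address but an exact-match lookup treats as different: once by letter case, once by an invisible Unicode control character. The following added example (written for this post, not code from the award or from any of the finalists) shows the defensive counterpart: a single canonicalization step that every registration, verification and token-subject lookup goes through. The NFKC/control-character/lower-casing policy, the `AccountStore` class and the sample addresses are assumptions made for the example.

```python
import unicodedata
from typing import Dict, Optional, Tuple


def canonical_email(addr: str) -> str:
    """Return the canonical identity key for an e-mail address.

    Policy (an assumption of this example):
      1. NFKC-normalize so compatibility forms (e.g. a full-width '@')
         collapse to their ASCII equivalents instead of slipping past an
         exact-match check;
      2. reject any control (Cc) or format (Cf) character, which covers
         zero-width and bidi-override characters that look identical on screen;
      3. trim surrounding whitespace and lower-case both local part and
         domain, so 'Alice@Example.com' and 'alice@example.com' cannot
         become two separate accounts.
    Raises ValueError for anything that is not a plausible single address.
    """
    norm = unicodedata.normalize("NFKC", addr)
    for ch in norm:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            raise ValueError(f"control/format character U+{ord(ch):04X} in address")
    norm = norm.strip()
    if norm.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = norm.split("@")
    if not local or not domain or any(c.isspace() for c in norm):
        raise ValueError("malformed address")
    return f"{local.lower()}@{domain.lower()}"


def is_acceptable(addr: str) -> bool:
    """True if the address survives canonicalization (i.e. may be stored)."""
    try:
        canonical_email(addr)
        return True
    except ValueError:
        return False


def same_identity(addr_a: str, addr_b: str) -> bool:
    """True when two spellings must be treated as one identity; a rejected
    spelling never matches anything."""
    try:
        return canonical_email(addr_a) == canonical_email(addr_b)
    except ValueError:
        return False


class AccountStore:
    """Toy account registry keyed by canonical address (constructed for the example)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, str] = {}

    def register(self, addr: str, username: str) -> bool:
        """Create an account; refuse if the canonical address is already taken."""
        key = canonical_email(addr)
        if key in self._accounts:
            return False
        self._accounts[key] = username
        return True

    def owner_of(self, addr: str) -> Optional[str]:
        """Resolve an address (e.g. a token's subject claim) to its owner."""
        return self._accounts.get(canonical_email(addr))


def register_twice(first: str, second: str) -> Tuple[bool, bool, Optional[str]]:
    """Constructed demo: register `first`, then attempt `second`, and report
    (first_ok, second_ok, owner resolved for `first`)."""
    store = AccountStore()
    ok1 = store.register(first, "user-1")
    ok2 = store.register(second, "user-2")
    return ok1, ok2, store.owner_of(first)


if __name__ == "__main__":
    # Constructed sample inputs: the mixed-case duplicate is refused, the
    # full-width '@' folds to the same key, and a zero-width space is rejected.
    print(register_twice("alice@example.com", "ALICE@example.com"))
    print(canonical_email("alice\uff20example.com"))
    print(is_acceptable("alice\u200b@example.com"))
```

The important design choice is that the same function feeds both the uniqueness check at registration and the lookup that turns a token's subject into an account: if either path compares raw strings, a second spelling of an existing address becomes a second account with the first account's verified identity. Rejecting control and format characters outright, rather than stripping them, keeps the system from silently "fixing" an address that was crafted to look like another one.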
Rating of other finalists
m2ch3t3 — 275
r0binak — 265
WILD_41 — 262
elvisalarn — 241
telegadlyasvyazi2 — 238
dmarushkin — 235
AndrewYalta — 222
curiv — 218
damnwaree — 214
shdwpwn — 211
sos1somba — 208
Engineer586898 — 207
curiv — 201
lewaper — 198
AndrewYalta — 197
w00t1 — 196
graph_sotskiy — 186
jmaaax — 182
brotherok — 178
Byte_Wizard — 61
The maximum number of points is 420

Category "One bypass, two bypass"
For the most beautiful bypass of information security tools.
Winners
1st place: author with the nickname snovvcrash and the case "SafetyNDump"
The author used TokenDuplicator to obtain SYSTEM privileges, then used NanoDump with AV bypass to create a dump of the LSASS process with elevated privileges. The dump was analyzed with MiniDump to extract secrets such as credentials and keys from the process memory.
2nd place: author with the nickname Maledictos and the case "Hollowing"
The author used a vulnerability in a web application to execute OS commands and bypassed AV with shellcode using the process hollowing technique, then established a Meterpreter connection, escalated privileges, and was able to carry out attacks on internal resources without being detected.
3rd place: author with the nickname Human1231 and the case "BYOVD"
The author used the vulnerable driver PDFWKRNL.sys to perform memory reads and writes via IOCTL requests, bypassing the Driver Signature Enforcement (DSE) protection of the Windows 11 kernel. This allowed the author to load and install Banshee in the operating system kernel, giving full control over the system.
Rating of other finalists
vanja_b — 297
s0i37 — 282
X0red — 279
Danr0 — 247
shin0_by — 221
curiv — 202
Maximum number of points — 420

Category "Catch a fish"
For the most original phishing or social engineering of employees. Everything is evaluated: the payload, the phishing text, and the use of non-standard tools.
Winners
1st place: author with the nickname X0red and the case "Advanced Rogue RDP"
The author used the Rogue RDP technique, sending a phishing email with an RDP file that automatically connected to an external server and created a proxy tunnel.
This allowed the author to scan the internal network, identify vulnerable services, obtain credentials, and compromise the infrastructure.
2nd place: author with the nickname Szybnev and the case "Real SEngineering"
A team taking part in a social engineering quest used fake badges to gain access to various areas of a festival, including the warehouse, the organizers' headquarters, and the merch store. They successfully completed most of the tasks, but when they tried to get into the newsroom they were detained, which brought in security guards and law enforcement officers.
3rd place: author with the nickname S3n_q and the case "VISHING"
The author collected open information about the company's employees and sent a phishing email with a file that would not open. Then, calling on behalf of the system administrator, the author convinced the recruiter that the computer was infected and learned the password by offering to change it with the addition of a character at the end.
Rating of other finalists
post_gatto — 297
fromkhabar — 256
P1N_C0DE — 186
Maximum number of points — 420

Summary
The winners in all categories showed truly unique examples of outstanding and professional solutions. The jury notes that this year the competition has become tougher, as the quality of works has significantly increased. All finalists are honored and respected!
Awillix organizers are happy that the Pentest award fulfills its mission of developing the pentester community in Russia and look forward to seeing you again next year <3
P.S.
Detailed information about the project jury, criteria for evaluating works, project partners, requirements for the application for participation and the archive of last year's winners can be found on the official website — https://award.awillix.ru/awards
You will be able to see the winners' cases in more detail in the autumn special issue of Hacker magazine.
Recording the broadcast of the ceremony: https://www.youtube.com/live/9tpfdqEYac8?si=j_3DtQ-AVc44yHKu&t=620
Last year's winners cases: https://xakep.ru/issues/xa/294/
• Source: https://habr.com/ru/news/834332/