Inside the Festival Hacking Contest

Cover idea: @zuzinskiy

Disclaimer. The competition itself and every line of its rules were agreed upon. The participants of the competition, even if they were detained by security, were not in danger. However, we strongly do not recommend repeating this in everyday life, for example at other events!

Greetings everyone!

This is an article about SEQuest – the first social engineering quest at the city cyber festival PHDays Fest 2, which took place at the end of May. The idea of the quest belongs to Anton Bochkarev, founder and CEO of the Third Party company (3side.org). The quest was carried out by the 3side team, and we want to express our gratitude to the festival organizers – Positive Technologies, the quest zone team and especially Dmitry Savlovich for their patience! We also thank our wonderful volunteers and all the quest participants.

The idea of SEQuest itself appeared about two months before the start of the festival. We discussed that at PHDays almost all competitions are technical and have a fairly high entry threshold, so many visitors cannot take part in them. This matters all the more because not only technical specialists come to the festival, but also sales managers, marketers, executives and many others. We thought it would be a good idea to offer the organizers a social engineering competition in the style of a guided hacking festival.

When we presented a structured, written-up idea, we were sure that we would be rejected. After all, this idea was too bold for what we thought was a conservative industry and could bring a lot of problems to the organizers. But unexpectedly, the idea was so well received that it was immediately approved! Over several meetings, we discussed the list of tasks, possible solutions, positioning, restrictions and rules.

If we talk about the complexity of the tasks, we were wrong in about half of the cases. But more on that later.

Zero penetration

The day before the start of the festival, Anton decided to check if everything was in order with the stand design. To do this, he needed an organizer badge, which is issued only with an identity document. But it turned out that this rule is not always followed.

Anton, who wanted to check how these instructions were being followed, was given a badge after showing a piece of laminated paper with the inscription “PRESS CARD”. Yet even a real press card is not a document that entitles anyone to be issued anything. The “press card” he presented had even expired, because Anton had forgotten to “extend” it at the press center. However, he was given a badge without any questions asked.

After this, employees of the registration area encountered, for the first time, “instructions issued in the wake of a screw-up.” They could not even imagine how many similar situations awaited them ahead.

Initially, the idea of the competition was very simple – to create a kind of public red teaming platform, but from a non-technical point of view: to understand how prepared the security is, how easy it is for an outsider to get into places where he has no business being, and much more. That is, both we and the organizers wanted to understand how vulnerable the system is. Answer: pretty much.

And, as successful solutions came in, to train festival staff and work on the mistakes. After all, the second, no less important task is to teach organizers and security to successfully resist such attacks.

Now about the tasks. There were six of them, and they varied in difficulty level. The seventh task was canceled and forgotten by us like a bad dream. For solving tasks, participants received points in the competition and PosiToken tokens, which could be exchanged for merchandise from the conference.

The top three participants received a “Third Party” hoodie with the inscription Social Engineer. So, what were these tasks and, most importantly, how were they solved?

Tasks and creative solutions

1. Make a fake organizer badge.

The very first, simple and “cheap” task in terms of points. There are plenty of ways to complete it, from printing at the nearest print shop to pasting your name onto a real blank “found” somewhere at the registration counters. Even though we handed some of the badges over to the organizers along the way, by the last day quite a lot of them had accumulated; here they are in the photo. There were different versions – some hastily glued together, some printed out entirely, and some so similar to the original that it was difficult to recognize a fake even when holding it in your hands. Thanks to the competition, the number of Alexey Lukatskys and Yan Khachaturovs at the festival was much more than one!

2. Get a T-shirt from the organizers.

This is where things get a little more interesting. In general, the easiest way was to pretend to be a volunteer, find the merchandise warehouse and “get” the required number of T-shirts there. After all, it was the volunteers who wore the right T-shirts. According to rumors, it was possible to persuade a volunteer to give up a T-shirt, but we didn’t seem to receive any such submissions. By the way, we counted the red organizer cap from the photo above as half a T-shirt. But it could only be obtained in exchange.

One “team” literally cleaned out the warehouse, saying that they were organizers and press. The deception was quickly revealed, but they were able to bring this entire armful of T-shirts to our counter, so we accepted the task. Other participants acted differently and more carefully.

3. Get a real (!) organizer badge made in your name.

In fact, the only way to complete the task was to get the participant’s name entered into the organizers’ database as an organizer. There were basically two ways: either somehow get onto the organizers’ computer, or convince a registration employee with the necessary access that you urgently need an organizer badge. Both options were realized, the second with the help of an amazing combination of charisma, drive and self-confidence.

Examples of solutions: one of the participants initially entered the wrong door and ended up in the volunteer warehouse of a contractor company. When asked who he was, he said that he had been called in for a shift today (instead of tomorrow), which was why he was late, and that he had his participant badge with him because he had only planned to attend the festival today and work tomorrow. In the database they saw him as a participant; he “explained” that perhaps this was because of the ticket he had purchased. In the end, they believed him, added him to the staff database and gave him a full set: badge, T-shirt and cap!

One team entered itself into the database on its own, distracting the volunteers and employees and chatting them up. By that time, they already knew the names of the most important organizers in the hierarchy and used them as an argument – a cool and beautiful example of social engineering.

But the most elegant solution came from another participant: in fact, he coordinated the issuance of a badge in his name between different organizers, referring to one of them in his conversation with the other (shuttle diplomacy in the style of Kissinger). He told one that he had just got a job at PT and really needed a badge, otherwise the boss would kill him. It worked!

4. Get the sticker from the organizers’ headquarters.

In theory, this was one of the most difficult tasks. Its complexity lay in the fact that the organizers’ headquarters still had to be found, and its location was far from obvious. There were two ways to find it:

  1. Persuade an organizer to say where it is. Many, by the way, didn’t know themselves, and some simply didn’t say anything, suspecting something.

  2. Follow the organizers! It was noticeable that at times the organizers went somewhere away from the main activities, where, it would seem, there was nothing. By following them, one could find the headquarters.

A separate line of defense for the headquarters was a guard at the entrance, whom many participants had no difficulty getting past. The first participants got in by pretending that they were filming an interview with the organizers.

5. Get the Wi-Fi password from the organizers’ headquarters.

A task that was often performed in conjunction with the previous one. In general, nothing radically complicated: if you managed to get into the headquarters, then finding the password, which was in a visible place near the picture, was not difficult.

It's funny, but before the event we didn't know how many Wi-Fi networks there were on the site. It feels like participants brought us about 10 different passwords for other networks.

6. Take a photo at the merchandise store counter.

Before the event, we considered this task one of the most difficult. After all, this is merch – something that can really be stolen. But in reality, the merch shop turned into a thoroughfare with literally two queues: one for merch, the other to take photos for the quest. Periodically, the screws were tightened, but the situation quickly returned to normal during a shift change. By the way, many participants took advantage of the shift change to make the task easier.

Violations

Unfortunately, during the quest there were a number of gross violations of the rules:

  • One of the participants tore off the organizer's badge.

  • Another tried to unlock the computer at registration using technical means.

  • One participant made a false report about a missing child, which provoked a reaction from special services – such a reaction is mandatory at any public event.

Results

The competition was a success, we received excellent feedback from participants and organizers. After all, our competition has become the most noticeable and popular at the festival!

Now some statistics:

  • In total, 202 people were registered in the quest, of which 33 completed at least one task.

  • The first task was completed by 30 participants.

  • The second task (counting both T-shirts and caps) was completed by 9 participants.

  • The third task was completed by 6 participants (two on their own; the other four received a penalty for completing it as a group).

  • 11 people obtained the sticker from the headquarters.

  • The Wi-Fi password from the headquarters was obtained by 17 people.

  • 18 people took photos behind the counter of the merchandise store.

In the future, we plan to significantly improve the rules and to add to and slightly change the existing tasks. We also want to place more emphasis on stealth, without reducing the degree of drive and fun.

We are now working to ensure that the competition is approved for next year, or even becomes an annual event!

Victoria Alekseeva

General producer of Positive Hack Days and director of marketing projects at Positive Technologies:

Positive Technologies, as a leader in the field of effective cybersecurity, adheres to this approach in everything: for many years we have been testing our own infrastructure in cyber exercises, and the security of our products is being tested through bug bounty. And the safety of our events, especially the flagship PHDays Fest, which is open to all, is not left aside either. Social engineering is one of the top methods used by hackers around the world. Thanks to the SEQuest competition, we learned about very unobvious vulnerabilities that any public event has. And we simply cannot help but share this, since safety is the main goal of our company. Next year we will find out whether white hat hackers can repeat their success.
