HITCON 2016 discovers three real-world zero-day vulnerabilities in one day

After stiff competition at the two-day finals of HITCON CTF 2016, Cykorkinesis from Korea won the championship and prize money of US$10,000, and will advance directly to the finals of DEF CON 2017 in the US. The runner-up and third place were respectively LC↯BC from Russia and PPP from the US, winning prize money of US$5,000 and US$2,000 respectively. The prize money was jointly sponsored by MediaTek, Magicapital, and Hope Bay Mobile.

Alan Lee, in charge of HITCON CTF 2016, noted three distinctive features of the 2016 event: 1) an international contest taking place physically in Taiwan for two consecutive years, 2) the qualifying CTF for DEF CON organized by Taiwan for two consecutive years, and 3) near-unanimous satisfaction among the worldwide entries with the CTF in Taiwan. The finalist teams included PPP from the US, LC↯BC from Russia, Cykorkinesis from Korea, Shellphish from the US, TokyoWesterns from Japan, CLGT from Vietnam, !SpamAndHex from Hungary, PwnThyBytes from Romania, KAIST Gon from Korea, 0ops from Mainland China, Dispwnable and Hacker Forge from Taiwan, and p4 from Poland. “On the second morning of the CTF, competition escalated drastically as all the teams launched the all-out offensives they had developed by staying up at night,” said Alan Lee. “PPP from the US made the first kill, gained on LC↯BC, and temporarily advanced to second place. The competition among entries was very intense.”

Moreover, something remarkable about the CTF was an application in which three zero-day vulnerabilities were identified. According to Orange, who created a web challenge called WebRop, the challenge was based on the open source application SugarCRM and on features of SugarCRM that Orange had previously used to hack this application. The WebRop challenge leveraged the real-world environment of SugarCRM and was designed to elicit more ways of exploiting vulnerabilities, including zero-day vulnerabilities. As a result, LC↯BC first exploited a zero-day vulnerability in the application, and then PPP and Cykorkinesis exploited other vulnerabilities. “As long as I am sure there are solutions to the questions I give, entries will find different ways out or hack the vulnerabilities they identify,” said Orange. “This is the best way to maximize question effectiveness.”

According to onsite observers, the event organizer not only designed game animations to provide real-time contest updates but also set up Internet of Things development board-controlled lighting to animatedly and immediately inform audiences of each and every team being attacked. Moreover, the comprehensive and in-depth questions raised this time evidenced those who provided the questions are very experienced in such contests, while the challenge categories including Pwnable, Reverse, Web, Forensic, Cryptography, and Misc. required entries to be very attentive, cautious, and improvisatory in order to overcome their challenges.

This time HITCON CTF and HITCON Pacific took place at the same time, inviting information security experts as well as hackers from around the world to develop an international technology exchange platform for Taiwan to help local information security talents keep abreast with their international peers, stimulate the development of hacker communities on and off campus, and expedite information security innovation.

Winning Teams

| Team         | Country | Ranking                                                                                                        | Profile                                                                |
|--------------|---------|----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Cykorkinesis | Korea   | Champion, entitled to prize money of US$10,000 and direct advancement to the finals of DEF CON 2017 in the US | HITCON CTF 2015 champion too                                           |
| LC↯BC        | Russia  | Runner-up, entitled to prize money of US$5,000                                                                 | Organized by information security research and CTF contest enthusiasts |
| PPP          | US      | Third place, entitled to prize money of US$2,000                                                               | A Carnegie Mellon University CTF team organized six years ago          |