Hack2Win 2017 – The Online Version
Credit to Author: SSD / Maor Schwartz| Date: Sun, 11 Jun 2017 10:14:42 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
We proud to announce the first online hacking competition!
The rules are very simple – you need to hack the D-link router (AC1200 / DIR-850L) and you can win up to 5,000$ USD.
To try and help you win – we bought a D-link DIR-850L device and plugged it to the internet (we will disclose the IP address on 1st of July 2017) for you to try to hack it, while the WAN access is the only point of entry for this device, we will be accepting LAN vulnerabilities as well.
If you successfully hack it – submit your findings to us ssd[]beyondsecurity.com, you will get paid and we will report the information to the vendor.
The competition will end on the 1st of September 2017 or if a total of 10,000$ USD was handed out to eligible research.
Product details:
- Model: DIR-850L
- Product name: AC1200
- Firmware: FW1.14.B07
- Updated: Latest == 02/17/2017
- Hardware version: A1
Prizes:
- Unauthenticated Remote Code Execution – up to 5,000$ USD
- Authentication Bypass (bypassing authentication mechanism without any knowledge, or resetting of the password to the default) – up to 2,500$ USD
- Information Disclosure (access to current password) – up 1,000$ USD
- Other – the amount paid will depend on the risk and seriousness of the vulnerability
The total amount paid during the contest will be up to 10,000$ USD.
If more than one person submits an unauthenticated RCE, the first one to submit the vulnerability to us will win the amount promised, while the other person will receive 50% of the above promised amount.
All items will be considered, unless they are a duplicate – duplication will be considered for any vulnerability that targets the same URL or mechanism to preform the attack.
For any duplicate submissions we will receive, we will give the researcher a free T-shirt as well as an acknowledgement in the vendor’s advisory and our advisory for finding the vulnerability.
Judging Criteria
- The participant uses an unknown vulnerability (no record of it can be found Google, Exploit-DB, etc)
- Complexity of attack – what was required to achieve the attack
- Innovative method – SQLi, RCE, etc from least to most innovative
- Whether Attack affects the LAN or WAN – more points if it affects the WAN
- What is achieved by the attack – no access is given to the challengers, so they would need to reach from no-access to some access – therefore a guest access would be considered less valuable than root
- Write-up Quality – the best write up (in English), most detailed, best explanation, etc
Device Settings
The router will be accessible to participants via IP we will disclose the IP address on 1st of July 2017.
The router has been updated to the latest version available from the vendor website (http://support.dlink.com/ProductInfo.aspx?m=DIR-850L at the time of writing its Security Advisement (1.14B07 h2ab BETA1))
We left the default settings, and the only non-default setting is that we changed the password for the ‘admin’ account and enabled the “Remote Management” feature.
What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:
- Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
- Changed some configuration value, like WiFi password
- Made the device do something it’s not supposed to do: like execute code, open a port/service which was previously closed (like SSH, telnet, etc)
What we won’t count as a ‘hacked’
- Causing a malfunction to the device, DoS / XSS / CSRF, making it unresponsive, making it no longer boot, etc
- Usage of any known method of hacking – known methods including anything that we can use Google/Bing/etc to locate – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes (found via Google, exploit-db, etc)
Eligibility
The contest is open to anyone who is at the legal age to receive a contest prize in your country, if you are not allowed to receive prizes – and please make sure to check this before participating – you may want to team up with a person that is at the legal age to receive prizes.
The contest is not allowed to anyone working for D-Link, or are involved in development of the above device.
Submitting your findings
In order to submit your findings – please send us email to ssd[]beyondsecurity.com with the following title: “Hack2Win [TYPE-OF-VULNERABILITY] [YOUR-NAME]”
The email should contain the following information:
- Vulnerability Title
- Date of submission
- Description of Vulnerability
- Configuration Requirements (if needed)
- Vulnerability Requirements (if needed)
- Vulnerability Summary Information
- Affected Versions Tested
- Attack Vector
- Exploitation Impact (Code Execution, Denial of Service, etc)
- Exploitation Context (runs on Server/ attacks User)
- Vulnerability Technical Details
- Exploitation