We decided to go big this year with Hack2Win eXtreme! Hack2Win eXtreme will focus on two primary targets, browsers and mobile.
We have up to $500,000 USD to give away, the competition will take place during the beVX conference Hong Kong, on September 20-21, 2018.
Targets and prizes
- Name/Alias for public use
- Contact name (will not be made public - optional)
- Contact Information (will not be made public)
- Contact name
- Contact phone number
- Contact Email
- Payment information (wire transfer info, paypal or address for mailing a check)
The competition will be held September 20-21 2018 during the beVX conference in Hong Kong
Beyond Security is offering cash and prizes during the competition for vulnerabilities and exploitation techniques against the listed targets in the below categories.
If more than one contestant registers for a given category, the order of the contestants will be drawn at random.
Based on the participation order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity, and so on. This will continue until a contestant successfully compromises the target.
The first contestant to successfully compromise a selected target will win the prize money for that target in that category.
After a target has been compromised, the contest for that category will be over. Beyond Security may decide to continue the contest and offer an additional prize for that target, in which case this would be announced at the conference.
All prizes are in USD.
- On any of these devices: Pixel 2, Nexus 5X, Galaxy J7 and Galaxy S8 w/ latest available Android and security patch. The vulnerability needs to work on any of these 4 (four) devices. It is not a requirement for it to work on all 4 (four) devices.
- iPhone X w/ latest iOS
- Firefox RCE and Info Leak
- Latest Firefox on latest Windows 10
- Chrome RCE and SBE
- Latest Chrome on latest Windows 10
- Chrome SBE (Android/ Android Prize)
- Latest Chrome on Pixel 2, Nexus 5X, Galaxy J7 and Galaxy S8 w/ latest available Android and security patch (vulnerability should preferably work on both devices)
Prizes per target
- Infoleak - 30,000$
- Remote Code Execution - 60,000$
- Sandbox Escape Windows - 80,000$
- Sandbox Escape Android - 100,000$
- Remote Code Execution - 80,000$
- Privilege Escalation - 80,000$
- Infoleak - 30,000$
- Privilege Escalation - 80,000$
Firefox Information Leak
- Native thread stack
- An address within xul.dll
- The address of a heap allocation with fully controlled data
Lesser rewards may be awarded for leaks of address of other memory objects.
- The targets will be running on the latest, fully patched version of the operating system available on the selected target.
- All targets will be installed in their default configurations.
- The vulnerabilities utilized in the attack must be unknown, unpublished, and not previously reported to the vendor.
- A given vulnerability may only be used once across all categories.
Remote Code Execution without Sandbox Escape
- To provide a testing environment for this vulnerability, Chrome will be launched without the Sandbox feature chrome.exe --no-sandbox.
- The URL of the researcher will be accessed - this URL needs to be reachable to the phone by having your laptop of USB key contain a payload that will be served by a web server (yours or provided by us).
- Code will be executed due to the access of this URL.
- This will be the only interaction allowed with Chrome (the URL placement and opening of it), any additional popup or question presented to the user will not be considered as RCE and will be considered a social engineering vulnerability and will not qualify as an RCE.
Remote Code Execution
- Code execution would be considered as one when its arbitrary shell code execution.
- The shell code should in assembly (either native or compiled code stored as assembly instructions).
- The shell code should be running without any character, opcode, length or other restrictions. If any such restrictions exist, this should be noted during the demonstration of the code execution. The preferred shell code execution outcome would be popping of calc triggered by launching the executable.
Upon successful demonstration of the exploit, the contestant will provide a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the attack. Beyond Security will then determine whether the exploit meets the above rules. Beyond Security may choose to accept the entry(ies) but offer a prize at a value less than the initial prize offering for a given category if it decides that part of the exploit chain fails to meet the above rules.
A short white paper including details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.
Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the exploits and whitepapers will be the property of Beyond Security. The original finder of the vulnerability will receive credit (or remain anonymous if he wishes to) for the vulnerabilities, the whitepaper and the disclosure.
NOTE: Beyond Security reserves the right to solely determine what constitutes a successful attack.
Who Can Apply
The Hack2Win eXtreme is open for registration to anyone who is 18 years of age or older at the time of registration - excluding anyone working for one of the vendors whose equipment is used in the contest or is involved in development of the devices used in the contest. Also excluded are Beyond Security employees and any of its affiliates.
Applicants may apply individually or as a team. All applications must contain valid, true, complete and accurate information.
Beyond Security reserves the right to disqualify any applicant and/or application, at its sole discretion, if untruthful information is submitted.
Beyond Security reserves the right to request further information from the Participant, as may be required in order to evaluate their ability to perform the required tasks at the Competition (this request may include the evidencing of formal identity documents)
You may provide the item for further inspection after being announced a winner in a category by using the following public GPG key (please DO NOT email, bevx-senderbeyondsecurity.com, it is not a monitored mailbox, email: bevxbeyondsecurity.com):
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: Mailvelope v2.2.2 Comment: https://www.mailvelope.com xsFNBFuZAGwBEAC55/KiIYBdHzcb+F67L+yiYRXfkh+I3Y4Ct88gXF+kPMdI 5VGfWUErtnBYfiWQ2g+n223AgC3/WihXpUC6w5AOC700JADJ68SKen1ynqfJ jvtCoD0D11AdTRTh6SHR81vqhHXRlQTyp70hXhwcxaWaiRFR4Wrtzw/T4e7u 0au1HA3Nvoypx9ytUEYHR7gWC446ciiz6PmR70tjrkUo+V3zsO0loc/iA3nt PgTaiPCEkIgp+EQ/3UMIUdpd50S0JA02m9NffkYcT61jaJvpKD5uVaaottnS EzjOj+G32Fl+iV0UdT4jjhsTk9xGj3I43J51uOFMX7CQcf+mcnAAH37dSAVi l7/rcpm6bPFPSiPS1YWTwqPljgZYqMcxdaxBSgtsbwbxey+OpVKd55foyQn7 LcdZKHNjdyG5oDjDoSeHheKQBsFRSw/56/X9p9V4n/BgBlw9FsOCdYAVlhHm xu58L8GVu34HVzkPj+SxZfp3LcqawQlNpW01rJniuqZJracnsMvbqp0rWCdr JkyCb27twDeSz4Rj20LEe1HXrhhIgNBLvn/A6Yne9FDiuA9mb3SPZpKpkbSd yMSEXEo9HanZzYDTB5arpe6d4u/OsVtmtyX80PcO91PTaYo0lhLiRY9Ab77b 6NRZFAP9CKbY2BOJlTFgc2HXPH44yf1d+3qELwARAQABzSxiZVZYIFNlbmRl ciA8YmV2eC1zZW5kZXJAYmV5b25kc2VjdXJpdHkuY29tPsLBewQQAQgALwUC W5kAbQUJABUYAAYLCQcIAwIJEB9KOlFZCCFqBBUICgIDFgIBAhkBAhsDAh4B AAAefw//cn+wGJvxr0ZOFL3x6Ap5ghoEikXqoAUVvBmhND+UiYefLla4ZMM5 +/2cSGqjeKnF2FVFuPrvtKBh64emXFGq/P9CdWeVU2o5LhVJgfqGKf+wloSY ybQ5N47EWdCKsLO8qsXmmfRQw2jrxbGEUsbxNX1pJ6yNyO4x0Nf75SMLhrwq D0M0uM+zLbEVsbTFYkSAG4aQwcmrLaBc6Y5ZZ4+hQ0S0WpfUzuoXkP+i/VBo Iqf47s0PNc5uIUgP09QtVycNeWojNP+Zo67gGRDbnGFpXeU7xraZ94EjIqre BtMIigUc1iG6jWS+pY9uEYkvr6CJjJ/UkjtA9rvwEjG9PDbVERqurNEr8COL QOgqbmtLUW5iCwuWy4FvI40zUazcCOQbuBsqkxYi1h+czJ163azO7jFsYQtO BB2AKOw1fa73cBQf9rbPZfcwuVxG+mg/R66LJFWJ/UodYT0eqskH/bdk+aas dBKLq2PEFZE7ClctDryRf9xXfKl26vdtz5l9Snrujks6UptGckJR4XGOf3Th mF8fDSpXBi/SzYR7ts4jVQxjMWk15vC/ryVnAR1akttR75bUfcz4VAiGENL+ LTfRxGoM4Wt6HxBE5iRxzIFCgNHmaTze6eO4gz6WUdueZGNDYirMN/LmS1IX gHSoxEC1+Jevd8qVPvro5EHTlBRnXdPOwU0EW5kAbAEQAM1gp6Znr/enal11 5vbJl1maJp+8Sti9kHOounpZVYuRh4ZNElITrUMoqkLZAe5r/pvsLbtA5KyM KYzPe4mGfqqyPLJxWH1+CN7X03UVGXJ4GXXe+immR7C+msBc91nUizxVqjBn VyBjb7crLrBVMfMUAPPgznKSrO8UGhSO46pJ7prr3EOfWdlymjcrBXle7KEd kY+UDVGLeLH635UfOZPbdRJv/IdRuOU70IE8LT47HxOCjq0yG8+i/g6WVGx3 ybEVxUsw4xKgzmIluzIGCywbG5evGwkfCFL4ZnXk+aNLe2Vq7JtZu7fPFI+d 7mEpxOtzrek8bFfDo0tiPNcCFwrf8pak12z3dMESP8uZ0mNuYnhrKxMVw7Rx aAKve8YDEDBXYMWY2eLvK9D25MBX43Sv40j+AKDqOrWzZ+H3Ctnq4mNmThyP suNAwrLhhnDu+obdQAnoXtUgVBnllG3z5cblJtcXHwAjyuZ4HSIW8y0NZezL ObJmEfEu3S/XaitbtRDVJX3qgOPMOXbYOqrFbRwn7XncNHTdzI/i/s+VA3/N Uex9mkJtd9vRg1PKiFxaAHd3LO3gvz5+vF3KMEQnqd+bapk6tg2dlUAf+zJ0 H9a9ffqloaYL/CznM2uT/dvSHMWOhPg3y33sWchK3q4qIBheFEFS4dMFTj6d 39F2Si6dABEBAAHCwWUEGAEIABkFAluZAG4FCQAVGAAJEB9KOlFZCCFqAhsM AAAakhAAqiCiOK/Undr8B12PXfQ7ANjM87uisax/yv5lRMRkuD3X72K0MvxO Yv3jj2ryuHGmZK4oIzI7tvOhJZYLrreRol+bbCByt3h3M23dcQpembYZvI8x Fy8V7PfTWNH4UzyIJDzljyzmrwA9VJV/qxYQyj9nraAJjnrbH/2LKpEQ7k5k +bEkzOm2hzmLahQKMo8t998ttfOS982Gfq6dwaFXZnHHtpvC1Zpdt3JwonxJ nLKEGqBUW+yJsDJc/yimREqJWchgn97FZH0QupQCKoWLq+fs9PfSQkYLo5sU riEM8eTGwldhyOwm/XC8SmthLTy77+EIqGE/zbzJfkptVqei8hINocg42Q9F k0CYMGktFziIRhOk60uoil3pX1ONrRJKNbJbHIxdqelKxmJgmqUzSd2bY5jW vLN3f9QBBcHAQKvEQAGZ5P2OsgprO6SAip+1LelFIvAkUXfJth+5/gDbMqy2 oLNTIBtlNCumIwuGn6cT+B+kdfAraDEIClEymHqxjtcWWHRSBVhoWU6MHaHp o0sArFS1Qn1x/jsx3qOSs0BY2tO5l0hNLBWl6V4reuJDGEV6E+EzplnTc/cr riH899YYggUHcpFBo1eO3JWVln4qsiZwxMKSWbAaq2gVoStfNGRD6vXifE+q oBNw6715BE1RuTs23ACPrkHueYF8B88= =gru6 -----END PGP PUBLIC KEY BLOCK-----
2018/Feb - Added new target and prize
2018/Apr - Clarified the SBE targets (added Windows where no OS was written before). Added explanation on Firefox Information Leak
2018/Apr - Clarification on the Integrity Level required
2018/May - Added additional target devices
2018/Jun - Clarification on testing methodology of Chrome RCE without SBX, clarification on what is considered code execution. Added clarification about winners remaining anonymous if they wish to be not named in public for winning.