Chaos Construction 2010. Chaos Constructions (CC) — this annual festival held at the end of August in St.Petersburg. Starting 2006, its format is similar to LAN party format.
CC festival started in 1995 as "demo party" – a competition between programmers, painters and musicians in several nominations, the main one is "demo" – a program with size limitations, that is usually a kind of video file but with animation (it can be used in short fragments). As a rule, demo is a program that can demonstrate realistic 3D graphics via special complex calculations. In most case this is true but earlier (and sometimes now) demo was considered to be a kind of story with special effects are just means to make the story more understandable.
Little by little, the festival was extending – new subjects were discussed and new competitions were introduced but demoscene always was the most important part of the festival and it was still in format of a number of preliminary prepared competitions - demo, intro, tracking music, redering graphics, etc.
Chaos Construction festival were widened, and new "realtime" competitions were introduced. During a couple of hours, competitors are drawing, creating music and special effects. This allows to introduce new competition – HackQuest that lasts during all the festival. The tasks are various; all of them are about information security, social engineering, programming, reverse engineering, etc. A competitor should find a cord word as tasks result. This cord word confirms that a competitor successfully passes the appropriate Hack Quest stage. Unlike competitions like CTF, HackQuest assumes absolute freedom of action: competitors have only access to the network and no information about network structure. Competitors should find "traps" and surprises, using their knowledge and experience in information security to bypass protection and get hidden flags. All these factors allow us to make HackQuest competition a close approach to penetration testing.
As in previous tear, Positive Technologies Research actively participates in HackQuest tasks design and development. Also, Dmitry Evteev made presentation "Development of security analysis systems. Looking ahead!" in the section devoted to information security. I should note that this year there were the most number of presentations in information security field at CC. The most interesting presentations were the following: Nikita Tarakanov (Storming the bastion!) that covers privilege escalation via attacks targeted to different information protection systems (AV/Firewall/IDS/IPS), Alexey Sintsov (How to bypass protection mechanisms in OS Windows), Vladimir Voronov (SDRF vulnerabilities. New ideas and their usage), Taras Ivanischenko and Dmitry Sidorov (HTML5 – look through the prism of security).
Summarizing HackQuest results, I can say that this year festival was the most interesting among all Chaos Construction festivals. About 30 persons take part in the competition for the title of the best hacker. Here is the table of winners in HackQuest CC'10:
I. RDOT.org (8 tasks done)
II. Andrey 1800 (4 tasks done)
III. nucro (4 tasks done)
III. neweagle (4 tasks done)
Considering that there were 21 flags in the game infrastructure, we can see that the best team coped with less than a half of game tasks. Therefore we decided together with Hacker magazine to provide public access to HackQuest CC'10 game infrastructure. But all tasks from "on site" category are unable to be remotely accessed. So the only limitation is that tasks with wifi, social engineering, etc. are not provided.
Have fun :)