About

ZeroNights hackquest is a hacking challenge before annual ZeroNights conference where the goal is to solve tasks related to information security (reverse engineering, web, mobile hacking, penetration testing and more).
The winners receive free invitation to the conference and a place in our Hall of Fame.

2016's Rules

  1. Hack quest lasts 7 days, from October 31 to November 7 (each task starts at 8 PM Moscow Time (UTC+3, check your time);
  2. One task a day. Task duration: 24 hours;
  3. 7 tasks in total;
  4. First person to solve the task gets an invite;
  5. Second and third person who solves the task will also earn points. The second one gets 0.5 point, the third—0.25. 1 point will get you 1 invitation, but not more than one for one competitor;
  6. You may be asked to describe steps to solve the task to prevent cheating;
  7. It's prohibited to share hints and flags with other participants;
  8. Do not register more than one account per participant;
  9. Current date and time: 2016-12-11 05:10:07

Good luck and have fun!

Day 1 / ZeroCrypt

Description

Warning: run this binary only under VM! We are not responsible for any loss or damage Важно: запускайте бинарный файл только под виртуальной машиной! Мы не несем ответственности за любой возможный ущерб

Your boss catched crypto locker. Sysadmins were able to restore all files from backup - except one (which is very important for him). Your goal is to restore this file.

К твоему боссу на компьютер попал криптолокер. Админы смогли восстановить все его файлы из бекапов, кроме одного, очень важного для него. Воcстанови файл и помоги своему боссу (или накажи за все его грехи, ведь файл, похоже, относится к черной бухгалтерии).

Link: hackquest.zeronights.org/downloads/2016/1_zerocrypt.zip. Password: ZN2016

This task was prepared by RET (Reverse4you Education Team) team

Here you can get decryptor for ZeroCrypt task

Day 2 / Golden Rabbit

Description

Recently we’ve revealed a bunch of Trojans used by the hacker group “0n3 @n07her BearS”. Nevertheless, some big companies deny the fact of their existence. We've learned that the servers of the company "Horns and Hooves" were infected with one of the Trojans. Help us to get the flag to prove its CEO the threat is real.

Trojan sample: server
Server address: 104.236.3.255

If something wrong (server is down) - please ping https://telegram.me/yalegko or https://telegram.me/groke

This task was prepared by School CTF team

Day 3 / Etherium bot

Description

We found a way to store data in etherium via telebot @ZNquestbot

If something wrong (like server is down) - please ping https://telegram.me/awengar

This task was prepared by RuCTFE team. Registration for RuCTFE 2016 is here: https://ructfe.org/registration. RuCTFE 2016 starts on November 12, 2016 at 10:00 UTC

Day 4 / Bad assistant

Description

AAA! Justice League is recruiting new assistants for protecting somebody!

We must find out whom they try to protect. They store a photo of him on their server: http://95.85.55.121

Do not come back empty-handed! Bring. Us. Intel!

Day 5 / StrongBox

Description

Your friend wrote an algorithm for generating licenses and asked you to test it. He promised a beer and pizza if you will find a way to crack it. Prove to him that his algorithm is no good.
Binary - http://hackquest.zeronights.org/downloads/2016/StrongBox.zip

Please send valid keys for your wmail to zeronights[@]dsec.ru


This task was prepared by reverse4you team

Day 6 / Packer

Description

Hey, there is a person in Moscow who keeps his important password on his Android phone. Sounds weird, we know.

It turns out that he is using some program for managing his data called Packer

We performed MITM attack on his phone during application-to-server synchronization and got database file named `packs.db`. But it looks like important data are kept encrypted there. So get your task: decrypt the data and give us the password!

Hints

06/11/2016 19:40
These files can help you?
06/11/2016 19:11
Provider: Crypto, Android version: 4.0.3
06/11/2016 18:00
06/11/2016 17:11
Keygen class gives different results on the phone and on the computer. The victim ran this code on the phone with settings from build.prop
06/11/2016 14:38
You should to read more about security features of Android devices and especially about implementation of certain protocols.
06/11/2016 13:21
To solve this task it's necessary to view ENTIRE of database and manifest. Also there is a hint in the task.

Day 7 / I wanna be better!

Description

You are a super fucking amazingly gorgeous sexy and beautiful girl, but you cannot accept it and dream to be a bag of bones. That's the reason why you need hack this site and to know The Secret!

http://45.55.216.88/

Hints

07/11/2015 12:24
OTG-INFO-001.

Archive

Archive of past years. Currently unavailable - as soon as possible we will return it here

Winners of 2016

Hall of Fame of this year

Task Place Nickname Reward
Day #1 #1 sysenter Invite
#2 vos 0.5 points
#3 smalukav 0.25 points
Also solvedilyaluk, AVictor2007, a.v.e.r, dmit.mx, felis-sapiens, stas.znN/A
Day #2 / Golden Rabbit #1 smalukav Invite
#2 ilyaluk 0.5 points
#3 vos 0.25 points
Day #3 / ETHERIUM BOT #1 ilyaluk Invite
#2 lozko.roma 0.5 points
#3 snk 0.25 points
Also solvedvladas.bulavas, okob2008, dartslon, bechedN/A
Day #4 / BAD ASSISTANT #1 beched Invite
#2 smalukav 0.5 points
#3 aleksey.4erepanov 0.25 points
Day #5 / StrongBox #1 Stanislav Povolotsky Invite
Day #6 / Packer #1 erbolsyn Invite
#2 ilyaluk 0.5 points
Day #7 / I wanna be better! #1 blackfan Invite

Winners of prev year (2015)

Task Place Nickname Reward
Day #1 / Chocolate Factory #1 cdump Invite
#2 BlackFan 0.5 points
#3 kidcrash 0.25 points
Day #1 / Chocolate Factory (reborn) #1 BlackFan Invite
#2 Beched 0.5 points
#3 AV1ct0r 0.25 points
Day #2 / HSM V1.0 #1 Abr1k0s Invite
#2 BooL 0.5 points
#3 kidcrash 0.25 points
Day #3 / BAZAAR NG #1 AV1ct0r Invite
#2 shr 0.5 points
#3 Petuhov_Forever! 0.25 points
Day #4 / ILLOGICAL PHOTOGALLERY #1 Beched Invite
#2 bafoed 0.5 points
#3 allyofgood 0.25 points
Day #5 / CRACKME #1 sysenter Invite
#2 okob2008 0.5 points
#3 h0t_max 0.25 points
Day #6 / BANK ROBBERY #1 dr.glukyne Invite
Day #7 / BLINK2PWN #1 mr_dawerty Invite

Contacts

If you have any questions related to hackquest - drop us a line to zeronights@dsec.ru