ZeroNights hackquest - a hacker competition before annual ZeroNights conference where participants need to solve tasks related to information security (reverse engineering, web, mobile hacking, penetration testing and more).

Winners will receive free invitation to conference and place at our Hall of Fame.

2015's Rules

  1. Duration of hackquest - 7 days, from November 9 to November 16 (each task starts at 8pm by Moscow time (UTC +4, check your time);
  2. Each day - one task. Task duration: 24 hours;
  3. Total tasks: 7;
  4. Who first solve task - gets an invite;
  5. NEW! The second and third person who solves the task will also earn some points. The second one receives 0.5 point, the third - 0.25. You will get an invitation after earning 1 point (NB! even if you earn 2 points or more, you will be given only one invitation);
  6. By request you need to describe how you solve task (cheats are not acceptable);
  7. Don't share hints and answers with other participants;
  8. Do not answer more than once (under different account);
  9. Current date and time: 2016-09-24 23:52:01.

Good luck and have fun!

Day 1 / Chocolate Factory


Come and eat some sweeties! But remember, one chocolate for one person at a time. But only if you're not The Big Boss.
Otherwise, show us your super secret big boss key

Как многие могли заметить, некоторое время (сразу после старта) можно было получить RCE обычной заливкой шелла и мгновенно прочитать флаг (у томката был кэш со старым классом проверки на RCE). За это время в соревновательном духе несколько человек успели получить финальный флаг. Им мы честно по порядку засчитаем сдачу задания (1 место - cdump / 21:10:32, 2 - blackfan / 21:35:23 и 0.5 балла, 3 - kidcrash / 21:37:38, 0.25 балла. Последующие сдачи были еще на 20 минут позже). После этого задание было исправлено и больше RCE получить было нельзя.

Так как есть оригинальный сценарий решения без RCE мы поменяем флаг и рестартнем задание. Чтобы уравнять всех, мы выложим данные, которые могли получить участники с RCE и дадим всем 30 минут на изучение. Рестарт таска в 00:00 (файлы дадим в 23:30), где можно его будет решить ожидаемым решением. С новым флагом задание будет засчитываться как новое.

Скачать файлы

As many can notice, some time (just after launch) it was possible to get RCE via simple shell uploading and instantly read final flag (due tomcat cache with the old validation class of RCE). During this time, in the spirit of competition some people got the final flag. We will award them like a normal process (1st place - cdump / 21:10:32, 2 - blackfan / 21:35:23 and 0.5 point, 3 - kidcrash / 21:37:38, 0.25 points). After that, the task was fixed, and there are not more ways to get RCE (we hope).

Because this task has an original scenario without RCE we have changed the flag. To equalize all participiants, we'll share data that could get members with RCE and give to all 30 minutes. Task will be restarted at 00:00 (at 23:30 we will share files). After 00:00 you can find a new flag thru expected solution.

Download Files
upd2 00:10 - task is down for maintenance (before 01:00)
upd3 01:00 - task is available


10/11/2015 01:43
What about stack traces? O_o

Day 2 / HSM v1.0


This resource (http://phishdom.com/) has been hacked and dumped by x_qwerty123_x and asdfgh88. All users belong to us! We know that you can get a key if you recover some of leaked passwords. Devops are trying to make some security, but they can't lol :D After they reveal fact that them were hacked, some functionality of website were disabled.

Here you can find all dumps: http://dump.phishdom.com

UPD 11/11/2015 19:55: Still no winners. Task is extended for 12 hours

UPD 12/11/2015 02:36: + 8 hours

UPD 12/11/2015 14:32: + 5 hours

UPD 12/11/2015 19:57: + 24 hours

UPD 13/11/2015 21:29: + 12 hours


13/11/2015 22:28
Imagine that you in real world and trying to crack hashes. Most common user fails is to use passwords - like name+date, login+date and so on (and many others). All of them are really easy to remember. Use them for profit!
13/11/2015 17:46
x_qwerty123_x reportin'. As the part of the struggle, we also tried to crack those hashes and got some luck using dictionaties on dump.phishdom.com - you can find all dictionaries that we use in cracking.
11/11/2015 21:40
Hi guys! We also dumped some dev actions (http://dump.phishdom.com/devlog.txt), lol)) which may help you to make own hsm with cracking and invites
12/11/2015 10:20
To get the final flag you are required to brute force all hashes and pay attention to first letter of each password
11/11/2015 18:14
Top 1,000,000 will be enough, right?
11/11/2015 16:35
Good progress guys! There are 2 hints for you: REVERSE.png may help; If you get access to dev, you may see that sha1 is only the beginning. There you may find the true scheme.
11/11/2015 14:14
Try to use login as password and some other approaches!
11/11/2015 14:00
There also some kind of vulns in webapp. If you got user you can use it.
11/11/2015 10:07
Don't forget - recovering hashes is the key
11/11/2015 03:33
Zip lol, really?
11/11/2015 02:59
Look in code Luke!
11/11/2015 00:47
Hello $username. This is temporary domain only for developers.
10/11/2015 23:41
There are may be a different subdomains that can used by developers

Day 3 / Bazaar NG


The Internet Bazaar’s opened! And we have to do something with it!

Your main goal is to read a flag from “webapp/flag.txt”

However, if you want to get it, at first you need get access to the shop and then access to the API.

This is a sprint-task. And all you need is your head. So, please, don’t use common scanners. Because the Bazaar is based on Java and your scanners can affect other hackers.

upd: task extended for 14 hours


12/11/2015 16:29
Read the API client project carefully and use google
12/11/2015 04:44
It’s seems admin tried to edit jsp files manually
12/11/2015 01:54
This info can help you with first step.

Day 4 / Illogical photogallery


Hey, here is some strange resource: http://www.0x3d.ru/zn1

Do you wanna to upload photo? Become a Harder, Better, Faster, Stronger!

But if you have some cool pics - you can show it us.

Your goal: get a secret flag from a secret domain.
You will need VK account (if you dont, you can register it without your real phone number, via some free services that can accept sms).


13/11/2015 00:27
Python is ZIP's best friend
12/11/2015 23:44
Check oAuth functional, may be you find smth wrong?
12/11/2015 21:35
Seems you can send some suggestions (like url?) to admins

Day 5 / CrackMe: ZN Edition


Find the three passwords

For the final flag just concatenate all passwords into one string like password1password2password3


UPD: There is some small mistake with 3rd password. Some symbols in the end of password can be accepted by provided binary but not accepted by our flag system (due collision issue). BTW - first person provided to us fully valid flag, second - same case. Third - almost correct (correct for provided binary) - and he will earn 0.25 points. If you have third password valid for binary and it looks like valid English word ([a-zA-Z]) - seems you have solved the task (btw - you can try to guess valid ending of flag)

Day 6 / Bank Robbery


Try to get MD5 key from the bank. Be free to phreak out!


upd: Due small mistake (already fixed) 2 participants got admin access without solving thru expected solution (1st - kidcrash / reward - invite, 2nd - fksis.ru / reward - 0.5 points). Flag already changed / task continues its work in normal mode.


15/11/2015 17:21
Use VISA, Luke
15/11/2015 15:01
Look for test SIP account
14/11/2015 23:25
Dirbuster will not help you, guys



Address of gateway balancer is, which implements transparent "Ethernet <-> UART" proxy. When user connects to the system balancer will choose a free chip for a subsequent communication. For architecture of the stand see file XD3788C_p46.jpg

Live broadcasting is available here: day7-live.html may be a have a delay of 3-5 seconds. (for lower latency use direct connection via "ffplay -fflags nobuffer rtmp://hackquest.zeronights.org/live/zeronights"

  1. Establish a connection;
  2. Capture the flag and blink via LED 2 times at intervals of 1 to 2 seconds to activate the system of delivery of the flag ("BLINK xN" shows how many times the LED blinked);
  3. Submit flag.
Please note that checker will stop receiving flags in 60 seconds if no double blinks were made.

Download firmware

P.S. fafb10755330a602b3706d3da2dc095d avr_task.bin

upd 17/11/2015 18:32: broadcasting is unavailable for maintance (for 15 minutes)

upd 17/11/2015 18:40: broadcasting is back

upd 18/11/2015 17:44: task is extended for +24 hours. It's a final call!


19/11/2015 19:50
Because there is not much time left we decided to simplify the task. From now on to activate the flag checking system you simply need to light one LED while in "IN USE" mod
18/11/2015 21:21
custom_spritz_decrypt(Flag) ~= /flag\{[A-F0-9]{58}\}/
17/11/2015 18:28

bin + simavr|simulavr + avr-gdb + ida + r2 + brain = SOLVED TASK

Download engineering version of firmware

17/11/2015 00:41
Stop bruteforcing! Use XD3788C_p91.jpg
16/11/2015 22:53
Fuzzing and bruteforcing cannot help you here. Think! Everything that you need you can get after disassembling!
16/11/2015 16:11
Use r2, Luke. Zignatures are the force.


Archive of past years. Currently unavailable - as soon as possible we will return it here


Hall of Fame of this year

Task Place Nickname Reward
Day #1 / Chocolate Factory #1 cdump Invite
#2 BlackFan 0.5 points
#3 kidcrash 0.25 points
Day #1 / Chocolate Factory (reborn) #1 BlackFan Invite
#2 Beched 0.5 points
#3 AV1ct0r 0.25 points
Day #2 / HSM V1.0 #1 Abr1k0s Invite
#2 BooL 0.5 points
#3 kidcrash 0.25 points
Day #3 / BAZAAR NG #1 AV1ct0r Invite
#2 shr 0.5 points
#3 Petuhov_Forever! 0.25 points
Day #4 / ILLOGICAL PHOTOGALLERY #1 Beched Invite
#2 bafoed 0.5 points
#3 allyofgood 0.25 points
Day #5 / CRACKME #1 sysenter Invite
#2 okob2008 0.5 points
#3 h0t_max 0.25 points
Day #6 / BANK ROBBERY #1 dr.glukyne Invite
Day #7 / BLINK2PWN #1 mr_dawerty Invite


If you have any questions related to hackquest - drop us a line to zeronights@dsec.ru