12 February 2019

Hack4Levels Winter Competition


While the rest of us were slowing down and cozying up for the holidays, our Synack Red Team members kicked into high gear for a Synack Hack4Levels platform challenge. This challenge was a 30-day competition we ran through December to engage and reward our SRT in Levels 0x01 and 0x02. Competitors had the chance to rack up points through Synack Missions, accepted vulnerabilities, and duplicate submissions.

The SRT who finished in the final Top 10 received unique competition swag and recognition among the rest of the community and our First Place winner earned a spot in our 2019 Hacker House, where he will get to hang out and hack with our Level 0x04 and 0x05 top Synack Red Team hackers! Read on to hear hacking tips from some of our Top 10 of the December Hack4Levels challenge and a spotlight on the First Place winner, Mohamed. Stay tuned for a series of full SRT spotlights from this Hack4Levels Holiday Competition coming soon.

First Place Shout-Out

Hack4Levels Winner: Mohamed Sayed, @SecZiko

We are very excited to announce our most recent Hack4Levels winner! Mohamed started the competition at Level 0x01 and leveled up to Level 0x02 (while also making a lot of money!) during the 30 day time period. Read his Q&A below:

@SecZiko tweeted:

“After a lot of sleepless nights, hard word, i won the first place at synack hack4levels competition.. Elhamdolleah
@SynackRedTeam @synack @FrankiCreek”

Q: What was your favorite part of the Winter Hacking challenge?

A: The competition was great, well-organized and the Vuln Ops team was very responsive and helpful. I liked the challenge of hacking to level up. My favorite part was when I received the weekly leaderboard update results.  

Q: Do you have a favorite vulnerability discovery from this challenge that you can share and dive into some of the details of your approach?

A: I reported several vulnerabilities in the winter challenge so it’s hard to choose, but I prefer the logic attack and business function misuse vulnerabilities. One of my favorite vulnerabilities was in a target with no credentials provided and no registration. After some digging and recon, I was able to bypass the authentication of the application by collecting information about a certain user from OSINT. Then I found hidden pages that were vulnerable to authorization bypasses and cross-site scripting and leaking sensitive data which impact confidentiality and integrity of the application.

Q: What do you think contributed to your success for this Hack4Levels challenge?

A: The community and the Vuln ops team helped me by motivating and pushing me to do my best for each submission, which really helped me a lot in the competition. I kept my focus on challenging myself and doing my best, not worrying about the person beside me.

Q: What type of testing did the Hack4levels challenge motivate you to do, that you otherwise would not have done?

A: Challenging myself to win 1st place came with sleepless nights and very hard work that I probably wouldn’t have done if such a challenge was not there to motivate me.

Q: What tips do you have for other SRT to be successful on the Synack platform? On a Synack competition?

A: Focus on vulnerabilities that other SRT may not think about. Spend a good amount of time analyzing the application components to understand the target business well before starting to find vulnerabilities on it.

Want to read Mohamed’s Full Q&A? Continue on here.

Tips From Our Top Competitors

“Focus less on money and more on learning. When you decide to start research on a project, try to stick with it as much as you can to understand every business function and analyze each request parameter. Try harder and never give up- that’s the key to success.” – Mohamed, @SecZiko

“Try to participate in Missions. I was able to complete several missions and the work I performed on those missions, in several cases, led me to other discoveries. The missions also kept me engaged with the platform and constantly looking at functionality I would likely have overlooked otherwise.” -Ty, @200isOK

“Don’t be lazy. I have a day job as a software engineer, 2 kids, and one tolerable wife. It is difficult for me to contribute to the platform unless I put in hard work, and this time I did.” -Nahidul

“The first 2 weeks, I spent my maximum time on Synack and got into first place in the first week. I believe my contributions during that time was quite well spent as i worked hard and believed in myself that I could achieve the most in this competition.” -Shawar, @ShawarkOFFICIAL

“According to my observations, most of the SRT members have great knowledge and they are all qualified. Going into the competition against so many qualified people was a challenge for me. I think what set me apart from the others was spending more time and focusing on Synack.” -Berke, @ilovebinbash

Our Hack4Levels Philosophy

The purpose of Hack4Levels competitions is to incentivize our SRT in a way that goes beyond just a monetary reward. With Synack HackerHangouts as the prize, we provide an opportunity for SRT to build in-person relationships, learn new skills, and to celebrate their hard work through fun events in exotic locations! Hack4Levels gives select groups of Red Team members the chance to level up, reach their full potential, and win some incredible prizes along the way.

Researchers on the Synack platform are presented with opportunities to work on unique targets and challenges, the fastest payouts and highest level of support in the industry. Synack’s innovative technology optimizes the Synack Red Team’s (SRT) efficiency in vulnerability discovery.

Synack provides initiatives to help foster the researcher community and to recruit top talent. SRT Levels is a program that rewards SRT members for their increasing contributions to the Synack platform, and incorporates hacking competitions and specialized challenges.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.