13 March 2018

Synack #Hack4Levels and Hacker House Recap

Andre Gerard

On November 1, 2017, we launched our second-ever Synack Red Team Levels hacking challenge. Our #Hack4Levels competition brewed up a storm of exciting action, and for our winners, a beachside journey and more hacking adventures with a bit of a twist. The challenge was an exciting, high-stakes game. We sent the top leaderboard winners invitations for an all-expenses-paid, fun and action-packed weekend trip to the Synack Hacker House in Mexico.

“My favorite moment was watching the sunset from the house with a great beach & ocean view while having margaritas and hacking at the same time with teaming was great!”

-Ozgur, SRT Level 0x05, Overall #Hack4Levels winner

The competition was open to all Levels of the Synack Red Team. They battled it out for 8 weeks by finding impactful vulnerabilities on live customer targets to accumulate competition points. We used a leaderboard point system to keep track of the SRT who were making the biggest contributions during the competition, with special status recognition for our Top 5.

Here is our final #Hack4Levels Top 10 Overall for the competition:

[Image: #Hack4Levels leaderboard]

We’d also like to give a special shout-out to all of the SRT members who ranked at the top of their Level for the categories below. Congratulations to all #Hack4Levels competition achievers!

Kudos to these SRT!!

Once we sent the #Hack4Levels Top 10 SRT to Mexico, they were presented with new objectives:

  1. Celebrate their amazing work and friendly competition in the #Hack4Levels challenge
  2. Get to know fellow top SRT hackers
  3. Team up and learn from each other during the weekend’s hacking activities on live targets that included web, host, and hardware targets
  4. Have fun in Mexico!

Read on to get a view from the inside. Hear more about the fun that was had in the House, straight from our winners…

SRT Teaming in the Hacker House

“In general I find the security testing community to be pretty small, so I enjoy chances to meet and get to know others in the community…One of the things I was definitely looking forward to during this event was getting to meet some of the SRT.”

“It was actually a great experience! This was the first time I met with other top SRT performers. It was awesome to talk the same Synack-language and share platform experience!”

“Meeting other like-minded people is always great. I enjoyed my time in the house and the main reason for that was the people that I met there. The key benefit of the event for me was the possibility to share and gain knowledge and ideas.”

What did they learn from working together on targets?

SRT hacking together in the Hacker House

“I think overall, a lot more can be covered when you team up. In some cases, person A might find a testing area that looks promising but not know how to end up with a working exploit. Person B can then find that working exploit. Instead of the vulnerability being suspected, but never actually reported by a single person, it can actually make its way to the customer through teamwork.”

“Being with other security researchers and the Synack Vuln Ops team really helped bring specific targets into focus. We all have different experiences with tools and pentesting methods. For example, when one of us finds a SQL injection but can’t bypass the WAF, someone else can use his/her experience to bypass the WAF.”

“I think teaming may help uncover more complex vulnerabilities…Ozgur did some great recon and shared his findings with me. As a result it helped me to find a few serious vulnerabilities.”

What types of vulns did they find?

SRT Finding Vulns

“We discovered several critical vulnerabilities, both technical and logical. If an attacker had gotten there before we did, he/she could have obtained sensitive customer data, putting their financial information and reputation at risk.”

“Some of my findings were pretty severe. SQLi vulnerabilities could have allowed an attacker to obtain sensitive business data from client databases. XXE vulnerabilities could have allowed an attacker to obtain access to services running inside the internal network.”

What did they enjoy most about the Mexico Hacker House?

“Spotting pelicans and sea lions on the boat ride were really great. Doing some hacking while enjoying the warm weather with a great view from the house was pretty memorable each day.”

“My favorite moment was watching the sunset from the house with a great Cabo Beach & ocean view while we were having some margaritas and hacking at the same time!”

“I will never forget our fishing trip 🙂 Unfortunately we didn’t catch any marlin but meeting a wild sea lion was awesome.”