Hack The Box PWNathon

1 Mar 2021

March is here… and we have a surprise for you! Are you into PWN? If yes, make sure to clear your schedule: The Hack The Box PWNathon is coming!

For the next four weeks, we will be releasing a series of exclusive challenges dedicated to PWN! Are you ready to test your skills on stack, heap, kernel, and browser exploitation?

All Things PWN - What is PWN? 

In the hacking and CTF world, PWN refers to pushing the boundaries via binary exploitation and memory corruption. In these types of challenges you are usually given a local copy of the vulnerable binary to PWN on your machine or its source code. Your task is to take your local exploit and eventually spawn a remote shell, own the system, and capture the flag. To solve these challenges, it’s recommended to read up on stack and heap-overflows, and binary exploitation in general.

What is PWNathon?

In our everyday lives, everything seems like a PWN Challenge if you take a closer look. You may find real-life binary exploitation in virtualization products,  browsers you use in your everyday life, and even sudo packages! By investigating coding bugs and memory corruption, this category will push you to develop exploits that'll make anyone lose their bits. 

Get Ready. JMP. PWN! 

Curious about the upcoming releases? Here is a quick preview for you:

Release No. 1: Bad Grades, created by w3th4nds
Easy | 30 Points | 05/03/2021
The Story: You're not interested in studying for school anymore, you only play CTFs and challenges! Now your grades fell off a cliff, and your laptop will be taken away "if you continue like this". You need to do something to raise them before your parents ground you forever!

Release No. 2: Echoland, created by w3th4nds & r4j
Medium | 50 Points | 05/03/2021
The Story: It is heavily raining. You run to the cave in order to find shelter, but a heavy boulder falls and shuts your exit. Darkness everywhere, you cannot see a thing. You and your friend get separated. You need your friend to help you move the boulder! You shout, and shout for dear life, but there's dead silence and your friend is nowhere to be found. Are you really both going to be stuck in this cave forever, or are you going to do something to get a response back?
Note: The challenge won't have a blood to claim, but we'll award the "lucky exploiter" prize nonetheless.

Release No. 3: Modern Typer, created by farazsth98
Hard | 80 Points | 12/03/2021
The Story: When compilers start speculating on what the future holds, even the simplest mistakes can have huge consequences.

Release No. 4: Dream Diary Part 4, created by FizzBuzz101
Insane | 100 Points | 19/03/2021
The Story: I keep getting pwned with my heap note applications. My boss was extremely frustrated and shipped me off to coding bootcamp, in order to learn about efficient data structures and better security practices. Try to pop a shell on this "circular" diary now. Featuring libc-2.32, better seccomp filters, and extra anti-hacking measures, this application is quite literally un-hackable now. But I need a skilled PWNer like you to prove whether it's secure or not. Unless you wouldn't mind my boss paying me in small cash from now on of course... :^)

Release No. 5: TicTacPwn, created by ntrung03
Insane | 100 Points | 26/03/2021
The Story: Everything seems so empty. All the time in the world with all its possibilities, and I still don't have anything to do. But who would slack around, when they can just become a superuser?

How will PWNathon work?
- Starting from March 5th, we will release only PWN challenges over the next four weeks.
- Every week, the first player solving the challenge (the one that takes the blood) will be awarded with a special prize.
- Late for the first blood? No worries! Every Friday, we will pick one player who pwned the previously released challenge. The winner - aka lucky exploiter - will be picked randomly (via draw) and awarded with a £25 Swag Card. You have 7 days to pwn the release so don’t lose any time. JMP to the PWN! 
- Weekly winners (first blood and lucky exploiter) will be announced on the #binexp-and-re Discord channel every Friday at 12 pm UTC. 

PWNathon Prizes
1st Week Blood - Bad Grades: £25 Swag Card & 1 Month VIP+ subscription (1 winner). 
2nd Week Blood - Modern Typer: £25 Swag Card & 3 Months VIP subscription (1 winner).
3rd Week Blood - Dream Diary Part 4: £50 Swag Card & 3 Months VIP subscription (1 winner). 
4th Week Blood - TicTacPwn: £100 Swag Card & 1 Month Pro Lab subscription of your choice (1 winner).
Weekly Lucky Exploiter: £25 Swag Card (5 winners).
Note: If you are the lucky exploiter, in order to get the prizes you have to verify your Discord account so our team can contact you directly. Check how to verify your account in the following section.

PWNathon on Discord
- JMP on the #binexp-and-re channel on our Discord to join the fun! 
- Share your favorite attack technique. 
- Leave your best PWN TIP for fellow PWNers or beginners.
- Too early in your hacking journey for a blood or PWN? Join the channel to get help from the community and chat with experienced PWNers! 
In order to have access to the #binexp-and-re channel on Discord, make sure to verify your account. Just DM the HTB Bot with ++verify and the bot will send you the instructions! 

Need help with Hack The Box Challenges? Learn more here.

Got what it takes? Challenge accepted!

Happy Pwning! Happy Hacking!
Hack The Box Team