This is more of a personal post which may not give value to anyone else. Actually, the blog has more often than not been for my own benefit rather than for others. When I started it, all my posts were write-ups for www.overthewire.org's Natas wargame. Pretty sure it's frowned upon to post spoilers. However, it helped me a lot by being forced to narrate my own thought process in understanding the challenge, because in some cases I didn't even solve them myself, but needed to make sure I understood the solution. But the main reason I did it was that I wanted to get a job in pen testing whilst having no degree and no professional experience. I thought being able to point at these write-ups might be a good way to demonstrate my skills to prospective employers. I think it worked.
My friend Fabius put me onto Natas when we worked together as security analysts in a SOC (a dirty SOC :D). That was in 2014, and it was also the time that I learned what Pwn2own was. From that moment I thought it was the coolest thing in the world and dreamed of playing. Five years later, after three years in pen testing, my skills and confidence had grown. I had just completed the Corelan advanced training course, an incredible experience I will never forget. Fabius messaged me and asked if I was going to play the upcoming ICS Pwn2own contest in Miami. I don't exactly remember how I responded, but I think I said no. A short while later, though, I checked out the list of targets and decided to download one of them.
Within a couple of days I had an unauth RCE due to unsafe .NET object deserialization. I found the bug quickly by using Wireshark to analyze the network traffic between the client and server programs. I could see .NET objects being passed over the wire. However, it was using the worst serializer possible, and they had implemented a custom whitelist of objects which were allowed to be deserialized. None of the whitelisted objects had gadget chains in ysoserial.net at that time, but with such a good bug staring me in the face I decided to hunt for a new chain and had success pretty quickly.
By luck I crossed paths online with mr_me, someone whose work I had admired for years. After learning that I already had one target down he invited me to team up with him. I was reluctant only because I thought it might not actually be him, but instead someone trying to scam me out of an exploit. Eventually I took a leap of faith and we exchanged exploits, because he already had one too for a different target, and from that point we collaborated on the rest of them. There was a good synergy between us for the rest of the contest prep. We met IRL for the first time in Miami, and ended up winning the contest overall in January 2020, shortly before coronavirus happened.
Since that contest in 2020 I have played at least once every year, all the while maintaining my 9-5 pen testing job. Here's a list of all the contests I've played in:
- Pwn2own Miami 2020 (1st place with mr_me)
- Pwn2own Austin 2021 (1 target with Justin)
- Pwn2own Miami 2022 (2nd place with mr_me)
- Pwn2own Toronto 2022 (just 1 target solo)
- Pwn2own Miami 2023 (did prep but didn’t get any exploits due to rule changes)
- Pwn2own Toronto 2023 (1 target solo)
- Pwn2own Tokyo 2024 (2 targets with Fabius)
- Pwn2own Ireland 2024 (2nd place with Fabius)
My most recent 2nd place finish was with Fabius in Cork, Ireland playing as “Team Cluck”.
We had a really good prep. It was reminiscent of the preps I had with mr_me for the Miami contests. The preps always start right around the time the contest is announced, which is usually ~3 months in advance. We had the SOHO ($100k) target knocked out in about 2 weeks. By the 6 week mark we'd pwned 2 of the NAS targets as well, giving us 18 points if all the bugs were unique. Knowing that the prior year's 2nd place had less than 18 points, and seeing that we still had a long 6 week runway ahead, we started to set our sights on a possible 1st place finish.
As you can see from the list above, there are some years where I showed up with only one or two targets. Those are not years where I considered my placing at all; I simply went to have fun and collect my loot for whatever I had to offer. But in the years where a 1st place finish was feasible, you can bet that I grinded very hard. So we grinded.
We only landed 1 more target, a camera, for 3 points, giving us 21 points total if all the bugs were unique. The exploit for that final device was killed a day or so before the contest. Additionally, once we were on-site at the contest, we learned that many other teams had the same bug anyway.
So what am I whining about?
One thing to know about Pwn2own is that it's common to only receive a full payout if you pwn the target first, though you will still get full points if your bugs are unique. If you go nth, it's possible you will receive only 1/2 or 1/4 of the advertised payout. The order of entries is determined by a random drawing the day before the contest begins. Due to a bad draw, even though we came in 2nd place, at least 4 teams that placed below us earned significantly more money. This was crushing given that Fabius and I both grinded hard for 3 months on top of our day jobs to achieve this outcome. Even more so because our bugs were unique despite going towards the end (or dead last in the case of our SOHO target).
Pwn2own itself is a beautiful thing. A contest where whitehats can earn money for exploits and maintain a clear conscience, show off their skills, and be given the grace to blog about it afterward. I’m grateful that it exists and that I had many opportunities to participate. Through the contest I’ve gained friends, travel experiences, hacking prowess, and of course money 😀
I was thinking about trying VirtualBox at the upcoming Vancouver contest. After spending 2 weeks doing research and feeling like I might not be capable of achieving the goal, I decided to check the results for last year's Vancouver contest.
Manfred Paul achieved something that I can literally only dream of. And you can see he earned a whopping $42k for a browser exploit that pwns 2 of the leading web browsers. This was less than 1/3 of the advertised price of $150k. I’m happy to see him create something so powerful, but sad to see him earn so little money for it.
Why was his payout so low? There are two equally correct answers. The contest is too busy. The budget for prizes is too low. I can't blame ZDI for not expanding the budget, since AFAIK this is just a marketing event for them. I also can't blame people for wanting to play; it's fun! But I've reached a point where I can't justify the time and energy for the gamble that the contest has become due to these low payouts. I'll probably play again in the future. But for now I'm going to focus my free time on other projects.