Payment Village Challenges (11th-14th of August)
All interaction will take place on DEF CON Discord #payv-labs-text or on our Telegram channel https://t.me/paymentvillage
1. Card Hacking Challenge
Requisites:
- PaymentVillage.Org NFC cards. You can get them at the Retail Hacking Village (https://defcon.org/images/defcon-30/maps/forum.webp)
- Android 7+ device with NFC. Payment Village SoftPOS APK link - https://drive.google.com/file/d/1u5vd2pIf4J2z8paihR0_nZ4HZOf5mowg/view?usp=sharing
- OR use a smartcard reader such as the SCR3310 and install our POS Simulator for Windows: https://drive.google.com/file/d/1_UD3Rk3psP5ZXdtrs6YBsjb-43HExQXu/view?usp=sharing
Tasks:
1. Bypass the $10 limit for contactless payments.
2. Using one card, make total payments equivalent to 500 USD. Describe in as much detail as possible how exactly you made each payment.
--
Additional challenge - report any observations on vulnerabilities and potential attacks on our PaymentVillage.Org payment system. And remember - it's not an RE/APK hacking challenge.
--
Send all your solutions and writeups to https://forms.gle/Rn7ULNjoYUC1d5DK8
ATM1
Virtual Box image https://drive.google.com/file/d/10wDbWri0wfjH8Azy5FH-dNo6NPd8UkDg/view?usp=sharing
Severity: Medium
Desc:
1. Bypass kiosk and run C:\task_kiosk.exe
2. Bypass applocker and run C:\task_applocker.exe
3. Get admin privileges and run C:\task_escalation.exe
Restrictions:
Do not use safe modes or external boot
ATM2
Virtual Box image https://drive.google.com/file/d/1ILV5t5nmL9dHcieEgLjJovbH1N1SS7uS/view?usp=sharing
Severity: Hard
Desc:
1. Bypass kiosk and run C:\task_kiosk.exe
2. Bypass applocker and run C:\task_applocker.exe
3. Get admin privileges and run C:\task_escalation.exe
3. Online Bank Hacking Challenge
Ever thought about hacking a bank? Register an account for access to PA (http://bank.paymentvillage.org:8081), look for bugs in the system, exploit them, and find uncommon security bugs!
You can report your findings to the security team in the 'Bug report' section ('/reports'). In addition to the fields specified in the report form, you can attach a file with a detailed description of the vulnerability found and any other details.
ATM Hacking Lab 2021
Ever wanted to try and hack ATMs? Download our virtual machines and feel the joy of "spitting money"!
ATM1.OVA https://drive.google.com/file/d/1NMp5X9HjPTHmqdcqMsZ0c_pQ8W_FAH_k/view?usp=sharing
Severity: Medium
Task: bypass AppLocker to run a VBS script and get administrator privileges.
Limitations: do not boot from external devices, do not use safe modes
ATM2.OVA https://drive.google.com/file/d/1cMSaTg0YY9APyp9j148gGWCx4jBG7eUb/view?usp=sharing
Severity: Hard
Task: get administrator privileges
Limitations: do not boot from external devices, do not use safe modes
ATM3.OVA https://drive.google.com/file/d/1Z49FVBZITW8fmQqnx3O6tWDoWlIbB7IS/view?usp=sharing
Severity: Low
Task: bypass kiosk mode on the ATM and get administrator privileges
Limitations: do not boot from external devices, do not use safe modes
All answers should be submitted via this form: https://forms.gle/kvzZcqxcbxVcNgfU8 by the 8th of August 2021, 12 PM
Feel free to discuss these tasks in our #payv-labs-text channel on Discord!