Since our Persistence competition is now over, we’re rounding it up by sharing everyone’s walkthrough and announcing the winners!

The objective of the contest was to boot and root the Persistence virtual machine and provide a write up of their journey. A strong write-up with a chance of winning would be detailed, contain potentially unique methods of solving the challenge, and at the same time be entertaining to read.

There was a lot of hype for Persistence about before it was even announced! This continued with superkojiman’s fantastic promoting skills. From the social network memes, to videos, to IRC chatter. We hugely appreciate all the effort superkojiman put in to keep the competition alive and active. Thank you.

The challenge wasn’t best suited for “beginners” or people who are only just starting out. The challenge went into rather a lot of depth which gave more experienced contestants something to sink their teeth into. Still, this didn’t stop people getting root - the first submission was just a little over 7 hours of the challenge machine released (crazy impressive - very well done solarwind)!

When the download link appeared the IRC channel lit up with chatter about the event. The channel was alive with discussion about the event for all of the first week (and was still mentioned mostly daily for the remaining three weeks). People were informing each other of their progress or quizzing others where they had gotten to:

[09/09/2014] Lok_Sigma: unpriv shell on persistence. Step 1!

[10/09/2014] RogueCoder barrebas, lol yeah! I downloaded Persistence the day it came out and I still haven’t popped a shell :P

[22/09/2014] knaps: One more roadblock and either I’ll get a root shell on persistence or I’ll smash my keyboard

The desire to capture the flag and complete the challenge was keeping people up late into the night:

[16/09/2014] knaps: I’m off to bed, maybe I’ll dream of a solution to persistence

[16/09/2014] leonjza: well, I have made good progress on persistence, and think i’ll dust it tomorrow after some sleep

[01/10/2014] hostess: i should probably finish my work and go to sleep instead of messing with persistence

It was hard to track who got what first as people were getting in contact in so many different ways. So this time, we’ll just look at when submissions came in:

  • The first one was by solarwind (7 hours, 17 minutes)
  • The next (valid) solution was by Bas (3 days, 7 hours, 49 minutes)
  • Afterwards was Swappage (8 days, 9 hours, 48 minutes)
  • …at this point all the other then start to come in regularly.
  • The last submission was by teh3ck (10 hours before the deadline)

Between them, they also uncovered various unknown vulnerabilities in the VM, as well as coming up with unique clever methods to advance through the different stages. Hackers are hackers - forever doing things that you didn’t believe were possible ;).

So well done to these guys, we tip our hats to you guys!

There hasn’t been a patched version of the VM (yet?). The competition used version 1.0 which will always stay hosted on VulnHub.

There was a grand total of 18 submissions for this competition. However, we had to exclude two of them, as they broke the rules (sorry, booting into single user mode isn’t allowed!).

We know there were various other people who had successfully reached the flag who didn’t find the time to write up a entry - we understand. For everyone who submitted a (valid) write up, their submissions can be found here. Feel free to read through their submissions: its great way to learn a new trick (or two!) or see what you missed.

This was a hard contest to judge. To try and make the final decision easier we up’d the prizes to five total winners. But even that it was still tough to decide the final winners:

The prize pool was also increased:

  • Winner - £50 eGift Card + Customized T-Shirt + Challenge Coin + Stickers
  • Second & Third - £25 eGift Card + Customized T-Shirt + Challenge Coin + Stickers
  • Runner Ups - £15 eGift Card OR Customized T-Shirt + Challenge Coin + Stickers

…Whats this? Challenge coins!

The challenge coin prize is something new. There are rumors of VulnHub one day opening up a shop which would sell certain merchandise, such as t-shirts for example. Even though the competition t-shirts are unique, as they contain a certain graphic and participants name on the back, we feel that winning a t-shirt in the future might not mean as much as it once did to contest winners. We want the winners of the competition to be rewarded with something different. Something that cannot be purchased in a shop. As a result, the idea of challenge coin was born. These will only ever given to select few, and never sold.

As this is a new competition there’s a new t-shirt design. Each winner will receive a personalized version of the competition t-shirt. Competition shirts cannot be found in shops or bought online. The only way to get one, is to win one. The base design can be seen below, to give you a rough idea.

We wish that we were able to offer prizes to everyone who took part, and it pains us to limit who we give prizes too. If you missed out this time don’t worry! Keep your eyes peeled for our next competition for a chance of winning goodies next time!

We have now three competitions. Looking back from last time, we said we would improve:

  • “Hype. There was more. But not enough!” - We believe that superkojiman single handedly made sure this was stronger.
  • “Different prizes.” - We invested in challenge coins as an additional prize.
  • “Longer timeframe.” - Which we did 4 weeks and we will do this again: it was a good amount of time.
  • “Test the challenge more.” - There was an external beta tester this time. Even though there was an unintentional shortcut, less people exploited it. Still something we need to work on in future.
  • “Post challenge response faster. We were slow.” - And still are, though only two days late this time!

New things which we learned this time around:

  • Solutions were made public before the deadline - even though this is out of our control, we can try and be aware of it happening. For the ones which were live (that we saw), we kindly asked people to postpone making their post live until the competition - everyone was happy to oblige and were removed within an hour.
  • Prize pool needs to grow - with more people entering, we need to (somehow) increase the giveaways. Both the amount of winners and prize value.
  • Longer delay between the blog post announcing the competition, and the event itself starting.

We would once again like to thank both Sagi- and superkojiman for taking the time to create Persistence, help run the event and judge the submissions. It wouldn’t of been possible without them, so please thank them if you see them!

Our final words:

  • For the people that really persisted and got the root flag - congratulations!
  • To everyone that entered and submitted a guide - thank you =)
  • To all the winners - well done ;).
  • To anyone that hasn’t yet tried persistence - what’s stopping you?! =P

Warm regards,

The VulnHub Team

Competition Results - Sokar

Our [Sokar birthday competition][1] is well and truly over now. So the only thing left todo is to summarize everything and of course …… Continue reading

New Blog Desgin

Published on March 01, 2015

Competition - Sokar

Published on January 30, 2015