<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zero-Day Vulnerabilities &#8211; Tech AI Connect</title>
	<atom:link href="https://techaiconnect.com/tag/zero-day-vulnerabilities/feed/" rel="self" type="application/rss+xml" />
	<link>https://techaiconnect.com</link>
	<description>All Tek Information for You</description>
	<lastBuildDate>Thu, 24 Oct 2024 23:59:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>Hacking Heroes at Pwn2Own Ireland: Samsung Galaxy and Sonos Era Vulnerabilities Exposed</title>
		<link>https://techaiconnect.com/hacking-heroes-at-pwn2own-ireland-samsung-galaxy-and-sonos-era-vulnerabilities-exposed/</link>
					<comments>https://techaiconnect.com/hacking-heroes-at-pwn2own-ireland-samsung-galaxy-and-sonos-era-vulnerabilities-exposed/#respond</comments>
		
		<dc:creator><![CDATA[techai]]></dc:creator>
		<pubDate>Thu, 24 Oct 2024 23:59:10 +0000</pubDate>
				<category><![CDATA[Cybersecurity Competition]]></category>
		<category><![CDATA[Pwn2Own 2024]]></category>
		<category><![CDATA[Samsung Galaxy S24]]></category>
		<category><![CDATA[Sonos Era 300]]></category>
		<category><![CDATA[Zero-Day Vulnerabilities]]></category>
		<guid isPermaLink="false">https://techaiconnect.com/hacking-heroes-at-pwn2own-ireland-samsung-galaxy-and-sonos-era-vulnerabilities-exposed/</guid>

					<description><![CDATA[The second day of Pwn2Own Ireland 2024 proved to be a riveting showcase of cybersecurity talent, where white hat hackers unearthed a staggering 51 zer]]></description>
										<content:encoded><![CDATA[<p>The second day of Pwn2Own Ireland 2024 proved to be a riveting showcase of cybersecurity talent, where white hat hackers unearthed a staggering 51 zero-day vulnerabilities, collectively earning $358,625 in cash rewards. Pwn2Own is a prestigious annual hacking contest that challenges security researchers to exploit software and hardware vulnerabilities, vying for the title of &#8220;Master of Pwn&#8221; alongside a bounty of one million dollars in total prizes.  </p>
<p>During this intense day of competition, the Viettel Cyber Security team emerged as a notable frontrunner in the pursuit of the coveted title, delivering remarkable performances across multiple categories. Leading the charge was Pham Tuan Son, alongside ExLuck from ANHTUD, who commenced the day with a successful exploit of a Canon imageCLASS MF656Cdw printer utilizing a stack-based buffer overflow. Their efforts secured a handsome reward of $10,000 and two Master of Pwn points.  </p>
<p>However, the spotlight quickly shifted to some of the day&#8217;s more spectacular exploits. Ken Gannon from the NCC Group executed a complex chain of five vulnerabilities, which included a path traversal, against the latest Samsung Galaxy S24 smartphone. This attack not only earned him $50,000 but also netted five points towards the Master of Pwn title. Gannon&#8217;s successful exploit enabled him to install an unauthorized application on the device and gain shell access, highlighting significant security weaknesses in a device favored by millions.  </p>
<p>In another standout performance, Dungdm from Viettel Cyber Security managed to seize control of the Sonos Era 300 smart speaker through a Use-After-Free (UAF) vulnerability. His successful manipulation of the device resulted in a windfall of $30,000 and six Master of Pwn points, accentuating the risks associated with smart home technology.  </p>
<p>The breadth of vulnerabilities exploited during the event was impressive. Team Cluck&#8217;s duo, Chris Anastasio and Fabius Watson, chained together two vulnerabilities—including a critical CRLF injection—to compromise the QNAP TS-464 NAS, earning $20,000 and four points. Additionally, Corentin BAYET of Reverse Tactics secured $41,750 and 8.5 points targeting the QNAP QHora-322 router, despite one of his identified bugs being a repeat from earlier rounds.  </p>
<p>Day 2 of Pwn2Own also witnessed several collisions, where multiple researchers attempted to exploit similar vulnerabilities on the same device. As a result, both Tenable and Synacktiv received reduced payouts and points for their attempts on the Lorex 2K and Synology BeeStation devices, respectively. Furthermore, competing teams such as DEVCORE, Rapid7, and Neodyme faced challenges executing their exploits within the strict timeframes, resulting in setbacks on devices like the Sonos Era 300 and Lexmark CX331adwe printer.</p>
<p>Despite these hurdles, the competition remains fierce as participants strive to ascend the rankings. With two full days still left in the event, researchers have already showcased a remarkable total of 103 zero-day vulnerabilities, including the 52 vulnerabilities detected on the opening day. So far, the cumulative earnings for the participating teams have reached an impressive $847,875, setting the stage for an electrifying continuation of the competition.</p>
<p>As the cyber challenge unfolds, the stakes continue to rise for both participants and the brands behind the technology under scrutiny. The findings not only highlight significant flaws in some of the most widely used devices but also underscore the critical importance of continual vigilance in cybersecurity practices to protect against evolving threats in the digital landscape.  </p>
<p>As the event progresses, experts and enthusiasts alike will be following closely to see which teams ultimately prevail in their quest for dominance in the cybersecurity arena. </p>
]]></content:encoded>
					
					<wfw:commentRss>https://techaiconnect.com/hacking-heroes-at-pwn2own-ireland-samsung-galaxy-and-sonos-era-vulnerabilities-exposed/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hackers Reveal 52 Zero-Day Vulnerabilities at Pwn2Own Ireland 2024</title>
		<link>https://techaiconnect.com/hackers-reveal-52-zero-day-vulnerabilities-at-pwn2own-ireland-2024/</link>
					<comments>https://techaiconnect.com/hackers-reveal-52-zero-day-vulnerabilities-at-pwn2own-ireland-2024/#respond</comments>
		
		<dc:creator><![CDATA[techai]]></dc:creator>
		<pubDate>Wed, 23 Oct 2024 23:54:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Pwn2Own]]></category>
		<category><![CDATA[Tech Events]]></category>
		<category><![CDATA[Zero-Day Vulnerabilities]]></category>
		<guid isPermaLink="false">https://techaiconnect.com/hackers-reveal-52-zero-day-vulnerabilities-at-pwn2own-ireland-2024/</guid>

					<description><![CDATA[In a striking display of skill and innovation, hackers at the inaugural day of Pwn2Own Ireland 2024 uncovered an impressive total of 52 zero-day vulne]]></description>
										<content:encoded><![CDATA[<p>In a striking display of skill and innovation, hackers at the inaugural day of Pwn2Own Ireland 2024 uncovered an impressive total of 52 zero-day vulnerabilities across various devices, raking in an astounding $486,250 in cash prizes. This event, known for its high-stakes hacking challenges, kicked off with fierce competition among cybersecurity professionals eager to earn the coveted title of &#8216;Master of Pwn.&#8217; </p>
<p>Leading the charge was Viettel Cyber Security, who quickly established dominance in the competition by accumulating 13 points. The team, comprising skilled participants known by their handles phudq and namnp, executed a successful exploit against a Lorex 2K WiFi camera utilizing a stack-based buffer overflow vulnerability. Their efforts were not only rewarded with 3 points but also a generous payout of $30,000. </p>
<p>Sina Kheirkhah from Summoning Team emerged as a standout performer during this intense hacking event. Kheirkhah orchestrated a remarkable chain of nine vulnerabilities that began with a QNAP QHora-322 router and concluded with a successful compromise of the TrueNAS Mini X device. This impressive feat netted the team a whopping $100,000 and a total of 10 points towards the Master of Pwn title. </p>
<p>Following Kheirkhah&#8217;s triumph, Jack Dates from RET2 Systems showcased his prowess with a successful out-of-bounds (OOB) write exploit on the Sonos Era 300 smart speaker. This exploit gave him comprehensive control over the device, landing him $60,000 and 6 points. The action didn’t stop there, as Viettel Cyber Security returned to the fray with a second successful exploit, cleverly combining four new bugs to transition from the QNAP QHora-322 router to the TrueNAS Mini X, resulting in an additional $50,000 reward and another 10 points.</p>
<p>Despite the excitement, day one was not without its challenges. The Summoning Team faced difficulties executing their exploits on the QNAP TS-464 and Synology BeeStation BST150-4T, ultimately running out of time. Similarly, Synacktiv encountered a bug collision during their attempt to exploit the Lorex 2K camera, which unfortunately resulted in a reduced payout of $11,250.  </p>
<p>As the first day of Pwn2Own Ireland 2024 drew to a close, participants demonstrated their tactical skills and resilience, proving that the road to success in hacking is fraught with both triumphs and setbacks. With three more days of the competition remaining, participants are poised to continue their quest for exploiting security vulnerabilities in fully patched SOHO devices. These range from printers and NAS systems to WiFi cameras, routers, smart speakers, and even mobile phones, including the latest Samsung Galaxy S24, with a substantial portion of the $1 million prize pool at stake. </p>
<p>The event also highlights the pressing nature of cybersecurity threats, as evidenced by several recent zero-day vulnerabilities being actively exploited. For instance, reports have emerged regarding Lazarus hackers employing fake DeFi games to exploit a Google Chrome zero-day, and Fortinet warning of a new critical flaw in FortiManager being used for zero-day attacks. Furthermore, Google disclosed that 70% of the vulnerabilities exploited in 2023 were zero-days. This underlines the importance of ongoing vigilance and innovation in cyber defense practices.</p>
<p>The initial day of competitive hacking concluded with shouts of congratulations for the participants from industry peers. Acknowledgment was also given to the businesses and organizers supporting this event aimed at fostering safe discovery and rewarding bug bounties. As the competition progresses, the hope remains that all involved will walk away having gained invaluable experience and insights from this unique event.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://techaiconnect.com/hackers-reveal-52-zero-day-vulnerabilities-at-pwn2own-ireland-2024/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
