Pwn2Own 2020, the annual hacking contest in which contestants try to exploit popular software and mobile operating systems, was held as a remote event owing to the Coronavirus (COVID-19) pandemic.
The 3-day event ended on March 20, with the previous 2 days having been rather phenomenal: a team from the Georgia Institute of Technology Systems Software and Security Lab won the second biggest prize, $70,000, on the first day by targeting Apple's browser, Safari. They exploited a bug chain to pop calc and escalate to root privilege.
Pwn2Own 2020 was perhaps the first time the hacking contest was held remotely, with several ethical hackers from all over the world participating to demonstrate their hacking abilities.
Day 1 - Pwn2Own 2020
RedRocket team member Manfred Paul won $30,000 and 3 Master of Pwn points by successfully leveraging an input validation bug to escalate privileges on Ubuntu Software.
"Confirmed! Manfred Paul of @redrocket_ctf used an improper input validation bug to escalate privileges on #Ubuntu Desktop. His first foray into #Pwn2Own nets him $30,000 and 3 Master of Pwn points. pic.twitter.com/nzLhyckDN7" (Zero Day Initiative, @thezdi, March 18, 2020)
He was closely followed by last year's champion, team Fluoroacetate, who won $40,000 by leveraging a use-after-free (UAF) in Windows to escalate to SYSTEM.
Day 2 - Pwn2Own 2020
The team from Synacktiv, comprising the duo of Corentin Bayet and Bruno Pujos, failed to demonstrate their exploit against VMware Workstation in the virtualization category within the allotted time.
However, Phi Phạm Hồng from STAR Labs, who targeted Oracle VirtualBox, won $40,000 by using an out-of-bounds (OOB) read for an info leak and an uninitialized variable for code execution on the hypervisor.
Pwn2Own 2020 ended with the title of Master of Pwn going to the Fluoroacetate duo with their 9 points (amounting to $90K), which was ahead of the prize won by the team from the Georgia Institute of Technology. With just one official entry left to go, Team Fluoroacetate took the lead in the Master of Pwn standings by amassing 9 points; they targeted Adobe Reader along with a Windows local privilege escalation (LPE).
All it took them was one click of the mouse to exploit Adobe Reader and then take over the system through a local privilege escalation.