23. 08. 2023 Alessandro Mizzaro Development, Events, SEC4U

DEFCON 31: My Trip to Vegas w/ mhackeroni

Greetings, cyber enthusiasts! This year we hacked a satellite and won $50K!! Okay, now that I’ve got your attention, that last sentence isn’t fake, but let’s go back to a few days ago…

I’m Alessandro — Alemmi on the internet — and while I always enjoy playing CTFs with my workmates here at Würth Phoenix, I’m also part of the mhackeroni Team with whom I participate in CTFs in my free time.

As I set foot on the vibrant streets of Las Vegas, I couldn’t help but want to tell you about my journey. But first, why was I in Las Vegas in the middle of August? This year, mhackeroni earned a double qualification for two of the most important CTFs of the moment, the well-known DEFCON and the first CTF in space, Hack-A-Sat.

Ummm, who are mhackeroni? Oh well, mhackeroni is an Italian CTF team made up of several smaller teams from all over Italy. But before we start with that story, we need a little context…

What Are Defcon and Hack-A-Sat?

DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. Every year [~ WIkipedia] and the Defcon staff organize a CTF where the best teams in the world compete against each other. We have some experience with Defcon CTF, in fact we played in the finals for 2018, 2019, 2020, 2021 and of course, 2023.

Hack-A-Sat instead is a new event. It’s the world’s first CTF in space. In the previous 3 years they organized a space-themed CTF in the aerospace village at Defcon, but this year they launched a satellite into orbit just so it could be hacked.

I N C R E D I B L E

And YES, we did it, we won Hack-A-Sat 4!

The Noble Art of the Sysadmin: Preparing for the Las Vegas CTF Challenge

Recipe:

1 Suite
Food
Coffee
Food again
A thousand meters of optic fiber
A local mirror of Wikipedia, Stack Overflow, dnf, pip (yes, network problems are very common)
Other sysadmin stuff (router, server, angry…)

With that, if you’re a sysadmin, you now have all you need for a good CTF. But fortunately I’m not a sysadmin and so — poof, some networking magic — and we now have 10Gb WiFi.

This year we played from a suite in the Venetian (no, it’s not at all like the real Venice/Venezia, the water is too unnervingly crystal clear). We divided our suite into two sections, one for the Hack-A-Sat and the other for Defcon, I mostly played Defcon this year.

Day 1: The Hack Begins

Because no one gives out much information about Hack-A-Sat, we had to do some osint before the CTF. The day before they gave us the first instructions on how to contact the satellite, the language we would have to use, etc.

There are 5 ground stations around the world and we had an API for scheduling the tasks. We could contact the satellite only as it was passing over the ground stations, and during this period we could schedule tasks and get the logs for our previous tasks.

Defcon started the same day, 1 hour after Hack-A-Sat, so we split into two teams, each of which was made up of sub-teams per challenge. NOW we could finally start hacking…

And…we also hacked the Defcon scoreboard, sorry organizers <3, but we warned them about that bug. Anyway, they took away the illegally taken points and said they would fix it.

Also congrats to @mhackeroni for whatever this is 🤔 pic.twitter.com/DOpRj8dhTo
— Zach Wade (@zwad3) August 14, 2023

Day 2

We woke up and…

Ooooookay, nevermind, let’s keep on focus. On the second day Hack-A-Sat finished, but they didn’t tell us who was the winner, and we didn’t know anything about our score, or even if we had solved the challenges, because it was a human checking them and the scoreboard hadn’t been updated yet. So we continued hacking Defcon CTF.

During this switchover we experienced a lot of network issues in the arena: we had a 400Kb connection that wasn’t nearly enough for uploading the crucial network logs needed for the competition in the suite. As a result, those who were not actively working on a challenge at that moment started running back and forth with USB drives to bring us the logs. Not too funny for the sysadmin, but we laughed a lot.

(Yes, we did it, we hacked the scoreboard again)

Day 3: News and Meme

Finally from the arena came the news: we won Hack-A-Sat, and this is what happened:

Same announcement, different location 😀 thanks @hack_a_sat 🙏 https://t.co/Fc52s7Xl55 pic.twitter.com/As93EagWDH
— mhackeroni (@mhackeroni) August 18, 2023

Then Defcon was also over: tenth out of twelve, an excellent result for us 🙂

Our space photo from the moonlighter:

@DEFCON wrap-up time🌴 great to be back & our new friends from @aboutblankets joining! We managed an unbelievable win at @hack_a_sat finals: so happy we could bring our pasta capabilities to space 🛰️ Thanks for an out-of-this-world experience! Our gorgeous sat pic attached 😍 pic.twitter.com/iiUKE8JBai
— mhackeroni (@mhackeroni) August 20, 2023

Last words

As the dust settles on our exhilarating journey through Las Vegas, I find myself awash with a mixture of emotions—pride, satisfaction, and an insatiable hunger for more. As I conclude this chapter, I extend my deepest gratitude to my teammates, the vibrant city of Las Vegas, and the cybersecurity community that continues to inspire and push us forward.

Thanks folks, and here’s some meme for you

This guy is the reason why we played Hack-a-Sat to begin with. Thanks @chqmatteo 🙏 pic.twitter.com/5xMWQfi9lr
— mhackeroni (@mhackeroni) August 14, 2023

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.