In Its Second Year, JawnCon Was Bigger And Better

Starting a hacker con is hardly what anyone would describe as easy — but arguably, the truly difficult part is keeping the momentum going into the second year and beyond. For the first year, you can get away with a few missed opportunities and glitches, but by the time you’ve got one event under your belt, you’ll have set the bar for what comes next. There’s pressure to grow, to make each year bigger and better than before. All the while, making sure you don’t go broke in the process. Putting on a single hacker con is an achievement in and of itself, but establishing a long-running hacker con is a feat that relatively few groups have managed to pull off.

With this in mind, the incredible success of the second annual JawnCon is all the more impressive. The Philadelphia-area event not only met the expectations of a sophomore effort, but exceeded them in pretty much every quantifiable way. From doubling attendance to providing a unique and immersive experience with their electronic badge, the team seized every opportunity to build upon the already strong foundation laid last year. If this was the make-or-break moment for the Northeast’s newest hacker con, the future looks very bright indeed.

But before setting our sights on next year, let’s take a look at some of the highlights from JawnCon 0x1. While you can watch all of this year’s talks on YouTube, the aspect of a hacker on that can’t easily be recorded is the quality time spent with like-minded individuals. Unfortunately, there’s no way to encompass everything that happened during a two-day con into a single article. Instead, this following will cover a few of the things that stood out to me personally.

If you’d like to experience the rest of JawnCon, you’ll just have to make the trip out to Philly for 2025.

Continue reading “In Its Second Year, JawnCon Was Bigger And Better”

Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could  try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

Capture The Flag, Along With The Game Data

With events of all sizes on hold and live sports mostly up in the air, it’s a great time to think of new ways to entertain ourselves within our local circles. Bonus points if the activity involves running around outside, and/or secretly doubles as a team-building exercise, like [KarelBousson]’s modernized version of Capture the Flag.

Much like the original, the point of this game is to capture the case and keep it for as long as possible before the other team steals it away. Here, the approach is much more scientific: the box knows exactly who has it and for how long, and the teams get points based on the time the case spends in any player’s possession.

Each player carries an RFID tag to distinguish them from each other. Inside the case is an Arduino Mega with a LoRa shield and a GPS unit. Whenever the game is afoot, the case communicates its position to an external Raspi running the game server.

If you haven’t met LoRa yet, check out this seven-part introductory tutorial.

The United States Air Force Would Like You To Hack Into Their Satellite

The Air Force is again holding its annual “Space Security Challenge” where they invite you to hack into a satellite to test their cybersecurity measures. There are actually two events. In the first one, $150,000 is up for grabs in ten prizes and the final event offers a $100,000 purse divided among the three top participants (first place takes $50,000).

Before you get too excited, you or your team has to first qualify online. The qualification event will be over two days starting May 22. The qualifying event is set up a bit like the TV show Jeopardy. There is a board with categories. When a team solves a challenge in a category it receives a flag that is worth points as well as getting to unlock the next challenge. Once a challenge is unlocked however, any team could potentially work on it. There are more rules, but that’s the gist of it. At the end of the event, the judges will contact the top 10 teams who will then each have to submit a technical paper.

Continue reading “The United States Air Force Would Like You To Hack Into Their Satellite”

Capture The Flag Challenge Is The Perfect Gift

Nothing says friendship like a reverse engineering challenge on unknown terrain as a birthday present. When [Rikaard] turned 25 earlier this year, his friend [Veydh] put together a Capture the Flag challenge on an ESP8266 for him. As a software guy with no electronics background, [Rikaard] had no idea what he was presented with, but was eager to find out and to document his journey.

Left without guidance or instructions, [Rikaard] went on to learn more about the ESP8266, with the goal to dump its flash content, hoping to find some clues in it. Discovering the board is running NodeMCU and contains some compiled Lua files, he stepped foot in yet another unknown territory that led him down the Lua bytecode rabbit hole. After a detour describing his adjustments for the ESP’s eLua implementation to the decompiler he uses, his quest to capture the flag began for real.

While this wasn’t [Rikaard]’s first reverse engineering challenge, it was his first in an completely unknown environment outside his comfort zone — the endurance he demonstrated is admirable. There is of course still a long way down the road before one opens up chips or counts transistors in a slightly more complex system.

Facebook Open-Sources Their Capture-the-Flag Hacking Challenges

If you want to learn how to defeat computer security, nothing beats hands-on experience. Of course, if you get your hands on someone’s system without their permission, you may end up having a very short training that ends with a jail term. And that’s where capture-the-flag (CTF) events come in.

A CTF is a system of increasingly-difficult challenges that can’t be too easy or too hard. A well-designed CTF teaches all of the participants stuff that they didn’t know, no matter how far they get and what skills they came in with. Designing a good CTF is difficult.

But since it’s also a competition, running one also involves a lot of horrible bookkeeping for the folks running it. Registering teams and providing login pages is the dirty work that you have to do in the background, that takes away time from building the systems which others are going to take apart.

Which is why it’s great that Facebook is opening up their CTF-hosting platform, along with a few starter challenges, for us all to play along. We love CTFs and related hacking challenges. If this spurs the creation of more, we’re all for it. You can find the whole setup on GitHub.

If you’re new to CTFs, here’s an awesome collection of CTF-related material on GitHub to get you started. And if your tastes run more toward hardware hacking, we’ve covered previous firmware CTFs, but frankly there’s a lot more material out there. We feel a feature post coming on…

Thanks [ag4ve] for the unintentional tip!

Capture The Flag With Lightsabers

There’s a great game of capture-the-flag that takes place every year at HITCON. This isn’t your childhood neighborhood’s capture-the-flag in the woods with real flags, though. In this game the flags are on secured servers and it’s the other team’s mission to break into the servers in whatever way they can to capture the flag. This year, though, the creators of the game devised a new scoreboard for keeping track of the game: a lightsaber.

In this particular game, each team has a server that they have to defend. At the same time, each team attempts to gain access to the other’s server. This project uses a lightsaber stand that turns the lightsabers into scoreboards for the competition at the 2015 Hacks In Taiwan Conference. It uses a cheap OpenWRT Linux Wi-Fi/Ethernet development board, LinkIt Smart 7688 which communicates with a server. Whenever a point is scored, the lightsaber illuminates and a sound effect is played. The lightsabers themselves are sourced from a Taiwanese lightsabersmith and are impressive pieces of technology on their own. As a bonus the teams will get to take them home with them.

While we doubt that this is more forced product integration advertisement from Disney, it certainly fits in with the theme of the game. Capture-the-flag contests like this are great ways to learn about cyber security and how to defend your own equipment from real-world attacks. There are other games going on all around the world if you’re looking to get in on the action.

Continue reading “Capture The Flag With Lightsabers”