Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

An illuminated MCH2022 sign composed of large LED letters

Mutually Crafted Happiness: How MCH2022 Happened

Just a few days ago, MCH2022, a six-day-long hacker camp in the Netherlands, concluded – bringing about three thousand hackers together to hang out. It was my first trip to a large hacker camp like this, as I’ve only been to smaller ones, and this story is coming from someone who’s only now encountering the complexity and intricacy of one. This is the story of how it’s run on the inside.

MCH2022 is the successor of a hacker camp series in the Netherlands – you might’ve heard of the previous one, SHA, organized in 2017. The “MCH” part officially stands for May Contain Hackers – and those, it absolutely did contain. An event for hackers of all kinds to rest, meet each other, and hang out – long overdue, and in fact, delayed for a year due to the ever-present pandemic. This wasn’t a conference-like event where you’d expect a schedule, catering and entertainment – a lot of what made MCH cool was each hacker’s unique input.

Just like many other camps similar to this, it was a volunteer-organized event – there’s no company standing behind it, save for a few sponsors with no influence on decisionmaking; it’s an event by hackers, for hackers. The Netherlands has a healthy culture of hackerspaces, with plenty of cooperation between them, and forming a self-organized network of volunteers, that cooperation works magic.

May (No Longer) Contain Hackers: MCH 2021 Has Been Cancelled

In a sad but unsurprising turn of events, MCH, this summer’s large hacker camp in the Netherlands, has been cancelled. Organising a large event in a pandemic would inevitably carry some risk, and despite optimism that the European vaccine strategy might have delivered a safe environment by the summer that risk was evidently too high for the event organisers IFCAT to take on. Our community’s events come from within the community itself rather than from commercial promoters, and the financial liability of committing to hire the site and infrastructure would have been too high to bear had the event succumbed to the pandemic. Tickets already purchased will be refunded, and they leave us with a crumb of solace by promising that alternatives will be considered. We understand their decision, and thank them for trying.

As with all such events the behind-the-scenes work for MCH has already started. The badge has been revealed in prototype form, the call for participation has been completed, and the various other event team planning will no doubt be well under way. This work is unlikely to be wasted, and we hope that it will bear fruit at the next Dutch event whenever that may be.

It would have been nice to think that by now we could be seeing the light at the end of the pandemic tunnel, but despite the sterling work of scientists, healthcare workers, and epidemiologists, it seems we still have a way to go before we’ll once more be hanging out together drinking Club-Mate in the company of thousands of others. If the pandemic is weighing upon you, take care of yourselves.