Hacky Holidays

Mission accomplished

Hacky Holidays - SPACE RACE has come to an end and the results are in! In a neck-and-neck race, Crews from all over the world attempted to be the first to get to planet Hackazon so they can build a new space village.

First of all, a big thanks to all participants who joined SPACE RACE and made sure that the Hacky Holidays mission was accomplished.

The race consisted of three phases where players had to (1) design their flag and build their space ship, (2) navigate through space toward planet Hackazon and (3) land on planet Hackazon and build their space village. Each phase introduced new hacking challenges that players had to solve in order to accomplish the goals of the respective phase. The participants got to test and train their skills on a range of different technologies such as cloud hacking, quantum computing, reverse engineering and abusing weak cryptography. When a challenge was successfully solved, the participant was awarded with a flag, which was worth points on the leaderboard. The space ship of the players grew larger as they progressed through the challenges.

There were two leagues in SPACE RACE, one for students and one for professionals, where the top 3 teams could win a prize. Finally, participants could win a prize for making a creative write-up or video walkthrough of their favourite challenge. Read on for facts about the event and to find out who are the winners. Do not forget to watch the after-movie to get an impression of the event.

Milestones

Hacky Holidays - SPACE RACE was a great success with 31 different challenges, 1400 active participants, 13.400 flags captured, estimated 10.707 hours played and participants from 111 different countries. The top 4 teams in the event (one student team and three professional teams) were able to solve all the challenges in the event. A lot of participants contacted the Hackazon Team to ask questions about the challenges and it was great to be part of their learning experience. Of course no game-changing hints were given that would influence the results of the top leaderboard. We have received a lot of feedback from participants that they learnt a lot of new things; played their first Capture the Flag and had a lot of fun solving the challenges.

The Deloitte team behind SPACE RACE had a lot of fun creating and supporting the event. Over the three weeks in which SPACE RACE took place, we answered your (100+) questions via e-mail, and even got to know some of you and your backgrounds a bit more. For those of you who played at the event launch, you will have noticed slow load times or pages erroring out – we had our fair share of challenges on an infrastructure level. We implemented lots of improvements to our platform over the course of the event to bring load times down by optimising backend queries and implementing caching. It was very much a learning experience for us as well. For instance, we didn’t expect people to brute-force a 14 million-entry password list against our flag submission endpoint, or attempting to find race conditions to obtain double the points. Some of you also submitted bug reports, which we attempted to resolve on the spot (thanks for that!).

It is that same creativeness that we also saw in solving the CTF challenges: more than once, people found ways to solve our challenges in ways we didn’t expect. It was great to read your write-ups and the team definitely learnt some new tricks from you too.

From a challenge infrastructure point of view, everything ran very smoothly. A lot of challenges required a unique system (docker container or a VM) to be launched for an individual user. To handle the load, multiple systems (pods) were available to run the challenges. This turned out to be more than sufficient for the event – even with fully virtualised Windows systems running in parallel.

In collaboration with

The Hacky Holidays team wants to thank everyone for being part of this event. A shout out to Knock Knock Studio for creating the epic Space Race story with awesome story writing, graphic and sound design, to Angelique Rijnsburger for animating the videos and to Becky van Paassen for the exciting Voice Over. Next, we want to thank everyone involved in creating challenges, which were provided by Deloitters from all over the world. Thanks to the Hackazon platform team, which offered the solid infrastructure. Also a shout out to all the marketing people who made sure that no one missed out on the Hacky Holidays experience.

See you at the next one!

And the winners are...

Top 3 student teams

Winner of our grand prizes per team:
🏆 1st place: [5665] ShellOnes - winner of 1337 USD
🏆 2nd place: [5440] TCache_Money - winner of 777 USD
🏆 3rd place: [5265] TechArmedEmus - winner of 337 USD 

Top 3 professional teams

Winner of a 50 USD M5stack voucher per team member:
🏆 1st place: [5665] bootplug
🏆 2nd place: [5665] PreIncrement
🏆 3rd place: [5665] 14_message

Best 10 writeups

Winner of 50 USD M5stack voucher:
🏆 1: Fiveplusfour - Engine Control [Pwn] 
🏆 2: Leonuz - Knock knock knocking on shuttles door [Web / PrivEsc] 
🏆 5: Nmcpher2 - Scorching [Redteam] 
🏆 6: Trenchesofit - TEASER: su admin [Web] 
🏆 7: Knittingirl - Engine Control [Pwn] 
🏆 8: Jojo1216 - Engine Control [Pwn] 
🏆 9: Oshawk - Engine Control [Pwn] 
🏆 10: AusCryptor - Under Construction [Web]  

Best 3 video-writeups

Winner of 50 USD M5stack voucher
🏆 1: Cryptocat - Knock knock knocking on shuttles door [Web / PrivEsc] 
🏆 2: Cryptocat - Stolen Research [Forensics] 
🏆 3: No other video write-ups submitted.  
 

🎉 Congratulations to all the winners of the event! 🎉  

How could you participate

Hacky Holidays has all sorts of challenges (technical puzzles) related to cyber security. Each of the challenges has a task description which give you a clue on how you can solve the particular challenge. An example challenge could be a web application in which you need to find a vulnerability that gives you administrative access. When you have successfully solved a challenge you will be given a flag, which is a piece of text, most of the times formatted as following: CTF{…}. When you find the flag you can enter it under the challenge description’s input field and you will be allotted the points assigned to the challenge. Each flag gives you a certain number of points that are counted towards your total score. Your score and those of other players and teams can be seen on the scoreboard of the event.

How could you join Hacky Holidays

The event was open from July 2nd till July 26th. You could participate in the event as an individual or as a team with a maximum of four members. Participants were able to register and invite others to their team once the event went live.

Participants could join the competition by going to hackyholidays.io. Only PC/laptop was required, and your favourite (hacking) tools and software (e.g. using Kali Linux). After signing up to the event the participants received access to all sorts of challenges in different categories such as web application hacking, cryptography, network security, cloud security, hardware hacking and reverse engineering.

If you have any questions about the event, feel free to contact the Hackazon team via hackazon@deloitte.com.

Solve challenges for a living

Does solving challenges during work time sound too good to be true? At Deloitte Cyber Risk Services it's part of your daily job. The skills that you learn solving hacking challenges are quite important in our job. Therefore, we train our hackers and cyber security specialists regulary on our own Hackazon platform. Interested in working for Deloitte?

Find our vacancies.

Hackazon by Deloitte

Hackazon is a platform developed by Deloitte which allows both students and professionals to constantly refresh and improve their technical cyber skills based on the latest developments in cyber security.

The Hackazon platform covers a broad range of cyber topics through challenge-based activities. The challenge materials are perfect for cyber students, developers, IT engineers, incident responders, security analysts and penetration testers but also has material to improve the security awareness for anyone without a technical focus.