Winner’s Circle – 2024 Hacker of the Year

Alec Brandman, Levi Keyton, and Hailey Diaz, with the trophy.

The first round challenges participants to crack an introductory riddle with a hidden prompt. Participants encounter two riddles embedded in the webpage that hint at a modification required for the URL. By combining their answers to each riddle into a single, seamless phrase, they replace a specific URL segment to unlock the next stage. This round not only tests players’ riddle-solving skills but also introduces them to subtle techniques in URL manipulation—key for security practitioners.

For the second challenge, participants encounter a cybersecurity-themed quiz on a hidden page. To advance, they must correctly answer three foundational questions on cybersecurity, phishing, and the “Zero Trust” security model. Once all answers are correct, a message confirms success and displays the next clue. This round reinforces knowledge of key cybersecurity concepts and highlights the importance of foundational understanding to solve advanced challenges.

In Round 3, participants face a series of social engineering scenarios presented as cards, each with unique tactics like phishing emails, deepfake calls, and fake social media profiles. The challenge is to rank these scenarios from easiest to hardest to detect. Users are allowed only a limited number of attempts before a lockout temporarily restricts further guesses, emphasizing the importance of precision in identifying threat levels. A correct sequence reveals the next clue. This exercise deepens awareness of social engineering strategies, stressing the escalating sophistication of such attacks.

In Round 4, participants must “crack the password” through a double-hashed code provided on the page. The two hashes used were BASE64 and Caesar Cipher, the page subtly alluding to these methods without giving them away outright. Users have limited attempts to enter the correct password, with feedback guiding them on progress. If they exceed the maximum attempts, an “explosion” animation appears, temporarily locking them out and forcing them to wait or restart. A correct answer reveals the next clue. This round emphasizes the importance of cautious, methodical approaches when dealing with encrypted data, while introducing users to various cryptographic concepts, such as hashing and encoding.

Round 5 introduces participants to SQL Injection techniques, challenging them to manipulate input fields to retrieve a hidden message. Players interact with a form that simulates a vulnerable SQL query, testing their ability to exploit web applications. The challenge enforces a limited number of attempts before locking users out temporarily, emulating real-world security mechanisms against brute-force attacks. Successful injection reveals the next clue. This round emphasizes understanding SQL structures and potential weaknesses in input handling, underlining the importance of secure query practices to protect sensitive data.

In Round 6, participants simulate a Wi-Fi intrusion, testing their ability to identify a weak network and crack its password. Players are presented with a list of networks with varying security levels, such as WPA2 and WEP. Using social engineering clues, participants must deduce the password for a WEP-secured network based on public information—the phone number of Skyline Apartments. Successfully cracking the password reveals the next clue. This challenge emphasizes understanding of network security levels and showcases how simple, publicly accessible information can compromise weakly secured networks.

In Round 7, participants face the challenge of identifying real videos among deepfake forgeries. Presented with nine video clips, players must analyze each for subtle signs that distinguish genuine footage from AI-generated deepfakes. Only three clips are authentic, and participants are limited to four attempts to select the correct videos. Clues like unnatural facial movements, awkward lip-syncing, and mismatched lighting can reveal the fakes. However, with only a few chances, participants need to scrutinize each clip carefully. Success rewards them with the next clue. This round highlights the critical need for media literacy and deepfake detection skills as AI makes it easier to forge realistic video content.

In Round 8, participants face the classic Piccolo challenge, a repeat from last year. They must locate the Piccolo server hidden in a digital storm, using nmap to scan for open ports and telnet or nc to connect. This round is a test of network reconnaissance and exploitation techniques, challenging participants to navigate through potential ports, identify the accessible ones, and retrieve the next clue. As they engage with these tools, participants dive deeper into cybersecurity essentials, honing skills crucial for penetration testing and real-world networking. Success here unveils the next key to continue their journey.

In Round 9, participants tackle a honeypot challenge: they must enter the correct keyword without triggering hidden honeypot fields on a webform named “Website” and “Phone.” If these fields are filled, the system locks users out for five minutes, simulating real-world security measures. With only three attempts allowed, this challenge teaches players to avoid security traps, honing their skills in recognizing and navigating cybersecurity defenses.

For the final round, participants receive a simulated shortwave radio transmission with a sequence of numbers. The challenge is to decode the numbers using “Fieldata,” an old character encoding system developed in the 1950s for punch card systems and early computers. Each number corresponds to a character in the Fieldata encoding, which translates the transmission into the final clue. The solution requires recognizing the encoding and using it to decipher the message. Successfully decoding it reveals the final keyword, marking the end of this intense cybersecurity journey.