astronautrocket1rocket2asteroid

Can we count on you to unlock the city?

Battle it out against other teams from all over the world by solving all sorts of challenges related to cyber security and emerging technologies.
The competition is closed, but you can still play most of the challenges

Mission accomplished

Hacky Holidays – Unlock the City has come to an end and the results are in! We are overwhelmed with the great effort of every crew and individual in the battle against the rogue A.I. algorithm.

So a big thanks to everyone who joined Unlock the City and made sure that the Smart City returned to its peaceful nature.

Unlock the City consisted of three phases in which in every phase a new part of the city revealed additional challenges to be solved. During phase one, players had the opportunity to solve challenges in the districts of Science Park and Hacky Harbour. In the second phase, challenges of Commercial Avenue were unlocked. In the final phase, phase 3, the challenges in Downtown were unlocked at last, meaning that all challenges were made available to be solved. The participants got to test and train their skills on a range of different technologies such as cloud hacking, quantum computing, IoT, Industrial Control Systems, reverse engineering and abusing weak cryptography. When a challenge was successfully solved, the participants were awarded with a flag, which was worth points on the leader board.

There were two leagues in Unlock the City, one for students and one for professionals, where the top 3 teams in each league could win a prize. Finally, participants could win a prize for making a creative write-up or video walkthrough of their favourite challenge. Read on for facts about the event or click click here to jump straight to the winners. Do not forget to watch the after-movie

to get an impression of the event.

Hacky Holidays – Unlock the City was a great success with 33 different challenges, 1242 active participants, more than 10.000 flags captured, estimated more than 10.000 hours played and participants from 128 different countries. The team bootplug was the only team able to solve all the challenges in the event and thereby fully unlocking the city. A lot of participants contacted the Hackazon Team to ask questions about the challenges and it was great to be part of their learning experience. Of course, no game-changing hints were given that would influence the results of the top leader board. We have received a lot of feedback from participants that they learnt a lot of new things; played their first Capture the Flag and had a lot of fun solving the challenges. There was great creativeness in solving the CTF challenges: more than once, people found ways to solve our challenges in ways we didn’t expect. It was great to read your write-ups and the team learnt some new tricks from you too.

The Deloitte team behind Unlock the City had a lot of fun creating and supporting the event. Over the three weeks in which Hacky Holidays took place, we answered your (100+) questions via e-mail, and even got to know some of you and your backgrounds a bit more. From a challenge infrastructure point of view, it ran mostly smoothly. A lot of challenges required a unique system (docker container or a VM) to be launched for an individual user. To handle the load, multiple systems (pods) were available to run the challenges. This turned out to be more than sufficient for the event – even with fully virtualised Windows and Macintosh systems running in parallel.

The Hacky Holidays team wants to thank everyone for being part of this event. A shout out to Narwal Creative for creating the epic Unlock the City theme with awesome story writing, graphic and sound design. Next, we want to thank everyone involved in creating challenges, which were provided by Deloitters from all over the world, in specific our colleagues from Belgium, Finland, Bulgaria, Greece, Spain and Australia. Thanks to the Hackazon platform team, which offered the solid infrastructure. Also, a shout out to all the marketing people who made sure that no one missed out on our third Hacky Holidays experience.

See you at the next one!

And the winners are...

Top 3 student teams
2. Stinky_Inc5925 pointsWinner of 777 USD
1. ShellOnes6000 pointsWinner of 1337 USD
3. wforget5900 pointsWinner of 337 USD
Top 3 professional teams
2. Orion_square6300 points
1. bootplug6500 points
3. PreIncrement5900 points
Winners of a 50 USD M5stack voucher per team member
Best write-ups
0xAPPACloud Escalator Part 1[Web/Cloud]
EnscribePort Authority[PPC]
J0R1ANStop the Heist[Forensics/IR]
khr0x40shHistory Repeats[Network/Exploit]
pjg1Technical Debt[Network]
leonuzSecret Conve.rsa.tions[Crypto]
simonmysunUnlock Train Data[Pwn]
pantsuCity Control[Pwn]
cyberbutlerLocation Analysis[PPC]
MatildaLocation Analysis[PPC]
Winners of a 50 USD M5stack voucher
Best video write-ups
cyberbutlerRecover Pet Data[Web]
Hacking HelpAudible Transmission[Stego]
Arrow1337Protect the Supply[Forensics]
Winners of a 50 USD M5stack voucher

Challenges and solutions

Chemical plant

[#network #ics]

You can't see me

[#network #ics]

Audible transmission

[#stego]

Team Radio

Unlock the City

You've been officially chosen to compete in UNLOCK THE CITY from July 8. till July 26.

Help! The smart city is in trouble. An A.I. algorithm went rogue in the once so peaceful, intelligent city. It's chaos out there. To regain control and restore peace, we need a group of talented hackers. Each hacker or hacking team will unlock the city in phases by solving a set of challenges in four city districts. The city council has announced that the event's winner will be appointed "Mayor" of the City to sweeten the deal. Additionally, the best hacker in a particular district will become the "Sheriff" for that district. Can we count on you to unlock the city?

Phase 1 Hacky Harbour and Science Park

You passed the customs check point and entered the Hacky Harbour by spoofing the Hackazon Admin shield. The harbour is in total chaos, the ships are no longer on course; explosions have been spotted in the factory and even computers that have not been touched for more than 30 years have started to communicate on the network again.

Science, technology, and innovation are the city's key to the future. Unfortunately, the algorithm has attacked the Science Park; scrambling or hiding the formulas we need to function. As a result, we lost access to the cloud where some of the vital knowledge is stored. There have even been reports that the new high-tech particle accelerator has been turned on and is running out of control.

Phase 2 - Commercial Avenue

Commercial Avenue has been mayhem since the rogue algorithm has taken over the city. The NFT museum was hit hard with all images being scrambled and blurred, ATMs are infected with ransomware, ones and zeroes are flipped, payments and transfers are going to the wrong accounts, and the trading market has plummeted. This is even more visible in the city, with all the digital advertising billboards now displaying its propaganda.

Phase 3 - Downtown

The Downtown district has been plagued by hacked traffic lights (showing only smileys), communication systems are acting up, and it is dangerous to walk around in the city with self-driving vehicles driving around erratically. Other issues have been a cause of big annoyance, like pizzas being delivered to the wrong address with the wrong toppings, drones being stuck in the air, and cats being reported missing!

Mission debriefing

Looking back at what has been a great success we have, of course, one last gift from the restored Smart City for you. The Aftermovie! So sit back, grab a box of Space Popsicles and enjoy the ride (eehh.. race)!

What is in it for me

First of all, you will learn a lot about the various cyber security topics introduced in the game, but that is not all! You can also win a prize for creating a writeup or solving the most challenges. The winners will be announced on August 2rd on the Hacky Holidays website.

Top 3 student teams

  • 🏆 1st place: 1337 USD
  • 🏆 2nd place: 777 USD
  • 🏆 3rd place 337 USD

* Each member of a student team must sign up as a student and be able to provide evidence of being a student.

Top 3 non-student teams
🏆 The members of the top 3 non-student teams are awarded a 50 USD voucher which you can spend at the M5STACK webshop for your IoT hobby projects!

Best 10 writeups
🏆 We invite everyone who solved a challenge to write a creative and detailed writeup on how you solved the challenge. You must publish the writeup after the game has ended in order not to spoil the solution to anyone else in the competition (starting July 27th). Out of those writeups we will select the best 10 write-ups that will be rewarded with a 50 USD voucher which you can spend at the M5STACK webshop for your IoT hobby projects! You can participate by submitting (a link to) your writeup to hackazon@deloitte.nl until August 1st, 2022.

Best 3 video-writeups
🏆 We invite everyone who solved a challenge to (screen-)record a creative and detailed video-writeup on how you solved the challenge. You must publish the writeup after the game has ended in order not to spoil the solution to anyone else in the competition (starting July 27th). The write-up must be published on a publicly available platform. Out of those writeups we will select the best 3 write-ups that will be rewarded with a 50 USD voucher which you can spend at the M5STACK webshop for your IoT hobby projects! If you submit your video you also make a chance that your video write-up will be used in the aftermovie! You can participate by submitting (a link to) your video-writeup to hackazon@deloitte.nl until August 1st, 2022.

Note: Deloitte employees can play in the event but are excluded from winning a prize. The top X players refers to the entries on the scoreboard and is based on the total score of the team and the time of flag submissions. Participants can win a maximum of 2 vouchers by participating in Hacky Holidays.

How do I participate

Hacky Holidays has all sorts of challenges (technical puzzles) related to cyber security. Each challenge has a task description, which gives you a clue on how to solve the particular challenge.

An example challenge could be a web application in which you need to find a vulnerability that gives you administrative access. When you have successfully solved a challenge, you will be given a flag, which is a piece of text, most of the times formatted as follows: CTF{…}. When you find the flag, you can enter it under the challenge description’s input field, and you will be allotted the points assigned to the challenge. Each flag gives you a certain number of points that are counted towards your total score. Your score and those of other players and teams can be seen on the scoreboard of the event.

In order to join the competition, you just need a PC/laptop and your favourite (hacking) tools and software (e.g. using Kali Linux). When you have signed up for the event, you will be given access to all sorts of challenges in different categories such as web application hacking, cryptography, network security, cloud security, hardware hacking and reverse engineering.

Hackazon by Deloitte

Hackazon is a platform developed by Deloitte that allows students and professionals to constantly refresh and improve their technical cyber skills based on the latest developments in cyber security. The Hackazon platform covers a broad range of cyber topics through challenge-based activities. The challenge materials are perfect for cyber students, developers, IT engineers, incident responders, security analysts and penetration testers but also has material to improve the security awareness for anyone without a technical focus.

Learn more about Hackazon

Solving challenges for a living
Does solving challenges during work time sound too good to be true? At Deloitte Cyber Risk Services, it's part of your daily job. The skills that you learn solving hacking challenges are quite important in our job. Therefore, we regularly train our hackers and cyber security specialists on our Hackazon platform. Are you interested in working for Deloitte?

Find our vacancies

Let's connect

If you have any questions during the event you can ask them via hackazon@deloitte.com.

Manager

Rikkert ten Klooster

Rikkert is a security specialist at Deloitte Cyber Risk Services with over 6 years of experience as a security specialist and Red Teamer. Rikkert performs APT (Advanced Persistent Threat)

Partner

Dana Spataru

Currently engaged with building the IOT security practice in EMEA, including Industrial Control Systems and Cloud security. I am working on large cyber security transformations


Partner

Frank Groenewegen

Frank Groenewegen is an outspoken security leader with over 20 years of experience in helping organizations become more resilient to cyber attacks. He is a trusted advisor who helps