Continuing with our wildly-popular “Hac-Man” theme that we introduced at DEF CON 30, and brought back last year at DEF CON 31, I)ruid again collaborated with lots of hackers to produce Hac-Man for a third year! Each year we have managed to drastically improve our Scramble gaming platform. We accomplished a lot more with the game this year. We also introduced some new and exciting challenges, some of which had external API integration to other technology systems.
To get players started, we again printed and distributed 3000 Hac-Man information cards around the conference and of course posted its image on social media. We were again officially registered as a DEF CON Contest and had a location in the Contests area! The information cards for this year looked like this:
If you’re unfamiliar with Hac-Man, we suggest you read the beginning of our first year write-up from DEF CON 30, as it explains how the game looks, plays, and other mechanics, which we will not duplicate here.
Winners were again determined by our points leaderboard. Where in previous years we gave away some video game themed prizes, this year we stuck to mostly hacker tools and devices for the prizes, such as a HackRF One, WiFi Pineapple, Raspberry Pi, Flipper Zeros, and lock pick sets. As always, we had some book prize donations from our friends over at No Starch Press, “the finest in geek entertainment”. The full prize list in the game looked like this:
The game had 103 individual challenges and puzzles across the Tutorial, 10 subject-matter specific categories, and the Final collection of challenges. We won’t be detailing every single challenge here in this post, but rather a few of the more interesting or memorable ones from each category.
Tutorial Track
Continuing the format from last year, we kept the super simple Tutorial Track at the beginning of the game that helps players get familiar with the Scramble platform, the game mechanics, how the challenges work, and introduces them to a few common types of challenges that they’ll be interacting with throughout the rest of the game. These challenges are fairly simple and should allow most Players to pass them and reach the Lobby Maze, which is the game’s hub area where Players can then easily reach all of the subject-matter themed Mazes and their challenges.
Upon completing the final challenge in the Tutorial Maze, Players were instructed to come by the Hac-Man booth in the Contests area to get a prize, a set of Hac-Man stickers! If you missed out on these stickers, you can now purchase them from the Rogue Signal Shop.
The game also added something mysterious to the Player’s inventory, a chunk of Python code… What could that be??
Lobby Maze
After completing the Tutorial Track, Players progressed to our “Lobby Maze”, a maze where there were many tunnels leading off the left and right sides of the maze to subject-matter specific Mazes.
In this maze there was also fruit that would spawn near the center, which Players could collect and spend to unlock hint and location information about individual challenges that they might be stuck and need help on. The fruit were also worth some points, and would re-spawn every 30 minutes after being eaten, so a Player could potentially rack up some extra bonus points from diligently eating fruit shortly after it re-spawned each time.
Finally, at the top of this maze was a locked door, leading to the Final Track of challenges, which would remain locked until the Player had completed at least one of the other subject-matter specific tracks.
Ciphers Challenges
We always try to include some ciphers and codes in our game each year, and this year was no different. Like most Tracks of challenges, the Ciphers challenges were a Track of 10 challenges getting progressively more difficult ranging from trivial to extremely hard in difficulty.
This year’s collection of ciphers was fairly eclectic and definitely had some strange ones, including some that were very visual like a dominos based cipher.
Rotten to the Core
| Hint: | Letters in “core” |
| Location: | dcode.fr |
| Challenge: | EttpiWpmgi |
We almost always start out the Ciphers section of challenges with some kind of simple rotation cipher, as they are the most familiar and approachable for everyone, however rather than a simple Caesar or ROT-13 cipher, we try to make them just slightly more challenging. This one is indeed a simple rotation cipher like ROT-13, but uses a 4 character offset rather than 13, as clued by both the challenge title as well as the challenge hint. The decoded message would solve this challenge.
Going Royally Postal
| Hint: | |
| Location: | |
| Challenge: |  |
This cipher was just a simple barcode encoding, however it is a specific one called RM4SCC that the UK Royal Postal Service uses and is not likely to be decoded by a standard bar code scanner. We used the Tec-IT Royal Mail 4-State barcode generator to create this barcode. To solve this challenge, Players could either find a scanner that could decode it, or they could manually decode it by hand using a translation table. The resulting decoded message entered into the game solved this challenge.
Based Dominos
| Hint: | 7 Values |
| Location: | https://www.rapidtables.com/convert/number/base-converter.html -> https://www.rapidtables.com/convert/number/hex-to-ascii.html |
| Challenge: |  |
This string of dominos simply represented a string of numbers: 1, 1, 0, 5, 4, etc. Given the possible numbers available using dominos, 0 through 6, gives you seven values total, which was also the challenge’s hint. This hinted at decoding the values from Base-7 into ASCII. If Players couldn’t accomplish this themselves, the Location hint gave Players two tools that could be used to accomplish this, converting from Base-7 into hexadecimal, then from hexadecimal into ASCII. The resulting decoded message solved this challenge.
Dolphinspeak
| Hint: | Dah! Dat’s dits. Duh. |
| Location: | Puzzle’s Backpack |
| Challenge: | Find Puzzle’s backpack. Do you even speak dolphin, bro? What’s the wrong word in the message? |
This challenge first tasked Players with finding Puzzle and her backpack. To make this easier, Puzzle was being GPS tracked and could be found with the help of a real-time map that we linked to in the Location info. Once found, Players could discover on the back of her backpack was a dolphin with a message:
The dolphin’s message was constructed of clicks and eeks, which Players might have immediately recognized as potentially Morse code, but if they didn’t the challenge hint cluing them into dits and dahs should have gotten them there. Decoding the dolphin’s message from Morse code resulted in the message “So long and thanks for all the hax”. Recognizing or looking up the original quote would allow the Player to identify the wrong word in the message and solve the challenge.
Spin It
| Hint: | Circular |
| Location: | |
| Challenge: |  |
This challenge was a simple substitution cipher using an encoding that we found on Pinterest simply called “Circular Glyphs”. Arranging the plaintext into a grid of 5×5 letters allowed us to create this square pattern using the glyphs. Decoding the glyphs into letters and then putting all five rows together allowed Players to solve this challenge.
Intrepid Short Story
| Hint: | Ottendorf [P,W] |
| Location: | Short Story Contest 27 |
| Challenge: | [3,28] [6,10] [8,20] [1,50] [11,6] |
We love Ottendorf ciphers because you can build them out of all kinds of printed or structured text, and for this challenge we found an old story called “Intrepid Ones” by Robotron that was submitted to the DEF CON 27 Short Story contest. Given that the contest requires stories to be submitted in plain text, all of the stories are available in TXT files. This format leads to fairly minimal formatting, represented in our Ottendorf cipher key as a simple two value pair. In the text file, there are only paragraphs, sentences, and words as structure, so the two values could be fairly easily identified as paragraph and word, or this information could also be gleaned from the challenge hint. Decoding the message by counting the paragraphs and words within those paragraphs allowed Players to solve this challenge.
German Structure
| Hint: | French defeated Germans 1914 |
| Location: | dcode.fr |
| Challenge: | Determining the key is the name of the game! Since when did NULL == 3? TXNMYEILZA |
Identifying this cipher, its key, and configuring the decoder properly was a bit difficult. The inclusion of “NULL == 3” in the challenge both helped identify the cipher as one that needed “null letters” removed as well as telling you one of the values to configure the decoder with. The hint about the French defeating Germans in 1914 could help the Player identify that the cipher was one used by the Germans during WWI. The message in the challenge about the key told Players, literally, that the key is the name of the game (“HACMAN”). Once the Ubchi cipher was identified, the correctly configured dcode.fr tool could easily decipher this challenge’s ciphertext and allow the Player to complete the challenge.
Greeting Rotation
| Hint: | Phonetic Japanese |
| Location: | dcode.fr |
| Challenge: | Left and Right are simply LEFT and RIGHT. チャオ! FONBTCQ |
This challenge gave the Players some Japanese characters to work with and the clue that this cipher had something to do with left and right. The name of the challenge also clued the Player into it having something to do with rotations. Translated to English, the Japanese says “Chao”, directing the Player to the Chaocipher, which is a cipher that uses rotating disks with custom alphabets on each, a left disk and a right disk. A common way to create alphabets that would be used on disks such as these is to put a word with no repeating letters at the beginning of the alphabet and then put the remaining letters in the normal sequence for the rest of the alphabet. If the Player constructed two alphabets using LEFT and RIGHT as the beginning words, then the Player had the correct alphabets to configure the dcode.fr tool to decipher the message and solve this challenge.
Squared Maze
| Hint: | Square the Square |
| Location: | Hac-Man Puzzle Board |
| Challenge: | 16 61 74 12 76 71 22 67 46 14 73 23 75 55 53 32 17 24 15 25 65 66 62 43 44 22 31 23 41 14 31 34 24 23 31 |
This challenge provided the Player with a grid of numbers and then a second string of numbers. The name of the challenge as well as the hint clued the Player into using the Polybius Square cipher, which uses a square grid as a key. The Hac-Man maze final puzzle board at the booth was also arranged in a grid and provided letters in each space:
By using the grid numbers from the challenge as row and column coordinates along with the puzzle board, the Player could construct the square values needed to configure the dcode.fr tool to decipher the second string of ciphertext and solve the challenge.
Time is of the Essence
| Hint: | Time Lords |
| Location: | Sherman’s Planet |
| Challenge: |  |
This challenge presented Players with just an image. If the Player wasn’t already a giant nerd and could identify this writing system on sight, the hint and location info should have directed Players toward Sherman’s Planet and the fictional writing system that the Time Lords in the Doctor Who universe use, Gallifreyan. While there are a myriad of tools available to create Gallifreyan glyphs from English, there were unfortunately no good tools available to decode Gallifreyan, so most Players likely had to learn the writing system and decode it by hand. Perhaps AI systems could do this now? Correctly decoding the glyph back into English resulted in the message used to solve the challenge.
Radio Challenges
A new challenge category this year, and one that was incredibly fun to create, was a set of challenges based around radio technology. We brought an RF radio transmitter, various LoRaWAN devices, and other radio gadgets to DEF CON to use in our Radio challenges. There was a lot going on!
Scan the Backpack
| Hint: | 13.56 MHz |
| Location: | Puzzle’s Backpack |
| Challenge: | Track down Puzzle and her backpack and scan it! See what you find… |
This was another challenge that tasked the Player with tracking down Puzzle and her backpack to scan it… but how? With what? The hint of 13.56 MHz would clue Players in that there was an RFID tag somewhere on the backpack. Scanning around the backpack with an RFID reader would find an RFID tag that would respond with the code needed to solve this challenge.
Pirate Radio
| Hint: | 103.1 |
| Location: | Contests Area |
| Challenge: | Find the Hac-Man FM Pirate Radio station and listen in… |
The location info suggested that Players be in the Contests Area because our “pirate” radio station was only broadcasting around 200ft per FCC regulations for unlicensed broadcast. By being near the Hac-Man booth and scanning the FM airwaves, or getting the frequency from the challenge hint information, Players would find our pirate radio station on 103.1 FM, playing a dozen or so video game themed songs on rotation. In between these songs were station identification as well as number sequences such as you might hear on radio “numbers stations”. Each sequence was unique, beginning at the top of the play list with a sequence using only 0 and 1, the second one using numbers 0, 1, and 2, the third using 0 through 3, and so forth. Each sequence was the same message encoded in different base numbering systems beginning with binary and going up through octal and hexadecimal. Decoding any of these sequences resulted in the same message which could be used to solve the challenge.
WiFi Hunt
| Hint: | 2.4 GHz |
| Location: | Westgate Hotel |
| Challenge: | To reach the Eastern Tower, You must go through the West Gate. One less than a Blackjack you seek to rise, To find the signals that are your prize… The signals are weak so to find them all, You may need to be close to the wall. |
This challenge tasked the Player with locating a WiFi 2.4 GHz signal somewhere at the Westgate Hotel. If “West Gate” in the challenge didn’t clue the Player into the location of the WiFi signal, the location info certainly did. Once at the Westgate, Players would need to search the Eastern Tower of the hotel on floor 20 (one less than a blackjack). Unfortunately our WiFi equipment we used for this challenge was a bit weak, so we also hinted that you’d need to scan close to the walls to find the signal. Once the signal was found, the WiFi AP was broadcasting multiple SSIDs. Each SSID was a ciphertext, again encoded in various number systems beginning with Base-8 (octal), Base-10 (decimal), Base-16 (hexadecimal), Base-32, Base-58, Base-64, Base-92, and Base-100 using emojis. Decoding any of these SSIDs into ASCII would result in the message needed to solve the challenge.
Meshtastic
| Hint: | 915 MHz |
| Location: | Contests Area |
| Challenge: | Identify the Hac-Man node on the Meshtastic network. What is the emoji used for its short name? |
This challenge tasked the Player with finding the name of the Hac-Man node on the Meshtastic mesh network. This could be done a few different ways, such as joining the default LongFast channel on the wider Las Vegas area network, or by coming by the Hac-Man booth where one of our signs has a QR code to join the Hac-Man dedicated channel. Once listening to the correct network, the Hac-Man meshtastic node would broadcast its location about every five minutes, revealing itself. Entering the name of the node would allow Players to complete this challenge.
Crack the WiFi
| Hint: | 2.4 GHz |
| Location: | Hac-Man Contest Area |
| Challenge: | Crack the Hac-Man contest network’s password. What is the password? |
This challenge required Players to come by the Hac-Man booth and attempt to crack the Hac-Man WiFi network’s password. The network was configured to 2.4 GHz and WEP security, which is vulnerable to a number of attacks, however because there was not much traffic on this network it made it much more difficult to execute such attacks. Once a Player managed to crack the password, entering the password into the game allowed them to complete this challenge.
Beartooth
| Hint: | 902 MHz – 928 MHz |
| Location: | The Eleet Network |
| Challenge: | Connect to our elite Beartooth network. Use the OpenWRT firmware marker found between the static firmware and the jffs2 filesystem as the network encryption code. Identify the gateway node. What is the name of the gateway? |
This challenge tasked the Player with connecting to an encrypted Beartooth network to identify the gateway node. This challenge was quite difficult as Beartooth is very expensive, proprietary hardware. Aside from having your own Beartooth equipment, a Player would have to likely build their own connection tool using open radio software or hardware to be able to connect. Finding the network encryption code was not too difficult as we told the Player exactly where to find it in the challenge, however connecting to the network was the difficult part. Once connected, identifying the name of the gateway node is trivial. Entering the name of the node into the game solved this challenge.
“In Print” Challenges
Another new category for this year, we had a bunch of challenges focused on things you would find in print (“hardcopy… ewww.”) Things like the local newspaper, the PHRACK 71 hardcopy edition printed just for DEF CON, the conference booklet, books and magazines, and other various printed materials, made this set of challenges a bit of a combination scavenger hunt. Again, we LOVE Ottendorf ciphers, and this category gave us a lot of opportunity to use them!
2600 Magazine Volume Forty-One Number Two
| Hint: | SOWPODS [L,W] |
| Location: | Book Store Magazine Rack |
| Challenge: | Turn your calculator upside down and tell us what this message is: [29,06] [58,10] [39,01] [01,10] [46,06] |
This challenge was an Ottendorf cipher using key [L, W] (line, word) built from 2600 Magazine Volume Forty-One Number Two. In this issue there is an article called “I Sell Shoe Oil” about typing words that are readable on calculators when they’re turned upside down. This article included a word list labeled “Found words in SOWPODS”, which are words found in the Collins Scrabble Words (formerly SOWPODS) that can be written upside down on a calculator. Using this list as the source material for the cipher would result in the plaintext message needed to solve the challenge.
DEF CON Program
| Hint: | [P,L,W] |
| Location: | Conference Registration Materials |
| Challenge: | The answers to your questions will be COVERED in the order they are presented. [??,12,06] [??,21,07] [??,41,02] [??,25,08] [??,33,02] [??,12,06] [??,30,03] [??,34,09] [??,21,13] [??,01,01] [??,03,02] [??,05,04] |
This challenge was obviously another Ottendorf cipher, except the first value of each coordinate was missing! Where to find the values? The challenge name and first part of the challenge text clued Players in to needing the conference program and, more specifically, its cover. The number of letters on the cover matched the number of missing page values in the coordinates, so taking the number of each letter in the alphabet gave the Player the values needed for the coordinates. Once the Player had the full coordinates, solving the cipher using the program booklet was straightforward. This would result in the plaintext message required to solve the challenge.
Las Vegas Sun Fri Aug 9th / Sat Aug 10th
| Hint: | Crossword |
| Location: | Newsstand |
| Challenge: |  XWORD: D21:1-3 A5:1-5 D38:2-3 D67:1-3 |
This challenge was fun as we changed it every day to use the current day’s newspaper. The challenge method didn’t change but the clues and the answer did. This challenge pointed the Player at the crossword puzzle in the local daily newspaper, the Las Vegas Sun. The coordinates would point you at a particular (D)own or (A)cross word, and then a string of characters from each word, so Players needed to solve enough of the crossword puzzle to have solved the target words. Concatenating all of the characters together into a single string would solve this challenge.
DEF CON Trading Cards
One of our very favorite things that happened at DEF CON this year was the introduction of the DEF CON Trading Cards. These collectible cards were distributed around the con and included cards for famous hackers, various Goons, some projects, contests, and other interesting things around con. We were able to find out about them early and get them included in our game!
| Hint: | @DefconRaffle |
| Location: | Around DEF CON |
| Challenge: | Find the Hac-Man trading card and SHA-256 hash the card text area on the card (not including the URL). |
This challenge tasked the Player with locating the Hac-Man trading card and then hashing with SHA-256 the card text. The resulting hash would solve this challenge.
Phrack 71
Another really cool thing that happened at DEF CON 32 was a hardcopy print edition of Phrack! Phrack 71 was printed in paperback format and distributed around the con. We got a case to distribute ourselves, from which we hid a few around the con, dropped some at our closest Information Booth, and just generally gave them away throughout the conference. They were very well done, however the advance PDF that we were given to work from had page numbers, whereas the printed edition did not! We had to update our challenge hint mid-game to tell Players where to start counting the page numbers…
| Hint: | [P,L,W] ToC is Page 1 |
| Location: | Around DEF CON |
| Challenge: | [5,13,8] [182,14,4] [18,9,2] [171,16,6] [140,10,14] [12,22,7] [142,34,8] |
This challenge was your standard Ottendorf cipher, but in order to solve it, Players had to find a copy of the VERY sought-after print edition of Phrack 71. Decoding the message would allow Players to solve this challenge.
EFF Playing Cards
Another super cool thing that was around DEF CON this year was the EFF Playing Cards featuring HTTP response codes on each card. These were not available at the EFF booth until after the EFF’s fundraising Poker Tournament event, however they were too cool for us not to build a challenge around, so we did!
| Hint: | Work Backwards |
| Location: | The EFF Booth or Poker Tournament |
| Challenge: | In a faraway kingdom, there lived four royal families, each ruling over their own suit: Hearts, Diamonds, Clubs, and Spades. Each family consisted of a King, a Queen, and a Jack. One day, a great mystery emerged when a precious jewel was stolen from the royal treasury. To solve the mystery, you must determine which royal character is guilty. The royal investigator, the Ace of Spades, began questioning each member of the royal families. Here’s what they said: Hearts: King of Hearts: “I was in the garden with the Queen of Clubs.” Queen of Hearts: “I saw the King of Diamonds in the library.” Jack of Hearts: “The Queen of Spades is innocent.” Diamonds: King of Diamonds: “The Jack of Clubs was with me in the library.” Queen of Diamonds: “I was having tea with the Queen of Spades.” Jack of Diamonds: “The King of Hearts is telling the truth.” Clubs: King of Clubs: “I was in the garden with the King of Hearts.” Queen of Clubs: “The Jack of Diamonds is lying.” Jack of Clubs: “I was in the library with the King of Diamonds.” Spades: King of Spades: “The Queen of Hearts is innocent.” Queen of Spades: “I was having tea with the Queen of Diamonds.” Jack of Spades: “The King of Clubs is lying.” The Ace of Spades knew that only one member of each family was telling the truth. Based on these statements, who is lying and is the guilty one? Tell us the name of the HTTP response of the guilty party. |
This challenge was a logic puzzle themed around the royalty found in a deck of cards. Once a Player had solved the logic puzzle and knew which card was the guilty party, they needed to find the HTTP response code on that card. Entering the correct response code and message into the game solved this challenge.
#BadgeLife Challenges
What really is DEF CON without BadgeLife? The badge building, collecting, and hacking culture around DEF CON has been growing for years and is now an indispensable part of the conference and its culture. DEF CON wouldn’t be the same without the badges. To celebrate this, and bring even MORE interaction with various badges to our Players, we brought back the #BadgeLife category of challenges.
Cicada Invada
| Hint: | No comment. |
| Location: | Hacker Warehouse |
| Challenge: | Follow the Badge’s QR to find the hidden question. What is the answer? |
This challenge tasked the Player with finding the badge in order to scan its QR code. This QR code took the Player to a website. Hidden in the HTML comments of the website was the following question:
This year, two large broods of cicadas in the Midwest and southeastern U.S. surfaced simultaneously. One brood surfaces every 13 years and the other every 17 years. In what year was the last time these two broods surfaced simultaneously?
Entering the answer to this question would solve this challenge.
BigFuckingOOTBadge: Ocarina
| Hint: | Simultaneous Buttons |
| Location: | Hacker Warehouse |
| Challenge: | The greatest volume one must vet, Whilst pressing three buttons, none unset. Always up but never down, The other two are how you turn around. Pressing these will start your task, The first 24 of the final color sequence is what we ask. Enter the answer in the format of the first letter of each color separated by commas, using ‘o’ for off. Example: “”r,o,o,b,g,o,r””… etc. |
This challenge tasked the Player with finding the “Big Fucking Badge”. It should be obvious which one this is, it’s HUGE. Like, obnoxiously big, and that’s the point. This year’s BFB was themed after the ocarina from The Legend of Zelda: Ocarina of Time video game. You could press its buttons to play music. Deciphering the riddle, it instructed players to set the volume to maximum and then press the up, left, and right buttons simultaneously, which would get you into a mini-game on the badge. Once the mini-game was completed, the badge displayed a sequence of colored lights. Entering the first 24 of the colors in the sequence (including off) would solve this challenge.
UberBox
| Hint: | Send & Receive |
| Location: | https://shop.uberfoo.net/ |
| Challenge: | Only one can send, the other must receive… “CHALLENGE: Hac-Man” |
This challenge tasked the Player with locating at least two of the UberBox badges at the same time. The UberBox badge could send and receive messages between them in a challenge/response method. Entering the challenge “Hac-Man” on one would cause the other to display an easter-egg message instead of the normal response. Entering this easter-egg response into the game would solve this challenge.
Dante’s Inferno Badge
| Hint: | USB tty |
| Location: | https://www.tindie.com/products/redactd/dantes-inferno-badge/ |
| Challenge: | Get the badge into adventure story mode and tell us, who’s the first character you meet? |
This challenge was pretty straight-forward and tasked the Player to find the Dante’s Inferno badge and go into story mode and begin playing the story. In the story you meet various characters. Entering the name of the first character you met would solve this challenge.
Mad Hatter Auto Revelator
| Hint: | Mormon Honeybee |
| Location: | Hacker Warehouse |
| Challenge: | The holder of the book has “Gone Mad”. 𐐡𐐀𐐔 𐐜 𐐒𐐡𐐂𐐀𐐢 |
This challenge tasked the Player with hunting down one of the Mad Hatter Auto Revelator badges. On the badge, there is a man in a hat, presumably a “mad hatter”, holding a book. The script on the book and in the challenge is the same and needed to be identified. The challenge hint may clue the Player in as searching for the key terms uncovers that according to the Book of Mormon, in the language of the Jaredites, “deseret” meant “honeybee”. Deseret was a proposed State of the United States by the leaders of the Church of Jesus Christ of Latter-day Saints who had founded settlements in what is today the State of Utah. The Deseret alphabet is a phonemic English-language spelling reform developed between 1847 and 1854 by the board of regents of the University of Deseret. Using a Deseret translator, the Player can decipher the message written in Deseret in the challenge, which reads “READ The /B/R/AH/EE/L/”. Around the edges of the badge are solder points that are arranged in braille letters. Reading these letters reveals a message which when entered into the game solved this challenge.
VetCon Badge
| Hint: | Based Numbers |
| Location: | https://shop.threathunter.ai/collections/vetcon |
| Challenge: | Check these digits: 02: 01001100011101010110100001101110? 06: 331142020542? 08: 114165150156? 10: 076117104110? Puzzle = ???? |
This challenge tasked the Player with finding the check digit at the end of multiple strings of numbers, as clued by the request to “check these digits”. The strings of numbers being represented in different bases was a bit of a red herring as the Player did not need to change these values in any way, but rather run the Luhn check digit algorithm on them to determine what each one’s final check digit (“?”) would be. Running the algorithm on each resulted in four numbers, which when put together in the same order as they were listed, resulted in a 4 digit number. The VetCon badge had a “Puzzle” section in its menu which would take four digit values as input and would return a related text string. Entering the text string into the game would solve this challenge.
Phobos-V
| Hint: | PGP |
| Location: | Badge Filesystem |
| Challenge: | Scattered throughout the badge you will find pieces. Reassemble them and within you will find your answer. What is in the file? |
This challenge tasked the Player with finding chunks of a file that were scattered throughout the filesystem of the badge, as well as the PGP key needed to decrypt the reassembled file. Each chunk was named “hac-man.bin-##” so not too difficult to find. The PGP key was simply available in the GPG keyring. Decrypting the file and telling the game what was found inside would solve the challenge.
RogueWave WiFi Hunter
| Hint: | Crack the data |
| Location: | Badge Filesystem https://shop.1337sheets.com/ |
| Challenge: |  There is a badge at the Hac-Man booth. What is the secret phrase on the badge? |
This challenge was quite complicated and tasked the Player with finding a secret phrase on the badge. The badge was designed to connect back to someone attempting to access it, so the Player had to trigger this response and then have a WiFi AP waiting for the badge to connect back to. Once connected, it could be accessed and the Player could find the file on the badge filesystem. The Player would then need to crack this file in order to get its contents, which would solve this challenge.
Social Challenges
We’re all anti-social hackers trying to fake it ’till we make it by going to a conference, right? One of the goals of our game is always to get our Players socializing, collaborating, and making new friends. This set of challenges is specifically focused on doing just that! Challenges such as taking group selfies with new friends, joining the game’s Discord channel, interacting with the DEF CON social media accounts, interacting with Goons, and more are what these challenges are all about. We won’t detail them here, you just had to be there!
Green Scavenger Hunt
I)ruid brought back his “green scavenger hunt” again this year where every item is green and the points do matter! Players had to pay particular attention to the instructions and descriptions of the items, because I)ruid is a pedantic asshole and loves to reject items! This year’s item list was:
| Item | Description | Points |
| Three Limes | Three whole and uncut lime fruits. | 3 |
| Green Pen | A Pilot brand Precise Rolling Ball V5 Extra Fine green ink pen. | 7 |
| Green Socks | A pair of mostly green socks. | 10 |
| Green Book | A bound book what’s entire cover, including spine, is the color green. | 15 |
| Green Hotel Key Card | A green colored hotel key card. | 20 |
| Green Casino or Poker Chip | A green colored casino or poker chip. | 25 |
| Green Velvet Cupcake | A green velvet cupcake with green frosting. | 30 |
| Lockbox Green Contents | The green item from inside the Hac-Man lockbox. | 45 |
| Green Breadboard Circuit | A green colored breadboard with a functional circuit in it. | 60 |
| Unique Green Badge | A green colored badge that I)ruid doesn’t already have. | 85 |
NFC Hunt
Another scavenger-hunt of sorts is the NFC Hunt! In the past, this part of the game has been very popular, and gets people out and walking around the conference, the surrounding area, and the greater Las Vegas area. This year we mostly contained it to the convention center and immediate surrounding area. The NFC tags were stickers that looked like this:
All of the NFC tags could be generally located using this map and the photos attached to each challenge, however in a multi-level building like the convention center, only having the approximate latitude and longitude coordinates made for some tricky fun in hiding the tags. The challenge for US was keeping all 10 available, as many locations did not like our stickers and would remove them periodically, which we would then have to change or replace. This set of challenges was very much a moving target! Here’s a photo gallery of some of the locations that the NFC tags were placed:
Packet Analysis Challenges
This track of challenges was provided by our friend and collaborator, PrestonZen. Rather than duplicate effort, we’ll just link you to his writeup of these challenges, found HERE.
Bitcoin Challenges
This collection of challenges were all about Bitcoin! Challenges involved various amounts of novice to experienced user skills, blockchain analysis, some returning challenges from our friend and collaborator, D++, and finally a wallet cracking challenge. A bonus for Players who had configured their LNAddress during the Tutorial is that every challenge in the Bitcoin category would pay them a reward in sats upon completion!
Seed Words
| Hint: | BIP-39 |
| Location: | New Wallet |
| Challenge: | Create and submit a valid set of 12 seed words. Enter the words with a space between each word. |
This challenge tasked the Player with submitting a valid set of 12 wallet seed words. The hint pointed Players to the related specification and/or word lists, however this challenge isn’t as simple as just picking 12 words, as one of the words is a checksum word. If the checksum word didn’t check out, it was not a valid set. Crafting a valid set either by hand or using a wallet generator and entering the words into the game would solve this challenge.
Lightning Invoice
| Hint: | Pay it! |
| Location: | Lightning Wallet |
| Challenge: | Demonstrate that you know how to pay a Lightning invoice by paying this one. Submit once to create invoice. Pay it, then click the button to check if it has processed. When it has been processed, the challenge will be solved. <UNIQUE DYNAMIC QR CODE> |
This challenge would generate a unique Lightning Invoice for the Player to pay a small amount of bitcoin using their Bitcoin Lightning wallet. Paying the invoice and then clicking the check button would solve this challenge. All bitcoin received through this challenge went back into the prize pool for other Players to win by completing Bitcoin challenges!
Trace the Coinbase
| Hint: | Use a Blockchain Explorer |
| Location: | Bitcoin Blockchain |
| Challenge: | The majority of the Bitcoin sitting in address 1KWSBZAZKKmpujfyxi7UMTFKRaq6xyNvAG came from a single block’s coinbase. What block number is it? |
This challenge tasked the Player with finding a particular Bitcoin address in the Bitcoin blockchain and then tracing its sources backwards through the blockchain to an originating coinbase transaction (a new bitcoin block that created the coins in question) and then telling the game what block number it was that mined those coins. Entering the block number into the game would solve this challenge.
D++ Manual Mining Challenge
| Hint: | Crowd or Script |
| Location: | Internet |
| Challenge: | Visit D++’s Mining Simplified webpage. Guess a valid nonce to “mine” a block at the given difficulty target! Any valid nonce will solve this challenge. |
This challenge, created by D++, teaches the Player how Bitcoin mining works and then simulates mining at a fairly easy difficulty and then tasks the Player with guessing a nonce value that satisfies the mining difficulty. This challenge can be solved in a couple of ways, either by crowd-sourcing enough people to mine “manually” on the website so that a correct nonce is found somewhat quickly, or by analyzing what the website is doing and scripting a brute forcer (what bitcoin miners actually do). Either way, once the website verified that a valid nonce was found, entering the valid nonce into the game would solve this challenge.
D++ Bitcoin Script Challenge
| Hint: | ide.scriptwiz.app |
| Location: | bc1qt98rawu5xvrx0nkj9dltwx5lxte03rgtfyzttkvvmrm4usvxa6fsll5uny |
| Challenge: | Visit D++’s Bitcoin Script Challenge webpage and evaluate the Bitcoin Script found there. What does this script evaluate to? |
This challenge invites the Player to visit D++’s Bitcoin Script challenge webpage which educates the Player about Bitcoin Script and then tasks the Player with evaluating a script and its data to determine what the remaining stack elements are at the end of execution. Entering the remaining stack elements into the game would solve this challenge.
Crack This Wallet!
| Hint: | Encrypted wallet.dat file |
| Location: | Bitcoin Core |
| Challenge: | Crack this wallet.dat file and tell us what the wallet password is. It might have something to do with the Bitcoin whitepaper. |
This challenge gave the Player an encrypted wallet.dat file for them to crack, along with a link to an abbreviated Bitcoin whitepaper which may have had some clues in it to help crackers reduce the attack space. Cracking the wallet’s password and entering the password into the game would solve this challenge, and as a bonus, whoever cracked the wallet first got to sweep and keep any bitcoin that was found inside!
Other Challenges
While we love that many DEF CON attendees want to just play OUR game for the entire con (no really, we LOVE YOU!!!), some Players burn through our challenges so quickly that they’ve got plenty of time on their hands. We’re also friends with many, MANY other challenge and puzzle creators who we want to support, so our game has an entire section that directs our Players to OTHER challenges. Our challenges in this category can usually be solved fairly early on in the other challenges as our goal is simply to direct our Players there and get them started, but once you’re finished with Hac-Man (is anyone ever really finished with Hac-Man??), you’ll have many more other games and challenges and puzzles to work on.
Tin Foil Hat Contest
| Hint: | Put it on your head. |
| Location: | Tin Foil Hat Contest Area |
| Challenge: | Create and enter a tin foil hat in the contest. Bring it by the Hac-Man contest area and show us! |
This challenge was really simple and self-explanatory. Go to the Tin Foil Hat Contest and make a tin foil hat. Put it on your head. Show us. Challenge solved!
Raitlin’s Challenge
| Hint: | Rot Base |
| Location: | dcode.fr |
| Challenge: |   What are you instructed to follow? |
Raitlin’s Challenge each year is the doorway to a much larger challenge for the Illuminati Party’s set of challenges, which are traditionally extremely difficult. Their challenges sometimes don’t get completely solved until many months or even years later. If you’re looking for something really challenging, this is where you start. Solving this simple rotation cipher and answering the question about the result would solve this challenge.
DEF CON Scavenger Hunt
| Hint: | Sign up and score points! |
| Location: | Contests Area |
Challenge: | Prove to us that you have a registered team and collect at least 10 points from the DEF CON Scavenger Hunt. |
One of the longest-running games and challenges at DEF CON is the official Scavenger Hunt. Not your normal list of items, this scavenger hunt will really challenge your creativity and ingenuity in figuring out not only how to satisfy the items listed, but sometimes just figuring out WTF that item description even means… Like the scavenger hunt itself, our challenge requirement was very open to interpretation… If you could convince someone at the Hac-Man booth that you had joined the Scavenger Hunt and scored some points, they would give you a code which would solve this challenge.
Octopus Game
| Hint: | Play to Win! |
| Location: | Octopus Game Contest Area |
| Challenge: | Spin the Octopus Game Dueling Wheel and play a game with them. Bring your stamp by the Hac-Man contest area to prove that you have completed the duel. |
The Octopus Game gave out stamps for completing tasks. All we required is that you show us a stamp from them and we would give you a code to solve this challenge.
Gold Bug CTF
| Hint: | Only Need One |
| Location: | Gold Bug BBS |
| Challenge: | Begin the Gold Bug Challenge. Enter BBS command HACMAN on the main menu for further instructions. |
Another of the more difficult challenges, the Gold Bug Challenge is definitely up there on the list. This year they had a BBS System for Players to log into to start the challenge which also tracked points and progress and had a leaderboard. Registering on the BBS and entering the command “HACMAN” on the main menu would result in a code that you could enter into our game to solve this challenge.
It’s In That Place Where I Put That Thing That Time
| Hint: | Disks, USB drives, etc. |
| Location: | All around DEF CON |
| Challenge: | Find the thing in that place where I put that thing that time. Find the hac-man thing inside the thing. Use that thing to sign this thing: <UNIQUE DYNAMIC PLAYER MESSAGE> Submit your signature in ASCII-armored format. |
You’ll know it when you see it, right? This challenge littered the conference with all kinds of data storage devices with various data on them. We had data on them… You found it, right? You used that data to sign a message that we gave you. Entering the resulting signature into the game solved this challenge.
DarkNet CTF
| Hint: | Learn Something |
| Location: | DarkNet CTF |
| Challenge: | Complete an educational quest in the DarkNet CTF and earn a hex insert for your DarkNet badge. Come by and show us your hex! |
The DarkNet badge this year was a 3D printed enclosure for a Meshtastic device. On the enclosure it had a little spot for a snap-in hex shaped piece that had us wondering before the con what it was for. It turns out that at the con, the DarkNet CTF gave out little hex pieces that snapped into this spot for completing various educational quests in their CTF, like achievement badges. If a Player brought a hex by the Hac-Man booth and showed us, we would give them a code to enter that would solve this challenge.
EFF T-Shirt
| Hint: | URL |
| Location: | EFF Booth |
| Challenge: | Find the EFF’s T-Shirt. Where does the image take you? |
The Electronic Frontier Foundation each year has a T-Shirt puzzle on their shirt for the year. This challenge tasked Players with finding or acquiring the shirt and telling us what URL the shirt puzzle took them to. Entering the URL would solve this challenge.
Project Polybius
| Hint: | CP/M p: |
| Location: | On the Website |
| Challenge: | Play the classic text adventure game Polybius. Within the game somewhere there is a Pac-Man arcade machine. You’ll need coins to operate it… What is HACMAN’s high score? |
This challenge was previously embedded in a badge during DEF CON 31, but was brought back as a stand-alone web application for DEF CON 32 so that people who missed it on the badge the previous year could play. Inside the game Players could encounter a Pac-Man machine and play it… if they had the coins needed to operate it. After playing the Pac-Man game a high score screen would be shown. Entering HACMAN’s high score into our game would solve this challenge.
The Final Challenge
After completing at least one of the subject-matter themed groups of challenges, the door at the top of the Lobby Maze would become unlocked and Players could attempt the Final Challenge, which upon solving would complete the game. Once complete, Players had the opportunity to go back to the Lobby Maze to continue completing other challenges for extra points.
Hac-Man Physical Puzzle
Our final challenge over the past few years has always included some kind of physical puzzle fabricated by the talented Puzzle, and this year was no different. Using a combination of the physical game board, physical ghost pieces that were given as rewards for solving various challenges throughout the game, the Turtle Pac-Man piece found at the booth, and collecting and putting together bits of source code also given as rewards for solving various challenges that were put directly into the Player’s game inventory, this challenge ensured that you had completed enough of the other challenges throughout the game to even attempt to solve it.
| Hint: | Logo Turtle Graphics |
| Location: | Previous Challenges |
| Challenge: | Collect all four puzzle pieces and sixteen code chunks from prior challenges and use them with the Hac-Man Puzzle Board at the Hac-Man Contest table. What is the final password? |
At the Hac-Man booth there was a game board with an unusual puzzle piece… a Pac-Man with a curious turtle shell on its back… What could this mean?
After getting enough code chunks, or revealing the challenge hint, most Players would be able to figure out that the code they’ve been collecting chunks of uses the Python Logo Turtle Graphics library. This indicated that perhaps the code could tell Turtle Pac-Man where to go?
Using the Hac-Man game board found at the booth, placing the ghost pieces in the correct spots, and then interpreting the Logo code, Players could move Pac-Man around the game board maze collecting letters where he stopped. If Turtle Pac-Man attempted to move through a wall or a ghost, Players would know that they had gotten something wrong.
Putting all of the collected letters together into a string provided the Player with the encoded message “IRAVESZNJVAVURI=”.
We didn’t give many hints about how this message was encoded but the equals sign at the end directed some astute Players in the right direction. As this was DEF CON 32, we chose to encode the plaintext with Base-32, although finding the correct encoding that uses equals signs at the end could have been easily brute-forced. Decoding the encoded message revealed the plaintext message that could be entered into the game to solve this challenge.
Winners
Congratulations to our winners! At the end of the con, the leaderboard ended up like this:
Conclusion
As always, producing such a huge and complicated game, spanning various subject-matter and including both virtual and physical components is a massive undertaking and we absolutely couldn’t accomplish this without our many volunteers and collaborators.
From those who collaborate on individual challenges, those who produce entire groups or tracks of challenges themselves, to our in-person staff diligently helping those who come by the table or have technical support issues, we wholeheartedly thank each and every once of you. Unfortunately, the game has grown to the point that there are simply far too many of you to list everyone by name. Hopefully we mentioned and tagged you throughout this walkthrough blog post where appropriate.
We’ll definitely be bringing Hac-Man back once again for DEF CON 33. If you would like to collaborate or contribute to our game, please do get in touch! You can find us over on our Discord server in the Hac-Man channel.