Full Report
Much like other events in 2020, our annual internal hackathon took a remote format this year, sporting over 120 hackers from across the globe. We had many challenges available during the conference, including a password cracking challenge, a Discord bot challenge and a programming challenge. This post will talk about the programming challenge called sconwar. You can get the source code for it here.

incubation

Admittedly I was really nervous about the idea of a hacker hackathon in general, but we can only become better hackers by understanding technologies better, more specifically by understanding them through using them. I often hear people say they want to get into programming, for which there are many options, but more often than not the drive ends with “well, what do I code?”.
Analysis Summary
# Main Topic
Programming Challenge Analysis: "sconwar" from the SensePost 2020 Internal Hackathon. The write-up describes a programming exercise designed to encourage participation in coding by having attendees build clients for a turn-based game that is accessed exclusively via a JSON serialised HTTP API.
## Key Points
- The challenge, named "sconwar" (SenseConWar), involved players writing their own client applications to interact with a central game server.
- The game scenario involved a 20x20 tiled board where players battled to achieve a top score against potential creeps and other players.
- The primary interaction method was entirely through a JSON serialized HTTP API, emphasizing the "bring your own client" concept.
- Player submissions showed early signs of automated decision-making logic embedded within their custom clients.
## Threat Actors
- This context does not describe a malicious threat actor or campaign.
- The creators/developers are SensePost employees (Leon Jacobs, Jameel, Martin).
- Participants are "hackers" acting in a constructive, controlled competition environment.
## TTPs
- **API Interaction:** Players developed clients that communicated via HTTP requests serialized as JSON.
- **Development Focus:** Custom client development to automate or optimise gameplay; several submissions already embedded automated decision-making logic.
- **Server Technology:** Golang utilized for the server with the Gin web framework for routing and a custom game engine.
- **Documentation:** Swagger was used for autogenerated API documentation via code annotations.
- **Persistence:** Simple SQLite database used for logging game stats and records.
- **Monitoring:** Prometheus and Grafana leveraged for observing server performance and game metrics.
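As an added example (not the sconwar server's own code, which used Gin, Swagger and SQLite), the Go program below sketches the server side of the design summarised in the Key Points and TTPs above: a 20x20 board, players that join and move, and an API spoken only in JSON over HTTP. It uses the standard library's net/http in place of Gin; the endpoint names /join and /move, the (0,0) start tile and the one-point-per-move score are assumptions. The point worth seeing in code is that a bring-your-own client only ever sends an intent: the server owns position, score and rule enforcement, rejects unknown players and directions, refuses moves that leave the board, accepts only POST, and bounds the request body it is willing to parse.

```go
// Added example, not sconwar's own code: a minimal JSON-over-HTTP turn-based game server using only
// net/http in place of Gin. The 20x20 board is from the write-up; start tile and scoring are assumed.
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
	"sync"
)

const BoardSize = 20
// deltas maps a direction to its (dx, dy); any other string is rejected.
var deltas = map[string][2]int{"up": {0, -1}, "down": {0, 1}, "left": {-1, 0}, "right": {1, 0}}

type Player struct { // server-owned state: a client never sends its own position or score
	Name  string `json:"name"`
	X     int    `json:"x"`
	Y     int    `json:"y"`
	Score int    `json:"score"`
}

type Request struct { // all a client sends: who it is and, for /move, an intent
	Player string `json:"player"`
	Dir    string `json:"dir"`
}

type Game struct {
	mu      sync.Mutex // handlers run concurrently, so engine state is locked
	players map[string]*Player
}
func NewGame() *Game { return &Game{players: map[string]*Player{}} }

// Join registers a player at tile (0,0); re-joining returns the existing state (never errors).
func (g *Game) Join(name string) (*Player, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if _, ok := g.players[name]; !ok {
		g.players[name] = &Player{Name: name}
	}
	return g.players[name], nil
}

// Move validates the intent: known player, known direction, destination on the board.
func (g *Game) Move(name, dir string) (*Player, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	p, ok := g.players[name]
	if !ok {
		return nil, errors.New("unknown player")
	}
	d, ok := deltas[dir]
	if !ok {
		return nil, errors.New("invalid direction")
	}
	nx, ny := p.X+d[0], p.Y+d[1]
	if nx < 0 || ny < 0 || nx >= BoardSize || ny >= BoardSize {
		return nil, errors.New("move leaves the board")
	}
	p.X, p.Y = nx, ny
	p.Score++ // constructed rule: one point per legal move
	return p, nil
}

func writeJSON(w http.ResponseWriter, code int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(v)
}

// endpoint adapts a rule to HTTP: POST only, bounded JSON body in, JSON out, errors as JSON too.
func endpoint(rule func(Request) (*Player, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var q Request
		err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&q)
		if r.Method != http.MethodPost || err != nil || q.Player == "" {
			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "bad request"})
			return
		}
		p, err := rule(q)
		if err != nil {
			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
			return
		}
		writeJSON(w, http.StatusOK, p)
	}
}

// Handler exposes the engine as two JSON endpoints.
func (g *Game) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/join", endpoint(func(q Request) (*Player, error) { return g.Join(q.Player) }))
	mux.HandleFunc("/move", endpoint(func(q Request) (*Player, error) { return g.Move(q.Player, q.Dir) }))
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewGame().Handler()))
}
```

Run it and drive it from any language, for example `curl -X POST localhost:8080/join -d '{"player":"alice"}'` followed by `curl -X POST localhost:8080/move -d '{"player":"alice","dir":"down"}'`. A client that posts `x`/`y` fields instead of a direction gains nothing, because the server decodes only `player` and `dir` and computes the new tile itself.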
## Affected Systems
- **Game Server:** Developed in Golang using the Gin framework.
- **Data Persistence:** SQLite database.
- **Client Applications:** Custom clients written by participants; the write-up does not record which languages were used.
- **Monitoring Stack:** Prometheus and Grafana for statistics visualization.
## Mitigations
Since this is a write-up of a programming challenge and not an active threat, conventional threat mitigations do not apply. The defensive and development practices the write-up does mention are:
- **Source Code Availability:** The entire challenge (server) is open-sourced via GitHub for review and transparency.
- **Automated Documentation:** Using tools like `swag` to ensure API documentation stays synchronized with code changes.
- **Observability:** Implementing comprehensive metric collection (Prometheus/Grafana) for monitoring internal system behavior during gameplay/usage.
## Conclusion
The sconwar challenge successfully used a JSON HTTP API as the prompt for attendees to practise programming skills. While the focus was developmental and non-malicious, the implementation combines a modern web framework (Golang/Gin), autogenerated API documentation (Swagger) and operational monitoring (Prometheus/Grafana), and serves as a useful baseline for hosting API-driven internal applications, though the write-up does not cover hardening the server.