The third edition of the new Hackfest took place this past November 4th and 5th.
Hackfest is a security conference held annually in Québec City (Ste-Foy, to be precise). The Subgraph crew has been fortunate enough to have been there for all of the past three events. What makes Hackfest special is the close connection to Université Laval and the well put-together hacking games – specifically the main CTF. This year the CTF was packed – at least one group that wanted to register at the last minute was denied due to a lack of space.
Félicitations to this year’s CTF winner, AmishSecurity (Montrealers, friends, and MTLSEC regulars). They had some good competition.
This year there were many familiar faces, and many more unfamiliar. What was most exciting for us was seeing the beta version of Vega being used by competitors in both hacking competitions. Just walking around the room we saw both the scanner and the proxy in action, for example:
1. During the first challenge, which involved each team maintaining operation of several network services and attacking the services of the opposing team, a player ran a Vega scan and found that one of the webservers permitted HTTP PUTs to /. This was then exploited to fill the partition and knock out the www service.
2. During the CTF, a directory traversal/file include vulnerability detected by a Vega module was confirmed as exploitable using the request replay feature and then used to access one of the flags on the webserver.
At one point, we were asked by a player if we’d put Vega content on a webserver during the first challenge. It wasn’t us, and we still don’t know who this was, but it made our evening – so thanks.
Finally, we had a chance to hand out plenty of Vega stickers. With the beta out, we’re now hard at work on the next version of Vega. I’ll be presenting some of the new features at PHP Quebec on Dec 1. More on this soon.
Many thanks to the organizers. We had fun, and we’ll be back for Hackfest 2012.