The yearly Hack-A-Thon put on by Utah State University. This year me and my team competed in the Tool Development category, developing a program we call “$hame”. The idea was that we want the terminal to cause more stress, and the more you misspell commands, the more you get punished for it. I’ll be talking about our experience in building the project, as well as my other thoughts of the event.

Category Prompts

There were 7 total categories to compete in for this year’s HackUSU:

• Tool Development by Lightning Kite
• Optimize Your Time by Zaymo
• Data App Factory by Koch, DataBricks, and AWS
• Marketing Analytics by Sawtooth, DAIS, and the Data Science & AI Center
• Hardware (Open Ended)
• Game Development (Open Ended)
• Tech Start-up by Sandbox

Unfortunately, the Cybersecurity category that we were so excited to compete in got scrapped. I’m not sure why, but it felt odd to drop that category from a HACK-a-thon. I understand hack has its other contexts, but many today associate it with cybersecurity.

We went to the Tool Development prompt showcase, and the prompt was: “Build something useful or unhinged”. Most of the tools that were given as examples seemed to be related to making code compilers, so we weren’t quite sure if we would fit into this category very well.

Choosing a Project

With the Cybersecurity category scrapped, the most difficult part of the project for us was building something that we all would enjoy doing while also fitting into some category. Some of our ideas included:

• Game Dev - SIEM-ulation - Turning your favorite logging tools into a game to teach people how to use them in a safe environment
• Tool Dev - PM Safety - When you update your packages, it tells you what kind of things to expect to break in the latest update, reading the changelogs and summarizes the important fixes
• Tool Dev - Homelab Threat Monitor - Updates you on CVEs for even the raspberry pi running prod that you haven’t touched in 3 years

It took us 5 hours to settle on a project. We really liked SIEM-ulation, but we couldn’t figure out a way for people to win that didn’t make it feel like KC7’s story-driven game style.

Around 23:30, we had hit a massive wall with ideas. We joked about last year’s project and how we managed to accidentally create malware and thought it would be funny to make some more. Then it hit us. We were going to create more malware.

Building The Project

The Idea

Our project was inspired by Suicide Linux, where it keeps track of the commands that you input, and if you type one incorrectly, it just rm -rf /’s your system. We wanted to make the punishment for incorrect commands more closely related to the command itself. It has a dynamic tracking system, where the first few times you mess up the command, it does small things such as minor insults and back-handed comments. As you mess up a command more frequently, it starts to do progressively more malicious things.

The Punishments

Misspelling any of these commands would do these malicious things:

• cat - flips the text upside down
• clear - clears the screen randomly forever
• dig - changes your nameservers to localhost
• docker - spawns 50 containers all at once
• meltdown - gives a bunch of corrupted text
• mv - gives privilege of your home directory to root
• nano - puts you into vim
• nmap - fork bombs your computer
• nslookup - insults you
• passwd - gives a random reason to reject the password
• ping - forces a request timeout with some comments
• rm - creates a new file
• sudo - removes you from the sudoers file
• vim - insults you and removes vim quit command
• whoami - goes on a really long unquittable dialog about who you are
• zip - creates up to 10 random files

A Rough Start

Due to the dangerous nature of the project, we needed something that we would be fine nuking over and over without any problem. We also needed something to simultaneously work with, so VMs would be a last resort. I gave my teammates access to my test lab Kubernetes cluster. Each pod runs a VNC server with Kali Linux in it. If anything went wrong, we could type exit or close the terminal window and it would give a new pod instantly.

There were some issues with the cluster. The main one I had was due to the permissions of the non-root user created in the Dockerfile. We made a one-liner script for the installation of the project, but because Dockerfiles build as the root user, some of the permissions that we needed files to have weren’t working properly. I spent a good few hours trying to troubleshoot this, but when the Dockerfiles take 5-7 minutes to build every time, it gets tedious.

While I was working on the Kubernetes cluster, my teammates worked on the installation script, database setup, and creating all of the malicious events.

Failure After Failure

I was unable to get the Kubernetes cluster to work for what we needed. Because we were getting short on time, we went with our failback method and switched to VMs. My team and I have some of the worst luck when it comes to virtual machines. We were getting boot errors on some ISOs, stuck in automatic repair for others, network problems, and more.

We hit the point where we just needed something to show the judges. Out of desperation, I downloaded the least malicious scripts and set everything up on my live system for the demo, hoping that we could also get some virtual machines running properly to show the dangerous things.

A 30 Minute Miracle

After about 12:30 on day 2, we had some code somewhat working, but nothing to really show the judges what’s going on or how it works. I asked ChatGPT to create me a dashboard given the information from the database, and was pleasantly surprised to see it working on the first try. We now had something to show off.

My teammates were able to get some virtual machines running, and we finalized everything at about 12:55, five minutes before we had to be at a table for the project showcase and judging.

A Tired Final Stretch

Judgement Day

After skipping lunch and getting forced into a hot room for an hour, the judges finally came in. Initially, we were told that all of the judges in the room would go around and individually score every team. The final score would be calculated as the sum of all of the judges scores. We counted 11 judges in the room and were ready to present.

As the first few judges came by, we began to realize something: None of them knew the prompt except for the two people who were sponsoring this category. They didn’t know we were in the “build something unhinged” group, which I’m sure resulted in a large loss of points. Also, some of them weren’t even really developers, so mentioning any tools or libraries would result in blank stares.

We got 2 judges that at least found our project amusing, but the rest of them were asking how we could use this in a business context, or if it uses AI, or how it was supposed to be useful. It was interesting trying to come up with ways to satisfy their questions. We told them that an employer could use the program to view and store employee commands in order to produce better trainings for new hires.

We seemed to be doing good with our presentation, but then a massive problem happened. They stopped judging early. They cut everyone off at 5 judges. We didn’t get a chance to talk to either of the 2 company sponsors, so the other judges probably thought we didn’t care about the project and wanted to do something stupid.

The Awards

We didn’t place, but it was alright. We didn’t really expect to. After having our category chopped, deciding what we wanted to do 5 hours into the competition, and unequal judging, we still managed to get something put together that we had fun doing.

However, I managed to get a prize from the raffle! So many people had left the event after awards, that there were more prizes than people in the room. They told all of us to get in a line and we’d be able to pick whatever we wanted. I got a new computer repair kit with every bit you could imagine. I’m quite happy with it.

What We Learned

We learned a lot about the terminal and some niche things that it does with subprocesses in Python. We got to dive a bit more into bash scripting, which is super powerful. I got to work with SQLite databases for the first time and figure out how they work. I also learned quite a bit about container permissions and some new commands to manage my Kubernetes cluster.

I’m honored to have worked with Sean (Right) and Parker (Left) for the last 2 years. They have always been willing to team up for CTFs, homelabbing, study sessions, and of course, making more malware.

Other Thoughts About The Event

Comparison to Previous Years

Prompt Reveal After Keynote

This year, the prompts were revealed after the opening ceremony, but they were all revealed in different rooms at the same time. This caused people to only be able to hear one prompt. Anyone still deciding on a category would only know the one they went to. There were people going around for hours after the reveal asking what some of the other category prompts were.

Care Packages In Bathrooms

This was great! Please bring this back always. The only suggestion I would make would be to add the little disposable toothbrushes with the toothpaste inside of it. Other than that, this was a much-needed thing for this event. 10/10

Swag Not As Plentiful

All of the swag for this year was a t-shirt, a sticker, and a rubber duck. In 2024, we got fanny packs, mousepads, stress ducks, t-shirts, stickers, and more. The only super cool thing available was the sweatshirts, which were only available to students who put keyloggers on their system for a study. No cybersecurity person is going to do that. I’m willing to be lenient on this one if there weren’t enough sponsors for tons of swag.

Judging Seemed Disorganized

This year’s judging was round-robin style, which ultimately meant that some students got better judges than others. None of the judges seemed prepared with the prompt except for the sponsors, so anyone that made a chaotic tool was just cooked.

Previously, there were rooms reserved for judging, and each team would go in and present to the entire board of judges at once, all of who had experience in the field. Although this gives the final team to present an advantage of extra time, it was much more fair to everyone to have the exact same judges who all knew the exact same prompt.

No Midnight Aggie Ice Cream

I don’t need to elaborate on this.

Awards

In previous years, each winning team would have to select the same award. The awards would go down the line, so whichever category went last got the short shaft. This year, individuals were able to pick their own awards, and all of the winners would go out at the same time for 1st, 2nd, and 3rd place. This was a good change. However, I missed getting to see what all the awards were.

Lack of Professionalism

Everything Is Running Late

I understand that things happen that cause events to run late. What is not okay is the lack of communication when things are going to run late. There’s a big difference between “Hey, we have to push back awards from 4:30 to 5:00” being sent at 2:00 vs 4:30.

Presentations and Workshops

The Windows taskbar was visible throughout every presentation or workshop we attended. It’s not a big deal, but to me it shows lack of technology knowledge. At an event as big and tech-oriented as HackUSU, that should not be happening.

Zoom workshops were supposed to have someone in there in order to facilitate the meeting. Ours left after about 5 minutes and the Zoom window was hard to see because the presenters cameras took up the top half of the screen. The full screen mode should have been used with the pop-out attendees instead.

Event Organizers

Even though the communication for this event was through Discord, I still expect a level of professionalism from event organizers. There was one in particular who especially lacked, and I’m embarrassed to say that they represented the engineering college. We’re better than that. From poor spelling and grammar, to back-handed insults and threats, this student organizer was disrespectful to this entire event.

Here’s some screenshots from the Discord:

Other comments were deleted before I could get screenshots, but this organizer seemed to be very self-centered, referring to the Discord as “his” despite not being the owner.

Overall Thoughts

Although I had a lot of criticisms, I still had a good time with my team for another year as the Shelldivers. We had lots of laughs, made tons of memes, and in the end were still able to make a fun project that we could be proud of.

If I decide to come back next year, (we’ll see where graduation takes me) I’ll probably just try and go to all of the workshops and go for the raffle prizes. If the cybersecurity category returns, I’ll consider competing again, but we’ll see. I’ve considered trying to make a CTF for other people to do, I could have a fun time with that. Alternatively I’d like to get permission to do a data analytics track and run my own phishing campaign.