CISA

PC7 Walkthrough: Arecibo

The video walks through the President’s Cup Cyber Challenge (PC7) “Arecibo” scenario, where participants act as covert operatives tasked with confirming and firing an EMP‑style weapon hidden at the Arecibo Observatory. The challenge is hosted on a new web platform and centers on a satellite operations panel exposed over TCP port 5000, with the real control channel implemented via an MQTT broker on port 1883. The presenter demonstrates how anonymous access to the MQTT broker lets anyone subscribe to every topic, capturing the one‑time tokens that unlock each objective. By publishing JSON payloads to the control topic, the team changes the observatory’s mode from a decoy “observation” to “attack,” sets the correct antenna angle, supplies the HMAC (“GoldenEye”), and dumps coordinates until the correct pair (4.830, ‑73.950) yields the next token. Each step reinforces MQTT concepts—subscribe, publish, QoS—and shows that missing a token forces a full reset because tokens are never replayed. A memorable moment occurs when the “Fire laser” button fails; inspecting the network request reveals an X‑Requested‑With header that blocks the action. Stripping that header and resending the request produces the final token. The presenter also notes that all tokens share the “PCCC” prefix and that the HMAC reference nods to the James Bond film “GoldenEye,” underscoring the espionage theme. The walkthrough highlights how an unsecured, open‑access MQTT service can become a vector for privilege escalation and command injection, a risk that extends to real‑world IoT and satellite control systems. For defenders, it stresses the need for authentication, token replay protection, and thorough validation of client‑side inputs to prevent similar protocol‑level abuses.