
Developer walks through Arecibo CTF challenge, showing MQTT and client-header fixes that complete six single-use tokens

June 11, 2026 | The Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Executive, Federal


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

Alex, the lead challenge developer for the President's Cup Cyber Challenge, walked viewers through the Arecibo competition challenge and demonstrated how a sequence of MQTT monitoring and a client-side header change complete the scenario’s six single-use tokens.

"My name is Alex and I'm the lead challenge developer for the President's Cup Cyber Challenge," he said at the start of the video, pointing viewers to the challenge platform at pccc.cisa.gov/pc7. He described the scenario as an espionage-themed exercise in which participants act as undercover operatives tasked with confirming an EMP-style weapon at the Arecibo Observatory.

Alex front-loaded the technical objectives: "We need to configure the angle, coordinates, HMAC, and operational mode," he said, and recommended working sequentially because early steps introduce MQTT concepts used later. He emphasized a key game rule: "Tokens are only issued once as stated in the challenge description. If a token is missed ... it cannot be recovered," adding that a missed token forces a full challenge reset.

For telemetry capture, Alex subscribed to all MQTT topics (the broker permits anonymous access) and used a continuous watcher to tee the output so tokens could be captured in real time. He described using a standard MQTT client (Mosquitto) and a simple catcher so one-time tokens beginning with "PCCC" could be copied from the subscription feed and submitted to the submission field to advance checkpoints.
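A token catcher of the kind described above, as an added example rather than the walkthrough's own tooling: it consumes `mosquitto_sub -v -t '#'` output (one "topic payload" line per message), extracts tokens by the "PCCC" prefix, de-duplicates them because each token is issued only once, and keeps the latest JSON telemetry per topic. The topic names, JSON field names and token values are constructed; only the PCCC prefix comes from the challenge description.

```python
import json
import re
from typing import Dict, Iterable, List

# Only the "PCCC" prefix comes from the challenge description; the rest of the
# token format is assumed to be a run of word characters or hyphens.
TOKEN_RE = re.compile(r"\bPCCC[\w-]+")

def split_line(line: str):
    """`mosquitto_sub -v` prints "<topic> <payload>"; payloads may contain spaces."""
    topic, _, payload = line.rstrip("\n").partition(" ")
    return topic, payload

def catch_tokens(lines: Iterable[str]) -> List[str]:
    """Tokens in arrival order, de-duplicated: a token is issued once, so a
    redelivered or re-read line must not be mistaken for a new one."""
    seen: Dict[str, None] = {}
    for line in lines:
        _, payload = split_line(line)
        for tok in TOKEN_RE.findall(payload):
            seen.setdefault(tok, None)
    return list(seen)

def latest_state(lines: Iterable[str]) -> Dict[str, dict]:
    """Most recent JSON fields seen per topic (mode, angle, HMAC label ...);
    non-JSON payloads such as bare tokens or CMD output are skipped."""
    state: Dict[str, dict] = {}
    for line in lines:
        topic, payload = split_line(line)
        try:
            doc = json.loads(payload)
        except ValueError:
            continue
        if isinstance(doc, dict):
            state.setdefault(topic, {}).update(doc)
    return state

# Constructed sample of a teed subscription feed; topics and values are made up.
SAMPLE_FEED = [
    'arecibo/telemetry {"mode": "idle", "angle": 12.0}',
    'arecibo/tokens PCCC-EXAMPLE-TOKEN-1',
    'arecibo/telemetry {"mode": "attack"}',
    'arecibo/tokens {"token": "PCCC-EXAMPLE-TOKEN-2", "step": 2}',
    'arecibo/tokens PCCC-EXAMPLE-TOKEN-1',  # duplicate delivery
    'arecibo/telemetry {"angle": 87.3, "hmac_label": "GoldenEye"}',
]

if __name__ == "__main__":
    print(catch_tokens(SAMPLE_FEED))
    print(latest_state(SAMPLE_FEED))
```

Piping a live feed through `tee` into a file and then into this script preserves a record of every message, so a token that scrolls past is still on disk even though the challenge will not reissue it.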

Alex demonstrated the steps that yielded each token. He published a valid payload to the core control topic to obtain token one, published a JSON payload changing the observatory mode to "attack" for token two, and set the correct angle (87.3 degrees) for token three. He then submitted the observed MAC/HMAC value, labeled "GoldenEye" in the telemetry, to obtain token four.

To find the correct target coordinates for token five, Alex used a documented CMD interface to "dump coords," which returned a list of candidate coordinates. For the walkthrough he submitted the known correct pair (4.830, -73.950) and captured token five.

When the panel showed the system fully armed, the final action was to "fire." Alex clicked the fire control but observed no token and an unresponsive button. Inspecting the browser’s developer tools and the network request tied to fire.js, he identified a problematic request header (the transcript truncates the name to "X-Requested-"; inspection of the request indicates the header commonly labeled "X-Requested-With"), removed that header from the request, resent it, and received token six. Submitting token six completed the challenge and awarded full points.

The walkthrough highlighted two practical lessons for defensive and competitive practitioners: an MQTT broker that permits anonymous access exposes telemetry that can reveal one-time tokens and control-state information, and a header added by client-side code can cause a critical request to be blocked or filtered, which during testing can sometimes be remedied by adjusting or removing that header.

Alex closed by thanking viewers and noting future walkthroughs on the competition platform.
