01 October 2019

Hacker House Recap: Costa Rica (with Video)

Ryan Rutan

Burrowed away on the western shore of Costa Rica is a small town in Puntarenas Province by the name of Esterillos Este. This July, the peaceful and serene neighborhood welcomed 10 of Synack’s most elite Red Team members for our second annual HackerHouse. The 5-day, all-inclusive “hack-cation” was a reward to the top 10 winners of a Synack #Hack4Levels competition.

#Hack4Levels

The trek to Costa Rica didn’t just start at each SRT’s departing airport; it began months before. In April, Synack launched a 60-day competition that was open to all Synack Red Team members. The rules were simple: the top 10 with the most severe vulnerability discoveries would earn themselves a fully paid, fun hacking-filled vacation to Costa Rica. Week after week, SRT brought their best skills to the table and our final leaderboard was impressive with researchers constantly jockeying for position in the top spots. Authentication bypass, cross-site scripting, remote code execution… you name it, someone found it.

Synack’s best-of-breed researchers represent 5 continents, thousands of vulnerabilities previously found via Synack, and hacking experience levels from 3 to 30 years. Some came to crowdsourced penetration testing via training and universities; others from on-the-job training.

The Hacker House

The SRT winners arrived at not one but three luxurious beach houses near the placid western shores of Costa Rica. A custom, waterproof Patagonia gift bag filled with beach goodies (Synack towels, fan, water bottles, etc.) awaited each one. More than an hour from the bustling capital of San José, Esterillos Este provided a calm backdrop for adventure by day and hacking by night.


Our inflatable Synack pool monkey knows how to relax.


What happens when pool/ hacking indecision strikes.

Adventures through Costa Rica

Our adventures through Costa Rica included rides through foliage, passing chickens, and fording rivers in the Synack Red Team Jungle Chariots.


One of the Synack Red Team Jungle Chariots

On the first day, we took our Jungle Chariots to a base station for hiking. After ditching most of our gear, our hands were free for precarious rock climbing, wading through rivers, and scrambling through riverbeds. The best rewards were the waterfalls and pools, perfect for wading, beating the heat and cooling off.


Our winner in a Refreshing Jungle Waterfall

The next day we went ocean kayaking, which allowed us to see Costa Rica’s transcendent beauty from the calm Pacific waters. Both above…


Canoeing in the Pacific Ocean…


And below it.


Sharing a Pre-Hack Meal


Honorary SRT Member conducting Recon

The Hacking

It wouldn’t be a Synack HackerHouse without some hacking. To provide ample high-quality attack surface while avoiding free-for-all chaos, each night Synack fired up a new surprise target from its penetration testing and continuous testing client base, accessible only to this select group of researchers. Needless to say, vulns were found.

One of our early targets was an API with a Perl-based back-end, so the SRT were eager to attack it as soon as they could. Perl is notorious for leaving numerous security concerns to the web developer to handle themselves, so the SRT immediately saw it as a good place to kick things off.

Within minutes, the SRT unanimously agreed that XSS was going to be a systemic issue and feverishly raced to submit their reports. They managed to report 17 valid and unique XSS findings within the first hour. To keep the testing diverse, XSS was then removed from scope (with fair warning, and all valid submitted vulns were paid) and the team moved on to the remaining attack surface.

The SRT were after points and high-CVSS bounties to win the cash bonuses awarded to the best of the best at the end of the three-day hacking event. Points help determine levels within the SRT, which lead to special rewards, access and invitations in the community. Their performance was so good that Synack eventually doubled those bonuses for the top 3. Ultimately, the ten participants – on “vacation” in Costa Rica – averaged hundreds of dollars per hour each over the scheduled hacking time – talk about pay to play!


Live Hacking Isn’t Just Hacking

Synack live hacking experiences are the purest distillation of our philosophy. We want the SRT to be career- and life-enhancing, whether for skilled researchers just starting out with crowdsourcing or for seasoned pros. There is no more energizing feeling than bringing researchers together in a live setting and witnessing the inspired creativity that is cultivated as a team. Our Costa Rica Hacker House, like the Bali one before it, gives the SRT something to strive for that goes beyond pure security research and extends into relationships and memories that last throughout their hacking careers. Stay tuned for the next Synack HackerHouse™ announcements. You never know, the next top SRT member might be you!

Take a look:

Rajesh Krishnan and Ryan Rutan