FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its third edition took place on 1 June 2018.

Results

Bushwhackers did not let the opportunity pass to win FAUST CTF for the third time in a row, scoring a surpassing 16961 points. The complete top three teams are:

  1. Bushwhackers, 16961 points
  2. ENOFLAG, 12317 points
  3. CInsects, 11220 points

Our "first blood" awards go to:

  • JODLGANG: rmrfslash (write-up)
  • RESTchain: Bushwhackers (write-up)
  • The Tangle: CInsects (write-up)
  • Diagon Alley: Bushwhackers (write-up)
  • MtCamlX: SPbCTF (write-up)
  • Cryptocurrencies helpline: No valid flags submitted 😿
  • FAUST Coin: No one managed to get a transaction into the blockchain

We thank all participating teams, apologize for our technical issues and hope everybody still had fun!

Facts

The competition will work in classic attack-defense fashion. Each team will be given VPN access and a Vulnbox image to host itself. You will run exploits against other teams, capture flags and submit them to our server.

The vulnbox decryption password will be released at 2018-06-01 13:00 UTC. The actual competition will start at 14:00 UTC and presumably run for eight hours.

Prizes

Thanks to our sponsors, we can again provide nice prize money:
  • First place: 512 €
  • Second place: 256 €
  • Third place: 128 €

Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.

News

Announcement regarding TCP and HTTP connections

Please note that we're intercepting TCP connections to the services of other teams and so you won't get any TCP RST or ICMP unreachable packets. Instead, the connections will get closed (HTTP 503 and/or TCP FIN) after a timeout, or when the other vulnbox is down. Note that when using netcat, you might not notice this immediately as the connection will be in half-open state. If you run into unexplainable TCP or HTTP issues, complain on our IRC channel.
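The close behaviour described above can be told apart in a script instead of being guessed at in netcat. The following Python code is an added example, not part of the organizers' tooling; the function names, the result labels and the loopback stub standing in for the far end are assumptions made for illustration.

```python
import socket
import threading
import time

def classify_connection(host, port, request, timeout=3.0):
    """Send one request and report how the far end behaved."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # the connect itself failed or timed out
    with sock:
        try:
            sock.sendall(request)
            first = sock.recv(4096)
        except socket.timeout:
            return "silent"           # still open, no reply within the timeout
        except ConnectionError:
            return "reset"            # RST or broken pipe; not expected per the announcement
    if first == b"":
        return "closed_fin"           # orderly close: recv() returning b"" means FIN
    status = first.split(b"\r\n", 1)[0].split()
    if len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1] == b"503":
        return "http_503"
    return "data"

def start_stub(reply, hold=0.0):
    """Constructed loopback stand-in for the far end: read once, wait, reply, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(4096)           # drain the request so close() sends FIN, not RST
            time.sleep(hold)
            conn.sendall(reply)
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed sample behaviours: immediate FIN, HTTP 503, and a slow far end.
    samples = {"fin": (b"", 0.0), "503": (b"HTTP/1.1 503 Service Unavailable\r\n\r\n", 0.0),
               "slow": (b"", 1.0)}
    for name, (reply, hold) in samples.items():
        port = start_stub(reply, hold)
        print(name, classify_connection("127.0.0.1", port, b"PING\n", timeout=0.3))
```

A result of "closed_fin" or "http_503" matches the interception behaviour from the announcement, while "silent" only means nothing arrived within the chosen timeout.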

Vulnbox downloads

FAUST proudly presents you the final Vulnboxes for FAUST CTF. The boxes should have the IP 10.66.<team_ID>.2 configured.

On first login, the Vulnbox will ask you for your team ID and configure itself properly. You can log into the box as root with an empty password using any of the following ways:

  • Use the graphical console of your virtualization software
  • Connect to the serial port of the VM (may need configuration)

If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.

We provide two options for download:

Both images are encrypted with a password and are otherwise identical, so use the one that best fits your needs. The password will be released via Twitter, IRC and email at 13:00 UTC today.

To verify the integrity of your download, all files have a detached gpg signature available. Append ".sig" to the filename for download.

To verify the download, run:

gpg --verify vulnbox.ova.gpg.sig vulnbox.ova.gpg

To decrypt the vulnbox, use:

gpg --decrypt-files vulnbox.ova.gpg

Registration closed, all VPN configs sent out

Registration is now closed, VPN configs have been sent to all teams via email. If you didn't receive yours, please contact us urgently!

Registration open

After a long wait, this year's website is finally online and the registration is open. The CTF is already around the corner, so make sure to sign up now.

Supported by

ERNW, BMW Car IT, noris network

Organized by

FAUST