FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its third edition will take place on 1 June 2018.



The competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.

The vulnbox decryption password will be released at 2018-06-01 13:00 UTC. The actual competition will start at 14:00 UTC and presumably run for eight hours.


Thanks to our sponsors, we can again provide nice prize money:
  • First place: 512 €
  • Second place: 256 €
  • Third place: 128 €

Additionally, for each service, the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.


Announcement regarding TCP and HTTP connections

Please note that we're intercepting TCP connections to the services of other teams, so you won't get any TCP RST or ICMP unreachable packets. Instead, the connections will be closed (HTTP 503 and/or TCP FIN) after a timeout, or when the other vulnbox is down. Note that when using netcat, you might not notice this immediately, as the connection will be in a half-open state. If you run into inexplicable TCP or HTTP issues, complain on our IRC channel.
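The behaviour described above can be checked from your own tooling rather than inferred from netcat. The following is an added example, not code from the FAUST organisers: it classifies how a connection ends, so that a FIN or HTTP 503 is reported as such instead of looking like a hung service. The names `probe` and `fake_gateway`, the outcome labels and the local stand-in server are assumptions made for illustration.

```python
import socket
import threading

def probe(host, port, payload=b"", timeout=2.0):
    """Connect, send payload, and report how the conversation ended."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", b""          # RST: not expected via the gateway
    except OSError:
        return "unreachable", b""      # includes connect timeouts
    data = b""
    with sock:
        try:
            if payload:
                sock.sendall(payload)
            while chunk := sock.recv(4096):   # b"" means the peer sent FIN
                data += chunk
        except socket.timeout:
            return ("partial" if data else "timeout"), data
        except ConnectionResetError:
            return "reset", data
    if data.startswith(b"HTTP/") and data.split(b" ", 2)[1:2] == [b"503"]:
        return "http_503", data        # gateway reports the service as down
    return ("closed_after_data" if data else "fin"), data

def fake_gateway(response, hold=0.0):
    """Constructed local stand-in: accept once, reply, wait, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(response)
            threading.Event().wait(hold)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for name, resp, hold in [("503", b"HTTP/1.1 503 Service Unavailable\r\n\r\n", 0),
                             ("bare FIN", b"", 0), ("silent", b"", 3)]:
        print(name, probe("127.0.0.1", fake_gateway(resp, hold), timeout=1.0)[0])
```

An empty `recv()` is the only signal of a FIN, which is why an interactive netcat session that is waiting on keyboard input can sit in the half-open state without showing anything.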

Vulnbox downloads

FAUST proudly presents the final Vulnboxes for FAUST CTF. The boxes should have the IP 10.66.<team_ID>.2 configured.

On first login, the Vulnbox will ask you for your team ID and configure itself properly. You can log into the box as root with an empty password in either of the following ways:

  • Use the graphical console of your virtualization software
  • Connect to the serial port of the VM (may need configuration)

If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.

We provide two options for download:

Both images are encrypted with a password and are otherwise identical, so use the one that best fits your needs. The password will be released via Twitter, IRC and email at 13:00 UTC today.

To verify the integrity of your download, every file has a detached GPG signature available. Append ".sig" to the filename to download it.

To verify the download, run:

gpg --verify vulnbox.ova.gpg.sig vulnbox.ova.gpg

To decrypt the vulnbox, use:

gpg --decrypt-files vulnbox.ova.gpg

Registration closed, all VPN configs sent out

Registration is now closed, VPN configs have been sent to all teams via email. If you didn't receive yours, please contact us urgently!

Registration open

After a long wait, this year's website is finally online and the registration is open. The CTF is already around the corner, so make sure to sign up now.

Supported by

ERNW BMW Car IT noris network
