CTFs connect teams from all over the world in a peaceful competition. However, this year's FAUST CTF is overshadowed by the war in Ukraine. With the lives of civilians on the line, we believe in a peaceful resolution to this conflict and hope that the people in Ukraine can return to normalcy soon.
We want to remind everyone of our Social Conduct. We do not tolerate harassment of any form, and violating these rules may result in a ban from our competition.
FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its seventh edition took place on 9 July 2022.
View scoreboardResults
Congratulations to C4T_BuT_S4D who won FAUST CTF 2022 and scored amazing 53329.50 points. The top-three teams are:
- C4T_BuT_S4D, 53329.50 points
- Bushwhackers, 45374.17 points
- ENOFLAG, 43202.90 points
We thank all participating teams and our sponsors!
Facts
Once again, the competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.
The service decryption password will be released at 2022-07-09 12:00 UTC. The actual competition will start at 13:00 UTC and run for eight hours.
Prizes
Thanks to our sponsors, we can again provide nice prize money:- First place: 1024 €
- Second place: 512 €
- Third place: 256 €
Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.
Please check our rules page for information on payout restrictions.
News
Services Decryption Password
The decryption password is:
Tim3_c1rcU1ts_0n_..._FLux_Cap4c1t0r_fluXing_..._Eng1ne_ruNn1ng_..._Let'S_h4ck_th1s!
Happy hacking!
Vulnbox Download
The vulnbox is ready! You have these download options:- An OVA container tested with VirtualBox
- A QCOW2 image tested with libvirt/KVM
To verify the integrity of your download, you may check the SHA256 sums:
0329bc73035cdbd97424d88760c90250a8f425b9853a6b62f1a5aca270bb6327 vulnbox.ova
120db6a84ef98f83c2c5a3c4b8f759249adaf063daed91f85b307641989857c5 vulnbox.qcow2
As stated in the rules, the decryption password will be released at 2022-07-09 12:00 UTC via email, Discord and Twitter, and thereafter also here. Please make sure you can run the testbox and connect to the VPN before the CTF.
Testing Vulnbox
Testing Vulnbox images are available. On first login, the Vulnbox will ask you for some information and configure itself properly. You can log in as root using any of the following ways:- Use SSH with the generated random password (may need port forwarding, for the NAT Network)
- Connect to the serial port of the VM (may need configuration)
- Use the graphical console of your virtualization software - not recommended if you want to deploy SSH-Keys or configure VPN.
- When hosting on a cloud provider, chances are that you can enter your SSH-Key when creating the VM (cloud-init is installed).
If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.
We provide two options for download:- An OVA bundle tested with VirtualBox
- A QCOW2 image tested with libvirt/KVM
To verify the integrity of your download, you may check the SHA512 sums.
Both images are identical, so use the one that fits your needs. The serivces inside are located in `/srv` and are encrypted with the password test
.
To decrypt and start them, use the command /srv/extract-services.py /srv/testbox_services.tar.xz.gpg
.
Note: Testbox and Vulnbox can not be connected to the game VPN at the same time, so make sure to shutdown the Testbox when the real Vulnbox is released.
Registration open
This year's website is online and the registration is open. The CTF is already around the corner, so make sure to sign up now.