These rules are similar to the RuCTFE contest rules.

It is difficult to give a complete set of rules for a CTF challenge, so these rules can change at any moment before the challenge starts. That is why we recommend you to check the rules on this site one more time before the competition starts. Just in case :)



A group of people with a captain.


A vulnerable application written for the challenge.


A string that matches regex: /^\w{31}=$/.

Game round

A period of time for checksystem to check and score all the teams. It usually takes about 1 or 2 minutes.


A group of people that run the whole competition. Organizers do their best to provide quality and fun to all participants. Still organizers are to penalize/disqualify teams for rules violation and to solve the critical situations not described in these rules. Teams should be prepared to meet such decisions with understanding. Also organizers do determine the winner. In general, this decision is based on the scoreboard.

Teams are allowed to

  • Do whatever they want within their network segment. Most likely the team would like to patch vulnerabilities in their services or block exploitation of vulnerabilities;
  • Attack other teams. Didn't expect that, huh?

Teams are prohibited to

  • Filter out other teams' traffic;
  • Generate large amount of traffic that poses a threat to network stability of organizers' facilities;
  • Generate large amount of traffic that poses a threat to network stability of any other team;
  • Attack teams outside of the VPN;
  • Attack the game infrastructure facilities operated by organizers.

Game structure

The competition begins when the organizers announce vulnerable image decryption key. Since then the whole game time is divided into two periods:

  1. For the first hour network segments are closed and teams should concentrate on initial vulnbox administration and vulnerabilities analysis.
  2. For the next 8 hours network segments are opened.

Scoring system

Key params in scoring system are SLA and FlagPoints. Their values are individual for each service of each team. Team's score is calculated as the sum of the products of the corresponding SLA and FlagPoints of all team's services.

SLA (team, service) is the percentage of the game time, during which that service of that team was in the UP state. E.g. if the service was always UP, SLA would be 1. If 4 hours passed from the game start and the service was up only during the first hour and then was not UP for the rest 3 hours, SLA would be 0.25. At the beginning all teams have SLA equal to 1.

FlagPoints (team, service) — is the number that correlates with team’s ‘understanding’ of the service. If the team is able to exploit the vulns in the service to get flags and fixes these vulns in it’s own service, the FlagPoints will grow during the game. Otherwise, if the team is not able to exploit the vulns in service and to fix them in it’s own service, FlagPoints will decrease during the game but will never fall down to 0. If the team can only fix vulns but not exploit them, it’s FlagPoints will not change. At the beginning all teams have equal FlagPoints.

Flag's price is the number of FlagPoints got by attackers for stealing the flag from the victim.

Flag's lifetime is the amount of time during which the flag should be available in the service for checksystem. Teams should steal the flag and post it to checksystem until it is expired.

FlagPoints (team, service) decreases by the maximum value equal to the number of the teams for each stolen flag.

FlagPoints (team, service) If the flag was stolen from a team that was higher on the scoreboard in the previous round, the team that has stolen the flag earns the maximum number of FlagPoints(which is equal to the number of teams, as it was mentioned). If flag was stolen from a team that was below your team on the scoreboard, the number of FlagPoints will decrease exponentially down to 1.

FlagPoints score at the moment of each flag's expiration.

Luckily all this complex text can be expressed in pseudocode:

    def on_game_start(team):
        team.sla = [1] * number_of_services
        team.flagpoints = [0] * number_of_services

    def on_flag_post(attacker, flag):
        victim = flag.owner
        victim_pos = scoreboard[victim]
        attacker_pos = scoreboard[attacker]
        service = flag.service
        max = number_of_teams

        flag_score = attacker_pos > victim_pos ? max : exp(log(max) * (max - victim_pos) / (max - attacker_pos))

        attacker.flagpoints[service] += flag_score
        victim.flagpoints[service] -= min(victim.flagpoints[service], flag_score)

    def get_score(team):
        return sum(map(lambda x: x[0] * x[1], zip(team.sla, team.flagpoints)))


During the game, scoreboard will be available at
You can submit stolen flags to, TCP port 31337

Teams are ranged by total score.

Apart from FlagPoints, SLA and total score, scoreboard shows statuses of each service. Statuses are as following:

  • OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.
  • MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn't respond on request.
  • CORRUPT — means that service is online, but past flags cannot be retrieved.
  • DOWN — means that service is offline.