FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its fourth edition took place on 25 May 2019.
ScoreboardResults
What a surprise, Bushwhackers won FAUST CTF the fourth time in a row, and scored surpassing 27892.61 points. The complete top-three teams are:
- Bushwhackers, 27892.61 points
- SPbCTF, 21805.27 points
- saarsec, 20235.37 points
Final "first blood" awards go to:
- ENOFLAG: PostHorn (write-up)
- Corrupted Lights: ptth (write-up)
- Bushwhackers: Happy Birthday GDPR (write-up)
SIGFLAGSPbCTF: SL Online Compiler (write-up)- Bushwhackers: punchymclochface (write-up)
- saarsec: 2fapache (write-up)
We thank all participating teams, apologize for our technical issues and hope everybody still had fun!
Facts
The competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.
The vulnbox decryption password will be released at 2019-05-25 13:00 UTC. The actual competition will start at 14:00 UTC and run for eight hours.
Prizes
Thanks to our sponsors, we can again provide nice prize money:- First place: 512 €
- Second place: 256 €
- Third place: 128 €
Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.
News
Vulnbox Hotfix 2
We hope that you all have fun.
Furthermore, we will deploy a second hotfix to the Vulnboxes now. If you left our SSH key on your Vulnbox, you shouldn’t notice.
Else, please change /srv/responsivesecurity/client/encrypted_storage.js
with the file you find here
Vulnbox Hotfix
We will deploy some hotfixes to the Vulnboxes now. If you left our SSH key on your Vulnbox, you shouldn’t notice.
Else, please change the following files with the files you find here
- /srv/two-factor-apache/cgi-bin/app/authenticate.py
- /srv/two-factor-apache/data/pam-2fapache
- /srv/responsivesecurity/client/main.js
Password
The vulnbox password is out! "L1th1Um_N1Cke1_Z1nC_-_Th!s_!s_a11_we_n33d_!n_the_tw3nty_f!rst_C3ntury!" (without quotes). Enjoy!
VPN Config
Aaaand the last batch of VPN configs has been sent out. See you at 13:00 UTC!
Vulnbox Downloads
FAUST proudly presents you the final Vulnboxes for FAUST CTF. The boxes should have the IP 10.66.<team_ID>.2
configured.
On first login, the Vulnbox will ask you for your team ID and configure itself properly. You can log into the box as root with an empty password using any of the following ways:
- Use the graphical console of your virtualization software
- Connect to the serial port of the VM (may need configuration)
If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.
We provide two options for download:
- An OVA container and has been tested with VirtualBox
- A QCOW2 image tested with libvirt/KVM
Both images are encrypted with a password and are otherwise identical, so use the one that best fits your needs. The password will be released via Twitter, IRC and email at 13:00 UTC today.
To verify the integrity of your download, you may check the SHA256 sum:
29a71c4379bf4ec485b99c2d1c0ab47f00dc664fbc3e715707f1e1a1763a80d7 vulnbox.ova.gpg
796e1c795b3af6d3465e9008f20e9c0f6626a82a73f92fedd6f2c2c501a78455 vulnbox.qcow2.gpg
To decrypt the vulnbox, use:
gpg --decrypt-files vulnbox.ova.gpg
Registration closed
With less than 4 hours till the competition and over 200 registered teams, we have now closed the registration.
We are looking forward to a great CTF!
Registration open
Some teams already noticed but now it is official, this year's website is online and the registration is open. The CTF is already around the corner, so make sure to sign up now.