FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its fourth edition took place on 25 May 2019.



What a surprise, Bushwhackers won FAUST CTF the fourth time in a row, and scored surpassing 27892.61 points. The complete top-three teams are:

  1. Bushwhackers, 27892.61 points
  2. SPbCTF, 21805.27 points
  3. saarsec, 20235.37 points

Final "first blood" awards go to:

We thank all participating teams, apologize for our technical issues and hope everybody still had fun!


The competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.

The vulnbox decryption password will be released at 2019-05-25 13:00 UTC. The actual competition will start at 14:00 UTC and run for eight hours.


Thanks to our sponsors, we can again provide nice prize money:
  • First place: 512 €
  • Second place: 256 €
  • Third place: 128 €

Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.


Vulnbox Hotfix 2

We hope that you all have fun.

Furthermore, we will deploy a second hotfix to the Vulnboxes now. If you left our SSH key on your Vulnbox, you shouldn’t notice.

Else, please change /srv/responsivesecurity/client/encrypted_storage.js with the file you find here

Vulnbox Hotfix

We will deploy some hotfixes to the Vulnboxes now. If you left our SSH key on your Vulnbox, you shouldn’t notice.

Else, please change the following files with the files you find here

  • /srv/two-factor-apache/cgi-bin/app/authenticate.py
  • /srv/two-factor-apache/data/pam-2fapache
  • /srv/responsivesecurity/client/main.js


The vulnbox password is out! "L1th1Um_N1Cke1_Z1nC_-_Th!s_!s_a11_we_n33d_!n_the_tw3nty_f!rst_C3ntury!" (without quotes). Enjoy!

VPN Config

Aaaand the last batch of VPN configs has been sent out. See you at 13:00 UTC!

Vulnbox Downloads

FAUST proudly presents you the final Vulnboxes for FAUST CTF. The boxes should have the IP 10.66.<team_ID>.2 configured.

On first login, the Vulnbox will ask you for your team ID and configure itself properly. You can log into the box as root with an empty password using any of the following ways:

  • Use the graphical console of your virtualization software
  • Connect to the serial port of the VM (may need configuration)

If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.

We provide two options for download:

Both images are encrypted with a password and are otherwise identical, so use the one that best fits your needs. The password will be released via Twitter, IRC and email at 13:00 UTC today.

To verify the integrity of your download, you may check the SHA256 sum:

29a71c4379bf4ec485b99c2d1c0ab47f00dc664fbc3e715707f1e1a1763a80d7 vulnbox.ova.gpg
796e1c795b3af6d3465e9008f20e9c0f6626a82a73f92fedd6f2c2c501a78455 vulnbox.qcow2.gpg

To decrypt the vulnbox, use:

gpg --decrypt-files vulnbox.ova.gpg

Registration closed

With less than 4 hours till the competition and over 200 registered teams, we have now closed the registration.

We are looking forward to a great CTF!

Registration open

Some teams already noticed but now it is official, this year's website is online and the registration is open. The CTF is already around the corner, so make sure to sign up now.

Supported by

BMW Car IT ERNW SYSS noris network

Organized by