What is this whole thing about?
CTF (Capture the Flag) competitions are contests in the area of IT security. In an attack-defense CTF like FAUST CTF, teams attack each other in a special network cut off from the outside world. For more information, see CTF? WTF?.
Who may participate in FAUST CTF?
Basically everyone! We are not limited to academic teams or such. Participation is free, and all teams will be eligible for prize pay-outs.
What constitutes a team and do I have to join one?
While you may register a team on your own, we highly recommend playing with a larger group of people. The workload during the competition probably won't be manageable alone and it will be more fun with a group anyway.
Typical teams consist of five to twenty people.
Is the competition suitable for beginners?
We want the CTF to be fun for everyone, not just for those who compete for the first ranks. That being said, getting started on your own will be quite hard.
We encourage you to look for a team at a local university or hackerspace. If there is an existing team, they will hopefully introduce you to the basics of CTF playing. If there is none, you may find like-minded people to establish one!
Another good way to pick up the skills for an attack-defense CTF are the many jeopardy CTFs round the year. There, you will have more time to focus on a specific problem.
What skills should we have?
The competition will cover different topics from the area of security, e.g. web security and reverse engineering. If you don't have much previous knowledge, web security may be a good field to start.
Besides that, specific domain knowledge is obviously helpful: If you happen to know the framework or programming language a service is using, this is of course an advantage – but hard to prepare for.
It will certainly be helpful to have a decent understanding of (the administration of) Linux/UNIX systems and networking.
We've only played jeopardy CTFs before. How do we get started with attack/defense?
Have a look at Attack/Defense for Beginners and Basic Vulnbox Hosting.
What are the hardware requirements for Vulnbox hosting?
We recommend at least 3 CPU cores and 6 GB of RAM assigned to the Vulnbox VM.
How will I log into the Vulnbox/test image?
As soon as the system is booted up, you will be able to log in as user root
without any password on a TTY (serial or console, but not via SSH). There's no need to "root" your system (start into a shell from the bootloader).
How can I check whether my VPN is set up correctly?
Everything should be fine if you can ping the gateway (10.65.<team_ID>.1
) from the (test) Vulnbox.
My team mate tried to connect to the VPN and it doesn't work!
The OpenVPN configs we distribute use topology p2p
. This means that they're only suitable for connecting two hosts with each other, your team router and our gateway. If you can't directly attach team members to the team router (e.g. because your team is split across multiple locations), you'll have to build an additional VPN yourself.
I can't start OpenVPN with the config file on Arch Linux because of this error: "failed to find GID for group nogroup"
Change the group to nobody
.
What is that strange SSH key on my Vulnbox? I didn't add it!
We have a backup key on all Vulnboxes, for example for delivering hotfixes. Feel free to remove it, but that will make life harder for you and us.
This is the legit key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMIhG3OljzqMpQWfoXFLPABfimQTlfoxPPwDWKHSDeK
Fingerprint: SHA256:TsGMABTOSt7oZNJyULiQfekpGqaz7OTAuAeVNUrfzk8