This page describes the technical details for participation in FAUST CTF. If you're looking for a guide on how to get the Vulnbox running, have a look at Basic Vulnbox Hosting.

Vulnbox

The Vulnbox image will be available as an x86-64 image in OVA and QCOW2 format. This means it should run in VirtualBox, QEMU/KVM and other hypervisors.

Note that this year, our hardware requirements are a bit higher than in the past: We suggest giving your VM at least 3 CPU cores and 6 GB of RAM. Support for hardware virtualization (VT-x) is still highly recommended.

A test image to check your virtualization setup will be available. To also check your networking setup, the VPN will be online as soon as the test image is available.

Network

We will send out OpenVPN configs containing the required passwords when the VPN is online. OpenVPN is supposed to run on a router box under your responsibility. This might be another VM, the box which hosts the hypervisor, or a completely different machine.

You probably want to reach the competition network (your Vulnbox, flag submission etc.) from your team member's personal computers. The easiest way to achieve this is to use the "team network" IP space delegated to you (although you might want to firewall connections originating from the vulnbox to the team's computers).

Graphic of network setup and IP ranges

IP Ranges Overview

  • VPN routing networks:
    • 10.65.<team_ID>.1: Competiton gateway
    • 10.65.<team_ID>.2: Team router
  • Team networks: 10.66.<team_ID>.0/24
    • Vulnbox: 10.66.<team_ID>.2
    • Testing Vulnbox: 10.66.<team_ID>.3
  • Competition infrastructure (flag submission etc.): 10.67.0.0/16

NOP Team

A mostly unaltered Vulnbox to check your exploits against will be available with team ID 1 (i.e. IP 10.66.1.2). No vulnerabilities will be patched on this machine, but it will receive new flags (which of course won't be valid for submission) and be checked by the Gameserver.

Exploitation

You will run attacks against other teams from your infrastructure, using your own tools.

Flag submission will be possible using a plaintext protocol on submission.faustctf.net:666 from within the competition network.

Flag Format

Flags will match this regular expression: FAUST_[A-Za-z0-9/\\+]{32}

Flag IDs

Some (but not all) services come with flag IDs. Flag IDs are identifiers that help you access the flags that are still valid (like usernames or database IDs), without having to search through all of them. The current set of IDs will be provided in JSON format on https://2019.faustctf.net/flagid.json. The format looks like this:

{
  "service1": {
    "10.66.6.2": [
      "822a8af2b9643caeacbbe2f8c1118936e8148baf323904fe0f735cb2a710679e",
      "0ab55fed1ef6534848812ae538c99daee97bdb052cf155ab914e185caab27d1e",
      "6524c055b1484c4cb5db18410f71970b3f82626b48f8f8b3aa13422a60f19d21"
    ],
    "10.66.2.2": [
      "44d7419d2de7bd72d09738da2059bba7ff1b147acf28dbf8b483b033598ce2b1",
      "dcb4bafe7429454dcba0b1e9082be69574d95cec9262311d72e6595148d1c72e",
      "69c5cba76caa2c49583ddce0c9a7cc8be63ecb99171fb10569af7bbb4b8eb017"
    ]
  },
  "service2": {
    "10.66.6.2": [
      "noXGLHYwZNPpftDBxmql",
      "JWIpSrPtbexwjNORnZzY",
      "PVfNDdEbrMKUlzIXuTmB"
    ],
    "10.66.2.2": [
      "gNTBaxzucwXqVRpOCFJe",
      "rlaXnyxczukBNwfdSZLC",
      "EmaWSrdynQGUZxhiNTBe"
    ]
  }
}

Service Status

The Gamerserver's checks for the functioning of a service have one of these results:

  • up: Everything is working fine
  • flag not found: The service seems to be working, but flags from past ticks cannot be retrieved
  • recovering: Flags from more recent ticks can be retrieved, but flags from previous ticks are still missing
  • faulty: The service is reachable, but not working correctly
  • down: The service is not reachable at all, e.g. because the port is closed or a timeout occured

Info on TCP and HTTP Connections

Please note that we're intercepting TCP connections to the services of other teams and so you won't get any TCP RST or ICMP unreachable packets. Instead, the connections will get closed (HTTP 503 and/or TCP FIN) after a timeout, or when the other vulnbox is down. Note that when using netcat, you might not notice this immediately as the connection will be in half-open state. If you run into unexplainable TCP or HTTP issues, please contact us.