FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its second edition took place on 26 May 2017.

View Scoreboard


Yesterday's second edition of FAUST CTF was and a lot of fun for us and really successful. We watched an exciting race for the top places, interesting exploits, mostly fair play and smoothly running infrastructure (at least for the most part).

We congretulate the top teams, which are:

  1. Bushwhackers, 27460 points
  2. EatSleepPwnRepeat, 22630 points
  3. saarsec, 21421 points

The first valid flags per service were submitted by:

  • Smartscale: saarsec, tick 11 (as soon as submission started working)
  • Toaster: Bushwhackers, tick 11 (as soon as submission started working) – beat M.I.S.T by 17 seconds
  • Tempsense: Bushwhackers, tick 13
  • Toilet: khack40, tick 16
  • Doodle: EatSleepPwnRepeat, tick 24
  • Alexa: TokyoWesterns, tick 62 – beat c00kies@venice by 2.5 minutes
  • Smartmeter: EatSleepPwnRepeat, tick 69
  • Doedel: Bushwhackers, tick 80

These teams are eligible four our "first blood" awards if they publish a write-up within the next weeks.

We will be in touch with the winners soon to figure out prize pay-out details. We thank all teams for participating, hope you had fun and see you next year!


The competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.

The vulnbox decryption password will be released at 2017-05-26 13:00 UTC. The actual competition will start at 14:00 UTC and presumably run for eight hours.


Thanks to our prime sponsor SySS, we can again provide nice prize money:

  • First place: 512 €
  • Second place: 256 €
  • Third place: 128 €

Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 32 €.


Vulnbox Patches

We will now deploy some hotfixes to the Vulnboxes. If you left our SSH key on your Vulnbox, you shouldn’t notice. Else, please get the files toaster.service and uwsgi.service put them into /etc/systemd/system. If you already edited those files yourself, we put them next to the others with extension „.patched“.

Vulnbox Password

The decryption password for the Vulnbox is: "0n th3 1nt3rn3t 0f th1ng5 n0b0dy kn0w5 y0u ar3 a fr1dg3" (without quotes)

Vulnbox Images Available for Download

We have prepared the download for the Vulnbox images. Please download one of these two images:

Remember, the decryption password will be released once the competition starts at 13:00 UTC.

If you haven't set up your network yet, better do so very soon: The closer the CTF, the less we will be able to assist you in case of problems.

Registration closed, Rules released

With less than 24 hours till the competition and 182 registered teams, we have now closed the registration.

We have also released our rules. Make sure to read and understand them, as they are binding for all participants!

Registration about to close

We're planning to close registration at 2017-05-25 13:00 UTC. So if you wanna participate and haven't registered yet, make sure to do that soon.

VPN configs and Test Vulnbox out

We just emailed OpenVPN configs to all teams which have registered so far. If you're going to register now, you will still get a VPN config but you'll have to wait a bit until we send out the next batch.

A test Vulnbox image to check your VPN and virtualization setup is available in OVA and QCOW2 format. The decryption password for both images is "test".

Please set up and test your network soon, as we will only be able to provide limited support during the competition. If you don't know how to do this, have a look at Basic Vulnbox Hosting.

Registration open

After a long wait, this year's website is finally online and the registration is open. The CTF is already around the corner, so make sure to sign up now.

Supported by

SySS ERNW Siemens noris network

Organized by