FAUST CTF is an IT security competition for teams of one or more members ("the teams", "the participants" or "you"). It is organized by FAU Security Team ("the Organizing Team" or "we") on behalf of Fachschaft der Technischen Fakultät Erlangen e.V.

As events happening during a CTF competition are hard to foresee, these rules may be enhanced or changed at any time before or during the competition. Changes will be announced via email, IRC (#faustctf on Freenode) and/or the Organizing Team's Twitter account. In cases not covered by the rules, we will decide according to our own judgement.


The password for Vulnbox decryption will be released at 2017-05-26 13:00 UTC via email, IRC and Twitter. Network connections between teams are enabled one hour later, at which point Gameserver traffic and scoring starts as well. The competition is then planned to run for eight hours, but might be expanded.

One tick lasts three minutes. The Gameserver checks the functioning of each service once per tick and places a new flag. Therefore, one flag exists per tick, service and team. Flags can be submitted within five ticks from their generation.


The total score is the sum of the individual scores for each service. The score per service is made up of three components:

  • Offense: Points for flags captured from other teams (except the "NOP team") and submitted to the Gameserver within their validity period
  • Defense: Points for not letting other teams capture your flags
  • SLA: Points for the availability and correct behavior of your services

Scores per Service

For each service, the component scores for a team are calculated as in this Python-like pseudocode:


offense = count(flags_captured_by[team])
for flag in flags_captured_by[team]:
    offense += (1 / count(all_captures_of[flag]))


defense = 0
for flag in flags_owned_by[team]:
    defense -= sqrt(count(all_captures_of[flag]))


sla = (count(ticks_with_status['up'] + 0.5 * ticks_with_status['recovering'])) * sqrt(count(teams))

Total Score

total = 0
for service in services:
    total += offense[service] + defense[service] + sla[service]

Bug Bounty

Responsible disclosure of vulnerabilities and serious bugs in our infrastructure or rules will be rewarded with bonus points according to our judgement as well as eternal fame.

Results & Prizes

During the contest, a preliminary live scoreboard is provided. The official final results will be published by the Organizing Team after the competition. The scores in the contest might not be a good representation of your actual skills, so we encourage you to focus on gaining experience and having fun.

Nevertheless, the following prizes will be payed out to the best-ranked teams:

  • First place: 512 Euros
  • Second place: 256 Euros
  • Third place: 128 Euros

An additional "first blood" award of 32 Euros per service will go to the first team which exploits that service. To be eligible for this award, teams have to submit a valid flag and publish a write-up (explanation of the exploit) after the competition. The exploit must work against the "NOP team" (an unaltered Vulnbox run by the Organizing Team).

We will do our best to get the price money to the winners smoothly. Please understand that potential transaction fees will have to be covered by you. For regulatory reasons, we might also require you to specify payment information for each of your team members and transfer the prize money split to them.

Technical Behavior

The Vulnboxes of other teams are the sole target for exploitation, attacks against competition infrastructure or any other portion of a team's network (inside or outside of the VPN) are forbidden.

Causing unnecessarily high loads for CPU, traffic, memory, I/O, etc. ("denial of service") on our infrastructure, other teams (including Vulnboxes) or any other party is also strictly prohibited. Breaking a service of another team through sheer amount of requests is forbidden, breaking it through a vulnerability is OK as long as it does not lead to resource spikes. But remember that preventing yourself from stealing their flags won't do you any good.

Despite these policies, all participants are responsible for the security of their own hard- and software. We will do our best to enforce the rules, but cannot give any guarantees for other participant's behavior. FAU Security Team and Fachschaft der Technischen Fakultät Erlangen e.V. are not liable for any potential damage to your equipment.

Teams are prohibited to filter connections to services on the Vulnbox, as long as the services don't cause unreasonably high loads. Vulnerabilities should be patched by fixing the actual bug in the service.

Social Conduct

The goal of FAUST CTF is to allow people to practice their skills and have fun. We ask you to avoid spoiling other's fun unnecessarily.

We want the competition to be a pleasant experience for all participants, regardless of their gender, sexual orientation, race, religion, skill level, personal background or any other criteria. Therefore, we do not tolerate harassment in any form.

This especially applies to our official communication channels, i.e. IRC and Twitter. Misbehavior may lead to a ban from these communication channels and ultimately, the same consequences as for any other rule violation (see below). We ask everyone to speak English in the IRC channel, so that all participants know what's going on.


Violation of the rules or any other hostile behavior may lead to deduction of points, temporary or permanent exclusion from the competition or any other measure deemed appropriate by the Organizing Team.

We suggest every team to have at least one representative in our IRC channel with a nick starting with the team name. In case of problems this will be our first point of contact, because email delivery can be slow. If we want to stop you from doing something and are not able to reach you as fast as the issue requires, we might temporarily kill your VPN connection in order to get your attention.