The 2018 iCTF is an online attack-defense competition (i.e., it is not a Jeopardy-style security competition). Every team is given access to an instance that has a number of vulnerable services. The goal of the teams is to analyze the services, find the vulnerabilities, and use them to attack the services of the other teams. Of course, each team should also patch its services to protect them from attacks. A successful attack is able to steal a flag, which is a unique piece of information that is associated with the service and is periodically updated. Each service has multiple flags; to demonstrate the ability to actively exploit the service, a team must steal the correct flag, which is identified by a flag ID.

The game is divided in ticks. For every tick, every service of every team is associated with a certain amount of points (e.g., 50 points). If the service is up, functional, and unexploited, that team will get all 50 points for the service. However, if the service is down or non-functional (the SLA checks fail) their 50 points will be divided between all the teams that have that service up during that round. If the service is exploited, the associated 50 points will be divided between all of the teams that exploited the service during that tick.

NEW THIS YEAR: To encourage more competative play, this year, we will only score flag captures against teams higher on the scoreboard than the capturing team, with the exception of the top 10 teams, who may score against each other freely. For example, the team in 30th place, can attack teams in the 1-29th places for points, while the team in 2nd place can attack teams in 1-10th places.


Teams interact with the game using the team interface, which is a Python module that allows teams to submit flags and perform other team-related operations.

There are a few things that are not allowed.

First of all, denial-of-service attacks against the infrastructure or other teams are not tolerated, and are ground for being thrown out of the competition.

Also, any attacks against the infrastructure are discouraged.

If you find a problem with our infrastructure, please let us know, so that we can fix it and improve the overall quality of the game.

We make all of our code open-source, so that other researchers and practitioners can benefit from it.

We know that this comes with risks, and we are aware that software always has bugs.

Team cooperation is prohibited.

Suspicious patterns will be detected, and the involved teams banned from the competition.

Finally, we reserve the right to exclude from the competition teams that appear to be inactive. The team instances cost money, and unless we see a team having an active role in the competition we will consider the team to have quit and left the competition. If you think that your instance has been taken down by mistake, please let the organizers know.