The Rules

First of all, the aim of this challenge is not to find out the best team. We sincerely believe that true professionals are incomparable. The main goal of RuCTFE is to share the experience and knowledge in computer security, and to have some fun together. Nevertheless, the luckiest team will become a winner.

It is difficult to give a complete set of rules for the CTF challenge, so these rules can change at any moment before the challenge starts. Be sure to check with this page once again. Just in case :)



A group of people with a captain.


A vulnerable application written for the challenge.


A string that matches regex: /^\w{31}=$/.

Game round

A period of time for checksystem to check and score all the teams. It usually takes from 5 to 15 minutes.


A group of people that runs the whole competition. Organizers do their best to provide quality and fun to all participants. Still organizers are to penalize/disqualify team for rules violation and to solve the critical situations not described in these rules. Teams should be prepared to meet such decisions with understanding. Also organizers do determine the winner. In general, this decision is based on the scoreboard.

Teams are allowed to

  • Do whatever they want within their network segment. Most likely the team would like to patch vulnerabilities in their services or block exploitation of vulnerabilities;
  • Attack other teams. Didn't expect that, huh?

Teams are prohibited to

  • Filter out other teams' traffic;
  • Generate large amount of traffic that poses a threat to network stability of organizers facilities;
  • Generate large amount of traffic that poses a threat to network stability of any other team;
  • Attack teams outside of the VPN;
  • Attack the game infrastructure facilities operated by organizers.

Game structure

Before the competition all teams are divided into three initial groups by lot. The draw is held by the script that tries to form equally balanced groups based on past RuCTFE statistics and data. Draw results are available before the competition so the teams can adjust their strategy.

The competition begins when the organizers announce vulnerable image GPG key. Since then the whole game time is divided into four periods:

  1. For the first hour network segments are closed, and teams should concentrate on initial vulnbox administration and vulnerabilities analysis.
  2. For the next three hours network segments are opened, and three initial groups play independently. Teams from one group cannot access teams from another group. Each group has its own scoreboard.
  3. After three hours there is 5 minutes break for organizers to rearrange groups. 10 best teams of each initial group will form the new group (A), consisting of 30 teams. Other teams will form the second tier (B). All scores are zeroed. The network is closed during the rearrangement.
  4. For the last five hours network segments are opened again, and two new groups play independently. Teams from one group cannot access teams from another group. Each group has its own scoreboard.

The final scoreboard is merely a join of two scoreboards, A goes first. Which effectively means that team from second tier cannot take place higher than 31st. Prepare to show off in the first three hours.

The main idea behind such structure is to focus tough teams on each other. The other bright side is that rookie teams will have far more opportunities against another rookie teams than against tough ones.

Scoring system

In a nutshell each team is given points in 2 categories: defense - for the correct work of their services and attack - for capturing flags from others teams' services respectively. The detailed description of scoring is as follows:

  • Team gets +1 defense score for confidentiality for each own team's old flag that was not posted by another team during flag's lifetime.
  • Each round team gets +1 defense score for integrity and availability for each service that is up and running and provides its general functions, is able to recall recent flags and store the new one.
  • Team gets an attack score for submitting the flag if it has the corresponding service in UP state. First team to post gets +2, rest team gets +1.
  • Team can get a score by organizers special decision, which happens quite rarely and generally means that checksystem has failed.
  • In each category team's score is a percent from the leader's category score
  • Scores from all categories are summed
  • Total score is again a percent from the leader's total score


Apart from attack, defense and total scores, scoreboard shows statuses of each service. Statuses are as following:

  • OK means that service is online, serves the requests and behaves as expected.
  • MUMBLE means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn't respond on request.
  • CORRUPT means that service is online, but past flags cannot be retrieved.
  • DOWN means that service is offline.