First of all, the aim of this challenge is not to find out the best team. We sincerely believe that true professionals are incomparable. The main goal of RuCTFE is to share the experience and knowledge in computer security, and to have some fun together. Nevertheless, the luckiest team will become a winner.

It is difficult to give a complete set of rules for the CTF challenge, so these rules can change at any moment before the challenge starts. Be sure to check with this page once again. Just in case :)



A group of people with a captain.


A vulnerable application written for the challenge.


A string that matches regex: /^\w{31}=$/.


A period of time for checksystem to check and score all the teams. It usually takes about 2 minutes.


A group of people that runs the whole competition. Organizers do their best to provide quality and fun to all participants. Still organizers are to penalize/disqualify teams for rules violation and to solve the critical situations not described in these rules. Teams should be prepared to meet such decisions with understanding. Also organizers do determine the winner. In general, this decision is based on the scoreboard.


  • Do whatever they want within their network segment. Most likely the team wouldlike to patch vulnerabilities in their services or block exploitation of vulnerabilities;
  • Attack other teams. Didn't expect that, huh?


  • Filter out other teams' traffic;
  • Generate large amount of traffic that poses a threat to network stability of organizers facilities;
  • Generate large amount of traffic that poses a threat to network stability of any other team;
  • Attack teams outside of the VPN;
  • Attack the game infrastructure facilities operated by organizers.


The competition begins when the organizers announce vulnerable image decryption key. Since then the whole game time is divided into two periods:

  1. For the first hour network segments are closed, and teams should concentrate on initial vulnbox administration and vulnerabilities analysis.
  2. For the next 8 hours network segments are opened


Each team's score is calculated as: Score = FlagPoints * SLA

Each flag costs some FlagPoints (equal to a total number of registered teams).

At the game start, all teams have equal FlagPoints. When team steals a flag from another team and sends it to jury, it earns FlagPoints for that flag if it has the corresponding service in UP state. When team’s flag is stolen by another team, team looses FlagPoints for that flag.

FlagPoints is a non-negative number during all the game.

Checksystem puts flags to teams’ services during the whole game. But if TeamA has 0 FlagPoints, and TeamB steals TeamA's flag and sends it to jury, TeamA still has 0 FlagPoints. And TeamB earns 0 FlagsPoints for that flag.

If several teams steal the same flag, that flag's points are divided between them in equal portions.

All flags have an equal lifetime period (by default 15 min). If team sends jury too old flag, it earns 0 points. FlagPoints' changes are taken in account only when the flag's lifetime is over. At that moment FlagPoints for the flag (if it has been stolen) are redistributed between teams (added to attackers, and subtracted from victim).

SLA is a fractional number between 0 and 1. It reflects availability of your services. If all your services never go down, SLA will be equal to 1. If half of your services never go down, and another half is always down, SLA will be 0.5.


During the game, scoreboard will be available at

Teams are ranged by total score.

Apart from FlagPoints, SLA and total score, scoreboard shows statuses of each service. Statuses are as following:

  • OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.
  • MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn't respond on request.
  • CORRUPT — means that service is online, but past flags cannot be retrieved.
  • DOWN — means that service is offline.

Before the game and during the game, network checks are available at