What is this whole thing about?

CTF (Capture the Flag) competitions are contests in the area of IT security. In an attack-defense CTF like FAUST CTF, teams attack each other in a special network cut off from the outside world. For more information, see CTF? WTF?.

Who may participate in FAUST CTF?

Basically everyone! We are not limited to academic teams and can't really check your academic affiliation anyway, so all teams will be eligible for prize pay-outs.

What constitutes a team and do I have to join one?

While you may register a team on your own, we highly recommend playing with a larger group of people. The workload during the competition probably won't be manageable alone and it will be more fun with a group anyway.

Typical teams consist of five to twenty people.

Is the competition suitable for beginners?

We want the CTF to be fun for everyone, not just for those who compete for the first ranks. That being said, getting started on your own will be quite hard.

We encourage you to look for a team at a local university or hackerspace. If there is an existing team, they will hopefully introduce you to the basics of CTF playing. If there is none, you may find like-minded people to establish one!

Another good way to pick up the skills for an attack-defense CTF are the many jeopardy CTFs round the year. There, you will have more time to focus on a specific problem.

What skills should we have?

The competition will cover different topics from the area of security, e.g. web security and reverse engineering. If you don't have much previous knowledge, web security may be a good field to start.

Besides that, specific domain knowledge is obviously helpful: If you happen to know the framework or programming language a service is using, this is of course an advantage – but hard to prepare for.

It will certainly be helpful to have a decent understanding of (the administration of) Linux/UNIX systems and networking.

We've only played jeopardy CTFs before. How do we get started with attack/defense?

Have a look at Attack/defense for beginners.

Where is the scoreboard?

The scoreboard is here

Do teams have to submit vulnerable services?

No, all services are written by us. You just download the image, run it and find vulnerabilities. As far as we know, this year's iCTF was the first (and so far only) CTF ever where teams had to write their own services.

How many teams are there?

Here is a list of active teams: click

How can I check whether my VPN is set up correctly?

Unfortunately, we didn't get around to release to network status page we were aiming at. But everything should be fine if you can ping submission.faustctf.net at and try to submit a flag on port 666.

How will I log into the vulnbox/test image?

As soon as the system is booted up, you will be able to log in as user root without any password on a TTY (but not via SSH). There's no need to "root" your system (start into a shell) from the bootloader.

I have some troubles connecting the VM to your network

If OpenVPN and VirtualBox run on the same machine, it should be as easy as:

  1. Use host-only network in VirtualBox
  2. Configure VirtualBox to use 10.66..1 for vboxnet0
  3. Enable IP forwarding on the host

If you have a team network with 10.66..xx, use bridge networking in VirtualBox instead of host-only.

I can't start OpenVPN with the config file on Arch Linux because of this error: "failed to find GID for group nogroup"

Change the group to nobody.