Setup

Summary

  • CTF starts 2025-10-08 08:00 UTC. Network opens 09:00 UTC. Game ends 16:00 UTC.
  • A round is 60 seconds, flags are valid and checked for 5 rounds.
  • Flag format: ECSC\{[A-Za-z0-9_-]{32}\}
  • Public scoreboard at https://scoreboard.ad.ecsc2025.pl, internal at 10.42.251.2 (vpn only)
  • Submit flags: nc 10.42.251.2 1337 (vpn only)
  • Attack info at http://10.42.251.2:8080/api/v1/attack_info (vpn only)
  • What is attack info? Read this.

Game network
10.42.0.0/16
Team Network
10.42.<TEAM>.0/24
Vulnbox IP
10.42.<TEAM>.2
Game Router IP
10.42.<TEAM>.254

Cloud-hosted Setup

We host a vulnbox and an exploiter for you. You need to enter the ssh keys we should deploy to them on this page.

Captains:
  1. Sign onto the platform with the credentials you received via E-Mail (along with Discord auth tokens).
  2. Let your teammates register by giving them the magic join link from the profile page.
  3. You can promote members of your team to technician give them control over VMs and SSH keys.
  4. When the game starts, go to your team page start the cloud-hosted VMs are running.
Players:
  1. Use the join link from your captain to register yourself.
  2. In your team profile you should see at least one WireGuard config.
    These configs are assigned to you. Hover a key to download it.
  3. Use the downloaded config to connect to the WireGuard VPN: sudo wg-quick up ./ctf-vpn.conf
  4. Check that you can ping 10.42.251.2 - if so, the VPN connection works.
Some Hints:
  • Each player needs their own configuration file - it is not possible to use the same configuration across machines.
  • Changes to the SSH Keys will not be propagated to the Exploiter / Vulnbox after they were created.


A few words about WireGuard

All machines are connected to the game network using WireGuard.
Thus, there are a few fundamental aspects of our setup relating to WireGuard, that everyone should be aware of:

  1. One key-pair - One connection: You can not simultaneously connect from multiple machines using the same key-pair. If you want to connect multiple machines, you need to create multiple key-pairs and enter the public keys on this webpage.
  2. wg-quick and configuration files: The fastest way of setting up a WireGuard connection is downloading the configuration file and running wg-quick up ./ctf-vpn.conf.
  3. Disconnecting: wg-quick will create a network interface with the same name as the config file by default. To disconnect, run a matching wg-quick down ./ctf-vpn.conf or simply delete the interface: ip link del <IFACE>.
  4. Checking connection status: Simply run: sudo wg
  5. No automatic reconfiguration of clients: Key-pairs are assigned to ip-addresses. If for some reason the configuration changes, you also need to adjust the configration on the client - manually or by downloading the config file again.
  6. Troubling ISPs (Infra Demo): It seems that there are occasional misconfigurations from ISPs causing very elusive problems with WireGuard connections, especially common with DSL Internet connections. A typical manifestation is: HTTP works but SSH doesn't, or the connection over the VPN is simply slow. These problems can usually be resolved by adding MTU=1300 to the [Interface] section of your config file and re-connecting. It might also be necessary to set the MTU even lower.

Service status

Every tick the checkers tests your services and returns one of the following statuses:

  • SUCCESS — Service is working, you receive SLA points.
  • RECOVERING — Service is working, but flags from a previous round are missing.
  • MUMBLE — Service is accessible but non-functional.
  • OFFLINE — Service can't be accessed, error on network layer.
  • ERROR — The checker was unable to establish a connection.

If your service is broken, you can see more details in the scoreboard.



Dont forget to read the wiki!