A cybersecurity Capture The Flag (CTF) event is a competition designed to test a variety of computer skills. There are different types of CTFs, but this one is jeopardy-style. Your goal as a competitor will be to solve a series of security-related tasks by analyzing provided materials (a log file, an encrypted message) or breaking into a vulnerable application.

The goal of each CTF challenge is to find a "flag," which is a string of text that you can submit for points. For example, flags can be obtained by cracking ciphers, hacking into vulnerable websites, analyzing log files, etc. Each challenge will provide you with the information you need to get started.

1. You may participate as an individual or in teams of up to 4 players. Each individual must register separately. No account sharing is allowed.
    
2. There are separate prize tiers for teams and individual competitors.
   1. 1st, 2nd, and 3rd place teams will win $3,000, $2,000, and $1,000 per team respectively.
   2. 1st, 2nd, and 3rd place individuals will win $1,500, $1,000, and $500 respectively.
   3. Additional prizes may be awarded.
       
3. By default, teams with only one competitor will be placed in the "Individual" tier. Individuals may choose to participate in the "Team" tier by contacting the competition organizers but they may not move back to the “Individual” tier. Teams are allowed to merge or switch players. Any tier or team change requests must be communicated to the competition organizers no later than 8pm PT on February 19th, 2025. If you would like to change your team registration or move to a different team, please contact support@metactf.com.
    
4. The prize money will be awarded to the individual who first creates the team in the MetaCTF platform. That individual will be responsible for splitting the money amongst the team members. OR The prize money will be equally distributed between the team players.
    
5. All players must check in at the conference in-person. You may compete from anywhere at the conference or outside the venue as long as you have physically checked in.
    
6. The competition will start on February 19th (Day 1) and end on February 20th (Day 2).
   1. The exact competition start and end times are TBA.
   2. The competition will be open continuously throughout the night, but support from the competition will be limited after 6pm PT.
   3. On Day 2, the competition will continue with the same challenges from Day 1 as well as additional new challenges.
       
7. As participants solve challenges and submit flags, they will gain points on the scoreboard. The team with the highest score will win. If there’s a tie, the team that reached the score first will be ranked higher.
    
8. Challenge categories will include web exploitation, binary exploitation, cryptography, reconnaissance / OSINT, reverse engineering, forensics, other / miscellaneous, and more. Other/miscellaneous challenges may cover topics such as network attacks and operating system security. You may access a practice environment (with all solutions published) at https://mctf.io/practice.
    
9. The challenge point values will be calculated dynamically and range from 50 to 500 points. All challenges will start out at the same point value of 500 points per challenge. As teams solve these challenges, the point value will decrease. The new point value will apply to all teams, including the teams that have solved the challenge already. Because of this, teams' scores may decrease or increase over time.
    
   1. OR The point values of the challenges will be predetermined by the competition organizers. The points will range from 25 to 500 points. Challenges with higher point values are generally more difficult. If the competition officials determine that a challenge point value needs to be changed, they may increase the point value by at most 150 points. No challenge point values will be decreased and no changes will be made within the last 6 hours of the competition.
       
10. Participants can use the internet during the competition to solve the challenges. Using any resource freely found on the web by any team is fair play, but participants may not ask anyone outside their team for assistance. For example, you may not communicate with other teams, colleagues, instructors and may not post on forums, send emails, etc about the challenges. This includes, but is not limited to the sharing of flags, hints, methodology, or other problem aids.
     
11. Participants may not use any paid tools, subscriptions, or paid cloud resources to solve the challenges. Any tool or service used must be equally accessible by all the other participants for free. Teams are allowed to use tools they have developed themselves.
    1. Teams may use AI and LLM services such as ChatGPT to help solve the challenges as long as they are using the free tier.
        
12. Participants may ask the competition organizers for hints about the challenges marked with a lifebuoy symbol. The teams may ask the competition officials to validate their flag manually or confirm that a given challenge is working and running as expected.
     
13. Only attack platforms that are designated as targets. If a team finds an issue or a bug in the platform, they should notify the organizers and not use it to their advantage. Any attack on scoring or other infrastructure will not be tolerated. This includes:
    1. DoS attacks
    2. Modifying or deleting flags or any other activity that makes the challenge harder or easier to solve by other teams
    3. Attacking the MetaCTF servers
    4. Though team environments are generally isolated, do not attack other competitors
        
14. All attackable services will be clearly listed in the challenge descriptions. No unauthorized attacks allowed, and breaking this rule is grounds for immediate disqualification. All in-scope endpoints will be provided as a part of each challenge from the CTF platform, and no part of the CTF platform itself will ever be in scope.
    1. Some challenges will be hosted on the same virtual machine, and the challenge descriptions may point the competitors to a specific port, a directory, or a file on that machine. Unless specified otherwise, your scope for that challenge is limited to that port or directory. Do not port scan or directory brute force the challenge hosts outside of that port or given directory.
        
15. Do not publish write ups or solutions for the CTF challenges.
     
16. Do not harass other players.
     
17. No offensive content: team names, usernames, and any other shared content should be appropriate and respectful.
     
18. Disqualification, enforcement, and interpretation of rules will be at the complete discretion of the competition officials. Email support@metactf.com should you have any questions regarding the rules. You may also ask our team in person during the contest.