Been waiting for the Linux version of Metasploitable3 to drop? We’ll do you one better: Metasploit is giving the community a week to rain shells on a penguin-shaped Metasploitable3 instance—and to win prizes at the end of it. Play starts December 4; see below for full competition details.

TL;DR: Sign up, drop shells, win stuff.

Not into capturing flags but jonesing for a look at the code? We’ll release the Linux Metasploitable3 source code to the community soon after the competition ends. Happy hacking!

Metasploitable3 Capture the Flag: Official Rules

No purchase is necessary to participate. Only the first 500 registrants will be able to participate.

To enter

  1. Create an account here.
  2. Use the instructions on the Control Panel to connect to the Kali Linux jump box. From there, attack the vulnerable Metasploitable3 box to find flags.
  3. When a flag is found, submit the MD5 hash to the Challenges section on the scoreboard. If it’s correct, points will be awarded! There are 14 flags total.

The participants with the three highest scores will win prizes. We’ll announce the winners in an official blog post shortly after the contest ends.

The leaderboard competition will open on Monday, December 4, 2017 at 12:00 PM (noon) EST and close on Monday, December 11, 2017 at 11:59 AM EST. The three (3) participants with the highest point total at the end of the competition will receive the prizes listed below. In the event of a tie, the participant who reached that score first will be the winner.

You may participate as an individual or as a team. However, only ONE prize can be awarded for each winning account; therefore, if you are participating as a team, please be aware that we cannot offer prizes to each team member. (Any further method used to determine who among your teammates takes home the CTF spoils is up to you. We hear thumb wars and structured rock/paper/scissors competitions are effective.)

Questions?

To report technical issues or request support during the competition, join us on Slack.

Prizes

Only the prizes listed below will be awarded as part of the competition. Prizes are not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow several weeks for delivery of any prize.

Place Prize ARV
1st Hak5 Essentials Field Kit $400 USD
2nd Hak5 Wifi Pineapple $100 USD
3rd Hak5 USB Rubber Ducky $50 USD

Acceptable Use

The Metasploitable3 CTF infrastructure should be used for the purposes of this competition and nothing else. Use of competition infrastructure for behavior outside of these guidelines may result in disqualification from the contest and/or revoked access.

The scoreboard server is not a competition target. Any malicious activity detected on or aimed at the scoreboard server may result in disqualification from the contest.

Fair behavior is expected of all participants. Please do not harass other participants. This includes verbal, physical, or emotional harassment as well as intentional disruption of service for others.

Competition host is Rapid7 LLC, 100 Summer St, Boston, MA 02110.

By entering the competition, you agree to these terms and conditions. Employees of Rapid7 and their respective affiliates, subsidiaries, related companies, advertising and promotional agencies, and the household members of any of the above are not eligible to participate in the competition. See full Terms here.