Metasploit’s community CTF is back by popular demand. Starting January 30, put your skills to the test for a chance to win prizes and bragging rights. Read on for full competition details, or join the #metasploit-ctf channel on Slack to start building your team.

TL;DR overview

Registration: Starting today, you can register here. There are 1,000 registration spots; both individuals and teams are allowed. There is no limit on the number of players who can be on a team. Please note: Teams only need to register ONE account. Team members can and should share credentials. Help us make the competition accessible to as many players as possible by registering only the account(s) you need.

Play starts at noon EST (U.S. time) on Thursday, Jan. 30. Play ends at 11:59 a.m. EST (U.S. time) on Monday, Feb. 3.

Communication and support: Join the #metasploit-ctf channel on Metasploit Slack to form teams and chat with other players (no spoilers during the game, please!). The Metasploit team will monitor Slack during game play in case there are technical issues with CTF infrastructure; however, we will not respond to DMs with requests for hints or help with flags.

Our thanks to CTFd and HacktheBox for helping make this year’s CTF possible. You can see results and statistics from last year’s Metasploit CTF here.

2020 Metasploit Capture the Flag: Official Rules

No purchase is necessary to participate. Only the first 1,000 registrants (teams or individuals) will be able to participate. For further information, see the full Contest Terms here.

To enter

Starting January 15 at 5 PM EST (U.S.), you can create an account here. Please note: Only ONE account is needed per team. Teammates can and should share credentials. Please ensure you enter your email address correctly when registering an account: you will need to verify your email upon registration, and we will use email to communicate with winners about prizes.

Play starts Thursday, Jan. 30 at 12:00 p.m. (noon) EST (U.S.). When play starts, players should use the instructions on the Control Panel to connect to the Kali Linux jump box. From there, players can attack the vulnerable target environment to find flags. All flags are PNG images.

When a flag is found, players should submit the MD5 hash to the Challenges section of the scoreboard. If the MD5 hash is correct, points will be awarded.

The leaderboard competition will open on Thursday, Jan. 30, 2020 at 12:00 p.m. (noon) EST and close on Monday, Feb. 3, 2020 at 11:59 a.m. EST. The three (3) participants with the highest point total at the end of the competition will receive the prizes listed below. In the event of a tie, the participant who reached that score first will be the winner.

You may participate as an individual or as a team. However, only ONE prize can be awarded for each winning account; therefore, if you are participating as a team, please be aware that we cannot offer prizes to each team member. (Any further method used to determine who among your teammates takes home the CTF spoils is up to you. We hear thumb wars and structured rock/paper/scissors competitions are effective.)

Prizes

Only the prizes listed below will be awarded as part of the competition. Prizes are not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow several weeks for delivery of any prize.

To reiterate, only ONE prize can be awarded for each winning account; therefore, if you are participating as a team, please be aware that we cannot offer prizes to each team member. How you divide spoils among your team is up to you!

Place Prize ARV
1st $500 Amazon Gift Card (1), Hack The Box 1 Year Pro Lab Ticket for EITHER Offshore OR RastaLabs (1) 880 USD
2nd $300 Amazon Gift Card (1), HacktheBox 6 Months Pro Lab Ticket for EITHER Offshore OR RastaLabs (1) 550 USD
3rd $200 Amazon Gift Card (1), HacktheBox 1 Year VIP (1) 330 USD

Questions?

To report technical issues during the competition or to discuss play with your teammates and community members, join us in the #metasploit-ctf channel on Slack. The Metasploit team will be occasionally available on Slack in case of technical issues, but please be advised that Rapid7 staff members will not respond to DMs with requests for hints or help with MD5 hash submission.

A few notes on the technicalities of game play:

  • You do need to use a valid email for registration (and verify that email); email is also how we communicate with winners. NOTE: Login emails will be locked down prior to the start of the game. You can still change your password if you forget it.
  • We’ve run this CTF for several years now, and we’ve yet to encounter an actual technical issue with a flag. If your MD5 hash submission isn’t being accepted, it is because the hash isn’t correct. Keep trying! There is no penalty for wrong answers.
    The scoreboard is not a target.
  • When game play starts, provisioning is first come, first served. It may take a few minutes. Be patient! If you’ve been waiting for more than half an hour for your network to be provisioned, you can reach out to us on Slack.
  • We’ve gotten a number of complaints or questions in previous CTFs on target or jump box reversion. If you notice that one or both of your CTF environments have been reverted, it is because you or a teammate clicked the “Revert” button from the control panel. Your boxes will not revert on their own, and Rapid7 staff will not revert boxes for you unless specifically requested.
  • Please, no spoilers in Slack channels or other public places. Everyone learns at their own pace; don’t ruin the game for others. We may kick you out of Slack if you post flag spoilers. Harassment of other players and community members won’t be tolerated.
  • Metasploit Slack messages archive automatically after a certain threshold (this is just how our implementation of Slack works). If you’re worried about continuous access to your conversations, you may want to hold them outside of Metasploit’s Slack channel.

FAQ

Is there a maximum number of players allowed on a team? Nope! Feel free to team up with as many friends and strangers as you like—just remember that only one prize can be awarded to each winner, so how you divide prizes if you win is totally up to you.

How do I connect to my CTF environment? Starting at 12 PM (noon US Eastern Time) on Thursday, January 30, you can log in here and follow the directions on your Control Panel to access the CTF environment.

Do I need to use Metasploit to solve the CTF challenges? No. Using Metasploit is an option for some challenges, but the CTF was not engineered to be Metasploit-specific.

I am not receiving points when I submit my flag. What’s wrong? You are not submitting the correct MD5 hash. This means you still have some work to do to solve the challenge correctly. Keep trying! There is no penalty for wrong answers.

Can you give me a hint about $FLAG? No. That would spoil the fun!

I’m having technical difficulties. OR I think I’ve found a bug! Can I DM someone for help? In general, Rapid7 staff will not respond to DMs requesting help with flag discovery, exploitation, or anything else related to the workings of the game. If you think you have discovered a bug in the CTF environment, you can reach out to a designated admin in the #metasploit-ctf channel on Slack. If the behavior is something we think is unexpected, we’ll respond and take a look, but in general, you should expect to proceed without input or attention from us.

Good luck!