It’s time for another Metasploit community CTF! We're back on our usual end-of-year schedule this time around, and we’re doing a few things differently. Past CTFs have featured a wide range of challenges across different architectures, difficulty levels, and targets. This year, we wanted to make the CTF beginner-friendly—so we developed a more focused game  with a single Linux target, prizes for more teams, and a variety of easy and medium challenges that aim to help infosec newcomers build practical skills. As always, teams are encouraged, and once again we’ll have no cap on the number of players who can join a team. Read on for full competition details, and join the #metasploit-ctf channel on Slack to start building your team.

TL;DR overview

There are 1,000 team spots available; both individuals and teams of multiple members are allowed. There is no limit on the number of players who can be on a team. Please note: Those playing as a team only need to register ONE team upon signup. Help us make the competition accessible to as many players as possible by organizing with your fellow team players ahead of time and creating only a single team for all of you. If others want to join your team later, that’s no problem. See the FAQ at the end of this post for details.

Important dates (all times in U.S. Central Standard Time):

  • Initial team registration opens for the first 750 teams on Monday, November 30, 2020 at 11:00 AM CST (UTC-6).
  • CTF game play begins on Friday, December 4, 2020 at 9:00 AM CST (UTC-6).  When the CTF officially begins, we will open registration for an additional 250 teams.
  • The CTF ends on Monday, December 7, 2020, at 3:00 PM CST (UTC-6).

Our goal in putting on CTFs is to enable relationship building and knowledge sharing across the security community. To further emphasize community partnership and camaraderie over purely monetary gain, we’re increasing the value of CTF prizes but spreading those prizes out over more teams. Therefore:

  • The 15 teams with the highest point totals when game play ends will receive Amazon Gift Cards (only one per team!).
  • As in previous years, we’re partnering with Hack the Box to offer other prizes to the three teams with the highest point totals! See the prize section at the end of this post for details.

Our thanks to CTFd and HacktheBox for helping make this CTF possible. You can see results and statistics from the last Metasploit CTF here.

Questions?

To report technical issues during the competition or to discuss play with your teammates and community members, join us in the #metasploit-ctf channel on Slack. The Metasploit team will be occasionally available on Slack in case of technical issues, but please be advised that Rapid7 staff members will not respond to DMs with requests for hints or help with flags or MD5 hash submission.

A few notes on the technicalities of game play:

  • You must use a valid email for registration. You’ll need to verify your email upon signup; email is also how we communicate with winners.
  • We’ve run this CTF for several years now, and we’ve yet to encounter an actual technical issue with a flag (other than the occasional bit of latency, which we try to avoid by being thoughtful about challenge development). If your MD5 hash submission isn’t being accepted, it is because the hash is incorrect. Keep trying! There is no penalty for wrong answers.
  • The scoreboard is not a target. Nothing except the official CTF target is a target. Please don’t attack anything except the target box.
  • When game play starts, provisioning is first come, first served. It may take a few minutes. Be patient! If you’ve been waiting for more than half an hour for your network to be provisioned, you can reach out to us on Slack.
  • Please, no spoilers in Slack channels or other public places. Everyone learns at their own pace, so don’t ruin the game for others. We may kick you out of Slack if you post flag spoilers. Harassment of other players and community members won’t be tolerated.
  • Metasploit Slack messages archive automatically after a certain threshold (this is just how our implementation of Slack works). If you’re worried about continuous access to your conversations, you may want to hold them outside of Metasploit’s Slack channel.

December 2020 Metasploit Capture the Flag: Official Rules

No purchase is necessary to participate. Only the first 1,000 registrants (teams or individuals) will be able to participate. For further information, see the full Contest Terms here.

To enter

Starting Monday, November 30, 2020 at 11 AM CST (UTC-6),  the first 750 teams can register here. On Friday, December 4, 2020, at 9:00AM CST (UTC-6) the CTF will begin. An additional 250 teams can register here when game play begins.  Please note: Only ONE team needs to be created for all players. Teammates can and should share their team credentials. Please ensure you enter your email address correctly when registering: you will need to verify your email upon registration, and we will use email to communicate with winners about prizes.

Play starts Friday, December 4, 2020 at 9:00 a.m. CST (UTC-6). When play starts, players should use the instructions on the Control Panel to connect to the Kali Linux jump box. From there, players can attack the vulnerable target environment to find flags. All flags are PNG images.

When a flag is found, players should submit the MD5 hash to the Challenges section of the scoreboard. If the MD5 hash is correct, points will be awarded. There is no penalty for wrong answers.

The competition will open on Friday, December 4, 2020 at 9:00 AM CST (UTC-6) and close on Monday, December 7, 2020, at 3:00 PM CST (UTC-6). The Contestants with the fifteen (15) highest point totals at the end of the contest will each receive one (1) $100 USD Amazon gift card. In addition, the three (3) Contestants with the highest point total at the end of the Contest will also receive the prizes listed below and will be announced in an official blog post following the Contest. In the event of a tie, the Contestant who reached that score first will be the winner.

You may participate as an individual or as a team. However, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we cannot offer cash prizes to each team member. (Any further method used to determine who among your teammates takes home the CTF spoils is up to you. We hear thumb wars and structured rock/paper/scissors competitions are effective.)

Prizes

Only the prizes listed below will be awarded as part of the competition. Prizes are not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow several weeks for delivery of any prize.

To reiterate, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we will not offer cash prizes to each team member. How you divide spoils among your team is up to you!

Place Prize ARV
1st $100 Amazon Gift Card (1), 1 year of Hack The Box VIP+ 300 USD
2nd $100 Amazon Gift Card (1), 6 months of Hack The Box VIP+ 200 USD
3rd $100 Amazon Gift Card (1), 3 months of Hack The Box VIP+ 150 USD
4th to 15th $100 Amazon Gift Card (1) 100 USD

Contestants with the highest point total at the end of the Contest will also be announced in an official blog post following the Contest.

FAQ

What’s the difference between an account and a team? Anyone can create an account, and accounts are unlimited. Teams, on the other hand, are limited to 1,000. To actually play in the CTF, you need to belong to a team—either by yourself or with your teammates.

How do teams work? When CTF registration opens on November 30, you’ll see a page that guides you through creating an account, verifying your email, and finally, asking you to either create a new team OR join an existing team. If you already have a team you know would like to play together, designate ONE team captain to create your team and a team password. Team captains (or whoever created the team) can then share the team password with all team members. Note that a team password is different from an account password.

What if I want to join a team later, or if someone else wants to join my team later? That’s okay! To join someone else’s team, ask them for their team name and password. You can then create an account if you don’t already have one (again, accounts are unlimited; it’s only teams that are limited) and input their team name and credentials. If you’d like someone to join your team, you can simply share your team name and password with them.

Is there a maximum number of players allowed on a team? Nope! Feel free to team up with as many friends and strangers as you like—just remember that only one prize can be awarded to each winning team, so how you divide prizes if you win is totally up to you.

How do I connect to my CTF environment? Starting Friday, December 4, 2020, at 9:00 AM CST (UTC-6) you can log in here and follow the directions on your Control Panel to access the CTF environment.

Do I need to use Metasploit to solve the CTF challenges? No. Using Metasploit is an option for some challenges, but the CTF was not engineered to be Metasploit-specific.

I am not receiving points when I submit my flag. What’s wrong? You are not submitting the correct MD5 hash. This means you still have some work to do to solve the challenge correctly. Keep trying! There is no penalty for wrong answers.

Can you give me a hint about $FLAG? No, sorry. That would spoil the fun!

I’m having technical difficulties or I think I’ve found a bug! Can I DM someone for help? In general, Rapid7 staff will not respond to DMs requesting help with flag discovery, exploitation, or anything else related to the workings of the game. If you think you have discovered a bug in the CTF environment that is affecting your ability to play, you can reach out to a designated admin in the #metasploit-ctf channel on Slack, but we strongly recommend you check the pinned Slack messages to see if your question has already been addressed. If we think the behavior you’re experiencing is unexpected, we’ll respond and take a look, but in general, you should expect to proceed without input or attention from us.

My target or jump box reverted! What happened? Either you or one of your teammates clicked the “Revert” button from the control panel. Your boxes will not revert on their own, and Rapid7 staff will not revert boxes for you unless specifically requested.

Grab your friends, grab your parents, meet new folks, and good luck!