Challenge rules


This website hosts the pre-selection challenge for the final Capture The Flag event at European Cyber Week in Rennes, France (see below). The pre-selection will take place from October 14th, 2022 8pm to October 30th, 2022 8pm, ahead of the final on November 16th, 2022 in Rennes, France.


  

Pre-selection

Attendance
  • Participation in the pre-selection challenge is strictly individual (teamwork is not allowed). This edition includes the participation of European institutions and will therefore take place in English.
  • For 2022, the CTF challenge is open to 3 categories of participants: students, professionals and military. Scores will be counted by category.
  • Student participants must register with an e-mail address managed by their school.
  • Individual scores will be viewable both across all participants and across French or invited schools.
  • For the final, the selected candidates will then be invited to form the teams of their choice (a team from the same school, for example), with a maximum of 4 participants.
  • The finalists will again be divided by category: 52 students, 12 professionals, 12 military.
  • Subject to their individual level, nationals of the invited countries may form teams, and 1 place in the final is reserved per nation.
  • The institutions of the nations participating for this edition are:
    •  Belgium
    •  Switzerland
    •  Germany
    •  Estonia
    •  Spain
    •  Finland
    •  France
    •  United Kingdom of Great Britain and Northern Ireland
    •  Ireland
    •  Luxembourg
    •  Netherlands
  • All participants must provide authentic information. For students, it is up to the schools to which they belong to make a first check on the authenticity of the application.
  • Students selected for the final challenge will undergo further verification. A copy of the student card will be requested.
  • Each participant has the right to create only one account. Any participant violating this rule will be disqualified.
  • Each participant has the obligation to accept and respect these rules.
  • Any dispute will be submitted to the organizing committee of the event.
  • The selection for the final will be weighted pro rata to the number of entries by school.
Personal data
  • The only public data are nickname, category and school.
  • The other data will be used to authenticate students who make it to the final.
  • At the end of the ECW event, all data will be deleted.
Qualifying challenge
  • The qualification challenge for the final is composed of several events divided into the following categories:
    • Android
    • Reverse
    • Misc
    • Hardware
    • Network
    • Web
    • Cryptography
  • Each challenge yields a number of points dynamically computed depending on the number of solves. The more participants solve a challenge, the fewer points it is worth.
  • No bonus points ("First blood") will be attributed for solving challenges.
  • In case of a tie, the first participant who validated the last event will be ranked highest.
  • Events are available from October 14th, 2022 8pm to October 30th, 2022 8pm.
  • The more points a participant earns, the better their ranking.
  • The flags to be recovered are of the form ECW{<alphanum>}.
  • The challenges published on the site are covered by copyright. Any reuse is conditional on respecting the intellectual property rights of the authors and rights holders. In order to respect the work of the authors and the research work of the players:
    • The publication of solutions during the duration of the challenge is not allowed and is penalized.
    • Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.
Restrictions
  • It is strictly forbidden to attack any IP address other than the one hosting the challenge (IP 213.32.7.237).
  • Any DoS or DDoS attack is strictly forbidden.
  • Any attempt to manipulate the site will be penalized by the elimination of the player.
  • It is strictly forbidden to attack the infrastructure and website hosting the challenge. The only attacks allowed are those directly related to the different tests.
  • Any attempt to distort individual results through cooperation between participants will be sanctioned, up to and including permanent exclusion from the event.
Legislation
  • The test is held in France; therefore, in accordance with the Data Protection Act and the General Data Protection Regulation (GDPR), each participant has the right to access, rectify and delete information about them. To exercise this right, simply contact the challenge administrators on Discord.
  • The player database and its processing comply with the requirements of the GDPR. In particular, the processed data respect the principle of minimization. Optimum protection of personal data is achieved through the implementation of data protection measures respecting the principle of traceability.
  • Competitors are subject to French law and in particular:
    • Article 323-1, paragraph 1 of the Penal Code: "The fact of fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years of imprisonment and 30,000 euros fine". The simple attempt is repressed in the same way (article 323-7 of the Penal Code)
    • Article 321-1, paragraph 2 of the Penal Code: "When this results in either the deletion or modification of data contained in the system, or an alteration of the functioning of this system, the penalty is three years' imprisonment and a fine of 45000 euros"
    • Article 323-3 of the Criminal Code: "The fraudulent introduction of data into an automated processing system or the fraudulent deletion or modification of the data contained therein is punishable by five years' imprisonment and 75000 euros fine"
    • Article 323-2 of the Penal Code: "The fact of hindering or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a 75,000 euro fine. When this offense has been committed against a system of automated processing of personal data implemented by the State, the penalty is increased to seven years of imprisonment and a fine of € 100,000."

Final

This regulation concerns the final of the challenge which will take place on November 16th, 2022 as part of the European Cyber Week at the Jacobins convent in Rennes, France. This final round will consist of 18 teams of 4 candidates selected following the online preselection challenge.

Attendance
  • 48 participants in the challenge final must be students and commit to providing authentic information.
  • 12 participants in the challenge final must be professionals or non-students and commit to providing authentic information.
  • 12 participants in the challenge final must be military and commit to providing authentic information.
  • Each participant has the obligation to accept and respect these rules.
  • Any dispute will be submitted to the organizing committee of the event.
  • To ensure fair representation, a maximum of 2 teams per school or enterprise will be admitted.
Hardware
  • It is strongly recommended that each participant bring their own laptop with a Kali Linux penetration testing distribution. Laptops may, however, be made available to certain participants if they have made a prior request by email to the organizing committee of the event before November 10th, 2022.
  • Don't forget to bring a USB/RJ45 adapter if you need one to use an RJ45 cable.
Challenge
  • The challenge will take place on November 16th, 2022 from 11 am 9 am to 6 pm.
  • Candidates will be welcomed from 9 am by the representative of the cyber center of excellence, coordinator of the challenge, and can then eat on site. Feedback on the preselection will be presented by Thales from 10 am, followed by a briefing by Airbus prior to the launch of the final at 11 am.

In just a few years, Smart Transport & Logistics has become the world's leading freight forwarding company by using artificial intelligence technologies to optimize its entire supply chain management.

In recent months, Smart Transport & Logistics has been confronted with several difficulties due to the pandemic and the increase of international tensions. In the last few days, the company has been the target of an exceptional wave of cyber-attacks that have severely disrupted its activities. As a result, all its customers and suppliers have been affected, and the fear of supply difficulties has already led the authorities of various countries to take emergency measures to avoid panic among the population.

State actor? Activists? Cybercriminals? The origin and motivation of the attackers remain unclear for the moment.

Faced with the urgency of the situation and in order to avoid a generalized shortage that could cause an economic collapse on a global scale, a crisis unit was quickly organized in the various logistics platforms of the company Smart Transport & Logistics that were affected by this wave of cyber-attacks. You are among the best cyber defense experts mandated to fulfill the following mission: help the logistics platforms to resume their activities as soon as possible.

  • Each challenge yields a "flag", which is then validated and posted on a shared scoring portal. This lets the different teams follow their ranking in real time and, at the end of the allotted time, identifies the team that has won the most points, which correspond to the difficulty of the challenges.
  • In case of a tie, the team with the most complete and accurate network topology will be ranked highest. This assessment is left to the discretion of the organizing committee of the final round.
  • The flags to be recovered are of the form FLAG{<MD5>}.
  • The events set up as part of the final of the challenge are covered by copyright. Any reuse is conditional on respecting the intellectual property rights of the authors and assigns. In order to respect the work of the authors and the research work of the players:
    • The publication of solutions during the duration of the challenge is not allowed and is penalized.
    • Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.
Restrictions
  • It is strictly forbidden to attack the infrastructure hosting the challenge and the score portal shared by the different teams. The only attacks allowed are those directly related to the different tests put in place in the virtual infrastructures for each team.
  • Each team has its own virtual infrastructure. It is strictly forbidden to enter the virtual infrastructure of another team in any way.