Rules

What is the purpose of SecChallenge?

The CrySyS Security Challenge is a Capture-The-Flag (CTF) competition intended for university, college and high school students interested in IT security.

Who can participate in SecChallenge?

The competition is open for any university, college and high school students. We mainly expect students from Hungary, but international students could join as well. Please set the "I'm a Hungarian student" box during registration. Non-student players can also register and solve the challenges if they are interested, but they will not be visible on the scoreboard and they will not be awarded.

Can I play in a team?

No, this is an individual competition, so no teams, please! In addition, any collaboration or information sharing between participants is strictly forbidden too. Do not post, tweet or share good or bad solutions. Play fair!

Can I hack or attack everything, everywhere? Can I use any tool?

Definitely not! Only those websites and TCP services can be attacked which are explicitly given in the description of the challenges. Targeting other services, websites, ports, hosts etc. is strictly forbidden. You should adhere to the Hungarian and international laws, and keep in mind that the Hungarian Criminal Code (paragraphs 423 and 424) applies, which considers even attempts to attack production sites and services as a crime. So we strongly recommend to follow the rules of the game! If the targets are not clear, ask the Organizers.

Who are the Organizers?

The CrySyS Security Challenge is organized by the CrySyS Lab of the Budapest University of Technology and Economics. The challenges are created and the event is run by members of the CrySyS Student Core and the c0r3dump CTF team.

Changes

The Organizers reserve the right to change any of the challenges or the evaluation criteria during the event, or even cancel the entire event, while obviously trying to maintain the fairness of the competition. Any changes and decisions made by the Organizers should be accepted by the participants (even if they are based on false data). There is no legal remedy.

Prizes

Some prizes will be given to the best performing Hungarian Students. This is still under discussion and strongly depends on how the Organizers can agree with sponsors. In previous years, the 3 best performing Hungarian students received prizes. In addition, Hungarian students with outstanding performance may be invited to join the CrySyS Student Core community. What outstanding means will be determined by the Core after the event.

Handling personal data

We do not need real personal data of participants only a working email address so we can verify you after registration. But if you become eligible for a prize or invitation to the Core, then we need to be able to reach you after the competition.

Some operative information
  • The main communication channel the official Discord channel
  • Registration will be open before and throughout the competition
  • The competition will last for TBD days straight (17:00, 27th of March - 17:00, 12th of April CET)
  • We use the dynamic scoring system of the CTFd platform, which means that the challenge’s points depend on the number of its solves
  • Every challenge starts from 500 points, after the first solve, each solve decreases the points by 10, until it reaches the minimum 100 points (points = max(100,500-10*(solves-1)) if solves > 0). For example if a challenge has 10 solves, each player would get 410 points, if a challenge has 50 solves, each player would get 100 points.
  • All flags have the following format: cd23{s0m3_l33t_m3ss4g3}
  • There are 30+1 challenges, 5 in each category (crypto, hardware, misc, pwn, reverse and web)
  • All crucial information about the challenges or the competition will be announced on Discord, via email and via the CTFd platform
  • The official email address for the competition is secchallenge@crysys.hu
  • During the last day, the scoreboard will be hidden until the end
  • You don't have to use your real name, you can use a nickname on the CTFd platform
  • Only your username, website, affiliation and country is visible by anyone
  • In order to consider you as eligible for a prize, you should check the I'm a Hungarian student box in your Settings page. The Student Scoreboard will show only those competitors who have checked this box, the Overall Scoreboard will show every player
  • Your email address will only be used by the Organizers for verification and communication purposes in connection with the CrySyS Security Challenge 2023 event
General rules (do's and dont's)
  • Attacking the infrastructure or any attempt to disrupt the competition is prohibited
  • During the contest, sharing flags, solutions, hints with other competitors is prohibited
  • Denial-of-Service attacks against the challenges or the main website is prohibited
  • Do not use automated scanners like Nessus, Nexpose, Burp Suite Scanner, SQLMap etc.
  • Do not brute-force login passwords, keys, web directories etc.
  • You do not have to guess anything, just think
  • Do not hoard flags
  • If you have questions about challenges or you believe that you found a correct flag, but the system is not accepting it, ask organizers on Discord or via e-mail
  • Do not brute-force flag validation endpoint
  • Report any bugs you find in the infrastructure or tasks directly to the organizer
  • Organizers can modify and change the rule at the time of SecChallenge according to the situation
  • Breaking any of the above rules may result in disqualification
  • The presented set of rules might change before the start of the competition
  • Resolving any unregulated cases remains on organizers' discretion