VolgaCTF 2024 Final – Technical information
- Equipment
- Network
- Vulnbox
- Extra instance (remote teams)
- Flag signatures
- Submitting flags
- An insight into ACS
Equipment
Each team will be provided with the following equipment:
- a network switch with 7 free Ethernet (RJ-45) ports;
- 6 UTP CAT5 cables;
- a power strip (surge protector) with 7 free outlets.
Please note: no USB Type-C to Ethernet adapters will be provided!
Network
Each team's network segment has the following address: 10.5.1XY.0/24, where XY stands for a team's number (zero-based).
Scoreboard URL (intranet): https://final.volgactf.ru/scoreboard
Scoreboard URL (public): https://live.volgactf.ru/scoreboard
Vulnbox
VirtualBox 7.1.0 or later is needed to launch the vulnbox. The vulnbox is based on Debian 11; all services are isolated from each other by means of Docker. Containers start at boot.
Please note: the vulnbox won't run on Apple silicon!
A vulnbox instance MUST have the following address: 10.5.1XY.3
Before launching the vulnbox instance, do not forget to regenerate your virtual machine instance's MAC address!
Flag signatures
Flags are stored and transported in so-called capsules. A capsule looks like this:
VolgaCTF{eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJmbGFnIjoiYzA4ODI0NjI2MjNkNjFmM2VlYzgwYjcyY2ZlNDQ3NjkifQ.YqcT52o3_S9XhjE6txPayJ-iylCHhpQs4SzfnCwKKsP3_XGol30GQVWf9QZ85RaO4l5uXVOgrkF335UIDn7x4A}
Data between VolgaCTF{ and } is a JSON Web Token signed using the ES256 algorithm. You will need an ACS public key to decode a capsule and obtain a flag from it.
Flag format (regular expression): ^[\da-f]{32}=$
Public key (for the sample capsule)
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5aiazVMn0K9M0PyP4/iGZpKKqYez
+6rCzO8iUjfkVvH87KcccPfNzv2olMtrFvF1bTLBAchFfDiNqewauTe/GA==
-----END PUBLIC KEY-----
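An added example, not VolgaCTF's or the ACS's own code: unwrapping a capsule and verifying its ES256 signature with only the Python standard library (3.8+), run against the sample capsule and public key above. The function and constant names are chosen here, and the P-256 arithmetic is the plain textbook form, which is acceptable because signature verification handles no secret values.

```python
import base64, hashlib, json

# NIST P-256, the curve behind ES256: field prime, group order, base point (a = -3).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# DER prefix of a P-256 SubjectPublicKeyInfo; the 64 bytes after it are X || Y.
SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
# Sample capsule and public key copied from this page.
SAMPLE_CAPSULE = "VolgaCTF{eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJmbGFnIjoiYzA4ODI0NjI2MjNkNjFmM2VlYzgwYjcyY2ZlNDQ3NjkifQ.YqcT52o3_S9XhjE6txPayJ-iylCHhpQs4SzfnCwKKsP3_XGol30GQVWf9QZ85RaO4l5uXVOgrkF335UIDn7x4A}"
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5aiazVMn0K9M0PyP4/iGZpKKqYez\n+6rCzO8iUjfkVvH87KcccPfNzv2olMtrFvF1bTLBAchFfDiNqewauTe/GA==\n-----END PUBLIC KEY-----"

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p == q
         else (y2 - y1) * pow((x2 - x1) % P, -1, P))
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, p):  # double-and-add; every input is public, so timing is not a concern
    r = None
    while k:
        r, p, k = (add(r, p) if k & 1 else r), add(p, p), k >> 1
    return r

def b64u(s):  # JWT uses base64url with the padding stripped
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def open_capsule(capsule, pem):  # returns the flag claim; ValueError on any failed check
    der = base64.b64decode("".join(pem.split("-----")[2].split()))
    if capsule[:9] != "VolgaCTF{" or capsule[-1:] != "}" or der[:27] != SPKI or len(der) != 91:
        raise ValueError("bad capsule wrapper or not a P-256 public key")
    head, body, sig = capsule[9:-1].split(".")
    raw = b64u(sig)
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if json.loads(b64u(head)).get("alg") != "ES256" or len(raw) != 64:
        raise ValueError("not an ES256 token")
    r, s, qx, qy = (int.from_bytes(b, "big") for b in (raw[:32], raw[32:], der[27:59], der[59:]))
    z = int.from_bytes(hashlib.sha256(f"{head}.{body}".encode()).digest(), "big")
    w = pow(s, -1, N)  # raises ValueError when s is 0 modulo N
    pt = add(mul(z * w % N, G), mul(r * w % N, (qx, qy)))
    if not (0 < r < N and s < N) or pt is None or pt[0] % N != r:
        raise ValueError("bad signature")
    return json.loads(b64u(body))["flag"]
```

`open_capsule(SAMPLE_CAPSULE, SAMPLE_PEM)` returns the sample's `flag` claim; during the game, pass the ACS public key for the event in place of the sample key.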
Submitting flags
You should submit flags to the REST API server: https://final.volgactf.ru (base URL).
Each flag's lifetime is 6 minutes.
API
- VolgaCTF Final API public APIs description
- volgactf.final CLI & public API library for Python 2/3
Rate limits
- Flag info: 10r/s
- Flag submit: 5r/s
- Service status: 10r/s
An insight into ACS
A game is divided into 2-minute rounds.
When a new round is triggered, ACS tries to push flags (transported in capsules) to every service of every team. If a push attempt of a flag is successful, this particular flag is marked as active. ACS immediately tries to pull active flags.
Every flag expires 6 minutes after it has been marked as active.
Additionally, in each round ACS launches 3 polls: it pulls one randomly chosen active flag from each service from each team.
Scores are updated when all active flags issued in a particular round have expired.
Availability
1 availability point for a flag (AvPflag) is given if all attempts to pull this flag were successful (UP state). Otherwise, a fraction of a point is given according to the equation:
AvPflag = SPAflag / TPAflag,
where SPA stands for the number of successful pull attempts and TPA stands for the total number of pull attempts.
Defence
By default, no defence points for any flag from any service are given.
Defence points for flags from a service are awarded starting from the round following the one in which a flag from this service is successfully submitted into ACS by any team (first blood). 1 defence point (DPflag) is given if all attempts to pull a flag were successful and no one has stolen and submitted this particular flag into ACS.
Attack
1 attack point (AtPflag) is given for each stolen flag.
A team cannot submit a flag stolen from a service X if the state of service X in their own vulnbox is not UP.
Total
Total team score (TtS) is calculated as a sum of total scores (tS) in each category:
TtS = tSattack + tSdefence + tSavailability
In case of equal TtS, the team that performed its last attack before the other team is placed higher on the scoreboard.