Last updated at Tue, 16 Jan 2024 15:25:07 GMT

It’s time for another Metasploit community CTF! Last year’s beginner-friendly CTF attracted a wider range of audiences and skill levels than in previous years, so we’re replicating our previous game architecture. Players will attack a single Linux target, we’ve spread prizes out across 15 teams, and the Metasploit Framework teams have devised a variety of challenges that aim to help infosec newcomers build practical skills. While there are some challenges that are intended to be a bit more difficult, we’ve designed the majority of them for beginner audiences. Hint: We’ve arranged challenges by port number according to difficulty this year. The higher the port number, the harder the challenge. If you want to start out with easier challenges, start by targeting services that run on lower port numbers.

As always, teams are encouraged! There is no cap on the number of players who can join a team. Read on for full competition details, and join the #metasploit-ctf channel on Slack to start building your team.

Big thanks to TryHackMe and CTFd for powering this year’s game!

TL;DR overview

There are 1,000 team spots available; both individuals and teams of multiple members are allowed. There is no limit on the number of players who can be on a team. Please note: Those playing as a team only need to register ONE team upon signup. Help us make the competition accessible to as many players as possible by organizing with your fellow team players ahead of time and creating only a single team for all of you. If others want to join your team later, that’s no problem. See the FAQ at the end of this post for details.

Important dates (all times in US Central Standard Time):

  • Initial team registration opens for the first 750 teams on Monday, November 22, 2021 at 2:00 PM CST (UTC-6).
  • CTF game play begins on Friday, December 3, 2021 at 11:00 AM CST (UTC-6). When the CTF officially begins, we will open registration for an additional 250 teams.
  • The CTF ends on Monday, December 6, 2021, at 11:00 AM CST (UTC-6).

Our goal in putting on CTFs is to enable relationship building and knowledge sharing across the security community. To further emphasize community partnership and camaraderie over purely monetary gain, we’ve increased the value of CTF prizes in the past few years but spread those prizes out over many teams.

  • The 15 teams with the highest point totals when game play ends will receive Amazon Gift Cards (only one per team!).
  • We’re partnering with TryHackMe to offer other prizes to the 3 teams that achieve the highest point total the fastest! See the prize section at the end of this post for details.

You can see results and statistics from the last Metasploit CTF here.

Questions?

To report technical issues during the competition or to discuss play with your teammates and community members, join us in the #metasploit-ctf channel on Slack. The Metasploit team will be occasionally available on Slack in case of technical issues, but please be advised that Rapid7 staff members will not respond to DMs with requests for hints or help with flags or MD5 hash submission.

A few notes on the technicalities of game play:

  • You must use a valid email for registration. You’ll need to verify your email upon signup; email is also how we communicate with winners.
  • We’ve run this CTF for several years now, and we’ve yet to encounter an actual technical issue with a flag (other than the occasional bit of latency, which we try to avoid by being thoughtful about challenge development). If your MD5 hash submission isn’t being accepted, it is because the hash is incorrect. Keep trying! There is no penalty for wrong answers.
  • The scoreboard is not a target. Nothing except the official CTF target is a target. Please don’t attack anything except the target box.
  • When game play starts, provisioning is first come, first served. It may take a few minutes. Be patient! If you’ve been waiting for more than half an hour for your network to be provisioned, you can reach out to us on Slack.
  • Please, no spoilers in Slack channels or other public places. Everyone learns at their own pace, so don’t ruin the game for others. We may kick you out of Slack if you post flag spoilers. Harassment of other players and community members won’t be tolerated.
  • Metasploit Slack messages archive automatically after a certain threshold (this is just how our implementation of Slack works). If you’re worried about continuous access to your conversations, you may want to hold them outside of Metasploit’s Slack channel.
  • Higher port numbers signify more advanced challenges.

2021 Metasploit Capture the Flag: Official rules

No purchase is necessary to participate. Only the first 1,000 registrants (teams or individuals) will be able to participate. For further information, see the full Contest Terms here.

To enter

Starting Monday, November 22, 2021 at 2:00 PM CST (UTC-6),  the first 750 teams can register here. On Friday, December 3, 2021, at 11:00 AM CST (UTC-6) the CTF will begin. An additional 250 teams can register here when game play begins. Please note: Only ONE team needs to be created for all players. Teammates can and should share their team credentials (and/or their links to invite new players). Please ensure you enter your email address correctly when registering: You will need to verify your email upon registration, and we will use email to communicate with winners about prizes.

Play starts Friday, December 3, 2021 at 11:00 AM CST (UTC-6). When play starts, players should use the instructions on the Control Panel to connect to the Kali Linux jump box. From there, players can attack the vulnerable target environment to find flags. All flags are PNG images.

When a flag is found, players should submit the MD5 hash to the Challenges section of the scoreboard. If the MD5 hash is correct, points will be awarded. There is no penalty for wrong answers.

The competition will open on Friday, December 3, 2021 at 11:00 AM CST (UTC-6) and close on Monday, December 6, 2021, at 11:00 AM CST (UTC-6). The Contestants with the fifteen (15) highest point totals at the end of the contest will each receive one (1) $100 USD Amazon gift card. In addition, the three (3) Contestants with the highest point total at the end of the Contest will also receive the prizes listed below and will be announced in an official blog post following the Contest. In the event of a tie, the Contestant who reached that score first will be the winner.

You may participate as an individual or as a team. However, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we cannot offer cash prizes to each team member. (Any further method used to determine who among your teammates takes home the CTF spoils is up to you. We hear thumb wars and structured rock/paper/scissors competitions are effective.)

Prizes

Only the prizes listed below will be awarded as part of the competition. Prizes are not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow several weeks for delivery of any prize.

To reiterate, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we will not offer cash prizes to each team member. How you divide spoils among your team is up to you!

Place Prize ARV
1st $100 Amazon Gift Card (1), ($20) Two Month THM Premium Voucher per team member* + ($60) Throwback Voucher per team member* 180 USD
2nd $100 Amazon Gift Card (1), ($20) Two Month THM Premium Voucher per team member* + ($20) Swag Voucher per team member* 140 USD
3rd $100 Amazon Gift Card (1), ($10) One Month THM Premium Voucher per team member* 110 USD
4th to 15th $100 Amazon Gift Card (1) 100 USD


*TryHackMe vouchers will be provided for up to 15 members per team

Contestants with the highest point total at the end of the Contest will also be announced in an official blog post following the Contest.

FAQ

What’s the difference between an account and a team? Anyone can create an account, and accounts are unlimited. Teams, on the other hand, are limited to 1,000. To actually play in the CTF, you need to belong to a team — either by yourself or with your teammates.

How do teams work? When CTF registration opens on November 22, you’ll see a page that guides you through creating an account, verifying your email, and finally, asking you to either create a new team OR join an existing team. If you already have a team you know would like to play together, designate ONE team captain to create your team and a team password. Team captains (or whoever created the team) can then share the team password with all team members. Note that a team password is different from an account password.

There is also a new feature this year that allows team captains the option to share an invite link instead of (or in addition to) a password, so a new user can just follow that link to be automatically added to a team (once they have a valid account).

Please note: Team captains and team members should ONLY share team invitation links or team passwords with people they trust.

What if I want to join a team later, or if someone else wants to join my team later? That’s OK! To join someone else’s team, ask them for their team name and password, OR their team invite link. You can then create an account if you don’t already have one (again, accounts are unlimited; it’s only teams that are limited) and input their team name and credentials. If you’d like someone to join your team, you can simply share your team name and password with them.

I already created or joined a team, but I want to join a different one. What do I do? If you are the team captain (you’re the one who created the team), you can disband the team by clicking the trash can icon on your team settings page. This will help out the community by freeing up a team registration slot for someone else. If you’re not the team captain, you can also leave a team by clicking the arrow icon on your team settings page. Both options are available at any point before the contest starts on December 3. Please note that teams cannot be adjusted once play has started.

Is there a maximum number of players allowed on a team? Nope! Feel free to team up with  as many friends and strangers as you like — just remember that only one Amazon Gift Card can be awarded to each winning team, and TryHackMe vouchers are limited to a maximum of 15 per winning team. How you divide prizes if you win is totally up to you.

How do I connect to my CTF environment? Starting Friday, December 3, 2021, at 11:00 AM CST (UTC-6), you can log in here and follow the directions on your Control Panel to access the CTF environment.

Do I need to use Metasploit to solve the CTF challenges? No. Using Metasploit is an option for some challenges, but the CTF was not engineered to be Metasploit-specific.

I am not receiving points when I submit my flag. What’s wrong? You are not submitting the correct MD5 hash. This means you still have some work to do to solve the challenge correctly. Keep trying! There is no penalty for wrong answers.

Can you give me a hint about $FLAG? No, sorry. That would spoil the fun!

I’m having technical difficulties or I think I’ve found a bug! Can I DM someone for help? In general, Rapid7 staff will not respond to DMs requesting help with flag discovery, exploitation, or anything else related to the workings of the game. If you think you have discovered a bug in the CTF environment that is affecting your ability to play, you can reach out to a designated admin in the #metasploit-ctf channel on Slack, but we strongly recommend you check the pinned Slack messages to see if your question has already been addressed. If we think the behavior you’re experiencing is unexpected, we’ll respond and take a look, but in general, you should expect to proceed without input or attention from us.

My target or jump box reverted! What happened? Either you or one of your teammates clicked the “Revert” button from the control panel. Your boxes will not revert on their own, and Rapid7 staff will not revert boxes for you unless specifically requested.