Challenge rules
This website is the support of the pre-selection challenge for the final Capture The Flag event at European Cyber Week in Rennes (see below). The pre-selection will take place from October 8th, 2021 to October 24th, 2021 for the final of November 17th, 2021.
- Participation in the pre-selection challenge is strictly individual (teamwork is not allowed). This edition includes the participation of European institutions and will therefore take place in English.
- Participants must register with an e-mail address managed by their school.
- A visualization of the individual scores will be accessible on the one hand between all the participants and on the other hand between French or invited schools.
- The selected candidates will then be invited to form the teams of their choice (team from the same school), with a maximum of 4 participants.
- Subject to an individual level, nationals of the invited countries may form teams and 1 place in the final is reserved per nation.
- The institutions of the nations participating for this edition are:
- Belgium
- Switzerland
- Germany
- Estonia
- Spain
- Finland
- France
- United Kingdom of Great Britain and Northern Ireland
- Ireland
- Luxembourg
- Netherlands
- All participants in the pre-selection challenge must be students and commit to providing authentic information. It is up to the schools to which the students belong to make a first check on the authenticity of the application.
- Further verification for students selected for the final challenge will be done. A copy of the student card will be requested.
- Each participant has the right to create only one account. Any participant violating this rule will be disqualified.
- Each participant has the obligation to accept and respect these rules.
- Any dispute will be submitted to the organizing committee of the event.
- The selection for the final will be weighted according to the prorate of entries by school.
- The only public data are nickname and school.
- The other data will be used to authenticate student who makes it to the final.
- At the end of the ECW event every data will be deleted.
- The qualification challenge for the final is composed of several events divided into the following categories:
- Exploitation
- Forensics
- Pentest
- Reverse Engineering
- Each challenge yields a number of points dynamically computed depending on the number of solves. The more challengers solve the less points it's worth.
- No bonus points ("First blood") will be attributed for solving challenges.
- Submitting wrong flag for a challenge will cause an increasing point penalty, starting from the third attempt.
- In case of a tie, the first participant who validated the last event will be ranked highest.
- Events are available from October 8th, 2021 21:09 to October 24th, 2021 23:00.
- The more points a participant earns, the better his ranking.
- The flags to be recovered are of the form ECW{<alphanum>}.
- The proofs published on the site are covered by the copyright. Any resumption is conditional on the respect of the intellectual property right with regard to authors and rights holders. In order to respect the work of the authors and the search work of the players:
- The publication of solutions during the duration of the challenge is not allowed and is penalized.
- Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.
- It is totally forbidden to attack another IP address than the one hosting the challenge (IP 176.31.135.50).
- Any attack of type DOS or DDOS is formally forbidden.
- Any attempt to manipulate the site will be penalized by the elimination of the player.
- It is strictly forbidden to attack the infrastructure and website hosting the challenge. The only attacks allowed are those directly related to the different tests.
- Any attempt to distort individual results by cooperation between participants will be sanctioned up to the final exclusion of the event.
- The test is held in France, therefore, in accordance with the Data Protection Act and the General Data Protection Regulation (GDPR), each participant has a right to access, rectify and delete information about them. To exercise this right, simply send an email to the challenge administrators.
- The player database and its processing comply with the requirements of the GDPR. In particular, the processed data respect the principle of minimization. Optimum protection of personal data is achieved through the implementation of data protection measures respecting the principle of traceability.
- Competitors are subject to French law and in particular:
- Article 323-1, paragraph 1 of the Penal Code: "The fact of fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years of imprisonment and 30,000 euros fine". The simple attempt is repressed in the same way (article 323-7 of the Penal Code)
- Article 321-1, paragraph 2 of the Penal Code: "When this results in either the deletion or modification of data contained in the system, or an alteration of the functioning of this system, the penalty is three years' imprisonment and a fine of 45000 euros"
- Article 323-3 of the Criminal Code: "The fraudulent introduction of data into an automated processing system or the fraudulent deletion or modification of the data contained therein is punishable by five years' imprisonment and 75000 euros fine"
- Article 323-2 of the Penal Code: "The fact of hindering or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a 75,000 euro fine. When this offense has been committed against a system of automated processing of personal data implemented by the State, the penalty is increased to seven years of imprisonment and a fine of € 100,000."
This regulation concerns the final of the challenge which will take place on November 17th, 2021 as part of the European Cyber Week at the Jacobins convent in Rennes. This final round will consist of 12 teams of 4 candidates selected following the online preselection challenge.
- All participants in the challenge final must be students and commit to providing authentic information.
- Each participant has the obligation to accept and respect these rules.
- Any dispute will be submitted to the organizing committee of the event.
- A maximum of 2 teams per school will fulfill the representativeness of these.
- It is strongly recommended that each participant come with his own laptop with a Kali Linux intrusion test distribution. Laptops may however be made available to certain participants if they have made a prior request by email to the organizing committee of the event before November 10th, 2021.
- The challenge will take place on November 17th, 2021 from 11 am to 6 pm
- Candidates will be welcomed from 9 am by the representative of the cyber center of excellence, coordinator of the challenge, then can eat on site. Feedback on the preselection will be presented by Thales from 10 am followed by a briefing by Airbus prior to the launch of the final at 11 am.
In recent months, a frantic race against time has taken place between pharmaceutical laboratories in different states to research and produce the vaccine that will allow the world to emerge from the Covid-19 pandemic and thus avoid an economic and health collapse. and social on a planetary scale.
Recently, worrying events have disrupted the smooth running of operations. Indeed, the 12 largest global pharmaceutical companies are currently the target of an unprecedented wave of cyber attacks. Their operational bodies, including state-of-the-art research equipment, vaccine production chains and logistics platforms are severely disrupted.
The production of vaccines worldwide is therefore completely paralyzed.
State actor? Activists? Conspiracies? As the attribution of these cyber attacks is difficult to establish, the origin and motivation of the attackers remains unclear at this time.
It was decided to act in the face of the urgency of the situation. A crisis unit was thus quickly set up in the various laboratories that are undergoing this wave of cyber-attacks. You are one of the best cyber defense experts mandated to fulfill the following mission: to enable the various pharmaceutical laboratories to resume vaccine production as quickly as possible.
- Map the laboratory's network to identify the different services and potential vulnerabilities and then regain control over the systems compromised by the attackers.
- Then strengthen the security of connected infrastructure and investigate the group of attackers behind the cyber attacks.
Different information and related missions will be communicated to you as you progress.
- Each hardship will allow to recover a "flag" which will then be validated and posted on a common portal of points, allowing the different teams an instantaneous follow-up of their classification and in fine at the end of the time allotted to the team having won the most points corresponding to the difficulty of the hardships.
- In case of a tie, the team with the most complete and accurate network topology will be ranked highest. This assessment is left to the discretion of the organizing committee of the final round.
- The flags to be recovered are of the form FLAG{<alphanum>}.
- The events set up as part of the final of the challenge are covered by copyright. Any resumption is conditional on the respect of the intellectual property right with regard to the authors and assigns. In order to respect the work of the authors and the search work of the players:
- The publication of solutions during the duration of the challenge is not allowed and is penalized.
- Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.
- It is strictly forbidden to attack the infrastructure hosting the challenge and the score portal shared by the different teams. The only attacks allowed are those directly related to the different tests put in place in the virtual infrastructures for each team.
- Each team has its own virtual infrastructure. It is strictly forbidden to enter the virtual infrastructure of another team in any way.
