Rules

These rules must be respected by all players.

I. Online pre-selection challenge

This website is the support of the pre-selection challenge for the final Capture The Flag event at European Cyber ​​Week in Rennes (see below). The pre-selection will take place from October 5 to October 20, 2019 for the final of November 21, 2019.

Attendance:

• Participation in the pre-selection challenge is strictly individual (teamwork is not allowed). This edition includes the participation of European institutions and will therefore take place in English.
• Participants must register with an e-mail address managed by their school.
• A visualization of the individual scores will be accessible on the one hand between all the participants and on the other hand between French or invited schools.
• The selected candidates will then be invited to form the teams of their choice (team from the same school), with a maximum of 4 participants.
• Subject to an individual level, nationals of the invited countries may form teams and 1 place in the final is reserved per nation.
• The institutions of the nations invited for this edition are: Belgium , Estonia , Finland , Germany and Spain
• All participants in the pre-selection challenge must be students and commit to providing authentic information. It is up to the schools to which the students belong to make a first check on the authenticity of the application.
• Further verification for students selected for the final challenge will be done. A copy of the student card will be requested.
• Each participant has the right to create only one account. Any participant violating this rule will be disqualified.
• Each participant has the obligation to accept and respect these rules.
• Any dispute will be submitted to the organizing committee of the event.
• The selection for the final will be weighted according to the prorate of entries by school.

Qualifying Challenge:

• The qualification challenge for the final is composed of several events divided into the following categories:
• Embedded system attacks
• Exploitation of binaries
• Forensic analysis
• Miscellaneous tests
• Reverse engineering of binaries
• Web vulnerabilities
• Each test yields a number of points specific to it which is indicated on the site.
• The first of the successful candidates will receive 15 bonus points, the second 10 points and the third 5 bonus points.
• In case of a tie, the first participant who validated the last event will be ranked highest.
• Events are available from Saturday, October 5, 2019 21:00 UTC+2 to Sunday, October 20, 2019 23:00 UTC+2.
• The more points a participant earns, the better his ranking.
• The flags to be recovered are of the form "ECW{<alphanum>}"
• The proofs published on the site are covered by the copyright. Any resumption is conditional on the respect of the intellectual property right with regard to authors and rights holders. In order to respect the work of the authors and the search work of the players:
• The publication of solutions during the duration of the challenge is not allowed and is penalized.
• Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.

Restrictions:

• It is totally forbidden to attack another IP address than the one hosting the challenge (IP 176.31.135.50).
• Any attack of type DOS or DDOS is formally forbidden.
• Any attempt to manipulate the site will be penalized by the elimination of the player.
• It is strictly forbidden to attack the infrastructure and website hosting the challenge. The only attacks allowed are those directly related to the different tests.
• Any attempt to distort individual results by cooperation between participants will be sanctioned up to the final exclusion of the event.

Legislation:

• The test is held in France, therefore, in accordance with the Data Protection Act and the General Data Protection Regulation (GDPR), each participant has a right to access, rectify and delete information about them. To exercise this right, simply send an email to the challenge administrators.
• The player database and its processing comply with the requirements of the GDPR. In particular, the processed data respect the principle of minimization. Optimum protection of personal data is achieved through the implementation of data protection measures respecting the principle of traceability.
• Competitors are subject to French law and in particular:
• Article 323-1, paragraph 1 of the Penal Code: "The fact of fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years of imprisonment and 30,000 euros fine". The simple attempt is repressed in the same way (article 323-7 of the Penal Code)
• Article 321-1, paragraph 2 of the Penal Code: "When this results in either the deletion or modification of data contained in the system, or an alteration of the functioning of this system, the penalty is three years' imprisonment and a fine of 45000 euros"
• Article 323-3 of the Criminal Code: "The fraudulent introduction of data into an automated processing system or the fraudulent deletion or modification of the data contained therein is punishable by five years' imprisonment and 75000 euros fine"
• Article 323-2 of the Penal Code: "The fact of hindering or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a 75,000 euro fine. When this offense has been committed against a system of automated processing of personal data implemented by the State, the penalty is increased to seven years of imprisonment and a fine of € 100,000."

II. Final Challenge on the spot (Rennes)

This regulation concerns the final of the challenge which will take place on November 21, 2019 from 10 am as part of the European Cyber ​​Week at the Jacobins convent in Rennes. This final round will consist of 12 teams of 4 candidates selected following the online preselection challenge.

Attendance:

• All participants in the challenge final must be students and commit to providing authentic information.
• Each participant has the obligation to accept and respect these rules.
• Any dispute will be submitted to the organizing committee of the event.
• A maximum of 2 teams per school will fulfill the representativeness of these.

Hardware:

• It is strongly recommended that each participant come with his own laptop with a Kali Linux intrusion test distribution. Laptops may however be made available to certain participants if they have made a prior request by email to the organizing committee of the event before November 8, 2019.

Challenge:

• The challenge will take place on Thursday, November 21, 2019 from 11 am to 6 pm
• Candidates will be welcomed from 9 am by the representative of the cyber center of excellence, coordinator of the challenge, then can eat on site. Feedback on the preselection will be presented by Thales from 10 am followed by a briefing by Airbus prior to the launch of the final at 11 am.

Converging information circulating on the Dark Net suggests that groups of hackers are organizing to attack European port infrastructure.

Europol's intelligence services have alerted the directors of the main ports who, having massively used High Tech to manage their critical resources, are seeking to recruit teams of defenders to strengthen their infrastructures in terms of information systems, building management, access control and passenger / luggage, intrusion detection and CCTV.

In the face of this imminent threat, 12 teams of cyber defense specialists are selected and mobilized. Their goal: to try to thwart these attacks, to limit the consequences and to report the progress to the authorities.

You will start your mission directly connected inside the port operations center that you are defending. for this you will need:

• Mapping the agency's network to identify the different services and potential vulnerabilities and then regain control over the systems compromised by the attackers.
• Then strengthen the security of connected infrastructure and investigate the group of attackers behind the cyber attacks.

Different information and related missions will be communicated to you as you progress.

• Each hardship will allow to recover a "flag" which will then be validated and posted on a common portal of points, allowing the different teams an instantaneous follow-up of their classification and in fine at the end of the time allotted to the team having won the most points corresponding to the difficulty of the hardships.
• In case of a tie, the team with the most complete and accurate network topology will be ranked highest. This assessment is left to the discretion of the organizing committee of the final round.
• The flags to be recovered are of the form "ECW {MD5}".
• The events set up as part of the final of the challenge are covered by copyright. Any resumption is conditional on the respect of the intellectual property right with regard to the authors and assigns. In order to respect the work of the authors and the search work of the players:
• The publication of solutions during the duration of the challenge is not allowed and is penalized.
• Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.

Restrictions:

• It is strictly forbidden to attack the infrastructure hosting the challenge and the score portal shared by the different teams. The only attacks allowed are those directly related to the different tests put in place in the virtual infrastructures for each team.
• Each team has its own virtual infrastructure. It is strictly forbidden to enter the virtual infrastructure of another team in any way.