Cyber Capture the Flag

In this version of a "Cyber" Capture The Flag competition, you will work in teams of three to both to defend your system and attack those of others. The target system is a Content Management System (CMS) Web Application with a plug-in architecture. New functionality will be introduced during the competition via plug-ins, so be prepared to adapt to novel situations quickly.

The basic timeline is as follows (for more details see Events Calendar):

  • A VM containing the Web APP will be available October 3.
  • Instruction will begin October 3.
  • CTF competition is November 3-4, 9am to 9pm, on MIT campus.
  • Prizes will be awarded in a ceremony on November 4.

Competition VM

An important feature of this CTF is that the competition VM containing base OS and Web App will be distributed over a month prior to the competition proper. This is intended to add realism to the exercise, and it opens up a number of opportunities for extensive defensive and offensive preparation (read more about Why CTF?). Your team might choose to very carefully configure the Operating System to reduce the attack surface your system presents on the network. You might review the CMS for security problems. You might construct attacks. You might choose to modify or correct the code. You might devise host-based monitors and or interpose input filtering modules to protect the CMS from malicious inputs. These are only a few ideas, and you should feel free to implement whatever you think will succeed.


There are no formal prerequisites. Working knowledge of Linux will probably be necessary, and familiarity with Web Application bits and pieces will be very useful to have obtained by competition time, including HTML, PHP, Javascript, Ajax, and MySQL. Much of this could be acquired along the way, through self-study. We will be giving a 30-40 minute walk-through on the CMS, pulling it apart into its components. But we won't give PHP or MySQL lessons. In addition, other scripting and compiled languages will be used in challenges - a flavor will be given during one of the seminars.


We will be providing some instruction in defensive and offensive techniques and tools (see the schedulefor more information). Slides will be made available on to registrants. However, self-study is strongly encouraged! See the page of "Resources" for some jumping-off points for self-study. We, the organizers ("Contact"), additionally, will be happy to answer questions via email, within reason.


Participants are not strictly required to work in teams; however, it is encouraged that you do form a team. This CTF involves both offensive and defensive activity which would be tricky to accomplish alone. Team size is limited to five participants.

CTF Competition

CTF competition will be held 9am-9pm November 3 and 4. During the two day competition period, your team will actively defend and attack. At certain points during the competition, you will be asked to support new functionality in the form of plug-ins written by CTF management. The scoring system will provide some situational awareness, subject to random delays and outages. The scoreboard will not be visible for the final hour of the competition. Scoring will be a function of both defense (including measures of confidentiality, integrity, and availability) and offense. Rules are fairly standard (see "Rules").


We hope you will be motivated to participate in CTF because of all you will learn about how (and how not) to secure a Web Application (you can read more about Why CTF?). But if not, there will also be prizes! The top team will go home with MIT/LL CTF flag and $1,500. The second ranked team will receive $1,000 cash prize, and third ranked team will receive $500. All participants will receive T-shirts unless we run out of money...

  • No labels