PHDays IV CTF Rules


Game image (vulnbox)

An image of a virtual machine with several preinstalled vulnerable services. At the beginning of the game, teams are provided with identical game images. Each team has full control over its game image during the competition. Image administration is performed by a team.


Equal time intervals, which the game is divided into.


A vulnerable application preinstalled on the game image. The teams should keep the services running throughout the game to obtain resources. A running service provides a team with some resources once in a round. Exploiting service vulnerabilities, the teams can capture a part of rivals' resources. The jury controls the operability of the teams' services with checkers.


A script started by the jury and working with a specific service. Checkers are launched once in a round, they control the operability of the relevant services and add new flags to the game images.


Confidential data within the context of a service or a task. The flags in services are updated by the checkers once in a round. An unauthorized user of a service has to exploit a vulnerability to obtain a flag. By submitting the obtained flags to the jury's system the teams prove their attacks are successful. Moreover, an obtained flag is a proof that a task was solved.


Problems with a single answer (an obtained flag). A team firstly needs to open a task to be able to solve it. Tasks are opened for resources. Each task requires a certain set of resources (for instance, 2 units of the A resource and 1 unit of the B resource). A team can solve a certain task only once. A team receives a certain amount of gold if a task has been solved.


Points received by the teams for keeping their own services running and attacking other teams’ services. There are several types of resources. Each service brings resources of only one type.

A running service scores a certain number of resources for each round. This amount is divided among the owner of the service and the teams, which successfully attacked it. The number of the resources received by each attacking team is calculated by the formula: w*k/n+1, where w is the amount of resources for a round, k is a certain factor, n is the number of the teams, which have successfully attacked a certain service of a certain team within the finished round. The service owner receives the remaining part of the resources. The number of scored resources does not influence a team's rating, but the teams can exchange resources for gold.


Points received by the teams for solved tasks or sold resources. The amount of gold determines the rating of a team. Its value can be negative. If a team has enough gold, it can be exchanged for resources at a preset rate.

Quest chapters

Temporary tasks, the award for which is variable. An equal amount of gold is regularly deducted from each team’s gold to be added to the award for the solution of a quest chapter. Each quest chapter has a certain lifetime. If no team can manage a task within a certain time interval, it is considered unsolved and becomes unavailable. Accumulated award gold zeroes out as well. As soon as a team solves a quest task, all others are provided with some time, within which they can still try to solve the task. Time for task completion is calculated by the formula: min (t solve,t life), where t solve is a certain interval (this value is different for each quest chapter) from the moment the first team solved the task, t life is the remained lifetime of the quest chapter. When this time is over, the award is allocated among the teams that were able to solve the quest task.

Apart from attacking other teams’ services and solving quest tasks, CTF participants can participate in the CIA competition (under general conditions). Please mention your CTF team in you advisories. Your team will score points (gold) depending on the level of a detected vulnerability. The maximum possible number of points for an advisory equals the award for solving the most difficult CTF task."

Rules of PHDays CTF Finals

Only ten teams that scored the largest number of points during the qualifying stage take part in the contest. Each team includes no more than 7 participants (5 active players and 2 substitutes).

During the game, teams are allowed to:

  • Attack other teams’ services
  • Solve the tasks
  • Make any modifications of the provided servers unless it is explicitly prohibited by the rules
  • Use any number of computers and network equipment
  • Change topology of the team’s own network segment

During the game, teams are prohibited from:

  • Filtering the traffic of competing teams from the jury's traffic (e.g., by IP addresses)
  • Generating unreasonably high volume of traffic threatening the game infrastructure (of the jury or other teams)
  • Conducting attacks outside the game network
  • Attacking the jury’s computers
  • Conducting destructive attacks against the rivals’ servers (such as rm -rf /)
  • Performing the above actions in the guise of a rival team
  • Exploiting vulnerabilities of the jury system to gain undeserved points

A team may be penalized or disqualified for a foul.


The jury reserves the right to specify the rules at any time before the game begins.