It's an A/D CTF.
The game starts at 10:00UTC, the network opens at 11:00UTC.
Flag lifetime: 15 rounds. Round: ~1 min.
How to post flags: example.


First of all, the goal of this event is not to find out who is the best team. We sincerely believe that true professionals are incomparable. The main goal of RuCTFE is to share experience and knowledge in computer security and to have some fun together. Nevertheless, the luckiest team will become a winner.

TIt is difficult to give a complete set of rules for a CTF challenge, so these rules can change without notice at any moment prior to game start. That is why we recommend checking the rules one more time before the competition starts. Just in case :)



A group of people with a captain.


A vulnerable application written for the challenge.


A virtual machine that contains all the services. It is provided prior to game start in a form of game image. Game image is identical for all teams.


A string that matches regex: /^\w{31}=$/.


A period of time for the checksystem to check and score all the teams. Game round usually takes about 1 minute.


A group of people that run the competition. Organizers do their best to provide a quality and fun event to all participants. Still organizers are to penalize/disqualify teams for rules violation and to solve the critical situations not described in these rules. Teams should be prepared to meet such decisions with understanding. Also organizers do determine the winner. In general, this decision is based on the scoreboard.


  • Do whatever they want within their network segment. Most likely the team would like to patch vulnerabilities in their services or block exploitation of vulnerabilities;
  • Attack other teams. Didn't expect that, huh?


  • Filter out network traffic coming from other teams;
  • Generate excessive amounts of traffic that pose a threat to network stability of organizers' facilities;
  • Generate excessive amounts of traffic that pose a threat to network stability of any other team;
  • Attack teams outside of the VPN;
  • Attack the game infrastructure operated by organizers.


The competition begins when the organizers announce the decryption key for the game image. After that the game time is divided into two periods:

  1. For the first hour network segments are closed and there's no cross-team traffic. We recommend that teams use this time to perform initial  vulnbox administration and vulnerability analysis.

  2. After the first hour, network segments are opened, allowing the teams to attack each other. Network segments remain open until the competition ends.


Key parameters in the scoring system are SLA and FlagPoints. Their values are individual for each service of each team. Team score is calculated as the sum of the products of the corresponding SLA and FlagPoints of all team's services.

SLA (team, service) is the fraction of the game time in which that service of that team was in the UP state. E.g. if the service was always UP, SLA would be 1. If 4 hours passed from the game start and the service was UP during the first hour and then was not UP for the rest 3 hours, SLA would be 0.25. At the beginning of the game all teams have SLA equal to 1.

FlagPoints (team, service) is the number that correlates with a team's ‘understanding’ of the service. FlagPoints depend on the team attack capabilities (exploiting vulnerabilities against other teams) and defense capabilities (fixing vulnerabilities in their own service). At the beginning of the game all teams have equal FlagPoints, and FlagPoints are updated every game round. If during the round the team failed both in attack and defense of the service, the corresponding FlagPoints will decrease, but will never reach 0. If during the round, the team was only able to defend the service, the corresponding FlagPoints will not change. If the team was able both to attack and to defend, the corresponding FlagPoints will grow.

Flag price is the number of FlagPoints got by attackers for stealing the flag from the victim.

Flag lifetime is the amount of time during which the flag must be available in the service for the checksystem. At RuCTFE it's 15 rounds. Teams should steal the flag and post it to the checksystem until it is expired.

The maximum amount of points awarded/deducted for the flag is equal to the number of the participating teams.If a flag was stolen from a team that was higher on the scoreboard in the previous round, the team that has stolen the flag earns the maximum number of FlagPoints. If a flag was stolen from a team that was below your team on the scoreboard, the number of FlagPoints will decrease based on the difference in teams' positions on the scoreboard, but will never go below 1.

FlagPoints for a flag are awarded when that flag expires.

Luckily all this complex text can be expressed in pseudocode:


    def on_game_start(team):
        team.sla = [1] * number_of_services
        team.flagpoints = [0] * number_of_services

    def on_flag_post(attacker, flag):
		victim = flag.owner
        victim_pos = scoreboard[victim]
		attacker_pos = scoreboard[attacker]
        service = flag.service
        max = number_of_teams

        flag_score = attacker_pos > victim_pos ? max : exp(log(max) * (max - victim_pos) / (max - attacker_pos))

        attacker.flagpoints[service] += flag_score
		victim.flagpoints[service] -= min(victim.flagpoints[service], flag_score)

    def get_score(team):
        return sum(map(lambda x: x[0] * x[1], zip(team.sla, team.flagpoints)))


During the game, scoreboard will be available at
You must submit your flags to, here is an example.

Teams are ranged by total score.


Apart from FlagPoints, SLA and total score, the scoreboard shows the state of each service. There are four possible states of a service:

  • OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.
  • MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn't respond on request.
  • CORRUPT — means that service is online, but past flags cannot be retrieved.
  • DOWN — means that service is offline.

Before the game and during the game, network checks are available at



The prize fund this year is 50 000 Free TON Crystals.

Every highly active team deserves a reward. The reward will be sent to the team’s wallet. Token distribution between team members is up to the team captain. Each team must provide a wallet address within 90 days from the end of the competition in order to receive the prize, but we recommend you to provide it in registration form (if you must, just write there "TBA" and we'll contact you after the contest). If a team failed to provide a wallet address, after 90 days from the end of the competition their prize will be transferred to the HackerDom fund to finance future events.

Per Free TON rules, if any of the team members is a US citizen or if the team represents an American organization (university, etc), we will not be able to reward this team. This team’s award will be transferred to the HackerDom fund to finance future events.

The RuCTFE organizers retain the right to deprive one or several participating teams of their prize, a part or entirely, in case of discovered cheating, irregularities or unsportsmanlike behaviour before, during or after competition. In such a case, the prize will be distributed among other teams or transferred to the HackerDom fund by the decision of the organizers

To get your wallet address we recommend TON Surf wallet which is available on web, Android and iOS. Also you can use TON OS CLI (manual).

Here's Free TON Crystal distribution plan among winning places:

1 place: 8192
2 place: 4096
3 place: 2048
4 place: 1024
5 place: 950
6 place: 900
7 place: 850
8 place: 800
9–82 places: 840 - place * 10
83 place and below: 10

The remaining Free TON Crystal is planned to be spent on FirstBloods, BugBounty and other special bonuses achieved by the participants.

RuCTFE devteam wallet address is 0:bd9e0f00061e6ffc95c2107ce381d5050b692be2f95b1c83af72300756020d5d.