🔒 General Rules

  1. No Attacking the CTF Infrastructure
    • You may not attack the scoreboard, challenge servers (unless explicitly allowed), or other core infrastructure.
    • You may only interact with challenge services as intended.
  2. No Denial of Service (DoS)
    • Flooding or crashing services, either on purpose or by brute-force automation, is forbidden, and violators will be disqualified from the competition(s).
    • Don’t crash or overload services intentionally.
    • Don’t forkbomb, fuzz indiscriminately, or lock out other players from shared services.
  3. No Sabotaging Other Teams
    • Individuals solve challenges independently, and interfering with others (e.g., locking files or poisoning environments) is not allowed.
    • Do not modify or lock shared files. This includes (but is not limited to):
      1. Change file permissions.
      2. Lock files in VM challenges.
      3. Upload malicious payloads to sabotage others.
  4. No Multiple Accounts
    • This is an INDIVIDUAL competition, and using multiple accounts is prohibited.
  5. Don’t Share Flags or Solutions
    • Flags and write-ups must not be shared with anyone during the competition. Competitors can share challenge write-ups AFTER the conclusion of the Season V, US Cyber Open (11:59 p.m. Eastern Time, Wednesday, June 18th).
  6. No Automated Flag Submission
    • Bots/ scripts that auto-submit flags repeatedly are not allowed, and a rate limit has been set to detect abuse.

🧠 Challenge-specific Rules

  1. Flags Follow a Pattern

    All flags follow a format unless explicitly stated within the challenge description.

    • Beginner’s Game Room CTF: SVBRG{This_is_a_Flag} or SVBGR{This_is_a_Flag}
    • Competitive CTF: SVUSCG{This_is_a_Flag}
    • Warmup Challenge: SVUSCG{Y0u_r34d_th3_ru135}

    Submitting random strings or guessing excessively is frowned upon.

  2. Reverse Engineering or Exploitation is Scope-limited
    • Only attack targets and binaries that are part of the challenge scope.
  3. Use of Public Tools is Fine, but Use Ethically
    • Tools like Burp, Ghidra, IDA, Metasploit, etc., are allowed, but using them to cheat or scan unrelated targets is not.
    • Tools such as SQLMap, Go/Dirbuster, and other brute-force and fuzzing tools are not needed and should not be used. Any exploits used against web apps should be developed for a specific target rather than using premade tools that generate a lot of traffic and stress the CTF infrastructure.
  4. Most Web Challenges Should Be Solved Offline
    • For instanced web challenges, you will have limited time to use each container. You should use any provided source code to test your exploits locally before starting your instance.

👨‍⚖️ Ethics & Conduct

  1. Be Respectful
    • Respect organizers, competitors, and the rules. No explicit/ targeted trash talk or unsportsmanlike behavior, and harassment of any kind will not be tolerated. Violation of these policies will result in immediate disqualification from the competition(s).
  2. Bug Bounties vs. CTF
    • CTFs are isolated environments; don’t confuse them with real-world targets or bug bounty platforms.
  3. Follow Organizer Instructions
    • Organizers may add specific rules for their event (e.g., VM setup, hints usage, scoring changes).

📌 Additional Tips

Join the Official Discord for clarifications, announcements, and updates.

Recommended List of Tools:

CyberChef dnSpy Angr
Wireshark binwalk SIFT
Ghidra Shodan Autopsy
IDA gdb Hashcat
BurpSuite pwntools NetworkMiner
Nmap Radare2 Scapy
FTK Imager socat John the Ripper
Volatility xinetd EZTools
Docker