@ccondon-r7
Created December 4, 2020 14:20

Notes on CTF game play

  • The game begins at 9 AM U.S. Central Time.
  • We’ve run this CTF for several years now, and we have not yet had an actual technical issue with a flag (other than the occasional bit of latency, which we try to avoid by being thoughtful about challenge development). If your MD5 hash submission isn’t being accepted, it is because the hash is incorrect. Keep trying! There is no penalty for wrong answers.
  • The scoreboard is not a target. Nothing except the official CTF target is a target. Please don’t attack anything except the target box.
  • When game play starts, provisioning is first come, first served. It may take a few minutes. Be patient! If you’ve been waiting for more than half an hour for your network to be provisioned, you can reach out to us on Slack.
  • Please, no spoilers in Slack channels or other public places. Everyone learns at their own pace, so don’t ruin the game for others. We may kick you out of Slack if you post flag spoilers. Harassment of other players and community members won’t be tolerated.
  • Metasploit Slack messages archive automatically after a certain threshold (this is just how our implementation of Slack works). If you’re worried about continuous access to your conversations, you may want to hold them outside of Metasploit’s Slack channel.

FAQ

  • What’s the difference between an account and a team? Anyone can create an account, and accounts are unlimited. Teams, on the other hand, are limited to 1,000. To actually play in the CTF, you need to belong to a team—either by yourself or with your teammates.
  • How do teams work? During registration at metasploitctf.com, you’ll see a page that guides you through creating an account, verifying your email, and finally, either creating a new team OR joining an existing team. If you already have a group of people you know would like to play together, designate ONE team captain to create your team and a team password. Team captains (or whoever created the team) can then share the team password with all team members. Note that a team password is different from an account password.
  • What if I want to join a team later, or if someone else wants to join my team later? That’s okay! To join someone else’s team, ask them for their team name and password. You can then create an account if you don’t already have one (again, accounts are unlimited; it’s only teams that are limited) and input their team name and credentials. If you’d like someone to join your team, you can simply share your team name and password with them.
  • Is there a maximum number of players allowed on a team? Nope! Feel free to team up with as many friends and strangers as you like—just remember that only one prize can be awarded to each winning team, so how you divide prizes if you win is totally up to you.
  • How do I connect to my CTF environment? Starting Friday, December 4, 2020, at 9:00 AM CST (UTC-6) you can log in here and follow the directions on your Control Panel to access the CTF environment.
  • Do I need to use Metasploit to solve the CTF challenges? No. Using Metasploit is an option for some challenges, but the CTF was not engineered to be Metasploit-specific.
  • I am not receiving points when I submit my flag. What’s wrong? You are not submitting the correct MD5 hash. This means you still have some work to do to solve the challenge correctly. Keep trying! There is no penalty for wrong answers.
  • Can you give me a hint about $FLAG? No, sorry. That would spoil the fun!
  • I’m having technical difficulties or I think I’ve found a bug! Can I DM someone for help? In general, Rapid7 staff will not respond to DMs requesting help with flag discovery, exploitation, or anything else related to the workings of the game. If you think you have discovered a bug in the CTF environment that is affecting your ability to play, you can reach out to a designated admin in the #metasploit-ctf channel on Slack, but we strongly recommend you check the pinned Slack messages to see if your question has already been addressed. If we think the behavior you’re experiencing is unexpected, we’ll respond and take a look, but in general, you should expect to proceed without input or attention from us.
  • My target or jump box reverted! What happened? Either you or one of your teammates clicked the “Revert” button from the control panel. Your boxes will not revert on their own, and Rapid7 staff will not revert boxes for you unless specifically requested.