Online Capture the Flag
MAGIC’s Online Capture the Flag competition is an online version of our popular hosted event. While the look and feel is different, we have continued to provide a beginning level of competition for novices.
Instead of a local VM(virtual machine) instance used in our hosted event, the online CTF utilizes a web browser that is accessible from any computer with a browser. This allows the competitor to participate in the online version from anywhere they have internet access.
This version is also slightly more difficult as the individual is responsible for managing their own tools and environmental resources to compete. And because this is totally virtual, no industry professionals are available to coach or give hints on the challenges.
Our challenges are broken down into difficulty levels. Level 0 challenges are basic introduction puzzles that allow the participant to “get into" the competition. Level 1,2, and 3 puzzles become progressively more difficult and will required additional time. We also have two challenge levels specific to an operating system.
A Linux level with challenges specific to the Linux operating system. You will need an installation of Kali Linux to solve these puzzles.
The second is a Windows level. These puzzles are specific to a windows operating system and you will need an installation of Windows to solve this level. These 2 levels are more complex, but will gain you more points when solved.
The online competition allows MAGIC to expand our cybersecurity learning opportunities to interested people that would not ordinarily attend a live event. Each has it’s positives and negatives. You choose which is right for you!
Each individual who participates in the Competition (“Participant”) must be at least 13 years of age.
By creating an account and participating in the competition challenges, you are agreeing to these competition rules with respect to the current competition.
- Individuals and/or Teams may not interfere with the progress of other individuals/Teams, nor with the operation of the Competition’s infrastructure. More specifically, attacking the scoring server, other Teams, or machines not explicitly designated as targets is cheating. This includes both breaking into such machines, and denying others access to them or the ability to solve problems. Sharing keys or providing overly-revealing hints with other teams is cheating, as is being directly assisted by personnel outside the Team (using tools from the internet is OK; asking people on the internet to help solve the problem is not). We encourage Participants to solve problems in novel and creative ways using all available resources, but we do require that Participants solve the problems themselves.
- All information provided to establish an account must be true and correct. You are responsible for keeping such information up-to-date. Failure to keep your account up-to-date may, among other things, jeopardize your eligibility to compete.
- You must utilize appropriate username and team id’s. No usernames and IDs will be allowed that promotes a negative connotation or meaning. MAGIC will disqualify a participant if we deem inappropriate ID’s are being used. This includes icons and emojis.
- MAGIC runs an honest, ethically responsible competition. At any time, in the sole and absolute discretion of MAGIC, we shall be entitled to disqualify a Participant and/or Team in the event of a failure to meet relevant eligibility criteria or any other violation or suspected violation of these Competition Rules.
- Professional teams and teams that have professional skill levels should not participate in this beginner level educational competition. Professional or ranked teams will automatically be disqualified at the end of the event.
- Competition problems(challenges) or other content on the MAGIC site remains the property of MAGIC. MAGIC reserve any rights in such materials. You are authorized to access and use such materials solely with respect to registration for and/or participation in virtual CTF by you. You may not use the MAGIC site or any materials on it (including but not limited to the Competition problems) for any unauthorized purpose.
- In this competition, tie breaks are essentially resolved by time. If two teams have the same score at the conclusion of the competition, the team with the oldest score time stamp will be declared the winner.
Registering for the Virtual CTF
The online CTF is a team based challenge. Up to 4 people can be registered to a team. Please follow the directions for creating teams and registering your user id to a team. As all prizes are sent via email, make sure you enter a valid email address when registering. Failure to provide a valid email will cause a forfeit of any prize offered to winning teams.
NOTE: No inappropriate user names or team names will be permitted! MAGIC reserves the right to disqualify you AND your team if it is determined that you and/or your team registered with any keyword, terms, or words with a negative connotation. This includes icons or emojis.
If you are registering to play as an individual you must still create a team of 1. To register as an individual select Register from the top menu. Fill out the username, valid email address and password for your user then click Register. Please remember your user id and password. Next select Create Team from the pop up buttons.
For your team name, you can insert your user id you just created, or a new team name. Select a password. If at a later time you want to invite others to join your team you can forward the team name and password for them to join. Please be aware that the team name is case sensitive. Potential team members must enter the team name and password exactly as enter by you. That’s it. You are now registered to play. Your scoring for the competition will be listed under your team name.
Teams: (up to 4 individual per team)
Assign a team captain from your group. That person will register the team name and assign a password for the other members to join.
Team Captain: Register your id by clicking on Register from the menu. Enter a user name, valid email address, and password. Once completed, a pop up to create or join a team appears. As Captain, you will Create a team. Select a team name and a password associated with that team. Once that is done, you can forward the team name and password to your team members to use for registration. Please be aware that the team name is case sensitive. Once they create their individual username, they will choose Join Team and enter the information forwarded by the team captain. You are ready to go.
Prize are determined for the top 3 teams after the completion of the competition. The prizes are:
$100 electronic gift card from Amazon for each member of the 1st place team
$50 electronic gift card from Amazon for each member of the 2nd place team
$25 electronic gift card from Amazon for each member of the 3rd place team.
MAGIC will determine and announce the top 3 teams after the competition ends. MAGIC reserves the right to disqualify any team that is found not conforming with the Rules of the competition. Any ties for the top 3 slots will be determined by time stamps on the teams in question. Oldest time stamp(who scored the points first) will win.
Looking for help during the competition? Well, we can’t give answers or hints, but if you have technical or general questions, you can find us on Twitter at @MAGICWestMD. Use the #octfmagic hashtag to send us your questions or issues. You can can also send us an email at firstname.lastname@example.org.
Available resources to connect with your teammates:
As your team will be spread out during the competition, you can utilize several team collaboration tools to communicate with them. All the resources listed are free to use.
You can also utilize other means of communicate such as Facetime, text messaging, etc.
Tips for your team during competition:
Each level and challenge is available for solving. Your team does not need to answer the challenges in order or one at a time. Each team member can work on a different puzzle at the same time if they so desire. Only one team member can input an answer to a particular challenge. Once that puzzle is solved a check mark will appear next to it confirming the puzzle has been solved. You can work together to solved each puzzle or you can divide and conquer. Hit your browser refresh occasionaly to confirm a puzzle has not be solved yet. There is no wrong way to work.
We don’t limit the attempts on puzzles. You can make as many attempts as needed to get the correct answer. This is a learning experience. We want to you solved every puzzle. We also do not deduct points for any of our Level 0 puzzles that have hints attached. However, points are deducted from the more difficult, higher level puzzles that contain hints. Be very careful asking for a hint as the “cost" points will be deducted from the team score immediately. Also remember, your answers are case sensitive.
Tools and Resources
Unlike our location CTF’s, this competition is completely virtual. To help competitors out, we have included a built in helper tool called CyberChef.
CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more. You can find the tool button located at the bottom of your browser window. CyberChef is a read only utility. It will allow you to see your input and outputs but will not allow changes to be saved within the app.
Other tools that may be helpful:
- Google search engine.
- Encrypting/encoding tools. Data conversion. Ciphers. (XOR, ROT, Binary, Base64, Hex(adecimal) Octal, ASCII/UTF-8 character, etc.)
- Cyberchef (“Tools" button within the competition window)
- https://www.dcode.fr/ (Warning: Output is always uppercase.)
- Hex editor.
- HxD (Windows).
- Bless Hex Editor (Linux).
- Cyberchef’s “To Hexdump" (read-only).
- File Identifier.
- Cyberchef’s “Detect File Type.”
- “File" command.
- File scan database / history.
- Hash Identifier.
- hash-identifier (Linux).
- Cyberchef’s “Analysis hash."
- Cyberchef’s “Magic" tool (encoding/encryption lookup/bruteforce).
- Hash Lookup (Rainbow tables).
- Password/hash cracking.
- John the Ripper (Kali Linux).
- Crunch (Custom wordlist generator).
- office2john, zip2john, etc.
- Hash computer/generator.
- Powershell “Get-FileHash."
- Linux “sum" (i.e. sha256sum, md5sum) utilities.
- Cyberchef’s Hashing tool series.
- Packet sniffer/analyzer. Connection viewer. PCAP viewer/editor.
- Network Miner.
- Fiddler 4 (Windows).
- System Internals TCPView (Windows).
- netstat command (windows -bano/linux -tunap).
- Memory Editor.
- CheatEngine (Windows).
- scanmem (Linux).
- Python/C#/Java IDE.
- .NET framework / python / Java JDK +
- Visual Studio (Windows).
- C#: https://www.tutorialspoint.com/compile_csharp_online.php
- Python 2: https://www.tutorialspoint.com/execute_python_online.php
- Java: https://www.tutorialspoint.com/compile_java_online.php
- .NET framework / python / Java JDK +
- dnSpy (Windows).
- ILSpy (Windows. Linux/MAC forks available.).
- Archive manager
- 7-zip (Windows).
- https://sourceforge.net/projects/p7zip/ (cmdline, Linux).
- File Resource Viewer
- Resource Hacker (Windows).
- Document viewer (.doc/.docx).
- Microsoft Word.
- Google Doc
- Image EXIF extractor
- Cyberchef “Extract EXIF."
- Command Prompt, Powershell, Linux Terminal.
Kali Linux is a free open-source version of Linux used by cyber security professionals for cyber testing.
We have compiled some Frequently asked questions that we hope will answer any questions you may have.
What is the age limit to compete in the CTF?
Participants must be at least 13 years of age to compete. Students ages 13-20 are encouraged to participate in this beginner level competition. Continuing education adults with no prior cybersecurity experience is also welcome.
How can I register for the online CTF?
The registration link for the online ctf will be posted on this page and in our Event listing on the Wednesday before the event. We reset our system before each competition, so if you register before that date, your registration will be deleted. You must re-register for each event.
I want to compete, but I don’t know if I have enough experience.
The great thing about MAGIC’s CTF is that you need NO prior experience. This competition is a truly entry level competition that includes basic knowledge puzzles as well as more in depth challenges. Learn at your own pace.
What do I need to know to compete?
Basic understanding of computers and how to use Google are about the only things you need to know to start out. Most of our basic Level 0 challenges only require being able to use your internet browser to search for specific information. The higher level challenges do required several different tools to help solve puzzles, but we have included a helpful tool within the competition to get you started. Also, check out our Tools & Tips tab to get a great list of resources to help you out.
Will I have help during the competition?
Simple answer is no. This competition is a work at you own pace event. It is designed as a self motivated competition and you must rely on your knowledge and sleuthing skills to solve the puzzles. However general questions or technical issues or errors can be directed to us at email@example.com or our twitter feed at @MAGICWestMD with the hashtag #octfmagic.
I don’t have a team, can I still participate by myself?
YES! Although our online competition is team based, individuals can participate by creating a team of one. Check out the How to register tab for detailed information on registering.
What prizes are given, if any, for this competition?
MAGIC’s main goal is to promote an unstructured experience to learn and grow. We do however, offer a small prize for the top 3 placing teams. Each member of the 1st place teams will receive a $100 Amazon gift card. Each member of the 2nd place team will receive a $50 Amazon gift card, and members of the 3rd place team will each receive a $25 Amazon gift card. The gift cards are sent electronically, so please make sure you register with a valid email address as any prizes won will be sent to that email. Electronic gift cards will be sent out within 24 hours of the end of the competition.