We are absolutely thrilled to announce that OWASP San Diego will be hosting an amazing AppSec California CTF hacking competition for the fifth year in a row!

Here are all the important details:

  • Date: January 30-31, 2018
  • Time: 10AM – 5PM PST (runs until 4PM PST the second day)
  • Location: Marian Davies Guest House (Hacking Village). Must be there in person!
  • Players: 100 Players Maximum
  • Required: Bring your laptop (and an Ethernet/USB adapter if you do not have an Ethernet port on your laptop).
  • Optional Equipment: Bring lock picks (as there will likely be physical security challenges)
  • Prizes: Yes! =]

Get plugged in, and get started. The contest begins on January 30th at 10:00 in the Hacking Village and will run through the end of the day January 31st at 4pm. Winners will be announced and prizes given out at the closing ceremonies.

Contest Rules:

  • Don’t be a jerk.
  • No host discovery is required. Everyone scanning a network just makes it break. Scanning a single host as part of a challenge is fine.
  • Targets are clearly marked; only attack those. No attacking the switches, networks, etc.
  • No DoS attacks, just “Catch The Flags” (CTF)!
  • No physical attacks – cables, switches, hardware services are right out. Don’t break them.
  • Don’t delete or change the flags.
  • VMs will be reverted somewhat regularly.
  • Don’t mess with Splunk and logging; we are just health checking.
  • Don’t delete our root key from the box or we’ll have to revert it. Don’t do this as a DoS attack for the other participants.
  • If we ask, you need to show us what/how you did something.
  • We aren’t lawyers, and you probably aren’t a lawyer. Don’t look for loopholes, and don’t get in the way of other people having fun.

Random Thoughts:

  • If this is your first CTF ever, you will be able to find things if you try; if it is not, we have challenges for you also.
  • Objectives and flags are fairly clearly marked.
  • NO STEGO! We hate stego. The tools never work and it’s a pain, so we didn’t do that. Images that have flags are clearly marked and are images for the lulz.
  • No host discovery is required, but scanning a host may be useful.
  • Challenges are standalone, but some easier ones may give ideas for harder ones.
  • We are logging lots of things; if you aren’t happy with that, don’t play.