Back to DocsBack to Challenges

Platform Rules & Scoring

Read these rules before competing to avoid avoidable penalties and submission issues.

Challenge vs Lab

Labs are instance-based: start your instance, connect through VPN, solve inside the environment, and submit the flag.

Challenges come in two forms. Static challenges are hosted services with no per-user container — open the page and interact directly. Instance-backed challenges spin up a private Docker container for you, just like labs — start the instance, connect over VPN, and then solve.

  • Static challenge: no instance, no VPN needed.
  • Instance-backed challenge: active instance + VPN required.
  • Lab: active instance + VPN required.
  • The challenge detail page shows a Start Challenge button when an instance is needed.

Points

Each item has base points and a difficulty tier. Typical tiers are Easy / Medium / Hard / Insane.

Some events may use dynamic scoring where points can vary based on total solves.

  • Easy: lower base points.
  • Hard/Insane: higher base points.
  • Scoreboard totals are cumulative across solved items.

Hints

Hints are optional and cost points. Penalties remain applied even if you solve later.

Use hints strategically when blocked, not as first action.

  • Hint 1: -10 points
  • Hint 2: -20 points
  • Penalty is permanent for that item.

Flag Rules

Submit flags exactly as displayed by the challenge or lab.

Flags are case-sensitive. Extra spaces or altered characters will fail validation.

For instance-backed challenges and labs, the flag is unique to your instance. Do not share it — submitting someone else's flag will fail.

  • Format: FLAG{...}
  • No leading/trailing whitespace.
  • Copy exactly from source output.
text
FLAG{example_redacted_flag}

Attempts & Rate Limits

Do not brute force submissions. Rapid incorrect attempts may trigger rate limits or temporary cooldown.

If you hit repeated failures, validate format, encoding, and challenge context before retrying.

Solved Status

Points are awarded once per user per item.

Resubmitting a solved flag does not grant extra points.

Leaderboard

Leaderboard ranking uses total points earned.

Tie-breaker is earliest solve timestamp for the last score-changing submission.

Fair Play

Compete independently and respect platform boundaries.

Attack only your assigned targets and explicitly in-scope content.

  • No flag sharing.
  • No account sharing.
  • No DoS or abuse against platform infrastructure.
  • No scanning, pivoting, or interfering with other users.
  • Report vulnerabilities responsibly to staff.

Writeups

Writeups are allowed after an event ends.

Do not publish live event solutions or private flags while the event is active.

Academic Integrity

Learning is the priority: document your process and cite external references when used.

During graded activities, do not copy/paste complete solutions from others.

FAQ

No. Any automated guesswork against flag endpoints is prohibited and may trigger penalties or account action.