Important Dates

The BSidesLisbon Qualifiers will start on the 24th October 21:00 and will end on the 25th October 23:59.

Support

We highly recommend players to join the Ethiack Discord. To view the CTF channels you have to react to the message in the #bsides-role channel.

This will be the only official way to communicate with the organizers if you want to raise issues, ask questions or just vibe with the other players and share writeups after the competition ends.

Instances

The BSidesLisbon Qualifiers runs on the 1337 Ethiack Instancer™. This means that each team will get a private instance for each remote challenge that will be spawned on demand.

Do not spawn instances without a working local exploit. The instances are meant to be the ultimate test against your exploit not a playground to test the waters. Excessive instance spawning may lead do disqualification.

If you notice something that is not working correctly reach out to the organizers immediately by creating a ticket in the competition's official Discord.

Flag Format

All flags will follow the Ethiack{.*} regex unless stated otherwise.

Challenges

There will be between 10 and 15 challenges evenly distributed across 5 categories. The official categories will be Pwn, Web, Rev, Crypto and Misc but keep in mind that Misc may contain challenges that are related to Forensics, AI or Blockchain.

Expect the difficulty of the challenges to range from "even a monkey could do it" to "cosmic hallucinations by the authors".

Rules

• Only the top 10 teams will be qualified for the on-site finals.
• In case of ties, the date of last submission will be the deciding factor.
• The 10 finalist teams will be asked to form a team of (at most) 4 members.
• There is no player number restriction during the qualifiers but it is strictly forbidden for players to compete in more than one team.
• The organizers may ask any team to provide proof of exploitation for each challenge to avoid cheating. It can be either the exploit script or a small writeup.
• Attacking the organizer's infrastructure or using the infrastructure for any other goal rather than the competition itself is strictly forbidden.
• Bruteforcing is forbidden. There are challenges that may need multiple concurrent connections so please be mindful to keep the concurrent connection count low.
• Sharing flags and any other type of technical information between different teams, blackmailing organizers or other type of nefarious behavior is strictly forbidden.
• Violating any of the rules above will lead to immediate disqualification of the team that commited the offense.
• Please use your good sense, if you think something is not right open a support ticket in the official Discord.
• The organizers have the right to change and enforce any of these rules during the competittion.