Student CTF Rules

Student CTF is a Capture the Flag competition for students of St. Petersburg, organized by SPbCTF meetups crew and supported by St. Petersburg Committee for Science and Higher Education. Partners of this year's Student CTF are ITMO University, Rostelecom Solar and Digital Security.

Capture The Flag

CTFs are competitive hacking events: like ACM ICPC, but in computer security. Teams get a number of tasks or challenges about cryptography, binary reverse engineering, web vulnerabilities, network security, digital forensics, etc — all the topics that computer security engineers work with.

Each challenge has a goal, e.g. find a vulnerability and extract the administrator's password from website database. Upon solving the challenge, team gets a flag — some secret string like spbctf{W3lc0M3_t0_t3h_G4M#}. Team submits it in exchange for points. The team with most points, wins.

To be successful in a CTF, you basically need to know computer systems good and deep.

More info about CTFs on CTFtime website.

Competition Details

Classically, the CTF will consist of two rounds.

Qualifying Round — Jeopardy CTF

Sunday, November 15th, 9:00–18:00 UTC, online

The quals will have two separate tracks:

  • Official student track for teams of 5 to 7 students of St. Petersburg's universities and colleges. One team may include students from several educational institutions, and there's no limit on the number of teams from single institution.
  • Free-to-play track for teams outside of St. Petersburg or teams with different kind of lineup – lone wolves included.

The qualifying round will be a Jeopardy CTF. Teams will get 18 challenges in different areas of computer security, ranging from easy ones to interesting pieces.

The challenges are scored dynamically: the more Official teams have solved the challenge, the less it will be worth in the end.

Final Round — Attack-Defense CTF

Sunday, November 29th, 9:00–18:00 UTC, online

Top 10 teams in each Quals track are eligible to compete in Finals. Official teams and Free-to-play teams are playing on the same vulnbox images but in separate game networks.

The final round will be an Attack-Defense CTF. Teams will get identical servers with specially crafted vulnerable services. The contestants will look for vulnerabilities and exploit them to steal flags from opponents' boxes, at the same time defending against their attacks.

Official track finalists will be able to use a ready-to-use Attack-Defense setup:

  • The vulnbox itself, hosted in organizers' cloud
  • Ready-to-go DestructiveFarm exploit manager
  • PackMon traffic analyzer

A week prior to the finals Official teams will get access to a bootcamp infrastructure to get grasp of the game and tools.


Official track participants are awarded with:

  • Finals Top 3 — trophies and 1st—3rd place diplomas
  • All the finalists — final round certificates and souvenirs


It's frowned upon

  • To play Jeopardy as if it were Attack-Defense: remove flags, take down game challenges. Organizers maintain challenge resilience, but will make a mistake or two. Instead of abusing the mistake, report it.
  • To help other teams or harass them for help. It's a competition, do your personal best.
  • To make organizers' life harder: to generate excessive load, to troll or flood in the chats, to register multiple accounts.

It's encouraged

  • To solve the challenges using any means: to google, to make use of available tools, to invent your own ones, to come up with unintended solutions.
  • To be a hacker in the word's true meaning: know a system so deep that you can make it do something unusual.
  • To do your best and to have fun.

‌Contact Us

Should any questions arise, please contact us in @studentctf Telegram chat or by E‑mail: