Competition Rules
AUST CTF 2026 - Official Rules & Guidelines
Important Notice
By participating in AUST CTF 2026, you agree to abide by all rules listed below. Failure to comply may result in disqualification, score penalties, or a ban. The organizers reserve the right to modify rules at any time to ensure fair competition.
General Rules
-
Individual Competition
This is an individual-based CTF competition. Team collaboration is prohibited. Each participant must solve challenges independently.
-
Registration Requirements
Participants must register before February 19, 2026. Late registrations may be accepted subject to availability. Use your real identity for registration.
-
Account Security
Participants are responsible for maintaining account security. Sharing credentials or allowing others to use your account is prohibited.
-
One Account Per Person
Each participant may only use one account. Creating multiple accounts (sockpuppeting) results in disqualification.
Flag Submission
-
Flag Format
All flags follow:
CTF{...}. Submit exactly as found (case-sensitive unless stated otherwise). -
Submission Limits
Rate limiting applies to flag submissions. Excessive incorrect submissions may trigger temporary restrictions.
-
First Solve Bonus
The first solver of each challenge receives bonus points. Tie-breakers are based on submission timestamp.
-
Dynamic Scoring
Challenge points may decrease as more participants solve them. Solving early yields maximum points.
Prohibited Actions
-
No Attacking Infrastructure
Attacking the CTF platform, servers, or network is prohibited (DDoS, brute-force, unauthorized access, etc.).
-
No Collaboration
Sharing flags, hints, solutions, or challenge details with other participants is forbidden during the competition.
-
No Automated Scanning
Automated vulnerability scanners are prohibited unless a specific challenge explicitly allows it.
-
No Flag Sharing
Submitting flags obtained from others, write-ups, or previous competitions is cheating and results in disqualification.
-
No Disruption
Do not disrupt others (deleting content, modifying files, interfering with progress, etc.).
Violation Penalties
- First violation: Warning and score penalty (-20% of current score)
- Second violation: Disqualification from current competition
- Severe violations: Permanent ban from future AUST CTF events
- Legal action may be taken for attacks on infrastructure
Scoring System
-
Base Points
Each challenge has a base point value based on difficulty. Points are awarded immediately upon correct submission.
-
Dynamic Scoring
Points may decrease as more participants solve a challenge to reward early solutions while maintaining fairness.
-
Tie-Breaking
In case of ties, the participant with the earliest last correct submission wins.
| Achievement | Bonus Points | Description |
|---|---|---|
| First Blood | +10% of challenge points | First to solve a challenge |
| Speed Bonus | +5% of challenge points | Solve within first 5 solves |
| Category Master | +100 points | Solve all challenges in a category |
| Completionist | +500 points | Solve all challenges |
Challenge Categories
-
Web Exploitation
SQL injection, XSS, authentication bypass, file uploads, and other web vulnerabilities.
-
OSINT
Information gathering from public sources, metadata analysis, and digital footprint investigation.
-
Cryptography
Classical ciphers, modern crypto weaknesses, hashing, encoding, and protocol analysis.
-
Reverse Engineering
Binary analysis, disassembly/decompilation, program logic understanding, and hidden behavior discovery.
-
Digital Forensics
File analysis, memory forensics, network packet analysis, steganography, and evidence recovery.
-
Miscellaneous
Programming puzzles and creative challenges that don’t fit other categories.
Competition Format
-
Jeopardy Style
Challenges are organized by category with varying points. Participants choose which challenges to attempt.
-
Competition Duration
The competition runs for 4 hours on February 28, 2026 starting at 09:00 AM.
-
Hints
Hints may be available. Using a hint may apply a point penalty (typically 10–20%).
-
Leaderboard
The leaderboard updates in real time. Final rankings are determined at the competition end time.
Equipment & Tools
-
Required Equipment
Bring your own laptop with internet connectivity. A modern browser and terminal access are required.
-
Allowed Tools
Standard security tools are permitted (Burp Suite, Wireshark, Ghidra, IDA Free, Python, etc.).
-
Prohibited Tools
Automated scanners that disrupt infrastructure, or tools that solve challenges automatically, are prohibited.
-
Internet Usage
Internet access is allowed for research and docs. Searching for or sharing flags online is prohibited.
Ethics & Conduct
-
Sportsmanship
Respectful behavior is expected. Harassment or discrimination will not be tolerated.
-
Responsible Disclosure
If you discover platform vulnerabilities, report them immediately. Do not exploit them.
-
Learning Environment
This is an educational event. Focus on learning and skill development.
-
Legal Compliance
All activities must comply with Lebanese law and AUST policies. Illegal activity will be reported.
Dispute Resolution
-
Challenge Disputes
If a challenge is unclear or broken, contact organizers via the support channel. Do not discuss publicly.
-
Scoring Appeals
Scoring disputes must be submitted within 1 hour of the competition end, with evidence.
-
Organizer Decisions
Organizer decisions regarding rules, scoring, and disqualifications are final.
Prizes & Recognition
-
Top 3 Winners
First, second, and third place receive trophies, certificates, and prizes. Winners must be present at the closing ceremony (or provide a valid reason).
-
Participation Certificates
All participants who solve at least one challenge receive digital participation certificates.
-
Category Winners
Top scorer in each category receives special recognition.
-
Industry Recognition
Top performers may be recommended for internship opportunities with industry partners.
Questions or Concerns?
If you have any questions about the rules or need clarification, please contact the organizing team.