• saarCTF is a classical attack-defense CTF.
  • We start on 21.03.2020 14:00 UTC. Network opens 15:00 UTC. Game ends 00:00 UTC.
  • A tick is 2-3 minutes, flags are valid for 10 ticks.
  • Flag format: SAAR\{[A-Za-z0-9-_]{32}\}
  • Submit flags: nc 31337

About the Event:

The saarCTF is an IT security competition for teams of one or more members. It is organized by saarsec, the CTF team of Saarland University.

As events happening during a CTF competition are hard to foresee, these rules may be enhanced or changed at any time before or during the competition. Changes will be announced via email, IRC (#saarctf on freenode) and/or the saarsec's Twitter account. In cases not covered by the rules, we will decide according to our own judgement.


The password for the Vulnbox decryption will be released at 14:00 via email, IRC and Twitter. Network connections between teams are enabled one hour later, at which point Gameserver traffic and scoring start as well. The competition is then planned to run for 9 hours. So in total 10 hours: 1 hour preparation + 9 hours with network open.

One tick lasts two to three minutes. The Gameserver checks the status of each service once per tick and places one or more new flags. Therefore, flags exist per tick, service and team. Flags can be submitted within ten ticks from their generation.


The total score is the sum of the individual scores for each service. The score per service is made up of three components:

  • Offense: Points for flags captured from other teams (except the "NOP team") and submitted to the Gameserver within their validity period
  • Defense: Points for not letting other teams capture your flags
  • SLA: Points for the availability and correct behavior of your services

Scores per Service

For each service, the component scores for a team are calculated with these formulas:

Offensive points = 1 + (1/num_captures)**0.5 + (1/victim_position)**0.5

If you steal a flag from a service, you get at least 1 point. You get up to 1 point more if few teams attack this service. You get up to 1 point more if you attack high-ranked teams. If multiple flags are issued each tick, each flag gives only partial points.
Furthermore, the final worth of a flag is only calculated once its validity is over. That means, everyone that submits a flag while it is still valid receives the same points. Hence, you can technically "loose" offensive points for a flag if someone else submits it later while it is still valid. The victim rank is taken at the point when the flag was issued, not when you submit it, so there is really no point in waiting.

Defensive points =

You lose more points if more teams steal your flag. You can't lose more points here than you received by the SLA. If multiple flags are issued each tick, each flag gives only partial points.


We consider teams online that have an active VPN connection.

Total Score

Final team points =

Simply add up the points from each service.

Bug Bounty

Responsible disclosure of vulnerabilities and serious bugs in our infrastructure or rules will be rewarded with bonus points according to our judgement as well as eternal fame.

Abusing vulnerabilities or serious bugs in our infrastructure will be punished. If in doubt, talk to us.

Results & Prizes

During the contest, a preliminary live scoreboard is provided. The official final results will be published by saarsec after the competition. The scores in the contest might not be a good representation of your actual skills, so we encourage you to focus on gaining experience and having fun.

Nevertheless, we will have a price for the winning team, which is yet to be announced.

Technical Behavior

The Vulnboxes of other teams are the sole target for exploitation, attacks against competition infrastructure or any other portion of a team's network (inside or outside of the VPN) are forbidden.

Causing unnecessarily high loads for CPU, traffic, memory, I/O, etc. ("denial of service") on our infrastructure, other teams (including Vulnboxes) or any other party is also strictly prohibited. Breaking a service of another team through sheer amount of requests is forbidden, breaking it through a vulnerability is OK as long as it does not lead to resource spikes. But remember that preventing yourself from stealing their flags won't do you any good.

Despite these policies, all participants are responsible for the security of their own hard- and software. We will do our best to enforce the rules, but cannot give any guarantees for other participant's behavior. saarsec and Saarland University are not liable for any potential damage to your equipment.

Social Conduct

The goal of saarCTF is to allow people to practice their skills and have fun. We ask you to avoid spoiling other's fun unnecessarily.

We want the competition to be a pleasant experience for all participants, regardless of their gender, sexual orientation, race, religion, skill level, personal background or any other criteria. Therefore, we do not tolerate harassment in any form.

This especially applies to our official communication channels, i.e. IRC and Twitter. Misbehavior may lead to a ban from these communication channels and ultimately, the same consequences as for any other rule violation (see below). We ask everyone to speak English in the IRC channel, so that all participants know what's going on.

Teams are prohibited to collaborate with other teams (e.g. share flags, information on vulnerabilities and exploits, or similar). There may be some services where collaboration is allowed, this will be stated explicitly. Every individual participant must only be member of one team.

Rule Enforcement

Violation of the rules or any other hostile behavior may lead to deduction of points, temporary or permanent exclusion from the competition or any other measure deemed appropriate by the organizing Team.

We suggest every team to have at least one representative in our IRC channel with a nick starting with the team name. In case of problems this will be our first point of contact, because email delivery can be slow. If we want to stop you from doing something and are not able to reach you as fast as the issue requires, we might temporarily kill your VPN connection in order to get your attention.

Credits: We adapted these rules from Faust CTF 2019 by Faust.