Richmond, VA

June 4th - 5th, 2015

CTF Update

We caught up with Nick Popovich from the RV4sec CTF team and he had some great information to share with us!

The RV4sec CTF is next week, and is going to be the most intense CTF the 804 has ever seen! Here’s what’s new and amazing this year. Also you’ll want to read on for some info that will aide you during the event.


1). We have what most folks expect: the RV4sec CTF with new challenges and our smiling faces.

2). Bugcrowd will be onsite, and all LIVE, REAL vulns in the Bugrcrowd bug bounty system that CTF participants submit during the event will be checked on the spot. Points for the CTF will be awarded if the submitted bugs are accepted as valid by Bugcrowd.

3). GE has partnered with us and will have their Ghost Red CTF running with MANY amazing challenges (including hacking a simulated nuclear power plant). All points for Ghost Red will also be added to total RV4sec CTF score.

4). Last but certainly not least, the HackRVA folks have included CTF challenges in the RV4sec badges. That’s right, you can tinker with your badges and find “keys” or “flags” and submit those into the RV4sec CTF scoreboard for points.The scoreboard also has clues (for all the challenges).


There will be three systems that folks can register for that will count towards their total score for the CTF:

1). The RV4sec CTF scoreboard.
2). The Bugcrowd system via the Internet (click here for more info for Bugcrowd)
3). The GE Ghost Red CTF scoreboard

The Bugcrowd info linked to above has some values for “points” but that is for the Bugcrowd system only. We will be adjusting the point values for Bugcrowd vulns for the CTF to match our points system. But obviously, the harder/neater the vuln is to exploit, the more points you’ll get.

It is CRAZY important that in all the systems you choose THE SAME USERNAME, and append “_rvasec” without quotes to your username. I’ll say it again. CHOOSE SAME USERNAME IN ALL SYSTEMS and AND “_rvasec” without quotes to your username. if you don’t the points won’t be added up for all your hard work across the systems.

Example: If i want my username to be pipefish, I would put pipefish_rvasec in when creating accounts in all 3 systems.

I know some App Devs, DBA’s and IT folks are scowling now, asking why we don’t have API’s or some consolidated system that curates all the data from the three systems and shows a single leaderboard. To you I say… maybe next year 😉 This year, we have three systems, and that’s that.

We’ve got some rad prizes too including a OnePlus phone loaded with NetHunter courtesy of OffsecNetsparker licensesWiebeTech Forensic ComboDock v5, USB-WiFi-Premium KeyGrabber and a Yubikey NEO!