Rules - Reply Cyber Security Challenge 2019

Registration will open on September 10th, 2019 at 11:00 CEST until October 10th, 2019 at 23:59 CEST. Enrolment after 23:59 CEST) on October 10, 2019, won’t be accepted, except if there’s an extension, which would be announced via the platform. Your team can be made up of one, two, three or four members. The team cannot be changed once the CTF has started.
During the registration phase you can: During the registration phase you can:
  • create a new team
  • ask to join an existing one
  • register and wait for the random team assignment once registration closes
The competition will begin on October 11th at 7:30 CEST and it will end on October 12th at 7:30 CEST (after this time the platform will no longer accept any submissions.)
The Reply Cyber Security Challenge is an online coding competition open to passionate coders and security experts from 14 years (at the time of registration) and above, from all over the world. There will be two challenges, one dedicated to Replyers and one to professionals and students outside Reply.
Your team will submit solutions through Reply’s challenge platform. The challenge platform features a regularly updated leader board, showing how teams are performing. The leader board will freeze 30 minutes before the challenge deadline (but we’ll continue to updates scores).
We’ll publish the 25 problems to be solved on the challenge platform. The problems will be divided into 5 categories (Coding, Web, Miscellaneous, Crypto, Binary), described below:
  • Coding: is related to problems that must be solved with programming languages and skills
  • Web: this type of challenges focus on finding and exploiting vulnerabilities in Web Applications
  • Crypto: involves attacking poorly implemented cryptographic algorithms that don't follow state of the art best practices. By leveraging on the introduced vulnerabilities, the user needs to find them and then decrypt the encrypted messages through, for example, cryptanalysis techniques.
  • Binary: involves reverse engineering and exploiting binary applications. You’ll receive a binary program (no source code), and you'll have to get the flag either by just reverse engineering the binary or by finding out and exploiting its security vulnerabilities.
  • Miscellaneous: this category is about challenges that get elements from all the other categories, plus requiring additional skills such as stegano, forensic, recon, as well as general knowledge: the player must discover how to properly chain them in order to get to the final flag of each challenge.

Each category is made of 5 levels each. When the challenge starts, only the first 3 problems of each category are available. The last 2 problems of each category are enabled once the first three problems of that category are completed by your team.
Alternatively, they are unlocked by the Reply Keen Minds Team according to the challenge progress. There are no cross-category dependencies.
The challenge is solved when the team finds a flag, a string in the following format: {FLG:ABCXXX...XXXXXXXXXX} (letters, digits or ASCII characters). The flag must be submitted in order to earn points for the team, by inserting it into the answer input box in the platform challenge (curly brackets included).

Each challenge gives some base points, according to its difficulty level.
For each category:
  • the first challenge gives 100 points
  • the second one 200 points
  • the third one 300 points
  • the fourth one 400 points
  • the fifth one 500 points

First blood points are assigned to the first 5 teams that solve a challenge.

The bonus points are listed below:
  • first solver: + 32 points
  • second solver: + 16 points
  • third solver: + 8 points
  • fourth solver: + 4 points
  • fourth solver: + 2 points
The official communication channel for the challenge is the web site, which also provides an online chat for tech issues and the possibility to receive broadcasted messages from the Reply Keen Minds Team. You can ask for clarification to the Reply Keen Minds Team during the challenge via chat. Each member can chat with other teams via chat or hangouts.
Any "hint" about available challenges will be provided through the broadcast messages, and then included into the challenge description. Each member can chat with other teams via chat.
The teams must be prepared to send a write-up of how they solved the challenge, if requested by the Keen Minds Team.
At the end of the challenge, the Reply Keen Minds Team will review and validate the top ranked teams on the leaderboard. Each member of the team placed first in the ranking (leaderboard) will win a MSI GS65 8RF Gaming Laptop. The team placed second in the raking will win a Oculus Go for each member, the team placed third in the ranking will win a Gaming keyboard Razer for each member. In order to win, the first 3 team must upload the write up file, with the full explanation of how they got the flag for each problem. If they won't provide the write-up file within 24 hours from the end of the challenge, the team will not considered as winner. The Keen Minds Team will announce the official winners no later than one week after the end of the CTF.

If the write-up is submitted within the deadline, each registered user (if more than one) of the 1st, 2nd and 3rd positioned team on the leaderboard will be contacted by email and required to send, within 10 days and via email, a copy of their own ID to verify the current correspondence with the information provided at the time of registration on the platform. If the Registered User is not at least 16 years old, he/she will receive, as attachment of the abovementioned email, a document to be filled in and signed by the parents (or legal guardian).
We expect every team to have a positive attitude during the contest. No team should prevent other teams from taking part – for instance, by trying to overload the challenge platform or interfering with devices of other participants. This will lead to disqualification.
It is strictly prohibited to:
  • attack the registration and flag submission portal (, or any system other than the challenge box
  • perform denial of service or other attacks (e.g. brute force) aimed to degrade network
  • performance, attack other participants and steal flags
  • use automatic tools (e.g., Nessus) to solve a challenge.
The traffic is monitored by Reply. Intentional acts will be punished.
Similarly, do not try to disturb or distract members from other teams. You’re not allowed to benefit from any external help or support.
Reply Keen Minds Team is responsible for enforcing all rules. The team will review submissions from teams and award prizes. They may exclude any participants or teams at any time, if the team members don’t follow the rules of the contest.

The Reply Keen Minds Team has the faculty, if during a certain moment of the Challenge no team will have been able to solve the first three problems of the related category, to release – for all teams – the access to the last two problems.