RabaCTF

RabaCTF 2025 Setup Details

TL;DR Quick Information

Competition day information:

VPN

A VPN is required to connect to your vulnbox, connect to the game services and attack other teams.
Your team will be given a zip file containing WireGuard configurations. Give each team member a single, different configuration file (make sure no two people use the same configuration).
To activate the VPN, install WireGuard (https://www.wireguard.com/install), open it, click Import tunnel(s) from file and choose the WireGuard configuration file you were given.
Then press Activate to start the tunnel.

Vulnbox

You will receive access to your vulnbox at 2025-03-29T11:00:00+0200. At 2025-03-29T12:00:00+0200 the network will open and you can start attacking other teams. The network will close at 2025-03-29T19:00:00+0200.

You will receive credentials to connect to the vulnbox at the start of the competition. You can then connect to the vulnbox with the command

ssh root@10.98.[team_id].1

where [team_id] is your team's ID, which you will also receive alongside your credentials.

Inside the root user's ssh directory (at /root/.ssh) there will be an authorized_keys file containing a public key. Do not delete it, or the organizers will not be able to help you with any problems (including resetting your vulnbox, should you need it).

The other teams' vulnboxes will have the same IP pattern, just replace the [team_id] with the ID of another team (IPs of other teams can be found on the scoreboard). Team IDs start at 2.

NOP Team

The NOP team is a vulnbox that is always available for you to attack. Nobody is playing the NOP team, and the flags of the NOP team vulnbox are not worth any points.

Perfect to test if your exploits are working.

The NOP team IP address is:

10.98.1.1

Scoreboard

The scoreboard can be accessed at https://scoreboard.rabac.tf (needs VPN connection).
There, you can see the current standings, current points, what services are alive on a per-tick basis, what services are being exploited and other statistics about the game.

Ticks and duration

The game is separated into ticks. Every 2 minutes a new tick starts, and in every tick the checkerbot checks whether your services are working properly and places a flag in each service.
A flag is valid for 5 ticks, meaning you can submit flags up to 10 minutes old to the submission server and get points for them; flags older than 5 ticks will not give you any points.

Flag IDs

Flag IDs of the last 5 ticks can be accessed at https://ad.rabac.tf/competition/teams.json
It is a JSON-formatted file, in which you can access the flag IDs via the flag_ids key.
There, the flag IDs are separated by service (flagstore) and further by team IDs.
An example teams.json file is given below:

{
  "teams": [
    7,
    8
  ],
  "flag_ids": {
    "exampleService": {
      "8": [
        "randomUsername1;randomGroupname1",
        "randomUsername2;randomGroupname2"
      ],
      "7": [
        "otherRandomUsername1;otherRandomGroupname1",
        "otherRandomUsername2;otherRandomGroupname2"
      ]
    }
  }
}

Flag Submission

You can submit flags to the teamserver at submission.rabac.tf:31111
Keep in mind to submit only one flag per line (separate flags with newlines) and that the submission is over raw TCP, not HTTP.
Example Linux command to connect to the submission server (netcat must be installed):

nc 10.98.0.1 31111

An example flag submission python function is given below:
import socket

def submit_flags(flags: list[str]):
  try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)
    sock.connect(('10.98.0.1', 31111))
    # One flag per line, newline-terminated (raw TCP, not HTTP)
    payload = b'\n'.join(s.encode() for s in flags) + b'\n'
    sock.sendall(payload)
    # Wait for one status line per submitted flag to be returned
    lines = 0
    while lines < len(flags):
      x = sock.recv(1000)
      if not x:
        break  # server closed the connection before answering every flag
      lines += x.count(b"\n")
    sock.close()
  except Exception as e:
    print(f'Error while sending flags: {e}')

Adapted from: https://github.com/lavish/flappy

Flag Regex

All flags match the regex RABA_[A-Za-z0-9+/]{32}
You can use this regex to find flags in non-parsed output (for example inside the HTML of a webpage).
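The two formats described above, the teams.json flag-ID file and the flag regex, as an added example that is not part of the original page or the organizers' tooling: it parses the flag_ids structure into per-service, per-team lists and extracts deduplicated flags from unparsed output. The sample JSON below is constructed to match the shape shown above, not downloaded from the game server.

```python
import json
import re

# Flag format stated on the page: RABA_ followed by 32 characters from [A-Za-z0-9+/]
FLAG_RE = re.compile(r"RABA_[A-Za-z0-9+/]{32}")

# Constructed sample in the shape of teams.json (not real game data)
SAMPLE_TEAMS_JSON = """
{
  "teams": [7, 8],
  "flag_ids": {
    "exampleService": {
      "8": ["randomUsername1;randomGroupname1", "randomUsername2;randomGroupname2"],
      "7": ["otherRandomUsername1;otherRandomGroupname1"],
      "9": ["staleUsername;staleGroupname"]
    }
  }
}
"""


def parse_flag_ids(raw: str) -> dict[str, dict[int, list[str]]]:
    """Return {service: {team_id: [flag_id, ...]}} from a teams.json document.

    Team IDs are JSON object keys, hence strings; they are converted to ints so
    they can be matched against the integer list under the "teams" key.
    Entries for teams not listed under "teams" are dropped.
    """
    data = json.loads(raw)
    known_teams = set(data.get("teams", []))
    result: dict[str, dict[int, list[str]]] = {}
    for service, per_team in data.get("flag_ids", {}).items():
        result[service] = {}
        for team_str, ids in per_team.items():
            team_id = int(team_str)
            if team_id not in known_teams:
                continue
            result[service][team_id] = list(ids)
    return result


def extract_flags(text: str) -> list[str]:
    """Find every flag in unparsed output (e.g. raw HTML), deduplicated, in order of first appearance."""
    seen: set[str] = set()
    flags: list[str] = []
    for match in FLAG_RE.finditer(text):
        flag = match.group(0)
        if flag not in seen:
            seen.add(flag)
            flags.append(flag)
    return flags
```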

RabaCTF is on hiatus until 2026

Stay posted by watching this website!