
Metasploit Blog

3 posts authored by Brian Oneill (Rapid7 employee)


The Metasploitable3 CTF competition has wrapped up and we have our winners!  We had almost 300 flag submissions from more than 50 fine folks.  There were some really great write-ups submitted, with great detail on how the flags were found.  Thanks to everyone who took the time to submit a finding!  ON TO THE RESULTS!

 

When we announced the competition, we didn't specify whether team submissions were allowed or not.  Well, it turns out that a team was in the top 3.  Team RUNESEC went bonkers and submitted all 15 flags over the course of 4 days.  Nice work RUNESEC.  We didn't want anyone to feel slighted, so we decided to go ahead and (in the spirit of the season) be generous.  Therefore, Team RUNESEC will receive a 2nd place prize, as they were the second to submit all the flags.  Additionally, the top 3 individual submitters will receive prizes.

 

These winners showed some tremendous talent and skill.  Vaibhav completed the challenge just 7 days after the contest was announced, and Jonathan completed all the flags in roughly 12 hours!  A total of 4 individuals completed the challenge; based on reviews of the write-ups and time of completion, we have the top 3 winners.

 

Top Individual Submitters

1st Place, Hak5 Pineapple: Vaibhav Deshmukh

2nd Place, LAN Turtle or Lock Pick Set: Igor Guarisma

3rd Place, LAN Turtle or Lock Pick Set: Jonathan Echavarria

 

Top Team Submitter

1st Place, LAN Turtle or Lock Pick Set: Team RUNESEC

 

Here is a breakdown of the top 10 submitters.  Please note that the grouping by count doesn't reflect overall standings, just the number of valid flags submitted.

 

Top 10 Submitters

[Image: Top 10 Submitters chart]

 

Great work everyone!

 

The cards most frequently found were:

[Image: card count chart]

 

The card most likely to be found first?  The Joker.

 


We will be contacting the winners directly over the next few weeks to arrange delivery of the prizes.  And... as an added bonus, EVERYONE who submitted a valid flag will get a Metasploit t-shirt!

 

Thanks again to everyone who participated; we've had a great time reviewing all the very creative and well-written submissions.  Going forward we will continue to add new and fun flags to Metasploitable3, and as always, we'll keep you posted when we have some new flags to discover.  We will also be adding new options to exploit Metasploitable3 as they emerge.  If you have any ideas or things you'd like to see in future iterations of Metasploitable3, please feel free to comment on our GitHub page.  Metasploitable3 is an open source project, so if you're up to it, you can submit a pull request with any of your own ideas!  Check out the repo on GitHub.

 

I'd like to give a special thanks to sinn3r for all of his great work judging submissions and helping out everyone with questions.

The Metasploitable3 Capture The Flag Competition has been underway for about a week now and the submissions have been pouring in!  We're very excited to see so many great submissions.  We're reviewing as fast as we can, so if you don't hear back from us right away, don't worry, you will.  For all valid submissions we will update this blog post and subsequent ones with the leaderboard.  For any questions submitted we will get back to you as fast as we can, and for any invalid solutions submitted we will write back and let you know the reason.  Got a question?  Send it to capturetheflag [at] rapid7 [dot] com.

 

Some of the flags are a little bit tricky and have been causing the most questions, so we wanted to add a little clarity.

 

Firstly, all flags share the same design.  If you see a flag that looks different from the others, it's probably not a flag.  Additionally, all the real flags are .PNG files.

 

There is also one flag where we lost some of the data; if you find a half flag, it counts.  And don't forget, flags found in C:\Vagrant or the VirtualBox console don't count.

 

Now that some housekeeping is out of the way, let's get on with the current results!!

 

So far we have had 155 submissions from 31 individuals!  One rock-star submitter went BONKERS over the weekend and found 11 flags in 2 days.  There's definitely still time to get submissions in and take over the leaderboard though!

 

The Joker is the most commonly found flag, and the Ace of Hearts has been the trickiest flag to find, with 10 invalid submissions.

 

Top Submitters

[Image: Top Submitters chart]

 

Card Counts

[Image: Card Counts chart]

 

Great stuff everyone! Keep those submissions coming in!

UPDATE: The leaderboard can be found on this new post, along with some notes that may be helpful.

 

Exciting news!  Rapid7 is hosting a month-long, world-wide capture the flag(s) competition!

 

Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. If you are unfamiliar with Metasploitable3, you can get up to speed with this blog post announcing its release. For an additional challenge in Metasploitable3, we’ve hidden several flags in the virtual machine that penetration testers can find to demonstrate their prowess.

 

To honor the release of this new tool – and to have a little fun – we’re hosting a month-long competition to see who can find the most Metasploitable flags! The competition will be very simple, and easy for anyone to participate in. For our leaderboard winners, we’ll be giving out some great prizes as well as some Metasploit T-Shirts for others who submit a captured flag.

 

Here’s how it works.

  1. Download and install Metasploitable3.
  2. Dig in! Find those flags!
  3. Complete a simple write-up (see the format below or the template here) providing proof you’ve found a flag, and you’ll be added to the leaderboard. (Note: We may ask your permission to publish the write-up after the competition closes.)
  4. We’ll keep a running tally of the leaderboard at the bottom of this blog post.
  5. On December 31st we’ll announce the winners!

 

Details

There are currently 15 flags hidden in Metasploitable3, with more being added.  When you find a flag, take a screenshot of it and put it in a doc with the following information:

  • How did you get access to the machine?
  • How did you spot the file?
  • How did you extract the file?

Note: In some cases, the files are easy to find so please describe the extraction process. A template can be found here.

 

Please note: in the spirit of friendly competition, please only submit flags that have been found on a running Metasploitable3 instance, not in the Vagrant folders used to build the instance.

 

Then email capturetheflag [at] rapid7.com and we’ll review your submission and add you to the leaderboard.  At the end of the month, the top 3 people with the most accepted flag submissions will receive prizes.  In the case of a tie, a set of subjective measures will be used to select the winners.  The measures will be: creativity of the methods used to obtain the flags and strength of the write-up.  We reserve the right to award bonus prizes.  And one note for our beloved Rapid7 employees: you are welcome to play along, but standings will be tracked separately and awarded accordingly.

 

Prizes!

1st Place: Hak5 Pineapple

2nd Place: LAN Turtle or Lock Pick Set

3rd Place: LAN Turtle or Lock Pick Set

 

The first 25 to submit a flag will get a Metasploit T-Shirt! We reserve the right to award bonus prizes.

 

Any questions? Feel free to comment below or email community [at] rapid7.com and we’ll get back to you. Happy Hunting!

 

Leaderboard

Get all the updates here: Metasploitable3 CTF Competition: Update and Leaderboard!

 
Official Rules: Terms & Conditions

 

The Metasploitable3 Capture the Flags competition is open to anyone. No purchase is necessary to participate. Eligibility is dependent on following the entry rules outlined in this guide.

 

To Enter: Locate and screenshot flags found in Metasploitable3 and send a written submission detailing 1) how you got access to the machine; 2) how you spotted the file; 3) how you extracted the file, to capturetheflag [at] rapid7.com.

 

A template can be found here or by searching for “Metasploitable3 CTF” on community.rapid7.com. Partial or incomplete submissions WILL NOT BE ACCEPTED as an entry and shall not be eligible for any prize. All submissions will be reviewed by Rapid7 for adherence to these Official Rules. Rapid7 may ask for permission to publish written submissions after the contest close.

 

The leaderboard competition will open on Wednesday, December 7, 2016 at 12:00:01 ET and close on Saturday, December 31, 2016 at 11:59:59 ET. Entries submitted after this time may be eligible for additional prizes determined by Rapid7. In the event of a tie, Rapid7 will evaluate submissions to select the first place winner. A set of subjective measures will include 1) creativity of methods used to obtain the flags and 2) strength of the written submission. Rapid7 reserves the right to award bonus prizes.

 

The leaderboard will be updated regularly with the final submissions being added by Tuesday, January 3, 2017 at 11:59:59 ET.

 

Prizes/Odds of Winning: Only the prizes listed below will be awarded in the competition. Odds of winning depend on the number of eligible entries submitted by the close date. Prize is not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow 3-4 weeks for delivery of any prize.

 

Leaderboard Prizes

 

Three (3) Prizes

 

Leaderboard Position    Prize                          Approx. Value
1st place               Hak5 Pineapple (Nano Basic)    $149.99
2nd place               LAN Turtle OR Lock Pick Set    $49.99
3rd place               LAN Turtle OR Lock Pick Set    $49.99


Additional Prizes

 

Twenty-five (25) Prizes

The first 25 people to submit a flag will get a Metasploit T-Shirt (approx. value: $10) available from the online Rapid7 Retail Store. Rapid7 reserves the right to award additional T-shirt prizes.

 

 

Competition host is Rapid7 LLC, 100 Summer St, Boston, MA 02110.

 

By entering the competition, you agree to these terms and conditions. Employees and the immediate families of Rapid7 may not participate.

 

If you have any concerns or questions related to these terms and conditions, please email capturetheflag [at] rapid7.com.
