FAUST CTF is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg. Its fifth edition took place on 10 July 2020.

View scoreboard


Congratulations to MoreBushSmokedWhackers who won FAUST CTF 2020 and scored amazing 50158.65 points. The top-three teams are:

  1. MoreBushSmokedWhackers, 50158.65 points
  2. saarsec, 41815.88 points
  3. corruptedpwnis, 37323.22 points

First-blood candidates are currently reviewed.

We thank all participating teams, apologize for our technical issues and hope everybody still had fun!


Once again, the competition will work in classic attack-defense fashion. Each team will be given a Vulnbox image to host itself and VPN access. You will run exploits against other teams, capture flags and submit them to our server.

The vulnbox decryption password will be released at 2020-07-10 13:00 UTC. The actual competition will start at 14:00 UTC and run for eight hours.


Thanks to our sponsors, we can again provide nice prize money:
  • First place: 512 €
  • Second place: 256 €
  • Third place: 128 €

Additionally, for each service the first team to exploit it, submit a valid flag and provide a write-up will win 64 €.


Vulnbox Hotfix

We will deploy a hotfix to the Vulnboxes now. If you left our SSH key on your Vulnbox, you shouldn’t notice.

Else, please replace the file at /srv/marscasino/app.py on the Vulnbox with the one you find here.

Vulnbox Decryption Password

The password for Vulnbox decryption is: "Im g0nna hav3 t0 sc13nc3 th3 sh1t 0utta th1s" (without quotes)

Happy hacking!

Registration Closed

With less than 3 hours till the competition, we have now closed registration and the last batch of VPN configs has been sent out.

If you registered and did not receive the VPN configs yet, contact us urgently!

Vulnbox Downloads

FAUST proudly presents you the final Vulnboxes for FAUST CTF 2020.

Once again, we provide two options for download:

The SHA256 sums are:

fb35fe8876c4472e8e49e91a434747208b0931eacaecc12265ddcc9ce4680f92  vulnbox.ova.gpg
5104a940572210faa6f6b27d43f97902bb36e01f7164416f35e37bf69e1fdf74  vulnbox.qcow2.gpg

The decryption password will be released via Twitter, IRC and email at 13:00 UTC today. Otherwise, setup should be identical to the testing Vulnbox.

VPN Configs & Testing Vulnbox

We just sent out the first batch of VPN configs via email. If you registered before 2020-07-08 16:45 UTC, you should be able to connect to the VPNs now (see our Setup page for details).

Testing Vulnbox images are available as well. On first login, the Vulnbox will ask you for some information and configure itself properly. You can log in as root with an empty password using any of the following ways:

  • Use the graphical console of your virtualization software
  • Connect to the serial port of the VM (may need configuration)

If you run into problems with the setup, try our suggestions from Basic Vulnbox hosting.

We provide two options for download:

To verify the integrity of your download, you may check the SHA256 sums:

0112af90b44914a66ae29e411d6745ddabc85a2de7697971b5933d1d406f30d1 vulnbox.ova.gpg
85f2f082f99689e235ff215a58387e73d00ffc6b812526d0f0d1bfbb845e64a1 vulnbox.qcow2.gpg

Both images are encrypted with the password "test" and are otherwise identical, so use the one that best fits your needs. To decrypt the Vulnbox, use:

gpg --decrypt-files vulnbox.ova.gpg

Registration open

This year's website is finally online and the registration is open. The CTF is already around the corner, so make sure to sign up now.

Supported by

SEC Consult SySS Codecamp:N noris network

Organized by