Google CTF

Google Capture the Flag competition

  • About

    "Capture The Flag" (CTF) competitions (in the cybersecurity sense) are not related to running outdoors or playing first-person shooters. Instead, they consist of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. When players solve them they get a "flag," a secret string which can be exchanged for points. The more points a team earns, the higher up it moves in rank.

    Google runs a CTF competition in two rounds: an online qualification round and an onsite final round. The top 10 teams from the qualification round will be invited to the finals to compete onsite for a prize pool of more than USD $31,337. In addition to the grand prizes, some of the best and creative write-ups that we receive during the qualifying round will be rewarded as well. We want to give you an opportunity to share with the world the clever ways you solve challenges.

    At Google, we believe that CTFs are not just a good way for security pros to get better at what they do, but also a fun way to get into the cybersecurity field. That’s why along with the main Google CTF competition there is also a Beginner’s Quest for folks who want to get started.

  • FAQ

    What is a CTF? "Capture The Flag" (CTF) competitions (in the cyber security sense) are not related to running outdoors or playing first-person shooters. Instead, they consist of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. When players solve them they get a "flag," a secret string which can be exchanged for points. The more points a team earns, the higher up it moves in rank.

    Watch @LiveOverflow's video on the topic to learn more.

    Can you show me an example challenge? Of course! There are countless write-ups on challenges on the CTF scene — for example, here are some from the Google CTF 2017 Qualification round created by the contestants:

    Can I play after the competition is over? Yes! The challenges will stay up after the competition is over.

    How does it work?

    1. Once the CTF has started, navigate to the scoreboard (the website will be communicated beforehand)
    2. Create a team
    3. Invite others to your team (if you like)
    4. Solve the challenges presented in the various categories (e.g. Pwnables, Web, Reversing, Cryptography, Misc)
    5. At the end of each challenge there is a flag (text token) that usually looks like this — CTF{SomeTextHere} — enter it next to the challenge on the Google ctf website to score points!

    Where do I register? Registrations aren't open yet! You'll be able to register a few days before the event starts. To be notified as soon as registration opens you can subscribe to our Google group.

    How can I get a team for the Google CTF? If you don't have a team, try to get a friend, classmate, or colleague to play and learn with you. We have listed some places where you can start learning below. You can also play alone, or consider joining an existing CTF team. If you want to join existing local CTF team, click here to see a list of the top CTF teams and their country of origin (if any).

    Note that not all teams are looking for new members. One of the CTF teams that is always looking for new members is the OpenToAll team.

    Do I need a team for the Beginner’s Quest? No, the Beginner’s Quest can be played solo.

    **Can I qualify for the Google CTF Finals by playing the Beginner’s Quest? No, only players from the main Google CTF can qualify for the finals. BUT: We will pick 10 players from the Beginner’s Quest at random and invite them to observe the Google CTF Finals in the audience. How? There will be a pop-up after a certain Beginner’s Quest challenge (which challenge it is, is a secret). The pop-up will instruct you how to submit your details to enter the draw.

    How can I prepare for this competition? A good introduction to CTFs is available on GitHub. If you want to practice similar challenges to the ones you will be asked you can play security wargames such as:

    Why is Quebec excluded from the CTF? Local laws and regulations make it extremely challenging for us to run a competition open to residents of Quebec. We are truly sorry about this, and hope to change this in the future if possible.

    Do I have to be online the whole time? Nope. Don't forget to eat and sleep.

    Where will the finals be held? This will be communicated to the 10 finalist teams.

    What are the tax implications of the prizes? This is up to you to figure out according to your local laws.

    Will you provide visa invitation letters for travel? Yes, if needed we can issue a visa letter for the four participants of each of the 10 finalist teams.

    Where can I ask more questions? Email us at google-ctf@google.com

  • Rules

    Google Capture the Flag 2019 Official Rules

    NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA AND WORLDWIDE, EXCEPT FOR QUEBEC, CRIMEA, CUBA, IRAN, SYRIA, NORTH KOREA, and SUDAN.

    This Contest consists of two events: the first is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants (the “qualification round”). From this first exercise Google will select a number of finalists to compete in another exercise that will be held on-site (the “final round”).

    The qualification round will consist of a set of challenges for participants to solve. There are two ways for participants to achieve rewards based on solving these challenges: two independent components: (1a) by submitting written challenge solution descriptions (“write-ups”) rewards, where Google will give cash rewards to the best and more creative challenge solution descriptions that participants submit; and (2b) by earning points for solving challenges within the Contest time period—as described further below, teams earning the most points will qualify to participate in a final round contest where additional cash awards are possible.

    The final round will consist of an on-site contest where selected teams will compete to solve another set of challenges.

    Term of qualification round: The Contest begins at 00:00:01 A.M. UTC on June 22 2019 and ends at 23:59:59 A.M. UTC on June 23 2019** (“Contest Period”). ENTRANTS ARE RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR RESPECTIVE JURISDICTIONS.

    Sponsor: Google LLC located at 1600 Amphitheatre Parkway, Mountain View, CA 94043 is the sponsor of this Contest ("Google").

    Eligibility: The Contest is open to individuals who are (1) over the age of eighteen (18) at the time of entry; (2) not a resident of Quebec, Cuba, Iran, Syria, North Korea, Sudan, or Crimea; (3) an individual who is not restricted by applicable export controls and sanctions programs; and (4) people who have registered at capturetheflag.withgoogle.com. Employees, officers, and directors of the member companies of Google Inc., their subsidiaries and affiliated companies and their immediate families and those living in their households, are not eligible to participate in the Contest. VOID WHERE PROHIBITED. All federal, state and local laws and regulations apply. Google reserves the right to verify eligibility and to adjudicate on any dispute at any time.

    How to Enter: Eligible participants may enter by registering at capturetheflag.withgoogle.com and completing the tasks as detailed on the site. Participants may enter only once. Participants may work in groups; however, the prize money will be awarded solely to the person whose email is listed on the team registration. It is the sole responsibility of the registrant to distribute any potential winnings. Google takes no liability for the distribution of payment to other group members.

    Any entries, points or flags are void if they are in whole or in part illegible, incomplete, damaged, irregular, altered, counterfeit, produced in error, forged or obtained through fraud or theft. By entering you agree to be bound by these Official Rules and that all decisions of Google are final. If you are entering on behalf of your employer, these rules are binding on you, individually, and your company, and your company has consented to your entry and potential receipt of the Prize.

    Qualification round rewards: Write-up Rewards: There will be a write-up submission form on the website capturetheflag.withgoogle.com, where all participating teams will be allowed to voluntarily submit a summary on how they solved any challenge from the online qualification round, and any code or tools used to solve those challenges. The write-up rewards do not award participants any points on the online qualification round, nor in the final round. Google will select 31 of the best submissions and give them a reward of 100 US dollars per write-up, as well as 9 of the most creative solutions and also give them a reward of 500 US dollars per write-up. The selection of the 40 winning submissions will be decided at Google's sole discretion.

    The list of write-up rewards recipients will be announced on or about July 31, 2019, and they will be contacted and asked to claim the prize. If a potential reward recipient does not respond to the notification attempt within 3 days from the first notification attempt, then such potential reward recipient will be disqualified and an alternate potential reward recipient will be selected from among all eligible entries based on Google's sole discretion.

    Rewards for Points Accumulated: There will be a scoreboard where points will be assigned at the end of the competition based on the challenges that were completed. Each challenge will have an amount of points based on the number of teams that solved it. Winners will be selected based on the greatest number of points earned. In case of a tie, the team with the earlier submission of the last flag will be the winner. Note that write-up rewards do not give any points for the qualification round.

    At the conclusion of the qualification round, Google will select those teams that have earned the ten highest points scores. On or about June 30 2019 these potential finalist(s) will be selected and notified by email. If a potential finalist does not respond to the notification attempt within 3 days from the first notification attempt, then such potential finalist will be disqualified and an alternate potential finalist will be selected from among all eligible entries received based on the judging criteria described herein.

    If no entries are received, no prize will be awarded. Determinations of the judges are final and binding.

    Final round: Finalists chosen from the qualification round will be invited to visit the final event venue for a weekend in October or November 2019, where they will have to solve more challenges. From this final round, Google will select the 3 final winners. Google may offer travel grants for those participants that might not have the funds to visit the final venue. Google will issue a maximum travel grant of 8,000 US dollars per team. Only four people from each finalist team will be allowed to visit the final event venue. The exact dates and location will be communicated to the qualifying finalists before June 30 2019.

    During the final round, there will be a scoreboard where points are assigned based on challenges completed. The winner will be based on highest points score achieved, and in case of a tie the, first to reach those points will be the deciding factor.

    Privacy: Google will be collecting personal data about participants when they register and enter the Contest. Google will treat this data in accordance with its privacy policy, located at http://www.google.com/intl/en/privacypolicy.html.

    Final Round Prize: First place winner will receive 13,337 US dollars. Second place winner will receive 7,331 US dollars, and third place winner will receive 3,133.7** US dollars. Prize may be subject to terms, restrictions and conditions imposed by Google.

    Google and its affiliates, subsidiaries and related companies, or their respective officers, directors, employees, representatives and agents will not be liable for unsuccessful efforts to notify a winner. The prize will be delivered within 60 days after the conclusion of the contest. No prize transfer, assignment or substitution by winner permitted except at Sponsor’s sole discretion. If the prize becomes unavailable, Sponsor reserves the right to substitute a prize of equal or greater value. All federal, state and local taxes, fees and surcharges on prizes are the sole responsibility of the winner. If a potential winner declines the prize, does not respond to the prize notification, fails to claim the prize, is unavailable for prize fulfillment, fails to abide by the Official Rules, or is ineligible, Google may select the next highest scoring team as the winner.

    Publicity: By entering, entrant agrees to permit Google and its agencies to use of his or her name and/or likeness, write-ups and code for advertising and promotional purposes without additional compensation, unless prohibited by law.

    Intellectual Property Rights: By submitting a code in this Contest, the entrant warrants and represents that the code, including the programming and related material, is open source and is released subject to the Apache License 2.0 or any suitable BSD (Berkeley Software Distribution) license and not subject to the proprietary rights of any person or entity.

    Warranty, Indemnity and Release: Entrants warrant that their codes are their own original work and, as such, they are the sole and exclusive owner and rights holder of the submitted code and that they have the right to submit the code in the Contest and grant all required licenses. Each entrant agrees not to submit any code that (1) infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations; or (2) otherwise violates the applicable state or federal law.

    To the maximum extent permitted by law, each entrant indemnifies and agrees to keep indemnified Google at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each entrant agrees to defend, indemnify and hold harmless the Google from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from (a) any code or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy, (b) any misrepresentation made by the entrant in connection with the Contest; (c) any non-compliance by the entrant with these Rules; (d) claims brought by persons or entities other than the parties to these Rules arising from or related to the entrant’s involvement with the Contest; and (e) acceptance, possession, misuse or use of any prize or participation in any Contest-related activity or participation in this Contest.

    Entrant releases Google from any liability associated with: (a) any malfunction or other problem with the Contest Site; (b) any error in the collection, processing, or retention of entry information; or (c) any typographical or other error in the printing, offering or announcement of any prize or winners.

    Right to Cancel: If for any reason the Contest is not capable of running as planned, including tampering, unauthorized intervention, fraud, technical failures, printing errors, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Contest, Google reserves the right at its sole discretion to cancel, terminate, modify or suspend the Contest. Google further reserves the right to disqualify any entrant who tampers with the submission process, cheats, deceives, abuses, annoys, or threatens any other entrants or Judges.

    Limitation of Liability & Disclaimer of Warranties: IN NO EVENT WILL GOOGLE OR ITS AFFILIATES, SUBSIDIARIES AND RELATED COMPANIES, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, REPRESENTATIVES AND AGENTS, BE RESPONSIBLE OR LIABLE FOR ANY DAMAGES OR LOSSES OF ANY KIND, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF YOUR PARTICIPATION IN THE CONTEST OR FOR ANY ACTION OR OMISSION MADE IN CONNECTION WITH THE CONTEST. WITHOUT LIMITING THE FOREGOING, EVERYTHING IN THESE RULES AND IN THIS CONTEST, INCLUDING THE PRIZES AWARDED, IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. SOME JURISDICTIONS MAY NOT ALLOW THE LIMITATIONS OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES OR EXCLUSION OF IMPLIED WARRANTIES SO SOME OF THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. CHECK YOUR LOCAL LAWS FOR ANY RESTRICTIONS OR LIMITATIONS REGARDING THESE LIMITATIONS OR EXCLUSIONS.

    Governing Law. This Contest is governed by the laws of California without regard to the conflict of laws provision.

    Winners List. You may request a list of finalists after June 30 2019 and you may request the list of winners after November 30 2019 by writing to: google-ctf@google.com