Qualcomm Fall Security Tech Forum CTF 2025



Friday December 5th 10AM - Saturday December 6th 10AM (San Diego time)


Introduction

ISRM is proud to present Capture The Flag 2025. A capture the flag (CTF) event is a game designed to let you learn to hack in a safe, rewarding environment.

Registration

Use the scoreboard for registration. Also, make sure you join the Teams channel (see challenge for link).

Instructions

CTF stands for Capture The Flag, a style of hacking event where you have one goal: solve a hacking challenge and find the flag. Flags are placed in various locations -- they might be in a file, in the database, stuck into source code, or otherwise -- and your goal is to hunt them all down. Each flag is a unique string. You'll know when you see one.

Stuck or technical issues? Check out CTF Teams channel

  • Some challenges have automatically-created per-team hosts.
  • These hosts should be created shortly after you register your team but may take a few minutes to fully initialize.
  • Domain names for these hosts will be automatically built with a unique "team-key" and displayed in associated challenge descriptions.
  • FORMING TEAMS IS HIGHLY RECOMMENDED!
    • When the scoreboard opens up, you will first register yourself. Then you can create a team. Give other team members the team name and password so they can also join the team.
    • Do not exceed five (5) players per team
    • If you don't have a team and want to find one, post to the CTF Teams channel.
  • If you think there is an issue with any of your per-team hosts, the entire infrastructure for your team can be be reset by clicking on the "Infra" tab at the top of the scoreboard page and then clicking, "Reset Team Infrastructure". Be sure to read the warning before clicking.

Rules

  • Do NOT attack, exploit, DOS, or otherwise harm any sites not specifically in scope. Some sites are only for information gathering and theme purposes and are out of scope for everything else.
  • If the domain does not end in "ctf.land", it is OUT OF SCOPE for attacking. If you are not sure, ask before attacking a site.
  • Targets are clearly marked, only attack those. No attacking the scoreboard, switches, networks, underlying infrastructure, etc.
  • No DOS attacks, just get the flags.
  • Don't mess with splunk and logging, we are just health-checking.
  • Don't be rude or ruin the experience for other CTF participants.
  • Teams should be no larger than five players.
  • If we ask, you need to show us what/how you did something.
  • We aren't lawyers, you probably aren’t a lawyer. Don't look for loopholes, just don't get in the way of other people having fun.

Random Thoughts

  • If this is your first CTF ever, you will be able to find things if you try. If are a CTF expert, we have challenges for you also.
  • Objectives and flags are fairly clearly marked.
  • If you're looking for a f l a g, it is here: IReadTheRules2025
  • Host discovery is usually not required. Everyone scanning everything just makes the network break. Scanning a single host as part of a challenge may be useful.
  • Not all text in this CTF is human generated. Caveat Emptor.
  • Challenges are standalone unless otherwise indicated, but some easier ones may give ideas for harder ones.
  • We are logging lots of things, if you aren't happy with that, don't play.

Kali Attack Box

  • If you have are having trouble reaching some of the challenges, you may be having firewall issues. You are welcome to try the Kali attack box. This is a new feature for us, so there may be some bugs, but it will give you direct access to all the challenges and some tools that may be useful.
  • See Using the Kali Attack Box for details.
  • The lawyers requested that we include this privacy notice: Privacy Policy
  • The CTFd application requests your username, email address, and logs your IP address.
  • The username is for logon purposes and for CTFd to associate you with your team.
  • The email address is ONLY used for password resets, or if we need to contact you during the CTF, or after the CTF for prize purposes. Email addresses are never sold or given to 3rd parties or used for sales.