About MAGICs Capture the Flag Competition

This introductory Capture the Flag competition allows participants to get a feel for the cyber process in an environment designed to help competitors “learn” logical thinking skills and teamwork. The leveled puzzle approach allows participants to learn new skills and build on those skills to form a good cyber foundation.

MAGIC’s Capture the Flag competitions are a reliable source of information and support for learning the basic building blocks used in cybersecurity. We provide the “white” hat approach and apply the principles of ethical hacking during our competitions. Our staff of volunteer industry professionals help coach and support the process.

As this competition is rated a beginner competiton, we evolve our puzzles and challenges to become progressivaly more complex as you move through the levels.

  • Level 0 is the introduction level. A general knowledge and the ability to "Google" or search the internet will allow participants to solve these trivia style puzzles.
  • Level 1 take general cyber concepts learned in level 0 and uses the various skillsets to solve general puzzles like decimal or binary conversion.  Using our built in Cyber Chef tool will help you through most of this level.
  • Level 2 Puzzles in this level require more progressive thinking skills.  Understanding how different tools work together to solve the challenge.   These puzzles require several steps  to solve.
  • Level 3 and Level 4 puzzles require a more complex thought process and relies on different tools and may be specific to operating systems.  You may need to download our Shaark Linux instance to solve some of these puzzles.
  • Investigation puzzles are a series of forensic puzzles that must be solved in a certain order and limit the number of solves allowed.  These puzzles are extremely difficult and require the user to download forensic evidence.
  • Web puzzels are challenges that require access to a fictitious website to perform various tasks to location flags within the site. This may include the use of Steganography, cookie investigations, hashing passwords, etc.

The goal of the competition is to find the flag.  A flag consists of short strings of code in the format flag{this is the flag} Once you find the answer or "flag", you enter what is inside of the bracket into the competiton scoreboard and submit your answer.  The system will confirm the correct answer, which will allow you to move on.  Most puzzles do not have a submission limit.  However, the multiple choice, and some of the higher level puzzles do have submission limits. so please ready directions carefully.

EX: flag{I_am_happy}  would be entered into the scoreboard as I_am_happy

How to Register

Our competitions are team-based challenges. A maximum of 4 people can be registered to a team. When registering, please follow the directions as the registration process is slightly different for each event. As all prizes are sent via email, make sure you enter a valid email address when registering. Failure to provide a valid email will cause a forfeit of any prize offered to winning teams.

NOTE: No inappropriate user names or team names will be permitted! MAGIC reserves the right to disqualify you AND your team if it is determined that you and/or your team registered with any keyword, terms, or words with a negative connotation. This includes icons or emojis.

Individuals:

If you are registering to play as an individual you must still create a team of 1. To register as an individual select Register from the navigation bar. Fill out the username, valid email address, affiliation (school, club, company), and password for your user. Please remember your user id and password. After registering, you'll be presented with the options to create or join a team.

For your team name insert your team name (can be the user id you just created, or a new team name). Select a password. If at a later time you want to invite others to join your team you can forward the team name and password for them to join.

That’s it! You are now registered to play. Your scoring for the competition will be listed under your team name.

Teams: (up to 4 individuals per team)

Assign a team captain from your group. That person will register the team name and assign a password for the other members to join.

Team Captain: Create an account for yourself, as described above. As captain, you will create a team. Select a team name, team affiliation, and a password associated with that team. Once that is done, you can forward the team name and password to your team members to use for registration. Once they create their individual username, they will choose Join Team and enter the information forwarded by the team captain. Please note that team name and password is case sensitive.

For a complete walk through on how to register, use the Online CTF Information Packet for Teams

Competition Help

Looking for help during the competition? Well, we can't give you the answers, but if you are stuck on a challenge and need a little hint, or two smile or have technical/general questions, we're here to help. You can chat with us by clicking on the green chat bubble located at the bottom right of your screen. We will be monitoring our communications during the competition, so you will get real-time answers to any questions or issues you have.

We make every effort to test and confirm our challenges, but we are all human so if you feel a puzzle answer is correct, but the system tells you it's wrong, let us know.  We give bonus bounty points for the first person/team to find an error.  If we confirm you are correct and the system anwser is wrong, your team will be awarded additional points for finding the error. 

Competition Rules

Participation Criteria:

  • Each individual who participates in the Competition (“Participant”) must be at least 13 years of age.
  • Participants must be current students in an accredited middle school, high school, or homeschooled program. College-level students must be currently enrolled in an accredited undergraduate program.
  • Postgraduate or certified professionals in the field of Cybersecurity are prohibited from competition.
  • Previous MAGIC CTF winners are excluded from participation.

By creating an account and participating in the competition challenges, you are agreeing to these competition rules with respect to the current competition.

  1. Individuals and/or Teams may not interfere with the progress of other individuals/Teams, nor with the operation of the Competition’s infrastructure. More specifically, attacking the scoring server, other Teams, or machines not explicitly designated as targets is cheating. This includes both breaking into such machines, and denying others access to them or the ability to solve problems. Sharing keys or providing overly-revealing hints with other teams is cheating, as is being directly assisted by personnel outside the Team (using tools from the internet is OK; asking people on the internet to help solve the problem is not). We encourage participants to solve problems in novel and creative ways using all available resources, but we do require that Participants solve the problems themselves.
  2. All information provided to establish an account must be true and correct. You are responsible for keeping such information up-to-date. Failure to keep your account up-to-date may, among other things, jeopardize your eligibility to compete.
  3. You must utilize appropriate usernames and team ids. No usernames and IDs will be allowed that promote a negative connotation or meaning. MAGIC will disqualify a participant if we deem inappropriate IDs are being used. This includes icons and emojis.
  4. MAGIC runs an honest, ethically responsible competition. At any time, in the sole and absolute discretion of MAGIC, we shall be entitled to disqualify a Participant and/or Team in the event of a failure to meet relevant eligibility criteria or any other violation or suspected violation of these Competition Rules.
  5. Professional teams and teams that have professional skill levels should not participate in this beginner-level educational competition. MAGIC strictly aims to host a beginner competition meant for educational purposes and to allow participants to "get their foot in the door" of cybersecurity. Professional or ranked teams will automatically be disqualified at the end of the event.
  6. Competition problems(challenges) or other content on the MAGIC site remains the property of MAGIC. MAGIC reserves all rights to such materials. You are authorized to access and use such materials solely with respect to registration for and/or participation in virtual CTF by you. You may not use the MAGIC site or any materials on it (including but not limited to the Competition problems) for any unauthorized purpose.
  7. In this competition, tie breaks are essentially resolved by time. If two teams have the same score at the conclusion of the competition, the team with the oldest score time stamp will be declared the winner.

Team Information

As your team will be spread out during the competition, you can utilize several team collaboration tools to communicate with them. All the resources listed are free to use.

You can also use other means of communication such as facetime, text, phone, etc.


Tips for your team during the competition:

Each level and challenge is available for solving. Your team does not need to answer the challenges in order or one at a time. Each team member can work on a different puzzle at the same time if they so desire. Only one team member can input an answer to a particular challenge. Once that puzzle is solved a checkmark will appear next to it confirming the puzzle has been solved. You can work together to solve each puzzle or you can divide and conquer. Hit your browser refresh occasionally to confirm a puzzle hasn't been solved yet. There is no wrong way to work. We don't limit the attempts on puzzles. You can make as many attempts as needed to get the correct answer. This is a learning experience. We want to you solved every puzzle. We also do not deduct points for any of our Level 0 puzzles that have hints attached. However, points are deducted from the more difficult, higher-level puzzles that contain hints. Be very careful asking for a hint as the "cost" points will be deducted from the team score immediately. And remember; the answers are case sensitive.

Tools and Resources:

Unlike our location CTF's, this competition is completely virtual. To help competitors out, we have included a built-in helper tool called CyberChef.

CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES, and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

You can find the Tool button located at the bottom-left of your browser window.

The majority of challenges can be solved with one or more of the following tools:

  • Google search engine.
  • Encrypting/encoding tools. Data conversion. Ciphers. (XOR, ROT, Binary, Base64, Hex(adecimal) Octal, ASCII/UTF-8 character, etc.)
    • Cyberchef ("Tools" button within the competition window)
    • https://www.dcode.fr/ (Warning: Output is always uppercase.)
  • Hex editor.
    • https://hexed.it/
    • HxD (Windows).
    • Bless Hex Editor (Linux).
    • Cyberchef's "To Hexdump" (read-only).
  • File Identifier.
    • Cyberchef's "Detect File Type.”
    • "File" command.
    • https://mark0.net/onlinetrid.html
  • File scan database / history.
    • https://www.virustotal.com/
  • Hash Identifier.
    • https://www.onlinehashcrack.com/hash-identification.php
    • hash-identifier (Linux).
    • Cyberchef's "Analysis hash."
    • Cyberchef's "Magic" tool (encoding/encryption lookup/bruteforce).
  • Hash Lookup (Rainbow tables).
    • https://crackstation.net/
    • https://md5decrypt.net/
    • https://md5hashing.net/
    • https://hashtoolkit.com/
    • https://hashkiller.io/
    • https://www.virustotal.com/ (Files).
  • Password/hash cracking.
    • John the Ripper (Kali Linux).
    • Crunch (Custom wordlist generator).
    • office2john, zip2john, etc.
  • Hash computer/generator.
    • Powershell "Get-FileHash."
    • Linux "sum" (i.e. sha256sum, md5sum) utilities.
    • Cyberchef's Hashing tool series.
  • Packet sniffer/analyzer. Connection viewer. PCAP viewer/editor.
    • Network Miner.
    • Fiddler 4 (Windows).
    • System Internals TCPView (Windows).
    • netstat command (windows -bano/linux -tunap).
    • Wireshark
  • Memory Editor.
    • CheatEngine (Windows).
    • scanmem (Linux).
  • Python/C#/Java IDE.
    • .NET framework / python / Java JDK +
      • IDE
        • Visual Studio (Windows).
        • Notepad/Notepad++.
    • C#: https://www.tutorialspoint.com/compile_csharp_online.php
    • Python 2: https://www.tutorialspoint.com/execute_python_online.php
    • Java: https://www.tutorialspoint.com/compile_java_online.php
  • Decompilers
    • C#
      • dnSpy (Windows).
      • ILSpy (Windows. Linux/MAC forks available.).
    • Python
      • Easy Python Decompiler (Windows).
      • Uncompyle (Linux).
      • https://python-decompiler.com/
      • http://www.decompiler.com/
    • Java
      • http://www.decompiler.com/
      • http://www.javadecompilers.com/
      • JD-GUI (Windows/MAC/Linux).
  • Archive manager
    • 7-zip (Windows).
    • https://sourceforge.net/projects/p7zip/ (cmdline, Linux).
  • File Resource Viewer
    • Resource Hacker (Windows).
  • Document viewer (.doc/.docx).
    • Microsoft Word.
    • Google Doc
    • Notepad
  • Image EXIF extractor
    • Cyberchef "Extract EXIF."
    • http://exif.regex.info
  • Command Prompt, Powershell, Linux Terminal.

 

  • Kali Linux is a free open-source version of Linux used by cyber security professionals for cyber testing. Kali will have many of the tools you may need already installed.