Saturday, March 2, 2024 // 10:00AM – 3:00PM MT
National Cybersecurity Center, 3650 N Nevada Ave., Colorado Springs, CO 80907
Embark on the first of a series of high-octane Cybersecurity Capture the Flag (CTF) challenges this year at NCC. Calling all high school digital sleuths to dive into cyber puzzles and network battles. Utilizing the unique Deloitte Hackazon platform, test your skills, outmaneuver competitors, and solve perplexing challenges in a dynamic race against time. Your team stands a chance to win enticing cash prizes and kickstart a year of cyber conquests.
Join us for an unforgettable journey into the heart of cybersecurity – your cyber glory awaits!
- Assemble Your Team: Rally 2-6 of your school’s sharpest minds. No solo players, please team up to enter.
- Bring Your Tech: Participants should bring their own laptops. Need one? NCC offers loaner laptops – just let us know when you register.
- No Entry Fee: Schools compete for free!
- Space is Limited: With only 50 competitor slots available, register promptly to avoid the waitlist.
Prizes
Winning teams will earn real cash prizes for their schools!
1st Place Prize – $1,000
2nd Place Prize – $500
3rd Place Prize – $250
NCC 2024 CAPTURE THE FLAG COMPETITION OFFICIAL RULES
NO PURCHASE NECESSARY TO ENTER OR WIN
The NCC 2024 Capture the Flag Competition (the “Competition”) is co-sponsored by Deloitte & Touche LLP (“D&T”) and The National Cybersecurity Center (“NCC”) (together, the “Sponsors”). Competition participants agree to be bound by these Official Rules and the decisions of the Sponsors, which are binding and final on matters relating to this Competition. The Competition is subject to all applicable federal, state, and local laws. Void where prohibited by law.
REGISTRATION PERIOD
Registration begins on February 1, 2024, at 8:00 AM mountain time (“MT”) and ends February 28 at 8:00 PM MT.
COMPETITION PERIOD
The Event will begin on Saturday, March 2, 2024, at 10:00 AM and end on Saturday, March 2, 2024, at 3:00 PM.
WHO IS ELIGIBLE?
Open only to legal residents of the fifty (50) United States and the District of Columbia who are age 13 or older and who register for the Competition in accordance with the instruction in the “How to Participate” section below and are in enrolled in high school. Current partners, principals, and employees of Deloitte LLP and its subsidiaries and NCC (as of the start date of the Competition) are not eligible to participate in the Competition. Federal, state, and local government officials and employees may participate but are not eligible to win a prize.
COMPETITION OBJECTIVE
The objective of the Competition is to solve practical cyber challenges in a simulated environment.
HOW TO PARTICIPATE
Participants may only participate in the Competition as a team. To register for the Competition, participants must complete an online form on the Website at https://cyber-center.formstack.com/forms/ctf_2024_march. [AG1] Participants under the age of 18 are not required to provide their email addresses or other identifying information on the Website or Competition Website. Teachers or Legal Guardians must register all participants under 18 years of age. Each team member, and where applicable, their parent/legal guardian must acknowledge and agree to these Official Rules.
The goal of each challenge is to find a “flag,” which is a string of characters. The flags for each challenge are submitted to D&T on their website, https://us.hackazon.org/ (“Competition Website”) to receive points. Points are assigned for each challenge based on the level of difficulty. The participant with the most points at the end of the Competition wins. The scoreboard is automatically updated to reflect the current standings within the Competition. The scoreboard on the Competition Website will reflect the final rankings at the end of the Competition Period. In the event of a tie, the fastest participant wins.
For the purpose of these Official Rules, a participating team will be referred to as a “participant.”
TEAM COMPOSITION
Teams may have up to six (6) members. Participation will be in person at the National Cybersecurity Center 3650 N. Nevada Ave, Colorado Springs, CO 80907. Seating is limited to fifty (50) participants. The first fifty (50) participants organized as a team will be allowed to participate. Participants must use their own computers/laptops.
COMPETITION STRUCTURE
The event consists of a 30-minute setup period, a 4 hour competition, and a 30 minute award period at the end. The event will start at 10:00 MT on March 2nd and conclude at 3:00 PM MT.
Top three (3) scoring participants (on the Competition Website) will be chosen as 1st, 2nd, and 3rd place winners.
The winning teams will win an award (see “Awards” section below). In the event of a tie, the fastest participant, as determined by the Competition Website, wins.
GROUND RULES
Sponsors’ decisions are final and binding on all matters.
- No Outside Help – Participants are not allowed to use outside help during the Competition (i.e. no remote and/or unregistered players are allowed). Google/internet research is allowed.
- No Collateral Damage – Only attack systems for which they have explicit permission and are running in the Competition infrastructure (these will be clearly indicated) provided by the D&T. No attacks on any systems or equipment outside of this environment are allowed.
- Competition Area – Participants are not allowed to take any of the equipment outside of the Competition area unless explicitly permitted by the Sponsors. Also, please take any phone calls outside the area.
- No Brute Forcing – Avoid generating large amounts of traffic and/or brute forcing; none of the challenges can be solved by running automated scanners, so please do not do so. This includes scanning with Nikto, Skipfish, Vega, Nessus, etc. (Nmap and Sqlmap are fine!)
- No Fratricide – Sabotaging or in any way hindering the progress of other participants is strictly prohibited and may result in disqualification. This includes attempting to alter or disrupt a challenge or service after you have completed it.
- One Team/Multiple Challenges – Each participant may work on multiple challenges at one time, with some restrictions, based on the portal backend software.
- Challenge Progression – Challenges may be attempted in any order. If you are stuck on a challenge, move on to a different challenge.
- Bring Your Own Attack Platform – All teams should to bring their own attack platform(s). We recommend Kali Linux, but this is not a requirement. NCC has a limited supply of loaner laptops available for those who do not have one. Notify NCC during registration if you have need for a loaner laptop.
- Sponsors reserve the right to disqualify any participant for any reason, in its sole and absolute discretion. Sponsors reserve the right to remove any participant from the Competition who does not conform to the ground rules for any reason, in its sole and absolute discretion.
- AWARDS
1st place: $1000.00 donation from the NCC to the participant’s High School STEM program
2nd place: $500.00 donation from the NCC to the participant’s High School STEM program
3rd place: $250.00 donation from the NCC to the participant’s High School STEM program
Sponsors will announce the awards after the Competition Period.
Awards are subject to verification of eligibility and compliance with these Official Rules. A winner may not substitute, assign, or transfer their award, but Sponsors reserve the right, at its sole discretion, to substitute an award of comparable or greater value. Winner is responsible for all federal, state, and local taxes associated with acceptance and use of an award as well as any other costs and expenses associated with award acceptance and use not specified herein as being awarded. All award details are at Sponsor’s sole discretion.
WINNER NOTIFICATION
Sponsors will notify potential winners following the completion of the Competition Period. Each winner may be required to execute and return an Affidavit of Eligibility and Liability and, unless prohibited by law, Publicity Release (“Affidavit/Release”), which must be received fully executed within seven (7) days of date printed on notification or be disqualified. In the event it is determined that any winner has not complied with these Official Rules or has failed to execute and return any required documents within the specified time period or has made false statements in any document required by Sponsors, then winner will be disqualified and required to promptly return to Sponsors the award. If a winner is disqualified for any reason, at Sponsors’ discretion, the award may be given to another participant.
The decisions of the Sponsors are final and binding on all matters.
CODE OF CONDUCT / HONOR CODE
Professional behavior is expected. Each participant is required to maintain the highest standards of integrity throughout the Competition. Any violation of these Official Rules, including but not limited to, the ground rules or breaches of integrity will subject a participant to immediate disqualification.
DATA COLLECTION
All personal information submitted to Deloitte & Touche LLP in relation to this Competition will be handled in accordance with the privacy policy of Deloitte & Touche LLP, which may be found at https://www2.deloitte.com/us/en/legal/privacy.html. Your personal information will only be used in connection with the Competition and as provided for in these Official Rules.
GENERAL CONDITIONS
Released Parties (as defined below) are not responsible for any lost, late, incomplete, inaccurate, stolen, misdirected, undelivered, delayed or garbled entries or email; or for lost, interrupted or unavailable network, server, Internet Service Provider (ISP), Competition Website, Website, or other connections, availability or accessibility or miscommunications or failed computer, satellite, telephone or cable transmissions, lines, or technical failure or jumbled, scrambled, delayed, or misdirected transmissions or computer hardware or software malfunctions, failures or difficulties, or other errors or malfunctions of any kind whether human, mechanical, electronic, network typographical, printing or otherwise relating to or in connection with the Competition, including, without limitation, errors or malfunctions which may occur in connection with the administration of the Competition, the processing or judging of entries, the announcement of the prizes or in any Competition-related materials.
Released Parties are also not responsible for any incorrect or inaccurate information, whether caused by site users, tampering, hacking, or by any equipment or programming associated with or utilized in the Competition.
Released Parties are not responsible for injury or damage to participant’s or to any other person’s computer related to or resulting from participating in this Competition or downloading materials from or use of Competition Website and/or Website. Persons who tamper with or abuse any aspect of the Competition, Competition Website, or Website, as solely determined by Sponsors, will be disqualified.
Should any portion of the Competition be, in Sponsors’ sole opinion, compromised by virus, worms, bugs, non-authorized human intervention or other causes, or in the event the Competition is unable to run as planned for any other reason, which, in the sole opinion of the Sponsors, corrupt or impair the administration, security, fairness or proper play, or submission of entries or comments, Sponsors reserve the right at its sole discretion to suspend, postpone or modify the Competition to address the impairment and resume the Competition in a manner that best conforms to the spirit of these Official Rules, or terminate the Competition and select the potential winners from all eligible, non-suspect entries received prior to action taken.
Participants, by participating, agree that Deloitte LLP, Deloitte & Touche LLP, Deloitte Tax LLP, Deloitte Financial Advisory Services LLP, Deloitte Consulting LLP, Deloitte Transactions and Business Analytics LLP, Deloitte Services LP, Deloitte USA LLP, Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), and any and all DTTL associate and member firms, all their respective, past, present and future parent companies, subsidiaries, affiliates, divisions, related entities, joint venturers, subcontractors, agents, attorneys, insurers, subrogees, co-insurers and reinsurers, all their respective, past, present and future officers, directors, employees, members, partners, principals, shareholders and owners, and all their respective heirs, executors, administrators, personal representatives, predecessors, successors, transferees and assigns and [enter sponsor here] (collectively, the “Released Parties”) will have no liability whatsoever for, and shall be held harmless by participants against, any liability for any injuries, losses or damages of any kind, including death, to persons, or property resulting in whole or in part, directly or indirectly, from acceptance, possession, misuse or use of the prize or participation in this Competition.
Each participant in the Competition, except where legally prohibited, grants permission to Sponsors and their designees to use their name, address (city and state), photograph, voice and/or other likeness and prize information for advertising, trade and promotional purposes, in any manner, without further compensation, in all media now known or hereafter discovered, worldwide, and on the Internet and world wide web, in perpetuity, without notice or review or approval.
In the event of a dispute regarding entries received from multiple users having the same e-mail account, the authorized subscriber of the e-mail account at the time of entry will be deemed to be the entrant and must comply with these rules. Authorized account subscriber is the natural person who is assigned the e-mail address by the Internet Service Provider (ISP), on-line service provider, or other organization responsible for assigning e-mail addresses by or on behalf of the Sponsors or any Released Party or recognized by the Sponsors or any Released Party.
GOVERNING LAW/DISPUTES
By entering the Competition, participants agree that (i) any and all disputes shall be governed by the laws of the State of New York to the extent permitted by law; (ii) any legal action or proceeding relating to the Competition shall be instituted in a state or federal court in New York, New York; (iii) they will submit to the exclusive jurisdiction of, and agree that venue is proper in, these courts in any such action or proceeding, to the extent permitted by law.
WINNERS LIST
For the names of the winners, which will be available after 3:00 PM [MT] on 2 March 2024, send an email request to ian.grahek@cyber-center.org.
Sponsors: Deloitte & Touche LLP, 30 Rockefeller Plaza, New York, NY 10112 and National Cybersecurity Center, 3650 N. Nevada Ave, Colorado Springs, CO 80907.