🇬🇧 Rules

"HACK'OSINT CTF" will be referred to in these rules as "CTF," "competition," "event," or "investigation."

Version française : Accéder aux règles

1. Accessibility :

   All assets (social networks, documents, etc.) that you discover during your investigation will be in French. The challenge statements will be available in both French and English. The CTF is open to participants of all ages. You may be required to visit unconventional websites; Hack'Olyte disclaims all responsibility for any use you make of them in the medium or long term.
   This second edition is completely independent of the first one. Therefore, you can participate even if you did not take part in the first. The full story and conclusion of APT-509 will be known at the end of the qualification phase.

2. Objective :

   Dear investigator, you are once again on the trail of the cybercriminal group 'APT-509'. Your mission: locate the remaining members and have them arrested to put an end to their activities once and for all! We invite you to discover or revisit the summary of the story from the first edition on this page: HACK'OSINT 2024 - REMEMBER.

3. Team composition :

   Teams can consist of 1 to 4 members. Each team must designate a captain.
   You must join the official CTF Discord to validate your team/registration (a detailed procedure is available on Discord).

4. Conduct of the survey :

   You have 48 hours to put an end to the activities of this cybercriminal group. Please note that the CTF administrative team reserves the right to extend or shorten the duration of the mission.
   You will have access to hints worth 50% of the challenge points—think carefully before using them. If a challenge does not provide any hints, you can request one from the administrative team via your dedicated team channel on the event's Discord server. However, this request will result in a 50% reduction of the challenge's points. Additionally, any request for help on Discord must respect a minimum interval of one hour, regardless of the challenge or its category.
   

5. Personal data :

   Through the CTFD platform, we collect the following personal data: email, IP address, and username. We are committed to deleting all of this data once the event is over (end of June 2025). We will retain only your email address to send you your rewards via Badgr. Once the reward has been sent, your email address will be removed from our database. For finalists, additional information may be required. All details regarding this will be specified in the general rules of the final.

6. Survey integrity :

   All forms of cheating are strictly prohibited. It is strictly forbidden to conduct any attacks targeting the platform or the various essential resources for this investigation (website, automated systems, databases, etc.).
   It is strictly prohibited to use automated messaging or information/data collection tools on platforms related to this investigation. This includes, but is not limited to, tools such as NMAP, automated CURL, WAPITI, or any similar software. This restriction is in place to ensure the stability and proper functioning of the provided resources.
   Additionally, innovative challenges will be introduced throughout this investigation. Any attempt to attack or bypass these challenges, or any person boasting about misusing a tool for a challenge, may result in the disqualification of the entire team.
   Teams must comply with the rules established by the event organizers.
   Administrators will closely monitor duplicate accounts. If a duplicate account is detected, the team will be automatically disqualified.
   Any unsportsmanlike behavior or attempt to disrupt the investigation will result in the immediate disqualification of the concerned team.
   
   It is strictly forbidden to start the investigation before the official launch date, set for May 23, 2025, at 9:00 PM. Checks will be conducted, and if a team is found searching for assets or starting the investigation before this date, they will be banned from the event without warning.



7. Claims :

   You have the option to submit a complaint to the administrative team via the Discord server only.
   A dedicated Discord channel is available for your team. To contact the administrative team, please write a message in this channel. An administrator will then respond to your request.
   Ticket creation is exclusively reserved for reporting a bug or submitting a technical complaint regarding the platform, such as requesting a team name change.
   Please also refrain from sending private messages (DMs) to an administrator or beta tester, as this may result in possible sanctions!

8. Tools :

   You are free to use any tools and resources you deem necessary. No restrictions are imposed (except for the tools mentioned in point 6 of these rules).

9. Dashboard & Site Status

   The leaderboard (dashboard) will remain intentionally hidden throughout your investigation. Our goal is for you to focus entirely on your progress rather than on statistics. However, we are introducing a brand-new system: the Status Platform [SOON]. On this platform, you will be able to view the TOP 16 teams in real-time, displayed in a random order. This allows you to know if you are in the TOP 16 without revealing your exact position. Additionally, you will find global statistics about the event, such as: the number of tickets opened, the percentage of submissions, the workload of the support team, and much more. We would like to extend our warm thanks to the Rhacknarok association for their help in setting up and securing this platform!

10. Communication :

    Team members are allowed to communicate with each other during the investigation.
    However, communication with other teams or any attempt to coordinate in solving challenges is strictly prohibited.

11. Investigation report :

    No investigation report will be required for this event! Qualification for the **"Hunt Finale"** will be determined exclusively by the final ranking of the investigation. Only the **top three teams (TOP 3)**, as determined at the end of the event on **Sunday, May 25, at 9:00 PM**, will qualify for the final. *(See Section 17 of this page for details on the final's conditions.)*

12. Bug reports :

    Participants must report any bugs or vulnerabilities discovered during the investigation to the organizers.
    The exploitation of undisclosed bugs or vulnerabilities is strictly prohibited.

13. Tips :

    Unfortunately, some malicious individuals may attempt to disrupt your investigation. For your information, all social media accounts were created before May 22, 2025, and all challenges were finalized several weeks ago. If you come across comments such as "Contact me privately" dated after May 22 2025, be aware that they are malicious and will not be useful for your investigation. The administrative team will remain vigilant and promptly report any malicious activity intended to interfere with the investigation.
    
    Reminder: To validate your registration, you must join the official Discord server (see Section 3 on this page for details). Important announcements regarding the investigation will be made on this Discord server.
    

    During your investigation, you will likely need to perform interactions—keep this in mind and don’t stay stuck. As a reference, if a challenge requires an interaction to be solved, its description will include this emoji: "👁️". If a challenge description does not contain this emoji, it means the challenge can be solved without interaction.

    Don't forget that taking breaks and resting is important when working on OSINT challenges! If you find yourself stuck on a challenge, step away, take a break, and try again later. A fresh perspective might help you solve the problem more quickly :)

    For your information, if you use a resource (website, social media, etc.) once, that does not mean it will no longer be useful for the rest of the mission. Make sure you fully explore and exhaust all your findings.

    Sometimes, creating an account on a platform may be necessary to access all its resources. Don't assume an account is useless—it might provide you with much more than you expect!

14. Flag format :

    Throughout the mission, you will need to submit your discoveries to the police authorities.

    Below, you will find a guide to help you understand how to submit your findings (validate a mission (challenge)).

    For each new mission, you will find a "Flag format" at the bottom of the challenge description. This format will indicate how you should submit your discoveries.

    For this mission, it's simple. All flags follow this policy:

    • Flags are case-insensitive (uppercase/accents matter)!
    • If a flag contains a combination of multiple words, each word must be separated by a single space (or a hyphen depending on the flag format)!
    • For geolocation challenges, we use the plugin developed by Ozcar Zulu, available on GitHub. This plugin is very intuitive and does not require any particular technical skills. It also saves you from having to manually enter geographic coordinates (latitude / longitude).
    
    Example 1 Example 2

    Challenge

    Example 1

    What is the name of the book written by Victor Hugo in 1862 describing the lives of poor people in Paris and provincial France?

    Flag format: Les Trois Mousquetaires

    Close Submit

    Challenge

    Example 2

    In which city was Alexandre Dumas (father), the famous French writer, born?

    Flag format: Charleville-Mézières

    Close Submit
    
    
    If a specific flag format is required for a mission, it will be clearly stated in the challenge description.
    
    

15. Final ranking :

    During this competition, speed is not the key to ranking high. You must be sure of your research and findings before submitting a flag.

    Here’s how the final ranking will be determined:

    For any teams with the same number of points, the total failure percentage and the time at which you complete the entire competition will be used to determine your final position.

    Based on your team’s failure percentage (the total percentage of incorrect submissions during the competition), additional points will be awarded. The administrative team has set the following thresholds:

    • If a team has no fails (0%), +100 points will be added to their total score.
    • Between 1% and 9.99% failures, +75 points will be added to their total score.
    • Between 10% and 19.99% failures, +50 points will be added to their total score.
    • Between 20% and 29.99% failures, +25 points will be added to their total score.
    • Above 30% failures, no additional points will be added to the team’s total score.

    (The administrative team reserves the right to modify this section at any time.)

    
    
    

    (Once the investigation has started, your total failure percentage will be visible in the "Team" tab on this platform.)

    Despite this, if two teams end up with the same final score, speed will be used to determine their ranking. Here’s an example to explain this mechanism:

    • Team A completed the CTF in 48 hours, 30 minutes, and 1 second, without using any hints. Their final score is 3000 points, and their total failure percentage is 8.6%.
    • Team B completed the CTF in 48 hours, 35 minutes, and 17 seconds, also without using any hints. Their final score is 3000 points, and their total failure percentage is 7.8%.
    
    

    Both teams fall into the first bonus tier and receive +16 points each, bringing their final score to 3075 points. To break the tie, speed will be taken into account. Since Team A finished 5 minutes and 16 seconds ahead of Team B, they will be ranked higher.

    
    

    If your team experiences an increase in the failure rate (total fail percentage) due to a misconfiguration (e.g., incorrect flag format) or a bug on the platform, we encourage you to report it directly in your dedicated Discord team channel. Our administrative team will review your report, investigate the issue, and may adjust your total failure percentage once the competition has ended.

    This final ranking system will only be applied to the top X teams, where X corresponds to a percentage determined by the administrative team based on the total number of teams in the competition.




16. Others :

    The organization may adjust the event's start and end times if necessary.

    In case of detected fraud or rule violations, the organization may penalize a team by deducting points or disqualifying them.

    Using an invalid email address (e.g., a temporary address) may result in disqualification from the competition.

    There is no limit to the number of teams, but the organizers may close registrations at any time.

    If flag sharing or rule circumvention is suspected, the organization may require the concerned team to provide proof.

    If a challenge negatively affects the fairness of the game, the organizers may modify, cancel, or neutralize it at any time.

17. Final (hunt)

    Only the top three teams of the event (TOP 3) will qualify for the Hunt Finale, which will take place on June 7, 2025, at the Science U campus in Lyon.

    Each qualified team must be represented by at least two members in person. Up to 50% of the team may participate remotely, although this may affect their performance (as some challenges require physical presence). A team can replace up to 2 members for the Hunt Finale (e.g : In case of absence on June 7, a player may be replaced by someone of their choice, provided that person was registered and present during the qualification phase.).

    Train transportation to Lyon is fully covered (100%) by our sponsor, École Supérieure de Génie Informatique! (This funding is exclusively reserved for participants residing in mainland France). If a team in the TOP 3 of the qualification phase cannot or does not wish to participate in the final, then the next team in the ranking (TOP 4) will be qualified in their place. If the TOP 4 is also unavailable, the spot will go to the TOP 5, and so on, until a team confirms their availability for the final.

18. Awards

    All participants of the online competition will receive a Badgr "Participant" badge, as well as other badges based on their ranking and final statistics!

    The finalists of the Hunt Finale will receive exclusive rewards (worth more than XXX euros 👀) and an exclusive Badgr badge!

By participating in the investigation (CTF), each team agrees to comply with these rules. Any violation of the rules may result in penalties, including the disqualification of the concerned team. (PS: Any resemblance to actual events or real persons, living or dead, is purely coincidental and unintentional.)

Good luck and have fun !