Congratulations for all attendees!
If you want to talk in real time with organizers feel free to use our Telegram channel for this event. Please do not forget that flag sharing, hints and other information about challenges must not be published on the public channels or in private with other players. You can send PM to the organizers directly on Telegram for any questions related to the challenges. For any other communication, you can use [email protected]
As stated in the rules, you must provide detailed solutions for each of the tasks (based on this template) you have successfully solved in order to validate your score and qualify for the next round. The top 20 players from the Junior category and the top 20 players from the Senior category must send their writeups at [email protected] until 7th of April 23:59. Note that while the services may still be online after the contest ends, it would be better to save any screenshots you might want to include before that.

P.S.: You can send them in Romanian or English, PDF or text, etc.
Programming tasks will test your skills as a programmer. You will either have a straight forward challenge which requires automation or you will have to identify a vulnerability that can be solved with automation.

Cryptography tasks in this category require (identifying the target cryptosystem) doing an analysis on the way the cryptosystem was implemented or used. Many "textbook" implementations are often vulnerable if not used correctly. The intended way to solve the challenges is to reduce the problem to a general form, identify the vulnerability and either create an attack from scratch or find out if someone else has already done something similar.

Reverse engineering tasks in this category can be solved through:
  • static analysis: looking at the assembly code using a specialised program (IDA, Binary Ninja, Radare2, etc) and trying to analyse the program (without running it) in order to pass some checks, decode a file or correctly use a communication protocol
  • dynamic analysis: viewing a binary as a grey box and trying to recreate the functionality inside the binary with a minimal inspection of the assembly code
  • Note: there might be tasks that involve some (local) brute-force or heavy computation. However, all tasks are designed such that this process takes less than 1 minute (with the intended solution)

Web application attack & defense
Attack tasks will focus on classic vulnerabilities (among OWASP Top 10). Note that there are no tasks that can be solved with "automated hacking tools" (e.g. acunetix, nikto, etc) and there is no educational value in letting such a tool scan a task site. Defense tasks will require finding the right tools to deal with large binary files and applying filters and heuristics to reduce noise and pinpoint an attack and the information obtained by the attacker

Extra details
  • most tasks will have the following flag format ECSC{[0-9A-F]*} In fact here's a valid flag: ECSC{318C99B7B381DEE5499AA51224F25AA752B9BF8A7B851AAAAAEFCDF75CEC50B9} Some tasks will clearly specify if the format is different and what to look for (aka there will be no guessing necessary)
  • not all tasks will be released from the start
  • you can ask for hints on the contact email address mentioned at the bottom of this page
  • however, please note that all hints will be published for everyone: so you run the risk that other players will also get the same new insight we will release hints (if there are sufficient requests and not enough people already solved a specific challenge)

More information & resources can be found on this page.
The national competition will start on the 6th of April (12:00 Romanian local time) and will end on the 7th of April (12:00 Romanian local time).

Competition concept:
  • the tasks provided will test your knowledge on basic and intermediate topics of computer security
  • there are tasks that you can figure out without prior knowledge
  • there are also tasks that will require extensive "Googling" and learning new concepts
  • there can be multiple ways to solve one challenge; however, when you have solved it, you will obtain a piece of information called a flag
  • flags are unique per task
  • submitting a flag in the scoreboard will award you points
  • players will be ranked according to the number of points at the end of the competition
  • points will be validated by sending complete writeups of your solution for each task, the report must be written within this format
  • the reports must contain at least the following information: proof of solving, the method used to solve, snapshots proving that you got the flag, full source scripts / command lines used in the process of solving any challenge
  • if you do not submit writeups, we will assume you had external help and we will not include you in the list of finalists
  • for more information on the task format, you can check out the tasks, files and solutions submitted by the finalists last years: for 2016, for 2017

Registration rules:
  • competing criteria and categories according to the year of birth:
  • 1900 - 1993: Cannot qualify for the Finals
  • 1994 - 1998: Can qualify for the Finals. Senior category
  • 1999 - 2019: Can qualify for the Finals. Junior category
  • registering accounts from anonymous mailboxes is not allowed
  • registering accounts from IPs related to VPN or Tor services is not allowed
  • registering accounts with offensive/politically incorrect names is not allowed

Competition rules:
  • in the Final phase, the Romanian team will consist of 10 people (out of which, a number of maximum 5 Seniors)
  • after the pre-selection, up to 30 participants (both Juniors & Seniors) will be selected to join in Bootcamp, where the best 10 will be selected to represent Romania in the national team
  • however, in this National phase, each contestant will compete on his own using a separate account, external help is strictly forbidden. Examples of behavior that will lead to disqualification (and have done so in the past years): reposting the challenges or any part of the challenges, asking for help or spoiling the challenges by posting solutions/flags on IRC, Stack Overflow, Forums (RST, Tuts4You) etc
  • collaborating with other players is forbidden
  • registration is only available until the contest has started (to avoid abuse during the competition)
  • you can only attack the targets specified in the task descriptions
  • attacking the scoreboard (this site) will lead to disqualification
  • generating excessive traffic is not allowed (not even on the task targets)
  • DOS/DDOS is forbidden and will lead to disqualification
  • brute forcing flags on the site scoreboard is not allowed
  • until the logs and writeups have been analyzed and validated, the scoreboard does not completely reflect the final qualification, winning places

For any inquiries, the support address during the national phase is [email protected]