Ctrl+Space CTF

The challenges will be realised by the mhackeroni Team.

Ctrl+Space CTF is supported by the ESA Security Office and the ESA Security Cyber Centre of Excellence (SCCoE). ESA supports the finalists via the “ESA Academy Sponsorship”.
CTF Rules: https://ctrl-space.gg/rules/index.html.
Register here: https://scoreboard.ctrl-space.gg/. Scoreboard for the qualifiers: https://scoreboard.ctrl-space.gg/scoreboard.
A few highlights from the 24-hour non-stop competition:
📝559 teams registered
🧩299 teams solved at least one challenge
🚩660 correct flags submitted across the 25 challenges prepared by the Mhackeroni team
Congratulations to the five qualified teams: ENOFLAG, Superflat, RedRocket, CzechCyberTeam, and PoliTech.
They will advance to the Final Event at ESA ESTEC (Netherlands) during the Security for Space Systems (3S) Conference, Nov. 4–6, 2025, where they’ll face live cybersecurity challenges aboard D-Orbit’s ION Satellite Carrier, orbiting Earth in real-time.
Timeline
Qualification Event
The qualification is an online, open competition (Jeopardy-style) where teams solve cybersecurity challenges of varying categories and difficulties on a dedicated platform. At the start of the qualifier, multiple challenges will be available on the board. Teams earn points by solving challenges and submitting the correct “flags” through the contest website.
Challenges may involve topics such as cryptography, reverse engineering, radio, web security, space systems, pwn, etc. The event lasts 24 hours with no interruptions, from September 20, 09:00 UTC to September 21, 09:00 UTC. The qualifier event challenges will be freely available to all registered teams; teams can solve challenges in any order until the contest ends.
The scoreboard ranking at the end of the Qualification round will determine the top teams. The five highest-scoring teams will receive invitations to the Final Event. In case of a tie, it will be broken by the team who achieved the score first, or by additional criteria at the organizers’ discretion.
In-Orbit Finals
The finals of the 2025 Ctrl+Space CTF will be held in-person at ESTEC (European Space Research and Technology Centre) in the Netherlands, alongside the 2025 Security for Space Systems (3S) Conference on November 4–6, 2025.
Finalist teams will compete in a series of live challenges involving a target space system. This may include a mix of Jeopardy-style tasks and interactive scenarios with real or simulated satellite systems. For example, finalists will have scheduled contact windows to interface with an in-orbit satellite provided for the competition, as well as ground-based challenges in between live contacts.
If live satellite interaction is not possible, the competition will pivot to a simulated space system environment. The team with the highest score at the end of the finals will be the winner. The final event also serves as an educational opportunity with exposure to real-world space cybersecurity scenarios.
Eligible Participants
The Ctrl+Space CTF final event is only open to students, reflecting the educational aim of the competition. Team members must be enrolled in an academic program (undergraduate, graduate, or PhD). Participants should be from an ESA Member State or an Associated/Cooperating country in an ESA education program.
A list of eligible countries is provided by ESA. For a list of the relevant countries, please check: https://www.esa.int/Education/Current_ESA_Member_States. Each participant may need to show proof of student status and nationality during registration or event check-in for the finals.
Team Size
Teams may consist of 2 to 6 students including the team leader. A minimum of two team members from each finalist team must attend the on-site final in person. It is up to each finalist team whether to bring additional members (up to the 6-member limit) to the finals.
Registration
Teams will register for the qualification round via the designated CTF platform.
- No participant may compete on more than one team.
- Account sharing is prohibited.
- For the final event, teams will be contacted by the organizers to arrange their members’ participation. After confirmation of participation in the final event, teams cannot add new members or change team composition without organizer approval.
- The organizers reserve the right to verify participants’ eligibility (such as student status or organizational affiliation) and may reject registrations that do not meet the criteria.
Travel to Finals
Finalist teams will receive instructions from ESA regarding the final event logistics.
- At least two members must attend in person; teams may bring up to 6 members to the finals (within the team size limit).
- All on-site participants must comply with ESTEC visitor procedures (e.g. providing ID for entry, following facility rules).
- If a team cannot field the minimum required members on-site, they may be disqualified and the next-ranked team from qualifiers could be invited as a replacement.
- Keep in mind that any travel support (sponsorship by ESA Academy) may have a budget cap per team. All members of a team must meet the eligibility requirements.
See the ESA Academy Sponsorship section for details.
🎓 ESA Academy Sponsorship
The sponsorship for the 5 finalist teams will cover traveling and accommodation expenses. The following restrictions apply:
- All participants must be students (bachelor, master, PhD students).
- Eligibility requirements apply:
- To participate in the event, teams and all members of the teams must be from an ESA member state or from a state that has signed an agreement with ESA on educational programs. For a list of the relevant countries, please check: https://www.esa.int/Education/Current_ESA_Member_States.
- Specifically, the sponsorship will cover travel and accommodation expenses of a minimum of 2 students of each team, up to a ceiling amount of EUR 1000 per team, which will be reimbursed via a single bank transfer after the event and will only be paid upon submission of receipts.
Sponsorship Eligibility Criteria
To be eligible for an ESA Academy Student Sponsorship, students must fulfil the following criteria at the time of application:
- be part of one of the teams selected via the qualifier event;
- be at least 18 years old at the time of the conference;
- be a citizen of an ESA Member State, Canada, Latvia, Lithuania, Slovakia or Slovenia;
- be enrolled as a student (BSc, MSc, or Ph.D.) in a tertiary education academic programme (not graduating before the conference);
- not be benefiting from overlapping financial support to attend this conference, unless duly justified;
- agree with the conditions of the ESA Academy’s Privacy Policy.
NOTE: Registration fees for students who will participate at the finals of the Space Systems Security Challenge are waived (there will be no cost).
Rules of Engagement – Terms and Conditions
By participating and registering for the event, participants agree to the terms and conditions of the event.
While the organizing team will take all necessary steps to minimize any unexpected or unpleasant technical problems, malfunctions or damages, participants agree to participate at their own risk. No claims for damages of any kind can be made as a result of participating in the CTF event, nor during travel to or from the venue.
In-Scope Systems
Participants are only allowed to target and interact with the systems explicitly provided for the CTF challenges purposes. This includes the official CTF infrastructure (challenge servers, the dedicated competition network, provided network interfaces, and the designated in-orbit satellite CTF environment or its simulation during the event). Each challenge will clearly specify the scope of what can be accessed or attacked for that challenge. For instance, if a challenge provides an IP address or URL and port, or a specific satellite command interface, those are the only authorized targets for that challenge. The organizers will provision all necessary access to these systems. All attackable services and endpoints will be clearly defined as part of the challenges, and no part of the overall CTF platform or external infrastructure is ever considered “in play” unless explicitly stated.
Out-of-Scope Targets (Strictly Prohibited)
Any attempt to tamper with or attack systems outside the CTF environment is expressly forbidden. Participants must not target any infrastructures that are not part of the competition, including but not limited to: the scoreboard system, other teams’ personal devices or networks, the conference venue’s general IT systems (such as ESTEC’s Wi-Fi or networks), or any external websites and satellites not provided as part of the CTF. Even the satellites involved in the CTF must only be interacted with through the approved channels and time windows defined by the contest – any other interference is out-of-scope. Under no circumstances should teams attempt to penetrate or disturb non-CTF systems. Violations of scope will result in immediate disqualification and removal from the event. Specifically, no activities shall take place against any systems or assets outside the challenges environment, including the satellites or ground assets not explicitly part of the CTF scenario. If such a deviation from the rules is detected, the offending team will be expelled from the competition, removed from the conference venue, and denied further access to ESTEC premises. The organizers may also report any malicious attempts to the appropriate authorities if laws are violated.
Finding Vulnerabilities in the Platform
If a team discovers a vulnerability or flaw in the CTF platform or infrastructure (for example, a bug in the scoring system, or an unintended access to a server), they must report it to the organizers immediately and must not exploit it to gain advantage. Exploiting platform bugs or misconfigurations (even if found accidentally) is considered out-of-bounds behavior. The competition officials may, at their discretion, provide clarifications or fix any such issues once reported. Using an unintended exploit against the contest infrastructure itself (as opposed to solving the intended challenges) is strictly prohibited and falls under out-of-scope attacks.
Denial of Service and Sabotage
Teams should refrain from any non-specific Denial-of-Service (DoS) attacks or other actions that degrade the performance of challenge services beyond normal use. Generating excessive traffic to overwhelm a service, “flooding” networks, or any similar tactic with the sole purpose of disruption is not allowed. For example, if a challenge involves solving a service, it is expected that teams interact normally with that service; deliberately overloading it to prevent others from accessing it is forbidden. Likewise, any form of sabotage, such as modifying or deleting flags, altering challenge resources, or any activity intended to make challenges unsolvable or easier for certain teams, is prohibited. The organizers recognize that unexpected situations can occur due to the complex environment. Any edge cases or uncertainties about what is allowed will be judged by the organizers on a case-by-case basis, emphasizing the spirit of the competition. If you are unsure whether an action is within the rules, err on the side of caution and ask an official. The organizing team reserves the right to issue warnings or disqualify teams for activities that, while not explicitly covered above, violate the spirit of fair competition or the safety and security of the event. The final event will include live interactions with in-orbit satellites during defined time windows provided by the organiser team. In case of any unforeseen unavailability of the CTF spacecraft, the competition will pivot to ground-based simulated environments representative of the spacecraft platform.
ESA, D-Orbit and mhackeroni retain the right to reject or disqualify any team not abiding by the rules without further explanation. ESA, D-Orbit and mhackeroni also retain the right to update the terms and conditions of the challenge until the beginning of the finals.
Equipment and Technical Requirements
Personal Equipment
Finalist teams must bring their own computing equipment (typically laptops) to the finals. Each team is responsible for having the tools and software they need pre-installed on their machines before the competition. Internet access and networking for the competition will be provided by the organizers at the venue. The qualification round, being online, requires teams to have their own internet access and computers to compete.
Prohibited Devices
A detailed list of devices allowed at the final event will be released to the finalist teams. The competition setup will include all necessary communications interfaces to interact with the satellite and ground systems; the need for SDR or other radio equipment will be clarified to the finalist teams. Similarly, specialized offensive hardware gadgets (for example, USB Rubber Ducky, Wi-Fi Pineapple, rogue access points, hardware keyloggers, etc.) are not permitted in the competition area. The intent is to prevent any device that could interfere with networks or equipment outside the intended scope.
Provided Interfaces
The organizers will provide all required interfaces to the competition systems. This may include network access to challenge servers, VPN credentials, or a dedicated local network at the venue that connects to the satellite ground station system. Teams will be briefed on how to interact with the in-orbit satellite during the allocated contact windows.
Software and Tools
Teams can use any software tools of their choice on their machines. It is recommended to have a wide range of cybersecurity tools (network analyzers, debuggers, reverse engineering tools, etc.) ready before the event. There is no on-site software installation support, so ensure everything is installed and functioning beforehand.
Environment Constraints
Participants must not attempt to alter the competition environment. For example, do not try to install persistent services on provided networks or scan beyond the scope. Do not port-scan or run broad vulnerability scans against competition hosts beyond what a challenge specifically entails (especially if multiple challenges share infrastructure). Many challenges might run on shared virtual machines or containers; teams should respect any scope limitations given. Following these instructions helps avoid unintentionally crashing services or disrupting other challenges.
Frequently Asked Questions
Do I need any equipment for the qualification round?
No, everything is online and remote.
What equipment is necessary, and what may be brought on-site for the finals?
For the finals, participants will need to bring their own laptops with their preferred tools and software pre-installed, to be able to prepare and launch their attacks against the target space system. Participants in the finals are forbidden from bringing antennas of any kind.
Bringing specialised hacking hardware on-site (e.g., Rubber Ducky, Pineapple) is not allowed.
A detailed list of allowed and prohibited items will be provided to the finalist teams.
What is the process of participating?
Teams will have to enroll in the qualification event via the CTF platform.
Will the whole team come to the finals?
Each team should consist of 2 to 6 participants (including the team leaders). At the finals, a minimum of 2 team members must attend the on-site event in person. It is up to the team whether more than 2 (and up to 6, including team leaders) will come. You should be aware, though, that the travel reimbursement, sponsored by ESA Academy, has a ceiling of 1000 EUR. See the ESA Academy sponsorship section for more details.
How many people will be selected to the final event and how?
The top 5 teams of the qualification event will be invited to the finals event, based on their overall score.