S4x23 Capture the Flag

S4x23 CTF Kick-off Video

The S4x23 CTF has started. Check out our S4x23 CTF Kickoff Video to get started.

S4x23 CTF Challenges

The S4x23 CTF is a series of challenges, collected by ICS Village and Cutaway Security, from S4x23 and ICS Village sponsors. Each sponsor team developed a combination of online and physical challenges to be solved by the CTF participants. The CTF portal and scoreboard, donated and supported by the SANS ICS team, will provide CTF players with a description of each challenge, where to find the physical challenges, downloads for the online challenges, and a continuously update on the current state of team and individual scores.


Contestants need to register at the Ranges.io website. Once registered, or if previously registered, each contestant will be presented with a textbox for an event code. The ICS Village team will provide the S4x23 CTF event code as a part of the kickoff presentation and in the ICS Village Slack channel #S4x23-CTF.

Activity Times in ET

Monday, February 13th from 1 PM to 7 PM
Tuesday, February 14th from 8 AM to 5 PM
Wednesday, February 15th from 8 AM to 1 PM
Thursday, February 16th from 8 AM to 3 PM
- Final Countdown (Hidden Scoreboard) Start: 1 PM
- S4x23 Awards Ceremony: 3 PM

CTF Winners Announcement

Thursday, February 16th at 3 PM at the S4x23 Awards Ceremony

CTF Challenges

1898 & Co.

Protecting industrial control environments comes with restricting physical access to the control environments. The 1898 & Co. team challenges you to gain access to a protected environment. Can you clone a badge/tag to gain physical access? Of course, attackers never sleep, while you are testing physical security the 1898 & Co. incident response team received a Critical alert about a client's assets being attacked. Can you put together the events related to the attack?


When not managed correctly, OT environments can have many vulnerabilities. The Forescout team has deployed several insecure devices. Can you exploit the services to access the flags? You’ll need to visit the Forescout sponsor area to get access to the assets to conduct your evaluation. Not onsite, well, the Forescout team has also provided a network packet analysis challenge for you as well. Will you be able to extract the key elements from the network communications and use them to access the flag?


The Fortinet team has generated two challenges that cover key areas of OT visibility and security. Control environments are constantly generating data that needs to be collected and analyzed. For the first challenge, help Fortinet analyze an industrial protocol to identify communications of interest in the system. The second challenge involves analyzing one of the worst-case scenarios for a production environment. Review the malware obtained by the Fortinet team and provide specific information on the malware and its behavior.


The GRIMM team has a collection of puzzles ranging from programming, event analysis, and security assessment. Use your skills to find the flags. Find the flags to earn more points. Earn more points to win the CTF. Win the CTF for fortune and fame.

Industrial Defender

Ready, set, solve! You've got an intruder on the loose in your OT environment, and it's up to you to catch them in the act. Using the Industrial Defender platform, you'll be the digital detective and track down any suspicious changes all the way back to the intrude. But wait, there's more! The forensic team needs some additional information locked in a puzzle box in Industrial Defender’s Prime Room. Can you crack the puzzle box and piece together the evidence to apprehend the culprit?


At Otorio, we understand industrial control communications. You might too. Think you know Modbus? Prove it and you might find the flag for our challenge At Otorio, we also understand malware. One of our incident response teams have recovered a suspicious binary. Help us understand what it would have done and you just might earn another flag.


The security of OT environments depends on physical and network security. The Phosphorus challenges will test your skills in both areas. Use your skills to find a physical device and complete the challenge. Then, perform network analysis to understand the industrial control traffic we have captured to complete our other challenges.

Schneider Electric

The SE team has prepared separate warehouse and water treatment facility process environments. It is possible that these implementations are vulnerable. Can you help us prove this for our client’s leadership. They need supporting details to understand, rate, and remediate risk. SE has also been approached by several partners that are implementing wireless and cloud services. Help us evaluate these services and determine if they are secure.


Siemens has been tasked with investigating a cyber incident involving a client’s waste water management system. The Siemens Cybersecurity team narrowed the incident down toa single misconfigured PLC and tank setup which we successfully simulated in an isolated network. A Siemens security analyst also noticed some unusual device activity on the client’s network. Help us figure out what’s happening to the client’s wastewater management system to earn some CTF flags.

Additional Contributors

Cutaway Security, LLC Information Security Consultants