Exams

Please read the following logistics carefully before starting:

  • The exam duration is 2 hours.
  • The exam is individual.
  • The exam is conducted via CTFd. Students not taking the exam will not have access to the infrastructure.
  • Please bring your own laptop. If you do not have one, reach out immediately.
  • Materials: You may use all materials (notes, previous assignments, internet).

1. Report & Submission (Critical)

⚠️ Guideline Points vs. Explanation
The CTFd points act as a guideline for the maximum points you can obtain. To receive points, you must explain how you solved each task in your report. Flag submission alone is not enough. We ask you to document all your steps and decisions so your solution is replicable.

Google Doc Setup

You are allowed (and encouraged) to use a pre-prepared Google Docs report template. You must share the document with us as "Editor" before starting.

Naming Convention:
2026 BSY Exam XX - ctuusername

(If the name format is wrong, we will pause the exam start for everyone until it is fixed.)

Share as "Editor" with the following emails:

sebastian.garcia@agents.fel.cvut.cz
veronica.valeros@aic.fel.cvut.cz
ondrej.lukas@aic.fel.cvut.cz
maria.rigaki@aic.fel.cvut.cz
sladic.muris@gmail.com
repa.martiin@gmail.com
lukasforst@gmail.com
eldraco@gmail.com

2. Exam Content

The flag format is bsyexam{...} unless otherwise specified.

Theoretical Discussion

The exam includes theoretical discussion tasks (time-boxed to 3-5 minutes). You may choose any moment during the exam to complete the theoretical discussion. If you are confident in your points, you may choose to skip it.

Topics include: Authentication & Authorization, SQL Injection, Network Traffic Analysis, Web Attacks, and Deception.

3. Grading

  • Passing Threshold: You need 50/100 points in this exam to pass.
  • Semester Points: Any extra points earned during the semester are added after the exam is approved.
  • Final Grade: The final grade follows the standard CTU grading scale.

4. Special AI/LLM Policy

🤖 Using AI as a Helper, Not a Solver
  • You can ask LLMs to help, but not to solve the tasks for you.
  • You must show the interaction (screenshots/links of both the prompt and the output) in your report.
  • You must explain your interpretation of the suggestion and prove you understand what the code/command does.
  • We need to see that you learned and understand the topic.

5. Asking Questions

If you feel stuck, confused, or suspect an error in the challenge infrastructure:

🙋 Please Reach Out!
  • No Penalty: There is no penalty or point reduction for asking questions. Do not hesitate to ask.
  • Technical Issues: If you suspect a technical error, let us know immediately.
  • Solutions: If your question relates to the answer itself (and we cannot help), we will simply tell you: "We cannot answer that, as it is part of the exam challenge."

6. Rules of Engagement

You can NOT:
  • Brute-force challenges or attack the class infrastructure.
  • Attack other servers/services in the university network (outside your given IP range).
  • Share your code or solution with other students.
  • Attack others on the Internet from your Docker container.
You CAN:
  • Attack the given Docker container from the Internet.
  • Attack the Docker containers of other students only if they are inside the local Docker network.