Participant Manual

Core participant workflow and API entry points.

ManualSign In
Challenge Catalog
1
Owned Services
0
Enemy Targets
0
Signed In As
Not Signed In
API Status
Live
API Base
http://10.70.0.1
Realtime
/api/platform/realtime
Participant login is required for owned services, unlock, SSH, and reset actions.

Participant Flow

Start here for the normal participant workflow. Use Swagger for the full request and response contract.

Step 1
Sign In

Call POST /api/v2/authenticate to get the JWT used for participant actions.

Step 2
Find Targets

Use GET /api/v2/services to list your own services and enemy endpoints over WireGuard.

Step 3
Unlock SSH

Recover the unlock proof from your own service, then submit it to open SSH for your team.

Step 4
Patch Or Recover

Issue one-time SSH credentials, patch safely, or use restart and factory reset when needed.

Step 5
Submit Flags

Send stolen enemy flags to POST /api/v2/submit. Only the first valid submission scores.

Participant Endpoints

The participant API surface most teams automate against.

  • POST /api/v2/authenticate
  • GET /api/v2/challenges
  • GET /api/v2/services
  • GET /api/v2/scoreboard
  • GET /api/v2/attacks
  • POST /api/v2/submit
  • POST /api/v2/services/{challenge_id}/unlock
  • POST /api/v2/services/{challenge_id}/ssh-session
  • POST /api/v2/services/{challenge_id}/reset/factory
  • POST /api/v2/services/{challenge_id}/reset/restart

API Reference

Open SwaggerOpen Raw OpenAPI YAML

Practical Notes

Service traffic and SSH both use the same service IP.

Targets are reachable through WireGuard, not host-published ports.

Factory reset keeps the current match unlock state for the owning team.

Swagger is the browser-facing source of truth for request and response shapes.