Last updated at Wed, 07 Feb 2024 19:40:54 GMT

UPDATE: Leaderboard can be found on this new post! Plus, some notes that may be helpful.

Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition!

Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. If you are unfamiliar with Metasploitable3, you can get up to speed with this blog post announcing its release. For an additional challenge in Metasploitable3, we've hidden several flags in the virtual machine that penetration testers can find to demonstrate their prowess.

To honor the release of this new tool – and to have a little fun – we're hosting a month-long competition to see who can find the most Metasploitable flags! The competition will be very simple, and easy for anyone to participate in. For our leaderboard winners, we'll be giving out some great prizes as well as some Metasploit T-Shirts for others who submit a captured flag.

Here's how it works.

  1. Download and install Metasploitable3.
  2. Dig in! Find those flags!
  3. Complete a simple write-up (see format below or template here), providing proof you've found one and you'll be added to the leaderboard. (Note: We may ask your permission to publish the write-up after the competition closes.)
  4. We'll keep a running tally of the leaderboard at the bottom of this blog post.
  5. On December 31st we'll announce the winners!


There are currently 15 flags hidden in Metasploitable3, with more being added. When you find a flag, take a screenshot of it.  Put it in a doc with the following information:

  • How did you get access to the machine?
  • How did you spot the file?
  • How did you extract the file?

Note: In some cases, the files are easy to find so please describe the extraction process. A template can be found here.

Please note: in the spirit of friendly competition, please only submit flags that have been found from a running metasploitable3 instance, not the vagrant folders used to build the instance

Then email capturetheflag [at] and we'll review and add you to the leader board.  At the end of the month the top 3 people with the most submitted flags accepted will receive prizes. In the case of a tie, a set of subjective measures will be used to select the winners. The measure will be: creativity of methods used to obtain the flags and strength of the write-up. We reserve the right to award bonus prizes. And one note for our beloved Rapid7 employees: You are welcome to play along, but standings will be tracked separately and awarded accordingly.


1st Place: Hak5 Pineapple
2nd Place: LAN Turtle or Lock Pick Set
3rd Place: LAN Turtle or Lock Pick Set

The first 25 to submit a flag will get a Metasploit T-Shirt! We reserve the right to award bonus prizes.

Any questions? Feel free to comment below or email community [at] and we'll get back to you. Happy Hunting!


Get all the updates here: Metasploitable3 CTF Competition: Update and Leaderboard!

Official Rules: Terms & Conditions

The Metasploitable3 Capture the Flags competition is open to anyone. No purchase is necessary to participate. Eligibility is dependent on following the entry rules outlined in this guide.

To Enter: Locate and screenshot flags found in Metasploitable3 and send a written submission detailing 1) how you got access to the machine; 2) how you spotted the file; 3) how you extracted the file, to capturetheflag [at]

A template can be found here or by searching for “Metasploitable3 CTF” on Partial or incomplete submissions WILL NOT BE ACCEPTED as an entry and shall not be eligible for any prize. All submissions will be reviewed by Rapid7 for adherence to these Official Rules. Rapid7 may ask for permission to publish written submissions after the contest close.

The leaderboard competition will open on Wednesday, December 7, 2016 at 12:00:01 ET and close on Saturday, December 31, 2016 at 11:59:59 ET. Entries submitted after this time may be eligible for additional prizes determined by Rapid7. In the event of a tie, Rapid7 will evaluate submissions to select the first place winner. A set of subjective measures will include 1) creativity of methods used to obtain the flags and 2) strength of the written submission. Rapid7 reserves the right to award bonus prizes.

The leaderboard will be updated regularly with the final submissions being added by Tuesday, January 3, 2017 at 11:59:59 ET.

Prizes/Odds of Winning: Only the prizes listed below will be awarded in the competition. Odds of winning depend on the number of eligible entries submitted by the close date. Prize is not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow 3-4 weeks for delivery of any prize.

Leaderboard Prizes

Three (3) Prizes

Leaderboard Position Prize Approx. Value
1st place Hak5 Pineapple (Nano Basic) $149.99
2nd place LAN Turtle OR Lock Pick Set $49.99
3rd place LAN Turtle OR Lock Pick Set $49.99

Additional Prizes

Twenty-five (25) Prizes**

The first 25 people to submit a flag will get a Metasploit T-Shirt (approx. value: $10) available from the online Rapid7 Retail Store. Rapid7 reserves the right to award additional T-shirt prizes.

Competition host is Rapid7 LLC, 100 Summer St, Boston, MA 02110.

By entering the competition, you agree to these terms and conditions. Employees and the immediate families of Rapid7 may not participate.

If you have any concerns or questions related to these terms and conditions, please email capturetheflag [at]