

Filed under: Main Page — Administrator @ 1:59 pm


This Capture the Flag will be the second CtF game to be held in the Middle East region, after the attack-only game which was run in Bahrain in April of 2005. The attack-only CTF is different from the game that has been held at the HITB Security Conference in 2002, 2003, 2004, 2005 and at INFOSEC 2003. Instead of each participant having to attack and defend, participants in the game will be expected to launch penetrative attacks against single or multiple target servers. Each machine is configured with various services (some of which may be vulnerable while others might not be). Participants are required to retrieve pre-configured files or ‘flags’ from the target machine in order to score points. Attendees are not barred from attacking each other; however, any participant found using denial of service attacks will be removed from the game immediately.


We have space for 20 participants at a maximum - each team can consist of a MAXIMUM of 3 participants ONLY! Although we will not stop single registrant players from joining, we strongly encourage you to form a team of at least 2 members if you’re really serious about winning.

1.) Army Strong (3 members)
2.) NDMTEAM (3 members)
3.) Eleet (3 members)
4.) OPEN
5.) OPEN
6.) OPEN
7.) OPEN
8.) OPEN
9.) OPEN
10.) OPEN

Game Play

* This will be a purely reverse engineering and exploit development game.
* There are 6 levels of increasing difficulty.
* Participants progress to the next level by cracking the current level.

Winners are determined as follows:

* 1st prize - The first team to reach at least level 4
* 2nd prize - The first team to reach at least level 3
* 3rd prize - The first team to reach at least level 2

In order to participate, teams must

* Be able to crack a given binary. This binary contains login information for the CTF game server.
* Once they are able to crack the binary, they can then log in to the CTF game server with default level 0.
* They are free to do whatever they want on the CTF game server (assuming that the security restrictions allow it). Some actions may be disabled, such as scp’ing the binaries to their laptops. This restriction is up to the CTF organizing committee members. See *Things that may get you disqualified/penalized* below.
* Tools will be provided on the CTF game server, such as gdb, objdump, a hex editor, Perl, Ruby and Python interpreters, and gcc.

Game play scenario:

* For the first login, the user will have a uid of level0 and a gid of level0.
* There will be 6 directories, each belonging to a different user and group corresponding to the levels.
* level1 users can’t browse the directory of level2, and so on.
* Cracking level1 will enable the user to escalate his privilege to level2, and so on.
* Cracking a level will enable the user to reveal the level’s flag. This flag must be submitted to the score server (a Web 2.0 compliant web interface will be provided) for validation and keeping score.

Things we don’t care about

* We don’t care how you get the flags - through pure good luck, copying from other teams, l33t reversing skills or bribery

Things that may get you disqualified/penalized

* DoS, e.g. a fork() bomb


* Of no use: nmap, metasploit, nessus and
* Of use: gdb


  • NO flooding of the network. A 30-minute NO GAME penalty and points deductions will be given to teams that are found to be flooding the network.
  • NO Denial of Service (DoS) attacks. A 30-minute NO GAME penalty and points deductions will be given to participants that are found to be launching DoS attacks.
  • All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all players must leave the game area so that the CtF judges can update the score and/or do maintenance work, etc.
  • NO harassment of other opponents (verbal abuse, etc).
  • NO physical attack.
  • NO attacking of Score Servers. Participants that attack Score Servers will be given points deductions.


  • Plan, plan, plan.
  • Learn how to attack the reference distributions.

    Final Judgement

  • At all times, the decision of the CtF Organizing Team is final on any matter in question.


    All Prizes for the CTF competition have been sponsored by Scan Associates Sdn. Bhd.

    1st Place - USD3,000 CASH
    2nd Place - USD2,000 CASH
    3rd Place - USD1,000 CASH


    The HITBSecConf organizing committee would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came out with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!


  • Event Organizer

    Hack In The Box (M) Sdn. Bhd.
