Capture the Flag: On-Site Live Hacking Competition



What: Jeopardy style CTF hacking competition
When: November 27th and 28th
Where: On site at HITB2018DXB @ Grand Hyatt
Max of 12 teams with up to 3 players / team


This CTF is organized by XCTF League from China. This is a jeopardy-style CTF with multiple categories of challenges, including reverse engineering, pwnable, web security, AI & blockchain, crypto, MISC (forensic, network analysis), etc.

The game is hosted on-site and online utilizing the XCTF-OJ Platform developed by CyberPeace Technology, China. Game challenges are jointly authored by Blue-lotus CTF Team (core of Tea Deliverers, b1o0p CTF Team).

For the on-site game, we have a capacity for a maximum of 12 x 3-man teams. Your team MUST BE PRE-REGISTERED BEFORE GAME DAY AS COMPETING ON-SITE if you want to be eligible for the prizes. If you show up on the game day itself, you can still play the game (we have some additional space in the game arena or you can find somewhere to connect to the game server), but you will not be in the running to win any prizes. The game will run for 30 hours over the 2 days of the conference (27th & 28th November, starting at 10:00GST and ending at 19:00GST on Day 1, then restarting on Day 2 at 10:00GST and ending at 17:00GST). The onsite contest will be hosted in the FREE TO ACCESS exhibition area of the conference. You do not need to be a paid conference delegate in order to compete.


The more challenges you beat, the more points you get. Points for each challenge will be dynamically calculated according to the number of teams who manage to solve it. Higher difficulty challenges that fewer teams have solved will carry more points, so teams should choose a strategy that optimizes for high returns. At the end of the competition, the team with the highest total points will be named the winner. In the case of two different teams having the same points, whichever team was quickest to reach this high score will be declared the champion. As such, teams are advised to submit flags as soon as they obtain them.


We try hard to keep the competition as free and exciting as possible; however we do require teams to adhere to a few simple rules:

  • Show up on time or you’ll miss the briefing
  • No cooperation between teams with independent accounts. Sharing of flags or providing revealing hints to other teams is cheating, don’t do it.
  • No off-the-shelf automated scanning tools such as Nessus, OpenVAS etc. It’s useless and we’ll kick you out for being lame.
  • No attacking the competition infrastructure. If bugs or vulns are found, please alert the competition organizers immediately.
  • Absolutely no sabotaging of other competing teams using SE or physical attacks, or in any way hindering their independent competition progress.
  • No brute forcing of challenge flags/keys against the scoring server.
  • DoSing the CTF platform or any of the jeopardy challenge services is forbidden.
  • All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all the players must leave the CTF area so that the CTF Crew can perform maintenance work. Teams who don’t adhere to the rules will be penalized or disqualified from the competition.
  • The organizer reserves the right to issue long-term (>1 year) bans from all HITB and XCTF contests.

At all times, the decision of the HITB and XCTF Crew is final on any matter in question.


To register your team for the Capture the Flag competition, please send a registration email with your team name to (CC to Please send us the following details:

  • Team Name + Country of origin
  • Team Leader's Name/Handle + Email Address
  • Team Members' Names/Handles + Email Addresses
  • Team link (we want to know the past CTFs that your team has participated in and your final ranking/score)

The following teams have successfully registered:

  1. Eat Sleep Pwn Repeat (Germany) – Winners of the HITB-XCTF GSEC CTF 2018 Finals
  2. Cyber Quest Team 1 (UAE)
  3. Cyber Quest Team 2 (UAE)
  4. DUBHE (China)
  5. naijasecforce (Nigeria / India)
  6. RageHackers (UAE)
  7. ProVise Secure Lab (UAE)
  8. OpenUAE (UAE)
  10. OSI Layer 8 (Singapore)
  11. Bluesky (China)

Things to Bring (for on-site teams)

  • Laptops
  • Network cables
  • Extra power sockets / power gangs / power adapter.
  • (Suggested) 4G Router for your own dedicated Internet access


1st Place – USD1500

2nd Place – USD1000

3rd Place – USD500

The 1st place team will also be flown in to HITB2019 Amsterdam (May 9th and 10th) to compete in our 10th year anniversary CTF in The Netherlands.

If you have any questions, please send an email to (CC to