Capture the Flag: On-Site Live Hacking Competition


JD-HITB2018 Beijing CTF + Finals of the 4th XCTF International League (XCTF Finals 2018) will take place on the 1st and 2nd of November alongside the first-ever HITB Security Conference in Beijing!


The competition is co-organized by XCTF League and HITB and will be a mixed-style CTF competition, that includes both Jeopardy style challenges and an attack & defense service segment for teams to play with. Accepted teams must either be invited or qualified based on previous XCTF League or CTFTIME ranking.

The contest is hosted on-site utilizing the CP-OJ and CP-AD Contest Platform developed by Cyber Peace Technology, China. Challenges are authored by blue-lotus CTF Team – the initiator of XCTF International League, as well as some hackers from The Order of the Overflow (New Lords of DEFCON CTF), PPP (one of the greatest CTF Teams on the planet), and of course the HITB CTF Crew.

For the on-site game, we have a capacity for 30 teams (no more than 4 players per team). 18 teams have already pre-qualified through qualification contests and 6 international teams have been pre-invited according to the ranking list of CTFTIME 2018.

The game will run for 30 hours over the 2 days of the conference (1st & 2nd November starting at 09:00 BJT and ending at 18:00 BJT on Day 1 and restarting on Day 2 at 09:00 BJT and ends at 17:00 BJT). This includes both a one-hour lunch break and hardware hacking break. The onsite contest will be hosted in the FREE TO ACCESS CommSec area of the conferenceYou do not need to be a paid conference delegate in order to compete.


The XCTF Finals 2018 will be an AD-style contest against several AD Services together with some Jeopardy Challenges, running in parallel, thus the teams need to decide how to allocate their time and resources in solving the different challenges.

For the Jeopardy-style portion, there will be multiple categories including reverse engineering, pwnable, artificial intelligent (AI) hacking, hardware hacking, web penetration, crypto, forensic analysis, network analysis and more! The more challenges you beat, the more points you get. Points for each challenge will be dynamically calculated according to the number of teams who manage to solve it. Higher difficulty challenges with fewer teams that have solved it will carry more points, so teams should choose a strategy that optimizes for high returns.

Scoring Details

For the AD-style contest, we will employ similar rules as used at DEFCON CTF 2018 Finals – it will not be “zero-sum” scoring rule, but “cumulative” scoring rule.

The final score takes into account these factors:

  • Attack points (earned by stealing flags from other teams’ services) will account for 20% of your total score
  • Defensive points (earned by maintaining your services against attack by opposing teams) will account for 20% of your score.
  • Jeopardy challenge points (earned by solving the jeopardy challenges) will account for 60% of your total score.
  • Jeopardy challenge points will be based on PoC submission and Final code + flag submission

Note: There is no “SLA” or “uptime” score.

  • Defensive points are incremented by 1 for each of your services that remain unexploited.
  • Attack points are incremented by 1 for each flag that you retrieve, except for your own.


The organizer will not permit you to run broken services. To facilitate this, we have taken control of all service machines and will manage them for you.

You will submit your patches for evaluation by the organizer. If your patch does not pass functionality tests, it will not be deployed. If your patch somehow fails functionality tests after deployment, it will be reverted.

The organizer frowns upon automated defenses. Most services will severely limit the files that can be patched, and the number of bytes that can be changed. Plan accordingly.

Pre-Qualified Teams

The winners of the following events have automatically pre-qualified for the finals

  1. XMan (China Mainland) – Winners of the HITB GSEC .edu CTF

  2. Nu1L (China Mainland) – Winners of SCTF 2018

  3. Dubhe (China Mainland) – Winners of SUCTF 2018

  4. CyKor (Korea) – Winners of RCTF 2018

  5. 0ops (China Mainland) – Winners of *CTF 2018

  6. r3kapig (China Mainland)  – United Team of Eur3kA (N1CTF 2018) + FlappyPig (XCTF Finals 2017)

  7. AAA (China Mainland) – Winners of WHCTF 2017

The TOP 17 teams from the 4th XCTF ranking have also pre-qualified for the finals

  1. Vidar-Team (China Mainland)

  2. kn0ck (China Mainland)

  3. ROIS (China Mainland)

  4. ****** (China Mainland)

  5. Balsn (Chinese Taiwan)

  6. SU (China Mainland)

  7. Redbud (China Mainland)

  8. Whitzard (China Mainland)

  9. Lancet (China Mainland)

  10. De1ta (China Mainland)

  11. PwnThyBytes (Romania)

  12. X1cT34m (China Mainland)

  13. CNSS (China Mainland)

  14. lilac (China Mainland)

  15. OPEN
  16. OPEN
  17. OPEN
  18. OPEN
  19. OPEN
  20. OPEN
  21. OPEN
  22. OPEN

We’re looking to host an additional 12 CTF teams, please send a registration email with your team name to . We will approve the registered teams and send out invitations. Please send us the following details:

  • Team Name + Country of origin
  • Team Leaders Name/Handle + Email Address
  • Team Members Names/Handle + Email Address
  • Past CTFs that your team has participated in and your final ranking/score (links where appropriate)

Things to Bring (for on-site teams)

  • Laptops
  • Network cables
  • Extra power sockets / power gangs / power adapter.
  • (Suggested) 4G Router for your own dedicated Internet access


We try hard to keep the competition as free and exciting as possible; however we do require teams to adhere to a few simple rules:

  • Show up on time or you’ll miss the briefing
  • No cooperation between teams with independent accounts. Sharing of flags or providing revealing hints to other teams is cheating, don’t do it.
  • No off-the-shelf automated scanning tools such as Nessus, OpenVAS etc. It’s useless and we’ll kick you out for being lame.
  • No attacking the competition infrastructure. If bugs or vulns are found, please alert the competition organizers immediately.
  • Absolutely no sabotaging of other competing teams using SE or physical attacks, or in any way hindering their independent competition progress.
  • No brute forcing of challenge flag/ keys against the scoring server
  • DoSing the CTF platform or any of the jeopardy challenges services is forbidden.
  • All participants must obey to PIT STOP calls. PIT STOP calls are rest intervals where all the players must leave the CTF area to facilitate for the CTF Crew to perform maintenance work.Teams who don’t adhere to the rules will be penalized or disqualified from the competition.
  • The organizer reserves the right to dispatch long-term (>1 year) all HITB and XCTF contest bans.

At all times, the decision of the HITB and XCTF Crew is final on any matter in question.


1st Place : USD 10,000

(Pre-qualified for HITB2018Dubai CTF)

  2nd Place : USD 5,000

3rd Place : USD2,000


  Meritorious Winner (3 teams): Gifts + Certifications

  Honorable Mentions (4 teams): Certifications



CTF Prize Sponsor






Game Organizers


Platform Support

Challenge Authors