HITB Capture The Flag – EDU Pre Qualifications

Dear teams, unfortunately due to human error we have lost part of registration data (emails + logos) for some teams.

We kindly ask ALL TEAMS to FILL OUT our form again: https://zfrmz.com/klpUCGsARYe9V6aORuQq


Organized by Hackerdom in collaboration with CTF.ae and HITB, this Capture the Flag is specifically for educational teams from universities and other educational establishments. Each team should consist of no more than 5 members (students only!)

Date: August 27th & 28th

Start Time: 27th August @ 18:00 SGT

End time: 28th August @ 05:00 SGT

Where: Online / Virtual

The top 3 teams from this pre-qualifer round will qualify to play the PRO CTF FINALS @ HITB+ CYBERWEEK  in Abu Dhabi in person (The finals are to take place in a dual game format in-person and online from November 24 – 25th at the Abu Dhabi National Convention Center). Other top-ranked teams from this prequalifer EDU CTF will also be invited to participate in the PRO CTF Finals @ HITB+ CyberWeek but only online.  (Note: Educational establishment affiliation documents will be required and checked for EDU participants of the HITB+ CyberWeek PRO CTF Finals)

Main Sponsor



Pre-CTF Training Session (14 & 15 August)



The Road to HITB+ Cyberweek PRO CTF Finals


30th July – Pre-qualification CTF registration opens

13th August – Last day for registration to the pre-CTF online training session

14th & 15th August  – Online Training Session for all teams who registered before the 13th.

25th August  – Last day for CTF prequalification team registrations

26th August – Passwords to the cloud infrastructure will be sent to team captains

27th August @ 18:00 SGT (UTC+8)  –  Cloud infrastructure boot up

27th August @ 19:00 SGT (UTC +8) – Network is open, Hack on!

28th August @ 05:00 SGT (UTC +8) – GAME ENDS


The Game Network


At the start teams get identical virtual servers with a set of vulnerable services. Teams’ goal is to find the vulnerabilities, fix them in their services and use them to get private info (flags) from other teams’ services. The game is continuously monitored by an independent checksystem, which regularly puts new flags on teams’ services and also receives flag submissions from teams.

It is difficult to give a complete set of rules for a CTF challenge, so these rules can change without notice at any moment prior to game start. That is why we recommend checking the rules one more time before the competition starts. Just in case 🙂



A group of people with a captain.


A vulnerable application written for the challenge.


A virtual machine that contains all the services. It is provided prior to game start in a form of game image. Game image is identical for all teams.


A string that matches regex: /^\w{31}=$/.


A period of time for the checksystem to check and score all the teams. Game round usually takes about 1 minute.


A group of people that run the competition. Organizers do their best to provide a quality and fun event to all participants. Still organizers are to penalize/disqualify teams for rules violation and to solve the critical situations not described in these rules. Teams should be prepared to meet such decisions with understanding. Also organizers do determine the winner. In general, this decision is based on the scoreboard.


  • Do whatever they want within their network segment. Most likely the team would like to patch vulnerabilities in their services or block exploitation of vulnerabilities;
  • Attack other teams. Didn’t expect that, huh?


  • Filter out network traffic coming from other teams;
  • Generate excessive amounts of traffic that pose a threat to network stability of organizers’ facilities;
  • Generate excessive amounts of traffic that pose a threat to network stability of any other team;
  • Attack teams outside of the VPN;
  • Attack the game infrastructure operated by organizers.

Game Structure

The competition begins when the organizers announce the decryption key for the game image. After that the game time is divided into two periods:

  1. For the first hour network segments are closed and there’s no cross-team traffic. We recommend that teams use this time to perform initial  vulnbox administration and vulnerability analysis.
  2. After the first hour, network segments are opened, allowing the teams to attack each other. Network segments remain open until the competition ends.

Scoring System

Key parameters in the scoring system are SLA and FlagPoints. Their values are individual for each service of each team. Team score is calculated as the sum of the products of the corresponding SLA and FlagPoints of all team’s services.

SLA (team, service) is the fraction of the game time in which that service of that team was in the UP state. E.g. if the service was always UP, SLA would be 1. If 4 hours passed from the game start and the service was UP during the first hour and then was not UP for the rest 3 hours, SLA would be 0.25. At the beginning of the game all teams have SLA equal to 1.

FlagPoints (team, service) is the number that correlates with a team’s ‘understanding’ of the service. FlagPoints depend on the team attack capabilities (exploiting vulnerabilities against other teams) and defense capabilities (fixing vulnerabilities in their own service). At the beginning of the game all teams have equal FlagPoints, and FlagPoints are updated every game round. If during the round the team failed both in attack and defense of the service, the corresponding FlagPoints will decrease, but will never reach 0. If during the round, the team was only able to defend the service, the corresponding FlagPoints will not change. If the team was able both to attack and to defend, the corresponding FlagPoints will grow.

Flag price is the number of FlagPoints got by attackers for stealing the flag from the victim.

Flag lifetime is the amount of time during which the flag must be available in the service for the checksystem. Teams should steal the flag and post it to the checksystem until it is expired.

The maximum amount of points awarded/deducted for the flag is equal to the number of the participating teams.If a flag was stolen from a team that was higher on the scoreboard in the previous round, the team that has stolen the flag earns the maximum number of FlagPoints. If a flag was stolen from a team that was below your team on the scoreboard, the number of FlagPoints will decrease based on the difference in teams’ positions on the scoreboard, but will never go below 1.

FlagPoints for a flag are awarded when that flag expires. Teams are ranged by total score.

Apart from FlagPoints, SLA and total score, the scoreboard shows the state of each service. There are four possible states of a service:

  • OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.
  • MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn’t respond on request.
  • CORRUPT — means that service is online, but past flags cannot be retrieved.
  • DOWN — means that service is offline.

During the game, scoreboard will be available at http://monitor.ctf.hitb.org/monitor 

You must submit your flags to http://monitor.ctf.hitb.org/flags

Flag submission example:

$ curl -s -H 'X-Team-Token: your_secret_token' -X PUT -d '["PNFP4DKBOV6BTYL9YFGBQ9006582ADC=", "STH5LK9R9OMGXOV4E06YZD71F746F53=", "0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=", "PTK3DAGZ6XU4LPETXJTN7CE30EC0B54="]' http://monitor.ctf.hitb.org/flags | json_pp



      "msg" : "[PNFP4DKBOV6BTYL9YFGBQ9006582ADC=] Denied: no such flag",

      "status" : false,

      "flag" : "PNFP4DKBOV6BTYL9YFGBQ9006582ADC="



      "msg" : "[STH5LK9R9OMGXOV4E06YZD71F746F53=] Denied: flag is your own",

      "flag" : "STH5LK9R9OMGXOV4E06YZD71F746F53=",

      "status" : false



      "status" : false,

      "flag" : "0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=",

      "msg" : "[0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=] Denied: you already submitted this flag"



      "msg" : "[PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=] Accepted. 1.73205080756888 flag points",

      "flag" : "PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=",

      "status" : true



Additional Questions?

CTF Orga: ctf@hitb.org

Pre-CTF Training: ctf-training@hitb.org

CTF Discord Channel: https://discord.gg/3UCQf82


Registered Teams


  1. csoc (KMA, VIETNAM)
  2. Unreal Security (University of Dubai, UAE)
  3. 0ni0n (FPT University, VIETNAM)
  4. Newbie& (FPT University, VIETNAM)
  5. obelus (Singapore Polytechnic, SINGAPORE)
  6. Wh1t3h4t5 (Singapore Management University, SINGAPORE)
  7. sploit00n (NRNU MEPhI, RUSSIA)
  8. Pwn$tars (Asia Pacific University, MALAYSIA)
  9. LunarWinds (Singapore Management University, SINGAPORE)
  10. TRX (Sapienza University of Rome, ITALY)
  11. Deadsec (Rochester Institute of Technology, UAE)
  12. CSI (IPB University, INDONESIA)
  13. Greyhats (National University of Singapore, SINGAPORE)
  14. qaqaenbersama (Universitas Gadjah Mada, INDONESIA)
  15. VXFireEagle (Hong Kong University of Science and Technology, HONG KONG)
  16. Jeremyah Joel Kusnadi Army (Bina Nusantara University, INDONESIA)
  17. HumbleLords (Sagar Institute of Science and Technology, INDIA)
  18. bi0s (Amrita University Kerala, INDIA)
  19. Cathub (Novosibirsk State University, RUSSIA)
  20. Kour-Geek (Ural Federal University, RUSSIA)
  21. PaperWhale (Reshetnev Siberian State University of Science and Technology, RUSSIA)
  22. efiens (Ho Chi Minh City University of Technology, VIETNAM)
  23. C4T BuT S4D (National Research University HSE, National Research University ITMO, RUSSIA)
  24. Firebird (The Hong Kong University of Science and Technology, HONG KONG)
  25. CTForce (Altai State Technical University, RUSSIA)
  26. WebSpiders (Innopolis University, RUSSIA)
  27. TeamZer0 (American University of Sharjah, UAE)
  28. Sudoers Force (Multiple Schools, HONG KONG / USA / TANZANIA / INDIA)
  29. bot3310 (Hong Kong Polytechnic University, HONG KONG)
  30. Omaviat (OAT, RUSSIA)
  31. CyberErudites (Ecole Supérieure en Informatique, ALGERIA)
  32. jekrid (Ural Federal University, RUSSIA)
  33. echo (Higher School of Economics, RUSSIA)
  34. TehEveryDay (Nanyang Polytechnic, SINGAPORE)
  35. STT (University of Lisbon – Instituto Superior Técnico, PORTUGAL)
  36. Aztecs (Universitas Gadjah Mada, INDONESIA)
  37. Noob_sec (Laxmi Narain College of Technology, INDIA)
  38. Lala G3r4k (Universiti Tenaga Nasional, MALAYSIA)
  39. Tính sau đi (FPT University, VIETNAM)
  40. error (NSU, HSE, SibADI, RUSSIA)
  41. s1mple (Asia Pacific University, MALAYSIA)
  42. RedRocket (Bonn University of Applied Science, GERMANY)
  43. exploders (Rajiv Gandhi University of Knowledge Technologies, INDIA)
  44. BantaiSajek (UiTM / IIUM / UKM, MALAYSIA)
  45. CTF Tech (University of Tartu, ESTONIA)
  46. Jane Street Pls Hire (NUS / SIT / Oxford / Cooper Union, SINGAPORE)
  47. FBT (FPT University, VIETNAM)
  48. Cyber_Guys (Bharath University, INDIA)
  49. Arcane (Amal Jyothi College of Engineering, INDIA)
  50. havce (University of Parma, ITALY)
  51. dbuser (Jiaxing University, CHINA)
  52. Wukong449 (Ho Chi Minh University of Technology, VIETNAM)
  54. ByteForc3 (Birla Institute of Technology, Mesra, INDIA)
  55. Pengg0damn (UniKL, MALAYSIA)
  56. dez (Industrial University Of HoChiMinh City, VIETNAM)
  57. SouthFlagsington (Imperial College London, UNITED KINGDOM)
  58. ilovevnsec (VNSECURITY Education, VIETNAM)
  59. Baby Zepto (VNSECURITY Education, VIETNAM)
  60. SweetArmy (Ho Chi Minh City University of Science, VIETNAM)
  61. Average Kuliah Online Enjoyer (Sepuluhnopember Institute of Technolgy, INDONESIA)
  62. Pseudo Sudo (Iowa State University, UNITED STATES)
  63. N00B HACK3RS COMMUNITY (Sir Padampat Singhania University, INDIA)
  64. 0xch1ah (FPT University, VIETNAM)
  65. CyberV (Vellore Institute of Technology, INDIA)
  66. csictf (Vellore Institute of Technology, INDIA)
  67. UIT.PwN3v3rY7h1nG (VNSECURITY Education, VIETNAM)
  68. CyberV (Vellore Institute of Technology, INDIA)
  69. leonuz (Universidad de Los Andes, VENEZUELA)
  70. Ave M | Morris-1988 (Penza State University, RUSSIA)
  71. devme4f (Vietnam Academy of Cryptography Techniques, VIETNAM)
  72. D4nt3 (Tunku Abdul Rahman University College, MALAYSIA)
  73. fi$he (University of Science and Technology of Hanoi, VIETNAM)
  74. B3bieSec (Industrial University of Ho Chi Minh City, VIETNAM)
  75. !FBT (FPT University, VIETNAM)
  76. Nat (Charles Sturt University, AUSTRALIA)
  77. Mac_book (NanTong University, CHINA)
  78. BL4CK-B0T (Vellore Institute of Technology, INDIA)
  79. uetctf (Vietnam National University, VIETNAM)
  80. pwnthem0le (Politecnico di Torino, ITALY)
  81. SiBears (Tomsk State University, RUSSIA)
  82. PSA_team (Hanoi University of Technology, VIETNAM)
  83. Cryptonite (Manipal Institute of Technology, INDIA)
  84. Alt-Backdoor (Abu Dhabi University, UAE)
  85. cyberblue21 (Independent University, BANGLADESH)
  86. test123 (GLA, INDIA)
  87. Ret2Cringe (HTBLA Kaindorf an der Sulm, AUSTRIA)
  88. InfoSecIITR (Indian Institute of Technology, Roorkee, INDIA)
  89. xSTF (University of Porto, PORTUGAL)
  90. SoftSec (ITU, TURKEY)
  91. Euregone (EURECOM, FRANCE)
  92. PwsecTeam (LPU, INDIA)
  93. Ug0tpwnd (National Autonomous University of Mexico, MEXICO)
  94. [LIFE] Sudo SU (Siberian State University of Telecommunications and Information Sciences, RUSSIA)
  95. Nupakachi (Hanoi University of Science and Technology, VIETNAM)
  96. pixels (Moscow Higher Combined Arms Command School, RUSSIA)
  97. N0ty0urT4rg3t (FPT University, VIETNAM)
  98. LunarWinds (Singapore Management University, SINGAPORE)
  99. flag_not_found (University of Information Technology, VIETNAM)
  100. 4n0nym0u5 (Vignan Institute of Information and Technology, INDIA)
  101. Thelonestar (University of Bolton, UNITED KINGDOM)
  102. HgbSec (University of Applied Sciences Upper Austria, AUSTRIA)
  103. Teilzeit-Schwenker (Saarland University, GERMANY)
  104. 5h1eLd (Tezpur University, INDIA)
  105. benctfbilmem (Istanbul Gelisim University, TURKEY)
  106. Cyber_Guys (Bharath University, INDIA)
  107. pcstar (Savitribai Phule Pune University, INDIA)
  108. SOCTEAMPH (Holy Angel University, PHILIPPINES)
  109. FBTsrkt (FPT University, VIETNAM)
  110. a0 (Tomsk Polytechnic University, RUSSIA)
  111. HugsforBugs (Islamic University of Technology, BANGLADESH)
  112. CyberSpace (Troy High School, USA)
  113. 6R1G4D4 (MIREA – Russian Technological University, RUSSIA)
  114. cheeeesy (Ural Federal University, RUSSIA)
  115. ZenHack (University of Genoa, ITALY)
  116. INSERT_NAME (College of Southern Nevada, USA)
  117. Towson University (Towson University, USA)
  118. SPbCTF (ITMO University, RUSSIA)
  119. Federal_Bonk_Investigations (University of Information Technology & Sciences, BANGLADESH)
  120. xSpark (Various Edu Institutes, INDIA)
  121. exzettabyte (University of Amikom Yogyakarta, INDONESIA)