
Conference Materials: http://conference.hitb.org/hitbsecconf2007kl/materials/

Official Photos: http://photos.hitb.org


Filed under: Main Page — Administrator @ 1:59 pm


The objective of the game is for teams to gain as many points as possible by defending their servers and attacking other teams’ servers. Teams will be given an identical pre-configured VMware image of a Gentoo Linux installation. There will be custom services running on the server. These services contain vulnerabilities, such as buffer overflows, format string bugs and so on. The teams’ objective is to analyze the services, find vulnerabilities and write exploits. As such, the following skills are needed:

- Reverse engineering
- Binary analysis
- Debugging
- Exploit writing

The ability to write a working exploit will enable the team to attack other servers, retrieving the flag associated with each service running on the server and thus scoring an offensive point. The ability to keep the services running will enable the teams to score a defensive point.


Prior to the actual game day, registered teams will be given a binary that needs to be cracked. Cracking the binary will provide the team with a code which they must give to the CTF organizing team in return for root access to the VMware image. This binary will be emailed to all participating teams on 2nd September, 3 days prior to the game. Failure to crack the binary does not mean teams will be disqualified - it just means they will not have root access to their own servers during the game day and risk losing.


Offensive Points: Gained by hacking into other teams’ servers and retrieving their flags.
Defensive Points: Gained by keeping your server’s services running.

In order to score an offensive point, all that a team needs to do is hack into another team’s server, retrieve the flag, and submit it to the score server. In order to get a defensive score, teams must keep their services running and accessible to the ScoreBot. The ScoreBot will periodically connect to the team’s server and perform either of two actions: set new flags on the services and/or retrieve flags from the services. Failure of the ScoreBot to complete either of these 2 actions when it connects will result in point deductions.

More points are given for offensive attacks than for defensive scores. Defensive scores are the same for all services, while offensive scores vary depending on the complexity level of the exploit needed to hack the service. During the course of the game, the score server will randomly set new flags on each team’s services. This means that a service can have as many as 10 unique flags throughout the game - so if a particular team has an exploit against this service, they can get 10 times the points multiplied by the number of teams.


- No flooding and/or DoS attacks. Teams will be penalized by disqualification, points deduction or time penalty.
- No harassment of other opponents.
- All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all players must leave the game area so that the CtF judges can update the score and/or do maintenance work, etc.


1.) Padocon (Korea) - DEFENDING CHAMPIONS
2.) Army Strong (US Army)
3.) Scanit ME (UAE)
4.) Qb1t (Singapore)
5.) DTF07 (Malaysia)
6.) Powerhacker (Korea)
7.) WsLabi (Switzerland)
8.) Stealther (Malaysia)
9.) t3nth (Singapore .edu)
10.) SaoVang (Vietnam)

Final Judgement

At all times, the decision of the CtF Organizing Team is final on any matter in question.


1st Place - USD3,000
2nd Place - USD2,000
3rd Place - USD1,000

All prizes are sponsored by SCAN ASSOCIATES BHD

Source Code

The CTF organizing team reserves the right to release or not to release the source code of the services during the game.


The HITBSecConf organizing committee would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came up with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!


Event Organizer

Hack In The Box (M) Sdn. Bhd.

Supported & Endorsed By

Malaysian Communications and Multimedia Commission (MCMC)

Malaysian Administrative Modernisation & Management Planning Unit

Platinum Sponsors

Microsoft Corporation

Gold Sponsors


Official Airline Partner

Internet Bandwidth Sponsor

Global Transit

CTF Sponsor

Scan Associates

CTF Prize Sponsor

Scan Associates

Sponsor for Zone-H/HITB Hacking Challenge


HITB Cinema Sponsor

Avenuz Sdn. Bhd.

Official Creation Station

The Womb.com

Our Speakers are Supported By

F-Secure Corporation

Arbor Networks


Bellua Asia Pacific


Mozilla Corporation

Mu Security

Supporting Media:

Virus Bulletin

InfoSec News

XAKEP (Russia)

Insecure Magazine

PHRACK Magazine

Hakin9 Magazine

Supporting Organizations

Chaos Computer Club

ISECOM - Institute for Security and Open Methodologies


IT Underground

X-Focus China

Zone-H Defacement Mirror

Xatrix Security

Special Interest Group in Security & Information InteGrity Singapore