HITB-XCTF GSEC Capture the Flag


This year, HITB-XCTF GSEC CTF will again co-organized by HITB and XCTF League from China! An Attack & Defense Style CTF Competition is planned for the 30th and 31st of August alongside the conference.

The game is hosted on-site utilizing the CP-AD Contest Platform developed by CyberPeace Technology, China. Game challenges are authored by FlappyPig CTF Team, The Champion Team of 3rd XCTF International League.

For the on-site game, we have a capacity for a maximum of 16 teams (no more than 4 players per team). The game will run for 30 hours over the 2 days of the conference (30th & 31st August starting at 10:00SGT and ending at 18:00SGT on Day 1 and restarting on Day 2 at 10:00SGT and ends at 16:00SGT). The onsite contest will be hosted in the FREE TO ACCESS CommSec area of the conferenceYou do not need to be a paid conference delegate in order to compete.


The AD-Style HITB-XCTF GSEC CTF will use the traditional scoring rule of DEFCON CTF, i.e. “zero-sum” scoring rule.

Each team will be given the game machines that contain the same services, they need to maintain their own services, to keep them available to score server checking, and to defend them against other teams to guarantee the integrity and confidentiality of their secret flags, which will be updated each round by the scoring bot. They also need to find pre-planted or even unanticipated vulnerabilities from the services, and try to exploit the services of other teams to capture their respective flags or completely take down their service.

Each team will be assigned initial points and divided into point buckets for each service.

Integrity/Confidentiality Score Rule:

Team A’s service S was exploited and flag F was captured, then Team A’s score will be deducted by N Points – the N Points will then be divided to P pieces (P = the number of teams who successfully captured the flag F and submitted it to the score server), Teams will get N/P Points added to their score. If the point bucket of Team A’s Service S run out, then Team A will not lose points, and teams that captured the flag will not get any additional points.

Availability Score Rule:

Team A’s service S was checked and found to be down/invalid, then Team A’s score will be deducted N Points – the N Points will be be divided to Q pieces (Q = the number of teams whose service S was checked and found to be running correctly).  Teams will be given N/Q Points. If the point bucket of Team A’s Service S run out, then Team A will not lose points, and other teams will not get any additional points.


      1st Place : USD1500 + Flight to HITB Beijing’s Capture The Flag 2018

      2nd Place : USD1000

      3rd Place : USD500



CTF Main Sponsor & Prize Sponsor

Things to Bring (for on-site teams)

  • Laptops
  • Network cables
  • Extra power sockets / power gangs.
  • (optional) 4G Router for your own dedicated Internet access


We try hard to keep the competition as free and exciting as possible; however we do require teams to adhere to a few simple rules:

  • Show up on time or you’ll miss the briefing
  • No cooperation between teams with independent accounts. Sharing of flags or providing revealing hints to other teams is cheating, don’t do it.
  • No off-the-shelf automated scanning tools such as Nessus, OpenVAS etc. It’s useless and we’ll kick you out for being lame
  • No attacking the competition infrastructure. If bugs or vulns are found, please alert the competition organizers immediately
  • Absolutely no sabotaging of other competing teams, or in any way hindering their independent progress.
  • No brute forcing of challenge flag/ keys against the scoring server
  • DoSing the CTF platform or any of the challenges is forbidden
  • All participants must obey to PIT STOP calls. PIT STOP calls are rest intervals where all the players must leave the CTF area to facilitate for the CTF Crew to perform maintenance work.Teams who don’t adhere to the rules will be penalized or disqualified from the competition.

At all times, the decision of the HITB and XCTF Crew is final on any matter in question.

Pre-Qualified Teams

  1. KITCTF / Eat Sleep Pwn Repeat (Germany) – Winners of the #HITB2018AMS Capture the Flag contest

  2. Balsn (Chinese Taipei)

  3. CyKor (Korea)

  4. Injocker10K (Vietnam)

  5. LeaveCat (Korea)

  6. MeePwn (Vietnam)

  7. Dubhe (China)

  8. Eur3ka (China)

  9. Bushwhackers (Russia)

  10. AceBear (Vietnam)

  11. XMan (China)

  12. ISITDTU (Vietnam)

  13. W&P (China)

  14. NUS Greyhats (Singapore)

  15. AVICII (Korea)

Final Organizers


Platform Support

Challenge Author Team



If you have any questions, please send an email to ctfinfo@hackinthebox.org