Wed, 15 Oct. 2014, 02:00 UTC — Thu, 16 Oct. 2014, 10:00 UTC 


Kuala Lumpur, Malaysia

HitbSecConf CTF (Kuala Lumpur) event.

Format: Attack-Defense

Official URL:

Future weight: 20.00 

Rating weight: 20.00 

Event organizers 


The objective of the game is for teams (maximum of 3 participants per team) to gain as many points as possible by defending their servers and attacking other teams’ servers.

Teams will be given an identical pre-configured VMware image of a Linux installation – the root password will not be given to the team. There will be daemons running on the servers. Some daemons are puzzle-based challenges and some contain vulnerabilities such as buffer overflows, format string bugs and so on.

The teams’ objective is to analyze the daemons, find vulnerabilities and write exploits. A working exploit will enable the team to attack other teams' servers, retrieving the flag associated with each daemon running on the server and thus scoring an offensive point. The ability to keep the daemons running will enable the teams to score a defensive point.


Offensive Points = Gained by hacking into other teams’ servers and retrieving their flags.

Defensive Points = Gained by keeping your server’s daemons running.

Challenge Points = Gained by submitting the correct flags for challenges.

Total points = offensive points + defensive points + challenge points

In order to score an offensive point, all that a team needs to do is hack into another team’s server, retrieve the flag, and submit it to the score server. In order to get a defensive score, teams must keep their daemons running and accessible by the crew. Flag checks will be done randomly. If a flag check fails, teams will not gain a defensive point. Flags will be reset randomly as well, thus teams are allowed to harvest flags to gain more offensive points.

Higher points are given for offensive attacks as opposed to defensive scores. Defensive scores are the same for all daemons while offensive scores vary depending on the complexity level of the exploit needed. The first team able to exploit the daemon will gain a ‘breakthrough point’.

At the end of the competition, the team with the highest total points will be the one who rules the world! In case of two different teams having the same points, whichever team is quickest to reach the highest points will be declared the winner. As such, teams are advised to submit the flags as soon as they obtain them.

The CTF network will be isolated from the rest of the conference network and we will NOT provide Internet access on the CTF network. You are free to use the HITB conference wireless network.


1st prize – 1000 USD
2nd prize – 750 USD
3rd prize – 500 USD

Team that solves the most challenges first – 1.337 BTC

- NSHC Security (Cash Prize)
- Webroot (Bitcoin)