HITB PRO CTF

World’s top 25 CTF teams battling for US$100,000
Days
Hours
Minutes
Seconds

TLDR;

Who?
25 winning teams (3 - 5 members per team) from various Capture the Flag contests from around the world.
What?
a new style of attack and defense CTF contest over 3 days.
When?
15th, 16th & 17th October
Please join #ctf channel at our official slack workspace: http://hitbcyberweek.slack.com
Where?
HITB+CyberWeek @ Emirates Palace, Abu Dhabi

Prizes

1st Place - US$50,000

2nd Place - US$30,000

3rd Place - US$20,000

In The Year 3030, time is more valuable than currency. Time is life.

We thought the curator would save us...

Part machine, and all AI – at first we thought the Curator would save us. An all knowing, interconnected super intelligence driven by quantum computing breakthroughs from the 2050s, we created these sentient AIs to help make our lives simpler, to make our lives better. We thought such a creation would free us from the shackles of work – the freedom to live our lives without a care in the world. The freedom to choose how we would spend our time.

Things were good for several years – several generations even. We expanded our creativity, spent time imaging what the future could look like and The Curator took care of running more and more of our existence.

At first it was just the small things – telecommunications, transport – then we added healthcare and government. When we banished our High Council of AI Ethics and let The Curator ultimately decide every decision we would ever make, we sealed our fates.

Now time is running out to save ourselves.

The Curator has now sent out a challenge that’s going to take the best of the best. The original cyber cowboys. The mission is simple but the stakes are high and this is a fight like no other. It’s time to hack cyber cowboys,  because time is all we have!

Join The Worlds' Best CTF Teams

Rules that govern our system

These rules are similar to the RuCTFE contest rules, but for those of you who haven’t ever played RuCTFE or other classical attack-defence CTF competition, please read this carefully. 

Here some general gameplay is described, the exact scoring rules will be announced later, on the evening before the game.

At the venue you’ll have a switch on your table that is already connected to the remote machines where some operating systems with vulnerable services run — they are called vulnerable images. All the teams have identical set of vulnerable images. There are also cables for your laptops to connect to the switch — please use them. 

All the computers — both team members’ laptops and vulnerable images — are connected via wired local network so you can send requests to other teams’ vulnerable images. They will have similar IPs: for the first team it would be 10.60.1.X, where X is a number of vulnerable image, for the second team it would be 10.60.2.X, for the third — 10.60.3.X, etc. 

Game structure

Every day the network will be closed for the first hour from 9AM to 10AM, so you can look through the images and services. At 10 AM we open the network and you can attack other teams yet being hacked by others. Also the checksystem starts its work.

Checksystem is orgs’ server that checks if services work as expected. Every game round (1 round = 1 minute) it checks all the services of all the teams and if something fails — the SLA of such a service will decrease. This may happen if you tried to patch the vulnerability in your service and broke its main functionality. Or if other team has deleted something critical from your service. 

The other important function of checksystem is to put some secret information in the services, we call it “flags”. A flag is a string that consists of 32 chars: digits, capital letters and “=” symbol in the end and can be described with the following regexp: ‘[A-Z0-9]{31}=’. It looks like this: 72DZHJQ509TPKPGRB1J9T7T9W6VVL5R=. 

During these three days we’ll unlock new services and shut down those ones we consider to have already done their work. We’ll announce the full algorithm later. 

Capturing the flags

You can capture the flags in any way except the physical one 🙂 You are not allowed to destroy other teams’ infrastructure (like running rm -rf /) or generate a large amount of traffic, otherwise we can disqualify you.

Once you’ve captured someone’s flag, send it to orgs as soon as possible by performing a HTTP request to http://10.10.10.10/flags using PUT method, X-Team-Token header (you’ll get your token right before the game) and a json payload with flags.

Here is an example:

$ curl -s -H ‘X-Team-Token: your_secret_token’ -X PUT -d ‘[“PNFP4DKBOV6BTYL9YFGBQ9006582ADC=”, “STH5LK9R9OMGXOV4E06YZD71F746F53=”, “0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=”, “PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=”]’ http://10.10.10.10/flags | json_pp

[

   {

   “msg” : “[PNFP4DKBOV6BTYL9YFGBQ9006582ADC=] Denied: no such flag”,

   “status” : false,

   “flag” : “PNFP4DKBOV6BTYL9YFGBQ9006582ADC=”

   },

   {

   “msg” : “[STH5LK9R9OMGXOV4E06YZD71F746F53=] Denied: flag is your own”,

   “flag” : “STH5LK9R9OMGXOV4E06YZD71F746F53=”,

   “status” : false

   },

   {

   “status” : false,

   “flag” : “0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=”,

   “msg” : “[0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=] Denied: you already submitted this flag”

   },

   {

   “msg” : “[PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=] Accepted. 1.73205080756888 flag points”,

   “flag” : “PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=”,

   “status” : true

   }

]

If the flag was put into the image in the last 15 minutes, you’ll earn FlagPoints (FP). The amount of FlagPoints depends on the victim team’s position on the scoreboard relative to you in the previous round. It is more FP-efficient to hack the teams that are higher than you.

If your flags were stolen, your FlagPoints will decrease, but never gonna fall below 1.

Teams are allowed to

  • Do whatever they want within their network segment. Most likely the team would  patch vulnerabilities in their services or block exploitation of vulnerabilities;

  • Attack other teams. Didn’t expect that, huh?

Teams are prohibited to

  • Filter out other teams’ traffic

  • Generate a large amount of traffic that poses a threat to network stability of organizers’ facilities

  • Generate a large amount of traffic that poses a threat to network stability of any other team

  • Attack teams outside the game network

  • Attack the game infrastructure facilities operated by organizers

Also there’s a certain class of problems that the teams cannot reasonably fix on their own, so we kindly ask the participants to refrain from:

  • Obscuring the flags by flooding the services (be it their own or other teams’) with the large amounts of data

  • Application level DoS attacks on other teams

  • Other uncompetitive actions that could ruin the fun of the game

Scoreboard

During the game, the scoreboard will be available at the main screen and at http://10.10.10.10.

Apart from FlagPoints, SLA and total score, scoreboard shows statuses of each service. Statuses are as following:

  • OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.

  • MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn’t respond on request, or some of its functionality has been broken.

  • CORRUPT — means that service is online, but past flags cannot be retrieved.

  • DOWN — means that service is offline.

Scoring system will be announced later.

Join and win one of the contests on the right, and we'll fly you to HITB+CyberWeek!

Pre-qualified teams

All invited teams will receive up to USD 1200 per member for flights, for up to 5 members and be provided with hotel accommodation for 4 nights / 5 days! 

    1. Eat Sleep Pwn Repeat (HITB2018 Overall Champions & Winners of HITB2019AMS CTF) 
    2. RedRocket (CyberSec Challenge Germany & HITB2019AMS CTF 2nd Place)
    3. Hack.ERS (HITB2019AMS CTF 3rd Place)
    4. dotRA (Winners of PHDays 2018)
    5. DEFKOR00T (Winners of DEFCON 2018 & HITCON CTF 2018 2nd Place)
    6. True0xA3 (WInners of PHDays 2019 CTF)
    7. TokyoWesterns (Winners of BCTF 2019)
    8. Tower of Hanoi (Winners of RUCTF 2019)
    9. saarsec (Winners of RUCTFE 2018)
    10. Bushwhackers (Winners of iCTF 2019 & RuCTF 2018)
    11. Dragon Sector (Winners of 0CTF 2018 & HITCON 2018)
    12. r3kapig (Winners of 0CTF 2019 & BCTF 2018 & XCTF Finals 2018)
    13. LC↯BC (Winners of Insomni’hack 2019)
    14. PDKT (Winners of HITBGSEC 2019 CTF)
    15. r3billions (Winners of Arab Regional CTF)
    16. mHackeroni
    17. H3X VI5ION
    18. 4horsemen
    19. root4fun
    20. TBA (Winners of Cyber Battle of the Emirates)
    21. RESERVED
    22. RESERVED
    23. RESERVED
    24. RESERVED
    25. RESERVED

    Contest Organizers

    RUCTF + HITB CTF

    Polina Zonova

    hackerdom team

    Polina has Master’s degree in Mechanics and Mathematics of Perm State University. Now she works as a senior software engineer at SKB Kontur specializing in distributed fault-tolerant services. To bring some security-related tasks into everyday work she has started creating a SSDLC (security software development lifecycle) at her department. She also teaches computer science courses to both students and newbies at work.

    Polina was a service developer in RuCTFE and task developer for jeopardy-style RuCTF Olymp.

    Konstantin Plotnikov

    hackerdom team

    Konstantin was a member of HackerDom team from the very beginning. He took part as a team player in a lot of CTFs including DEF CON CTF and Nuit du Hack CTF. He also participated as a service developer or techlead in nearly all of RuCTFs and RuCTFEs.

    Konstantin together with Dmitriy Titarenko has created a popular B2B service for contractors inspection and works as a senior software developer at SKB Kontur.

    He also had taught computer science at the Ural State University.

    Dmitriy Titarenko

    hackerdom team

    Dmitriy works as senior software engineer and has more than ten years of .NET development experience, building scalable services with high availability. Last five years he has been involved in secure development and researching at SKB Kontur.

    As a part of HackerDom team Dmitriy took part in RuCTF and RuCTFE as a service developer since 2014.

    Aleksander Bersenev

    hackerdom team

    One of the oldest members of HackerDom team. He has Master’s degree in Mechanics and Mathematics and works as a cluster administrator and  teaching assistant in the Ural Federal University. He enjoys both playing CTFs and also finding vulnerabilities in real services. Thus he belongs to top 5% hackers on HackerOne – a popular bug bounty platform. Ha also has found an important vulnerability in Siemens Hardware.

    Aleksander took part in tons of CTFs as a player and was involved in developing of all the RuCTF and RuCTFE since 2009. He often combines roles of service developer and network administrator.

    Mikhail Vyatskov

    hackerdom team

    During the university years, besides being involved in playing and developing CTFs, Mikhail was participating in competitive programming competitions. Nowadays Mikhail has experience working on security-related projects in production, most notable examples being audit logging subsystem in Kubernetes cluster management system and authentication/authorization systems.

    He was a service developer in RuCTF every year between 2013 and 2018 and in RuCTFE between 2014-2017.

    Andrey Gein

    hackerdom team

    Andrey works as a senior software engineer at Yandex company. He is a very enthusiastic member of HackerDom team and spends a lot of time teaching and training new hackers. He has created an online course on information security that has about 5000 views on youtube.com. He also gives onsite classes to students and organizes a special CTF for newbies who want to practice their hacking skills.

    He has developed a lot of CTFs, including RuCTF, RuCTFE, PHDays CTF and QCTF.

    Arthur Khanov

    hackerdom team

    Arthur has a lot of academic interests. During his postgraduate studies in Saint-Petersburg State University he created a fast disassembler for ARM codes, a neural network on chip, a virtual machine for operating with attribute trees and an operating system for testing algorithm.

    He took part in a number of CTFs as a member of HackerDom team both as a player and as a service developer.

    Andrey Khozov

    hackerdom team

    Andrey is co-founder and Chief Technology Officer at RYDLAB IT company since 2012. He has Master’s degree in Mathematics in Computer Science at Ural State University. He also had been teaching programming at the same university for five years. He had been developing services and checksystem for RuCTF and RuCTFE for ten years, moreover, he was one of techleads of the developers team.

    Dmitrii Simonov

    hackerdom team

    Dmitrii works as a software developer at Yandex company and at Regional Education and Science Center “Intellectual systems and Information security” of Institute of Mathematics and Computer Sciences, so he has massive experience in both programming and information security.

    He also teaches operation systems at the Ural State University.

    He has a lot of experience not only in developing services for our CTFs, but also in network administration, assembling and administration of vulnerable images.

    Artem Zinenko

    hackerdom team

    Artem works as a senior research developer at Kaspersky Lab, in an Industrial Systems Emergency Response team. He has reported a lot of vulnerabilities to well-known instruments including but not limited to: TeamCity, Octopus Deploy, Mosquitto. He also contributes to some open-source projects, for example: chronograf, kapacitor, ansible.

    Artem has a huge enterprise experience – he worked as a team lead in two high-performance projects: a search engine system and EDS issuing center.

    Roman Bykov

    hackerdom team

    Roman works as a Software engineer at SKB Kontur. His work is connected with system reliability and failure incident investigation. He had been developing services for RuCTF and RuCTFE since 2016 and as early as in 2017 he managed to become a team lead of developers team.

    Ingmar Steen

    hitb.nl / CONTEST coordinator

    Ingmar is a software developer turned security consultant, turned back to software developer to ensure best practices get introduced at an early stage in the development cycle.

    Besides doing paid-for work, he is also an enthusiastic creator and contributor to several open source projects. Before entering the security industry professionally, he participated as a team player in various CTFs.

    He is also a member of the HITB.nl Capture the Flag main organizing team authoring challenges and building the infrastructure to run the challenges on. He is the lead coordinator for the PRO CTF contest at HITB CyberWeek.

    CTF VIZUALIZATION TEAM

    GENERAL ARCADE

    Andrei Topilin

    Project Manager

    He has 10 year experience as network engineer. Andrei worked as a senior software engineer and team lead on projects for the biggest network equipment manufacturers and telecommunication companies.
    For the last two year, Andrei works as project manager for General Arcade.

    Anton Savinov

    Art Direction, Concept Art, UI Design

    Co-founder, art director and game designer of General Arcade. Has a Master’s degree in Architecture at SSTU and ten years of experience as an illustrator, graphic designer and comic book artist. Worked on projects for Unity Technologies, 3D Realms, Devolver Digital, From Software and many others.

    Stanislav Vlasko

    Gameplay Programmer

    He has bachelor’s degree in Applied Math and Informatics of Saratov State University. He took part in ACM ICPC competitions. With this algorithmic and math background Stanislav became experienced data scientist. Three years, he worked as software engineer at “Otkritie” bank (one of the biggest banks of Russia) and next two year at General Arcade.

    Georgy Reshetnikov

    System Engineer

    A newcomer in General Arcade, Georgy worked in a company, specialized in flaw detection.  As a software engineer with experience for about 9 years, he participated in the development of products, which are now used in gas and oil companies in the different countries.  His main area of expertise is a data analysis and signal processing.

    Alexander Novikov

    Backend Engineer

    He has a bachelor’s degree in Robotics of Saratov State Technical University.
    Alexander worked as an embedded software engineer on projects for avionics and EV manufacturers. For the last year, he works at General Arcade.

    Lead Organizer

    HackerDom

    HackerDom appeared in 2005 at the Faculty of Mathematics and Mechanics of Ural State University. Our main interests is studying of information security, participating in Capture the Flag competitions and organizing our own competitions. Besides RuCTF, we’re making international online Attack/Defence challenge RuCTFE and task-based CTF for newbies QCTF.

    General Arcade is a porting house and co-development studio with offices in Russia and Singapore. General Arcade was involved in development of following titles and IPs: Metal Wolf Chaos XD, Duke Nukem 3D, Dragons Dogma, Shadow Warrior, Tooth and Tail, Tacoma, Hotline Miami 2, Gone Home, Luftrausers, Project Zomboid, etc.