The competition is co-organized by XCTF League and HITB and will be a mixed-style CTF competition that includes both Jeopardy-style challenges and an attack & defense service segment for teams to play with. Accepted teams must either be invited or have qualified based on previous XCTF League or CTFTIME ranking.
The contest is hosted on-site utilizing the CP-OJ and CP-AD Contest Platform developed by Cyber Peace Technology, China. Challenges are authored by blue-lotus CTF Team – the initiator of XCTF International League, as well as some hackers from The Order of the Overflow (New Lords of DEFCON CTF), PPP (one of the greatest CTF Teams on the planet), and of course the HITB CTF Crew.
For the on-site game, we have a capacity for 30 teams (no more than 4 players per team). 18 teams have already pre-qualified through qualification contests and 6 international teams have been pre-invited according to the ranking list of CTFTIME 2018.
The game will run for 30 hours over the 2 days of the conference (1st & 2nd November, starting at 09:00 BJT and ending at 18:00 BJT on Day 1, then restarting on Day 2 at 09:00 BJT and ending at 17:00 BJT). This includes both a one-hour lunch break and a hardware hacking break. The onsite contest will be hosted in the FREE TO ACCESS CommSec area of the conference. You do not need to be a paid conference delegate in order to compete.
The XCTF Finals 2018 will be an AD-style contest against several AD Services together with some Jeopardy Challenges, running in parallel, so teams need to decide how to allocate their time and resources in solving the different challenges.
For the Jeopardy-style portion, there will be multiple categories including reverse engineering, pwnable, artificial intelligence (AI) hacking, hardware hacking, web penetration, crypto, forensic analysis, network analysis and more! The more challenges you beat, the more points you get. Points for each challenge will be dynamically calculated according to the number of teams who manage to solve it. Higher-difficulty challenges that fewer teams have solved will carry more points, so teams should choose a strategy that optimizes for high returns.
For the AD-style contest, we will employ rules similar to those used at DEFCON CTF 2018 Finals: the scoring rule will be “cumulative” rather than “zero-sum”.
The final score takes into account these factors:
- Attack points (earned by stealing flags from other teams’ services) will account for 20% of your total score.
- Defensive points (earned by maintaining your services against attack by opposing teams) will account for 20% of your score.
- Jeopardy challenge points (earned by solving the jeopardy challenges) will account for 60% of your total score.
- Jeopardy challenge points will be based on PoC submission and Final code + flag submission.
Note: There is no “SLA” or “uptime” score.
- Defensive points are incremented by 1 for each of your services that remain unexploited.
- Attack points are incremented by 1 for each flag that you retrieve, except for your own.
The organizer will not permit you to run broken services. To facilitate this, we have taken control of all service machines and will manage them for you.
You will submit your patches for evaluation by the organizer. If your patch does not pass functionality tests, it will not be deployed. If your patch somehow fails functionality tests after deployment, it will be reverted.
The organizer frowns upon automated defenses. Most services will severely limit the files that can be patched, and the number of bytes that can be changed. Plan accordingly.
The winners of the following events have automatically pre-qualified for the finals:
Eat Sleep Pwn Repeat (Germany) – Winners of the HITB-XCTF GSEC CTF 2018 Finals
XMan (China Mainland) – Winners of the HITB GSEC .edu CTF
Nu1L (China Mainland) – Winners of SCTF 2018
Dubhe (China Mainland) – Winners of SUCTF 2018
CyKor (Korea) – Winners of RCTF 2018
0ops (China Mainland) – Winners of *CTF 2018
r3kapig (China Mainland) – United Team of Eur3kA (N1CTF 2018) + FlappyPig (XCTF Finals 2017)
AAA (China Mainland) – Winners of WHCTF 2017
The TOP 17 teams from the 4th XCTF ranking have also pre-qualified for the finals:
Vidar-Team (China Mainland)
kn0ck (China Mainland)
ROIS (China Mainland)
****** (China Mainland)
Balsn (Chinese Taiwan)
SU (China Mainland)
Redbud (China Mainland)
Whitzard (China Mainland)
Lancet (China Mainland)
De1ta (China Mainland)
We’re looking to host an additional 12 CTF teams. Please send a registration email with your team name to firstname.lastname@example.org. We will approve the registered teams and send out invitations. Please send us the following details:
- Team Name + Country of origin
- Team Leader’s Name/Handle + Email Address
- Team Members’ Names/Handles + Email Addresses
- Past CTFs that your team has participated in and your final ranking/score (links where appropriate)
Things to Bring (for on-site teams)
- Network cables
- Extra power sockets / power gangs / power adapter.
- (Suggested) 4G Router for your own dedicated Internet access
We try hard to keep the competition as free and exciting as possible; however, we do require teams to adhere to a few simple rules:
- Show up on time or you’ll miss the briefing
- No cooperation between teams with independent accounts. Sharing of flags or providing revealing hints to other teams is cheating, don’t do it.
- No off-the-shelf automated scanning tools such as Nessus, OpenVAS etc. It’s useless and we’ll kick you out for being lame.
- No attacking the competition infrastructure. If bugs or vulns are found, please alert the competition organizers immediately.
- Absolutely no sabotaging of other competing teams using SE or physical attacks, or in any way hindering their independent competition progress.
- No brute forcing of challenge flags/keys against the scoring server.
- DoSing the CTF platform or any of the jeopardy challenge services is forbidden.
- All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all the players must leave the CTF area so that the CTF Crew can perform maintenance work. Teams who don’t adhere to the rules will be penalized or disqualified from the competition.
- The organizer reserves the right to issue long-term (>1 year) bans from all HITB and XCTF contests.
At all times, the decision of the HITB and XCTF Crew is final on any matter in question.