Main   Speakers   CtF   Venue Map   Press/Media   Itinerary   FAQ   Contact   Forum
HITBSecConf 2003 Capture the Flag Game


OpenHack 2003
Registered Teams
CtF Game Concept
CtF Game Rules
CtF Game Play and Scoring
CtF Game Hints
CtF Game Participation
CtF Sponsors

OpenHack 2003

As part of this year's Capture the Flag competition, we have decided to include an OpenHack competition as well. This contest is open to all teams that have registered, and also to any individuals that are interested in participating. Individual participation for OpenHack is FREE!

What is OpenHack?

There will be two targets setup: A fully secured and fully patched Microsoft Windows machine either running Windows NT or 2000, and a fully secured and patched *nix machine (distribution to be determined). The goal is to hack/crack into the servers.

Who can participate?

Anyone can participate, including speakers! No kidding. All you need to do is indicate your interest to participate during the event, and you are set. Ensure that you have your own notebook and tools because we are not providing any.

What about teams participating in the CtF?

Teams participating in the CtF can also join in. OpenHack will be setup as a bonus flag - if any of the teams can penetrate either of the machines, they will be given extra points.

What happens when the machines are compromised?

Once the machines have been broken into, they will no longer used, and OpenHack will come to an end.

What else do I need to know?

If you are able to compromise either of the machines, you will be allowed to present to the public the method in which you accomplished the task. If however you do not wish to present, the organizers will do so on your behalf. If you FAIL TO DOCUMENT how you penetrated the machines, you will not be DISQUALIFIED.


Registered Teams

The following teams have registered and confirmed their participation for the CtF's game:

  • Digital Transcendence Force
  • Insatiable
  • Palladium Group
  • Noname - Singapore
  • Ingramz - Singapore
  • Blackhawkdown - India
  • -m0s-
  • Top

    Game Concept

    Attack and Defend

    This CtF will be the third CtF game to be held in Malaysia, after the hugely successful game held during HITB Security Conference in 2002 and INFOSEC 2003. While the previous two games focused on attack, this year's game will focus on both attack and defense - whereby each participating team will be given a server to defend, and they can attack other participant's servers as well. As such, participants must know how to attack and plant flags on opponents's servers in order to score points, and at the same time, know how to defend their own box from being compromised.

    Defending Vulnerable Services/Code

    Sounds easy? Think again. Prior to the game, teams will be given a reference distribution server that they have to set up within a specific time frame - All services on the reference server MUST RUN! Do note though that the services may or may not be vulnerable. Some of the services may or may not be needed to run at all. There will be a score server that will attempt to establish connections to the services and ensure they are running. Points will be given if the service is up, or deducted if the service is down. The problem here is, teams will not know which services the score server will check before hand. Thus, they must be able to differentiate between legitimate score server connections and attacks from opponents during the competition itself.

    Rapid Deployment

    Anytime during the game, the CtF judges may require new services or applications to be added the server. One example is the famously vulnerable PHPNuke. Vulnerable PHPNuke source will be given to the teams, who then have to deploy it within a time frame (failure to get it up within the allocated time will results in point deduction), and at the same time, teams will have to patch all vulnerabilities in the above mentioned application.



    1. NO flooding of network. A 30 minutes NO GAME penalty and points deductions will be given to teams that who are found to be flooding the network.
    2. NO Denial of Service (DoS) attack. A 30 minutes NO GAME penalty and points deductions will be given to teams that are found to be launching attacks
    3. All teams must obey PIT STOP calls. PIT STOP calls are rest intervals where all teams must leave the game area to facilitate for the CtF judges to update the score, and or do maintenance work etc.
    4. NO harrassment of other opponents (verbal abuse, etc).
    5. NO physical attack.
    6. NO attacking of score servers. Teams that attack score servers will be given points deductions.


    Game Play

    The Game

    1. Teams are allocated their own network block.
    2. They must defend one host and keep it running.
    3. Teams attack each other.
    4. Teams with the highest accumulated points at the end of the game wins.
    1. +10 points for each successful flag/service request from score server.
    2. +20 points for each successful flag planted on opponent server.
    3. -10 points for each failed flag/service request from score server.
    4. -20 points if server is compromised and opponent's flags is detected.
    5. -100 points for DoS attack.
    6. +30 points for teams that set-up server within 1 hour of distro handout. After 1 hour, 10 points will be deducted for every 30 minutes until the server is up.
    7. +30 points for new service/application which are set up within 10 minutes of service requests from the CtF judges. After 10 minutes, 10 points will be deducted onwards until the service/application is up and running.

      NOTE: Keeping services up and running is vital to get more points. Team scores are updated after every service poll. This will give the teams hints as to what/which services the score server will be polling for.
    1. Teams will be given reference CDs that will contain the Operating System.
    2. They can choose to upgrade, port or replace the services.
    3. Teams can choose between three OSes: RedHat Linux, Windows 2000 Server, and FreeBSD for their server.
    4. Teams must indicate the choice of OS prior to the game.
    5. They can build whatever defence for their system around the services.
    6. Teams ARE NOT ALLOWED to run their servers off CDs. This is absolutely prohibited. Teams that are found to do this will be eliminated from the game.
    7. Teams ARE NOT ALLOWED to run their servers off honeypots. This is absolutely prohibited. Teams that are found to do this will be eliminated from the game.
    8. Firewalls ARE ABSOLUTELY outlowed.
    9. Teams ARE NOT ALLOWED to bring extra serves.



    1. Plan, plan, plan.
    2. Be organized. 1 team principal. 1 firewall/IDS expert. 1 l33t sysadmin. 1 l33t hacker. 1 code junky would be a good line up.
    3. Learn, learn, learn. Learn what the score server wants, and please it.
    4. Learn how attack Linux, FreeBSD and Windows 2000. It is not too late to do so!
    5. Choose your OS wisely. If you chose an OS with less security issues, then you will have less time defending and more time attacking others.


    How to participate

    1. Participation is limited to 15 teams only.
    2. Each team is limited to 5 members only.
    3. Registration fee is RM 200 per team.


    CtF Game Sponsors

    Compu-zone Sdn. Bhd.


    Supporting Organizations

    Malaysian National Computer Confederation

    Special Interest Group in Security & Information InteGrity Singapore
    Official Hardware Sponsor
    Silver Sponsor
    Silver Sponsor
    Silver Sponsor
    Bronze Sponsor
    Media Partners

    Official Media Partner

    Official Internet Magazine
    © 2003 Hack In The Box (M) Sdn. Bhd.
    HTML and PHP by spoonfork (mel at hackinthebox dot org)