Sign up
Events Introduction


This year, HITB-XCTF GSEC Capture the Flag contest will again be co-organized by HITB and XCTF League from China! An Attack & Defense Style CTF competition is planned for the 30th and 31st of August alongside the conference.

To select the best teams to play onsite, HITB and XCTF will organize a qualification competition during HITBSecConf2018 – Amsterdam. The qualification game is a jeopardy-style online Capture The Flag Competition, sponsored by JD Security with platform support by CyberPeace. The challenges for this qualification round is authored by the Champion Team of the 3rd XCTF League Finals — FlappyPig from China!

The qualification competition is hosted online and opened to all participants around the world. Teams can compete from any location. No restriction on the number of participants of any team. The Top 15 teams will be qualify for a spot to compete at the HITB-XCTF GSEC CTF 2018 Finals (30th – 31st of August).

Online Competition Time:

48 hours: From Apr 11, 2018, 15:00 p.m. to Apr 13, 2018, 15:00p.m., UTC/GMT +2

Competition Platform:

Online Qualification Criteria:

Top 15 teams (player limited to four) will be qualified for the HITB-XCTF GSEC CTF 2018 Finals on the 30th & 31st of August. Qualified teams are responsible for making their own travel and lodging arrangements to compete onsite in Singapore.

Online Qualification Challenge Categories

• Pwn
• Web security
• Crypto
• Reverse engineering
• Misc

Online Qualification Score and Ranking

• In most cases, flags are of format HITBXCTF{this_is_a_sample_flag}. Please submit the entire flag, including HITBXCTF{}, for score. If flag is in other formats, it will be clarified in the challenge description.

• The score of each challenge will be dynamically calculated according to the number of solved teams.

• Final ranking is determined by the total score of each team. In case of multiple teams with equal scores, the team that reached the score earlier ranks higher.

Online Qualification Contest Rules

• Teams breaking rules may be penalized or excluded from the competition.

• It is not allowed for teams with independent accounts to cooperate, or share any flag/hints.

• It is not allowed to attack the competition infrastructure. If flaws in the infrastructure are found, please report to us.

• It is not allowed to sabotage or in any way hinder the progress of other competing teams. This includes attempting to destroy a challenge after you have completed it.

• It is not allowed to generate large amounts of traffic. None of the challenges can be solved by running automated scanners.

• It is not allowed to brute-force challenge flags/keys against the scoring site.

• For placing teams to be qualified, they must submit a full and detailed writeup of each challenge, explaining how it was solved.

• Organizers may rearrange/modify contest problems, proceedings, and rules.

Online Qualification Contact

• Please join #hitbxctf2018 on freenode(English-speaking)

• QQ Room: 271910967 (Chinese-speaking)

• Email us at

Online Qualification Organizer :


Online Qualification Platform Support:


Online Qualification Sponsor:

JD Security

Online Qualification Challenge Authors:


XCTF International League Gold Sponsor:


If you want to the major security enterprises (Baidu, 360, Jingdong, MMSRC and so on) practice or work , can deliver resume to, XCTF League to help recommend!