HC's Capture the Flag site

News: Registration is open for Cipher 5 and the HAR CTF. Go ahead and register!

Capture the Flag at Easterhegg 2008

The CTF is over

Special thanks to...


Update: The money was not claimed; no one found a vulnerability. The offer still stands. Download the sources.

What is a CTF?

A Capture the Flag (CTF) contest is a contest about IT security. The goal of a CTF is to learn about security vulnerabilities in network application and/or system software. This CTF focuses on application security.

Several teams participate in a CTF; each team is operating a network server that runs network services that contain artificial security vulnerabilities. Teams must find these vulnerabilities and fix them on their own machine, while proving the found vulnerabilities pose a real security threat by exploiting them on their opponents' machines.

If you have never participated in a CTF, you may want to take a look at this good example of application-layer security holes.

Who can participate?


We are trying to make this CTF interesting both to beginners and experienced CTF players;-). Besides several pretty hard-to-find/fix vulnerabilities, this CTF will also include easy stuff for beginners who want to learn about IT security or just have some fun participating in the CTF.

To participate, you need a computer, and you should organize in teams. We will provide you with a network uplink, but please bring your own cables and power cords.

Each team needs one working copy of the latest VMware workstation.

If you want to participate, please add your team to the CTF team list.

Additionally, you can subscribe to the eh08 ctf mailing list by sending an empty message to ehctfusers-subscribe at server dot hcesperer dotorg. This is a low-volume moderated announcement list.

What to bring

The CTF will take place in a virtual network. We will provide each team with one uplink to that network (you will also have internet access through that uplink).

You need to bring the following equipment yourself:

How exactly does the CTF work?

Each team is assigned an IP address range, as well as a specific IP address the network server must listen on. The network server will run in a Virtual Machine, called VMware workstation, so that no matter how severe the security holes are, your own computer is never affected.

After all teams booted their network servers, the gameserver is started.

The gameserver regularily distributes data fragments (so called flags) to the services. The services store these flags; each flag is associated with a flag ID. Later, the gameserver retrieves the flags from the services. Each successfully retrieved flag gets the according team one defensive point.

If you cracked an opponent's service, and you managed to obtain one or more flags from it, you can present these to the gameserver. The gameserver checks the presented flags against a database and awards points for each valid flag.

In this CTF, the flags are 32 byte values represented by 64 byte strings matching [A-Fa-f0-9]{64}. A typical flag looks like this:


The Flag IDs are arbitrary strings of variable length.

See also

More information

You may want to check out the CCCamp07 CTF site. You will find vulnerable services there, as well as our scoring board for download.

The rules

Read more about the rules. To sum it up: Don't do any network layer traffic filtering, do not perform DoS attacks and do under no circumstances abuse the learned skills. The hosters' computers are off-limits. Do not try to crack them.


You can contact the organizers via jabber at: (g0ph3r|esperer) at jabber dot ccc dot de Alternatively, send an email to hcathcespererdotorg.
Powered by FreeBSD

$Id: index.html 546 2009-06-09 15:10:09Z root $ Impressum