HAR-CTF rules


The intention of this CTF is to raise public awareness of the importance of security in IT technologies. It aims to create an environment in which teams of students and other interested parties can use their skills in a contructive way.

The teams' remit is to uncover vulnerabilities in custom services and subsequently fix them - whilst maintaining service functionality for as long as possible. Also, all teams are encouraged to write advisories, informing others about potential software flaws and how these might be dealt with. In addition to that, teams may try the exploits they find on other teams' machines that way, to prove they correctly understood the impact of the weaknesses they found.


A gameserver distributes random data fragments (called flags) to all services. It later collects these flags to see if the services are functional. If a team gets access to a flag of another team (i.e., captures that flag), it may report the flag to the gameserver.

For each captured flag, the capturing team earns one offensive point. For each successfully defended flag, the defending team earns one defensive point.

A flag is owned by the team it is distributed to, i.e., the team that knows what the flag looks like without having to exploit any service.

A flag is considered defended if it was successfully retrieved from the host it was originally posted to, and was not reported by any team beforehand.

A flag is considered captured if it is not yet considered defended, and was reported to the gameserver by a team that does not own the flag and has the service the flag originates from running. Flags that were successfully defended are no longer valid.

Each team may report a flag only once; the same flag may be reported by multiple teams. Teams may not report their own flag; however, an attempt to do so will not be punished.

Advisories are rated on various criteria; no more details are available - just be as thorough as you can when writing advisories;)


Modifying services in unfair ways is considered a foul. Any modification is considered unfair if it gives the gameserver an unfair advantage. The gameserver should be seen as a normal user of the service; if, for example, the service's functionality is reduced to the subset the gameserver requires, you are preferring the gameserver over others.

If a foul is detected, the team in violation is deducted one rule compliance point. Fouls are detected automatically.


Starting time: August 14th 2009, 10 PM CEST


Teams are ranked for each category. The team with the most points in a category is ranked 100 (top). Teams with no points in a category are ranked 0. All others lie in between.

Each team is awarded 0-100 score points. Each category weighs a quarter for the calculation of score points.

Teams are ranked from 1 to n where n is the number of teams. The more score points a team has, the higher it is ranked.


The CTF will last between 12 and 24 hours.

Discouraged actions

This is an exercise that emphasises on application layer security.

The following actions are discouraged:

Violations may result in the violator being banned from the game.

Extra tasks

After a certain period of time, an extra task will be announced. Completion of this extra task will finish the game and win the team that solved the task first 100 offensive points.