Competition Rules


Key Dates and Times:
August 17, 2024 | Online Competition
Time: Each team will be notified of the competition start time by email. If you have not received an email notification before August 16th, please contact the organizers.
Language: The competition system and problems will be conducted in English.
Competition Introduction:
CTF is a popular form of information security competition internationally, known in English as "Capture The Flag," commonly translated into Chinese as "Flag Capture Competition." CTF competitions abstract typical flawed network environments into corresponding technical points and applications as problems, and verify whether contestants can analyze scenarios, resolve vulnerabilities, and exploit them through the preset Flag method, to test the contestants' actual grasp of network security technology. During the competition, team members work together to analyze programs and be the first to obtain a string with a specific format (commonly referred to as the Flag value) or other content from the competition environment provided by the organizers and submit it to the platform to score points.
Competition Content:
The competition will use the protection platform provided by Check Point to identify attack traces according to the problem instructions. The competition will be conducted in a scenario-based manner, and participants must complete the previous problem to answer the next one. The problems cover a range of types, including but not limited to:
- Weak encryption algorithms
- Local file inclusion
- Lateral movement
- Vulnerability exploitation
- Privilege escalation
- Port scanning
- Linux kernel
- File analysis
- SQL injection attacks
- Posterior data analysis
- Remote file inclusion vulnerabilities
- Directory enumeration
- Brute force attacks
- PCAP analysis
Competition Rules:
- Before the competition starts, contestants are requested to test network connectivity to the online competition platform in advance, verify the competition system account and password, and raise any issues or difficulties with the proctors on site.
- Contestants must bring their own notebook computers (recommended configuration: at least 4 cores at 2.2 GHz, 8 GB of memory, virtualization support, Windows 10 or higher, and the Firefox or Chrome browser), along with their own problem-solving toolkit, power supply, and mouse.
- Each team shares one account, and members can log in simultaneously. However, if answers are entered at the same time, the system will double count them, so please be careful when operating.
- During the competition, teams are not allowed to communicate and discuss in any form, and no one is allowed to disturb other teams in the competition.
- During the competition, contestants are strictly forbidden to launch any attacks or malicious operations on the competition server, other contestants' hosts, or other facilities that may affect the normal progress of the competition. Heavy scanning tools are strictly forbidden, and those detected using improper tools will be disqualified. Using platform vulnerabilities to disrupt the order of the competition is strictly forbidden; if found, the competition results will be canceled. Those who find platform vulnerabilities can report them to the organizers in time and will be given appropriate bonus points.
- Violators of the above rules will be subject to penalties such as verbal warnings, point deductions, and disqualification by the on-site referee team depending on the situation.
Promotion Rules:
How to advance to "Challenge 2 - AWD Attack and Defense Competition": Teams that complete "CTF-Challenge 1" on August 17th will be ranked from high to low by their "CTF-Challenge 1" scores on that day, and the top 10 teams with the highest scores will advance.
Teams will be ranked based on their scores. If teams have the same score, the ranking will be determined by the following criteria:
- Total score
- Time taken to earn points
- Number of incorrect attempts
Hints can be obtained during the competition, but using hints will result in point deductions; please use them wisely.
CTF Challenge 1 Awards:
- First Prize: 2 winners - CTF certificate
- Second Prize: 3 winners - CTF certificate
- Third Prize: 5 winners - CTF certificate
- Honorable Mention: 3 winners - CTF certificate
Teams winning the first to third prizes are eligible to enter the AWD Defense Battle on the afternoon of August 25th, competing on-site for the championship, runner-up, and third place honors!
Follow-up Activities:
The winning teams will have the opportunity to be invited to participate in major competition activities in various regions within the country, representing Hong Kong teams in competitions and exchanges.


AWDP is a comprehensive competition model that assesses the attack and defense capabilities, as well as the real-time strategic skills, of participating teams. Each team acts as both attacker and defender, which reflects the practical, immediate, and adversarial nature of the competition and provides a comprehensive assessment of the teams' penetration and protection abilities.
Date and Time:
August 25, 2024 | 2:30 PM – 5:00 PM (Hong Kong Time) (2 hours 30 minutes) | HKCEC (Wan Chai) Hall 1D
Language: The competition system and problems will be conducted in Simplified Chinese and English
Competition Introduction:
By simulating real network systems and network conditions to the greatest extent, participating teams are required to attack and defend against them. The competition process refers to real-world information and communication systems, focusing on the participants' understanding of the security mechanisms of these systems, their ability to collect and analyze data, and their theoretical knowledge and practical skills in conducting penetration tests based on this foundation. The scenario simulates industry network architecture and equipment functions, requiring players to continuously collect clues and data, identify and protect their own vulnerabilities, and attack the environments of other teams in the venue using discovered vulnerabilities.
- Participants should note that these "network attack and defense" platforms can only be used for competition and learning purposes, not for illegal activities.
Competition Content:
I. The rules of the attack and defense phase
1. The attack and defense phase uses a dynamic attack and defense competition model, comprehensively assessing the participating teams' vulnerability discovery, mining, repair, and real-time strategic capabilities.
2. Team scoring: The score for the attack and defense part is the total of the attack and defense points. Successfully exploiting a vulnerability to obtain a flag and submitting it successfully will earn the team attack points for that question within the scoring round. Successfully repairing a vulnerability and passing the platform check will earn the team defense points for that question within the scoring round. Service abnormalities will result in point deductions.
3. If a team's service for a question is abnormal and cannot be attacked, the team can reset it by clicking the 'Reset Attack Target' button. For the number of times each question can be reset, please refer to the competition interface.
4. Defense repair: Players can download the question package from the platform, which includes some or all of the source code and other files for the question. After successfully repairing it locally, players upload the repair package (limited to the name format xx.tar.gz, which must include an executable update.sh file) via FTP. After the FTP server receives the repair package, click the 'Apply for Judgment' button in the corresponding question box on the interface. The platform will upload the repair package to the defense environment, decompress it, execute the update.sh file, and then run the platform's check and exp.
5. If the check fails, it is judged as a defense abnormality, and 200 points will be deducted for each round; if the check and exp succeed, it is judged as a defense failure, no points are deducted; if the check succeeds and the exp fails, it is judged as a successful defense, the team will no longer lose points for that question in subsequent rounds and will earn defense points.
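A pre-upload check for the repair package described in item 4, added here as an example and not part of the organizers' platform or tooling. It assumes update.sh sits at the archive root (the rules do not say where) and builds its sample packages in memory; `check_repair_package` and `build_sample` are hypothetical names.

```python
import io
import posixpath
import tarfile


def check_repair_package(name: str, data: bytes) -> list[str]:
    """Return the problems found; an empty list means the stated format is met."""
    problems = []
    if not name.endswith(".tar.gz"):
        problems.append("name must end in .tar.gz")
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            members = tar.getmembers()
    except (tarfile.TarError, OSError, EOFError):
        return problems + ["not a readable gzip-compressed tar archive"]
    # Assumption: update.sh is expected at the archive root.
    scripts = [m for m in members
               if m.isfile() and posixpath.normpath(m.name) == "update.sh"]
    if not scripts:
        problems.append("update.sh missing at archive root")
    elif not scripts[0].mode & 0o100:  # owner execute bit
        problems.append("update.sh is not executable")
    return problems


def build_sample(mode: int, script_name: str = "update.sh") -> bytes:
    """Build a constructed one-file package in memory for the demo."""
    body = b"#!/bin/sh\n# constructed placeholder for the real repair steps\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(script_name)
        info.size = len(body)
        info.mode = mode
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg_name, mode in [("good", "fix.tar.gz", 0o755),
                                  ("no exec bit", "fix.tar.gz", 0o644),
                                  ("bad name", "fix.zip", 0o755)]:
        print(label, check_repair_package(pkg_name, build_sample(mode)))
```

The permission recorded in the archive is what matters here, so a package built on a filesystem that drops the execute bit needs the mode set when the archive is created.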
II. Scoring rules
1. All teams in AWDP have a corresponding starting score, with rounds lasting 5 minutes each. The scoring for each round changes with the attack and defense situation, and each effective attack and defense in each round is scored.
2. Players attack their own target machine and submit the correct flag. After each round, the platform will automatically help the team attack other teams to earn points, which are dynamic scores.
3. After the player uploads the question repair package and it is verified successful by the platform, they will receive the defense points for that question. The defense points for each round also change dynamically based on the difficulty of the question and the number of successful defense teams. Failure in repair will result in point deductions.
4. If a team can successfully defend all questions and there are no service abnormalities, they will not lose points.
5. Uploading a defense package that causes a service abnormality will result in a deduction of 200 points per round per question until the repair is successful or fails.
6. The attack and defense score values for the questions decrease dynamically with the number of teams solving the questions.
7. Question attack and defense score = 500 + (difficulty coefficient - 1) * (competition time - difficulty coefficient) * 50;
Note: The difficulty coefficient of the question has three levels, 1 for easy, 2 for medium, and 3 for difficult. The unit of competition time is hours, rounded up. If there is no first blood for the question, the current competition time is substituted; if the first blood is achieved, the competition time is substituted with the first blood time, and the question score will be a fixed value. The defense score formula is the same. The referee gives bonus or penalty points based on the situation at the competition site.
AWD Challenge 2 Awards:
Champion: 1 winner - AWD trophy, certificate, and a cash prize of HKD $3,000
Runner-up: 1 winner - AWD trophy, certificate, and a cash prize of HKD $2,000
Third Place: 1 winner - AWD trophy, certificate, and a cash prize of HKD $1,000
The winning teams will have the opportunity to be invited to participate in major competition activities in various regions within the country, representing Hong Kong teams in competitions and exchanges.
Competition Rules:
- Representatives of the organizing committee, staff, and service providers involved in this competition are not allowed to participate.
- After the competition is completed, teams confirmed by the organizing body will be announced as the gold, silver, and bronze prize winners. In case of a tie, the final ranking will be determined by the time taken to answer the questions.
- Do not register more than one team account.
- Do not share your team's competition account and password.
- During the competition, if you encounter any issues, participants should immediately report to the organizing body.
- Do not attack the competition platform, for example:
  - Altering the scoreboard;
  - Overloading the system;
  - Conducting a denial-of-service attack;
  - Except for designated servers and services, do not attack other servers or services;
  - And other abnormal competition behaviors
- Do not engage in social engineering attacks.
- Do not cheat or disrupt the competition, for example:
  - Sharing flags;
  - Asking others for flags;
  - Deleting flags;
  - Interfering with other teams' submission of flags;
  - And other abnormal competition behaviors
- Do not send messages containing violence, obscenity, or indecency in the chat room or venue, upload any files that infringe copyright or intellectual property rights, violate Hong Kong law, or engage in other abnormal competition behaviors.
- Do not share any content or details of the competition with anyone before it ends.
- Any misuse or violation of these competition rules may result in penalties as stated in the terms and conditions.
- The organizer reserves the right to change any prizes without prior notice.
- The organizer reserves the right to amend the competition rules and will notify participants in a timely manner.
- By submitting their registration, participating teams agree to and undertake to abide by all terms and conditions and competition rules. Please read and understand them carefully.
- The organizer will comply with the Hong Kong Personal Data (Privacy) Ordinance to protect the personal data of participants.
- Data collection statement: All personal data provided for participating in this event will be used solely for event-related announcements (notifications), press releases, prize awards, prize delivery, and for promotional activities by the guiding and executing units, and will not be used for any other purpose.
- Registering for this event signifies consent for the executing unit to record or edit any photographs, videos, or related materials provided for or taken at the event for promotional purposes within the scope of the event's publicity, to be compiled into event highlights or testimonials for public release.
- Participating teams must agree to and abide by all terms and conditions and competition rules; otherwise, the organizer has the right to suspend or cancel the participation of team members, and the team members may not object.
- During the competition, the use of inappropriate language or behavior to insult other participants, spectators, judges, and staff is prohibited. In such cases, the executing unit has the right to cancel the team's participation based on the severity of the situation.
- The organizer reserves the right to change any team names without prior notice. Participants may not object.
- If any participating team member is found to be ineligible, the entire team will be disqualified.
- All items in the competition must be performed by eligible team members.
- If there are any changes to the team members, the organizer should be notified immediately. The organizer will verify the identity of all members of the winning teams before the award ceremony.
- The organizer may allow teams from other countries/regions to compete on the same platform. It will not affect other scores and rankings. Participants may not object.
- The executing unit retains the right to modify, suspend, or terminate the event due to force majeure such as natural disasters or in response to epidemic prevention measures. For any matters not covered, the executing unit will correct and supplement the announcement on the event website.
- The competition results are final at the organizer's discretion and will be published at https://ShieldTag.hk-tag.org. Participants may not dispute the competition results or rankings.