Black Hat Briefings & Training Asia 2003


Black Hat Asia 2003 Briefings first ever Capture the Flag (CtF) Competition

This event is open only to paid registrants of the Black Hat Asia Briefings.
Chance to win a Sony Ericsson T610 Mobile Phone

To assure a seat for the CtF, email singapore at

Dates & Venue
16-17 December 2003, from 6pm to 8am, 14 hours of gaming at the Marina Mandarin Hotel.

Black Hat CtF

Game Scenario
Qwerty Security Research is a newly established IT security company that provides network security consultancy services, distributes security products and publishes security advisories. The company has recently launched a web portal that allows Internet users to access its advisories and to sign up for its premium security alerting service. The CEO of Qwerty Security Research has recently published a statement on the web portal claiming that the portal is designed from the ground up with security in mind and is impossible to penetrate. Your mission is to prove otherwise.

After performing the necessary information gathering you conclude that Qwerty Security Research owns the IP range and The URL of the web portal is at

To prove that the CEO is not entirely correct regarding the security of the site, you have to achieve the following objectives:

1) Obtain the /etc/passwd file of any compromised *NIX systems.
2) Obtain the /etc/shadow file of any compromised *NIX systems.
3) Steal ALL credit card numbers from the web portal.
4) Plant a file <yourname>.txt in C:\ of the web portal.

1. Contestants may participate individually or in pairs. Participation will be limited to 50 participants.
2. Each participating team-pair or person is allowed to bring in only one notebook and is allocated only one network and power point.
3. Participants are expected to bring their own tools and exploits, as there may be no Internet access provided for them to download their tools.
4. Upon registration, each participant will be assigned a single IP address. Participants are not allowed to change their IP addresses or to spoof the IP/MAC addresses of another person.
5. Participation is open to registered delegates of the Black Hat Asia 2003 Briefings. To assure a seat for the CtF, email singapore at

Participants will be judged based on their total score and the time they take to capture/plant the flags. The start time will be recorded for each participant during registration. This allows participants who arrive late to take part in the competition as well. At any time, the participants can declare that they want to end their game. The end time for every participant will be recorded.

The participant who successfully obtained the highest score within the shortest time will be the winner of the competition. The second and third place will be calculated as follows:

  • second place = 2nd_max(score) and min(endTime – startTime)
  • third place = 3rd_max(score) and min(endTime – startTime)

The time factor applies only if there are several participants with the same score.

The following rules ensure proper functioning of the competition. Participants that violate any of the following rules will be disqualified.
1. During the competition, there will be both scheduled and unscheduled Pit Stops. During the Pit Stops, all participants are required to leave the room and are only allowed to return at the end of the Pit Stop period.
2. No Denial of Service (DoS) attacks of any kind are to be launched.
3. No flooding of the network (e.g. UDP flood, smurf attacks).
4. No attacking or exploiting of other participants' systems.
5. No shutting down, disabling or patching of vulnerable systems.
6. No defacement or changing of the /etc/passwd and /etc/shadow files on vulnerable systems.
7. No harassment of other participants.
8. No planting or launching of worms, viruses, or other destructive code.
9. No physical attacks are allowed.
10. No attacking or exploiting of network infrastructure devices, such as switches, routers, etc. (e.g. ARP cache poisoning, switch MAC table flooding and traffic re-routing are NOT allowed).
11. No changing or spoofing of IP addresses is allowed. Participants must use the IP addresses assigned to them.
12. No changing or spoofing of MAC addresses is allowed.
13. No removal of flags planted by other participants.

Chance to win one of the following prizes:
  • Free admission to a future Black Hat Briefings.
  • A Sony Ericsson T610 Mobile Phone, compliments of MobileCiti.
  • A Black Hat branded short sleeve button down shirt.

More prizes to be announced.

Official Black Hat Hotel: Marina Mandarin