HITB SECCONF CTF is an onsite + online international challenge in information security, developed by the Hackerdom team for HITB SECCONF in Phuket, Thailand. HITB SECCONF CTF 2023 was held on August 24–25th, 2023.
The contest is driven by almost classic rules for Attack-Defense CTF. Each team is given a set of vulnerable services. Organizers regularly fill services with private information — the flags. The goal of each team is to find vulnerabilities, fix them in their services and exploit them to get flags from other teams.
You can read the details on the official contest website: https://ctf.hackerdom.ru/hitb-ctf-phuket-2023/.
Official conference website: https://conference.hitb.org/hitbsecconf2023hkt/.
- sources of all services in the folder services/
- checkers for the checksystem in the folder checkers/
- ... and configuration for it in cs/
- exploits for all services in the folder sploits/
- writeups with vulnerability and exploitation descriptions for all services in the folder writeups/
Also, we're happy to share with you some of our internal infrastructure magic:
- CI/CD for packing services into DigitalOcean images and deploying proxies. See vuln_images/ and .github/workflows/
- our CTF Cloud and VPN Infrastructure in ansible/
All materials are licensed under the MIT License.
Congratulations to 🇷🇺 C4T BuT S4D on first place!
Second place: 🇮🇹 A.B.H.
Third place: 🇮🇹 pwnthem0le
Service | First Blood Team | Lang / Framework | Checker | Sploit | Writeup | Author |
---|---|---|---|---|---|---|
docs | SKSD | Ruby, Python, PostgreSQL | 🔗︎ | 🔗︎ | 🔗︎ | and |
funding | C4T BuT S4D | Ethereum, Node.js | 🔗︎ | 🔗︎ | 🔗︎ | andgein |
godeeper | SKSD | Python | 🔗︎ | 🔗︎ | 🔗︎ | awengar |
keys | ECQ-B | PHP | 🔗︎ | 🔗︎ | 🔗︎ | znick |
lockstone | C4T BuT S4D | Javascript, GraphQL, Node.js | 🔗︎ | 🔗︎ | 🔗︎ | bay |
notes | You're all a bunch of fucking skids * | PHP | 🔗︎ | 🔗︎ | 🔗︎ | hx0day |
passmgr | C4T BuT S4D | Go, PostgreSQL | 🔗︎ | 🔗︎ | 🔗︎ | dimmo |
places | C4T BuT S4D | Go, SQLite | 🔗︎ | 🔗︎ | 🔗︎ | dscheg |
pure | pwnthem0le | Javascript, Node.js, Express.js | 🔗︎ | 🔗︎ | 🔗︎ | art |
spaces | You're all a bunch of fucking skids * | C# .NET, websockets | 🔗︎ | 🔗︎ | 🔗︎ | dscheg |
tokenourcer | You're all a bunch of fucking skids * | Python, nginx | 🔗︎ | 🔗︎ | 🔗︎ | werelaxe |
* Service vulnerabilities were not used
This CTF is brought to you by these amazing guys:
- Alexander Bersenev aka bay, the author of the service lockstone, also our Cloud and VPN master
- Andrey Gein aka andgein, the author of the service funding, also our teamleader, DevOps and support for teams
- Andrey Khozov aka and, the author of the service docs, also our checksystem master
- Artem Deikov aka hx0day, the author of the service notes
- Artem Zinenko aka art, the author of the service pure
- Artur Khanov aka awengar, the author of the service godeeper
- Daniil Sharko aka werelaxe, the author of the service tokenourcer
- Dmitry Simonov aka dimmo, the author of the service passmgr
- Dmitry Titarenko aka dscheg, the author of services places and spaces
- Konstantin Plotnikov aka kost, our project manager
- Nikolay Zhuravlev aka znick, the author of the service keys
If you have any questions about the services, platform or competition, email us at [email protected] or [email protected].
© 2023 HackerDom