HITCON 2016 discovers three real-world zero-day vulnerabilities in one day

HONG KONG, CHINA--(Marketwired - Dec 5, 2016) - After stiff competition at the two-day finals of HITCON CTF 2016, Cykorkinesis from Korea won the championship and prize money of US$10,000, and will advance directly to the finals of DEF CON 2017 in the US. The runner-up and third place were respectively LCBC from Russia and PPP from the US, each winning prize money of US$5,000 and US$2,000. The prize money was sponsored together by MediaTek, Magicapital, and Hope Bay Mobile.

Alan Lee in charge of HITCON CTF 2016 noted three distinctive features of the 2016 event: 1) An international contest taking place physically in Taiwan for two consecutive years, 2) the qualifying CTF organized by Taiwan for two consecutive years for DEF CON, 3) worldwide entries' almost total satisfaction with the CTF in Taiwan. The finalist teams included PPP from the US, LCBC from Russia, Cykorkinesis from Korea, Shellphish from the US, TokyoWesterns from Japan, CLGT from Vietnam, !SpamAndHex from Hungary, PwnThyBytes from Romania, KAIST Gon from Korea, 0ops from Mainland China, Dispwnable and Hacker Forge from Taiwan, and p4 from Poland. "In the second morning of the CTF, competition escalated drastically as all the teams launched their all-out offensives that they developed by staying up at night," said Alan Lee. "PPP from the US made the first kill, gained on LCBC, and advanced to the second place temporarily. The competition among entries was very intense."

Moreover, something amazing about the CTF was an application with three zero-day vulnerabilities identified. According to Orange who created a web challenge called WebRop, the challenge was based on the open source application SugarCRM and features of SugarCRM which Orange used to hacked this application with. The WebRop challenge leveraged the real-world environment of SugarCRM and tried to induce more ways of vulnerability utilization and zero-day vulnerabilities. As a result, LCBC first hacked a zero-day vulnerability of the application and then PPP and Cykorkinesis hacked other vulnerabilities. "As long as I am sure there are solutions to the questions I give, entries will find different ways out or hack the vulnerabilities they identify," said Orange. "This is best way to maximize question effectiveness."

According to onsite observers, the event organizer not only designed game animations to provide real-time contest updates but also set up Internet of Things development board-controlled lighting to animatedly and immediately inform audiences of each and every team being attacked. Moreover, the comprehensive and in-depth questions raised this time evidenced those who provided the questions are very experienced in such contests, while the challenge categories including Pwnable, Reverse, Web, Forensic, Cryptography, and Misc. required entries to be very attentive, cautious, and improvisatory in order to overcome their challenges.

This time HITCON CTF and HITCON Pacific took place at the same time, inviting information security experts as well as hackers from around the world to develop an international technology exchange platform for Taiwan to help local information security talents keep abreast with their international peers, stimulate the development of hacker communities on and off campus, and expedite information security innovation.

Winning Teams







Champion entitled to prize money of US$10,000 and direct advancement to the finals of DEF CON 2017 in the US

HITCON CTF 2015 champion too



Runner-up entitled to prize money of US$5,000

Organized by information security research and CTF contest enthusiasts



Third place entitled to prize money of US$2,000

A Carnegie Mellon University CTF team organized six years ago

Entering its twelfth year, HITCON has won the respect and support from different sectors of Taiwan. In order to speed up its growth, HITCON organized itself as an association approved by the government in 2015, and 2016 is the first anniversary of the association, Different events, contests, and many other activities organized by HITCON are intended to provide more room for development of information security talents in Taiwan, call more business attention to the importance of information security, and convey the correct concepts about information security in order to prompt the government and private sector as well as hacker communities to together enhance information security for Taiwan.