House of Flags / Flag Heist

Capture The Flag on 12 October 2024 in Bonn

Win prizes with a total value of up to €35,000!

Tokyo, Rio, Denver, Berlin - and now Bonn!

On 12 October 2024, the aim of Germany's largest on-site capture-the-flag event in Bonn is to storm the House of Flags and collect all the flags. One hundred hackers from all over Germany will compete against each other in teams of up to four people to put their skills to the test!

Are you ready to storm the "House of Flags"?

In a world where information is the most valuable currency, evil forces have stolen secret information and stored it in a highly secure data centre.

Only a group of outstanding hackers can recover this information.

But time is pressing, because others will also do everything they can to be the first to obtain the information!

The house of flags

At the heart of a highly secure virtual data centre, hidden from public view, are the world's most valuable digital flags. Each flag represents a challenge that only the most cunning hackers can solve. The Professor has recruited a team of the best IT security talents to overcome these almost insurmountable hurdles and capture the flags.

The plan

A digitally secured fortress that no one has ever entered before is waiting to be conquered by the hackers. The aim is to find and secure all the flags before the security mechanisms stop them.

With personalised laptops and customised operating systems (I use Arch), a targeted toolset and a perfectly thought-out strategy, the hackers will get to work. They penetrate protection mechanisms, decipher complex codes and navigate through the labyrinth of cybersecurity challenges.

Every flag they capture brings them closer to ultimate glory and recognition as the best IT security experts of their time.

The team

Tokyo, Denver and Rio were yesterday! Today the team consists of:

Bonn - The specialist for exploits and system vulnerabilities.
Berlin - The expert for cryptography and encryption.
Cologne - The master of network security and data traffic.
Frankfurt - The virtuoso hacker and developer of customised attack technology.

Will you be part of the team?

Now it's up to you. Are you ready to take on the ultimate challenge and become part of the "House of Flags"? Join us and show that you have what it takes to become the master thief of the cyber world. Sign up now and become a virtuoso of IT security.

Register now and be part of the big digital coup!

Experience the excitement and thrill of a digital heist like you've never experienced before. The "House of Flags" is waiting for you. Are you ready?

The event

Show what you've got - at Germany's largest on-site capture-the-flag event organised by cybersecurity specialists Laokoon SecurITy, CGI, IBM and Bechtle Bonn!

On 12 October, over one hundred ambitious IT security enthusiasts will meet to solve challenging challenges in teams, collect the flags and win the competition!

The game is played in classic Jeopardy style. The best players can look forward to high-quality prizes and further training opportunities totalling up to €35,000.

With around 120 participants on site, this on-site Capture The Flag event one of the biggest in Germany this year.

The CTF

The CTF will take place in the IBM Garage for Defence at Godesberger Allee 125 in Bonn from 10 am to 8 pm.

The following categories will be played:

OSINT

FORENSIC

JAIL–BREAKOUT

FULL-PWN

CRYPTO

PWN

WEB

MISC

REVERSING

The prices

Prizes totalling up to €35,000 will be awarded to the best teams.

1st place: A SANS onDemand course per team member of your choice worth between approx. 7000 € and 9000 € per course

2nd place: One year HackTheBox Academy Subscription

3rd place: One year VIP+ membership at HackTheBox

Places 4 to 10: One month HackTheBox VIP+

The procedure

10 ClockArrival at the IBM Garage for Defence, Godesberger Allee 125, 53175 Bonn
10.15 am: Opening of the event and presentation
10.45 Clock: Keynote speech tba.
11.30 Clock: Preparation of the CTF
12.00 to 18.00 Clock: Realisation of the CTF
6.00 pmGet-together with food and drinks
19.45 Clock: Award ceremony
From 20.00 ClockNetworking and celebrating

Drinks and catering will be available free of charge throughout the event.

Your participation

Participation is open to interested adults who have registered and been selected by the registration deadline on 7 September 2024. Students and graduates in the fields of computer science and IT security as well as trainees and apprentices specialising in IT security are particularly welcome.

Selection is primarily based on the "first come, first served" principle. You can find out more about this here.

Participation takes place in teams of 1 to max. 4 members. It is possible to fill teams with individual participants if desired.

Your registration

What data we collect and what we use it for is explained here in our privacy policy.

In short: If you would like to take part in this event alone or in a team, we need some information from you. Without this information, participation is not possible.

Important: Each team member must register separately. You can refer to your respective team in the registration process.

Capture The Flag 2024 at a glance:

When: 12 October 2024 from 10 a.m. to 8 p.m.
Registration deadline: 07 September 2024
Where: IBM Garage for Defence, Godesberger Allee 125-127, Bonn
What: Capture The Flag Jeopardy style
Teams of up to four people and individuals can take part
All participants must register individually
Prizes with a total value of up to €35,000

That was the HAXORCIST CTF 2023

The last CTF of this kind took place on 28 October 2023 with over one hundred participants from all over Germany at the IBM Garage for Defence in Bonn.

Register now!

JavaScript is disabled in your browser. To access our ticket shop without JavaScript, please click here.

This event is made possible by:

Strong partners for a unique event

Important to know / FAQ

Answers to frequently asked questions about organising and running the CTF can be found here.

In what form does the CTF take place?

The CTF will take place as a Jeopardy-style event. This means that there will be different categories and the challenges can be solved independently of each other.

Who will win the event?

The team that solves all challenges first or has the most points at the end of the game wins the CTF and thus the main prize.

What is a CTF?

You can find everything you need to know about capture-the-flag competitions, or CTFs for short here.

How many team members can my team have?

Your team may consist of a maximum of four team members.

Can I take part in the CTF on my own?

Yes, solo participation is possible. However, there will not be a separate track for solo participants - in this case you will be considered as a team with one team member. Accordingly, the chances of winning may be slightly lower. If you do not have a team member but do not want to participate alone, you can indicate this in the registration form. In this case, we will try to place you in an existing team with open places.

Who can take part?

In principle, anyone interested in IT security and CTF enthusiasts over the age of eighteen (18) can take part in this event. It is important that you and your team register within the registration period. Registration after the registration period is only possible if not all places have already been filled.

Where does the event take place?

In Bonn in the IBM Garage for Defence at Godesberger Allee 125-127.

Language

The majority of the event will be held in German. Parts may be held in English. This may include presentations by speakers and parts of the challenges.

By when do I have to register?

Registration for participation is possible until 7 September. Participants who have registered by then will receive binding feedback by 14 September at the latest as to whether they will be taking part.

Prevention

If you and your team register to take part, we will reserve the slots for you and your team. If it becomes apparent that you will not be able to take part, please cancel as soon as possible so that we can reallocate the open slots.

How are the participants selected?

Places are allocated without qualification. The "first-come, first-served" principle applies. In short: If you register early enough, you have a good chance of being there. Under certain circumstances, however, we may decide not to invite participants or to give preference to other participants. This may be the case in particular if participants register as solo participants and would therefore block a place for a full team.

Is it also possible to participate online?

Online participation is not possible. The event will take place on site in Bonn, Germany.

Can I also take part as a spectator?

Participation as a spectator is currently not planned. The available space is reserved for active participants. We can only deviate from this in justified exceptional cases, such as accompanying disabled persons, press or supporters of the events or similar. Please send a message in advance to ctf@laokoon-security.com

Do you support visa applications to participate in the CTF?

No, we appreciate your interest, but you have to take care of these things yourself.

What do I need to bring with me?

You know your system best. Basically, you will be working on your laptop. There will be no hardware challenge where you have to plug something into your computer. Nevertheless, you should have the adapters you need with you. Especially your power connection. It may also be worth having a multiple socket. Always good to have with you. You never know. In principle, a power supply is provided, but if you want to charge additional devices, please bring the relevant equipment with you.

Can I bring my own screen?

For space reasons, it will hardly be possible to set up a complete workstation. Screens and desktop PCs are unlikely to have a place. The seats are distributed in such a way that you can either sit on a couch, an armchair or at a table without the teams disturbing each other. However, it is not possible to offer everyone enough space for a screen. Thank you for your understanding.

Data protection regulations and privacy policy

By using this website, you declare your consent to the data protection provisions set out here. If you do not agree with this policy, please do not use our website. Your continued use of the website following the posting of changes to this policy constitutes your acceptance of those changes.

We take your privacy seriously and are committed to being transparent about our data protection practices. This privacy notice is intended to explain how and under what conditions we will process your personal data that we collect as part of the Capture The Flag event on 12.10.2024 and provide to the organisers of this event (Laokoon Security GmbH, CGI Deutschland B.V. & Co. KG, IBM, Bechtle Bonn GmbH) as part of the Capture The Flag event.

Personal information that we collect

We may collect personal identification information from users when they register on the website. Users may be asked for their first and last name, academic and personal e-mail address, telephone number, address, date of birth, associated academic institution, current academic year, field of study or current desire for professional reorientation. Other voluntary information is also collected, which is provided on a voluntary basis.

Information about the use of the game can also be saved: the number, type and details of the tasks solved, the answers given, the time spent on the tasks or the score achieved.

Technical information

We may collect non-personal identification information about users when they interact with our website. Non-personal information includes the browser name, the type of computer and technical information about the nature of the user's connection to our website, such as the operating system, the Internet service provider used and other similar information.

Use of cookies

Our website may use "cookies" to improve the user experience. They contain information, such as the language preference of the surfer, so that they do not have to enter this information again the next time they visit the same website. We also use the Google Analytics service, which sets cookies to collect visitor statistics.

On what legal basis is the data collected and how is the data used?

The organisers and partners (Laokoon Security GmbH, CGI, IBM and Bechtle Bonn GmbH & Co. KG) may use the information collected to communicate with users in connection with the CTF or related activities and events. Collected information may be used in the following ways:

To personalise the user experience
- We may use the information collected to understand how our users as a group use the services and resources offered on our website.
For analyses during and after the game
- We may use information about the user and information collected during the CTF to rank users, create a live scoreboard, evaluate user performance for each part of the CTF and improve the platform.
To send regular emails in connection with the game
- We may use the email address to send users information and updates relating to their registration. This is not considered direct marketing and is part of the CTF. It may also be used to respond to enquiries, questions and/or other requests.
For recruitment purposes
- We may use your information to provide you with information about customisation options.

We always process personal data in compliance with the provisions of the GDPR and the BDSG and in accordance with our general data protection policy.

We use the data provided in principle and in our legitimate interest exclusively for communication in connection with the event and for information on possible follow-up events (Art. 6 para. 1 lit. f GDPR).

If you are looking for a job and have expressed an interest in contacting us, we will also use the data to send you general or specific job information. We may then also process your data for the preparation and implementation of an employment relationship (e.g. invitations to job interviews). The primary legal basis for this is Art. 88 para. 1 GDPR.

i. V. m. § 26 para. 1 BDSG. If necessary, we may also process special categories of personal data if we need them for labour law reasons (Art. 9 para. 2 lit. b GDPR, Art. 88 para. 1 GDPR in conjunction with § 26 para. 3 BDSG). If we find that your and our ideas match and that you could be a good fit for our team, you will receive further data protection information from us before we process your data any further.

How is the data protected and how long is it stored?

We take appropriate technical, security and organisational measures to protect personal data from accidental or unauthorised destruction, accidental loss, alteration, access and other unauthorised processing of personal data. For example, data is exchanged between the website and its users via an SSL-secured communication channel that is encrypted and protected by digital signatures.

We store your data for 12 months after the end of the event. If you are interested in being included in our applicant pool, the relevant retention periods apply, which you can find in the data protection notice provided by us in such a case.

Who is responsible for data processing and how can I contact the person responsible?

On the part of Laokoon Security GmbH:
- Laokoon Security GmbH, Am Hauptbahnhof 6, 53111 Bonn, datenschutz@laokoon-security.com, T: 0228 - 50443980
On the CGI side:
- CGI Germany B.V. & Co. KG, Leinfelder Straße 60, 70771 Leinfelden-Echterdingen, T: +49 771 72846-0, F: +49 771 72846-846
On the IBM side:
- Contact via the IBM Privacy Portal
On the part of Bechtle Bonn GmbH:
- Bechtle AG, Bechtle Platz 1, 74172 Neckarsulm, Germany, as well as the affiliated companies according to §§ 15 ff. AktG, + 49 7132 981 - 0,privacy@bechtle.com

Who receives the data?

Your data collected as part of your participation in the event will only be received by those who are directly involved in the organisation of the event. If you are interested in job offers, your data may be passed on within Laokoon Security, CGI, IBM or Bechtle Bonn to the people and departments that have vacancies in their area or are involved in recruitment decisions (e.g. the HR department, the specialist department).
The following applies to CGI: When processing your data, we use our internal IT service provider Conseillers en gestion et informatique CGI Inc, Montreal, Canada, to which we transfer your data, which is subject to our binding corporate rules ("BCR"). CGI's BCRs were approved by the French supervisory authority (CNIL) on 22 July 2021. This means that your data subject rights remain unchanged, regardless of where your personal data is processed.

Changes to the data protection provisions

The organisers have the discretion to update this privacy policy at any time. When we do, we will update the updated date at the top of this page. We encourage our users to frequently check this page for any changes to stay informed about how we are protecting the personal information we collect. You acknowledge and agree that it is your responsibility to review this Privacy Policy periodically and become aware of any changes.

Third-party websites

Users may find advertising or other content on our website that links to the websites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We have no control over the content or links that appear on these websites and are not responsible for the practices employed by websites linked to or from our website. In addition, these websites or services, including their content and links, may change constantly. These websites and services may have their own privacy policies and customer service policies. Browsing and interaction on other websites, including websites that have a link to our website, is subject to that website's own terms and policies.

Your rights as a user and how you can assert them

You have the right:

request access to your personal data (commonly known as a "data subject access request").
- This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
You can request the correction of the personal data that we have stored about you.
- This enables you to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.
You can request the deletion of your personal data.
- This enables you to ask us to delete or remove your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
You may object to the processing of your personal data if we are relying on a legitimate interest (or that of a third party) and you object to the processing on this ground because of your particular situation and because you consider that it impacts on your fundamental rights and freedoms.
You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
You can request the restriction of the processing of your personal data.
- This enables you to ask us to suspend the processing of your personal data in the following cases:
  - (a) if you want us to check the accuracy of the data;
  - (b) if our use of the data is unlawful but you do not want us to delete it;
  - (c) where we need to keep the data even if we no longer need it because we need it for the establishment, exercise or defence of legal claims; or
  - (d) if you have objected to the use of your data, but we need to verify whether we have compelling legitimate grounds to use it.
Requesting the transfer of your personal data to you or to a third party.
- We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used and machine-readable format. Note that this right only applies to automated data that you have originally consented to us using or where we have used the data to fulfil a contract with you.
You can withdraw your consent at any time if we rely on your consent to process your personal data. However, this will not affect the lawfulness of the processing that took place before you withdrew your consent.
- If you withdraw your consent, we may no longer be able to use the content. We will notify you if this is the case when you withdraw your consent. If you wish to exercise any of the above rights, please contact us.
As a data subject, you have the right to information about the personal data concerning you and to rectification of inaccurate data or erasure if one of the reasons stated in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued.
There is also the right to restriction of processing if one of the conditions specified in Art. 18 GDPR applies and, in the cases of Art. 20 GDPR, the right to data portability.
In addition, you have the right to object to the processing of your personal data (Art. 21 GDPR), insofar as we process it on the basis of our legitimate interest, or to revoke your consent to receive job offers at any time by sending an e-mail to sebastian.jansen@cgi.com with effect for the future (Art. 7 para. 3 GDPR).
You can also contact us by e-mail to assert your rights as a data subject:
- datenschutz.de@cgi.com or in writing to:
- CGI Germany BV. & Co. KG, Leinfelder Straße 60,70771 Leinfelden-Echterdingen.
- For such requests, we ask that you enclose proof of your identity, for example by sending an encrypted copy of an electronic ID.
You have the right to lodge a complaint with a supervisory authority for data protection against the processing of your personal data if you feel that your rights under the GDPR have been violated. The supervisory authority responsible for CGI is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de/)

Where can you go if you have questions about the CTF and the data protection regulations?

If you have any questions about the event, the use and collection of the respective data, the privacy policy and all other matters relating to this page, please contact ctf@laokoon-security.com.