- Where can I start?
- Those are easy, what next?
- Everything is impossible!
- No, really, this challenge is impossible to solve here
- Everything is super easy!
- Where can I report issues or suggest hints, achievements, features, etc.?
- Can I get credit for suggesting hints?
- I want my VMs to stay up longer
- What if I click "Spawn server" on all challenges?
- Archive code
- I love the auto VM spawning. Can I use it to host a CTF? Archive my own challenges?
- Can I run this myself?
- Philosophical matters
- What is the Order of the Overflow, and who do they think they are anyway?
- Is source code available for all challenges?
- Are you going to archive all OOO challenges?
- You run one of the toughest finals of the CTF world, and there was no money to win?!?
- Who certifies that you’re actually important in the CTF world?
- I'm sold, but these challenges are still too hard.
Look for the point value. Quals challenges with low point values were solved by many teams -- you could be next :)
Challenges tagged `hinted` are also great to explore. Admittedly we don't have many right now, but suggesting some is a great way to contribute.
Note that the `easy` tag is carried over from the competition difficulty (which is hard in general).
The DEF CON CTF is akin to the Olympics -- things are supposed to be hard. Don't get discouraged though, we're gradually adding hints and links to write-ups, as well as making more challenges' server-side playable.
Our testing is not super-reliable, and it's possible that the new deployment doesn't work correctly. If you're confident that's the case, please open an issue in this repo (or in the challenge's source repo) and we'll look into it.
In the meantime, consider re-building and running locally. Most binaries can be run outside docker without issues: in fact, many challenges were designed to be solved offline and required interaction just to get the final flag.
We're glad you think so... congrats! 🥇
Could this have to do with the fact that this is an archive of past challenges, many of which have public write-ups, source code, and flags? If so... that's not a bug -- the site is here to practice, people cheating by copy-pasting flags are only deluding themselves :)
On a more serious note, we do recognize that top teams probably don't need hints or to see the same challenges again: this effort is more dedicated to long-term archival and accessibility to non-top players. We still hope you will find it useful for occasional practice, and if you have suggestions we would be glad to hear them.
We hope you'll enjoy our archiving effort, and if you run into issues or have suggestions do contact us, either by opening an issue here or via email.
Hints and extra notes for challenges are explicitly allowed (and encouraged!) -- the challenge author might have to confirm though.
We're also somewhat available on DEF CON's discord (CTF area).
Just keep in mind that preparing and running the competition is hard, and has priority over the archive.
We're open to adding a gray "suggested by" link next to contributions. No legal promises though.
Remember that this is a volunteer effort... the Order can provide only so much.
When possible we provided the pre-built container and/or the source code, so you can play on your laptop with decent isolation.
Also: none of the challenges require extensive bruteforcing -- in fact, during live competitions there were proof-of-work requirements specifically to prevent this (and overloading servers on purpose).
We hope you will be kind enough to consider the spirit and limitations of what we're doing.
We want to make play as accessible as possible. If people start abusing it we may have to restrict this, and we hope we don't have to.
The code is mostly geared towards archiving and long-term playing, but we'd love to expand to archiving more challenges!
Edges are a bit rough (right now we assume dockerization), but if you ran a top CTF and want to try archiving please email us.
It should be possible (it's simply a Django app + utilities, after all), but admittedly right now this is not tested beyond our test and production deployments.
Do feel free to open issues if you find bugs or have improvement ideas though.
Great question -- we have a full philosophy page on this topic :)
Source code is available for the majority of challenges, but not for all.
One of the advantages of the archive is that we can provide playable portions even without the full source code.
We'd love to, but realistically some challenges will not be playable online. This is generally true for custom deployments (think the iOS and Xbox challenges, but also web challenges that had special dedicated servers during the game).
That's correct, there's no monetary prize. DEF CON provides eight black badges and leather jackets (more than any other contest) and that's quite the prize in our opinion -- but let’s face it, if you’re playing for the prize you're kinda looking at it from the wrong side.
Like the Paul Street boys, we fight in a playground and we give it all… and we do it for the sake of the playground itself. Like the Paul Street lot, maybe one day this will become corporate ground and there will be catered lunches, paid flights, and millions of dollars to win. It wouldn't necessarily be a bad thing: we don't have much money and there are things that simply require it.
In the meantime, enjoy that our epic fights are still mainly fought (and organized!) by volunteers.
Fight for the common ground (our common ground), and find a community there.
No one, really.
Well, DEF CON sort of does -- in the sense that this is an official event, it's been running continuously since 1996, and it has awarded more black badges than any other contest. Arguably, the first CTF community also intersected a lot with the DEF CON crowd (at least in the US), and so they were among the first to run a serious live attack-defense contest.
With that said, ultimately it's about what the CTF community feels. The DEF CON CTF is generally recognized as the “Olympics”, and organizer teams strive to realize that. This includes making very hard challenges, trying to fight team-size inflation, and being as transparent as possible with the scoring and game structure.
We recognize that there are extremely skilled hackers that just don't play CTFs or who play but (for example) only go to CCC. That's OK! With that said, we do try to reach out -- that's why many of our prequalifier events are based outside the US.
Members of the Order also work on teaching challenges:
- pwn.college, from our ASU members
- MOBISEC challenges, from Reyammer
- how2heap, with Shellphish
- The list of playable wargame sites maintained by zardus
A great introductory CTF game is PicoCTF.