OOO logo


DEF CON CTF 2021 ran Friday August 6th through Sunday 8th (CTFTime) and were hybrid, like the rest of DEF CON.

Finals are over, congratulations Katzebin!

Scoreboard (click on things!)

DC29 Scoreboard
AFL-like recap of the game

Game Data

Scoreboard with extra data: visual scoreboard (info including formulas)

Latest game state JSON: latest.json, with derived service_info.json, score_data.json, current_score_info.json.

Database with all game events and tickets: compressed sql

PCAPs: game network PCAPs (unfiltered, during the game there is an internal anonymization filter)

Copy of the announcement channel on Discord: ctf-announcements-text

DEF CON CTF, like the rest of the DEF CON 29, will be hybrid. Players are welcome to join (part of) the Order in Vegas, but the infrastructure and challenges will live 100% on the internet. We’re taking pains to make sure that teams on-site have no advantage over online teams. We would love to see all of you, but it’s still a crazy time around the world, so we’ll accommodate those that can’t (or don’t feel comfortable) making the trip.

From our qualification round and the pre-qualifiers events, these 16 teams emerged as DEF CON 29 CTF finalists:

DiceGang             [via pwn2win]
HITCON ⚔️ Balsn
Katzebin             [winner of DEF CON CTF 2020 as A*0*E]
pasten               [via hxp CTF]
Plaid Parliament of Pwning
Perfect ⚔️ Guesser    [via HITCON CTF + PlaidCTF (!)]
Tea Deliverers

Stay tuned for updates.


The Order has prepared two types of services for your enjoyment: Attack/Defense and King of the Hill. The former format is familiar from decades of DEF CON CTF: you exploit other teams’ services to steal their flags, and protect your own. King of the Hill is different: you compete against other teams for the best solution, which depends on the service in question.

Once you have access to your jumpbox, to attack a team’s Attack/Defense service on port Z, connect to 10.13.37.X:Z, where X is the victim team ID. To attempt a King of the Hill, connect to 10.13.37.Y:Z, where Y is YOUR team ID. Your own team interface (for service info, flag submission, tickets, etc) is at 10.13.37.Y:80, where Y is YOUR team ID. This is all only accessible through the VPN connection.

Service Retirement

Last year, A/D challenges were be immediately retired when any single team stole 600 flags on the service. This year, most services will have pre-committed flag limits. Some will instead go through the system of prior year, where services progressed through a simple lifecycle, which is shown on the scoreboard.

King of the Hill challenges all progress through these colors as well, based on the optimality of teams’ solutions, with a minimum of 2 hours on each of Yellow, Orange, and Red.

Once retired, a service will not be re-activated. Note that a day may end with active services; they will resume in the next shift. No services will be retired earlier than 2 hours past the start of a day.


Score takes into account three factors:

Note that there is no “SLA” or “uptime” here.

Defense points accumulate by 1 for each of your services that is unexploited in a tick where successful exploits are launched on those services. For a service X, you get 1 defense point for every tick that some other team gets exploited on service X and you did not.

Attack points accumulate by 1 for each flag that you retrieve, except for your own. Stealth flags are worth 0.5 points (see the PCAP section).

King of the Hill points depend on the quality of your solution. Each tick, all teams tied for first place will get 10 points. Teams tied for second will get 6, teams tied for third will get 3, teams tied for fourth will get 2, and teams tied for fifth will get 1. Other teams will not receive points. The Order encourages you to consider hacking harder.

The three types of points are normalized (compared to the top performer in each category) to account for 35%, 35%, and 30% of the total points of a team, respectively.

Game network access

We will provide you with a VM that is VPNed into the game, on which you will have a ‘team’ account with sudo access.

You can use this VM as a jump box, or you can extract the extra wireguard configurations to set it up on your own (though we will offer no tech support for such a configuration). Each wireguard config on your machine will allow you to connect a single peer.

We also have an ‘ooo’ account on the jump-box VM. We won’t force you to keep it active, but it‘s useful for us to help in debugging access issues.

No game services run on the jumpbox, and you can take it down if you want, but that’s just making things harder for yourself.

PCAP access

Tired of us deciding when PCAPs are released? This year, we once again put the decision in YOUR hands!

Each A/D service will have a STEALTH port alongside it’s normal port. The stealth port will be 10000+SERVICE_PORT, so If a challenge listens on port 1337, the stealth port will be 11337. The stealth port hits the same exact challenge endpoint as the normal port, but traffic through that port will not be released to the victim team. But beware: maintaining backdoor access to other teams ain’t cheap! If your team sends any traffic through a service’s stealth port to a given team, you will only receive half points for stealing that team’s flag that round.

We leave the analysis of the implications of this, both on attack and defense, as an exercise to the player.

Denial of Service

You’ll notice that there are no SLA points. This simplifies things for the players: they don’t have to worry about opaque testing failures leading to a loss of points; the patches are verified at submission, and are not deployed unless they pass the tests.

New this year, we will try to be helpful if your patch test fails for some lame reason not relating to the service.

Of course, this system leaves room for abuse via specially-crafted patches. The Order will check verified patches manually (post deployment), and if we determine that a team has crafted a patch that adversarially passes our pre-deployment tests but brings down their service, we will disqualify that team from the competition, even retroactively. Play fair.

Unlike prior years, there are no connection frequency limits for services. If this becomes a problem for a specific service, we might enforce it on a case-by-case basis.

DDOS against other teams, including their jump boxes, is strictly forbidden.


Game updates and announcements. The OOO will make announcements in the #ctf-announcements-text DEF CON discord channel. It is your responsibility to stay up to date with them.

Contacting OOO. Your team interface has a ticket system to ask us for help. This is the way. Contacting individual OOO members on Discord will almost guarantee that you’ll come up against human bottlenecks and won’t get the help you need.


DEF CON 29 is hybrid! This means that we are running the game in Las Vegas, but it’s fully accessible online.

In-person Logistics! If you are joining us in person, awesome! Some info: each team will have 4 tables and 8 chairs. You’ll be provided with one power cord (ONE outlet) and one ethernet cable. The ethernet cable will have internet, and the power cord will probably kill you if you lick it (the Order highly discourages such actions). You should bring your own power strips, switches, etc. DEF CON wifi has actually been pretty reliable in recent years, FWIW, so you can also give that a try: Setup is 9am every day: you’ll need your captain card to get in. The CTF network goes live at 10am! CTF ends at 8pm on Friday and Saturday and 2pm on Sunday. All times are Las Vegas local time.

On-line Logistics! You will get access to your jump boxes for setup at 9am, and the game goes live at 10am, Friday, Saturday and Sunday. All times are in Las Vegas local time. The game will end at 8pm on Friday and Saturday and 2pm on Sunday.


All communication will happen over DEF CON’s discord, in the various CTF channels. Captain meetings will be held on discord and in meatspace at the same time. We’ll post summaries of them on discord.

Pre-game Team Communications


We hope that you are excited about DEF CON CTF (reminder: setup is on Friday at 9:00am Vegas time)! To keep you amped until then, we have compiled info for you that might cause (or simplify) some prep work on your part!

**Game network access:** How will you access your network? We're glad you asked. We will provide you each with a VM that is VPNed into the game. You can use this VM as a jump box, or you can extract the wireguard configuration to set it up on your own (though we will offer absolutely no tech support for such a configuration). We'll grant access to these VMs by literally emailing ssh keys to your team POC emails like massive noobs, so make sure those mailboxes are secure! We won't send out the wireguard configs: you can scp them off of the VMs. The VMs will have several spare configurations so that you can distribute them to any players that need them, without compromising the configuration of the jump box.

** Jump box???** There will be no services running on the jumpbox. The machine will have something like 2 cores and 8gb RAM, running Ubuntu 20.04. The jump box is there just for your convenience. You can nuke your jumpbox if you really want to, but honestly, you're just hurting yourself at that point. Use the jump box.

**Services???** As in previous years, challenges will be running at 10.13.37.TEAM_ID. If you choose to export the wireguard config, your (hopefully) non-vulnerable personal machines will use 10.1.100+TEAM_ID.0/24, though we have reserved the lower 128 IPs of that network for our own use, so back off. Your gateway should be 10.1.100+TEAM_ID.1. We will tell you your team ID when we mail you your ssh key.

If you want to colocate your infra with our infra, Amazon's us-west will be pretty close.

**PCAP access!** This year, we once again put the decision of releasing PCAPs in YOUR hands. Each service will have a STEALTH port alongside its normal port. The stealth port will be 10000+SERVICE_PORT, so If a challenge listens on port 1337, the stealth port will be 11337. The stealth port hits the exact same challenge endpoint as the normal port, but traffic through that port will not be released to the victim team. But beware: maintaining backdoor access to other teams ain't cheap! If your team sends any traffic through a service's stealth port to a given team, you will only receive half points for stealing that team's flag that round.

**What are OOO's DEF CON CTFs like?** Prepare for trouble, and make it double! If you're new to the game, you might want to get a feel for our style by reading prior writeups by player(s):

- DEF CON 28:
- DEF CON 27:
- DEF CON 26:

Or viewing our prior challenges:
Or reading our own writeup of last year:
Or reviewing archives of tons of data from prior years:

In the archives, please take a special look at the game state JSON. We will communicate this to you with a brief time delay, and it gives you a near-complete view of the state and history of the game up to that point. Please make absolutely sure to familiarize yourself with last year's JSON ( We're not guaranteeing that this year's will be identical, but last year's will be a great start.
Games? You want games, I'll give you games. The Master Control Program
has chosen you to serve your system on the Game Grid. If you fail to
obey commands, you will be subject to immediate de-resolution. Order
of the Overflow will see you in Vegas. Important information is below.

What: Before you can get into DEF CON, you must provide an original,
signed, vaccination card, with the final COVID-19 vaccination dose
dated no later than July 22nd, 2021. Once this is verified, you’ll
receive a wristband that must be worn at all times while in DEF CON.
More info can be found here:

Badge Pickup: Thursday, August 5th, 9:00 – 10:00am.

Capture the Flag Hours (all times local to Las Vegas):

- Fri, Aug 6, 10am-8pm, set up begins at 9am
- Sat, Aug 7, 10am-8pm, set up begins at 9am
- Sun, Aug 8, 10am-2pm, set up begins at 9am

Discord: Plan on it, even in Vegas.

Discord info:

Attention teams! ... will not be heard, except if you're in Vegas and Zardus is in the mood.

Instead, game announcements will be made on DEF CON's discord #ctf-announcements-text.
We will mirror some on Twitter, but the canonical source is Discord.

Captain meetings will happen on ctf-captains-voice.
There is also a #ctf-captains-text channel. The internal ticketing system remains the chief team-OOO communication system, but we may ask you to post game-wide issues on Discord to keep things fair and visible to all (note that even internal tickets become public after the game together with the rest of the database). You're also welcome to use this channel if #ctf-discussion-text gets too noisy.
You must keep an eye on these sources even if you're physically in Vegas.

To get access, each team must reply with a short list of Discord user IDs, like this:
    zardus 839381277307830302
    crowell 841831894299312168
Each team must send at least one, it's strongly recommended to send at least two, and it's fine to have a few more, just don't exaggerate and make it hard for us to keep track of who's who. Each user will get the 'ctf-captain' role.
To copy the ID:

Finally, be nice to noobs that pop up in the channel asking for info on other CTFs. On Discord we have the "ctf-ooo" role. Goons are red. If you don't have an account there yet, remember to complete the captcha after registering. Official info:


<Any question about DEF CON’s COVID vaccination check>

COVID vaccination checks are completely out of our hands, and we’re not involved in any way, so we cannot answer questions about it. The rules are the same for CTF players as it is for DEF CON attendees, so we cannot give you advice about it or answer questions. Please see the information provided from DEF CON about COVID vaccination requirements.