Rules Philosophy

Our goal is to run a challenging CTF that is as fair as possible. In that spirit, we present the rules, with the goal of keeping things fair, and hopefully fun.

We hope that you play with the spirit of competition and adopt a competitive, fair play, and positive sports(person/man/women)ship attitude.

Basic Rules

  • No Denial of Service—DoS is super lame, don't do it or you will be banned
  • No sharing flags, exploits, or hints—Do your own hacks
  • No attacks against our infrastructure—Hack the challenges, not us
  • No automated scanning—For these challenges, do better


We do adaptive scoring based on the number of solves: starting at 500 and decreasing from there (based on the total number of teams that solved the challenge).

We released a scoring playground so that teams with questions or concerns about the exact scoring algorithm can see how that affects the overall ranking.

Challenge Release Schedule

We will release challenges throughout the competition as we see fit. We base these decisions on the flow of the game and the availability of the humans that wrote the challenge. We will not release any challenges less than 12 hours to the end of the competition (except for patches for shortcut solutions).

Shortcut Solutions

We strive to develop challenges that stretch and test everyone's skills. We also test the challenges to ensure that there's ~one intended path/solution.

Unfortunately, we are human and mistakes happen. Our policy will be: if we see that a challenge has been solved within what we consider to be a short time from launch by a "shortcut solution", then we might release an updated version.

Flag Format

Unless otherwise noted, all flags will be in the format: OOO{…}

NOTE: You must submit the whole thing, including the OOO{…}.

Flag Location

Unless otherwise noted in the challenge description, all flags will be located at: /flag

Proof of Work (POW)

We may implement a POW in front of a challenge if we feel it is necessary.

Please don't make it necessary


Do not expect hints. Particularly if a service is already pwned, it would be unfair to give one team a hint when it's already solved.

We do appreciate issue reports and if we feel that something is significantly wrong, then we will update the description and tweet about it. If you straight up ask for hints on Discord, expect to be referred to this page.

The one exception to this rule is any challenge marked with the tag easy. These challenges are (in our estimation) on the easy side, and we will hint and help people on these challenges. There will only be a few challenges marked easy.

Twitter and Discord

All game announcements will be made through our Twitter account @oooverflow

Times change, and we must change with them. We're using the official DEF CON discord You should hang out with us in the CTF area.

Flag Submission Delay

Flags can be submitted once every 30 seconds per challenge.

Team Size

There is no limit on team sizes.

Public pcaps

We collect pcaps for almost all challenges. They will be relased after the game, anonymized.

You can find your own traffic (after the fact). To do so, during the game, run nc -v 5000

If you use multiple IPs to connect to the game, remember to run that command from all of them.

Info on prequals, etc.

See our main website.

Who are you anyway?

We are the Order of the Overflow. We are the current host of DEF CON CTF (Quals and Finals).

Info about us and our philosophy is here and we're reachable at

OMG I'm insanely confused

It's a hacking competition, and the DEF CON CTF is a hard one at that.

You might want to start with something easier, maybe from our archive -- more info or start your hacking journey at