Our goal is to run a challenging CTF that is as fair as possible. In that spirit, we present the rules, which are meant to keep things fair and, hopefully, fun.
We hope that you play with the spirit of competition and adopt a competitive, fair play, and positive sports(person/man/women)ship attitude.
- No Denial of Service—DoS is super lame, don't do it or you will be banned
- No sharing flags, exploits, or hints—Do your own hacks
- No attacks against our infrastructure—Hack the challenges, not us
- No automated scanning—For these challenges, do better
We do adaptive scoring based on the number of solves: starting at 500 and decreasing from there (based on the total number of teams that solved the challenge).
We released a scoring playground so that teams with questions or concerns about the exact scoring algorithm can see how that affects the overall ranking.
Challenge Release Schedule
We will release challenges throughout the competition as we see fit. We base these decisions on the flow of the game and the availability of the humans that wrote the challenge. We will not release any challenges less than 12 hours before the end of the competition (except for patches for shortcut solutions).
We strive to develop challenges that stretch and test everyone's skills. We also test the challenges to ensure that there's ~one intended path/solution.
Unfortunately, we are human and mistakes happen. Our policy will be: if we see that a challenge has been solved within what we consider to be a short time from launch by a "shortcut solution", then we might release an updated version.
Unless otherwise noted, all flags will be in the format:
NOTE: You must submit the whole thing, including the
Unless otherwise noted in the challenge description, all flags will be located at:
Proof of Work (POW)
We may implement a POW in front of a challenge if we feel it is necessary.
Please don't make it necessary.
Do not expect hints. Particularly if a service is already pwned, it would be unfair to give one team a hint when it's already solved.
We do appreciate issue reports and if we feel that something is significantly wrong, then we will update the description and tweet about it. If you straight up ask for hints on Discord, expect to be referred to this page.
The one exception to this rule is any challenge marked with the tag
These challenges are (in our estimation) on the easy side, and we will
hint and help people on these challenges. There will only be a few
Twitter and Discord
All game announcements will be made through our Twitter account @oooverflow.
Times change, and we must change with them. We're using the official DEF CON Discord: discord.gg/defcon. You should hang out with us in the CTF area.
Flag Submission Delay
Flags can be submitted once every 30 seconds per challenge.
There is no limit on team sizes.
We collect pcaps for almost all challenges. They will be released after the game, anonymized.
You can find your own traffic (after the fact). To do so, during the game, run
nc -v my-pcap-ip.oooverflow.io 5000
If you use multiple IPs to connect to the game, remember to run that command from all of them.
Info on prequals, etc.
See our main website.
Who are you anyway?
We are the Order of the Overflow. We are the current host of DEF CON CTF (Quals and Finals).
OMG I'm insanely confused
It's a hacking competition, and the DEF CON CTF is a hard one at that.