DEF CON CTF 2019 was held Friday, August 9th through Sunday 11th in Planet Hollywood.
Based on an excellent qualification round, 16 teams accepted our invitation to compete for the glory of winning the official DEF CON CTF.
The Plaid Parliament of Pwning (PPP) emerged victorious once again.
Players, it was an honor to play with you. Everyone, we hope you enjoyed our work and will play next year. Join a team, win one of the awesome pre-qualifying CTF events, or play our online qualifier.
We are also gradually releasing service source code and reference exploits: see OOO’s github.
1. Plaid Parliament of Pwning 973 2. HITCON⚔BFKinesiS 772 3. Tea Deliverers 590 4. A*0*E 564 5. mhackeroni 556 6. Samurai 399 7. Sauercloud 375 8. r00timentary 359 9. SeoulPlusBadAss 331 10. Shellphish (tied) 284 10. r3kapig (tied) 284 12. KaisHack GoN 281 13. saarsec 235 14. TokyoWesterns 215 15. CGC 110 16. hxp 67
JSON with all recorded exploitation events and scores: final_tick.json.
Pcaps will be available from DEF CON’s website in a few days.
All event data is being released, and most of it was available (with a delay) to players during the first two game days. We strive to be fully transparent and welcome recalculations. For more info see our philosophy.
The Order has continued from prior tradition, but uses two types of services: Attack/Defense and King of the Hill. The former format is familiar: you exploit other teams’ services to steal their flags, and protect your own. King of the Hill is different: you compete against other teams for the best solution, which depends on the service in question.
To attack a team’s Attack/Defense service, connect to 10.13.37.X, where X is the victim team ID. To attempt a King of the Hill, connect to 10.13.37.Y, where Y is YOUR team ID.
Services will go through a simple lifecycle, which is shown on the scoreboard. They begin their life as green, unexploited services. Once they are exploited, they become yellow. After significant exploitation of the service has occurred by several teams, or the service reaches a steady state, the service becomes orange and network traffic for the service will be released. A service will become red when it has been played out. After this, the Order may retire the service at any time. Inactive service might still be accessible for interested parties, but they will no longer be scored and no flags from them will be accepted. They will not re-activate.
Score takes into account three factors: attack points (earned by stealing flags from other teams’ Attack/Defense services) will account for 40%, defense points (earned by resisting attacks against YOUR Attack/Defense services) will account for 40%, and KoH points (earned by top solutions of King of the Hill challenges) will account for 20%.
Note that there is no “SLA” or “uptime” here.
Defense points accumulate by 1 for each of your services that is unexploited in a tick where successful exploits are launched.
Attack points accumulate by 1 for each flag that you retrieve, except for your own.
King of the Hill points depend on the quality of your solution. Each tick, all teams tied for first place will get 10 points. Teams tied for second will get 6, teams tied for third will get 3, teams tied for fourth will get 2, and teams tied for fifth will get 1. Other teams will not receive points. The Order encourages you to consider hacking harder.
The three types of points are normalized (compared to the top performer in each category) to account for 40%, 40%, and 20% of the total points of a team, respectively.
Sent to the teams on August 7th, 2019:
Attention, Hackers! In the future, there are no vulnerabilities in _/any/_ platform, not **just** GNU/Linux. In order to prepare yourself for a view of the future of bug-free computing, there are a few tools you'll need to bring from the past. It is _/highly/_ suggested to take all of the following with you. Microsoft Windows + Visual Studio - If you don’t have a proper install, https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ can probably work in a pinch - https://visualstudio.microsoft.com/vs/community/ MacOS + XCode + iOS SDK - If you don't have a physical Mac in your hands, don’t fret. https://github.com/foxlet may have a solution for you - https://developer.apple.com/news/releases/ Any GNU/Linux distribution with proper toolchain + Android SDK - https://www.debian.org/ - https://gcc.gnu.org/ - https://clang.llvm.org/ - https://developer.android.com/studio FreeBSD (comes with toolchain) - https://www.freebsd.org/ While we can't tell you exactly what the future will bring, and you may not need everything listed on your journey, it's better to come prepared, and you may need more of these tools than you think! See you... in the future! OOO
Sent to the teams on August 2nd, 2019:
Hello teams! We hope you are excited, because DEF CON is one week away! Here is some information to help you finalize your infrastructure setup. Organizational info (badge pickup, etc.) will be sent out shortly. - The game will start at 10am on Friday morning. Eight people per team can get in to set up starting from 9am. - If all goes well, you will have four tables, arranged in a square, with eight chairs inside them. You may not have more than eight people at the table. This is a hard limit, and if you violate it, we will disqualify you. Where the rest of your team hacks from is up to you. - We will provide the compute to host services. - We will run one power cable and one ethernet cable for each team. You will access the game over the ethernet cable using good old-fashioned ipv4. We plan to provide internet access over this same link, however, this depends somewhat on the hotel's cooperation, so please be prepared for the contingency where we don't have internet, have filtered internet, or the world suddenly switches to FreeBSD and ipv6. - Please come equipped to display video over HDMI (i.e., bring a monitor with HDMI input and an HDMI cable). See you in Vegas! - OOO