DEF CON CTF 2017 Final Scores and Data Dumps

We'd like to again congratulate every team that played our final finals at DEF CON 25 this past weekend. We're very happy every team was able to score and patch services on our brand new cLEMENCy architecture. It was a lot to ask of our competitors, and we couldn't be more thrilled with their collective performance this weekend.

5Tea Deliverers813941
8Eat Sleep Pwn Repeat29369
10Lab RATs158564
12Team Rocket ☠️148496
n/aLegitimate Business Syndicate1637

The last-place "Legitimate Business Syndicate" team is where left over remainder flags end up before being reassigned.

The database dump and service binaries are signed with the GPG key available at,, and

Service binaries are named with this pattern: "#{team_id}-#{service_id}-#{digest}.bin". Team IDs are above, service IDs are as follows:


The cLEMENCy Architecture

Good morning, and welcome to DEF CON 25.

We are pleased to announce the general availability of the cLEMENCy architecture developed by Lightning for DEF CON CTF. This release includes architecture documentation and an emulator with built in disassembler and debugger.

The documentation and emulator are signed with the GPG key available at,, and

No warranty or support is provided for the documentation or emulator.

Updated Versions

Links to documentation are updated both above and in this section. Older docs are purely for historical interest.

Original 2017-07-27 0900 Vegas Time
emulator emulator signature docs signature
Updated 2017-07-27 1159 Vegas Time
docs signature
Updated 2017-07-28 0900 Vegas Time
emulator signature

Files from 2017 Qualifiers

Here are the files for each DEF CON CTF 2017 Qualifiers challenge. Challenge text is for reference only, the challenge servers are no longer available.

Baby's First


I really like to be beaten but keep it on the dl.

Connect to: 6969



send me some messages


What's that over there?


Welcome to 2017 DEF CON Quals! 57348

Potent Pwnables

Leo es Pequeno

You boys like Mexico?!


Enjoy some badint at


Shall we play a game? 80


Hush, you. 443


Are you a chicken?

reeses revenge

Two great tastes that taste great together:


From the author of dosfun4u comes a new idea and challenge. Show me what you got!


Huge thanks to Federico Faggin for making this challenge possible!

Reverse Engineering


Black box design, is it the answer to the universe?

No files

Pepperidge Farm

Remember when the first CTF was run with a custom architecture? Pepperidge Farm remembers:


Running here:

Get crackin'


Do you trust us?


Enjoy a finals classic from 2015, hackermud, @


Slay the giant lizard at



We have heard your bitching and agree, there were far too many challenges written in C last year.

Also... Yay, finally a web one!!!!

Connect to: 80

and qwitcherbitchen or not, we don't really care.

Crackme 2000







Babysit First


thing2 loves you 8454

2016 DEF CON CTF Final Scores

We are pleased and honored to announce the results of DEF CON CTF 2016.

Team Final Score
PPP 113555
b1o0p 98891
DEFKOR 97468
HITCON 93539
KaisHack GoN 91331
LC↯BC 84412
Eat Sleep Pwn Repeat 80859
binja 80812
pasten 78518
Shellphish 78044
9447 77722
Dragon Sector 75320
!SpamAndHex 73993
Mayhem 72047

Congratulations to our top three teams PPP, b1o0p, and DEFKOR. We would also like to congratulate all competing teams for spectacular performances all around. This year’s game was a drastic departure from previous DEF CON CTF games, and we appreciate the sacrifices you made to compete in it. Finally, we would in particular like to congratulate Mayhem, from For All Secure, for their spectacular performance as the first autonomous computer system to play DEF CON CTF. While Mayhem did finish in last place, many times throughout the game it was able to pull ahead of human teams.


At DEF CON, we noticed that contrary to what was communicated to some teams, proofs-of-vulnerability (PoVs) were not being re-run in successive rounds after submission. Since this was an error on our part, we committed to fixing them up after the fact, which took longer than expected.


In the coming days, we have more data we will be releasing:

  • Complete SQL dump of game state, both the during-DEF CON game run, and the post DEF CON game run that corrected some scoring issues
  • Complete source code of the game engine
  • Complete source code of challenges
  • Additional infrastructure and tooling for running CGC challenges
  • Packet captures from the rescoring run


Once again, thanks for everyone who helped make DEF CON CTF a reality this year: our fifteen finalist teams, everyone who played in qualifiers, DEF CON goons, DEF CON staff, and the CTF community around the world. See you in 2017!

DEF CON CTF 2016 is using the Cyber Grand Challenge Game Format

In 2016, DEF CON CTF will use the same game format as the DARPA Cyber Grand Challenge (CGC). It will not be the same attack-defense format it has been in previous years. The challenges will all be DECREE x86 binaries, instead of a wide sampling of challenge formats. Grab a beverage and some index cards, it's complicated.

What is the Cyber Grand Challenge game format?

The CGC game format is notionally similar to attack-defense. Teams receive vulnerable software, field patched versions, and launch exploits against other teams. The big differences are what aspects of the game teams control, and the role the scoring system plays in running the game.

We Hope You Like APIs

Because DEF CON CTF 2016 will feature the winning autonomous Cyber Reasoning System (CRS) from the Cyber Grand Challenge, our scoring system will provide the same APIs as CGC to all teams.

There will be a human-friendly interface that supports every feature of the CRS APIs. The CGC API is available today, and you can get a leg up on competitors by building tooling around it in advance. You did build baby’s first CRS for the thousand cuts quals challenges, right?

Virtual Competition is a CGC game API simulator that can be run locally. The virtual-competition source is also available.

Teams Don’t Control a Server

Attack-defense teams are usually given a privileged account (although maybe not root) on servers, which allows them to replace binaries, kill errant processes, and other activities.

In CGC-format games, teams don’t have privileged access to the servers that run their software; instead, they upload software as a DECREE Replacement Challenge Binary (RCB) directly to the scoring system. Finally, teams don’t launch their own exploits; instead, teams build exploits using one of the DECREE Proof-of-Vulnerability (PoV) formats, and upload them to the scoring system.

Understanding Proofs of Vulnerability is a high-level overview of how PoVs work. The sample challenge sets NRFIN_00073, CROMU_00070, and CROMU_00071 have working examples of PoVs that can be tested locally.

The virtual-competition system can accept and validate uploads of RCBs, firewall rules, and PoVs, but only stores them, and doesn't run them.

Teams Get a Programmable Firewall

Unlike previous Legitimate Business Syndicate games, defending teams have the option of writing firewall rules for the CGC network appliance. Just like RCBs and PoVs, these are uploaded to the scoring system.

Additionally, the firewall provides dumps of both poller and PoV traffic to teams over UDP.

Using the Network Appliance from the CGC documentation is a good starting point for how to make firewall rules. The network appliance implementation provided by DARPA is open-source. cb-packet-log is a tool for receiving packet dumps from the firewall.

Patched Challenges and Firewall Rules Are Shared

There’s very limited security-by-obscurity in commercial, industrial, and open-source software. Patches are analyzed to understand the vulnerability they fix, new software can be tested in lab conditions, third-party patches for major vulnerabilities aren’t unheard-of, and there’s little to be done about it.

Replacement challenge binaries and firewall rules will be shared among teams as they’re fielded. This means you can figure out how PPP’s patching progressed, or just field their binary yourself #yolo

How Do We Play It?

Just like DEF CON CTF years past, the game is divided into rounds. During each round, the functionality of teams’ challenges is evaluated, exploits fire, teams upload new stuff, and scores change. There is a bit of lag, and that’s where things get interesting.

Game Start

At game start, teams will be able to grab a list of currently-enabled challenge sets, and download the challenge binaries for them. As the game progresses, more challenge sets will be come available, and teams will download fresh binaries for them.


The challenge binaries are DECREE executables. Analyze them how you wish.

In addition to the CBs, traffic tested against binaries fielded by your team is sent to you. This includes both poller and exploit traffic.


In round 16, team “ShadyTel” has got an exploit that they’d like to field against “Milliways.” They create a C-based PoV for the exploit, and upload it the the scoring system. It’s an unreliable exploit, so they want to run it ten times per round.

curl --digest -u shadytel:loud \
  -F throws=10 \
  -F csid=LEGIT_00006 \
  -F [email protected]_milliways \
  -F team=2 \

Starting in round 17, the scoring system runs the ShadyTel PoV against the Milliways challenge set ten times, mixed in with regular poller traffic. If it negotiates and successfully proves a register control (Type 1) or private memory disclosure (Type 2) vulnerability, ShadyTel gets offense points and Milliways loses them.


Milliways sees the ShadyTel PoV traffic (it ran ten times a round, super noisy), confirm that they’re vulnerable to it, and produce a patched Replacement Challenge Binary. They upload it in round 20.

curl --digest -u milliways:dome \
  -F csid=LEGIT_00006 \
  -F [email protected] \

In round 21, Milliways fails all their pollers by design. Patching has a cost. Any PoVs against it automatically fail too. Milliways' new RCB also becomes available to other teams. ShadyTel downloads it. So does team “Psychoholics.”

curl -f --digest -u shadytel:loud \

In round 22, Milliways’ new RCB passes pollers.


During their analysis, the Psychoholics notice that their in-progress replacement has already fixed the vulnerability Milliways patched, but that Milliways also tuned up some code to require less space, use less memory, and run faster. They gank it for their patch, since in addition to being graded on security and availability, teams are graded on efficiency as well.

curl -f --digest -u psychoholics:pdp11 \

But You Don’t Have To Take My Word For It

CGC is an unprecedented investment in the future of CTF, and while it feels extremely academic today, we're confident that CGC-derived technologies are going to be a fixture in CTF from now on. We’re extremely excited to see what the future of CTF will be like, and we think you will be too.

Quals Wrapup


DEF CON 2016 CTF Qualifiers are officially over. Thanks to everybody who came by our IRC this weekend and played in our game. HUGE props to PPP, who solved every challenge available with just under 6 hours left in the game.

Source code to all of our challenges from this year is already up and posted on our github.

In addition to source code, the challenges, as they ran, are all available on Docker Hub. If you want to run a challenge from this year, it's as easy as `docker run -it legitbs/challengename`. Our docker hub page is

In the coming days, we will be contacting the team captains of all the teams who qualified to confirm participation in finals. Please be on the look out for this email.

As a reminder: this year, DEF CON CTF Finals will be running on DECREE. We will be inviting the winning CRS from DARPA's Cyber Grand Challenge to compete against our qualified humans to see if they can stave off the Rise of the Machines. Details of the finer details of our game are forthcoming, be on the lookout for that.

From all of us at Legitimate Business Syndicate, we thank you for letting us run your Capture The Flag. We hope everybody had a good time playing, and we look forward to seeing all of you at the Bally's Event Center in Las Vegas!

DEF CON CTF Qualifiers for 2016 Starting Soon

Hey, we're running online qualifiers for DEF CON CTF at midnight UTC (five hours from now), and you should play them.

Really Obvious Foreshadowing

Quals this year have a lot of references to DARPA Cyber Grand Challenge technologies. If you have no idea what that is, read our CGC for Hackers series of posts. If you do have an idea of what that is but are fuzzy on some of the details, read those posts, and maybe also tear into our collection of CGC technical documentation. If you get bamboozled by all of the above, perhaps keep our CGC Glossary handy too.

• vito goes back to the flag mines…