Announcing DEF CON CTF 2016 Qualifying Contests

We are pleased to announce the qualifying events for DEF CON CTF 2016! We've spent a great deal of time reviewing a record number of proposals, and had to make some very difficult choices. We'd like to thank everyone in the CTF community who took the time to send us proposals: even if we weren't able to accept your proposal, your contest is important to us and the larger CTF community.

Without further ado, the qualifying contests, in order of start date:

Event Start Date End Date Link Notes
DEF CON CTF 2015 May 16, 2015 August 9, 2015 https://legitbs.net/ Qualified DEFKOR
HITCON CTF October 17, 2015 December 6, 2015 http://ctf.hitcon.org/ Qualified Cykorkinesis
RuCTFE November 21, 2015 November 21, 2015 https://ructf.org/e/2015/ Qualified StratumAuhuur
SECCON CTF December 5, 2015 January 31, 2016 http://ctf.seccon.jp/ Online Jeopardy quals, finals on-site in 2016
32C3 CTF December 27, 2015 December 29, 2015 https://32c3ctf.ccc.ac/ Online Jeopardy style
Boston Key Party March 4, 2016 March 6, 2016 http://bostonkeyparty.net/ Online Jeopardy style
0ctf March 12, 2016 April 24, 2016 https://ctf.0ops.sjtu.cn/ Online Jeopardy quals, finals on-site in 2016
PlaidCTF April 15, 2016 April 17, 2016 https://twitter.com/plaidctf Online Jeopardy style
DEF CON CTF 2016 Qualifiers TBA TBA https://legitbs.net/ Online Jeopardy style, qualifying multiple teams
DARPA Cyber Grand Challenge August 4, 2016 August 4, 2016 http://cybergrandchallenge.com/ All-machine competition!!! On-site in Las Vegas

Want to qualify for DEF CON CTF?

The only way to qualify is through competition! Most qualifying teams compete in every contest they can, including CTF events that aren't prequalifiers, to learn the flow of the game and the experience of solving challenges.

Qualified Teams:

We will be in contact with you soon!

Updated Feb. 3, 2016

Adjusted the date for 0ctf to March 12, 2016.

How to be a DEF CON CTF 2016 Qualifying Competition

There are several ways to qualify for DEF CON Capture the Flag 2016: win DEF CON CTF 2015 (congratulations DEFKOR!), qualify through DEF CON CTF 2016 Qualifiers (more news on this in 2016), or win a "qualifying competition." If you run a Capture the Flag or other computer security competition and want to have your winners move on to DEF CON finals, you can become a DEF CON CTF 2016 Qualifying Competition!

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Running a Competitive Competition

DEF CON CTF competitors are the best in the world. When less-qualified teams compete, they don’t enjoy the game, and don’t provide a lot of enjoyment for other teams either. Therefore, we must ensure  only the most qualified teams are invited. Our standards are as follows:

  1. Your competition MUST be open to all. You MUST NOT restrict entry or winning to students or professionals. You MAY structure your game with separate qualifying and finals events.
  2. You MUST NOT charge a fee to competitors, except for normal admission to a conference.
  3. Your competition MUST allow teams of at least four people.
  4. You MUST publish a final scoreboard within seven days of competition ending.
  5. You MUST be able to privately share the winning team’s contact information with us within seven days of competition ending.
  6. You MUST NOT publish personal information about competitors without consent.
  7. You MUST NOT require consent to publish personal information from competitors or winners.
  8. You MUST NOT announce DEF CON CTF qualifying status prior to a Legitimate Business Syndicate announcement of same.
  9. You MUST either have run a competition previously, or be willing to share details and challenge samples with Legitimate Business Syndicate prior to approval.
  10. Your competition MAY have both offensive and defensive components.
  11. Your competition MAY be either online or local/in-person, or both!

If you don’t or can’t meet these requirements, please don’t ask for an exception. It’s possible we might not be a good fit for your competition as designed, and we don’t want to force you to compromise how you run your event.

Sending a Proposal

Send us an email to [email protected] before Midnight, Dec. 1, 2015 (1449014400) with answers to the following questions:

  1. Who is your group?
  2. What is your game named?
  3. Where and when are you hosting it?
  4. How do you design and build challenges?
  5. What’s your favorite vulnerability or exploit (CVE-number or well-recognized name)? Why?
  6. Do you have a favorite CTF challenge or service? How did you solve it?
  7. How do you plan to handle cheating?
  8. Have you or members of your team ever organized a CTF before? Provide details.
  9. Have you or members of your team participated in a CTF event? Provide details.
  10. How many people are involved in the following: challenge writing, game design, infrastructure, and support?

The earlier we get your submission, the earlier we'll read it and form a concrete opinion. Slots are limited. Expect a response by Dec. 9, 2015.

Rules, Disclaimers, and Caveats

  1. Legitimate Business Syndicate may terminate your qualifying event status at any time for any reason, including reasons not covered in this document.
  2. Competitions that publicly publish personal information about competitors will be forbidden from being qualifying events.
  3. Competitions that announce their qualifying event status before a Legitimate Business Syndicate announcement of their status will be forbidden from being qualifying events.
  4. Legitimate Business Syndicate reserves the right to use your competition’s name, logo, and description in promotional materials.
  5. Legitimate Business Syndicate will not use your or your competitors’ contact information for anything besides internal decision-making and official game communication.

All qualifying competition decisions made by Legitimate Business Syndicate members are final.

DEF CON CTF 2015 Score Data Releases

We're releasing several pieces of scoring data today, ready to download and analyze as you see fit.

Finals Visualizer

We've replayed all the redemption events from DEF CON CTF 2015 Finals into this YouTube video for your viewing pleasure.

Qualifiers Data Dump

Much like our 2014 data dump, this release includes JSON dumps of categories, challenges, notices, teams, and limited user information, and more importantly, offline-browsable HTML pages about teams, challenges, and more!

Download the DEF CON CTF 2015 Qualifiers data dump from https://files.legitbs.net/statdump_2015.tar.bz2, and verify its cryptographic signature using Vito's previously-published public key.

Finals SQL Dump

Want to get exhaustive detail about scoring in DEF CON CTF finals? This Postgres 9.4.1-compatible SQL dump file is what you want.

Installation

  1. Have PostgreSQL 9.4.1 or newer installed. 9.3 or older may work but has not been tested.
  2. OPTIONAL: verify that you downloaded an official dump. More instructions below.
  3. Create a database named scorebot-2015. From the command line: createdb scorebot-2015
  4. Load the pgdump file into the database: pg_restore -d scorebot-2015 scorebot-2015.pgdump
  5. Query it:
    > psql scorebot-2015
    psql (9.4.3)
    Type "help" for help.
    
    scorebot-2014=# select id, name, dupe_ctr from teams order by name asc;
     id |             name              | dupe_ctr
    ----+-------------------------------+----------
      9 | !SpamAndHex                   |        0
     12 | 0daysober                     |     2289
     11 | 0ops                          |        0
      6 | 9447                          |     1549
      2 | Bushwhackers                  |        0
     10 | CORNDUMP                      |        0
      5 | DEFKOR                        |       11
     13 | Dragon Sector                 |        4
      7 | Gallopsled                    |        0
      4 | HITCON                        |        0
     15 | LC↯BC                         |        1
     16 | Legitimate Business Syndicate |        0
      1 | Plaid Parliament of Pwning    |    18441
      3 | Samurai                       |        0
     14 | Shellphish                    |        0
      8 | blue-lotus                    |        0
    (16 rows)
    

Validating and Verifying These Dumps

Once you've downloaded the dump files, you can check its signature against Vito's public GPG key.

  1. Obtain Vito's public key from this blog, Keybase.io, or the MIT Public Key Server .
  2. Install the key in your GPG keychain.
  3. Run gpg --verify scorebot-2015.pgdump.sig. You should see output similar to:
    > gpg --verify scorebot-2015.pgdump.sig
    gpg: assuming signed data in 'scorebot-2015.pgdump'
    gpg: Signature made Fri Aug 28 20:04:57 2015 EDT using RSA key ID C81CA674
    gpg: Good signature from "Vito Genovese " [unknown]
    gpg:                 aka "keybase.io/vito " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3D67 0192 A797 5173 646C  79D3 B07D 6161 43CA A77B
         Subkey fingerprint: D586 0919 7A9F 6055 BF1D  F3E9 18A0 1190 C81C A674
    

2015 DEF CON CTF Final Scores

We are pleased to announce the 2015 DEF CON Capture the Flag final scores.

Team NameFinal Score
DEFKOR23949
Plaid Parliament of Pwning19896
0daysober17943
HITCON13560
blue-lotus12442
0ops11306
Dragon Sector11288
Samurai10742
Shellphish10591
LC↯BC9941
!SpamAndHex9461
Gallopsled8608
94478410
CORNDUMP7508
Bushwhackers7447

How Scoring Worked

Before game start, we had a set of regular game services (that might or might not ever be enabled), and two LiveCTF services. Each team has an instance of a service (15+1 teams, 11 services, 176 instances), and every non-legitbs instance was given 1337 flags, for a total of 220,605 flags in the game. Ignoring the never-scored services and LiveCTF, (15 teams * 6 services * 1337 flags =) 120,330 flags were in play.

Similar to 2014, failing availability would cause a team to lose 14 flags divided evenly among their opponents. Getting owned (having a token stolen and redeemed) would also cause a team to lose 14 flags divided evenly among the teams that redeemed the token, with any remainders assigned to us until enough remainder existed to dole out to all the teams scoring that service.

LiveCTF was scored differently. The first team to finish LiveCTF qualifiers (DEFKOR) received 600 flags, and the next two teams (LC↯BC and PPP) received 300 and 200 flags, respectively. The other teams that finished (0daysober, Samurai, Shellphish, HITCON, and 9447) received 100 flags each. LiveCTF finals awarded 1000 points to the first team finishing, PPP.

Breakdown by Service

team \ servicerxcirkdtachikomaombdsuhackermudbadloggerlivectf_qualslivectf_finals
ppp3488117938592528136822632001000
bushwhackers0138900120384400
samurai012541129802127821681000
hitcon230413293871313386041000
defkor6746135926243731136835106000
team-94475514043871138310691000
gallopsled01359527559135379900
blue-lotus8761299146520781323139000
spamandhex013442861578136887400
corndump1129900133885900
0ops21701389110311383124900
0daysober2095128416056216133812941000
dragonsector219013891220461132369400
shellphish12814193792057133811591000
lcbc01359160039135312793000
legitbs2001001845519055

But Wait, There's More!

We have more releases planned in the coming days and months:

End of August, 2015
Supplemental scoreboard material: 2015 Quals data dump, 2015 Finals visualization, 2015 Finals SQL dump
End of November, 2015
2014 and 2015 Quals and Finals services

Thanks

Thanks to everyone who made DEF CON 23 CTF our best game yet: DEF CON goons, DEF CON staff, our fifteen finalist teams, the Capture the Flag community around the world, and everyone who came by our contest area to experience CTF first-hand! See you all in 2016!

DEF CON 23 Finalists

Greetings,
Congratulations to the following teams, who have qualified and accepted spots in the DEF CON 23 Capture The Flag.
Team NumberTeamQualifying Event
1Plaid Parliament of PwningDEF CON CTF 2014 Finals
2BushwhackersRuCTFE
3SamuraiGhost in the Shellcode
4HITCONBoston Key Party
5DEFKORDEF CON CTF Qualifiers
69447DEF CON CTF Qualifiers
7GallopsledDEF CON CTF Qualifiers
8blue-lotusDEF CON CTF Qualifiers
9!SpamAndHexDEF CON CTF Qualifiers
10CORNDUMPDEF CON CTF Qualifiers
110opsDEF CON CTF Qualifiers
120daysoberDEF CON CTF Qualifiers
13Dragon SectorDEF CON CTF Qualifiers
14ShellphishDEF CON CTF Qualifiers
15LC↯BCDEF CON CTF Qualifiers
We look forward to seeing everybody out in Las Vegas. Even if you didn't qualify for our game, we hope to see anybody interested in CTF in our room, in the corner of the Bally's Event Center.

2014 Finals Scorebot SQL Dump

"I want to download and audit the Scorebot from DEF CON 22 CTF just like I did for DEF CON 21 CTF finals ."

Installation

  1. Have PostgreSQL 9.3 or newer installed. 9.2 may work but has not been tested.
  2. OPTIONAL: verify that you downloaded an official dump. More instructions below.
  3. Create a database named scorebot-2014. From the command line: createdb scorebot-2014
  4. Load the pgdump file into the database: pg_restore -d scorebot-2014 scorebot-2014.pgdump
  5. Query it:
    > psql scorebot-2014
    psql (9.4.3)
    Type "help" for help.
    
    scorebot-2014=# select id, name, dupe_ctr from teams order by name asc;
     id |             name              | dupe_ctr
    ----+-------------------------------+----------
     12 | (Mostly) Men in Black Hats    |       14
      2 | 9447                          |     1445
     19 | BalalaikaCr3w                 |        0
      8 | CodeRed                       |        2
     15 | Dragon Sector                 |    11880
     18 | Gallopsled                    |        0
      9 | HITCON                        |   112320
     11 | HackingForChiMac              |    40824
      6 | KAIST GoN                     |     5452
     21 | Legitimate Business Syndicate |        0
     14 | More Smoked Leet Chicken      |    39797
      1 | Plaid Parliament of Pwning    |   158842
      3 | Reckless Abandon              |        0
      4 | Routards                      |        0
     17 | Stratum Auhuur                |       10
     16 | [SEWorks]penthackon           |       29
     20 | binja                         |        0
     10 | blue-lotus                    |       10
      5 | raon_ASRT                     |     1096
      7 | shellphish                    |        0
     13 | w3stormz                      |      253
    (21 rows)
    

Analyses We've Seen Before and Analyses We'd Like To See

Willem Vandercat of ROPtimus Prime posted a great analysis of our 2013 data called A BS Analysis Based on Legit Data, and in our follow-up A Legit Analysis, we noted that we didn't store enough data for accurate replay both due to oversights and programming errors.

We hope that our 2014 data are more complete: this is one reason the dump is 84MB instead of 4.6MB. In particular, we've included a penalties table that connects failed availabilities to penalty flag transfers, and added a log of availability script output to the availabilities table. In particular, we've addressed the flaw about not storing enough data to accurately replay or rescore the game.

Validating and Verifying a Database Dump

Once you've downloaded the .pgdump file, you can check its signature against Vito's public GPG key.

  1. Obtain Vito's public key from this blog, Keybase.io, or the MIT Public Key Server .
  2. Install the key in your GPG keychain.
  3. Run gpg --verify scorebot-2014.pgdump.sig. You should see output similar to:
    > gpg --verify scorebot-2014.pgdump.sig
    gpg: Signature made Tue Jun 16 23:19:40 2015 EDT using RSA key ID C81CA674
    gpg: Good signature from "Vito Genovese <[email protected]>"
    gpg:                 aka "keybase.io/vito <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3D67 0192 A797 5173 646C  79D3 B07D 6161 43CA A77B
         Subkey fingerprint: D586 0919 7A9F 6055 BF1D  F3E9 18A0 1190 C81C A674
    

If you just want to trust every ISP between us and you, you can also check the SHA-2/256 sums:

> shasum -a 256 scorebot-2014*
a49de19153bf78677d6c90f7ec1fea8ac2dc4f74b2d4cf1dc218dacc1f81b6a4  scorebot-2014.erd.pdf
9b6e90f2e52439ec9fc5a979c631b159f70b1fbd9371f40d6711526d2c002813  scorebot-2014.pgdump
854eb9250d0e8f083878871aebf154103e45cf3f01b339fe915efd32c1a75652  scorebot-2014.pgdump.sig

License

THIS SQL DUMP IS PROVIDED UNDER THE CREATIVE COMMONS CC0 LICENSE

To the extent possible under law, Legitimate Business Syndicate has waived all copyright and related or neighboring rights to the DEF CON 22 CTF SQL dump. This work is published from: United States.

http://creativecommons.org/publicdomain/zero/1.0/

Thanks

Thanks for your interest! DEF CON Capture the Flag only exists because of the CTF community around the world, and we hope these data are useful and interesting. Special thanks to Willem Vandercat of ROPtimus Prime for pushing us to store and release better data for 2014!

See you in Las Vegas!

DEF CON CTF 2015 Qualifiers are Complete

Hello,

Thanks for being a part of our biggest DEF CON CTF qualifiers yet. We're still very excited at how well the 4407 players, 1472 teams, and over 4000 unique IP addresses performed in our game, and have some preliminary results and other information to share with you.

The Final Results

These are the top 25 teams from the qualifiers. For a more complete and machine-readable list, please see https://legitbs.net/2015/quals_scoreboard.json. A more substantial data dump similar to the Quals 2014 Data Dump is forthcoming.

rankteamscore
1PPP57
2DEFKOR57
3944757
4Gallopsled53
5HITCON46
6blue-lotus45
7SpamAndHex44
8CORNDUMP43
90ops42
100daysober42
11Dragon Sector42
12Shellphish42
13LC↯BC41
14Mostly Inexperienced Beginner Hackers40
15Samurai39
16KAIST GoN39
17Alternatives36
18Eat, Sleep, Pwn, Repeat34
19Routards34
20binja32
21WhatTheBird32
22Blunt Instrument32
23tasteless30
24int3pids27
250x8F26

Preparing for Finals

Over the coming weeks, we'll be contacting qualifying teams about their appearance at DEF CON 23 in Las Vegas. If you have write-ups to share, please post or link them at the CTF write-ups github. If you want to find more CTF games to play, check out CTF Time.

Thanks again, and we hope to see you in Vegas!

DEF CON CTF 2015 Qualifiers This Weekend

tl;dr: When this post is 24 hours old, CTF qualifiers will begin. Register and play at https://2015.legitbs.net/.

How to Qualify for DEF CON CTF

  • Be one of the pre-qualified teams from DEF CON CTF 2014, SECCON CTF 2014, RuCTFE 2014, Ghost in the Shellcode 2015, Boston Key Party 2015, or PlaidCTF 2015.
  • Place highly in this weekend's game.

Good luck!

Registration for 2015 Qualifiers is Open!

Grab ∞ of your leetest friends and get ready for DEF CON CTF qualifications. We're building another great game for you this year, with brain-destroying binaries, super-sick shellcode shenanigans, and challenging fun for you. Register yourself, create or join a team, and get your affairs in order for DEF CON CTF 2015.

Register for DEF CON 23 Capture the Flag qualifiers at https://2015.legitbs.net/ or by clicking here.

DEF CON CTF 2015 Qualification Update: February Edition

Hello!

We'd like to share the current DEF CON CTF 2015 qualification status, two hours before the start of Boston Key Party!

Competition Start Date End Date Link Notes
DEF CON CTF 2014 May 17, 2014 Aug. 10, 2014 https://legitbs.net/2014/ Qualified the Plaid Parliament of Pwning.
SECCON CTF 2014 Dec. 12, 2014 Feb. 8, 2015 http://ctf.seccon.jp/timeline.html Qualified TOEFL Beginner.
RuCTFE 2014 Dec. 20, 2014 Dec. 20, 2014 http://ructf.org/e/2014/ Qualified Bushwhackers.
Ghost in the Shellcode Jan. 16, 2015 Jan. 18, 2015 http://ghostintheshellcode.com/ Qualified Samurai.
Boston Key Party Feb. 27, 2015 Mar. 1, 2015 http://bostonkeyparty.net Online jeopardy style game.
PlaidCTF Apr. 17, 2015 Apr. 19, 2015 http://www.plaidctf.com/ Online jeopardy style game.
DEF CON CTF Qualifiers 2015 May 16, 2015 May 17, 2015 https://legitbs.net/ Online jeopardy style, more information soon!
Congratulations to the teams that have qualified so far, and good luck to all the teams still hacking! Enjoy Boston Key Party, PlaidCTF, and we hope to see you in our qualifiers in May!

Quick Qualification Update

DEF CON CTF qualifications will be held from UTC Midnight at the start of May 16, 2015, to UTC Midnight at the end of May 17, 2015. Forty-eight hours total.

Competition Start Date End Date Link Notes
DEF CON CTF 2014 May 17, 2014 Aug. 10, 2014 https://legitbs.net/2014/ Qualified the Plaid Parliament of Pwning
SECCON CTF 2014 Dec. 12, 2014 Feb. 8, 2015 http://ctf.seccon.jp/timeline.html Qualifications round finished, finals in February 2015.
RuCTFE 2014 Dec. 20, 2014 Dec. 20, 2014 http://ructf.org/e/2014/ Finished.
Ghost in the Shellcode Jan. 16, 2015 Jan. 18, 2015 http://ghostintheshellcode.com/ Finished.
Boston Key Party Feb. 27, 2015 Mar. 1, 2015 http://bostonkeyparty.net Online jeopardy style game.
PlaidCTF Apr. 17, 2015 Apr. 19, 2015 http://www.plaidctf.com/ Online jeopardy style game.
DEF CON CTF Qualifiers 2015 May 16, 2015 May 17, 2015 https://legitbs.net/ Online jeopardy style, more announcements in 2015.

Thanks to skolor for the reminder to update this.