OOO logo


DEF CON CTF 2019 was held Friday, August 9th through Sunday 11th in Planet Hollywood.

Based on an excellent qualification round, 16 teams accepted our invitation to compete for the glory of winning the official DEF CON CTF.

The Plaid Parliament of Pwning (PPP) emerged victorious once again.

Players, it was an honor to play with you. Everyone, we hope you enjoyed our work and will play next year. Join a team, win one of the awesome pre-qualifying CTF events, or play our online qualifier.

We are also gradually releasing service source code and reference exploits: see OOO’s github. Our ported (and heavily customized) Dooom repos are under

 1.  Plaid Parliament of Pwning     973
 2.  HITCON⚔BFKinesiS               772
 3.  Tea Deliverers                 590
 4.  A*0*E                          564
 5.  mhackeroni                     556
 6.  Samurai                        399
 7.  Sauercloud                     375
 8.  r00timentary                   359
 9.  SeoulPlusBadAss                331
10.  Shellphish (tied)              284
10.  r3kapig    (tied)              284
12.  KaisHack GoN                   281
13.  saarsec                        235
14.  TokyoWesterns                  215
15.  CGC                            110
16.  hxp                             67
AFL-like recap of the game

Game data

Scoreboard with attack/defense/KoH components / CTFtime

JSON with all recorded exploitation events and scores: final_tick.json

Dump of the database with all events, announcements, and game data (~1.7 GB): dc2019_finals_db.sql.xz

Pcaps will be available from DEF CON’s website in a few days.

All event data is being released, and most of it was available (with a delay) to players during the first two game days. We strive to be fully transparent and welcome recalculations. For more info see our philosophy.

We appreciate comments to and @oooverflow. You’re awesome, hack on!


The Order has continued from prior tradition, but uses two types of services: Attack/Defense and King of the Hill. The former format is familiar: you exploit other teams’ services to steal their flags, and protect your own. King of the Hill is different: you compete against other teams for the best solution, which depends on the service in question.

To attack a team’s Attack/Defense service, connect to 10.13.37.X, where X is the victim team ID. To attempt a King of the Hill, connect to 10.13.37.Y, where Y is YOUR team ID.

Services will go through a simple lifecycle, which is shown on the scoreboard. They begin their life as green, unexploited services. Once they are exploited, they become yellow. After significant exploitation of the service has occurred by several teams, or the service reaches a steady state, the service becomes orange and network traffic for the service will be released. A service will become red when it has been played out. After this, the Order may retire the service at any time. Inactive service might still be accessible for interested parties, but they will no longer be scored and no flags from them will be accepted. They will not re-activate.


Score takes into account three factors: attack points (earned by stealing flags from other teams’ Attack/Defense services) will account for 40%, defense points (earned by resisting attacks against YOUR Attack/Defense services) will account for 40%, and KoH points (earned by top solutions of King of the Hill challenges) will account for 20%.

Note that there is no “SLA” or “uptime” here.

Defense points accumulate by 1 for each of your services that is unexploited in a tick where successful exploits are launched.

Attack points accumulate by 1 for each flag that you retrieve, except for your own.

King of the Hill points depend on the quality of your solution. Each tick, all teams tied for first place will get 10 points. Teams tied for second will get 6, teams tied for third will get 3, teams tied for fourth will get 2, and teams tied for fifth will get 1. Other teams will not receive points. The Order encourages you to consider hacking harder.

The three types of points are normalized (compared to the top performer in each category) to account for 40%, 40%, and 20% of the total points of a team, respectively.

Team Communications

Sent to the teams on August 7th, 2019:

Attention, Hackers!

In the future, there are no vulnerabilities in _/any/_ platform, not **just** GNU/Linux. In order to prepare yourself for a view of the future of bug-free computing, there are a few tools you'll need to bring from the past. It is _/highly/_ suggested to take all of the following with you.

Microsoft Windows + Visual Studio

- If you don’t have a proper install, can probably work in a pinch

MacOS + XCode + iOS SDK

- If you don't have a physical Mac in your hands, don’t fret. may have a solution for you

Any GNU/Linux distribution with proper toolchain + Android SDK


FreeBSD (comes with toolchain)

While we can't tell you exactly what the future will bring, and you may not need everything listed on your journey, it's better to come prepared, and you may need more of these tools than you think!

See you... in the future!

Sent to the teams on August 2nd, 2019:

Hello teams!

We hope you are excited, because DEF CON is one week away! Here is some information to help you finalize your infrastructure setup. Organizational info (badge pickup, etc.) will be sent out shortly.

- The game will start at 10am on Friday morning. Eight people per team can get in to set up starting from 9am.

- If all goes well, you will have four tables, arranged in a square, with eight chairs inside them. You may not have more than eight people at the table. This is a hard limit, and if you violate it, we will disqualify you. Where the rest of your team hacks from is up to you.

- We will provide the compute to host services.

- We will run one power cable and one ethernet cable for each team. You will access the game over the ethernet cable using good old-fashioned ipv4. We plan to provide internet access over this same link, however, this depends somewhat on the hotel's cooperation, so please be prepared for the contingency where we don't have internet, have filtered internet, or the world suddenly switches to FreeBSD and ipv6.

- Please come equipped to display video over HDMI (i.e., bring a monitor with HDMI input and an HDMI cable).

See you in Vegas!

Thanks and sponsors

People and organizations to which we owe thanks are listed here.