DEF CON CTF 2020 QUALS
Quals are finished, congrats A*O*E!
Scoreboard: scoreboard2020.oooverflow.io
The quals spanned 2 days, starting from May 16th UTC. (CTFtime - timeanddate)
For a little while, we may still chat on DEF CON’s official discord (CTF area).
Available data:
- Static (but playable) scoreboard.
- Open-source releases on github/o-o-overflow.
  - To try out challenges, simply spawn service/Dockerfile – you may also use our helper script
- Internal scoreboard data.
- PCAPs are available for: babymaze biooosless blursed bytecoooding coooppersmith cursed dogooos fungez interrupted introool keml lifebooox mamamaze maybe nooopsled notbefoooled ooo-flag-sharing ooobash ooofs ooonline-class ooonline-gradclass supersafecalc whooo-are-u (and its helper endpoint).
- Check out Sirgoon and our friends at Hack-A-Sat, who provided guest challenge interrupted.
Pre-qualifiers
Only the world’s top teams make it to DEF CON. This enables the event to explore the cutting edge of the amazing things that the world’s hackers are capable of. But the trick, of course, is figuring out who these hackers are. In CTF, this is done through cut-throat competition.
Every year, the DEF CON CTF organizers select a number of prominent events in the CTF community as prequalifiers. The winner of each of these is automatically invited by the Order of the Overflow to compete in DEF CON CTF, and the OOO completes the roster by selecting teams through our own qualification round (scheduled this year for March 27th!) as well as last year’s DEF CON champion.
We select pre-qualifying events according to several considerations. We always look for quality events that present a variety of interesting challenges to their participants. We look for both prominent events with an established history and promising up-and-comers. And we have an additional metric: connecting the various global hacker communities. We want qualifiers not only to represent quality and innovation, but also to enable DEF CON to be a place where top hackers from the different worldwide hacker communities come together!
To that end, the Order of the Overflow has selected the following events as pre-qualifiers:
- CodeBlue CTF 2019 - Prequalified: Cykor
- HITCON CTF 2019 - Prequalified: Tea Deliverers
- CTFZone 2020 - Prequalified: More Smoked Leet Chicken
- hxp 36C3 CTF 2019 - Prequalified: pasten
- PlaidCTF 2020 - Prequalified: A0E
Additionally, teams will prequalify through the following DEF CON events:
- DEF CON 2019 CTF Finals - 19 August 2019 - prequalified: PPP
- DEF CON China’s BCTF 2020 - cancelled due to COVID
- DEF CON 2020 CTF Qualifiers - 16 May 2020 - will qualify top N non-qualified teams (N will be crypto-committed before the qualifiers begin)
From these events, we will identify the top hackers in the CTF community, invite them to DEF CON, and watch them battle it out at DEF CON 28. See you there!
What will DEF CON 28 CTF Finals look like?
As you might have heard, DEF CON 28 will be done in Safe Mode. This means that there will not be an in-person final event in Las Vegas. We will, however, host some form of final event! We’ll sort out the details as soon as we can.
New this year: GOLF CHALLENGES 🏌️‍♀️ 🏌️‍♂️ ⛳ IN CTF
Last year, we challenged you with an entire category of speedruns 🏎️: bite-size problems designed for hacking races. Speedrun challenges added a twist by letting the top teams dictate awarded points by beating each other to the punch.
What if they could also dictate the difficulty 🤔?
This year, the Order of the Overflow is excited to introduce a new style of CTF challenge: golf ⛳. In a golf challenge, teams race against time to solve a challenge that’s gradually degrading in difficulty. The sooner they solve it, the more difficult it remains, the harder it is for other teams to catch up, and the more points it will be worth. Can you keep those points out of the hands of your competition?
As an example, let’s look at a King of the Hill ⛰️ challenge from DEF CON 27 Finals, The Bitflip Conjecture (writeups here, here, and here), where teams scored based on how many different bitflips their crafted shellcode survived. If The Bitflip Conjecture were deployed as a golf challenge, it might work like this:
- When launched, the challenge would have a threshold of 0 failed bitflips: to solve the challenge, a team would have to craft a shellcode that could survive any single bitflip in any position.
- After the service launches, there is a grace period where the threshold remains unchanged.
- After the grace period, the threshold begins to slowly tick up, at a per-challenge rate. For example, the threshold might increase by 1 every ten minutes, so after an hour, a shellcode that fails on 6 bitflips would solve the challenge.
- When a team submits a solution that satisfies the threshold, they receive the challenge flag. When they submit this flag, the threshold is locked.
- To score, any future team must create a solution that is at least as “good” as that of the first team to solve the challenge.
As time passes and the threshold changes, the challenge becomes inherently easier. The easier the challenge, the more teams will eventually solve it, and the fewer points it will be worth for everyone. If you have the skills, it is in your interest to “lock” the difficulty as high as possible to keep the challenge harder, keep it solved by fewer teams, and get the most points out of it that you can.
Golf challenge ⛳ schedule for DEF CON 28 CTF Quals
Like speedruns, golf challenges have a time-critical ⏱️ component. Thus, we are pre-committing to a release of 3 golf challenges throughout the game, one 0 hours, one 8 hours, and one 16 hours after the start of the competition.
FAQs
Q: If I am the second team to solve a golf challenge, do I need to have a better solution than the first team to solve that challenge?
A: No, you need to have at least as good a solution. A solution exactly as good will continue to be valid for the challenge.
Q: How long is the grace period?
A: This varies by challenge and will be listed in the description.
Q: What is the starting threshold of a challenge?
A: This varies by challenge and will be listed in the description.
Q: How fast does the threshold change?
A: This varies by challenge and will be listed in the description.
Q: Does the threshold increase or does it decrease?
A: This varies by challenge and will be listed in the description. The threshold will only ever change monotonically in one direction.
Q: What happens if no one solves the challenge?
A: The threshold will continue to change until the challenge becomes trivial and is solved.
Q: If the threshold was at Y, and the first solution that satisfies it would also satisfy a “harder” threshold X, what is the threshold locked to?
A: The threshold would be locked to Y.
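The golf rules and FAQ answers above, modelled as a small threshold schedule. This is an added example, not the organizers' scoring code. The class name, its parameters, the 30-minute grace period and the merging of solution and flag submission into one step are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class GolfChallenge:
    """Hypothetical model of a golf challenge's threshold schedule."""
    start: int      # starting threshold, e.g. 0 failed bitflips
    grace: int      # grace period in minutes; threshold unchanged
    interval: int   # minutes between ticks once the grace period ends
    step: int       # change per tick; its sign fixes the one direction
    locked: Optional[int] = None  # set when the first solve is accepted

    def threshold(self, minute: int) -> int:
        """Threshold in force `minute` minutes after launch."""
        if self.locked is not None:
            return self.locked
        ticks = max(0, minute - self.grace) // self.interval
        return self.start + ticks * self.step

    def satisfies(self, score: int, minute: int) -> bool:
        """A score exactly equal to the threshold counts as a solve."""
        limit = self.threshold(minute)
        # Rising threshold = allowed maximum; falling = required minimum.
        return score <= limit if self.step > 0 else score >= limit

    def submit(self, score: int, minute: int) -> bool:
        """Judge a solution; the first accepted one locks the threshold."""
        ok = self.satisfies(score, minute)
        if ok and self.locked is None:
            # FAQ: lock to the threshold in force (Y), not to the
            # solver's better score (X).
            self.locked = self.threshold(minute)
        return ok


def demo() -> list:
    # Constructed parameters following the Bitflip Conjecture illustration:
    # start at 0 failed bitflips, +1 every ten minutes after the grace period.
    ch = GolfChallenge(start=0, grace=30, interval=10, step=1)
    return [
        ch.threshold(20),    # still inside the grace period
        ch.submit(6, 60),    # threshold is 3: rejected, nothing locks
        ch.submit(4, 90),    # threshold is 6: accepted, locks at 6
        ch.threshold(300),   # locked, no longer ticks
        ch.submit(6, 300),   # exactly as good as the lock: accepted
        ch.submit(7, 300),   # worse than the lock: rejected
    ]


if __name__ == "__main__":
    print(demo())
```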