DEF CON Contests
Various contests, some lasting all 4 days of DEF CON, some short time on stage.
[image may come later]
Alpac@tack is an interactive defense simulation suite, which challenges participants to apply a wide variety of tools, knowledge and problem-solving skills to assess network and log activity, and build threat intelligence in a honeypot environment.
Unlike most Defcon contests, Alpac@tack provides a unique opportunity for participants to develop and hone a more holistic skill set when it comes to threat assessment. Other contests will focus on breaking machines or defending systems from a particular threat, where Alpac@tack presents a leveled-up experience and challenges attendees to evaluate
the honeypot is under attack, and if so, by what.
Teams achieve success during the contest by expeditiously analyzing activity and accurately identifying threats. Every team will be presented with a graph and a set of tools––the game platform––including Wireshark, Suricata, Velociraptor, and Wazuh, which will act as their source of truth for analyzing network and logging activity in the honeypot. The graph will update every 5 seconds, reflecting events and packets on ports and services. Participant teams must then select and leverage the appropriate tools to investigate and determine whether the incident is a benign anomaly or an attack. For each event and packet cataloged in the game platform, the team submits a report classifying the activity.
While Alpac@tack is designed for players with some degree of literacy in defense systems, we will offer an associated workshop to provide an overview of the relevant systems and technologies the day prior to the contest with the goal of lowering the barrier to entry. So, if you’re a beginner––or just a little rusty––don’t be discouraged! Alpac@tack is for you!
Auto Driving CTF
Last year, we organized the AutoDriving CTF as an official contest of DEF CON 29 (
) and did reasonably well: more than 100 teams participated and 93 teams had valid scores. Last year, due to the pandemic, the contest was online only with on-site demonstrations. All the challenges were deployed in 3D simulators. This year, we propose a hybrid event with in-person challenges on-site. We also plan to introduce some new challenges with real vehicles involved, in addition to those based on autonomous driving simulators. We hope to continue the engagement with the hacking community to raise the awareness of real-world security challenges in autonomous driving.
The AutoDriving CTF contest focuses on the emerging security challenges in autonomous driving systems. Various levels of self-driving functionalities, such as AI-powered perception, sensor fusion and route planning, are entering the product portfolio of automobile companies. From the security perspective, these AI-powered components not only contain common security problems such as memory safety bugs, but also introduce new threats such as physical adversarial attacks and sensor manipulations. Two popular examples of physical adversarial attacks are camouflage stickers that interfere with vehicle detection systems, and road graffitis that disturb lane keeping systems. The AI-powered navigation and control relies on the fusion of multiple sensor inputs, and many of the sensor inputs can be manipulated by malicious attackers. These manipulations combined with logical bugs in autonomous driving systems pose severe threats to road safety.
We design autonomous driving CTF (AutoDriving CTF) contests around the security challenges specific to these self-driving functions and components.
The goals of the AutoDriving CTF are the followings:
- Demonstrate security risks of poorly designed autonomous driving systems through hands-on challenges, increase the awareness of such risks in security professionals, and encourage them to propose defense solutions and tools to detect such risks.
- Provide CTF challenges that allow players to learn attack and defense practices related to autonomous driving in a well-controlled, repeatable, and visible environment.
- Build a set of vulnerable autonomous driving components that can be used for security research and defense evaluation.
The contest is based on a Jeopardy style of CTF game with a set of independent challenges. A typical contest challenge includes a backend that runs autonomous driving components in simulated or real environments, and a frontend that interacts with the players. This year's contest will follow the style of last year and includes the following types of challenges:
- “attack”: such as constructing adversarial patches and spoofing fake sensor inputs,
- “forensics”: such as investigating a security incident related to autonomous driving,
- “detection”: such as detecting spoofed sensor inputs and fake obstacles,
- “crashme on road!”: such as creating dangerous traffic patterns to expose logical errors in autonomous driving systems.
Most of these challenges will be developed using game-engine based autonomous driving simulators, such as CARLA and SVL.
The following link containssome challenge videos from AutoDriving CTF at DEF CON 29
# What's new in 2022
This year, we will unlock new security-critical driving scenarios such as stop-controlled and signalized intersections. New difficulty levels will be added to challenges in such scenarios by integrating real downstream AI modules such as object tracking from open-source autonomous driving software like Apollo, Autoware and OpenPilot. For example, players will be required to generate adversarial masks which will be overlayed on the surface of a stop sign to prevent the self-driving vehicle from stopping. The self-driving vehicle is equipped with a tracking component so merely hiding the stop sign in several frames will not work.
A video demonstrating an attacked scenario is available at
In addition to the simulation challenges, we will add challenges with real vehicles in the loop. In this setup, the vehicle under attack will be placed on a rack and the driving environment will be displayed on a monitor in front of the windshield camera. We will have the real vehicle running in a lab and players and players will interact with the vehicle by remotely manipulating the virtual surrounding environments (such as the projected road signs in front of the vehicle). The attack results will be judged based on systems logs (for open-source systems, such as openpilot) or dashboard visualizations (for closed-source vehicles).
The following URL shows some specifications about the real vehicles
In order to enable the audience to experience the challenges more directly, we plan to set up a vehicle wheel controller on site this year. Audiences can drive themselves to compete with the self-driving vehicle in some of the challenges.
# For players
- What do players need to do to participate AutoDriving CTF?
Most of the challenges do not require domain knowledge of autonomous driving software or adversarial machine learning, although knowledge of those helps. For example, the players can generate images the way they like (e.g., drawing, photoshopping) to fool the AI-components or write a short python script to control the vehicle. Some challenges, such as incident forensics likely would require players to learn domain knowledge such as sensor information format and how fusion works.
- What do we expect players to learn through the CTF event?
Players can (1) gain a deep understanding of real-world autonomous driving systems' design, implementation, and their corresponding security properties and characteristics; and (2) learn the attack and defense practices related to autonomous driving in a well-controlled, repeatable, visible, and engaging environment.
# Additional information
Below are some materials from our first AutoDriving CTF at DEF CON 29 in 2021, which includes some challenge videos (Warning: the videos files could be large in google drive), a summary of the event and some links reporting the events.
Betting on Your Digital Rights: EFF Benefit Poker Tournament
Well this is cool:
Have you played some poker before but could use a refresher on rules, strategy, table behavior, and general Vegas slang at the poker table?
will run a poker clinic from 11 am-11:45 am just before the tournament at noon. Even if you know poker pretty well, come a bit early and help out. Just show up and donate anything to EFF. Make it over $50 and Tarah will teach you chip riffling, the three biggest tells, and how to stare blankly and intimidatingly through someone’s soul while they’re trying to decide if you’re bluffing. 🖤
Full tournament info and sign-ups over here:
Beverage Cooling Contraption Contest
It's DEFCON 30 and the world is a tumultuous place. Maybe Putan has invaded NATO. Maybe China has invaded Taiwan or doubled down on its bid to claim the oddly sack-shaped "nine dash line". I think Pooh Bear may be trying to compensate for something. Whatever the current events, I'm going to claim WWIII is right around the corner and you should be prepared! Prepared to chill your beverage that is. If the world is ending, do you really want to see it out with a warm beverage!? I thought not! If I'm going out in a nuclear hellfire I want it to be with ice cold suds. So come on down and let's get prepped!
In person only
Friday 1100 - 1400
Maybe something on Saturday if beverage remains and interest exists.
Capture The Packet
Capture The Packet
The time for those of hardened mettle is drawing near; are you prepared to battle?
Compete in the world’s most challenging cyber defense competition based on the Aries Security cyber range. Tear through hundreds of bleeding-edge challenges, traverse a hostile enterprise-class network, and diligently analyze the findings to escape unscathed. Glory and prizes await those who emerge victorious from this upgraded labyrinth.
While Capture The Packet can easily scale for users of every level, for DEF CON we pull out all the stops and present our most fiendishly difficult puzzles. Capture The Packet has been a DEF CON Black Badge event for over 10 years, and we don’t plan on stopping. This event attracts the best of the best from around the world to play – are you ready to show us what you’ve got?
Car Hacking CTF
The Car Hacking Village CTF is a fun interactive challenge which gives contestants first hand experience to interact with automotive technologies. We work with multiple automotive OE's and suppliers to ensure our challenges give a real-world experience to hacking cars. We understand car hacking can be expensive, so please come check out our village and flex your skills in hacking automotive technologies.
CMD+CTRL at DEF CON 30
CMD+CTRL at DEF CON 30
Friday 1000 PDT (GMT -7) to Saturday 1800 PDT (GMT -7)
HEY HACKERS! ARE YOU LEET? PROVE IT BY BEATING MAILJAY, OUR NEW CYBER RANGE. POSTMESSAGE XSS! MFA BYPASS! RCE! LEENUX PRIVESC! HTTP DESYNC!?!?!? AND MORE!?!?!?
Join CMD+CTRL @ DEF CON 30 for this challenging CTF.
CMD+CTRL Cyber Range is an interactive learning and hacking platform where development, security, IT, and other roles come together to build an appreciation for protecting the enterprise. Players learn security techniques in a real-world environment where they compete to find vulnerabilities. Real-time scoring keeps everyone engaged and creates friendly competition. Our Cloud and App Cyber Ranges incorporate authentic, fully functioning applications and vulnerabilities often found in commercial web platforms.
At DEF CON 30: We will be debuting our latest Cloud Cyber Range, MailJay, which focuses on exploiting a modern email marketing platform comprised of web applications, services, and a variety of cloud resources. Inspired by the latest trends and real world exploits, try your hands at bypassing a WAF, HTTP Desync, postMessage XSS, RCE, MFA bypass, and so, so much more! With twice as many challenges as our past Cloud Ranges do you think you can complete them all?
This year we are happy to announce that we will be returning to DEF CON in person. We will be running this event both on site and online via Discord. Join us Friday (8/12) through Saturday (8/13) for this invite-only CTF by signing up with the registration form below. This event is limited to 250 players, so save your seat now!
Crack Me If You Can
Crack Me If You Can
Forum User Contact:
In its 13th year, the premiere password cracking contest
"CrackMeIfYouCan" is back again to challenge the world's best
password crackers. The contest is broken up into Pro and Street
teams - so 'take a chill pill' if you are new to password cracking
(and don't have jigowatts of GPU power), there is still plenty of
fun to be had. We've spent all year coming up with password-related
challenges for our Pro teams that are DaBomb! So listen up home
skillet, come see us in the Villages area where we will have some
hella nice professional password crackers who are all that, and a
bag of chips!
This year's contest is going to be totally radical! We are like,
totally psyched to be partnering with the Password Village this
year. I kid you not, the contest is going to be so easy that even an
airhead or a jock could crack these passwords! PYSCH! The challenges
are going to be bodacious and like totally dope. This year, it is not
about wordlists, rules, patterns, or about forensics. In the past
we've asked our teams how passwords have changed over time... now
we are going to ask them to go back, to the future of password
cracking. Like, totally.
Crash and Compile
[Logo/Image may be coming soon]
What happens when you take an ACM style programming contest, smash it head long into a drinking game, throw in a mix of our most distracting helpers, then shove the resulting chaos incarnate onto a stage? You get the contest known as Crash and Compile.
Teams are given programming challenges and have to solve them with code. If your code fails to compile? Take a drink. Segfault? Take a drink. Did your code fail to produce the correct answer when you ran it? Take a drink. We set you against the clock and the other teams. And because our "Team Distraction" think watching people simply code is boring, they have taken it upon themselves to be creative in hindering you from programming, much to the enjoyment of the audience. At the end of the night, one team will have proven their ability, and walk away with the coveted Crash and Compile trophy.
Crash and Compile is looking for the top programmers to test their skills in our contest. Can you complete our challenges? Can you do so with style that sets your team ahead of the others? To play our game you must first complete our qualifying round. Gather your team and see if you have the coding chops to secure your place as one of the top teams to move on to the main contest.
Qualifications for Crash and Compile will take place Friday from 10am to 3pm online at
/ You may have up to two people per team. (Having two people on a team is highly suggested) Of the qualifiers, nine teams will move on to compete head to head on the contest stage.
Creative Writing Short Story Contest
The contest is run pre-con. The proposed contest will run from May 1, 2022 to June 15, 2022. Judging will run from June 16, 2022 to June 30, 2022. Winners will be announced July 3, 2022.
The DEF CON Short Story contest is a pre-con contest that is run entirely online utilizing the DEF CON forums, Twitter, and reddit. This contest follows the theme of DEF CON for the year and encourages hackers to roll up their sleeves, don their proverbial thinking cap, and write the best creative story that they can. The Short Story Contest encourages skills that are invaluable in the hacker’s world, but are often overlooked. Creative writing in a contest setting helps celebrate creativity and originality in arenas other than hardware or software hacking and provides a creative outlet for individuals who may not have another place to tell their stories.
So many hacker skills depend on your ability to tell a story. Whether it's social engineering, intrusion, or even the dreaded customer pentest report, ALL of these require the ability to tell a story. Storytelling is one of mankind's oldest traditions. Presenters even engage in storytelling when they get up on stage. A contest that celebrates and focuses on the ability to wind a yarn that captures and engages an audience is highly appropriate.
So why not?
1st place: 2 badges
2nd place: 1 badge
Community choice: 1 badge
Darknet-NG is an In-Person Massively Multiplayer Online Role Playing Game (MMO-RPG), where the players take on the Persona of an Agent who is sent on Quests to learn real skills and gain in-game points. If this is your first time at DEF CON, this is a great place to start, because we assume no prior knowledge. Building from basic concepts, we teach agents about a range of topics from Lock-picking, to using and decoding ciphers, to Electronics 101, just to name a few, all while also helping to connect them to the larger DEF CON Community. The "Learning Quests" help the agent gather knowledge from all across the other villages at the conference, while the "Challenge Quests" help hone their skills! Sunday Morning there is a BOSS FIGHT where the Agents must use their combined skills as a community and take on that year's challenge! There is a whole skill tree of personal knowledge to obtain, community to connect with and memories to make! To get started, check out our site
and join our growing Discord Community!
Friday: 10 am - 4:30 pm
Saturday: 10 am - 4:30 pm
Sunday: 10 am - 12 pm
DEF CON 30 Chess Tournament.
DEF CON 30 Chess Tournament
Chess, computers, and hacking. In the 18th century, the Mechanical Turk appeared to play a good game, but there was a human ghost in the shell. Some of the first computer software was written to play chess. In 1997, world champion Garry Kasparov lost to Deep Blue, but he accused IBM of cheating, alleging that only a rival grandmaster could make certain moves.
At DEF CON 30, we will run a human chess tournament with a “blitz” time control of 5 minutes on each player’s clock, in a Swiss-system format. In each round, match pairings are based on similar running scores. Everyone plays the full tournament, and the winner has the highest aggregate score.
The Las Vegas Chess Center (LVCC) will manage the tournament. To help crown the best chess player at DEF CON 30, we will register the rated players first, on site, starting one hour prior to the tournament.
Saturday 15:00 - 18:00 Room 133 Forum
In person only.
DEF CON Capture the Flag
Nautilus Institute will be hosting the final round of DEF CON 30 CTF Qualifiers May 28 and 29. Detail soon at defcon.org. Follow @Nautilus_CTF on twitter for updates and get your squad ready for the big event!
Ical reminder file:
DEF CON 30 CTF Quals.ics
May 28, 2022 00:00
May 29, 2022 01:00
DEF CON Kubernetes Capture the Flag (CTF)
The DEF CON Kubernetes Capture the Flag (CTF) contest features a Kubernetes-based CTF challenge, where teams and individuals can build and test their Kubernetes hacking skills. Each team/individual is given access to a single Kubernetes cluster that contains a set of serial challenges, winning flags and points as they progress. Later flags pose more difficulty, but count for more points.
A scoreboard tracks the teams’ current and final scores. In the event of a tie, the first team to achieve the score wins that tie.
DEF CON MUD
[for future image, icon or banner]
The DEFCON MUD is a virtual world that is remade every year for various conferences. Be prepared to enter into a virtual text based game in the style of zork.
Specifically the DEFCON MUD is an LPMUD, a mud programmed in the language of LPC which is an interpreted C variant.
Complete quests, discover challenges, find out about parties.
Feeling creative, write an area and submit it to the game, there will be an SDK.
The complete connection details will be available at
The MUD will open to the public at 0005 11 August 2022.
Download Mudlet, dust off your tintin++ scripts, and get ready for an old school challenge. Good luck, you will need it.
DEF CON Red Team CTF
[Image may be added later]
Once again this year's DEF CON Red Team CTF will be hosted by Threat Simulations! We have an amazing, immersive scenario that stresses strong red team skills as players traverse through an enterprise network. This event is not for the faint of heart, first you will battle with hundreds of teams in a jeopardy board style ctf, then the top teams will enter the finals where your Red Team skills will be tested in a full Active Directory environment. Your team will compete against some of the best red teamers in the world as you exploit, pivot, and loot the target environment.
DEF CON Scavenger Hunt
DEF CON Scavenger Hunt
Here is our description:
The DEF CON Scavenger Hunt is back for the 25th hunt. We are gearing up to once again catch Las Vegas with its pants down #pantslessvillage. This year, we return to in-person only operations with up to 5 people per team and table submissions.
For those new to DEF CON, or otherwise uninitiated, the DEF CON Scavenger Hunt is regarded by many as the best way to interact with the con. We do our best to encourage you to challenge your comfort zone, meet people, and otherwise see and do a bit of everything that DEF CON 30 has to offer. For those who have aspirations to become more involved with DEF CON in the future, many of our veteran contestants include goons, speakers, and contest organizers.
So, how does a scavenger hunt run for 25 years? As this is DEF CON, this is not your ordinary scavenger hunt. The list is open to interpretation, it is a hacker con after all, so hack the list. Because how you interpret the list is entirely out of our hands, we have posted trigger warnings. You will be finding and doing a variety of things, it is up to you to convince the judges whatever you are turning in meets the criteria and is worth the points.
You don't have to devote all of your time to play and have fun, come turn in a couple items and enjoy yourself. If you want to win however, you will have to scavenge as much as you can over the weekend. While the hunt starts on Friday morning, with determination and a lack of sleep, we have seen people start at 2AM on Saturday night and place. Likewise, if you don't play well with others, we have seen single-players also place. In other words, we work very hard to keep the barrier to entry as low as possible. You don't need to be some binary reversing wizard, and there's no qualifier to compete, you can just show up and win if you want it enough.
The hunt was started by Pinguino at DEF CON 5 simply to avoid being bored; there was no hunt at DEF CON 8, for those doing math. In the intervening years, to further avoid boredom, we have been out scavenging and went from having a simple cardboard sign to a truly mesmerizing table.
So come to the scav hunt table in the contest area (it's hard to miss us) with a team name ready. Once you get a list, your assignment is to turn in as many items as you can before noon on Sunday. The team with the most points wins. Items are worth more points the sooner you turn them in, so come on down and turn in frequently.
We want to thank Pinguino, Grifter, Siviak , Salem, all of the judges, and all of the players that have made it possible for us to host the 25th DEF CON Scavenger Hunt.
The DEF CON 30 Scavenger Hunt is brought to you by DualD, EvilMoFo, Kaybz, Sconce, Shazbot, Zhora.
1: the judges are always right
2: not our problem
3: make it weird
4: don't disappoint the judge(s)
5: team name, item number, present your item
If you capture pictures or video of items from our list happening, or have some from previous years, please send it to us via email
DEF CONs Next Top Threat Model
[Image may be added later]
Forum users that are running this contest:
Threat Modeling is arguably the single most important activity in an application security program and if performed early can identify a wide range of potential flaws before a single line of code has been written. While being so critically important there is no single correct way to perform Threat Modeling, many techniques, methodologies and/or tools exist.
As part of our challenge we will present contestants with the exact same design and compare the outputs they produce against a number of categories in order to identify a winner and crown DEF CON’s Next Top Threat Model(er).
Defcon Ham Radio Fox Hunting Contest
Defcon Ham Radio Fox Hunting Contest
Official Contest or event Name: DC30 Ham Radio Fox Hunt Contest
In the world of amateur radio, groups of hams will often put together a transmitter hunt (also called "fox hunting") in order to hone their radio direction finding skills to locate one or more hidden radio transmitters broadcasting. The Defcon Ham Radio Fox Hunt will require participants to locate a number of hidden radio transmitters broadcasting at very low power which are hidden throughout the conference. A map with rough search areas will be given to participants to guide them on their hunt. Additional hints and tips will be provided throughout Defcon at the contest table to help people who find themselves stuck. This contest is designed to be an introduction to ham radio fox hunting and as such will be simple to participate in and all people who participate will be guided towards successful completion!
EFF Tech Trivia
EFF's team of technology experts have crafted challenging trivia about the fascinating, obscure, and trivial aspects of digital security, online rights, and Internet culture. Competing teams will plumb the unfathomable depths of their knowledge, but only the champion hive mind will claim the First Place Tech Trivia Plaque and EFF swag pack. The second and third place teams will also win great EFF gear.
[image may appear later]
Hackfortress is a unique blend of Team Fortress 2 and a computer security contest. Teams are made up of 6 TF2 players and 4 hackers, TF2 players duke it out while hackers are busy with challenges like application security, network security, social engineering, or reverse engineering. As teams start scoring they can redeem points in the hack fortress store for bonuses. Bonuses range from crits for the TF2, lighting the opposing team on fire, or preventing the other teamshackers from accessing the store. HackFortress challenges range from beginner to advanced, from serious to absurd.
Friday: 10:00 - 20:00 open play
Saturday: 10:00 - 20:00 contest hours
Hack the Plan[e]t
Hack the Plan[e]t Capture the Flag (CTF) contest will feature Howdy Neighbor and the Industrial Control System (ICS) Range. This first of its kind CTF will integrate both Internet of Things (IoT) and ICS environments with interactive components for competitors to test their skills and knowledge.
Howdy Neighbor is an interactive IoT CTF challenge where competitors can test their hacking skills and learn about common oversights made in development, configuration, and setup of IoT devices. Howdy Neighbor is a miniature home - made to be “smart” from basement to garage. It’s a test-bed for reverse engineering and hacking distinct consumer-focused smart devices, and to understand how the (in)security of individual devices can implicate the safety of your home or office, and ultimately your family or business. Within Howdy Neighbor there are over 25 emulated or real devices and over 50 vulnerabilities that have been staged as challenges. Each of the challenges are of varying levels to test a competitors ability to find vulnerabilities in an IoT environment. Howdy Neighbor’s challenges are composed of a real and simulated devices controlled by an App or Network interface and additional hardware sensors; each Howdy Neighbor device contains 1 to 3 staged vulnerabilities which when solved present a key for scoring/reporting that it was discovered.
In the same vein, this CTF challenge will also leverage the ICS Village’s ICS Ranges including physical and virtual environments to provide an additional testbed for more advanced challenges in critical infrastructure and ICS environments. There will be integrated elements from DHS/CISA with their ranges that are realistically miniaturized assets (ie - operational oil and natural gas pipeline, etc.)..
After 2 years virtual and one in person, we’d like to return to stage for our 4th year where this contest shines best. Hack3r Runw@y brings out all the sheek geeks out there. It encourages rethinking fashion in the eyes of hackers. Be it smartwear, LED additions, obfuscation, cosplay or just everyday wear using fabrics and textures that are familiar to the community. Contestants can enter clothing, shoes, jewelry, hats or accessories. If it can be worn, it is perfect for the runway. For convenience, contestants can enter the contest with designs made ahead of the conference, however it needs to be made by them and not just store bought.
Awards will be handed out in 4 categories and one trophy for the People’s Choice category where the winner is anyone’s guess:
Digital wearable - LED, electronic, passive
Smart wear - interactive, temperature sensing, mood changing, card skimmers, etc
Aesthetics and More - 3d printed, geeky wear, passive design, obfuscation, cosplay
Functional wear - did you bling out your mask and/or shield, have a hazmat suit, lock pick earrings, cufflinks shims
Winners will be selected based on, but no limited to:
Hacker Jeopardy, the classic DEF CON game show, is returning for yet another year of answers, questions, NULL beers, and occasionally some impressive feats of knowledge. You don't want to miss this opportunity to encourage the contestants, your fellow Humans, "DON'T FUCK IT UP!"
We will be opening auditions, with the call posted on the
website, and linked to DEF CON forums (promoted on social media).
Hospital Under Seige
Biohacking Village: Hospital Under Siege
Adversaries have gained a foothold in your local hospital and are increasing their control over clinical systems and medical devices. Soon they make it clear they’re not after patient records or financial information, but are out to disrupt care delivery and put patients' lives at risk. Your team received an urgent request to use your blue, red, and purple team skills to defend against the escalating attacks, attempt to unmask the adversary, and - above all - protect patient lives.
Hospital Under Siege is a scenario-driven Capture the Flag contest run by the Biohacking Village, pitting teams of participants against adversaries and against a clock, to protect human life and public safety. Participants will compete against each other on both real and simulated medical devices, in the fully immersive Biohacking Village: Device Lab, laid out as a working hospital. Teams of any size are welcome, as are players from all backgrounds and skill levels. Challenges will be tailored for all skill levels and draw from expertise areas including forensics, RF hacking, network exploitation techniques, web security, protocol reverse engineering, hardware hacking, and others. You will hack actual medical devices and play with protocols like DICOM, HL7 and FHIR.
IoT CTF Creators Challenge
Friday August 12, 2022: 10:00 - 18:00 PST
Have you ever played in the IoT Village CTF and thought to yourself, ‘Hey this is cool, I’ve seen some of these exploits on other device’? Do you perform IoT Research and have a new, cool exploit that has been responsibly disclosed? If so, then this is a contest for you!
Submit a device (along with a vulnerability write-up) for a self-discovered and responsibly disclosed vulnerability that you think would be a good fit for the IoT Village CTF. Your device and vulnerability will be graded by our CTF Engineers (scoring rubric will be published in advance of DEFCON 30).
Your device will also be added to this year’s IoT Village CTF and played by competitors live at DEF CON. Submissions must be made prior to 18:00 PST on Friday August 12th. Learn more and pre-register in advance at
IoT Village Hacking CTF
IoT Village Hacking CTF - (the CTF formally known as SOHOplessly Broken)
IoT Village Hacking CTF is hosted in IoT Village, teams of 1-6 players access a local network filled with IoT devices primed to be exploited. You will compete against others by successfully exploiting real IoT products and finding the hidden flags in each. The hacking contest features more than 30 real-world, vulnerable IoT devices.
This event has been redesigned to include challenges which highlight tangible impacts when exploiting real vulnerabilities on real IoT devices. Hidden in the network are devices which require advanced skills to exploit or require creative attack chaining to find the flag. Players will encounter unique hacking scenarios like, exfiltrating files off a NAS to find “clues” or bypassing a router firewall to access a camera on a hidden network to “see” a flag. Prepare to outwit, see, sneak, move, and listen your way through these hidden scenarios which have a cyber-physical effect.
The IoT devices in the contest are not simulated and do not contain contrived/made-up vulnerabilities. Competitors must figure out what real-world vulnerabilities exist in these devices and exploit them to get a shell and find the flag. This is what makes the IoT Village CTF special.
This 3-time DEF CON Black Badge awarded contest CTF is open to anyone! Our contest provides a wonderful experience to learn more about security and test your skills, and the IoT CTF provides the most realistic hacking experience around!
A few devices are approachable for entry level people to experience getting their first root shell, but to win this CTF your team must perform detailed network reconnaissance, lateral pivoting, vulnerability research, hardware hacking, firmware analysis, reverse engineering, and exploit development.
So, join a team (or even by yourself) and compete for fun and prizes! Exploit as many as you can during the con and the top three teams will be rewarded.
Octopus Game Registration Opens: July 15
Registration will stay open until either 160 people sign up or August 12th at 10:00 AM
Octopus Game Dates:
Online Registration Opens: July 15, 10am
Target Distribution: August 12, 10am
Game Begins: August 12, 12pm
Final 10 Battle: Sunday August 14, 10am
July 15, 2022
July 15, 2022
Packet Detective & Packet Inspector
Packet Detective & Packet Inspector
DEF CON regularly attracts fresh talent in the Information Security field. Packet Detective and Packet Inspector engage experienced professionals and newcomers alike with hands-on, volunteer supported exercises.
These challenges promote critical thinking, teach core security tools, build professional cybersecurity skillsets, and inspire attendees towards larger Capture The Flag (or Packet!) style events.
Packet Detective and Packet Inspector are a great way for folks of all experience levels to learn under the eye of our skilled volunteers. Whether it’s time to brush up on skills or time to launch a new career, this is the best place to start.
pTFS Presents: Mayhem Industries – Outside the Box
Forum users running this:
pTFS is a hacker collective that has been competing in various DEF CON contests for almost 15 years.
Outside the Box is a fun and interactive jeopardy style CTF contest. Don't worry if you don't know what that means. Winning will require demonstrating a wide range of hacking skills, but participating is encouraged for all ability levels. Challenges range from simple puzzles, to challenging crypto problems, to truly outside the box hijinks.
Mayhem Industries, a big multinational corporation, runs energy extraction and private military contracting all over the world. Our game begins with a tip that they're Up To Something on an oil rig in the Black Sea off the coast of Egypt. But what are they up to? How do you even hack an oil rig? Is this box with flashing light, exposed ports, and locked doors and ancient relic or of some extraterrestrial origin‽ Join us at DEF CON 30 to find out.
Fk Gl Hlnvgsrmt
Radio Frequency Capture the Flag
- play with us
Official Support Ticketing System:
Radio Frequency Capture the Flag
Do you have what it takes to hack WiFi, Bluetooth, and Software
Defined Radio (SDR)?
RF Hackers Sanctuary (the group formerly known as Wireless Village) is
once again holding the Radio Frequency Capture the Flag (RFCTF) at DEF
CON 30. RFHS runs this game to teach security concepts and to give
people a safe and legal way to practice attacks against new and old
We cater to both those who are new to radio communications as well as
to those who have been playing for a long time. We are looking for
inexperienced players on up to the SIGINT secret squirrels to play our
games. The RFCTF can be played with a little knowledge, a pen tester’s
determination, and $0 to $$$$$ worth of special equipment. Our new
virtual RFCTF can be played completely remotely without needing any
specialized equipment at all, just using your web browser! The key is
to read the clues, determine the goal of each challenge, and have fun
There will be clues everywhere, and we will provide periodic updates
via discord and twitter. Make sure you pay attention to what’s
happening at the RFCTF desk, #rfctf on our discord, on Twitter
@rf_ctf, @rfhackers, and the interwebz, etc. If you have a question -
ASK! We may or may not answer, at our discretion.
FOR THE NEW FOLKS
Our virtual RFCTF environment is played remotely over ssh or through a
web browser. It may help to have additional tools installed on your
local machine, but it isn’t required.
Read the presentations at:
For DEF CON 30 we will be running in “Hybrid” mode. That means we
will have both a physical presence AND the virtual game. All of the
challenges we have perfected in the last 2 years in our virtual game
will be up and running, available to anyone all over the world
(including at the conference), free of charge. In addition to the
virtual challenges, we will also have a large number of “in person”
only challenges. These “in-person” only challenges will include our
traditional fox hunts, hide and seeks, and king of the hill
challenges. Additionally, we will have many challenges which we
simply haven’t had time or ability to virtualize. It should be clear
that playing only the virtual game will put you in a severe available
point disadvantage. Please don’t expect to place if you play virtual
only, consider the game an opportunity to learn, practice, hone your
skills, and still get on the scoreboard. The virtual challenges which
are available will have the same flags as the in-person challenges,
allowing physical attendees the choice of hacking those challenges
using either (or both) methods of access.
To score you will need to submit flags which will range from decoding
transmissions in the spectrum, passphrases used to gain access to
wireless access points, or even files located on servers. Once you
capture the flag, submit it to the scoreboard right away, if you are
confident it is worth *positive* points. Some flags will be worth
more points the earlier they are submitted, and others will be
negative. Offense and defense are fully in play by the participants,
the RFCTF organizers, and the Conference itself. Play nice, and we
might also play nice.
To play our game at DEF CON 30 join SSID: RFCTF_Contestant with
Getting started guide:
Helpful files (in-brief, wordlist, resources) can be found at
Support tickets may be opened at
Twitter: @rf_ctf and @rfhackers
- play with us
Official Support Ticketing System:
Does this contest or event plan to have a pre-qualifier?
We prefer to accept all players,
including day of and mid-way through the game. While some of the
challenges are very serious, many of them are approachable for the
novice or even first time player.
As this contest co-locates with the RF Village, our hours are set by
the village hours, except for closing the contest a little earlier to
provide winners to the contest team in time for closing ceremonies.
Will your contest or event be Online ONLY, in-person, or both? Both,
but with a caveat. We have had tremendous success virtualizing the
wifi and sdr challenges, and those will be available both in person
(in the air) and hybrid (accessible worldwide through our virtual
environment). Unfortunately, some wireless and radio technologies are
not so easy to virtualize, and those challenges will be in person
only. The purpose of the contest being "hybrid" is to give everyone
worldwide a chance to play and practice their skills, but the winners
will have to be present due to the percentage of meatspace only
Red Alert ICS CTF
(Forum user above is authoritative for all details: If they provide information contradicting this announcement, go with the data they provide.)
Red Alert ICS CTF
Red Alert ICS CTF is a competition for Hackers by Hackers. The event exclusively focuses on having the participants break through several layers of security in our virtual SCADA environment and eventually take over complete control of the SCADA system.
The contest would house actual ICS (Industrial Control System) devices from various vendors on a testbed showcasing different sectors of critical infrastructure. The participants would be able to view and engage with the devices in real time and understand how each of them control each of the aspects of the testbed and leverage this to compromise the devices.
Red Alert ICS CTF is back with a ton of fun challenges after successfully running the CTF at DEF CON 29, DEF CON 27 and DEF CON 26 (Black Badge).
Highlights of the Red Alert ICS CTF is available at:
SE Community (SEC) Vishing Competition / #SECVC
SE Community (SEC) Vishing Competition / #SECVC
In this competition, teams go toe to toe by placing live vishing (voice phishing) phone calls in front of the Social Engineering Community audience at DEF CON. These calls showcase the duality of ease and complexity of the craft against the various levels of preparedness and defenses by actual companies.
Teams can consist of 1-3 individuals, which we hope allows for teams to utilize novel techniques to implement different Social Engineering tactics. Each team is provided limited time to place as many calls as possible from a soundproof booth. During that time, their goal is to elicit from the receiver as many objectives as possible.
Whether you’re an attacker, defender, business executive, or brand new to this community, you can learn by witnessing firsthand how easy it is for some competitors to schmooze their way to their goals and how well prepared some companies are to shut down those competitors!
Friday: 9:00 – 16:00
Saturday: 9:00 – 16:00
In the SEC Village Linq
Social Engineering Community (SEC) Youth Challenge
Social Engineering Community (SEC) Youth Challenge
CALLING ALL KIDS! Come use your super skills and powers to work with a team of heroes or villains. The balance of good and evil will be determined by individual participants completing various challenges in this 'Choose Your Own Adventure' style event. By participating in this event, you will have opportunities to interact and learn from many other incredible villages at DEF CON while at the same time improving your Social Engineering abilities. If successful, you may even have the chance to help your team prevail and become the ultimate Superhero or Supervillain!
Friday: 9:00 – 18:00
Saturday: 9:00 – 18:00
Sunday: 9:00 – 14:00
In the SEC Village - Linq
Sticker Design Contest
Ancient warriors used tattoos as a means of indicating rank in battle; it was the sort of mark that told the tales of their various conquests - their struggles and triumphs. Similarly, traversing the halls of DEF CON, one can see more modern versions manifesting as stickers - especially on laptops and other electronic equipment.
The DEF CON art contest showcases art of many different forms - wallpapers etc. However, there is not presently a medium for expression that is more portable and ubiquitous in hacker culture, especially at DEF CON. Just like DEF CON usually bundles stickers in its conference schedule booklet, which ends up on a majority of laptops and other devices of attendees, the winning entry in this contest could be either added to that list of stickers, or sold standalone as swag.
We use stickers to break the ice with strangers, as a barter currency, to tell the tales of our struggles and triumphs. After all, is a hacker really a hacker without a laptop adorned with these markings?
Here's your chance to be part of hacker culture, by creating something that people around the world will treasure and proudly display. Submit original artwork in the theme of the con, that you believe best exemplifies hacker culture, that will be used as printed stickers.
On your marks... Make your mark.
- The contest is open to artists of any age, in any country.
- Please submit a PNG file of no more than 6 inches x 6 inches (or 4096 px x 4096 px), any shape inside these dimensions is acceptable.
- Artwork can be an original painting, drawing, photo, computer generated illustration or screen print.
- Artwork must be original/copyright-free - please do not include copyrighted content in your submissions.
Submissions must be made via email (
On the forums as:
The BIC Village Capture the Flag
The BIC Village Capture The Flag Event is a jeopardy style event designed to practice solving challenges in multiple categories.
This event seeks to not only be a series of puzzles and challenges to solve, but a gamified way to learn concepts of social justice and Black history. The gamified and challenge oriented sections of the event will not only challenge one's mind in problem solving and critical thinking but also charge one with the mission of identifying and learning about historical facts and figures that they would not otherwise be exposed to.
The Gold Bug
The Gold Bug – Crypto and Privacy Village Puzzle
Love puzzles? Need a place to exercise your classical and modern cryptography skills? This puzzle will keep you intrigued and busy throughout Defcon - and questioning how deep the layers of cryptography go.The Gold Bug an annual Defcon puzzle hunt, focused on cryptography. You can learn about Caesar ciphers, brush up your understanding of how Enigma machines or key exchanges work, and try to crack harder modern crypto. Accessible to all - and drop by for some kids’ puzzles too! PELCGBTENCUL VF UNEQ
The Hack-n-Attack Hacker Homecoming Heist
Real-World hacking, real world rewards! Hack-N-Attack is an online mobile game where you hack real world locations for points and prizes. Pizza shop? Hack it! Friend next to you? Hack them! If you take Defcon, Pokémon Go, and Oceans 11, and squished them all together, you’d get…a lot of copyright complaints. But also Hack-N-Attack.
The Hacker Homecoming Heist an over-the-top Vegas style hacking contest for Defcon attendees. Once joined, attendees can run the game anywhere in Vegas and hack nearby locations for points and prizes. Wi-Fi Cracking? Got it. Exploit research? Got it. Betraying your friends for prizes? Got it!
Throughout the weekend, we will be broadcasting location events, bonuses, and news through Twitter, Discord, and our YouTube live stream at our booth.
Watch this space for more information on dates, prizes, and promotions.
Hack. Slash. Crash. Burn. Fun!
The Schemaverse Championship
Online Only this year.
The Schemaverse [skee-muh vurs] is a space battleground that lives inside a PostgreSQL database. Mine the hell out of resources and build up your fleet of ships, all while trying to protect your home planet. Once you're ready, head out and conquer the map from other DEF CON rivals.
This unique game gives you direct access to the database that governs the rules. Write SQL queries directly by connecting with any supported PostgreSQL client or use your favourite language to write AI that plays on your behalf. This is DEF CON of course so start working on your SQL Injections - anything goes!
The TeleChallenge is a fast-paced, epic battle of wits and skill. Previous winners are few in number, and are among the most elite hackers at DEF CON. Designed to be played by teams, and running through the whole weekend, the TeleChallenge is entirely playable over a touch tone phone. Don't let fear of the Challenge hold you for ransom. Your voice is your passport!
Tin Foil Hat Contest
Want to block those pesky 5G microchips coursing through your vaccinated body? Were you hacking back against Putin, and need to hide? Or do those alien mind control rays just have you down lately? Fear not, for we here at the Tin Foil Hat contest have your back for all of these! Come find us in the contest area, and we'll have you build a tin foil hat which is guaranteed to provide top quality protection for your noggin. How you ask? SCIENCE!
Show us your skills by building a tin foil hat to shield your subversive thoughts, then test it out for effectiveness.
There are 2 categories: stock and unlimited. The hat in each category that causes the most signal attenuation will receive the "Substance" award for that category. We all know that hacker culture is all about looking good, though, so a single winner will be selected from each category for "Style".
Trace Labs OSINT Search Party CTF
[Image may be added later]
The Trace Labs Search Party CTF is a non theoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: Conduct open source intelligence operations to help find missing persons
You can have teams of 1-4 people, 4 person teams provide many benefits which include the coaching of more junior members. Often a great learning opportunity if you are able to pair up with OSINT veterans. Get your team together and join us in our Discord group to get started here:
Whose Slide Is It Anyway
It's our sixth year but since we had to be virtual last year this will be our 5 YEAR ANNIVERSARY show of “Whose Slide Is It Anyway?”! We're an unholy union of improv comedy, hacking and slide deck sado-masochism.
Our team of slide monkeys will create a stupid amount of short slide decks on whatever nonsense tickles our fancies. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a minimum 5 minute / maximum 10 minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.
Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it’s a night of schadenfreude for the whole family.
Oh, and prizes. Lots and lots of prizes.