Demolition Derby CTF

Welcome to our own take on Capture the Flag. In the Demolition Derby CTF, nearly everything goes. The competition network will also be crowdsourced, so we can't tell you beforehand exactly what to expect. In short, this competition will be complete CHAOS.


The crowdsourced nature of this event is where the chaos comes in. Rather than meticulously plan, design, and create the competition network ourselves, we're inviting everyone and their grandmother to bring a network device to contribute to the network. We recommend you bring your most obscure and interesting device so that the competition network is as diverse and eclectic as possible.

Each device contributed will have one or more flag files residing within it. Your goal? Collect as many flag files as possible to earn points. More details on flag files can be found below.

If you would like to contribute a device to the competition network, please email this form to us at with details of what you would like to contribute, how it will be configured, and any key behaviors that it will be introducing to the competition network. We'll then coordinate with you regarding flag file placement on the device and other logistics. Please keep in mind, however, that due to the hostile nature of the network and the combative nature of the competitors, you will likely receive your device back in a different state than you brought it in. We expect many devices to get rm'd, wiped, or otherwise boot-disabled during the course of the competition. Do not contribute anything that you cannot restore after the competition, as we truly will have a "scorched earth" policy.


Unlike many other CTF competitions you may find, we have unexpectedly few rules. As such, nearly anything goes short of completely DoSsing the entire competition network.

Rules for device contributors:

  • You must bring everything needed to connect your device to power and to the network. This means bring a power cable, a network cable, and/or ensure that your device's wireless card works. If your device has a non-standard console, bring that as well so that we can configure the device.
  • Your device must allow write access to at least part of its filesystem so that we may place the flag file(s) onto the device.
  • You must provide us with credentials for the device upon submitting it so that we may place the flag file(s) onto the device.
  • Your device cannot completely disable the competition network.

Rules for competitors:

  • You may not completely disable the competition network.


Not all flags are created equal, and not all network devices will house only a single flag... Scour the system thoroughly before you do anything too rash.

Flag files may contain data of varying formats; however, each one will be conformant enough to be easily identifiable by either human or automata. In general, they will be a text file identifying the device that they originally came from, the owner or contributor of that device, their point value for competition ranking, and other metadata. Flag files may or may not also contain other data, such as a Bitcoin private key (see prizes below), music data, video data, or other such fun and entertaining Easter eggs. Flag files will also be cryptographically signed in their entirety in order to prove authenticity when redeemed for points.

Hold onto these flag files after redeeming them for points, as they may be useful and/or valuable well after the competition has ended...


To score, email your captured flag file hashes to You may use this key to encrypt your email.
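The flag description above lists the fields a flag file carries (source device, contributor, point value, metadata, a cleartext Bitcoin address, and a signature over the whole file) and the scoring note says hashes of captured files are what gets submitted. The following is an added example, not organizer code: a small competitor-side tally tool. It assumes a `Key: Value` header layout with a `-----BEGIN SIGNATURE-----` block, which the announcement does not specify, and it only checks that the signature block is present, since the signing scheme and the organizers' public key are not given on this page. All sample flag files below are constructed.

```python
"""Tally captured Demolition Derby flag files and collect their hashes for scoring.

Added example, not organizer code. The on-disk layout is an ASSUMPTION:
'Key: Value' header lines followed by a '-----BEGIN SIGNATURE-----' block.
The announcement lists the fields but not the exact format.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Fields the announcement says every flag identifies (names assumed here).
REQUIRED_FIELDS = ("Device", "Contributor", "Points", "Bitcoin-Address")
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
SIG_BEGIN = "-----BEGIN SIGNATURE-----"


@dataclass
class Flag:
    device: str
    contributor: str
    points: int
    bitcoin_address: str
    sha256: str   # hash of the ENTIRE file, the value submitted for scoring
    signed: bool  # signature block present (authenticity is verified by the organizers)


def parse_flag(raw: bytes) -> Flag:
    """Parse one flag file; raise ValueError on anything malformed."""
    digest = hashlib.sha256(raw).hexdigest()  # hash before any decoding/normalising
    text = raw.decode("utf-8")
    fields: dict[str, str] = {}
    signed = False
    for line in text.splitlines():
        if line.startswith(SIG_BEGIN):
            signed = True
            break  # everything after this is the signature, not metadata
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"flag missing fields {missing}")
    try:
        points = int(fields["Points"])
    except ValueError:
        raise ValueError(f"non-integer point value {fields['Points']!r}") from None
    if points <= 0:
        raise ValueError(f"non-positive point value {points}")
    return Flag(fields["Device"], fields["Contributor"], points,
                fields["Bitcoin-Address"], digest, signed)


def tally(files: list[bytes]) -> dict:
    """Deduplicate, reject malformed files, and total the points of signed flags."""
    seen: set[str] = set()
    accepted: list[Flag] = []
    unsigned: list[Flag] = []
    rejected: list[str] = []
    for raw in files:
        try:
            flag = parse_flag(raw)
        except (ValueError, UnicodeDecodeError) as exc:
            rejected.append(str(exc))
            continue
        if flag.sha256 in seen:      # the same file captured twice scores once
            continue
        seen.add(flag.sha256)
        if not flag.signed:          # cannot prove authenticity: do not count it
            unsigned.append(flag)
            continue
        accepted.append(flag)
    return {
        "points": sum(f.points for f in accepted),
        "hashes": [f.sha256 for f in accepted],   # what goes in the scoring email
        "unsigned": [f.device for f in unsigned],
        "rejected": rejected,
    }


# Constructed sample flag files (placeholders, not real keys or addresses).
FLAG_A = b"""Device: constructed-device-01
Contributor: example contributor
Points: 10
Bitcoin-Address: <address placeholder>
Encrypted-Key: <ciphertext placeholder>
-----BEGIN SIGNATURE-----
<signature placeholder>
-----END SIGNATURE-----
"""
FLAG_BAD_POINTS = b"""Device: constructed-device-02
Contributor: example contributor
Points: lots
Bitcoin-Address: <address placeholder>
-----BEGIN SIGNATURE-----
<signature placeholder>
-----END SIGNATURE-----
"""
FLAG_UNSIGNED = b"""Device: constructed-device-03
Contributor: example contributor
Points: 5
Bitcoin-Address: <address placeholder>
"""
FLAG_D = b"""Device: constructed-device-04
Contributor: another contributor
Points: 25
Bitcoin-Address: <address placeholder>
-----BEGIN SIGNATURE-----
<signature placeholder>
-----END SIGNATURE-----
"""
SAMPLE_FLAGS = [FLAG_A, FLAG_A, FLAG_BAD_POINTS, FLAG_UNSIGNED, FLAG_D]

if __name__ == "__main__":
    result = tally(SAMPLE_FLAGS)
    print(f"points: {result['points']}")
    for h in result["hashes"]:
        print(h)
```

Hashing the raw bytes before decoding matters: the signature covers the file in its entirety, so any normalisation (line endings, trailing whitespace) would change the hash you submit and break the organizers' check against the signed original.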


Prizes for this competition will be based on points collected from captured flag files. Top-ranking competitors will all receive a complimentary pass to next year's conference, as well as their choice of one of the following prizes:

  • A 25 BTC Casascius Bitcoin, courtesy of Trammell Ventures
  • A Bug Hunter's Diary, The IDA Pro Book, and Gray Hat Python book bundle, courtesy of No Starch Press
  • wi*spy 2.4x, courtesy of Harris Crucial Security
  • DIY Security Camera Kit, courtesy of Harris Crucial Security

In addition to the prizes awarded for points, each flag file will contain an encrypted Bitcoin private key which will have some Bitcoin value sent to it. The list of Bitcoin addresses for the keys and their values has been posted here and can be independently verified using Block Explorer. Once the competition is complete, we will publish the encryption key used to encrypt the Bitcoin private keys here on our website. At that point, the "gold rush" phase will be on for the competitors to decrypt and import these keys into their Bitcoin wallet and "sweep" (claim) the Bitcoins for themselves. Each flag file will also contain the cleartext Bitcoin address for the encrypted private key so that competitors may verify the key's value on the Bitcoin network and keep a running total of how much BTC their flags are worth.

GOLD RUSH!!! The encryption key pair used to encrypt the Bitcoin keys included in the flag files has been posted! Grab them here!

Ideas and Suggestions

For Device Contributors

Keep in mind that nearly anything goes, short of violating the rules. So, you can't completely DoS the network... a few malformed Ethernet frames every few minutes couldn't hurt though, right? Who says a single segment can't have DHCP servers fighting over freshly-connecting competitors looking for access? And certainly no one said launching attacks or countermeasures back at a connecting host was out of the question... I mean, when you think about it, competitors connecting to the network become target devices themselves, right? It's their own damn fault for wandering into the kitchen; they can take a little heat...

Also consider that upon device submission to the contest, we will be placing one or more flag files onto the device. If you were to help us out and pre-configure some interesting or obscure places for us to place said files, we likely will make use of such when placing the flag files.

For Competitors

Why go after lame little devices with a measly one or two flag files on them when everyone knows that the real booty is sitting there all nicely collected on another competitor's system? I mean, they connected their system to the competition network, which makes it fair game as a target, right? No one could argue with THAT logic... On the flipside though, that means that other competitors will likely be coming after you too, so you better be on top of your defense game. Also, given the scorched earth policy, you probably don't want to compete using a system that has any sort of valuable data on it or lasting value to you. This ain't no place for the employer's laptop that you use to work from home...