Thank you all for playing! We hope you had as much fun playing as we had organizing!

Congratulations to our winners:

  1. KJC+MHackeroni
  2. pasten
  3. Dragon Sector

See you all in a bit at the CTF area and later at the Chaos West Stage!

Hi CTFers,

whether you captured a flag or not, join us at the CTF area after the end of the CTF at 21:30 local time. We'll announce the winners and you can discuss the challenges with us and the other teams.

Later at 0:00 local time there will be an after party at Chaos West Stage.

See you there!

Express-yourself was recategorized from "web" to "zajebiste". See the hint.

We decided to reduce the maximum point value for "identitytheft" from 500 to 300, since it depends on a solution for "newphonewhodis".

To avoid confusion: The target phone can reach external hosts on the internet and has netcat installed.

New hint released for identitytheft.

Note: This is the second stage of newphonewhodis, so you need to solve that one first. Because people are close we decided to not release symbols for this one.

Some challenges come with a Dockerfile to show you how the challenge is run. Note that the nsjail setup requires that you start the container with --privileged, i.e.: docker run --privileged $image

If you have any issues, feel free to ping tsuro on irc.

We took a close look at "refreshing memories" and you won't believe what happened next: Check out the new hint.

hint released, gogo

At least two different kinds of properties of instructions are encoded on the type level, and proven via the type checker. But are all of these properties sufficiently strict to ensure safety?

New "hint" released for post. Not really a hint, it's just to avoid any confusion...

Read the README until the very end. Also, make sure you use the exact same libc that is provided (it is a non-default build, again see README).

Find the keybase setup (version 2.12.2) at

The image files can be downloaded via torrent from and the password is the flag for "sanity check"

Apparently keybase decided to release a new version of the macOS client today, which is an update from 2.12.2 to 2.12.4. Don't install it for now if you have the choice. The challenge is running 2.12.2. We will soon provide a QEMU disk image with the old version in case it is relevant.

namespaces hint released

New hint for stage diving: The first step is stego. Don't try to zoom, use a magnifying glass.

A new hint has been posted for post, gl

some details about the deployment have been added. (this is not a hint, just want to avoid any confusion).

If you have problems seeing the output of the VM spooler for the challenges pillow, webkid, chaingineering, keybase and chromacity, try downloading the video file and playing it in VLC.

express-yourself (web). Enjoy!

The php challenge had an outdated attachment. Please re-download the new version.

Information about the VM setup for the "pillow" challenge has been added to the challenge description.

We uploaded three brand new challenges: stage-diving, php and post quantum.

Also there is a new hint for notifico: The graph is a move graph for a certain type of chess piece

The phone UI crashes when you select a phone book entry and select "Options". This is not intended and an oversight by the author but isn't relevant to the solution to the challenge. So just don't hit that button.

We released a small hint for "typely": If you are stuck, play around with the /execute endpoint and carefully read the responses.

For the VM spooler at, please note that a video capture of your exploit running in the VM will be returned to you for debugging.

We published two new challenges: newphonewhodis and identitytheft.

Have fun!

Note: These are two stages based on the same environment.

keybase (zajebiste). Enjoy!

Challenge binary replaced, please download from new link in challenge description.

The password for the encrypted VM image downloads is the flag for "sanity check"

corebot (reversing). Enjoy!

You might have to enable nested virtualization on your Linux host if you cannot run the inner VM. See updated description.

notifico (reversing). Enjoy!

Lambda was updated, please see the challenge description for updates and a new hint.

The description of the "pillow" challenge has been updated.

0pack (reversing). Enjoy!

Here we go!

Happy hacking everyone <3

Fellow CTF players,

35C3 CTF is officially confirmed. This is the 7th iteration of this event and it will be as awesome as ever! It is a Jeopardy style CTF and is open to everyone online. The contest will run for 48 hours, from Dec 27th, 20:00 UTC to Dec 29th, 20:00 UTC. As always, try not to ruin other people's fun.

If you happen to be at the 35th Chaos Communication Congress, you are free to come and hack with us and register an assembly in the CTF area.

There will be a less hardcore version of this CTF with a different, easier challenge set. You can read more about it on the linked website.

The winner of this event will qualify for DEF CON Finals 2019!

Of course, there will be pwnage!


Twitter: @EatSleepPwnRpt

IMPORTANT UPDATE: Please consider pre-downloading and seeding the encrypted VM images at, especially if you do not have access to macOS hardware.

Infrastructure sponsored by Google Cloud