DMU Hackers presents · 2026

Pwn2Play

Core Incursion 2026 results and event retrospective.

2026 Official In-Person Podium

1st R0073R5 2nd H4ck3rs0NF1r3 3rd AFNOM
View Results Event Stats
Exclusive Platform Partner

Pwn2Play runs on Biterra

Biterra is the gamified learning platform that hosts every Pwn2Play challenge, scoreboard, and team. Built by a DMU Hackers alumnus, it’s the permanent home for our flagship CTF. Wherever Pwn2Play goes, Biterra is the platform underneath it.

Open Pwn2Play on Biterra
2026 Results

Core Incursion by the Numbers

Final public stats from the completed Pwn2Play 2026 event.

Teams 200 registered
Participants 332 total competitors
Public Challenges 52 excluding Part 2 form checks
Saturday 30 May 2026

Run of Show

From doors to after-party — all times BST.

  1. 08:20 Doors open Arrive early, connect to WiFi, and settle your team.
  2. 09:00 – 18:00 CTF live Main no-AI scoreboard and separate AI-only scoreboard run on Pwn2Play.
  3. 19:00 – 20:30 Awards Podium, prizes, certificates, and sponsor recognition at DSU.
  4. 21:30 onwards After party Social route across Leicester with other DMU societies.
11 Categories, 52 Public Challenges

Challenge Categories

The final public 2026 challenge set, excluding the two Part 2 form verification rows.

14

Web Exploitation

SQL injection, XSS, SSRF, authentication bypasses and web logic flaws.

9

Miscellaneous

Unexpected formats, strange clues and challenge ideas that refuse one label.

5

Forensics

Recover evidence from captures, filesystems, memory, logs and hidden artefacts.

5

Full-Pwn

Chain attack paths from initial access to deeper compromise.

5

OSINT

Track down answers through public records, digital footprints and careful research.

5

Reverse Engineering

Disassemble, decompile and decode binaries to uncover hidden logic.

4

Cryptography

Break ciphers, exploit weak implementations and reason about flawed secrecy.

3

Binary Exploitation

Break compiled targets with memory corruption, control flow and exploit craft.

3

Scripting

Automate parsing, brute force paths and transform data under time pressure.

1

Intro

A first flag to get teams settled into the platform and event flow.

1

Linux

Navigate shells, permissions, processes and system clues like an operator.

2026 Spread

Challenge Breakdown

52 public challenges across categories and difficulties.

Categories

Challenge Categories

The final category mix for Pwn2Play: Core Incursion 2026.

  • Web Exploitation14 / 27%
  • Miscellaneous9 / 17%
  • Forensics5 / 9%
  • Full-Pwn5 / 9%
  • OSINT5 / 9%
  • Reverse Engineering5 / 9%
  • Cryptography4 / 8%
  • Binary Exploitation3 / 6%
  • Scripting3 / 6%
  • Full-Pwn2 / 4%
  • Intro1 / 2%
  • Linux1 / 2%
Difficulty

Challenge Difficulties

Difficulty labels from the final 2026 challenge set.

  • Easy23 / 44%
  • Medium16 / 31%
  • Hard7 / 13%
  • Extra Hard3 / 6%
  • Trivial3 / 6%
Important

Key Information

Core Incursion // CTF Venue

Gateway House Floor 5
De Montfort University
The Gateway, Leicester LE1 9BH

WiFi

Student & Guest WiFi was available for the 2026 event. Competitors brought their own machines.

Awards Event Venue

De Montfort Students' Union
Campus Centre Building
Mill Ln, Leicester LE2 7DR

Food & Drink

The bar opened after the event for competitors and guests attending the awards.

Results Biterra Map Discord
Tracks

Scoreboard Rules

The 2026 result scope is the official in-person podium from the main scoreboard.

No AI

Main scoreboard

AI usage was forbidden. This was the official competitive track used for main event standings.

AI permitted

AI-only scoreboard

Teams who chose to use AI competed on a separate scoreboard on Pwn2Play.

In-person podium

Prize eligibility

The published 2026 results list the official in-person podium only.

Read the Rules

CTF Server Rules

01

General Conduct

  • Respect all participants, organisers, and the integrity of the competition.
  • No harassment, discrimination, or toxic behaviour will be tolerated.
  • Follow all university IT policies and legal regulations.
02

AI Usage Policy

  • AI usage is strictly forbidden in the main event.
  • Teams found using AI in the main event will be disqualified.
  • A separate AI-only scoreboard will be available on the Pwn2Play platform for teams who choose to use AI.
03

Server & Network Use

  • Only interact with CTF challenges and infrastructure. Do not target other participants or university systems.
  • Denial of Service (DoS/DDoS) attacks against the server, network, or participants are strictly prohibited.
  • Scanning outside the designated CTF scope is forbidden.
04

Fair Play & Ethics

  • No brute-forcing challenge platforms, flag submission forms, or administrative panels unless explicitly part of a challenge.
  • Do not share, trade, or leak flags, solutions, or hints to other participants.
  • No automated tools/scripts that degrade server performance (e.g., aggressive scanning, spamming requests).
05

Virtual Participants

  • Maintain a stable internet connection and avoid using VPNs/proxies unless required for a challenge.
  • Keep your credentials secure. Do not share your access keys or login information.
  • Follow organiser instructions in the event of technical issues.
06

Challenge & Flag Submission

  • Flags must be submitted exactly as retrieved, in the expected format.
  • If a challenge is broken, report it to an admin instead of exploiting it.
  • The organisers' decisions on challenge validity, scoring, and disputes are final.
07

Prohibited Actions

  • No social engineering, phishing, or attacking other teams' setups.
  • No modifying, deleting, or tampering with challenge infrastructure.
08

Penalties & Disqualification

  • Violating these rules may result in a warning, score reduction, or disqualification.
  • Severe infractions (e.g., damaging university systems, disrupting the event) may be reported to university authorities.
09

Support & Reporting Issues

  • Contact event staff on the designated CTF Discord/Slack channel or help-desk for any issues.
  • If you encounter a security issue affecting the event, report it responsibly to the organisers.
10

Discord ToS

  • Follow the Discord Terms of Service (ToS) at all times when using the CTF Discord server.
Keep the night going

After Party

Social Route Around Leicester

Following the awards ceremony, join us for a social route around Leicester with a combination of DMU societies. Whether you competed or just want to celebrate, everyone is welcome.

After awards ceremony
Various venues across Leicester
All are invited
Backers

Sponsors

Prize providers and challenge creators supporting Pwn2Play: Core Incursion.

Prize Providers

Supporting the winners with prizes that make the competition worth chasing.

Main Sponsor Prize Provider

Kit365

Kit365 is the primary sponsor of Pwn2Play, providing prizes for the winning teams. Their support helps make our flagship CTF a stronger event for cybersecurity talent.

Prize Provider

TryHackMe

TryHackMe is supporting Pwn2Play by providing prizes for our event, helping us reward standout performances and make the competition more exciting for participants.

Prize Provider

Immersive Labs

Immersive Labs is supporting Pwn2Play as a prize provider, helping us reward standout teams while backing practical cyber skills development through realistic, hands-on learning.

Challenge Creators

Building realistic problems and scenarios for competitors to solve under pressure.

Challenge Creator

North Quay Holdings

North Quay Holdings is a private sector company specialising in all-source intelligence and OSINT. They create challenges for Pwn2Play, helping deliver realistic and engaging CTF experiences.

Challenge Creator

Redcentric

Redcentric is a managed IT services provider delivering network, cloud, and security solutions. They create challenges for Pwn2Play, bringing industry expertise and real-world scenarios.

Want to sponsor Pwn2Play or get involved?

Become a Sponsor
2026 Results

Core Incursion Official In-Person Podium

2nd

H4ck3rs0NF1r3

1st

R0073R5

3rd

AFNOM