Run Capture-The-Flag Events with CTFd
A brief guide to running capture-the-flag style events with the open-source framework, CTFd.
In a previous post, I talked about OWASP Juice Shop, an intentionally vulnerable web application that allows security enthusiasts to test their hacking skills. It is also used in Capture The Flag (CTF) style competitions where participants solve a variety of computer security challenges, from web security flaws to cryptography and reverse engineering. The goal is to gain access to a “flag” or piece of information that is hidden within a challenge. The person or team that solves all the challenges the fastest wins the competition. CTF events require a platform to host the challenges, receive submissions and display the scoreboard. Enter CTFd.
What is CTFd?
CTFd is an open-source platform that can be used to run CTF events for free. It offers a user-friendly web interface for both administrators and players, and has a modular plugin system that allows integration with external services. CTFd is very popular among security enthusiasts and has been used to host some of the largest CTF events in the world.
What is Railway?
Railway is a modern app hosting platform that makes it easy to deploy production-ready apps quickly. Railway offers persistent database services for PostgreSQL, MySQL, MongoDB, and Redis, as well as application services with a GitHub repository as the deployment source. For the latter, Railway can automatically determine the application runtime and deploy the service. Railway offers several one-click starters for popular applications, but not one for CTFd, so let's use my template instead. Since we are just testing the waters, Railway's free tier should be sufficient to host the service.
Deploy CTFd using One-Click Starter on Railway
Sign up for an account with Railway using GitHub, and click Authorize Railway App when redirected. Review and agree to Railway's Terms of Service and Fair Use Policy if prompted. Launch my one-click starter template (or click the button below) to deploy CTFd instantly on Railway.
Review the defaults and click Deploy; the deployment will kick off immediately.
Once the deployment completes, CTFd will be available at a default xxx.up.railway.app domain - click on this URL to access your instance. If you are interested in setting up a custom domain, I covered it at length in a previous post - see the final section here.
Configure and Run CTF Events with CTFd
CTFd launches with the initial configuration required for your first event. Provide the Event Name and Event Description, and click Next.
CTF events are typically conducted in Team Mode, with the entire team getting credit when any team member solves a challenge, but you can also configure CTFd in User Mode if you are using it for internal training and assessments. Choose the mode and click Next.
Provide details for the administrative account and click Next.
Change the look-and-feel if you'd like, or accept the default and click Next. Provide the Start Time and End Time for the event and click Next. This is optional, and you can choose to ignore it for now.
Decide whether you want to integrate with MajorLeagueCyber - a CTF statistics tracker that provides event scheduling, team tracking, and single sign-on for events across the CTFd ecosystem. Once you complete the initial configuration, you'll be presented with the screen below.
Log in to the CTFd administrative portal using the credentials you configured earlier, and play around with the various tabs. Click on Admin Panel to configure the users, pages and challenges, and to view the submissions and scoreboard. Click the Config tab if you'd like to make any changes to the event configuration.
Now that your CTFd instance is up and running, you can start creating the challenges, the main form of content in CTFd. Most functionality revolves around challenges and how users interact with them. Primarily, users submit flags (i.e. answers) to the challenges and CTFd rewards the users with points for correct submissions. Some types of challenges are only available in the Hosted version or with the purchase of the corresponding CTFd plugin.
Admins can also create hints for each challenge - either free or with a cost associated with them (e.g. deduction of points). CTFd automatically generates and updates a live scoreboard that resolves ties and supports score freezing. Well, that's it for now - if you'd like to read more, head over to the CTFd documentation.
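To make the scoreboard behaviour above concrete, here is an added Python example (not CTFd's own code, which keeps all of this in its database) that ranks teams from a list of solves, ignores repeat solves of the same challenge, breaks ties in favour of the team that reached its score first, and hides solves made after a freeze time. The solves and the freeze time are constructed sample data, and the tie rule is an assumption about how a scoreboard should behave rather than a statement about CTFd's internals.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Solve:
    team: str
    challenge: str
    points: int
    at: datetime


def scoreboard(solves, freeze_at=None):
    """Return [(rank, team, total)] sorted by total points, highest first.

    Ties are broken by the time a team reached its total: the team whose last
    scoring solve came earlier ranks higher. When freeze_at is given, solves
    after that instant are left out, which is what a public "frozen" board shows.
    """
    visible = [s for s in solves if freeze_at is None or s.at <= freeze_at]
    # Only the first correct submission per (team, challenge) scores; later
    # duplicates of the same flag earn nothing.
    seen, scoring = set(), []
    for s in sorted(visible, key=lambda s: s.at):
        if (s.team, s.challenge) not in seen:
            seen.add((s.team, s.challenge))
            scoring.append(s)
    totals, reached_at = {}, {}
    for s in scoring:  # already in time order, so reached_at ends up latest
        totals[s.team] = totals.get(s.team, 0) + s.points
        reached_at[s.team] = s.at
    ranked = sorted(totals, key=lambda t: (-totals[t], reached_at[t]))
    return [(rank, t, totals[t]) for rank, t in enumerate(ranked, 1)]


# Constructed sample data: alpha and bravo tie on points, charlie solves
# a big challenge only after the freeze and submits one flag twice.
def t(h, m):
    return datetime(2024, 1, 1, h, m)


SAMPLE_SOLVES = [
    Solve("bravo", "web1", 100, t(10, 3)),
    Solve("alpha", "web1", 100, t(10, 5)),
    Solve("alpha", "crypto1", 200, t(10, 20)),
    Solve("bravo", "crypto1", 200, t(10, 25)),
    Solve("charlie", "web1", 100, t(10, 40)),
    Solve("charlie", "web1", 100, t(10, 41)),  # duplicate, must not score
    Solve("charlie", "rev1", 300, t(10, 50)),  # after the freeze below
]
FREEZE = t(10, 45)

if __name__ == "__main__":
    print("final:", scoreboard(SAMPLE_SOLVES))
    print("frozen:", scoreboard(SAMPLE_SOLVES, FREEZE))
```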