In a previous post, I talked about OWASP Juice Shop, an intentionally vulnerable web application that allows security enthusiasts to test their hacking skills. It is also used in Capture The Flag (CTF) style competitions where participants solve a variety of computer security challenges, from web security flaws to cryptography and reverse engineering. The goal is to gain access to a “flag” or piece of information that is hidden within a challenge. The person or team that solves all the challenges the fastest wins the competition. CTF events require a platform to host the challenges, receive submissions and display the scoreboard. Enter CTFd.
What is CTFd?
CTFd is an open-source platform that can be used to run CTF events for free. It offers a user-friendly web interface for both administrators and players, and has a modular system allowing for integrations with other external services. CTFd is very popular among security enthusiasts and has been used to host some of the largest CTF events in the world.
What is Railway?
Railway is a modern app hosting platform that makes it easy to deploy production-ready apps quickly. Railway offers persistent database services for PostgreSQL, MySQL, MongoDB, and Redis, as well as application services with a GitHub repository as the deployment source. For the latter, Railway can automatically determine the application runtime and deploy the service. Railway offers several one-click starters for popular applications, but not one for CTFd, so let's use my template instead. Since we are just testing the waters, Railway's free tier should be sufficient to host the service.
Deploy CTFd using One-Click Starter on Railway
Sign up for an account with Railway using GitHub, and click Authorize Railway App when redirected. Review and agree to Railway's Terms of Service and Fair Use Policy if prompted. Launch my one-click starter template (or click the button below) to deploy a CTFd instance instantly on Railway.
You'll be prompted with an opportunity to change the default repository name and set it private, if you'd like. Accept the defaults and click Deploy; the deployment will kick off immediately.
Once the deployment completes, CTFd will be available at a default xxx.up.railway.app domain - click on this URL to access your instance. If you are interested in setting up a custom domain, I covered it at length in a previous post - see the final section here.
Configure and Run CTF Events with CTFd
CTFd launches with the initial configuration required for your first event. Provide the Event Name and Event Description, and click Next. CTF events are typically conducted in Team Mode, with the entire team getting credit when any team member solves a challenge, but you can also configure CTFd in User Mode if you are using it for internal training and assessments. Choose the mode and click Next.
Provide details for the administrative account and click Next. Change the look-and-feel if you'd like or accept the default and click Next. Provide the Start Time and End Time for the event and click Next. This is optional, and you can choose to ignore it for now.
Decide whether you want to integrate with MajorLeagueCyber - a CTF statistics tracker that provides event scheduling, team tracking, and single sign-on for events across the CTFd ecosystem. Once you complete the initial configuration, you'll be presented with the screen below.
Log in to the CTFd administrative portal using the credentials you configured earlier, and play around with the various tabs. Click on Admin Panel to configure the users, pages and challenges, and to view the submissions and scoreboard. Click the Config tab if you'd like to make any changes to the event configuration.
Now that your CTFd instance is up and running, you can start creating the challenges, the main form of content in CTFd. Most functionality revolves around challenges and how users interact with them. Primarily, users submit flags (i.e. answers) to the challenges and CTFd rewards the users with points for correct submissions. Some types of challenges are only available in the Hosted version or with the purchase of the corresponding CTFd plugin.
Admins can also create hints for each challenge - either free or with a cost associated with them (e.g. deduction of points). CTFd automatically generates and updates a live scoreboard that resolves ties and supports score freezing. Well, that's it for now - if you'd like to read more, head over to the CTFd documentation.
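Creating challenges one at a time in the Admin Panel gets tedious once an event has more than a handful of them, so here is an added example (my own script, not code from the original post or from the CTFd project) that defines challenges as data, sanity-checks them (positive point values, a non-empty flag, hint costs that cannot exceed the challenge's own value) and loads them through CTFd's REST API. It assumes a running instance, an admin access token created in the CTFd UI, and the `/api/v1/challenges`, `/api/v1/flags` and `/api/v1/hints` endpoints with the field names shown; those follow the CTFd API as I know it, so confirm them against your instance's version. The sample challenge and its flag are constructed for illustration.

```python
"""Bulk-load CTFd challenges, flags and hints through the REST API.

Added example, not from the original post or the CTFd project. Assumes a
running CTFd instance and an admin access token. Endpoint paths and field
names follow CTFd's /api/v1 REST API as I know it; verify against your version.
"""
import json
import os
import urllib.request
from dataclasses import dataclass, field
from typing import List


@dataclass
class Hint:
    content: str
    cost: int = 0  # 0 = free hint; > 0 deducts that many points when unlocked


@dataclass
class Challenge:
    name: str
    category: str
    description: str
    value: int                 # points awarded for a correct submission
    flag: str                  # static flag the player must submit
    hints: List[Hint] = field(default_factory=list)
    case_insensitive: bool = False
    state: str = "hidden"      # keep challenges hidden until the event starts


def validate(ch: Challenge) -> List[str]:
    """Return a list of problems; an empty list means the challenge can be loaded."""
    problems = []
    if not ch.name.strip():
        problems.append("name is empty")
    if ch.value <= 0:
        problems.append("value must be positive")
    if not ch.flag.strip():
        problems.append("flag is empty")
    if ch.state not in ("visible", "hidden"):
        problems.append(f"unknown state {ch.state!r}")
    for h in ch.hints:
        # A hint that costs more than the challenge is worth is almost always a typo.
        if h.cost < 0 or h.cost > ch.value:
            problems.append(f"hint cost {h.cost} outside 0..{ch.value}")
    return problems


def challenge_payload(ch: Challenge) -> dict:
    return {"name": ch.name, "category": ch.category, "description": ch.description,
            "value": ch.value, "type": "standard", "state": ch.state}


def flag_payload(ch: Challenge, challenge_id: int) -> dict:
    return {"challenge_id": challenge_id, "type": "static", "content": ch.flag,
            "data": "case_insensitive" if ch.case_insensitive else ""}


def hint_payloads(ch: Challenge, challenge_id: int) -> List[dict]:
    return [{"challenge_id": challenge_id, "content": h.content, "cost": h.cost}
            for h in ch.hints]


class CTFdClient:
    """Minimal token-authenticated client; only the calls this loader needs."""

    def __init__(self, base_url: str, token: str):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _post(self, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            self.base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Token {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)  # CTFd wraps results as {"success": ..., "data": ...}

    def load(self, ch: Challenge) -> int:
        problems = validate(ch)
        if problems:
            raise ValueError(f"{ch.name}: " + "; ".join(problems))
        cid = self._post("/api/v1/challenges", challenge_payload(ch))["data"]["id"]
        self._post("/api/v1/flags", flag_payload(ch, cid))
        for hp in hint_payloads(ch, cid):
            self._post("/api/v1/hints", hp)
        return cid


# Constructed sample challenge; the flag value is made up for this example.
SAMPLE = Challenge(
    name="Cookie Monster", category="web", value=100,
    description="Find the flag hidden in the admin-only page.",
    flag="flag{constructed_sample_value}",
    hints=[Hint("Look at what the session cookie encodes.", cost=10)])

if __name__ == "__main__":
    # Dry run prints the payloads; set CTFD_URL and CTFD_TOKEN to load for real.
    print(json.dumps(challenge_payload(SAMPLE), indent=2))
    if os.environ.get("CTFD_URL") and os.environ.get("CTFD_TOKEN"):
        print("created challenge id", CTFdClient(os.environ["CTFD_URL"],
                                                 os.environ["CTFD_TOKEN"]).load(SAMPLE))
```

Run it without environment variables to see the payloads it would send; with `CTFD_URL` and `CTFD_TOKEN` set it creates the challenge, its flag and its hints in that order, since the flag and hint records need the challenge id the first call returns. Keep the file that holds your real flags out of the public repository Railway deploys from.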