Controlling a CTF

I recently revisited my old CTF-related scripts in connection with hosting a private intro-CTF by way of OWASP Juice Shop at work.

Having limited time and available resources at hand, I decided to just use Heroku for deployment. We wouldn't be limited by only using the free tier, as our competition would only run for a couple of hours.

In order to make everything fully automatable, I forked CTFd in order to get it running on Heroku, and expanded upon my previous naive implementation to spin up client (Juice Shop) instances. I also hacked together a random name-generator for the instances.

The workflow is as follows:

  • Generate a new (random) key for your CTF
    • Automated with ctfctl config
  • Go to my CTFd fork and click the "Deploy to Heroku" button
  • Update the variables in ctfctl to reflect the URL of your CTFd instance and a prefix of your choice for the instance URLs.
  • Import the zip-file that was generated for you on your CTFd-instance
  • Spin up Juice Shop instances on Heroku
    • Automated with ctfctl start <number-of-instances>
    • This will unfortunately take up to 10 min. per instance, as each instance also has to build on Heroku as of now...
  • (A file teams.txt will be created, containing a list of all instance names. Any given instance can be accessed at the URL https://<PREFIX>-<INSTANCE>.herokuapp.com)
  • To keep the Heroku apps from going to sleep (free dynos idle out after 30 minutes without traffic), ping your scoreboard and every Juice Shop instance every 15 minutes.
    • Automated with ctfctl keepup (alternatively ctfctl scoreboard to just ping the scoreboard)
  • Tell your contestants to go to the CTF Intro Startpage, which contains helpful hints for first-timers
    • Fork and tweak this for your event
  • When it's all over, bring down all client instances
    • Automated with ctfctl stop
  • Delete the CTFd instance manually on Heroku
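A self-contained POSIX sh sketch of the helpers this workflow leans on, added here as an example. It is not the author's ctfctl: the subcommand names (config, name, keepup, scoreboard), the wordlists, the default prefix juice, the placeholder scoreboard URL and the one-name-per-line reading of teams.txt are all assumptions. It shows the CTF key drawn from the OS CSPRNG, random instance names, and one keep-alive round over the scoreboard and every instance, plus the check a practitioner would add: names read from teams.txt are validated against Heroku's app-name rules before they are interpolated into URLs.

```shell
#!/bin/sh
# Added example: a small POSIX-sh approximation of the ctfctl steps described
# in the post (random key, random instance names, URL construction, keep-alive).
# Not the author's ctfctl; subcommands, wordlists and defaults are assumptions.
set -eu

PREFIX="${PREFIX:-juice}"                 # assumed prefix: https://<PREFIX>-<INSTANCE>.herokuapp.com
TEAMS_FILE="${TEAMS_FILE:-teams.txt}"     # one instance name per line (assumed format)
SCOREBOARD_URL="${SCOREBOARD_URL:-https://my-ctfd.herokuapp.com}"   # placeholder CTFd URL

# Constructed wordlists for instance names.
ADJECTIVES="brave calm eager fuzzy jolly quiet rapid witty"
ANIMALS="badger falcon heron lynx otter panda raven wolf"

# Hex-encode $1 random bytes from the OS CSPRNG ($RANDOM is not a CSPRNG).
rand_hex() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# Step "Generate a new (random) key": 32 bytes, printed as 64 hex characters.
gen_key() { rand_hex 32; }

# Pick one word from a space-separated list using one byte of OS randomness.
pick_word() {
  set -- $1
  shift $(( $(od -An -N1 -tu1 /dev/urandom | tr -d ' \n') % $# ))
  printf '%s\n' "$1"
}

# <adjective>-<animal>-<4 hex chars>: readable for contestants, not guessable in bulk.
random_name() {
  printf '%s-%s-%s\n' "$(pick_word "$ADJECTIVES")" "$(pick_word "$ANIMALS")" "$(rand_hex 2)"
}

# Heroku app-name rules: lowercase letters, digits and dashes; must start with a
# letter, end with a letter or digit, and be at most 30 characters long.
valid_app_name() {
  [ "${#1}" -le 30 ] || return 1
  printf '%s' "$1" | grep -Eq '^[a-z]([a-z0-9-]*[a-z0-9])?$'
}

instance_url() { printf 'https://%s-%s.herokuapp.com\n' "$PREFIX" "$1"; }

# Print the URL of every instance listed in file $1. The names come from a file
# and end up in a URL, so anything that is not a valid app name is refused.
instance_urls() {
  while IFS= read -r _name || [ -n "$_name" ]; do
    [ -n "$_name" ] || continue
    if valid_app_name "${PREFIX}-${_name}"; then
      instance_url "$_name"
    else
      printf 'skipping invalid instance name: %s\n' "$_name" >&2
    fi
  done < "$1"
}

# --fail turns HTTP 4xx/5xx into a non-zero exit; --max-time keeps a hung dyno
# from stalling the round. The body is discarded: only the wake-up matters.
ping_url() { curl --silent --fail --output /dev/null --max-time 20 "$1"; }

# One round of "ping the scoreboard and every Juice Shop instance".
keepup_once() {
  _failed=0
  for _url in "$SCOREBOARD_URL" $(instance_urls "$TEAMS_FILE"); do
    if ping_url "$_url"; then printf '%s ok\n' "$_url"
    else printf '%s FAILED\n' "$_url" >&2; _failed=$((_failed + 1)); fi
  done
  [ "$_failed" -eq 0 ]
}

# Free dynos sleep after 30 idle minutes; a round every 15 minutes keeps them awake.
keepup() { while :; do keepup_once || true; sleep 900; done; }

case "${1:-}" in
  config)     gen_key ;;
  name)       random_name ;;
  keepup)     keepup ;;
  scoreboard) ping_url "$SCOREBOARD_URL" ;;
  *)          : ;;   # no subcommand: only define the functions, so the file can be sourced
esac
```

Run it as sh ctfctl.sh config, sh ctfctl.sh name or sh ctfctl.sh keepup. The deploys themselves (the start and stop steps) go through the Heroku CLI and are not reproduced here; the point of the sketch is that the key comes from /dev/urandom rather than the shell's $RANDOM, and that nothing read from teams.txt reaches curl without first passing the app-name check.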

It's still not ideal, so I'm hoping I have time to write a fully automated way to bring up a generalized CTF-setup using Kubernetes and Docker-images or somesuch next year.
