Host CTF Platforms with Docker
Summary
In the world, there are many different types of platforms to learn and compete in so called Capture The Flags (CTFs). While the possibilities to host our own CTF platform in the cloud are nearly endless, there are also open-source variants which can be hosted with Docker or on-premise. These types of platforms are often preferred, since they do not cost any money and also one can learn many things about the hosting machine, the used technologies and about the platform itself. This Article focuses on three open-source platforms and shows how to host them in a dockerized environment.
Infrastructure used for this work
System Requirements
- Operating system:
- Windows 8 or higher
- Ubuntu Linux 20.04 LTS or higher
- macOS 10.14 or higher
- Or any other OS which support Docker
- Docker Engine >= 20.10
- optional: Docker Desktop
- Ruby
- Internet Browser of any type
- GIT
Docker Setup
Installation
First, uninstall any conflicting packages:
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
Then update the apt package index:
sudo apt-get update sudo apt-get install ca-certificates curl gnupg
After that, install the official GPG keys:
sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg
When that's done, setup the repository:
echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Then install the Docker Engine with the latest version:
sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Verification
After the installation, verify that the Docker Engine was installed successfully:
sudo docker run hello-world
MITRE CTF Scoreboard
The MITRE CTF Scoreboard is an open-source application developed by the MITRE Cyber Academy and focuses on hosting Capture The Flags in safe environments for learning, practicing and competing. It offers a wide variety of functionality, including authentication and authorization of individuals, the creation and management of teams, management of competitions and their including challenges, and much more. MITRE CTF Scoreboard is installed with Docker and the according plugin 'docker-compose'.
Setup
These steps are for production deployments using docker-compose.
Download the git repository:
git clone https://github.com/mitre-cyber-academy/ctf-scoreboard.git
Then navigate into the folder:
cd ctf-scoreboard
After that, generate your credentials:
./setup-docker-secrets.sh
Then run scoreboard database setup:
docker-compose run web rails db:initial_setup
Add appropriate Environment Variables into your `.env-prod` file for your environment. Add NGINX_HOST to the '.env' file for your environment
NGINX_HOST=your-scoreboard-domain.com
Start the container:
docker-compose up -d
The software is now be accessible via 'https://<ip address of docker container>'.
Create an Admin User
After the initial installation, navigate with yout browser to 'https://<ip address of docker container>'. This will prompt you a registration mask, on which you can create your Admin User - the following page may differ from the actual 'Admin Registration' page.
MELLIVORA
Mellivora Capture the Flag (CTF) platform is a comprehensive and dynamic online platform designed for hosting and participating in cybersecurity Capture the Flag competitions. Developed with the aim of enhancing practical cybersecurity skills, Mellivora CTF offers a robust and challenging environment for individuals and teams to engage in offensive and defensive cybersecurity exercises. The platform provides a feature-rich and intuitive interface, making it accessible to both beginners and experienced cybersecurity enthusiasts. It offers a wide range of challenges across various categories, including cryptography, web exploitation, reverse engineering, forensics, and more. These challenges are designed to mimic real-world scenarios, allowing participants to develop and apply their technical skills in a safe and controlled environment. Mellivora CTF emphasizes collaboration and learning by fostering a competitive and engaging atmosphere. Participants can form teams and compete against others, leveraging their collective expertise to solve complex challenges and earn points. The platform offers a scoring system that rewards both speed and accuracy, encouraging participants to strategize, communicate effectively, and think critically to maximize their score. One notable aspect of Mellivora CTF is its flexibility and extensibility. The platform supports custom challenge creation, allowing organizers to tailor the competition to their specific needs and objectives. Additionally, Mellivora CTF provides a comprehensive administrative dashboard that enables organizers to manage competitions, track progress, and analyze performance metrics in real-time.
Setup
Mellivora is easy to use with docker-compose. Mellivora comes with an included docker-compose configuration intended for development use. If you're looking to run Mellivora using Docker(-compose) in production, a good place to start might be to copy the provided docker-compose config and changing it to suit your needs.
Download the git repository:
git clone https://github.com/Nakiami/mellivora
Then navigate into the folder:
cd mellivora
After that, run following command:
docker-compose -f docker-compose.dev.yml up
in the Mellivora home directory to give Apache the permissions necessary for challenge file upload and caching run following command:
sudo chown -R www-data:www-data writable/
Create an admin user:
- Visit http://localhost/ which should now display the Mellivora landing page.
- Register a new user. You will probably get an error about emails not working. The user is created and functional despite the error.
- Go to http://localhost:18080 where Adminer should be running (assuming you're running in dev mode). Log in with
Server: db Username: root Password: password Database: mellivora
To make your user an administrator, go to "SQL command" in the menu and run:
UPDATE users SET class = 100 WHERE id = 1;
Log in at http://localhost/. Done!
Create basic challenge
For creating a basic challenge login with your admin user. From the top menu select "Manage". By selecting "Manage" you can create and edit already existing challenges and categories by pressing on "Categories" for changing or editing the categories or "Challenges" for editing or adding new challenges.
Tips
- The dev docker-compose profile mounts to use files directly from the host. Making changes to files on disk will result in changes to the running instance without rebuilding the container.
- If you are making changes to composer requirements, you will need to delete/rebuild the docker image composerdependencies.
- Call docker-compose -f docker-compose.dev.yml up --build to rebuild and start.
- Copy include/config/config.default.inc.php to include/config/config.inc.php to make your configuration changes.
RootTheBox
Hackers can practice and learn using Root the Box, a real-time capture the flag (CTF) scoring system for computer wargames. Any CTF-style game may be easily configured and adjusted using the application. By fusing a fun game-like atmosphere with practical tasks that communicate knowledge applicable to the real-world, such as penetration testing, incident response, digital forensics, and threat hunting, the platform enables you to engage both inexperienced and experienced players. RootTheBox is installed with Docker and the according plugin 'docker-compose'.
Setup
These steps are for production deployments using docker-compose.
Download the git repository:
git clone https://github.com/moloch--/RootTheBox.git
Then navigate into the folder:
cd RootTheBox
Update the repository:
git pull docker-compose build
Start the container:
docker-compose up -d
The software is now be accessible via 'https://<ip address of docker container>:8888'.
Access Admin Dashboard
RootTheBox enables Users to access an admin dashboard, which enables them to configure the platform to their need. Usually, when just installed, the credentials for the admin user are the following:
admin rootthebox
Always make sure to change the password of your admin account before you start hosting the platform in production!