Host CTF Platforms with Docker

From Embedded Lab Vienna for IoT & Security


There are many different platforms for learning and competing in so-called Capture the Flag (CTF) events. While the possibilities for hosting your own CTF platform in the cloud are nearly endless, there are also open-source variants which can be hosted with Docker or on-premises. These platforms are often preferred because they do not cost any money and because one can learn a lot about the host machine, the technologies used and the platform itself. This article focuses on three open-source platforms and shows how to host them in a dockerized environment.

Infrastructure used for this work


System Requirements

  • Operating system:
    • Windows 8 or higher
    • Ubuntu Linux 20.04 LTS or higher
    • macOS 10.14 or higher
    • Or any other OS which supports Docker
  • Docker Engine >= 20.10
    • optional: Docker Desktop
  • Ruby
  • Web browser of any type
  • Git

Docker Setup


First, uninstall any conflicting packages:

for pkg in docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done

Then update the apt package index and install the prerequisite packages:

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg

After that, install the official GPG keys:

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

When that's done, set up the repository:

echo \
 "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] \
 "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Then install the latest version of the Docker Engine:

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin


After the installation, verify that the Docker Engine was installed successfully:

sudo docker run hello-world

MITRE CTF Scoreboard

The MITRE CTF Scoreboard is an open-source application developed by the MITRE Cyber Academy. It focuses on hosting Capture the Flag events in safe environments for learning, practicing and competing. It offers a wide variety of functionality, including authentication and authorization of individuals, the creation and management of teams, the management of competitions and the challenges they include, and much more. MITRE CTF Scoreboard is installed with Docker and the corresponding plugin 'docker-compose'.


These steps are for production deployments using docker-compose.

Download the git repository:

git clone

Then navigate into the folder:

cd ctf-scoreboard

After that, generate your credentials:


Then run scoreboard database setup:

docker-compose run web rails db:initial_setup

Add the appropriate environment variables for your environment to your '.env-prod' file, and add NGINX_HOST to the '.env' file.

Start the container:

docker-compose up -d

The software is now accessible via 'https://<ip address of docker container>'.

Create an Admin User

After the initial installation, navigate with your browser to 'https://<ip address of docker container>'. This will present a registration form on which you can create your Admin User. Note that the following page may differ from the actual 'Admin Registration' page.



Mellivora Capture the Flag (CTF) platform is a comprehensive and dynamic online platform designed for hosting and participating in cybersecurity Capture the Flag competitions. Developed with the aim of enhancing practical cybersecurity skills, Mellivora CTF offers a robust and challenging environment for individuals and teams to engage in offensive and defensive cybersecurity exercises. The platform provides a feature-rich and intuitive interface, making it accessible to both beginners and experienced cybersecurity enthusiasts. It offers a wide range of challenges across various categories, including cryptography, web exploitation, reverse engineering, forensics, and more. These challenges are designed to mimic real-world scenarios, allowing participants to develop and apply their technical skills in a safe and controlled environment.

Mellivora CTF emphasizes collaboration and learning by fostering a competitive and engaging atmosphere. Participants can form teams and compete against others, leveraging their collective expertise to solve complex challenges and earn points. The platform offers a scoring system that rewards both speed and accuracy, encouraging participants to strategize, communicate effectively, and think critically to maximize their score.

One notable aspect of Mellivora CTF is its flexibility and extensibility. The platform supports custom challenge creation, allowing organizers to tailor the competition to their specific needs and objectives. Additionally, Mellivora CTF provides a comprehensive administrative dashboard that enables organizers to manage competitions, track progress, and analyze performance metrics in real-time.


Mellivora is easy to use with docker-compose. It comes with an included docker-compose configuration intended for development use. If you're looking to run Mellivora using Docker(-compose) in production, a good place to start might be to copy the provided docker-compose config and change it to suit your needs.

Download the git repository:

git clone

Then navigate into the folder:

cd mellivora

After that, run the following command:

docker-compose -f up

To give Apache the permissions necessary for challenge file upload and caching, run the following command in the Mellivora home directory:

sudo chown -R www-data:www-data writable/

Create an admin user:

  • Visit http://localhost/ which should now display the Mellivora landing page.
  • Register a new user. You will probably get an error about emails not working. The user is created and functional despite the error.
  • Go to http://localhost:18080 where Adminer should be running (assuming you're running in dev mode). Log in with:
    • Server: db
    • Username: root
    • Password: password
    • Database: mellivora

To make your user an administrator, go to "SQL command" in the menu and run:

UPDATE users SET class = 100 WHERE id = 1;

Log in at http://localhost/. Done!
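
The dev-mode values used above (Adminer on port 18080, database login root / password) are the first things to look for when the dev docker-compose config is copied for production use. The following is an added example, not part of Mellivora or of the original article: a shell check that flags them in a compose file. The two sample files, the rule names and the service layout are constructed for illustration.

```bash
# Added example: audit a compose file for the dev-mode defaults named on this
# page (Adminer on host port 18080, database root password "password").
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
audit_compose() {
    file=$1; rc=0
    while read -r label pattern; do
        hits=$(grep -Ein -- "$pattern" "$file") || continue
        printf '%s\n' "$hits" | sed "s/^/$label: line /"
        rc=1
    done <<'RULES'
adminer-ui image:[[:space:]]*"?([^[:space:]]*/)?adminer
dev-port-18080 ^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?18080:
weak-db-password PASSWORD[[:space:]]*[:=][[:space:]]*"?(password|root|changeme)"?[[:space:]]*$
RULES
    return "$rc"
}

# Constructed sample in the style of a dev profile (not Mellivora's own file).
write_dev_sample() {
    cat > "$1" <<'YAML'
services:
  db:
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD: password
  adminer:
    image: adminer
    ports:
      - "18080:8080"
YAML
}

# Constructed sample: Adminer dropped, root password read from a secret file.
write_prod_sample() {
    cat > "$1" <<'YAML'
services:
  db:
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root
    secrets: [db_root]
secrets:
  db_root: {file: ./secrets/db_root.txt}
YAML
}

tmp=$(mktemp -d); write_dev_sample "$tmp/dev.yml"; write_prod_sample "$tmp/prod.yml"
audit_compose "$tmp/dev.yml" || echo "dev.yml: dev defaults present"
audit_compose "$tmp/prod.yml" && echo "prod.yml: no dev defaults found"; rm -rf "$tmp"
```

Because the function returns a non-zero status on any finding, it can gate a deployment step, for example `audit_compose docker-compose.yml && docker-compose up -d`.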

Create basic challenge

To create a basic challenge, log in with your admin user and select "Manage" from the top menu. From there you can create and edit categories by pressing "Categories", or add new challenges and edit existing ones by pressing "Challenges".


  • The dev docker-compose profile uses mounts so that files are used directly from the host. Making changes to files on disk will result in changes to the running instance without rebuilding the container.
  • If you are making changes to composer requirements, you will need to delete/rebuild the docker image composerdependencies.
  • Call docker-compose -f up --build to rebuild and start.
  • Copy include/config/ to include/config/ to make your configuration changes.


Root the Box is a real-time capture the flag (CTF) scoring system for computer wargames with which hackers can practice and learn. Any CTF-style game can be easily configured and adjusted using the application. By combining a fun, game-like atmosphere with practical tasks that convey knowledge applicable to the real world, such as penetration testing, incident response, digital forensics, and threat hunting, the platform lets you engage both inexperienced and experienced players. RootTheBox is installed with Docker and the corresponding plugin 'docker-compose'.


These steps are for production deployments using docker-compose.

Download the git repository:

git clone

Then navigate into the folder:

cd RootTheBox

Update the repository:

git pull
docker-compose build

Start the container:

docker-compose up -d

The software is now accessible via 'https://<ip address of docker container>:8888'.

Access Admin Dashboard

RootTheBox gives users access to an admin dashboard, with which they can configure the platform to their needs. Usually, on a fresh installation, the credentials for the admin user are the following:


Always make sure to change the password of your admin account before you start hosting the platform in production!