DEV Community: Aditya Kumar The latest articles on DEV Community by Aditya Kumar (@adityakumaaar). https://dev.to/adityakumaaar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2474222%2F19283dae-4449-4a89-90fc-b5725447e983.png DEV Community: Aditya Kumar https://dev.to/adityakumaaar en Host your CTF using CTFd! Aditya Kumar Sun, 24 Nov 2024 19:36:20 +0000 https://dev.to/adityakumaaar/host-your-ctf-using-ctfd-5479 https://dev.to/adityakumaaar/host-your-ctf-using-ctfd-5479 <h2> Hosting CTF: A Comprehensive Guide </h2> <p>If you want to jump to the technical details, scroll to the bottom.</p> <h3> Backstory </h3> <p>I hosted and coordinated a Capture The Flag (CTF) competition for around 300 people in my workplace. This was a great learning experience for me. This article may help you decide to host one for your team yourself, and it's pretty easy, too!</p> <h3> Initial Planning </h3> <p><strong>Budget considerations</strong></p> <p>Well, like how it always is the cheaper, the better, one thing that played a crucial role is that I work in an infrastructure team, so having access to VMs was a no-cost affair. But keeping this aside, a small 4vCPU 2GB RAM machine can handle the load pretty well and is free if you have a student pack for Azure/AWS/GCP.</p> <p><strong>Timeline development</strong></p> <p>The most time-consuming part of CTF is forming the questions. Since this was the first time many people were playing, we decided to use medium-level questions. We also included a few non-technical questions so players do not lose interest in the game and drop off.</p> <p>It is a good idea to survey how many people are interested in playing the CTF. This will help you estimate the traffic on the actual day and the level of the participants, so you can frame the questions accordingly!</p> <p>Having a team that will form the questions is immensely important, this is the backbone on which your CTF depends, always vet the questions, make sure it is of different categories and most importantly not easily solved by ChatGPT :P </p> <h3> Technical Architecture </h3> <p>We selected to host this on VMs in the OpenStack environment but this really shouldn’t matter much, once you provision the VM it's the same process.</p> <p>The VM was hosted on the company’s direct network, which is accessible only via VPN, so that isolated the VM from actors outside the company.</p> <h3> Challenge Types </h3> <ul> <li>Web exploitation</li> <li>Reverse engineering</li> <li>Cryptography</li> <li>Forensics / Packet Inspection</li> <li>Miscellaneous</li> </ul> <h3> Challenge Design Principles </h3> <ul> <li>Realistic scenarios</li> <li>Educational Value</li> <li>Progressive difficulty</li> <li>Clear, unambiguous instructions</li> </ul> <h3> Challenge Verification </h3> <p>Always check your questions, create a hidden account on the platform and test your questions from start to end, there is most likely a team that is framing all the questions make sure you test each other’s questions out so that you get the feel from the participant’s side too!</p> <h3> Testing </h3> <p>I wrote a script to test the concurrent connections and average response times and monitored the VM stats using <code>htop</code></p> <p>As a failover scenario, I had one more VM in a different DC and network as a spare (I only did this because I had access to free VMs) to continue the contest if something bad happened!</p> <p>I was also taking exports of the current state of the CTF so that I could easily import it to the new VM and continue it after making a DNS update.</p> <h3> Pre-Event Communication </h3> <p>We used a Webex bot to send communications for example, when new questions dropped, leaderboard updates, and fun stats to keep the enthusiasm going.</p> <p>We tried to be as clear as possible with the rules in the questions themselves. If a frequent question popped up, we notified everyone to clear it out!</p> <h3> Participant Management </h3> <p>We did not want users to use their IDs and passwords and did not have enough time to understand how we could integrate our company's OAuth into this, so we used the CTFd APIs to create local accounts for the users and send them via the bot to everyone.</p> <h2> Spin up CTFd </h2> <p><a href="https://docs.ctfd.io/docs/deployment/installation/#docker" rel="noopener noreferrer">Reference form the CTFd Docs</a></p> <p>I used a VM with Ubuntu OS, you can follow these steps or modify them according to the package manager your OS uses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>python3-pip <span class="nt">-y</span> <span class="nt">-q</span> <span class="o">&amp;&amp;</span> apt <span class="nb">install </span>python3.10-venv <span class="nt">-y</span> <span class="o">&amp;&amp;</span> apt <span class="nb">install </span>python-is-python3 <span class="nt">-y</span> <span class="nt">-q</span> <span class="o">&amp;&amp;</span> apt <span class="nb">install </span>docker <span class="nt">-y</span> <span class="o">&amp;&amp;</span> apt <span class="nb">install </span>docker-compose <span class="nt">-y</span> git clone https://github.com/CTFd/CTFd.git <span class="nb">cd </span>CTFd/ python <span class="nt">-m</span> venv venv <span class="nb">source </span>venv/bin/activate pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt docker-compose up </code></pre> </div> <p><code>docker ps</code> to check if the containers are up and running!</p> <p>You should now be able to access CTFd at <a href="http://localhost:8000" rel="noopener noreferrer">http://localhost:8000</a></p> <p>This will spin up the CTFd with wsgi <code>WORKERS=1</code></p> <p>To have the better performance it is better to have more than one worker, to set up more than one worker you also need to include <code>SECRET_KEY</code> in the <code>docker-compose.yml</code></p> <p>So bring down your setup by <code>docker-compose down</code> and then change the <code>docker-compose.yml</code> file as below</p> <p>Your <code>docker-compose</code> file is going to look like this once you add that<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">ctfd</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">user</span><span class="pi">:</span> <span class="s">root</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SECRET_KEY=&lt;SECRET_HERE&gt;</span> <span class="pi">-</span> <span class="s">UPLOAD_FOLDER=/var/uploads</span> <span class="pi">-</span> <span class="s">DATABASE_URL=mysql+pymysql://ctfd:ctfd@db/ctfd</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://cache:6379</span> <span class="pi">-</span> <span class="s">WORKERS=3</span> <span class="pi">-</span> <span class="s">LOG_FOLDER=/var/log/CTFd</span> <span class="pi">-</span> <span class="s">ACCESS_LOG=/var/log/CTFd/access.log</span> <span class="pi">-</span> <span class="s">ERROR_LOG=/var/log/CTFd/error.log</span> <span class="pi">-</span> <span class="s">REVERSE_PROXY=true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.data/CTFd/logs:/var/log/CTFd</span> <span class="pi">-</span> <span class="s">.data/CTFd/uploads:/var/uploads</span> <span class="pi">-</span> <span class="s">.:/opt/CTFd:ro</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">internal</span><span class="pi">:</span> </code></pre> </div> <p>To enable HTTPS, you need to generate a certificate and then mount it as a volume on the <code>nginx</code> container</p> <p>We generated the certificate and the private key and stored it on the VM as <code>./conf/nginx/fullchain.pem</code> and <code>./conf/nginx/privkey.pem</code></p> <p>You can either use Certbot to generate a certificate or follow your organisation's guidelines to generate the certificate and private key.</p> <p>We referred <a href="https://dev.to/roeeyn/how-to-setup-your-ctfd-platform-with-https-and-ssl-3fda">to this article</a> to set up the certificates </p> <p>The <code>nginx</code> part of the <code>docker-compose.yml</code> now looks like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:stable</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./conf/nginx/http.conf:/etc/nginx/nginx.conf</span> <span class="pi">-</span> <span class="s">./conf/nginx/fullchain.pem:/certificates/fullchain.pem:ro</span> <span class="pi">-</span> <span class="s">./conf/nginx/privkey.pem:/certificates/privkey.pem:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">80:80</span> <span class="pi">-</span> <span class="s">443:443</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ctfd</span> </code></pre> </div> <h3> Script to load test your CTFd deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">def</span> <span class="nf">setup_logging</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Configure logging to track performance metrics</span><span class="sh">"""</span> <span class="n">logging</span><span class="p">.</span><span class="nf">basicConfig</span><span class="p">(</span> <span class="n">level</span><span class="o">=</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">%(asctime)s - %(message)s</span><span class="sh">'</span><span class="p">,</span> <span class="n">filename</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">load_test_</span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y%m%d_%H%M%S</span><span class="sh">"</span><span class="p">)</span><span class="si">}</span><span class="s">.log</span><span class="sh">'</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">single_request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">session</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Make a single request and measure response time</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">response</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">,</span> <span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">:</span> <span class="n">duration</span><span class="p">,</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Request failed: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">load_test</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">num_requests</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">max_workers</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Perform load testing on a website Parameters: url: The URL to test num_requests: Total number of requests to make max_workers: Maximum concurrent requests </span><span class="sh">"""</span> <span class="nf">setup_logging</span><span class="p">()</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="n">max_workers</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="k">with</span> <span class="n">requests</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">[</span> <span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">single_request</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="n">session</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">num_requests</span><span class="p">)</span> <span class="p">]</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="n">futures</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> <span class="k">if</span> <span class="n">result</span><span class="p">:</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Status: </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">, </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Duration: </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Analyze results </span> <span class="n">successful_requests</span> <span class="o">=</span> <span class="nf">len</span><span class="p">([</span><span class="n">r</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span> <span class="k">if</span> <span class="n">r</span><span class="p">[</span><span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="mi">200</span><span class="p">])</span> <span class="n">avg_duration</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">r</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">Load Test Results:</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Total Requests: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successful Requests: </span><span class="si">{</span><span class="n">successful_requests</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Average Response Time: </span><span class="si">{</span><span class="n">avg_duration</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span><span class="p">)</span> <span class="n">test_url</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://yourdomain/users</span><span class="sh">"</span> <span class="c1"># Use your test environment </span><span class="nf">load_test</span><span class="p">(</span> <span class="n">url</span><span class="o">=</span><span class="n">test_url</span><span class="p">,</span> <span class="n">num_requests</span><span class="o">=</span><span class="mi">3000</span><span class="p">,</span> <span class="n">max_workers</span><span class="o">=</span><span class="mi">30</span> <span class="p">)</span> </code></pre> </div> <p>A snippet of the VM utilisation during the load test</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudck7r567pl8mg2ao54s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudck7r567pl8mg2ao54s.png" alt="VM utilisation during load test" width="800" height="133"></a></p> <p>If this guide helped you, please consider giving it a like.</p> tutorial ctf devops