Top 6 Platforms to Run your CTF On
Introduction
Hosting or running a cybersecurity capture the flag (CTF) game can be a nightmare if you don’t have the right plan. In this article, we will talk about one of the most important decisions you must make during your planning phase: which platform should you use to host your CTF?
Before getting into details, for those who don’t know, capture the flag (CTF) competitions have been used by the security community for many years; the first one appeared as a contest at DEF CON 4 in 1996. DEF CON is the largest cybersecurity conference in the United States and officially started in 1993. The contest and its challenges have evolved considerably since then. Many companies have used CTFs as a very effective way to discover young talent for hiring and to enhance the skills of their internal teams.
What are Capture The Flag Competitions?
Capture The Flag competitions (CTFs) are a kind of information security competition in which teams are given a variety of problems (known as challenges). Each challenge contains some form of security vulnerability or security-related task that must be exploited or completed. On completion, the challenge yields a higher level of access or reveals an answer. This answer, the “flag”, is then submitted to a scoring system that tracks each team’s progress.
Such competitions simulate real-world scenarios for penetration testers, hackers, bug hunters, forensic examiners, security analysts, and others. They run in isolated environments containing vulnerable applications, services, or networks built by skilled developers, who hide the secret “flag”; the participants are responsible for analyzing the logic behind each challenge and exploiting it.
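To make the flag-and-scoring mechanism concrete, here is an added example (not code from the article or from any of the platforms reviewed below) of a minimal Jeopardy-style scoring engine. The flag values, team and challenge names are constructed; the design points a platform operator cares about are that flags are stored only as salted hashes, comparison is constant-time, each team scores a challenge once, and guesses are rate-limited per team.

```python
import hashlib
import hmac
import secrets
import time


class Scoreboard:
    """Minimal Jeopardy-style scoring engine (hypothetical example).

    Flags are kept as salted SHA-256 digests so a leaked scoreboard database
    does not reveal them, the digest comparison is constant-time, a team is
    credited for a challenge at most once, and submissions are rate-limited
    per (team, challenge) to blunt flag guessing.
    """

    def __init__(self, max_attempts=5, window=60.0):
        self.challenges = {}      # name -> (salt, digest, points)
        self.solves = {}          # team -> set of solved challenge names
        self.attempts = {}        # (team, name) -> recent submission times
        self.max_attempts = max_attempts
        self.window = window      # seconds

    @staticmethod
    def _digest(salt, flag):
        return hashlib.sha256(salt + flag.strip().encode()).hexdigest()

    def add_challenge(self, name, flag, points):
        salt = secrets.token_bytes(16)
        self.challenges[name] = (salt, self._digest(salt, flag), points)

    def submit(self, team, name, flag, now=None):
        """Return one of: unknown, already_solved, rate_limited, wrong, correct."""
        now = time.time() if now is None else now
        if name not in self.challenges:
            return "unknown"
        if name in self.solves.setdefault(team, set()):
            return "already_solved"
        key = (team, name)
        recent = [t for t in self.attempts.get(key, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            return "rate_limited"
        recent.append(now)
        self.attempts[key] = recent
        salt, digest, _ = self.challenges[name]
        if hmac.compare_digest(self._digest(salt, flag), digest):
            self.solves[team].add(name)
            return "correct"
        return "wrong"

    def score(self, team):
        return sum(self.challenges[n][2] for n in self.solves.get(team, ()))
```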
Why Capture The Flag?
1- Value to Education and Recruitment
As mentioned, CTFs allow competitors to gauge their abilities against others. Players are rarely forced to join a CTF, but gamified aspects, like the competition scoreboard, keep them engaged and help them learn more than traditional education that relies on teachers and textbooks. Because of these properties, a company looking to recruit security engineers can use a CTF to filter resumes or candidates. Where a resume gives only a high-level view of a candidate’s history, their ability to complete security challenges in a CTF gives the recruiting company a baseline skill assessment automatically.
2- Physical vs Virtual Competitions
Hosting an online CTF event and making it publicly accessible is much easier to manage and requires less administration effort, although a remote competition misses the thrill of collaboration between players. Some CTF challenge types are available only at onsite events, like lock picking, hardware reverse engineering, or interacting physically with equipment. To see the CTF competitions scheduled for the coming months, have a look at the CTFtime website, which serves as a calendar of CTFs you can participate in if the rules allow.
Now that we know why CTFs matter, what are the top 6 platforms you can host your CTF on, and what are the pros and cons of each, so that you can decide which is best for your contest?
Platform #1 - Hack The Box
Hack The Box is an online playground for learning and improving pen-testing skills, intended for anyone from system administrators to software developers to anyone interested in security. It is famous for a type of challenge called machines, which you access over a VPN for practice.
Pros and Cons of Hack the Box
‣ Pros
⚫ Hack the Box has a huge community to help with developing the challenges and knowledge sharing.
⚫ Hack the Box competitions are hosted on their cloud, available 24/7.
⚫ Awesome dashboard.
⚫ Variety of challenge types, including web, forensics, coding, stego, machines, AD labs, and others.
‣ Cons
⚫ Not friendly for beginners or players without prior infosec experience. However, the community has started to add content about the different types of challenges.
⚫ Hack the Box is hosted on company servers and can’t be hosted on your own infrastructure in case you want to do any customization.
Platform #2 - CTFd
CTFd is a Capture The Flag framework and generic open-source platform for individual and team management suitable for students and professionals to practice simulated infosec challenges.
Pros and Cons of CTFd
‣ Pros
⚫ Open source: it can be downloaded from the official GitHub repository, and a managed hosting service is also available at https://ctfd.io
⚫ Easy, customizable administration panel.
‣ Cons
⚫ Supports only Jeopardy-style competitions.
⚫ Not suitable for large-scale competition.
⚫ Requires knowledge of web hosting implementation.
⚫ Challenges are not provided; you have to develop your own challenges.
Platform #3 - CyberTalents
CyberTalents is a platform that hosts CTF competitions and has run more than 100 of them. It offers challenge levels that suit every audience, from very easy and basic challenges to advanced and complex ones.
Pros and Cons of CyberTalents
‣ Pros
⚫ The platform design looks very clean.
⚫ It’s hosted on the cloud, which allows you to run your CTF in a few minutes.
⚫ CyberTalents has a large cybersecurity community that can participate in your CTF if it is open to the public.
⚫ CyberTalents also mentions that they can provide CTF training to your audience if needed.
⚫ The platform can provide you with challenges as they claim to host hundreds of challenges in their library.
⚫ Full support during the competition.
‣ Cons
⚫ CyberTalents is not an open-source platform you can download to host on your own server. You need to use their infrastructure.
⚫ CyberTalents can host only Jeopardy-style CTFs, not attack and defense.
Platform #4 - Facebook CTF
Facebook released its Capture the Flag (CTF) platform as open source on GitHub in May 2016, announced in the note below. The note mentions that the platform can host two styles of CTF, Jeopardy-style and king of the hill. The Facebook CTF platform has a very nice interface with a map of the world showing the points you need to hack.
Pros and Cons of FacebookCTF
‣ Pros
⚫ Facebook CTF is an open-source platform you can download and host on your own server; in addition, you can customize it and enable or disable features as needed.
⚫ The best design and GUI of all the platforms with its world map and conquer the world view.
‣ Cons
⚫ No support during the competition, similar to all open source solutions.
⚫ Hard to install and configure. CTFd might be easier in the open-source case.
⚫ Handling the hosting of the platform yourself can be challenging, especially if it is your first time running a CTF. Players may start attacking your server, and that can ruin the whole contest.
Platform #5 - Root the Box
Root the Box is a real-time capture the flag (CTF) scoring engine for computer wargames where hackers can practice and learn. The application can be easily configured and modified for any CTF-style game. The platform lets you engage novice and experienced players alike by combining a fun, game-like environment with realistic challenges that convey knowledge applicable to the real world, such as penetration testing, incident response, digital forensics, and threat hunting.
Pros and Cons of Root the Box
‣ Pros
⚫ Very clean, real-time animated scoreboard and graphs.
⚫ Support for many types of flags, like text, multiple choice, and file upload.
⚫ Compatible with other CTF platforms like OWASP Juice Shop CTF and CTFtime.
⚫ Options for Penalties and Hints are available for the player.
⚫ The player has the option to use a banking system, where (in-game) money can be used to unlock new levels, buy hints to flags, and download a target’s source code.
‣ Cons
⚫ No support during the competition.
⚫ The platform requires Python development skills for customization. It is built on the Tornado Python web framework, which is not as easy to work with as Django and has limited documentation compared to the Flask framework used by CTFd.
Platform #6 - Cyberskyline
Cyberskyline is a cloud platform for assessing cybersecurity professionals across job domains such as incident response, security and network engineering, SOC analysis, software engineering, penetration testing, and more. It is used by many enterprises, including MITRE and Coursera, for technical and security assessments. The platform suits large-scale competitions, running events for thousands of participants in individual and team modes at any level of knowledge, from school and college students to cyber professionals.
Pros and Cons of Cyberskyline
‣ Pros
⚫ Provides recruiters with meaningful insight into a candidate’s technical performance, to make sure the candidate has the specific skills the job requires.
⚫ The web interface is clean and simple and lets candidates use cloud built-in tools without installing any toolkit or virtual machine, which is otherwise very challenging and time-consuming for some assessments.
‣ Cons
⚫ Only available to enterprise companies; you can book a demo through their official site.
⚫ I didn’t try it but I assume it won’t be free like the other platforms.
Conclusion
In summary, if this is your first time running or hosting a CTF event, I would recommend either CyberTalents or Hack The Box, because both provide real-time support during the competition and, in some cases, the challenges themselves; CyberTalents can also provide training if your attendees are beginners. However, if you want to customize your platform and run a series of CTFs, I suggest one of the open-source options, like CTFd or Facebook CTF, which let you add or remove features, host the event on your own domain, and keep the history on your own servers.
The matrix below summarizes the features offered by the six platforms covered in this article. Identify what you require first, depending on your model, and then select the platform that meets those expectations.
Features Matrix