The picoCTF platform is the infrastructure which is used to run picoCTF.
The platform is designed to be easily adapted to other CTF or programming competitions. Additional documentation can be found on the wiki.
The following steps will use Vagrant to get you quickly up and running with the picoCTF platform by deploying the code base to two local virtual machines.
git clone -c core.autocrlf=false https://github.com/picoCTF/picoCTF.git
(see this link for an explanation of this command line)cd picoCTF
vagrant up
- Navigate to http://192.168.2.2/
- Register an account (this user will be the site administrator)
If you want to change CTF Placeholder, edit picoCTF-web/web/_includes/header.html
If you want to change the IP address and VM names (e.g. to have duplicates running on the same host VM), change the following lines:
ansible/inventories/devploy:dev_web ansible_host=192.168.2.4 hostname=pico-local-dev-web-db
ansible/inventories/devploy:dev_shell ansible_host=192.168.2.5 hostname=pico-local-dev-shell
ansible/inventories/devploy:dev_web ansible_host=192.168.2.4 hostname=pico-local-dev-web-db
ansible/group_vars/local_development/vars.yml:web_address: "http://192.168.2.4"
ansible/group_vars/local_development/vars.yml:shell_hostname: "192.168.2.5"
Vagrantfile: config.vm.define "shell2", primary: true do |shell|
Vagrantfile: config.vm.define "web2", primary: true do |web|
Vagrantfile: vb.name = "picoCTF-shell-dev2"
Vagrantfile: vb.name = "picoCTF-web-dev2"
Vagrantfile: also update IP addresses to match
If you want to add more memory or CPUs, you can do (directly underneath vb.name):
Vagrantfile: vb.customize ["modifyvm", :id, "--memory", "4096"]
Vagrantfile: vb.customize ["modifyvm", :id, "--cpus", "4"]
This project is broken down into a few discrete components that compose to build a robust and full featured CTF platform. Specifically the project is consists of the following:
- picoCTF-web. This is the website and all APIs.
- picoCTF-shell. This is where users go to solve challenges.
- problems. This is the CTF problems source code.
- ansible. This is used for configuring machines.
- terraform. This is used for deployment.
- vagrant examples. This hosts various vagrant VM examples.
Once you bring everything up, the main flow between components is:
Here is a walkthrough:
- The user connects to the "Web Server". This is an nginx server.
- The nginx server serves up content in picoCTF-web/web.
- The nginx server only serves up static HTML files.
- Most HTML files contain javascript, which is rendered browser-side for speed.
- The browser rendering in turn makes requests to a REST-ful like API
/api/
to nginx. Requests to/api
are forwarded to an API server (running on the same host for development). - There is a special interface called
/admin
, which is used by the admin to connect to new shell servers.
- The users
/api
request is forwarded to the API server.- The API server is a python flask server with code under picoCTF-web/api
- There is an API for adding users, checking passwords, etc.
- There is an API for serving up challenges, checking flags, etc.
- The API keeps track of user score and membership to teams.
- A user can
ssh
to the shell server.- The shell server is loaded with problems, with examples in problems.
- The web server connects to the shell server and retrieves a JSON file containing problem instance location, point value, etc.
- The web server authenticates users using password data stored and via the API.
Some important terminology:
- A problem is a logical CTF problem. (Sometimes called a challenge)
- Solving a problem gives a user points.
- A problem can be locked or unlocked for a user.
- Super important: problems do not have flags. They are purely logical.
- A problem instance, or instance for short, is a generated version of a
challenge to be solved by a user.
- A single problem can have instances
inst_1
,inst_2
, ...,inst_n
. Each instance has its own flagflag_1
,flag_2
, ...,flag_n
- Users are assigned specific problem instances, and they are expected to
submit only their flag. For example, if user Foo has instance
inst_1
, onlyflag_1
is a valid flag (aa separate instance flagflag_2
is not valid) - Instances were invented to help combat flag sharing. If player Foo has been
assigned
inst_1
but submitsflag_2
, then whomever hasinst_2
shared their flag. There may be legitimate reasons for flag sharing, but in many competitions it is indicative of cheating. - Instances are generated from template. Think of it like templating in a
web framework. For example, a buffer overflow problem may template the
specific buffer size so a solution for
inst_i
will not work forinst_j
.
- A single problem can have instances
The competitor facing web site, the API for running a CTF, and the management functionality for CTF organizers. The development Vagrantfile) deploys picoCTF-web to a virtual machine (web) at http://192.168.2.2/. If you want to modify the look and feel of the website, this is the place to start.
The tools to create, package, and deploy challenges for use with the picoCTF platform. This supports the deployment of auto-generated challenge instances and provides competitors shell access to aid in challenge solving. The development Vagrantfile deploys the shell-server as a second virtual machine (shell) at http://192.168.2.3/. If you want to modify challenge deployment primitives, this is the place to start.
Example challenges that are compatible with the picoCTF platform. These challenges can be easily shared, deployed, or adapted for use in a CTF. The development Vagrantfile installs these examples to the shell server and loads them into the web interface. If you want to see how to create challenges or leverage the hacksport library, this is the place to start.
The tool we use to install, configure, deploy, and administer the picoCTF platform is Ansible. This allows us to create flexible, parameterized, automated playbooks and roles that apply across development, staging, and production environments. If you want to modify way the platform is configured, this is the place to start.
The tool we use to codify our infrastructure as code is Terraform. This allows a simple process for creating, destroying, and managing a public deployment of the platform. If you want to run a live competition on AWS, this is the place to start.
If you are looking to run your own CTF competition, you should:
- Make sure you understand how to deploy the infrastructure via terraform and ansible.
- You can reskin the look and feel of the site by editing the picoCTF-web/web javascript and HTML code.
- You should start writing your own problems, loading them into the shell
server, and syncing the web server problem set with the shell server via the
/admin
URL endpoint.
Do not underestimate the importance of spending significant time in problem development. Our internal system is:
- We form a working group for the contest.
- We often vet problem ideas with the group before implementation.
- Implement and deploy. Hardcode nothing (or as little as possible).
- THE KEY STEP: Play test! Often the initial problem will have an intellectual leap built-in that's obvious to the creator but to no one else. Play testing makes sure the problem is coherent, self-contained, and fun.
ForAllSecure offers professionally-run original hacking contests as a service.
The picoCTF platform is always under development.
- See CONTRIBUTING.md for setting up a git workflow and some standards.
- We are especially interested any improvements on continuous integration and automated testing.
If you are interested in research in CTFs (e.g., improving skill acquisition, decreasing time to mastery, etc.), please feel free to email David Brumley.
NOTE: We have not maintained backward compatibilties with picoCTF-Platform-2. Please read the documentation on the wiki for forks of picoCTF-Platform-2.
picoCTF was started by David Brumley with his CMU professor hat in 2013. The intention has always been to give back to the CTF community.
The original heavy lifting was done by his graduate students, and special thanks is due to Peter Chapman (picoctf 2013 technical lead) and Jonathan Burket (picoctf 2014 technical lead) for their immense efforts not only developing code, but for organizing art work, problem development, and so on.
In 2015-2016 significant effort was done by ForAllSecure at the companies expense. This includes adding concepts like the shell server, and rewriting significant portions of the web server.
Both CMU and ForAllSecure have agreed to release all code under the MIT LICENSE . We do encourage attribution as that helps us secure funding and interest to run picoctf year after year, but it is not necessary. Also, if you do end up running a contest, do feel free to drop David Brumley a line.
- Bug Reports: GitHub Issues
- Contributors (in no particular order): David Brumley, Tim Becker, Chris Ganas, Roy Ragsdale, Peter Chapman, Jonathan Burket, Collin Petty, Tyler Nighswander, Garrett Barboza