CTF Gameserver

FAUST's CTF Gameserver is a gameserver for attack-defense (IT security) CTFs. It is used for hosting FAUST CTF, but designed to be re-usable for other competitions. It is scalable to large online CTFs, battle-tested in many editions of FAUST CTF, and customizable for other competitions.

Components

The Gameserver consists of multiple components. They may be deployed independently of each other as their only means of communication is a shared database.

  • Web: A Django-based web application for team registration, scoreboards, and simple hosting of informational pages. It also contains the model files, which define the database structure.
  • Controller: Coordinates the progress of the competition, e.g. the current tick and flags to be placed.
  • Checker: Places and retrieves flags and tests the service status on all teams' Vulnboxes. The Checker Master launches Checker Scripts, which are individual to each service.
  • Checkerlib: Libraries to assist in developing Checker Scripts. Currently, Python and Go are supported.
  • Submission: Server to submit captured flags to.
  • VPN Status: Optional helper that collects statistics about network connectivity to teams.

Environment

CTF Gameserver does not include facilities for network infrastructure, VPN setup, and Vulnbox creation.

Requirements

  • Server(s) based on Debian or derivatives
  • PostgreSQL database
  • Web server and WSGI application server for the Web component

Network

The Gameserver expects a network, completely local or VPN-based, with the following properties:

  • Teams need to be able to reach each other.
  • Checkers have to reach the teams.
  • Teams should not be able to distinguish between Checker and team traffic, i.e. Checker traffic must at least pass through a masquerading NAT.
  • Teams have to reach the Submission server. The Submission server needs to see real source addresses (without NAT).
  • All Gameserver components need to reach the database. Teams should not be able to talk to the database.
  • Both IPv4 and IPv6 are supported. It must be possible to map the teams' network ranges to their team (net) number based on string patterns. For example, use an addressing scheme like 10.66.<team>.0/24.

One exception to the Gameserver staying out of VPN setup is displaying the latest handshake on the VPN Status History page, which is currently only implemented for WireGuard.
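
As an added example (not the project's own code), the following Python function maps a connecting address to its team (net) number purely by string patterns on the address, which is what the Submission server needs since it sees real source addresses. The 10.66.<team>.0/24 scheme is the one named above; the IPv6 scheme fd66:<team>::/48 is a constructed assumption, as are the sample submissions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed addressing scheme for this example (not the project's own
# configuration): team <team> owns 10.66.<team>.0/24 in IPv4 and
# fd66:<team>::/48 in IPv6, where the IPv6 group holds the team number in
# hexadecimal. Addresses are matched in their exploded textual form so
# that IPv6 zero-compression (fd66:7::1 vs fd66:0007:0000:...) cannot
# defeat the pattern.
TEAM_PATTERNS = [
    (re.compile(r"^10\.66\.(?P<team>\d{1,3})\.\d{1,3}$"), 10),
    (re.compile(r"^fd66:(?P<team>[0-9a-f]{4}):"), 16),
]


def team_from_address(addr: str) -> Optional[int]:
    """Return the team number owning `addr`, or None if the address is
    malformed or lies outside every team range (e.g. a Checker whose
    traffic was not masqueraded, or an arbitrary Internet host)."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # not a valid IPv4/IPv6 address at all
    text = ip.exploded  # "10.66.7.23" / "fd66:0007:0000:...:0001"
    for pattern, base in TEAM_PATTERNS:
        match = pattern.match(text)
        if match:
            return int(match.group("team"), base)
    return None


# Constructed sample of submission connections: (source address, flag).
SAMPLE_SUBMISSIONS: List[Tuple[str, str]] = [
    ("10.66.7.23", "FLAG{constructed-1}"),
    ("fd66:7::1", "FLAG{constructed-2}"),
    ("10.66.300.1", "FLAG{constructed-3}"),   # malformed address
    ("192.0.2.9", "FLAG{constructed-4}"),     # outside all team ranges
]


def attribute_submissions(conns: Iterable[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Group submitted flags by the submitting team; connections that
    cannot be attributed to a team are dropped, not guessed."""
    by_team: Dict[int, List[str]] = {}
    for addr, flag in conns:
        team = team_from_address(addr)
        if team is None:
            continue
        by_team.setdefault(team, []).append(flag)
    return by_team
```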

Further Reading

Some links that contain interesting information for hosting your own CTF:

  • A member of the team behind the Pls, I Want In CTF wrote about their infrastructure here. They used CTF Gameserver and a scalable, highly available setup hosted on AWS with Terraform.
  • The FAUST CTF infrastructure team gave a talk on preventing traffic fingerprinting with iptables and HAProxy at HAProxyConf 2022.