Capture The Flag (CTF) competitions have become a popular and effective method for teaching cybersecurity concepts. These events provide participants with practical, hands-on experience by challenging them to solve puzzles or exploit vulnerabilities to capture digital “flags.” If you’re planning to host a CTF workshop, using a platform like CTFd to organize the event and a popular web application like Nginx as the target environment can be a powerful combination. This guide will walk you through building a CTF challenge for a workshop using the CTFd platform and Nginx, enabling participants to learn and practice exploiting vulnerabilities in a real-world setting.
Introduction to CTF Challenges and Platforms
Before diving into the details of building a CTF challenge, let’s establish a clear understanding of what CTFs are and why they are valuable. In a CTF competition, participants are tasked with solving problems or “challenges” that test their knowledge of cybersecurity concepts, such as reverse engineering, cryptography, web exploitation, and network security. These challenges are designed to simulate real-world scenarios and help participants develop skills that are directly applicable in the field.
The CTFd platform is an open-source Capture The Flag (CTF) framework that provides a flexible and easy-to-use environment for managing CTF competitions. With features like team management, automatic scoring, and customizable challenges, CTFd is an ideal platform for hosting CTF events of any size.
In this guide, Nginx, one of the most widely used web servers, will serve as the target platform for our CTF challenges. Nginx is particularly suitable for this purpose because it has a large user base and a variety of known vulnerabilities that can be exploited in a controlled environment.
Why Use CTFd for Hosting CTF Challenges?
CTFd is an open-source platform specifically designed for hosting Capture The Flag (CTF) competitions. It is widely adopted by educators, cybersecurity enthusiasts, and organizations to create and manage CTF events effectively. Here are several reasons why CTFd is an excellent choice for hosting CTF challenges:
- User-Friendly Interface: CTFd offers a clean, intuitive interface that is easy for both organizers and participants to navigate. The platform is designed to minimize the learning curve, allowing users to focus on solving challenges rather than dealing with a complicated setup.
- Customizable Challenges: With CTFd, you can create a wide variety of challenges, including multiple categories such as cryptography, web exploitation, forensics, and reverse engineering. It supports dynamic scoring, hints, flags, and attachments, which can be customized to suit the specific needs of your event.
- Automated Scoring and Leaderboard: CTFd automatically scores challenges and maintains a dynamic leaderboard that updates in real-time. This feature is crucial for fostering a competitive environment and keeping participants engaged throughout the event.
- Team Management: The platform provides robust team management capabilities, allowing participants to form and join teams, collaborate on solving challenges, and track their progress collectively. This feature is particularly useful for workshops, training sessions, or large-scale CTF events.
- Plugins and Extensibility: CTFd’s plugin architecture allows for easy customization and extension. You can add new functionalities, such as integrating external tools, enhancing security, or customizing the user interface to create a unique experience for participants.
- Open Source and Community Support: As an open-source platform, CTFd is free to use and benefits from a large community of developers and users who contribute to its improvement. You can find a wealth of resources, documentation, and community-driven plugins to help you get started and enhance your CTF event.
- Scalability: Whether you’re hosting a small, local workshop or a large, international CTF competition, CTFd is built to scale. It supports deployment on various environments, including cloud services like AWS and DigitalOcean, ensuring that it can handle any number of participants and challenges.
By using CTFd, organizers can create a professional and engaging CTF environment that is easy to manage and scale. The platform’s flexibility and feature set make it suitable for all types of CTF events, from beginner workshops to advanced cybersecurity competitions.
Why Use Nginx as a Target for CTF Challenges?
Nginx is an open-source web server that has gained immense popularity for its speed, stability, and performance. As one of the most widely used web servers globally, targeting Nginx in a CTF challenge offers several compelling advantages for learning and teaching web security:
- Real-world relevance: Nginx powers over 30% of websites on the internet, making it a critical target for cybersecurity professionals who want to understand how to secure and attack web infrastructure.
- Variety of vulnerabilities: Nginx has a diverse range of potential security issues, such as improper configurations, misconfigured directives, insecure module usage, and susceptibility to DoS (Denial of Service) attacks, making it suitable for a wide range of challenges.
- Open-source nature: Nginx’s open-source status allows for easy setup of local instances for testing and challenge development. It also allows organizers to explore its source code and create custom configurations that mimic real-world vulnerabilities.
- Flexibility for various difficulty levels: Challenges can range from basic misconfigurations, such as improperly handled redirects or access controls, to advanced exploits involving buffer overflows, directory traversal, or privilege escalation attacks.
By targeting Nginx, participants have the opportunity to learn about common web server vulnerabilities, configuration errors, and exploitation techniques. Meanwhile, organizers can create diverse challenges tailored to different skill levels, from beginners learning about web server security to advanced users tackling complex server-side exploits.
Setting Up the CTFd Platform for Your Workshop

To get started, you’ll need to set up the CTFd platform to manage your CTF challenges. Follow these steps:
Install CTFd on Your Server
- Choose a hosting environment: CTFd can be hosted on any server that supports Python or Docker, or on a cloud provider like AWS or DigitalOcean.
- Install CTFd using Docker: Docker makes it easy to deploy CTFd with minimal configuration. Run the following commands to set up CTFd:
git clone https://github.com/CTFd/CTFd.git
cd CTFd
docker-compose up -d
- Configure CTFd settings: Access CTFd through your browser (e.g., http://localhost:8000) and configure the necessary settings like team management, scoring, and challenge categories.
Create Challenge Categories
Organize your workshop challenges by categories, such as “Web Exploitation,” “Cryptography,” and “Reverse Engineering.” This structure helps participants easily navigate and select challenges based on their interests and skill levels.
We can create our first challenge by going to ctfd.local/admin/challenges.

Add a New Challenge for Web Exploitation
- Create a new challenge in the “Web Exploitation” category.
- Set the challenge details, including the title, description, and points.
- Provide instructions on what the participants need to accomplish, such as “Find the admin password using SQL injection” or “Exploit an XSS vulnerability to retrieve a hidden flag.”

Set Flags and Hints
- Define the flag format (e.g., CTF{flag}) that participants will need to find or extract from the target.
- Add hints to guide participants if they get stuck. These hints can be released over time or for a point deduction.

Test the Challenge
- Verify the challenge setup by attempting it yourself or with a test user account to ensure it behaves as expected.
- Make any necessary adjustments based on your findings.
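As an added example (not code from this post or from the CTFd project), the "Add a New Challenge", "Set Flags and Hints" and "Test the Challenge" steps above driven through CTFd's REST API: it validates the CTF{...} flag format before anything is submitted, posts the challenge, flag and hints to the /api/v1 endpoints with an access token (created under Settings > Access Tokens in CTFd), and checks a submission the way a test user would. The base URL, token, challenge text, flag value and the exact regex used for the flag format are assumptions.

```python
"""Provision a CTFd web-exploitation challenge over its REST API and verify it.
Added example, not CTFd's own code; paths are CTFd's /api/v1 routes, the token is a CTFd access token."""
import json
import re
import urllib.request

FLAG_RE = re.compile(r"^CTF\{[^{}\s]+\}$")  # assumed strict form of the CTF{...} format used on this page

def flag_is_valid(flag: str) -> bool:
    """Reject flags that do not match the announced CTF{...} format before they reach CTFd."""
    return bool(FLAG_RE.match(flag))

def challenge_payload(name, description, value, category="Web Exploitation"):
    """Body for POST /api/v1/challenges: a standard, visible challenge worth `value` points."""
    return {"name": name, "category": category, "description": description,
            "value": value, "type": "standard", "state": "visible"}

def flag_payload(challenge_id, flag):
    """Body for POST /api/v1/flags; static flags are compared verbatim by CTFd."""
    if not flag_is_valid(flag):
        raise ValueError(f"flag {flag!r} does not match the CTF{{...}} format")
    return {"challenge_id": challenge_id, "content": flag, "type": "static"}

def hint_payload(challenge_id, text, cost):
    """Body for POST /api/v1/hints; `cost` is the point deduction for unlocking the hint."""
    return {"challenge_id": challenge_id, "content": text, "cost": cost}

class CTFdClient:
    def __init__(self, base_url, token, send=None):
        self.base_url, self.token = base_url.rstrip("/"), token
        self.send = send or self._http_post  # injectable transport so the logic can be exercised offline

    def _http_post(self, path, body):
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": f"Token {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def provision(self, name, description, value, flag, hints=()):
        """Create the challenge, attach its flag and hints, and return the new challenge id."""
        cid = self.send("/api/v1/challenges", challenge_payload(name, description, value))["data"]["id"]
        self.send("/api/v1/flags", flag_payload(cid, flag))
        for text, cost in hints:
            self.send("/api/v1/hints", hint_payload(cid, text, cost))
        return cid

    def attempt(self, challenge_id, submission):
        """Submit a flag as the calling user; CTFd reports the status as 'correct' or 'incorrect'."""
        body = {"challenge_id": challenge_id, "submission": submission}
        return self.send("/api/v1/challenges/attempt", body)["data"]["status"]
```

Use an admin token for provision() and the test user's token for attempt(), which mirrors the "attempt it yourself or with a test user account" step.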
Deploying and Configuring Docker Containers on CTFd Cloud for the CTF Challenge
Once CTFd is set up, it’s time to deploy the containers on CTFd Cloud that will host the targets participants work against. These containers serve as the playground where vulnerabilities are intentionally introduced.
Set Up A Nginx Instance
For this tutorial, we will be setting up a modified Nginx container image for the sake of simplicity.
- Pull Nginx Docker Image: Pull the official Nginx Docker image from Docker Hub.
- Configure Nginx Image: Make the necessary changes to the Nginx container, such as modifying index.html according to your needs, and build the modified image from the container.
- Push New Image: Push the newly generated Docker image using the following steps.
Go to Containers on CTFd Cloud and create a new image:
Follow the instructions shown after the container image is created to push the image to the ctfd.io registry:
docker login -u "user@instance-id.ctfd.io" registry.ctfd.io (replace them with the CTFd generated ones)
docker tag <image> registry.ctfd.io/instance-id/image-name
docker push registry.ctfd.io/instance-id/image-name
P.S. – Use your CTFd password when prompted during the login to the CTFd Docker registry. Your image must EXPOSE a port.

Next, we need to create a service so that the Nginx instance becomes publicly accessible. Follow these steps:
After the Docker image is deployed, the URL for accessing it appears on the service page:
Hosting and Managing the CTF Workshop
Hosting and managing a successful CTF workshop requires careful planning and execution. Here are some essential steps to follow:
1. Set Clear Rules and Guidelines:
- Communicate the rules and guidelines to all participants. Make sure everyone understands what is allowed and what isn’t, including the scope of allowed activities on the Nginx instance.
2. Monitor Progress and Provide Support:
- Keep track of participants’ progress through the CTFd platform’s dashboard. Be ready to provide hints or clarifications if necessary, and address any issues participants encounter.
3. Encourage Collaboration and Learning:
- Foster a collaborative environment by encouraging participants to share knowledge and work in teams. While CTFs are competitive, they are also meant to be a learning experience.
Wrapping Up the Workshop and Analyzing Results
Once your CTF workshop is complete, it’s crucial to debrief with participants and analyze the results.
1. Conduct a Debrief Session:
- Discuss the challenges, solutions, and key takeaways from the workshop. Allow participants to share their experiences, what they learned, and any challenges they faced.
2. Review Participant Feedback:
- Gather feedback from participants to understand what worked well and what could be improved for future events. This feedback will help you refine your CTF challenges and improve the overall workshop experience.
3. Share Write-Ups and Resources:
- Provide participants with detailed write-ups or walkthroughs of the challenges. This helps reinforce the learning experience and provides valuable resources for future practice.
Conclusion
Building a CTF challenge for a workshop using the CTFd platform and Nginx as a target offers a dynamic and engaging way to teach cybersecurity skills. By carefully designing challenges that exploit common vulnerabilities in Nginx, you provide participants with real-world experience that can help them better understand the complexities of web application security. With the right preparation, setup, and management, your CTF workshop can be a memorable and impactful learning experience for all involved.
FAQs
How do I choose the right vulnerabilities for a CTF challenge?
To select appropriate vulnerabilities, consider the skill level of your participants. Start with common web vulnerabilities like SQL injection, XSS, and RCE, and choose plugins or themes with known issues to provide a range of difficulty levels.
What tools should participants use to exploit Web vulnerabilities?
Participants can use tools like Burp Suite, OWASP ZAP, and many others to identify and exploit vulnerabilities in web applications. It’s essential to provide guidance on using these tools effectively.
Can I use a different platform instead of CTFd for my CTF challenges?
Yes, you can use any CTF hosting platform. CTFd is used in this post because of its ease of use and open-source nature.
How do I ensure the security of my server during the CTF workshop?
Isolate your CTF environment using Docker containers, virtual machines, or network segmentation. Monitor participant activity to prevent unintended behavior and ensure that your server is properly secured and patched.
Can beginners participate in a CTF workshop?
Absolutely! By offering a range of challenges from beginner to advanced, you can create an inclusive environment that caters to participants of all skill levels.
How do I keep the workshop engaging for experienced participants?
Provide advanced challenges that require deeper knowledge of web application security, such as custom plugin exploitation, remote code execution, or privilege escalation attacks.