I recently revisited my old CTF-related scripts in connection with hosting a private intro-CTF by way of OWASP Juice Shop at work.
Having limited time and available resources at hand, I decided to just use Heroku for deployment. We wouldn't be limited by only using the free-tier, as our competition would only run for a couple of hours.
In order to make everything fully automatable, I forked CTFd in order to get it running on Heroku, and expanded upon my previous naive implementation to spin up client (Juice Shop) instances. I also hacked together a random name-generator for the instances.
The workflow is as follows:
- Generate a new (random) key for your CTF
  - Automated with `ctfctl config`
- Go to my CTFd-fork, and click the "Deploy to Heroku"-button
- Update variables in `ctfctl` to reflect URL of your CTFd-instance, and a prefix of your choice for URLs.
- Import the zip-file that was generated for you on your CTFd-instance
- Spin up Juice Shop instances on Heroku
  - Automated with `ctfctl start <number-of-instances>`
  - This will unfortunately take up to 10 min. per instance, as each instance also has to build on Heroku as of now...
  - (A file `teams.txt` will be created, containing a list of all instance names. Any given instance can be accessed at the URL `https://<PREFIX>-<INSTANCE>.herokuapp.com`)
- In order to not have the Heroku-apps die, ping your scoreboard and every JuiceShop instance every 15 mins.
  - Automated with `ctfctl keepup` (alternatively `ctfctl scoreboard` to just ping the scoreboard)
- Tell your contestants to go to the CTF Intro Startpage, which contains helpful hints for first-timers
  - Fork and tweak this for your event
- When it's all over, bring down all client instances
  - Automated with `ctfctl stop`
- Delete the CTFd instance manually on Heroku
It's still not ideal, so I'm hoping I have time to write a fully automated way to bring up a generalized CTF-setup using Kubernetes and Docker-images or somesuch next year.
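
The keep-alive step of the workflow, as an added sketch rather than the author's `ctfctl`: it builds each instance URL from `teams.txt` and the prefix, skips names that would not form a valid app name, and reports targets that stop answering. The `PREFIX` and `SCOREBOARD_URL` placeholders, the one-name-per-line file layout and the app-name rule are assumptions.

```shell
#!/bin/sh
# Added sketch of one keep-alive pass; not the author's ctfctl.
# Assumed: the values below and one instance name per line in teams.txt.
LC_ALL=C                                      # byte-wise a-z in patterns
PREFIX="${PREFIX:-myctf}"                     # placeholder URL prefix
SCOREBOARD_URL="${SCOREBOARD_URL:-https://scoreboard.example}"  # placeholder
TEAMS_FILE="${TEAMS_FILE:-teams.txt}"

# Print the URL for one instance. Names that break the assumed app-name rule
# (lowercase letters, digits, dashes; starts with a letter; 30 chars at most)
# are rejected so a stray line in teams.txt cannot change the host or path.
instance_url() {
  app="${PREFIX}-$1"
  case "$app" in [a-z]*) ;; *) return 1 ;; esac
  case "$app" in *[!a-z0-9-]* | *-) return 1 ;; esac
  [ "${#app}" -le 30 ] || return 1
  printf 'https://%s.herokuapp.com\n' "$app"
}

# Print the scoreboard URL, then one URL per valid line of teams.txt.
list_targets() {
  printf '%s\n' "$SCOREBOARD_URL"
  while IFS= read -r name || [ -n "$name" ]; do
    case "$name" in '') continue ;; esac
    instance_url "$name" || printf 'skipping invalid name: %s\n' "$name" >&2
  done < "$TEAMS_FILE"
}

# One request per target; an HTTP error status or a timeout counts as failure.
ping_url() {
  curl --silent --fail --max-time 30 --output /dev/null "$1"
}

# Ping every target once and return the number that did not answer.
keepup_once() {
  failed=0
  for url in $(list_targets); do
    if ! ping_url "$url"; then
      printf 'DOWN: %s\n' "$url" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# "loop" as the first argument repeats the pass every 15 minutes.
if [ "${1:-}" = "loop" ]; then
  while :; do keepup_once || true; sleep 900; done
fi
```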