Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

RootTheBox CTF Framework

Rawsec's CyberSecurity Inventory

Build Status Language grade: Python Code style: black

A fast, efficient and lightweight (~100 KB) Capture The Flag framework (in Flask) inspired by the HackTheBox platform.

The 100 second elevator-pitch is that: A Capture The Flag framework; one that is fast yet feature packed, efficient thus scalable, lightweight (insert some more pro developer adjectives) and customizable to your organization's brand while not emptying your bank A/C.

Want to see it in action?

A live demo of the app is available at:

You can login and mess around as the admin user admin:admin (i.e. username:password combinations) or register your own.


  • Machines listing with fields: name, IP, OS, points and difficulty level.
  • Challenges listing with fields: title, description, URL, points.
  • Totally configurable settings such as running time, organization details, CTF name, etc.
  • Automatic strong password for administrator
  • Well implemented controls for administrators providing features such as issuing notifications, database CRUD operations, full fledged logging,
  • Simple User Registration/login process, account management, Forgot password functionalities,
  • Flag submission (currently 2 flags: user and root),
  • Real time scoreboard tracking,
  • Efficient caching so it's fast
  • Easily deployable on Heroku.
  • You can manage the database CRUD operations from admin views GUI; change machine settings, issue notifications to users, etc.

Build locally

Please see

Host a customized version of RTB-CTF-Framework on the cloud in under a minute


Heroku (free tier)

  1. Sign up on Heroku, if you haven't already and click on the below "Deploy to Heroku" button.


  2. Give your application an awesome name and optionally specify mail environment variables.

    Note: A psuedo-random password for the admin user would be created and set in the config variable ADMIN_PASS. On Heroku, you can reveal this password from your application's dashboard settings. Same for the Flask application's SECRET_KEY.

  3. Open your newly deployed application in the browser, you'll be redirected to login as the admin user and do so.

  4. Finally, you'll want to /setup the CTF Settings and,

Yay! Now you have a customized instance of the RTB-CTF-Framework live on Heroku. 🎉


The main purpose of this project is to serve as a scoring engine and CTF manager. One that is packed with features, can handle enterprise/global level traffic on a scalable yet free heroku's dyno.

CTFd is one of the most popular CTF framework and we have used it for multiple engagements and will surely use it again. But at the same time, CTFd is heavy (~22.2 mb) (it gives poor performance even on a $49/mo heroku dyno) and not everyone has $$$ to spend on cloud, especially students (like us). So, that's where RTB-CTF-Framework (~100 KB) comes in.


GitHub contributors

Join us on slack

Please refer to


This project is available under a dual license: a commercial one suitable for closed source projects and a A-GPL license that can be used in open source software.

Depending on your needs, you must choose one of them and follow its policies. A detail of the policies and agreements for each license type are available in the LICENSE.COMMERCIAL and LICENSE.AGPL files.