-
Notifications
You must be signed in to change notification settings - Fork 1.3k
FAQ
CTF, which stands for “Capture the Flag,” is a computer-based competition used to teach information security skills through hands-on experience. Players earn points and gain control of the game map by completing tasks with their team that identify potential threats, and secure computers and networks against virtual attacks. Because learning attack techniques is often the best way to learn how to protect against them, CTFs teach both defense and offense skills. Points are awarded to teams on the basis of speed and accuracy. At the end of the allotted time, the team with the most points is declared the winner.
The current demand for information security talent far outweighs the supply of qualified candidates. The U.S. Bureau of Labor Statistics predicts more than two thirds of the 1.4 million security jobs needed by 2020 will go unfilled due to the insufficient pool of college graduates with the necessary experience and skill. Much of this is due to the lack of exposure students receive to computer science and security principles until they reach college.
CTFs are a proven resource for teaching and demonstrating practical application of security concepts students learn in the classroom. Across the world, many students already participate in similar competitions, but the barrier of entry remains far too high for most educational organizations to run their own programs. By providing an Open Source resource for all to leverage, Facebook is making it easier for these organizations to teach security skills to students in a safe, legal, and meaningful way.
The platform was built with education and competition organizers in mind. Dozens of high school and college-level student clubs, national competition organizations, educational institutions, and industry groups have already run successful competitions using the Facebook CTF platform. We’ve also seen huge success in corporate environments, using FBCTF for training and skill benchmarking across companies of all sizes.
Facebook CTF is provided with a Attribution-Non Commercial Creative Commons (CC BY-NC 4.0) License. You can learn more about the Creative Commons license here.
- Organize a competition. This can be with as few as two participants and up to several thousand. Players can participate in-person, online, or a combination of the two.
- Follow the setup instructions in GitHub repo to spin up the platform infrastructure.
- Enter challenges into Admin Panel. For a step-by-step guide, please see the demo_levels file in the repo.
- Register participants in teams
- Hack away!
Anyone can contribute towards the FBCTF platform. Using GitHub, you can generate your own branch of the project, and make code changes. A Pull Request to the main project can be made, and if approved will be merged into FBCTF itself.
The FBCTF team is always open to comments, suggestions, and improvements on the platform!
Please see the CONTRIBUTING guide for more details.
The difficulty of any the game depends entirely on the challenges chosen by the organizer. The user experiences was designed to be easy enough for anyone to use. Facebook has hosted CTFs across all age and skill levels from middle school to advanced security engineers.
You can build your own challenges or use various public challenges found online. For tips and tricks in crafting your own challenges, check out PPP’s awesome documentation here. You will also find some example levels within the FBCTF project, here.
Additionally, the FBCTF team is working on creating a private repository of custom challenges, focused on collegiate and advanced-level competitions. You can request access to these challenges by contacting ctf@fb.com with your GitHub username and background on your event. We’ll add you to the private repo once it’s completed.
In the meantime, feel free to use the collegiate - focused challenges found here, or the more intermediate challenges here. Sample trivia/ quiz questions can be found here.
The most extensive repository of challenges, however, is available at captf. We’ve used them all to great success in the past.
Start with the Quick Setup Guide. You can also learn more about administration of FBCTF within the Admin Guide.
Start by looking through the provided documentation:
Remember that if you are having an issue, chances are high that somebody else has experienced it in the past. Search through the GitHub FBCTF Issues section.
Examine your installation and operational logs. At times these logs will provide a clear answer to your issue. Look through the following logs, and note any anomalies:
/var/log/hhvm/error.log/var/log/nginx/error.log- Output of
provision.shscript
If you still cannot find any information to resolve your issue, please post under the GitHub FBCTF Issues section. When posting your issue, ensure you include as much information as possible. This will assist developers with tracking down and resolving your issue. Include the following information in your post:
- Informative and Concise Subject for your Issue
- Current version of FBCTF installed (commit head)
- System and Installation details, such as the Linux distribution used, and installation method you chose.
- Detailed description of the problem. Include steps to reproduce the problem when possible.
- Screenshots to help describe the problem when appropriate.
- Relevant output from any logs examined above.
- All steps you have taken to resolve the issue.
When discovering a bug in the platform, first search the GitHub FBCTF Issues section. You may find that somebody else has already reported the issue, or that it’s a misconfiguration. Update the existing issue as appropriate.
If nobody else has reported the issue, file a new issue on the GitHub FBCTF Issues section. Ensure you provide all relevant details, as shown above. If you already have a workaround, provide that information in your issue request.
If you have found a solution or are providing a bug fix for the issue at hand, please file a Pull Request on GitHub with the corrections. The FBCTF team always appreciates external ideas and assistance!
Facebook also has bug bounty program that includes FBCTF. If you find a security vulnerability in the platform, please submit it via the process outlined on that page and do not file a public issue.
FBCTF supports a wide range of languages, and can be changed by selecting the appropriate language at the bottom of the admin configuration page. More languages are constantly being added to the platform.
You can find a FBCTF created template of general rules for an event here. This should be modified depending on the structure and style of your event.
The difficulty of any the game depends entirely on the challenges chosen by the organizer. The user experience itself was designed to be easy enough for anyone to use. Facebook has hosted CTFs across all age and skill levels from middle school to advanced security engineers.
To see examples of challenges you can use in the platform and their difficulty level, see the Where can I find challenges for the FBCTF platform section above.
- Level Titles are restricted to 255 characters. Display wise they will line wrap if the content has sufficient spaces.
- Level Descriptions are restricted to 65,535 characters. Display wise there should be no issues as they are inside of a scrolling box.
- Level Answers are restricted to 65.535 characters.
No, not without modification. The platform was designed only to run over HTTPS/SSL. You must use either a self-signed certificate, your own certificate, or a certificate generated from Let’s Encrypt.
The FBCTF platform can be run on various cloud providers, including any Infrastructure as a Service (IaaS) platform. FBCTF can be run on any hypervisor or container that supports installation of Ubuntu 16.04 (Xenial). Additionally, FBCTF has been built using Vagrant and Docker, with the required configurations provided within the repository.
Running FBCTF on a cloud platform provides many benefits for public competition, or event across multiple sites. It is recommended that you utilize a production installation when using a cloud platform for an event.
It is extremely important to note that there are many variables when considering how many users the platform can support. General guidelines are shown in other sections, but depend on factors such as:
- Hardware (CPU, Memory, Network Throughput)
- Number of Levels (Flags, Quizzes, and Bases)
- Number of Captures by Players
- Length of Event (Shorter events are far more intensive on the platform)
- Registrations Enabled During Event (This causes frequent Memcached flushes)
- Scoreboard Refresh Rate (Default: 5 Seconds)
The FBCTF platform can handle thousands of users when properly configured and load balanced in a multi-server setup. Like any large deployment, you should ensure the platform is well tuned and tested before the event.
See the Troubleshooting and Performance Guide for more details on tuning performance.
Yes. How large depends on a number of factors as shown in the above section, How many users can the FBCTF instance support?
Utilizing a Large EC2 Instance, events of up to 70 teams have successfully been run.
Utilizing a Multi-Server FBCTF deployment with load balancing, events of up to 950 teams have successfully been run.
See the Troubleshooting and Performance Guide for more details on tuning performance.
This depends heavily on the number of participants utilizing the platform during your event. FBCTF is optimized and utilizes caching to minimize the resources required. For example a 70 team event has been successfully ran using a Large EC2 instance.
For larger events over ~200 users, you should utilize a multi-server setup with FBCTF. Otherwise you will likely run into network stack limits, regardless of the instance size.
See the Troubleshooting and Performance Guide for more details on tuning performance.
Large events of over ~200 users will likely required a multi-server setup for FBCTF. On a standalone server, regardless of size, you will eventually run into network stack limitations.
Note that multi-event setups can be even more effective when utilizing load balancing with HHVM servers. Extremely large events (over ~500 users) may also require load balancing of NGINX and Memcached servers. Keep in mind that the multi-server setup, and the load balancing of various servers, causes additional network overhead, and should only be utilized for large events.
See the Troubleshooting and Performance Guide for more details on tuning performance.
Development mode is designed for development of the platform, and generates a self-signed SSL certificate. It is highly recommended if you use this mode, to utilize Vagrant and VirtualBox as the provider. This ensures environmental stability and compatibility with the project. When provisioning in development mode, the admin password for the platform will always be password.
Production mode is designed strictly for use of the platform. By default, it will generate a valid SSL certificate using Let’s Encrypt. Note that when utilizing Let’s Encrypt, there are limits on the number of certificates which can be generated. Review the latest limits here.
Production mode generates a random password at the end of the provisioning script. Ensure you note this password, as this is the only time it will be displayed.
The platform can be accessed through HTTPS on the server you provisioned. Utilize the IP address of the system, for example https://192.168.1.100. If the system is public, you should use the public IP address or domain name if applicable.
When utilizing vagrant, the location is set to https://10.10.10.5
By default, the FBCTF platform is installed in /var/www/fbctf
If you lose or forget the admin password for the platform, run the following commands from the fbctf folder. The parameters must be changed if you have not utilized the defaults in the database name, user, and password:
source ./extra/lib.sh
set_password new_password ctf ctf fbctf $PWD
These are arguments you can specify to the script:
set_password <new_password> <db_user> <db_password> <db_name> <present working directory>
See the Troubleshooting and Performance Guide for details on troubleshooting issues in platform.
If you need to reset your database, the following command will set it back to original defaults. Note that the default database password is ctf.
cat /var/www/fbctf/database/schema.sql /var/www/fbctf/database/countries.sql /var/www/fbctf/database/logos.sql | mysql -u ctf -p fbctf
The admin password must then be reset using these instructions above within How do I reset the database from the command line?.
FBCTF can be updated by running the provision script in a special mode. Keep in mind that you should run it from the folder /var/www/fbctf:
./extra/provision.sh -m prod -U -s $PWD -d /var/www/fbctf
./extra/provision.sh -m <mode_of_operation> -U -s <path_to_fbctf_code> -d <destionation_path>
Run ./extra/provision.sh -h for full help with all the parameters.
Note that any new platform database changes must be manually updated at this time. This means the updated code may be incompatible with the current database schema. Thus, you should only update if you are comfortable dropping and recreating the database, or if you are comfortable fixing the database schema manually.
If you do reset the database, you can import your previous game data. See the Admin Guide for more details.
Memcached is utilized for the FBCTF platform, in order to make efficient use of system resources. Instead of constantly querying the database for every display refresh and action, the platform will utilize a cache when data has not changed.
When performing all actions through the FBCTF platform, Memcached will be flushed automatically when appropriate. However, if changes are being made to the database outside the platform (manually, or via scripting), Memcached must be flushed in many cases. This can be done by running the following command:
echo 'flush_all' | nc localhost 11211
Teams must self-register in order to use custom icons. While registering, click Upload Your Own and select a support image type. This currently includes the JPG, GIF, and PNG image types. The size of the custom icon must be below 1000KB. After selecting your icon in the upload screen, a preview will be displayed on the screen. Once you are happy with the custom icon, click Sign Up.
Utilize the Tokenized Registration Type under the admin panel. This prevents teams from signing up publicly, and event admins can distribute generated tokens to teams in order to register.
Quizzes are the simplest type of Level, and should be utilized for simple question and answer puzzles. All information in order to complete the puzzle should be contained in the Quiz question.
Flags are intended as a more interactive type of Level, and can include Attachments as well as Links. For example, you can link to a web server where teams must hack a web service in order to generate the Flag answer. Alternatively you can also attach files, such as a Python script that must be reverse engineered in order to generate the answer.
It is important to note that Deleting a team is intended as a permanent measure, and should be avoided whenever you want to preserve data. Deleting a team purges all logs and scores related to the team.
Disabling a team invalidates all login sessions to the FBCTF platform, and disables the ability for the team in question to login to the platform, capture bases, or perform any authenticated activity. However, all data related to the team will be preserved.
The Visibility for Teams can be disabled, removing them from the scoreboard completely. However, the Team can still capture levels and participate in the event.
Disabling a team invalidates all team login sessions, and prevents the team from performing any authenticated actions in the event. However, the Team will be visible on the scoreboard.
Yes. A team can change their Team Name, and if configured link existing Facebook or Google accounts. No other team profile changes be be made by a user, and must be edited by an admin.
Yes. However, great care must be taken. Ensure you match database calls as made by the FBCTF platform. By turning on the MySQL general query log, you can examine database calls that take place during a platform action, and duplicate the calls manually or through your script.
It is also important that you understand how Memcached works with the FBCTF platform. In general, flush Memcached after making any changes to the database. This can be performed by running the following command:
echo 'flush_all' | nc localhost 11211
In production mode, FBCTF utilizes HHVM in Repo Authoritative Mode. This compiles the PHP source files into a bytecode repo, increasing speed and efficiency. When code changes are made to the PHP source files, the HHVM repo must be rebuilt. After making your code changes, run the following commands to rebuild the HHVM repo:
sudo rm /var/cache/hhvm/hhvm.hhbc
sudo hhvm-repo-mode enable "/var/www/fbctf"
sudo chown www-data:www-data /var/cache/hhvm/hhvm.hhbc
sudo service nginx restart
sudo service hhvm restart
Client side code changes will require you to run grunt:
cd /var/www/fbctf
grunt --force
Backup and restoration of entire events can be done either through the FBCTF platform or on the command line.
Through the FBCTF Platform:
- Click the Controls tab under the Game Admin panel.
- Click Export Full Game to export your event.
- Click Import Full Game to import your saved event.
Through the Command Line:
- Backup database by typing
mysqldump -u ctf -p fbctf > backup.sql - Restore database by typing
cat backup.sql | mysql -u ctf -p fbctf - Flush Memcached by typing
echo 'flush_all' | nc localhost 11211
Note that Memcached should always be flushed after any type of data import outside of the platform.
The Default Bonus is a set number of points awarded to the first team which captures a level. For example, if the Default Bonus is left at the default of 30 points, and a Quiz is worth 100 points, the first team to capture that particular Quiz will receive 130 points.
The Default Bonus Dec is how many points will be deducted from the initial Default Bonus for every subsequent team that captures a level. For example, if a Flag is worth 100 points, the Default Bonus is 30 points, and the Default Bonus Dec is 10 points, the first team to capture the Flag in question will receive 130 points. The second team will receive 120 points, and the third team 110 points. Subsequent teams will receive no bonus, and will only get the base 100 points.
No. Teams take no penalty for answering levels incorrectly. Only the Default Bonus and Default Bonus Dec alter the number of points a team receives for capturing a level, as described elsewhere.
The FBCTF platform has built-in import and export functions on the Controls admin page. You can create levels externally using a standardized JSON format, as shown below:
{
"levels": [
{
"type": "quiz",
"title": "Quiz 1",
"active": true,
"description": "This is the first quiz",
"entity_iso_code": "BY",
"category": "Quiz",
"points": 100,
"bonus": 30,
"bonus_dec": 10,
"bonus_fix": 30,
"flag": "Quiz Answer",
"hint": "This is a hint for the first quiz",
"penalty": 0
},
{
"type": "flag",
"title": "Flag 1",
"active": true,
"description": "This is the first flag",
"entity_iso_code": "EG",
"category": "None",
"points": 100,
"bonus": 30,
"bonus_dec": 10,
"bonus_fix": 30,
"flag": "Flag Answer",
"hint": "This is a hint for the first flag",
"penalty": 0
},
{
"type": "base",
"title": "Base 1",
"active": true,
"description": "This is the first base",
"entity_iso_code": "DZ",
"category": "None",
"points": 100,
"bonus": 30,
"bonus_dec": 10,
"bonus_fix": 30,
"flag": "",
"hint": "This is a hint for the first base",
"penalty": 0
}
]
}