The picoCTF platform is the infrastructure which is used to run picoCTF.
The platform is designed to be easily adapted to other CTF or programming competitions.
If using the platform to host a custom competition, we recommend using the most recent tagged release. The master branch represents active development and may not be stable.
Additionally, we cannot guarantee the stability or security of any outdated
Please visit our Discord server for other platform deployment questions not covered in our documentation: https://discord.gg/WQGdYaB
The following steps will use Vagrant to get you quickly up and running with the picoCTF platform by deploying the code base to two local virtual machines. You can read more about using Vagrant in our
    git clone https://github.com/picoCTF/picoCTF.git
    cd picoCTF
    vagrant up
These commands perform the following:
Now that your local copy of picoCTF has been deployed:
Make your first change. For example, to change "CTF Placeholder" in the navigation bar:
ansible installed locally on your machine it is as

    cd infra_local
    ansible-playbook site.yml --limit web --tags web-static

    vagrant ssh web
    cd /picoCTF/infra_local
    ansible-playbook site.yml --limit web --tags web-static
Then check out the infra_local directory for more information on using the local development environment in a more efficient manner.
Interested in development? Check out the notes in infra_local.
The documentation has more information on Alternative Deployments.
Continue reading for more information on the picoCTF project.
This project is broken down into a few discrete components that compose to build a robust and full-featured CTF platform. Specifically, the project consists of the following:
Once you bring everything up, the main flow between components is:
Here is a walkthrough:
/api/ to nginx. Requests to
/api are forwarded to an API server (running on the same host for development).
/admin, which is used by the admin to connect to new shell servers.
/api request is forwarded to the API server.
ssh to the shell server.
Some important terminology:
inst_n. Each instance has its own flag
flag_1 is a valid flag (a separate instance flag
flag_2 is not valid)
flag_2, then whoever has
inst_2 shared their flag. There may be legitimate reasons for flag sharing, but in many competitions it is indicative of cheating.
inst_i will not work for
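The per-instance flag terminology above, worked through as an added example (not picoCTF's own code): a submission is checked against the submitter's own instance flag first, and a flag that belongs to a different instance is reported together with the teams assigned that instance. The HMAC-based flag derivation, the team and problem names, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed for this example


def instance_flag(problem, instance):
    """Hypothetical per-instance derivation: flag_n differs for every inst_n."""
    mac = hmac.new(SECRET, f"{problem}:{instance}".encode(), hashlib.sha256)
    return "flag{" + mac.hexdigest()[:16] + "}"


def _same(a, b):
    # Constant-time comparison on bytes, safe for any submitted string.
    return hmac.compare_digest(a.encode(), b.encode())


def classify(team, problem, submitted, assignments, instance_count):
    """Return (verdict, holders): 'correct', 'wrong', or 'shared' plus the
    teams assigned the instance the submitted flag really belongs to."""
    own = assignments[(team, problem)]
    if _same(submitted, instance_flag(problem, own)):
        return "correct", []
    for inst in range(1, instance_count + 1):
        if inst != own and _same(submitted, instance_flag(problem, inst)):
            holders = sorted(t for (t, p), i in assignments.items()
                             if p == problem and i == inst)
            return "shared", holders
    return "wrong", []


# Constructed sample data: three teams, one problem deployed as three instances.
ASSIGNMENTS = {("alice", "demo-problem"): 1,
               ("bob", "demo-problem"): 2,
               ("carol", "demo-problem"): 3}
SUBMISSIONS = [
    ("alice", "demo-problem", instance_flag("demo-problem", 1)),  # own flag_1
    ("alice", "demo-problem", instance_flag("demo-problem", 2)),  # bob's flag_2
    ("carol", "demo-problem", "flag{not-a-real-flag}"),
]


def review(submissions, assignments, instance_count=3):
    """Classify every submission; 'shared' rows are the ones to look into."""
    return [(team, *classify(team, prob, flag, assignments, instance_count))
            for team, prob, flag in submissions]


if __name__ == "__main__":
    for row in review(SUBMISSIONS, ASSIGNMENTS):
        print(row)
```

A `shared` verdict names the instance holders for organizer review; it is a signal to investigate, not proof of cheating.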
The competitor-facing web site, the API for running a CTF, and the management functionality for CTF organizers. The development Vagrantfile deploys picoCTF-web to a virtual machine (web) at http://192.168.2.2/. If you want to modify the look and feel of the website, this is the place to start.
The tools to create, package, and deploy challenges for use with the picoCTF platform. This supports the deployment of auto-generated challenge instances and provides competitors shell access to aid in challenge solving. The development Vagrantfile deploys the shell-server as a second virtual machine (shell) at http://192.168.2.3/. If you want to modify challenge deployment primitives, this is the place to start.
Example challenges that are compatible with the picoCTF platform. These challenges can be easily shared, deployed, or adapted for use in a CTF. The development Vagrantfile installs these examples to the shell server and loads them into the web interface. If you want to see how to create challenges or leverage the hacksport library, this is the place to start.
The tool we use to install, configure, deploy, and administer the picoCTF platform is Ansible. This allows us to create flexible, parameterized, automated playbooks and roles that apply across development, staging, and production environments. If you want to modify the way the platform is configured, this is the place to start.
If you are looking to run your own CTF competition, you should:
Do not underestimate the importance of spending significant time in problem development. Our internal system is:
For more on running events see:
The picoCTF platform is always under development.
If you are interested in research in CTFs (e.g., improving skill acquisition, decreasing time to mastery, etc.), please feel free to email David Brumley.
picoCTF was started by David Brumley with his CMU professor hat in 2013. The intention has always been to give back to the CTF community.
The original heavy lifting was done by his graduate students, and special thanks is due to Peter Chapman (picoCTF 2013 technical lead) and Jonathan Burket (picoCTF 2014 technical lead) for their immense efforts not only developing code, but for organizing art work, problem development, and so on.
In 2015-2016 significant work was done by ForAllSecure at the company's expense. This includes adding concepts like the shell server, and rewriting significant portions of the web server.
Both CMU and ForAllSecure have agreed to release all code under the MIT LICENSE. We do encourage attribution as that helps us secure funding and interest to run picoCTF year after year, but it is not necessary. Also, if you do end up running a contest, do feel free to drop David Brumley a line.