Setting up a security CTF server

I don't have any great experience with CTF challenges. But I have participated a few and I am not an expert. But I can tell about my experiences.

• First of all when running a CTF challenge we can warn the users about dos and don'ts. But this won't make sure that the wont do that. Simply we can tell them don't do DoS but it won't make sure they won't use DoS against your CTF game server
• When we are giving a service or website to exploit we should make sure that only that kind of attack is possible here and rest of all security is tight. This was happened when me with my friends conducted a simple hacking competition in my college. We gave a application to hack. We tested that application to make sure only one loophole is there. But the competitors used other complex methods to exploit and they done that. :(
• Security is all about bad coding. So make sure your services or applications are not having loopholes.
• I remember my friend was participating in a CTF competition. He told that it will be 6 hr competition , but the competiotion ended after 30 minutes because one of the competitor exploited a vulnarability in the CTF server and everything collapsed. So dos and don'ts are not a matter.

Simply you will create only one vulnerability in your application to exploit. But exploiters will do all kind of tests to breake it because they don't know what is the exact vulnerability here. May be a tiny loophole which you missed will compromise your server. :)

I have no experience running or setting up such a thing but here are my thoughts on avoiding undue risk:

• You will want some external monitoring on the critical services on the VM. An exploit that causes a crash would certainly ruin it for everyone else. It would be OK if someone defaces the website running on the box as long as all the necessary links to other pages remain intact but if they deface it so badly that the rest of the website becomes unreachable or starts throwing 500 Internal Error codes back at visitors or even crashes the HTTP daemon altogether, that should be detected and remedied quickly.

• The attacker's machine may be exposed to some threat if you aren't supervising them. The first exploit kit found by a Google search for the product they are aiming at is just as likely to contain malware as an actual exploit tool.

• Political/legal risk. Sign waiver forms for them to hold on to, explicitly allowing them to attempt to exploit this particular machine. Explain the consequences of performing these same actions without the signed form.

And some general thoughts about running this thing:

• Many exploits show no obvious signs of success. Of course, this is part of the learning experience, to show the developers that simply switching off the displaying of errors does not completely stymie competent attackers. But it might be nice to have a separate interface to show the current contents of the users table in the database or the contents of a particular directory or the list of running processes on the machine. This might be something you switch off later on as the developer get better at detecting their own successes themselves.

• Keep score. For people who aren't naturally interested in security, making it fun is the key to keeping their attention, and a little bit of friendly competition will help that. If you're only looking at allowing a single vulnerability, it won't be a score so much as a checklist of who has done it and who hasn't, but if a developer actually finds an extra vulnerability to the one you expected to be there, they should be publicly praised in some way.

• Since you're aiming this at developers rather than pen-testers, their day job is going to be the not-so-glamorous defense role. Once they have exploited the code, a followup task might be to see if they can protect the code themselves before seeing the best solution your team has collectively come up with.

I believe stripe.com has run 2 CTF contests.

They discuss the design in the following blog post. You may find it useful:

https://blog.gregbrockman.com/2012/08/system-design-stripe-capture-the-flag/