Host a CTF for free!

Careless Finch
Published in ZH3R0
6 min read · Jul 4, 2020

In this blog, I will be talking about how we hosted our CTF for free, the issues we faced and certain tips and tricks that we used to make the user experience smooth. This will provide you with most of the resources and information required to host your own CTF for free.

Back Story

Before we get started with the tutorial I would like to talk about how this all began.

Team Zh3r0 began as a group of like-minded high school students interested in cyber security and technology. We started playing CTFs in April 2020, and after playing a few CTFs we had a desire to host our own CTF. Although we had no prior experience of hosting a CTF, we planned to conduct a test CTF to assess the level of complexity involved and learn how the players would respond.

We conducted Zh3r0-pre-CTF on May 5th 2020 involving more than 150 active users and it gave us a base idea of the complexity involved.

Around May 15th we started our preparation for the main event.

Planning

We first discussed the authors and the challenges we were going to have. Unfortunately, some members of Zh3r0 were not available on those days, but we still decided to proceed with the CTF.

We planned to have all the common categories as well as some new categories to make the competition more exciting.

Then we agreed upon the authors and the challenges we were gonna make.

Then we reached out to some sponsors. Hack The Box and TryHackMe sponsored our prizes.

Stats

CTFd stats
Cloudflare stats

We got over 2000 users registered and over 1000 teams.

We handled close to 3 million requests, serving around 80 GB of data.

Our top 5 audiences were from India, US, France, Japan and UK.

Cloudflare helped us reduce the loading times by caching our website.

Infra

So we went overkill on infra as we didn’t have any previous experience in hosting a big CTF like this.

We didn’t have any infra sponsors, so we went with all the providers who offered free credits for signing up. We chose three: Digital Ocean, Google Cloud and Microsoft Azure.

So in Digital Ocean we got $100, GCP $300, Azure $200.

For CTFd hosting

We chose Azure as GCP was not accepting our quota increase request on cores. We were limited to 12 cores. :(

We kept 32 cores which was way overkill.

Issues

After the CTF had started we noticed that the site was lagging and only 2 cores were getting used -_-

I looked for solutions online and found that it was because the gunicorn workers were set to 4. So I increased it (65) and the site crashed :(

Every time I started it, it crashed. So I reduced the core count to 20 and reduced the no. of workers (41). Surprisingly it worked!

After that it was smooth. (•‿•)

Challenge Servers

So for PWN, Crypto and Misc. challenges, we used GCP and for web and Hacking machines we used Digital Ocean.

For PWN, we had 3 servers to reduce load and for a smoother experience. The one in India had 8 cores, Germany and US 4 cores each. We didn’t set up load balancing for PWN as multi-region LB is costly. We gave all the to the players.

For Crypto and Misc. we didn’t have any load balancing.

For web, we used 2 similar servers with 6 cores and did round-robin load balancing (setting both server IPs as 2 A records).

For the hacking machines we also had 2 servers (4 cores) with the same load balancing technique.

Technical Part

Now onto the technical stuff.

It is advised to git clone the CTFd/CTFd repository (“CTFs as you need them”, github.com) and run

docker-compose up

You can also follow the procedure below.

CTFd

To run CTFd from the Docker Hub image:

docker run -d -it -p 80:8000 ctfd/ctfd

Now go to the public IP and it will be up.

I have hosted it locally for this.

It is enough for small CTFs. Just make sure you edit the gunicorn workers.

Editing workers

docker ps
docker exec -it <container id> /bin/sh
vi docker-entrypoint.sh

Get inside the container and change the workers inside the start script.

After that, exit and commit the container:

docker commit <container id> <name>
docker run -d -it -p 80:8000 <name>

CTFd setup is now complete. You can now set up the admin password and other stuff.
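
An alternative to editing the script by hand, as an added example that is not from the original post: the worker counts tried earlier (65 on 32 cores, 41 on 20) match gunicorn's suggested (2 x cores) + 1, and this script supplies that value together with a persistent SECRET_KEY at launch. It assumes the image's docker-entrypoint.sh reads the WORKERS and SECRET_KEY environment variables, as the upstream CTFd script does; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): start CTFd with the worker count
# and a persistent SECRET_KEY supplied at launch, so nothing is edited by hand
# inside the container and nothing needs `docker commit`.

# gunicorn's documented starting point is (2 x cores) + 1. An optional second
# argument caps the result (0 = no cap).
ctfd_workers() {
  case "$1" in ''|*[!0-9]*|0*) echo "invalid core count: $1" >&2; return 1 ;; esac
  n=$(( 2 * $1 + 1 ))
  cap="${2:-0}"
  if [ "$cap" -gt 0 ] && [ "$n" -gt "$cap" ]; then n="$cap"; fi
  echo "$n"
}

# Write WORKERS and SECRET_KEY to an env file readable only by its owner.
# An existing key is reused: all workers must sign sessions with the same key,
# and players stay logged in across container restarts.
# Assumption: the image's docker-entrypoint.sh reads both variables.
ctfd_write_env() {  # usage: ctfd_write_env <file> <cores> [cap]
  w="$(ctfd_workers "$2" "${3:-0}")" || return 1
  key=""
  [ -f "$1" ] && key="$(sed -n 's/^SECRET_KEY=//p' "$1")"
  [ -n "$key" ] || key="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  ( umask 077; printf 'WORKERS=%s\nSECRET_KEY=%s\n' "$w" "$key" > "$1" ) && chmod 600 "$1"
}

# Print the launch command for review; it is not executed here.
ctfd_run_cmd() {  # usage: ctfd_run_cmd <env file>
  printf 'docker run -d -p 80:8000 --env-file %s ctfd/ctfd\n' "$1"
}

# Demo with the post's 20-core VM; writes to a temporary directory only.
demo_dir="$(mktemp -d)"
ctfd_write_env "$demo_dir/ctfd.env" 20 && ctfd_run_cmd "$demo_dir/ctfd.env"
rm -rf "$demo_dir"
```

Keep the env file out of version control and backups that others can read, since anyone holding SECRET_KEY can forge session cookies.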

Cloudflare

I used Cloudflare as our DNS manager, CDN and for DDoS protection. Moreover, it’s free!

It also helped us by providing a free SSL certificate and by caching some parts of the website. Half of the requests were cached!

Just point A records to the servers and don’t forget to proxy the CTFd server.

That’s all!
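
Proxying only shields the CTFd server if clients cannot reach its IP directly, so the published port should accept traffic from the proxy's ranges alone. The following is an added example, not part of the original post: it prints iptables rules for Docker's DOCKER-USER chain from a list of IPv4 ranges. The interface name eth0, the function name and the sample ranges are assumptions; the real list is the one Cloudflare publishes, and IPv6 would need the same rules in ip6tables.

```shell
#!/bin/sh
# Added example (not from the original post): allow the published CTFd port
# only from the proxy's address ranges, so the origin cannot be reached directly.
# Docker-published ports are filtered in the DOCKER-USER chain; the port seen
# there is the container's (8000), so match the original port via conntrack.
# --ctdir ORIGINAL keeps replies to the container's own outbound HTTP working.

# Read one IPv4 CIDR per line on stdin and print iptables commands for review.
# $1 = public interface (assumed name), $2 = published host port.
origin_lockdown_rules() {
  ifc="$1"; port="$2"
  match="-i $ifc -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
  # Inserted first, so it ends up below the allow rules inserted after it.
  echo "iptables -I DOCKER-USER $match -j DROP"
  while IFS= read -r cidr; do
    case "$cidr" in
      ''|'#'*) continue ;;                       # skip blanks and comments
      *[!0-9./]*) echo "skipping malformed entry: $cidr" >&2; continue ;;
      */*) echo "iptables -I DOCKER-USER $match -s $cidr -j RETURN" ;;
      *) echo "skipping entry without prefix length: $cidr" >&2 ;;
    esac
  done
}

# Constructed sample ranges (RFC 5737 documentation networks), standing in for
# the list Cloudflare publishes at https://www.cloudflare.com/ips-v4
SAMPLE_RANGES='198.51.100.0/24
203.0.113.0/24
not-a-cidr'

printf '%s\n' "$SAMPLE_RANGES" | origin_lockdown_rules eth0 80
```

The challenge servers that players connect to by IP (PWN, for example) are not behind the proxy and do not benefit from this rule set.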

Mail Server

I was too lazy to configure a mail server, so I used Mailgun as it is very easy to set up. Just add the records as they say and add the API key to CTFd. Done!

First 5000 mails are free in Mailgun!

Conclusion

So this was an insight into our CTF hosting pathway and how we hosted an international CTF for free.
Even though we faced some issues, the event was a great success considering it was our first CTF. This shows that if you are willing to take risks and are determined then you can succeed in anything.

Everyone enjoyed our CTF. We got good ratings on CTFtime too!

Moreover hosting Zh3r0 CTF helped me learn a lot of new things.

If you have any feedback or suggestions, please write them in the responses section below.
