What is a CTF?
A CTF (aka Capture the Flag) is a competition where teams or individuals have to solve several Challenges. The one that solves/collects most flags the fastest wins the competition.
Once each Challenge has been solved successfully, the user will find a flag within the Challenge that is proof of completion. Submitting this flag will award the team with a set amount of points. Often, if a team is the first to complete a Challenge and submit a flag, they will earn what is called a Blood (short for first blood), and this will award additional points.
At the end of the CTF, teams will be ranked by how many points they have acquired, and the team with the most points will place 1st in the CTF.
Joining a CTF
Before you can start playing in a CTF, you'll need to make sure you have an account on the CTF Platform and that you are a member of a Team that has joined the CTF. To learn more about registering on the CTF Platform and joining/creating Teams, see our dedicated article on the subject.
Click the button below to learn about CTF Registration and Teams!
Once you've gotten registered and have joined a Team, you can get started with the CTF. Head over to the CTF Page, find the CTF you are competing in, and click Play CTF. If the CTF has a password, you'll be prompted to enter it.
Types of CTF Content
Content on the CTF Platform is broken up into two primary types. The first type of content is Boxes / Machines, which can be found under the Fullpwn category. These work the same way Boxes do on the Main Platform; they are full-fledged virtual machines that require a VPN connection to access.
Docker Instances, the second kind of content, accounts for all other categories besides Fullpwn. This type of content functions the same way Challenges do on the Main Platform; a Docker instance is spawned, and you are given an IP and port to access it on. These Docker instances use a public IP, and thus no VPN connection is required.
Spawning Boxes / Machines
To spawn a Box, click on the power button to the right of the Box's user listing and press Spawn Machine. You'll notice each Box is listed twice, once for user and once for root; both of these are for the same instance of the Box. They are separated for flag submission purposes only.
Whenever someone on a Team spawns a Box, a notification will be sent to all Team Members. This will include both the name of the Box and the teammate who spawned it. All members of a Team share the same instance spawned Boxes.
Once the Box has spawned, you will be given the IP of the Box's instance. This instance is exclusive to your Team.
There is a limit to how many Boxes / Machines can be spawned by a Team at any given time, which can vary depending on the CTF. If you attempt to spawn an additional Box after you have already reached this limit, you'll receive an error.
After a Box has been spawned, you'll have the ability to Reset or Terminate it if you choose. Additionally, once there are 8 hours or less remaining, you'll have the option to Extend the Box.
Spawning a Docker Instance
Spawning a Docker Instance is similar to spawning a Box. Navigate to the Challenge you'd like to spawn, and press the power button. Then, click on the toggle to bring the instance online.
Once it's been spawned, you'll be given an IP and Port. This IP address is public, meaning it can be accessed without the need for a VPN connection. Docker instances are only accessible at the port specified and generally don't respond to pings, so keep that in mind.
Just as with Boxes, spawning a Docker will notify all team members, who will all share the same instance. However, unlike with Boxes, there is no limit on how many Dockers can be spawned at once.
Challenge Info and Downloadable Content
For some CTF content, you start with more than just the IP address of the target system. Specifically, sometimes Challenge Info and/or Downloadable Content is available.
Some Challenges are accompanied by additional information, called the Challenge Info. This information is usually a brief description of the Challenge and may even hint at the technology or methods the Challenge involves.
To view any available Challenge Info, press the ⓘ button under the Actions column of the Challenge. Hovering over it will bring up a tooltip that reads Challenge Info.
Some Challenges include both a spawnable instance as well as downloadable files. In these cases, both the downloadable files and the spawnable instance are typically required to solve the Challenge.
An example of this would be a Pwn / Binary Exploitation challenge where you are given the ability to download the source code of the program/service running on the spawnable target system.
If a Challenge has a downloadable part, it will be stated in the Challenge Info, and the download button under the Actions column will be clickable. In most cases, the downloadable content is provided in the zip archive format.
Connecting to the VPN
If you want to access content from the Fullpwn category or any other category that uses Boxes/Machines, you'll need to connect to our internal lab network using the VPN file we provide.
Downloading the VPN File
We offer our VPN in the form of OpenVPN packages, which come in the .ovpn file format. To download this VPN file, press the Connect button at the top right of the page.
Connecting with OpenVPN
Connecting to the VPN can be done easily using OpenVPN, installed on most Linux distributions (including Parrot OS).
To connect, run
sudo openvpn /path/to/vpnfile.ovpn in your terminal. If you see
Initialization Sequence Complete, that means OpenVPN has successfully established the connection.
For more information on troubleshooting VPN connection issues, see the dedicated article on the subject.
Click the button below for help with diagnosing connection issues!
Connecting using Pwnbox
Pwnbox is our in-browser, Parrot Security virtual machine. It comes equipped with the vast majority of tools you could ever want and makes it easy to get hacking no matter where you are or what type of hardware you have at your disposal.
Pwnbox is automatically connected to the VPN, so there is no need to worry about manually connecting.
You can connect to Pwnbox from the same VPN Selection Menu you found OpenVPN.
Once you've spawned Pwnbox, you'll be able to work from within it the same way you would any other VM.
Managing the VPN (Team Captains only)
Team Captains have the ability to manage which VPN server their Team is connected to. They can view the VPN servers available, see how many Teams are connected to each, and switch between them.
Viewing the VPN Map
The VPN Map shows all the available VPN servers for the CTF. To view it, click on Manage VPN and hover over the VPN Map label. You can see all available regions as well as each VPN server in each region. Next to each server, the number of Teams currently connected to that server is displayed.
Switching VPN Regions
You can switch VPN servers by pressing the Manage VPN button and selecting the Region and Server.
Once you've selected the server you'd like to switch to, press the Change VPN button. An alert will be sent to all Team Members notifying them of the change.
Please note, once you change VPN servers, you will have to redownload the VPN file. Be sure to terminate any existing OpenVPN connection you have before initiating a new one.
If you'd like to see your Team's place in the CTF or which teams are claiming the top spot, you can view the Scoreboard. Press the Scoreboard button on the CTF page.
Scrolling down, you can see additional information on the Scoreboard, such as progress graphs, team rankings, and challenge completion rates.