Warning
The current cheating-detection algorithm is very slow, so it is NOT recommended for competitions with many participants.
This section provides instructions for setting up the project locally.
To use this plugin, you should have:
- Experience hosting CTFd with Docker
- Basic knowledge of Docker
- SSH access to remote servers (if using remote Docker)
- Clone this repository:
  ```bash
  git clone https://github.com/phannhat17/CTFd-Docker-Plugin.git
  ```
- Rename the folder:
  ```bash
  mv CTFd-Docker-Plugin containers
  ```
- Move the folder to the CTFd plugins directory:
  ```bash
  mv containers /path/to/CTFd/plugins/
  ```
- Go to the plugin settings page: `/containers/settings`
- Fill in all fields except the `Base URL`.

- Map the Docker socket into the CTFd container by modifying the `docker-compose.yml` file:
  ```yaml
  services:
    ctfd:
      ...
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
      ...
  ```
- Restart CTFd
- Go to the plugin settings page: `/containers/settings`
- Fill in all fields except the `Base URL`.
For remote Docker, the CTFd host must have SSH access to the remote server.
- SSH access from the CTFd host to the Docker server
- The remote server's fingerprint should be in the `known_hosts` file
- SSH key files (`id_rsa`) and an SSH config file should be available

- Prepare SSH Config:
  ```bash
  mkdir ssh_config
  cp ~/.ssh/id_rsa ~/.ssh/known_hosts ~/.ssh/config ssh_config/
  ```
- Mount SSH Config into the CTFd container:
  ```yaml
  services:
    ctfd:
      ...
      volumes:
        - ./ssh_config:/root/.ssh:ro
      ...
  ```
- Restart CTFd:
  ```bash
  docker-compose down
  docker-compose up -d
  ```
- Ensure SSH Access:
  - Test the connection:
    ```bash
    ssh user@remote-server
    ```
- Configure Docker Base URL:
  - In the CTFd plugin settings page (`/containers/settings`), set: `Base URL: ssh://user@remote-server`
- Restart CTFd:
  ```bash
  sudo systemctl restart ctfd
  ```
SSH challenges allow participants to connect to containerized environments via SSH. Here's how to set them up:
Your Docker image needs to have an SSH server configured. Here's an example Dockerfile:
```dockerfile
FROM ubuntu:22.04
# Install OpenSSH server
RUN apt-get update && \
    apt-get install -y openssh-server && \
    rm -rf /var/lib/apt/lists/*
# Create SSH directory
RUN mkdir /var/run/sshd
# Set up a user (you can customize this)
RUN useradd -m -s /bin/bash ctfuser && \
    echo 'ctfuser:ctfpassword' | chpasswd
# Optional: Allow root login or configure SSH settings
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix (otherwise user is kicked off after login)
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
# Expose SSH port
EXPOSE 22
# Start SSH service
CMD ["/usr/sbin/sshd", "-D"]
```

```bash
docker build -t your-ssh-challenge:latest .
docker tag your-ssh-challenge:latest your-registry/your-ssh-challenge:latest
docker push your-registry/your-ssh-challenge:latest
```

Or ensure the image is available on the Docker host where challenges will run.
- Go to Admin Panel → Challenges → Create Challenge
- Select "Container" as the challenge type
- Fill in the challenge details:
  - Name: Your challenge name
  - Image: Select your SSH-enabled Docker image
  - Connection Type: Select "SSH"
  - Port: 22 (the SSH port inside the container)
  - Initial Value, Decay, Minimum: Set point values
  - Flag Mode: Choose "Static" or "Random"
    - For SSH challenges, you can inject the flag via environment variable `$FLAG`
    - Example: Place flag in a file during container startup
- In your challenge description, provide:
  - SSH credentials (username/password)
  - Instructions on what to find
  - Any necessary hints
Modify your Dockerfile to use the FLAG environment variable:
```dockerfile
# Add this to your Dockerfile
RUN echo '#!/bin/bash\necho "Flag: $FLAG" > /home/ctfuser/flag.txt' > /entrypoint.sh && \
    chmod +x /entrypoint.sh
# Change CMD to use entrypoint
CMD ["/bin/bash", "-c", "/entrypoint.sh && /usr/sbin/sshd -D"]
```

- Use non-root users when possible
- Consider using key-based authentication for more realistic scenarios
- Set resource limits (memory, CPU) in the plugin settings
- Remember that participants will have shell access - ensure proper isolation
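
One way to check a challenge image against the notes above before publishing it, as an added example that is not part of the plugin: the script reads an `sshd_config` and reports the effective settings that matter when participants get a shell. The function names and the sample config are constructed for illustration; `Include` files and `Match` blocks are not followed.

```shell
#!/bin/sh
# Added example, not the plugin's code: report sshd_config settings that matter
# when participants get a shell. sshd keeps the FIRST value it reads for a
# keyword, and keywords are case-insensitive. Simplification (assumption): only
# "Keyword value" lines are parsed; Include files and Match blocks are skipped.

# effective_sshd_value FILE KEYWORD DEFAULT -> the value sshd would use
effective_sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; status 1 if any finding
audit_sshd_config() {
    f=$1; n=0
    if [ "$(effective_sshd_value "$f" PermitRootLogin prohibit-password)" = yes ]; then
        echo "PermitRootLogin yes: root may log in with a password"; n=$((n + 1))
    fi
    if [ "$(effective_sshd_value "$f" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: passwords accepted, keys not required"; n=$((n + 1))
    fi
    if [ "$(effective_sshd_value "$f" PermitEmptyPasswords no)" = yes ]; then
        echo "PermitEmptyPasswords yes: accounts without a password can log in"; n=$((n + 1))
    fi
    if [ "$(effective_sshd_value "$f" AllowTcpForwarding yes)" != no ]; then
        echo "AllowTcpForwarding is not no: port forwarding through the container is allowed"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: a config after an edit like the Dockerfile's PermitRootLogin sed
sample_config() {
    cat <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
permitrootlogin no
#PasswordAuthentication yes
UsePAM yes
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "review the image before publishing it"
rm -f "$tmp"
```

To audit a built image, copy its `/etc/ssh/sshd_config` out of a container and pass the file path to `audit_sshd_config`.
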
A complete working example is available in the examples/ssh-challenge/ directory. This example demonstrates:
- Basic SSH server setup
- Flag injection via environment variable
- User authentication configuration
To use the example:
```bash
cd examples/ssh-challenge
docker build -t ssh-challenge:latest .
```

See the SSH Challenge Example README for more details.
- Manage running containers
- Filter by challenge or player
| Web Access | TCP Access | SSH Access |
|---|---|---|
| (image) | (image) | SSH connection via terminal |
Connection Types:
- Web: HTTP-based challenges accessible through a browser
- TCP: Raw TCP connections using netcat or similar tools
- SSH: Secure shell access to containerized environments
- Support for user mode
- Admin dashboard with team/user filtering
- Compatibility with the core-beta theme
- Monitor share flag
- Monitor detail on share flag
- Prevent container creation on solved challenge
For more features and known issues, check the open issues.
Distributed under the MIT License. See LICENSE.txt for details.
This plugin is an upgrade of andyjsmith's plugin with additional features.
If there are licensing concerns, please reach out via email (contact below).
Phan Nhat
- Discord: ftpotato
- Email: contact@phannhat.id.vn
- Project Link: CTFd Docker Plugin




