The GitLab Application Security team created a Capture the Flag (CTF) contest for GitLab team members in mid-March to provide a fun, hands-on AppSec experience for those who were interested in a little friendly competition.
We've reworked this contest a bit so now you can solve the challenges at home! And, even better, because we created this CTF with all of our GitLab team members in mind, there's a wide variety of beginner-friendly challenges, most of which are related to web security.
Run it at home
All you need to run this at home is Docker and Docker Compose. The CTF-at-home repository is where we're releasing the challenges within a docker-compose file. Be sure to have a look at the README for set-up instructions.
Running the challenges should be as simple as:
git clone https://gitlab.com/gitlab-com/gl-security/ctf-at-home.git
cd ctf-at-home
docker-compose up
And then, visit http://capture.local.thetanuki.io to get to the landing page. Fingers crossed 🤞, it worked on my machine 😉.
Try your hand at solving some challenges, then tell us about it
To keep it beginner-friendly, the run-at-home CTF also includes spoilers and solutions for all challenges. If you have trouble running the CTF, feel free to create an issue here.
If you run the CTF at home and solve some challenges, we're happy to hear your feedback, or even see some write-ups. Feel free to share your experience in the comments below or tweet @gitlab.
Our results 🥁
We initially planned this CTF contest for GitLab Contribute, our company-wide get-together, which was to be held in Prague at the end of March. While COVID-19 made the physical get-together impossible, this CTF was perfect for running worldwide online and across GitLab teams. We ran the challenges from March 16 to March 27, 2020 and had a total of 50 GitLab team members participate in the CTF.
Team member testimonials
From a CTF coordinator perspective, running the contest was a great experience. Thankfully, the players were having a good time as well and we received lots of positive feedback, including:
It was great to collaborate with folks from all different functional groups at GitLab and all around the world. We learned a lot from each other and everyone was able to contribute!
-- @stkerr
The perfect mixture of challenges, ranging from very awesome and interesting, to very awesome and challenging. 😆
-- @cat
Hall of Fame
Meet our top twenty players
- @cat
- @ayufan
- @engwan
- @vitallium
- @stkerr
- @T4cC0re
- @xanf
- @ahmadsherif
- @mbobin
- @jrreid
- @djadmin
- @vij
- @robotmay
- @kgoossens
- @simon_mansfield
- @alan
- @SteveTerhar
- @rchan-gitlab
- @razer6
- @floudet
Special shout-outs to @cat and @ayufan who both solved ALL the challenges in less than three days.
Because building the challenges and playing the CTF were such a positive experience for all involved, we wanted to make those CTF challenges public. We're hoping to have another CTF in the future, but in the meantime, let us know what you think of this one via a comment below or @gitlab on Twitter.
Happy hacking!