Blog Security How to play GitLab's Capture the Flag at home
August 12, 2020
3 min read

How to play GitLab's Capture the Flag at home

Our AppSec team built and ran a CTF, and now it's available for you to play at home.

gitlab_ctf.png

The GitLab Application Security team created a Capture the Flag (CTF) contest for GitLab team members in mid-March to provide a fun, hands-on AppSec experience for those who were interested in a little friendly competition.

We've reworked this contest a bit so now you can solve the challenges at home! And, even better, because we created this CTF with all of our GitLab team members in mind, there's a wide variety of beginner-friendly challenges, most of which are related to web security.

Run it at home

All you need to run this at home is Docker and Docker Compose. The CTF-at-home repository is where we're releasing the challenges within a docker-compose file. Be sure to have a look at the README for set-up instructions.

Running the challenges should be as simple as:

git clone https://gitlab.com/gitlab-com/gl-security/ctf-at-home.git
cd ctf-at-home
docker-compose up

And then, visit http://capture.local.thetanuki.io to get to the landing page. Fingers crossed🤞, it worked on my machine 😉.

Try your hand at solving some challenges, then tell us about it

To keep it beginner friendly, the run-at-home CTF also includes spoilers and solutions for all challenges. If you have trouble running the CTF feel free to create an issue here.

If you run the CTF at home and solve some challenges, we're happy to hear your feedback, or even see some write-ups. Feel free to share your experience in the comments below or tweet @gitlab.

Our results 🥁

We initially planned this CTF contest for GitLab Contribute, our company-wide get together, which was to be held in Prague at end of March. While COVID-19 made the physical get-together impossible, this CTF was perfect for running worldwide online and across GitLab teams. We ran the challenges from March 16 to March 27, 2020 and had a total of 50 GitLab team members participate in CTF.

Team member testimonials

From a CTF coordinator perspective, running the contest was a great experience. Thankfully, the players were having a good time as well and we received lots of positive feedback, including:

It was great to collaborate with folks from all different functional groups at GitLab and all around the world. We learned a lot from each other and everyone was able to contribute!

-- @stkerr

The perfect mixture of challenges, ranging from very awesome and interesting, to very awesome and challenging. 😆

-- @cat

Hall of Fame

Meet our top twenty players

  1. @cat
  2. @ayufan
  3. @engwan
  4. @vitallium
  5. @stkerr
  6. @T4cC0re
  7. @xanf
  8. @ahmadsherif
  9. @mbobin
  10. @jrreid
  11. @djadmin
  12. @vij
  13. @robotmay
  14. @kgoossens
  15. @simon_mansfield
  16. @alan
  17. @SteveTerhar
  18. @rchan-gitlab
  19. @razer6
  20. @floudet

Special shout-outs to @cat and @ayufan who both solved ALL the challenges in less than three days.

Because building the challenges and playing the CTF were such a positive experience for all involved, we wanted to make those CTF challenges public. We're hoping to have another CTF in the future, but in the meantime, let us know what you think of this one via comment below or @gitlab on Twitter.

Happy hacking!

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert