Aug 12, 2020 - Joern Schneeweisz    

How to play GitLab's Capture the Flag at home

Our AppSec team built and ran a CTF, and now it's available for you to play at home.

The GitLab Application Security team created a Capture the Flag (CTF) contest for GitLab team members in mid-March to provide a fun, hands-on AppSec experience for those who were interested in a little friendly competition.

We've reworked this contest a bit so now you can solve the challenges at home! And, even better, because we created this CTF with all of our GitLab team members in mind, there's a wide variety of beginner-friendly challenges, most of which are related to web security.

Run it at home

All you need to run this at home is Docker and Docker Compose. The CTF-at-home repository is where we're releasing the challenges within a docker-compose file. Be sure to have a look at the README for set-up instructions.

Running the challenges should be as simple as:

git clone https://gitlab.com/gitlab-com/gl-security/ctf-at-home.git
cd ctf-at-home
docker-compose up

And then, visit http://capture.local.thetanuki.io to get to the landing page. Fingers crossed🤞, it worked on my machine 😉.

Try your hand at solving some challenges, then tell us about it

To keep it beginner friendly, the run-at-home CTF also includes spoilers and solutions for all challenges. If you have trouble running the CTF, feel free to create an issue here.

If you run the CTF at home and solve some challenges, we're happy to hear your feedback, or even see some write-ups. Feel free to share your experience in the comments below or tweet @gitlab.

Our results 🥁

We initially planned this CTF contest for GitLab Contribute, our company-wide get-together, which was to be held in Prague at the end of March. While COVID-19 made the physical get-together impossible, this CTF was perfect for running worldwide online and across GitLab teams. We ran the challenges from March 16 to March 27, 2020 and had a total of 50 GitLab team members participate in the CTF.

Team member testimonials

From a CTF coordinator perspective, running the contest was a great experience. Thankfully, the players were having a good time as well and we received lots of positive feedback, including:

It was great to collaborate with folks from all different functional groups at GitLab and all around the world. We learned a lot from each other and everyone was able to contribute!

@stkerr

The perfect mixture of challenges, ranging from very awesome and interesting, to very awesome and challenging. 😆

@cat

Hall of Fame

Meet our top twenty players

  1. @cat
  2. @ayufan
  3. @engwan
  4. @vitallium
  5. @stkerr
  6. @T4cC0re
  7. @xanf
  8. @ahmadsherif
  9. @mbobin
  10. @jrreid
  11. @djadmin
  12. @vij
  13. @robotmay
  14. @kgoossens
  15. @simon_mansfield
  16. @mparuszewski
  17. @SteveTerhar
  18. @rchan-gitlab
  19. @razer6
  20. @floudet

Special shout-outs to @cat and @ayufan who both solved ALL the challenges in less than three days.

Because building the challenges and playing the CTF were such a positive experience for all involved, we wanted to make those CTF challenges public. We're hoping to have another CTF in the future, but in the meantime, let us know what you think of this one via comment below or @gitlab on Twitter.

Happy hacking!
