Pentest Tools

Published on May 14th, 2016 📆 | 4990 Views ⚑


Facebook CTF — Capture the Flag Platform

The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style Capture the Flag competitions.


Due to the high cost and technical requirements of building and running CTF environments, few publicly available resources exist for schools, students, and non-profit organizations to use. Additionally, finding any security education resources at the middle and high school level is still a challenge. So, Facebook built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring.

Facebook began hosting college-level CTF competitions in 2013, and increasingly focused on helping younger kids discover computer science and security. They used their CTF platform at dozens of events with organizations all over the world, from the Girl Scouts of America to the University of Cambridge and high schools in Spain.

By open sourcing this platform, schools, student groups, and organizations across all skill levels can now host competitions, practice sessions, and conferences of their own to teach computer science and security skills. Facebook is also releasing a small repository of challenges that can be used immediately upon request (to prevent cheating).

The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition.


How do I use FBCTF?

  • Organize a competition. This can be with as few as two participants, all the way up to several hundred. The participants can be physically present, active online, or a combination of the two.
  • Follow setup instructions below to spin up platform infrastructure.
  • Enter challenges into admin page
  • Have participants register as teams
    • If running a closed competition:
      • In the admin page, generate and export tokens to be shared with approved teams, then point participants towards the registration page
    • If running an open competition:
      • Point participants towards the registration page
  • Enjoy!


Facebook CTF: Capture the Flag Platform Wiki



The Facebook CTF platform can be provisioned in development or production environments.



The target system needs to be Ubuntu 14.04. Run the following commands:

sudo apt-get install git
git clone
cd fbctf
./extra/ prod `pwd`

This will place the code in the /var/www/fbctf directory, install all dependencies, and start the server. Be ready to provide the path for your SSL certificate’s CSR and key files. More information on setting up SSL is specific in the next session, but note that if you are just testing out the platform and not running it production, you want to use the instructions listed in the Development section below, as this takes care generating certificates for you. We will provide more info on generating your own certificates for production in the future.

[adsense size='1']

The password for the user admin will be printed in the console at the end of provisioning, as it is randomly generated everytime the CTF platform is provisioned. We will add a way to change this password from the command line in the near future (in the meantime, you can figure out how to do it manually by looking at theimport_empty_db function in./extra/

Once you’ve provisioned the VM, go to the URL/IP of the server. Click the “Login” link at the top right, enter the admin credentials, and you’ll be redirected to the admin page.



While it is possible to do development on a physical Ubuntu machine (and possibly other Linux distros as well), we highly recommend doing all development on a Vagrant VM. First, install VirtualBox and Vagrant. Then run:

git clone
cd fbctf
vagrant up

This will create a local virtual machine with Ubuntu 14.04 using Vagrant and VirtualBox as the provider. The provisioning script will install all necessary software to the platform locally, using self-signed certificates. The credentials will be admin/password and the machine will be available on by default. You can find any error logs in/var/log/hhvm/error.log.

Note that if you don’t want to use the Vagrant VM (not recommended), you can provision in dev mode manually. To do so, run the following commands:

sudo apt-get install git
git clone
cd fbctf
./extra/ dev `pwd`

Once you’ve provisioned the VM, go to the URL/IP of the server. Click the “Login” link at the top right, enter the admin credentials, and you’ll be redirected to the admin page.


Optional installation

If you are going to be modifying files outside of the Vagrant VM, you will need to synchronize the files usingUnison (bi-directional file sync over SSH). Once Unison is installed, you can sync your local repo with the VM with the following command:


Note that the unison script will not sync NPM dependencies, so if you ever need to run npm install, you should always run it on the VM itself.

This step is not necessary if all development is done on the VM.

Comments are closed.