How I used to host a CTF at my university.

If you haven’t heard of, you should definitely check it out. I wrote this site back in 2016 as part of Promethean Information Security. helps you to easily host Cybersecurity CTFs. It is an easy to use (and free) scorebot that will help you to set up the CTF, and track it live. All without you needing to build your own scorebot, or infrastructure.

I’ve been using Digikrieg myself for a number of small competitions ever since I designed it; and I’ve found it to be incredibly convenient. There really is no better way to deliver practical, hands on, entry level cybersecurity training than by way of using a CTF. But the barrier to entry in designing your own CTF is mildly high. In fact, many of the most professional CTFs I’ve seen have had miserable infrastructure and scoring systems.

I’ve been in classrooms on multiple occasions, working with multiple thousand dollars classes, only to see the culminating CTF for the week have no scorebot, and be judged purely by means of having the participates gather “flags” from different systems, to turn them into an encryption key which decrypts a binary containing the “winning phrase.”

Certainly, you can do a CTF like that if you want. But it isn’t going to be good for building an exhibition. And it isn’t going to be good for helping people to track where they are in the pack. It’s not going to give the players instant feedback. I just don’t like it.

But there aren’t many (any?) good, free, CTF frameworks that allow you to simply host your own CTF with ease. I’ve heard of a few that exist, but which require you to set up and support complex infrastructure on your own. I don’t think it has to be that way.

So I built Digikrieg. Anyone can use it to host a small competition. Although for a larger competition which taxes our resources more we will want you to reach out and at least ask nicely first. I’ve covered this site in the past in some posts on my previous blog, which you can read here and here.

Now I’ve been using Digikrieg to host small CTFs ever since its inception. And it has performed amazingly. I have to say, I could not have written a better framework for performing the task, and I mean that.

I used this site to set up a few CTFs out of Eastern Washington University around 2016-2017. They all went really well. I can tell you that if you go and check out the site you’ll understand more what I might mean when I describe how exactly I set up those competitions (follows). Basically, I was able to use the site to track all of the competitors exact score states as they moved their way through the challenges.

The format for Digikrieg is that you have 3 levels for which you set the questions. You can think of it as kind of like a glorified quiz (although there is more going on than just that). The questions are going to be something like “what is the root password for the host with name ‘hackme’.” When users type in the right answer, the site will award them points, and instantly update their position on the leaderboard.

When users finish all of the questions for a given level, they unlock the next one. This ensures that you can design questions which build upon each other, without restricting participants down a purely linear pathway.

Really, if you use Digikrieg, all you have to do to set up a CTF is build out some vulnerable virtual machines, and then fill the levels with the questions and answers for the flags you hid in the machines. This is exactly what I did in the last competition I hosted at EWU, and it went really really well.

We were able to get most of the teams to make it all the way to the end in an “easy to play hard to master” type format where we would give hints to the teams that lagged significantly behind. This, again was a thing we were able to do explicitly because of Digikrieg’s leaderboard giving us instant feedback about where exactly some teams were struggling.

So yeah, if you’re looking to host a CTF yourself sometime soon, you need to check out Digikrieg. It will make your life and your CTF that much better.

About the author

Professional hacker & security engineer. Currently at Google, opinions all my own. On Twitter as @zaeyx. Skydiver, snowboarder, writer, weightlifter, runner, energetic to the point of being a bit crazy.


    1. Yes, of course you may. You should be able to register an account and setup a CTF at your convenience. If someone isn’t working please reach out to me and I’ll take a look. I’m probably easiest to reach on twitter @zaeyx.

Leave a Reply

Your email address will not be published. Required fields are marked *