CTFd 3.8.0

CTFd 3.8.0 has been released with a focus on analytics and quality-of-life features.

Challenge Solutions

Admins can now store challenge solutions within CTFd to be viewed by users. 

Challenge solutions shown once the solution is manually made visible by an Admin

Solutions behave similarly to challenge descriptions and can contain HTML, links, images, files, etc.

Currently these solutions are manually made visible by Admins but we expect to define unlocking/visibility behaviors in future versions of CTFd. 

Challenge Ratings & Reviews

Participants can now leave upvotes & downvotes on challenges after solving them. These vote counts can be shown to participants within the challenge description or restricted to admins only. 

In addition, along with the rating, participants can leave a small challenge review. Reviews are visible only to admins.

Challenge Logic

Challenges now specify a logic field which determines how CTFd will process flags before marking a challenge as solved. 

  • any: any flag is accepted for the challenge (default & existing CTFd behavior)
  • all: all flags for the challenge must be submitted before a challenge is considered solved
  • team: all team members must submit any flag before a challenge is considered solved

We hope that the addition of these new types of challenge logic will enable challenge designers to add additional depth and complexity to their challenges.

💡
A note to plugin developers:

To support this behavior the BaseChallenge class now has a BaseChallenge.partial() method which Challenge Type Plugins may use to support the all and team logics.

In addition, BaseChallenge.attempt() now returns a specific ChallengeResponse object (with handling to support the previous behavior).

Hint Titles

Hints can now specify a title that is shown before the hint is unlocked.

Hints showing titles before the challenge is unlocked

Useful for giving participants a preview of what a hint is about before they unlock the hint. 

Past Submissions

Admins can now control whether participants can see their past submissions.

Previous submissions shown to the user

Currently this feature is not enabled by default to discourage a malicious player from attacking other players to steal their past submissions. We may re-evaluate in the future.

In addition, CTFd will now report to a participant if an attempt is correct/incorrect even after the challenge has been solved. 

Unlock & Open Tracking

To improve CTFd’s underlying analytics a few challenge interaction events are now tracked:

  • Opening a challenge for the first time stores a tracking event
    • This is used to show a progression board in the Admin Panel
  • Hints now always require unlocking even if they have no cost. 
    • This causes any hint unlock to generate an Unlock event which indicates the time of unlock

Matrix scoreboard in the Admin Panel showing what challenges a user has opened and attempted as well as solved

Email Confirmations

Email confirmation is now enabled if email sending is enabled. Users will be nudged to confirm their email but confirmed emails are not required to participate unless the Verify Emails configuration is enabled. 

Dismissable alert nudging users to confirm their email address

This allows users to confirm their emails if they wish without heavily interrupting the participation process.

Predefined Setup & Admin Account

CTFd can now pre-create a known admin account by specifying new configuration values via config.ini: 

  • PRESET_ADMIN_NAME - the username that will be associated with the preset admin account
  • PRESET_ADMIN_EMAIL - the email address that will be associated with the preset admin account
  • PRESET_ADMIN_PASSWORD - the password that will be associated with the preset admin account
  • PRESET_ADMIN_TOKEN - a CTFd API access token which will be associated with the preset admin account

In addition, a configuration for controlling dynamic server configs has been added:

  • PRESET_CONFIGS - Specifies a JSON object that contains key value pairs of server configs which cannot be overridden from the Config Panel

The objective of these configurations is to create CTFd instances which can be configured in a reasonably repeatable way.

💡
On self-hosted CTFd these configurations are controlled in config.ini. On Hosted CTFd these configurations may be controlled in the management portal at https://cloud.ctfd.io/
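A pre-deployment check for the settings above, as an added example that is not part of CTFd or this post: it looks for the PRESET_* keys in any section of a config.ini body and reports weak or malformed values. The `[management]` section name, the sample values and the 16-character threshold are assumptions made for the illustration.

```python
import configparser
import json
import stat

PRESET_KEYS = ("PRESET_ADMIN_NAME", "PRESET_ADMIN_EMAIL",
               "PRESET_ADMIN_PASSWORD", "PRESET_ADMIN_TOKEN", "PRESET_CONFIGS")

# Constructed sample; the section name is an assumption, the keys are from the post.
SAMPLE = """
[management]
PRESET_ADMIN_NAME = admin
PRESET_ADMIN_EMAIL = admin@ctf.example
PRESET_ADMIN_PASSWORD = admin2025
PRESET_ADMIN_TOKEN = constructed-token-value-0123456789
PRESET_CONFIGS = {"example_key": "value",}
"""

def audit_presets(ini_text, file_mode=None, min_secret_len=16):
    """Return a list of findings for the PRESET_* keys in a config.ini body."""
    parser = configparser.ConfigParser(interpolation=None)  # allow '%' in secrets
    parser.optionxform = str                                # keep key case as written
    parser.read_string(ini_text)
    found = {}
    for section in parser.sections():   # accept the keys from whichever section holds them
        for key in PRESET_KEYS:
            value = parser.get(section, key, fallback="").strip()
            if value:
                found[key] = value
    findings = []
    secrets = [k for k in ("PRESET_ADMIN_PASSWORD", "PRESET_ADMIN_TOKEN") if k in found]
    for key in secrets:
        if len(found[key]) < min_secret_len:
            findings.append(f"{key}: shorter than {min_secret_len} characters")
    password = found.get("PRESET_ADMIN_PASSWORD", "")
    idents = [found.get("PRESET_ADMIN_NAME", ""),
              found.get("PRESET_ADMIN_EMAIL", "").split("@")[0]]
    if password and any(i and i.lower() in password.lower() for i in idents):
        findings.append("PRESET_ADMIN_PASSWORD: contains the admin name or email local part")
    if password and password == found.get("PRESET_ADMIN_TOKEN"):
        findings.append("PRESET_ADMIN_TOKEN: identical to the admin password")
    if "PRESET_CONFIGS" in found:
        try:
            if not isinstance(json.loads(found["PRESET_CONFIGS"]), dict):
                findings.append("PRESET_CONFIGS: JSON value is not an object")
        except json.JSONDecodeError as exc:
            findings.append(f"PRESET_CONFIGS: invalid JSON ({exc.msg})")
    # The file now carries an admin password and API token: keep it owner-only.
    if secrets and file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config.ini: holds preset secrets but is accessible to group/other")
    return findings
```

Call it with the file's text and `os.stat(path).st_mode`, for example in a deployment pipeline before the instance is first started.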

core theme

The core-beta theme has now been promoted to the core theme and has been merged into the main CTFd repo. The previous core theme has been renamed to core-deprecated. While still available, its use is heavily discouraged. 

While the theme has been merged into the main CTFd repo, a separate repo containing just the theme files will be maintained at https://github.com/CTFd/core-theme.

Our official themes (available at the CTFd Store) were first released over 7 years ago with free updates since their inception. In the coming weeks, we will be releasing new versions of our official themes as paid updates. Hosted CTFd users will continue to have access to these themes as part of their managed CTFd instance.


The full changelog for CTFd 3.8.0 is available on GitHub.

As usual, v3.8.0 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.