HC's Capture the Flag site
CTF Gameserver

CTF gameserver installation

In response to some people having trouble setting the gameserver up, here's a more or less step-by-step guide. If you're missing something, let me know.

This installation guide was tested with debian stable (etch).

  1. Required software
  2. Installing the CTF gameserver
  3. Configuring and running the CTF gameserver
  4. Configuring testscript execution peers
  5. Rating advisories
  6. Further information

Required software

You'll need the Sun Java JRE1.6, and a running PostgreSQL 8.x server. Also, you'll need the PostgreSQL 8.x console client tools. A PostgreSQL JDBC driver comes with the scoring bot, but you can use a later or a different version.

To display the scoring information, you'll need a webserver. Strictly speaking, that functionality is not necessary, but you'll most definitely want it.

For the install script, you also need python2.5, which you should install anyway, as the supplied testscript template and the sample ping.py testscript are both in python. (Of course, testscripts may be written in any language.

PostgreSQL 8.x


PostgreSQL 8.1 is in the standard debian repository. Just install postgresql-8.1. (That'd be apt-get install postgresql-8.1)


This is a quick and dirty installation guide for those who don't know postgresql. If you know postgresql, you can probably skip this section.

Do the following steps (always press ENTER after a command;-)

  1. Become root
  2. Enter su - postgres
  3. Enter psql template1
  4. The postgresql client should start up.
  5. Enter CREATE USER ctf PASSWORD 'foobar';
  6. You may choose a different user name and password, of course, but remember both for later.
  7. Enter CREATE DATABASE ctf OWNER ctf;
  8. The database can also be named differently if you feel like it.
  9. Enter \q

Make sure PostgreSQL only listenes on localhost, if you only use it for the CTF gameserver.

Sun Java JRE1.6

You'll need to use the debian backports to install it. That's pretty simple, actually. Just visit the backports website for instructions on how to use them.

Once the backports are set up, install sun-java6-jre (apt-get install sun-java6-jre)

No configuration of the JRE is necessary.


Just do apt-get install python2.5 as root.

No configuration is necessary.


Debian stable minimal doesn't ship with it, so install it by doing apt-get install bzip2 as root. If it's already installed, the better.

No configuration is necessary.


You'll need it to use the scorebot admin console. Simply do apt-get install telnet


I've had trouble installing publicfile on debian, so I'll spare you the hazzle (for now, anyway;) and just show you how to install lighttpd instead.


Simply invoke apt-get install lighttpd as root.


No configuration of the webserver itself is necessary; however, you'll need a directory to store all the scoring stuff in. Debian creates the directory /var/www for all web documents. Create a subdirectory called score and change its ownership to the user the scorebot will be running as (DO NOT run the scorebot as root ;-)

This is how you might do it:

  • mkdir /var/www/score
  • chown hc:hc /var/www/score

Of course, change hc to the appropriate user.

When finished, you'll also need to know the URL the score directory can be accessed from. For the da-op3n, this was

The CTF gameserver


Fetch it from this website, at the time of this writing the latest version is 0.74.

Extract the gameserver by doing tar xvfj scoringsystem-0.74.tar.bz2.

Switch to the extracted directory, and invoke ./configure

The script is pretty much self-explanatory; it will ask you for your database configuration, an admin password for the scorebot, and where to store the websites. According to this howto, the websites should go in /var/www/score. The URL will be http://www.your-webserver.foo/score. (Replace the your-webserver part, obviously;)

Checking the installation

Start by invoking ./gameserver.sh

You should get an error message telling you to set up teams and services. Congratulations, the installation was successful! Press CTRL+C.

If you instead get some exceptions, something went wrong.

Setting up services and teams

Start ./scoringbot.sh, then telnet to localhost port 8080.
telnet localhost 8080

The scorebot should greet you friendly. ;-) Invoke lt(). If it does not respond, check the database installation. If it does respond, you're ready to begin.

Whenever you want to do some configuration, you'll need to login as admin. admin() is the command of your choice. After you press ENTER, it'll ask you for the admin password you specified during the installation. (Not to be confused with the PostgreSQL database passwrd)

For each service, you'll need a testscript. Testscripts go in the scripts/ subdirectory. Each testscript must have the executable flag set (chmod 0755 FILENAME) usually does the trick. Check the scripts/ directory for a sample testscript and a testscript template.

For this howto, we will use the ping.py testscript. ping.py doesn't really distribute flags; it simply tells the scorebot "flag sent" (or "flag retrieved", depending on what the scorebot wants it to do) when it can ping the target. No actual flags are sent, although the scorebot generates real flags in the background. This is sufficient for this howto, however.

First, we create the service ping.py, and then we create two Teams, localhost, and hcserver, the latter being my webserver, which you should be able to ping without triggering any complaints;)

Services are created with the createservice command. The createservice command takes the name of the service as parameter, and returns an instance of the class Service. You then call methods from that instance to change parameters of that service, such as the flag distribution interval and the name of the testscript.

Plain and simple, this is how the Ping "service" is set up:

s = createservice("Ping")

fpr means Flags Per Round, the number of flags distributed to one service per round. This should be greater than one. Five is a reasonable default.

NOTE: If you're using version 0.52, you have to skip the s.setfpr(5) command and issue s.setinterval(300) instead.

Check if the service was created and set up correctly by calling ls() (listservices())

Next, you need the teams. createteam creates a new team and takes the team name as parameter. From the returned instance of class Team, you'll just have to call the method createhost:

createteam("HC's server").sethost("salato.hcesperer.org")

Check if the teams were created by calling lt()

That's it. Bail out by calling quit()

Running the gameserver, the scorebot and the pagegenerator

If everything is set up properly, you'll need to

  1. Periodically check the services, distribute and collect flags (./gameserver.sh)
  2. Give the teams a chance to report captured flags, and to report advisories (./scorebot.sh)
  3. Periodically regenerate the status websites (./pagegen.sh)

You should run these three programs from the scoringbot installation directory. I always run them in the foreground, each in a separate console.

Configuring testscript execution peers

Starting with version 0.74, you can distribute testscript execution over multiple hosts. The setup is documented in a separate document.

Rating advisories

During the game, advisories may be written using the advisory reporting script. One of your tasks as gamemaster is to rate these advisories.

In order to rate an advisory, you obviously first have to read it. You do this by viewing the list of pending advisories on the status website. When an advisory is listed, select it. Each advisory has a unique ID (shown in the title of each advisory details page). You'll need this ID when rating advisories. You have three commands for rating:

accept(ID, points, "Comment")

Use this command to accept an advisory. Replace ID with the number of the advisory. points is the number of points to award. Comment should be some explanation as to why the advisory was accepted. It may be empty. ("")

reject(ID, "Comment")

Reject an advisory. Replace ID with the number of the advisory.


Delete an advisory. Use this only for complete junk/spam, not for rejecting advisories. Note that while all references to deleted advisories on the advisory overview page and on the rss feed are removed, the .html files containing the advisory details are retained and must be deleted manually, if desired.

Powered by FreeBSD

$Id: installation.html 550 2009-09-08 00:19:45Z root $ Impressum