Inspiration

We were inspired by the growing need for hands-on cybersecurity training and the gamification of learning. Traditional CTF (Capture The Flag) competitions can be intimidating for newcomers, so we wanted to create a real-time, competitive platform that makes security challenges more engaging and accessible. The social media template approach turns familiar interfaces into learning opportunities.

What it does

GTFO is a real-time competitive security challenge platform where players race against each other to find vulnerabilities in a simulated social media application. The platform features:

  • Live head-to-head competitions with real-time scoring
  • Multiple security challenges including:
    • SQL Injection in authentication systems
    • Cross-Site Scripting (XSS) in search functionality
    • Insecure Direct Object References (IDOR) in profile viewing
    • Cross-Site Request Forgery (CSRF) in social interactions
  • Real-time scoring and flag verification
  • Interactive UI with countdown timer and score tracking
  • WebSocket-based multiplayer system

How we built it

We developed GTFO using a modern tech stack split into three main components:

  1. Backend: Node.js/Express server with Socket.IO for real-time communication, handling game logic and flag verification

  2. Frontend: React/TypeScript application using Radix UI for the game interface and real-time updates

  3. Webgen: Challenge generation system that creates dynamic security scenarios

Challenges we ran into

  1. Security Balance: Creating challenges that were vulnerable enough to be solvable but controlled enough to be safe
  2. Real-time Synchronization: Managing game state across multiple clients while maintaining competitive fairness
  3. Flag Generation: Implementing a secure system for generating and validating flags without exposing solutions
  4. Challenge Integration: Seamlessly embedding security vulnerabilities into a realistic social media interface

Accomplishments that we're proud of

  1. Created a fully functional real-time competitive platform
  2. Implemented four different types of security challenges
  3. Built a dynamic challenge generation system
  4. Developed a realistic social media template that teaches security concepts
  5. Successfully integrated WebSocket-based multiplayer functionality

What we learned

  • Advanced WebSocket implementation for real-time applications
  • Security vulnerability simulation and containment
  • State management in competitive multiplayer environments
  • Dynamic challenge generation and verification systems
  • The importance of user experience in security education

What's next for GTFO

  1. More Templates: Expand beyond social media to e-commerce and blog platforms
  2. Challenge Types: Add new security challenges like:
    • JWT manipulation
    • Server-side request forgery
    • XML external entity injection
  3. Tournament Mode: Implement brackets and tournament-style competitions
  4. Learning Resources: Add integrated tutorials and documentation
  5. Difficulty Levels: Create progressive difficulty settings for different skill levels

The project is open-source and available on GitHub, licensed under MIT to encourage community contributions and educational use.
