King of the Hill Challenges are only available on Hosted or Self-Hosted Enterprise CTFd Instances
King of the Hill (KoTH) Challenges involve a user taking control of a server and leaving their identifier on a specified target server/application. The identifier indicates which user/team currently controls the server. The scoring engine (CTFd) then monitors this target and awards the controlling user/team some amount of points.
When users view the KoTH challenge, the modal shows the user's identifier and target server/application. In the example below, it's
The user identifier is automatically generated by CTFd for each user. This is what users would leave on a specified target server/application in order for CTFd to identify the user/team and award them with points.
The target server/application is added manually by the admin in the Connection Info field when configuring the challenge. This is the server/application that users compete to take control of.
In order for CTFd to determine, at regular intervals, who currently owns the target server/application and to award points to the winning user/team, the KoTH Challenge Type has to be configured so that CTFd can send requests to, and receive responses from, the KoTH Agent Server.
- URL - The URL that CTFd will check to determine which user/team is currently in control of the server
- API Key - An API Key header sent to the URL provided above, which authenticates the request
- TLS/SSL Certificate - A TLS/SSL certificate that's used to encrypt communication to the target server
- Interval - How often to check the server
- Reward - How many points to give to the user/team that controls the server for each check
- Connection Info - The URL of the target server/application
Once the URL of the KoTH Agent Server and the Interval have been specified in the challenge configuration, CTFd will start sending requests to the specified URL (most likely the /status endpoint of the agent).
The responses from the agent can be checked using the two buttons on the challenge configuration page, which open a pop-up box showing the following JSON responses.
KotH Agent Server
The KoTH Agent Server is an open-source agent, provided by CTFd, to run alongside the KoTH Challenge Type and the target server/application. The agent monitors the target server/application for the current owner and simultaneously listens and responds to HTTP requests.
This tutorial shows how to set up the KoTH Agent Server with an example target server/application.
Agent API Specification
Agent CLI Usage
```text
❯ ./agent -h
Usage of ./agent:
  API Key to authenticate with
  SSL certificate file
  SSL cert as a string
  text file to watch for server ownership changes (default "owner.txt")
  command to run when asked for a healthcheck (default "true")
  print help text
  host address to listen on (default "0.0.0.0")
  SSL key file
  SSL key as a string
  CIDR ranges to allow connections from. IPv4 and IPv6 networks must be specified seperately (default "0.0.0.0/0,::/0")
  command to run when asked for an owner
  port number to listen on (default "31337")
```