CTFHive
CTFHive is a self-hostable, multi-tenant Capture-the-Flag platform. It gives CTF organizers a production-grade competition environment — with per-team ephemeral labs, a tamper-evident audit log, and a full admin panel — without paying per-seat subscription fees to CTFd Hosted or HackTheBox.
Two planes, one platform
The repository contains two independent but complementary pieces of software:
| Plane | Code directory | What it does | Who operates it |
|---|---|---|---|
| CTFHive (CTF app) | ctfapp/ | Per-tenant Flask web app: scoreboard, challenges, teams, flag submission, admin panel, dynamic lab spawning | The organizer who self-hosts, or CTFHive on the organizer's behalf |
| CTFHive (control plane) | CTF_Saas_CTRL_Pane/ | SaaS control plane: marketing site, Stripe billing, tenant provisioning via Hetzner + Cloudflare DNS, cross-tenant telemetry | CTFHive operators only |
If you are self-hosting CTFHive for your own event, you only need ctfapp/. You can ignore the control plane entirely.
If you are running the CTFHive SaaS product (selling hosted CTFHive tenants), see the Control Plane overview.
Who should read what
You're running a CTF — university club, security conference, Discord community, or private red-team exercise.
Start here:
- Quickstart — deploy locally in ~5 minutes
- Installation — prerequisites and full setup
- Configuration — every environment variable
- Challenge format — YAML schema for your challenges
- Importing challenges
- Admin panel
- Anti-cheat
You're competing in a CTF hosted on CTFHive.
- Joining an event
- Submitting flags
- WireGuard setup — required for lab challenges
You're deploying or maintaining a CTFHive instance in production.
You're running the multi-tenant SaaS control plane.
Key features
- Per-team flag derivation — every flag is HMAC-SHA3-256 keyed on the team secret and challenge ID; a leaked flag from one team is cryptographically invalid for all others.
- Ephemeral Docker labs — dynamic challenges spawn per-team containers with optional WireGuard VPN isolation (LAB_ENABLED=true).
- Tamper-evident audit log — every privileged action is chained with HMAC signatures; retroactive log modification is detectable.
- Redis-backed rate limiting — per-Redis sliding-window counters survive gunicorn multi-worker deployments.
- Flask 3 + HTMX — snappy admin panel with no JavaScript framework build toolchain.
- Graceful Redis degradation — the app keeps serving from the database if Redis is unreachable.
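
How an HMAC-chained audit log makes retroactive edits detectable, shown as an added example that is not CTFHive's own code. The record layout, the all-zero genesis value, the choice of HMAC-SHA3-256 for the chain and all function names are assumptions; the sample actions are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value chained into the first record


def record_mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """MAC over the previous record's MAC plus this entry (assumed layout)."""
    # Canonical JSON so the same entry always serialises to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_mac.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha3_256).hexdigest()


def append(log: list, key: bytes, actor: str, action: str) -> None:
    """Append a privileged action, binding it to the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action}
    log.append({"entry": entry, "mac": record_mac(key, prev, entry)})


def first_bad_record(log: list, key: bytes):
    """Return the index of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = record_mac(key, prev, rec["entry"])
        seq_ok = rec["entry"].get("seq") == i
        # Constant-time comparison of the stored and recomputed MACs.
        if not seq_ok or not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev = rec["mac"]
    return None


def build_sample_log(key: bytes) -> list:
    """Constructed sample data: three privileged admin actions."""
    log = []
    append(log, key, "admin", "challenge.create web-100")
    append(log, key, "admin", "team.ban team-7")
    append(log, key, "admin", "score.adjust team-3 +500")
    return log


if __name__ == "__main__":
    key = b"constructed-audit-key"  # placeholder, not a real secret
    log = build_sample_log(key)
    log[1]["entry"]["action"] = "team.ban team-9"  # simulated retroactive edit
    print("first bad record:", first_bad_record(log, key))
```

Dropping records from the end leaves a shorter chain that still verifies, so the latest MAC or the record count has to be kept somewhere the log writer cannot rewrite.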
Documentation status
These docs cover the ctfapp/ per-tenant app. Control plane documentation is written separately under Control Plane. Some advanced features (WireGuard VPN labs, multi-worker production tuning) are documented as stubs and will be filled in as the platform matures.