Skip to main content

Overview

Challenges are the core of CTF games. This API provides endpoints for creating, updating, and managing challenges, flags, and dynamic containers.
Most challenge management endpoints require Admin privileges and are part of the Edit API.

Challenge CRUD

Create Challenge

Add a new challenge to a game.

POST /api/edit/games//challenges

id
integer
required
Game ID
title
string
required
Challenge title
type
string
required
Challenge type: StaticAttachment, StaticContainer, DynamicAttachment, DynamicContainer
category
string
required
Challenge category (e.g., Web, Crypto, Pwn, Reverse, Misc)
{
  "title": "SQL Injection 101",
  "type": "StaticContainer",
  "category": "Web"
}

List Challenges

Get all challenges for a game.

GET /api/edit/games//challenges

[
  {
    "id": 1,
    "title": "Web Challenge",
    "type": "StaticContainer",
    "category": "Web",
    "score": 100,
    "isEnabled": true,
    "solvedCount": 45
  }
]

Get Challenge Details

Retrieve full challenge information including flags.

GET /api/edit/games//challenges/

id
integer
required
Game ID
cId
integer
required
Challenge ID
{
  "id": 1,
  "title": "SQL Injection 101",
  "description": "Find the vulnerability...",
  "category": "Web",
  "type": "StaticContainer",
  "isEnabled": true,
  "enableTrafficCapture": false,
  "tag": "easy",
  "hints": ["Try union-based injection", "Check error messages"],
  "flags": [
    {
      "id": 1,
      "flag": "flag{sql_1nj3ct10n}",
      "attachmentType": null
    }
  ],
  "attachment": {
    "type": "None",
    "url": null
  },
  "containerImage": "ctf/sql-challenge:latest",
  "containerExposePort": 80,
  "cpuCount": 1,
  "memoryLimit": 64,
  "storageLimit": 256,
  "originalScore": 500,
  "minScoreRate": 0.25,
  "difficulty": 3.5,
  "acceptedCount": 45
}

Update Challenge

Modify challenge properties.

PUT /api/edit/games//challenges/

id
integer
required
Game ID
cId
integer
required
Challenge ID
title
string
Challenge title
description
string
Challenge description (supports Markdown)
category
string
Challenge category
hints
array
Array of hint strings
isEnabled
boolean
Enable/disable challenge visibility
tag
string
Challenge tag (e.g., easy, medium, hard)
enableTrafficCapture
boolean
Enable traffic capture for container challenges
originalScore
integer
Base score for the challenge
minScoreRate
number
Minimum score rate (0.0-1.0) for dynamic scoring
difficulty
number
Difficulty coefficient for scoring calculation
{
  "title": "Advanced SQL Injection",
  "description": "Updated description...",
  "isEnabled": true,
  "hints": ["New hint 1", "New hint 2"],
  "originalScore": 600
}
Enabling a challenge without flags will fail. Ensure at least one flag is added before enabling.

Delete Challenge

Remove a challenge from a game.

DELETE /api/edit/games//challenges/

This will destroy all associated containers and remove the challenge from the scoreboard.

Flag Management

Add Flags

Add one or more flags to a challenge.

POST /api/edit/games//challenges//flags

flags
array
required
Array of flag objects
[
  {
    "flag": "flag{first_flag}",
    "attachmentType": null
  },
  {
    "flag": "flag{second_flag}",
    "attachmentType": "Local"
  }
]
For DynamicContainer challenges, use flag templates like flag{[GUID]} or flag{[TEAM_HASH]} instead of static flags.

Delete Flag

Remove a flag from a challenge.

DELETE /api/edit/games//challenges//flags/

fId
integer
required
Flag ID

Container Management

Container Types

TypeDescription
StaticContainerSingle shared container for all teams
DynamicContainerUnique container instance per team with dynamic flags

Container Configuration

containerImage
string
Docker image name (e.g., ctf/web-challenge:latest)
containerExposePort
integer
Port to expose from container (1-65535)
cpuCount
integer
default:"1"
Number of CPU cores to allocate
memoryLimit
integer
default:"64"
Memory limit in MB
storageLimit
integer
default:"256"
Storage limit in MB
networkMode
string
default:"Open"
Network mode: Open, Isolated, Custom

Create Test Container

Launch a test container instance for challenge verification.

POST /api/edit/games//challenges//container

Test containers use the prefix “admin” and are for admin testing only.
{
  "containerId": "a1b2c3d4e5f6",
  "entry": "http://test.ctf.local:31337",
  "flag": "flag{test_flag_12345}",
  "startedAt": "2026-03-01T12:00:00Z",
  "expectStopAt": "2026-03-01T14:00:00Z"
}

Destroy Test Container

Stop and remove a test container.

DELETE /api/edit/games//challenges//container

Attachments

Update Attachment

Add or update challenge attachments.

POST /api/edit/games//challenges//attachment

This endpoint is for static attachments only. Use dynamic assets API for DynamicAttachment challenges.
attachmentType
string
required
Type: None, Local, Remote
remoteUrl
string
URL for remote attachments
fileHash
string
Hash of uploaded local file
{
  "attachmentType": "Remote",
  "remoteUrl": "https://example.com/challenge-file.zip"
}
Upload files to /api/assets first to get the file hash, then reference it in the attachment.

Traffic Capture

For container challenges, traffic capture can be enabled to record network activity.

Enable Traffic Capture

Set enableTrafficCapture: true when updating the challenge.

Get Capture Files

GET /api/game/captures//

List traffic capture files for a team.
challengeId
integer
required
Challenge ID
partId
integer
required
Team participation ID
Requires Monitor permission.

Download Capture

GET /api/game/captures///

Download a specific capture file.

Challenge Types Reference

Simple challenge with a downloadable file attachment. Flag is static and shared across all teams.
  • No containers
  • One or more static flags
  • Optional attachment (local or remote)
Container-based challenge with shared instance. All teams connect to the same container.
  • Single shared container
  • Static flags
  • Requires container configuration
Generates unique attachments per team with embedded dynamic flags.
  • No containers
  • Flag template required (e.g., flag{[GUID]})
  • Dynamic attachment generation
Unique container per team with dynamic flags injected at runtime.
  • Individual containers per team
  • Flag template required
  • Resource-intensive but prevents flag sharing

Next Steps

Game API

Game management endpoints

Admin API

Administrative operations

Build docs developers (and LLMs) love

Get started for freeTalk to us