Thunder CTF allows players to practice attacking vulnerable cloud projects on Google Cloud Platform (GCP). In each level, players are tasked with exploiting a cloud deployment to find a "secret" integer stored within it. Key to the CTF is a progressive set of hints that can be used by players when they are stuck so that levels can be solved by players of all levels from novices to experts.

Talk | Slides

Thunder CTF deploys level infrastructure on demand to a player's Google Cloud Platform project. Players new to Google Cloud can get a free $300 credit here. Thunder CTF is very cheap to run, with its resource consumption fitting almost entirely into GCP's free tier. To save cloud credits, we recommend deploying levels only while you are playing and destroying them as soon as levels are completed.

The CTF is played through Cloud Shell, a command line interface that is already set up for accessing cloud resources. It can be accessed by clicking on the Cloud Shell icon in the GCP console:

After creating a new project and enabling billing for it, simply open Cloud Shell and run the following commands to set up the CTF

gcloud config set project [PROJECT-ID]
virtualenv -v env-tctf
source env-tctf/bin/activate
git clone https://github.com/NicholasSpringer/thunder-ctf.git
cd thunder-ctf
pip3 install -r requirements.txt
python3 thunder.py activate_project [PROJECT-ID]

You are now ready to play the CTF! A full list of commands can be found by running:

python3 thunder.py help

Levels:

thunder/a1openbucket
thunder/a2finance
thunder/a3password
thunder/a4error
thunder/a5power
thunder/a6container

Level Development

Thunder CTF was built to be extensible, and we encourage players to make their own levels. For more information on how to create a level, visit the Level Development Guide and the Thunder CTF framework documentation.