ctfd-mcp
MCP server for CTFd that lets regular users browse challenges, manage dynamic instances, and submit flags.
CTFd MCP server (user scope)
MCP server that lets a regular CTFd user list challenges, read details, start/stop dynamic docker instances, and submit flags.
Requirements
- Python 3.13 (managed by
uv). - Environment variables (choose one auth method):
CTFD_URL(e.g. https://ctfd.example.com)CTFD_TOKEN(user token, not admin) orCTFD_SESSION(session cookie if tokens are disabled).CTFD_CSRF_TOKEN(optional, only if the server/plugin requires CSRF for ctfd-owl).
You can store them in a .env file in the repo root:
CTFD_URL=https://ctfd.example.com/
CTFD_USERNAME=your_username
CTFD_PASSWORD=your_password
# or, if you prefer to use a token:
# CTFD_TOKEN=your_ctfd_api_token_here
# or, if tokens are disabled:
# CTFD_SESSION=your_session_token_here
# and, if the owl plugin enforces CSRF:
# CTFD_CSRF_TOKEN=your_csrf_token_here
Install
- From PyPI (recommended):
uvx ctfd-mcp --help - From source checkout (no install):
uvx --from . ctfd-mcp --help
Run MCP server (stdio)
# installed from PyPI
uvx ctfd-mcp
# from local checkout
uvx --from . ctfd-mcp
Cursor and Claude MCP config example
{
"mcpServers": {
"ctfd-mcp": {
"command": "uvx",
"args": ["ctfd-mcp"],
"env": {
"CTFD_URL": "https://ctfd.example.com",
"CTFD_TOKEN": "your_user_token"
}
}
}
}
Codex MCP config example
[mcp_servers.ctfd-mcp]
command = "uvx"
args = ["ctfd-mcp"]
[mcp_servers.ctfd-mcp.env]
CTFD_URL = "https://ctfd.example.com"
CTFD_TOKEN = "your_user_token"
Exposed tools
list_challenges(category?, only_unsolved?)— list visible challenges, optional category/unsolved filter.challenge_details(challenge_id)— description (HTML +description_text), metadata, attachment URLs, solved status.submit_flag(challenge_id, flag)— attempt a flag; returns status/message.start_container(challenge_id)— unified start; auto-detects dynamic_docker, ctfd-owl or k8s/api/v1/k8s.stop_container(container_id?, challenge_id?)— unified stop; whale can be stopped with justcontainer_id, owl/k8s needchallenge_id.
Attachments are returned as absolute URLs in files; the client/host can fetch them directly.
MCP resources
resource://ctfd/challenges/{challenge_id}— markdown snapshot of a challenge (metadata, description, attachment URLs, connection info if present).
Error handling
- Missing env/config -> clear MCP error.
- 401/403 -> auth failed, check token or session cookie.
- 404 -> not found (or dynamic container API missing).
- 429 -> rate limited (Retry-After if present).
- Other HTTP/API errors -> surfaced as MCP errors with CTFd message/status.
Notes and troubleshooting
- Dynamic containers require the ctfd-whale (dynamic_docker) plugin on the target CTFd; otherwise
/api/v1/containersreturns 404. - Owl challenges (
dynamic_check_docker) use a different endpoint:/plugins/ctfd-owl/container?challenge_id=<id>. They usually require a session cookie, and some setups require a CSRF token; setCTFD_CSRF_TOKENif needed. - Some events expose Kubernetes-backed instances at
/api/v1/k8s/{get,create,delete}with multipart form data; the client will try these when the challenge type includesk8s(or when a dynamic_docker endpoint is missing). - If the server redirects you to
/login(302) when using a token, switch to a browser session cookie: setCTFD_SESSIONfrom thesessioncookie after logging in. - The client now supports logging in with
CTFD_USERNAMEandCTFD_PASSWORD; these fields take precedence over stale tokens/sessions. - Auth priority: username/password first, then token, then session cookie. Lower-priority credentials are ignored when a higher-priority option is present.
Support / feedback
If something breaks or you have questions, reach out:
- Telegram: @ismailgaleev
- Jabber: [email protected]
- Email: [email protected]
Testing
- Run
uv run pytest. - Timeouts are configurable via env:
CTFD_TIMEOUT(total),CTFD_CONNECT_TIMEOUT,CTFD_READ_TIMEOUT(seconds). Defaults are 20s total / 10s connect / 15s read.
Development
- Dev dependencies:
uv sync --group dev - Lint/format:
uv run ruff check .anduv run ruff format . - Tests:
uv run pytest - Pre-commit:
uv run pre-commit install(seeCONTRIBUTING.md)
License
Apache-2.0. See LICENSE.
相关服务器
Scout Monitoring MCP
赞助Put performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
赞助Access financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
shadcn/ui
Provides structured data for shadcn/ui components, including descriptions, installation instructions, usage examples, and props.
Flux Schnell MCP Server
A text-to-image generation server using the Flux Schnell model.
Manual Tests MCP Server
A YAML-based server for managing manual test cases with tools for test automation workflows.
Android MCP Server
Control Android devices via the Android Debug Bridge (ADB).
Freento MCP Server
Freento MCP Server connects AI assistants to a Magento 2 store via the Model Context Protocol, enabling secure access to products, customers, and order data through a standardized API.
SAME (Stateless Agent Memory Engine
Your AI's memory shouldn't live on someone else's server — 12 MCP tools that give it persistent context from your local markdown, no cloud, no API keys, single binary.
OpenAPI Schema Explorer
Token-efficient access to OpenAPI/Swagger specs via MCP Resources
Ant Design
Access comprehensive documentation for Ant Design components, including examples, API references, and best practices.
Agentic Tools MCP Companion
A VS Code extension with a GUI for the agentic-tools-mcp server, enhancing task and memory management.
Burp Suite
Integrate Burp Suite with AI clients using the Model Context Protocol (MCP).