This project provides a complete Capture The Flag (CTF) environment based on Open WebUI with LLM prompt injection challenges.
- Ubuntu 20.04/22.04/24.04 or Debian-based Linux (for automatic setup)
- At least 8GB of RAM available
- 20GB of free disk space (for models and containers)
- (Optional BUT HIGHLY RECOMMENDED) NVIDIA GPU for better performance
-
Clone the repository (or ensure all files are in place):
# Your project structure should look like: openwebui_ctf/ ├── .env ├── Dockerfile.ctfsetup ├── Dockerfile.jupyter ├── Dockerfile.ollama ├── Dockerfile.openwebui ├── README.md ├── docker-compose.yml ├── docker-compose.override.yml ├── setup.sh └── openwebui/ ├── functions/ │ ├── flag_check_filter.py.template │ ├── image_text_filter.py │ ├── input_filter.py │ ├── output_filter.py.template │ └── output_filter_2.py.template ├── knowledge/ │ ├── stargate_secret.txt.template │ └── stargate_users.txt ├── pipelines/ │ ├── email_summarizer.py.template │ └── prompt_guard.py └── tools/ │ └── calculator.py ├── ctf_config.json.template ├── run_setup.sh └── setup.py -
Install Pre-requisites:
To install Docker, GPU drivers, and other prerequisites, run the following:
./setup -a -n
After setup is completed, you will need to reboot.
-
Configure the CTF Environment:
After installing the pre-requisites and rebooting, run:
./setup --ctf
-
Wait for services to be ready (about 2-3 minutes), then check status:
docker compose logs -f ctf-setup # Watch setup progress -
Access the CTF:
- Open WebUI: http://localhost:4242
- Admin User:
[email protected]/ctf_admin_password - Standard User:
[email protected]/Hellollmworld!
-
Modifying the flags and credentials
The
.envfile contains all of the flags, credentials, and other settings.Note that files containing flag placeholders (e.g. ${CTF_CHALLENEGE_FLAG_1) end in .template. These files will be dynamically updated during the setup process. The flag placeholders are replaced with the corresponding flags in the .env file.
-
Modifying the system prompts
The system prompts for each challenge can be found in
openwebui/ctf_config.json.template.Be careful not to modify the placeholder for the flags.
-
Adding/modifying challenges
The challenges are also found in
openwebui/ctf_config.json.template.
The CTF includes 11 challenges:
- Challenge 1: Hello prompt injection! - Basic prompt injection
- Challenge 2: System Prompt Protection - Bypass system prompt protections
- Challenge 3: Input Filtering - Defeat input filters
- Challenge 4: Output Filtering - Bypass output filters
- Challenge 5: LLM Prompt Guard - Defeat ML-based prompt injection detection
- Challenge 6: All Defenses - Defeat all of the prior defenses applied to on model
- Challenge 7: Code Interpreter - Find the flag on disk using code execution via the interpreter
- Challenge 8: Calculator Agent - Abuse the calculator to find the flag on disk
- Challenge 9: RAG - Find the flag in the documents
- Challenge 10: Email Summarizer - Trick the email summarizer into sending an email to a target, which will give you the flag
- Challenge 11: Multi-Modal - Use a method other than text to retrieve the flag
The CTF has a model that users can use to check if a flag is correct.
The model is Flag Checker and can be selected just like any of the challenges can be.
Send a potential flag as a prompt and it will tell you if it was correct or not.
This model is templated, so it is dynamically updated when flags are changed in the .env file.
| Service | Port | Description |
|---|---|---|
| Open WebUI | 4242 | Main CTF interface |
| Ollama | 11434 | LLM model server |
| Pipelines | 9099 | Custom processing pipelines |
| Jupyter | 8888 | Code execution environment |
# All services
docker compose logs -f
# Specific service
docker compose logs -f open-webuidocker compose restartdocker compose down -v # Remove all data
docker compose up -d # Start freshdocker compose downSometimes you might receive an error message (typically about JSON parsing or unexpected characters) when entering a prompt to one of the challenges. Logging out and logging back in seems to clear the issue in most cases. We will investigate this error further.
The CTF can run without a GPU but it will be very, very slow.
If the Llama model fails to download:
docker exec -it ollama ollama pull llama3.1:8bCheck the setup logs:
docker compose logs ctf-setupIf setup fails, you can run it manually:
docker compose run --rm ctf-setupIf ports are already in use, modify the .env file to change port mappings.
Without spoiling the challenges, here's where flags are stored:
- Challenges 1-6: In the system prompts of each model
- Challenge 7: In the Jupyter container filesystem
- Challenge 8: In the open-webui container filesystem
- Challenge 9: In one of the RAG documents
- Challenge 10: The flag will be returned if the email summarizer sends a specific email to a target recipient
- Challenge 11: In the system prompt of the model
By default, users can sign themselves up.
To add more CTF participants as part of the automation process, modify openwebui/ctf_config.json.template and add users to the users array, then re-run the setup:
docker compose run --rm ctf-setupGood luck with the CTF! 🚩