
Building a Lightweight Attack & Defence PvC Cyber Range Infrastructure for UiTM Player Training


Cyber Range Architecture

“A playground for learning, defending, and breaking — safely and legally.”

This project came together pretty ad hoc. One night, my CTF teammate called me and said, “Hey, our juniors just made it to the final round of a CTF — and it’s Attack & Defense PvC (Player vs Organizer)!”

I didn’t even think twice.

I grabbed my laptop, SSH-ed into my VPS, and just started building. No detailed plan, no fancy architecture diagram — just pure excitement and a sense of urgency to help them get ready.

That spontaneous decision kicked off a 4-day sprint of setting up this lightweight cyber range infrastructure from scratch.


🧠 What Is a Cyber Range?

A cyber range is a controlled, virtual environment used for cybersecurity training and testing. Think of it as a “digital warzone” where students or security enthusiasts can practice ethical hacking, defense strategies, and red-blue team simulations.


🛠️ Technology Stack

Here’s what powers the infrastructure:

  • Cloudflare: Protects the entry point, provides DDoS mitigation, and proxies the connection between the Player and the Organizer server.

  • NGINX: Acts as a reverse proxy, load balancer, and access gateway.

  • CTFd: A Capture The Flag platform for managing challenges and scoring.


  • Private Docker Registry (Harbor): Hosts container images for team services.


  • Webhook System: Triggers events for service deployment or updates.

  • Service Checker: Automates SLA checks and evaluates exploits. Simple but it works!

    • The request payload for a sanity check looks something like this:
      {
          "challenge_id": "team-b/web1",
          "team_id": "2",
          "is_deduct": false
      }
      
    • The response shows whether the system will deduct for SLA or for Exploit:
      {
          "sla_deduct": false,
          "exploit_deduct": true
      }
      
  • Custom Scoring Plugin: Integrates with CTFd to manipulate scores based on automated checks.


🔐 Architecture Overview

🔵 VPS Environment

Within the VPS environment:

  • NGINX serves as the core access point internally and externally.
  • CTFd handles player access, scoring, and challenge management.
  • Webhooks facilitate automatic deployment from the private registry.

🟥 DMZ (Demilitarized Zone)

  • Each team has a containerized service stack (deployed from the private registry).
  • Webhook listeners update services dynamically.
  • The service checker evaluates uptime and successful exploitation attempts.


🔄 Workflow

  1. Player accesses CTFd via Cloudflare + NGINX.
  2. Challenges are deployed to isolated team environments via webhook.
  3. Players interact with services directly or through provided endpoints.
  4. Service checker probes services for health checks and exploit validation.
  5. Score is updated via the custom CTFd plugin.

⚠️ Challenges Faced

Every good project comes with its set of hurdles. Here’s what I encountered while building this:

1. Limited VPS Resources

  • Running multiple containers with multiple services per team quickly consumed memory and CPU.
  • Needed to aggressively optimize container sizes and reduce logging overhead.

2. Security Isolation

  • Ensuring teams couldn’t interfere with each other’s environments required strict container networking rules.
  • Used Docker network namespaces and firewall rules to isolate each team.

3. Service Checker Design

  • Checker scripts had to account for unpredictable delays and buggy services.
  • Implemented retries, circuit breakers, and logging to detect unstable challenges.
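One way the checker's request/response contract from the Technology Stack section and the retry and circuit-breaker handling listed here could fit together, as an added example rather than this project's actual checker. The injected probe callables, the `unstable` field, the `apply_deduction` hook, and the reading of `is_deduct` as "apply the verdict to the score" are assumptions.

```python
import time

class CircuitBreaker:
    """Opens after `threshold` consecutive inconclusive checks, for `cooldown` seconds."""
    def __init__(self, threshold=3, cooldown=60.0, clock=time.monotonic):
        self.threshold, self.cooldown, self.clock = threshold, cooldown, clock
        self.failures, self.opened_at = 0, None

    def allow(self):
        if self.opened_at is not None and self.clock() - self.opened_at >= self.cooldown:
            self.failures, self.opened_at = 0, None  # cooldown over: probe again
        return self.opened_at is None

    def record(self, conclusive):
        self.failures = 0 if conclusive else self.failures + 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()

def with_retries(probe, attempts=3, delay=0.0):
    """Call probe() until it returns a verdict; exceptions (timeouts, resets) are retried."""
    for attempt in range(attempts):
        try:
            return bool(probe())
        except Exception:
            if attempt + 1 < attempts:
                time.sleep(delay)
    return None  # inconclusive: the checker never got an answer

def run_check(payload, sla_probe, exploit_probe, breakers, apply_deduction=None):
    """Build the checker response for one request payload (probes are hypothetical callables)."""
    key = (payload["team_id"], payload["challenge_id"])
    breaker = breakers.setdefault(key, CircuitBreaker())
    result = {"sla_deduct": False, "exploit_deduct": False}
    if not breaker.allow():
        return {**result, "unstable": True}  # flagged for the organizer, not scored
    up = with_retries(sla_probe)
    breaker.record(up is not None)
    if up is None:
        return result  # checker could not decide: do not penalise the team
    result["sla_deduct"] = not up
    if up:  # exploit validation only makes sense against a service that is serving
        result["exploit_deduct"] = with_retries(exploit_probe) is True
    if payload.get("is_deduct") and apply_deduction:  # assumed meaning of is_deduct
        apply_deduction(payload["team_id"], payload["challenge_id"], result)
    return result

if __name__ == "__main__":
    # Constructed sample: service up, organizer exploit still works, sanity check only.
    req = {"challenge_id": "team-b/web1", "team_id": "2", "is_deduct": False}
    print(run_check(req, lambda: True, lambda: True, {}))
```

A probe that returns `False` is a definite verdict and is scored; only probes that keep raising count toward opening the breaker, so a flaky challenge is flagged instead of costing the team points.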

As I said, I only started building this 4 days before the workshop 😅

I got a bit too excited thinking about how cool it would be to run a real CTF environment for the students. That excitement turned into a caffeine-fueled 4-day build sprint. No regrets though — seeing students engage hands-on with real infrastructure made it all worth it!
