CookieFarm is an Attack/Defense CTF framework inspired by DestructiveFarm, developed by the Italian team ByteTheCookies. Its strength lies in a hybrid Go + Python architecture and a zero-distraction philosophy:
🎯 Your only task is to write the exploit!
CookieFarm automates exploit distribution, flag submission, and result monitoring — allowing you to focus entirely on building powerful exploits.
bash -c "$(curl -sSL cookiefarm.bytethecookies.org/install.sh)"Note
If you need a manual setup check out the official docs
pip install --upgrade cookiefarm requests
Tip
Check if all is good with ckc --version
if you have already installed using the script do simple:
docker compose up --build -d
- Clone the repository and navigate to the server directory:
git clone https://github.com/ByteTheCookies/CookieFarm.git
cd CookieFarm- Create an
.envfile in the server directory to configure the environment settings:
# Server configuration
DEBUG=false # Enable debug mode for verbose logging
PASSWORD=SuperSecret # Set a strong password for authentication
CONFIG_FILE=config.yml # Set if the server takes the config from config.yml in the filesystem; otherwise, do not set the variable
PORT=8080 # Define the port the server will listen onWarning
For production environments, set DEBUG=false and use a strong, unique password
- Create the config.yml file in the server directory to configure the services and teams:
configured: true
server:
url_flag_checker: "<ip_flagchecker>:<port_flagchecker>"
team_token: "<your_team_token>"
submit_flag_checker_time: 120
max_flag_batch_size: 1000
protocol: "cc_http"
tick_time: 120
start_time: <start_time>
end_time: <end_time>
flag_ttl: 5 # in ticks (if the ttl is 0, the flag will never expire)
shared:
services:
CookieService: 8081
format_ip_teams: "10.10.{}.1"
regex_flag: "[A-Z0-9]{31}="
range_ip_teams: 29
my_team_id: 1
nop_team: 0
url_flag_ids: "<address_of_flagIds>"
flagids_format: "[service].[team].[id]"- Start the server with Docker Compose:
docker compose -f compose.yml up --buildNote
For more configuration details, refer to the server documentation.
- Run the installation :
pip install --upgrade cookiefarm requestsNote
After installation, the ckc command is available globally in your terminal (or in your virtual environment if you are using one).
- Config the client by logging in with the server credentials:
ckc config edit -H 192.168.1.10 -p 8000- Log in and configure the client:
ckc login -P SuperSecret -u your_username- Install the Python helper module and create a new exploit template:
ckc exploit create -n your_exploit_nameThis will generate your_exploit_name.py in ~/.cookiefarm/exploits/.
- Run your exploit:
ckc exploit run -e your_exploit_name.py -n CookieService -t 120 -T 40Note
For more usage examples, check out the client documentation.
- Go client and server core – High‑performance scheduler in Go handles exploit parallelism, flag collection, and timed execution cycles.
- Python SDK – Simple client library: import, decorate/subclass, write your attack logic, done. [github]
- Automatic flag detection – Flags printed by your exploit are automatically collected by CookieFarm.
- Deduplication – Duplicate flags are filtered out before submission.
- Tick-based submission – Flags are submitted to the scoreboard automatically every tick.
- Scoreboard integration – End‑to‑end pipeline: exploit → Go server → scoreboard.
- Live dashboard – Monitor exploit runs, flag counts, and errors in real time from a clean web UI.
- Charts & analytics – Visualize performance with charts and analytics to understand how your exploits are doing over time.
- Easy configuration UI – Configure everything in the dashboard and let CookieFarm handle the rest.
exploit_managerdecorator – Wrap a plain function (e.g.def exploit(ip, port, name)) and let the SDK handle orchestration.- Target iteration handled for you – The SDK iterates over all targets/IPs, you just implement the exploit body.
- Parallel execution – Exploits are executed in parallel across all IPs for each service.
- Under‑10‑lines demo – A working exploit example fits in under 10 lines of Python using
requestsand@exploit_manager. - CLI integration – Run exploits easily with commands like
ckc exploit run -e exploit -n service - Team‑ready design – Built for competition environments; deploys quickly and scales with your team.
- Simple architecture – Clear separation: you write the Python exploit, CookieFarm runs the Go server, and flags land on the scoreboard.
- Live monitoring during CTFs – Combine the dashboard and analytics to keep track of your farm mid‑competition.
DestructiveFarm VS CookieFarm
See the full benchmark report here.
Reach out to the maintainer at one of the following places:
- GitHub Discussions
- Contact options listed on this GitHub profile
We welcome contributions, suggestions, and bug reports! See CONTRIBUTING.md for details on how to get involved.
The original setup of this repository is by ByteTheCookies.
For a full list of all authors and contributors, see the contributors page.
CookieFarm follows good practices of security, but 100% security cannot be assured. CookieFarm is provided "as is" without any warranty. Use at your own risk.
For more information and to report security issues, please refer to our security documentation.
This project is licensed under the GNU General Public License v3.
See LICENSE for more information.