How do you define a 'sandboxed' system? What if I choose to run the Wordpress/Django/Drupal/Whatever-CMS on a shared host? Cracking tools don't often take into account the negative effects on non-target hosts, nor are they generally tolerated by shell providers.
Hmm. I think my confusion comes from the assumption that each "fortress" (server) is a virtual server hosted by ctf365.
From their rules:
Don't try to conduct underground activities with your Fortress (system) from our platform in the Real World (e.g. using our platform to spam others, attack other servers on the internet and so on). We don't care who you are, but we do care what you are doing in our home (CTF365 Platform). Please remember that you are our guest and please behave accordingly.
I read this to imply that they will provide the "fortress". So when I say "sandboxed" system, I mean a system provided by ctf365 on their own infrastructure - infrastructure which permission is implicitly granted to attack.
For example, see 'Prohibited Usage' for Linode: https://www.linode.com/tos.cfm
Unless you're paying for raw bandwidth, you're subject to the ToS of each resource provider along the way.