Homework 3 - CTF Competition

Objectives

In this homework, you will be introduced to cybersecurity capture the flag (CTF) competition-style challenges. This will become a valuable tool to gain experience with ethical hacking after this course. In these CTF challenges, you will be able to leverage all the vulnerabilities and attack vectors learned throughout the course.

Background

Capture the flag (CTF) competitions are the premier method for building and demonstrating skills with software security. In general, there are two types of CTF competitions:

  1. Jeopardy-style competitions. These competitions involves participants solving self-contained challenge problems. These problems usually revolve around identifying a security flaw in the provided software, website, service, or data. Leveraging this flaw, participants will cause a security breach that provides them with a flag (usually a simple string). These flags are submitted to the CTF competition and participants are awarded points based on the difficulty of the challenge. The winner of the competition is the user or team who accumulates the largest number of points. These challenges are often grouped into categories and presented on a board similar to the game of Jeopardy (hence the name).

  2. Attack and defend competitions. In these competitions, each team is provided with one or more software services that manage a team’s flags. The goal of the competition is to break into other teams services to steal there flags, while properly hardening your team’s services to avoid compromise. Points are awarded for (i) the uptime and correct operation of your team’s services and (ii) the flags you stole from other teams. Points are deducted for the flags stolen from your services. The winner of the competition is the user or team who accumulates the largest number of points.

You are going to get experience with the challenges found in a Jeopardy-style competition by completing challenges from past picoCTF competitions. picoCTF competitions are run by Carnegie Mellon University (CMU) and are aimed at students. Past competition challenges have been collected into their picoGym and this is where we will be completing challenges.

Requirements

You need to create a picoCTF account. A invitation code has been sent to you via Blackboard to join a picoCTF classroom.

You should do challenges in the picoGym.

You must not look up solutions for any of the challenges! If you are caught doing so, you will automatically receive a 0 on this project. picoGym has built in functionality that will detect and report cheating.

But, you may work together to complete challenges! Half the fun of doing CTF style challenges is discussing them and thinking them through with others. However, in your write up, you should include details of anyone you spoke to or work with on any challenges.

Challenges and Grading Rubric

You should focus on completing challenges in the following areas included for grading. Note that “hard” challenges are not included in the primary grade.

Each easy challenge is worth 2 points and each medium challenge is worth 3 points. You can earn up to 115 total points for a grade of 115% (15% bonus)

  • General Skills (38 easy, 18 medium)
  • Binary Exploitation (3 easy, 26 medium)
  • Cryptography (6 easy, 32 medium)

All challenges should be completed in the PicoGym. You are required to choose:

  • 30 easy and 10 medium challenges
  • at least one challenge in each category, i.e., in easy general, medium general, easy binary, medium binary, easy crypto, medium crypto

In addition, choose TWO challenges that you found interesting (these should be on the harder end of easy or a medium challenge), include the name of the challenge and a short (1-2 paragraph) description for each challenge on how you solved it and why it was interesting. Each one is worth 5 points.

Hard Challenges 15% bonus

Complete three hard challenges in any category and receive an additional 15% bonus.

Resources

picoCTF has a lot of learning and resources you can leverage to help you complete these challenges. There is also a dischord channel that picoCTF runs where you can ask for help.

Submission

You should submit a single PDF document to blackboard with the following information:

  • Your username on PicoCTF
  • Anyone you worked with and on what challenges (be specific per challenge)
  • The number of challenges completed in easy, medium and hard at the due date. (Note that we can check this.)
  • This should be a pdf/printout of your progress from picoCTF
  • Include the writeup about the two interesting challenges in the submitted pdf.

Failure to include two challenges will result in a 10% deduction in your grade.

Note that your instructor will follow up and ask you to describe a random challenge that you completed. If you cannot describe how you did it, this may result in additional deductions.

Note we will check your challenge descriptions for plagiarism. You must write these yourself, and not use online guides.

Acknowledgement

This assignment is adopted from Scott Ruotti and Daniel Zappala. Thank you!