HW3 - CTF Competition | Computer Security (Fall 2024)

HW3 - CTF Competition

Objectives

In this homework, you will be introduced to cybersecurity capture the flag (CTF) competition-style challenges. CTFs are a valuable way to keep building ethical hacking experience after this course ends. In these challenges, you will be able to apply the vulnerabilities and attack vectors covered throughout the course.

Background

Capture the flag (CTF) competitions are one of the most widely used ways to build and demonstrate software security skills. In general, there are two types of CTF competitions:

  1. Jeopardy-style competitions. These competitions involve participants solving self-contained challenge problems. Each problem usually revolves around identifying a security flaw in the provided software, website, service, or data. By exploiting this flaw, participants cause a security breach that yields a flag (usually a simple string). Flags are submitted to the competition scoreboard and participants are awarded points based on the difficulty of the challenge. The winner is the user or team who accumulates the largest number of points. Challenges are often grouped into categories and presented on a board similar to the game show Jeopardy (hence the name).

  2. Attack-defense competitions. In these competitions, each team is provided with one or more software services that hold the team's flags. The goal is to break into other teams' services to steal their flags while hardening your own team's services to avoid compromise. Points are awarded for (i) the uptime and correct operation of your team's services and (ii) the flags you steal from other teams. Points are deducted for flags stolen from your services. The winner is the user or team who accumulates the largest number of points.

You are going to get experience with the kind of challenges found in a Jeopardy-style competition by completing challenges from past picoCTF competitions. picoCTF competitions are run by Carnegie Mellon University (CMU) and are aimed at students. Past competition challenges have been collected into the picoGym, which is where we will be completing challenges.

Requirements

You have been sent a picoCTF account via email. Please log in with that information and change your password after joining. Do not change your username.

You should do challenges in the picoGym.

You must not look up solutions for any of the challenges! If you are caught doing so, you will automatically receive a 0 on this project. picoGym has built-in functionality that will detect and report cheating.

But you may work together to complete challenges! Half the fun of doing CTF-style challenges is discussing them and thinking them through with others. However, in your write-up, you must include details of anyone you spoke to or worked with on any challenge.

Challenges and Grading Rubric

You should focus on completing challenges in the categories listed below; only these categories count toward the primary grade. Note that "hard" challenges are not included in the primary grade.

Each easy challenge is worth 2 points and each medium challenge is worth 3 points. Your score is capped at 115 total points, which corresponds to a grade of 115% (a 15% bonus). The categories offer far more than 115 points in total, so you do not need to complete every challenge to reach the cap.

  • General Skills (34 easy, 17 medium)
  • Binary Exploitation (2 easy, 22 medium)
  • Cryptography (4 easy, 32 medium)

All challenges should be completed in the picoGym.

Hard Challenges (15% bonus)

Complete three hard challenges in any category and receive an additional 15% bonus.

Resources

picoCTF provides a lot of learning material and resources you can leverage to help you complete these challenges. There is also a Discord server run by picoCTF where you can ask for help.

Submission

You should submit a single PDF document to Blackboard with the following information:

  • Your username on picoCTF
  • Anyone you worked with and on what challenges (be specific per challenge)
  • The number of challenges completed in easy, medium, and hard as of the due date (note that we can check this)
    • This should be a PDF/printout of your progress page from picoCTF
  • Choose TWO challenges that you found interesting (these should be on the harder end of easy or a medium challenge). For each, include the name of the challenge and a short (1-2 paragraph) description of how you solved it and why it was interesting.

Failure to include two challenge descriptions will result in a 10% deduction in your grade.

Note that your instructor may follow up and ask you to describe a randomly chosen challenge that you completed. If you cannot explain how you solved it, this may result in additional deductions.

Note we will check your challenge descriptions for plagiarism. You must write these yourself, and not use online guides.

Late Policy

As outlined in the syllabus homework late policy, this homework assignment is due on the date specified. Once during the semester, you may request a three-day extension without any explanation for any homework assignment. If you have already used your three-day extension on a different assignment, you may submit this assignment up to three days late for 75% credit (a 25% deduction). If you cannot do so, you may submit the assignment any time before the final lecture for 50% credit.

Acknowledgement

This assignment is adapted from Scott Ruoti and Daniel Zappala. Thank you!