HW3 - CTF Competition | Computer Security (Fall 2024)

HW3 - CTF Competition

Objectives

In this homework, you will be introduced to cybersecurity capture the flag (CTF) competition-style challenges. This will become a valuable tool to gain experience with ethical hacking after this course. In these CTF challenges, you will be able to leverage all the vulnerabilities and attack vectors learned throughout the course.

Background

Capture the flag (CTF) competitions are the premier method for building and demonstrating skills with software security. In general, there are two types of CTF competitions:

  1. Jeopardy-style competitions. These competitions involve participants solving self-contained challenge problems. These problems usually revolve around identifying a security flaw in the provided software, website, service, or data. Leveraging this flaw, participants cause a security breach that provides them with a flag (usually a simple string). These flags are submitted to the CTF competition, and participants are awarded points based on the difficulty of the challenge. The winner of the competition is the user or team who accumulates the largest number of points. These challenges are often grouped into categories and presented on a board similar to the game of Jeopardy (hence the name).

  2. Attack and defend competitions. In these competitions, each team is provided with one or more software services that manage a team's flags. The goal of the competition is to break into other teams' services to steal their flags, while properly hardening your team's services to avoid compromise. Points are awarded for (i) the uptime and correct operation of your team's services and (ii) the flags you stole from other teams. Points are deducted for the flags stolen from your services. The winner of the competition is the user or team who accumulates the largest number of points.

You are going to get experience with the challenges found in a Jeopardy-style competition by completing challenges from past picoCTF competitions. picoCTF competitions are run by Carnegie Mellon University (CMU) and are aimed at students. Past competition challenges have been collected into their picoGym, and this is where we will be completing challenges.

Requirements

First, you must sign up for a picoCTF account and join our classroom:

  1. Visit https://play.picoctf.org/login.
  2. Sign up for an account.
  3. Visit https://play.picoctf.org/classrooms.
  4. Click “Join a Classroom” and use the following code to join our classroom: TBA

You are now free to complete whatever challenges you want.

You must not look up solutions for any of the challenges! If you are caught doing so, you will automatically receive a 0 on this project. picoGym has built-in functionality that will detect and report cheating.

But you may work together to complete challenges! Half the fun of doing CTF-style challenges is discussing them and thinking them through with others. However, in your write-up, you should include details of anyone you spoke to or worked with on any challenge.

Grading Rubric

Note that we will determine a numeric grade roughly on the following scale.

  • 150% - 3000 points
  • 125% - 2000 points
  • 100% - 1000 points
  • 90% - 700 points
  • 80% - 400 points
  • 70% - 200 points
  • 60% - 100 points
  • 50% - 50 points
  • 0% - < 50 points

For point values that fall between two percentages, say 450 points, the grade will be determined by taking a percentage of the spread in the point values. For example, 450 points would be 80% + (50/300)*10% or 81.6%, while 550 points would be 80% + (150/300)*10% or 85%.

Yes, you can score more than 100% on this assignment! There are lots of points to be had. But many challenges are very difficult.

Submission

You should submit a single PDF document to Blackboard with the following information:

  • Your username on picoCTF
  • Anyone you worked with and on what challenges
  • The number of points earned at the due date
  • Choose TWO challenges that you found interesting; include the name of the challenge and a short (1-2 paragraph) description of how you solved it.

Failure to include two challenges will result in a 5% deduction in your grade.

Note that your instructor will follow up and ask you to describe a random challenge that you completed. If you cannot describe how you did it, this may result in additional deductions.

Late Policy

As outlined in the syllabus homework late policy, this homework assignment is due on the date specified. Once during the semester, you may request a three-day extension without any explanation for any homework assignment. If you have already used your three-day extension on a different assignment, you may submit this assignment three days late for 25% credit. If you cannot do so, you may submit the assignment any time before the final lecture for 50% credit.

Acknowledgement

This assignment is adapted from Scott Ruoti and Daniel Zappala. Thank you!