Intro to Cybersecurity CS116 Prof: Ming Chow Lab 8:
Find vulnerabilities in web application(s) and then take advantage of them. Addendum: there are also fun puzzles!
The Capture The Flags (CTF) game will be played starting on Monday, October 30th. We will NOT be meeting for class that entire week. The game will be played in teams, and the game will be opened for a little over one week.
In this traditional game, you will be finding and exploiting vulnerabilities in a series of applications, mainly web, to gain access to information you should not have access to. The goal is to find the "flags" placed on the server or servers. As in the past, I will tell you how many flags I have planted. I will also provide an obscure hint for each of them.
You will have one week to play the game.
The game: http://35.238.252.88/
The scoreboard: http://35.238.252.88/scoreboard/
Teams will be created, and submission keys will be distributed to each team by Monday, October 23rd.
CTF game opens on Monday, October 30th at 4:30 PM Eastern Time. No class meeting the entire week of Monday, October 30th! No Twitch as well.
CTF game closes on Monday, November 6th at 11:59 PM Pacific Time.
No classes on Tuesday, November 7th (University schedule change).
CTF write-up due, in PDF format, on Wednesday, November 8th at 11:59 PM Pacific Time. One submission per team. No grace period.
Lab 9, which depends on the source code of the CTF game, opens on Thursday, November 9th in the morning.
In the style of many Security Capture The Flag games, the format of a flag will look like this: key{flag}. Examples: key{somelongstringthatrepresentstheflag} or key{334359b051f4dda20937055605b3706dfe91d6c8}. Each flag will be worth a certain value: 100, 200, 300, or 400 points. You will be given a unique key to submit flags, to be posted in Canvas under your grading for this lab.
There will be a scoreboard. The scoreboard will display a hint for each flag, and the scores for each player. This is also where you will submit flags. The scoreboard is available at http://35.238.252.88/scoreboard/
There will be two components for grading:
Your team's score for the game (15 points)
Your team's CTF writeup (15 points)
Should you tamper with the scoreboard or flag submission system, 100 points will be deducted from your score for each attempt.

Preparing to Play
It is important that you tinker with the applications. Use your creativity. That is, if you were an attacker, what would you do? Be sure to view the source of all the web pages and relevant files. For some challenges (flags), some programming or scripting may be necessary. Resources that would be ideal to have for the game: a SQL reference, a proxy (e.g., Burp Suite), and Kali Linux. You are encouraged to use tools that are on Kali Linux.
Your team will produce a write-up that is submitted electronically in PDF format, one submission per team.
So what constitutes a good CTF write-up? For each flag that you find, the following information should be provided:
A screenshot of the flag
The exact location of the flag (path or file name)
The exploit or methodology used to find the flag
In addition, Executive Summary, Lessons Learned, and Conclusion sections are required.