Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit

Capture The Flag

Objectives

1. Find vulnerabilities in web application(s) and then take advantage of them.  Addendum: there are also fun puzzles!

Overview

The Capture The Flags (CTF) game will be played starting on Monday, July 7th.  The game will be played in *teams*, and the game will be opened for a little over two week.

In this traditional game, you will be finding and exploiting vulnerabilities in a series of applications, mainly web, to gain access to information you should not have access to. The goal is to find the "flags" placed on the server or servers. As in the past, I will tell you how many flags I have planted. I will also provide an obscure hint for each of them.

Instructions

You will have one week to play the game.

The game: http://cyberelephant.org/

The scoreboard: http://cyberelephant.org/scoreboard

Logistics

l Teams will be created, and submission keys will be distributed to each team by Tuesday, March 11th. NOTE: students in the online section will be grouped with other students in the online section and not with those in the in-person section!

l CTF game opens on Monday, July 7th at 11:59 PM Eastern Time.

l CTF game closes on Wednesday, July 23rd 11:59 PM Eastern Time.

l CTF write-up due, in PDF format, on Tuesday, July 29th at 11:59 PM Eastern Time. One submission per team. No grace period.

l 

A Flag

In the style of many Security Capture The Flag games, the format of a flag will look like this: key{flag}. Examples: key{somelongstringthatrepresentshteflag}or key{334359b051f4dda20937055605b3706dfe91d6c8} or key{Rdhvsnk Qngn Oernpu (2017)}). Each flag will worth a certain value: 100 points, 200 points, 300, and 400 points. You will be given a unique key to submit flags, to be posted in Canvas under your grading for this lab.

Scoring

There will be a scoreboard. The scoreboard will display a hint for each flag, and the scores for each player. This is also where you will submit flags. The scoreboard is available at http://cyberelephant.org/scoreboard

Assessment

There will be two components for grading:

1. Your team's score for the game (15 points)

2. Your team's CTF writeup (15 points)

Ground Rules

1. Should you tamper with the scoreboard or flag submission system, 100 points will be deducted from your score for each attempt.

Preparing to Play

l It is important that you tinker with the applications.

l Use your creativity. That is, if you were an attacker, what would do?

l Be sure to view the source of all the web pages and relevant files.

l For some challenges (flags), some programming or scripting may be necessary.

l Resources that would be ideal to have for the game: SQL reference, a proxy (e.g., Burp Suite), Kali Linux. You are encouraged to use tools that are on Kali Linux.

The CTF Write-Up

Your team will produce a write-up that is submitted electronically in PDF format, one submission per team.

So what constitutes a good CTF write-up? For each flag that you finds, the following information should be provided:

l A screenshot of the flag

l The exact location of the flag (path or file name)

l The exploit or methodology used to find the flag

In addition, an Executive Summary, Lessons Learned, and Conclusion sections are necessary.

A good example of a CTF write-up is https://tcode2k16.github.io/blog/posts/picoctf-2018-writeup/web-exploitation (Pico CTF 2018 Web Exploitation Writeup). A list of CTF write-ups can be found at https://ctftime.org/writeups and at https://github.com/VulnHub/ctf-writeups.