Project 6: Capture the flag
This project is due at 11:59pm on Tuesday, April 14, 2020.
Description and Deliverables
In this project, you will gain hands on experience leveraging exploits to make a program do unexpected things that were not intended by the programmer. The assignment is structured as a Capture The Flag (CTF), which is a common format in cybersecurity competitions. You will be given access to a vulnerable program, and your task is to locate six flags hidden in the program and its surrounding files. You are required to find five flags; the sixth flag is considerably more challenging, and is worth bonus points.
To receive full credit for this project, you will turn in a single file:
- A file named flags.txt.asc that contains the flags that you will capture from the target program. This file must be signed using your private GPG key, and encrypted using the class public key with hash (2198D336CC2992B7A3EF396317B861D6C97422BF).
The exact format of this deliverable is described in detail below.
Getting Started with Expense Management
Happy Funtime Plastic Co, Inc. uses a piece of software developed in-house for tracking expenses made by employees. This software is run on the command line, and allows users to add expenses (with a description and an amount), view their saved expenses, and delete expenses that were entered incorrectly. The program uses a SQLite3 database to store expenses. The command line syntax of the program is as follows:
/home/accounting$ ./expense
This program allows users to track their expenses. It has commands for adding, viewing, and deleting
expenses. Administrators may add, view, or delete expenses for any user. The program also keeps a log
of all changes to facilitate offline auditing.
Usage: ./expense [--admin] <--command> [arguments]
Commands:
--help Displays this message
--add <Description> <Amount> Adds an expense for the current user
--list Lists all expenses for the current user
--del <ID> Deletes the current user's expense with the given ID
Additional commands are available to administrators. See the developer docs for more information.
The basic commands available to users are –add, –list, and –del. There are other commands and options available to system administrators; this additional functionality is accessed by passing the –admin option to the program. However, access to admin functionality is password protected.
As security auditors, you have been given access to the expense program in a secure environment for testing. To access the expense program, SSH into 3.17.151.125. For example:
$ ssh <user>@3.17.151.125
Your user
is your gitlab username.
As we have discussed in class, passwords are highly confidential information, and thus require extra care when sharing.
You will find your password committed in your gitlab repository as credential.txt.asc
. This file has been encrypted with your public key from Project 1, and you can decrypt it using a command like
$ gpg -d credential.txt.asc
The expense program is available in the /home/accounting directory.
The expense program is written in C. The (slightly redacted) source code for the program is available here.
Identifying Flags
Your goal is to locate the six flags hidden in the expense program and it’s surrounding files. You are required to find at least five flags; the sixth flag is a bonus. All flags are located somewhere within the the /home/accounting directory; there is no need to search other locations in the file system. All flags follow the following format:
SECRET_FLAG_<10 characters of random uppercase, lowercase, and digits>
For example, a secret flag might look like this:
SECRET_FLAG_PLf8DsT0xK
The secret flags can be anywhere within the /home/accounting directory: inside the expense program, inside databases, inside files, etc. It is 100% feasible to find all six flags; none have been hidden in such a way that it requires wizard-level exploitation skills, or raw amounts of brute force, to locate.
Rules
To make this assignment fun for everyone, we ask that students obey some basic rules of decorum.
-
As you progress through this assignment, you will achieve various levels of elevated privilege. This will give you the ability to take destructive actions. We ask that you exercise restraint and not destroy any data or files. Please leave things as you found them ;)
-
Do not denial of service the server. Examples of denial of service attacks include but are not limited to: intentionally running large numbers of processes to control CPU and memory resources; intentionally filling the disk to capacity; and flooding the server with network traffic.
-
Do not attack your classmates. This includes attempting to crack their passwords, read or alter files in their home directory, or kill their processes.
Any student that fails to follow these rules, i.e. intentionally attempts to make mischief, will receive a zero on the assignment. That said, we understand that mistakes happen! If you accidentally make changes to project files that you believe may hinder others’ abilities to complete the assignment, let us know immediately and we will repair the situation.
If you so desire, attacking the operating system is considered within bounds. If you achieve root, getting all the flags should be trivial. If you do choose to attack the OS, all we ask is that you do not take destructive actions that (1) leave the server in an unusable state; (2) harm your classmates or their files; or (3) generally prevent other students from completing the assignment.
Exploitation Tips
Note, your user account does not have permissions to read all of the files in the /home/accounting directory. However, the program has several vulnerabilities which will none-the-less allow you to learn these secret flags.
Locating all six flags will require you to examine the C source code of the expense program, carefully investigate the program’s command line behavior, and investigate the file system around the expense program. Several of the exploits necessary to find the flags are related to topics we discussed in class. Others will require you to think creatively ;)
The source code for the expense program is relatively simple, and well documented. However, online C language tutorials may be useful for students who have never seen code in the language before.
The expense program makes use of a SQLite3 database. Many online resources exist that describe SQL query syntax in general, and SQLite3-specific queries in particular.
Unfortunately, the source code we provide for the expense program has been redacted. Thus, you may need to employ binary analysis tools that allow you to inspect and disassemble the contents of compiled programs. Tools like hexdump, strings, and objdump may come in handy; the man pages for these programs offer help about their capabilities and syntax. A debugger like gdb may be useful for more advanced exploits.
Common programming tools like Python, gcc, g++, nasm, and make are available on the server. If there are additional tools available via apt that you would like installed, send an email or private Piazza message to the staff.
Submission details
To receive full credit on this assignment, you must turn in a single (ASCII formatted with Unix-style line breaks) text file named flags.txt.asc that contains the flags that you have recovered. Note the .asc file extension: this is the default extension used by GPG when it produces encrypted files.
You should create a file named flags.txt that contains your captured flags. Each flag should be on its own line. For example, your flags.txt file might look like the following:
SECRET_FLAG_AAAFLAG1AA
SECRET_FLAG_BBBFLAG2BB
SECRET_FLAG_CCCFLAG3CC
SECRET_FLAG_DDDFLAG4DD
SECRET_FLAG_EEEFLAG5EE
SECRET_FLAG_FFFFLAG6FF
Your file should contain at least five flags.
Take your flags.txt file and encrypt and sign it with GPG. By default, this will produce a new, encrypted and signed file named flags.txt.asc. This is the file you will turn in. Make sure to sign the file using your private key, and encrypt it using the class public key.
Submitting
Please follow these directions exactly:
- Create a directory
project6
under your git repo. - Add the file
flags.txt.asc
to this directory. - Commit your new file. Feel free to resubmit the project as many times as you like. It is ok to have extra files in the repository as well, just make sure you have this one.
Note: We require you to follow these directions exactly. If your repository does not include the project6/flags.txt.asc file encrypted and signed as described above, you will lose points, and possibly receive no credit.
Grading
This project is worth 100 points, but you have a possibility of earning up to 120 points:
- 20 points each per flag (five flags)
- 20 bonus points for the sixth flag
Points can be lost for turning in files in incorrect formats (e.g. not UNIX-line break ASCII), failing to follow specified formatting and naming conventions, or encrypting/signing your file using the wrong keys.
Tips
CTF projects are puzzles: they’re best when students are allowed to figure things out for themselves. Thus, we’re reluctant to post tips openly that would give away key aspects of the game. That said, if you feel stuck, or like you don’t know where to begin, that is okay! Please talk to the professor or the TAs privately, either on Piazza, email, or office hours, and we will be happy to help you get started. We want everyone to enjoy the CTF, so if you feel like you’re not making progress and the project is giving you grief, come talk to us!