Project 7: Web CTF

  • This project is due at 11:59pm on Friday, Apr 23, 2021. This is a final deadline: because the semester is ending, there can be no late submissions.

Description and Deliverables

In this project, you will gain hands-on experience using web and browser-based exploits to make a web service do things its developers never intended. Like the previous one, this project is structured as a Capture The Flag (CTF), a common format in cybersecurity competitions. You will be given access to a vulnerable website, and your task is to locate five flags hidden in the application and its surrounding files. The difficulty increases with each flag: flag 1 is easier to find than flag 3, for example, and the fifth flag is the most challenging.

To receive full credit for this project, you will turn in a single file:

  • A file named project7/flags.txt that contains the flags that you will capture from the site.

The exact format of this deliverable is described in detail below.

Getting Started with NuReddit

Northeastern has launched a new anonymous private reddit so that its students can communicate with each other during the pandemic. The site was developed by NEU students who do not understand the basic web security principles taught in CY2550 and have unintentionally introduced multiple vulnerabilities.

However, a group of malicious hackers from fancyracoon has vandalized your private subreddit with a bogus post. Through some of the vulnerabilities they discovered, they were also able to edit the source code of the site and plant backdoors in posts, the search bar and comments. It is up to you to figure out the username of the impostor account and change the content of their post to something more accurate.

  1. You must first log in to the site. Only authorized users with valid logins can see the content. To retrieve your login credentials for NUReddit, decrypt the message from the autograder in p3 with your PGP key. The site is located at https://nureddit.com.

  2. Each student has their own subreddit. After successfully logging in, head to your private subreddit, which is named after your GitHub username plus some random characters. There you will find the malicious post, and you can begin looking for a way to manipulate its content.

  3. Learn how the site works by posting a new message in your subreddit. Watch the debug console to see how the post is sent to the server. Inspect the source of the page. Play with the options available to you as the creator of a post. Understanding how the site works will help you remove the malicious post. Basic JavaScript tutorials are a web search away, but you won't need to be a wizard to make it through the assignment.

  4. As you come to appreciate the basic implementation failures in this site, begin looking for other classic web vulnerabilities.

  5. Finding the flags increases in difficulty as you progress through the project. The first few flags require attention to detail and some clever thinking about how the site is designed and what you should and should not be able to do. To locate all five flags, you will need to successfully exploit every vulnerability present in the site. You have seen all of these vulnerabilities in class; they include, but are not limited to, cross-site scripting (XSS) and SQL injection.

    One key tool for starting this project is your browser's Developer Tools (right click -> Inspect). They show you the source code of the page, every file and resource the site requests, and the headers of each request and response exchanged with the server, among other useful things. Tools like Postman and Burp Suite are used in real-life scenarios, but the Developer Tools will be the easiest and most accessible option for most students.

  6. The course staff cannot provide any more hints on how to proceed. A central part of security is being curious and learning how systems work.

Identifying Flags

Your goal is to locate the five flags the vandals have hidden throughout the NUReddit site. Along the way, you will be able to change the content of the malicious post and determine the identity of the user who posted it.

All flags have the following format:

flag#:<64 hex characters, i.e. digits and lowercase letters a-f>

For example, a secret flag might look like this:

flag1:d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1

The secret flags can be anywhere within the NuReddit website: in the page source, in headers exchanged between the browser and the server, in the database on the server, behind an XSS, and so on. It is entirely feasible to find all five flags; none is hidden in a way that requires wizard-level exploitation skills or brute force. You do not need to write any code or programs to exploit this site.

Note: All flags are unique per user and per subreddit.

Rules

To make this assignment fun for everyone, we ask that students obey some basic rules of decorum.

  1. To keep the site private within the class, we ask you do not share the URL of the website with people outside of this class.

  2. Do not launch denial-of-service attacks against the server. Examples include, but are not limited to: intentionally running large numbers of processes to consume CPU and memory, flooding the server with network traffic, and scraping the website. Do not scrape the website.

  3. Do not attack your classmates. This includes attempting to crack their passwords or to access subreddits you are not supposed to see.

  4. This website is intentionally vulnerable, which means you will have the power to do destructive things that you (hopefully) could not do on a normal site. Do not perform any destructive action that would harm the integrity of the backend server or database. If you find a vulnerability that does not eventually lead you to a flag and could be destructive, let the course staff know ASAP.

Any student who fails to follow these rules, i.e. intentionally makes mischief, will receive a zero on the assignment. That said, we understand that mistakes happen! If you accidentally make changes to accounts that you believe may hinder others' ability to complete the assignment, let us know immediately and we will repair the situation.

Submission details

To receive full credit on this assignment, you must turn in a single text file named flags.txt (ASCII, with Unix-style line breaks) that contains the flags you have recovered.

Create the file flags.txt with your captured flags, one per line. For example, your flags.txt might look like the following:

flag1:d1bc8d3ba4afc7e109612cb73acbddeac052c93025aa1f82942edabb7deb82a1
flag2:de0b9a001c104c5bef8bc23afe379de3cd657bfcee00f7aa0829d0ed1e457106
flag3:0ac837a51686ab59ab1a3894fa910ee58dd597ed18cba114cd2a28bb05b8b6d9
flag4:f7530598a6ced26e95e8364fa64cdbe6cd24a499d12f4a923b5c48e1abc0f9ca
flag5:31484bcfc21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a44

Your file should contain five flags.
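Before committing, it is worth checking that flags.txt actually meets the format above, since points are lost for Windows (CRLF) line breaks, non-ASCII characters or a malformed flag line. The checker below is an added example, not part of the course materials or the autograder; it assumes only the rules stated on this page (ASCII, Unix line breaks, exactly flags 1 through 5, each followed by 64 lowercase hex characters) and uses constructed sample values, not real flags.

```python
"""Pre-submission check for project7/flags.txt (added example, not course code).

Assumptions, taken from the assignment text: ASCII only, Unix (LF) line
breaks, one flag per line, five flags numbered 1..5, each written as
flag#:<64 hex characters using digits and lowercase a-f>.
"""
import re
import sys
from pathlib import Path

# One well-formed line: "flagN:" plus exactly 64 lowercase hex characters.
FLAG_RE = re.compile(rb"^flag([1-5]):([0-9a-f]{64})$")
EXPECTED = frozenset(range(1, 6))


def check_flags(data: bytes) -> list[str]:
    """Return every problem found in the raw bytes of a flags.txt.

    An empty list means the file satisfies the format described above.
    The check works on bytes rather than str so that line-break and
    encoding defects are reported instead of being normalized away by
    text-mode reading.
    """
    problems: list[str] = []

    if b"\r" in data:
        problems.append("CRLF/Windows line breaks found; convert to Unix LF")
        data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

    try:
        data.decode("ascii")
    except UnicodeDecodeError as err:
        problems.append(f"non-ASCII byte {data[err.start]:#04x} at offset {err.start}")

    # A single trailing newline is normal for a text file; drop only that one.
    if data.endswith(b"\n"):
        data = data[:-1]

    seen: dict[int, bytes] = {}
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        match = FLAG_RE.match(line)
        if match is None:
            problems.append(f"line {lineno}: not of the form flag#:<64 hex>: {line!r}")
            continue
        number, value = int(match.group(1)), match.group(2)
        if number in seen:
            problems.append(f"line {lineno}: flag{number} appears more than once")
        seen[number] = value

    missing = sorted(EXPECTED - set(seen))
    if missing:
        problems.append("missing " + ", ".join(f"flag{n}" for n in missing))

    if len(set(seen.values())) != len(seen):
        problems.append("two flags carry the same value; check for a copy-paste slip")

    return problems


def check_file(path: str) -> list[str]:
    """Read the file as raw bytes and validate it."""
    return check_flags(Path(path).read_bytes())


# Constructed sample values (not real flags); each is exactly 64 hex characters.
SAMPLE_GOOD = b"".join(
    f"flag{n}:{v}\n".encode()
    for n, v in enumerate(
        ["0123456789abcdef" * 4, "fedcba9876543210" * 4, "00ff" * 16,
         "a5" * 32, "1234abcd" * 8],
        start=1,
    )
)
# The same file as saved by a Windows editor (CRLF), with flag5 left out.
SAMPLE_BAD = SAMPLE_GOOD.replace(b"\n", b"\r\n").rsplit(b"flag5", 1)[0]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "project7/flags.txt"
    found = check_file(target)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s) in {target}")
    sys.exit(1 if found else 0)
```

Run it as `python check_flags.py project7/flags.txt`; it prints each problem and exits non-zero whenever the file would lose points. Reading the file as bytes is deliberate: opening it in text mode would silently translate CRLF to LF and decode non-ASCII characters, hiding exactly the two defects the grading section penalizes.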

Submit your project7/flags.txt via a signed GitHub commit and submit it to Gradescope.

Submitting

Please follow these directions exactly:

  1. Create a directory project7 under your git repo.
  2. Add the file flags.txt to this directory.
  3. Commit your new file in a signed commit. Feel free to resubmit the project as many times as you like. It is fine to have extra files in the repository as well; just make sure this one is present.

Note: We require you to follow these directions exactly. If your repository does not include the project7/flags.txt file as described above, you will lose points, and possibly receive no credit.

Grading

This project is worth 100 points:

  • 19 points per flag (five flags, 95 points total)
  • 5 points for signing your commit

Points can be lost for turning in files in incorrect formats (e.g. not ASCII with Unix line breaks), failing to follow the specified formatting and naming conventions, or signing with the wrong keys.

Tips

CTF projects are puzzles: they are best when students figure things out for themselves, so we are reluctant to post tips openly that would give away key aspects of the game. That said, if you feel stuck, or don't know where to begin, that is okay! Start by exploring the site using the hints given above, and think about the types of attacks we have just discussed in class and how they might apply here.