Game Rules


In each lab (every week), you are asked to solve a set of challenges (typically 10, except in the first two weeks). For each challenge you submit three things via the scoreboard: the flag you obtained from the challenge (see below), the exploit you wrote, and a write-up summarizing how you formulated that exploit (see below).

A flag is a 512-byte hex string (like the one below), and you can find it in /proc/flag once you have properly initialized the distributed VM.

$ cat /proc/flag

Your job is to read this flag by exploiting the distributed challenges.

Taking actions

  1. Download and install Virtualbox/Vagrant

Note: Ubuntu users can install VirtualBox and Vagrant with the following commands:

[host] $ sudo apt-get install virtualbox
[host] $ sudo apt-get install vagrant

  2. Add the guest OS and run the VM
# download a 64-bit VM
[host] $ vagrant box add ubuntu/trusty64
==> box: Loading metadata for box 'ubuntu/trusty64'
    box: URL:
==> box: Adding box 'ubuntu/trusty64' (v20160822.0.0) for provider: virtualbox
    box: Downloading:
==> box: Successfully added box 'ubuntu/trusty64' (v20160822.0.0) for 'virtualbox'!

# move to your working directory
[host] $ mkdir seclab
[host] $ cd seclab

# initialize the VM
[host] $ vagrant init ubuntu/trusty64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`` for more information on using Vagrant.

# launch!
[host] $ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'ubuntu/trusty64'...

[host] $ vagrant ssh
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)

  3. Once you have the VM up and running, initialize your VM for this course:
# in the VM, install git/gcc
[vm] $ sudo apt-get update
[vm] $ sudo apt-get install git
[vm] $ sudo apt-get install gcc-multilib

# now set up your environment
#    use 'cs6265' as the directory name
[vm] $ git clone git:// cs6265
[vm] $ cd cs6265
[vm] $ ls
README    ; general info
bin/      ; scripts
lab/lab01 ; binaries for lab01
lab/lab02 ; ditto

# initialize your working environment (only need to be done once)
[vm] $ ./bin/init

  4. To do the labs:
# to do lab1
[vm] $ git pull
[vm] $ cd lab01
[vm] $ cat README
[vm] $ cd bomblab1_01

# NOTE: test your environment setup
[vm] $ bin/checkin
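The setup steps above collapsed into one Vagrantfile, as an added example that is not part of the course's distributed materials: it pins the box version shown in the transcript, installs git and gcc-multilib when the VM is provisioned, and clones the course repository into ~/cs6265. The repository's git:// URL is not shown on this page, so REPO_URL_PLACEHOLDER stands in for it and must be replaced; ./bin/init is still run once by hand from `vagrant ssh`, as described above.

```ruby
# Vagrantfile (added example; not the course's own file)
# REPO_URL_PLACEHOLDER is a placeholder: substitute the real git:// URL
# from the course before running `vagrant up`.
REPO_URL = "REPO_URL_PLACEHOLDER"

Vagrant.configure("2") do |config|
  # Same box and version as in the transcript above, pinned so every
  # student gets the same kernel and libc that the lab binaries expect.
  config.vm.box = "ubuntu/trusty64"
  config.vm.box_version = "20160822.0.0"

  # Packages, as root. -y replaces the interactive confirmation that the
  # manual apt-get commands above would show.
  config.vm.provision "shell", inline: <<-SHELL
    set -e
    apt-get update
    apt-get install -y git gcc-multilib
  SHELL

  # Clone as the unprivileged vagrant user into ~/cs6265. The directory
  # check keeps a second `vagrant provision` from failing on the clone.
  config.vm.provision "shell", privileged: false, inline: <<-SHELL
    set -e
    cd "$HOME"
    if [ ! -d cs6265 ]; then
      git clone "#{REPO_URL}" cs6265
    fi
  SHELL
end
```

After `vagrant up` finishes, `vagrant ssh`, then `cd cs6265 && ./bin/init` once, and continue with step 4.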

Feel free to ask for help on Piazza or at office hours if you run into any trouble during the setup.

General rule

Unless otherwise specified (e.g., in the first two weeks), the following scoring rules apply:

  • Approximately 10 challenges every week.
  • 20 points (flag) x 1.0 (write-up/exploit) = 20 points per challenge.
  • The theoretical maximum is 200 points (20 points x 10 challenges).
  • Bonus: first and second blood (i.e., the fastest and second-fastest solvers) receive 10 and 5 bonus points, respectively, on each challenge.
  • Late policy: 50% of the original points, and only within one week past the due date.

Write-up Sample

In this problem, ebp and the ret value are protected by gsstack. While
debugging, you can see that all ebp and ret values are tracked and
stored somewhere. However, when you make an input large enough, you
will see that a function pointer is overwritten. The overwritten value
is stored in EAX and makes it jump to <main+96>. I put my shellcode in
an env variable, got the address, and put it in. In my case, the
function pointer (0x08048b0a at 0xbffff654) was overwritten. So we
learned that we could jump using this weak point even though the
stackshield is working.

  $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')