TKCTF

This is a template for your docker image that will be used to host your CTF challenge.

Structure

# all files to run your service
/docker/Dockerfile   : Dockerfile
       /target       : target bin
       /flag         : flag: tkctf{please submit this flag!}
       /service.conf : xinetd

# all files to be released to participants
/release/README      : guideline
       /target       : bin if you want to release

# source/exploit for your team and organizer
/source/test.sh      : build docker, run, run exploit.py and print out flag
       /exploit.py   : exploit
       /writeup.txt  : solution
       /src/         : source code

  1. Change the NAME file to your challenge name: teamname:challenge (e.g., staff:fmtstr)
  2. Change the docker/flag file as you wish, but wrap it inside tkctf{...} (e.g., tkctf{please submit this flag!})

The source code of the challenge is located in source/src/, which contains its source (fmtstr.c) and makefile (Makefile). The makefile includes various defense options you can enable (e.g., CFLAGS += -fstack-protector). Please enable them carefully, as appropriate for your challenge.

Overview

$ wget https://tc.gts3.org/cs6265/2019/_static/ctf-template.zip
$ unzip ctf-template.zip

$ cd ctf-template
$ make help
dist  : build the target and distribute to docker/release
build : build the docker image
run   : run the docker container
test  : test the exploit
submit: zip for submission

Be imaginative, but keep in mind that the best challenge should be fun and educational. Please don’t design a challenge that requires any random/pure guessing (but well-designed bruteforcing is fine).

You can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. There are a few sources that you can refer to:

Scores

  1. Attack (per challenge): 20pt x N challenges
     ^
  20 | ...
     |    ..
     |      ..
  10 |         ..........
     |
     |
   0 +--------------------->
Team 0 1 2 .. N/2      N
- 10pt for the first blood
-  5pt for the second blood
-  3pt for the third blood
  2. Defense: 20pt (per team, about your challenge)
    • 0 solved: 0 pt (too difficult)
    • 1..N solved: 20 pt (okay!)
    • N solved: 10 pt (too easy)

But the details of the scoring are subject to change! Your competition site (for registration/scoreboard) is https://ctf.gts3.org/

Checklist for submission

  1. /NAME: Team/challenge name
  2. /release/README: Description about the challenge
  3. /docker/flag: Flag!
  4. /source/writeup.txt: Your description on the challenge and solution
  5. /source/exploit.py: Your working exploit
  6. Triple check that make test reliably executes!

Please run make submit and submit your file (e.g., staff:fmtstr.zip) here by Nov 14. We will test, evaluate and provide some feedback before the CTF event.
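
A pre-submission check for the checklist above, as an added example that is not part of the template: it verifies that the listed files exist, that NAME reads teamname:challenge and that docker/flag is wrapped in tkctf{...}. The helper names (check_submission, fail) and the extra check that the flag text does not appear in any file under /release are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-submission check for the template layout on this page.
# check_submission and fail are hypothetical helper names, not part of the template.

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_submission DIR: print one line per problem; return 0 only if none found.
check_submission() {
    dir=$1
    fails=0

    # Files named in the submission checklist must exist and be non-empty.
    for f in NAME release/README docker/flag source/writeup.txt source/exploit.py; do
        [ -s "$dir/$f" ] || fail "/$f is missing or empty"
    done

    # NAME must read teamname:challenge (exactly one colon, both sides non-empty).
    if [ -s "$dir/NAME" ]; then
        name=$(cat "$dir/NAME")
        case $name in
            *:*:* | :* | *:) fail "/NAME '$name' is not teamname:challenge" ;;
            *:*) ;;
            *) fail "/NAME '$name' is not teamname:challenge" ;;
        esac
    fi

    # The flag must be wrapped in tkctf{...}.
    if [ -s "$dir/docker/flag" ]; then
        flag=$(cat "$dir/docker/flag")
        case $flag in
            'tkctf{'?*'}')
                # Assumption of this example: nothing handed to participants
                # under /release may contain the flag text itself.
                if [ -d "$dir/release" ] && grep -rqF -- "$flag" "$dir/release"; then
                    fail "flag text appears in a file under /release"
                fi ;;
            *) fail "/docker/flag is not wrapped in tkctf{...}" ;;
        esac
    fi

    [ "$fails" -eq 0 ]
}

# Run against a challenge directory when one is given: sh check.sh ctf-template
if [ "$#" -gt 0 ]; then check_submission "$1"; fi
```

The check only covers file presence and formats; make test is still what shows that the exploit works against the container.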