TKCTF

This is a template for your docker image that will be used to host your CTF challenge.

Structure

# all files to run your service
/docker/Dockerfile   : Dockerfile
       /target       : target bin
       /flag         : flag: tkctf{please submit this flag!}
       /service.conf : xinetd

# all files to be released to participants
/release/README      : guideline
       /target       : bin if you want to release

# source/exploit for your team and organizer
/source/test.sh      : build docker, run, run exploit.py and print out flag
       /exploit.py   : exploit
       /writeup.txt  : solution and hint (we will open the hint if no one solves it)
       /src/         : source code

1. Change the NAME file to your challenge name: teamname:challenge (e.g., staff:fmtstr)
2. Change the docker/flag file as you wish, but wrap it inside tkctf{...} (e.g., tkctf{please submit this flag!})

The source code of the challenge locates in source/src/, which contains its source (fmtstr.c) and makefile (Makefile). The makefile includes various defense options you can enable (e.g., CFLAGS += -fstack-protector). Please carefully enable them as you’d like for your challenge.

Overview

$ wget https://tc.gts3.org/cs6265/2020/_static/ctf-template.zip
$ unzip ctf-template.zip

$ cd ctf-template
$ make help
dist  : build the target and distribute to docker/release
build : build the docker image
run   : run the docker container
test  : test the exploit
submit: zip for submission

Be imaginative but keep in mind that, the best challenge should be fun and educational. Please don’t design the challenge that requires any random/pure guessing (but well-designed bruteforcing is fine).

You can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. There are a few sources that you can refer:

• https://ctftime.org/
• https://www.cvedetails.com/
• https://www.exploit-db.com/

Scores

1. Attack (per challenge): 20pt x N challenges

     ^
  20 | ...
     |    ..
     |      ..
  10 |         ..........
     |
     |
   0 +--------------------->
Team 0 1 2 .. N/2      N

- 10pt for the first blood
-  5pt for the second blood
-  3pt for the third blood

2. Defense: 20pt (per team, about your challenge)
   • 0 solved: 0 pt (too difficult)
   • 1..N solved: 20 pt (okay!)
   • N solved: 10 pt (too easy)

But the details of the scoring are subject to change! Your competition site (for registration/scoreboard) is https://ctf.gts3.org/

Checklist for submission

1. /NAME: Team/challenge name
2. /release/README: Description about the challenge
3. /release/some_files: Any file released to the user
4. /docker/flag: Flag!
5. /docker/Dockerfile: Dockerfile for building the container
6. /source/writeup.txt: Your description on the challenge and solution, and hint (we will release the hint if no one solves it)
7. /source/exploit.py: Your working exploit
8. Triple check make test reliably executes! If there is any error, you have to resubmit and we will give you penalty points

Please make submit and submit your file (e.g., staff:fmtstr.zip) to here by Nov 12. We will test, evaluate and provide some feedbacks before the ctf event.

TKCTF 2020 result