Game Rules


In each lab (every week), you are asked to solve a set of challenges (typically 10 challenges except for the first two weeks). For each challenge, you have to submit three things via the scoreboard (Board): the flag you got from the challenge, the exploit that you wrote, and the write-up that summarizes how you formulated the exploit (see below).

A flag is a 512-byte hex string (like below) and you can find it in /proc/flag in the assigned VM.

$ cat /proc/flag

Your job is to read this flag by exploiting the distributed challenges.

Taking actions #1 Registration (mandatory)

  1. Register your account and receive an api-key
  • Visit the submission site (choose the right one and use the registration menu).
  • Input your username, GTID, and e-mail address (we only accept account) and click the Email api-key button.
  • You will receive your api-key, which is your identifier, by email. This api-key will be used to log in to the submission site. Please do not share your api-key with others.
  2. Log in to your account
  • Go back to the submission site. You will use the Login menu.
  • Input your received api-key and click the Submit api-key button.
  3. When each lab assignment is released, you can connect to the CTF server and begin solving your lab challenges. You can find ssh details for a particular lab on Canvas.
# login to one of CTF servers
** Refer to Canvas for ssh information! **
[host] $ ssh lab01@ctf_server_address

# let's start lab01!
[CTF server] $ cat README
[CTF server] $ ./bomb
  4. While solving the problems, you might need to write your own scripts. Feel free to create directories inside /tmp for your files. Note that the CTF server is shared among all users, so avoid using common directory names. Listing files in /tmp is not allowed. Also, please keep a backup of your files since the /tmp folders are emptied once in a while.
  5. Submit your solution and flag.
  • Login → Problems → Submit (Flag / Writeup)
  • You will get the actual score once you submit both the flag and the write-up.

Taking actions #2 (Building local environment, optional)

Although you can solve all challenges on the remote server, it may be inconvenient because you may not be able to install your own toolbox or use restricted tools. In this case, you can build your own environment. However, you still have to read /proc/flag through the course CTF server to get a real flag.

To build your own environment:

  1. Download and install VirtualBox/Vagrant

Note: Ubuntu users may want to use the following commands to install VirtualBox and Vagrant:

[host] $ sudo apt-get install virtualbox
[host] $ sudo apt-get install vagrant
  2. Download our local setup and create a vagrant box:
[host] $ wget
[host] $ tar xvzf local_setup.tar.gz
[host] $ cd local_setup
[host] $ vagrant up
  3. To do labs (lab03 and after):
# ssh into VM
[host] $ vagrant ssh

# disable ASLR (before lab05)
[vm] $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

# enable ASLR (starting lab05)
[vm] $ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

# download labXX challenges
[vm] $ scp -r labXX@server:~/[challenge] [your_directory]

# download libc used by the server for analysis (future labs)
# 32-bit
[vm] $ scp labXX@server:/lib/i386-linux-gnu/ [your_directory]
# 64-bit
[vm] $ scp labXX@server:/lib/x86_64-linux-gnu/ [your_directory]

# tackle challenges
[vm] $ cd [your_directory_for_challenge]
[vm] $ cat README

Feel free to ask for any help on Piazza, or at the office hours if you have any trouble during the setup.

General rule

If not specified (e.g., first two weeks), we will follow the scoring rules stated below:

  • Approximately 1 tutorial and 10 challenges every week.
  • 20 points (flag) x 1.0 (write-up/exploit) = 20 points (each challenge).
  • 220 points (20 points x 11 challenges) are the maximum points, in theory.
  • Bonus: Starting with lab 03, first and second bloods (i.e., fastest solvers) will get 2 and 1 bonus points, respectively, for each challenge.
    • Labs 1 and 2 are warm-up labs. First/second blood bonuses will not be given.
  • Hint: We provide up to two hints per challenge.
    • You can access them at the problem page (Submission site > Lab id > Problem name > Show).
    • Some hints (typically for the first five challenges of each lab) are free, and some will cost you one point for opening them.
    • You can first check if the hints are free or not by clicking the “Show” button.
  • Late policy: 50% of the original points (only within one week past the due date).


You should submit a write-up for each exploit to get the actual points.

  • Your write-up should contain both a simple description of how to solve the challenge and the actual exploit.
  • It is highly recommended that you use Markdown for write-ups.
  • Once you submit the write-up with the exploit, we will validate your exploit.
  • You don’t need to submit a write-up for the tutorial.
1) Write-up:

In this problem, ebp and ret value are protected by gsstack. While
debugging, you can see all ebp and ret values are being tracked and
stored somewhere. However, when you make an input large enough, you
will see that a function pointer is overwritten. And the overwritten
value is stored in EAX and makes it jump at <main+96>.
I put my shellcode in the env, get the address, and put it. In
my case, the function pointer (0x08048b0a at 0xbffff654) was
overwritten. So we could learn, we could jump using the weak point even
when the binary is protected by stackshield.

2) Exploit:

  $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')
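
The point of the sample write-up, that tracking the saved ebp and return address does not protect a function pointer stored next to an overflowable buffer, is modelled below together with the bounds check that closes it. This is an added example, not the challenge's code or part of the original page; the struct, function names and sizes are constructed for illustration, and the unchecked copy is clamped to one object so the program stays well defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed buffer directly followed by a function pointer. */
struct handler {
    char name[16];
    int (*callback)(void);
};

static int greet(void) { return 1; }  /* the intended call target */
static int other(void) { return 2; }  /* stands in for any unintended target */

/* Weak: trusts the caller's length, so bytes past name[] land on callback.
 * The saved frame pointer and return address are never written. The clamp
 * only keeps this demo inside the object; it is not a fix. */
static void set_name_unchecked(struct handler *h, const void *src, size_t len) {
    if (len > sizeof *h) len = sizeof *h;
    memcpy(h, src, len);
}

/* Hardened: refuse input that does not fit in name[] with its terminator. */
static int set_name_checked(struct handler *h, const char *src, size_t len) {
    if (len >= sizeof h->name) return -1;
    memcpy(h->name, src, len);
    h->name[len] = '\0';
    return 0;
}

/* Feed the same oversized input to either setter, then make the indirect call.
 * Returns 1 if callback is still greet, 2 if it was redirected. */
static int demo(int checked) {
    struct handler h = { "guest", greet };
    unsigned char input[sizeof h];
    int (*target)(void) = other;
    memset(input, 'A', sizeof input);
    memcpy(input + offsetof(struct handler, callback), &target, sizeof target);
    if (checked)
        (void)set_name_checked(&h, (const char *)input, sizeof input);
    else
        set_name_unchecked(&h, input, sizeof input);
    return h.callback();
}

int main(void) {
    printf("unchecked copy -> callback returns %d\n", demo(0));
    printf("checked copy   -> callback returns %d\n", demo(1));
    return 0;
}
```

With the unchecked setter the indirect call reaches `other` although no return address was modified; with the checked setter the oversized input is rejected and the call still reaches `greet`.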