Game Rules


In each lab (every week), you are asked to solve a set of challenges (typically 10 challenges except for the first two weeks). In each challenge, you have to submit three things, namely, a flag, the exploit, and its write-up via scoreboard (OMSCS/OCY): the flag you got from the challenge, the exploit that you wrote, and the write-up that summarizes how you formulated the exploit (see below).

A flag is a 512-byte hex string (like below) and you can find it in /proc/flag in the assigned VM.

$ cat /proc/flag

Your job is to read this flag by exploiting the distributed challenges.

Taking actions #1 Registration

  1. Register your account and receive an api-key

  • Visit the submission site: OMSCS/OCY. You will use the registration menu.

  • Input your username (preferably your real name), e-mail address (we only accept account) and click the Email api-key button.

  • Once you succeed, you will receive an email including your API-key. You will use this api-key when you login to the course website.

  1. Login to your account

  • Go back to the submission site. You will use the Login menu.

  • Input your received api-key and click the Submit api-key button.

  1. Now, you can connect to the server and begin your lab challenges. You can find ssh details for a particular lab on the submission site.

# login to one of CTF servers
** Refer to Canvas for ssh information! **
[host] $ ssh lab01@ctf_server_address

# let's start lab01!
[CTF server] $ cat README
[CTF server] $ ./bomb
  1. While solving problems you might need to write your own scripts. Feel free to create a directory inside /tmp for your files. Note that the VM would be shared with all other users so avoid using common directory names. Listing files in /tmp is not allowed. Also, please keep a backup of your files since the /tmp folder might be emptied after a certain time.

  2. Submit your solution and flag.

  • Login → Problems → Submit (Flag / Writeup)

  • You will get actual score once you submit both flag and write-ups.

Taking actions #2 (Building local environment)

Although you can solve all challenges in the remote server, it may be inconvenient because you may not be able to install your own toolbox or use restricted tools. In this case, you can build your own environment. However, you still have to read /proc/flag through the course CTF server to get a real flag.

To build your own environment:

  1. Download and install Virtualbox

Note: Ubuntu users may want to use the following commands to install Virtualbox

[host] $ sudo apt-get install virtualbox
  1. Download and install Ubuntu 18.04.2 on Virtualbox:

  • Download the Ubuntu 18.04.2 image.

  • Launch Virtual box and follow the instructions to install a new VM. A handy walk-through can be found here.

  1. Install essential tools inside VM:

  1. To do labs (lab03 and after):

After launching Virtualbox and Ubuntu VM:

# disable ASLR (before lab05)
[vm] $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

# enable ASLR (starting lab05)
[vm] $ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

# download labXX challenges
[vm] $ scp -r labXX@server:~/[challenge] [your_directory]

# download libc used by the server for analysis (future labs)
# 32-bit
[vm] $ scp labXX@server:/lib/i386-linux-gnu/ [your_directory]
# 64-bit
[vm] $ scp labXX@server:/lib/x86_64-linux-gnu/ [your_directory]

# tackle challenges
[vm] $ cd [your_directory_for_challenge]
[vm] $ cat README

Feel free to ask for any help on Ed Discussion, or at the office hours if you have any trouble during the setup.

General rule

If not specified (e.g., first two weeks), we will follow the scoring rules stated below:

  • Approximately 1 tutorial and 10 challenges every week.

  • 20 points (flag) x 1.0 (write-up/exploit) = 20 points (each challenge).

  • 220 points (20 points x 11 challenges) are the maximum points, in theory.

  • Bonus: first and second bloods (i.e., fastest solvers) will get 2 and 1 bonus points, respectively for each challenge (only for lab03 and after).

  • Hint: We will provide up to two hints but you will get 5% of deduction when you open the hint.

  • Late policy: 50% of the original points (only within one week past the due date).


You must submit a write-up for each exploit to get the actual points.

  • Your write-up must be a plain text file (i.e., don’t use a document format such as PDF or DOCX).

  • Your write-up must contain

    • a simple description of how you solved the challenge, and

    • the actual exploit (i.e., code!).

  • Your write-up must be specific enough that we can run and validate your exploit ourselves.

  • You don’t need to submit write-ups for the tutorial challenges.

Here is an example write-up:

1) Write-up:

This binary stores its return addresses and frame pointers in a separate
stack; while we can overwrite those values on the regular stack, it
accomplishes nothing.

`main()` puts a pointer to `exit()` in its stack frame, which it jumps to
after `start()` finishes. We can overwrite this during `start()`'s buffer
overflow to instead point to `jump_to_here()`, which prints the flag.

Conveniently, due to the return-address protection and the fact that
`start()` doesn't have many meaningful local variables, we don't need
to be careful about the other values we clobber on the stack on the way
to `main()`'s local function pointer. The correct return addresses are
restored at the end of each function.

2) Exploit:

    #!/usr/bin/env python3

    from pwn import *
    p = process('./target')
    p.sendline(cyclic(52) + p32(0x8048948))  # (jump_to_here())