TKCTF

Info

The last lab of the class is a 24-hour Capture The Flag (CTF) with challenges from various topics of the class. The challenges will be created by the staffs and participating students. Teams of students will compete in the competition and earn points for lab 10.

This year, we’re opening up the competition to the public, welcoming external teams to join in the fun!

The CTF will last from November 22, 3:30 pm EST until November 23, 3:30 pm EST.

Teams

Each team has up to 4 players.

Please log into the competition platform and create a user for each member and join your teams.

Only one member needs to create the team and share the team name and team password for other members to join. Please note that user and team names are fixed and cannot be changed after creation.

For the competition, we recommend you create a team chat where you can easily communicate. Voice chat and screen sharing may be very helpful when you work on challenges together.

Scoring

The details of the scoring may be subject to change!

1. CTF scoring

The score in the CTF consists of two parts: attack points and defense points. This is NOT your actual class score – see the next section.

• Attack score: up to 500 points for each solved challenge

  • Dynamic scoring decreases the points per challenge as more teams solve it

  • The minimum score for each challenge is 250 (50%)

• Defense score:

  • 0 teams solve your challenge: 0 points

  • N/2 teams solve your challenge: 2500 points (5 challenges worth)

  • N teams solve your challenge: 1250 points (2.5 challenges worth)

  • Otherwise, your score is linearly interpolated within those ranges.

2. Translation of CTF score to class score

This only pertains to CS6265 students.

The class score is calculated as the sum of base points and ranking points.

• Base points:

  • 20 points, awarded for solving at least one challenge

• Ranking points:

  • First-place team, which scored Z CTF points, gets 380 ranking points.

  • “First-place team” might be either per-section or overall, depending on how many online-section/external teams participate.

  • Other teams, which scored X CTF points, get 380 * X/Z ranking points.

In other words, the first-place team gets 400 class points, and everyone else’s CTF scores will be scaled accordingly, with a minimum of 20.

Example: Team A scored 1500 points in the CTF, Team B scored 2000 points and wins the competition. Thus, Team B gets 400 class points: 20 base points + 380 ranking points. Team A also gets 20 base points. In addition, they get (1500/2000)*380=300 ranking points (linear scaling). Overall, Team A gets 320 (=20+300) points for the class ranking.

We may increase the base points if the average score is too low. In that case, the maximum possible ranking score decreases by the amount we increase the base points (in other words, the first team will always have 400 points).

Challenge Template

Please check the competition platform for detailed instruction on how to submit your challenges to gain the defense points.

The deadline for challenges submission is November 16th 11:59 pm.

Fork https://github.com/sslab-gatech/ctf-template and give TAs access permission to your private Github repo. Please Keep track of your commit history! Make sure you add the Github repo link into your team profile.

The patch requirement is only needed if the challenge is pwnable (aka. exploitations depends on the bug presence). For other type of challenges, you don’t need a patch. You can check https://ctftime.org/writeups for other types of challenges, and you are free to submit any type of challenges. If a patch is needed but missing after submission, we will contact you to update your Github repository with a patch.

/NAME                : team-name:challenge-name (e.g., `staff:fmstr`)
/PORT                : a port number
/test-all.sh         : a test script to validate the challenge
/test-patch.sh       : a test scirpt to validate the patch

# all files to run your service
/docker/Dockerfile   : Dockerfile
       /target       : target binary
       /flag         : follow this format: tkctf{please submit this flag!}

# all files to be released to participants
/release/README.md   : guideline
        /target      : target binary, if you want to release

# source/exploit for your team and organizer
/source/exploit.py   : exploit code
       /test.py      : functionality test
       /writeup.txt  : solution
       /patch.diff   : a patch to fix the bug
       /Dockerfile   : Dockerfile for the build environment
       /src/         : source code

$ git clone https://github.com/sslab-gatech/ctf-template

$ cd ctf-template
$ make help
prepare: prepare a docker image for compilation
build  : build the target
dist   : build the docker image
release: build the target, docker image and release them
run    : run the docker container
exploit: launch the exploit
test   : test the docker/exploit

Keep in mind that the best challenge should be fun and educational. Please don’t design the challenge that requires any random/pure guessing (but well-designed bruteforcing is fine).

You can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. There are a few sources that you can refer:

• https://ctftime.org/

• https://www.cvedetails.com/

• https://www.exploit-db.com/