TKCTF
Info
The last lab of the class is a 24-hour Capture The Flag (CTF) with challenges from various topics of the class. The challenges will be created by the staff and participating students. Teams of students will compete in the competition and earn points for lab 10.
This year, we’re opening up the competition to the public, welcoming external teams to join in the fun!
The CTF will last from November 21, 3:30 pm EST until November 22, 3:30 pm EST.
Teams
Each team has 3-4 players. Sign your team up on the spreadsheet.
Once the competition platform is set up, each member needs to sign up and join your team.
Only one member needs to create the team and share the team name and team password for other members to join. Please note that user and team names are fixed and cannot be changed after creation.
For the competition, we recommend you create a team chat where you can easily communicate. Voice chat and screen sharing may be very helpful when you work on challenges together.
Scoring
The details of the scoring may be subject to change!
1. CTF scoring
The score in the CTF consists of two parts: attack points and defense points. This is NOT your actual class score – see the next section.
Attack score: up to 500 points for each solved challenge
Dynamic scoring decreases the points per challenge as more teams solve it
The minimum score for each challenge is 250 (50%)
Defense score:
0 teams solve your challenge: 0 points
N/2 teams solve your challenge: 2500 points (5 challenges worth)
N teams solve your challenge: 1250 points (2.5 challenges worth)
Otherwise, your score is linearly interpolated within those ranges.
2. Translation of CTF score to class score
This only pertains to CS6265 students.
The class score is calculated as the sum of base points and ranking points.
Base points:
20 points, awarded for solving at least one challenge
Ranking points:
First-place team, which scored Z CTF points, gets 380 ranking points.
“First-place team” might be either per-section or overall, depending on how many online-section/external teams participate.
Other teams, which scored X CTF points, get 380 * X/Z ranking points.
In other words, the first-place team gets 400 class points, and everyone else’s CTF scores will be scaled accordingly, with a minimum of 20.
Example: Team A scored 1500 points in the CTF, Team B scored 2000 points and wins the competition. Thus, Team B gets 400 class points: 20 base points + 380 ranking points. Team A also gets 20 base points. In addition, they get (1500/2000)*380=300 ranking points (linear scaling). Overall, Team A gets 320 (=20+300) points for the class ranking.
We may increase the base points if the average score is too low. In that case, the maximum possible ranking score decreases by the amount we increase the base points (in other words, the first team will always have 400 points).
Challenge Template and Submission
The deadline for challenge submission is November 16th 11:59 pm. Challenge submission is mandatory for onsite (-A) students and optional for all others (but necessary to score defense points).
The challenge template is available at https://tc.gts3.org/cs6265/2025-fall/_static/ctf-template.zip. Submit a link to your challenge archive through this form.
You can submit a pwnable challenge (class-style challenges) or another type. You can check https://ctftime.org/writeups for other types of challenges, and you are free to submit any type of challenge.
/NAME              : team-name:challenge-name (e.g., `staff:fmstr`)
/PORT              : a port number
# all files to run your service
/docker/Dockerfile : Dockerfile
       /target     : target binary
       /flag       : follow this format: tkctf{please submit this flag!}
# all files to be released to participants
/release/README.md : guideline
        /target    : target binary, if you want to release
# source/exploit for your team and organizer
/source/exploit.py  : exploit code
       /test.sh     : build docker, run, run exploit.py and print out flag
       /writeup.txt : solution
       /src/        : source code
Change the NAME file to your challenge name: teamname:challenge (e.g., staff:fmtstr)
Change the docker/flag file as you wish, but wrap it inside tkctf{...} (e.g., tkctf{please submit this flag!})
The source code of the challenge is located in source/src/, which contains its source (fmtstr.c) and makefile (Makefile). The makefile includes various defense options you can enable (e.g., CFLAGS += -fstack-protector). Enable them deliberately, according to the difficulty you intend for your challenge.
$ wget https://tc.gts3.org/cs6265/2025-fall/_static/ctf-template.zip
$ unzip ctf-template.zip
$ cd ctf-template
$ make help
dist : build the target and distribute to docker/release
build : build the docker image
run : run the docker container
test : test the exploit
submit: zip for submission
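A pre-submission layout check for the template described above, as an added example that is not part of the course template or its Makefile. It assumes the indented entries in the listing sit under docker/, release/ and source/; the flag-leak check and the names `check_challenge` and `make_sample` are additions, and the sample tree is constructed.

```python
import re
from pathlib import Path

# Layout taken from the listing above; nesting of the indented entries under
# docker/, release/ and source/ is an assumption about that listing.
REQUIRED = [
    "NAME", "PORT", "docker/Dockerfile", "docker/target", "docker/flag",
    "release/README.md", "source/exploit.py", "source/test.sh",
    "source/writeup.txt", "source/src",
]
NAME_RE = re.compile(r"[^:\s]+:[^:\s]+")      # team-name:challenge-name
FLAG_RE = re.compile(r"tkctf\{[^{}\n]+\}")    # tkctf{...}


def check_challenge(root):
    """Return a list of problems found in an unpacked challenge directory."""
    root = Path(root)
    problems = [f"missing {p}" for p in REQUIRED if not (root / p).exists()]
    if problems:
        return problems
    name = (root / "NAME").read_text().strip()
    if not NAME_RE.fullmatch(name):
        problems.append(f"NAME {name!r} is not team-name:challenge-name")
    port = (root / "PORT").read_text().strip()
    if not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
        problems.append(f"PORT {port!r} is not a valid port number")
    flag = (root / "docker/flag").read_bytes().strip()
    if not FLAG_RE.fullmatch(flag.decode(errors="replace")):
        problems.append("docker/flag is not wrapped in tkctf{...}")
    else:
        # Added check: the real flag must not ship in anything under release/.
        for f in (root / "release").rglob("*"):
            if f.is_file() and flag in f.read_bytes():
                problems.append(f"flag leaked in {f.relative_to(root).as_posix()}")
    return problems


def make_sample(root, name="staff:fmtstr", port="9000", flag="tkctf{constructed sample}",
                readme="Connect to the service and read the flag.\n"):
    """Build a constructed sample tree (not the course template) for the checks."""
    root = Path(root)
    contents = {"NAME": name, "PORT": port, "docker/flag": flag,
                "release/README.md": readme}
    for rel in REQUIRED[:-1]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(contents.get(rel, "placeholder\n"))
    (root / "source/src").mkdir(parents=True, exist_ok=True)
    return root
```

Run `check_challenge` on the unpacked directory before `make submit`; an empty list means the layout, NAME, PORT and flag format match the listing and the flag does not appear in the released files.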
Keep in mind that the best challenge should be fun and educational. Please don’t design a challenge that requires any random/pure guessing (but well-designed bruteforcing is fine).
You can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. There are a few sources that you can refer to: