TKCTF

Info

The last lab of the class is a 24-hour Capture The Flag (CTF) with challenges from various topics of the class. The challenges will be created by the staff and participating students. Teams of students will compete in the competition and earn points for lab 10.

The CTF will last from April 18, 3:00 pm EST until April 19, 3:00 pm EST.

Teams

Each team has up to 4 players.

Please log into the competition platform and create an account for each member and join your teams.

Only one member needs to create the team. They should share the team name and team password for other members to join. Please note that user and team names are fixed and cannot be changed after creation.

For the competition, we recommend that you create a team chat where you can easily communicate. Voice chat and screen sharing may be very helpful when you work on challenges together.

Scoring

The details of the scoring may be subject to change!

1. CTF scoring

The score in the CTF consists of two parts: attack points and defense points. This is NOT your actual class score – see the next section.

• Attack score: up to 500 points for each solved challenge

  • Dynamic scoring decreases the points per challenge as more teams solve it

  • The minimum score for each challenge is 250 (50%)

• Defense score:

  • 0 teams solve your challenge: 0 points

  • N/2 teams solve your challenge: 2500 points

  • N teams solve your challenge: 1250 points

  • Otherwise, your score is linearly interpolated within those ranges.

2. Translation of CTF score to class score

The class score is calculated as the sum of base points and ranking points.

• Base points:

  • 20 points, awarded for solving at least one challenge

• Ranking points:

  • First-place team, which scored Z CTF points, gets 380 ranking points.

    • “First-place team” might be either per-section or overall, depending on how many online-section/external teams participate.

  • Other teams, which scored X CTF points, get 380 * X/Z ranking points.

In other words, the first-place team gets 400 class points, and everyone else’s CTF scores will be scaled accordingly, with a minimum of 20.

Example: Team A scored 1500 points in the CTF, Team B scored 2000 points and wins the competition. Thus, Team B gets 400 class points: 20 base points + 380 ranking points. Team A also gets 20 base points. In addition, they get (1500/2000)*380=300 ranking points (linear scaling). Overall, Team A gets 320 (=20+300) points for the class score.

We may increase the base points if the average score is too low. In that case, the maximum possible ranking score decreases by the amount we increase the base points by (in other words, the first-place team will always have 400 points).

Challenge Template

Please check the competition platform for detailed instructions on how to submit your challenges to gain defense points.

The deadline for submission of challenges is TBD.

Make a private fork of https://github.com/sslab-gatech/ctf-template, and give the TAs access permission to the repo. Please keep track of your commit history! Make sure you add the GitHub repo link to your team profile.

The patch requirement is only needed if the challenge is pwnable (aka, exploitation depends on the presence of a bug). For other type of challenges, you don’t need a patch. You can check https://ctftime.org/writeups for other types of challenges, and you are free to submit any type of challenge. If a patch is needed but missing after submission, we will contact you to update your GitHub repository with a patch.

/NAME                : team-name:challenge-name (e.g., `staff:fmtstr`)
/PORT                : a port number
/test-all.sh         : a test script to validate the challenge
/test-patch.sh       : a test script to validate the patch

# all files to run your service
/docker/Dockerfile   : Dockerfile
       /target       : target binary
       /flag         : follow this format: tkctf{please submit this flag!}

# all files to be released to participants
/release/README.md   : guideline
        /target      : target binary, if you want to release it

# source/exploit for your team and organizer
/source/exploit.py   : exploit code
       /test.py      : functionality test
       /writeup.txt  : solution
       /patch.diff   : a patch to fix the bug
       /Dockerfile   : Dockerfile for the build environment
       /src/         : source code

$ git clone https://github.com/sslab-gatech/ctf-template

$ cd ctf-template
$ make help
prepare: prepare a docker image for compilation
build  : build the target
dist   : build the docker image
release: build the target, docker image and release them
run    : run the docker container
exploit: launch the exploit
test   : test the docker/exploit

Keep in mind that the best challenges are both fun and educational. Please don’t design challenges that requires any random/pure guessing (but well-designed bruteforcing is fine).

If you’d like, you can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. Here are a few sources you can refer to:

• https://ctftime.org/

• https://www.cvedetails.com/

• https://www.exploit-db.com/