TKCTF

Info

The last lab of the class is a 24-hour Capture The Flag (CTF) with challenges from various topics of the class. The challenges will be created by the staff and participating students. Teams of students will compete in the competition and earn points for lab 10.

The CTF will last from April 24, 3:00 pm EST until April 25, 3:00 pm EST.

Teams

Each team has up to 4 players.

We will announce details on how to register teams later. .. Please log into the competition platform .. and create an account for each member and join your teams.

Only one member needs to create the team. They should share the team name and team password for other members to join. Please note that user and team names are fixed and cannot be changed after creation.

For the competition, we recommend that you create a team chat where you can easily communicate. Voice chat and screen sharing may be very helpful when you work on challenges together.

Scoring

The details of the scoring may be subject to change!

1. CTF scoring

The score in the CTF consists of two parts: attack points and defense points. This is NOT your actual class score – see the next section.

  • Attack score: up to 500 points for each solved challenge

    • Dynamic scoring decreases the points per challenge as more teams solve it

    • The minimum score for each challenge is 250 (50%)

  • Defense score:

    • 0 teams solve your challenge: 0 points

    • N/2 teams solve your challenge: 2500 points

    • N teams solve your challenge: 1250 points

    • Otherwise, your score is linearly interpolated within those ranges.

2. Translation of CTF score to class score

The class score is calculated as the sum of base points and ranking points.

  • Base points:

    • 20 points, awarded for solving at least one challenge

  • Ranking points:

    • First-place team, which scored Z CTF points, gets 380 ranking points. - “First-place team” might be either per-section or overall, depending on how many online-section/external teams participate.

    • Other teams, which scored X CTF points, get 380 * X/Z ranking points.

In other words, the first-place team gets 400 class points, and everyone else’s CTF scores will be scaled accordingly, with a minimum of 20.

Example: Team A scored 1500 points in the CTF, Team B scored 2000 points and wins the competition. Thus, Team B gets 400 class points: 20 base points + 380 ranking points. Team A also gets 20 base points. In addition, they get (1500/2000)*380=300 ranking points (linear scaling). Overall, Team A gets 320 (=20+300) points for the class score.

We may increase the base points if the average score is too low. In that case, the maximum possible ranking score decreases by the amount we increase the base points (in other words, the first-place team will always have 400 points).

Challenge Template

The deadline for challenge submission will be announced later. Challenge submission is optional (but necessary to score defense points).

The challenge template is available at https://tc.gts3.org/cs6265/2026-spring/_static/ctf-template.zip. .. Submit a link to your challenge archive through .. this form.

You can submit a pwnable challenge (class-style challenges) or another type. You can check https://ctftime.org/writeups for other types of challenges, and you are free to submit any type of challenge.

/NAME                : team-name:challenge-name (e.g., `staff:fmstr`)
/PORT                : a port number

# all files to run your service
/docker/Dockerfile   : Dockerfile
       /target       : target binary
       /flag         : follow this format: tkctf{please submit this flag!}

# all files to be released to participants
/release/README.md   : guideline
        /target      : target binary, if you want to release

# source/exploit for your team and organizer
/source/exploit.py   : exploit code
       /test.sh      : build docker, run, run exploit.py and print out flag
       /writeup.txt  : solution
       /src/         : source code

  1. Change the NAME file to your challenge name: teamname:challenge (e.g., staff:fmtstr)

  2. Change the docker/flag file as you wish, but wrap it inside tkctf{...} (e.g., tkctf{please submit this flag!})

The source code of the challenge locates in source/src/, which contains its source (fmtstr.c) and makefile (Makefile). The makefile includes various defense options you can enable (e.g., CFLAGS += -fstack-protector). Please carefully enable them as you’d like for your challenge.

$ wget https://tc.gts3.org/cs6265/2026-spring/_static/ctf-template.zip
$ unzip ctf-template.zip

$ cd ctf-template
$ make help
dist  : build the target and distribute to docker/release
build : build the docker image
run   : run the docker container
test  : test the exploit
submit: zip for submission

Keep in mind that the best challenges are both fun and educational. Please don’t design challenges that require any random/pure guessing (but well-designed bruteforcing is fine).

You can replicate real security vulnerabilities, like mini-sudo or mini-heartbleed. There are a few sources that you can refer to: