Game Rules


In each lab (every week), you are asked to solve a set of challenges (typically 10 challenges except for the first two weeks). For each challenge, you have to submit three things via the scoreboard: the flag you got from the challenge, the exploit that you wrote, and the write-up that summarizes how you formulated the exploit (see below).

A flag is a 512-byte hex string (like below) and you can find it in /proc/flag once you properly initialize the distributed VM.

$ cat /proc/flag

Your job is to read this flag by exploiting the distributed challenges.

Taking actions #1 (Registration)

  1. You should provide your own public key to us. Let’s generate your private and public key pair.
[host] $ sudo apt-get install openssh-client
[host] $ ssh-keygen
Generating public/private rsa key pair.

# select your key location
Enter file in which to save the key (/home/YOUR_ID/.ssh/id_rsa):
=> type YOUR_LOCATION or use default path

# type password
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

# check your key location
Your identification has been saved in YOUR_LOCATION.
Your public key has been saved in YOUR_LOCATION.
  1. Register your account and receive an api-key
  • Visit the submission site: here. You will use the registration menu.
  • Input your e-mail address (we only accept account) and click the Email api-key button.
  • Once you succeed, you will receive an email including your API-key. You will use this api-key when you login to the course website.
  1. Login and upload your public key
  • Go back to the submission site: here. You will use the Login menu.
  • Input your received api-key and click the Submit api-key button.
  • After login, follow the Upload public-key link.
  • Paste your public key contents and click the Submit button.
  1. After you upload your public key, we will generate your account on the course CTF server. Then, you can connect to the server and begin your lab challenges. When you log in to the CTF server, you should use your email account as the username (e.g., username for is abc). Since Linux machines consider a username containing a dot (.) a bad name, we don’t allow students to use an email account with a dot.
# login to one of CTF servers
[host] $ ssh -p 2022

# checkin
[CTF_server] $ checkin
Find your api-key at
Enter api-key> VRQW0P7AI79T6....

# let's start lab01!
[CTF_server] $ cd /home/seclab/
[CTF server] $ cd lab01
[CTF server] $ cat README
[CTF server] $ ./bomb
  • These are the available servers for your study. You can choose any one from this list.
# For current week
[host] $ ssh -p 2022
[host] $ ssh -p 2023
[host] $ ssh -p 2022
[host] $ ssh -p 2023

# For previous week (1 week late submission, 50% score)
[host] $ ssh -p 2024
[host] $ ssh -p 2024
  1. Submit your solution and flag
# Submit Flag
[CTF server] $ /home/seclab/bin/submit -l <lab-name> -p <problem-name> -f <path-to-file>

# Submit Writeup
[CTF server] $ /home/seclab/bin/submit -l <lab-name> -p <problem-name> -w <path-to-file>

# NOTE. you don't get a score until you submit writeup
# NOTE. you can also submit your flag and writeup through the class website

Taking actions #2 (Building local environment)

Although you can solve all challenges on the remote server, it may be inconvenient because you may not be able to install your own toolbox. In this case, you can build your own environment. However, you still have to read /proc/flag through the course CTF server to get a real flag.

To build your own environment:

  1. Download and install Virtualbox/Vagrant

Note: Ubuntu users may want to use the following commands to install Virtualbox and Vagrant

[host] $ sudo apt-get install virtualbox
[host] $ sudo apt-get install vagrant
  1. Add guest OS and run the VM
# download a 64-bit VM
[host] $ vagrant box add
==> box: Loading metadata for box 'ubuntu/trusty64'
    box: URL:
==> box: Adding box 'ubuntu/trusty64' (v20160822.0.0) for provider: virtualbox
    box: Downloading:
==> box: Successfully added box 'ubuntu/trusty64' (v20160822.0.0) for 'virtualbox'!

# move to your working directory
[host] $ mkdir seclab
[host] $ cd seclab

# initialize the VM
[host] $ vagrant init ubuntu/trusty64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`` for more information on using Vagrant.

# launch!
[host] $ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'ubuntu/trusty64'...

[host] $ vagrant ssh
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
  1. Once you have the VM up and running, let’s initialize your VM for this course:
# check your kernel version
[vm] $ uname -a
Linux vagrant-ubuntu-trusty-64 3.13.0-135-generic #184-Ubuntu SMP Wed Oct 18 11:55:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

# in the VM, install git/gcc
[vm] $ sudo apt-get update
[vm] $ sudo apt-get install git
[vm] $ sudo apt-get install gcc-multilib

# it's time for setting up your environment
[vm] $ git clone git:// seclab
[vm] $ cd seclab
[vm] $ ls
README    ; general info
bin/      ; scripts
lab/lab01 ; binaries for lab01

# initialize your working environment (need to be done once per lab)
[vm] $ ./bin/init

# you should type your api-key
Find your api-key at
Enter api-key>
  1. To do labs:
# to do lab1
[vm] $ git pull
[vm] $ cd lab01
[vm] $ cat README
[vm] $ ./bomb

# NOTE. test your environment setup
[vm] $ bin/checkin

Feel free to ask for help on Piazza or at office hours if you have any trouble during the setup.

General rule

If not specified (e.g., first two weeks), we will follow the scoring rules stated below:

  • Approximately 10 challenges every week.
  • 20 points (flag) x 1.0 (write-up/exploit) = 20 points (each challenge).
  • 200 points (20 points x 10 challenges) are the maximum points, in theory.
  • Bonus: first and second bloods (i.e., fastest solvers) will get 10 and 5 bonus points respectively for each challenge.
  • Late policy: 50% of the original points (only within one week past the due date).

Write-up sample

In this problem, ebp and ret values are protected by gsstack. While
debugging, you can see all ebp and ret values are being tracked and
stored somewhere. However, when you make an input large enough, you
will see that a function pointer will be overwritten. And the
overwritten value will be stored in EAX and make it jump at
<main+96>. I put my shellcode as env, get the address, and put it. In
my case, the function pointer (0x08048b0a at 0xbffff654) was
overwritten. So we could learn, we could jump using the weak point even
though the stackshield is working on.

  $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')