CY 2550 - Foundations of Cybersecurity
Project: Web Capture the Flag
Description and Deliverables
In this project, you will gain hands-on experience using web and browser-based exploits to make a web service do things its developers never intended. Like the previous exploit-based project, this project is structured as a Capture The Flag (CTF), a common format in cybersecurity competitions. You will be given access to a vulnerable website, and your task is to locate five flags hidden in the site and its surrounding files. The flags get progressively harder to find: flag 1 is easier to find than flag 3, for example, and flag 5 is the most challenging.
To receive full credit for this project, you will turn in a single file:
- A file named project9/flags.txt that contains the flags that you will capture from the target website.
Getting Started with NUReddit
Northeastern has launched a new anonymous, private Reddit-style site so its students can communicate with each other during the pandemic. The site was developed by NEU students who do not understand the basic web security principles taught in CY2550 and have unintentionally introduced multiple vulnerabilities.
However, a group of malicious hackers from fancyracoon has vandalized your private subreddit with a bogus post. Using some of the vulnerabilities they discovered, they were also able to modify the site's source code and plant backdoors in posts, the search bar, and comments. It is up to you to figure out the username of the imposter account and change the content of their post to something more accurate.
- You must first log in to the site. Only authorized users with valid logins can see the content. To retrieve your NUReddit login credentials, decrypt the message from the Project 2 autograder in Gradescope with your PGP private key (for example, gpg --decrypt on the saved message). The site is located at https://nureddit.com.
- Each student has their own subreddit. After logging in, go to your private subreddit, which is named after your GitHub username plus some random characters. There you will find the malicious post, and you can begin looking for a way to manipulate its content.
- Once you get a sense of how basic the implementation failures in this site are, start looking for other classic web vulnerabilities.
Finding the flags gets harder as you progress through the project. The first few flags require attention to detail and some clever thinking about how the site is designed and what you should and should not be able to do. To locate all five flags, you will need to successfully exploit every vulnerability present in the site, all of which are vulnerabilities you have seen in class. These include, but are not limited to, cross-site scripting (XSS) and SQL injection.
One key tool for this project is your browser's Developer Tools (right-click -> Inspect). They show you the page source, every file and resource the site requests, and the HTTP requests and responses (including headers and cookies) exchanged with the server, among other useful things. Tools like Postman and Burp Suite are used in real-world engagements, but the Developer Tools will be the easiest and most accessible option for most students.
Identifying Flags
Your goal is to locate the five flags the vandals have hidden throughout the NUReddit site. Along the way, you will be able to change the content of the malicious post and determine the identity of the user who posted it. All flags have the following format:
flag#:<64 characters of digits and letters a-f>
For example, a flag might look like this:
flag1:d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1
The flags can be anywhere within the NUReddit website: in the page source, in headers sent between the browser and the server, in databases stored on the server, behind an XSS payload, and so on. Because every flag matches the case-sensitive pattern flag[1-5]:[0-9a-f]{64}, searching page source, response bodies, and query results for that pattern is a quick way to confirm you have found one. All five flags are reachable; none is hidden in a way that requires wizard-level exploitation skills or brute force to locate. You do not need to write any code or programs to exploit this site.
Note: All flags are unique per user and per subreddit.
Rules
To make this assignment fun for everyone, we ask that students obey some basic rules of decorum.
- To keep the site private within the class, we ask you do not share the URL of the website with people outside of this class.
- Do not mount denial-of-service attacks against the server. Examples include, but are not limited to, intentionally running large numbers of processes to consume CPU and memory, flooding the server with network traffic, and scraping the website. In particular, do not scrape the website.
- Do not attack your classmates. This includes attempting to crack their passwords and access subreddits you’re not supposed to.
- This website is intentionally vulnerable, which means you will be able to do destructive things that (hopefully) you could not do on a normal site. Do not perform any destructive actions that would harm the integrity of the backend server or database. If you find a vulnerability that does not eventually lead you to a flag and could be destructive, let the course staff know as soon as possible.
WARNING: Follow the Rules!
File Format for flags.txt
To receive full credit on this assignment, you must turn in a single plain-text file named flags.txt (ASCII, Unix-style LF line breaks) that contains the flags you have recovered.
You should create a file named project9/flags.txt that contains your captured flags, one flag per line and nothing else. For example, your flags.txt file might look like the following:
flag1:d1bc8d3ba4afc7e109612cb73acbddeac052c93025aa1f82942edabb7deb82a1
flag2:de0b9a001c104c5bef8bc23afe379de3cd657bfcee00f7aa0829d0ed1e457106
flag3:0ac837a51686ab59ab1a3894fa910ee58dd597ed18cba114cd2a28bb05b8b6d9
flag4:f7530598a6ced26e95e8364fa64cdbe6cd24a499d12f4a923b5c48e1abc0f9ca
flag5:31484bcfc21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a44
Your file should contain exactly five flags.
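The flag format and the flags.txt rules above are easy to get subtly wrong (a CRLF line ending from a Windows editor, an uppercase hex digit copied from a tool, a pasted curly quote, flags out of order), and the autograder will not tell you which. The following checker is an added example for this page, not part of the course materials or the autograder; the script name check_flags.py and the default path project9/flags.txt are assumptions, and the sample inputs at the bottom are constructed, not real flags.

```python
"""Sanity-check a flags.txt before committing it.

Added example for this page; it is not part of the course materials or the
autograder. It enforces the constraints the assignment states: plain ASCII,
Unix-style LF line breaks, exactly five lines, each of the form
flag#:<64 lowercase hex characters>, numbered flag1 through flag5 in order.
"""
import re
import sys

# Case-sensitive and anchored: uppercase hex, extra spaces or a stray suffix all fail.
FLAG_RE = re.compile(r"^flag([1-5]):([0-9a-f]{64})$")
EXPECTED_LINES = 5


def validate_flags(data: bytes) -> list[str]:
    """Return the problems found in the raw file bytes; an empty list means valid."""
    problems: list[str] = []
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        # A single non-ASCII byte (a BOM, a curly quote pasted from a PDF) fails the whole file.
        return [f"file is not ASCII: byte 0x{data[exc.start]:02x} at offset {exc.start}"]

    if "\r" in text:
        problems.append("Windows (CRLF) line breaks found; convert to LF")
        text = text.replace("\r\n", "\n").replace("\r", "\n")
    if text and not text.endswith("\n"):
        problems.append("last line has no trailing newline")

    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the trailing newline terminates the last line; it is not a blank line
    if len(lines) != EXPECTED_LINES:
        problems.append(f"expected {EXPECTED_LINES} lines, found {len(lines)}")

    for lineno, line in enumerate(lines, start=1):
        match = FLAG_RE.match(line)
        if match is None:
            problems.append(f"line {lineno}: does not match flag#:<64 hex chars>: {line!r}")
            continue
        if int(match.group(1)) != lineno:
            problems.append(f"line {lineno}: expected flag{lineno}, found flag{match.group(1)}")
    return problems


# Constructed sample inputs (not real flags) so the script runs stand-alone.
_HEX = "0123456789abcdef" * 4  # 64 hex characters, the length of a SHA-256 digest
SAMPLE_GOOD = "".join(f"flag{i}:{_HEX}\n" for i in range(1, 6)).encode("ascii")
SAMPLE_BAD = (
    b"flag1:" + _HEX.encode("ascii") + b"\r\n"            # CRLF line break
    + b"flag3:" + _HEX.encode("ascii") + b"\n"            # flag2 missing, so out of order
    + b"flag4:" + _HEX.upper().encode("ascii") + b"\n"    # uppercase hex is not in the format
    + b"flag5:" + _HEX.encode("ascii")[:63] + b"\n"       # one character short
)

if __name__ == "__main__":
    # Usage: python check_flags.py [path]. Defaults to the assumed repo path
    # project9/flags.txt and falls back to the constructed bad sample if it is missing.
    path = sys.argv[1] if len(sys.argv) > 1 else "project9/flags.txt"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        print(f"{path} not found; checking the constructed SAMPLE_BAD instead")
        data = SAMPLE_BAD
    found = validate_flags(data)
    for problem in found:
        print("flags.txt:", problem)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

The checker works on raw bytes rather than a decoded string on purpose: opening the file in text mode would silently translate CRLF and hide exactly the defect you want to catch. Run it from the repository root before you commit; a non-zero exit status means the file will not be accepted as-is.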
Submitting Your Project
To submit your project, do the following:
- Create a directory ~/cy2550/project9 inside the folder that holds your git repository.
- Copy your flags.txt file into ~/cy2550/project9.
- Add the file to your repository, commit it with a signed commit (git commit -S), confirm the signature with git log --show-signature -1, and push the commit to GitHub.
- Submit your repository to Gradescope.
Grading
This project is worth 10% of your final grade, broken down as follows (out of 100):
- 19 points per flag (five flags, 95 points total)
- 5 points for signing your commit
Tips
CTF projects are puzzles: they're best when students figure things out for themselves. Thus, we're reluctant to post tips openly that would give away key aspects of the game. That said, if you feel stuck, or don't know where to begin, that is okay. Start by exploring the site using the hints given above, and think about the types of attacks we have just discussed in class and how they might apply here.
If you're still stuck, please talk to the professor or the TAs privately, on Piazza, by email, or in office hours, and we will be happy to help you get started. We want everyone to enjoy the CTF, so if you feel like you're not making progress and the project is giving you grief, come talk to us!