CY 2550 - Foundations of Cybersecurity

Project: Web Capture the Flag

This project is due at 11:59pm on Friday, April 23, 2021.

Description and Deliverables

In this project, you will gain hands-on experience using web and browser-based exploits to make a web service do things its designers did not intend. Like the previous exploit-based project, this project is structured as a Capture The Flag (CTF), a common format in cybersecurity competitions. You will be given access to a vulnerable website, and your task is to locate five flags hidden in the application and its surrounding files. You are required to find all five flags; the difficulty increases with each flag, so flag 1 is easier to find than flag 3, for example, and the fifth flag is the most challenging.

To receive full credit for this project, you will turn in a single file:

  1. A file named project9/flags.txt that contains the flags that you will capture from the target website.
The exact format of this deliverable is described in detail below.

Getting Started with NUReddit

Northeastern has launched a new anonymous private reddit for its students to be able to communicate with each other during the pandemic. The site was developed by NEU students who do not understand basic web security principles from CY2550 and have unintentionally created multiple vulnerabilities.

However, a group of malicious hackers from fancyracoon have vandalized your private subreddit by making a bogus post. Additionally, through some of the vulnerabilities they discovered, they were able to edit the source code of the site and created backdoors on posts, the search bar, and comments. It is up to you to figure out the username of the imposter account and change the content of their post to be more accurate.

  1. You must first login to the site. Only authorized users with valid logins can see the content. In order to retrieve your login credentials for NUReddit you will need to decrypt the message from the Project 2 autograder in Gradescope using your PGP private key. The site is located at https://nureddit.com.
  2. Each student has their own subreddit. After successfully logging in, head to your private subreddit which is named after your github username plus some random characters. There you will find the malicious post, and you can begin looking for a way to manipulate its content.
  3. You should learn how the site works by posting a new message in your subreddit. Use the Developer Tools in your browser, especially the JavaScript console, to see how posting works. Inspect the source of the page. Play with the options available to you as the creator of the post. Learning how the site works will help you remove the malicious post. You can find basic JavaScript tutorials with a few searches, but you won't need to be an expert to make it through the assignment.
  4. As you begin to see how basic the implementation failures in this site are, start looking for other classic web vulnerabilities.
  5. Finding the flags increases in difficulty as you progress through the project. The first few flags require attention to detail and some clever thinking about how the site is designed and what you should and should not be able to do. To locate all five flags, you will need to successfully exploit all of the vulnerabilities present in the site (all of which are vulnerabilities you have seen in class). This includes, but is not limited to, cross-site scripting (XSS) and SQL injection.

    One key tool for starting this project is the Developer Tools panel in your browser (right-click -> Inspect). It shows you the source code of the page and every file and resource the site requests, among other useful things. Tools such as Postman and Burp Suite are used in real-world testing, but the Developer Tools will be the easiest and most accessible option for most students.

Identifying Flags

Your goal is to locate the five flags the vandals have hidden throughout the NUReddit site. Along the way, you will be able to change the content of the malicious post and determine the identity of the user who posted it. All flags have the following format:
flag#:<64 characters of digits and letters a-f>
For example, a secret flag might look like this:
flag1:d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1
The secret flags can be anywhere within the NUReddit website: inside the source code, inside headers sent between the browser and the server, inside databases stored on the server, behind XSS, etc. It is entirely feasible to find all five flags; none has been hidden in a way that requires wizard-level exploitation skills or brute force to locate. You do not need to write any code or programs to exploit this site.

Note: All flags are unique per user and per subreddit.

Rules

To make this assignment fun for everyone, we ask that students obey some basic rules of decorum.
  1. To keep the site private within the class, we ask you do not share the URL of the website with people outside of this class.
  2. Do not launch denial-of-service attacks against the server. Examples of denial-of-service attacks include, but are not limited to, intentionally running large numbers of processes to consume CPU and memory, flooding the server with network traffic, and scraping the website. Do not scrape the website.
  3. Do not attack your classmates. This includes attempting to crack their passwords and access subreddits you’re not supposed to.
  4. This website is supposed to be intentionally vulnerable. This means you will have power to do destructive things that (hopefully) you shouldn’t be able to do on a normal site. Do not perform any destructive actions that will harm the integrity of the backend server or database. If you find a vulnerability that does not eventually lead you to a flag and has the possibility to be destructive, let the course staff know ASAP.

WARNING: Follow the Rules!

Any student that fails to follow these rules, i.e., intentionally attempts to make mischief, will receive a zero on the assignment. That said, we understand that mistakes happen! If you accidentally make changes to accounts that you believe may hinder others' abilities to complete the assignment, let us know immediately and we will repair the situation.

File Format for flags.txt

To receive full credit on this assignment, you must turn in a single (ASCII formatted with Unix-style line breaks) text file named flags.txt that contains the flags that you have recovered.

You should create a file named project9/flags.txt that contains your captured flags. Each flag should be on its own line. For example, your flags.txt file might look like the following:

flag1:d1bc8d3ba4afc7e109612cb73acbddeac052c93025aa1f82942edabb7deb82a1
flag2:de0b9a001c104c5bef8bc23afe379de3cd657bfcee00f7aa0829d0ed1e457106
flag3:0ac837a51686ab59ab1a3894fa910ee58dd597ed18cba114cd2a28bb05b8b6d9
flag4:f7530598a6ced26e95e8364fa64cdbe6cd24a499d12f4a923b5c48e1abc0f9ca
flag5:31484bcfc21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a44
Your file should contain exactly five flags, each on its own line, numbered flag1 through flag5.
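Because points are lost for an incorrectly formatted deliverable (wrong line breaks, non-ASCII bytes, wrong number of flags), it is worth checking flags.txt before committing it. The following checker is an added example, not part of the assignment handout; it encodes only the constraints stated above (ASCII, Unix line breaks, exactly five lines, each of the form flag<N>:<64 lowercase hex characters>, numbered 1 through 5). The "good" sample reuses the example values from the handout; the "bad" sample is constructed to show several failures at once.

```python
"""Format checker for the project9/flags.txt deliverable (added example)."""
import re
import sys

# flag#:<64 characters of digits and letters a-f>, with # in 1..5
FLAG_RE = re.compile(r"^flag([1-5]):([0-9a-f]{64})$")
EXPECTED_COUNT = 5


def validate_flags(data: bytes) -> list:
    """Return a list of problems found in the raw file bytes; an empty list means valid."""
    problems = []

    # The deliverable must be plain ASCII (no BOM, no UTF-8 characters).
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        return ["file is not ASCII: %s" % exc]

    # Unix-style line breaks only: any CR byte means Windows/Mac line endings.
    if "\r" in text:
        problems.append("CR found: use Unix-style (LF only) line breaks")
        text = text.replace("\r\n", "\n").replace("\r", "\n")

    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # tolerate a single trailing newline

    seen = {}
    for lineno, line in enumerate(lines, 1):
        match = FLAG_RE.match(line)
        if not match:
            problems.append("line %d does not match flag#:<64 hex chars>: %r" % (lineno, line))
            continue
        number = int(match.group(1))
        if number in seen:
            problems.append("line %d: flag%d listed more than once" % (lineno, number))
        seen[number] = match.group(2)

    missing = sorted(set(range(1, EXPECTED_COUNT + 1)) - set(seen))
    if missing:
        problems.append("missing flags: " + ", ".join("flag%d" % n for n in missing))
    if len(lines) != EXPECTED_COUNT:
        problems.append("expected exactly %d lines, found %d" % (EXPECTED_COUNT, len(lines)))
    return problems


# Sample input built from the handout's own example flags.
GOOD_SAMPLE = "".join(line + "\n" for line in [
    "flag1:d1bc8d3ba4afc7e109612cb73acbddeac052c93025aa1f82942edabb7deb82a1",
    "flag2:de0b9a001c104c5bef8bc23afe379de3cd657bfcee00f7aa0829d0ed1e457106",
    "flag3:0ac837a51686ab59ab1a3894fa910ee58dd597ed18cba114cd2a28bb05b8b6d9",
    "flag4:f7530598a6ced26e95e8364fa64cdbe6cd24a499d12f4a923b5c48e1abc0f9ca",
    "flag5:31484bcfc21affe09f9656f306b645e9877dd9aa84d1957447effe49abea0a44",
]).encode("ascii")

# Constructed bad input: CRLF line breaks, a 63-character flag2, flag3 twice,
# and only four lines, so flag2, flag4 and flag5 end up missing.
BAD_SAMPLE = (
    b"flag1:" + b"0" * 64 + b"\r\n"
    + b"flag2:" + b"0" * 63 + b"\r\n"
    + b"flag3:" + b"0" * 64 + b"\r\n"
    + b"flag3:" + b"0" * 64 + b"\r\n"
)


def main(argv):
    """Check the file named on the command line, or the embedded samples if none is given."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            problems = validate_flags(fh.read())
        for p in problems:
            print("PROBLEM:", p)
        print("OK" if not problems else "%d problem(s) found" % len(problems))
        return 0 if not problems else 1
    for name, sample in (("good sample", GOOD_SAMPLE), ("bad sample", BAD_SAMPLE)):
        print(name + ":", validate_flags(sample) or "OK")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_flags.py ~/cy2550/project9/flags.txt` before you commit; a non-zero exit status means the file would not pass the stated format requirements.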

Submitting Your Project

To submit your project, do the following:
  1. Create a directory ~/cy2550/project9 in the folder corresponding to your git repository.
  2. Copy your flags.txt file to the ~/cy2550/project9 folder.
  3. Add these files to your repository, commit and sign them, and push the committed files to GitHub.
  4. Submit your repository to Gradescope.

Grading

This project is worth 10% of your final grade, broken down as follows (out of 100): Points can be lost for turning in files in incorrect formats (e.g. not ASCII with Unix line breaks), failing to follow the specified formatting and naming conventions, or signing your commit with the wrong keys.

Tips

CTF projects are puzzles: they're best when students are allowed to figure things out for themselves. Thus, we're reluctant to post tips openly that would give away key aspects of the game. That said, if you feel stuck, or like you don't know where to begin, that is okay! Begin by exploring the site using the hints given above. Think about the types of attacks we have just discussed in class and how they might apply here.

If you're still stuck, please talk to the professor or the TAs privately, either on Piazza, email, or office hours, and we will be happy to help you get started. We want everyone to enjoy the CTF, so if you feel like you're not making progress and the project is giving you grief, come talk to us!