Capture the Flag Exercise 2

In this exercise each team will play the defender role (Blue team) for their own system and the attacker role (Red team) for another team's system. The team composition and pairing is the following:
TeamMembersAttacks teamMentor
1Zhou, Jiachen
Gerow, Michael
Puncel, Robert
2Hao Shi
2Wang, Jiahua
Garcia, Elizabeth
Kapitanski, Eric
3Simon Woo
3Rodriguez, Priscilla
Del Guercio, Chris
McLaughlin, Christopher
Batni, Prabhanjan
1Xiyue Deng
Here are the goals and responsibilities of Red and Blue teams.

Blue team

This team will start with a server and a gateway machine, connected by 100 Mbps link. The server is a classical LAMP server and will have some php scripts and MySql database already set up. The scripts allow users to register (insert username and pass into the database) and to deposit or withdraw money from their accounts, or to check balance and transaction history. The scripts are poorly written. There is no input validity checking and no user authentication. Access to database is with a root account. Existing users have weak passwords too.

The task of the Blue team is to fix this installation so that it is more secure. Any approach is OK to use. You can reinstall MySql, change DB schema, change user account passwords (but you must keep existing users), change PHP code, etc. The Blue team should also develop a monitoring program for the gateway machine and for the server so that they can quickly spot if the Red team launches denial-of-service and so that they can defend from it. One way to defend from it is to implement some filtering at the gateway machine via iptables.

You can borrow code from online sources but you need to understand what it does and how.

The goal of the Blue team is to keep accounts of existing users intact, to ensure correct operation of the program (e.g., one cannot withdraw money from an account with a zero balance), and keep the server up and running. If the server gets compromised or attacked, the Blue team should strive to bring it back up quickly and to patch it.

Red team

The Red team will have control over the three client machines. They should program one of those to send only legitimate traffic, and two can be used for various attacks. Since responses to this traffic will be used to evaluate if the server is running, requests must come with at least 1 request per second frequency.

The goal of the Red team is to corrupt the DB accounts of the existing users, to lead the server program into unexpected behavior (e.g., withdraw money that does not exist in an account, corrupt the DB, etc.), or to bring down the server (either through compromise or through denial of service). Any attack is on the table, even breaking Blue team's passwords.

You can borrow code from online sources but you need to understand what it does and how.

How Scoring Works

The Blue team receives a point for each message that the server processes and sends a reply for (this could be an error message if the client request was found to be invalid). Conversely the Red team scores a point for each message that the server cannot process. The Blue team will also score points for each correct processing of a message, and for incorrect operation points will go to the Red team. All messages and all replies will be logged at the server.

Exercise Dynamics

Teams will need to simultaneously act as Blue team and Red team throughout the 2h exercise. We will then have a 10 min break followed by a post-mortem discussion and selection of a winning team.

How Grading Works

Each team member will be graded based on their contribution to the team effort, not based on the team's performance. After the exercise each team member will submit a report containing the list of contributions they made to the team effort - e.g., modules that they coded, testing and setup they performed, etc. All team members must sign each report. Reports will be delivered to the instructor in class on May 3. The grades will be assigned based on the report and based on the team mentor's input.

How to Prepare

Each team should practice by swapping in an experiment using /proj/CISC499/ctf2.ns file. Then on the server machine they can run /proj/CISC499/ctf2/install-server (type "rootmysql" during MySql installation). This will lead to the identical setup as the one during CTF2 exercise.

Teams should develop most of their code in week 1, then use week 2 to polish it and attack it themselves to find vulnerabilities.

Useful Links

  1. You can use netcat to send packets in a DDoS attack. To install do apt-get install netcat. Also see netcat manual.
  2. You can use tcpdump to record network traffic. You can develop your own scripts to analyze it.
  3. You can also look at Web server logs at /var/log/apache2.