Preparations
Docker Reference image
We provide you with a Docker reference image. The reference image is based on Ubuntu and contains pre-installed tools and compilers that help you throughout the assignments. The Docker image can be used via the docker.sh script located in the upstream repository.
To get the latest Docker image, execute ./docker.sh update
To run Docker in the current directory, execute ./docker.sh run
To run Docker in a different directory named hackme, for example, execute ./docker.sh run hackme
If you run this script inside a hacklet directory, it automatically executes the execute-permission.sh script, which runs your exploit with the correct permissions.
Solving a Hacklet
As mentioned in the tutorial, write your solution into the file exploit and test it with the provided Docker image, e.g., by executing ./docker.sh run warmup. Your exploit was successful if it prints the contents of the file flag.txt to stdout. In addition, the exploit has to write the flag to a file named solution.txt.
Also ensure that your exploit uses the original main.elf file. We will test your exploit against the original file only!
A successful run could look as follows:
/tmp/ssd2020/hacklets> ./docker.sh run warmup
Running Docker
Please observe the following:
1. [...]
[+] Starting local process './main.elf': pid 20
SSD{TH1S_IS_A_local_TEST_FL4G!!}
Flag format
All hacklets, except the ones indicated below, use the following flag format: SSD{[A-Za-z0-9_!]{27}}, e.g. SSD{TH1S_IS_A_local_TEST_FL4G!!}.
We will test your exploit with different flags. You will only get points for a hacklet if the flag is recognized on our test system.
Fair Play
- Do not plagiarize. If you do so, you will get zero points and fail the course.
- Do not manipulate the hacklets inside your exploit scripts, e.g. disabling ASLR, preloading, etc. where it is not explicitly allowed. Especially, your exploit scripts are not allowed to use root privileges. We expect you to solve the hacklets in the intended way. In case of doubt, ask in the Discord channel.
- Any attempt to attack our server infrastructure will disqualify you from the course.
Assignment Warmup
Submission tag: warmup
Deadline: Fr 23.10.2020 23:59
In this assignment, you shall solve an introductory hacklet to get started. This assignment is mandatory but does not give any points. Instead, by solving it you show your intent to actually do this course. If you do not solve it, you won’t get a grade.
You will find the hacklet in the upstream repository under hacklets/warmup
Assignment Hacklets 1
Submission tag: h1
Deadline: Fr 6.11.2020 23:59
In this exercise you take the role of a security consultant who has been asked to audit multiple small C and C++ applications, called "hacklets" for the remainder of this document, for potential security issues. After a series of strange incidents, bad news coverage, and an increasing number of bug reports by angry users claiming loss of data and disclosure of private information due to security problems in the hacklets, you have been hired to audit the code. Note that your fictional employer in this scenario currently considers information security a nice-to-have-but-not-mission-critical-if-missing feature.
You will find the hacklet in the upstream repository under hacklets/hacklets1
Organizational
- You can achieve 6 regular points, which equals 24% of your overall grade.
Hacklets
Strings
Terminator (1pt):
- Show me your terminator skills!
Environment
Race To The Win (1pt):
- Can you be faster than the access check? Demonstrate your knowledge of TOCTTOU.
Format Strings
Reveal The Secret (1pt):
- Eddie Snowden hid secret information from the NSA in the binary. Could you reveal it by exploiting a format string vulnerability?
Integer Overflows
Rust (1pt):
- Rust is safe from memory corruption issues and overflow problems, right?
Buffer Overflows
Random Pin Generator (1pt):
- I am really bad at remembering PIN codes, can you find another way to get to my money?
Heap
First Fit (1pt):
- The CIA told me that there is a three-letter vulnerability in this hacklet. Can you tell me how to solve this hacklet?
Assignment Hacklets 2
Submission tag: h2
Deadline: Fr 13.11.2020 23:59
In this exercise you take the role of a security consultant who has been asked to audit multiple small C and C++ applications, called "hacklets" for the remainder of this document, for potential security issues. After a series of strange incidents, bad news coverage, and an increasing number of bug reports by angry users claiming loss of data and disclosure of private information due to security problems in the hacklets, you have been hired to audit the code. Note that your fictional employer in this scenario currently considers information security a nice-to-have-but-not-mission-critical-if-missing feature.
You will find the hacklet in the upstream repository under hacklets/hacklets2
Organizational
- You can achieve 6 regular points, which equals 15% of your overall grade.
- Furthermore, you can achieve 3 bonus points, which equals 9% of your overall grade.
Hacklets
Misc
Trigraphs (1pt):
- C was designed in English and assumes the common English character set, which includes such characters as {, }, [, ], and so on. Some other languages, however, do not have these or other characters which are required by C. To solve this problem, the 1989 C standard in section 5.2.1.1 defined a set of trigraph sequences which can be substitutes for the symbols and which will work in any situation. In fact, the first translation phase of compilation specified in the 1989 C standard (section 5.1.1.2) is to replace the trigraph sequences with their corresponding single-character equivalents.
Can you find a flaw in our trigraphs implementation and exploit it to get the flag?
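As an added illustration of the translation phase described above (example code written for this page, not the course's trigraph implementation or any hacklet code), the following Python performs the C89 phase-1 trigraph replacement and the phase-2 line splicing that follows it, plus a small audit helper that lists every trigraph in a source file. The sample C fragment is constructed and shows why GCC's -Wtrigraphs warning exists: a trigraph at the end of a comment can splice the next line into that comment.

```python
import re

# The nine trigraph sequences from ISO C (C89 section 5.2.1.1) and their replacements.
TRIGRAPHS = {
    "??=": "#", "??(": "[", "??/": "\\", "??)": "]", "??'": "^",
    "??<": "{", "??!": "|", "??>": "}", "??-": "~",
}
TRIGRAPH_RE = re.compile(r"\?\?[=(/)'<!>-]")


def expand_trigraphs(source: str) -> str:
    """Translation phase 1: replace every trigraph by its single character.

    One left-to-right pass; replacement text is never rescanned, so
    "??/??=" becomes "\\#" and "???=" becomes "?#", as the standard requires.
    """
    return TRIGRAPH_RE.sub(lambda m: TRIGRAPHS[m.group(0)], source)


def splice_lines(source: str) -> str:
    """Translation phase 2: a backslash immediately before a newline joins the
    physical line with the next one."""
    return source.replace("\\\n", "")


def phases_1_and_2(source: str) -> str:
    """What the compiler actually sees after the first two translation phases."""
    return splice_lines(expand_trigraphs(source))


def find_trigraphs(source: str) -> list:
    """Audit helper: (1-based line number, trigraph) for every trigraph found.
    A reviewer should inspect each hit before building with -trigraphs."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        hits.extend((line_no, m.group(0)) for m in TRIGRAPH_RE.finditer(line))
    return hits


# Constructed sample (not from the course): the "??/" ending the comment becomes
# a backslash in phase 1, so phase 2 splices the password check into the comment.
SAMPLE = (
    "int ok = 0;  // set below ??/\n"
    "if (check_password(pw)) ok = 1;\n"
    "return ok;\n"
)

if __name__ == "__main__":
    print(find_trigraphs(SAMPLE))   # [(1, '??/')]
    print(phases_1_and_2(SAMPLE))   # the check is now part of the comment
```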
Format Strings
Unwanted Redirect (1pt):
- Can you redirect to a certain location using a format string such that it reveals the flag?
Integer
Matrix Multiplier (1pt):
- Can you beat the matrix multiplication challenge?
Buffer Overflows
Custom ROP chain (1pt):
- Exploit this custom challenge and demonstrate that you understood how ROP in 64-bit works 🙂
Lsystem (1pt):
- Formal grammar is always fun. Can you spot a problem in our implementation which leads to code execution?
Heap
Dear Diary (1pt):
- The NSA told me that there is again some type of heap corruption. Can you find it?
Bonus
Abra Kadabra Alakazam (2pt):
- Marcel is a fan of implementing crypto algorithms, however, he might have made a mistake.
Wats Up (1pt):
- Web Assembly is better than JS as we can run C compiled code in the browser. However, we lost the source code and don’t know how to decrypt our data. Can you reverse-engineer the WASM file and demonstrate how the sophisticated encryption algorithm works?
Hacklets: Oral Exam
- You have to defend your points during the oral exam at the end of the semester, which is mandatory.
- During the oral exam, you have to explain for the solved hacklets:
- Problem statement: Where is the vulnerability? What is the problem? Why is this dangerous?…
- Exploit: How does your exploit work? Which security mechanisms did you bypass and how?…
- Mitigation: (only if the source code is available, i.e. no reverse-engineering hacklets): How would you fix the vulnerability in the source code? Which other defenses would work/would not work and why?…