TDDE61 Ethical hacking

Labs

Overview

The labs are composed of a number of flags (exact number still to be determined, but at least 12) that each give a number of points. The sum of points for all flags is 100. If you struggle to capture a flag, you can get hints which will reduce the number of points you get for that flag. To pass the course, you need to complete all flags and get at least 20 points. Labs are done in pairs.

The lab series in this course corresponds to 4.5 credits which on average corresponds to 120h of work.

Signup

To sign up to the labs you should register for one of the three lab groups (A-C) in Webreg. Deadline to sign up is 2024-02-01.

Assignments

For each flag you need to do three things:

  1. Find the flag and submit it in Lisam
  2. Prepare a short writeup of how you got the flag and submit it in Lisam
  3. Demonstrate your flag capture to your lab assistant

Flag submission

Flags are submitted in Lisam. The submission opportunities will become available when the course starts. Flags are unique for each pair of students, so you cannot copy another student's flag and submit it. The time when you submit the flag will decide the number of points you get for capturing the flag. The flag should be provided in the comment field.

Flag writeup

For each flag you capture, you should also produce a 1-page writeup of how you acquired the flag. The writeup should be submitted no later than one week after submitting the flag. There is a separate submission opportunity for the writeups.

Flag demonstration

To verify that you have done the work yourselves and that both students in a pair have the necessary understanding of the process, you also need to demonstrate the flags to the lab assistant. Due to the relatively high number of flags, you will not need to go through every flag each time. Instead, you should demonstrate a batch of at least 3 and at most 6 flags at a time. The lab assistant will select some parts of the flags and ask you to explain what you did.

Lab setup

You are free to use any tools and system you like to perform the labs. However, you will most probably need to use a number of tools that are most easily available on a Linux system. The most convenient option that we recommend is that you install Kali Linux as a virtual machine on your system. This has two benefits. Kali Linux offers a wide range of penetration testing tools out of the box, and you can install new tools without having to worry about them cluttering up your regular setup.

To install Kali Linux as a virtual machine you should carry out these steps:

  1. Download and install Virtualbox
  2. Grab a copy of the Kali Linux Virtualbox Image
  3. Open Virtualbox and select "Machine" -> "Add"
  4. Choose the .vbox file from the unzipped folder and select "Open"
  5. Start the VM and use the default username and password both being "kali"

If you have a Mac with Apple silicon (M1 or M2 chips), you can run Kali on UTM (an alternative to VirtualBox) by following this guide, or this guide. Additionally, Kali does provide their own instructions on how to set it up. If you have issues with a black screen on start, this video shows a fix.

Instructions on how to the lab environment will be given after completing the mandatory exam on laws and regulation (DAT1).

Flag topics

There are 12 flags with a total of 100 possible points. The topics and learning goals of each flag are provided in the table below.

| Number | Topic | Points | Learning outcomes |
|---|---|---|---|
| 1 | Tutorial flag | 4 | Perform reconnaissance and discovery to plan operations; access credentials, such as account names, passwords and access tokens; collect and exfiltrate data from computing environments |
| 2 | Web crawling | 6 | Perform reconnaissance and discovery to plan operations |
| 3 | Database hacking | 9 | Execute malicious code on remote devices; collect and exfiltrate data from computing environments |
| 4 | Password cracking | 4 | Perform reconnaissance and discovery to plan operations; access credentials, such as account names, passwords and access tokens |
| 5 | Security by obscurity | 8 | Perform reconnaissance and discovery to plan operations; access credentials, such as account names, passwords and access tokens; achieve initial access to networks and systems |
| 6 | Remote exploitation | 9 | Perform reconnaissance and discovery to plan operations; achieve initial access to networks and systems; execute malicious code on remote devices; establish command and control capabilities to communicate with compromised systems; persist on networks by maintaining access across interruptions; move laterally, pivoting through the computing environment |
| 7 | Command and control | 8 | Execute malicious code on remote devices; achieve initial access to networks and systems; establish command and control capabilities to communicate with compromised systems |
| 8 | Lateral movement | 10 | Perform reconnaissance and discovery to plan operations; access credentials, such as account names, passwords and access tokens; achieve initial access to networks and systems; execute malicious code on remote devices; establish command and control capabilities to communicate with compromised systems; move laterally, pivoting through the computing environment; collect and exfiltrate data from computing environments |
| 9 | Privilege escalation | 10 | Collect and exfiltrate data from computing environments; execute malicious code on remote devices |
| 10 | Privilege escalation 2 | 10 | Execute malicious code on remote devices; establish command and control capabilities to communicate with compromised systems; elevate privileges on systems to gain higher-level permissions; collect and exfiltrate data from computing environments |
| 11 | Traffic sniffing | 8 | Perform reconnaissance and discovery to plan operations; collect and exfiltrate data from computing environments |
| 12 | Client-side attacks | 14 | Establish resources to support offensive security operations; achieve initial access to networks and systems; execute malicious code on remote devices; establish command and control capabilities to communicate with compromised systems; persist on networks by maintaining access across interruptions; move laterally, pivoting through the computing environment |

Flag dependencies

Hints points and dates

Note: these dates are still tentative for VT2, and will be finalized before VT2 start. Announcements might also be delayed later during the course (e.g., due to issues with the infrastructure).

| Flag number | Hint | Time of announcement | Point deduction |
|---|---|---|---|
| 2 | 1 | 2024-02-14, 17:00 | 2 |
| 2 | 2 | 2024-02-20, 17:00 | 2 |
| 3 | 1 | 2024-02-20, 17:00 | 2 |
| 3 | 2 | 2024-02-23, 17:40 | 4 |
| 4 | 1 | 2024-02-23, 17:40 | 2 |
| 5 | 1 | 2024-03-06, 10:40 | 1 |
| 5 | 2 | 2024-03-08, 17:00 | 5 |
| 6 | 1 | 2024-03-08, 17:00 | 1 |
| 6 | 2 | 2024-03-15, 17:00 | 2 |
| 6 | 3 | 2024-03-25, 22:30 | 3 |
| 7 | 1 | 2024-04-05, 17:00 | 3 |
| 7 | 2 | 2024-04-12, 17:00 | 3 |
| 8 | 1 | 2024-04-12, 17:00 | 1 |
| 8 | 2 | 2024-04-19, 17:00 | 3 |
| 8 | 3 | 2024-04-26, 17:00 | 4 |
| 9 | 1 | 2024-04-12, 17:00 | 1 |
| 9 | 2 | 2024-04-19, 17:00 | 3 |
| 9 | 3 | 2024-04-26, 17:00 | 4 |
| 10 | 1 | 2024-04-24, 14:00 | 1 |
| 10 | 2 | 2024-04-26, 17:00 | 2 |
| 10 | 3 | 2024-05-03, 17:00 | 5 |
| 11 | 1 | 2024-04-24, 14:00 | 2 |
| 11 | 2 | 2024-04-26, 17:00 | 4 |
| 12 | 1 | 2024-04-26, 17:00 | 1 |
| 12 | 2 | 2024-05-03, 17:00 | 2 |
| 12 | 3 | 2024-05-10, 17:00 | 3 |
| 12 | 4 | 2024-05-17, 17:00 | 6 |

Point policy for misconfigured flags

We encourage creativity and out-of-the-box thinking. In many cases there are several ways of finding a flag, which is similar to real life and just how we like it. However, if you find a flag with a method which is substantially easier than the original design, the following policy will be applied. Submitting the flag and informing us about the issue will reward you a number of points which is less than the full points for the flag (exact amount will be decided based on the particular case). We will then try to patch the issue, allowing you to again find the flag in the intended manner. When you then again report the flag, you will receive full points for the flag so that the total points you receive is higher than the original number of points for the flag.


Page responsible: Mikael Asplund
Last updated: 2024-04-24