Lab Instructions


In each lab (every week), you are asked to solve a set of challenges (typically 10 challenges except for the first two weeks). In each challenge, you have to submit three things, namely, a flag, the exploit, and its write-up via scoreboard: the flag you got from the challenge, the exploit that you wrote, and the write-up that summarizes how you formulated the exploit (see below).

A flag is an ASCII string that matches with a regular expression of cs519{[^}]+}, and you can find it either in the challenge program or in the challenge directory (usually as a ‘flag’ file). Your job is to read this flag by exploiting the distributed challenges.

Taking actions #1 (Registration)

  1. Register your account
  • Visit the submission site: here. You will use the registration menu.
  1. You need to register your SSH public key to our web scoring system. Please register yourself at, go to the ‘Account’ page (see the top bar in the website), and do the following steps to register a server account:
# In case if you already have your ssh key
[host] $ cat ~/.ssh/authorized_keys
# -> copy and paste the key, use this key to register your server account.

# In Linux (Ubuntu)
[host] $ sudo apt-get install openssh-client

# For both Linux and MacOS
[host] $ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.

# select your key location
Enter file in which to save the key (/home/YOUR_ID/.ssh/id_ecdsa):
=> type YOUR_LOCATION or use the default path
(you can omit this if you want to store that in a default ~/.ssh location).

# type password (you can use an empty one, if you wish)
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

# check your key location
Your identification has been saved in YOUR_LOCATION.
Your public key has been saved in YOUR_LOCATION.

# After key generation
[host] $ cat YOUR_LOCATION
# -> copy and paste the key, use this key to register your server account

# an example of a public key
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9miTiqHiZOBLiDXtSQ2s3Pxa/VEUOHUpLlQzXpo6Mx0r122m3eaC+eXEdgEVvTRDuHjgb66WbSXhSGCQpMUV4ypGlJfcD/wEhUIrjgTttYHWfCXZKCySbGAM4xSlweQfskQ/sDOfiVftsKuiCnFHGjCubs5U2Q/NEmGW2o1qiPExKyM6EkfFa9QbW7gDxgwNTpArU5Nx62+h0pWeMHIhcOD/r3+p+6t6evZD5eUzlEn1OGEgeDhCbXFGUeyT5nfHuobumVkgulrhGwcTujE0TXwz7ml/Y2HKfOf/3fM3djELutPlyYUocsznbL8cmTG+Hfm9xrt2/UfLKQ/dnxRV1w==

Do not forget where you store your private key and the passphrase for it. Please register your server account.

  1. Connect to the course server
# make sure you are on the campus network.
# otherwise, please use OSU VPN

# login to the course server
# Replate YOURID to the username that you send to us in the e-mail message above...
[host] $ ssh

# let's start week1!
[CTF_server] $ cd /home/labs/
[CTF server] $ cd week1
[CTF server] $ cd level0
[CTF server] $ ./level0
  1. Submit your solution and flag
# Submit Flag
  1) Visit the scoring website

  2) Choose the challenge name from the correct week-X set

  3) Submit the flag!

# Submit Writeup
  (will be announced later)

# NOTE. you don't get a score until you submit writeup
# NOTE. you can also submit your flag and writeup through the class website

Write-up sample

In this problem, ebp and ret value are protected by gsstack. while
debugging, you can see all ebp and ret values are keep tracking and
storing somewhere. However, when you make an input large enough, you
will see that a function pointer will be overwritten. And the
overwritten value will be store in EAX and make it jump at
<main+96>. I put my shellcode as env, get the address, and put it. In
my case, the function pointer(0x08048b0a at 0xbffff654) was
overwritten. So we could learn, we could jump using the weakpoint even
though the stackshiled is working on.

  $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')