CS 370 :: Spring 2023 :: Introduction to Security


In each class topic, You will be asked to solve a set of challenges (typically 1-10). In each challenge, you are required to submit a flag and a write-up: the flag you got from solving the challenge and the write-up summarizing how you got the flag (see examples below). The flag is an ASCII string that matches with a regular expression of cs370{[^}]+}, and you can get it either in the challenge program or in the challenge directory (usually as a flag file). Your job is to read this flag by following the instructions of the challenge. For example, some cryptography challenges require you to break a weak cryptography scheme and read the plaintext data even without knowing the key, and that plaintext data would be the flag. Otherwise, you need to understand how the challenge program works and then fool the program to read-out the flag for you. Most flags are stored (in-)securely as flag files.


Action Item #1: Register Your (Submission) Account

Go to the submission website (link here). You can create your account from the login menu. Please (must) use @oregonstate.edu email address; otherwise, you're not able to register to the scoring system.

Action Item #2: Verify Your (Submission) Account

Please check Junk/Spam folder if you cannot get the e-mail message from the submission server. The title of the confirmation message is: Successfully registered for CS370 Micro-labs, and it will be coming from the email address sanghyun@secure-ai.systems.

Action Item #3: Connect to the "Solve" Server

The "Solve" server is where you will solve the challenges to get flags. Please follow the instructions below to login. Note: I created accounts based on the enrollment on the second day of this term. Contact me asap if you cannot log in with the default password.

# ssh to the "solve" server
[your machine] $ ssh (your-ONID)@solve.secure-ai.systems
# the default password can be found on Canvas announcement!

# once you login, you can find the flag for the second challenge in Week 0
# ...
# Welcome to Introduction to Security Micro-labs
# - Flag: (your flag will be here)
# ...

# setup ssh-key login
# create a ssh-key pair at your machine (laptop, pc, etc...)
[your machine] $ ssh-keygen -t ed25519 -C "(your-ONID)@oregonstate.edu"
# set the store location to (your-home-dir)/.ssh/(your-keyname)

# add your public key to the "solve" server
[your machine] $ cat ~/.ssh/(your-keyname).pub
[solve server] $ vim ~/.ssh/authorized_keys
[solve server] Copy and paste the output of "cat ~/.ssh/(your-keyname).pub" to "~/.ssh/authorized_keys"
[solve server] Save the "~/.ssh/authorized_keys"

# logout from the "solve" server and use the ssh-key based login
[solve server] $ exit
[your machine] $ ssh -i (your-home-dir)/.ssh/(your-keyname) (your-ONID)@solve.secure-ai.systems
# (If the setup was successful) this command won't ask you password
Action Item #4: Submit Your Solution and Flag

# Submit Flag
1) Visit the scoring website

2) Choose the challenge name from the correct challenge set

3) Submit the flag!
# Submit Writeup to Canvas
# You can go to the assignment tab and submit your write-up as a txt file
# You will submit a single file containing all the solutions for that topic

# NOTE. you don't get an actual score until you submit writeup

Write-up sample

This assignment demonstrates a weakness of the Electronic Code Book (ECB)
mode of the block cipher. Although the cryptographic scheme, the Advanced
Encryption Standard (AES) encrypted the bitmap data correctly, in the ECB
mode, the same plaintext data block will be encrypted as the fixed
ciphertext, and thereby, we can identify the patterns of plaintext for
the same blocks in the ciphertext. As a result, even though the bitmap
data were encrypted, we can read the hidden text in the plaintext picture
because ciphertext block pattern leaks the plaintext block patterns.