Commit 884f0ab8 authored by Niklas Johansson
update 2019 new procedure for accounts

parent 3c8f3588
...@@ -60,38 +60,16 @@ maxbibnames=10 ...@@ -60,38 +60,16 @@ maxbibnames=10
\begin{document} \begin{document}
\date{\today} \date{\today}
\author{Jonathan Jogenfors\\ \author{Jonathan Jogenfors\\Niklas Johansson\\ Guilherme Xavier\\
%\href{mailto:jonathan.jogenfors@liu.se}{\texttt{\small{jonathan.jogenfors@liu.se}}}\\ %\href{mailto:jonathan.jogenfors@liu.se}{\texttt{\small{jonathan.jogenfors@liu.se}}}\\
\small{Information Coding Group}\\\small{Department of Electrical \small{Information Coding Group}\\\small{Department of Electrical
Engineering, Linköping University} Engineering, Linköping University}
} }
\title{LiU TopDog Challenge 2018\\~\\ \large{TSIT01, TSIT02 \title{LiU TopDog Hacking Challenge \\~\\ \large{TSIT01, TSIT02
Computer Security\\ Linköping University}} Computer Security\\ Linköping University}}
\maketitle \maketitle
\section*{About this document}
This lab memo is intended for the computer security courses \texttt{TSIT01} and
\texttt{TSIT02} for Master-level students at Linköping University.
\section*{Changelog}
\begin{description}
\item[2017] Revised for the 2017 course.
\item[2016] Initial version.
\end{description}
\section*{Acknowledgements}
This lab owes its existence to Anders Märak Leffler who brought this software to
my attention back in 2015. I also want to thank the OWASP Foundation and the
OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT
department who was willing to set up and support a web application server that,
contrary to all common sense and in violation of
probably a dozen IT policies, contains all kinds of web vulnerabilities. Also
thanks to Niklas Johansson for helping me get all the lab details straight and,
of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is
probably going to be a very interesting lab course.
\bigskip
\noindent
Linköping, November 2016\\
\emph{Jonathan Jogenfors}
\tableofcontents \tableofcontents
\chapter{Introduction} \chapter{Introduction}
Have you ever taken a computer security course and wanted to learn more? Tired Have you ever taken a computer security course and wanted to learn more? Tired
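Review bot: with the year dropped from the title and the Changelog moved out of the front matter, the only date left at the top of the compiled PM is `\date{\today}`, which changes on every build, so students who are told to "check regularly if we updated the PM" have no stable way to tell one revision from another; a fixed `\date{...}` or a revision line matching the latest Changelog entry would fix that. The commented `%\href{mailto:jonathan.jogenfors@liu.se}` line now sits under a three-author block and can be dropped, since the lab e-mail is given in the Contact information section.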
...@@ -103,7 +81,7 @@ with the goal of breaking into them and/or make the application perform tasks ...@@ -103,7 +81,7 @@ with the goal of breaking into them and/or make the application perform tasks
that it was not designed for. that it was not designed for.
\section{Overview} \section{Overview}
In the LiU TopDog 2017 challenge you will practice In the LiU TopDog Hacking Challenge you will practice
penetration testing. Using a set of increasingly difficult assignments, you will penetration testing. Using a set of increasingly difficult assignments, you will
gradually learn the basics of how an adversary might exploit badly designed gradually learn the basics of how an adversary might exploit badly designed
applications and security systems. The goal is to give you the basics in applications and security systems. The goal is to give you the basics in
...@@ -111,45 +89,39 @@ practical security work and understand some common pitfalls when developing web ...@@ -111,45 +89,39 @@ practical security work and understand some common pitfalls when developing web
applications. After the lab you should be well-equipped to avoid these security applications. After the lab you should be well-equipped to avoid these security
issues whenever you develop your own web application. issues whenever you develop your own web application.
\section{Lab organization} \section{Lab organization}\label{sec:lab_organization}
This lab will run for the entire duration of the course, from the start of the This lab will run from the starting date to the end of the exam period. The lab system is
lab to the end of the exam period. The lab system is
publicly available and you can work on the assignments in your own time on the publicly available and you can work on the assignments in your own time on the
lab computers or your personal laptops. The progress will be stored on the lab computers or your personal laptops. The progress will be stored on the
server so you can come back at any time. server so you can come back at any time.
There are scheduled sessions, but the idea is that you try to solve as much as There are scheduled sessions where the assistant will be available at his or her
possible on your own and if you get stuck you can book yourself up for a office to provide assistance. Plan carefully, because time will be limited for
sessions. In other words you should think of theses session as time-slots where each student. Assistance will be provided at a first come, first served basis.
the assistant is available for questions, and not as sessions where you go and Think drop-in, so no booking is required.
perform the lab from start to finish. In order to
get the most out of these coaching sessions, make sure you prepare well for the For other questions please see \cref{sec:contact}.
sessions. The coaching session will be attended by a large number of students,
so the lab assistant won't be able to spend too much time giving individual \section{Deadlines}\label{sec:deadline}
help. Instead, prepare some questions that you bring, for instance if you are The lab must be finished before the end
stuck in a module and need a hint. You register for the coaching session in of the exam period. Shortly after, the TopDog server will be shut down, so you
Lisam. can't do the lab after this date. If you don't complete the assignments before
The coaching sessions are not compulsory! the deadline, you will have to do the lab next year.
\section{Deadline}\label{sec:deadline} Winner of the competition
The lab server opens up for registration on November 14th at 15:00. The lab must will be the leader of the scoreboard by 5 pm the day before the (first) guest lecture (the scoreboard will lock at this point).
be finished before the end of the exam period. Shortly after, the TopDog server
will be shut down, so you can't do the lab after this date. If you don't
complete the assignments before the deadline, you will have to do the lab next
year. Winner of the competition will be the leader of the scoreboard by 10 am the day of the guest lecture (December 12).
\section{Disciplinary stuff} \section{Disciplinary stuff}
You are expected to do the lab in your own in groups of two. Co-operation You are expected to do the lab in your own.
between groups is allowed, but remember that pentesting is best learned when you Co-operation is allowed and encouraged. You are expected to understand and
try it for yourselves. You are not allowed to copy answers from other groups, and you follow the university-wide rules for disciplinary matters, as for any other
are expected to understand and follow the university-wide rules for disciplinary examination you are not allowed to cheat.
matters. As for any other examination you are not allowed to cheat.
\section{Ethics} \section{Ethics}
This lab and what you learn is for educational purposes only. Do not attempt to This lab and what you learn is for educational purposes only. Do not attempt to
use these techniques without authorization. If you are caught engaging in use these techniques without authorization. If you are caught engaging in
unauthorized hacking, most companies will take legal action. Claiming that you unauthorized hacking, most companies will take legal action. \textbf{Claiming that you
were doing security research will not protect you. were doing security research will not protect you.}
\section{Contact information}\label{sec:contact} \section{Contact information}\label{sec:contact}
To get in touch with the lab assistant, please send e-mail to the e-mail address To get in touch with the lab assistant, please send e-mail to the e-mail address
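Review bot: typo in the rewritten Disciplinary stuff paragraph: "do the lab in your own" should read "do the lab on your own", and the sentence that follows is a comma splice; split it as "... rules for disciplinary matters. As for any other examination, you are not allowed to cheat." In Lab organization the old concrete opening date for the server was removed and replaced by "from the starting date", which is never defined in the file, while the renamed Deadlines section only gives the closing deadline and the scoreboard lock time; either define the starting date here or say where students can find it (Lisam or the course homepage, both of which the PM already points to).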
...@@ -169,66 +141,65 @@ latest version of this document, so be sure to check it out regularly. ...@@ -169,66 +141,65 @@ latest version of this document, so be sure to check it out regularly.
\end{description} \end{description}
\chapter{Preparing for the lab} \chapter{Preparing for the lab}
Begin by reading through the entire lab PM. Remember to regularly check the \textbf{Begin by reading through the entire lab PM}. Remember to regularly check the
course homepage to see if we updated the PM, as we continuously improve the lab. course homepage to see if we updated the PM, as we continuously improve the lab.
%
%\section{Lab group}
%First, you need to find a partner to work with. All students are expected to
%work in groups of two. If this is not possible, please contact the lab
%assistant. When you have somebody to work with you will need to choose a
%username and password to use on the TopDog server. Each group of two
%will have an account, so you will need to choose a username and password for the
%group. Please note the following:
%\begin{enumerate}
% \item Your username (not password) is public and will be shown to to the
% entire university on the scoreboard (which is shown on monitors around
% the campus).
% \item We reserve the right to ban stupid and/or offensive usernames for any
% reason.
% \item Both of you will have the password, so choose a password you don't use
% anywhere else.
% \item The password storage in TopDog is hashed and salted, however do not
% use a password that you care about.
%\end{enumerate}
%Tip: Generate a random password
%and write it down on a note in your wallet, or use a password manager!
\section{User accounts}\label{sec:register}
If you are register to the course, you will automatically have an account. If you are not registered, you need to contact a \href{https://www.lith.liu.se/studievagledning?l=en\&sc=true}{study chancellor}.
\section{Lab group}
First, you need to find a partner to work with. All students are expected to
work in groups of two. If this is not possible, please contact the lab
assistant. When you have somebody to work with you will need to choose a
username and password to use on the TopDog server. Each group of two
will have an account, so you will need to choose a username and password for the
group. Please note the following:
\begin{enumerate}
\item Your username (not password) is public and will be shown to to the
entire university on the scoreboard (which is shown on monitors around
the campus).
\item We reserve the right to ban stupid and/or offensive usernames for any
reason.
\item Both of you will have the password, so choose a password you don't use
anywhere else.
\item The password storage in TopDog is hashed and salted, however do not
use a password that you care about.
\end{enumerate}
Tip: Generate a random password
and write it down on a note in your wallet, or use a password manager!
\section{User account registration}\label{sec:register}
Now go to Now go to
\href{http://snickerboa.it.liu.se/register.jsp}{http://snickerboa.it.liu.se/register.jsp} and \href{http://snickerboa.it.liu.se}{http://snickerboa.it.liu.se} and click on "login via SAML" and login with your LiU-id. If you don't wish your LiU-id to show on the scoreboard, you can change to a name of your choosing (at first login, if you want to change it again you need to contact us). However, we reserve the right to ban stupid and/or offensive user names for any reason.
register an account, see \cref{fig:login}. Note that the registration link is %register an account, see \cref{fig:login}. Note that the registration link is
hidden and must be typed just like that. The registration screen is shown in %hidden and must be typed just like that. The registration screen is shown in
\cref{fig:register}. Note that registration requires you to type in the correct %\cref{fig:register}. Note that registration requires you to type in the correct
\texttt{passcode}, which is found in Lisam. The passcode is to discourage people %\texttt{passcode}, which is found in Lisam. The passcode is to discourage people
outside the course to do the lab and appear on the scoreboard. Please do not %outside the course to do the lab and appear on the scoreboard. Please do not
share the passcode. %share the passcode.
\begin{figure} %\begin{figure}
\centering % \centering
\includegraphics[width=.9\linewidth]{register.png} % \includegraphics[width=.9\linewidth]{register.png}
\caption{The TopDog registration page.\label{fig:register}} % \caption{The TopDog registration page.\label{fig:register}}
\end{figure} %\end{figure}
%
Next, return to the login screen and login with your credentials. If you %Next, return to the login screen and login with your credentials. If you
succeeded, you will be greeted with \enquote{Let's get %succeeded, you will be greeted with \enquote{Let's get
started!}. This means you logged in. If the login fails, please double-check the %started!}. This means you logged in. If the login fails, please double-check the
login username and password before contacting us (see \cref{sec:contact}). %login username and password before contacting us (see \cref{sec:contact}).
%
\begin{figure} %\begin{figure}
\centering % \centering
\includegraphics[width=.9\linewidth]{login.png} % \includegraphics[width=.9\linewidth]{login.png}
\caption{The TopDog login page.\label{fig:login}} % \caption{The TopDog login page.\label{fig:login}}
\end{figure} %\end{figure}
\chapter{Performing the Lab} \chapter{Performing the Lab}
TopDog contains a number of modules that cover different topics in TopDog contains a number of modules that cover different topics in
web pentesting. It also offers a number of lessons that give a gentle web pentesting.
introduction to the topic on hand.
\section{Assignments}\label{sec:assignments} \section{Assignments}\label{sec:assignments}
In order to pass the lab, you are required to finish all 21 assignments. In In order to pass the lab, you are required to finish all 21 assignments (see \cref{sec:list_of_ass}). In
order to prepare yourself for the assignments, there are also lessons which give order to prepare yourself for the assignments, there are also lessons which give
a gentle introduction to the topic at hand. You can solve the assignments in any a gentle introduction to the topic at hand. You can solve the assignments in any
order you want. order you want.
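Review bot: grammar and wording in the new User accounts section: "If you are register to the course" should be "If you are registered for the course", and "study chancellor" looks like a mistranslation of studievägledning; "study counsellor" (or "study advisor") matches the linked page. In the registration paragraph, "login via SAML" uses plain double quotes while the rest of the document uses \enquote{} (csquotes), so use \enquote{login via SAML}. Letting students replace the LiU-id with a chosen display name is the right call given the scoreboard is shown publicly on monitors. The large commented-out Lab group block and the commented registration and login figures (with the fig:register and fig:login labels) are dead text now that accounts are tied to the LiU-id; git keeps the history, so deleting them is cleaner than carrying them as comments.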
...@@ -256,20 +227,6 @@ like the following: ...@@ -256,20 +227,6 @@ like the following:
Whenever you receive a result key, paste it to the \enquote{Submit Result Key Whenever you receive a result key, paste it to the \enquote{Submit Result Key
Here} box on the top of the screen. Here} box on the top of the screen.
\section{Finishing the lab}
You are done with the lab when you have finished the 21 required assignments.
When this is done, make sure you have signed the lab attendance list (available
at the coaching sessions) and then send an email to the
\textbf{Lab E-mail} (see \cref{sec:contact}) with the following information:
\begin{itemize}
\item \textbf{Subject} should be you \textbf{account} name at Snickerboa.
\item \textbf{LiU-id} for the both of you.
\item And your \textbf{Personal number}.
\end{itemize} and we will then check that you
have done everything required of you. If you have passed we will reply with an
OK. Check \cref{sec:deadline} for information on when the deadline is. The
deadline is strict and the server will be taken offline afterwards!
\section{Best Practices} \section{Best Practices}
It is a good idea to keep notes of how you pass each challenge. While your It is a good idea to keep notes of how you pass each challenge. While your
progress on the server is backed up frequently we can never be too sure. Save progress on the server is backed up frequently we can never be too sure. Save
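Review bot: removing the Finishing the lab section leaves the document with no statement of how completion is recorded. The old text had students sign an attendance list and e-mail their account name, LiU-ids and personal numbers; the new text says nothing. Since accounts are now tied to the LiU-id, add a sentence (in Assignments or Deadlines) saying that the assistant reads completion off the server and no e-mail is needed, or state what the student must still do, and say explicitly whether the attendance list is still required. No longer asking for personal numbers over e-mail is an improvement in itself; just make the replacement process explicit.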
...@@ -279,14 +236,13 @@ server failure. ...@@ -279,14 +236,13 @@ server failure.
\section{Scoreboard} \section{Scoreboard}
Whenever you finish a lesson, assignment, or challenge, it will show up on the Whenever you finish a lesson, assignment, or challenge, it will show up on the
LiU TopDog scoreboard. The scoreboard is public, and anybody can see the LiU TopDog scoreboard. The scoreboard is public, and anybody can see the
progress of the different groups. In addition, the scoreboard will be displayed progress of the participants. In addition, the scoreboard will be displayed
on monitors around the campus, so the whole University will see how well you are on monitors around café java.
doing.
The scoreboard is just for fun, and in order to pass you are only required to The scoreboard is just for fun, and in order to pass you are only required to
finish the assignments. If you have finished the assignments and want more finish the assignments. If you have finished the assignments and want more
points, you are welcome to try the challenges. Again: the scoreboard has nothing points, you are welcome to try the challenges. Again: the scoreboard has nothing
do do with your grade! See \cref{fig:scoreboard} for an example of what the do with your grade! See \cref{fig:scoreboard} for an example of what the
scoreboard looks like. For each completed lesson, assignment, or challenge you scoreboard looks like. For each completed lesson, assignment, or challenge you
will receive points, so the more challenges you finish, the more bragging rights will receive points, so the more challenges you finish, the more bragging rights
you have. Also, harder challenges give more points. you have. Also, harder challenges give more points.
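Review bot: "on monitors around café java" in the rewritten Scoreboard paragraph should use the proper name, Café Java. The "do do with" typo fix is good.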
...@@ -297,7 +253,7 @@ finish a given lesson or challenge in the form of medals. A gold medal is ...@@ -297,7 +253,7 @@ finish a given lesson or challenge in the form of medals. A gold medal is
awarded to a group who finishes a lesson or challenge nobody else has finished awarded to a group who finishes a lesson or challenge nobody else has finished
yet. A silver medal is given to the second one, and bronze to the third. In the yet. A silver medal is given to the second one, and bronze to the third. In the
scoreboard there will therefore be users with medals in addition to the normal scoreboard there will therefore be users with medals in addition to the normal
point score. These medals give extra points to the scoreboard! point score. These medals are not worth any points, but will be used as tiebreakers!
But remember, the scoreboard is just for fun. It has nothing to do with actually But remember, the scoreboard is just for fun. It has nothing to do with actually
passing the lab. passing the lab.
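Review bot: the unchanged context line "awarded to a group who finishes a lesson or challenge" no longer matches this commit, which removes lab groups and has every student log in with their own LiU-id; change "a group" to "a participant" (or "a user", which the following sentence already uses) so the medal rules agree with the new account model.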
...@@ -325,15 +281,13 @@ The following lessons are available: ...@@ -325,15 +281,13 @@ The following lessons are available:
\item[Unvalidated Redirects and Forwards] \item[Unvalidated Redirects and Forwards]
\end{description} \end{description}
\section{List of assignments} \section{List of assignments}\label{sec:list_of_ass}
Below are the required assignments (there are hidden hints!): Below are the required assignments (there are hidden hints!):
\begin{description} \begin{description}
\item[Session Management Challenge 1] \item[Session Management Challenge 1]
{\color{white}Try replacing \enquote{user} with {\color{white}Try replacing \enquote{user} with
\enquote{administrator}. But where?} \enquote{administrator}. But where?}
\item[Poor Data Validation 1] \item[Poor Data Validation 1]
{\color{white}The \enquote{troll} here means the third
image, i.e.\ a \enquote{trollface}. Google it if you are unsure.}
\item[Cross Site Scripting 1] \item[Cross Site Scripting 1]
\item[Session Management Challenge 2] \item[Session Management Challenge 2]
{\color{white}Try attacking the password reset.} {\color{white}Try attacking the password reset.}
...@@ -385,6 +339,10 @@ Below are the required assignments (there are hidden hints!): ...@@ -385,6 +339,10 @@ Below are the required assignments (there are hidden hints!):
\chapter{Frequently Asked Questions (FAQ)} \chapter{Frequently Asked Questions (FAQ)}
This section will be updated with frequently asked questions about the lab. This section will be updated with frequently asked questions about the lab.
\section{I'm stuck, what should I do?}
First make sure you have read through the whole lab PM. Second, consult and discuss with a friend (this is the best way of getting new ideas). Lastly, use the assistances drop-in time slot (see \cref{sec:lab_organization}).
\section{There is something wrong with the server!} \section{There is something wrong with the server!}
First check that your Internet connection is working and that your attack proxy First check that your Internet connection is working and that your attack proxy
isn't giving you problems. If the TopDog server is unavailable, or if there's some isn't giving you problems. If the TopDog server is unavailable, or if there's some
...@@ -397,10 +355,12 @@ If the server is still down and there's nothing on Lisam saying it's a planned ...@@ -397,10 +355,12 @@ If the server is still down and there's nothing on Lisam saying it's a planned
outage, the server might be down. Please send an e-mail to the lab assistant, outage, the server might be down. Please send an e-mail to the lab assistant,
see \cref{sec:contact}. see \cref{sec:contact}.
\section{How do I create a TopDog account?} %\section{How do I create a TopDog account?}
See \cref{sec:register}. %
%
%See \cref{sec:register}.
\section{How can I get bonus points for the exam?} \section{Can I get bonus points for the exam?}
The scoreboard and its points, bonus points, and medals is for fun only. They The scoreboard and its points, bonus points, and medals is for fun only. They
have absolutely nothing to do with passing the lab or with the examination of have absolutely nothing to do with passing the lab or with the examination of
the course. The lab assistant can see how many assignments you have finished, the course. The lab assistant can see how many assignments you have finished,
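Review bot: "use the assistances drop-in time slot" in the new FAQ entry should be "use the assistant's drop-in time slots". Rather than commenting out "How do I create a TopDog account?", keep the entry and let it point to \cref{sec:register}, which still exists and now describes the SAML login; students arriving at the FAQ with exactly that question are the ones the new procedure affects. In the answer under the renamed "Can I get bonus points for the exam?" heading, "The scoreboard and its points, bonus points, and medals is for fun only" needs "are"; it is unchanged context, but a cheap fix while touching the heading.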
...@@ -438,14 +398,36 @@ We constantly work on getting the lab and this document as good as possible. If ...@@ -438,14 +398,36 @@ We constantly work on getting the lab and this document as good as possible. If
you have a suggestion, don't hesitate to contact us (see \cref{sec:contact}). you have a suggestion, don't hesitate to contact us (see \cref{sec:contact}).
\section{I love computer security and I am looking for thesis work!} \section{I love computer security and I am looking for thesis work!}
Check out Jonathan's list of thesis Don't hesitate to contact us at the Information Coding Group\footnote{https://liu.se/en/organisation/liu/isy/icg}. Also, if you like crypto we
projects\footnote{http://people.isy.liu.se/icg/jonfo33/supervision/proposals.html}
or the list at the Information Coding
Group\footnote{http://www.icg.isy.liu.se/exjobb/}. Also, if you like crypto we
highly recommend the course TSIT03 highly recommend the course TSIT03
Cryptology\footnote{http://www.icg.isy.liu.se/courses/tsit03/} that is given in Cryptology\footnote{http://www.icg.isy.liu.se/courses/tsit03/} that is given in
HT1 every year. HT1 every year.
\section*{About this document}
This lab memo is intended for students of the computer security courses \texttt{TSIT01} and
\texttt{TSIT02} at Linköping University.
\section*{Changelog}
\begin{description}
\item[2019] Adaption to the new registration procedure.
\item[2017] Revised for the 2017 course.
\item[2016] Initial version.
\end{description}
\section*{Acknowledgements}
This lab owes its existence to Anders Märak Leffler who brought this software to
my attention back in 2015. I also want to thank the OWASP Foundation and the
OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT
department who was willing to set up and support a web application server that,
contrary to all common sense and in violation of
probably a dozen IT policies, contains all kinds of web vulnerabilities. Also
thanks to Niklas Johansson for helping me get all the lab details straight and,
of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is
probably going to be a very interesting lab course.
\bigskip
\noindent
Linköping, November 2016\\
\emph{Jonathan Jogenfors}
\appendix \appendix
\chapter{Tools}\label{sec:tools} \chapter{Tools}\label{sec:tools}
Penetration testing requires you to have a large and diverse toolbox. In this Penetration testing requires you to have a large and diverse toolbox. In this
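Review bot: "Adaption" in the new 2019 Changelog entry should be "Adaptation". The About this document, Changelog and Acknowledgements blocks have moved from before \tableofcontents to after the FAQ chapter but are still \section* commands, so in this \chapter-based document they will render as unnumbered sections at the end of the FAQ chapter and will not appear in the table of contents; use \chapter* (or move them back to the front matter) if they are meant to stand alone. The Acknowledgements still close with "Linköping, November 2016 / Jonathan Jogenfors" under a three-author title; either keep that as a dated foreword or add a 2019 line. For the new Information Coding Group footnote, \url{} (already used for the CTF list at the end of the file) would make the link clickable and consistent.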
...@@ -637,4 +619,6 @@ who finish first. ...@@ -637,4 +619,6 @@ who finish first.
If you found this lab course interesting and want more CTF challenges, check out If you found this lab course interesting and want more CTF challenges, check out
this list: \url{https://captf.com/practice-ctf/}. this list: \url{https://captf.com/practice-ctf/}.
\end{document} \end{document}