Commit e560ce03 authored by Jonathan Jogenfors's avatar Jonathan Jogenfors
Add gitignore

parent 8a865ac9
*.aux
*.log
*.toc
*.fdb_latexmk
*.synctex.gz
*.snm
*.vrb
*.nav
*.out
*.bbl
*.blg
*.bcf
*.fls
*.run.xml
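Review bot: `*.pdf` is deliberately not ignored here, and it must stay that way, because the new link elsewhere in this commit serves `TopDog.pdf` straight from `raw/master`; if anyone later adds `*.pdf` to this file the published PM silently stops updating. The latexmk artefacts (`*.fdb_latexmk`, `*.fls`, `*.synctex.gz`) and beamer leftovers (`*.snm`, `*.nav`, `*.vrb`) are covered, but `*.lof` and `*.lot` are not, so a list of figures or tables, should one ever be added, would end up committed.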
...@@ -53,10 +53,9 @@ ...@@ -53,10 +53,9 @@
\date{\today} \date{\today}
\author{Jonathan Jogenfors\\Niklas Johansson\\ Guilherme Xavier\\ \author{Jonathan Jogenfors\\Niklas Johansson\\ Guilherme Xavier\\
\small{Information Coding Group}\\\small{Department of Electrical \small{Information Coding Group}\\\small{Department of Electrical
Engineering, Linköping University} Engineering, Linköping University} }
} \title{TopDog Hacking Challenge: \\ A Good Offense is the Best Defense \\~\\
\title{TopDog Hacking Challenge: \\ A Good Offense is the Best Defense \\~\\ \large{TSIT01, TSIT02 \large{TSIT01, TSIT02 Computer Security}}
Computer Security}}
\maketitle \maketitle
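Review bot: `\small{Information Coding Group}` and `\large{TSIT01, TSIT02 Computer Security}` use font-size declarations as if they took an argument; `\small` and `\large` are switches, so the braces only group the text while the size change itself stays in force until the enclosing `\author` or `\title` argument ends. It renders correctly here only because nothing normal-sized follows the switch, so write `{\small Information Coding Group}` and `{\large TSIT01, TSIT02 Computer Security}` to make the scope explicit and robust to future edits. The closing `}` of `\author` moving onto the `Engineering, Linköping University} }` line keeps the brace pairing intact, which is the only structural change in the hunk.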
...@@ -114,13 +113,12 @@ cheat. ...@@ -114,13 +113,12 @@ cheat.
\section{Ethics} \section{Ethics}
This lab and what you learn is for educational purposes only. Do not attempt to This lab and what you learn is for educational purposes only. Do not attempt to
use these techniques without authorization. If you are caught engaging in use these techniques without authorization. If you are caught engaging in
unauthorized hacking, most companies will take legal action. \textbf{Claiming that you unauthorized hacking, most companies will take legal action. \textbf{Claiming
were doing security research will not protect you.} that you were doing security research will not protect you.}
\section{Contact Information}\label{sec:contact} \section{Contact Information}\label{sec:contact}
To get in touch with the lab assistant, please send e-mail to the e-mail address To get in touch with the lab assistant, please send e-mail to the address below
below corresponding to your course. The course homepage always contains the corresponding to your course.
latest version of this document, so be sure to check it out regularly.
\subsection{TSIT01 Datasäkerhetsmetoder} \subsection{TSIT01 Datasäkerhetsmetoder}
\begin{description} \begin{description}
...@@ -135,8 +133,10 @@ latest version of this document, so be sure to check it out regularly. ...@@ -135,8 +133,10 @@ latest version of this document, so be sure to check it out regularly.
\end{description} \end{description}
\chapter{Preparing for the lab} \chapter{Preparing for the lab}
\textbf{Begin by reading through the entire lab PM}. Remember to regularly check the Begin by reading through the entirety of these lab instructions. Also note that
course homepage to see if we updated the PM, as we continuously improve the lab. we are continuously improving these instructions, so be sure to
\href{https://gitlab.liu.se/topdog/ctf-lab-pm/raw/master/TopDog.pdf?inline=false}{regularly
check our gitlab repository for the latest version}.
\section{Logging In}\label{sec:register} \section{Logging In}\label{sec:register}
If you are registered for the course, you will automatically have an account. If If you are registered for the course, you will automatically have an account. If
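Review bot: the link text says "regularly check our gitlab repository for the latest version" but the `\href` target is the raw `TopDog.pdf` on `master` with `?inline=false`, i.e. a direct file download, not the repository page; either say that the link downloads the current PDF or point the visible text at the repository and keep the raw download as a footnote. Pinning to `master` also means the link breaks quietly if the default branch is ever renamed. Since this hunk replaces the removed sentence that named the course homepage as the authoritative copy, the course homepage should be updated in the same change so the two sources do not disagree about where the latest version lives.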
...@@ -145,14 +145,13 @@ you are not registered, you need to contact a ...@@ -145,14 +145,13 @@ you are not registered, you need to contact a
Note that course registration is compulsory for all examination, not just the Note that course registration is compulsory for all examination, not just the
lab! lab!
Now go to \href{http://snickerboa.it.liu.se}{http://snickerboa.it.liu.se} and Now go to \url{https://snickerboa.it.liu.se} and click on \enquote{Login via
click on \enquote{Login via SAML} and login with your LiU-id. In the next step SAML} and login with your LiU-id. In the next step you are free to choose how
you are free to choose how your name will be displayed on the scoreboard. The your name will be displayed on the scoreboard. The scoreboard is publicly
scoreboard is publicly available and is also displayed on screens around campus, available and is also displayed on screens around campus, so it can be a good
so it can be a good idea not to use your real name. Note that once this name is idea not to use your real name. Note that once this name is set you can not
set you can not change it again\footnote{If you really want to change it, please change it again\footnote{If you really want to change it, please contact us.}.
contact us.}. We reserve the right to ban stupid and/or offensive user names for We reserve the right to ban stupid and/or offensive user names for any reason.
any reason.
\chapter{Performing the Lab} \chapter{Performing the Lab}
The lab contains a number of modules that cover different topics in web The lab contains a number of modules that cover different topics in web
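Review bot: the `http://` to `https://` change on the snickerboa login link is the substantive fix in this hunk and the right one for a page that front-ends a LiU-id SAML login; the old link sent students through at least one plaintext hop before any redirect. Collapsing `\href{url}{url}` into `\url{url}` also removes the duplicated string that could drift apart on a later edit. The same host is still written as `\texttt{https://snickerboa.it.liu.se}` in the ZAP section of this document; the later hunk in this commit converts it to `\url`, so after the whole commit the two are consistent.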
...@@ -368,34 +367,35 @@ the opportunity to get coaching and ask questions about the lab. Also, you must ...@@ -368,34 +367,35 @@ the opportunity to get coaching and ask questions about the lab. Also, you must
sign the lab attendance list before finishing. This is important as we need to sign the lab attendance list before finishing. This is important as we need to
know who is who, otherwise anyone could pretend to be the scoreboard leader! know who is who, otherwise anyone could pretend to be the scoreboard leader!
\section{I finished the lab and want something more challenging!} \section{I Finished the Lab and Want Something More Challenging!}
Try your skills on the challenges! If this is still not enough, check out Try your skills on the challenges! If this is still not enough, check out
\cref{sec:ctf}! \cref{sec:ctf}!
\section{I don't get a result key, only \enquote{Key Should be here! Please \section{I Didn't Get a Result Key, Only \enquote{Key Should be here! Please
refresh the home page and try again! If that doesn't work, sign in and out refresh the home page and try again! If that doesn't work, sign in and out
again!}} again!}}
This is a bug that sometimes happens. We \emph{hope} that this issue has now This is a bug has happened in older versions. We \emph{hope} that this issue has now
been solved, but if it does happen, please contact us (\cref{sec:contact}) and been solved, but if it does happen, please contact us (\cref{sec:contact}) and
we'll help you. we'll help you.
\section{The result key in insecure crypto challenges isn't working!} \section{The Result Key in the Insecure Crypto Challenges Isn't Working!}
Make sure you check that you've got UPPERCASE/lowercase correctly. Some online Make sure you check that you've got UPPERCASE/lowercase correctly. Some online
calculators will mess this up. Also make sure it handles spaces correctly. calculators will mess this up. Also make sure it handles spaces correctly.
\section{In the Insecure Direct Object Reference Bank challenge, there's no \section{In the Insecure Direct Object Reference Bank Challenge, There's no
money left}\label{sec:faq-bank} Money Left}\label{sec:faq-bank}
It can happen that the total amount of money is too small to pass the lab. In It can happen that the total amount of money is too small to pass the lab. In
this case, contact us at \cref{sec:contact} and we'll fill up bank with some this case, contact us at \cref{sec:contact} and we'll fill up bank with some
more money to steal! more money to steal!
\section{I love computer security and I am looking for thesis work!} \section{I Love Computer Security and I Want To Learn More!}
Don't hesitate to contact us at the Information Coding We think so, too! Check out some of our other courses, for instance
Group\footnote{https://liu.se/en/organisation/liu/isy/icg}. Also, if you like \href{https://www.icg.isy.liu.se/courses/tsit03/}{TSIT03 Cryptology} that is
crypto we highly recommend the course TSIT03 given every first half of the fall semester. Also, check out the courses
Cryptology\footnote{http://www.icg.isy.liu.se/courses/tsit03/} that is given in \href{https://www.ida.liu.se/~TDDD17/}{TDDD17 Information Security, Second
HT1 every year. Course} and \href{https://www.ida.liu.se/~TDDC90/}{TDDC90 Software Security}
given at the Department of Computer Science. If you want more challenges, we've
added some information in \cref{sec:ctf}.
\appendix \appendix
\chapter{Tools}\label{sec:tools} \chapter{Tools}\label{sec:tools}
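Review bot: the rewritten FAQ answer introduces a grammar error: `This is a bug has happened in older versions.` should read `This is a bug that has happened in older versions.` or simply `This bug happened in older versions.` Two further nits in the same hunk: the new heading `I Love Computer Security and I Want To Learn More!` is now answered with `We think so, too!`, which no longer fits once the thesis-work wording is gone (`Great!` or `Good to hear!` reads naturally); and the context line `we'll fill up bank with some more money` is missing `the`. Replacing the bare-URL footnotes with `\href{...}{TSIT03 Cryptology}` and the two IDA course links is an improvement, and the TSIT03 URL is correctly upgraded from `http` to `https` in the process.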
...@@ -410,7 +410,7 @@ will be of use to you. ...@@ -410,7 +410,7 @@ will be of use to you.
The first step in most web attacks is usually to look at the source code. This The first step in most web attacks is usually to look at the source code. This
will show you the raw HTML/CSS/JavaScript that builds up the page. For a quick will show you the raw HTML/CSS/JavaScript that builds up the page. For a quick
reference on what the HTML tags do, check out the W3 HTML reference on what the HTML tags do, check out the W3 HTML
Reference\footnote{http://www.w3schools.com/tags/}. \Cref{fig:source} shows the Reference\footnote{\url{http://www.w3schools.com/tags/}}. \Cref{fig:source} shows the
source code of one of the modules. source code of one of the modules.
There are two main ways to view source code. The \enquote{traditional} way is to There are two main ways to view source code. The \enquote{traditional} way is to
...@@ -464,10 +464,11 @@ Windows, Linux and OSX and requires Java 7 or higher. ...@@ -464,10 +464,11 @@ Windows, Linux and OSX and requires Java 7 or higher.
\end{figure} \end{figure}
Installing ZAP is easy. If you don't have Java, the installer will help you Installing ZAP is easy. If you don't have Java, the installer will help you
download and install it. If you have any trouble, check the ZAP Quick Start download and install it. If you have any trouble, check the ZAP Quick Start
Guide\footnote{https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf} Guide\footnote{\url{https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf}}
or the ZAP Wiki\footnote{https://github.com/zaproxy/zaproxy/wiki/Introduction}. or the ZAP
Upon first startup, ZAP will ask you if you want to persist the session. It's Wiki\footnote{\url{https://github.com/zaproxy/zaproxy/wiki/Introduction}}. Upon
safe to say yes. After starting up, you will see the ZAP interface as shown in first startup, ZAP will ask you if you want to persist the session. It's safe to
say yes. After starting up, you will see the ZAP interface as shown in
\cref{fig:zap}. \cref{fig:zap}.
\begin{figure} \begin{figure}
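Review bot: `\url{https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf}` is pinned to one release asset and will go stale as ZAP moves on; for a PM revised every year, linking the releases or documentation landing page is more durable. On `It's safe to say yes` to persisting the session: a persisted ZAP session writes every intercepted request and response to a session database on disk, which in this lab includes the student's own SAML login traffic and the snickerboa session cookies, so on a shared lab machine the text should tell students to delete the session afterwards or choose not to persist it. Wrapping the two URLs in `\url` fixes the footnote line breaking, which is otherwise the point of the hunk.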
...@@ -494,9 +495,11 @@ as the proxy configuration for HTTP and HTTPS protocols. ...@@ -494,9 +495,11 @@ as the proxy configuration for HTTP and HTTPS protocols.
Settings).\label{fig:firefox-proxy}} Settings).\label{fig:firefox-proxy}}
\end{figure} \end{figure}
For instance, the configuration\footnote{http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox} for Firefox is shown in For instance, the
\cref{fig:firefox-proxy}. Instructions for configuring proxy settings for configuration\footnote{\url{http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox}}
Chrome can be found here: \url{https://support.google.com/chrome/answer/96815}. for Firefox is shown in \cref{fig:firefox-proxy}. Instructions for configuring
proxy settings for Chrome can be found here:
\url{https://support.google.com/chrome/answer/96815}.
\begin{figure} \begin{figure}
\centering \centering
\includegraphics[width=.6\linewidth]{maninthemiddle.png} \includegraphics[width=.6\linewidth]{maninthemiddle.png}
...@@ -514,7 +517,7 @@ certificate and add it as an exception to the attack browser. ...@@ -514,7 +517,7 @@ certificate and add it as an exception to the attack browser.
\subsection{Intercepting HTTP(S) Traffic With ZAP} %chktex 36 \subsection{Intercepting HTTP(S) Traffic With ZAP} %chktex 36
Now you can browse around in TopDog and see that the traffic appears Now you can browse around in TopDog and see that the traffic appears
in ZAP\@. In the left-hand pane you see \texttt{Sites}. Expand it and you see the in ZAP\@. In the left-hand pane you see \texttt{Sites}. Expand it and you see the
site \texttt{https://snickerboa.it.liu.se}. Inside, you see the different site \url{https://snickerboa.it.liu.se}. Inside, you see the different
requests (mainly \texttt{GET} and \texttt{POST}) that were made to the server. requests (mainly \texttt{GET} and \texttt{POST}) that were made to the server.
On the main pane (the window that says \enquote{Welcome to OWASP\ldots}) there On the main pane (the window that says \enquote{Welcome to OWASP\ldots}) there
...@@ -581,6 +584,10 @@ who finish first. ...@@ -581,6 +584,10 @@ who finish first.
If you found this lab course interesting and want more CTF challenges, check out If you found this lab course interesting and want more CTF challenges, check out
this list: \url{https://captf.com/practice-ctf/}. this list: \url{https://captf.com/practice-ctf/}.
There is also a team of LiU students called \href{https://liuhack.se/}{LiUHack}
who regularly participate in CTF challenges.
\chapter{About This Document} \chapter{About This Document}
This lab memo is intended for students of the computer security courses This lab memo is intended for students of the computer security courses
\texttt{TSIT01} and \texttt{TSIT02} at Linköping University. \texttt{TSIT01} and \texttt{TSIT02} at Linköping University.