Commit e560ce03 authored 5 years ago by Jonathan Jogenfors
Add gitignore
parent 8a865ac9
Showing 3 changed files with 62 additions and 41 deletions:
.gitignore: +14 −0 (14 additions, 0 deletions)
TopDog.pdf: +0 −0 (0 additions, 0 deletions)
TopDog.tex: +48 −41 (48 additions, 41 deletions)
.gitignore 0 → 100644 (+14 −0)
*.aux
*.log
*.toc
*.fdb_latexmk
*.synctex.gz
*.snm
*.vrb
*.nav
*.out
*.bbl
*.blg
*.bcf
*.fls
*.run.xml
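Review bot: the ignore list covers the latexmk, beamer (`*.snm`, `*.vrb`, `*.nav`) and biblatex (`*.bcf`, `*.run.xml`) build products, but not the built `TopDog.pdf`, which this same commit still tracks as a binary (it appears in the file summary with +0 −0). A committed build output drifts from `TopDog.tex` whenever someone forgets to rebuild before committing; either add `TopDog.pdf` here and publish the PDF from a CI job or a tagged release, or state in the README that the PDF must be regenerated with every change to the source.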
TopDog.pdf (+0 −0): No preview for this file type
TopDog.tex (+48 −41)
...
@@ -53,10 +53,9 @@
...
@@ -53,10 +53,9 @@
\date
{
\today
}
\date
{
\today
}
\author
{
Jonathan Jogenfors
\\
Niklas Johansson
\\
Guilherme Xavier
\\
\author
{
Jonathan Jogenfors
\\
Niklas Johansson
\\
Guilherme Xavier
\\
\small
{
Information Coding Group
}
\\\small
{
Department of Electrical
\small
{
Information Coding Group
}
\\\small
{
Department of Electrical
Engineering, Linköping University
}
Engineering, Linköping University
}
}
}
\title
{
TopDog Hacking Challenge:
\\
A Good Offense is the Best Defense
\\
~
\\
\title
{
TopDog Hacking Challenge:
\\
A Good Offense is the Best Defense
\\
~
\\
\large
{
TSIT01, TSIT02
\large
{
TSIT01, TSIT02 Computer Security
}}
Computer Security
}}
\maketitle
\maketitle
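Review bot: `\small{...}` and `\large{...}` inside the `\author` and `\title` arguments rely on the braces opening a group after a declaration rather than passing an argument; it compiles, but the conventional `{\small ...}` / `{\large ...}` form is clearer and makes the closing `}}` on the merged `TSIT01, TSIT02 Computer Security` line easier to match by eye. Since this hunk is only reflowing that line, it is a good moment to make the switch.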
...
@@ -114,13 +113,12 @@ cheat.
...
@@ -114,13 +113,12 @@ cheat.
\section
{
Ethics
}
\section
{
Ethics
}
This lab and what you learn is for educational purposes only. Do not attempt to
This lab and what you learn is for educational purposes only. Do not attempt to
use these techniques without authorization. If you are caught engaging in
use these techniques without authorization. If you are caught engaging in
unauthorized hacking, most companies will take legal action.
\textbf
{
Claiming
that you
unauthorized hacking, most companies will take legal action.
\textbf
{
Claiming
were doing security research will not protect you.
}
that you
were doing security research will not protect you.
}
\section
{
Contact Information
}
\label
{
sec:contact
}
\section
{
Contact Information
}
\label
{
sec:contact
}
To get in touch with the lab assistant, please send e-mail to the e-mail address
To get in touch with the lab assistant, please send e-mail to the address below
below corresponding to your course. The course homepage always contains the
corresponding to your course.
latest version of this document, so be sure to check it out regularly.
\subsection
{
TSIT01 Datasäkerhetsmetoder
}
\subsection
{
TSIT01 Datasäkerhetsmetoder
}
\begin{description}
\begin{description}
...
@@ -135,8 +133,10 @@ latest version of this document, so be sure to check it out regularly.
...
@@ -135,8 +133,10 @@ latest version of this document, so be sure to check it out regularly.
\end{description}
\end{description}
\chapter
{
Preparing for the lab
}
\chapter
{
Preparing for the lab
}
\textbf
{
Begin by reading through the entire lab PM
}
. Remember to regularly check the
Begin by reading through the entirety of these lab instructions. Also note that
course homepage to see if we updated the PM, as we continuously improve the lab.
we are continuously improving these instructions, so be sure to
\href
{
https://gitlab.liu.se/topdog/ctf-lab-pm/raw/master/TopDog.pdf?inline=false
}{
regularly
check our gitlab repository for the latest version
}
.
\section
{
Logging In
}
\label
{
sec:register
}
\section
{
Logging In
}
\label
{
sec:register
}
If you are registered for the course, you will automatically have an account. If
If you are registered for the course, you will automatically have an account. If
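Review bot: the new `\href` sends readers to the raw `TopDog.pdf` on `master` with `?inline=false`, so the link forces a download of whatever happens to be committed at that moment rather than a reviewed copy; if the PDF is meant to be the authoritative version, link a tagged release (or a CI-built artifact) instead, which also keeps the story consistent with adding a `.gitignore` for build products in this same commit. The `\textbf{...}` around the opening sentence only appears on the old side of the diff; if dropping the emphasis was not intended, restore it around `Begin by reading through the entirety of these lab instructions`.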
...
@@ -145,14 +145,13 @@ you are not registered, you need to contact a
...
@@ -145,14 +145,13 @@ you are not registered, you need to contact a
Note that course registration is compulsory for all examination, not just the
Note that course registration is compulsory for all examination, not just the
lab!
lab!
Now go to
\href
{
http://snickerboa.it.liu.se
}{
http://snickerboa.it.liu.se
}
and
Now go to
\url
{
https://snickerboa.it.liu.se
}
and click on
\enquote
{
Login via
click on
\enquote
{
Login via SAML
}
and login with your LiU-id. In the next step
SAML
}
and login with your LiU-id. In the next step you are free to choose how
you are free to choose how your name will be displayed on the scoreboard. The
your name will be displayed on the scoreboard. The scoreboard is publicly
scoreboard is publicly available and is also displayed on screens around campus,
available and is also displayed on screens around campus, so it can be a good
so it can be a good idea not to use your real name. Note that once this name is
idea not to use your real name. Note that once this name is set you can not
set you can not change it again
\footnote
{
If you really want to change it, please
change it again
\footnote
{
If you really want to change it, please contact us.
}
.
contact us.
}
. We reserve the right to ban stupid and/or offensive user names for
We reserve the right to ban stupid and/or offensive user names for any reason.
any reason.
\chapter
{
Performing the Lab
}
\chapter
{
Performing the Lab
}
The lab contains a number of modules that cover different topics in web
The lab contains a number of modules that cover different topics in web
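Review bot: the change from `\href{http://snickerboa.it.liu.se}{...}` to `\url{https://snickerboa.it.liu.se}` is the substantive part of this hunk and is the right call, since the very next step is a SAML login with the LiU-id and students should not be pointed at a plaintext entry point. The same host is referenced later in the ZAP section; make sure every remaining occurrence uses the `https` form so the `Sites` tree students see in ZAP matches the URL they were told to open.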
...
@@ -368,34 +367,35 @@ the opportunity to get coaching and ask questions about the lab. Also, you must
...
@@ -368,34 +367,35 @@ the opportunity to get coaching and ask questions about the lab. Also, you must
sign the lab attendance list before finishing. This is important as we need to
sign the lab attendance list before finishing. This is important as we need to
know who is who, otherwise anyone could pretend to be the scoreboard leader!
know who is who, otherwise anyone could pretend to be the scoreboard leader!
\section
{
I
f
inished the
l
ab and
w
ant
s
omething
m
ore
c
hallenging!
}
\section
{
I
F
inished the
L
ab and
W
ant
S
omething
M
ore
C
hallenging!
}
Try your skills on the challenges! If this is still not enough, check out
Try your skills on the challenges! If this is still not enough, check out
\cref
{
sec:ctf
}
!
\cref
{
sec:ctf
}
!
\section
{
I d
o
n't
g
et a
r
esult
k
ey,
o
nly
\enquote
{
Key Should be here! Please
\section
{
I
Di
dn't
G
et a
R
esult
K
ey,
O
nly
\enquote
{
Key Should be here! Please
refresh the home page and try again! If that doesn't work, sign in and out
refresh the home page and try again! If that doesn't work, sign in and out
again!
}}
again!
}}
This is a bug
t
ha
t sometimes happe
ns. We
\emph
{
hope
}
that this issue has now
This is a bug ha
s happened in older versio
ns. We
\emph
{
hope
}
that this issue has now
been solved, but if it does happen, please contact us (
\cref
{
sec:contact
}
) and
been solved, but if it does happen, please contact us (
\cref
{
sec:contact
}
) and
we'll help you.
we'll help you.
\section
{
The
r
esult
k
ey in
i
nsecure
c
rypto
c
hallenges
i
sn't
w
orking!
}
\section
{
The
R
esult
K
ey in
the I
nsecure
C
rypto
C
hallenges
I
sn't
W
orking!
}
Make sure you check that you've got UPPERCASE/lowercase correctly. Some online
Make sure you check that you've got UPPERCASE/lowercase correctly. Some online
calculators will mess this up. Also make sure it handles spaces correctly.
calculators will mess this up. Also make sure it handles spaces correctly.
\section
{
In the Insecure Direct Object Reference Bank
c
hallenge,
t
here's no
\section
{
In the Insecure Direct Object Reference Bank
C
hallenge,
T
here's no
m
oney
l
eft
}
\label
{
sec:faq-bank
}
M
oney
L
eft
}
\label
{
sec:faq-bank
}
It can happen that the total amount of money is too small to pass the lab. In
It can happen that the total amount of money is too small to pass the lab. In
this case, contact us at
\cref
{
sec:contact
}
and we'll fill up bank with some
this case, contact us at
\cref
{
sec:contact
}
and we'll fill up bank with some
more money to steal!
more money to steal!
\section
{
I love computer security and I am looking for thesis work!
}
\section
{
I Love Computer Security and I Want To Learn More!
}
Don't hesitate to contact us at the Information Coding
We think so, too! Check out some of our other courses, for instance
Group
\footnote
{
https://liu.se/en/organisation/liu/isy/icg
}
. Also, if you like
\href
{
https://www.icg.isy.liu.se/courses/tsit03/
}{
TSIT03 Cryptology
}
that is
crypto we highly recommend the course TSIT03
given every first half of the fall semester. Also, check out the courses
Cryptology
\footnote
{
http://www.icg.isy.liu.se/courses/tsit03/
}
that is given in
\href
{
https://www.ida.liu.se/~TDDD17/
}{
TDDD17 Information Security, Second
HT1 every year.
Course
}
and
\href
{
https://www.ida.liu.se/~TDDC90/
}{
TDDC90 Software Security
}
given at the Department of Computer Science. If you want more challenges, we've
added some information in
\cref
{
sec:ctf
}
.
\appendix
\appendix
\chapter
{
Tools
}
\label
{
sec:tools
}
\chapter
{
Tools
}
\label
{
sec:tools
}
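Review bot: the rewritten sentence reads `This is a bug has happened in older versions.`, which is missing a word; it should be `This is a bug that has happened in older versions.` (the old text was `This is a bug that sometimes happens.`). While here, the unchanged context `we'll fill up bank with some more money` should read `fill up the bank`. In the new `I Love Computer Security and I Want To Learn More!` section, the closing `\cref{sec:ctf}` pointer repeats the one already given two sections earlier in `I Finished the Lab and Want Something More Challenging!`, so one of the two could be dropped.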
...
@@ -410,7 +410,7 @@ will be of use to you.
...
@@ -410,7 +410,7 @@ will be of use to you.
The first step in most web attacks is usually to look at the source code. This
The first step in most web attacks is usually to look at the source code. This
will show you the raw HTML/CSS/JavaScript that builds up the page. For a quick
will show you the raw HTML/CSS/JavaScript that builds up the page. For a quick
reference on what the HTML tags do, check out the W3 HTML
reference on what the HTML tags do, check out the W3 HTML
Reference
\footnote
{
http://www.w3schools.com/tags/
}
.
\Cref
{
fig:source
}
shows the
Reference
\footnote
{
\url
{
http://www.w3schools.com/tags/
}
}
.
\Cref
{
fig:source
}
shows the
source code of one of the modules.
source code of one of the modules.
There are two main ways to view source code. The
\enquote
{
traditional
}
way is to
There are two main ways to view source code. The
\enquote
{
traditional
}
way is to
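Review bot: wrapping the footnote address in `\url{...}` is an improvement (it becomes a clickable link and can break across lines), with one caveat for the remaining footnotes in this commit: `\url` used inside a `\footnote` argument only works while the address contains none of `%`, `#` or unbalanced braces, because the footnote text is read before `\url` can change catcodes. The w3schools address is fine; any future URL with a fragment or query string needs `\urldef` or an `\href` placed outside the footnote.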
...
@@ -464,10 +464,11 @@ Windows, Linux and OSX and requires Java 7 or higher.
...
@@ -464,10 +464,11 @@ Windows, Linux and OSX and requires Java 7 or higher.
\end{figure}
\end{figure}
Installing ZAP is easy. If you don't have Java, the installer will help you
Installing ZAP is easy. If you don't have Java, the installer will help you
download and install it. If you have any trouble, check the ZAP Quick Start
download and install it. If you have any trouble, check the ZAP Quick Start
Guide
\footnote
{
https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf
}
Guide
\footnote
{
\url
{
https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf
}}
or the ZAP Wiki
\footnote
{
https://github.com/zaproxy/zaproxy/wiki/Introduction
}
.
or the ZAP
Upon first startup, ZAP will ask you if you want to persist the session. It's
Wiki
\footnote
{
\url
{
https://github.com/zaproxy/zaproxy/wiki/Introduction
}}
. Upon
safe to say yes. After starting up, you will see the ZAP interface as shown in
first startup, ZAP will ask you if you want to persist the session. It's safe to
say yes. After starting up, you will see the ZAP interface as shown in
\cref
{
fig:zap
}
.
\cref
{
fig:zap
}
.
\begin{figure}
\begin{figure}
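Review bot: the Getting Started guide link is pinned to the `2.5.0` release asset while the surrounding text only says ZAP `requires Java 7 or higher`; pinning is fine for reproducibility, but state explicitly which ZAP version the lab was written against (or link only the wiki page, which is not version-bound) so the instructions do not silently go stale when students install a newer ZAP.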
...
@@ -494,9 +495,11 @@ as the proxy configuration for HTTP and HTTPS protocols.
...
@@ -494,9 +495,11 @@ as the proxy configuration for HTTP and HTTPS protocols.
Settings).
\label
{
fig:firefox-proxy
}}
Settings).
\label
{
fig:firefox-proxy
}}
\end{figure}
\end{figure}
For instance, the configuration
\footnote
{
http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox
}
for Firefox is shown in
For instance, the
\cref
{
fig:firefox-proxy
}
. Instructions for configuring proxy settings for
configuration
\footnote
{
\url
{
http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox
}}
Chrome can be found here:
\url
{
https://support.google.com/chrome/answer/96815
}
.
for Firefox is shown in
\cref
{
fig:firefox-proxy
}
. Instructions for configuring
proxy settings for Chrome can be found here:
\url
{
https://support.google.com/chrome/answer/96815
}
.
\begin{figure}
\begin{figure}
\centering
\centering
\includegraphics
[width=.6\linewidth]
{
maninthemiddle.png
}
\includegraphics
[width=.6\linewidth]
{
maninthemiddle.png
}
...
@@ -514,7 +517,7 @@ certificate and add it as an exception to the attack browser.
...
@@ -514,7 +517,7 @@ certificate and add it as an exception to the attack browser.
\subsection
{
Intercepting HTTP(S) Traffic With ZAP
}
%chktex 36
\subsection
{
Intercepting HTTP(S) Traffic With ZAP
}
%chktex 36
Now you can browse around in TopDog and see that the traffic appears
Now you can browse around in TopDog and see that the traffic appears
in ZAP
\@
. In the left-hand pane you see
\texttt
{
Sites
}
. Expand it and you see the
in ZAP
\@
. In the left-hand pane you see
\texttt
{
Sites
}
. Expand it and you see the
site
\
texttt
{
https://snickerboa.it.liu.se
}
. Inside, you see the different
site
\
url
{
https://snickerboa.it.liu.se
}
. Inside, you see the different
requests (mainly
\texttt
{
GET
}
and
\texttt
{
POST
}
) that were made to the server.
requests (mainly
\texttt
{
GET
}
and
\texttt
{
POST
}
) that were made to the server.
On the main pane (the window that says
\enquote
{
Welcome to OWASP
\ldots
}
) there
On the main pane (the window that says
\enquote
{
Welcome to OWASP
\ldots
}
) there
...
@@ -581,6 +584,10 @@ who finish first.
...
@@ -581,6 +584,10 @@ who finish first.
If you found this lab course interesting and want more CTF challenges, check out
If you found this lab course interesting and want more CTF challenges, check out
this list:
\url
{
https://captf.com/practice-ctf/
}
.
this list:
\url
{
https://captf.com/practice-ctf/
}
.
There is also a team of LiU students called
\href
{
https://liuhack.se/
}{
LiUHack
}
who regularly participate in CTF challenges.
\chapter
{
About This Document
}
\chapter
{
About This Document
}
This lab memo is intended for students of the computer security courses
This lab memo is intended for students of the computer security courses
\texttt
{
TSIT01
}
and
\texttt
{
TSIT02
}
at Linköping University.
\texttt
{
TSIT01
}
and
\texttt
{
TSIT02
}
at Linköping University.
...
...