Security and Vulnerability Analysis - S15

CSE 591

Assignment 3 (100 points) — HACK ALL THE THINGS

Assignment 3 is due 3/18/15 at 1:30pm. Late assignments will be decreased at 20% per day (day defined as 24 hour period after the time that the assignment is due).

Assignment 3 is composed of 9 different parts (levels) (with potentially more soon), each worth 10 points, execpt for levels 8 and 9, which are each worth 15 points.

You must work on Assignment 3 alone (the life of a hacker is tough and lonely). However, the hacker’s life is also competitive, so see where you rank on the scoreboard.

Description

You’ve been hired by a well-known software company to do a pentest of their web infrastructure. They pay well (in a mysterious currency known only as points), however, they will only pay if you find a vulnerability!

They’ve created a special server for you to perform your pentest. You’ll need to login with the same hacker alias/password that you use for the submission site.

Ground Rules

  1. No automated tools. The company is paying for your brain, not an automated tool’s brain.

  2. No DOS or brute force attacks. None of the vulnerabilities require brute forcing, so don’t do that, you could affect your fellow security researchers.

  3. Let the company’s lowly paid IT-admin and the admin’s assistant know if there are infrastructure problems. Make sure to include your ASU ID, otherwise it’s impossible to troubleshoot.

Submission Instructions

To prove that you found a vulnerability, submit the password on the submission site. To make it a bit easier to identify, passwords that you need to steal always start with the prefix FLG (similar to the Capture The Flag concept). Of course, each level has a different password.

Extra Credit

If you break more than 9 levels, then you will receive extra credit, 10 points for each level.

Bug Bounty

If you find an unintended vulnerability in one of the levels or the system, the first person to report it gets 10 additional points. An uninteded vulnerability would be something like using the vulnerability on level 2 to break level 3.

Finally, if you manage to get root on the server, you will get 50 additional points.