Assignment 4 (100 points) — HACK ALL THE THINGS
Assignment 4 is an optional assignment that will replace your lowest score on one of the other assignments. It is due 5/3/17 on or before 11:59:59pm MST. No late submissions will be accepted for Assignment 4.
Assignment 4 is composed of 10 different levels, each worth 15 points (the maximum number of points you can receive on this assignment is 100; no extra credit).
You must work on Assignment 4 alone (the life of a hacker is tough and lonely). However, the hacker’s life is also competitive, so see where you rank on the scoreboard.
You’ve been hired by a well-known software company to do a pentest of their web infrastructure. They pay well (in a mysterious currency known only as points); however, they will only pay if you find a vulnerability!
They’ve created a special server for you to perform your pentest. You’ll need to log in with the same hacker alias/password that you use for the submission site.
No automated tools. The company is paying for your brain, not an automated tool’s brain.
No DoS or brute force attacks. None of the vulnerabilities require brute forcing, so don’t do that; you could affect your fellow security researchers.
To prove that you found a vulnerability, submit the password on the submission site. To make it a bit easier to identify, passwords that you need to steal always start with the prefix FLG (similar to the PCTF). Of course, each level has a different password.
No extra credit on this assignment.
If you manage to get root on the server, you will get 50 additional points.