Projects / Malware Analysis / Extra Credit Extra Credit (TBD points): Analyze your malware samples (TBD points) You will investigate and label some of the more sophisticated malware behaviors from the three malware reports we provided. These files are located in the /home/malware/phase1/extra_credit directory. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. For this extra credit portion of the project, do not assume that every behavior is exhibited. It’s your job to determine if that assumption is actually true. Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”. You will encounter that the same API functions can end with either a W or an A. This is a standard practice in the Windows API, and this document explains the difference (either one could in theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-thewindows-api For each of the following questions, mark (true/false) which of the malware exhibit the identified behavior: 1 Attempts to get victim to disable security protections 2 Microsoft Office key deletion 3 Microsoft Excel key creation 4 Creates registry values (any) 5 Drops RegAsm virus 6 Issues signal to cause immediate program termination 7 Malicious file most likely programmed in C or C++ 8 Detects the Mirai botnet 9 Keylogger attempt 10 Attempts to copy clipboard 11 Hooks registry keys/values to protect autostart 12 Possible PFW / HIPS evasion 13 Uses the Windows core system file splwow64.exe 14 Drops a portable executable file into C:Windows a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not to delete files. b. We are just looking for dropped files for this behavior. 15 Looks for the name or serial number of a device 16 Attempts to obscure the meaning of data as an added layer of data 17 HTTP GET or POST without a user agent 18 Uses loops or otherwise needless repetitions of commands, such as Pings, used to delay malware execution and potentially exceed time thresholds of automated analysis environments. 19 Attempts to override the domain name system (DNS) for a domain on a specific machine. 20 Possible system shutdown DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions. Download the ec submission template or use the JSON format below for your answers: { “sample1”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample2”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample3”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: } } The submitted answers should be in the format (this is an example only): { “sample1”: { “behavior01”: true, “behavior02”: false, “behavior03”: true, “behavior04”: true, . . . } The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). Incorrectly formatted JSON files or typos count as a submission if the submission attempt fails. We have provided a validation script named “json_validator.py” which will check your file for proper formatting. To run the validator on your file, use the following command: “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either return “JSON file correctly formatted.” if the submission file is correct, or will return the errors found. It is not required to use the validation script, although it is highly recommend to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for Phase 1 and the Extra Credit portions of the project. Malware Analysis – Phase I Points 50 Submitting an external tool Available Mar 8 at 7pm – Mar 16 at 11:59pm Malware Analysis Phase IThe assignment documentation and instructions are at the following link: (https://docs.google.com/document/d/167jVVmkyXJ0NqzsY1bPDqZL6-I1XLdZTqatncT1kr4M/edit? usp=sharing) https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/ (https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/)You will be using the same VM you have been using from the earlier projects. If you need to download it again: Link: https://cs6035.s3.us-east-1.amazonaws.com/CS6035-Spring-2025-RC-03.ova (https://cs6035.s3.us-east-1.amazonaws.com/CS6035-Spring-2025-RC-03.ova) (https://cs6035.s3.amazonaws.com/CS6035-Spring2024-rc3.ova) (https://cs6035.s3.amazonaws.com/CS6035-Spring2024-rc3.ova) 69F7313E643601262229A13E4A0E0AABD57F5B92413B308E1D7F1154D41D0CFC (https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/) VM Username: malware VM Password: Pdp8_1965 Download the VM early in case you run into slow downloads.(https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/) You need to complete one module for Phase I (50 points in total): The module for Phase I contains twenty multiple choice questions, with five choices (malware 1 through malware 5) per question. For each question, mark which of the malware samples exhibit the specified behavior. Each question is worth 2.5 points total (0.5 per malware).CS 6035Projects / Malware Analysis Malware Analysis The goals of this project: • Familiarize you with the types of behaviors that can be displayed by real-world malware samples and how to safely analyze these behaviors using JoeSandboxCloud (https://www.joesandbox.com/). • Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports. • Introduce fundamental concepts of malware analysis through hands-on exercises. • Work with safe, non-malicious samples to explore static and dynamic analysis techniques. • Practice de-obfuscating and executing provided samples to better understand their functionality. • Call endpoints with the correct data to obtain flags. Additional information: • All phases of this project will be submitted in Gradescope. • Minimum RAM required for this project is 4 GB RAM for the VM, 8GB RAM on your host. • We offer a Frequently Asked Questions (F.A.Q.) • The F.A.Q thread will be constantly updated. Therefore, BEFORE ASKING ANYTHING, make sure to review the entire F.A.Q. If your question is not covered already, feel free to post it in Ed Discussion F.A.Q. thread for the Malware Analysis project. Accessing project resources: Setup (0 points) 1 Download the project VM at the link provided in the Canvas Malware Analysis Assignment pages (the link for the file is in both pages – you only need to the file once). 2 Students need a x86 (Intel) machine to properly run the project virtual machine (please see the Ed Discussion post regarding VM Troubleshooting new link to Ed if you have any issues regarding your virtual machine). 4 Log in to the newly imported VM using these credentials: • See Canvas for username and password. 5 Run the following command in the Terminal on the VM: • ./StartContainer.sh 6 You will now have the project files for Phase 1 and Phase 2 loaded into the following directories. When you begin each phase, make sure to change directories for each part of the project. • Phase 1 reports are located in /home/malware/phase1 • Phase 2 files are located in /home/malware/phase2 • Extra Credit files are located in /home/malware/phase1/extra_credit TABLE OF CONTENTS • FAQ • Extra Credit • Phase 1 • Phase 2 CS 6035Projects / Malware Analysis / Phase 1 Phase 1 (50 points): Analyze your malware samples (50 points) You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. So initially you should assume that each malware we question you about below has every behavior listed. It’s your job to determine if that assumption is actually true. Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”. You will encounter that the same API functions can end with either a W or an A. This is a standard practice in the Windows API, and this document explains the difference (either one could in theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-thewindows-api For each of the following questions, mark (true/false) which of the malware exhibit the identified behavior: 1 Attempts to get victim to disable security protections 2 Microsoft Office key deletion 3 Microsoft Excel key creation 4 Creates registry values (any) 5 Drops RegAsm virus 6 Issues signal to cause immediate program termination 7 Malicious file most likely programmed in C or C++ 8 Detects the Mirai botnet 9 Keylogger attempt 10 Attempts to copy clipboard 11 Hooks registry keys/values to protect autostart 12 Possible PFW / HIPS evasion 13 Uses the Windows core system file splwow64.exe 14 Drops a portable executable file into C:Windows a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not to delete files. b. We are just looking for dropped files for this behavior. 15 Looks for the name or serial number of a device 16 Attempts to obscure the meaning of data as an added layer of data 17 HTTP GET or POST without a user agent 18 Uses loops or otherwise needless repetitions of commands, such as Pings, used to delay malware execution and potentially exceed time thresholds of automated analysis environments. 19 Attempts to override the domain name system (DNS) for a domain on a specific machine. 20 Possible system shutdown DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions. Download the submission template or use the JSON format below for your answers: { “sample1”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample2”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample3”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample4”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: }, “sample5”: { “behavior01”: , “behavior02”: , “behavior03”: , “behavior04”: , “behavior05”: , “behavior06”: , “behavior07”: , “behavior08”: , “behavior09”: , “behavior10”: , “behavior11”: , “behavior12”: , “behavior13”: , “behavior14”: , “behavior15”: , “behavior16”: , “behavior17”: , “behavior18”: , “behavior19”: , “behavior20”: } } The submitted answers should be in the format (this is an example only): { “sample1”: { “behavior01”: true, “behavior02”: false, “behavior03”: true, “behavior04”: true, . . . } The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). Incorrectly formatted JSON files or typos count as a submission if the submission attempt fails. We have provided a validation script named “json_validator.py” which will check your file for proper formatting. To run the validator on your file, use the following command: “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either return “JSON file correctly formatted.” if the submission file is correct, or will return the errors found. It is not required to use the validation script, although it is highly recommend to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for Phase 1 and the Extra Credit portions of the project. CS 6035Projects / Malware Analysis / Phase 2 Phase 2 (50 points) Overview For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis. To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder. NOTE: Warm Up Warm up exercise #1 (5%) We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure. Can you figure out how to get your flag? base64 -d
Projects / Database Security / Background and Setup BACKGROUND:“Good News, Everyone!” A penetration testing firm has hired you, and as your first assignment, you’ve been given a small portfolio of websites to test. You immediately notice that the pages of different clients look very similar, with similar structure and conventions. With more digging, you determine that the same software company created them. Having this information, you know that any vulnerability you find on one site will likely be seen on every client’s site. You also recognize the style of the pages and vulnerabilities and feel you have worked with this company in the past, remembering that they often use the same logic on the client and server side. You aim to bring visibility to these vulnerabilities by finding sensitive data not intended for viewing and testing the client’s security on sites where user input is required. As a pen tester, you will have to wear many hats. Good luck, and we hope you enjoy learning about a couple of database attacks. SETUP: To get set up for the tasks, carefully follow the steps below. Log into the VM with the following user. Username: Provided on project release in Database Security Project Canvas post Password: Provided on project release in Database Security Project Canvas post project_dbsec.json is available on the desktop. Put all hashes in this file and submit it as your final deliverable in Gradescope. • To edit project_dbsec.json: • The file should be located on the desktop; if not, please copy the format listed in the Submission section • Note: You can create and edit this file using TextEdit or Vim. Do not use LibreOffice or any Word Document editor. It must be in proper JSON format with no special characters to pass the autograder, and these Word Document editors will likely introduce special characters. To access the project: • You do not need to run the system upgrade and click the cancel button. • Start the Container: • Run this at the terminal to start the requirements of the project $ ./StartContainer.sh • Open Web Browser: • Open your browser, choosing Google Chrome or Firefox. • In the address bar, go to the URL http://www.gt-cs6035.com • Start with Task A • Once complete, submit the flag0 hash to verify your GTID is correct, as all Tasks are based on this first hash! • Other than Task A being completed first, Tasks A – H can be completed in whatever order. However, the instructions are laid out for simplicity, completing the tasks in order. Azure Data Studio Setup: Azure Data Studio is unfortunately a bit of a resource hog. You only really need it for the extra credit. Any testing can be done online with SQLFiddle. Another option is to SSH into the VM and run Azure Data Studio on the host. • Open Azure Data Studio (from Terminal Window: azuredatastudio) • Expand the Connections (if not already expanded), and Click on New Connection• Fill out the Connection Details based on the screenshot below • Server -> www.gt-cs6035.com • User name -> CS6035Student • Password -> CS6035DBSec• Click connect, and if the Connection error below appears, click Enable Trust server certificate.PROJECT TIME EXPECTATIONS: Previous semester students have stated that you should expect the project breakdown regarding time allocation to be approximately 1/3 of Inference Tasks and 2/3 of Injection Tasks. This excludes extra-credit Tasks (Defender Task, for example). It is highly recommended to start early! GATECH ID • Please see the RequiredReading page for instructions on retrieving your GTID. • Be very careful! When you copy and paste, strip off all leading spaces or special characters.4/7/25, 2:58 PM Task A | CS 6035 CS 6035Projects / Database Security / Task A Task A: GTID Verification (flag0 – 5 pts) *NOTE – Task A has 1 flag (flag0) This task will set up the rest of the project, so we offer five free points—like the bonus points you got in kindergarten for putting your name (and spelling it right) on a test. Note that you **only have five attempts at entering your correct GTID; at this point, you will be locked out and have to restore your VM. To earn your hash for flag0, you must perform the following actions. 1 Click on the Task A Menu from the home page. The page will open in a new tab.1 Enter your nine-digit GTID and click Submit Where do I find my GTID? • Please see the Required Reading page for instructions to retrieve your GTID. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/DatabaseSecurity/TaskA.html 1/2 4/7/25, 2:58 PM Task A | CS 6035Hints: • After obtaining your hash, add your flag0 hash into the JSON file and submit it to Gradescope to verify it is correct before proceeding to Tasks B-H! • While this means you will “burn” a submission, it is HIGHLY recommended as the wrong setup means all flags will generate incorrectly! Include your flag0 hash into the JSON file, and now, onto Task B! See Submission Details for more information. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/DatabaseSecurity/TaskA.html 2/2CS 6035Projects / Database Security / Task B TASK B: INFERENCE ATTACK- #1 (flag1 – 20 pts) This happened with the first reports you are looking at that were provided to you for testing. You have been given internal reports for a single company. One report is a simple employee roster; one report lists out how long employees have been members of the organization, one report groups data on all employees together to provide the average salary for employees based upon the state that they live in, and the final report lists the average salary for employees based upon how long they have been a part of the company. These four reports do not violate the client’s controls on access to sensitive Human Resource data. However, as you do your analysis, you realize that there has been a hole opened in those controls to someone who puts the reports together and does a little analysis of the contents of the reports. The audit reveals that, at minimum, at least one person’s salary is publicly available to all employees who can view these four reports. To complete Task B, you need to find a hole in the protection where you can definitively find the actual salary of employees. After finding the first employee, continue looking for a hole in the protection to find the next employee whose salary you can definitively find. Continue this for n employees in an iterative fashion. Each employee will have a hash associated with them. This hash is unique to your VM and was generated when you completed task A. Once you have identified which employees have the exposed salary, record the hash value displayed for that employee and their salary (2 decimal places) on the report in your JSON file for flag1. You will pass Task B if you have the correct hash values. Remember that submissions for the entire project are limited, so if you randomly try different hash codes, you will only hurt yourself later in the project. For Task B – order matters (order of finding) for the flags (array[0] is the first employee found, array[1] is the second employee found, etc.)! To earn your hash for flag1, you must perform the following actions. • Hover over the Task B Menu, which will display four reports: Employee, Duration, Salary by State, and Salary by Duration.• Click on the report you want to view (e.g., Employee Report). It will open in a new tab. • Review the data on all four reports. You are searching through the data to see if you can find at least one employee whose salary you can positively identify precisely. • With one employee found and hence eliminated, is there another employee whose salary you know precisely? Repeat steps 2-4 until no further elimination is possible. Each employee found they should be added to the next array pointer in the flag (i.e., the employee found order – 1 => array1 for the second employee found). Hints: • You need to find a place where data is isolated to a single person. Look at the four reports to see if anything makes the data unique. You might need to combine multiple reports to do this. • Once you isolate an employee, continue to see if you can isolate another employee. Rinse and repeat until you can no longer isolate an employee. • If you know it’s elimination, and employee n-1 leads to n, logic should tell you that to find n, n-1 would have something in common with n. • All Inference flags: • Only look at the data relevant to the task *Don’t get tied up on data that provides no value to the task. • If you use an external application to troubleshoot the data and try to sort, make sure the entire dataset is sorted • All Array flags: • You will receive credit for each element in the array that is correct • For flag arrays with more than the hash (salary/cpt), there is no partial credit for the array if the hash is correct but the other data is not • You will not be penalized for not filling in the whole array (i.e., if there are 6 elements in the array, and you have only 2, you will not be penalized for the missing 4) • You will be penalized if you overfill the expected array (i.e., if there are 6 elements in the array, and you have 7, you will be penalized for the extra 1) • You are reporting a salary which is US currency and hence, 2 decimal places Include your flag1 array consisting of hashes_salaries into the JSON file, and now, onto Task C! See Submission Details for more information.CS 6035Projects / Database Security / Task C TASK C: INFERENCE ATTACK- #2 (flag2 – 25 pts) Now that you have seen how an inference attack can compromise data (data made available inadvertently) in a single company, we consider how inference attacks can compromise data by combining unrelated data sets. For this attack, four completely unrelated data sources should be considered. All four are internetfacing and, therefore, available to anyone with internet access. The first report is a sample report produced for a local hospital concerning types of procedures done within the last few years. The second report is a voter registration database with certain well-established fields (you could go to your local board of elections and get a report like this on all registered voters in your district, most likely). The third report is a partially de-identified report for an insurance company for a sample data set built by the same developers we have been dealing with for public use. “Partially de-identified” means that though some attempts were made to remove an obvious link to actual patients, there is still some data left on the report that might link back to a real person if looked at carefully. We also have provided a helpful list of medical codes to link to the hospital report. For Task C – order does not matter (order of finding) for the flags! To earn your hash for the flag, you must perform the following actions. • Hover over the Task C Menu, which will display four sites: Medical History, Voter Registration, Insurance Claims, and Medical Codes.• Click on the site you want to view (i.e., Medical History). The site will open in a new tab. • You must carefully examine all four sources to determine where a patient’s history was compromised. You will determine how to do this. • Once you have identified the exposed patient, look up the hash code (ID Column) on the voter registration report for the exposed patient and record it. NOTE: the hashes are specific to you and your GTID as provided in Task A (we will use that ID when we grade in Gradescope). You must append a _ followed by the voter’s CPT (procedure *NOT diagnosis) code to this hash. Hints: • As with the prior task, feel free to make liberal use of copying data from the VM into a spreadsheet or other similar program on your host, and feel free to do whatever analysis you need to do to figure out the record you seek. As in Task B, this is not required to complete this task but it will be helpful. • Unlike Task B, where the data can be more easily narrowed to one record, you will need to narrow it to multiple records and then use logic to narrow it to one. Unlike Task B, where the order matters to narrow the data, it does not matter here as it is logic-based instead! • Once you isolate a voter, continue to see if you can isolate another voter. Rinse and repeat until you can no longer isolate a voter. • There is no partial credit for the correct hash or for the correct procedure (to receive credit, the hash_procedure has to be correct in its entirety) Include your flag2 array consisting of hashes_cptcodes into the JSON file, and now, onto Task D! See Submission Details for more information.CS 6035Projects / Database Security / Task D TASK D: SQL INJECTION – #1 (flag3 – 5 pts / flag4 – 10 pts / flag5 – 10 pts) *NOTE – Task D has 3 flags (flag3, flag4, flag5) To get into the basics of SQL injection, you can start by looking up online “SQL Injection Cheat Sheet,” which is a helpful introduction to the topic. But what you will need to do to accomplish this task is figure out how to write some basic SQL code (the complexity won’t be in the SQL code but in the bypass of the SQL Injection security) that can be placed into the input field of a form and passed to the website in such a way that it is a valid SQL statement that does things that the original developer did not intend. This can involve bypassing security, accessing unauthorized information, or, in the worst case, making unauthorized changes to the website’s data. Once the hole exists, your power to exploit it can be immense as long as you can guess the structure of the underlying database or map it out. For Task D, you have a website where your user ID is your GTID, as you entered on Task A. The site wants to upgrade its old Legacy Login page. The legacy page’s main security is checked to see if there is a direct match to a user by the username (your GTID). You do not know and will not receive the password to enter the system. For flag3, the developers are asking you to determine the difficulty in bypassing the existing security, knowing that a SQL Injection attack is possible. The developers want to attempt to mitigate the risk of such an attack; however, they are wondering if they should be using just client-side data sanitization or both client and server-side data sanitization, with the same server-side and client-side data sanitization. For flag4, you will attempt to bypass the security using client-side data sanitization. For flag5, you will attempt to bypass the security using client and server-side data sanitization. The client provided a snippet of the code they used on the legacy login page. You can use this code to try to figure out how to perform the SQL injection. When you succeed, you will log into the website using your GT ID and no password. The injection will bypass the password requirements and log you in immediately. Once logged in, the hash for flags3-5 keyed to your GT ID will be displayed. All three hashes for Task D will be different. To earn your hash for flags3-5, you must perform the following actions. 1 Hover over the Task D Menu, which will display three links: Legacy Login, New Login – Client, New Login – Client/Server.1 Click on a link. The page will open in a new tab. • For flag3 (Legacy Login) – this is a straight SQL Injection on the password field. • For flag4 (New Login – Client) – this is a client-side data sanitization SQL Injection on the password field. • For flag5 (New Login – Client/Server) – this is both a client and server-side data sanitization (2x) SQL Injection of the password field. 2 Enter your GTID in the username input field and any additional characters in the password input field you determine will cause the injection. Then, press the login button to submit. Where do I find my GTID? • Please see the Required Reading page for instructions to retrieve your GTID. 3 If your information is correct, you will log into the system and receive your hash. Hints: • For flag4 and flag5, you should use the browser’s Developer Tools to access and debug the client-side code. • For flag5, remember that there will be server-side data sanitization that you cannot access, but know the logic will duplicate the client-side data sanitization. • All flags with Sanitization: • There is a difference between encoding, escaping, and sanitization. Understand the difference and the validity of using one or the other, remembering that the client/server-side code is doing sanitization. • You have access to the JS where the sanitization is done on the Client Side. You also know that the client and server-side sanitization is the same. Is there a way in DevTools to call a function again? • There is a difference between bypassing and beating the sanitization. • Unless it is a single character in the strip, you can “beat the sanitization.” Only one of the lines strips a single character • Try to beat the sanitization line by line to understand a valid approach! Use the sanitization code against itself. • Natural sanitization is also at play. PHP uses ? and & for variables, so while not “sanitized,” they will break up your injection if used. The web browser converts the charset #- (if not HTTP encoded) into a blank char. • All Injection flags: • Sometimes, not equal can be just as good as equal if appropriately used. MSSQL has two ways to state not equal (one where you can beat the sanitization and one where you cannot). • Single quote (‘) does not get filtered and is needed for most injections • Just because you think you are writing a SQL injection doesn’t mean the database won’t read it as a regular string. • Remember that the entire statement is going into a string variable. • While the exception causing the databreach is returned for troubleshooting, this exception is based on the expectation the input is a string, not an injection! • Null works great for an SQLi when you don’t know the schema and when the developers aren’t expecting it. The developers are looking for it! • There is a difference between ending a statement to next begin a new statement and escaping out of the statement. • All Injection Login flags • Here is the login code that you were able to obtain from the legacy login page (both username and password have a character limit of 96):Include your flags3-5 hashes into the JSON file, and now, onto Task E! See Submission Details for more information.Task E | CS 6035 CS 6035Projects / Database Security / Task E TASK E: SQL INJECTION – #2 & INFERENCE ATTACK- #3 (flag6 – 7.5 pts) *NOTE – Task E has 1 flag (flag6 is an array flag) For Task E, you must complete two attacks (Inference and SQLi), which you should now be comfortable with. For flag6, you have a list of grades for this class (all data is fictional *if by some chance your name is listed, it is 100% coincidence). This data is deidentified (meaning scrubbed) to prevent a viewer from limiting the data to an individual (such as Task B). However, there is a login where users can log in and obtain a roster list with more detailed data. Your task is to use Open-Source Intelligence (OSINT) to obtain the login account (user) and SQL Injection to bypass the password (no sanitization *discussed in flag4 and flag5). After successfully bypassing the login, you will be prompted with a security question. Use OSINT techniques, often used by social engineers, to deduce the correct answer based on the provided context or hints. When you finally log in, use the extended roster data to find the students who have received an F in the class and enter them into the flag6 array (order does not matter). To earn your hash for flags6, you must perform the following actions. • Click on the Task E Menu.• Enter the account you were able to obtain/deduce in the username input field and any additional characters in the password input field you determine will cause the injection. Then, press the login button to submit. • If your information is correct, you will be prompted for a pseudo-multi-authentication prompt. You will again need to use OSINT techniques to obtain the prompted information relevantto the account. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/DatabaseSecurity/TaskE.html 1/2 Task E | CS 6035 • You will be logged into the system if the multi-authentication data is correct. For flag6, you must gain some inference knowledge to obtain the students who received an F. Hints: • Specifically, with the OSINT aspect of this task, you should concentrate on information gathering (gathering information about a user from accessible data and using it to gain access to their accounts). • There is no sanitization with the login form (password field). Haven’t you already done this? Include your flags6 hashes into the JSON file, and now, onto Task F! See Submission Details for more information. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/DatabaseSecurity/TaskE.html 2/2CS 6035Projects / Database Security / Task F TASK F: SQL INJECTION – #3 (flag7 – 7.5 pts / flag8 – 7.5 pts) *NOTE – Task F has 2 flags (flag7, flag8) You will be completing two flags for this task. In this case, you will be looking at a search engine for a database of music albums for a music store. You have discovered a page called “schema,” which offers the user a view of the underlying metadata of the table used to populate the main report. By now, if you have been paying attention, the designers of these sites have followed a similar pattern for how their sites work, especially if you look at the hyperlinks that lead to the pages. You know, therefore, that there is probably a way to get admin access to that schema by leveraging that knowledge of how they use links. That means table definitions might be available to users who poke around and try to find things they should not. You have learned that the Schema page uses a database user with the same name of Schema to access the database and that this user only has select/read access to the Music table, which provides access to view the tables’ schema. You will need to inject to provide the Schema user access to all tables, so when you find out how to display the database table schemas, more than the Music table will be displayed. The table name and schema you are trying to access are currently unknown. This is important in discovering how to craft your attack’s first part. So, your task for flag 7 is to figure out how to modify access for the user (Schema) and obtain the hash of the new table with the “correct level” of rights/access. After you get additional information about tables in the database, you can use this data for flag 8, where you must learn how to leverage your discovered information to construct the SQL injection. If you successfully craft a SQL injection, you will find an actual database account appearing on the report that you can use to log into the system using the “Login” screen on task F. If you have the correct login information, you can only obtain it by SQL injection. You can enter the login information into that screen and access the management console. Of course, for our purposes, the “management console” is just the hash you need to get credit for the attack. You will need to enter the newly visible hash in your JSON file. Both attacks will need to be accomplished using the Report page! • Hover over the Task F Menu, which will display four links: Schema, Report, and Login.• Click on the link you want to view (i.e., Schema). The link will open in a new tab. • You can use the Schema link to see the schema for the table used to build the report. • The report search is a simple “SELECT…..FROM….WHERE” query using the schema you can see on the initial schema screen. Once you know how to execute the injection, type your attack into the search field and click “Search.” To earn your hash for flag7, you must perform the following actions. • Is there a role you can add your user to that would provide access to reading the schema of the table? Once you have figured out how to execute the injection to provide access, type your attack into the search field on the Report page and click “Search.” • On the Schema page, consider how you might find more information than in this table based on how the links have been designed. You might need admin access to see information. • When you see the new table (not Music), the Hash in the table Schema header is your flag7 hash. Record the hash into your JSON file and submit it to Gradescope. To earn your hash for flag8, you must perform the following actions. • Once you can obtain the other table’s schema, you can again use the search input to try to return rows from other tables in the database other than what is intended. Once you have figured out how to execute the injection, type your attack into the search field on the Report page and click “Search.” • Once you have done the injection correctly, a username and a password will appear in the report data. Use these values to log into the management console on the “Login” screen. When you have the correct login, you will get into the system, and your hash will be displayed. Record the hash into your JSON file as flag8 and submit it to Gradescope. Hints: • You will need information hidden in the website to craft your injection. The information is hidden in webpages you cannot reach via any links anywhere in our project. You notice that the pages and URLs for the different clients look very similar, with similar structure and conventions. Can a slight manipulation of the URL lead to providing more information? • You have heard that this company has realized that client-side scripting is easily bypassable, offers a server-side scripting template, and has started removing the client-side sanitization login. However, you are EXTREMELY confident that they are still using the same server-side sanitization logic/code they have previously used for other sites. • The login bypass logic you used from Task D/E will not work on Task F, although the choice to attempt is up to you. SQL injection on the login screen for this exercise is explicitly disabled. • Flag7: • There are two parts to flag7 – one is gaining access to the schema, and the other is displaying the schema. • The goal is to sneak into the system without raising attention. You do not need elevated access (the administrators are looking for this); read access will suffice • Is there a role you can add your database user (Schema) that would provide access to reading the table schema? • SQL Server has built-in Stored Procedures you could use to solve this task • Improperly messing with access can cause issues. You will likely need to re-import your VM Image if you cannot access pages. • Flag8: • Can be completed without completing flag7 (providing access to the database user Schema). • How can you add contents from another table to an existing SQL query to return one data set in a report? • Think about the results received from your successful injection in flag7. What is that telling you if you receive a similar output in flag8? Include your flag7 hash into the JSON file and submit it to Gradescope! See Submission Details for more information.CS 6035Projects / Database Security / Task G TASK G: SQL INJECTION – #4 (flag9 – 7.5 pts / flag10 – 7.5 pts) *NOTE – Task G has 2 flags (flag9, flag10) You will be completing two flags for this task with flag10 reliant on the completion of flag9 (or you can choose to use your GTID for the username and password but not receive a hash for flag9). Both flags will use the same banking website. This is a standard type of banking site where you log in and see the history of a particular account tied to the login. Your client maintains another site and wants you to verify the protection they have set up. Your job is to show them that the protection is not adequate. *Part one (flag9): logging into a website as a user without a username You must complete this first part to get full credit for the project (i.e., 100/100). Your task for this portion is to log into the website without knowing any actual accounts. However, you must log in as a valid user. You, therefore, must craft an injection that is smart enough to find a valid user from the database without having any actual access to the database (see the hints section below for assistance in knowing what the database structure looks like). You must use the skills you gained in Task D with more sophisticated SQL knowledge. There are multiple injections for the username field that will work; your goal is just to ensure that the username is populated from an actual row within the database using your injection. You will need two different injections for the two fields (username and password) to log in. Once you have logged in successfully, you will see a valid username where the username text box was and a hash just below the username. This hash is your answer for flag9.*Part two (flag10): altering transaction history The developers want to verify the strength of their protection for the account’s transaction history. Once you complete flag9 and log in, or choose to bypass flag8 (no hash will be provided for flag8) using your GTID for the username and password, you will see a list of 10 transactions over time. You will notice that one of the 10 transactions has an overdraft charge of $35. You will also notice a balance to the account when you bring it up to $1746.52. You need to do two things to test the transaction history and get your flag. You must get the balance to $2000 with 10 transactions and no overdraft fee. To do this, you need to do a transfer of money into the account, and you will need to delete one of the transactions (for this test, the developers want to see if you can remove an unwanted overdraft amount, so you’ll need to remove that specific transaction while adding enough money to make the balance $2000).Unlike prior injections, attacking the text boxes cannot do this task. Instead, You must alter the form output within the web browser. This will require you to use the Chrome Developer Tools within the browser. This will probably require you to research how to use these tools to make breakpoints and alter the contents of data as found in a form. When you click the Transfer button, you must know how to pause submitting the form to complete the attack. The routing number and account number fields do not matter; feel free to enter any values. You will not be able to alter the account number. You should enter the amount you need to get to $2000 as if the overdraft fee was not there (if you do the injection correctly, that transaction will completely disappear and, therefore, not be used to calculate the balance). If you have the breakpoint set correctly, you can stop form execution and use the Developer Tools to alter the data within the form to include your SQL injection.Be warned—banking sites use auditing to track history. Simply deleting the transaction will not be enough; you must remove it from the audit trail. Make sure to look at the hints for how to find this information. The developers will not credit you for your efforts unless you can remove all traces of the deleted transaction. To start Task G, click on the Task G Menu from the home page. The page will open in a new tab.Flag9: The text boxes you must inject into are on the top right. Flag10: You cannot directly add your injection anywhere in the UI without using Web Dev Tools. Do not add it to the Routing or Account numbers, as this will not help you. Hints: • The developers have not set up any sanitization to change what you enter into the field, just like it was for your legacy task in Task D (flag3). You don’t need to worry about changing your injections to bypass a filter. • Flag9: • Task G uses a query similar to Task D to log in. If you need help knowing how to query database information to find a username, that query will give you valid metadata information. This is sample code and not the exact code that is used. Do not try to bypass the code (i.e., try to stop aspects of the code from running). Instead, understand what the code is looking for regarding the user and what is needed to have the injection work with the code as is. • While it is possible to try to “brute force” a user to return, this flag is looking for one specific user, and it will cause you to burn submissions. Again, understand the code breakdown from the hint above! • If you were genuinely hacking a system and did not know how many users there were in the system, you would assume there would be at least … Starting there probably is a good idea • What you use for the password (remember there is no sanitization – this sounds like flag 3) will not work for the username. • Using LIKE is not the best approach for this injection! • Flag10: • Once you find the page from the hint above, you should look closer. Can a slight manipulation of the URL lead to providing more information? • Log out and back in if you make a mistake adding a transfer item. Logging out and back in will reset the transactions to the original amount. You must inject with a single click of the Transfer button, not multiple clicks. • Pay close attention to the schema. • There are two main ways to insert a row into a table via SQL (ex. below). You will need to figure out which is used to craft your injection! • INSERT INTO TABLE (COL1, COL2, …, COLn) VALUES(DATA1, DATA2, …, DATAn) • INSERT INTO TABLE (COL1, COL2, …, COLn) SELECT DATA1, DATA2, …, DATAn FROM … • You will not be able to apply your injection using the form; maybe try Web Developer Tools • This flag builds JSON to deliver the payload, and the start of the payload is an insert statement (but which syntax? – see hint above) • The bank has processes in place that does not allow multiple transactions in a short period of time! Include your flag9 and flag10 hash into the JSON file and submit it to Gradescope! See Submission Details for more information.CS 6035Projects / Database Security / Task H TASK H: Defend Against Inference and SQL Injection Attacks (flag11 – 15 pts) NOTE – Task H is an array flag (Inference – Elements 1-3 / SQLi – Element 4) In this task, you will pivot from an attacker to a defender. Instead of trying to find vulnerabilities to exploit, you will write SQL to prevent the attacks you have performed in Tasks 1-5. NOTE—All the validations will show yellow (not run) for their initial run. To limit the time required to run through the validation(s), each test must be run separately by clicking the Run test button next to the test you want to validate. • Hover over the Task HMenu, which will display two links: Test Pages and Run Validation Checks.• Click on the link you want to view (i.e., Test Pages). The link will open in a new tab.• The Test Pages will provide a drop-down with options: • Employee Report Search can be used to test the SQLi defense against a UNION attack. • Avg Salary By Title Report can be used to validate your view. • Avg Salary By Dept Report can be used to validate your view. • Login can be used to test the SSQLi defense against a LOGIN attack. To earn your hashes for flag11, you must perform the following actions. 1) Inference Defend (Elements 1-3 of flag11 array -> 5 pts) • The reports will use the three Views provided to you. You will not have access to alter the EmployeeReport View. You should alter the views DocumentEthnicityDurationReport and TitleGenderAgeReport based on the instructions below. • You must make the data K anonymous with a value of K=2. While this is a minimal k-anonymity value, this is directly tied to the small value set size. • There are checks in place to ensure that “no unique records” are met while also ensuring the integrity of the data is not lost any more than it needs to be to ensure the report still holds value. • You will need to alter 2 Views in Azure Data Studio. 1) TitleGenderAgeReport — This will be a report on the average salary and bonus based on Title, Gender, and Age. * Use Azure Data Studio to Alter View (TitleGenderAgeReport) to report and test SQL. * Only report data that provides value to the report * Columns in the view should follow the table order * There is no need for a default sort * Create buckets for age (65), and the data return should be what those buckets are (e.g.,
CS 6035Projects / Binary Exploitation / Flag 03 – XORbius Task 03_XORbius Time to rev up those Reverse Engineering motors, because you need to unravel the logic that this program is checking against in order to get to the call_me() function! No buffer overflow this time, you just ‘simply’ need to input the right values that will correctly decode the logic and pass the checks. If you’re unfamiliar with C operators, this TUTORIAL has all the necessary operations detailed. Suggest pen and paper for this one to work through the logic by hand, or do a ton of experimentation to get the right value! XOR TRUTH TABLEXOR Operations are REVERSIBLE, meaning that performing the same XOR operation on a number twice will end up with the original number! Example: 0b11110000 ^ 0b00001111 = 0b11111111 => 0b11111111 ^ 0b00001111 = 0b11110000 https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/03_XORbius.html 1/2 Flag 03 – XORbius | CS 6035 in Hex notation 0xF0 ^ 0x0F = 0xFF => 0xFF ^ 0x0F = 0xF0 Some students have likewise found it helpful to try and break down some of the elements of the binary within their own toy code; below is an example of such an effort using Programmiz.com:Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/03_XORbius.html 2/2 Flag 03 – Pointy | CS 6035 CS 6035Projects / Binary Exploitation / Flag 03 – Pointy Task 03_pointy_pointy_point We see there is an unsafe() function which has some checks for different local variables. The positioning of these variables is important because they are declared before the input buffer which means that a buffer overflow will cause data to be overwritten. This program is a Buffer Overflow, however you will not be changing the control flow to a specific binary address (i.e. overwriting ret), rather you will need to enter in the right values to trick the pointer arithmetic logic and get to the call_me() function. Some students have likewise found it helpful to try and break down some of the elements of the binary within their own toy code; below is an example of such an effort using Programmiz.com:Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/03_pointy_pointy_point.html 1/1 Flag 03 – Hunt/ROP | CS 6035 CS 6035Projects / Binary Exploitation / Flag 03 – Hunt/ROP Task 03_hunt_then_rop You’ve made it! You are now on your final task. In this directory is the entire contents of /usr/bin, a collection of binary files that make up a lot of common linux uses. One of these files has been overwritten by our vulnerable flag program. It is your task to figure out which one. NOTE: just to make it explicitly clear, you will not find a binary named “flag” in this directory. There IS a binary compiled from the flag.c source code present, but it is renamed to something else, overwriting/replacing that binary. To help sort out what’s going on, we’ve supplied you with a checksums file. Inside the checksums file is – as you might guess – a list of known good checksums generated by the linux shasum command. You should leverage this checksums file to figure out which binary present is the vulnerable one; you are free to do this however you would like. NOTE: we suggest skipping over the ‘checksums’ file itself (as well as any additional files you might introduce during your hunt). Once you find the file it is time to begin our exploit. This is a bit more complex than the other flags and will require a full ROP (return oriented programming) exploit to chain calls together, and we will also need a new tool called Ropper to find a ‘gadget’ in order to supply a function argument and pass a specific check. In 64-bit programs, the function gets arguments through registers, in the case of intel architecture the RDI register supplies the first function argument. So we need to find a gadget (a piece of code that we can override the instruction pointer with, that will perform a certain action and then continue with the control flow hijack) that will pop a value from the stack into the RDI register. Let’s use ropper like this $ ropper –file flag | grep ‘pop’ https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/03_hunt_then_rop.html 1/2 Flag 03 – Hunt/ROP | CS 6035 This will give you all gadgets within the binary that have a keyword ‘pop’ (spoiler, there’s a LOT of them). An objective for this task is to figure out what gadget will likely work best to get the required argument passed into the function you are trying to call. This Writeup is a helpful reference to understand how calling convention works for x86_64 cpu’s Note the addresses that are output for each gadget. Once you find a gadget you think will work, we will need that as our first override value in pwntools Pictorially, this is what our crafted exploit needs to look like (remember stack grows down)Now we will need to supply the argument, which will be on the stack immediately after our pop gadget, figure out what that value needs to be, and add it as p64() after the pop gadget Then we need to put the address of the function as the next call, use objdump or gdb to find the addresses (you should probably get the second function address while you’re at it). The call to our pop gadget will ‘ret’ and then hit this second function call to enter one of the unsafe functions Finally, we need to finish our execution chain by calling the second function which will allow for exploitation. Append that address to your chain and see if you get a flag! Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/03_hunt_then_rop.html 2/2 Flag 02 – Server/Client | CS 6035 CS 6035Projects / Binary Exploitation / Flag 02 – Server/Client Task 02_the_server_client_one This flag shows a communication between a server and a client. The client binary (flag) will send data to the server, and the server appends some (very conveniently structured) data to that message and sends it back to the client. Your goal for this task is to have the server return the ideal data to overwrite the instruction pointer with the data that is returned from the server. Follow the same steps in previous tasks (buffer_overflow_2, more specifically) to break the program in gdb, and then figure out your buffer size, and try to fill in the response to correctly hit this function call! If you use the pwntools e.py file, it will start the server for you so there is no need to explicitly start the server. If you are running the program on the command line to experiment, then you must start the server each time you run the binary. You can either open a new terminal, and run ./server Or in the same terminal, each time you run the binary, run ./server & Your task is to figure out the breaking point, and heavily inspect the last bytes that are returned from the server in order to get the right return and get the flag! Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_the_server_client_one.html 1/1Flag 02 – Password | CS 6035 Flag 02 – Password Task 02_p4s5w0rd STRINGS! Now it’s time to learn a really useful technique to find all the available strings in a program. And by strings, we mean any collection of printable characters that exist in the binary. So things like variable names, hardcoded paths, debug messages, or eeeeevenn…. passwords? Hopefully not in a real program but you would be surprised. This binary has zero debugging information and you do not have the source code available, but guess what? The program is written terribly and is very unsafe, with passwords stored in plain text that can easily be dumped/searched in the binary! I would recommend running the program once or twice to see what it’s doing (checking a series of responses to questions) and if you get every question right, then you will get the flag! To get the strings for the program, run the command: $ strings flag This will output it all to the terminal which isn’t super helpful, so would suggest redirecting output to a file like: $ strings flag > flag_str Now you will be able to grep/search/navigate the file in a new terminal and will (hopefully) be able to figure out what the correct responses would be for the given questions. (hint, strings are stored in the binary in the order that they’re written in the C code, might be a good idea to search for the questions they’re asking and it should be pretty easy to determine the answer from there!) Good luck! Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_p4s5w0rd.html Flag 02 – Password | CS 6035 https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_p4s5w0rd.html Flag 02 – Bad Rando | CS 6035 Flag 02 – Bad Rando Task 02_bad_rand0 This Program (very conveniently) leaks out part of the libc base address this address is randomized via ASLR so it will change a little bit every time the program is launched run the program a few times and notice what bytes are different and which ones aren’t Next step will be analyzing the C file and see what we are comparing against in order to get to call_me – system() is a libc function, use GDB to get the address of system using command p system – run ./flag multiple times, it will ask you for input and your goal is to guess an address. Put in any random guess and try it a few times to see if you can notice a pattern versus what is leaked and what is being expected. Fortunately there’s only one byte that is missing from our formula, so we can do some scripting in python to try out the remaining values. – pwntools has a function called recv() that will let us do some manipulation with the str – the recv functions will return a BYTES object, so you will need to do some clever manipulation of said s – note that the C file is using scanf to read in a hexadecimal number, meaning you don’t need to use p64()Your task is going to be: – get the value leaked from the program – modify it with the offset of the system() function – fill in the remaining byte with a random value – send to the process – (repeat until you get a flag) note: i recommend using recvall() after you send in each payload, and write your loop logic around the output (see other flags for what kind of string output you can expect) to see if you got the right value! https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_bad_rand0.html Flag 02 – Bad Rando | CS 6035Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_bad_rand0.htmlFlag 02 – Assemble | CS 6035 Flag 02 – Assemble Task 02_assemble_the_assembly This task will get you to determine which series of assembly instructions will direct the code flow into constructing a call to call_me(). Analyze the different instructions and look up the usage/behavior of them to figure out which combination will get you there. There is a small twist, however: You can use objdump or gdb to find the address of call_me() and figure out how you calculate it. For debugging, we highly recommend using gdb, setting a breakpoint on the gadget function, and stepping through the options once you think you know the correct path to get to the function call. (FYI:: you don’t have to use pwntools for this one) https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_assemble_the_assembly.html Flag 02 – Assemble | CS 6035Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/02_assemble_the_assembly.htmlFlag 01 – BO2 Task 01_basic_overflow_2 In this task you will learn details about binaries compiled from C code (with gcc) in a Linux environment, and how some basic things can be exploited such as process redirection or control flow hijacking. The steps in this flag are discussed in-depth in the intro video. In this directory you have an executable binary named ‘flag’ which is vulnerable to a buffer overflow in one of its functions. We will be using an exploitation library called pwntools to automate some of the overflow techniques and get the binary to call a function it otherwise wouldn’t have. This function called ‘call_me’ generates a key using your Gradescope User ID to get a valid flag that will pass the autograder. Now we will run the binary just to see what the program is doing by running the executableWe see the binary is asking for a string, input any text you want or just press enter, and you’ll see that the program does nothing and just exits. That’s just to simplify the code so we can focus on the exploit. The binary is statically linked to a shared object which has a lot of methods that construct the key and has a simple function called ‘call_me()’ which will print out your key. This is where we will start learning about binary file formats. Without going into a deep dive about program structure, operating systems, compilers, assembly language, machine code, etc. you will still be able to understand that there are two aspects that are key in binary exploitation Data • is simple enough, it is just any collection of bits that represent some kind of data element (like an ASCII character, integer value, pointer, etc) Addresses • At this scope we can just think of addresses as fully unique identifiers of specific data elements. These are logical locations the computer understands. A buffer overflow occurs when too much data is fed into an unprotected (or poorly protected) data buffer. The way that 64-bit C programs work is, a few bytes before the start of the stack frame (this is the function entry point), there is an address stored in memory called the Return Address. This Return Address is read into a register upon function return (when the function ends and intends to return to its caller), andthen process redirection to that address happens. If we override this location with another valid address, we can manipulate the control flow of the program and have it execute arbitrary (or otherwise unintended) code, with a well-formed attack. Starting off easy, we are going to modify e.py and learn a few basics of the pwntools library, which will build up into a successful attack at the end. Open e.py with your favorite text editor and analyze the content and comments. Once you understand what they do, proceed to fill in the cyclic size (this number is up to you, based on your understanding of the program and what would break it) to get a segmentation fault message by running $ ./e.py dbg This will open up a gdb terminal with a breakpoint set at main() Type ‘c’ to continue from the breakpoint • (sometimes you might need to press ‘c’ twice if you don’t see the error, this is an issue with how gdb attaches to processes)We see the program received an interrupt signal for a SEGMENTATION FAULT (SIGSEV, or an invalid access to memory). This happens when the program tries to access memory at a certain location that it either isn’t allowed to access, or doesn’t exist. In this case the return address for the function was overwritten by cyclic()’s data in the form of long strings of characters. Pay attention to the bottom of the screenshot where the instruction pointer is currently trying to ‘ret’ (return) to 0x6561……616b which is just a string of ascii characters in hexadecimal form. Now we know how to break the binary, let’s figure out how to purposefully break it. Using a pwntools method called ‘cyclic_find()’ we enter in the bottom 32 bits (4 bytes) of the return string (in this example is 0x6561616b) which will give the number of characters before reaching that value. This is important because we are now going to reach our first step of control flow hijacking by overflowing enough data that we can place a value and change the course of the program’s normal path. In e.py, on the commented line below your cyclic command, we are now going to use cyclic_find() which will automate our buffer length calculation, and feed that number into cyclic(). Place in your 4 character bytes (preceded by a 0x, like 0x6561616b). Uncomment either of the lines beneath our original cyclic() call (one uses hex value and the other uses the ASCII values), and fill in the hex or ascii value described above This will fill the buffer with our calculated buffer length, appended by the ASCII byte equivalent of the variable by using another pwntools method p64(number). After you have done that, rerun ./e.py dbg And hit ‘c’If done correctly, you should see something like this screenshot, where if you check the ‘ret’ instruction, we are now failing on an invalid access to our dummy address. Stepping away from the pwntools library for a moment, we now need to find something usable within the binary that will allow us to actually call a function or do something other than just crashing the program. Now we will use a linux command ‘objdump’ which takes a binary file and will output a dump of the binary which will give some key information about the binary. The -D flag will output binary addresses, machine code, and assembly code of the binary into a file. objdump -D flag > flag.asm Then open flag.asm You will see a bunch of (likely) confusing information that at a high level translates to the code that you can see in the ‘flag.c’ file. You aren’t going to have to go through this file in any extreme expanse (unless you want to?) we are just going to focus on finding an address within the binary file that holds the machine code responsible for making a function call to ‘call_me()’. Search for the string ‘call_me’ in flag.asm and keep looking until you find the assembly instruction: call Note down the highlighted address showing the call (it will be different in your binary): With the hexadecimal value of the address above (prepend 0x to the value highlighted) Now run ./e.py again from the command line (without dbg) and check the terminal output. Did you get it? Awesome! Submit your first flag to gradescope (follow APPENDIX for more details) If not, retrace your steps in this task and also make sure you used the call call_me address in the earlier step and not the address of the actual function call_me() Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.Flag 01 – BO1 | CS 6035 CS 6035Projects / Binary Exploitation / Flag 01 – BO1 01_basic_overflow_1 (watch the intro video first please) This task is a very simple buffer overflow that, upon inspection, will check if a variable is non-zero. Using the information you have gathered from reading and the videos, it is your task to get this program to get to the call_me() function, and get the flag printed. Here are some steps I suggest you follow for the remainder of the project, that will set yourself up for success when debugging/analyzing/reverse engineering the binaries. • Read the source code! You have the source code for each of these tasks saved in the same directory named flag.c which will help you understand what the program does • Look for where the input is taken! All of these programs take input in a few different ways, but they all are similar in the fact that this is how you get your exploit/solution to work! Check for things like read() or scanf in the binaries. • Once you have identified where the input is taken, look at what variables are also going to be on the stack, everything is fair game! • Note that all of these binaries are pretty much specially written so that you will need to use the adjacent variables to pass certain checks by overflowing (not all of them though) so just try to focus on the bigger picture when you are analyzing the program • In this instance you need to overflow the target buffer to change the initialized value of the variable make_me_not_zero. Although this is a trivial example, it is just designed to show you how unprotected buffers can result in changing other adjacent values in memory Note: you are free to use GDB if you need to for this project but you need to run the program on the command line (i.e. ./e.py) in order to get the real flag for submission and submit it! Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/01_buffer_overflow_1.html 1/1 Flag 01 – bb_steps | CS 6035 CS 6035Projects / Binary Exploitation / Flag 01 – bb_steps 01_bb_steps (watch the intro video first please) This is a test on using GDB to read a few things that would be difficult to calculate (you can if you want to), but the main point of this task is to try running a few things in gdb and get comfortable with it first. cd ~/binexp/01_bb_steps/ gdb flag you will be met with a pwndbg prompt which waits for you to run the program (or set breakpoints, etc) which we’ll do now: b main sets a breakpoint at the first executable statement of the main() function. r runs the program and you will be met with some text/blocks showing various things like stack traces, register printouts, code prints, etc. Now next you will want to run the STEP command to go into the function s After that, you will notice we are now in the bb_steps() function and can traverse all the code with the NEXT command n Which will execute each following instruction. This is useful if you don’t want to go into every single function call, and rather want to just execute those calls/instructions. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/01_bb_steps.html 1/2 Flag 01 – bb_steps | CS 6035 Pay attention to the register window which will show each register value as the instructions are executed. At the end of the ASM instructions, you will be prompted to enter in the answers for the two registers RBX and R15. You can enter these into GDB if you want to, however to get the official/valid flag for submission you will have to save your answers for the two registers, and then enter them into the non-debug binary run, e.g.: binexp@cs6035:~/binexp/01_bb_steps$ ./flag What value is currently in RBX?: 0xdeadbeef Upon correctly answering the questions, you will see your flag printed out, which you can copy into the json file! Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/01_bb_steps.html 2/2CS 6035Projects / Binary Exploitation / FAQ Frequently Asked Question(s) (FAQ) Make sure you have read: • This Writeup explaining some rudimentary basics of Computer Architecture • Please refer to: Required Reading > VM Troubleshooting, for VM related troubleshooting questions. Make sure you have watched: • This CS6035 Project 1 pwntools/pndbg Tutorial video Submission and GradeScope Please navigate to the Submission Details menu page, left. Logistics & Setup Q1) Can I SSH into the VM and perform the project? When you run your e.py exploits with GDB, a separate terminal is opened with the process hooked to GDB. Some students have reported handling this by using tmux. Once you SSH into the VM, kill existing tmux sessions: tmux kill-session And then start a new tmux session with: tmux -CC This will open up a new window with 2 separate scrollable sections for pwndbg and e.py. Q2) Can I recompile the binaries? If it helps your comprehension, you’re welcome to recompile the source code with whatever alterations you want; in fact, we suggest doing this in some of the binaries in section 04, for example. However, we have fingerprinted the binaries that are shipped out to you all with the project; your final exploit(s) will need to utilize them as is. Gradescope will recognize if you attempt to submit a flag from a binary that wasn’t among the original set. We strongly discourage this. The binaries rely on files residing in particular locations, such as /home/binexp/user.txt, among others. However, you ARE welcome to make copies/backups as needed if it helps facilitate your testing. Q4) Help, I’ve deleted/broken something! What do I do? Backup any working e.py exploits you’ve already developed and your project_binexp.json file that contains your hashes. Then re-run the binexp.sh script to download the project files fresh again. Note: you’ll need to double-check your GTID is properly set in /home/binexp/user.txt again. General Q1) “Any hints?” Per CS6035 policy, we do not provide hints/guidance expressly for the purpose of simply solving the provided tasks. Instead, we are happy to address comprehension issues or matters concerning administration/logistics of the project. If there is something that is particularly confusing or unclear, please pose your question as a comment on the respective Ed Discussion megathread. Most of the time, these kinds of questions can be answered by a combination of analyzing the source code and manually setting a breakpoint within GDB to take more granular steps (i.e. n or ni) so you can see what’s causing the trouble. Suggested breakpoints might include overwritten ret instructions or instructions within the destinations you’re jumping to, though this can vary from problem-to-problem. You might also invoke info local to observe details about localized variables. Q2) How do I know if I got the flag for a given binary? All of the flags in the project are read-in by the binaries through /proc/flag. For an example of what that might look like, see:Q3) I got to the flag in GDB but I don’t see a message output with the flag; where is it? We have configured our flag generation-mechanism (/proc/flag) to deny providing any flags to users who attempt to read from it via GDB. This is deliberate, because as a debugger GDB has a multitude of functionality that would undercut the learning objectives of the tasks. This includes but isn’t limited to – using the set and call commands, for example. You will need to naturally arrive at reading from /proc/flag either directly from directly interacting with the binary along the command line or through a non-GDB optioned invocation of your e.py file (e.g. python3 e.py). Attempting to read from /proc/flag through GDB will yield something that looks like this:Q4) How does cyclic() and cyclic_find() work? We encourage you to read up on the tools you’re utilizing: https://docs.pwntools.com/en/stable/util/cyclic.html In brief: cyclic() produces a bytestring of length “n”, where n is some integer value between 0 and the largest possible positive integer supported by the platform (e.g. sys.maxsize). Example usages might look like: • cyclic(10) • cyclic(25) • cyclic(3000) The output of cyclic() is a bytestring with a unique character sequence in chunks of 4 bytes at a time:In the above screenshot, you can see the pattern as: • aaaa • baaa • caaa • etc. This pattern is the same with every invocation of cyclic() and terminates at the nth character. cyclic_find() reverse-engineers the above. It provides an integer corresponding to a particular segment in that aforementioned bytestring; you can supply it with a variety of inputs (e.g. a bytestring, a hex representation, etc.):Q5) Do I have to use e.py? Q6) What is “/proc/flag”? The /proc/flag file is the target for all of the binary exploits in this project. Every time a user reads from it, it outputs a uniquely encoded result (which we erroneously refer to as a “hash”) that contains reversible information fingerprinted to it that the autograder uses to evaluate for correctness. You can test if /proc/flag is running trivially by reading from it like so: cat /proc/flag Note: while doing the above should yield a flag hash, it will not be accepted/validated by the autograder. Valid hashes will only be returned from exploiting the binaries. Q7) I’m given a different result everytime I read the flag; is something wrong? No. This is expected behavior and nothing to worry about. Q8) I’m making the call to read from /proc/flag but my exploit keeps seg-faulting; what’s wrong? In most cases of this happening, your exploit is catching on a movaps instruction somewhere withinIf this is the case, the issue is related to a stack-misalignment problem. Because our exploits forcibly redirect the control flow in ways the process wasn’t expecting, there can be downstream consequences as the process executes along and refers back to our maliciously overwritten stack. By-and-large, you generally want to consider jumping to a different instruction within your targeted function. Q9) My e.py file is throwing a “can only concatenate str (not bytes) to str” error; what gives? The error is telling you that you’re mixing your data types in your payload within e.py: ## WRONG payload = “A” * 100 #type str payload += p64(0xwhatever) #type bytes ## RIGHT payload = b’A’ * 100 #type bytes payload += p64(0xwhatever) Q10) My e.py file is throwing a “name ‘p’ is not defined” error; what gives? You’re likely getting this error because you’re misspelling the optional argument for e.py. Q11) When I’m stepping through instructions in GDB, I enter “n” and it skips over my desired target function call; what gives? We speak to this in the 01 section, step 1.2: 01_bb_steps. Both the (n)ext and next instruction (ni) GDB commands step over function calls. To enter the function you need to (s)tep inside (or step inside, immediate instruction (si)). Q12) Why are the tasks prefixed with numbers like 01, 02, 03_, etc.? We’ve labeled the tasks with numbers to reflect their relative perceived difficulty. You do not need to complete the tasks in any particular order. If you get stuck working on a problem, try working through some of the other challenges and come back. Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.1/27/25, 12:54 PM Flag 00 – Intro | CS 6035 CS 6035Projects / Binary Exploitation / Flag 00 – Intro Step 0: Welcome to the Binary Exploitation (BinExp) project for CS6035! We’re excited to have you with us for this effort. Binary exploitation is a really interesting and challenging domain within cybersecurity. It rests at the intersection of many sub-disciplines, including reverse engineering, low-level programming, operating systems, code review, etc. As such, you’ll be expected to draw upon a variety of subjects matter in approaching and working through the challenges of this project. Step 1: Before diving in, let’s ensure that our project work environment is appropriately configured. 1 This project utilizes the same virtual machine (VM) that is used for other projects within CS6035. If you’ve already got it configured, great! If not, see the respective “Course VM Download Thread” post in Ed Discussion for instructions. 2 Please follow the instructions in Canvas (navigate to “Assignments” > “Binary Exploitation”) for login credentials to the VM as well as the requisite commands for fetching the project files. 3 Navigate to /home/binexp/user.txt and set it to your nine-digit GTID. If you do not know your GTID, you should be able to discover this through https://gtid.gatech.edu. Note: if you fail to set this, no responses you submit to Gradescope will be accepted as correct. Below is a brief summary of the project’s contents: • project_binexp.json: This is the one (and only) file you will submit to Gradescope to have your work be evaluated. See the Submission tab along the left-hand side of this page for additional guidance concerning project submission guidelines. • binexp*: This is the directory and subdirectories that make up the project. Each subdirectory reflects an individual challenge within the project and contains all of the files necessary for solving that particular challenge. • binexp*lag: For most of the challenges, this is the compiled binary you’re attempting to exploit. If it isn’t, the student instructions for that particular challenge will say so. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/00_intro.html 1/2 1/27/25, 12:54 PM Flag 00 – Intro | CS 6035 • binexp*lag.c: This is the source code for the flag binary, above. This is intended to be a useful reference to aid in identifying and crafting your exploits of flag. • binexp*e.py: This is a python3 script with some templated skeleton exploit code. In all of the projects’ binaries, your goal is to have the binary read from /proc/flag! Most of the time, this is via a system() call like: system(“cat /proc/flag”); However, sometimes it’s not that simple – carefully analyze your source code within each challenge to figure out how the binary is meant to read from /proc/flag. Step 2: Enter into /home/binexp/binexp/00_intro and run the flag binary located there. Note the GTID it outputs to verify that the binary is reading the correct value from step 1, above. If so, copy the supplied hash and write it to the appropriate value in project_binexp.json. Finally, try submitting the project_binexp.json file to Gradescope to verify that the hash is correct. Remember, you have unlimited submission attempts for this project, so be sure to submit early and often. Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/BinExp/00_intro.html 2/2
Flag 6 Flag 6: CORS – 15 Points Congratulations on making it this far! You’ve already overcome several obstacles, and now it’s time to dive into Cross-Origin Resource Sharing (CORS). CORS is a security feature in web browsers that allows applications to request resources from domains other than the one hosting the application. To complete this task, we’ll be working with a different flavour to CORS. Specifically, we will explore how CORS can limit the type of requests that can be made and how expanding on the allowed access control methods will help accomplish this task. Download the required starter template here: • Flag 6 – Template Your goal is to update the title of book 6 to “Let the fun begin!” and redirect to its Detail View. This needs to be done using JavaScript only. Use this endpoint to make the update: PUT api/book/{bookId} Body: { “newTitle”: “Title 2” } Did the attempt fail? Investigate and troubleshoot—think about what might have gone wrong. Ensure your script addresses the issue and updates the book title. Once you’ve successfully updated the book title, submit the script and earn your flag! Hint: • Use Chrome dev tools to watch what happens outside of an attack. The Console and Network tab should be helpful. • Go to the Book Detail page and check the Network Tab in your browser’s developer tools. Identify an endpoint that can assist you in configuring the CORS allowed methods. FLAG TESTING: https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag6.html 1/2 Flag 6 | CS 6035 To test your flag6.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 6 –gaTechId 923456789 –filePath /home/websec/Desktop/flag6.html Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag6 in project_websecurity.json.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag6.html 2/2 Flag 5 | CS 6035 Flag 5 Flag 5: Bypass Permissions – 15 Points The developers built an Admin page for power users of the site. Obviously, they couldn’t just let everyone have access to this page so they built a simple RBAC (Role-based access control) system and put it into place. Unfortunately for them, they didn’t do the best job of building these permissions and it can be bypassed! Your job is to bypass any security checks and gain access to this Admin page. Download from the WebSec VM the required starter template here: • Flag 5 – Template To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader: 1 Bypass all permissions checks and open the Admin page fully loaded a Note: You must do all of this in the html template and it must automatically load/open the page b The URL must start with http://localhost:7149/admin Hints: • You need to investigate and find out how the Admin page is being protected. The Chrome developer tools are where you’ll find this. • Try to bypass the checks before constructing your html file. • You’ll likely need to do some script injection in order to defeat the security checks. Follow the hints above closely, “remove before production”. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag5.html 1/2 Flag 5 | CS 6035 FLAG TESTING: To test your flag5.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 5 –gaTechId 923456789 –filePath /home/websec/Desktop/flag5.html Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag5 in project_websecurity.json.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag5.html 2/2Flag 4 Flag 4: CSRF – 20 Points Congratulations on reaching this stage! You’ve already navigated through various challenges, and now it’s time to delve into the intricacies of Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that tricks a user into submitting a request to a web application where they are authenticated without their knowledge or intent. This can lead to unauthorized actions being performed on behalf of the user. For further exploration and a deeper understanding of CSRF and its prevention, consider the following resources: • Portswigger CSRF • Cross Site Request Forgery (CSRF) – OWASP Foundation • Cross-Site Request Forgery Prevention – OWASP Cheat Sheet Series • Wikipedia CSRF You’ve learned of a vulnerability that exists on the bookstore website. It appears you can craft an html file that resets a user’s password to one of your choosing when they open it. You plan to embed this file in an email and see who actually clicks on it. They’ll never know! Download from the WebSec VM the required starter template here: • Flag 4 – Template You must reset an unsuspecting user’s password to HanSolo77 Note: You will not know who the user is so your crafted html file should work for any user of the website. Earn this flag by performing the following steps: 1 Log into the book store website using the account we provided earlier in the project description • Note: If you don’t understand why logging in ahead of time is required, be sure to read more about CSRF attacks. 2 Launch your crafted flag4.html file by double clicking in a new tab 3 The new tab will open and automatically reset the user’s password to HanSolo77 Hints: • Use Chrome dev tools to watch what happens outside of an attack. The Elements, Sources, and Network tab should be helpful. • The developers knew about CSRF and put some protections in place. Understanding where these protections are and how they work is the key to exploiting them. • Be sure to pass the GTID as a string and not an int FLAG TESTING: To test your flag4.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 4 –gaTechId 923456789 –filePath /home/websec/Desktop/flag4.html Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag4 in project_websecurity.json.Flag 3 | CS 6035 CS 6035Projects / Web Security / Flag 3 Flag 3: XSS Part II – 15 Points Malicious user input can be provided using the same techniques, but through different attack vectors. You’ve already persisted malicious data in a review and want to see if there are any other areas of the site that are susceptible to data manipulation. Using your newly acquired XSS skills, you go hunting for more ways to perform this method of attack. In order to successfully exploit another XSS attack, you will need to figure out another way the site accepts user input and employ a similar technique to perform what’s called a reflected XSS attack. This means the XSS code does not reside in the webpage and does not persist, but is malicious code input in the request and returned in the response. You notice there is a page that allows the user to search for a book and wonder if this page can be exploited. Your goal is to display a javascript alert containing the text CS6035 on the search page. You can use the same XSS resources from the previous flag in addition to reflected XSS resources: • PortSwigger Reflected XSS • OWASP Reflected XSS Download from the WebSec VM the required starter template here: • Flag 3 Template To earn this flag by performing the following steps: 1 Examine the search page. 2 Find a way to pop up a javascript alert containing the text CS6035. 3 Add your code to the input of the flag 3 template. 4 Launch the template which should auto-submit to the search page and perform the attack. HINTS: https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag3.html 1/2 Flag 3 | CS 6035 FLAG TESTING: To test your flag3.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 3 –gaTechId 923456789 –filePath /home/websec/Desktop/flag3.html Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag3 in project_websecurity.json.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag3.html 2/2CS 6035Projects / Web Security / Flag 2 Flag 2: XSS Part I – 20 Points Congratulations, you’ve made it this far! Now you’ve noticed some strange behavior. You were experimenting with reviews and found you can post basic html tags and images in the reviews! The developers of the site wanted reviews to be a rich user experience and not just plain text. With great power comes great responsibility though. You’ve found a way to nefariously inject code that runs when any victim loads a page with your exploited review. This flag will introduce you to the basics of XSS (Cross-Site Scripting) attacks. Specifically you’ll leverage these: • OWASP XSS Page • Types of Cross Site Scripting • Wikipedia XSS Page Download from the WebSec VM the required starter template here: • Flag 2 Template To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader. 1 Create a nefarious review for the book Hamlet: • The rating should be 3 • Recommended should be true • The reviewer should be your GTID (ex: 923456789) 2 The review should contain a script that you craft. This script will execute anytime the review loads in a browser. It will execute for anyone and everyone, very dangerous! You are not a bad hacker out to make money so you only want to make an example and not do real damage. Site With Original TextSite With Text Replaced• Note: Your script must not change the structure of the “h5” tag. Only replace the text contained within the “h5” tag. • After creating the review with the nefarious code, your file must redirect (load) the details page for Hamlet. HINTS: • Tackle the problem in small parts and then layer in complexity. You can test some of your code exploits directly in the bookstore website before compiling it into the template • There are some features in React that should set off red flags. Ex: https://legacy.reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml • Use the Chrome dev tools to watch what happens outside of an attack. The Network tab should give clues. The “Preserve Log” checkbox is your friend. • You will need to write JavaScript. Some of this code will execute immediately in your flag2.html file while the remaining part of the code should not be executed but instead be injected into the review somehow to run later. FLAG TESTING: To test your flag2.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 2 –gaTechId 923456789 –filePath /home/websec/Desktop/flag2.html Note: The grading script will reset the database before it executes your file. Be prepared as any data you have created will be lost. Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag2 in project_websecurity.json.CS 6035Projects / Web Security / Flag 1 Flag 1: Web Intro – 15 Points You’ve stumbled upon a publicly available web page that is not finished. It seems like the developers are still working on it but somehow published it to production by accident. The page does not have a link in the main menu so the developers thought no one would find it. Challenge accepted! • This flag will introduce you to the very basics of web development technologies and tools for debugging. Specifically you’ll leverage these: • Html Forms • JavaScript Events • CSS Selectors • Cookies • The Chrome Developer Tools Download the required starter template from the VM using Chrome here: • Flag 1 Template To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader: 1 Find the Contact Us web page. Remember that you won’t find a link in the main navigation. 2 Now that you have the URL to the Contact Us web page you need to “fetch the server content” in the flag1.html file. • Double click to open flag1.html in Chrome • Launch the Chrome developer tools using the menu in Chrome • Write some JavaScript code in your flag1.html file to load up the Contact Us page. 3 In the getStudentAnswers function, set var selectedReplyByValue = “Cell”; 4 In the getStudentAnswers function, write JavaScript code to programmatically fetch the following values and set them to the provided variables: • The value provided in the Organization text box • The value of the session storage with key = “contactedBefore” • While copying the cookie Value make sure you have the Show URL-decoded option checked 6 Events are an extremely important concept to understand when working with websites. They allow you to execute code at a later time when something interesting happens. • Write code that will set the City text input to Seattle and the State text input to Washington • Somehow delay this code so that it only executes when the submit button at the bottom is clicked. • Note: We’re not asking you to click the button either using code or manually on the webpage. HINTS: • Often times, websites will publish sitemaps that contain page URLs. Hint: find and inspect the sitemap contents. • Are you using AJAX to fetch server content? You’re headed down a wrong path. Examine ALL JavaScript available to the page and use this hint from above to continue forward: “fetch the server content”. • Use the Chrome dev tools to Inspect html elements. The “Elements” tab shows a graph of the entire html dom • The Network tab allows you to see the raw http requests between the browser and server • Do not hard code any values except the cookie name and value detailed above. We check for this in your file and it will fail the grader. • Getting Selenium errors about missing content? Try to open the file directly in Chrome and look for errors in the console. FLAG TESTING: To test your flag1.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. ./StudentGrader.sh –flag 1 –gaTechId 923456789 –filePath /home/websec/Desktop/flag1.html Your web output will look similar to this:The grader from the output will look similar to this. Copy the flag to flag1 in project_websecurity.json.Web Security | CS 6035 CS 6035Projects / Web Security Web Security Project Learning Goals of this Project: You will be learning about modern web based security vulnerabilities in this project. A majority of the attacks are based on the OWASP Top 10 list which is produced and updated every few years. In particular we will cover these learning topics: • Basic web technologies, HTML, CSS & JavaScript • The HTTP protocol • XSS (Cross-Site Scripting) Attacks • XSRF (Cross-Request Forgery) • SQLi (Sql Injection Attacks) • Mis-configuration of server side web servers • Client-side JavaScript library vulnerabilities The final deliverables: A single JSON formatted file will be submitted to Gradescope. See Submission Details for more information. Important Reference Material: • Representational State Transfer • JSON • Eloquent Javascript • HTML Forms Submission: Gradescope (autograded) – see Submission Details https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/ 1/2 Web Security | CS 6035 Virtual Machine: • Apple M1 based systems • You cannot complete this project on an M1 based system. • Intel/AMD x64 version TABLE OF CONTENTS • Project Background • Flag 1 • Flag 2 • Flag 3 • Flag 4 • Flag 5 • Flag 6 • Submission https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/ 2/2CS 6035Projects / Web Security / Project Background BACKGROUND: Welcome to the GA Tech bookstore website. It’s a place where you can read and review all of the classics. The creators of the website were pretty junior but ambitious. They created the website in only 2 days! They knew a few things about security and did their best but left some vulnerabilities behind. Your job is to seek these out and find the problems. SETUP: To get set up for the flags, carefully follow the steps below. Log into the VM with the websec user. The password should be in Canvas. Run this at the terminal to start the Bookstore Website ./StartContainer.sh • Throughout the project you should only use Chrome. No other browsers are supported for the student grader. Don’t attempt to update/reinstall the Chrome Browser. • Navigate to this URL using Chrome within the VM to access the Bookstore Website: http://localhost:7149/ • There is one registered user in the database. You can log in as this user as needed. You can log out by closing the Chrome window. • Note: This field will remain the same for the entire project. • See the Required Reading page to get your GTID. • Username: ilovetoread • Password: TheGreatGatsby123 • http://localhost:7149/databaseTESTING: You will need to execute a StudentGrader script to test your exploits for all flags. The StudentGrader is a script that will 1 Launch the html file that you craft for your flag. 2 On some flags the Bookstore Database will be reset automatically. 3 Use the Selenium Chrome Driver to test and assert that your exploit worked correctly. a Here is a link just in case you’re interested in learning more about the Selenium Chrome driver. Understanding this is not required to be successful on this project. b Chrome Driver Docs 4 If successful, it will return your flag. Run this at the terminal to test your exploit for a flag ./StudentGrader.sh –flag X –gaTechId Y –filePath Z Here are the valid parameters for the StudentGrader script2/17/25, 2:18 AM Web Security Web Security Points 100 Submitting an external tool Available Feb 16 at 12am – Feb 23 at 11:59pm Instructions: In the web security project, our focus will be on tackling two pervasive threats: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). XSS vulnerabilities allow attackers to inject malicious scripts into web applications, compromising user data integrity and potentially leading to account hijacking or defacement. Meanwhile, CSRF exploits trust relationships between users and websites, tricking authenticated users into unknowingly executing malicious actions. Put on your hacker hat and brush up your web security skills for this project. VM Credentials: Login: websec Password: 8086_1978 The Web Security Project Release (https://edstem.org/us/courses/69023/discussion/6165201) ED Discussion has all the information to get started!https://gatech.instructure.com/courses/432654/assignments/1897732 1/2https://gatech.instructure.com/courses/432654/assignments/1897732 2/2
Cryptography Goals of the Project For Students • Will get an introduction to both symmetric and asymmetric cryptographic systems • Will gain an understanding of how these systems are implemented through examples • Will exploit systems that have certain vulnerabilities • Will have the opportunity to engage in discussion about advanced topics in cryptography Information There is no required VM for this project. All that is required is a Python development environment. Make certain that you are using Python 3. To check your version of Python, open a command prompt and run the command: The Final Deliverables You will complete the provided Python file project_cryptography.py and submit it to the autograder in Gradescope. Open Discussions https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/ 1/2 3/23/25, 7:50 AM Cryptography | CS 6035 For each task we have provided prompts for further discussions. There will be threads created in Ed where students can discuss these topics. Participation is optional and will not be graded. Good luck! TABLE OF CONTENTS • Introduction • FAQ • Task 1: Vigenere Ciphers • Task 2: RSA Warmup • Task 3: Factor 64-bit Key • Task 4: Weak Key Attack • Task 5: Broadcast Attack • Task 6: Parity Attack • Task 7: Padding Attack https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/ 2/2CS 6035Projects / Cryptography / Task 1: Vigenere Ciphers Task 1 – Vigenere Ciphers (35 points) Going letter-by-letter in this manner we build our cipher until we get ZIQYZMC.Vigenere Square [source: Wikipedia] Armed with this information, the first two parts of this task will ask you to write the necessary code to handle the encryption and decryption functionality for a Vigenere cipher system. For the third and final part, you will attempt to crack a Vigenere cipher using a dictionary attack. Ordinary words can make convenient keys because they are easy to remember, but this practice is far from secure. For this task, you are given a cipher and a list of some of the most common words in the English language. One of those words was used as the key to encrypt the cipher, and your job is to write the code to figure out which one it is. For simplicity, you can assume that all words in the original message are also chosen from the provided list of dictionary words. def vigenere_decrypt_cipher(c: str, keyword: str) -> str: # TODO: Write the necessary code to get the message (m) from the cipher © # using the keyword m = ” return m def vigenere_encrypt_message(m: str, keyword: str) -> str: # TODO: Write the necessary code to create a Vigenere cipher (c) of the # message (m) using the provided keyword c = ” return c def vigenere_dictionary_attack(c: str) -> str: # TODO: Write the necessary code to get the message (m) from the cipher (c) m = ” return m Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Open Discussion The Vigenere cipher improves upon the ancient Caesar cipher. Mathematically speaking, how much more complexity does it add and how does it accomplish this? What are some ways that one could add more complexity/security to the Vigenere cipher system?Task 2: RSA Warmup | CS 6035 Task 2: RSA Warmup Task 2 – RSA Warmup (10 points) Now that we’ve reviewed a symmetric key cryptographic algorithm, we can move on to the world of asymmetric key cryptography. RSA is perhaps the best known example of asymmetric cryptography. In RSA, the public key is a pair of integers (N, e), and the private key is an integer d. To encrypt integer m with public key (N, e), we use the formula:To decrypt cipher integer c with private key d, we use the formulaIn this task you will write the code to perform the encryption and decryption steps for the RSA cryptographic algorithm. Finally, you will write the code necessary to calculate the private key d when given the factors of the public key N (i.e. p and q). def rsa_decrypt_cipher(n: int, d: int, c: int) -> int: # TODO: Write the necessary code to get the message (m) from the cipher (c) m = 0 return m def rsa_encrypt_message(m: int, e: int, n: int) -> int: # TODO: Write the necessary code to get the cipher (c) from the message (m) c = 0 return c def rsa_calculate_private_key(e: int, p: int, q: int) -> int: # TODO: Write the necessary code to get the private key d from # the public exponent e and the factors p and q d = 0 return d https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_warmup.html Task 2: RSA Warmup | CS 6035 Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Open Discussion Did you try to decrypt a cipher by using a line of Python code something like this: m = c ** d % n? Did it work? (Hint: It did not.) Why not? After all, the math is correct. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_warmup.html Task 3: Factor 64-bit Key | CS 6035 Task 3: Factor 64-bit Key Task 3 – RSA Factor A 64-Bit Key (10 points) Modern day RSA keys are sufficiently large that it is impossible for attackers to traverse the entire key space with limited resources. But in this task, you’re given a unique set of RSA public keys with a relatively small key size (64 bits). Your goal is to get the factors (p and q) of each key. You can use whatever methodology you want. Your only deliverable is a formatted json file containing p and q. To get your unique set of keys, you must update the task.py file located in the task folder with your 9-digit GT ID, and then run it. Find the section below in the provided task_factor_64_bit_key.py file: STUDENT_ID = ‘123456789’ ############################################## def rsa_factor_64_bit_key() -> typing.Dict[str, typing.Dict[str, int]]: return { ‘test_1’: { ‘p’: 0, ‘q’: 1 }, ‘test_2’: { ‘p’: 0, ‘q’: 1 }, ‘test_3’: { ‘p’: 0, ‘q’: 1 }, https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_factor_64_bit_key.htmlTask 3: Factor 64-bit Key | CS 6035 ‘test_4’: { ‘p’: 0, ‘q’: 1 }, ‘test_5’: { ‘p’: 0, ‘q’: 1 } } Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Open Discussion If 64-bit keys aren’t safe, then what size is appropriate? Is there a trade-off between size and performance? https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_factor_64_bit_key.html Task 4: Weak Key Attack | CS 6035 Task 4: Weak Key Attack Task 4 – RSA Weak Key Attack (15 Points) Read the paper “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices”, which can be found at: https://factorable.net/weakkeys12.extended.pdf. The essay is essential to understanding this task. Do not skip it, do not skim it, read the whole of it. You are given a unique RSA public key, but the RNG (random number generator) used in the key generation suffers from a vulnerability described in the paper above. In addition, you are given a list of public keys that were generated by the same RNG on the same system. Your goal is to write the code to get the unique private key (d) from your given public key (N, e) using only this provided information. def rsa_weak_key_attack(given_public_key_N: int, given_public_key_e: int, public_key_list: typing.List[int # TODO: Write the necessary code to retrieve the private key d from the given public # key (N, e) using only the list of public keys generated using the same flawed RNG d = 0 return dSubmission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Open Discussion Have you ever heard the saying, “Never roll your own crypto?” What are some ways (besides this particular attack – we don’t want you to give too much away) that doing so can cause unintended problems? Can you point to any specific examples or known exploits? https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_weak_key_attack.html Task 4: Weak Key Attack | CS 6035 https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_weak_key_attack.html Task 5: Broadcast Attack | CS 6035 Task 5: Broadcast Attack Task 5 – RSA Broadcast Attack (15 Points) A message was encrypted with three different 1,024-bit RSA public keys N_1, N_2, and N_3, resulting in three different ciphers c_1, c_2, and c_3. All of them have the same public exponent e = 3. You are given the three pairs of public keys and associated ciphers. Your job is to write the code to recover the original message. def rsa_broadcast_attack(N_1: int, c_1: int, N_2: int, c_2: int, N_3: int, c_3: int) -> int: # TODO: Write the necessary code to retrieve the decrypted message # (m) using three different ciphers (c_1, c_2, and c_3) created # using three different public key N’s (N_1, N_2, and N_3) m = 0 return m Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Open Discussion In addition to the low public exponent being used, this attack is possible because a textbook implementation of RSA is being used. In the real world, there are common mitigating tactics used. What are some examples? Why else are they important? https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_broadcast_attack.html Task 5: Broadcast Attack | CS 6035 https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_broadcast_attack.html Task 6: Parity Attack | CS 6035 Task 6: Parity Attack Task 6 – RSA Parity Oracle Attack (15 Points) By now you have seen that RSA treats messages and ciphers as ordinary integers. This means that you can perform arbitrary math with them. And in certain situations a resourceful hacker can use this to his or her advantage. This task demonstrates one of those situations. Along with an encrypted message (c), you are given a special function that you can call – a parity oracle. This function will accept any integer value that you send to it and decrypt it with the private key corresponding to the public key that was used to encrypt the given cipher (c). The return value of the function will indicate whether this decrypted value is even (true) or odd (false). Armed with this function and a little modular arithmetic, it is possible to crack the encrypted message. Your goal is to write the code necessary to decrypt the original message (m) from the given cipher (c). def rsa_parity_oracle_attack(c: int, N: int, e: int, oracle: Callable[[int], bool]) -> str: # TODO: Write the necessary code to get the plaintext message # from the cipher (c) using the public key (N, e) and an oracle # function – oracle(chosen_c) that will give you the parity # of the decrypted value of a chosen cipher #(chosen_c) value using the hidden private key (d) m = 42 # Transform the integer value of the message into a human readable form message = bytes.fromhex(hex(int(m_int)).rstrip(‘L’)[2:]).decode(‘utf-8’) return message Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_parity_oracle_attack.html Task 6: Parity Attack | CS 6035 Open Discussion https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/RSA_Cryptography/RSA_parity_oracle_attack.htmlTask 7: Padding Attack Task 7: Task CBC Padding Oracle The Advanced Encryption Standard (AES) is a set of standards for encryption set by the U.S. National Institute of Standards and Technology. One of these standards is the Cipher Block Chaining (CBC). CBC uses a fixed length set of bits known as a block, a unique binary sequence known as an Initialization Vector (IV), and a key. The encryption is accomplished in the following sequence. 1 Add padding to the plaintext until the appropriate block length. 2 XOR the block with the IV. 3 Encrypt the new block with the key. The chaining part comes into play when encrypting multiple blocks. When working on the next block you follow similar steps with one main difference. 1 Add padding to the plaintext until the appropriate block length. 2 XOR the block with the previous cipher text. 3 Encrypt the new block with the key. The formula is as follows:Decryption works in reverse. 1 Decrypt the cipher text with the key. 2 XOR the block with the IV 3 Repeat for latter blocks using the previous plain text as the new IV. The formula is as follows:For this task we will be working with an attack known as the padding oracle attack. The padding oracle works under the idea that the server is leaking information about the padding. With this information it is possible to both decrypt and encrypt messages. For this one section of the assignment you will be asked to use a library outside of the standard. In this task you will use the pycryptodome library. This can be manually downloaded from this link https://github.com/Legrandin/pycryptodome. Alternatively it can be downloaded through pip with the following command: pip install pycryptodome This task will be the only outside library used. The first 2 steps of this extra credit will be using a simplified version of padding. In a real world application blocks will be in bits and will typically use or something similar depending on what standard is being used. def cbc_encrypt_128(key: bytes, IV: bytes, m: str) -> str: # TODO: Write the necessary code to encrypt the message # (m) using the provided key and IV # the necessary block length is 128 bits # pad with the byte ” # Do Not modify code above this line # Code Below Here c = 0 return b64encode(c).decode(“utf-8”) def cbc_decrypt_128(key: bytes, IV: bytes, c: bytes) -> str: # TODO: Write the necessary code to decrypt the cipher # (c) using the provided key and IV # Do Not modify code above this line # Code Below Here m = 0 return m Step 3 of this task is to write one of the core functions of an oracle which will test if the padding follows pkcs guidelines. This check is often the information that the oracle can leak. For this task you must assume that there will always be at least 1 byte of padding, but there does not always have to be a message attached. def check_padding(padding) -> bool: # TODO: Write the necessary code to check # if the padding matches PKCS standards is_pkcs_padded = “This variable should be a bool value” return is_pkcs_padded These steps can all be tested using the test_task_cbc_ python files. You can do so with the following commands: python test_task_cbc_decrypt.py python test_task_cbc_encrypt.py python test_task_cbc_pkcs.py Resources https://en.wikipedia.org/wiki/Padding_oracle_attack https://www.pycryptodome.org/ Submission Details You will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.
FLAG 2: Stolen Credentials (15 pts) In order to get this flag you need to create a new reviewer in the system. Unfortunately, the developers locked down this functionality some time ago so you’ll need an auth token in order to perform it. You read in the newspaper last week that Programming Reviews LLC had a big data breach so there is a good chance you can come across some credentials. To earn your flag you must perform the following actions. 1 Use Swagger to find and call/invoke a suitable API endpoint that you feel can create new reviewers. 2 The API requires a token but in order to get a token you need to find suitable credentials. Use the APIs available to you to find these. 3 Now that you’ve found the credentials you need to get that token. Be sure to call/invoke the “flag2token” to get your token. 4 Armed with your token, call the API endpoint once more. Create a new reviewer with user name = “daylight” and full name = “Day Light” and your flag will be revealed.Hints: • Remember there was a data breach. I bet you can find suitable credentials somewhere. • Looking for that ClientID? Be sure to follow all directions and inspect any response that the API https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag2.html :22 is sending back. • In order to pass in the token you’ll need to set the Authorization Bearer header. Swagger has not been configured to do this. We suggest you use a tool called Postman. This is a very popular web API testing client. You can find more information here: https://learning.postman.com/docs/getting-started/introduction/ • You can also use Curl if you’re more comfortable with the command line. We do recommend you at least look at Postman since it will make your life much easier for this project and it’s very popular. • Postman is already installed on the VM we have provided. Include your flag2 into the json file and now onto Flag 3!Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag2.html :22 Flag 5: Hack JWTs pt. 2 FLAG 5: Hack JWTs – #2 (20 pts) You’ve learned about a new experimental programming language that is TOP SECRET! This language only requires 1 single keyword to find a polynomial time algorithm to solve any NP-hard problem! You want the 1 million dollar reward for solving this problem and thus need access to this programming language. Find the language. To earn your flag you must perform the following actions. 1 The programming language is not returned in normal API calls. In order to see this magical new language you need to leverage the “Top Secret” GET request. 2 Grab your normal JWT token from the “flag5token” API. Use these credentials: username is “Jackson5587” and password is “Blasphemy2” 3 You have the token so why not try to give it a shot? Try to use this token to view Top Secret languages. • 403 – Forbidden. You need more help… 4 Inspect this token. You’ve learned through “insider program language trading” that in order to see TOP SECRET languages you need to provide the following JWT Claim. • Claim Name: TOP_SECRET • Claim Value: allowed 5 Alter your token and try it again • Hmm, it appears that the server is correctly verifying the signature to ensure it hasn’t been tampered with. Rats! 6 Good news, the developers of this API are pretty bad at securing safe things like secret keys. Find the secret key. 7 With the key in hand, properly construct the JWT token with the TOP_SECRET claim. 8 Leverage your token to finally view the source code of the experimental programming language to earn your 1 million dollars and the flag. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag5.html :24Hints: • You need to find the key that’s used to verify the JWT signature. Search through the APIs to see if you can find a trail that leads to it. • You need to construct a valid JWT token. You can leverage tools and websites such as jwt.io to perform this or handle it manually. This choice is up to you.Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag5.html :24 Flag 1: Swagger Intro FLAG 1: Swagger Intro (10 pts) This flag will introduce you to basic API functionality using a documentation and test harness tool called Swagger. Swagger is a very popular tool used to develop and test web APIs and has plugins/modules in most programming languages. You can learn more about Swagger here: https://swagger.io/ You’ll need to leverage Swagger (or any other http tool you desire such as curl or Postman) to determine how the API is configured and what endpoints to invoke to earn this flag. To earn your flag you must perform the following actions by making API calls. 1 Create a new Programming Language that IS featured and is named “SpaceScript++” 2 Create a review of the new SpaceScript++ language. The title should be “A Galactic Odyssey in Code, enhanced”, rating is 4 and the reviewer is “Kara Thrace” 3 Reply to the new review by Kara Thrace. The replier should be “Gaius Baltar” and the body “Fascinating, but lacks a certain logical coherence.” 4 Finally, delete the new programming language you created and your flag will be revealed. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag1.html :21Hints: • The GATECH_ID header is required and enforced as such by the Swagger UI test harness. • Choose any value for fields not explicitly stated above. • Do not include extra quotes or double quotes embedded within the actual value.Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag1.html :21Flag 3: JWT Intro FLAG 3: JWT Intro (15 pts) Now that you’ve used an Auth token we’re going to dig a bit deeper into JWT (JSON Web Tokens). This flag is simple and designed only to get you acquainted with how JWTs are constructed. There are numerous resources to help you work with JWTs, one we recommend is https://jwt.io/ but you are not required to use this site for the project. Choose any library, tool or site you wish to inspect and construct JWT tokens. To earn your flag you must perform the following actions. 1 Call/invoke the “flag3token” GET API to get your token. 2 Parse the token using a tool of your choice. 3 Use values from the token to craft the correct payload and POST that to the “flag3token” API for your flag.Hints: • The intent of this flag is to get you familiar with the JWT token structure. You will need to understand what it is and how to construct/deconstruct these. This will likely require some outside research on your part.The next few flags will require some trial and error and a bit of research on your part to https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag3.html succeed. Your task is to craft JWT tokens such that you can use the token to successfully authenticate and earn your flag.Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag3.html Flag 4: Hack JWTs pt. 1 FLAG 4: Hack JWTs – #1 (15 pts) You are a PHP ninja! You can’t get enough of this language. When you learned that others hate it and gave it bad reviews you felt the need to “correct the situation”. You’ve learned of an API that allows you to delete reviews. Muhahahah! The problem is that only the site moderator can do this and you don’t have his credentials. This has not stopped you in the past. To earn your flag you must perform the following actions. 1 Find the suitable API that will allow you to accomplish your goal above. 2 You have previously registered with the site as a “reviewer” and remember your username is “python_guru1” and password is “The_sql_injection_vulnerabilities_are_false”. Use these to get your token from the “flag4token” API. 3 Analyze the token and do research to find a way to “upgrade” your token so that you can fool the API into thinking you are a “moderator”. 4 Leverage your newly crafted token to delete all of those incriminating PHP reviews and earn your flag.Hints: • Maybe inspecting your token will give you a clue of how the server is handling authorization.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag4.html Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag4.htmlFlag 6: Hack JWTs pt. 3 FLAG 6: Hack JWTs – #3 (15 pts) You’ve been informed that the system has a weak key vulnerability that can be decrypted using a brute-force attack. The weak key corresponds to the employee ID of one of the developers who developed the code, assuming that no one could guess the employee ID. A friendly employee in the company has leaked the pattern for the employee ID number, which would consist of numeric digits and could be up to seven digits. Pass this weak key on to the flag6 API and you should get the flag. To earn your flag you must perform the following actions. 1 Invoke the flag6token API to get the vulnerable token with a weak key. 2 Once you have the jwt token, carefully analyze the token header and the contents and note it down. 3 Explore various possibilities to hack into the JWT token. Various open source tools can be used to decrypt a weak key. You are free to explore any of these tools or write your code to decrypt the token. 4 Once you have decrypted the weak key, you need to use this weak key to get access to the API endpoint reserved for third party usage. Go over the swagger documentation to look out for this endpoint. 5 Once you have the endpoint, pass the weak key as path param to the flag6 API. Once you have done this, you should have the flag as shown in the image below.Hints: • The encryption algorithm used in the weak key generation would help to identify the right technique to decipher the weak key. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag6.html Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag6.html Flag 7: Broken Access Control Flag 7: Broken Access Control (10 pts) To earn your flag you must perform the following actions. 1 Find an API in Swagger that gives you details of the current user. Inspect the response and take note of any notable identifiers. 2 Given the endpoints available, see if the user ID and additional API endpoints help give insights to find the admin profile. 3 Invoke the reset-password API to change the admin user’s password. The new password value doesn’t matter.Hints: • All profiles will be under the UserProfile APIs in Swagger which are prefixed with /profiles • How do most database identifier fields work? Does the data from responses give you any ideas? Resources: https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag7.html • OWASP Top 1: Broken Access Control – https://owasp.org/Top10/A01_2021Broken_Access_Control/ • Gibson Security write up on broken access control in Snapchat https://gibsonsec.org/snapchat/ • Facebook business pages broken access control example: https://thezerohack.com/hackingfacebook-pagesDisclaimer: You are responsible for the information on this website. The content is subject to change at any time. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag7.html
Hello Indiana Drones! We unconvered the location of an invaluable piece of ancient treasure – the likes of which we have never seen before. Unfortunately, the treasure is located in a dense and dangerous jungle making a typical safari impossible. That’s where you come in! As a drone navigation and extraction expert, your mission should you choose to accept it, is to : Part A SLAM (worth 60 points) : Estimate The Locations Of Trees In The Jungle Environment And The Drone Given Pre-Scripted Movements and Measurements Complete the SLAM class in the indiana_drones.py file. To test your SLAM module, testing_suite_indiana_drones.py initiates a drone at (0,0) in a jungle with a lot of trees for each test case. The location, size and number of the trees are intially unknown to you. The drone moves through the jungle environment in a series of pre-scripted movements. At each time step, the drone’s sensors report measurements that are passed through your process_measurements function and the makes movements that are passed through your process_movement function. The goal of these functions is to update your belief of the locations of the drone and trees in your environment given the measurement and movement inputs. Those estimates will be read using your get_coordinates function and compared against the ground truth. In each test case, 30 points is for accurately estimating (within a 0.25 meter radius) the position of your drone and 30 points is for accurately estimating (within a 0.25 meter radius) the location of each of the trees. Points are deducted for each inaccuracy.Figure 1: Drone Diagram Part B Navigation (worth 40 points) : Navigate To The Treasure While Avoiding Trees In Your Path and Extract It Complete the IndianaDronesPlanner class in the indiana_drones.py file To test your SLAM module, the testing_suite_indiana_drones.py initiates a drone at (0,0) in a jungle with a lot of trees for each test case. The location, size and number of the trees are initially unknown to you. There is a piece of treasure in the environment whose location is known to you. The goal of your planner should be to move towards the treasure and extract it while avoiding crashes with trees on its way. At each time step, the drone’s sensors report their measurements and this is provided as input to the next_move function along with the location of the drone. The output of the function is used to move the drone through the jungle environment/extract the treasure. The output of your navigation algorithm can be one of two actions in the next_move function: namely move and extract. The move action moves the drone by the steering angle and distance you prescribe. Your drone has a maximum turning angle [in radians] and a maximum distance [in meters] that it can move each timestep [both passed using a parameter]. Movement commands that exceed these values will be ignored and cause the drone to not move. The extract action extracts the treasure at your location. The treasure will only be extracted if it is within the defined radius (0.25 meters). If not there will be a time penalty for extracting dirt. You should specify the movement as follows: move 1 1.57. [command distance steering] which means the drone will turn counterclock-wise 90 degrees [1.57 radians] first and then move a distance of 1 meter. When you issue your extract action you should supply 3 arguments total, including the treasure type (*) and current estimated location (x, y) of the drone as follows: extract * 1.5 -2.1 [command treasure_type x y]. 40 points is for extracting the treasure within the time limit, of which 10 points is deducted for each tree crash (upto a maximum of 20 points). For example, if the drone extracted the treasure within the time limit but crashed into one tree and one tree only, you will receive 30 points. Submitting your Assignment We encourage you to keep any testing code in a separate file that you do not submit. Your code should also NOT display a GUI or Visualization when we import or call your function under test. Testing Your Code We have provided a testing suite and test cases similar to the one we’ll be using for grading the project, which you can use to help ensure your code is working correctly. These testing suites are NOT complete, and you will need to develop other, more complicated, test cases to fully validate your code. We also recommend making your own simple/trivial test cases to unit test your algorithm as you code it. We encourage you to share your test cases (only) with other students on Ed Discussions. Usage: python testing_suite_indiana_drones.py Visualization and Debugging A visualization file has been provided to aid in debugging. The visualization will plot 6 pieces of data: the real location of drone, the estimated location of drone, the real location of trees, the estimated location of trees, the types of the trees (‘A’, ‘B’, …etc) and the location of treasure present in the environment. The real location of the drone will be a drone with 4 rotors. The estimated location of the drone will be a small blue dot. The real location of trees will be represented by circles of varying radii. The trees that are visible to the drone’s sensors are green in color and the trees that are too far away for the sensor to detect are in gray. The estimated location of a tree will be a small black dot. The type of tree/treasure will be next to the real location. The treasure is represented by a red triangle. The estimated points to plot need to be returned from next_move as a 2nd (optional) value in the form of a dictionary. This is needed to show your SLAM system’s estimates of drone and landmark location in the visualization. The keys should be the landmark id and the values should be its x,y coordinates. The key representing the drone’s estimated location will be ‘self’. {‘self’: (.2, 1.5), landmark id 1: (.4,1.9)} Usage: python visualize.py [-h] [–part {A,B}] [–case {1,2,3,4,5}] Example to run the visualization: python visualize.py –part B –case 3 The visualize.py and testing_suite_indiana_drones.py have a VERBOSE FLAG. If the FLAG is True, it will print helpful outputs in the terminal for debugging. In addition, there is a NOISE_FLAG in the testing_suite_indiana_drones.py. Ensure that your code works with no noise first before you test against a noisy environment. Frequently Asked Questions (F.A.Q.) Q: I’m confused. We are given so many files. What exactly should we do again and in which file? A: The main file you are concerned with is indiana_drones.py. This is what you fill and submit to gradescope. It contains two classes (SLAM and IndianaDronesPlanner) whose methods are used by the testing_suite_indiana_drone.py to run SLAM and Navigation respectively in various test cases to generate your score. drone.py contains helper classes and methods that you are free to use in your implementation. visualize.py is provided to help you debug your code with a visualization. Q: Where does the drone start? Which way is it facing? A: Although the drone starts in different places in different test cases, you can assume that it starts at (0,0) for each test case and report your outputs accordinly. Your drone will always have a bearing of zero degrees when it starts (i.e. facing east). Q: What are the (x,y) return values from get_coordinates function relative to? A: They should return your best guess for the position of the drone and trees relative to the drone’s starting location (0,0). Things To Think About 1. GraphSLAM estimates the X and Y locations of the drone, but the orientation accumulates noise too. Do you need to handle that? If you do, think about how you would do so. 2. GraphSLAM assumes that the noise is in the X and Y directions and are independent. However, the measurements and movements have noise in their distance and bearing/steering angle. Does this cause an issue? If so, how would you handle that? Are simple heuristics enough or do you need a detailed model? 3. How can the drone detect a potential crash of its path with a tree? And when it detects a potential crash with a tree, how can the drone avoid the crash? Could it figure out what options it has and choose one way it could go? Or does it need to find an exact path to avoid the crash?
Congratulations (again)! Your reverse engineering internship at Commonwealth National Laboratory has been a resounding success! You happily arrive to work at 7:00 am on the last day of your internship, as you have done all summer. This morning, however, you find that the Vice President of Technological Disruption is already waiting at your cubicle. “I saw that GHID’ER plugin you wrote” he says. “The whole team is amazed! It comments every instruction showin’ the data dependence. Even, countin’ those function arguments like they like!” He is clearly very pleased. “Just doing my job, sir!” you say, but he is searching for something in his expensive leather briefcase… “Oh boy! Sure I will!” You exclaim. “Excellent” says the VPTD. “Now, I have to ask you to begin your next mission immediately. This one is of grave importance to the nation.” “Finally Stuxnet!” You think. “The team is having trouble getting from point A to point B, and by that I mean, they don’t know which instructions come after the others” he explains. “Click on Graph View!” you say, thinking that this all sounds very familiar, but it is clear that he has never even opened GHIDRA before. “We need a way to know which order the instructions go in, but not all the instructions, only the ones that get executed when you run the program. You know?” “Sure… a dynamic control flow graph.” You respond “That’s the kind of out-of-the-box thinking that we like around here! Welcome to the team!” he says. “This will be a long career” you think as you begin looking up the Pin docs. https://software.intel.com/content/www/us/en/develop/articles/pin-a-dynamic-binaryinstrumentation-tool.html Instructions: In addition to the silly story, this lab will introduce you to carefully manipulating a malware’s execution under instrumentation. You will “puppeteer” GreenCat by pretending to be the C&C server and sending it the C&C commands you recovered in the previous labs. This sort of malware puppeteering is extremely common when trying to instrument and explore as much of a malware’s code as possible. A dynamic Control Flow Graph (CFG) is one essential program analysis building block that is often the desired output of this. A dynamic CFG allows you to answer all the malware analysis questions of a static CFG, but with more precision (because it follows a precise execution) and revealing any packed/encrypted code. After completing this lab, I encourage you to go a step further and write a simple analysis script to automatically compare your dynamic CFG with the static CFG from Lab #3 (they should be quite different!) — you’ve probably seen this trick used in the research papers to measure code coverage of the malware being tested. Download and set up the Sandbox VM. Download link: https://www.dropbox.com/scl/fi/enzu9xsa51sbz220q182d/vm.ova?rlk ey=d6ji9ofkbarg45irgi4xwcts8&st=lowqumkj&dl=0Build the example MyPinTool that counts instructions as described in the PinTools slides. PIN can be found in the C: directory of the VM. Run the example MyPinTool on greencat in the Sandbox and send greencat the “list /p” command as described in the PinTools slides. Make sure the path to your built plugin is correct when running. You can download c2server.py here: https://www.dropbox.com/scl/fi/jsv5efiv0usydful6eenm/c2 server.py?rlkey=uj3c0bqs2l4f56za4o2pcnay7&st=7jcyzd9a&dl=0 If the installation worked correctly, then you should extend MyPinTool to do the following: Trace the control flow of the executed instructions. To do so, your pintool will need to instrument the execution of every instruction. When each instruction is executed, your pintool will need to save what instruction preceded it. Do this tracing entirely in memory! Your pintool should only write to an output file in the Fini function (or ThreadFini). Constantly writing every instruction to the trace file will make your pintool unbearably slow! After the process that your pintool is tracing exits (i.e., in your pintool’s Fini function), generate a DOT directed graph file representing the control flow of all the observed instructions. More information about DOT directed graph files can be found here: https://en.wikipedia.org/wiki/ DOT_(graph_description_language)#Directed_graphs. Each node in your DOT directed graph file should be the address of an instruction that was executed (only ONE node per instruction address). The edges in your DOT directed graph file should go from each executed instruction to the instructions which executed immediately after it. For example, assume your pintool observes the following sequence of executed instruction addresses: 0x634, 0x636, 0x634, 0x640. The DOT directed graph file generated by your tool should be as follows: digraph controlflow { “0x634” -> “0x636”; “0x634” -> “0x640”; “0x636” -> “0x634”; } The order of the edges in the DOT directed graph file do not matter. Also see: https://stackoverf low.com/questions/1494492/graphviz-how-to-go-from-dot-to-a-graph To optimize the accuracy of your results, limit the instructions that your pintool instruments to only those that: • Execute after WinMain is called (i.e., do not instrument any instructions that execute before WinMain since these are mostly runtime set up code). • Are inside of the greencat binary itself, and not dynamically linked libraries. The Pin “IMG” functions will be very helpful here. You can use sendsignal.exe on the Desktop (via the command prompt) to kill it. Use your pintool and explore all the different greencat capabilities that each of the greencat command and control (C&C) commands exercise. Refer back to your previous labs to recover the C&C commands that greencat accepts from its C&C server. Send each command to greencat (one time is enough, order does not matter) and generate one DOT file. Your goal is to run several C2 commands in the session so as to dynamically discover as many control flow paths as possible. Note that success paths and error paths are equally important! Submit your pintool source code and the DOT file your pintool generated to Gradescope. For this lab, Gradescope will provide feedback every time you submit. The Gradescope feedback will tell you which greencat capabilities were explored and which ones you missed. The feedback will also show control flow paths that you missed. You should understand greencat well enough by now to find the C&C commands that cause those paths to execute. Grade: 100 points Grading Criteria: The grade will be based on the correctness of the DOT file that your pintool generates. -10 points for every missed C&C command’s control flow path. -3 points for every missing or duplicated node in the DOT directed graphs. The DOT directed graph should contain one node for each instruction that gets executed when the program is run. -3 points for every missing or erroneous edge in the DOT directed graphs. For every pair of instructions, A and B, if the control flow along any path of the observed execution causes B to execute immediately after A, then the DOT directed graph should contain only one edge from A to B. Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission Instructions: Upload the following to Gradescope: The DOT file that your pintool generated, named “submission.dot”. Your pintool code, named “plugin.cpp”. We reserve the right to run all submitted code, through automated means or otherwise, and if it is found that your code does not output equivalent to your original dotfile submission then you will also receive a zero. Be advised, please submit (1) and (2) separately, do NOT zip them together. Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (Highly recommended). Doing this will help you avoid transferring the file from the lab environment to your personal computer. Transferring Files: To transfer files from your personal device to the lab environment or to the Windows7 VM: Create a zip folder of all the files that you would like to transfer to the lab environment or the Windows7 VM. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the lab environment or the Windows7 VM and login to either of those two services where you uploaded you zip folder. Download folder to the lab environment or the Windows7 VM and use the appropriate 7z command to unzip your folder. What to do when you encounter technical difficulties? If you are experiencing technical difficulty such as being unable to access the lab environment, please submit a ticket to the “Digital Learning Tools and Platforms” team at https://gatech.servicenow.com/continuity. And on the ticket, please put “Route to the DLT Team” at the top of the ticket because it will help the Service Desk know where to send it.
Let us return one last time to the events which occurred in 2014 at a small eCommerce start-up company in Monroe, CT. Your investigation of the insidious greencat malware is coming to an end. You have found that the malware is using an HTTP connection to transmit command and control messages to a suspicious IP address. This discovery leads you to identify several predicates in the greencat binary which seem to control the execution of each malicious payload. “How can I be sure which payloads are controlled by each predicate?” You wonder … “One problem remains,” You think. “I have to precisely recreate the attack steps, as they unfolded at the eCommerce start-up. How can I know which command and control inputs will exercise those exact greencat execution paths?” Luckily, you remember that the part-time IT support professionals employed by the eCommerce start-up had saved network packet traces for all of the accounting department computers! “This is perfect!” You exclaim. The plan that you devise is as follows. Step 1: You must design a dynamic control dependence pintool. Step 2: Using a fake greencat C&C server, you can execute greencat with the pintool, send it C&C commands, and recover the dynamic control dependence of each payload. Step 3: You can check each payload’s network communication that you observe against the packet trace to be sure you’ve covered the correct execution paths. Disclaimer: In this assignment, you will only accomplish Steps 1 and 2. Instructions: The story for this lab is quite accurate to how a malware analyst would instrument, manipulate, and compare against evidence from the original cyber-attack. A dynamic Control Dependence Graph (CDG) enables malware analysis tools to link code sections to the predicates that control their execution. In a malware investigation (as in the story above) this can reveal exactly what network or environment input triggered the attack evidence the investigator observed. A CDG is also an essential program analysis build block that is required for program slicing, and as you know from the research papers, program slicing is widely used to focus analysis algorithms on key malware capabilities. However, like in previous labs, tool designers (you) must make tradeoffs, specifically in how to obtain immediate post-dominators. In this lab, you will create a dynamic CDG using the “puppeteered” GreenCat traces you collected in Lab 5. After completing this lab, I encourage you to go a step further and write a simple analysis script to automatically identify which C&C command causes each GreenCat function to execute (e.g., use an GHIDRA plugin to automatically color each instruction based on which C&C command causes it to execute). 1. Review the concepts of dynamic control dependence and how dynamic control dependence can be computed. The slides presented in class can be downloaded from Canvas. 2. Extend the pintool you designed for Lab #5 to trace the control dependence of every instruction that is executed. To do so, your pintool will need to implement one of the dynamic control dependence algorithms discussed in class. It does not matter which algorithm you choose to implement, but I would recommend the “Regions” approach. Do this tracing entirely in memory! Your pintool should only write to an output file in the Fini function (or ThreadFini). Constantly writing every instruction to the trace file will make your pintool unbearably slow! To determine control dependence, you will need to identify the immediate post-dominators of many instructions. For this lab we expect you to calculate IPDs based on the dynamic trace (with the control flow trace that your pintool generated for Lab #5). As we discussed in class, it is fine if your solution requires executing the dynamic analysis multiple times. Note that: If you obtain immediate post-dominators from the dynamic execution trace, then your immediate post-dominators might cover the entire program (i.e., you will have control dependence between functions). This is acceptable for this lab! After the process that your pintool is tracing exits (i.e., in your pintool’s Fini function), generate a DOT directed graph file representing the control dependence of all the observed instructions. Each node in your DOT directed graph file should be the address of an instruction that was executed (only ONE node per instruction address). The edges in your DOT directed graph file should go from each executed instruction to the instructions that it is control dependent on. For example, assume the instruction at 0x638 is control dependent on the instruction at 0x634. The DOT directed graph file generated by your tool should be as follows: digraph control_dep { “0x638” -> “0x634”; } The order of the edges in the DOT directed graph file does not matter. Also see: https://stackove rflow.com/questions/1494492/graphviz-how-to-go-from-dot-to-a-graph You can use sendsignal.exe on the Desktop (via the command prompt) to kill it. Use your pintool and explore all the different control flow paths that each of the greencat command and control (C&C) commands exercise. Refer back to your previous labs to recover the C&C commands that greencat accepts from its C&C server. Send each command to greencat (one time is enough; order does not matter) and generate one DOT file. Submit your pintool source code and the DOT file your pintool generated. Note 3: Feel free to use any third-party packages for graph algorithms/processing (hint: NetworkX is a handy python library for dealing with graphs). Additional Example: Consider this example:Consider what it would look like if we converted this to a digraph in the form of our lab 5 output (1A and 1B are G and H respectively): digraph controlflow { “0x0040100A” -> “0x0040100B”; “0x0040100B” -> “0x0040100C”; “0x0040100C” -> “0x0040100D”; “0x0040100C” -> “0x0040100E”; “0x0040100D” -> “0x0040100F”; “0x0040100E” -> “0x0040100F”; “0x0040100F” -> “0x0040100B”; “0x0040100B” -> “0x0040101A”; “0x0040101A” -> “0x0040101B”; “0x0040100A” -> “0x0040101B”; } Now consider the control dependence output: digraph controlDependence { “0x0040101B” -> “START” “0x0040101A” -> “0x0040100A” “0x0040100B” -> “0x0040100A” “0x0040100B” -> “0x0040100B” “0x0040100F” -> “0x0040100B” “0x0040100E” -> “0x0040100C” “0x0040100D” -> “0x0040100C” “0x0040100C” -> “0x0040100B” “0x0040100A” -> “START” } Notice that you can add a dummy START node, which can be helpful for calculating control dependence, and in this case, we can say that node A and node H are control dependent on START, though whether or not this exists in your output is not a requirement. Also notice that the edges are reversed compared to the image, though it is describing the same node relationship. Describing the relationship as seen in the example output is what we expect. For example, B is control dependent on A because: – there exists a path from A to B such that every node in the path other than A and B is postdominated by B – A is not post-dominated by B Grade: 100 points Grading Criteria: The grade will be based on the correctness of the DOT file that your pintool and/or prost-processing script generates. Your grade is dependent on the count of correct control dependence relationships you define. For example, if you miss 10% of the CDG relationships you will get a 90% on the lab. If you miss 10% of the expected CDG relationships and add an extra 10% of incorrect relationships to your CDG you will receive an 80% on the lab. Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission Instructions: Upload the following to Gradescope: The DOT file that your pintool generated, named “submission.dot”. Your pintool code, named “plugin.cpp” and any other code files needed to run your solution. We reserve the right to run all submitted code, through automated means or otherwise, and if it is found that your code does not output equivalent to your original dotfile submission then you will also receive a zero. Be advised, please submit (1) and (2) separately, do NOT zip them together. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check the correctness and provide a grade. Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (Highly recommended). Doing this will help you avoid transferring the file from the lab environment to your personal computer. Transferring Files: To transfer files from your personal device to the lab environment or to the Windows7 VM: Create a zip folder of all the files that you would like to transfer to the lab environment or the Windows7 VM. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the lab environment or the Windows7 VM and login to either of those two services where you uploaded you zip folder. Download folder to the lab environment or the Windows7 VM and use the appropriate 7z command to unzip your folder. FAQ What is the purpose of the additional, ungraded, GradeScope assignment with the same release period as Lab 6? This is an ungraded assignment that is exactly the same as Lab 5. It lets students submit their dynamic CFG to ensure that the coverage meets the minimum requirements. Since Lab 6 is a dynamic CDG, we test the dynamic CDG for all the points that we look for in the coverage we require for Lab 5 (these labs are largely interdependent). Making sure you start out with maximum coverage on Lab 5 before implementing Lab 6 will likely result in the best grade overall. What to do when you encounter technical difficulties? If you are experiencing technical difficulty such as being unable to access the lab environment, please submit a ticket to the “Digital Learning Tools and Platforms” team at https://gatech.servicenow.com/continuity. And on the ticket, please put “Route to the DLT Team” at the top of the ticket because it will help the Service Desk know where to send it.
Let us return to the events which occurred in 2014 at a small start-up company in Monroe, CT. Suddenly, your phone rings. Your caller ID shows that it is the CEO of the eCommerce start-up! “Hello?” you ask. “The investors are getting nervous! The lawyers are asking questions! The customers aren’t buying our eCommerce product!” he yells. “I’m working as fast as …” you say, but he interrupts. “We need to provide some proof that no customer data was stolen! I need you to get me that proof by next week, or you’re not getting paid!” he says before hanging up. Your mind races… what can you do? How can you provide proof? Instructions: An accurate Data Dependence Graph (DDG) is the most sought-after building block in the program analysis universe. Malware analysis tools require a DDG to answer any questions about the malware’s operation. You’ve probably seen multiple applications of DDGs in the research papers up to this point. Unfortunately, static analysis hurtles such as path explosion and aliasing force tool developers to make difficult implementation tradeoffs which limit the accuracy of their DDGs. In this lab, you will combat path explosion and aliasing with the goal of building a best-effort DDG — another essential building block for malware analysis. After completing this lab, I encourage you to go a step further and write a simple analysis script to automatically extract any DDG paths within GreenCat that can exfiltrate data from files on the victim system. 1. Review the concepts of data dependence and how data dependence can be computed. The slides presented in class can be downloaded from Canvas. 2. Extend the plugin you designed for Lab #3 to do the following: Loop every instruction in every basic block in every function in your greencat-2 disassembly (from before). Compute the data dependence of each instruction. You can design any methods or data structures you wish to accomplish this. You can use any GHIDRA SDK APIs that will help you (but none exist that can compute data dependence for you). Generate a DOT directed graph representing the data dependence of all the instructions in each function. Specifically, one DOT graph per function — name each DOT graph (called a “digraph” in the DOT file format) the address of the function. Each node in your DOT directed graph should be the address of an instruction (only ONE node per instruction address). Node labels can be just the instruction addresses. The edges in your DOT directed graph file should go from each instruction to any instructions which that instruction is data dependent on. The order of the edges in the DOT directed graph file does not matter. Consider this example from the greencat-2 binary. Here are the instructions in the function starting at address 0x401000 in greencat-2: 401000: push esi 401001: mov esi, ecx 401003: call 0x401078 401008: test BYTE PTR [esp+0x8], 0x1 40100d: je 0x401016 40100f: push esi 401010: call 0x402a5c 401015: pop ecx 401016: mov eax, esi 401018: pop esi 401019: ret 0x4 The DOT directed graph generated by your tool for this function should be as follows: Note: The following example is for full credit, which includes tracking the calling conventions and arguments of CALL instructions. digraph 0x401000 { n0 [label = “START”]; n1 [label = “0x401000; DD: START”]; n2 [label = “0x401001; DD: START”]; n3 [label = “0x401003; DD: START, 0x401000”]; n4 [label = “0x401008; DD: START, 0x401003”]; n5 [label = “0x40100d; DD: 0x401008”]; n6 [label = “0x40100f; DD: 0x401001, 0x401003”]; n7 [label = “0x401010; DD: 0x40100f”]; n8 [label = “0x401015; DD: 0x40100f, 0x401010”]; n9 [label = “0x401016; DD: 0x401001”]; n10 [label = “0x401018; DD: 0x401000, 0x401003, 0x401015”]; n11 [label = “0x401019; DD: 0x401018”]; n1 -> n0; n2 -> n0; n3 -> n0; n3 -> n1; n4 -> n0; n4 -> n3; n5 -> n4; n6 -> n2; n6 -> n3; n7 -> n6; n8 -> n6; n8 -> n7; n9 -> n2; n10 -> n1; n10 -> n3; n10 -> n8; n11 -> n10; } You tool should process every function in the greencat-2 binary. All DOT graphs for all the functions should be output in a single “.dot” file. So, after you GHIDRA plugin finishes executing, you should have a single “.dot” file with many digraphs in it (one digraph per function). The order of the edges in the DOT directed graph file does not matter. Also see: https://stackove rflow.com/questions/1494492/graphviz-how-to-go-from-dot-to-a-graph Lab Requirements / FAQ (MUST READ): This section contains some frequently asked questions and requirements that students should adhere to when working on this assignment. How do CALL instructions work for this assignment? How are they calculated? CALL instructions for this assignment are similarly calculated to Lab 3. To get full credit you must properly be tracking Calling conventions and stack dependency. Do we need to calculate dependencies between functions? No. Similar to Lab 3 (and for all scripting labs) functions will be considered independently, meaning you do not need to link dependencies between functions. This is the purpose of the START keyword. The START keyword should be used to express that a dependency originated outside of the local function. Grade: 100points Grading Criteria: The grade will be based on how many instructions and functions your plugin handles correctly (i.e., the edges and the labels in the DOT graph are correct). Here is what the team will look for while grading: Register dependencies: Register reads/writes are the easiest case of dependencies. Direct push & pop dependencies: This requires that your plugin track changes of the stack pointer inside each function. Hint: Since we do not know its true value, pretend like ESP = 0 at the start of each function, and then track its changes for each instruction. Note that function args will be above ESP at the start of the function. Static memory positions: These are memory locations that GHIDRA gives a name to and accesses via that name (e.g., “mov [ebp+var_4], eax” or “mov dword_429C48, eax”). This requires your plugin to note each instruction which writes to that memory position. Everything else: There are very few complex memory read/write dependencies (e.g., those which include aliasing) in the functions we will grade. I did not find any cases of aliasing in my cursory pass over the code. If you are concerned about any cases of complex memory read/write dependencies, then please post on Ed Discussionand we will be glad to check it out. The grade will be based on how many instructions and functions your plugin processes correctly, and is ultimately based on your graph submission (DOT file). Data Dependence accuracy of top 10 instruction mnemonics are worth 5% of the total grade each (mov, add, sub, cmp, test, xor, push, pop, lea, all forms of jump). For example, if 20% of your mov instructions are wrong (missing a dependent or has an erroneous dependent) then you will lose 1% of the total 100 points. Data Dependence accuracy of all other instruction types are collectively worth 15% of the total grade. For example, if 30% of the other instructions are wrong (missing a dependent or has an erroneous dependent) then you will lose 5% of the total 100 points. Edge accuracy is worth 30% of the total grade. For example, if 10% of your edges are wrong (missing or have an erroneous extra edge) then you will lose 3% of the total 100 points. We will only grade the functions that you commented in Lab 2. The maximum deduction is 100. There will be no negative grades. Note: Grades in sections are rounded down to the nearest percent. Call Tracking: Up to 20 additional points will be awarded for properly tracking the DD of CALL arguments Note: This will require using GHIDRA ’s APIs to determine the number of function arguments. For example: 40156B push 3Ch ; … 40156D xor ebx, ebx ; … 40156F lea eax, [ebp+buf] ; … 401572 push ebx ; … 401573 push eax ; DD: 401572, 40156F 401574 call _memset ; DD: 401573, 401572, 40156B Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission Instructions: Upload the following to the Lab 3 Assignment in Gradescope: The DOT file output by your GHIDRA plugin, named “submission.dot” which contains digraphs for every function in the greencat-2 binary. Your GHIDRA plugin code, named either “plugin.py” or “plugin.java” depending on the chosen language. We reserve the right to run all submitted code, through automated means or otherwise, and if it is found that your code does not output equivalent to your original dotfile submission then you will also receive a zero. Be advised, please submit (1) and (2) separately, do NOT zip them together. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check the correctness and provide a grade. Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (Highly recommended). Doing this will help you avoid transferring the file from the lab environment to your personal computer. Transferring Files: To transfer files from your personal device to the lab environment: Create a zip folder of all the files that you would like to transfer to the lab environment. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the lab environment and login to either of those two services where you uploaded you zip folder. Download folder to the the lab workspace and use the appropriate 7z command to unzip your folder. What to do when you encounter technical difficulties? If you are experiencing technical difficulty such as being unable to access the lab environment, please submit a ticket to the “Digital Learning Tools and Platforms” team at https://gatech.servicenow.com/continuity. And on the ticket, please put “Route to the DLT Team” at the top of the ticket because it will help the Service Desk know where to send it. Grades have been released. How do I view my raw feedback? import base64 import gzip base85_encoded_data = b“Paste the encoded data here” base85_decoded_data = base64.b85decode(base85_encoded_data) gzip_decompressed_data = gzip.decompress(base85_decoded_data) with open(“output.txt”, “wb”) as f: f.write(gzip_decompressed_data)
Congratulations! You have just been named the newest reverse engineering intern at Commonwealth National Laboratory. You happily report to work at 7:00 am on your first day, find your newly vacuumed cubicle, and excitedly await all of the fun malware reverse engineering you will be doing. “What will they give me on my first day” you wonder. Will it be Stuxnet? Some malware that attacks nuclear weapons maybe! Your boss rolls in around 11:00 am. He looks at you and says “We just got that fancy new GHEEDAR tool, but it don’t show us the control flow like we like around here.” “Click on Graph View!” you say, but it is clear that he has never even opened GHIDRA before. “Write one of those GHEEDAR plugins you kids like. Make it generate a DOT graph where each node is an instruction addresses and the edges show the control flow from one instruction to the next.” “Click on Graph View!” you implore. “Do this too…” he says, “in every node, label the instruction address and also any registers or constant memory addresses that the instruction defines or uses.” “This will be a long summer” you think as you begin looking up the GHIDRA SDK docs. Instructions: In all seriousness, a Control Flow Graph (CFG) is the fundamental building block of all program analysis algorithms. Nearly all malware analysis tools start by building a control flow graph. Once you have a control flow graph, tracking how data flows through the malware sample is essential for answering many questions. For example, by analyzing a CFG and the data being defined and used by each instruction, you can automatically isolate the paths that connect to C&C servers or exfiltrate specific user data. In this lab, you will build these essential building blocks for malware analysis. After completing this lab, I encourage you to go a step further and write an analysis script to automatically extract any CFG paths that touch GreenCat’s C&C URL. 1. As described in Week 6 slides, GHIDRA has a few example scripts to help you get the feel for development. 2. Get the Hello World plugin (either compiled Java or Python) running in GHIDRA . Create a new GHIDRA project with greencat-2. Do not use your GHIDRA project from Lab 2. Keep that Lab 2 project safe and sound so that you can refer to it as a “ground truth” for Lab 3 and beyond. A fresh project with no comments will make plugin development easier and the comments will confuse the Lab 3 grader script. 3. Build a GHIDRA plugin (I recommend building from the hello world plugin) that: • Loops every instruction in every basic block in every function in your greencat-2 binary (from before). You will need to follow the control flow graph, so your plugin will know the execution order of the instructions. • Generate a DOT directed graph representing the control flow of all the instructions in each function. Specifically, one DOT graph per function — name each DOT graph (called a “digraph” in the DOT file format) the address of the function. More information about DOT directed graph files here: https://en.wikipedia.org/wiki/DOT_(graph_descriptio n_language)#Directed_graphs. • Each node in your DOT directed graph file should be the address of an instruction (only ONE node per instruction address). The edges in your DOT directed graph file should go from each instruction to the next instructions which execute immediately after it. Consider this example from the greencat-2 binary. Here are the instructions in the function starting at address 0x401000 in greencat-2: 401000: push esi 401001: mov esi, ecx 401003: call 0x401078 401008: test BYTE PTR [esp+0x8], 0x1 40100d: je 0x401016 40100f: push esi 401010: call 0x402a5c 401015: pop ecx 401016: mov eax, esi 401018: pop esi 401019: ret 0x4 The DOT directed graph generated by your tool for this function should be as follows: digraph “0x401000” { n1 [label = “0x401000;”]; n2 [label = “0x401001;”]; n3 [label = “0x401003;”]; n4 [label = “0x401008;”]; n5 [label = “0x40100d;”]; n6 [label = “0x40100f;”]; n7 [label = “0x401010;”]; n8 [label = “0x401015;”]; n9 [label = “0x401016;”]; n10 [label = “0x401018;”]; n11 [label = “0x401019;”]; n1 -> n2; n2 -> n3; n3 -> n4; n4 -> n5; n5 -> n9; n5 -> n6; n6 -> n7; n7 -> n8; n8 -> n9; n9 -> n10; n10 -> n11; } The order of the edges in the DOT directed graph file do not matter. Also see: https://stackoverf low.com/questions/1494492/graphviz-how-to-go-from-dot-to-a-graph Add the def use list to every node’s label. Specifically, for each node: (1) build a list of the registers and memory locations which that instruction defines and uses, then (2) add that list to the node’s label. The ordering of the list does not matter. For the example above, the final DOT directed graph generated by your tool for the function starting at address 0x401000 in greencat-2 should be as follows: Registers are not case sensitive when grading. digraph “0x401000” { n1 [label = “0x401000; D: [esp], esp U: esi, esp”]; n2 [label = “0x401001; D: esi U: ecx”]; n3 [label = “0x401003; D: eax, esp U: ecx, esp”]; n4 [label = “0x401008; D: eflags U: [esp + 0x8], esp”]; n5 [label = “0x40100d; D: U: eflags”]; n6 [label = “0x40100f; D: [esp], esp U: esi, esp”]; n7 [label = “0x401010; D: eax, esp U: [esp], esp”]; n8 [label = “0x401015; D: ecx, esp U: [esp], esp”]; n9 [label = “0x401016; D: eax U: esi”]; n10 [label = “0x401018; D: esi, esp U: [esp], esp”]; n11 [label = “0x401019; D: esp U: esp”]; n1 -> n2; n2 -> n3; n3 -> n4; n4 -> n5; n5 -> n6; n5 -> n9; n6 -> n7; n7 -> n8; n8 -> n9; n9 -> n10; n10 -> n11; } Note: Why does 0x401003 use ECX and why does 0x401010 use [ESP]? The answer has to do with Calling conventions. 0x401003 is defined as a fastcall calling convention, and it takes one argument. 0x401010 is a stdcall function and takes one argument. In cases where CALL instructions accept arguments through the stack, you can assume [ESP] as the correct USE to capture this. Your tool should process every function in the greencat-2 binary. All DOT graphs for all the functions should be output in a single “.dot” file. So, after you GHIDRA plugin finishes executing, you should have a single “.dot” file with many digraphs in it (one digraph per function). Note: If you are curious about what the Def and Use for a particular instruction in GreenCat should be, then please ask on Ed Discussion! Also Note: You only need to turn in the DOT graph files for #4 above, not for #3! Formatting Instructions (MUST READ): It is critical that you strictly adhere to the formatting guidelines for this lab and all future labs requiring graph analysis. Your graph (DOT file) submission MUST be properly formatted so that our automated feedback generation can work properly. If your graph output does not adhere to the strict formatting guidelines, causing automated feedback generation to fail, you will receive a zero. Your provided script must be able to generate the graph that is submitted (which you will be graded on) and your graph must not require any formatting modifications to enable the automated feedback generation to work properly. Gradescope will not provide feedback on the correctness of your graph, but it will let you know if there was an error during automated feedback. If you see any errors in Gradescope, please come back to this section and the previous section’s examples and review the guidelines. If you still have questions, you can always make a private Ed Discussionpost. Formatting guidelines: • There must be one digraph header for each function in your analysis. The digraph header must contain digraph FUNCTION_ADDRESS { – Compatible Regex: ˆdigraphs+(.+?)s*{$ – Enclosing the address in quotes, and 0xADDRESS notation are accepted – Each function digraph header must be on its own line. Notice the regex expects “digraph” to be the first word on the line. • Each node label MUST be exactly as seen in the previous section. – NODE [label = “0xADDRESS; D: COMMA, SEPARATED, DEFINITIONS U: COMMA, SEPARATED, USES”]; – Node IDs must be the character “n”, followed by a number. Do not zero fill the number. – Spaces are important. A single space between the semi-colon between the address and def/use attributes is necessary. Likewise, space between the last “def” value and the beginning of the “U:” section is important. – Do not leave trailing commas in the end of each “def” and “use section. ∗ D: esp, ebp, U: ebp, esp, ebx, is not acceptable – Make sure the entire “label” section is enclosed in double quotes as seen in the previous section. – You MUST still have a “D:” and “U:” (def and use section) for all node labels. Even if there are no definitions or uses for that particular node. • Node edges must be of the format: – FROM_NODE -> TO_NODE • There shouldn’t be anything in your dotfile other than each function’s digraph header, the closing digraph footer, edges, and nodes with labels. Additional newlines/whitespace are fine (outside of the strict label formatting), but there is no reason to leave inline comments or anything else. Remove any extraneous debug output, or leave commentary in your code instead. Here are some frequently asked questions (FAQ) regarding formatting: • It is recommended that node numbers start at 1 from the first instruction in the function, although it is not necessary as long as your node numbering is consistent within each function. (The first instruction does not have to be node 1, although recommended) • For the best results with the automated feedback generation, there is no need to extend the registers to their full 32-bit form when adding them to the def/use listing. Instead, list the register that is actually used in the code. • EFlags are normalized and abstracted to a generic “eflags” register, so although you can submit the individual flag registers, it is not a requirement. • To get full credit on CALL instructions, you must track Calling Conventions and Arguments/Return Registers. This will be a big part in your success on Lab 4, so we recommend ensuring this works efficiently now. Assume that GHIDRA ’s default analysis makes the correct assumptions about calling conventions (don’t modify them). Lab Requirements / FAQ (MUST READ): This section contains some frequently asked questions and requirements that students should adhere to when working on this assignment. How do I know the DEF/USE attributes of instructions not provided in the lab doc examples? Can I use symbol names from my disassembler’s analysis in my DOT file output? No. Please convert all symbol names to their raw addresses. Under most circumstances the usual GHIDRA /IDA API will give them in address form, but please otherwise convert them using the relevant APIs in your final DOT submission, since symbol names can be arbitrarily modified by auto-analysis or you, it is simplest to make sure that we use the raw addresses in the PE file. This is most common in IDA when dealing with auto-created structs, so make sure to double check these specifically! If you leave symbol names in your DOT output, we won’t be able to properly grade your assignment. How much can I share in Ed Discussion? Should I include EIP in my assignment? No. EIP is a special register that tracks the next instruction to execute. We completely ignore EIP while grading, so we recommend that you do as well! I’m using the API, but I’m getting different DEF/USE results than what I see in the example. What is happening? This assignment is provided to students and to be solved using either GHIDRA depending on the course section (online and on-campus respectively). Both tools have minor discrepancies in the way that they provide DEF/USE information via the API. To normalize this, we have taken the “most correct” interpretation of DEF/USE for these instructions by consulting the Intel documentation. The DEF/USE we are expecting for these instructions is provided below. If the mnemonic is not mentioned, assume the API gives all of the necessary information. Please ensure that you manually modify these instruction mnemonics as you build your DEF/USE graph. This allows the autograder to work as efficiently as possible and give you the best feedback. For these instruction mnemonics we will only accept the interpretation provided below as correct. LEAVE: DEF(ebp, esp), USE(ebp, [ebp]) POP: DEF(esp), USE(esp, [esp]) PUSH: DEF(esp, [esp]), USE(esp, [registers (if used)]) RET: DEF(esp), USE(esp) CALL: DEF(esp, [return registers]), USE(esp, [argument registers]) Why are immediate values/scalars/constant values not included in DEF/USE? This is a common pitfall that students run into. Please review the lectures on DEF/USE for additional information. For the purposes of DEF/USE, we only care about symbolic values such as registers or memory locations that can be modified or potentially represent different values depending on the state of execution. Immediate (or constant) values such as file offsets or static numbers used for arithmetic are not considered for DEF/USE because they will always be the same across every execution. Why does X mnemonic have Y DEF/USE attributes? We recommend that you consult the Intel documentation for this task, but if you’ve already had a look at the documentation and it still doesn’t make sense, please ask! Grade: 100points Grading Criteria: Note: Create a new GHIDRA project with greencat-2. Do not use your GHIDRA project from Lab 2. Keep that Lab 2 project safe and sound so that you can refer to it as a “ground truth” for Lab 3 and beyond. A fresh project with no comments will make plugin development easier and the comments will confuse the Lab 3 grader script. The grade will be based on how many instructions and functions your plugin processes correctly, and is ultimately based on your graph submission (DOT file). Def/Use accuracy of top 11 instruction mnemonics are worth 5% of the total grade each (mov, add, sub, call, cmp, test, xor, push, pop, lea, all forms of jump). For example, if 20% of your mov instructions are wrong (missing a Def or Use or have an erroneous Def or Use) then you will lose 1% of the total 100 points. Def/Use accuracy of all other instruction types are collectively worth 15% of the total grade. For example, if 30% of the other instructions are wrong (missing a Def or Use or have an erroneous Def or Use) then you will lose 5% of the total 100 points. Edge accuracy is worth 30% of the total grade. For example, if 10% of your edges are wrong (missing or have an erroneous extra edge) then you will lose 3% of the total 100 points. Note: Grades in each mnemonic section are rounded down to the nearest percent. Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission Instructions: Upload the following to the Lab 3 Assignment in Gradescope: The DOT file output by your GHIDRA plugin, named “submission.dot” which contains digraphs for every function in the greencat-2 binary. Your GHIDRA plugin code, named either “plugin.py” or “plugin.java” depending on the chosen language. We reserve the right to run all submitted code, through automated means or otherwise, and if it is found that your code does not output equivalent to your original dotfile submission then you will also receive a zero. Be advised, please submit (1) and (2) separately, do NOT zip them together. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check the correctness and provide a grade. Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (Highly recommended). Doing this will help you avoid transferring the file from the lab environment to your personal computer. Transferring Files: To transfer files from your personal device to the lab environment: Create a zip folder of all the files that you would like to transfer to the lab environment. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the lab environment and login to either of those two services where you uploaded you zip folder. Download folder to the the lab workspace and use the appropriate 7z command to unzip your folder. Grades have been released. How do I view my raw feedback? import base64 import gzip base85_encoded_data = b“Paste the encoded data here” base85_decoded_data = base64.b85decode(base85_encoded_data) gzip_decompressed_data = gzip.decompress(base85_decoded_data)with open(“output.txt”, “wb”) as f: f.write(gzip_decompressed_data)
The following is based on true events from 2014 which occurred in a small start-up company in Monroe, CT. A new small to medium sized eCommerce start-up based inMonroe, CThas recently begun to notice anomalies in their financial records. They have also recently received a number of customer complaints saying that invoices received from the companyoften bill more services than the customers asked for, and they are often directed to send check payments to a PO Box that does not look legitimate. Upon reviewing their most recent set of invoices (saved as plain text files), the accounting department notices that the information in the invoices is incorrect, as reported by the customer complaints. The CEO orders an immediate investigation of the three accountants’ computers, which had only recently been purchased last month from a bankrupt internet cafe popular for LAN parties. As a growing company, they only employ a small team of six part-time IT support professionals. hey undertake an initial check of the systems, and they find a suspicious process running on one of the computers which seems to be connected to a McAfee service with a large amount of data being sent outside the company firewall.At this point,they do not feel that they have the expertise to carry out a full-scale malware/forensic investigation, and becoming nervous of a possible attack, the IT team scribbles down the name of thesuspiciousprocess (“greencat-2”) and quickly shuts down allthree accounting department computers and unplugs their power cords. As there is increased competition in thestart-up eCommerce domain, the company is anxious to ensure that their systems have not been compromised. The CEO quickly employs a cyber forensic investigator (YOU) to determine what malicious activity has taken place, where it originated from, and if the company is to blame (i.e., could be sued) for any damages. Unfortunately, because theaccounting department computerscontain sensitive customer financial information, the CEO will only allow you access to thesuspicious greencat-2 binary. By investigating only this binary, can you determine: 1. Could greencat-2 or disgruntled accounting employees be responsible for manipulating the company’s financial records and customer invoices? 2. Wasgreencat-2 targetingthe startup eCommerce company all along, or could it have come from somewhere else? 3. What could explain the “large amount of data being sent outside the company firewall” that the company’s IT observed? What functionality ingreencat-2 couldcause alarge amount of data to be sent out over the network? Instructions: Downloadwebc2-greencat-2.7z from Dropbox: https://www.dropbox.com/scl/fi/95t2w0nk2z749y ed1f3vb/webc2-greencat-2.7z?rlkey=e2740othz3n5v47dpxxrdb15l&dl=0 Move this zip file to where you’re running GHIDRA , unzip it using the following 7z command. The 7z file is password protected. The password is “infected” (no quotes). 7z e webc2-greencat-2.7z After you unzip the malware, check that the unzipped malware binary file’s MD5 hash is correct. GHIDRA will also show the MD5 hash after loading the binary, so double-check in GHIDRA as well. 57e79f7df13c0cb01910d0c688fcd296 webc2-greencat-2 Load the executable into GHIDRA . This malware is a standard 32-bit PE executable. Starting from theWinMain(…) function located at 0x0040297D, follow the control flow in thedisassembly. Imagine that you are a recursive-descentdisassembler — starting from the entry of each function and going until the return ofthatfunction. Comments should be placed on every block of logically-relatedinstructions. “Logically-related” is defined as 5 or fewer sequential instructions that together accomplish a single (easily commented) action. Control flow instructions (e.g., call, jmp) cannot be in the middle of a commented block — they can only be the first or last instruction of the block! Since this binary is dynamically linked, you will have to Google any library functions that you do not know. This will be important for understanding the return values and side effects (e.g., the memory copied by strcpy) of the library functions. It will be helpful if you keep track of the values in memory! For example: some library calls will save data into a buffer in memory (e.g.,GetUserNameExA) and then greencat-2 will use that data later on. GHIDRA can help with this — it shows empty space where static variables should be. You can double-click any static variable’s name to jump to its location andadd comments or dummy values. Unfortunately, GHIDRA cannot help with dynamically allocated variables. Youdo nothave to turn in anything related to memory tracking, but it will be helpful to you. Optional: Provide answers to the 3 investigation questions from above in a file called answers.txt and submit it with your lab submission in Gradescope. MAX of 5 sentences per answer. 5 bonus points per correct answer. Exporting Comments from GHIDRA -5 points for not following these steps properly. Default export settings in GHIDRA will truncate comments! Click on File and then click on Export program as shown in figure below.This will open a new pop-up in that choose ASCII format as shown in figure below.Click on options to increase the end of line width (max comment width).Grade: 100 points Grading Criteria: The grade will be based on how well you understood the functionality and capabilities of greencat-2. -10 points for each key malware functionality that your team fails to comment or entirely misunderstands (e.g., your comments say the code is reading a file, but it is really writing to a socket). All key malware functionality in greencat-2 are reachable via careful recursive-descent (there are no anti-disassembly tricks). I will not deduct points for misunderstanding single instructions. Bonus: 5 bonus points will be awarded for each correct answer to the 3 investigation questions above. Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. If you would like to set it up, your team can collaborate using a GHIDRA server. The instructions for that can be found at the following blog post. Make sure to configure your server in a way that is not publicly available. This is outside the scope of this class, so we cannot provide IT support for GHIDRA servers, but please post any questions or tips on Ed! https://byte.how/posts/collaborative-reverse-engineering/ For people new to GHIDRA and would like to get some insight, here is a blog post for that as well. https://byte.how/posts/what-are-you-telling-me-ghidra/ Submission Instructions: Upload your commented ASCII Listing file exported from GHIDRA (called submission.txt) to the assignment in Gradescope. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check for correctness and provide a grade. Upload your answers to the three questions in a file named answers.txt. Do not zip or compress the files. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check the correctness and provide a grade. Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (Highly recommended). Doing this will help you avoid transferring the file from the the lab workspace to your personal computer. Transferring Files: To transfer files from your personal device to the lab environment: Create a zip folder of all the files that you would like to transfer to the lab environment. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the lab environment and login to either of those two services where you uploaded you zip folder. Download folder to the the lab workspace and use the appropriate 7z command to unzip your folder. Additional Resources The following video shows how you create header files and then load them into Ghidra to use for setting datatypes to whatever you defined. https://www.youtube.com/watch?v=u15-r5Erfnw&ab_channel=0x6d696368 Is ChatGPT (or other AI assistance) allowed for this lab? The short answer is yes, ChatGPT or other AI assistance software is allowed for this assignment, since after all real practitioners will use all of the tools at their disposal to fight threat actors. Please keep in mind the following, however: Do not directly copy anything from the AI assistant chat window. It is crucial for you as the student to be able to articulate your understanding in your own words. Often AI assistant’s interpretation of assembly does not capture the true intention of the code, and instead regurgitates the actions of the CPU for each instruction. We are expecting your comments to encapsulate the high-level reason for the code’s existence, and it is not sufficient to explain which registers are storing which values without understanding the underlying reasoning.
Instructions: Compile the hello world C code we saw in class into assembly code Code: #include int main(int argc, char* argv[]) { if (argc == 2) printf(“Hello %s “, argv[1]); return 0; } GCC Command: gcc -W -Wall -Wextra -Wpedantic -fno-asynchronous-unwind-tables -O0 -S -masm=intel hello.c -o hello.s For each line with an assembly instruction, add a comment explaining what that instruction is doing Be smart about it! No “moves 2 into eax” Instead say: “the number of args must be 2” Grade: 5 extra credit points (fills in lost points on real labs) Teams: This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission: Upload your commented assembly code file (called hello.s) to the assignment in Gradescope. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check for correctness and provide a grade. What to do when you encounter technical difficulties? If you are experiencing technical difficulty such as being unable to access the AWS workspace, please submit a ticket to the “Digital Learning Tools and Platforms” team at https://gatech.servicenow.com/continuity. And on the ticket, please put “Route to the DLT Team” at the top of the ticket because it will help the Service Desk know where to send it. 1
Get your feet wet in GHIDRA or maybe your eyes :’( Instructions: Compile the hello world C code we saw in class into an executable Code: #include int main(int argc, char* argv[]) { if (argc == 2) printf(“Hello %s “, argv[1]); return 0; } GCC Command:Comment the same instructions that you commented for Extra Credit #1 Note: You can write and compile the code above in AWS workspace. After you are done with commenting, you can submit your ASCII Listing file directly from the AWS workspace (Highly recommended). Doing this will help you avoid transferring the file from the AWS workspace to your personal computer. Exporting Comments from GHIDRA : -5 points for not following these steps properly. Default export settings in GHIDRA will truncate comments! Click on File and then click on Export program as shown in figure below.This will open a new pop-up in that choose ASCII format as shown in figure below.Click on options to increase the end of line width (max comment width).Transferring Files: To transfer files from your personal device to the AWS workspace: Create a zip folder of all the files that you would like to transfer to the AWS workspace. Every GT student has Box and OneDrive accounts given free by the institution. Login to either of those two and upload the desired files. Now go back to the AWS workspace and login to either of those two services where you uploaded you zip folder. Download folder to the AWS workspace and use the appropriate 7z command to unzip your folder. Grade: 100 points This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating. Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups. New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members Zoom can also provide the ability to collaborate and video conference with your teammate. Submission: Upload your commented ASCII Listing file exported from GHIDRA (called submission.txt) to the assignment in Gradescope. Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check for correctness and provide a grade. What to do when you encounter technical difficulties? If you are experiencing technical difficulty such as being unable to access the AWS workspace, please submit a ticket to the “Digital Learning Tools and Platforms” team at https://gatech.servicenow.com/continuity. And on the ticket, please put “Route to the DLT Team” at the top of the ticket because it will help the Service Desk know where to send it.
INPUTS: 1. Message Text: message to be encoded. ● This input should be a non-empty string and must contain at least one letter or number. ● This input should be provided to the app through an EditText widget, initially blank. 2. Scale Input: first encryption parameter. ● This input should be an integer coprime to 62 between 0 and 62: 1, 3, 5, 7, 9, 11, 13, 15, … ● This input should be provided to the app through an EditText widget, initially set to ‘1’. 3. Shift Input: second encryption parameter. ● This input should be an integer >= 1 and < 62. ● This input should be provided to the app through an EditText widget, initially set to ‘1’. OUTPUT: 1. Encoded Text, the text resulting from applying the following cipher: ● For each character in the alphabet, where the numeric value is , the encoded value of the letter is defined as where and are the values of Scale Input and Shift Input, respectively,() = ( as + in an) % Affin 62e Cipher. ● The encoded character for the input character is calculated by taking the encoded number, which is a value between 0 and 61, and translating it back into a character (again, where “0”=0, “1”=1, … “9”=9, “a”=10, “b”=11, … “z”=35, “A”=36, …, “Z”=61). ● All non-alphanumeric characters must remain unchanged. ● The output should be shown using a non-editable TextView that is initially blank and (re)computed when the “Encode Message Text” button is pressed. If any input is invalid when the button is pressed, the output should then be set to “” (i.e., the empty string), and all applicable error messages should be generated (see below). EXAMPLE ● Inputs: ○ Message Text = “Cat & 5 DogS” ○ Scale Input = 5 ○ Shift Input = 3 ● Output: ● Encoded Text = “7Ro & s cZlp” ● Explanation: ○ “C” has a value of 38, (38 * 5 + 3) % 62 = 7, 7 corresponds to “7”. ○ “a” has a value of 10, (10 * 5 + 3) % 62 = 53, 53 corresponds to “R”. ○ … ○ ” “, “&”, ” ” are unchanged. ○ “5” has a value of 5, (5 * 5 + 3) % 62 = 28, 28 corresponds to “s”. ○ ” ” is unchanged. ○ … ERROR MESSAGES The app should generate suitable error messages by calling EditText’s setError method (inherited from TextView) on the appropriate EditText widget when the computation is triggered (i.e., the button is pressed). If done correctly, this will result in (1) an error mark ( ) on the right-hand side of the text field and (2) a floating error message whenever the field has focus, as shown in the error screenshots below. It is possible to have more than one error active at the same time, as shown in the screenshots below.There are three error situations: 1. “Invalid Message Text”, related to the Message Text field, for any entry both letter-less and number-less. (Examples: “”, “&$%#^$&^”) 2. “Invalid Scale Input”, related to the Scale Input field, for a blank or unacceptable value (i.e., not coprime to 62). 3. “Invalid Shift Input”, related to the Shift Input field, for a blank or out-of-range value.For illustration, we are providing several mockups for a possible implementation of the app:We suggest that you try to generate a user interface (UI) similar to the one shown above, but you don’t have to. However, you must make sure to use the exact same identifiers we provide below for your widgets. This is very important, as we will use these identifiers to check and auto-grade your app. IDENTIFIERS ● messageTextID ● scaleInputID ● shiftInputID ● encodeButtonID ● encodedTextID PRO-TIP: The identifiers are typed here for you. Just copy and paste them to be safe!For example, in the XML layout file for your app, the entry for the text field used to input the Message Text should have the following ID: android:id=”@+id/messageTextID”INSTRUCTIONS 1. Make sure to watch the Android Studio demo (part of the lessons on Android). (https://github.gatech.edu/gt-omscs-se-2025summer/6300Summer25.git), create a directory called “Assignment4”. Hereafter, we will refer to this directory in your local repo as . 3. Copy and paste (appending) the following into your .gitignore file in the root (/..)of your repo: *.iml .gradle local.properties .idea/workspace.xml .idea/libraries .idea .DS_Store build captures .externalNativeBuild 4. Create an Android app project called “SDPEncryptor” in . (Make sure that this results in a directory called SDPEncryptor in , as shown in the “Configure Your Project” snapshot below–you will likely need to manually modify the “Save location” entry for this to happen.)○ Choose “Empty Views Activity” as your project template.Note the package name: “edu.gatech.seclass.sdpencryptor” Note the minimum SDK: “API 34: Android 14” Note the build configuration language: “Groovy DSL (build.gradle)” (You must use this exact build configuration language) 5. You should test your app against a virtual “Pixel 6 with API 34 (UpsideDownCake) Installed.” You can add this device in the ‘device manager’ view. 6. Ensure you are using Gradle and Android Gradle Plugin versions compatible with Java 17. Go to File > Project Structure > Project and select 8.8.0 for the Android Gradle Plugin Version and 8.10.2 for the Gradle Version7. Choose Modules in the Project Structure dialogue, and check to see that you are using a Compile SDK Version of 34 and Source Compatibility and Target Compatibility of Java 17.8. In the same dialogue, choose the Default Config tab and ensure the Target SDK version is 34.9. Check the build.gradle file for module app to see that the settings were applied:android { // … compileSdk 34 defaultConfig { // … minSdk 34 targetSdk 34 // … } // … compileOptions { sourceCompatibility JavaVersion.VERSION_17 targetCompatibility JavaVersion.VERSION_17 }} 10. Make sure that your build.gradle file for module app contains the following dependencies (including the specific versions listed): implementation ‘androidx.appcompat:appcompat:1.4.1’ implementation ‘com.google.android.material:material:1.5.0’ implementation ‘androidx.constraintlayout:constraintlayout:2.1.4’ testImplementation ‘junit:junit:4.13.2’ testImplementation ‘org.robolectric:robolectric:4.11.1’○ If some dependencies are missing, make sure to add them. ○ You will have to rebuild the project if you added dependencies (the IDE should let you know through a banner notification). 11. To ensure compatibility with the tests used in autograding, add the following in the build.gradle for the module app:android { // … testOptions { unitTests { includeAndroidResources = true } } // … }12. Implement your solution based on the requirements provided above using Java 17. Be sure your app includes both the semester and year in the Title as seen in the wireframes above. 13. Mandatory: check your solution before submitting it by following these directions. Download this archive and unpack its contents in , which should create the following files: ○ SDPEncryptor/app/src/main/java/edu/gatech/seclass/sdpencryptor/SanityC heck.java: This file prevents your app from compiling if the identifiers, activity name, or package name are incorrect. Do not edit this file. If compilation fails after you add this file it’s indicative of a bad project structure. Carefully follow direction 1-4 again. ○ SDPEncryptor/app/src/test/java/edu/gatech/seclass/sdpencryptor/Robolec tricViewAssertions.java: This file contains a helper library to run robolectric tests and enrich their output.○ One key learning outcome of this assignment is to develop the skills to read, interpret, and resolve failed test cases. If you encounter failing test cases, it is your responsibility to determine the issue and implement a solution. Should you ask a question on ED, our guidance will often be consistent: “What do you understand about the output? Why do you think this assertion is being made? How does it align with the specifications?” If an assertion appears unexpected, your first reference should be the specifications rather than posting a query on ED. Below is an example of the “Expected” and “View Details” sections from the test failure output, along with some guidance on how to interpret them: ■ Expected: “wBM8B lBG” but was: “v6SF6 b6B” View Details: ID: 2131231064, res-name: messageTextID, visibility: VISIBLE, enabled: true, focusable: false ■ In this case, the test is saying that the text in the field corresponding with the “messageTextID” identifier is “v6SF6 b6B” but should have been “wBM8B lBG”. In this case, the most likely cause is that your affine cipher code isn’t working properly, as the cipher should be what populates that ‘messageTextID’ field. 14. If your build fails with an error “Task :app:lint FAILED” or similar, you should be able to fix the issue by “inferring constraints” for your layout. Android Studio will do it for you automatically, just go to your activity_main.xml file, hover over the error reported, and the IDE should give you the option to fix it. Alternatively, you can also disable the lint task for your project by adding the following to build.gradle: android { //… lintOptions { tasks.lint.enabled = false abortOnError false } }15. For automated testing, check out Robolectric. Here are some Robolectric tips, based on past experience: ○ Make sure your unit test config is set up so that Android resources are included. (See step 9 of these instructions) 16. Commit the gradle-wrapper.jar, /SDPEncryptor/gradle/wrapper/gradle-wrapper.jar. If, for whatever reason, this file doesn’t exist run the following in /SDPEncryptor: gradle wrapper and include it in your private GitHub repository. If your .gitignore excludes jar files, you will need to force-add it. 17. Include two screen captures of the build result of the app (app_compile.png) and of the app running in the emulator (app_run.png). Put both image files in your “Assignment4” folder (see below). The name must be exact and all lowercase. Every semester our image validation process has improved – if the auto grader tells you there’s a problem, there’s a high likelihood that there’s a problem – follow these steps carefully. ○ app_compile.png must be taken from a stand-alone terminal/CMD (not Android Studio built-in terminal) and must show both the “./gradlew build” (or “gradlew build”) command with “BUILD SUCCESSFUL”, as seen from the example below. Ensure that you terminal window is 100% opaque (i.e not translucent/transparent/see-through), the color difference between background and the text is significant, the window size is wide enough, the font size is appropriate (not too big, not too small); all of this is to ensure that we can easily read the content of your screenshot. Failure to do so will result in a points deduction. Example Image:○ app_run.png must show the semester and year in the app title, as seen in the example below. Failure to adhere to the app title format text will result in a points deduction. Example Image:Note: “SDPEncryptor” (without space) and “SDP Encryptor” (with space) are both acceptable○ Hints for passing the image capture portion of the autograder (Do not open an ED post asking us to prevalidate any images – the previous instructions and what follows is the only advice we have on the matter): To pass the app_run image process, consider factors like contrast, resolution, the size of the image. For the app_compile image process, ensure you don’t have a partially transparent terminal, ensure you follow directions to the letter, it’s best if your view is large enough that you don’t have wrapping text, and lastly don’t take your image so close to the text block as to cut off edges or to make part of the output unreadable. SUBMISSION ○ Go to and execute: ■ git commit -a ■ git push2. As an alternative to Item 1, and only if you know what you are doing, you could also commit and push your app from within Android Studio, which should actually give you an option to do so:But please use the instructions in Item 1 if you need clarification.3. Submit on Gradescope a file, called submission.txt that contains, in two separate lines (1) your GT username and (2) the commit ID for your submission. For example, the content of file submission.txt for George P. Burdell could look something like the following: submission.txt gpburdell1 81b2f59GUIDELINES FOR COMMUNICATING 1. Should my post be public or private? a. You can only post publicly about environment-related questions (failure to launch Android Studio, the emulator, or build the project etc.) or questions related to failing tests that you run on your local machine. (eg. SmallTestExample) c. When in doubt, post privately – we’ll let you know if it can be public. 2. What should be in my private post? a. A link to the Gradescope result b. If you are asking about a failed autograder test, give us a demonstration that you: i. Tried to understand the test results (see this section from the assignment spec) ii. Confirmation that you’ve taken that understanding back to the assignment spec to see if there is anything you missed.TL;DR (Checklist) 1. Build an Android App using Java 17 and Android SDK Version 34. You should test your app on a Virtual Pixel 6 device with API 34 installed. 3. Clone a fresh copy of your app and run the tests we provided on it. 4. Submit on Gradescope. 5. If your submission fails the Gradescope checks, it will not be graded and will receive a 0.
This assignment assesses your basic knowledge of Java and JUnit, which you will need for future assignments and projects. Instructions To complete the assignment, you must complete the following tasks: ● Clone your individual GitHub repository in your local workspace. This is the same repository that you used for the previous assignment and will use for all future individual assignments: https://github.gatech.edu/gt-omscs-se-2025summer/6300Summer25.git ● Download the archive assignment 3.tar.gz ● Extract the archive in the root directory of the repository, which will create a directory called Assignment3 and several subdirectories. Hereafter, we will refer to the directory Assignment3 in your local repo as . (If you do not know how to extract a “tar.gz” archive, you should be able to find plenty of resources on how to do that online–ask on Ed Discussion otherwise.) ○ Directory /src contains, in a suitable directory, the Java interface edu.gatech.seclass.MyStringInterface. It also contains an exception class edu.gatech.seclass.MyIndexOutOfBoundsException, which is used by the interface. ○ Directory /test contains, in a suitable directory, a template JUnit test class edu.gatech.seclass.MyStringTest. ○ File /lib/junit-platform-console-standalone-1.9.1.jar, a JUnit library to be used for the assignment ● Your first task is to develop a Java class called MyString that suitably implements the MyStringInterface interface that we provided. The semantics of the methods in the interface should be obvious from their name, the JavaDoc comments in the code, and the test examples in class MyStringTest–ask on Ed Discussion otherwise. Class MyString should be in the same package as the interface and should also be saved under /src/edu/gatech/seclass. ● Your second task is to develop a set of JUnit5 test cases for class MyString by completing the provided template test class MyStringTest, which contains 3 complete test cases and 13 to-be-completed test cases. For each test case in class MyStringTest whose body simply consists of the placeholder instruction “fail(“Not yet implemented”);”, you must do the following: ○ Provided for you: ■ Placeholder instruction ○ Required from you: ■ Write a meaningful test case for the method, as identified by the placeholder instruction. ■ Replace the text “” in the test comment with a concise description of the purpose of the test (e.g., “Count words in an empty string”) without modifying anything else in the comment and making sure that your comment consists of a single line (i.e., does not contain newlines) and does not contain quotes or other special characters. ■ Make sure that every test method has a suitable oracle (i.e., either an assertion or an expected exception) and that the tests are not trivial (i.e., are not a copy of the provided one and have a specific purpose). In other words, each test should (1) test a specific piece of the functionality, and (2) check that such a piece of functionality behaves as expected. ■ It should be obvious, but please also make sure that all the test cases you created pass when run against your code. ■ In addition, at least two of the tests that you develop must result in an expected exception (e.g., NullPointerException). When testing for an expected exception, make sure to assert as follows: assertThrows(.class, () -> mystring.(..args))○ Consider, for example, test case testCountWordsS2(): @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) // Description: public void testCountWordsS2() { fail(“Not yet implemented”); }In your submission, you should have a corresponding, complete test for method countWords in class MyString, together with a concise description of the purpose of the method, such as: @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) // Description: Count words in an empty string public void testCountWordsS2() { } Submission To submit your solution, you should: ● Submit on Gradescope a file, called submission.txt that contains, in two separate lines (1) your GT username and (2) the commit ID for your submission. For example, the content of file submission.txt for George P. Burdell could look something like the following: submission.txt gpburdell1 81b2f59The grade you will see on Gradescope is your actual grade for the assignment, unless we find some issues with your submission (e.g., hardcoding of the results, identical tests, or similar). Notes ● Make sure to submit only the test cases in the template and do not add extra tests. If you feel compelled to add additional tests, feel free to do so in a separate test file, which you can add to your repo but won’t be graded. ● Do not use any external library other than the provided libraries. You can obviously use all the standard JDK libraries, and you really should not need any external one. ● The only files that we will use to grade your submissions are: ○ Assignment3/src/edu/gatech/seclass/MyString.java ○ Assignment3/test/edu/gatech/seclass/MyStringTest.java ○ Assignment3/lib/junit-platform-console-standalone-1.9.1.jar Feel free to commit extra files (e.g., IDEA’s project-related files), as this does not make a difference for your grade. ● You cannot modify any of the following: ○ The provided interface (MyStringInterface) ○ The already provided test cases except for those that you are supposed to implement, obviously, whose body is simply “fail(“Not yet implemented”)”. ● You should use Java version 17 to solve the assignment. ● Before submitting, make sure to compile and run your test cases as a collective suite (not only individually) and to check that they all pass. Although gradescope performs the same checks, it is much faster to do that locally, on your machine, beforehand. ● Verify that your final commit ID contains what you intend, and is pushed to the repository, by cloning it in a separate location or viewing it on github.gatech.edu. ● More specifically, you can check that you committed and pushed all the files you needed by doing the following: ○ Clone a fresh copy of your personal repo in another directory ○ Go to directory Assignment3 in this fresh clone ○ Compile your code. One way to do is to run, from a Unix-like shell: javac -cp lib/* -d classes src/edu/gatech/seclass/* test/edu/gatech/seclass/MyStringTest.java ○ Run your tests. Again, from a Unix-like shell, you can run: java -cp classes:lib/* org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.MyStringTest ● You can perform multiple commits as you produce your solution. This is not only fine, but actually very much encouraged. ● We also encourage you to use a “development” branch and merge your stable version(s) into the “main” branch. If interested, see this site for an example of a possible branching model of this kind. (There are many others.) ● From this point on in the course, you should NOT run the git repository reset commands given in Assignment 2, any version of force –push, or any commands deleting branches, tags, or prior commits on your repository, as these commands could cause you to lose prior work.Gradescope Feedback/Requests for Clarifications Requests for clarifications: If you need clarifications on a specific test or Gradescope output, please post privately on Ed Discussion (we will make it public if appropriate) and make sure to add, when it applies: ● a link to the Gradescope results, ● an inlined, complete copy of the test(s) you reference, if yours (i.e., no screenshots or commit IDs, please), and The bottom line is that, to make the interaction efficient, you should make your posts as self-contained and easy-to-check as possible. The faster we can respond to the posts, the more students we can help. Using Intellij IDEA Although it is not mandatory, we recommend that you use IntelliJ IDEA to complete the assignment, so that you can also get familiar with this IDE (if you aren’t already). To do so, you should open IDEA and do the following (notice the initial, alternative steps): ● If you are in the initial IntelliJ IDEA screen (see image below), do the following:○ Click “Open” ○ Select as the directory to import● Otherwise, if you are already in a project window, do the following ○ Click menu “File” => “New” => “Project from Existing Sources…○ Select as the project directory○ ○ Select “Create project from existing sources”○ Click “Next” accepting the default choices (make sure to include the provided libraries and to select Java SDK 17) and then “Finish”: ○ ○ ○ ○ ○ If SDK is not installed, choose to download:○ ○
In this assignment, you will get familiar with Git and some of its main features. The assignment assumes that you are working from the command line, and we will simulate the presence of multiple users using two terminal windows. If you are already familiar with Git and a specific Git client, feel free to use that, as long as you do what the assignment requires.https://github.gatech.edu/gt-omscs-se-2025summer/6300Summer25.gitNotes: ● We will not be able to give you access to REPO until you activate your GT GitHub account, (i.e., you must have logged at least once into https://github.gatech.edu/).If you are not familiar with Git and feel completely lost, we suggest that you have a second look at the Git demo in P1L4 and mimic the steps in the demo on your machine, taking into account that the demo uses a standard GitHub and not a GT GitHub repository. In addition, you can also take the tutorial at http://try.github.io/levels/1/challenges/1, which should further get you familiar with Git’s basic concepts.We also suggest that you use GitHub’s “Network” view to monitor the state of your local and remote repository throughout the assignment. To do so, go to the GT GitHub page for your REPO, select menu “Insights” at the top, and then select the “Network” tab at the left. In this way, you will have a visual representation of how the repository evolves, which can be very useful for better understanding Git and how it operates. Other pages in GT GitHub show the list of commits and the tags (under ‘releases’). Furthermore, we provide a screenshot of how your repository should look at the end of each part of the assignment, which you can use as a reference. You can also run “git log –graph” from the command line, which outputs a text-based representation of the same information, but we do not provide a reference output for this representation.mistake while working on REPO and you wanted to restart from a clean slate, in most cases you should be able to do so by executing the repo reset instructions. Assignment Instructions: Preliminary note: We strongly recommend that you (1) clone your GitHub repo using HTTPS and (2) use a credential helper to tell Git to remember your GitHub username and password, so that you don’t have to re-login every time. You can find instructions on how to do so here: https://help.github.com/articles/caching-your-github-password-in-git/#platform-all Part 1 (Terminal 1) Before you start, make sure to specify your name and email address using the command “git config”, if you haven’t already. 1. Open a terminal window 2. Create and go to directory User1 3. Clone REPO 4. This should create a directory called 6300Summer25 under directory User1. 5. Go to directory 6300Summer25 (here you can also open the Network view in GT GitHub and start monitoring how your repository evolves) 6. Make sure that the directory contains a file called MyPrivateRepo 7. Create and go to directory Assignment2 (under 6300Summer25) 8. Create a file called myinfo.txt that contains only one line with your first and last name. Ensure that the file extension is correct for this and later files. 9. Commit the file to your local repo with comment “Added myinfo file” 10. Create a branch called “development” and switch to it 11. Create a file called dev1.txt that contains the text “Dev 1 file”. 12. Commit the file to your local repo (it should be in branch “development”) with comment “Added dev1 file” 13. Switch to the “main” branch 14. Edit file myinfo.txt and add your GT Email (e.g., [email protected]) on the next line. 15. Commit the file to your local repo with comment “Edited myinfo file” 16. Merge the “development” branch into the “main” branch with commit message “Merge #1” 17. Push all branches to the remote repositoryAt this point, your remote repository should look like the one in the figure below in the “Network” view on GT GitHub. If it doesn’t, it means that you made a mistake in one of the steps.Part 2 (Terminal 2) 1. Open a second terminal window 2. Create and go to directory User2 3. Clone REPO 4. Just like before, this should create a directory called 6300Summer25 under directory User2 5. Go to directory 6300Summer25/Assignment2 6. Switch to the “development” branch 7. Create a file called dev2.txt that contains the text “Dev 2 file”. 8. Commit the file to your local repo (it should be in branch “development”) with comment “Added dev2 file” 9. Create a branch called “temp” and switch to it 10. Create a file called mytemp.txt that contains the text “Mytemp file”. 11. Commit the file to your local repo (it should be in branch “temp”) with comment “Added mytemp file” 12. Create and commit to branch “development”, with the comment “Added dev3 file”, a file called dev3.txt that contains the text “Dev 3 file”. 13. Merge the “temp” branch into the “development” branch with commit message “Merge #2” 14. Merge the “development” branch into the “main” branch with commit message “Merge #3” 15. In the main branch, edit file myinfo.txt and add the semester and year (i.e., “Summer 2025”) in a separate line. 16. Commit the file to your local repo with comment “Edited myinfo file again” 17. Push all branches to the remote repository.At this point, your remote repository should look like the one in the figure below in the “Network” view on GT GitHub. If it doesn’t, it means that you made a mistake in one of the steps.Part 3 (Terminal 1) 1. Go back to the first terminal 2. Make sure to be in branch “main” 3. Edit file myinfo.txt and add this text on the next single line of the file, using your own username: “6300Summer25” 4. Commit the file to your local repo with comment “Edited myinfo file for the third time” 5. Push the main branch (not the other branches) to the remote repository. To do so, you will have to pull changes (using merge strategy, i.e. do NOT rebase) from the remote repository and suitably handle conflicts. In handling conflicts, make sure not to lose any content, not to have any of the extra text added by Git to mark the conflicting parts, and to preserve the order of the information as it appears in the assignment on four separate lines: first and last name, GT email, semester, and repository name (i.e., 6300Summer25). Use commit message “Final merge with conflicts fixed” for the additional commit after merging and handling the conflicts. 6. Tag the current version of the main as “V1” and push the tag to the remote repository. Use a LIGHTWEIGHT tag. At this point you are done, and your remote repository should look like the one in the figure below in the “Network” view on GT GitHub. If it doesn’t, it means that you made a mistake in one of the steps. Given the fact that this assignment is fairly simple, as it mainly consists of executing the provided steps, we expect the network view to match the figure below exactly, with branch labels as shown and no missing or extra commits. We will deduct points if this is not the case.Similarly, we expect all the complete commit messages, branches, the folder, the lightweight tag, the tag name (V1), file names, file extensions (.txt), and the content of the files in the repo to be correct to the letter. Do not include extra labels, any default text, or additional content in your files, tags or messages. Review the network view, your commits list, the files, and the tag page.As stated above, if your network view differs from the one provided, it means that you made a mistake in following the provided instructions, so you should try solving the assignment again before posting screenshots of your network and asking for suggestions. Please keep in mind that this is a fairly simple assignment in which all you have to do is to perform the provided steps, so you should not really need any external help.Here are some additional views from GitHub that you can use to further check your submission:Submission To submit your solution, you should: ● Retrieve the commit ID for your submission by running “git log -1” in Terminal 1 after the last (successful) command–the commit ID is the long hexadecimal number after “commit”. ● Submit on Gradescope a file, called submission.txt that contains, in two separate lines (1) your GT username and (2) the commit ID for your submission. For example, the content of file submission.txt for George P. Burdell could look something like the following: submission.txt gpburdell1 81b2f59 ● As soon as you submit, your assignment will be graded by checking that your graph is correct and that you created the right files with the right content. After that, you will see a report with your grade and some corresponding feedback. The feedback should be self-explanatory, but please let us know if something is not clear. ● The grade you will see on Gradescope is your actual grade for the assignment. Repo Reset Instructions:● IMPORTANT: ○ These are instructions that you should follow only if you mess up your REPO (eg. you have an incorrect commit message, or commited the wrong thing at the wrong time). Please don’t ask us to reset your repo, as we would simply run the same instructions described below, which is something you can do without our help. ● Run “git log” from within your local repository ● Run in each of the two terminals (one for User1 directory and the other one for User2 directory), and from the root of your repo (directory 6300Summer25) ○ git checkout main ○ git branch -D development temp ○ git push origin :development ○ git push origin :temp ○ git tag -d V1 ○ git push origin :V1 ○ git reset –hard ○ git push –force ● After resetting the state, there is no need to re-clone the repository (i.e., there is no need to perform the first 5 steps of the instructions).
• Points 15• Submitting a file upload• Available Jun 5 at 9:30am – Jun 18 at 9:29am“Wow, you really are an Android expert!” Your boss is delighted with your last project, it seems. However, you aren’t sure whether or not completing 1 assignment warrants the title of ‘expert’. “Just in time, too, because we have another client with some Android work lined up! They just found this method to root their Android device and they want you to write a report on the entire process.” Maybe you should’ve tried to persuade your boss that you aren’t such an expert after all. Once again, you go back to you desk and open up the client document Actions . Assignment The purpose of this assignment is to explore how you can leverage the OTA mechanism to root an Android device and get an idea of how rooted Android can be used to do bad things. Note that this lab is more focused on exploration rather than implementation, so the more details you can bring up in your report, the more beneficial it will be. There are 4 tasks that you will need to complete for this lab. They include: • Building an OTA package (20%), which involves o Writing an update script, and o Building the package • Injecting code via app_process (20%), which involves o Injecting some dummy code, o Compiling the code, and o Building the package • Implementing SimpleSU to get root (20% for implementation + 10% for questions), which involves o Exploring code that will replace app_process in order to launch a root shell, and finally o Launching the root attack o Answering task questions • Implementing malicious location app (20%), which involves o Implementing check for superuser access o Granting location access permission • Report (10%) There are 2 tasks get bonus points, which includes: • Implementing app removal malicious app (5%) • Rooting the Android VM with a new approach (5%) There are 4 files that should be downloaded to get started. This includes: • A Development VMLinks to an external site. o Mirror VMLinks to an external site. o Ubuntu 16.04 o Creds: seed/dees o Installation GuideLinks to an external site. o User manual Actions • An Android VMLinks to an external site. o Mirror VMLinks to an external site. o Android 7.1 o Installation GuideLinks to an external site. o User manualLinks to an external site. • The fully fleshed-out code for Task 3Download The fully fleshed-out code for Task 3 • Skeleton code for Task 4Download Skeleton code for Task 4 Supplementary Material: Lab 3_Supplementary_Material.pdf Project FAQ: Project 3 FAQ.xlsxLinks to an external site.Deliverables Your submission should include two files. First, you need to submit a detailed lab report to describe what you have done and what you have observed, including screenshots and code snippets (if needed)for Task 14and Bonus. You also need to provide explanation to the observations that are interesting or surprising. You are encouraged to pursue further investigation, beyond what is required by the lab description. Second, you also need to submit the zip file for your source code for Task 4 and Bonus. The zip file should include the .apk file for your applications andanother zip file containing the source code for the entire Task 4 and Bonus part and a README (if needed).
