課程網站:https://edu-ctf.csie.org/
有開源的教材:
- Web: https://github.com/splitline/How-to-Hack-Websites
- Reverse: https://github.com/LJP-TW/NYCU-Secure-Programming
- Pwn: https://github.com/u1f383/Software-Security-2021
除了 Web II 的 Profile Card 沒寫,其他都有寫完,總分為:4440 / 4740
作業分類:
| HW | Type | Points |
|---|---|---|
| 0x00 | All |
50 / each |
Crypto: 1000/1000
| HW | Type | Points |
|---|---|---|
| [Lab] Grams | Vigenere Cipher, N-Grams Attacks |
50 |
| [Lab] Geffe | LFSR, Correlation Attacks |
50 |
| [Lab] POA | Padding Oracle Attack |
50 |
| [0x01] nLFSR | LFSR |
150 |
| [Lab] LSB | LSB Oracle |
50 |
| [Lab] Pohel | Pohlig-Hellman Algorithm |
50 |
| [0x01] Single | Elliptic Curve (Singular) |
200 |
| [Lab] HNP | ECDSA |
50 |
| [Lab] LEA | Length Extension Attack |
50 |
| [Lab] LAT | Gaussian Lattice Reduction |
50 |
| [0x01] HNP-revenge | LLL |
250 |
Web: 1000/1300
| HW | Type | Points |
|---|---|---|
| [Lab] Cat Shop | Basic |
10 |
| [Lab] 喵 site | Basic LFI |
10 |
| [Lab] Hakka MD | LFI, RCE |
20 |
| [Lab] DNS Lookup Tool | Command injection |
10 |
| [Lab] DNS Lookup Tool - WAF | Command injection, WAF |
20 |
| [Lab] Log me in | SQL injection |
20 |
| [0x02] Imgura | Information Leak, Upload, LFI |
150 |
| [0x02] DVD Screensaver | Path traversal, SQL injection, Signed Cookie |
250 |
| [Lab] Log me in: Revenge | UNION-based SQL injection |
20 |
| [Lab] Preview Card | SSRF, gopher:// |
20 |
| [Lab] SSRFrog | SSRF, Bypass blacklist |
20 |
| [Lab] Pickle | Deserialization, pickle |
20 |
| [0x02] Profile Card | XSS, CSRF, CSP Bypass |
300 |
| [Lab] Serializable Cat | Deserialization, Basic PHP unserialize |
20 |
| [Lab] Serializable Magic Cat | Deserialization, POP chain |
20 |
| [Lab] XSS Me | Frontend |
20 |
| [Lab] Jinja SSTI | SSTI |
20 |
| [0x02] Double SSTI | SSTI |
150 |
| [0x02] Log me in: FINAL | SQL injection, Information Leak |
200 |
Reverse: 1000/1000
| HW | Type | Points |
|---|---|---|
| [Lab] baby | Basic |
20 |
| [Lab] list | Basic |
20 |
| [Lab] main1 | Where to start |
20 |
| [Lab] main2 | Where to start |
20 |
| [Lab] main3 | Where to start |
20 |
| [Lab] main4 | Where to start |
20 |
| [0x03] fifo | FIFO, Fork |
250 |
| [Lab] HelloWindows | VirtualProtect |
20 |
| [Lab] Cpp_Traditional_GUI | MessageBox |
20 |
| [Lab] dll | dll |
20 |
| [0x03] giveUflag | dll |
250 |
| [Lab] HellWindows | TLS Callback |
20 |
| [Lab] 3xc3pt | Exception Handler |
20 |
| [0x03] nani | Packer, Exception Handler |
280 |
Pwn: 1240/1240
| HW | Type | Points |
|---|---|---|
| [Lab] Got2win | GOT |
20 |
| [Lab] Rop2win | ROP |
20 |
| [0x04] sandbox | Shell code |
100 |
| [0x04] fullchain | fmt, GOT, ROP |
150 |
| [0x04] fullchain-nerf | fmt, GOT, ROP |
100 |
| [Lab] heapmath | Basic Heap |
20 |
| [Lab] market | Heap |
20 |
| [0x04] final | Heap |
50 |
| [0x04] easyheap | Heap |
150 |
| [0x04] beeftalk | Heap |
150 |
| [Lab] FILE note - (R) | Glibc File Structure |
20 |
| [Lab] FILE note - (W) | Glibc File Structure |
20 |
| [Lab] FILE note - (X) | Glibc File Structure |
20 |
| [0x04] FILE note | Glibc File Structure |
300 |
| [Lab] OvO8 | Browser Exploitation |
100 |
各項佔總成績為:
| HW | Grade |
|---|---|
| HW0 (5%) | 97.5 |
| HW1 (15%) | 100 |
| HW2 (15%) | 92.5 |
| HW3 (15%) | 92.5 |
| HW4 (15%) | 100 |
| 課外參與 (10%) | 90 |
| Final CTF (25%) | 83.21 |
writeup 以及 exploit 參閱各作業的資料夾。
./snippet build
./snippet up
./snippet shell
./snippet down
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent