CTF Rules
WebHackIT is a security competition for students attending the Cybersecurity course at Sapienza University of Rome. Please refer to the Cybersecurity course for more information including lectures, deadlines and grading rules.
Flags
The aim of each challenge is to get a string (called flag) that proves a successful exploitation. The flag format is WIT{...} unless otherwise specified.
Dynamic score
To make the competition more thrilling, we adopt a dynamic score for each challenge. The formula we use to compute points is
points = floor(500 / X**0.15)
where X is the number of students who have solved the challenge at the end of the competition. For example, if a challenge is solved by only one user, that user gets 500 points. If two users solve the challenge, they both get 450 points. Using the Python console, we can easily get the points for the other scenarios, e.g.:
>>> import math
>>> for X in range(1,10): print("# solvers: %d - points: %.0f" % (X, math.floor(500/X**0.15)))
...
# solvers: 1 - points: 500
# solvers: 2 - points: 450
# solvers: 3 - points: 424
# solvers: 4 - points: 406
# solvers: 5 - points: 392
# solvers: 6 - points: 382
# solvers: 7 - points: 373
# solvers: 8 - points: 366
# solvers: 9 - points: 359
Since the score depends on the number of solvers, it is updated for all users after each solve. The idea is that the score (initially equal to 500 for all challenges) is dynamically adjusted based on the difficulty of the challenge.
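The following is an added example (not code from the CTF platform) that implements the scoring rule above as a small scoreboard: points are computed with the formula from this page, and because the value of a challenge depends on how many people have solved it, every solver's total is recomputed from the solve log rather than frozen at submission time. The Scoreboard class, the function names and the sample solve log are constructed for illustration; note that a repeated solve by the same user is ignored so that X counts students, not submissions.

```python
"""Dynamic CTF scoring: points = floor(500 / X**0.15), recomputed for all
solvers after each solve. Added example; the Scoreboard class and the sample
solve log are constructed for illustration and are not part of the platform."""
import math
from collections import defaultdict

BASE_POINTS = 500   # value of every challenge before its first solve
DECAY = 0.15        # exponent from the page's formula


def points(num_solvers: int) -> int:
    """Points each solver receives for a challenge with num_solvers solvers."""
    if num_solvers < 1:
        raise ValueError("a challenge needs at least one solver to award points")
    return math.floor(BASE_POINTS / num_solvers ** DECAY)


class Scoreboard:
    def __init__(self):
        # challenge -> list of users who solved it, in order of first solve
        self.solvers = defaultdict(list)

    def record_solve(self, user: str, challenge: str) -> None:
        # A second flag submission for an already-solved challenge must not
        # count again: X counts students, and inflating it would dilute
        # everybody's score for that challenge.
        if user in self.solvers[challenge]:
            return
        self.solvers[challenge].append(user)

    def challenge_value(self, challenge: str) -> int:
        """Current value of a challenge (500 until someone solves it)."""
        solvers = self.solvers.get(challenge, [])
        return points(len(solvers)) if solvers else BASE_POINTS

    def totals(self) -> dict:
        """Recompute every user's total from scratch, so that each solver of a
        challenge holds its current value rather than the value at solve time."""
        totals = defaultdict(int)
        for challenge, users in self.solvers.items():
            value = points(len(users))
            for user in users:
                totals[user] += value
        return dict(totals)


# Constructed sample solve log: (user, challenge) in submission order
SAMPLE_SOLVES = [
    ("alice", "xss-1"),
    ("bob", "xss-1"),
    ("alice", "xss-1"),   # duplicate submission, ignored
    ("carol", "sqli-1"),
    ("bob", "xss-1"),     # duplicate submission, ignored
]


def replay(solves=SAMPLE_SOLVES) -> dict:
    """Replay a solve log and return the final per-user totals."""
    board = Scoreboard()
    for user, challenge in solves:
        board.record_solve(user, challenge)
    return board.totals()


if __name__ == "__main__":
    for x in range(1, 10):
        print(f"# solvers: {x} - points: {points(x)}")
    print(replay())
```

Replaying the sample log gives alice and bob 450 each (two solvers of xss-1) and carol 500 (sole solver of sqli-1); alice's total was 500 right after her first solve and dropped to 450 once bob solved the same challenge, which is exactly the after-each-solve update the rules describe.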
Write-ups
After submitting a flag you are expected to write a report, called write-up, and send it using the submission form before the challenge deadline. The CTF platform provides a template for every write-up, that specifies the content that you are required to include, e.g., the entire code developed to exploit a challenge or a patch to fix the vulnerability. Write-ups not following the template will not be evaluated.
Technical and Human Behaviour
We'd like everyone to enjoy a fair game. For this reason we ask you to follow these simple rules:
- No attacks against the infrastructure (this website and the challenges), including denial-of-service (DoS), floods, DNS poisoning, ARP spoofing, MITM, etc. The CTF platform is open source and we welcome everyone to perform a security review of its source code. Report any vulnerability you find to us for an additional bonus!
- Don't try to bruteforce flags by doing an unreasonable number of attempts in the flag submission page. We guarantee our flags to be unguessable™.
- Vulnerability/network scanners are useless for these challenges and not allowed. Do something better.
- If you find a way to hack into a service/challenge more easily than intended, please report it to the tutors.
Rules may change as more issues are raised by the participants, and the organizers reserve the right to change them at any time. Keep in mind that it is not possible to list all the rules, and all the exceptions to them, that apply to the CTF competition. When in doubt, use common sense or ask the tutors/teaching assistants.
Collaboration Policy
For any challenge, you can use all resources listed on the cybersecurity website, referred textbooks, and URLs mentioned on the slides and in the challenge description. It is strictly prohibited to use solutions/code from similar courses or to take solutions/code from Internet searches. If you discuss with other people, list them (i.e., cite your sources) and indicate how your solution was affected by that discussion.
Solutions have to be kept strictly confidential: spreading of information is easy to detect and it will likely spoil the fun of other participants trying to solve the tasks. In case of uncertainty, ask the professor. There is no warning: if you are caught cheating or violating any of these rules, you might be banned from the course.
Communication
If you have any question or request that cannot be shared publicly, send us a mail at [email protected].
Credits
The CTF platform has been designed by Marco Squarcina and Mauro Tempesta based on previous work for the Security course at Università Ca' Foscari and for the CyberChallenge.IT training program. Lorenzo Veronese contributed to the CTF platform.