Secure Programming Methods (MTAT.07.015), spring 2024/25


Homework 2 (10 points)

Please submit your report to secprog at cyber dot ee by April 18th 2025, 23:59 (EEST) .

Description

Your friend is the lead developer at a new startup. They were tasked with developing a lightweight file encryption tool. As it needed to be delivered fast, your friend decided to use an open-source Python GUI and implement their own "super strong" encryption.

As your friend is really confident in their crypto skills, they asked you to try to obtain the super secret flag found in encrypted.zip. To test your knowledge, your friend added an extra step to the process - the zip file is password protected.

Your goal is to leverage the knowledge found in the files hint.txt and encrypted.zip, reverse engineer the provided functionality, and obtain the encrypted flag in super-safeXX.encr. The flag format is: flag{uniqueFlagText}.


Expected output

A formal report that

  • briefly summarizes which approaches you tried (what worked and what did not);
  • describes the methodology and tools that you used;
  • provides a Proof-of-Concept (PoC) for obtaining the unique flag from super-safeXX.encr; this can be a set of steps, screenshots, or a PoC script with explanations. We need to be sure that you understand the vulnerabilities that you exploit. In this part, it is mandatory to include screenshots from your actual penetration testing process;
  • describes any other vulnerabilities or bad coding practices that you discovered during the process and that are relevant to the application.

Use the report template (inside the zip) as a basis. You can write the report with whatever tool you prefer, but you will need to submit a PDF!


Grading

This homework is meant to be done individually. If you get stuck or run out of ideas, we encourage you to ask us for hints: write to secprog at cyber dot ee, describe which attack vectors you have tried, and we will try to nudge you towards what you might have missed.


Usage

  • Unzip the application files;
  • Not required, but recommended: create and activate a Python virtual environment before proceeding to the next step with
    python3 -m venv .venv && source .venv/bin/activate;
  • Install dependencies with pip install -r requirements.txt;
  • Run the application with python3 Encrypt.py.