Homework 3 (10 points)
Please submit your report to secprog at cyber dot ee by May 9th 2025, 23:59 (EEST).
Description
A recruiter has approached you with an amazing career opportunity. Dream role, dream pay, dream location and even 10 extra vacation days! However, in order to qualify you have to complete 2 test assignments and obtain the 2 unique flags before they hire you.
Token Generator (5 points)
You are given two files: an executable called tokenGenerator and a database file called tokens.db.
The executable is designed for generating authentication tokens within a company. It has four functionalities. First, you can add new entries to the database. Second, you can search for a user's token. Third, you can list all tokens. And lastly, you can check the owner of a provided token.
Analyze all the functionalities and identify any vulnerabilities in the program. Your goal is to gain Remote Code Execution and recover the flag hidden in an environment variable named FLAG.
Login CLI (5 points)
You are given two files: an executable called login and a log file called log.txt.
Analyze the login functionality and the log file to identify any vulnerabilities in the program. Your goal is to obtain your credentials, log in and get the flag. To obtain full points you need to successfully obtain your unique flag!
Expected output
A formal report that:
- briefly summarizes which approaches you tried (what worked and what did not);
- describes the methodology and tools that you used;
- provides a Proof-of-Concept (PoC) for both tasks. This can be a set of steps, screenshots or a PoC script with explanations. We need to be sure that you understand the vulnerabilities that you exploit. In this part, it is mandatory to feature screenshots from your actual penetration testing process;
- describes any other vulnerabilities or bad coding practices that you discovered during the process and that are relevant to the application.
Use the report template (inside the zip) as a basis. You can write the report with whatever you prefer, but you will need to submit a PDF!
Usage
- Install Docker;
- unzip the application files;
- navigate to the correct directory;
- build the applications with:
docker compose build
- run the applications with:
docker compose run --rm -T python_app
- select the desired application (either 1 - Login CLI or 2 - Token Generator).