Assignment 1
Assignment 1 is due 1/23/18 on or before 11:59:59pm MST.
Part 1 (5 points)
Sign up for the course mailing list. Please provide your ASURITE ID number when you register so that we can give you credit for signing up.
Part 2 — Bandit (40 points)
For the homework assignments in this course, you will be hacking on a Linux server. The goal of this assignment is to familiarize yourself with accessing a Linux environment via SSH, along with developing skills on command line interaction and wargames.
First, register for a wechall account. You will need to submit your wechall username so that we can track your progress on the levels. After registering, you will need to link OverTheWire.org to your wechall account by doing the following:
- Click “Account” on the top of wechall.net
- Clink on the “Linked Sites” button
- On the “Select a site” dropdown, select “OverTheWire.org”
- Then click the “Link Site” button
Now, OverTheWire.org should show up in your list of linked sites, and we will be able to track your progress on Bandit from your user profile.
Then, the goal is to reach level 20 on the overthewire.org Bandit challenges.
Before you start, be sure to read how to register your bandit progress with wechall and do so. This way, your bandit progress will be captured on wechall, which we will use to grade your progress.
Also, keep track in your README how you solved each level.
Note that Bandit is an open system, and the goal of this assignment is to practice and develop your own skills, so be honorable and do not read walkthroughs.
Submission Instructions
You will need to submit a README. Your README file must contain your name, ASU ID, wechall username, and a description of how your broke each level.
Part 3 — C Backdoor “Web Server” (55 points)
A critical part of establishing persistence on a system is to leave a “backdoor” that allows the hacker access to the system at a later date, without exploiting the same vulnerabilities (they may be fixed in the meantime). In this assignment, you’ll explore writing a backdoor that pretends to be a web server. A web server makes a great pretense for a backdoor, because web traffic is so prevalent it does not raise red flags and ports 80 and 443 are frequently permitted through firewalls.
Your goal is to create, in C, a minimal HTTP 1.1 server, based on RFC 2616 from scratch, without using any libraries except for the C standard library.
The name of your backdoor executable will be normal_web_server
Interface
You must implement the following command-line interface for your server:
./normal_web_server <port>
Your server should listen for incoming connections to the given port, and respond to most requests with a valid HTTP 1.1 response with the 404 HTTP response code.
It is important that your server support valid HTTP 1.1 requests from HTTP clients (otherwise your backdoor will be detected), and your server should not cause the client to hang or otherwise malfunction.
The backdoor functionality is that when your server receives a GET
request for a URL in the form of /exec/<command>
, then your server
should take <command>
and execute it using the
system
libc function and the HTTP response will
be the stdout of the executed command. The HTTP status code of the
response should be 200
. Note that there are no limitations to the
characters in <command>
, in other words, your program should capture the rest
of the requested URL from the /
after /exec
to the end of the URL.
For instance, an HTTP GET of /exec/ls
will return an HTTP response
with the body of the output of the execution of the ls
command on
the server. An HTTP GET of /exec/ls%20-la
will return an HTTP response
with the body of the output of ls -la
.
When the server is killed (Control-C via command prompt or the SIGINT signal is sent to the program), the server should release the port and safely terminate.
Implementation
Your program must work on Ubuntu 16.04 64-bit with the default packages installed. You’ll probably need to set up a virtual machine to do your development.
Network Server Programming Resources
These are some resources that prior years have found to help in writing networked server application:
Submission Instructions
You will need to submit your source code, along with a Makefile and
README. The Makefile must create your executable, called
normal_web_server
, when the command make
is ran. Your README file
should contain your name, ASU ID, and a description of how your
program works.
Extra Credit
Implement gzip encoding in Part 3 so that if the client supports gzip encoding, then the server sends the result of the command with gzip encoding.
Submission Site
Create an account to submit your homework on the course submisison site.
Please don’t forget your password.