Due: Saturday, Oct 8 11:59PM


Everybody is talking about TickTock’s roaring success in the vast online community of timekeepers! In fact, we’ve had so much success that we’re starting to draw in a few competitors.

Our investors aren’t too pleased about that, so would you mind hacking into them for us? 🥺 🥺 🥺


The midterm will be conducted in Virginia Cyber Range, just like the assignments. All of the machines that you are tasked with attacking are under the sundyl.lab domain in VCR; you can get started by visiting http://www.sundyl.lab after you get logged in.

Note: as I have mentioned in lecture, you may look up any resources that you like for this exam, including your notes and previous lectures. Your only limitation is that you may not ask other students or people outside of class for help on the problems. (You may direct questions to me, but in general I will not be offering much assistance on the exam.)


As in your labs, for this midterm you will need to find a series of flags by completing various objectives. Each flag is formatted like


where PROBLEM indicates what problem the flag corresponds to and how many points its worth.

The midterm is worth 14 points in total. At the end of the midterm you will need to submit a written report detailing how you got each of the flags and proposed defenses for vulnerabilities you found; see the grading section for more details.

Note that there are 19 points worth of flags in total. You only need to choose enough problems to get 14 points (but keep in mind that you may only get partial credit for problems with incomplete or partially incorrect answers). There’s no extra credit for getting more than 14 points.


Your final submission should include the flags that you found, as well as a writeup (minimum 300 words) of how you found them. Each flag requires you to include some more specific information as well; in order to get full points, you must include a description of how you got the flag alongside the other relevant details listed for that flag.

At the end of the midterm, you will be graded on the thoroughness and accuracy of your answer weighted by the point value of the flags you collected.

Note: some flags can be obtained through alternative means than their “intended” method (e.g. hypothetically, finding the XSS flag without actually performing an XSS). For such flags you will get partial credit for submitting the correct flag and for providing your means of discovery.

However, if the flag requires you to propose a defense or mitigation for its respective vulnerability, that defense/mitigation must be related to the intended attack vector. So in the XSS example from before, you would need to propose a defense against an XSS-based attack vector in the site.

Desktop environment

The desktop environment for the midterm is identical to that of labs 2 and 3. You should already have the following tools installed:

  • ffuf
  • Metasploit
  • Nmap
  • sqlmap

In addition, there are some pre-installed wordlists available for you to use in /usr/share/wordlists.


SQL injection: 2 points

Flag format: flag{sqli:...}

There is a SQL injection vulnerability on the site. Exploit it in order to find the sqli flag.

You should detail how you found the vulnerability, along with proposed defenses and/or mitigations for it.

CSRF: 3 points

Flag format: flag{csrf:...}

The logout button is vulnerable to cross-site request forgery. Launch a CSRF attack to log yourself out of your account from a different domain.

You should detail how you found the vulnerability, along with proposed defenses and/or mitigations for it.


  • After performing the CSRF attack successfully, you should be able to see the flag in your profile after your next login.

  • In order for your CSRF attack to be valid, it must (a) be launched from an http:// site that (b) is not http://www.sundyl.lab.

User enumeration: 2 points

Flag format: flag{users:...}

There is one additional user on the server who is not a member of the staff. You can find the flag in their user bio.

Your writeup should include details about who the user is and how you identified them.

Wildcard flags: 1 points / each (up to 4 flags)

Flag format: flag{wildcard:...}

In addition to the flags listed above, there are four “wildcard” flags hidden throughout the environment that you can find in various ways. Each of these flags is worth 1 point.

Cross-site scripting (4 points)

Flag format: flag{xss:...}

Perform a cross-site scripting attack on the support staff to trick them into following you.

Your report should include a description of the attack and any HTML / JavaScript code that you used to complete it. You should also detail the method that you used to get the support staff to trigger the attack.


  • After performing the XSS attack successfully, you should be able to see the flag in your profile after your next login.

  • Note that it may take a few seconds for the support staff to visit a link that you send them.

  • If you look carefully, you can see that there is explicitly a CSRF token protecting the follow button against CSRF attacks. Maybe there’s a different way you can perform your attack…

Remote code execution (4 points)

Flag format: flag{rce:...}

Perform a remote code execution attack against the site.

Once you’ve performed your remote code execution, you will find the flag in /setup/flag.txt.


  • msfvenom is not necessary for this problem, but if you choose to use it, the payload that you’ll most likely want to use is cmd/unix/reverse_bash, with only the LHOST and LPORT options set.

  • There is exactly one machine that (intentionally) has a remote code execution vulnerability. (That said, if you manage to find a valid RCE on a different machine, I will happily give you the RCE flag myself.)

  • There is a timeout built into the vulnerable service that will automatically kill your payload within 75 seconds after it is first run. This is built-in to ensure that if you make a mistake that causes the exploited server to hang you’re not left waiting forever, and should give you enough time to read the flag.

General hints

  • If you start getting stuck going down one path, maybe try a different approach. For the most part there aren’t any rabbit holes in this midterm (although there is certainly a little bit more you can find under the surface).