Mission Possible: Capturing the Digital Flag

On any given Tuesday, six Taft students can be found tucked into a closed-network classroom in a remote corner on the third floor of Wu. They are hunched over their laptops, working in pairs, generating a low but steady murmur of voices that is occasionally punctuated by a few deliberate clacks of a keyboard, followed by revelatory shouts—a mixture of relief and celebration. Drill down to their screens, and there it is: The Impossible Mission Force web page. Espionage? While there is no sign of Ethan Hunt or any other IMF operative, Post-AP Computer Science Teacher Michael Scaramuzzino might be overheard suggesting that students “do an SQL injection in the password field of the website.” Is he advising them to hack websites? SQL injection is, after all, one of the most common web hacking techniques. It can completely destroy a database...

“The students are actually playing a game I call ‘Hack the Box,’” says Scaramuzzino. “It plays out like a series of capture the flag games where pieces of data are hidden throughout the server. Students must apply various security techniques to locate vulnerabilities—flags—on different computers and networks, and ‘capture’ them.”

A flag is a value that signals a function or process in the code. In Hack the Box, the students are looking for flags that seem to reflect irregular alterations to normal functioning—pieces of data that represent system vulnerabilities. According to Scaramuzzino, the server in the closed-network classroom hosts multiple vulnerable computers with proprietary IP addresses. Those addresses allow students to safely connect with “hacked” systems as they search for vulnerabilities, some of which Scaramuzzino planted himself, others of which have been created online and uploaded specifically for this type of training.

“The goal is to teach students which attack vectors hackers utilize, and how to defend against each type of attack,” Scaramuzzino explains. “Learning how to find and correct vulnerabilities offers a look inside what a career in cybersecurity might look like.”

In their 2018 Cybersecurity Market Report, analyst firm Cybersecurity Ventures (cybersecurityventures.com) predicts that global spending on cybersecurity products and services will exceed $1 trillion during a five-year period ending in 2021. They also note that a projected shortage in trained cybersecurity professionals could lead to 3.5 million unfilled jobs by the end of the same period. That void creates not only a tremendous demand for skilled professionals, but a competitive compensation market: According to the Bureau of Labor Statistics (bls.gov), the median income for information security analysts last year was $95,510.

Cybersecurity work relies on several different computer languages, including Python, C, and C++. Scaramuzzino covered each of these languages with his Post-AP students in preparation for the game, then set up the closed-network workspace.

“Most of the sessions are very interactive,” says Scaramuzzino. “I set up the server, and the students go in and sort of explore with the goal of learning by doing.”

The exploration requires a fairly advanced working knowledge of code, meticulous attention to detail, and a good deal of patience.

“The flags are not at all obvious,” notes Julia Kashimura ’20. “We have to look very deeply into the website’s source code to find them behind the scenes. Each flag we find contains a hint to the next flag. It may be a series of letters that appear random, but when run through a decoder site, it reveals hints and important information for moving forward through the process to get to the next flag.”

The Hack the Box game is set up in rounds. Each round is a start-to-finish vulnerability assessment of one computer or network of computers hosted on the classroom server—including round seven’s IMF system hack. Students may take a week or two to complete an individual round, which involves finding, decoding, and resolving as many as 10 or 11 flags. The flags increase in complexity as the round progresses. Students earn one point for every flag, and scores are tracked on the classroom leaderboard. With rounds six and seven in play, upper mids Cierra Ouelette and Nick Baird held a slim lead over the competition.

“I think we’ve been successful by taking a kind of divide and conquer approach,” says Nick. “We bounce ideas off each other, then try out the best ones—I try one thing, Cierra tries another. We keep going back and forth until we successfully figure out what the flag is telling us about how to get to the next step.”

Success, Cierra notes, isn’t always easy or assured:

“When we found flag six, we ran a piece of code that printed out a couple of lines of text. Right now we’re trying to duplicate that line of code and it just isn’t giving us anything.”

For Ranon Larpcharern ’20, the biggest challenge lies in the very first step.

“Once you get going, you know what you’re trying to do, and know what methods you should use to move forward. But when you are just starting, there are almost too many possibilities to consider. We sometimes have to rely on informed trial and error.”

 

Post-AP Computer Science students spend one semester exploring computer security, computer graphics, and artificial intelligence, and considering how the three disciplines will intersect to drive digital innovation in the future. Participants in the course are required to sign a strict (and strictly enforced) end-user agreement governing the current and future use of the tools and skills learned in the classroom.