Computer Science
Summative Assignment
|
Module code and title
|
COMP2211 Networks and Systems
|
|
Academic year
|
2025-26
|
|
Coursework title
|
Cyber Security
|
|
Coursework credits
|
5 credits
|
|
% of module’s final mark
|
25%
|
|
Submission date*
|
Thursday, 6 November, 2025 14:00
|
|
Estimated hours of work
|
30
|
|
Submission method
|
Ultra
|
|
Additional coursework files
|
VM file for Virtual Box (.ova) and UTM (.qcow2)
|
|
Required submission items and formats
|
submission_comp2211_cisusername.json
|
* This is the deadline for all submissions except where an approved extension is in place. For assessments carried out in weekly practicals or other scheduled sessions, the date shown will be the Monday of the week in which the assessments take place.
Late submissions received within 5 working days of the deadline will be capped at 40%.
Late submissions received later than 5 days after the deadline will receive a mark of 0.
It is your responsibility to check that your submission has uploaded successfully and obtain a submission receipt.
Your work must be done by yourself (or your group, if there is an assigned groupwork component) and comply with the university rules about plagiarism and collusion. Students suspected of plagiarism, either of published or unpublished sources, including the work of other students, or of collusion will be dealt with according to University guidelines (https://www.dur.ac.uk/learningandteaching.handbook/6/2/4/).
COMP2211 - 2025/2026 - Security Coursework
Expected Learning Outcomes
- Exploit vulnerabilities
- Apply security techniques covered in the lectures
- Find new security techniques
- Assess system security
Context
You are provided a VM based on Alpine Server, with no GUI (see below for technical details on how to download the VM). You can access this VM using the username alpha and the password comp2211.
Important note: you are not provided the root password and you should not attempt to crack it or to access directly the VM as root. You should be able to complete all exercises without root access. Any explanation for a flag indicating or suggesting it was obtained by using root privilege will lead to no mark awarded for this flag.
Submission
Your submission needs to be prepared using the online form available at https://charlesmorisset.github.io/cw-submission/. This form. will enable you to create a JSON file named submission_COMP2211_cisusername.txt, which you then need to submit to Ultra. The form. should include:
- Your CIS username.
- A list of at most 10 flags, each one with a description box (up to 1000 characters per flag, see mark scheme).
- An optional general comment (up to 1000 characters). This box is not marked as such, but can be used to provide some general comments to contextualise, for instance, unsuccessful attempts to get a particular flag.
Do not attempt to modify the JSON file after downloading it, or to bypass the character limits.
VM Download
Please follow the same instructions provided in the practical 1 to install the relevant VM for your system. The only exception is that you should now select a i386 architecture (32 bits, rather than 64 bits).
- Windows/Linux/Mac OS Intel:OVA File
- Mac OS M1/2/3: QCOW2 File.
No redistribution policy
Due to the nature of this assignment and the amount of work that goes into preparing the VMs, you are not permitted to post or share the VMs or your solutions in the future. Similarity detection techniques will be applied on the comments for each flag to detect collision attempts.
Mark scheme (provisional and subject to change)
You can submit up to 10 flags out of the 26 flags available in the VM. For each flag, you need to provide a description (max 1000 characters), explaining the different steps you have taken to find the flag, assessing the severity of any relevant vulnerability you have exploited, and recommending any counter measures or approaches that could be used if you had found this flag within a live system. The form. allows you to check that the flags you have found are correct, in case you have any doubt.
The mark you will receive for each flag depends on the quality of the description (including explanation, assessment, recommendation) and the difficulty of each flag (see below). Up to 10 marks are available for each Difficult flag, up to 7 marks for each Medium flag, and up to 4 marks for each Easy flag.
To score full marks: your description should clearly concisely demonstrate you understand the intention behind the flag and use the most efficient technique to get the flag , possibly including code snippets when relevant; your assessment should demonstrate awareness of existing relevant attacks and vulnerabilities; your recommendation should be precisely adapted to the attack (rather than recommending every possible recommendation) and leverage the material covered during the module; your overall presentation should be clear and professional.
The flags are distributed as follows:
|
acattack
|
Difficult
|
|
accomplex
|
Difficult
|
|
aclivepolicy
|
Difficult
|
|
acenc
|
Easy
|
|
aclive
|
Easy
|
|
frequent
|
Easy
|
|
sign
|
Difficult
|
|
aes
|
Easy
|
|
cesar
|
Easy
|
|
hash
|
Medium
|
|
followkey
|
Medium
|
|
followpacket
|
Easy
|
|
cti
|
Easy
|
|
deadcode
|
Difficult
|
|
otp
|
Difficult
|
|
whatif
|
Medium
|
|
source
|
Easy
|
|
redirect
|
Easy
|
|
sql-inject
|
Difficult
|
|
session2
|
Medium
|
|
session1
|
Easy
|
|
simpleke
|
Medium
|
|
complexke
|
Difficult
|
In addition, there are 3 hidden flags classed as Difficult.
Support
- Make sure you read the How To on Blackboard.
- If you have any further question, please ask them directly on the discussion board.