Platform Tutorial


Codesafe Testing

Start here! This will be a tutorial on how to use this platform and start working on the challenges. We highly recommend completing the tutorial challenges in order.


Challenges

Welcome to Codesafe! Codesafe is a computer science education platform focused on teaching concepts and skills relevant to software engineering and software security. It is also intended to drive upskilling/reskilling for anyone looking to break into the tech industry, or at least learn how to develop software and scripts for their respective professions. Codesafe is currently under active research & development, so any feedback and participation in its research activities would be greatly appreciated!

This platform is heavily inspired by pwn.college, and behind the scenes it runs on a fork of their DOJO infrastructure, which in turn is heavily inspired by "capture-the-flag" (CTF) challenges in the field of cybersecurity. We aim to take the CTF concept to create challenges that are grounded in the software engineering experience, creating a scenario-driven, gamified learning experience that can be delivered at scale. For more information, please check out the main page of this site or reach out to skngo1@uci.edu.

You will be interacting with Codesafe's challenges through a provided workspace that can be accessed directly in your browser. The workspace is a Visual Studio Code (VSCode) development environment, meant to mimic the main experience of developing code. "Start" this challenge, and then you can interact with it by clicking on "Workspace" in the site's navigation bar or "VSCode Workspace" in the pop-up after the challenge has successfully started.

If you are unfamiliar with VSCode, here are the quick basics to get going:

  • To open a terminal: Click on the three-lines icon at the top-left, hover over "Terminal", and click "New Terminal".
  • To open up a specific folder in the left-hand sidebar: Click on the three-lines icon at the top-left, hover over "File", click on "Open Folder...". In the pop-up, you can then specify the folder you want to open up.
    • When opening up the VSCode workspace for the first time, you should be able to simply click on "Open Folder" to get to the pop-up.
  • If you'd like to change it to dark mode: Click on the gear icon at the bottom-left, hover over "Themes", click "Color Theme", and click on one of the themes listed under "dark themes".

For each challenge, make sure to read these descriptions! They will often have instructions to help you get started and also teach you something new.

To complete this challenge, open up a terminal in the VSCode workspace and then run the following commands:

$ cd /challenge
$ ./start_here

'start_here' is a Python script you can directly execute, and it will give you the flag to complete this tutorial challenge. The flag can then be copy-pasted into the "Flag" input box in the challenge's drop-down (right below the "Start" button) to complete the challenge. Your goal in each challenge is to follow the instructions and complete what is asked to get the flag.

You should be able to copy-paste the flag from the VSCode workspace terminal to the main site.

NOTE: You can also run start_here with $ python3 start_here in the /challenge folder. Normally the two invocations are interchangeable, but on this platform permissions are set up so that you cannot simply read the flag yourself, so you MUST run 'start_here' as $ ./start_here for it to successfully read the flag and print it in the terminal. If you use $ python3 start_here, the script will execute but will be unable to read the flag.

In addition, you won't always be able to read everything in the /challenge folder. We will explain more in the next tutorial.

If you have played in cybersecurity capture-the-flag (CTF) events before or have self-studied cybersecurity on pwn.college, you may already be familiar with how CTF challenges work: you start the challenge or access the challenge environment however it's hosted, and then you do what is hinted at in the challenge to get a string of pre-set or random text, or the "flag", to submit to get points. There are a variety of CTF challenge categories out there, such as reverse engineering, binary/server exploitation, web security, cryptography, etc. But most CTF challenges do not really cover programming/software development apart from any scripts you may write to help solve a specific challenge. This is to be expected since CTF events are grounded in teaching and testing cybersecurity skills.

We aim to take the CTF concept to create challenges that are grounded in the software engineering experience, creating a scenario-driven, gamified learning experience that can be delivered at scale. And so, a majority of challenges on Codesafe will involve writing and modifying provided code in the VSCode workspace to complete the given tasks of a challenge, running the provided test cases through a 'checker' Python executable (often named checker), and getting the flag in the terminal if you have successfully completed the challenge.

You will always be working in the /challenge folder of the environment (these descriptions will specify otherwise if needed), so you can set your VSCode workspace to only have the /challenge folder loaded in the left side-bar. Revisit the first tutorial challenge if needed!

If your left side-bar in VSCode is set to only have the /challenge folder, you will see the following files/folder relevant to the challenge:

  • backup - This folder will contain a non-writable copy of the original provided code that you can copy over into the file you are supposed to modify in /challenge if you need to start over.
  • checker - You will run this Python executable when you want to check your current solution to the challenge. Make sure to always run it as $ ./checker in the terminal. The name of this file may vary per challenge. You will not always be able to read this file in VSCode, which is intentional! In some challenges, being able to read the checker script will give away the intended solution. The file permissions can be configured so that you can execute the script, but not read it.
  • DESCRIPTION.md - This is the same description you read in the original challenge's description back on the main site.
  • modify_me.py - You will modify this file as specified in the task of this tutorial. The name of this file will vary per challenge.

To complete this challenge, simply modify hello_world() in modify_me.py to return "Hello World". After doing that, open up a terminal in the VSCode workspace and run the following commands:

$ cd /challenge
$ ./checker

NOTE: The VSCode workspace will not automatically refresh for you when switching to a new challenge. You will need to close out of the tab with your workspace and then open a new one after starting a new challenge.

Because of how the Codesafe platform is designed, particularly how each challenge and development environment is individually provisioned to you when you start a challenge, the code that you modify and write does NOT persist between challenges or when you restart a challenge. In addition, there is currently no one-click option to "save" your code for a challenge in progress and then come back to it the next day - challenge instances are automatically destroyed after a few hours.

If you would like to save your work, there are two options to do so:

  • Option #1: You can copy-paste your work into a file that you own and control (e.g., text doc on your own machine, Google Drive, GitHub). We ask that you not share your solutions publicly or with others.
  • Option #2: You can copy the file designated for modification of a challenge to the /home/hacker directory. pwn.college's DOJO infrastructure allows this directory to be persistent for your account.

NOTE: This platform could be reset at any time while it is under heavy testing and development, so you may still lose what you have in the /home/hacker directory (as all accounts are also deleted if the platform is reset). We recommend that you go with Option #1 at this time.

To complete this tutorial challenge, create a file in the /home/hacker directory, either through the VSCode interface or through the command line, and name it i_have_persistence.txt. The text you put in there does not matter, but you can write whatever you'd like and check that it is exactly the same in a future challenge (if this is not the case, please let us know asap).

After completing the above, run the checker script in /challenge as instructed in the previous challenge.

