Deutsch Intern
    Data Science Chair

    Praktikum: Offensive Security Lab: Building and Solving CTF Pentesting Challenges

    Veranstalter: Dr. Daniel Schlör


    Umfang: 5 ECTS / 10 ETCS

    Scope

    This practicum is a hands-on security lab centered on building a coherent Boot2Root CTF challenge, proving solvability with automation, and a cross-solve round (you and a fellow student swap targets: each attacks the other's box and writes it up) grounded in telemetry.

    You will work from the course script (distributed during this practicum), which covers design, attack surface, provisioning, logging, and observability. Your main activities are:

    1. Challenge design and implementation (intentional attack path, fair difficulty, reproducible build).

    2. Auto-solve (reproducible, scriptable proof of the full chain).

    3. Cross-solve round with an exchange partner: each of you attacks the other's machine and documents the run in a cross-solve report.

    4. Author response and log reconciliation: map your partner's cross-solve story to what appears in Elasticsearch, note blind spots, and iterate on logging or documentation so important steps stay observable.


    Kurzbezeichnung Praktikum: SS26_offsec-ctf-lab

    WueCampus-Kurs: https://wuecampus.uni-wuerzburg.de/moodle/course/view.php?id=79101 (key: offsec-ctf-lab-2026)

     

    Konzept

    In the course "Offensive Security Lab: Building and Solving CTF Pentesting Challenges," we explore ethical hacking from a new perspective. In the first phase, course participants build their own intentionally vulnerable virtual machines based on capture the flag challenges (hack the box, tryhackme, etc.), which offer an interesting and challenging attack surface across various pentesting phases, taking into account interesting recent research and vulnerability findings.

    In the second phase, the machines are made available to the other course participants as a challenge, who attempt to compromise them and find the respective flags. In the process, both the thought process and the procedure for solving the challenge are documented and formalized in the form of professional pentest reports and write-ups.