Hasso-Plattner-Institut: 25 Years of HPI

CTF: Cops & Robbers (Summer Semester 2022)

Lecturers: Dr. Feng Cheng (Internet Technologies and Systems), Daniel Köhler (Internet Technologies and Systems), Leonard Marschke (Internet Technologies and Systems)

General Information

  • Weekly hours per semester: 4
  • ECTS: 6
  • Graded: Yes
  • Enrollment period: 01.04.2022 - 30.04.2022
  • Examination date per §9 (4) BAMA-O: 13.06.2022
  • Teaching format: Seminar / Project
  • Enrollment type: Compulsory elective module
  • Language of instruction: English

Degree Programs, Module Groups & Modules

IT-Systems Engineering BA
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-G Fundamentals
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-V Specialization
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-G Fundamentals
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-V Specialization
  • SAMT: Software Architecture & Modeling Technology
    • HPI-SAMT-G Fundamentals
  • SAMT: Software Architecture & Modeling Technology
    • HPI-SAMT-V Specialization



This experimental project seminar is about learning and training with the advanced techniques of practical system and network security. We will have two teams (each with about 5-6 members) challenging each other and the tutoring team within three challenges - with changing roles either as attackers or defenders of a target IT system. For each challenge, the teams will have to prepare their arms: setting up a secure system (under given constraints) for the defenders, choosing and testing recon and penetration tools for the attackers. After preparation, the teams will hold a supervised Capture-the-Flag live challenge.

During the whole seminar, we will have a meta-challenge as each team has to provide the tutors a wiki, which contains all information about the team's progress.

Besides the challenges, each participant is expected to select a security-relevant topic, research it (reading and testing), and give a short presentation (15-20 mins) during the seminar.

Topics for the challenges:
    1. System- and Network Security
    2. Web- and Service/Application Security
    3. Managing large environments (combination of first two topics in a larger environment)

Also check out the latest EvaP of the last iteration of this course.

Important Notices:

  • We are not guiding you in hacking, and participation in this seminar is not an excuse for any kind of malicious action against unauthorized resources on the Internet!


It is expected that the participants have successfully finished the lectures/seminars:

  • Internet- und WWW-Technologien
  • Internet Security - Weaknesses and Targets

Additional fields of knowledge, which might help you (but are not required):

  • Networking technologies (TCP/IP, Switches, VLANs, ...)
  • Server administration (Linux, SSH, Hardware management, ...)
  • Operating Systems (Management, Internals, ...)
  • Monitoring/Logging-Techniques
  • Experience with VMMs

Please keep in mind that this seminar is highly dependent on team effort.


Learning and Teaching Formats

Students will be divided into two groups. For the first two challenges, each group is either the red (attackers) or blue (defenders) team. The blue team prepares a network scenario for the red team.

After scenario preparation, the red team is allowed to attack the scenario for several hours in a live hacking session. During this session, the blue team's task is to surveil the red team. Both teams will then present their findings a few days later.

After the first two challenges, we will prepare a third challenge with an even more advanced scenario, covering additional topics. For documentation purposes, each team has to write a report about this challenge.

During the semester, each student will prepare one short individual introduction to attacking and defending techniques, which might be used in the scenarios later on. These presentations will be held before the challenge preparations start.

Possible interesting topics:

  1. Password Security and new Authentication Methods
  2. Security of Mobile OSes and Apps
  3. Security of Social Web  
  4. Web Security: SSL/TLS, Web Application Firewall (WAF), ...
  5. Email Security: Signature, Encryption, Spamming, Phishing, ...
  6. IoT Security: Home Automation, Vehicle, ...
  7. Virtualization and Cloud Security 
  8. Switch, Router, Gateway, and Firewalls
  9. Intrusion Detection (IDS/IPS)
  10. SSH Tunneling and Virtual Private Network (VPN)
  11. IPSec, IPv6 and the relevant Security Issues
  12. Network Scanning and Monitoring
  13. Complex Attacks and APT
  14. SIEM and Security Analytics
  15. Attack Category and Vulnerability Modeling
  16. ...


(subject to change)

Overview of all grade-relevant parts:

  1. Wiki (log of your activities): 15%
    1. Accuracy of your activity log
    2. Uptime
  2. Challenge One: 20%
    1. Achievements (red team)
    2. Presentation
    3. Preparation (blue team)
  3. Challenge Two: 20%
    1. Achievements (red team)
    2. Presentation
    3. Preparation (blue team)
  4. Individual Introduction/Presentation: 15%
  5. Challenge Three: 30%
    1. Achievements
    2. Report (Documentation in your wiki in PDF format)

We will award bonus points for additional activities leading to information disclosure of the other team. Please note: You are not allowed to attack any resources other than those (servers, VMs, ...) you receive from the tutors during the seminar. Additionally, you are required to check with the tutors before any action.


(to be updated following further adaptations from Uni-Potsdam and HPI on the general semester organization)

We will start with an introductory session at the beginning of the semester. During the semester, you are expected to prepare your short individual presentation. After the semester, we'll hold the challenges in a block-seminar style.

  • Introductory Session: 2022-04-21 3:15 p.m. - 4:45 p.m.
  • Team and personal topic selection: 2022-05-23 3:15 p.m. - 4:45 p.m.
  • Wiki setup
  • Individual Presentations part one: 2022-06-13 3:15 p.m. - 4:45 p.m.
  • Individual Presentations part two: 2022-06-20 3:15 p.m. - 4:45 p.m.
  • Individual Presentations part three: 2022-06-27 3:15 p.m. - 4:45 p.m.
  • Individual Presentations part four: 2022-07-04 3:15 p.m. - 4:45 p.m.
  • Individual Presentations part five: 2022-07-11 3:15 p.m. - 4:45 p.m.
  • Kick-Off Challenge One Attacker: from 2022-08-17 10 a.m.
  • Kick-Off Challenge One Defender: from 2022-08-18 10 a.m.
  • Challenge One preparation phase (expect full time, all days)
  • Hand-In Challenge One: 2022-08-27 11:59 p.m.
  • Court Challenge One: 2022-08-29 1:30 p.m. - 2 p.m.
  • Session Challenge One: 2022-08-30 10 a.m. - 4 p.m.
  • Presentations Challenge One: 2022-09-01 10 a.m. - 11:30 a.m.
  • Kick-Off Challenge Two Attacker: from 2022-09-01 1 p.m.
  • Kick-Off Challenge Two Defender: from 2022-09-02 10 a.m.
  • Challenge Two preparation phase (expect full time, all days)
  • Hand-In Challenge Two: 2022-09-11 11:59 p.m.
  • Court Challenge Two: 2022-09-13 1:30 p.m. - 2 p.m.
  • Session Challenge Two: 2022-09-14 10 a.m. - 4 p.m.
  • Presentations Challenge Two and Court Challenge Three: 2022-09-16 10 a.m. - 12:30 a.m.
  • Session Challenge Three: 2022-09-19 10 a.m. - 2022-09-21 7 p.m.

For room information and other updates, please subscribe to our Cops and Robbers calendar (ICS, CalDav).

To pass the course, you have to attend all presentation sessions as well as all challenge sessions.

If you have any questions regarding the dates of the seminar, do not hesitate to ask us directly.