Before submitting to the User-Generated Content (UGC) program, please be sure to review this FAQ in detail. All information requested in the submission form, as well as the expected details for the actual submission, are covered here.
- How to Build a Vulnerable Virtual Machine
- Grouped and Chained Machines
- Automatically Declined Submissions
- Base System Requirements
- Difficulty and Flags
- Virtual Machine Deliverables
- Submission Archive
- AI Usage
- Walkthroughs
- Additional Questions
How to Build a Vulnerable Virtual Machine
The basic premise of a vulnerable virtual machine is to host any vulnerable application (web or non-web) and create a scenario whereby the software, service and/or misconfiguration can be exploited.
Skills learned in academic programs or through practical experience contribute heavily to the quality of your build.
Your concept process can be summed up with the following steps:
- Collect information regarding your proof of concept (PoC) build
- Build your virtual machine (VM) by installing the operating system and the vulnerable software, or creating misconfigurations which can be exploited by an attacker
- Set the hostname of your VM
- Test your vulnerable software to confirm that the exploit chain is working
- Review your build and implement fixes where needed
- Add your local.txt and proof.txt flag files
- Add in any required firewall rules
- Clean up any leftover and old log files
- Clean up the bash history for all users
- Create your walkthrough and all other required documentation
- Submit your machine concept for review, not a built VM
A build script must be created and included in your UGC submission, which allows OffSec to create your vulnerable machine or chain, if your concept is accepted.
Grouped and Chained Machines
OffSec is accepting "Grouped" and "Chained" machine concepts.
Automatically Declined Submissions
Your submission may not contain any of the following:
- Hate speech or any forms of discrimination
- Plagiarized content
- Copyrighted content of any nature
- Adult/sexual/lewd content
- Profanity in passwords or applications
Base System Requirements
Please ensure your system does not exceed these maximum specs:
- 2 x CPU
- 2048MB RAM
- 20GB HDD
Difficulty and Flags
The difficulty of the target is a matter of the skill set of the attacker. Each submission must contain a method to determine the "success" of compromise via the use of flags.
- Direct-to-root box: one flag in /root/proof.txt
- Privilege escalation required: two flags — /home/lowprivuser/local.txt and /root/proof.txt
Virtual Machine Deliverables
Your Virtual Machine submission should include at a bare minimum:
- Build script
- Detailed build guide in Markdown
- Walkthrough in Markdown and PDF formats
- MITRE map alignment
Docker Usage
We want to provide clear guidance on Docker usage in your submissions to avoid unnecessary delays or declines during review.
Docker is accepted under the following condition:
- Your submission includes a Docker escape or exploitation as part of the attack chain, ultimately leading the attacker to gain root privileges on the host machine. In this case, Docker is a meaningful and intentional part of the exploitation path.
Docker is not accepted in the following cases:
- The machine is built on Docker with no meaningful path forward or no Docker escape involved.
- Docker is used purely as a convenience for building or hosting the challenge with no relevance to the exploit chain.
We may make exceptions in cases where Docker usage is considered near-essential to the concept - this will be evaluated on a case-by-case basis during review. However, we strongly encourage you to submit without Docker unless it is a core and intentional part of the exploitation path.
Submission Archive
This is one of the most important fields on the submission form. There is an 8GB limit on the archive and it must not be password protected.
Please ensure that the following items are included in your archive:
- Build script in Bash (Linux VMs) or PowerShell (Windows VMs)
- Build guide in Markdown
- Walkthrough in Markdown (.md) and PDF (.pdf) formats
- Text file containing usernames and passwords for all accounts
⚠️ Important: Do not include virtual machine files (.ova, .vmdk, .vmx, or other VM images) in your submission archive. Including these files significantly increases archive size and may cause submission failures. Only include the documentation and supporting files listed above.
AI Usage
The use of AI tools is permitted within this program; however, authors must exercise independent judgment and avoid over-reliance on AI-generated content. AI systems inherently follow predictable patterns, which can compromise the uniqueness and quality that are fundamental to the User-Generated Content (UGC) program.
Acceptable AI Usage
AI assistance is permitted in the following contexts:
- Generating or refining build scripts for an existing, independently conceived concept.
- Populating test data, including databases, user accounts, and web page content.
- Brainstorming and idea exploration during the initial concept sketching phase.
Note: Authors should exercise caution when using AI for ideation, as AI-generated suggestions tend to follow recognizable patterns that may reduce originality and thus reduce the likelihood of acceptance.
Non-Acceptable AI Usage
The following uses of AI are prohibited:
- Generating the walkthrough: Refer to the Walkthrough section below for detailed requirements.
- Generating passwords, tokens, or secrets: AI-generated secrets follow predictable patterns, resulting in values that are effectively identical across different submissions.
Examples of commonly observed AI-generated secrets include:
X-TOKEN: <value>
v3ct0rDB_r0cks!2024
xyz-api-k3y-1390yZq
/usr/local/bin/PLACEHOLDER-helper
/tmp/rootbash
- Selecting or deciding on vulnerabilities to incorporate: AI tools tend to gravitate toward a recurring set of vulnerability types, leading to repetitive and predictable challenge concepts. Commonly over-represented examples include: Basic SSTIs, Gitea, MQTT, SpEL Injection, GraphQL Introspection, Python Pickling, SSRFs, Tar Injection, PATH Poisoning, SUID Binaries, Cron Job Script Modification, SeBackupPrivilege.
Note: The above vulnerability classes are not inherently prohibited. The concern is that AI-generated concepts built around these techniques are frequently overly straightforward and lack the depth expected of original submissions.
Submissions that are determined to be predominantly or entirely AI-generated - with little to no original author contribution - are not acceptable under the UGC program. The following measures will be taken:
- First instance: Author will receive a formal warning and be asked to revise and resubmit.
- Second instance: The author will be suspended from submitting labs to the program for six (6) months.
- Third instance: The author will be permanently banned from participating in the UGC Program.
Walkthroughs
All walkthroughs must adhere to the following standards to ensure clarity, completeness, and verifiability.
Format Requirements
- Walkthroughs must be submitted in PDF format.
- Screenshots must be included to illustrate the essential exploitation path, serving as proof that the concept has been built and is functioning correctly.
- A screenshot is not required for every individual step; however, all critical steps must be visually documented.
Content Requirements
- All steps must be described clearly and in sufficient detail.
- Tokens, exploit code, and payloads must not be truncated or omitted.
- Any file paths or system-specific values required when crafting an exploit must be explicitly shown, including the method used to obtain them.
- Command outputs must be included for each command in the walkthrough.
- Walkthroughs generated, drafted, or substantially written by AI are NOT permitted.
Exceptions to the above requirements may be considered on a case-by-case basis.
Additional Questions
If you have any additional questions not covered in this FAQ please contact us at ugc(at)offsec(dot)com.