Date: 2025-04-23
COMP6[48]43 25T1
Final Exam
Marks: 50% of overall marks for the course.
Date/Time: TBD
Duration: 3 hours
Mode: Online
Version: v1.0.0 (see changelog)
Weighting
This exam is worth 50% of your overall marks for the course.
The final exam is split into three parts: A, B, and C. All three parts have equal weighting
(i.e. ~16%). If you submitted a midterm exam, the maximum of your final Part A and your
midterm mark will be used.
In other words:
final_exam_mark = max(midterm_exam_mark, part_a_mark) + part_b_mark + part_c_mark
Task
The final exam is a series of challenges (similar in style to the topic challenges) and
written answer questions, similar to the midterm.
Answers are to be submitted in a text file. A template answers file will be available for
download from the exam page. There are free marks available for using the template
correctly (see Marking).
Exam Platform
The exam can be accessed from https://final.quoccacorp.com.
An mTLS certificate is required to access the exam. If you do not have this set up (i.e.
you don’t get a flag when you visit https://whoami.quoccacorp.com), follow the guide at
https://webcms3.cse.unsw.edu.au/COMP6443/25T1/resources/107933 or ask for assistance
on Ed (or from your tutor) prior to the exam.
Forum Use During the Exam
During the exam, Ed forum posts will be restricted to private only. If you encounter a
technical issue with a challenge that you believe is unintended or other questions/issues
during the exam, it should be posted privately to the forum. Known issues, updates and
similar will be posted on a ‘megathread’ pinned to the top of the forum. You should check
this post regularly (every 5-10 minutes) for updates.
Challenge Design
Unlike the topic challenges, exam challenges are designed to be approachable within an
exam’s timeframe. Challenges will tend to have a single point of focus, often a prominent
feature such as a login form, search bar, query parameter, upload box, etc. We aren’t
making these features the only interesting thing on the page for fun; they are there for
you to focus your attention on. It is up to you to determine how this feature is vulnerable
and can be exploited.
The challenges are not necessarily in order of difficulty. If you are stuck on one,
write some ideas down and move on!
Challenge Writeups
For challenges, you need to write a ‘writeup’ consisting of the steps you took attempting
to solve the challenge. This can be in dot points - we are assessing your understanding,
not your communication, so rough writing is fine.
You should include not only things (i.e. ideas, payloads, etc) that worked, but also:
• things you tried,
• ideas for other things to try,
• ideas about what the vulnerability is,
• any other information you’ve gathered from the challenge that you believe is important,
• what that information may imply about the vulnerability, etc.
Hopefully, you can also include the flag too!
Here’s an example of a good writeup (3/4) that did not find the flag for the challenge
‘MFA’ (Topic 2):
Was presented with a login page. Tried admin:admin and got a 2FA prompt.
Got a Flask session (data is in the first segment) with `{"mfa_check_for":"admin"}`.
Should be on the lookout for a flask secret key.
Signed up on register page and got my own MFA QR code.
Was able to login with my new account but the flag is only available to admin.
Checked the MFA app and the secret looks random but kind of short. Could it be
bruteforced?
Running out of time so moving on.
Here’s an example of a poor writeup (1/4) that did find the flag for the same challenge
(redacted to avoid spoiler):
Logged in with TOTP secret .
Content Scope
Each part of the exam is aimed at assessing different parts of the course:
• Part A covers the core content from Week 1 through Week 5, the same content as the
midterm, in addition to the week 5 content.
• Part B covers the core content from Week 7 through Week 10.
• Part C is different for the core and extended courses, but both versions will cover
content across the whole term.
‣ The extended Part C will assess content from extended lectures (that have been
recorded).
Marking
Each question will have a number of marks written with it. The total number of marks will
be available during the exam.
Challenges will be out of 5 marks. These 5 marks are split, with 1 mark for finding the
flag and 4 marks (that’s eighty percent!) dedicated to the writeup.
If you do not write a writeup for a challenge, you have lost 80% of the marks available. If
you write down some things you tried and/or your suspicions of what the application is
doing, you’ve gotten at least 1/5, probably 2-3.
There is no difference in marking between the courses for Parts A and B. As Part C will be
different between the courses, their marking criteria will differ depending on the question.
Submission
Your answers file must be submitted as a text file (.txt) to Moodle. A 2 mark bonus is
given to students that correctly use the template file.
Plagiarism
UNSW takes plagiarism very seriously and if you are found to have engaged in plagiarism
there can be major penalties. Plagiarism at UNSW means using the words or ideas of
others without giving clear credit, i.e. passing them off as your own.
You should read the full text of UNSW’s policy regarding academic honesty and
plagiarism: https://www.student.unsw.edu.au/plagiarism
If you have any questions about any of this please ask us. You really don’t want to
accidentally fall foul of the plagiarism rules.
Use of AI
In completing this assessment, you are permitted to use standard editing and referencing
functions in the software you use to complete your assessment. Students are permitted
to use translation, spell-check, and grammar correction tools only. You must not use any
functions that generate or paraphrase passages of text or other media, whether based
on your own work or not.
If your convenor has concerns that your submission contains passages of AI-generated
text or media, you may be asked to account for your work. If you are unable to
satisfactorily demonstrate your understanding of your submission you may be referred to
the UNSW Conduct & Integrity Office for investigation for academic misconduct and possible
penalties. For more information on Generative AI and permitted use please see:
https://www.student.unsw.edu.au/assessment/ai
Changelog
• v1.0.0 (2025-04-11) : Initial release.
