Thank you for participating! Please share your writeup at CTFtime (https://ctftime.org/event/1231).
Run Challenges Locally
git clone https://github.com/wectf/2021
cd 2021 && docker-compose up
The mapping is as follows:
coin => http://localhost:4001
cache => http://localhost:4002
urlbin => http://localhost:4003
csp1 => http://localhost:4004
cloudtable* => http://localhost:4006
gallery* => http://localhost:4007
phish => http://localhost:4008
include => http://localhost:4010
ping => http://localhost:4011
csp3 => http://localhost:4012
* You have to set up the environment in the Dockerfile before building. It is commented out in docker-compose.yaml to prevent failures.
* You may want to set up the environment in auth.json and update the bucket name in main.py so as to use the upload function.
15 solves / 50 pts
Shou has a server fetish. There is a specific server that is really important to Shou, and Shou talks to her every day. We failed to capture Shou's traffic, but we found this weird file on his router. Help us find Shou's love.
This is a file generated by P4. Trace the parser section and you will find a finite state machine that decodes the packets and sets isImportant at a specific state.
start: ether.etherType == 0x0800 ? ipv4 : drop
ipv4: ipv4.protocol == 0x06 ? tcp1 : drop
tcp1: ipv4.protocol == 0x06 ? tcp2 : drop
tcp2: ipv4.srcAddr & 0x000000ff == 0xe5 ? tcp3 : drop
tcp3: ipv4.srcAddr & 0x0000ff00 >> 8 == 0x13 ? tcp4 : drop
tcp4: ipv4.srcAddr & 0x00ff0000 >> 16 == 0x5e ? tcp5 : drop
tcp5: ipv4.srcAddr & 0xff000000 >> 24 == 0x22 ? port : drop
port: tcp.srcPort == 0x9743 ? accept : drop
This means the IP srcAddr and port are 188.8.131.52:38723. Running curl against that address gives you the flag.
23 solves / 50 pts
We've heard that Shou, apart from his server, also loves Docker containers. You have gained Shou's trust and been asked to help him further develop his project. We task you to spy on him and retrieve his beloved container. Get yourself added to his GitHub repo here
Note: Container is of name "flag"
Open a pull request that uses a GitHub Action to leak DOCKER_USERNAME & DOCKER_PASSWORD. Note that directly echoing these secrets does not work, but you can send them to a host you control.
65 solves / 143 pts
Arrogant Shou thinks Django is the worst web framework and decided to use it like Flask. To support some business logic, he developed some middlewares and added them to the Flask-ish Django. One recent web app he developed with this displays the flag to admins. Help us retrieve the flag :)
Have the admin visit a page whose path has the prefix /flag and the suffix .css (e.g. /flag.pppppp.css). Then wait a few seconds and visit the same page yourself; the flag will appear.
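The behaviour described above, modelled next to a stricter caching rule. This is an added example, not the challenge's middleware: the class and function names, the session value and the flag string are all constructed, and it assumes the cache is keyed on the path and decides by URL suffix.

```python
from dataclasses import dataclass, field

STATIC_TYPES = {".css": "text/css", ".js": "text/javascript", ".png": "image/png"}

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def route(req):
    # Prefix routing as described above: any path starting with /flag is the flag view.
    if req.path.startswith("/flag"):
        is_admin = req.cookies.get("session") == "admin-session"  # constructed value
        body = "we{constructed-flag}" if is_admin else "admins only"
        return Response(body, {"Content-Type": "text/html"})
    return Response("body { margin: 0 }", {"Content-Type": "text/css"})

def cache_by_suffix(req, resp):
    # Weak rule: trusts the URL suffix, ignores who asked and what came back.
    return req.path.endswith(tuple(STATIC_TYPES))

def cache_hardened(req, resp):
    # Cache only anonymous responses whose Content-Type matches the suffix.
    if req.cookies or "Set-Cookie" in resp.headers:
        return False
    if any(d in resp.headers.get("Cache-Control", "") for d in ("private", "no-store")):
        return False
    suffix = "." + req.path.rsplit(".", 1)[-1]
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
    return STATIC_TYPES.get(suffix) == ctype

def serve(req, cache, may_cache):
    if req.path in cache:  # the cache key is the path alone
        return cache[req.path]
    resp = route(req)
    if may_cache(req, resp):
        cache[req.path] = resp
    return resp

def replay(may_cache, path="/flag.pppppp.css"):
    """Admin requests `path`, then an anonymous client does; return what the latter sees."""
    cache = {}
    serve(Request(path, {"session": "admin-session"}), cache, may_cache)
    return serve(Request(path), cache, may_cache).body
```

Calling replay(cache_by_suffix) and replay(cache_hardened) shows the difference between the two rules for the same pair of requests.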
133 solves / 335 pts
Shame on Shou if his web app has XSS vulnerability. More shame on him if he does not know how to use CSP correctly.
Hint: Search Content-Security-Policy if you don't know what that is and check your browser console.
Use duplicate script-src to break the CSP and do XSS.
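Why a duplicate script-src matters, and one way to keep it out of the header, as an added example that is not the challenge's code. It assumes a request-controlled value is interpolated into a directive placed before script-src; build_csp, its parameters and the sample policy are hypothetical.

```python
import re

def effective_csp(policy):
    """Parse one policy the way CSP Level 3 does: the first directive with a
    given name wins and later duplicates are ignored.
    Returns (directives, ignored_duplicates)."""
    directives, ignored = {}, []
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name in directives:
            ignored.append((name, values))
        else:
            directives[name] = values
    return directives, ignored

# One host-source: optional scheme, optional leading wildcard label, optional port.
HOST_SOURCE = re.compile(r"(https?://)?(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?")

def build_csp(img_host, nonce):
    """Hypothetical header builder. `img_host` is request-controlled, so it must be
    a single host-source containing no ';', ',', whitespace or CR/LF."""
    if not HOST_SOURCE.fullmatch(img_host):
        raise ValueError("rejected CSP source: %r" % img_host)
    policy = f"img-src {img_host}; script-src 'nonce-{nonce}'"
    _, ignored = effective_csp(policy)
    if ignored:  # second check: never emit a policy with shadowed directives
        raise ValueError("duplicate directives: %r" % ignored)
    return policy

# Constructed sample: an earlier script-src shadows the one the server intended.
SAMPLE = "img-src cdn.example; script-src 'unsafe-inline'; script-src 'nonce-r4nd0m'"
```

Running effective_csp(SAMPLE) returns the directive set a browser enforces together with the directives it silently drops, which is the check to apply to any policy assembled from request data.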
395 solves / 310 pts
Yet another buggy PHP website.
Note: Flag is at /flag.txt on filesystem
19 solves / 994 pts
Shame on Shou if he uses CSP incorrectly. More shame on him if he solely uses CSP to prevent XSS.
Intended: Use a POP chain to set report-uri to a host you control, and you can get the nonce.
Unintended 1: Use a POP chain to set script-src-elem to break the CSP.
Unintended 2: Use a POP chain to set report-uri with \r\n so that the CSP header is not added.
18 solves / 1015 pts
It is soothing to fill the whole browser with an image you like.
Use a service worker to hijack all requests to the img-cdn domain.
23 solves / 925 pts
Shou made a free MySQL table creator. Try it out and hack it!
Inject (SELECT * FROM cloudtable.flag) at the end of the CREATE query.
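One way to close this injection point, as an added example rather than the challenge's code. It assumes the table name, column names and column types all come from the request; the function names, the type allowlist and the sample inputs are constructed.

```python
import re

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")  # MySQL identifiers: max 64 chars
COLUMN_TYPES = {"INT", "BIGINT", "DOUBLE", "TEXT", "DATETIME", "VARCHAR(255)"}
MAX_COLUMNS = 32  # arbitrary cap chosen for this example

def build_create_table(table, columns):
    """Build a CREATE TABLE statement from user-chosen names and types.

    Identifiers and types cannot be bound as query parameters, so each piece is
    checked against a strict pattern or an allowlist before it is placed into
    the statement. Raises ValueError on anything else."""
    if not IDENT.fullmatch(table):
        raise ValueError(f"bad table name: {table!r}")
    if not 1 <= len(columns) <= MAX_COLUMNS:
        raise ValueError("bad column count")
    seen, defs = set(), []
    for name, ctype in columns:
        if not IDENT.fullmatch(name) or name.lower() in seen:
            raise ValueError(f"bad or duplicate column name: {name!r}")
        ctype = ctype.strip().upper()
        if ctype not in COLUMN_TYPES:
            raise ValueError(f"unsupported column type: {ctype!r}")
        seen.add(name.lower())
        defs.append(f"`{name}` {ctype}")
    # The statement ends at the closing parenthesis; nothing user-supplied follows it.
    return f"CREATE TABLE `{table}` ({', '.join(defs)})"

def is_rejected(table, columns):
    """True when the builder refuses the input (used to check tainted samples)."""
    try:
        build_create_table(table, columns)
    except ValueError:
        return True
    return False

# Constructed inputs: one legitimate request, one carrying the string from the write-up.
GOOD = ("notes", [("id", "int"), ("title", "varchar(255)")])
TAINTED = ("notes", [("id", "(SELECT * FROM cloudtable.flag)")])
```

Validation of this kind complements, and does not replace, giving the application's database account no SELECT privilege on tables it never needs to read.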
110 solves / 592 pts
Shou is so dumb that he leaks his password (flag) to a phishing website.
Use the UNIQUE/NULL constraint error to brute-force each char. Note that there are other users in the table and some chars of the flag are upper case (not caught by LIKE).
62 solves / 379 pts
Shou lost a few thousand bucks on cryptocurrency. So, he decided to fake a crypto exchange and steal all the money of the users next week. Try to break Shou's evil plan by stealing all his money.
Use cross-site WebSocket hijacking to transfer ETH to yourself.
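The server-side check whose absence makes this hijacking possible, as an added example that is not the challenge's code. The allowed origin is taken from the local port mapping at the top of this page; the function names and the per-session token (assumed to be sent by the page in the WebSocket URL or first message, since browsers cannot add custom handshake headers) are hypothetical.

```python
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: the exchange is served from the local mapping given on this page.
ALLOWED_ORIGINS = {("http", "localhost", 4001)}

def parse_origin(value):
    """Return (scheme, host, port) for a well-formed Origin header, else None."""
    if not value or " " in value or not value.isprintable():
        return None
    try:
        parts = urlsplit(value)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                # rejects "null", file:, extension schemes
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None                # an Origin is scheme://host[:port] and nothing else
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)

def accept_upgrade(origin_header, supplied_token, session_token):
    """Decide whether a WebSocket handshake may proceed.

    The session cookie alone is not enough: the browser attaches it to
    handshakes started from any site. Require an exact origin match (no
    prefix or substring comparison) and a token tied to the session."""
    if parse_origin(origin_header) not in ALLOWED_ORIGINS:
        return False
    return hmac.compare_digest((supplied_token or "").encode(), session_token.encode())
```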
3 solves / 1744 pts
Shou finally decided to formally study CSP and wrote some correct CSP. But, CSP is not enough for protecting a web app!
Use CSRF to set a long enough text (~10MB to get a very significant timing difference) as the pinned item, then do a time-based XS-Search. Brute-forcing everything would require at most (26+10)*6 tries.
1 solve / 2000 pts
Shou read some RFCs for ICMP and implemented his own Ping service from scratch. We don't like him showing off his knowledge about networking. Hack the server if you can and find the flag at /flag.txt
Gadget 1: Prototype pollution when setting the TTL, which turns ICMP packets into other packets. Set TTL to 0x06 to forge TCP packets.
Gadget 2: Incorrect parsing of the IPv4 address can lead to an overflow that overwrites the following ICMP payload.
With these two gadgets, replay the Redis RCE payload with the correct 5-tuple & seq/ack number.