WeCTF 2021 Source Code & Organizer's Writeup

WeCTF 2021

Thank you for participating! Please share your writeup at CTFtime (https://ctftime.org/event/1231).

Run Challenges Locally

git clone https://github.com/wectf/2021
cd 2021 && docker-compose up

The port mapping is as follows:

coin => http://localhost:4001
cache => http://localhost:4002
urlbin => http://localhost:4003
csp1 => http://localhost:4004
cloudtable* => http://localhost:4006
gallery* => http://localhost:4007
phish => http://localhost:4008
include => http://localhost:4010
ping => http://localhost:4011
csp3 => http://localhost:4012

* You have to set up the environment in the Dockerfile before building. These services are commented out in docker-compose.yaml to prevent build failures.

* You may want to set up the environment in auth.json and update the bucket name in main.py in order to use the upload function.

SDN

15 solves / 50 pts

Description

Shou has server-fetish. There is a specific server really important to Shou and Shou talks to her every day. We failed to capture Shou's traffic, but we found this weird file on his router. Help us find Shou's love.

Writeup

This file is generated by P4. Tracing the parser section, you can find a finite state machine that decodes the packets and sets isImportant in a specific state.

start: ether.etherType == 0x0800 ? ipv4 : drop
ipv4: ipv4.protocol == 0x06 ? tcp1 : drop
tcp1: ipv4.protocol == 0x06 ? tcp2 : drop
tcp2: (ipv4.srcAddr & 0x000000ff) == 0xe5 ? tcp3 : drop
tcp3: ((ipv4.srcAddr & 0x0000ff00) >> 8) == 0x13 ? tcp4 : drop
tcp4: ((ipv4.srcAddr & 0x00ff0000) >> 16) == 0x5e ? tcp5 : drop
tcp5: ((ipv4.srcAddr & 0xff000000) >> 24) == 0x22 ? port : drop
port: tcp.srcPort == 0x9743 ? accept : drop

which means the source address is 34.94.19.229 and the source port is 38723 (0x9743). Sending a request with curl to that address and port gives you the flag.
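As an added example (not part of the original writeup or the challenge's P4 program), the state machine above modelled in Python: parse() walks the same states over a raw Ethernet frame and returns True exactly where the P4 parser would set isImportant, and target_from_masks() recovers the address and port from the mask constants. build_frame() only constructs a minimal test frame.

```python
import struct

# Constants taken from the state machine in the writeup.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 0x06
SRC_ADDR_BYTES = (0x22, 0x5E, 0x13, 0xE5)  # checked in states tcp5, tcp4, tcp3, tcp2
SRC_PORT = 0x9743

def parse(frame: bytes) -> bool:
    """Walk the parser states over a raw Ethernet frame; True means 'accept'."""
    if len(frame) < 14:
        return False                                   # drop
    ether_type = struct.unpack("!H", frame[12:14])[0]
    if ether_type != ETHERTYPE_IPV4:                   # start
        return False
    ip = frame[14:]
    if len(ip) < 20:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:                             # ipv4 and tcp1 (same test twice)
        return False
    src_addr = struct.unpack("!I", ip[12:16])[0]
    # tcp2..tcp5: the masks select the octets from least to most significant
    if src_addr & 0x000000FF != 0xE5:                  # tcp2: last octet, 229
        return False
    if (src_addr & 0x0000FF00) >> 8 != 0x13:           # tcp3: third octet, 19
        return False
    if (src_addr & 0x00FF0000) >> 16 != 0x5E:          # tcp4: second octet, 94
        return False
    if (src_addr & 0xFF000000) >> 24 != 0x22:          # tcp5: first octet, 34
        return False
    tcp = ip[ihl:]
    if len(tcp) < 4:
        return False
    return struct.unpack("!H", tcp[0:2])[0] == SRC_PORT  # port: 38723

def target_from_masks() -> str:
    """Recover the dotted address and port that the parser accepts."""
    return ".".join(str(b) for b in SRC_ADDR_BYTES) + f":{SRC_PORT}"

def build_frame(src_ip: str, src_port: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame for exercising parse()."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, PROTO_TCP                     # IHL=5, protocol=TCP
    ip[12:16] = bytes(int(x) for x in src_ip.split("."))
    tcp = struct.pack("!HH", src_port, 80) + b"\x00" * 16
    return eth + bytes(ip) + tcp
```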

GitHub

23 solves / 50 pts

Description

We've heard that Shou, apart from his server, also loves Docker containers. You have gained Shou's trust and have been asked to help him further develop his project. We task you to spy on him and retrieve his beloved container. Get yourself added to his GitHub repo here

Note: Container is of name "flag"

Hint: https://docs.docker.com/docker-hub/access-tokens/

Writeup

Open a pull request that uses a GitHub Action to leak DOCKER_USERNAME & DOCKER_PASSWORD. Note that directly echoing these secrets does not work, but you can send them to a host you control.

Cache

65 solves / 143 pts

Description

Arrogant Shou thinks Django is the worst web framework and decided to use it like Flask. To support some business logic, he developed some middlewares and added them to the Flask-ish Django. One recent web app he developed with this displays the flag to admins. Help us retrieve the flag :)

Writeup

Let the admin visit a page whose path starts with /flag and ends with .css (e.g. /flag.pppppp.css). Then wait a few seconds and visit the same page; the flag will appear.
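As an added example (not the challenge's middleware), a reconstruction of the cache-deception pattern this writeup relies on, assuming the middleware decides "this is a shared static asset" from the .css suffix alone. SuffixCache reproduces that bug; ResponseAwareCache only stores responses the application marks as public. flag_app, Request and Response are constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass
class Request:
    path: str
    user: str                 # "" means anonymous

@dataclass
class Response:
    body: str
    private: bool             # True when the body depends on who asked

FLAG = "we{constructed-flag}"  # constructed placeholder, not the real flag

def flag_app(req: Request) -> Response:
    """Stand-in for the challenge view: paths under /flag show the flag to admins only."""
    if req.path.startswith("/flag"):
        if req.user == "admin":
            return Response(FLAG, private=True)
        return Response("admins only", private=True)
    return Response("hello", private=False)

class SuffixCache:
    """Vulnerable: anything ending in .css is cached and shared by path, whoever requested it."""
    def __init__(self, app):
        self.app, self.store = app, {}

    def __call__(self, req: Request) -> Response:
        cacheable = req.path.endswith(".css")
        if cacheable and req.path in self.store:
            return self.store[req.path]
        resp = self.app(req)
        if cacheable:
            self.store[req.path] = resp   # the admin's private page is now served to everyone
        return resp

class ResponseAwareCache(SuffixCache):
    """Fixed: the suffix is only a hint; a private response is never stored."""
    def __call__(self, req: Request) -> Response:
        if req.path in self.store:
            return self.store[req.path]
        resp = self.app(req)
        if req.path.endswith(".css") and not resp.private:
            self.store[req.path] = resp
        return resp
```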

CSP 1

133 solves / 335 pts

Description

Shame on Shou if his web app has an XSS vulnerability. More shame on him if he does not know how to use CSP correctly.

Hint: Search for Content-Security-Policy if you don't know what that is, and check your browser console.

Writeup

Use a duplicate script-src directive to break the CSP and perform XSS.

Include

395 solves / 310 pts

Description

Yet another buggy PHP website.

Note: Flag is at /flag.txt on filesystem

Writeup

/?🤯=/flag.txt

CSP 2/3

19 solves / 994 pts

Description

Shame on Shou if he uses CSP incorrectly. More shame on him if he solely uses CSP to prevent XSS.

Writeup

Intended: Use the POP chain to set report-uri to a host you control, and you can get the nonce.

Unintended 1: Use the POP chain to set script-src-elem to break the CSP.

Unintended 2: Use the POP chain to set report-uri with \r\n, so the CSP header is not added at all.
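As an added example (not from the challenge sources), a small linter for a Content-Security-Policy header value that flags the four mistakes the CSP 1 and CSP 2/3 writeups above rely on: a duplicate directive that browsers silently ignore, CR/LF in the value, a report-uri pointing off-site, and a script-src-elem that overrides a nonce-based script-src. The finding codes and site_origin parameter are this example's own.

```python
from urllib.parse import urlparse

def parse_csp(policy: str):
    """Split a policy into {directive: [values]}, keeping only the FIRST
    occurrence of each directive as browsers do; later copies are returned
    separately so the caller can see they were silently ignored."""
    directives, ignored = {}, []
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in directives:
            ignored.append(name)
        else:
            directives[name] = parts[1:]
    return directives, ignored

def lint_csp(policy: str, site_origin: str) -> list:
    """Return short finding codes for the weaknesses the writeups use."""
    findings = []
    # CSP 2/3 unintended 2: CR/LF in the value splits the response, so the
    # policy never reaches the browser as one valid header.
    if "\r" in policy or "\n" in policy:
        findings.append("crlf-in-header")
    directives, ignored = parse_csp(policy)
    # CSP 1: a second script-src (or any duplicate directive) is not enforced.
    for name in ignored:
        findings.append(f"duplicate-ignored:{name}")
    # CSP 2/3 intended: an off-site report-uri ships the violation report,
    # which quotes the original policy (nonce included), to a foreign host.
    site_host = urlparse(site_origin).netloc
    for target in directives.get("report-uri", []):
        host = urlparse(target).netloc
        if host and host != site_host:
            findings.append(f"report-uri-offsite:{host}")
    # CSP 2/3 unintended 1: script-src-elem takes precedence over script-src
    # for <script> elements, so the nonce in script-src no longer binds them.
    nonce_based = any(v.startswith("'nonce-") for v in directives.get("script-src", []))
    if nonce_based and "script-src-elem" in directives:
        findings.append("script-src-elem-overrides-nonce")
    return findings
```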

Gallery

18 solves / 1015 pts

Description

It is soothing to fill the whole browser with an image you like.

Writeup

Use a service worker to hijack all requests to the img-cdn domain.

CloudTable

23 solves / 925 pts

Description

Shou made a free MySQL table creator. Try it out and hack it!

Writeup

Inject (SELECT * FROM cloudtable.flag) at the end of the CREATE query.
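As an added example (not the CloudTable challenge's code), the string-concatenated CREATE TABLE builder that this injection exploits, next to a builder that validates every identifier and column type against a strict allow-list before assembling the statement. sqlite3 is an assumed stand-in for MySQL so the safe path runs offline; the injected column text is a constructed illustration of the writeup's payload.

```python
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ALLOWED_TYPES = {"INT", "BIGINT", "VARCHAR(255)", "TEXT", "DATE"}

def build_create_unsafe(table: str, columns: str) -> str:
    """The pattern the writeup attacks: user text is spliced in verbatim, so a
    column string that closes the parenthesis and appends a SELECT turns the
    statement into CREATE TABLE ... SELECT and copies another table's rows."""
    return f"CREATE TABLE {table} ({columns})"

def parse_columns(raw: str) -> list:
    """Split 'name type, name type' into pairs; anything else is rejected."""
    pairs = []
    for part in raw.split(","):
        tokens = part.split()
        if len(tokens) != 2:
            raise ValueError(f"malformed column definition: {part.strip()!r}")
        pairs.append((tokens[0], tokens[1]))
    return pairs

def build_create_safe(table: str, columns: list) -> str:
    """Assemble CREATE TABLE only from validated identifiers and known types."""
    if not IDENT.match(table):
        raise ValueError(f"bad table name: {table!r}")
    if not columns:
        raise ValueError("no columns given")
    defs = []
    for name, ctype in columns:
        if not IDENT.match(name):
            raise ValueError(f"bad column name: {name!r}")
        if ctype.upper() not in ALLOWED_TYPES:
            raise ValueError(f"type not allowed: {ctype!r}")
        defs.append(f"{name} {ctype.upper()}")
    return f"CREATE TABLE {table} ({', '.join(defs)})"

def create_table(conn, table: str, raw_columns: str) -> str:
    """Validate, build and execute; returns the statement that was run."""
    sql = build_create_safe(table, parse_columns(raw_columns))
    conn.execute(sql)
    return sql

def rejects(table: str, raw_columns: str) -> bool:
    """True when the safe path refuses the input (used for checking)."""
    try:
        build_create_safe(table, parse_columns(raw_columns))
    except ValueError:
        return True
    return False
```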

Phish

110 solves / 592 pts

Description

Shou is so dumb that he leaks his password (flag) to a phishing website.

Writeup

Use the UNIQUE/NULL constraint error to brute-force each character. Note that there are other users in the table and some characters of the flag are upper case (not caught by LIKE).

Coin Exchange

62 solves / 379 pts

Description

Shou lost a few thousand bucks on cryptocurrency. So, he decided to fake a crypto exchange and steal all the money of the users next week. Try to break Shou's evil plan by stealing all his money.

Writeup

Cross-site WebSocket hijacking to transfer ETH to yourself.

URL Bin

3 solves / 1744 pts

Description

Shou finally decided to formally study CSP and wrote some correct CSP. But, CSP is not enough for protecting a web app!

Writeup

CSRF to set a long enough text (~10 MB, to get a very significant timing difference) on the pinned item, then time-based XS-Search. Brute-forcing everything would require at most (26+10)*6 tries.

Ping

1 solve / 2000 pts

Description

Shou read some RFCs for ICMP and implemented his own Ping service from scratch. We don't like him showing off his knowledge about networking. Hack the server if you can and find the flag at /flag.txt.

Writeup

Gadget 1: Prototype pollution when setting the TTL turns ICMP packets into other packet types. Set TTL to 0x06 to forge TCP packets.

Gadget 2: Incorrect parsing of the IPv4 address can lead to an overflow that overwrites the following ICMP payload.

With these two gadgets, replay the Redis RCE payload with the correct 5-tuple and seq/ack numbers.