wectf / 2021

Licence: MIT license
WeCTF 2021 Source Code & Organizer's Writeup

WeCTF 2021

Thank you for participating! Please share your writeup at CTFtime (https://ctftime.org/event/1231).

Run Challenges Locally

git clone https://github.com/wectf/2021
cd 2021 && docker-compose up

The mapping is as follows:

coin => http://localhost:4001
cache => http://localhost:4002
urlbin => http://localhost:4003
csp1 => http://localhost:4004
cloudtable* => http://localhost:4006
gallery* => http://localhost:4007
phish => http://localhost:4008
include => http://localhost:4010
ping => http://localhost:4011
csp3 => http://localhost:4012

* You have to set up the environment in the Dockerfile before building. It is commented out in docker-compose.yaml to prevent failures.

* You may want to set up the environment in auth.json and update the bucket name in main.py in order to use the upload function.

SDN

15 solves / 50 pts

Description

Shou has a server fetish. There is a specific server that is really important to Shou, and Shou talks to her every day. We failed to capture Shou's traffic, but we found this weird file on his router. Help us find Shou's love.

Writeup

This is a file generated by P4. Tracing the parser section, you can find a finite state machine that decodes the packets and sets isImportant at a specific state.

start: ether.etherType == 0x0800 ? ipv4 : drop
ipv4: ipv4.protocol == 0x06 ? tcp1 : drop
tcp1: ipv4.protocol == 0x06 ? tcp2 : drop
tcp2: (ipv4.srcAddr & 0x000000ff) == 0xe5 ? tcp3 : drop
tcp3: ((ipv4.srcAddr & 0x0000ff00) >> 8) == 0x13 ? tcp4 : drop
tcp4: ((ipv4.srcAddr & 0x00ff0000) >> 16) == 0x5e ? tcp5 : drop
tcp5: ((ipv4.srcAddr & 0xff000000) >> 24) == 0x22 ? port : drop
port: tcp.srcPort == 0x9743 ? accept : drop

This means the source address and port are 34.94.19.229:38723. Running curl against that gives you the flag.
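The state machine above as a table-driven walker, plus the step that reassembles the address and port from the masked byte comparisons. This is an added example, not code from the challenge repository; the function names and the constructed test frame (zeroed MACs, no VLAN tag, no IP options) are assumptions.

```python
import ipaddress
import struct

# Transitions from the writeup: state -> (field, mask, shift, expected, next state).
FSM = {
    "start": ("etherType", 0xFFFF, 0, 0x0800, "ipv4"),
    "ipv4": ("protocol", 0xFF, 0, 0x06, "tcp1"),
    "tcp1": ("protocol", 0xFF, 0, 0x06, "tcp2"),
    "tcp2": ("srcAddr", 0x000000FF, 0, 0xE5, "tcp3"),
    "tcp3": ("srcAddr", 0x0000FF00, 8, 0x13, "tcp4"),
    "tcp4": ("srcAddr", 0x00FF0000, 16, 0x5E, "tcp5"),
    "tcp5": ("srcAddr", 0xFF000000, 24, 0x22, "port"),
    "port": ("srcPort", 0xFFFF, 0, 0x9743, "accept"),
}

def recover_endpoint(fsm=FSM):
    """Reassemble the source address and port the parser matches on."""
    rules = fsm.values()
    addr = sum(exp << shift for f, _, shift, exp, _ in rules if f == "srcAddr")
    port = next(exp for f, _, _, exp, _ in rules if f == "srcPort")
    return str(ipaddress.IPv4Address(addr)), port

def parse_fields(frame):
    """Pull the inspected fields out of an untagged Ethernet/IPv4 frame, or None if truncated."""
    if len(frame) < 34:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl + 2:
        return None
    return {
        "etherType": struct.unpack_from("!H", frame, 12)[0],
        "protocol": frame[23],
        "srcAddr": struct.unpack_from("!I", frame, 26)[0],
        "srcPort": struct.unpack_from("!H", frame, 14 + ihl)[0],
    }

def walk(frame, fsm=FSM):
    """Run one frame through the state machine and return 'accept' or 'drop'."""
    fields, state = parse_fields(frame), "start"
    while fields is not None and state in fsm:
        field, mask, shift, expected, state = fsm[state]
        if (fields[field] & mask) >> shift != expected:
            return "drop"
    return state if fields is not None else "drop"

def build_frame(src_ip, src_port, proto=6):
    """Constructed test frame: zeroed MACs, 20-byte IPv4 header, 20-byte TCP header."""
    src = ipaddress.IPv4Address(src_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, bytes(4))
    return bytes(12) + struct.pack("!H", 0x0800) + ip + struct.pack("!HH", src_port, 80) + bytes(16)
```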

GitHub

23 solves / 50 pts

Description

We've heard that Shou, apart from his server, also loves Docker containers. You have gained Shou's trust and been asked to help him further develop his project. We task you to spy on him and retrieve his beloved container. Get yourself added to his GitHub repo here

Note: Container is of name "flag"

Hint: https://docs.docker.com/docker-hub/access-tokens/

Writeup

Open a pull request that uses a GitHub Actions workflow to leak DOCKER_USERNAME & DOCKER_PASSWORD. Note that directly echoing these secrets would not work (GitHub Actions masks secrets in the log output), but you can send them to a host you control.

Cache

65 solves / 143 pts

Description

Arrogant Shou thinks Django is the worst web framework and decided to use it like Flask. To support some business logic, he developed some middleware and added it to the Flask-ish Django. One recent web app he developed with this displays the flag to admins. Help us retrieve the flag :)

Writeup

Have the admin visit a page whose path starts with /flag and ends with .css (e.g. /flag.pppppp.css). Then wait a few seconds and visit the same page yourself; the flag will appear.

CSP 1

133 solves / 335 pts

Description

Shame on Shou if his web app has an XSS vulnerability. More shame on him if he does not know how to use CSP correctly.

Hint: Search Content-Security-Policy if you don't know what that is and check your browser console.

Writeup

Use a duplicate script-src directive to break the CSP and do XSS.
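Why a duplicate directive matters: when a policy is parsed under CSP Level 3, the first occurrence of a directive is kept and later duplicates are ignored, so a script-src that appears ahead of the application's own one replaces it. The sketch below is an added example, not code from the challenge: a policy linter that reports ignored duplicates and a check for values interpolated into the header. The sample header, the hostnames and the function names are constructed.

```python
import re

def parse_csp(header_value):
    """Parse one serialized policy as CSP Level 3 does: the first
    occurrence of a directive is kept, later duplicates are ignored."""
    effective, ignored = {}, []
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name in effective:
            ignored.append((name, values))
        else:
            effective[name] = values
    return effective, ignored

def audit(header_value, intended):
    """List directives whose effective value differs from what the app intended."""
    effective, ignored = parse_csp(header_value)
    findings = [f"duplicate {n} ignored: {' '.join(v)}" for n, v in ignored]
    for name, want in intended.items():
        got = effective.get(name)
        if got != want:
            findings.append(f"{name} is {got}, intended {want}")
    return findings

def is_safe_source(value):
    """Accept a single source expression only: no ';', ',' or whitespace."""
    return re.fullmatch(r"[^\s;,]+", value) is not None

# Constructed header: a request-derived value was interpolated ahead of
# the application's own script-src directive.
SAMPLE = "img-src https://img.example; script-src https://cdn.example; script-src 'self'"
INTENDED = {"script-src": ["'self'"]}
```

Running `audit(SAMPLE, INTENDED)` reports both the ignored duplicate and the mismatch with the intended policy; `is_safe_source` is the check to apply before any request-derived value reaches the header.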

Include

395 solves / 310 pts

Description

Yet another buggy PHP website.

Note: Flag is at /flag.txt on filesystem

Writeup

/?🤯=/flag.txt

CSP 2/3

19 solves / 994 pts

Description

Shame on Shou if he uses CSP incorrectly. More shame on him if he solely uses CSP to prevent XSS.

Writeup

Intended: Use a POP chain to set report-uri to a host you control, and you can get the nonce.

Unintended 1: Use a POP chain to set script-src-elem to break the CSP.

Unintended 2: Use a POP chain to set report-uri with \r\n, and the CSP header would not be added.

Gallery

18 solves / 1015 pts

Description

It is soothing to fill the whole browser with images you like.

Writeup

Use a service worker to hijack all requests to the img-cdn domain.

CloudTable

23 solves / 925 pts

Description

Shou made a free MySQL table creator. Try it out and hack it!

Writeup

Inject (SELECT * FROM cloudtable.flag) at the end of the CREATE query.

Phish

110 solves / 592 pts

Description

Shou is so dumb that he leaks his password (flag) to a phishing website.

Writeup

Use a UNIQUE/NULL constraint error to bruteforce each char. Note that there are other users in the table and some chars of the flag are upper case (not caught by LIKE).

Coin Exchange

62 solves / 379 pts

Description

Shou lost a few thousand bucks on cryptocurrency. So, he decided to fake a crypto exchange and steal all the money of the users next week. Try to break Shou's evil plan by stealing all his money.

Writeup

Cross-site WebSocket hijacking to transfer eth to you.

URL Bin

3 solves / 1744 pts

Description

Shou finally decided to formally study CSP and wrote some correct CSP. But, CSP is not enough for protecting a web app!

Writeup

Use CSRF to set a long enough text (~10MB to get a very significant timing difference) as the pinned item, then do a time-based XS-Search. Bruteforcing everything would require at most (26+10)*6 tries.

Ping

1 solve / 2000 pts

Description

Shou read some RFCs for ICMP and implemented his own Ping service from scratch. We don't like him showing off his knowledge about networking. Hack the server if you can and find the flag at /flag.txt

Writeup

Gadget 1: Prototype pollution when setting TTL, which turns ICMP packets into other packets. Set TTL to 0x06 to forge TCP packets.

Gadget 2: Incorrect parsing of the IPv4 address can lead to an overflow that overwrites the following ICMP payload.

With these two gadgets, replay the Redis RCE payload with the correct 5-tuple & seq/ack number.
