My CTF Challenges

Below is a list of all the CTF challenges that I wrote. I'll keep updating this list.

I've deployed a demo site for most of the challenges. It's not guaranteed that the demo sites work as intended though (they are neither tested nor actively looked after)... The demo sites are offered as a courtesy, because I believe it's a great learning opportunity for others, and my way of giving back to the community. Congrats if you get RCE, but please do not use the server for other purposes (e.g. mining). If I find that out, I'll take down the server, and it won't benefit anyone :(

Update (2020-07-27): these servers are temporarily taken down and links are removed from this page.

API Service Proxy

A vulnerable API Gateway infra with 4 flags: easyssrf, sqli, hardssrf, bac. This was designed as an assignment for students in UNSW's COMP6843 (Extended Web Application Security) course.

Geegle3 Infra

A set of company infrastructure for a BeyondCorp-like zero-trust network, flag submission via a working email server (can phish flags from other teams), binary challenges tunneling over WebSocket, monorepo CTF Bazel building and deployment with team isolation, etc.

This was for SECedu CTF 2019, a national CTF competition with students from Sydney, Melbourne, as well as employees from Commonwealth Bank of Australia.

Unhackable App Engine

A serverless app infra that doesn't scale lol. Hijack an arbitrary page via cache key injection. This was for SecTalks Sydney Ninja Night 0x04.

K17Coins

A web challenge for exploiting race conditions. This was part of UNSW Security Society internal CTF.

Guess

A number-guessing game CTF challenge. Exploit a weak pseudo-random number generator, and reverse engineer gRPC/Protobuf traffic. This was part of UNSW Security Society internal CTF.

Docs

A LaTeX injection web challenge with incremental steps (from arbitrary file read to RCE). This was part of SECedu CTF 2019.

PasteWeb

An XSS challenge with a 5-step chain and script gadget. This was part of SECedu CTF 2019.

SecLearn

An XSS challenge that abuses Chrome XSS Auditor and a browser side channel (xsssearch + timing). This was part of SECedu CTF 2019.

Search

A working search engine with a simple SSRF vulnerability. This was part of SECedu CTF 2019.

bugreport

An XXE challenge, in which you need to use FTP to bypass HTTP(S) filters. This was part of SECedu CTF 2019.

FlatEarth

A PHP challenge (switch weak typing + SQLi + assert RCE). This was part of SECedu CTF 2019.

memegen

PHP LD_PRELOAD injection to get RCE. This was part of SECedu CTF 2019.