WeCTF+

Yet another Web-only CTF

Runs on 12/19, 11:59AM - 11:59PM PST. Join our Slack channel to get notifications, and scroll down for more details.

Join our Slack Channel!

Introduction

WTF is CTF?
WeCTF+ is a Web-only CTF with mostly intro-level challenges. Our vision is to help expose some of the latest vulnerabilities in web technologies, such as side channels and race conditions, as well as to remind people of the good old times, like SQL injection and SSRF. That said, here are a few points we would like you to know before you start playing WeCTF+:

Programming Languages: Python, Golang, PHP, C++, JavaScript. All challenges are coded in these languages, and the source code of most challenges will be released. Although it is not required (we do write a lot of comments in our code), we recommend that participants understand the basics of these programming languages.

Services: Redis, SQLite, Flask, etc. Most of the challenges are based on these services, so get familiar with them! In case you would like to know where to learn, here is a great place: youtube.com


FAQ

  • Can pwners and crypto masters participate?

    Yes, some challenges even require you to leverage concepts from pwn. If you have no experience in the Web part of CTF, this is a great way to start.

  • Are challenges guessy?

    No, though some challenges may require you to make a professional guess (e.g. SQL injection when you see ?id=1).

  • Would it be too easy for me?

    Even though this is labelled intro-level, the challenges are not easy. But who knows, maybe you are a web guru...

Rules

  • We allow a team to have up to ∞ members

  • Sharing flags and solutions is strictly prohibited.

  • You are not allowed to DDoS, brute-force, or use scanners against any challenge or this website.

  • Be respectful to other teams.

  • Please use common sense and do not attack anything beyond the challenges.


Policies:


  • We may choose to disclose your team name & IP if you have conducted a DDoS attack against our infrastructure.

  • Do not use your everyday password anywhere during the CTF.

  • Follow common sense.


Scoring:


Following CCC's algorithm:
-- @base + ( @top - @base ) / (1 + (max(0, solves -1)/ 11.92201) ** 1.206069)


Flag Format: we{[UUID]@[[email protected]\$%\^\(\)=]+}


Example Flag: we{[email protected]}


Flag Location: /flag.txt, SELECT flag FROM flags, COOKIE or specified in the challenge.


People

Sponsors:

Digital Ocean


Google Cloud

Organizers:

shou 🐷

author of challenges && platform

qisu 🐼

author of challenges


Credits:


Version 3.1.1c