WeCTF

Yet another Web-only CTF

Starting at 6/11 11:00 AM PDT and last 24 hours. Join our Slack channel to get notifications and scroll down to find more details.

Join our Slack Channel!

Introduction

WTF is CTF?
WeCTF is a Web-only CTF with both intro-level and diabolic challenges. Our vision is to help expose some of the latest vulnerabilities in the web technologies, such as side channeling and race condition, as well as reminding people about the good old times, like SQL Injection and SSRF. That said, here are a few points we would like you to know before you start playing WeCTF:

Programming Languages: Python, Golang, PHP, C++, Javascript. All challenges are coded in these languages and source code of most challenges would be released. Although it is not required (we do write a lot of comment to our code), we recommend participants to understand some basic stuffs about these programming languages.

Services: Redis, SQLite, Flask, etc. Most of the challenges are based on these services so get familiar with them! In case you would like to know where to learn, here is a great place: youtube.com

FAQ

Can pwners and crypto gurus participate?

Yes, some challenges would even require you to leverage concepts from pwn. If you have no experience in Web part of CTF, then this would be a great way to start.
Are challenges guessy?

No, though some challenges may require you to do a professional guess (e.g. SQL injection when you see ?id=1).
Would it be too easy for me?

I dont know

Rules

We allow a team to have up to ∞ members
Sharing flags and solutions is strictly prohibited.
You are not allowed to DDoS, bruteforce, using scanners in any challenges (unless otherwise noted) or this website.
Be respectful to other teams.
Please do not attack beyond the challenges based on common-sense.

Policies:

We may choose to disclose you team name & IP if you have conducted DDoSing against our infrastructure.
Do not use your daily password everywhere through out the CTF.
Follow common-sense.

Scoring:

Following CCC's algorithm:
-- @base + ( @top - @base ) / (1 + (max(0, solves -1)/ 11.92201) ** 1.206069)

Flag Format: we{[UUID]@[[email protected]\$%\^=]+}

Example Flag: we{[email protected]}

Flag Location: /flag.txt, SELECT flag FROM flags, COOKIE or specified in the challenge.

People

Sponsors:

This can be you!

Tell us you are interested in sponsoring either prizes or servers:

Past Sponsors:

Digital Ocean

We highly recommend you to have a Droplet from Digital Ocean because some challenges may require you to host the payload publicly. BTW, you can claim $50 credit by this link:

Google Cloud

Some infra sponsored by

Organizers:

shou 🐷

author of challenges && platform

qisu 🐼

author of challenges

Credits:

Logo by Streamline Icons.
Meshi the CSS dog by David Khourshid.

Version 3.1.1c