siunam's Website

Patchstack WCUS Capture The Flag Writeup

Writeup

  1. Link-Manager
  2. JustinWonkyTokens
  3. Timberlake
  4. Texting Trouble

Background

Overview

What I’ve learned in this CTF

  1. Link-Manager - Time-based SQL injection in ORDER BY clause
  2. JustinWonkyTokens - JWT algorithm confusion
  3. Timberlake - Server-Side Template Injection (SSTI) in Twig with bypassing blacklisted keywords
  4. Texting Trouble - Limited arbitrary file read via the PHP function file_get_contents()