CTF Problems
Yet Another Calculator App
PlaidCTF 2022
🔥🔥🔥
web
YACA is a simple calculator app. Type in a mathematical expression, and it will instantly
generate the result. What's more, if you use variables in your expression you can adjust them at will
to see how it affects the result.
Designed to introduce players to ECMAScript modules, YACA also challenges them to get a better understanding of Chrome's internals.
Live Art
PicoCTF 2022
🔥🔥🔥🔥
web
Nothing's more fun than drawing for an audience! Live Art lets you stream your drawing to the world
(or it did, before PeerJS suddenly died).
Live Art presents a unique take on React-based XSS, and makes players dig deep into how React's magic
sauce actually works.
The Watness III
PlaidCTF 2021
🔥🔥
web
reversing
The Watness 3 is the final installment of the Watness Trilogy.
In this problem, players are given a WebGL implementation of the Watness that they must
work through and solve in order to get a flag.
The catch? The whole game is a single GLSL shader including graphics, movement, and the
puzzles themselves.
Wowza!
PlaidCTF 2021
🔥🔥🔥🔥
web
Wowza was a difficult web problem from PlaidCTF 2021.
Players were tasked with using a search engine's site-management console to attack the search engine itself.
The intended solution required exploiting a race condition in SQLite and a consistency bug in immutable.js.
Bithug
PicoCTF 2021
🔥🔥
web
Bithug is a simple clone of a popular git server.
It implements basic functionality for creating repos, pushing and pulling, setting up webhooks, and even
sharing repos with other users.
Players are tasked with exploiting this functionality to get a flag stored in a hidden repository.
PGUI
ASV CTF2
🔥🔥🔥
web
misc
Written for AppSec Village's CTF2, PGUI is a simple web interface for running Postgres queries
against a live database.
However, without credentials to access the database, all of your queries are aborted with no response.
Is there any way to read from the database?
The Watness II
PlaidCTF 2020
🔥🔥🔥🔥
reversing
The second, and most involved, of the Watness problems, this one was a complete de-make of the Witness in
HyperCard, running on Mac OS 9.
The problem reimplemented a set of Witness puzzles using an XCMD written in Apple Pascal, that players
have to reverse engineer to solve the problem.
Contrived Web Problem
PlaidCTF 2020
🔥🔥🔥🔥
web
Modeled after a simple micro-service web application, Contrived Web Problem made use of an FTP-based
SSRF that allowed interfacing with the internal API in an unexpected manner.
MiniCTF
Standalone
web
reversing
misc
Originally run as an in-person workshop for students at Carnegie Mellon, MiniCTF is a collection of
small CTF problems mostly focused on web exploitation, designed to introduce new players to the
basic concepts.
Lambdash
PicoCTF 2019
🔥🔥🔥🔥
web
Lambdash is an online interpreter for a typed lambda calculus called System-F. In order to get the
flag, players have to break out of the limited execution provided by the language and call an
arbitrary function in the sandbox.
The .Wat ness
PlaidCTF 2019
🔥🔥🔥
web
reversing
The .wat ness was an implementation of puzzles from the Witness along with some custom rules that
had been compiled to WebAssembly. In order to get the flag, players had to reverse engineer
the game to learn how the rules worked.
Everland
PlaidCTF 2019
🔥🔥
misc
Everland was a little game where players had to fight an increasing number of enemies, culminating
in a final boss that can kill with a single hit. Players have to survive to the end of the game
and ultimately kill the final enemy to get the flag.
S-Exploitation
PlaidCTF 2018
🔥🔥🔥🔥🔥
web
reversing
S-Exploitation was a two-part problem that required players to compromise an OAuth site in order
to bypass the CSP on the primary target.
Datastore
GoogleCTF 2017
🔥🔥
crypto
misc
Written during my internship at Google, this only partially-completed problem ended up being
released and caused some major issues during the competition 🤷