OpenSec Atlas

Name: 2021
Author: wectf

2021: An Open Source Educational Resource for Penetration Testing & Red Teaming | OpenSec Atlas

Back to Browse

Penetration Testing & Red Teaming

Educational Resource

2021

WeCTF 2021 is an educational Capture The Flag (CTF) resource providing a suite of penetration testing challenges and writeups for red team training.

View on GitHub

About This Tool

WeCTF 2021 Source Code & Organizer's Writeup

Primary Use Case

This tool is designed for security enthusiasts, penetration testers, and red teamers to practice exploitation techniques and learn from detailed challenge writeups. Users can run the challenges locally via Docker to simulate real-world security scenarios and improve their offensive security skills.

Key Features

Collection of diverse CTF challenges covering web, network, and application security
Detailed organizer writeups explaining exploitation techniques and solutions
Docker-compose setup for easy local deployment of challenge environments
Challenges include server protocol analysis, Docker container exploitation, CSP bypass, PHP file inclusion, and service worker hijacking
Focus on penetration testing and red team tool usage in practical scenarios
Hints and walkthroughs for advanced security concepts like CSP, POP chains, and Docker secrets
Multi-service architecture simulating realistic attack surfaces

Insights & Recommendations

Some challenges require manual environment setup in Dockerfiles and configuration files before running. Users should have Docker and Docker Compose installed. The repository serves as an educational resource and does not provide automated tooling but rather challenge environments and detailed writeups for learning exploitation techniques.

Installation

git clone https://github.com/wectf/2021
cd 2021
docker-compose up
For cloudtable and gallery challenges, setup environment in Dockerfile before building (commented out in docker-compose.yaml)
Configure auth.json and update bucket name in main.py to enable upload functionality

Usage

git clone https://github.com/wectf/2021

Clone the WeCTF 2021 repository locally.

cd 2021 && docker-compose up

Start all CTF challenge services locally using Docker Compose.

curl http://localhost:4001

Access the 'coin' challenge service running on port 4001.

Start a pull request to use GitHub Actions to leak DOCKER_USERNAME & DOCKER_PASSWORD

Exploit GitHub Actions secrets leakage vulnerability in the GitHub challenge.

Visit /flag.pppppp.css on cache service

Trigger the Cache challenge to reveal the flag after a delay.

Smart Usage Notes

Integrate WeCTF challenges into red team training programs to simulate realistic attack scenarios and improve offensive skills.Use the detailed writeups as a knowledge base for blue teams to understand attacker methodologies and improve detection rules.Leverage Docker-compose setup to create isolated environments for purple team exercises, enabling collaborative attack and defense simulations.Incorporate challenge scenarios into continuous security training pipelines to maintain team readiness against emerging exploitation techniques.Extend the platform by adding custom challenges that reflect organization-specific threat models and infrastructure.