Competition Topic Outline
CTF Challenge 1 Content Outline
Web (Web Security/Code Audit)
- Analysis of HTTP sessions, exploitation of SQL injection vulnerabilities in databases such as SQL Server, MySQL, TiDB, OceanBase, TDSQL, SQLite, unauthorized access vulnerabilities, file upload vulnerabilities, directory listing vulnerabilities, file inclusion vulnerabilities, command execution, middleware vulnerabilities (e.g., Weblogic vulnerabilities, TongWeb vulnerabilities, etc.), and other vulnerability attack methods.
- Basic code audit process, proficient in common automated code audit tools and manual review methods. Capable of examining and analyzing source code in PHP, Java, Node.js, Golang, Python, etc., to discover security vulnerabilities caused by defects in that source code.
Crypto (Cryptography and Encoding)
- Encoding techniques such as Morse code, Base64 encoding, URL encoding, Unicode encoding, ASCII encoding, rail fence encoding, and other mainstream encoding and decoding methods.
- Classical cryptography, such as Caesar, Affine, and Vigenère. Proficient in commonly used encryption algorithms like RSA, AES, DES, capable of implementing basic encryption and decryption processes.
- Proficient in commonly used national cryptographic algorithms such as SM1, SM2, SM3, SM4, etc.
PWN (Overflow Attack)
- Proficient in common stack overflow attacks, including but not limited to the Ret2 series, format strings, ROP, etc.
- Proficient in system protection mechanisms and related bypass techniques, including but not limited to canary protection, NX, PIE, etc.
- Proficient in common heap overflow attacks, including but not limited to UAF, the House of series, double free, off-by-one, etc.
MISC (Security Miscellaneous (Steganography/Information Hiding/Data Forensics))
- Proficient in information hiding methods such as image file information hiding, audio file information hiding, etc.
- Proficient in common steganographic techniques, such as image steganography, audio steganography, and video steganography. Proficient in using various miscellaneous tools to extract usable information from suspicious images, audio, or video files, including but not limited to steghide, LSB, stegdetect, wbs43open, MP3Stego, Image Steganography, etc.
- Proficient in network traffic analysis, log analysis, data recovery, APP forensics, and other analysis skills.
- Proficient in repairing traffic packets, collecting evidence from them, and analyzing them; capable of effectively filtering and screening the traffic in a packet capture, analyzing related protocols, and discovering anomalies in order to extract usable data.
REVERSE (Reverse Engineering)
- Proficient in reverse analysis of Windows PE files, Linux binary files, and Android mobile application APK files.
- Proficient in common software protection, anti-decompilation, anti-debugging, unpacking, and cryptographic algorithm decryption techniques in reverse engineering. This tests the ability to perform reverse analysis and anti-decompilation of software.
- Proficient in reverse analysis of other high-level languages, including but not limited to .NET, Python, Golang, Rust, etc.
AWD Challenge 2 Content Outline
The competition simulates real Internet systems and network conditions to the greatest extent possible.
Participating teams must attack and defend these systems.
The competition process draws on real-world information and communication systems, focusing on the participants' understanding of the security mechanisms of such systems, their collection and analysis of data, and the penetration testing they carry out on that basis.
Both the theoretical knowledge and the practical ability of the contestants are tested.
The problem scenario simulates industry network architecture and equipment functions.
Contestants need to continuously collect clues and data, discover the vulnerabilities in their own environment and protect against them, while using the vulnerabilities they discover to attack the environments of other teams in the venue.
Information collection, vulnerability mining, host detection, code audit, backdoor detection and killing, security reinforcement, etc.