The { WP CTF 2025 } event for young cybersecurity enthusiasts in South Tyrol is back! The fourth edition of WP Capture the Flag took place on November 29th, 2025 at Würth IT Italy in Bolzano.

This repository contains all the challenges from the competition, including source code, solutions, and walkthroughs.

| Category | Name | Objective | Difficulty [⭐⭐⭐⭐⭐] |
|---|---|---|---|
| Warmup | Warmup | Check the WPCTF Instagram page | ⭐ |
| Crypto | Spy Infiltration | Analyze configuration software, exploit vulnerabilities, and decrypt the hidden IoT password | ⭐⭐⭐⭐⭐ |
| Crypto | The Admin's New Credentials | Access the admin panel and exfiltrate a secret without credentials | ⭐⭐⭐ |
| Misc | Charger Confessions - Part 1 | Exploit debug mode on MQTT broker to extract secrets from EV charging stations | ⭐ |
| Misc | Charger Confessions - Part 2 | Get physical access to Hypercharger via Ethernet and use credentials from Part 1 | ⭐ |
| Misc | Host Collector | Add your host to the system | ⭐⭐ |
| Misc | Infection Chain | Investigate compromised Windows workstation to identify attack delivery, persistence, and encryption method | ⭐⭐ |
| Misc | Shadow Garden | Restore corrupted video transmission to recover hidden essence | ⭐⭐ |
| Misc | Blockchain | Steal Ethereum from blockchain | ⭐⭐ |
| Misc | Choosing the Right Words | Bypass the brand-new spam filter | ⭐⭐⭐ |
| Misc | Collateral Damage | Use prompt injection on AI DevOps assistant, extract Docker image, find AWS keys, and exploit Lambda function | ⭐⭐⭐ |
| Misc | Once Upon a Dev with a Fistful of Pixels | Track digital traces of fired developer to identify collaborators | ⭐⭐⭐ |
| OSINT | Yellow Plate Trace | Find the type approval number from a photo of a white car with yellow license plate | ⭐⭐ |
| OSINT | Get The Quote | Investigate phishing artifact and trace the attack chain | ⭐⭐⭐ |
| PWN | System Information | Bypass login prompt to retrieve the flag from inventory tool | ⭐⭐ |
| PWN | PWNlemetry | Obtain the list of all monitored hosts from the PWNlemetry service | ⭐⭐⭐ |
| PWN | wpctftpd | Exploit the company's file sharing service | ⭐⭐⭐⭐⭐ |
| Reversing | Win12 License Checker | Understand why the Macrohard Linux 12 license key is not working | ⭐⭐ |
| Reversing | Matrioscar | Reverse binary's input handling and craft valid payload to access secret shell | ⭐⭐⭐ |
| Web | Ping Checker | Exploit the network diagnostic tool | ⭐⭐ |
| Web | You Shall Not Pass! | Bypass JWT verification to find secret meeting invitation | ⭐⭐ |
| Web | Monitoring Dashboard | Access a different tenant's host in the monitoring system | ⭐⭐⭐ |
| Web | g0g0g0 | Exploit the private file storage service | ⭐⭐⭐ |
| Web | SQL Builder | Exploit the SQL builder application | ⭐⭐⭐⭐⭐ |
