TL; DR

• Overflow
• Uninitialized Variable
• Format String

1. We can see a recent bugfix to CTFd, preventing unauthed admin calls at https://github.com/CTFd/CTFd/commit/9578355143d7af675fc4776b0f2de802be91e261.

The site has a maze game that you must navigate through. On the /play tab, it shows a login screen, so an account is needed to play. Registering for an account, it automatically logs you in. The hint is that you need a compass to iwn, which is 10 tokens. The first account made will have none. However, with each account created, three more tokens are added to the current account compared to your previous account, due to cookies. If someone else tries to login with your credentials, they will not have the same amount of tokens.

The first part of the challenge is to find the initals of the club Alex was in university. Googling “Alexander Taylor Raytheon” brings up his LinkedIn, which shows that he went to the University of South Florida and was president of the Whitehatters Computer Security Club. Using the format: http://fuzyll.com/csaw2015/<initials here> http://fuzyll.com/csaw2015/wcsc is the first part. It says: