WHAMazon! CTF - Event Overview & Retrospective
WHAM-9000 has achieved full autonomy. Workers are locked in. Emergency exits are sealed. The warehouse AI has flagged all on-site staff as nonessential inventory.
That was the premise. 22 challenges, 6 categories, one increasingly unhinged warehouse management system.
Here's how it went.
The Story
Every challenge in this event was wrapped in the same fiction: a rogue warehouse AI called WHAM-9000 had seized control of WHAMazon's fulfillment infrastructure. Incident reports, shipping manifests, diagnostic terminals, bot swarms, drone control nodes. The lore was consistent and actually informed the solve process more than once. "The AI's core is isolated from external networks" wasn't just flavor, it pointed at the target.
The Cross-Challenge Recon Chain
The web category was designed so that recon compounds across challenges rather than each one being self-contained. It's worth tracing the full chain:
Web 1 (robots.txt) reveals four internal endpoints: /api/internal/debug, /api/internal/ai-core, /api/internal/incidents, and /api/internal/worker-stats.
Web 4 (path traversal): /api/internal/incidents from Web 1 was the first instinct. Wrong endpoint, but right mental model.
Web 5 (SSRF): /api/internal/ai-core from Web 1 was the target. The seller image URL from Web 3 (XSS) was the first SSRF attempt. Web 2 (GitHub OSINT) surfaced the actual SSRF endpoint /api/seller/preview-image. Three prior challenges feeding one solve.
Web 6 (command injection): the fetch() pattern from Web 5 carried straight in. Endpoint found by reading the challenge title and checking /api/admin/health-check.
None of the web challenges existed in a vacuum. Taking notes and revisiting prior recon is what made the later ones manageable.
Category Breakdown
Web
Six challenges covering the breadth of web exploitation, from one-liner reconnaissance to chained multi-step attacks.
| Challenge | Technique |
|---|---|
| Web 1: The Forgotten Protocol | Security misconfiguration, robots.txt |
| Web 2: Employee of the Month | GitHub OSINT, hardcoded credentials, API enumeration |
| Web 3: The Review Queue | Stored XSS, cookie theft |
| Web 4: The Archives | Path traversal, ffuf anomaly detection |
| Web 5: Neural Backdoor | SSRF, GitHub OSINT |
| Web 6: Health & Safety | Command injection, filesystem traversal |
Crypto
Six challenges spanning symmetric and asymmetric cryptography, from CyberChef one-liners to scripts requiring a real understanding of the underlying math.
| Challenge | Technique |
|---|---|
| Crypto 1: Workers are Exhausted | XOR brute force, crib drag |
| Crypto 2: You got the key to this room? | Partial RSA private key recovery |
| Crypto 3: Quarantine Key Dump | RSA-OAEP padding, PyCryptodome |
| Crypto 4: Sticky Note Security | AES-CBC key/IV reuse |
| Crypto 5: Signature Residue | DSA low-nonce attack, private key recovery |
| Crypto 6: Manifest Collision | Two-time pad, known-plaintext crib drag |
Network
Four pcap challenges with escalating complexity, from a strings one-liner to a live UDP listener.
| Challenge | Technique |
|---|---|
| Network 1: It's on the Wires | strings, plaintext traffic |
| Network 2: The AI Gets Mixed Up | TLS decryption, pre-master secret log |
| Network 3: It Wasn't Me | DNS C2, PowerShell hex payload |
| Network 4: What's UDP with You? | Multi-protocol key hunt, live UDP listener |
JWT
Three challenges walking through the major JWT attack classes in order of sophistication.
| Challenge | Technique |
|---|---|
| JWT 1: WHAM Token | Known-secret HS256 forgery |
| JWT 2: Forge | None algorithm attack |
| JWT 3: RSA Revenge | RS256 private key signing, PKCS#1 v1.5 |
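The three JWT challenges above all come down to one verifier mistake: letting the token's own header decide how it is verified. As an added example (not code from the event or its toolkit), the block below puts a naive HS256 verifier that honours `alg: none` next to a pinned verifier that fixes the algorithm server-side and rejects anything else. The secret and payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service would load this from a secrets store.
SECRET = b"demo-hs256-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """The shape of an alg=none token: header, payload, empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable: the untrusted header's alg field chooses the verification path."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # accepts a token nobody signed
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened: the verifier decides the algorithm; the token only has to match it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != expected_alg:
        return None  # covers alg=none and any key-type confusion
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    good = sign_hs256({"sub": "worker-42", "role": "staff"}, SECRET)
    forged = unsigned_token({"sub": "worker-42", "role": "admin"})
    print("pinned accepts signed token:", verify_pinned(good, SECRET))
    print("naive accepts alg=none:     ", verify_naive(forged, SECRET))
    print("pinned rejects alg=none:    ", verify_pinned(forged, SECRET))
```

The same pinning closes JWT 3's class of bug as well: a verifier that expects RS256 must never fall back to HS256 with the public key as the HMAC secret just because the header says so.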
Reverse Engineering
Two deobfuscation challenges: one targeting an obfuscated scripting-language payload, the other a protected Python binary.
| Challenge | Technique |
|---|---|
| Rev 1: Stage ? | PowerShell deobfuscation, base64/Unicode layers |
| Rev 2: Armor | PyArmor v9.x, dynamic analysis, crash dump extraction |
Misc
One JavaScript string array challenge that turned out to be hiding lore fragments used in other challenges too.
| Challenge | Technique |
|---|---|
| Misc 1: James Smith | JS obfuscation, string array static analysis |
The Toolkit
By Crypto 3, the third RSA variant in a row requiring a custom script, it was clear that rebuilding the same attack infrastructure from scratch every time was the wrong approach. Each script was a small variation on familiar patterns: fetch the right library, wire up the parameters, handle the edge case.
That friction was the push to build the CTF Toolkit into something real: a self-hosted Flask application covering crypto attacks, web exploitation, forensics, encoding/decoding, and rev tools in one place. Several of the scripts written during this event went straight into the toolkit as modules: XOR brute force with crib drag, partial RSA key recovery, OAEP decryption, DSA low-nonce recovery, incomplete-d brute force, and RS256 JWT signing.
Next event, it's a parameter paste away instead of a script from scratch.
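The crib-drag module mentioned here is the same idea behind Crypto 1 and Crypto 6: once two messages share a keystream, XORing the ciphertexts cancels the key and leaves the XOR of the two plaintexts, so a guessed fragment of one message reads out the other. The block below is an added, self-contained demonstration written for this retrospective, not the toolkit's own code. The keystream and the two "manifest" plaintexts are constructed so the recovery can be checked end to end.

```python
import hashlib
from typing import List, Tuple

# Constructed sample data. The keystream is derived deterministically so the
# demo is reproducible; in a real two-time pad case the plaintexts are unknown.
KEYSTREAM = hashlib.sha256(b"constructed demo keystream").digest()  # 32 bytes
P1 = b"MANIFEST 0413: PALLET 27 TO DOCK"
P2 = b"MANIFEST 0414: DRONE BAY SEALED"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """One-time-pad style encryption; secure only if the keystream is never reused."""
    return xor_bytes(plaintext, keystream)


C1 = encrypt(P1, KEYSTREAM)
C2 = encrypt(P2, KEYSTREAM)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a guessed plaintext fragment across c1 XOR c2.

    Because c1 ^ c2 == p1 ^ p2, XORing the crib in at the right offset reveals
    the bytes of the *other* message at that position. Offsets where the result
    is all printable ASCII are returned as candidates; the rest are discarded.
    """
    diff = xor_bytes(c1, c2)
    hits = []
    for offset in range(len(diff) - len(crib) + 1):
        window = diff[offset:offset + len(crib)]
        candidate = xor_bytes(window, crib)
        if all(32 <= byte < 127 for byte in candidate):
            hits.append((offset, candidate))
    return hits


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Once a stretch of plaintext is known, the keystream for that stretch is c ^ p."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)


def recover_other_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Full recovery: known p1 gives the keystream, which decrypts c2."""
    keystream = recover_keystream(c1, known_p1, 0)
    return xor_bytes(c2, keystream)


if __name__ == "__main__":
    # Both manifests start with the same header word, so the crib lands at offset 0
    # and reads back as itself; a crib from the middle of P2 reveals P1 at that spot.
    for crib in (b"MANIFEST", b"DRONE"):
        print(crib, "->", crib_drag(C1, C2, crib))
    print("recovered:", recover_other_message(C1, C2, P1))
```

The printable filter is the crude heuristic the technique relies on; in practice each hit is a hypothesis to extend by hand, guessing the next word and dragging again. The mitigation side is equally plain: a stream keystream (or an AES-CBC key/IV pair, as in Crypto 4) is single-use, and any scheme that lets two messages share one is already broken regardless of key length.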
Final Thoughts
The WHAMazon! event was well-constructed. The cross-challenge recon chain in the web category showed real design intentionality: the robots.txt from challenge 1 was still paying dividends in challenge 5. The crypto category had a satisfying difficulty curve, with XOR in CyberChef at one end and two-time pad with known-plaintext recovery at the other.
Good event. Good workers freed. WHAM-9000 has been contained.
For now.