
Unfortunately, we solved this challenge 20 minutes late, but it is still worth sharing the writeup.

The application allowed *basic* users to create a number of subdomains with random names and a fixed length of 8 (i.e. `([a-z0-9]{8})`).

*Pro* users of the application could create shorter subdomains with length >= 3.

Additionally, there was a "bug" in the application that exposed the support ticket functionality to *basic* users. Those tickets were reviewed by the application's Admin, a bot running the latest version of Chrome.

The Admin performed the following checks on the submitted subdomain:

1. `len(subdomain) <= 6`
2. The subdomain resolves to an existing subdomain owned by the user.

The main objective of the challenge was to submit a subdomain with length <= 6 that, when entered in the browser, resolves to a subdomain we own.

We had to "exploit" the size expansion that Unicode characters undergo when Chrome normalizes a URL.

The first and most important step was to fuzz the Unicode range `\u0000 - \uffff` for characters that the browser will "translate" to the ASCII chars we need.

Then, we just had to create a subdomain whose name can be compressed as needed using those characters.
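The gap between the two checks, as an added example that is not part of the original writeup: a length test on the raw input passes a label that grows past the limit once normalized, while a test on the normalized form does not. It assumes NFKC plus case folding as a stand-in for Chrome's hostname mapping; all function names are hypothetical and the sample label is constructed.

```python
import unicodedata

MAX_LEN = 6  # the Admin's length limit, from the writeup
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789")


def browser_form(label: str) -> str:
    """Approximate the label the browser resolves.

    Assumption: NFKC plus case folding stands in for Chrome's
    IDNA mapping; the real mapping tables differ in places.
    """
    return unicodedata.normalize("NFKC", label).casefold()


def naive_check(label: str) -> bool:
    """Length test on the raw input, as the writeup describes it."""
    return len(label) <= MAX_LEN


def hardened_check(label: str) -> bool:
    """Apply charset and length rules to the normalized form instead."""
    norm = browser_form(label)
    return 0 < len(norm) <= MAX_LEN and set(norm) <= ALLOWED


def expansion_map() -> dict:
    """BMP code points whose normalized form is several allowed ASCII chars."""
    found = {}
    for cp in range(0x80, 0x10000):
        if 0xD800 <= cp <= 0xDFFF:  # skip surrogates
            continue
        norm = browser_form(chr(cp))
        if len(norm) > 1 and set(norm) <= ALLOWED:
            found[chr(cp)] = norm
    return found


if __name__ == "__main__":
    sample = "\u3392\u33d2ab"  # constructed input: SQUARE MHZ, SQUARE LOG, "ab"
    print(len(sample), browser_form(sample), len(browser_form(sample)))
    print("naive:", naive_check(sample), "hardened:", hardened_check(sample))
    print("expanding code points found:", len(expansion_map()))
```

A server-side validator should run its rules on the same normalized form the client will resolve, or reject any label that changes under normalization.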

The flag is: `RCTF{GUESS_WHOS_BACK_Kappa}`

Original writeup (https://gist.github.com/rkmylo/e18b87fdbef1022756727e40b5bb5616).