# picoCTF2018

[TOC]

## General Skills

### General Warmup 1

**Description:**
:::warning
If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?
:::

**Solution:**
```python=
print(chr(0x41))
```

**Output:**
```
A
```

**flag:**
```
picoCTF{A}
```

### General Warmup 2

**Description:**
:::warning
Can you convert the number 27 (base 10) to binary (base 2)?
:::

**Solution:**
```python=
print(format(27,'b'))
```

**Output:**
```
11011
```

**flag:**
```
picoCTF{11011}
```

### General Warmup 3

**Description:**
:::warning
What is 0x3D (base 16) in decimal (base 10).
:::

**Solution:**
```python=
print(0x3D)
```

**Output:**
```
61
```

**flag:**
```
picoCTF{61}
```

### pipe

**Description:**
:::warning
During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell.picoctf.com 44310.
:::

**Solution:**
After connecting with nc, the service prints a flood of strings; use a pipe (`|`) to filter them.
```
nc 2018shell.picoctf.com 44310 | grep picoCTF
```

**flag:**
```
picoCTF{almost_like_mario_a13e5b27}
```

### Resources

**Description:**
:::warning
We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources ([link](https://picoctf.com/resources))
:::

**Solution:**
The flag is right there on the website.

**flag:**
```
picoCTF{xiexie_ni_lai_zheli}
```

### grep 1

**Description:**
:::warning
Can you find the flag in [file](https://2018shell.picoctf.com/static/7216e49d925b623c5d2cf9d141a6e180/file)? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_2_ee2b29d2f2b29c65db957609a3543418 on the shell server.
:::

**Solution:**
```shell=
grep "picoCTF" file
```

**Output:**
```
picoCTF{grep_and_you_will_find_42783683}
```

**flag:**
```
picoCTF{grep_and_you_will_find_42783683}
```

### net cat

**Description:**
:::warning
Using netcat (nc) will be a necessity throughout your adventure.
Can you connect to 2018shell.picoctf.com at port 49387 to get the flag?
:::

**Solution:**
Connecting with nc returns the flag.

**flag:**
```
picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}
```

### strings

**Description:**
:::warning
Can you find the flag in this [file](https://2018shell.picoctf.com/static/e78981e684a62559baaef12a27f0e918/strings) without actually running it? You can also find the file in /problems/strings_0_bf57524acf558aca2081eb97ece8e2ee on the shell server.
:::

**Solution:**
```shell=
strings strings | grep "picoCTF"
```

**Output:**
```
picoCTF{sTrIngS_sAVeS_Time_c09b1444}
```

**flag:**
```
picoCTF{sTrIngS_sAVeS_Time_c09b1444}
```

### grep2

**Description:**
:::warning
This one is a little bit harder. Can you find the flag in /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files on the shell server? Remember, grep is your friend.
:::

**Solution:**
This challenge requires the shell provided on the website. `cd` to /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files and you will see many directories.
```shell
grep "picoCTF" * -r
```
`*` selects every file and directory in the current directory.
`-r` makes grep recurse into all subdirectories.

**Output:**
```
picoCTF{grep_r_and_you_will_find_4baaece4}
```

**flag:**
```
picoCTF{grep_r_and_you_will_find_4baaece4}
```

## Reversing

### Reversing Warmup 1

**Description:**
:::warning
Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_0_f99f89de33522c93964bdec49fb2b838 on the shell server and run this [program](https://2018shell.picoctf.com/static/643ccb349b71e477f6719652ed977857/run) to retrieve the flag?
:::

**Solution:**
```shell=
strings run | grep "picoCTF"
```

**Output:**
```
picoCTF{welc0m3_t0_r3VeRs1nG}
```

**flag:**
```
picoCTF{welc0m3_t0_r3VeRs1nG}
```

### Reversing Warmup 2

**Description:**
:::warning
Can you decode the following string dGg0dF93NHNfczFtcEwz from base64 format to ASCII?
:::

**Solution:**
```python=
import base64

# b64decode returns bytes, hence the b'...' in the output
print(base64.b64decode('dGg0dF93NHNfczFtcEwz'))
```

**Output:**
```
b'th4t_w4s_s1mpL3'
```

**flag:**
```
picoCTF{th4t_w4s_s1mpL3}
```

## Crypto

### Crypto Warmup 1

**Description:**
:::warning
Crypto can often be done by hand, here's a message you got from a friend, `llkjmlmpadkkc` with the key of `thisisalilkey`. Can you use this [table](https://2018shell.picoctf.com/static/43f28853477d7b2ed52e0efbfb04dff7/table.txt) to solve it?.
:::

**Solution:**
```
The ciphertext is `llkjmlmpadkkc` and the key is `thisisalilkey`
In the table, find the ciphertext letter in the key letter's column and read off which entry it corresponds to
For example, for the first letter, look up `l` in column `t`; the corresponding letter is `s`
```
![](https://i.imgur.com/8N2K5AT.png)

**flag:**
```
picoCTF{SECRETMESSAGE}
```

### Crypto Warmup 2

**Description:**
:::warning
Cryptography doesn't have to be complicated, have you ever heard of something called rot13? cvpbPGS{guvf_vf_pelcgb!}
:::

**Solution:**
```python=
import codecs

# ROT13 is its own inverse, so encoding the ciphertext decodes it
rot13 = lambda s: codecs.getencoder("rot-13")(s)[0]
print(rot13("cvpbPGS{guvf_vf_pelcgb!}"))
```

**Output:**
```
picoCTF{this_is_crypto!}
```

### HEEEEEEERE'S Johnny!

**Description:**
:::warning
Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 42165. Files can be found here: [passwd](https://2018shell.picoctf.com/static/0cae99a3ebd7de5e0547e1ff8da980a0/passwd) [shadow](https://2018shell.picoctf.com/static/0cae99a3ebd7de5e0547e1ff8da980a0/shadow)
:::

**Solution:**
Use John the Ripper to brute-force the password.
```
unshadow passwd shadow > crack
john crack
```
Once the password is recovered, connect with nc and enter `root` and the recovered password to get the flag.

**flag**
```
picoCTF{J0hn_1$_R1pp3d_5f9a67aa}
```
[John the Ripper](https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/)

### caesar cipher 1

**Description:**
:::warning
This is one of the older ciphers in the books, can you decrypt the [message](https://2018shell.picoctf.com/static/9c305b1460312c3bcfc6dd5741990c26/ciphertext)? You can find the ciphertext in /problems/caesar-cipher-1\_3\_160978e2a142244574bd048623dba1ed on the shell server.
:::

**Solution:**
```
Opening the file shows picoCTF{grpqxdllaliazxbpxozfmebotlvlicmr}
Take grpqxdllaliazxbpxozfmebotlvlicmr and decrypt it
A tool decodes it to justagoodoldcaesarcipherwoyolfpu
```
[Caesar cipher tool](https://planetcalc.com/1434/)

**flag:**
```
picoCTF{justagoodoldcaesarcipherwoyolfpu}
```

## Forensics

### Forensics Warmup 1

**Description:**
:::warning
Can you unzip this [file](https://2018shell.picoctf.com/static/d6487f8e2cbbb28b5168b512f0ac0710/flag.zip) for me and retrieve the flag?
:::

**Solution:**
```
Unzip the archive and open the image to see the flag
```

**flag:**
```
picoCTF{welcome_to_forensics}
```

### Forensics Warmup 1

**Description:**
:::warning
Hmm for some reason I can't open this PNG? Any ideas?
:::

**Solution:**
```
Checking the file with file flag.png shows that it is actually a JPG
Changing the extension to .jpg is enough
```

**flag:**
```
picoCTF{extensions_are_a_lie}
```

### Desrouleaux

**Description:**
:::warning
Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 63299. [incidents.json](https://2018shell.picoctf.com/static/eddbe63bba72a01be6c7c5aba03807bd/incidents.json)

Note: the file can be fetched with `wget --no-check-certificate <URL>` (this skips TLS certificate verification).
:::

**Solution:**
```
After connecting, answer three questions
Question 1: which src_ip appears most often?
Question 2: how many distinct dst_ip values did the src_ip named in the question connect to?
Question 3: output the number of dst_ip entries (duplicates counted) divided by the number of distinct file_hash values (duplicates not counted), to two decimal places
```

**flag:**
```
picoCTF{J4y_s0n_d3rUUUULo_23fa6fa6}
```

### Reading Between the Eyes

**Description:**
:::warning
Stego-Saurus hid a message for you in this [image](https://2018shell.picoctf.com/static/59811365384f3eb42378c825101bdfb2/husky.png), can you retrieve it?
:::

**Solution:**
```
Scan the image with zsteg to see the flag
```

**flag:**
```
picoCTF{r34d1ng_b37w33n_7h3_by73s}
```

**Note:**
[zsteg overview & installation](https://github.com/zed-0xff/zsteg)

### Recovering From the Snap

**Description:**
:::warning
There used to be a bunch of [animals](https://2018shell.picoctf.com/static/59cd22a161127c4924bbfdc9f25aa4b8/animals.dd) here, what did Dr. Xernon do to them?
:::

**Solution:**
```
A first binwalk scan shows that the file is made up of several JPEG images
Then run binwalk -D 'jpeg image:jpeg' animals.dd
to carve out the images; one of them contains the flag
```

**flag:**
```
picoCTF{th3_5n4p_happ3n3d}
```

### admin panel

**Description:**
:::warning
We captured some [traffic](https://2018shell.picoctf.com/static/4b72ffeae766b0102106eabfe6be90b1/data.pcap) logging into the admin panel, can you find the password?
:::

**Solution:**
```
Opening the capture in Wireshark shows a login in progress
On the first login the system responds that you must log in as admin to get the flag
So the user logs out, logs in again as admin, and the flag can be found there
```
![](https://i.imgur.com/mHzJsLB.png)

**flag:**
```
picoCTF{n0ts3cur3_9feedfbc}
```

### hex editor

**Description:**
:::warning
This [cat](https://2018shell.picoctf.com/static/8bf13e0b1ce613af3b79223abb8f8d6d/hex_editor.jpg) has a secret to teach you.
:::

**Solution:**
```
Run strings over the file to get the flag
```

**flag:**
```
picoCTF{and_thats_how_u_edit_hex_kittos_22C1d865}
```

### Truly an Artist

**Description:**
:::warning
Can you help us find the flag in this [Meta-Material](https://2018shell.picoctf.com/static/a386ed9a7534702173762cf536dce121/2018.png)?
:::

**Solution:**
```
Run strings over the file to get the flag (can also be combined with grep)
```

**flag:**
```
picoCTF{look_in_image_7e31505f}
```

## Web

### Client Side is Still Bad

**Description:**
:::warning
I forgot my password again, but this time there doesn't seem to be a reset, can you help me? [link](http://2018shell.picoctf.com:8930)
:::

**Solution:**
```
Open the developer tools (F12) and piece the flag together
```

**flag:**
```
picoCTF{client_is_bad_d0ebbd}
```

### Inspect Me

**Description:**
:::warning
Inspect this code! http://2018shell.picoctf.com:47428 ([link](http://2018shell.picoctf.com:47428))
:::

**Solution:**
```
Collect the parts of the flag from the .html and .css files
```

**flag:**
```
picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}
```

### Irish Name Repo

**Description:**
:::warning
There is a website running at [(link)](http://2018shell.picoctf.com:28402/). Do you think you can log us in? Try to see if you can login!
:::

**Solution:**
Go to Admin login and use SQL injection to bypass the password check.
→ Enter `' or 1=1 --` in the Username field.
After logging in, the flag is shown.

**flag:**
```
picoCTF{con4n_r3411y_1snt_1r1sh_f58843c5}
```

### Logon

**Description:**
:::warning
I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. [link](http://2018shell.picoctf.com:57252/)
:::

**Solution:**
Any username and password will log in. After logging in, open the developer tools (F12) and look at the cookies.
The `admin` cookie has the value `False`; change `False` to `True` and reload the page to get the flag.

**flag:**
```
picoCTF{l0g1ns_ar3nt_r34l_2a968c11}
```

### No Login

**Description:**
:::warning
Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. [link](http://2018shell.picoctf.com:39670/)
:::

**Solution:**
```
Add a cookie named admin with the value true
Click the Flag button to get the flag
```

**flag:**
```
picoCTF{n0l0g0n_n0_pr0bl3m_50e16a5c}
```

### Secret Agent

**Description:**
:::warning
Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. [link](http://2018shell.picoctf.com:60372/)
:::

**Solution:**
```
Change the User-Agent header to Googlebot's (shown below)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Send the request to see the flag
```

**flag:**
```
picoCTF{s3cr3t_ag3nt_m4n_dc320c11}
```

Note:
[googlebot](https://support.google.com/webmasters/answer/1061943?hl=zh-Hant)

### Buttons

**Description:**
:::warning
There is a website running at [link](http://2018shell.picoctf.com:65107/). Try to see if you can push their buttons.
:::

**Solution:**
```
Inspecting the two buttons shows that the second one is waiting for a POST request
→ Change that button's request method from GET to POST and send it to see the flag
```
![](https://i.imgur.com/Xr3IlSm.jpg)

**flag:**
```
picoCTF{button_button_whose_got_the_button_91f6f39a}
```

### Mr. Robots

**Description:**
:::warning
Do you see the same things I see? The glimpses of the flag hidden away?
`http://2018shell.picoctf.com:15298` ([link](http://2018shell.picoctf.com:15298/))
:::

**Solution:**
Since the hint is robots, go straight to http://2018shell.picoctf.com:15298/robots.txt, which contains:
```
User-agent: *
Disallow: /c4075.html
```
Then go directly to http://2018shell.picoctf.com:15298/c4075.html

**flag:**
```
picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_c4075}
```

###### tags: `picoCTF` `InformationSecurity`
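
For Crypto Warmup 1 and caesar cipher 1 above, the table lookup and the online tool can be replaced by one routine, since a Caesar cipher is a Vigenère cipher with a one-letter key. This is an added example, not part of the original write-up; the crib word `caesar` used to pick the right shift is an assumption.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Subtract each key letter from the matching ciphertext letter (mod 26).

    This is the arithmetic form of the table lookup: find the ciphertext
    letter in the key letter's column and read off the row label.
    """
    out = []
    for i, ch in enumerate(ciphertext):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
    return "".join(out)


def caesar_candidates(ciphertext: str) -> dict:
    """Caesar is Vigenere with a one-letter key, so try all 26 keys."""
    return {k: vigenere_decrypt(ciphertext, k) for k in ALPHABET}


def best_caesar(ciphertext: str, crib: str) -> tuple:
    """Return (key letter, plaintext) for the shift whose output has the crib."""
    for k, plaintext in caesar_candidates(ciphertext).items():
        if crib in plaintext:
            return k, plaintext
    raise ValueError("crib not found in any shift")


if __name__ == "__main__":
    # Ciphertexts and key are the ones quoted in the two challenges.
    print(vigenere_decrypt("llkjmlmpadkkc", "thisisalilkey").upper())
    print(best_caesar("grpqxdllaliazxbpxozfmebotlvlicmr", "caesar"))
```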
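
For Desrouleaux above, the three questions can be answered with a few lines over the ticket list. This is an added example, not part of the original write-up: the records are constructed, and the top-level `tickets` wrapper is an assumed layout; only the field names `src_ip`, `dst_ip` and `file_hash` come from the solution text.

```python
import json
from collections import Counter

# Constructed sample. The "tickets" wrapper is an assumed layout; the
# addresses are documentation ranges and the hashes are placeholders.
SAMPLE = json.loads("""
{"tickets": [
 {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.1", "file_hash": "aaaa"},
 {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.2", "file_hash": "bbbb"},
 {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.1", "file_hash": "aaaa"},
 {"src_ip": "192.0.2.20", "dst_ip": "198.51.100.3", "file_hash": "cccc"},
 {"src_ip": "192.0.2.30", "dst_ip": "198.51.100.2", "file_hash": "bbbb"}
]}
""")["tickets"]


def most_common_src(tickets):
    """Question 1: src_ip seen in the most tickets (all of them on a tie)."""
    counts = Counter(t["src_ip"] for t in tickets)
    top = max(counts.values())
    return sorted(ip for ip, n in counts.items() if n == top)


def distinct_dst_for(tickets, src_ip):
    """Question 2: number of different dst_ip values contacted by src_ip."""
    return len({t["dst_ip"] for t in tickets if t["src_ip"] == src_ip})


def dst_per_hash(tickets):
    """Question 3 as the write-up computes it: every dst_ip entry (duplicates
    counted) divided by the number of distinct file_hash values, 2 decimals."""
    hashes = {t["file_hash"] for t in tickets}
    return f"{len(tickets) / len(hashes):.2f}"


if __name__ == "__main__":
    print(most_common_src(SAMPLE))
    print(distinct_dst_for(SAMPLE, "192.0.2.10"))
    print(dst_per_hash(SAMPLE))
```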
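
For Irish Name Repo above, the `' or 1=1 --` input works only when the login query is assembled by string concatenation. This added example (not the challenge's server code, which the write-up does not show) puts that weak form next to a parameterized query; the table, column names and credentials are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's user store.
    The password is stored in plaintext only to keep the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db, username, password):
    """Weak form: user input is pasted into the SQL text, so a quote in the
    username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_param(db, username, password):
    """Corrected form: placeholders keep input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"  # the input quoted in the write-up
    print("concatenated:", login_concat(db, payload, "x"))
    print("parameterized:", login_param(db, payload, "x"))
    print("valid login:", login_param(db, "admin", "constructed-secret"))
```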
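
Logon and No Login above both succeed because the server believes an `admin` cookie that the browser controls. This added example (not the challenges' code) shows that check next to one where the role is bound to the session with an HMAC tag; `SERVER_KEY`, the `session` cookie name and its `user|admin|tag` layout are assumptions, and usernames are assumed not to contain `|`.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret


def is_admin_naive(cookies):
    """Weak form: believes whatever the browser sends in the admin cookie."""
    return cookies.get("admin", "").lower() == "true"


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, admin):
    """Server side: bind the role to the user with an HMAC tag."""
    payload = f"{user}|{int(admin)}"
    return f"{payload}|{_tag(payload)}"


def is_admin_signed(cookies):
    """Corrected form: the role counts only if the tag verifies."""
    try:
        user, admin, tag = cookies.get("session", "").split("|")
    except ValueError:
        return False  # missing or malformed cookie
    expected = _tag(f"{user}|{admin}")
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(tag.encode(), expected.encode()) and admin == "1"


if __name__ == "__main__":
    guest = issue_session("guest", admin=False)
    edited = guest.replace("guest|0", "guest|1")  # role flipped client-side
    print("naive, edited cookie:", is_admin_naive({"admin": "True"}))
    print("signed, edited cookie:", is_admin_signed({"session": edited}))
    print("signed, real admin:", is_admin_signed(
        {"session": issue_session("root", admin=True)}))
```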