PicoCTF 2023 - HackMD

# PicoCTF 2023 :::spoiler [TOC] ::: ## Crypto ### HideToSee #### Recon 這一題比較像是Misc題目，比賽的時候想了很久都沒進展，賽後看了[write up](https://github.com/DanArmor/picoCTF-2023-writeup/blob/main/Cryptography/HideToSee/HideToSee.md)才覺得異常簡單，當初應該也是有往這方面想，但沒有用steghide #### Exploit - Steghide + Atbash 1. 先用steghide解密出隱藏的文檔 ```bash $ steghide extract -sf atbash.jpg ``` 2. 用[online tool](https://www.dcode.fr/atbash-cipher)解密 ![](https://hackmd.io/_uploads/rJQVLEnPn.png) ## Reverse ### Reverse IDA Flag: `picoCTF{3lf_r3v3r5ing_succe55ful_8108250b}` ### Safe Opener 2 Strings search Flag: `picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_ccb5525e}` ### timer Use `mobsf` Flag: `picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}` ### Ready Gladiator 0 - ??? - `picoCTF{h3r0_t0_z3r0_4m1r1gh7_a220a377}` ## Forensics ### hideme Use `binwalk` to observe that it should be a `zip` file. ```bash $ binwalk flag.png DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced 41 0x29 Zlib compressed data, compressed 39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/ 39804 0x9B7C Zip archive data, at least v2.0 to extract, compressed size: 3037, uncompressed size: 3187, name: secret/flag.png 43076 0xA844 End of Zip archive, footer length: 22 ``` Change extension to `zip` file and extract it Flag: ![](https://i.imgur.com/qv72oCB.png) ### PcapPoisoning String Search `pico` Flag: `picoCTF{P64P_4N4L7S1S_SU55355FUL_b1995216}` ### MSB Reference: [CTF-Misc-LSB](https://blog.csdn.net/qq_45163122/article/details/106139952) ![](https://i.imgur.com/TgELyMk.png) Flag was hidden in extracted text file: `picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_c02eeaac}` ### UnforgottenBits(TBD) #### recon ``` asef18766@vmware:~/picoCTF$ file disk.flag.img disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x82, start-CHS (0xc,223,20), end-CHS (0x2d,130,21), startsector 206848, 524288 sectors; partition 3 : ID=0x83, start-CHS (0x2d,130,22), end-CHS (0x82,138,8), startsector 731136, 1366016 sectors ``` * probable corrupted section info ![](https://i.imgur.com/oQKWjVw.png) * just dump file system with `binwalk --dd=".*"`(note since i am too lazy to optimize the command, it may used up all your disk space) * at offset 0x16500000 there is an ext4 file system, you can just open it with 7zip ![](https://i.imgur.com/NqpUYht.png) * there's something under his `/home`, but no clue with it :P ### FindAndOpen(TBD) #### recon * some strings are send directly via raw socket ![](https://i.imgur.com/8TFbDUr.png) * probably some base64 string? but no clue with it :P ``` iBwaWNvQ1RGe1 AABBHHPJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8= PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS PBwaWUvQ1RGe1 ``` ### ReadMyCert Base64 decode the certificate strings Flag: `picoCTF{read_mycert_4448b598}` ### rotation rot-18 Flag: `picoCTF{r0tat1on_d3crypt3d_4a3dcb4c}` ### FindAndOpen - picoCTF{R34DING_LOKd_fil56_succ3ss_419835ef} ### who is it #### Recon Strings search to find IP-liked strings - Sublime ![](https://i.imgur.com/bLe1vs6.png) - `whois 173.249.33.206` - picoCTF{WilhelmZwalina} ### UnforgottenBits ``` yone$ cat irclogs/**/*.log [08:12] <yone786> Ok, let me give you the keys for the light. [08:12] <avidreader13> I’m ready. [08:15] <yone786> First it’s steghide. [08:15] <yone786> Use password: akalibardzyratrundle [08:16] <avidreader13> Huh, is that a different language? [08:18] <yone786> Not really, don’t worry about it. [08:18] <yone786> The next is the encryption. Use openssl, AES, cbc. [08:19] <yone786> salt=0f3fa17eeacd53a9 key=58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 iv=7a12fd4dc1898efcd997a1b9496e7591 [08:19] <avidreader13> Damn! Ever heard of passphrases? [08:19] <yone786> Don’t trust em. I seed my crypto keys with uuids. [08:20] <avidreader13> Ok, I get it, you’re paranoid. [08:20] <avidreader13> But I have no idea if that would work. [08:21] <yone786> Haha, I’m not paranoid. I know you’re not a good hacker dude. [08:21] <avidreader13> Is there a better way? [08:22] * yone786 yawns. [08:24] <yone786> You’re ok at hacking. I’m good at writing code and using it [08:24] <avidreader13> What language are you writing in? [08:26] <yone786> C [08:26] <avidreader13> Oh, I see. [08:26] <yone786> I’m glad you like it. I’m sure you wouldn’t understand half of what I was doing. [08:28] <avidreader13> I understand enough, but I do wish you wouldn’t take so much time with it. [08:28] <yone786> Sorry. Well, I wish you could learn some things. [08:29] <avidreader13> But it’s an incredible amount of time you spend on it. [08:29] <yone786> Haha, don’t take it like that. ``` ``` one$ cat notes/*.txt chizazerite guldulheen I keep forgetting this, but it starts like: yasuoaatrox... ``` ``` alene2# cat .lynx/browsing-history.log www.google.com https://www.google.com/search?q=number+encodings&source=hp&ei=WeC9Y77KJ_iwqtsP0sGu6A0&iflsig=AK50M_UAAAAAY73uaRxDkbHRUH8jn4OVhOgM8riUqvVI&ved=0ahUKEwj-2r_EgL78AhV4mGoFHdKgC90Q4dUDCAk&uact=5&oq=number+encodings&gs_lcp=Cgdnd3Mtd2l6EAMyBggAEBYQHjIFCAAQhgMyBQgAEIYDMgUIABCGAzIFCAAQhgM6DgguEIAEELEDEIMBENQCOgsIABCABBCxAxCDAToRCC4QgAQQsQMQgwEQxwEQ0QM6CAgAELEDEIMBOgsILhCABBCxAxCDAToFCAAQgAQ6CAgAEIAEELEDOggILhCABBDUAjoHCAAQgAQQCjoHCC4QgAQQClAAWI0VYPAXaABwAHgDgAHDA4gB-iKSAQkwLjMuNS40LjOYAQCgAQE&sclient=gws-wiz https://en.wikipedia.org/wiki/Church_encoding https://cs.lmu.edu/~ray/notes/numenc/ https://www.wikiwand.com/en/Golden_ratio_base ``` - 解 /home/yone/gallery/bmp - `steghide --extract -sf 7.bmp` `openssl enc -d -aes-256-cbc -pbkdf2 -iv 7a12fd4dc1898efcd997a1b9496e7591 -S 0f3fa17eeacd53a9 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 -in les-mis.txt.enc -out ccc ` ## General Skill ### money-ware Chat-GPT is your friend Obviously is not `Ransomware`, so I asked the variant type of `Ransomware`. ``` 有沒有甚麼電腦病毒是ransomware的變形 >是的，還有其他的ransomware變形，以下是一些例子： Scareware: Scareware是一種偽造的安全軟件，通常被包裝成一個看起來很正常的防病毒軟件或系統工具。一旦安裝，它會顯示虛假的安全警告，告訴受害者他們的電腦被感染了，然後要求他們支付費用以解決問題。如果受害者支付了費用，騙子就會獲得受害者的信用卡資訊，並且沒有提供任何實際的解決方案。 Petya: Petya是一種高度進階的ransomware變形，它使用了一種稱為“全硬盤加密”的技術，這種技術可以將整個硬盤的內容加密，而不僅僅是檔案。此外，Petya可以使用Windows引導管理員功能進行攻擊，這使得它比其他ransomware更加難以檢測和清除。 Jigsaw: Jigsaw是一種具有惡意程式碼的ransomware，它的名字來自電影《肖申克的救贖》中的反派角色。一旦感染，Jigsaw會加密受害者的檔案，並在犧牲第一個檔案後要求贖金。如果受害者不支付，Jigsaw會刪除一些檔案，直到受害者支付為止。這些ransomware變形都是非常危險的，並且可能會導致嚴重的損失。建議使用最新的防病毒軟件和更新的操作系統來防止感染，同時定期備份重要檔案以便在受到攻擊時恢復。 ``` Flag: `picoCTF{Petya}` ### repetitions Just multiple base64 decode... Flag: `picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_a2d1b8b6}` ### Rules 2023 It's kind a web type... Check the page source and just search `picoCTF{` then you got it. Flag: `picoCTF{h34rd_und3r5700d_4ck_cba1c711}` ### chrono Basic linux command skill ```bash! $ ssh -p 63185 picoplayer@saturn.picoctf.net # enter password $ cd /challenge $ cat metadata.json {"flag": "picoCTF{Sch3DUL7NG_T45K3_L1NUX_88865742}", "username": "picoplayer", "password": "lsPTmnodPc"} ``` Flag: `picoCTF{Sch3DUL7NG_T45K3_L1NUX_88865742}` ### Permissions Very similar to `chrono` Flag: `picoCTF{uS1ng_v1m_3dit0r_8a15f6a3}` ### Special ``` Special$ ${0} ${0} $ echo 1 1 $ ls blargh $ pwd /home/ctf-player $ echo $0 sh $ cat ^C $ ls blargh $ cat blargh cat: blargh: Is a directory $ cd bla* $ ls flag.txt $ cat flag.txt picoCTF{5p311ch3ck_15_7h3_w0r57_008cf854}$ Connection to saturn.picoctf.net closed by remote host. ``` ### Specialer - `$ echo "$(<./ala/kazam.txt)"` `picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_58131e2c}` ## Web ### findme - login and observe traffic - and flag is base64-encoded in some redirecting page. - `picoCTF{proxies_all_the_way_48c47a95}` ### MatchTheRegex Observe page source found the `script` tag ```javascript! ... <script> function send_request() { let val = document.getElementById("name").value; // ^p.....F!? fetch(`/flag?input=${val}`) .then(res => res.text()) .then(res => { const res_json = JSON.parse(res); alert(res_json.flag) return false; }) return false; } </script> ... ``` So, we just enter `picoCTF` to match the strings then we got the flag. Flag: ![](https://i.imgur.com/3GVAVfS.png) ### findme The point is observing redirection. Use burp suite to observe every web page after you login. Then you may find something strange such as `id`. ![](https://i.imgur.com/BspkH9M.png) $\to$ `cGljb0NURntwcm94aWVzX2Fs` ![](https://i.imgur.com/SXldvHF.png) $\to$ `bF90aGVfd2F5XzQ4YzQ3YTk1fQ==` And these are base64 encoded string obviously. Flag: `picoCTF{proxies_all_the_way_48c47a95}` ### SOAP - raw XXE injection - picoCTF{XML_3xtern@l_3nt1t1ty_53488905} ### More SQLi - SQLite - `username=&password='or'1'='1'--` ### Java Code Analysis - find JWT secret key: '1234' - sign JWT with role 'Admin' - update self role as 'Admin' since pdf acl get role from DB instead of JWT - relogin to access pdf/5 - picoCTF{w34k_jwt_n0t_g00d_6e5d7df5}