Hello guys, I just wanted to share with you a few challenges (2-3) from picoCTF 2024 that had few solves because of how hard they were.

GENERAL CATEGORY

DESCRIPTION

This challenge was all about shell escape and finding a flag. It seems simple, but it actually took me 2 1/2 days of solving before I got the flag. As shell escapes go, this one was unique because you were supposed to use numbers and symbols to move around and play with the terminal until you get the flag.

SOLUTION

I started the instance and was given more information about the challenge, such as the SSH password and how to connect via SSH.

My first approach to finding which characters were useful here was to start pressing the special characters on my keyboard, and I found that a few were allowed.

After learning that '.', '/', '?' and '~' are allowed, I started digging deeper to see what else this command can do, because

'./*' = it prints the contents of the working directory

So the first command gave me something that helped me think about my next move. Then I tried adding more arguments to my first command:

SansAlpha$ ./*/*
bash: ./blargh/flag.txt: Permission denied

SansAlpha$  

Now I have reached the flag, but damn, it gave me permission denied; it seems I can't access the flag.

After learning the location of the flag, I decided to move on and try '~', because we all know that '~' always prints or takes us to the working directory, so I decided to test whether my theory was true with this.

SansAlpha$ ~/*
bash: /home/ctf-player/blargh: Is a directory

SansAlpha$ ~/*/*
bash: /home/ctf-player/blargh/flag.txt: Permission denied

SansAlpha$  

As you can see, I managed to reach the same point by just adding another argument. Here I was enjoying myself because I was able to move around in this restricted terminal. Now let's find a way to execute the flag or bypass the permission denied.

After spending more time, I found myself within the '/bin' directory.

Now I tried every special character I had together with '?'. I tried this because I remembered that, when I was learning how to configure routers and switches in networking, you can use '?' as a help menu to tell you which command should come next or even what options you have with your command (that was my idea at that time).

SansAlpha$ //*/??
//bin/ar: invalid option -- '/'

This command gave me the output above.

Solving this challenge was a real pain, so let me keep it short here. If you want more details about it, you can ping me anywhere you know you can find me.

N/B: After some time I found that I can execute the command with bin/base64, but base64 contains characters and characters are disabled, so I found that you can use [!_]64 as base64 to execute the flag.

Flag: picoCTF{7h15_mu171v3r53_15_m4dn355_640b6add}

That one was 2 1/2 days solving a single challenge LOL
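The globbing behaviour behind the outputs in this section, as an added example that is not part of the original write-up: letter-free patterns pass a no-letters input filter and still expand to concrete paths, and the shell runs the first expanded word as the command, which is why `//*/??` ended up invoking `ar`. The sandbox layout and the function names are assumptions constructed to mirror the paths shown above.

```sh
#!/bin/sh
LC_ALL=C; export LC_ALL   # fixed sort order for glob results

# Constructed sandbox; the names mirror the paths seen in the write-up.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/home/blargh"
    for f in ar ls cat base32 base64; do : > "$root/bin/$f"; done
    : > "$root/home/blargh/flag.txt"
    printf '%s\n' "$root"
}

# True when the input would pass a filter that rejects every letter.
letter_free() {
    case $1 in *[A-Za-z]*) return 1 ;; *) return 0 ;; esac
}

# Expand a pattern inside the sandbox and return the resulting words.
# The shell treats the first word as the command and the rest as arguments.
expand_in() {
    ( cd "$1" && set -- $2 && printf '%s' "$*" )
}

demo() {
    root=$(make_sandbox) || return 1
    # '?' is any one character; '[!_]' is any one character except '_'.
    for pat in '*/??' '*/????64' '*/[!_][!_][!_][!_]64' '*/*/*.*'; do
        letter_free "$pat" &&
            printf '%-24s -> %s\n' "$pat" "$(expand_in "$root" "$pat")"
    done
    rm -rf "$root"
}
demo
```

A filter on typed characters never sees the expanded words, so confining a shell this way also needs globbing disabled or an allow-list of commands.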

FORENSIC CATEGORY

DESCRIPTION

SOLUTION

The challenge was an easy one, but you have to spend more time with it as a forensic investigator, checking every corner and every angle. When I was solving this challenge it had only 130 solves globally. But it was really easy; I can't imagine why I solved it within 2 days.

Let's start solving it. Download the disk image first and unzip it. It is always recommended to extract a Linux disk image within a /tmp directory; I am not an examiner, but that is what is recommended most.

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ unzip disk.flag.img.gz 
Archive:  disk.flag.img.gz
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of disk.flag.img.gz or
        disk.flag.img.gz.zip, and cannot find disk.flag.img.gz.ZIP, period.
                                                                                                                                                                                                                                              
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ gunzip disk.flag.img.gz
                                                                                                                                                                                                                                              
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ ls
disk.flag.img
             

N/B: With a disk image there are many tools to use; I am going to start with a command-line tool.

I started by checking the partitions of the disk image first:

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ mmls disk.flag.img 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000616447   0000614400   Linux (0x83)
003:  000:001   0000616448   0001140735   0000524288   Linux Swap / Solaris x86 (0x82)
004:  000:002   0001140736   0002097151   0000956416   Linux (0x83)

Now I started checking one partition at a time, much more carefully:

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ fls -o 0000002048 disk.flag.img   
d/d 11: lost+found
r/r 13: ldlinux.sys
r/r 14: ldlinux.c32
r/r 16: config-virt
r/r 17: vmlinuz-virt
r/r 18: initramfs-virt
l/l 19: boot
r/r 21: libutil.c32
r/r 20: extlinux.conf
r/r 22: libcom32.c32
r/r 23: mboot.c32
r/r 24: menu.c32
r/r 15: System.map-virt
r/r 25: vesamenu.c32
V/V 76913:      $OrphanFiles
                                                                                                                                                                                                                                              
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ fls -o 0001140736 disk.flag.img 
d/d 32513:      home
d/d 11: lost+found
d/d 32385:      boot
d/d 64769:      etc
d/d 32386:      proc
d/d 13: dev
d/d 32387:      tmp
d/d 14: lib
d/d 32388:      var
d/d 21: usr
d/d 32393:      bin
d/d 32395:      sbin
d/d 32539:      media
d/d 203:        mnt
d/d 32543:      opt
d/d 204:        root
d/d 32544:      run
d/d 205:        srv
d/d 32545:      sys
d/d 32530:      swap
V/V 119417:     $OrphanFiles
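
The partition-by-partition walk above can be scripted, as an added example that is not part of the original write-up: it parses the `mmls` table shown earlier, skips the swap and unallocated rows, and prints a recursive `fls` command plus the byte offset a read-only loop mount would need for each filesystem. The function names and the `/mnt/part` mount point are assumptions.

```sh
#!/bin/sh
# mmls output copied from the session above.
mmls_sample() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000616447   0000614400   Linux (0x83)
003:  000:001   0000616448   0001140735   0000524288   Linux Swap / Solaris x86 (0x82)
004:  000:002   0001140736   0002097151   0000956416   Linux (0x83)
EOF
}

# Read mmls output on stdin; print "start_sector byte_offset" for each
# allocated, non-swap partition.
fs_partitions() {
    awk '
        /^Units are in/ { split($4, u, "-"); sector = u[1] + 0 }
        # Allocated partitions have a slot of the form NNN:NNN.
        $2 ~ /^[0-9]+:[0-9]+$/ && $0 !~ /Swap/ {
            start = $3 + 0
            printf "%d %d\n", start, start * sector
        }'
}

# Print (not run) the commands to walk every filesystem: fls takes the
# offset in sectors, a loop mount takes it in bytes.
walk_commands() {
    fs_partitions | while read -r start bytes; do
        printf 'fls -r -p -o %s %s\n' "$start" "$1"
        printf 'mount -o ro,loop,offset=%s %s /mnt/part\n' "$bytes" "$1"
    done
}

mmls_sample | walk_commands disk.flag.img
```

Piping the recursive `fls -r -p` listing through `grep` gives a command-line file-name search across the whole partition.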

N/B: On the first day with this challenge I didn't get anything. I tried everything and looked in every corner but couldn't get anything (I even cracked the root password and tried to log in with SSH, but got nothing), and then I shifted from the command-line tool to a GUI tool known as Autopsy.

There are a few details you need to set up before starting to use the tool.

I have already set up all the details, such as case number, image location and so on.

Now, after some time moving around this tool, I tried to search for a '.txt' pattern because I saw it earlier with the command-line tool.

Now if we take a close look at this file pattern we can see a 'pic', and we know that our flag starts with 'pico'.

Follow the pattern now

Now try to join the pieces and follow the pattern; finally the flag was

Flag: picoCTF{1_533_n4m35_80d24b30}

N/B: The rest of the forensic and general category challenges were a piece of cake, that's why they had many solves and is the reason I haven't even bothered making write-ups for them; it was just basic skills in Linux and forensics.