Hello guys, I just wanted to share with you a few (2-3) challenges from picoCTF 2024 that had few solves because of how hard they were.

### GENERAL CATEGORY

![Screenshot 2024-03-27 at 03-10-58 picoCTF - picoGym Challenges](https://hackmd.io/_uploads/SkXZwBWyA.png)

### DESCRIPTION

This challenge was all about escaping a restricted shell and finding the flag. It seems simple, but it actually took me 2 1/2 days of solving until I got the flag. This shell escape was unique because you were only allowed to use numbers and symbols to move around and play with the terminal until you get the flag.

### SOLUTION

I started the instance and was given more information about the challenge, such as the SSH password and how to connect via SSH.

![Screenshot 2024-03-27 at 03-17-50 picoCTF - picoGym Challenges](https://hackmd.io/_uploads/HJxVdS-kA.png)

My first approach to finding out which characters were useful here was to start pressing special characters on my keyboard, and I found that only a few were allowed.

![Screenshot from 2024-03-27 03-20-59](https://hackmd.io/_uploads/BJS-FrZy0.png)

After learning that `.`, `/`, `?` and `~` are allowed, I started digging deeper to see what else this command could do:

```
./*   = it prints the working directory
```

That first command gave me something that helped me think of my next move, so I tried adding more arguments to my first command:

```
SansAlpha$ ./*/*
bash: ./blargh/flag.txt: Permission denied
SansAlpha$
```

Now I had reached the flag, but damn, it gave me permission denied; it seems I can't access the flag. Knowing the location of the flag, I decided to move on and try `~`, since we all know that `~` always prints or takes us to the working directory, so I decided to test whether my theory was true with this:
![Screenshot from 2024-03-27 03-37-37](https://hackmd.io/_uploads/S1502H-10.png)

```
SansAlpha$ ~/*
bash: /home/ctf-player/blargh: Is a directory
SansAlpha$ ~/*/*
bash: /home/ctf-player/blargh/flag.txt: Permission denied
SansAlpha$
```

As you can see, I managed to reach the same point just by adding another argument. Here I was enjoying it, because I was able to move around in this restricted terminal; now let's find a way to execute the flag or bypass the permission denied. After spending more time, I found myself within the `/bin` directory.

![Screenshot from 2024-03-27 03-49-57](https://hackmd.io/_uploads/HJMayUZyA.png)

Now I tried every special character I had together with `?`. I tried this because I remembered, from learning how to configure routers and switches in networking, that you can use `?` as a help menu that tells you which command should come next or even what options you have for your command (that was my idea at the time).

```
SansAlpha$ //*/??
//bin/ar: invalid option -- '/'
```

This command gave me this output:

![Screenshot from 2024-03-27 04-00-22](https://hackmd.io/_uploads/ByWEzUbJR.png)

Solving this challenge was a real pain, so let me keep it short here. If you want more details about it, you can ping me anywhere you know you can find me.
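The errors above come from bash pathname expansion: `*` and `?` resolve to whatever paths exist, and when a word matches several paths the first match becomes the command and the rest become its arguments (which is why `//*/??` ended up running `ar` with an argument it did not expect). That is the reason a symbol-only allowlist does not restrict which programs can be named. The Python block below is an added model of that expansion, not the writeup's own code; the directory tree it builds is constructed to mirror the paths seen in the transcript, with the temp dir standing in for `/`.

```python
import glob
import os
import tempfile

# Constructed stand-in for the challenge box: the temp dir plays the role of
# "/", and home/ctf-player plays both "~" and the working directory.
TREE = ["home/ctf-player/blargh/flag.txt", "bin/ar", "bin/base64", "bin/ls"]
HOME = "home/ctf-player"


def build_tree(root):
    """Create the constructed layout under root (file contents are irrelevant)."""
    for rel in TREE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def expand_word(root, pattern):
    """Model bash pathname expansion of one word: every matching path, in
    sorted order (bash sorts its matches too). The first word becomes the
    command and the rest become its arguments; a pattern with no match is
    left literal, which is why bash then reports it as 'not found'."""
    matches = glob.glob(os.path.join(root, pattern))
    words = sorted(os.path.relpath(m, root) for m in matches)
    if not words:
        return pattern, []
    return words[0], words[1:]


def demo():
    """Replay the writeup's patterns: ./* and ./*/* (same as ~/*/*) run from
    the home directory, and //*/?? run against the root."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        return {
            "./*": expand_word(root, HOME + "/*"),
            "./*/*": expand_word(root, HOME + "/*/*"),
            "//*/??": expand_word(root, "*/??"),
        }


if __name__ == "__main__":
    for pattern, (cmd, args) in demo().items():
        print(f"{pattern:8} -> command={cmd!r} args={args}")
```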
N/B: After some time I found that I could execute the command with `bin/base64`, but `base64` contains letters and letters are disabled, so I found that you can use `[!_]64` as `base64` to execute the flag.

![Screenshot from 2024-03-27 04-15-48](https://hackmd.io/_uploads/r1y0SL-y0.png)

```
Flag: picoCTF{7h15_mu171v3r53_15_m4dn355_640b6add}
```

That one was 2 1/2 days solving a single challenge, LOL.

Resource 1: [resource 1](https://stackoverflow.com/questions/15783701/which-characters-need-to-be-escaped-when-using-bash)

Resource 2: [resource 2](https://www.reddit.com/r/hacking/comments/1bdjg9z/linux_shell_escape_execute_commands_without/)

### FORENSIC CATEGORY

### DESCRIPTION

![Screenshot 2024-03-27 at 04-22-51 picoCTF - picoGym Challenges](https://hackmd.io/_uploads/BJOYw8-yA.png)

### SOLUTION

This challenge was an easy one, but you have to spend more time with it, as a forensic investigator checking every corner and every angle. When I was solving this challenge it had only 130 solves globally, but it was really easy; I couldn't imagine why it took me 2 days to solve it. Let's start solving it. First download the disk image and unzip it. It is always recommended to extract a Linux disk image within a /tmp directory; I am not an examiner, but that is what is recommended most.

```
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ unzip disk.flag.img.gz
Archive:  disk.flag.img.gz
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of disk.flag.img.gz or
        disk.flag.img.gz.zip, and cannot find disk.flag.img.gz.ZIP, period.

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ gunzip disk.flag.img.gz

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ ls
disk.flag.img
```

N/B: With a disk image there are many tools to use; I am going to start with a command-line tool.
I started by checking the partitions in the disk image:

```
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ mmls disk.flag.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000616447   0000614400   Linux (0x83)
003:  000:001   0000616448   0001140735   0000524288   Linux Swap / Solaris x86 (0x82)
004:  000:002   0001140736   0002097151   0000956416   Linux (0x83)
```

Now I started checking one partition at a time, very carefully:

```
┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ fls -o 0000002048 disk.flag.img
d/d 11:	lost+found
r/r 13:	ldlinux.sys
r/r 14:	ldlinux.c32
r/r 16:	config-virt
r/r 17:	vmlinuz-virt
r/r 18:	initramfs-virt
l/l 19:	boot
r/r 21:	libutil.c32
r/r 20:	extlinux.conf
r/r 22:	libcom32.c32
r/r 23:	mboot.c32
r/r 24:	menu.c32
r/r 15:	System.map-virt
r/r 25:	vesamenu.c32
V/V 76913:	$OrphanFiles

┌──(forensic㉿memes-lover)-[/tmp/write-up]
└─$ fls -o 0001140736 disk.flag.img
d/d 32513:	home
d/d 11:	lost+found
d/d 32385:	boot
d/d 64769:	etc
d/d 32386:	proc
d/d 13:	dev
d/d 32387:	tmp
d/d 14:	lib
d/d 32388:	var
d/d 21:	usr
d/d 32393:	bin
d/d 32395:	sbin
d/d 32539:	media
d/d 203:	mnt
d/d 32543:	opt
d/d 204:	root
d/d 32544:	run
d/d 205:	srv
d/d 32545:	sys
d/d 32530:	swap
V/V 119417:	$OrphanFiles
```

N/B: On the first day with this challenge I didn't get anything; I tried everything and looked in every corner but couldn't get anything (I even cracked the root password and tried to log in with SSH, but got nothing). Then I shifted from command-line tools to a GUI tool known as Autopsy.
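The `mmls` table above is what tells you which `-o` offsets to hand to `fls`, and the same numbers (multiplied by the sector size) are what a read-only loop mount needs. The block below is an added example, not part of the writeup, that parses that table, keeps only the Linux filesystem partitions (swap and the partition-table entry are noise for file listing) and derives both the sector offsets and the byte offsets. The `MMLS_OUTPUT` string is a copy of the writeup's own output, embedded so the script runs offline.

```python
import re

# Copy of the mmls output shown in the writeup, embedded as sample input.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000616447   0000614400   Linux (0x83)
003:  000:001   0000616448   0001140735   0000524288   Linux Swap / Solaris x86 (0x82)
004:  000:002   0001140736   0002097151   0000956416   Linux (0x83)
"""

ROW = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, rows). Each row carries start/end/length in sectors,
    byte_offset/byte_length in bytes, and the description column."""
    m = UNITS.search(text)
    sector = int(m.group(1)) if m else 512  # mmls default when the line is absent
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if not r:
            continue
        start, end, length = int(r.group(3)), int(r.group(4)), int(r.group(5))
        # Sanity check: a consistent table has length == end - start + 1.
        assert length == end - start + 1, f"inconsistent row: {line}"
        rows.append({
            "slot": r.group(2), "start": start, "end": end, "length": length,
            "byte_offset": start * sector, "byte_length": length * sector,
            "description": r.group(6).strip(),
        })
    return sector, rows


def filesystem_partitions(text):
    """Only allocated Linux filesystem partitions (type 0x83) are worth
    passing to fls -o <start> or mounting with -o ro,loop,offset=<byte_offset>."""
    _, rows = parse_mmls(text)
    return [r for r in rows if r["description"].startswith("Linux (0x83)")]


def fls_commands(text, image):
    """Build the fls invocations the writeup ran by hand, one per filesystem."""
    return [f"fls -o {r['start']} {image}" for r in filesystem_partitions(text)]
```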
![Screenshot 2024-03-27 at 04-55-58 Autopsy Forensic Browser](https://hackmd.io/_uploads/S14D1wZyR.png)

There are a few details you need to set up before starting to use the tool.

![Screenshot 2024-03-27 at 05-00-20 Create A New Case](https://hackmd.io/_uploads/B1_ReD-kA.png)

I have already set all the case details, such as case number, image location and so on.

![Screenshot 2024-03-27 at 05-04-18 Open Image In pico-writeup host1](https://hackmd.io/_uploads/SkiwWPbkR.png)

After some time moving around in this tool, I tried searching for a `.txt` pattern because I saw it earlier with the command-line tool.

![Firefox_Screenshot_2024-03-27T09-22-59.154Z](https://hackmd.io/_uploads/ByQGDDbkA.png)

Now, if we take a close look at this file pattern, we can see a `pic`, and we know that our flag starts with `pico`.

![Firefox_Screenshot_2024-03-27T09-34-43.749Z](https://hackmd.io/_uploads/rkpidPbkR.png)

Follow the pattern now:

![Firefox_Screenshot_2024-03-27T09-37-36.391Z](https://hackmd.io/_uploads/rJvxtw-JA.png)

![Firefox_Screenshot_2024-03-27T09-38-30.045Z](https://hackmd.io/_uploads/H1FmYwZJ0.png)

Now try to join and follow the pattern; finally, the flag was:

```
Flag: picoCTF{1_533_n4m35_80d24b30}
```

N/B: The rest of the forensic and general categories were a piece of cake; that's why they had many solves, and it is the reason I haven't bothered even trying to write them up. They just needed basic Linux and forensic skills.
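The keyword search done in Autopsy above can be reproduced on the raw image from the command line. The block below is an added example, not from the writeup: it carves anything matching the `picoCTF{...}` flag format from an image read in fixed-size chunks, keeping an overlap between chunks so a flag that straddles a chunk boundary is still found and reported only once. The sample image bytes are constructed, with the writeup's flag reused as the sample value.

```python
import io
import re

FLAG_RE = re.compile(rb"picoCTF\{[^{}\x00-\x1f]{1,200}\}")  # max match 209 bytes
CHUNK = 4096
OVERLAP = 256  # must be >= longest possible match - 1

# Constructed image: filler, one flag straddling the first chunk boundary,
# more filler, then a second copy prefixed the way a text file might store it.
FLAG = b"picoCTF{1_533_n4m35_80d24b30}"
SAMPLE_IMAGE = (b"\x00" * (CHUNK - 10) + FLAG + b"\xff" * 500
                + b"flag: " + FLAG + b"\x00" * 100)


def carve(stream, chunk_size=CHUNK, overlap=OVERLAP):
    """Yield (absolute_offset, match) for every flag-shaped string in stream.
    The tail of each buffer is carried into the next one so boundary-spanning
    matches are seen whole; offsets already reported are suppressed."""
    seen = set()
    tail = b""
    pos = 0  # absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in FLAG_RE.finditer(buf):
            off = pos + m.start()
            if off not in seen:
                seen.add(off)
                yield off, m.group(0)
        keep = min(overlap, len(buf))
        tail = buf[-keep:]
        pos += len(buf) - keep


def carve_bytes(data, chunk_size=CHUNK):
    """Convenience wrapper: carve an in-memory image and return a list."""
    return list(carve(io.BytesIO(data), chunk_size=chunk_size))


def carve_file(path, chunk_size=CHUNK):
    """Carve a disk image on disk without loading it all into memory."""
    with open(path, "rb") as fh:
        return list(carve(fh, chunk_size=chunk_size))
```

Like `strings | grep`, this only finds a flag stored contiguously on disk; a fragmented or deleted file still needs the file-system-aware tools (`fls`, `icat`) the writeup used.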