# picoCTF writeup (categories follow picoCTF's own categories)
## General Skill
### Time Machine - easy
https://play.picoctf.org/practice/challenge/425?page=2
The challenge description gives us a `.zip`; first download it with `wget`:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://artifacts.picoctf.net/c_titan/68/challenge.zip
--2025-04-14 11:48:34-- https://artifacts.picoctf.net/c_titan/68/challenge.zip
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.22.16, 3.160.22.92, 3.160.22.43, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.22.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17738 (17K) [application/octet-stream]
Saving to: 'challenge.zip'
challenge.zip 100%[====================================================================================>] 17.32K --.-KB/s in 0.006s
2025-04-14 11:48:34 (2.77 MB/s) - 'challenge.zip' saved [17738/17738]
```
Then extract it with `unzip`:
```
chiehhhhh-picoctf@webshell:/tmp$ unzip challenge.zip
Archive: challenge.zip
creating: drop-in/
inflating: drop-in/message.txt
creating: drop-in/.git/
creating: drop-in/.git/branches/
inflating: drop-in/.git/description
creating: drop-in/.git/hooks/
inflating: drop-in/.git/hooks/applypatch-msg.sample
inflating: drop-in/.git/hooks/commit-msg.sample
inflating: drop-in/.git/hooks/fsmonitor-watchman.sample
inflating: drop-in/.git/hooks/post-update.sample
inflating: drop-in/.git/hooks/pre-applypatch.sample
inflating: drop-in/.git/hooks/pre-commit.sample
inflating: drop-in/.git/hooks/pre-merge-commit.sample
inflating: drop-in/.git/hooks/pre-push.sample
inflating: drop-in/.git/hooks/pre-rebase.sample
inflating: drop-in/.git/hooks/pre-receive.sample
inflating: drop-in/.git/hooks/prepare-commit-msg.sample
inflating: drop-in/.git/hooks/update.sample
creating: drop-in/.git/info/
inflating: drop-in/.git/info/exclude
creating: drop-in/.git/refs/
creating: drop-in/.git/refs/heads/
extracting: drop-in/.git/refs/heads/master
creating: drop-in/.git/refs/tags/
extracting: drop-in/.git/HEAD
inflating: drop-in/.git/config
creating: drop-in/.git/objects/
creating: drop-in/.git/objects/pack/
creating: drop-in/.git/objects/info/
creating: drop-in/.git/objects/43/
extracting: drop-in/.git/objects/43/246218ab4fc7b30e9a9dff073e012316851469
creating: drop-in/.git/objects/25/
extracting: drop-in/.git/objects/25/16effb8d70e33bdd0023629b164a77225e1ec2
creating: drop-in/.git/objects/70/
extracting: drop-in/.git/objects/70/5ff639b7846418603a3272ab54536e01e3dc43
inflating: drop-in/.git/index
extracting: drop-in/.git/COMMIT_EDITMSG
creating: drop-in/.git/logs/
inflating: drop-in/.git/logs/HEAD
creating: drop-in/.git/logs/refs/
creating: drop-in/.git/logs/refs/heads/
inflating: drop-in/.git/logs/refs/heads/master
```
There isn't much in the listing, so ~~I just read through it~~ and saw that we need to go into the `drop-in` directory, so `cd` into it first:
```
chiehhhhh-picoctf@webshell:/tmp$ cd drop-in
```
Then I saw `message.txt` and wanted to know what it says, so I printed it with `cat`:
```
chiehhhhh-picoctf@webshell:/tmp/drop-in$ cat message.txt
This is what I was working on, but I'd need to look at my commit history to know why...
```
That covers everything in `drop-in`, since there is only that one file, so go into `.git` and use `ls` to see what is inside:
```
chiehhhhh-picoctf@webshell:/tmp/drop-in$ cd .git
chiehhhhh-picoctf@webshell:/tmp/drop-in/.git$ ls
COMMIT_EDITMSG HEAD branches config description hooks index info logs objects refs
```
Combining the hint in `message.txt` with the fact that `COMMIT_EDITMSG` is oddly in all caps, I printed `COMMIT_EDITMSG` with `cat` to see what it contains:
```
chiehhhhh-picoctf@webshell:/tmp/drop-in/.git$ cat COMMIT_EDITMSG
picoCTF{t1m3m@ch1n3_b476ca06}
```
Huh, and that's the flag.
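
The hint in `message.txt` points at the commit history. `COMMIT_EDITMSG` only keeps the most recently edited commit message, while `.git/logs/HEAD` (visible in the `unzip` listing) keeps one line per update of HEAD, including the commit subject. As an added example that is not part of the original write-up, this script lists those messages without needing the `git` binary; the sample repository, the author name and the `FLAG{...}` value are constructed.

```shell
#!/bin/sh
# Added example: list commit messages recorded in a repository's reflog
# (.git/logs/HEAD) without running git. All sample data below is constructed.
#
# Reflog line format:
#   <old-sha> <new-sha> <name> <email> <unix-time> <tz>TAB<action>: <subject>

reflog_messages() {
    # $1 = path to the .git directory; prints "<short new sha> <subject>"
    awk -F '\t' 'NF >= 2 {
        split($1, meta, " ")          # meta[2] is the new commit id
        msg = $2
        sub(/^[^:]*: /, "", msg)      # drop "commit (initial): " / "commit: "
        printf "%s %s\n", substr(meta[2], 1, 7), msg
    }' "$1/logs/HEAD"
}

reflog_secrets() {
    # Only the entries whose subject looks like NAME{...}, e.g. a CTF flag
    # or a token someone pasted into a commit message.
    reflog_messages "$1" | grep -E '[A-Za-z0-9_]+[{][^}]+[}]' || true
}

make_sample_repo() {
    # Build a minimal, constructed .git/logs/HEAD under directory $1
    mkdir -p "$1/.git/logs"
    z=0000000000000000000000000000000000000000
    a=1111111111111111111111111111111111111111
    b=2222222222222222222222222222222222222222
    {
        printf '%s %s Dev <dev@example.test> 1700000000 +0000\tcommit (initial): add message.txt\n' "$z" "$a"
        printf '%s %s Dev <dev@example.test> 1700000100 +0000\tcommit: FLAG{constructed_sample}\n' "$a" "$b"
    } > "$1/.git/logs/HEAD"
}

demo_dir=$(mktemp -d)
make_sample_repo "$demo_dir"
reflog_messages "$demo_dir/.git"
rm -rf "$demo_dir"
```

With `git` installed, `git log` inside `drop-in` shows the same subjects together with the full commit metadata.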
### Super SSH - easy
https://play.picoctf.org/practice/challenge/424?page=2
Tool used: the picoCTF webshell
This challenge is mainly about the syntax for connecting with ssh (Secure Shell Protocol):
```
ssh [options] [user@]hostname [command]
```
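You then have to enter the password before the connection is established.
The challenge description already gives us the `user`, `hostname`, `port` and `password`, so just put them together following the syntax: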
```
chiehhhhh-picoctf@webshell:~$ ssh -p 61606 ctf-player@titan.picoctf.net
```
Alternatively, `-p 61606` can go at the end, like this:
```
chiehhhhh-picoctf@webshell:~$ ssh ctf-player@titan.picoctf.net -p 61606
```
ssh asks whether you are sure you want to continue connecting (the first-connection host key prompt); just answer yes:
```
Are you sure you want to continue connecting (yes/no/[fingerprint])?yes
```
Then it prompts for the password:
```
ctf-player@titan.picoctf.net's password:
```
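Nothing is echoed while you type the password, so don't panic; just enter the password from the description. On a successful connection you get these lines: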
```
Welcome ctf-player, here's your flag: picoCTF{s3cur3_c0nn3ct10n_3e293eea}
Connection to titan.picoctf.net closed.
```
Then we have the flag, and the connection gets closed.
### Magikarp Ground Mission - easy
https://play.picoctf.org/practice/challenge/189?page=5
The challenge description gives us the connection command directly, so connect with `ssh` first:
```
chiehhhhh-picoctf@webshell:~$ ssh ctf-player@venus.picoctf.net -p 58674
```
Again it asks whether you are sure you want to continue connecting; just answer yes:
```
Are you sure you want to continue connecting (yes/no/[fingerprint])?yes
```
Then it prompts for the password:
```
ctf-player@venus.picoctf.net's password:
```
Just enter it. Once connected, use `ls` to list what is there:
```
ctf-player@pico-chall$ ls
1of3.flag.txt instructions-to-2of3.txt
```
There are two `.txt` files, one with the flag and one with a hint. The name `1of3.flag.txt` tells us the flag is split into three parts, so print `1of3.flag.txt` with `cat` first:
```
ctf-player@pico-chall$ cat 1of3.flag.txt
picoCTF{xxsh_
```
Then print `instructions-to-2of3.txt` to read the hint for the second part of the flag:
```
ctf-player@pico-chall$ cat instructions-to-2of3.txt
Next, go to the root of all things, more succinctly `/`
```
It tells us to go to the root directory, so use `cd /` to get there and `ls` to see which files it holds:
```
ctf-player@pico-chall$ cd /
ctf-player@pico-chall$ ls
2of3.flag.txt bin boot dev etc home instructions-to-3of3.txt lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
```
Print `2of3.flag.txt` with `cat`:
```
ctf-player@pico-chall$ cat 2of3.flag.txt
0ut_0f_\/\/4t3r_
```
Then print `instructions-to-3of3.txt` to read the hint for the third part of the flag:
```
ctf-player@pico-chall$ cat instructions-to-3of3.txt
Lastly, ctf-player, go home... more succinctly `~`
```
It tells us to go home, so use `cd ~` to return to the home directory and `ls` to see which files it holds:
```
ctf-player@pico-chall$ cd ~
ctf-player@pico-chall$ ls
3of3.flag.txt drop-in
```
Print `3of3.flag.txt` with `cat`:
```
ctf-player@pico-chall$ cat 3of3.flag.txt
c1754242}
```
Finally, join the three parts to get the complete flag:
```
picoCTF{xxsh_0ut_0f_\/\/4t3r_c1754242}
```
### First Grep - easy
https://play.picoctf.org/practice/challenge/85?page=6
The challenge gives us a file named `file`; download it with `wget` first:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://jupiter.challenges.picoctf.org/static/495d43ee4a2b9f345a4307d053b4d88d/file
--2025-04-15 04:18:15-- https://jupiter.challenges.picoctf.org/static/495d43ee4a2b9f345a4307d053b4d88d/file
Resolving jupiter.challenges.picoctf.org (jupiter.challenges.picoctf.org)... 3.131.60.8
Connecting to jupiter.challenges.picoctf.org (jupiter.challenges.picoctf.org)|3.131.60.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14551 (14K) [application/octet-stream]
Saving to: 'file'
file 100%[====================================================================================>] 14.21K --.-KB/s in 0s
2025-04-15 04:18:15 (457 MB/s) - 'file' saved [14551/14551]
```
Then print it with `cat` to take a look:
```
chiehhhhh-picoctf@webshell:/tmp$ cat file
picoCTF{grep_is_good_to_find_things_dba08a45}
```
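Nobody can read through that much output, ~~although the HackMD layout makes the flag easy to spot~~
This is where `grep` comes in; just search for a keyword: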
```
grep keyword [file]
```
We know every picoCTF flag starts with `picoCTF`, so run:
```
chiehhhhh-picoctf@webshell:/tmp$ grep picoCTF file
```
Or you can use this:
```
strings [file] | grep keyword
```
Then you get the flag:
```
picoCTF{grep_is_good_to_find_things_dba08a45}
```
### what's a netcat? - easy
https://play.picoctf.org/practice/challenge/34?page=6
The challenge description gives us the program to run and the port, so just use the `nc` command syntax:
```
nc hostname port
```
```
chiehhhhh-picoctf@webshell:~$ nc jupiter.challenges.picoctf.org 25103
```
Huh, and then we get the flag:
```
You're on your way to becoming the net cat master
picoCTF{nEtCat_Mast3ry_d0c64587}
```
### Static ain't always noise - easy
https://play.picoctf.org/playlists/14?m=105
The challenge gives us two files; download them first:
```
chiehhhhh-picoctf@webshell:~$ wget https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/static
--2025-04-18 18:11:44-- https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/static
Resolving mercury.picoctf.net (mercury.picoctf.net)... 18.189.209.142
Connecting to mercury.picoctf.net (mercury.picoctf.net)|18.189.209.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8376 (8.2K) [application/octet-stream]
Saving to: 'static'
static 100%[========================================================================================================================================>] 8.18K --.-KB/s in 0s
2025-04-18 18:11:44 (262 MB/s) - 'static' saved [8376/8376]
```
```
chiehhhhh-picoctf@webshell:~$ wget https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/ltdis.sh
--2025-04-18 18:12:01-- https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/ltdis.sh
Resolving mercury.picoctf.net (mercury.picoctf.net)... 18.189.209.142
Connecting to mercury.picoctf.net (mercury.picoctf.net)|18.189.209.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 785 [application/octet-stream]
Saving to: 'ltdis.sh'
ltdis.sh 100%[========================================================================================================================================>] 785 --.-KB/s in 0s
2025-04-18 18:12:01 (272 MB/s) - 'ltdis.sh' saved [785/785]
```
The file name has no extension, so I first used `file` to check what kind of file `static` is:
```
chiehhhhh-picoctf@webshell:~$ file static
```
The output looks like this:
```
static: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=639391a8b15c579d69659462d3c935fa61693f17, not stripped
```
~~One look and it's clearly a job for `strings`~~
So I went straight to `strings [file] | grep keyword` to grab the flag:
```
chiehhhhh-picoctf@webshell:~$ strings static | grep picoCTF
```
Then we get the flag:
```
picoCTF{d15a5m_t34s3r_98d35619}
```
OK, but the other file was presumably provided because it is useful, so let's see whether `cat` can print its contents:
```
chiehhhhh-picoctf@webshell:~$ cat ltdis.sh
```
That gives the following script:
```
#!/bin/bash
echo "Attempting disassembly of $1 ..."
#This usage of "objdump" disassembles all (-D) of the first file given by
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...
objdump -Dj .text $1 > $1.ltdis.x86_64.txt
#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject
if [ -s "$1.ltdis.x86_64.txt" ]
then
echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"
echo "Ripping strings from binary with file offsets..."
strings -a -t x $1 > $1.ltdis.strings.txt
echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"
else
echo "Disassembly failed!"
echo "Usage: ltdis.sh <program-file>"
echo "Bye!"
fi
```
Since it is a program, let's try running it:
```
chiehhhhh-picoctf@webshell:~$ ./ltdis.sh
```
It turns out we don't have permission:
```
-bash: ./ltdis.sh: Permission denied
```
So add execute permission so it can run:
```
chiehhhhh-picoctf@webshell:~$ chmod +x ./ltdis.sh
chiehhhhh-picoctf@webshell:~$ ./ltdis.sh
```
Running the program prints:
```
Attempting disassembly of ...
objdump: 'a.out': No such file
objdump: section '.text' mentioned in a -j option, but not found in any input file
Disassembly failed!
Usage: ltdis.sh <program-file>
Bye!
```
It shows us the usage, so just pass `static` to it:
```
chiehhhhh-picoctf@webshell:~$ ./ltdis.sh static
```
You will see that it generates two `.txt` files:
```
Attempting disassembly of static ...
Disassembly successful! Available at: static.ltdis.x86_64.txt
Ripping strings from binary with file offsets...
Any strings found in static have been written to static.ltdis.strings.txt with file offset
```
If you are not sure, check with `ls`:
```
chiehhhhh-picoctf@webshell:~$ ls
README.txt ltdis.sh static static.ltdis.strings.txt static.ltdis.x86_64.txt
```
Printing `static.ltdis.strings.txt` with `cat` shows quite a few lines,
~~I couldn't be bothered to read them, so I grabbed the flag with `grep`~~:
```
chiehhhhh-picoctf@webshell:~$ cat static.ltdis.strings.txt | grep pico
```
And that finds the flag:
```
1020 picoCTF{d15a5m_t34s3r_98d35619}
```
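
The `1020` printed in front of the flag is the hexadecimal file offset that `strings -a -t x` in `ltdis.sh` records for each string. As an added example (not part of the original write-up or of the challenge files), the script below reproduces that output format with `tr` and `awk` and then reads the bytes back at the reported offset. The sample binary and its flag-like string are constructed, and unlike GNU `strings` this stand-in treats only bytes 0x20 to 0x7e as printable.

```shell
#!/bin/sh
# Added example: a portable stand-in for `strings -a -t x FILE` that shows
# where the hex offsets come from. Sample data below is constructed.

strings_hex() {
    # $1 = file, $2 = minimum run length (default 4, the `strings` default)
    # tr replaces every non-printable byte with a newline, one for one, so a
    # byte offset in tr's output is the same byte offset in the input file.
    LC_ALL=C tr -c '[:print:]' '[\n*]' < "$1" |
    LC_ALL=C awk -v min="${2:-4}" '{
        if (length($0) >= min) printf "%x %s\n", off, $0
        off += length($0) + 1     # +1 for the byte that ended this run
    }'
}

flag_offset() {
    # Hex offset of the first string that starts with picoCTF{
    strings_hex "$1" | awk '$2 ~ /^picoCTF[{]/ { print $1; exit }'
}

bytes_at() {
    # $1 = file, $2 = hex offset, $3 = byte count: read the raw bytes back
    dd if="$1" bs=1 skip="$((0x$2))" count="$3" 2>/dev/null
}

make_sample_binary() {
    # Constructed input: an ELF-like magic, a short run, padding, the string
    printf '\177ELF\001\002\003\000'       # offsets 0x00-0x07
    printf 'ab\000\000\000\000\000\000'    # offsets 0x08-0x0f ("ab" is too short)
    printf 'picoCTF{constructed_sample}'   # starts at offset 0x10
    printf '\000\377\376'
}

demo_bin=$(mktemp)
make_sample_binary > "$demo_bin"
strings_hex "$demo_bin"
bytes_at "$demo_bin" "$(flag_offset "$demo_bin")" 27
echo
rm -f "$demo_bin"
```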
### strings it - easy
https://play.picoctf.org/practice/challenge/37?page=6
The challenge asks whether we can find the flag without running the file, and gives us a file; download it with `wget` first:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://jupiter.challenges.picoctf.org/static/5bd86036f013ac3b9c958499adf3e2e2/strings
--2025-04-15 04:58:12-- https://jupiter.challenges.picoctf.org/static/5bd86036f013ac3b9c958499adf3e2e2/strings
Resolving jupiter.challenges.picoctf.org (jupiter.challenges.picoctf.org)... 3.131.60.8
Connecting to jupiter.challenges.picoctf.org (jupiter.challenges.picoctf.org)|3.131.60.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776032 (758K) [application/octet-stream]
Saving to: 'strings'
strings 100%[====================================================================================>] 757.84K 1.86MB/s in 0.4s
2025-04-15 04:58:12 (1.86 MB/s) - 'strings' saved [776032/776032]
```
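~~Stubborn as I am, I printed the file with `cat` anyway and got my eyes blasted~~
This one is again a keyword search; the difference is that ~~using `grep` alone still blasts your eyes a little~~
So I chose to use: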
```
strings [file] | grep keyword
```
```
chiehhhhh-picoctf@webshell:/tmp$ strings strings | grep picoCTF
```
Then we get the flag:
```
picoCTF{5tRIng5_1T_827aee91}
```
### plumbing - medium
https://play.picoctf.org/practice/challenge/48
The challenge description gives us the program to run and the port, ~~so I happily went straight in with `nc`~~:
```
nc jupiter.challenges.picoctf.org 7480
```
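That prints a pile of "There is no flag" output, far too much to paste here without flooding the page XD. The challenge description talks about finding a string while the program runs, so it is not hard to guess that `grep` is the tool to use: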
```
chiehhhhh-picoctf@webshell:~$ nc jupiter.challenges.picoctf.org 7480 | grep picoCTF
```
And that catches the flag:
```
picoCTF{digital_plumb3r_06e9d954}
```
## Forensics
### Sleuthkit Intro - medium
https://play.picoctf.org/playlists/16?m=119
The challenge gives us a `.gz`; as usual, download it with `wget` first:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://artifacts.picoctf.net/c/164/disk.img.gz
--2025-04-15 12:36:16-- https://artifacts.picoctf.net/c/164/disk.img.gz
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.22.16, 3.160.22.128, 3.160.22.43, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.22.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29714372 (28M) [application/octet-stream]
Saving to: 'disk.img.gz'
disk.img.gz 100%[====================================================================================>] 28.34M 1.82MB/s in 16s
2025-04-15 12:36:32 (1.82 MB/s) - 'disk.img.gz' saved [29714372/29714372]
```
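Note that if you use the webshell picoCTF provides, you have to `cd` into `/tmp` first; otherwise it reports that there is not enough space and the download fails.
Next, decompress it with `gunzip`: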
```
chiehhhhh-picoctf@webshell:/tmp$ gunzip disk.img.gz
```
Decompressing yields `disk.img`, and we can then use `mmls` to view the partition table layout:
```
chiehhhhh-picoctf@webshell:/tmp$ mmls disk.img
```
That gives this neat output:
```
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
```
Now we can connect with `nc` to the program the challenge provides:
```
chiehhhhh-picoctf@webshell:/tmp$ nc saturn.picoctf.net 59137
```
Once connected it asks:
```
What is the size of the Linux partition in the given disk image?
Length in sectors:
```
It is clearly asking for the Length, so just read off the number on the `Linux (0x83)` row:
```
Length in sectors: 0000202752
```
Then we get the flag:
```
0000202752
Great work!
picoCTF{mm15_f7w!}
```
### Disk, disk, sleuth! - medium
https://play.picoctf.org/playlists/16?m=120
The challenge gives us a `.gz`; download it with `wget` first:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://mercury.picoctf.net/static/626ea9c275fbd02dd3451b81f9c5e249/dds1-alpine.flag.img.gz
--2025-04-15 13:48:28-- https://mercury.picoctf.net/static/626ea9c275fbd02dd3451b81f9c5e249/dds1-alpine.flag.img.gz
Resolving mercury.picoctf.net (mercury.picoctf.net)... 18.189.209.142
Connecting to mercury.picoctf.net (mercury.picoctf.net)|18.189.209.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29768910 (28M) [application/octet-stream]
Saving to: 'dds1-alpine.flag.img.gz'
dds1-alpine.flag.img.gz 100%[====================================================================================>] 28.39M 1.82MB/s in 16s
2025-04-15 13:48:43 (1.82 MB/s) - 'dds1-alpine.flag.img.gz' saved [29768910/29768910]
```
Then decompress it with `gunzip`:
```
chiehhhhh-picoctf@webshell:/tmp$ gunzip dds1-alpine.flag.img.gz
```
The challenge hints that we should use `srch_strings` to grab the flag:
```
chiehhhhh-picoctf@webshell:/tmp$ srch_strings dds1-alpine.flag.img | grep picoCTF
```
After a few seconds we get the flag:
```
SAY picoCTF{f0r3ns1c4t0r_n30phyt3_a6f4cab5}
```
### Disk, disk, sleuth! II - medium
https://play.picoctf.org/playlists/16?m=121
The challenge gives us a `.gz`; download it with `wget` first:
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://mercury.picoctf.net/static/626abf12c976b994999f77eec3138a22/dds2-alpine.flag.img.gz
--2025-04-15 17:46:45-- https://mercury.picoctf.net/static/626abf12c976b994999f77eec3138a22/dds2-alpine.flag.img.gz
Resolving mercury.picoctf.net (mercury.picoctf.net)... 18.189.209.142
Connecting to mercury.picoctf.net (mercury.picoctf.net)|18.189.209.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29770589 (28M) [application/octet-stream]
Saving to: 'dds2-alpine.flag.img.gz'
dds2-alpine.flag.img.gz 100%[====================================================================================>] 28.39M 1.83MB/s in 16s
2025-04-15 17:47:01 (1.82 MB/s) - 'dds2-alpine.flag.img.gz' saved [29770589/29770589]
```
Again, decompress it with `gunzip`:
```
chiehhhhh-picoctf@webshell:/tmp$ gunzip dds2-alpine.flag.img.gz
```
Then look at the partition table with `mmls`:
```
chiehhhhh-picoctf@webshell:/tmp$ mmls dds2-alpine.flag.img
```
This partition table appears:
```
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)
```
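Apart from `Primary Table (#0)`, which is the primary table itself, there are two areas: `Unallocated` and `Linux (0x83)`. `Unallocated` is unallocated space, so we focus on `Linux (0x83)` and use `fls -o <offset> [file]`, with that partition's Start sector (2048) as the offset, to see what is inside: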
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 2048 dds2-alpine.flag.img
```
That lists these entries:
```
d/d 26417: home
d/d 11: lost+found
r/r 12: .dockerenv
d/d 20321: bin
d/d 4065: boot
d/d 6097: dev
d/d 2033: etc
d/d 8129: lib
d/d 14225: media
d/d 16257: mnt
d/d 18289: opt
d/d 16258: proc
d/d 18290: root
d/d 16259: run
d/d 18292: sbin
d/d 12222: srv
d/d 16260: sys
d/d 18369: tmp
d/d 12223: usr
d/d 14229: var
V/V 32513: $OrphanFiles
```
In this kind of challenge the flag is usually in either `home` or `root`, so ~~I just mindlessly threw in the inodes of those two~~:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 2048 dds2-alpine.flag.img 26417
```
`home` turns out to be empty, so try `root` instead:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 2048 dds2-alpine.flag.img 18290
```
Inside `root` we see this file:
```
r/r 18291: down-at-the-bottom.txt
```
This is exactly the file the challenge description asks us to find, so just print the `.txt` with `icat -o <offset> [file] <inode>`:
```
chiehhhhh-picoctf@webshell:/tmp$ icat -o 2048 dds2-alpine.flag.img 18291
_ _ _ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
_ _ _ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
_ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( 3 ) ( _ ) ( 0 ) ( d ) ( 9 ) ( d ) ( 9 ) ( e ) ( c ) ( b ) ( } )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
```
~~Darn, it can't be copy-pasted~~
### Sleuthkit Apprentice - medium
https://play.picoctf.org/playlists/16?m=122
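The challenge only gives a `.gz` file and no other hints. As I recall, this is the cool challenge that [https://primer.picoctf.org/#_disk_analysis](https://primer.picoctf.org/#_disk_analysis) walks readers through step by step, but it is fairly intuitive, so we can solve it anyway. First download the `.gz` with `wget`: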
```
chiehhhhh-picoctf@webshell:/tmp$ wget https://artifacts.picoctf.net/c/136/disk.flag.img.gz
--2025-04-16 11:57:39-- https://artifacts.picoctf.net/c/136/disk.flag.img.gz
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.22.16, 3.160.22.43, 3.160.22.92, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.22.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47534571 (45M) [application/octet-stream]
Saving to: 'disk.flag.img.gz'
disk.flag.img.gz 100%[====================================================================================>] 45.33M 1.82MB/s in 25s
2025-04-16 11:58:04 (1.82 MB/s) - 'disk.flag.img.gz' saved [47534571/47534571]
```
Again, decompress it with the familiar `gunzip`:
```
chiehhhhh-picoctf@webshell:/tmp$ gunzip disk.flag.img.gz
```
Then look at the partition table with `mmls`:
```
chiehhhhh-picoctf@webshell:/tmp$ mmls disk.flag.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0000206847 0000204800 Linux (0x83)
003: 000:001 0000206848 0000360447 0000153600 Linux Swap / Solaris x86 (0x82)
004: 000:002 0000360448 0000614399 0000253952 Linux (0x83)
```
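There are five entries: the primary table `Primary Table (#0)` and four partitions, `Unallocated`, `Linux (0x83)`, `Linux Swap / Solaris x86 (0x82)` and `Linux (0x83)`. `Linux (0x83)` appears twice; I prefer to look at the one with the larger `<offset>` first, which is the partition in slot 004: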
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 360448 disk.flag.img
```
That shows the following entries:
```
d/d 451: home
d/d 11: lost+found
d/d 12: boot
d/d 1985: etc
d/d 1986: proc
d/d 1987: dev
d/d 1988: tmp
d/d 1989: lib
d/d 1990: var
d/d 3969: usr
d/d 3970: bin
d/d 1991: sbin
d/d 1992: media
d/d 1993: mnt
d/d 1994: opt
d/d 1995: root
d/d 1996: run
d/d 1997: srv
d/d 1998: sys
d/d 2358: swap
V/V 31745: $OrphanFiles
```
As before, I look at `home` first and then `root`:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 360448 disk.flag.img 451
```
Unfortunately `home` is empty again, so look at `root`:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 360448 disk.flag.img 1995
r/r 2363: .ash_history
d/d 3981: my_folder
```
`root` contains a directory named `my_folder`; list it to see what is inside:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 360448 disk.flag.img 3981
```
It contains these two `.txt` files:
```
chiehhhhh-picoctf@webshell:/tmp$ fls -o 360448 disk.flag.img 3981
r/r * 2082(realloc): flag.txt
r/r 2371: flag.uni.txt
```
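But `flag.txt` is marked with `*`, which means the file was deleted, and `(realloc)` means its inode has been reassigned to another file, so only `flag.uni.txt` is left to print with `icat`: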
```
chiehhhhh-picoctf@webshell:/tmp$ icat -o 360448 disk.flag.img 2371
picoCTF{by73_5urf3r_3497ae6b}
```
And that gives us the flag.
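The `-o` values passed to `fls` and `icat` in the two Sleuth Kit challenges above are the start sectors from the DOS partition table that `mmls` prints. The following Python sketch is an added example, not part of the original writeup: it parses the four primary entries of an MBR and returns the `Linux (0x83)` start sectors, largest first. The `SAMPLE` sector is constructed here to match the Sleuthkit Apprentice layout, and all function names are assumptions of the example.

```python
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
TYPES = {0x82: "Linux Swap / Solaris x86", 0x83: "Linux"}  # the two types seen above


def build_mbr(parts):
    """Constructed sample: a 512-byte MBR from (type, start_lba, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(parts):
        entry = struct.pack(ENTRY, 0, b"\0" * 3, ptype, b"\0" * 3, start, length)
        mbr[446 + 16 * i: 462 + 16 * i] = entry
    mbr[510:512] = b"\x55\xaa"  # boot signature that marks a DOS partition table
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the used primary partitions as dicts, one per mmls data row."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no DOS partition table signature")
    rows = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        _, _, ptype, _, start, length = struct.unpack(ENTRY, entry)
        if ptype == 0:  # unused slot
            continue
        rows.append({"slot": i, "type": ptype, "start": start,
                     "end": start + length - 1, "length": length})
    return rows


def linux_offsets(rows):
    """Sector offsets to try with `fls -o`, largest first as in the writeup."""
    return sorted((r["start"] for r in rows if r["type"] == 0x83), reverse=True)


# Constructed to match the Sleuthkit Apprentice partition table shown above
SAMPLE = build_mbr([(0x83, 2048, 204800), (0x82, 206848, 153600),
                    (0x83, 360448, 253952)])

if __name__ == "__main__":
    for r in parse_mbr(SAMPLE):
        print(f'{r["slot"]}: {r["start"]:010d} {r["end"]:010d} {r["length"]:010d} '
              f'{TYPES.get(r["type"], "?")} (0x{r["type"]:02x})')
    print("fls -o candidates:", linux_offsets(parse_mbr(SAMPLE)))
```

On a real image, pass the first 512 bytes of the file to `parse_mbr` instead of `SAMPLE`.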
## Web Exploitation
### Unminify - easy
https://play.picoctf.org/practice/challenge/426?category=1&page=1
The challenge gives us a web page; just open it.
The page shows a message saying the browser has already received the flag:

So press `f12` to view the page source:

There is a lot of source and `picoCTF` is hard to spot by eye, so use `ctrl`+`f` to search for the string:

The flag format is known to be picoCTF{......}, so just type picoCTF:

Then go through the search results one by one to find the flag.
### head-dump - easy
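[https://play.picoctf.org/practice/challenge/476?category=1&page=1](https://play.picoctf.org/practice/challenge/476?category=1&page=1)
The challenge hints that the flag is in the server's memory. First open the web page: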

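After clicking every hyperlink, only `#API documentation` leads anywhere, to `/api-docs/`. Browsing that page briefly, there is a `/heapdump` entry at the very bottom; click it to see the details: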

It shows a sample `curl` command; copy the whole command and paste it into the shell:
```
chiehhhhh-picoctf@webshell:~$ curl -X 'GET' \
> 'http://verbal-sleep.picoctf.net:49282/heapdump' \
> -H 'accept: */*'
```
~~And then my eyes got blasted~~
So let's filter the output with `grep`:
```
chiehhhhh-picoctf@webshell:~$ curl -X 'GET' \
> 'http://verbal-sleep.picoctf.net:49282/heapdump' \
> -H 'accept: */*' | grep pico
```
Finally we get the flag (it is a bit hard to spot in the raw output, so a screenshot is attached):

```
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
29 8769k 29 2607k 0 0 478k 0 0:00:18 0:00:05 0:00:13 522kpicoCTF{Pat!3nt_15_Th3_K3y_ad7ea5ae}
72 8769k 72 6328k 0 0 849k 0 0:00:10 0:00:07 0:00:03 1516k"Welcome to the picoCTF News API documentation! This documentation provides a detailed overview of the available API endpoints for managing and retrieving news posts.",
"picoCTF News API",
"\nwindow.onload = function() {\n // Build a system\n var url = window.location.search.match(/url=([^&]+)/);\n if (url && url.length > 1) {\n url = decodeURIComponent(url[1]);\n } else {\n url = window.location.origin;\n }\n var options = {\n \"swaggerDoc\": {\n \"openapi\": \"3.0.0\",\n \"info\": {\n \"title\": \"picoCTF News API\",\n \"version\": \"1.0.0\",\n \"description\": \"Welcome to the picoCTF News API documentation! This documentation provides a detailed overview of the available API endpoints for managing and retrieving news posts.\"\n },\n \"paths\": {\n \"/\": {\n \"get\": {\n \"tags\": [\n \"Free\"\n ],\n \"summary\": \"Welcome page\",\n \"responses\": {\n \"200\": {\n \"description\": \"Returns a welcome message.\"\n }\n }\n }\n },\n \"/about\": {\n \"get\": {\n \"tags\": [\n \"Free\"\n ],\n \"summary\": \"About Us\",\n \"responses\": {\n \"200\": {\n \"desc",
93 8769k 93 8195k 0 0 969k 0 0:00:09 0:00:08 0:00:01 1864k"verbal-sleep.picoctf.net:49282",
100 8769k 100 8769k 0 0 1000k 0 0:00:08 0:00:08 --:--:-- 1864k
```
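Both `srch_strings ... | grep picoCTF` in Disk, disk, sleuth! and `curl ... | grep pico` above come down to scanning a large binary blob for the flag pattern. The following Python sketch is an added example, not part of the original writeup: it reads the data in fixed-size chunks, returns only each match with its byte offset instead of whole lines, and still finds a flag that straddles a chunk boundary. The regular expression, the 100-byte body limit and the `SAMPLE` blob are assumptions constructed for the example.

```python
import io
import re

# Assumed flag shape: printable ASCII body (no "}"), at most 100 bytes
FLAG = re.compile(rb"picoCTF\{[\x20-\x7c\x7e]{1,100}\}")
OVERLAP = 128  # bytes carried over between chunks; longer than any possible match

FLAG1 = b"picoCTF{f0r3ns1c4t0r_n30phyt3_a6f4cab5}"
FLAG2 = b"picoCTF{Pat!3nt_15_Th3_K3y_ad7ea5ae}"
# Constructed sample: binary filler around the two flags quoted in this writeup
SAMPLE = b"\x00" * 1000 + b"SAY " + FLAG1 + b"\n" + b"\xff" * 3000 + b'"' + FLAG2 + b'",'


def find_flags(stream, chunk_size=1 << 20):
    """Return [(byte_offset, flag), ...] for every match in a binary stream."""
    hits = []
    seen = set()   # offsets already reported (the overlap is scanned twice)
    tail = b""     # last OVERLAP bytes of the previous buffer
    base = 0       # file offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in FLAG.finditer(buf):
            off = base + m.start()
            if off not in seen:
                seen.add(off)
                hits.append((off, m.group().decode("ascii")))
        tail = buf[-OVERLAP:]
        base += len(buf) - len(tail)
    return hits


if __name__ == "__main__":
    # chunk_size=1024 puts FLAG1 (offset 1004) across the first chunk boundary
    for off, flag in find_flags(io.BytesIO(SAMPLE), chunk_size=1024):
        print(f"{off:8d} {flag}")
```

For a file on disk, pass `open(path, "rb")` as the stream.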
## Binary Exploitation
## Cryptography
## Reverse Engineering