picoCTF 2022 Writeups

# picoCTF 2022 Writeups The CTF challenges WriteUp for picoCTF 2022. The writeup is written in `August, 2024`, so the difficulties may have changed.  # Web Exploitation ## Local Authority [Easy] ### Challenge description Can you get the flag? Go to this website and see what you can discover. ### Solution When getting into the website, first right click and View Page Source. In the html file we could see a secure.js, which might contains the credential information: <img src='https://hackmd.io/_uploads/B1T_5FuY0.png' style="width: 50%" /> Diving into it and see what we can get: <img src='https://hackmd.io/_uploads/SJnc5t_tA.png' style="width: 70%" /> Nice. Back to the website and login for to get the flag. :) ### Summary Fundamental source code inspect. Flag: `picoCTF{j5_15_7r4n5p4r3n7_a8788e61}` ## Inspect HTML [Easy] ### Challenge description Can you get the flag? Go to this website and see what you can discover. ### Solution Get in the website, right click and click Inspect Page Source. <img src='https://hackmd.io/_uploads/r18d6YOY0.png' style="width: 50%" /> We can easily see the flag there. ### Summary Fundamental source code inspect. Flag: `picoCTF{1n5p3t0r_0f_h7ml_8113f7e2}` ## Includes [Easy] ### Challenge description Can you get the flag? Go to this website and see what you can discover. ### Solution Get in the website, first click the button 'say hello' and get the result saying that the flag is in seperate files. <img src='https://hackmd.io/_uploads/rJlMW9_YR.png' style="width: 50%" /> Right click and click View Page Source. We can see two files have been include in the html: <img src='https://hackmd.io/_uploads/rk88-5dKA.png' style="width: 50%" /> Get into those files and the flags are hiding in them. <img src='https://hackmd.io/_uploads/Bk6TVbFK0.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/rk90N-FYA.png' style="width: 50%" /> ### Summary Fondamental page source instpect. Flag: `picoCTF{1nclu51v17y_1of2_f7w_2of2_b8f4b022}` ## SQLiLite [Medium] ### Challenge description Can you login to this website? Try to login here. ### Solution Taking a look in the website, we need to enter username and password. It is obviously a SQL injection. The hint said that the user is admin, so I first enter admin; 123 to verify if the query result can be see. <img src='https://hackmd.io/_uploads/ByHsGbjt0.png' style="width: 70%" /> So I then tried to close the quotation mark using "; --", to end the query and comment the following password matching. We can see the successfully login result and get the flag in the page source: <img src='https://hackmd.io/_uploads/B1nkDZsYC.png' style="width: 30%" /> <img src='https://hackmd.io/_uploads/BkiiPZoKC.png' style="width: 100%" /> <img src='https://hackmd.io/_uploads/S14MOZit0.png' style="width: 70%" /> ### Summary Fundamental SQL injection, just using concat and comment would work. Flag: `picoCTF{L00k5_l1k3_y0u_solv3d_it_d3c660ac}` ## SQL Direct [Medium] ### Challenge description Connect to this PostgreSQL server and find the flag! ### Solution First connect to the database using the command `psql -h saturn.picoctf.net -p TARGET_IP -U postgres pico` Take a look in the databases in target: <img src='https://hackmd.io/_uploads/SkfJ1MsKA.png' style="width: 50%" /> We can see that is no other important databases, so I list out the table in pico: <img src='https://hackmd.io/_uploads/HkSckzitA.png' style="width: 50%" /> By printing out the content in flag table, we get the flag: <img src='https://hackmd.io/_uploads/rkBxgGjYC.png' style="width: 50%" /> ### Summary Fondamental database query. Flag: `picoCTF{L3arN_S0m3_5qL_t0d4Y_73b0678f}` ## Secrets [Medium] ### Challenge description We have several pages hidden. Can you find the one with the flag? ### Solution Get in the website and view the source of it, we can see there is a 'secret' folder there, and we can access the main page of it: <img src='https://hackmd.io/_uploads/ByonwvjY0.png' style="width: 50%" /> Get in the route using: <img src='https://hackmd.io/_uploads/BJ7YwDiFA.png' style="width: 50%" /> Next, we get a folder named 'hidden', again we get in the route. <img src='https://hackmd.io/_uploads/SyPguPit0.png' style="width: 50%" /> We still get a folder called 'supperhidden'. Again, we get in the route: <img src='https://hackmd.io/_uploads/ry-iOvsKA.png' style="width: 50%" /> Finally, the main page indicate that we should take a look in the source code to get the flag: <img src='https://hackmd.io/_uploads/ByrfKDoKR.png' style="width: 90%" /> ### Summary We are not able to see all page sources in the first route, routing to random places would show that it is a nginx server. As it is a nginx server, we should try to get in the route and let nginx help render the main page for us. Flag: `picoCTF{succ3ss_@h3n1c@10n_790d2615}` ## Search source [Medium] ### Challenge description The developer of this website mistakenly left an important artifact in the website source, can you find it? ### Solution Firstly, by inspecting the page source of the website we could found the following information in the html page: <img src='https://hackmd.io/_uploads/BkBeICoKC.png' style="width: 90%" /> Searching for pattern 'pico' on different file we could get the flag in style.css: <img src='https://hackmd.io/_uploads/r18tuRiKA.png' style="width: 90%" /> ### Summary Fundamental source searching, ctrl+F would be helpful. Flag: `picoCTF{1nsp3ti0n_0f_w3bpag3s_ec95fa49}` ## Roboto Sans [Medium] ### Challenge description The flag is somewhere on this web application not necessarily on the website. Find it. ### Solution When facing web challenges without direct point out where to find the flag, I will first try to access robots.txt to find out potential routes. <img src='https://hackmd.io/_uploads/Hk-vk12KA.png' style="width: 70%" /> From the result we could know that theres a line "anMvbXlmaWxlLnR4dA==" which is obvious a base64 encoded string. Decode it shows a route "js/myfile.txt". Diving in the route we get the flag: <img src='https://hackmd.io/_uploads/SkxYZJ3YA.png' style="width: 70%" /> ### Summary Knowing robots.txt could help find surprising details in some of the challenges. We can apply it as a strat for most of the web exploitation. Flag: `picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043}` ## Power Cookie [Medium] ### Challenge description Can you get the flag? ### Solution Viewing the website we can notice that after clicking 'Countinue as guest' a cookie called 'isAdmin' is set to 0. Many websites uses cookie to verify the user's identity, so I tried to change the value to 1 and reload the website: <img src='https://hackmd.io/_uploads/r12_EL3YA.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/H10QBI3F0.png' style="width: 90%" /> ### Summary Fondamental cookie concept. Flag: `picoCTF{gr4d3_A_c00k13_65fd1e1a}` ## Forbidden Paths [Medium] ### Challenge description Can you get the flag? We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag? ### Solution The challenge description indicate that the reader filter out absolute path, so we can first try to read it with relative path. After several tryings, I found the flag using `../../../../flag.txt` as follow: <img src='https://hackmd.io/_uploads/SJvGcKhKA.png' style="width: 50%" /> ### Summary Fundamental directory traversal. Flag: `picoCTF{7h3_p47h_70_5ucc355_e5a6fcbc}` # Cryptography ## Vigenere [Medium] ### Challenge description Can you decrypt this message? Decrypt this <a href='https://artifacts.picoctf.net/c/159/cipher.txt'>message</a> using this key "CYLAB". ### Solution Cat out the cipher.txt we got `rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_f85729e7}`, then, decode it with online tool would get the answer: <img src='https://hackmd.io/_uploads/Hytxaay5C.png' style="width: 90%" /> ### Summary Fundamental decrypt concept, using tools could solve it easily. Flag: `picoCTF{D0NT_US3_V1G3N3R3_C1PH3R_d85729g7}` ## transposition-trial [Medium] ### Challenge description Our data got corrupted on the way here. Luckily, nothing got replaced, but every block of 3 got scrambled around! The first word seems to be three letters long, maybe you can use that to recover the rest of the message. Download the corrupted message <a href='https://artifacts.picoctf.net/c/192/message.txt'>here</a>. ### Solution Fisrt cat the message.txt to view the content of it: `heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2` The hint said that we should split the text in blocks with 3 chars, so it becomes: `heT flg asi icp CTo {7F 4NR P05 1N5 _16 _35 P3X 51N 3_V 091 B0A E}2` We can see that the start of the stream is likely to say that 'The flag is...', and we need to change the third char to front to make it readable. Then, write a simple script to do that and get the flag: ```python with open('message-split.txt', 'r') as file: stream = file.readline() stream = stream.split(" ") for block in stream: print(block[2]+block[0]+block[1], end="") ``` Execute it and get the result: `ThegfliaspicoCTF{7R4N5P051N6_15_3XP3N51V3_109AB02E}` I notice that the string is not correct (though we can still get the flag), so I use another way to let it print out correctly. Use `,` to seperate cipher: `heT,fl ,g a,s i,icp,CTo,{7F,4NR,P05,1N5,_16,_35,P3X,51N,3_V,091,B0A,E}2` Decrypt it: ```python string = 'heT,fl ,g a,s i,icp,CTo,{7F,4NR,P05,1N5,_16,_35,P3X,51N,3_V,091,B0A,E}2' string = string.split(",") for block in string: print(block[2]+block[0]+block[1], end="") ``` Output -> The flag is picoCTF{7R4N5P051N6_15_3XP3N51V3_109AB02E} ### Summary Observe the message we could find the law if the encryption, we decrypt it reversely. Flag: `picoCTF{7R4N5P051N6_15_3XP3N51V3_109AB02E}` ## substitution0 [Medium] ### Challenge description A message has come in but it seems to be all scrambled. Luckily it seems to have the key at the beginning. Can you crack this substitution cipher? Download the message <a href='https://artifacts.picoctf.net/c/152/message.txt'>here</a>. ### Solution This is a cryptography attack using the frequency that a character appears in the content. We can use an online tool to solve it like this one: https://planetcalc.com/8047/ Decode the message would get the following result: <img src='https://hackmd.io/_uploads/Hy4xEA15C.png' style="width: 70%" /> ### Summary Knowing what frequency analysis and substitution attack is would help solve this challenge. Flag: `picoCTF{5UB5717U710N_3V0LU710N_59533A2E}` ## substitution1 [Medium] ### Challenge description A second message has come in the mail, and it seems almost identical to the first one. Maybe the same thing will work again. Download the message <a href='https://artifacts.picoctf.net/c/183/message.txt'>here</a>. ### Solution Same as substitution0, we first try to use frequency analysis to get the flag: ![Screenshot 2024-08-08 at 8.31.13 PM](https://hackmd.io/_uploads/B1-icNfq0.png) ![Screenshot 2024-08-08 at 8.31.21 PM](https://hackmd.io/_uploads/r1Fjq4McA.png) We see the flag is `picoCTF{FR3JU3NCY_4774CK5_4R3_C001_6E0659FB}`. However, this is not exactly the flag. :) I spent some time and cannot come up with useful things while notice that it is a leet spelling problem at "FR3JU3NCY" when taking a look at how others solve the problem. We only need to change the `J` in the flag to `Q` and we can get the correct flag. However, I actually don't understand what are the question maker thinking about as if that's the case, then we should change all characters that are wrong spelling in 1337 language as follow: ![Screenshot 2024-08-08 at 8.38.24 PM](https://hackmd.io/_uploads/BkMU34fc0.png) For example, the `I` in `COOI` should also be changed. But anyways, this is a bad challenge for CTF practice. ### Summary Useless challenge. :) Flag: `picoCTF{FR3QU3NCY_4774CK5_4R3_C001_6E0659FB}` ## substitution2 [Medium] ### Challenge description It seems that another encrypted message has been intercepted. The encryptor seems to have learned their lesson though and now there isn't any punctuation! Can you still crack the cipher? Download the message <a href='https://artifacts.picoctf.net/c/114/message.txt'>here</a>. ### Solution I split the flag with the text group and get the flag using the tool from substitution0 and substitution1: ![Screenshot 2024-08-08 at 8.45.56 PM](https://hackmd.io/_uploads/rJHfA4fq0.png) ![Screenshot 2024-08-08 at 8.47.39 PM](https://hackmd.io/_uploads/ryq_04fcA.png) ### Summary Actually not spliting the flag would still get the answer, this challenge is useless. Flag: `picoCTF{N6R4M_4N41Y515_15_73D10U5_42EA1770}` ## morse-code [Medium] ### Challenge description Morse code is well known. Can you decrypt this? Download the file <a href='https://artifacts.picoctf.net/c/79/morse_chal.wav'>here</a>. Wrap your answer with picoCTF{}, put underscores in place of pauses, and use all lowercase. ### Solution We get a wav file that contains morse code in it, we can easily use a online tool to decode it like this one: https://morsecode.world/international/decoder/audio-decoder-adaptive.html <img src='https://hackmd.io/_uploads/r1QNVQW9C.png' style="width: 90%" /> ### Summary Using online tool smartly. Flag: `picoCTF{WH47_H47H_90D_W20U9H7}` ## rail-fence [Medium] ### Challenge description A type of transposition cipher is the rail fence cipher, which is described <a href='https://en.wikipedia.org/wiki/Rail_fence_cipher'>here</a>. Here is one such cipher encrypted using the rail fence with 4 rails. Can you decrypt it? Download the message <a href='https://artifacts.picoctf.net/c/189/message.txt'>here</a>. Put the decoded message in the picoCTF flag format, picoCTF{decoded_message}. ### Solution Rail fence cipher describe the context with the staggered. We can easily decode it with online tool: ![Screenshot 2024-08-08 at 9.28.00 PM](https://hackmd.io/_uploads/rJfluBf9C.png) ### Summary Understand the way how rail fence encrypt the context and write a code to decode it, or just use a online tool to save the time. Flag: `picoCTF{WH3R3_D035_7H3_F3NC3_8361N_4ND_3ND_83F6D8D7}` ## credstuff [Medium] ### Challenge description We found a leak of a blackmarket website's login credentials. Can you find the password of the user cultiris and successfully decrypt it? Download the leak <a href='https://artifacts.picoctf.net/c/151/leak.tar'>here</a>. The first user in usernames.txt corresponds to the first password in passwords.txt. The second user corresponds to the second password, and so on. ### Solution First we decompress it and get the following files: ![Screenshot 2024-08-09 at 11.57.06 PM](https://hackmd.io/_uploads/S1lDn2XcC.png) Then, cat out the content aroung the target name and get the line it belongs: ![Screenshot 2024-08-10 at 1.28.08 AM](https://hackmd.io/_uploads/H1E3WA7cC.png) ![Screenshot 2024-08-10 at 1.28.30 AM](https://hackmd.io/_uploads/BkopZC7cR.png) Then cat out the password around the target: ![Screenshot 2024-08-10 at 1.29.12 AM](https://hackmd.io/_uploads/rJmxMA7c0.png) We see that the password is: cvpbPGS{P7e1S_54I35_71Z3}, and I doubt it's a ROT13 encryption, so I drop it in online tool and the result show that I am right. ### Summary Fundamental string search and line search. Flag: `picoCTF{C7r1F_54V35_71M3}` ## basic-mod1 [Medium] ### Challenge description We found this weird message being passed around on the servers, we think we have a working decryption scheme. Download the message <a href='https://artifacts.picoctf.net/c/129/message.txt'>here</a>. Take each number mod 37 and map it to the following character set: 0-25 is the alphabet (uppercase), 26-35 are the decimal digits, and 36 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message}) ### Solution Write a simple script to get the flag: ```python string = [350, 63, 353, 198, 114, 369, 346, 184, 202, 322, 94, 235, 114, 110, 185, 188, 225, 212, 366, 374, 261, 213] chars = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, '_'] for i in range(len(string)): print(chars[string[i] % 37], end='') ``` ### Summary Fundamental modular concept. Flag: `picoCTF{R0UND_N_R0UND_ADD17EC2}` ## basic-mod2 [Medium] ### Challenge description A new modular challenge! Download the message <a href='https://artifacts.picoctf.net/c/179/message.txt'>here</a>. Take each number mod 41 and find the modular inverse for the result. Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits, and 37 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message}) ### Solution Write a simple script to get the flag content. ```python string = [104, 372, 110, 436, 262, 173, 354, 393, 351, 297, 241, 86, 262, 359, 256, 441, 124, 154, 165, 165, 219, 288, 42] chars = "abcdefghijklmnopqrstuvwxyz0123456789_" def modular_inverse(a, n): for b in range(1, n): if (a * b) % n == 1: return b return None final = [] for c in string: mod_result = c % 41 final.append(modular_inverse(c % 41, 41)) for c in final: print(chars[c-1], end='') ``` ### Summary Fundamental inverse modular concept. Flag: `picoCTF{1nv3r53ly_h4rd_dadaacaa}` # Reverse Engineering ## unpackme.&ZeroWidthSpace;py [Medium] ### Challenge description Can you get the flag? Reverse engineer this <a href='https://artifacts.picoctf.net/c/49/unpackme.flag.py'>Python program.</a> ### Solution Take a look in the python file, we could see it is decrypting a Fernet object, that should be able to see the origin content(possibly be code) in 'f'. <img src='https://hackmd.io/_uploads/rJYxfZYK0.png' style="width: 50%" /> We can simply insert a print line and get the origin content in 'f' as follow: <img src='https://hackmd.io/_uploads/SykHQ-FYC.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/r1yp7WtKR.png' style="width: 100%" /> ### Summary Understand what Fernet is and how it works to get the answer without solving the cryptography. Flag: `picoCTF{175_chr157m45_cd82f94c}` ## Safe Opener [Medium] ### Challenge description Can you open this safe? I forgot the key to my safe but this <a href='https://artifacts.picoctf.net/c/83/SafeOpener.java'>program</a> is supposed to help me with retrieving the lost key. Can you help me unlock my safe? Put the password you recover into the picoCTF flag format like: picoCTF{password} ### Solution We have been given a java code, viewing the source code we know that it is encoding the user input with base64 and compare it with string "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz". What we need to do is decode the string and we get the password: <img src='https://hackmd.io/_uploads/ry42zL3tR.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/HyLCM82KA.png' style="width: 70%" /> ### Summary Basic code viewing and base64 concept. Flag: `picoCTF{pl3as3_l3t_m3_1nt0_th3_saf3}` ## patchme.&ZeroWidthSpace;py [Medium] ### Challenge description Can you get the flag? Run this <a href='https://artifacts.picoctf.net/c/202/patchme.flag.py'>Python program</a> in the same directory as this <a href='https://artifacts.picoctf.net/c/202/flag.txt.enc'>encrypted flag</a>. ### Solution Viewing the source code could know that it is a fundamental code review challenge. The code will check if the user enter the password 'ak98-=90adfjhgj321sleuth9000' and if so, print out the flag: <img src='https://hackmd.io/_uploads/B1bZu82FA.png' style="width: 70%" /> Enter the password and get the flag: <img src='https://hackmd.io/_uploads/S1vVd83t0.png' style="width: 70%" /> ### Summary {Challenge_Summary} Flag: `picoCTF{p47ch1ng_l1f3_h4ck_21d62e33}` ## file-run1 [Medium] ### Challenge description Description A program has been provided to you, what happens if you try to run it on the command line? Download the program <a href='https://artifacts.picoctf.net/c/218/run'>here</a>. ### Solution We can see that the file given is a ELF using binwalk: <img src='https://hackmd.io/_uploads/SJUxc5hK0.png' style="width: 90%" /> We can just run the file to get the flag, but we can also reverse it using IDA. I use IDA to find out the flag, which is the most clear way to see how it works: <img src='https://hackmd.io/_uploads/Bk1In53t0.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/rJZsnc3YR.png' style="width: 90%" /> ### Summary We can do it with IDA revering. Using F5 to decompile the file and double clicking the function or variable to trace the memory address of them. Flag: `picoCTF{U51N6_Y0Ur_F1r57_F113_9bc52b6b}` ## file-run2 [Medium] ### Challenge description Another program, but this time, it seems to want some input. What happens if you try to run it on the command line with input "Hello!"? Download the program <a href='https://artifacts.picoctf.net/c/156/run'>here</a>. ### Solution We can see that the file given is a ELF using binwalk: <img src='https://hackmd.io/_uploads/H1ygr92tC.png' style="width: 90%" /> Reverse it using IDA, from main function decompile we can see the flag variable. Diving into it we can see the flag. <img src='https://hackmd.io/_uploads/rkaIHqhY0.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/rJnqa9ntA.png' style="width: 90%" /> ### Summary We can do it with IDA revering. Using F5 to decompile the file and double clicking the function or variable to trace the memory address of them. Flag: `picoCTF{F1r57_4rgum3n7_96f2195f}` ## bloat.&ZeroWidthSpace;py [Medium] ### Challenge description Can you get the flag? Run this <a href='https://artifacts.picoctf.net/c/104/bloat.flag.py'>Python program</a> in the same directory as this <a href='https://artifacts.picoctf.net/c/104/flag.txt.enc'>encrypted flag</a>. ### Solution We can see that we receive a Python script which has been obfuscated, so we should found critical information about <img src='https://hackmd.io/_uploads/S1BIP32tC.png' style="width: 90%" /> <...CODE SNIP...> I notice that there is only one 'if condition' in the entire source code that might related to password matching, so I print the string out: <img src='https://hackmd.io/_uploads/r19QYh3YC.png' style="width: 90%" /> Finally we sent the right password and we can get the flag: <img src='https://hackmd.io/_uploads/S13HF2nY0.png' style="width: 90%" /> ### Summary Fundamental Python code obfuscation, find out the feature to solve the problem. Flag: `picoCTF{d30bfu5c4710n_f7w_161a4f09}` ## unpackme [Medium] ### Challenge description Can you get the flag? Reverse engineer this <a href='https://artifacts.picoctf.net/c/205/unpackme-upx'>binary</a>. ### Solution As the challenge name is 'unpackme' and the hint said that it is a upx file, we can first decompress it with upx: ![Screenshot 2024-08-07 at 9.40.18 PM](https://hackmd.io/_uploads/ByWUYlbqC.png) Actually, we can use reversing tools to view the decompile code before unpacking it, but there is no valuable information in it. Then, reverse the unpackme-upx file and we can see that in main function we have a condition that comparing the user input number with 754635 (focus on the key words like 'scanf' or 'strcpy' whcih can be easily understand), so we can run the executable and get the flag: <img src='https://hackmd.io/_uploads/r1jv3l-9C.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/rytoaxZ90.png' style="width: 90%" /> ### Summary I take a look at how people done with upx file and follow the hint provided by the challenge. A little bit tricky but is ok as in real world we might get some kind of information when facing a reversable file, so we should use what we get and try doing whatever we can. Flag: `picoCTF{up><_m3_f7w_5769b54e}` ## GDB Test Drive [Medium] ### Challenge description Can you get the flag? Download this <a href='https://artifacts.picoctf.net/c/86/gdbme'>binary</a>. Here's the test drive instructions: $ chmod +x gdbme $ gdb gdbme (gdb) layout asm (gdb) break *(main+99) (gdb) run (gdb) jump *(main+104) ### Solution Follow the command giving by the challenge would get the flag. The command basically is saying that stop at *(main+99) address before calling other functions, and then at that point the flag will be print out in the command located at *(main+104). We can also use IDA to reverse the binary and after decompile it we get the following function: <img src='https://hackmd.io/_uploads/SJHEDLM9R.png' style="width: 70%" /> Also, we can see that in main function there are some datas that looks like flag (by past experiences): <img src='https://hackmd.io/_uploads/SJbww8zq0.png' style="width: 50%" /> So I ask ChatGPT help me reverse the data using little endian, and convert them to text: <img src='https://hackmd.io/_uploads/BkNRv8f50.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/B1N7uUGqC.png' style="width: 70%" /> Then, by coping the code found in the binary, I ask ChatGPT to create a reverse script with Python and run it to get the flag: <img src='https://hackmd.io/_uploads/r17-dUM5R.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/BJ94uUGqC.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/ryurOUG50.png' style="width: 50%" /> ### Summary This challenge is meant to let people try out gdb, however directly telling what command to use make it become useless. Alternatively we can try reversing it using tools like IDA to practice more. Flag: `picoCTF{d3bugg3r_dr1v3_72bd8355}` ## Fresh Java [Medium] ### Challenge description Can you get the flag? Reverse engineer this <a href='https://artifacts.picoctf.net/c/198/KeygenMe.class'>Java program</a>. ### Solution Use JD-GUI or online Jave decompiler to get the code for the Java program. We can get the following code: <img src='https://hackmd.io/_uploads/SyqUhK79R.png' style="width: 50%" /> <...SNIP...> We can see that the flag placed in these conditions. ### Summary Fundamental Java code reverse. We don't even necessary to understand all the code to get the flag. Flag: `picoCTF{700l1ng_r3qu1r3d_9332a6be}` ## Bbbbloat [Medium] ### Challenge description Can you get the flag? Reverse engineer this <a href='https://artifacts.picoctf.net/c/47/bbbbloat'>binary</a>. ### Solution We can open the file using IDA, and there's a condition in main function which tell us that we need to enter the number 549255. So I run it and enter the number, and the flag comes out. <img src='https://hackmd.io/_uploads/rJ7JrRm5R.png' style="width: 50%" /> ![Screenshot 2024-08-10 at 1.44.18 AM](https://hackmd.io/_uploads/HJxKS0Q5C.png) ### Summary Fundamental reverse engineering. Flag: `picoCTF{cu7_7h3_bl047_44f74a60}` # Forensics ## Sleuthkit Intro [Medium] ### Challenge description Download the disk image and use mmls on it to find the size of the Linux partition. Connect to the remote checker service to check your answer and get the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory. <a href='https://artifacts.picoctf.net/c/164/disk.img.gz'>Download disk image</a> ### Solution Unizp the file and use the command `mmls disk.img` to view the partition of it, we get the following result: <img src='https://hackmd.io/_uploads/BJDJmzjKC.png' style="width: 70%" /> Next, connect to the target and notice that I only need to answer the question about the length of the Linux partition. <img src='https://hackmd.io/_uploads/Sy2MUzsFA.png' style="width: 90%" /> ### Summary Fundamental disk search. Flag: `picoCTF{mm15_f7w!}` ## Sleuthkit Apprentice [Medium] ### Challenge description Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory. <a href='https://artifactsz.picoctf.net/c/138/disk.flag.img.gz'>Download compressed disk image</a> ### Solution First take a look in the partition of the image using mmls command, and notice there are two Linux partition in it. <img src='https://hackmd.io/_uploads/rJgEjLsFR.png' style="width: 90%" /> Viewing the first one(2048) did not show valuable information, so I took a look in the second one(360448): <img src='https://hackmd.io/_uploads/r13soLiYA.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/B18knLoF0.png' style="width: 50%" /> Then, using the command `fls -o 360448 disk.flag.img 451` did not show the flag, as it is usally located there, so I use `-r` to recursively get the file and grep for flag: <img src='https://hackmd.io/_uploads/ryG83LjKA.png' style="width: 50%" /> Lastly, get the file using the command `icat -o 360448 disk.flag.img 2371`. <img src='https://hackmd.io/_uploads/H1r52LoKC.png' style="width: 50%" /> ### Summary Learning how to use `mmls`, `fls` and `icat` commands to view the disk image would help a lot when facing this kind of challenges. Flag: `picoCTF{by73_5urf3r_2f22df38}` ## Redaction gone wrong [Medium] ### Challenge description Now you DON’T see me. This <a href='https://artifacts.picoctf.net/c/84/Financial_Report_for_ABC_Labs.pdf'>report</a> has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly? ### Solution We get a pdf file from the challenge, and some of the data has been redacted. I first try to get the flag by cat, but no luck. But the good thing is that, actually we can simply select the redaction part and the flag is not reacted properly: <img src='https://hackmd.io/_uploads/HkPOK13FA.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/B1chKy3YR.png' style="width: 70%" /> ### Summary Always use multiple ways to try get as much information of the resources we get brfore using a tool. Sometimes it is much easy then we think. Flag: `picoCTF{C4n_Y0u_S33_m3_fully}` ## Packets Primer [Medium] ### Challenge description Download the packet capture file and use packet analysis software to find the flag. <a href='https://artifacts.picoctf.net/c/195/network-dump.flag.pcap'>Download packet capture</a> ### Solution First drop the pcap file in Wireshark and notice that only a few packets are transported. Then, as there are no critical information about the packet connection, I try to follow the TCP stream to see if anything interesting there. <img src='https://hackmd.io/_uploads/BkQ0YUnKA.png' style="width: 90%" /> As long as we follow the TCP stream, the flag comes out: <img src='https://hackmd.io/_uploads/HkgeqL3FC.png' style="width: 90%" /> ### Summary Fundamental packet viewing, by following TCP stream we get a more complete sight of the data being transported. Flag: `picoCTF{p4ck37_5h4rk_b9d53765}` ## Operation Oni [Medium] ### Challenge description Download this disk image, find the key and log into the remote machine. <a href='https://artifacts.picoctf.net/c/71/disk.img.gz'>Download disk image</a> ### Solution Firstly, use `mmls` to view the disk image partition: <img src='https://hackmd.io/_uploads/S1w_sI2FC.png' style="width: 90%" /> Take a look at the partition located in 2048, there is nothing interesting there. Next, looking in partition in 206848, we get a classical linux directory: <img src='https://hackmd.io/_uploads/ByhWhIhKC.png' style="width: 90%" /> Another interesting information is that using the command `fls -o 206848 disk.img 470` we can get the files in root directory and notice there are ssh file in it: <img src='https://hackmd.io/_uploads/rJ5O0I2KC.png' style="width: 90%" /> I then try to print out where the flag is using the command `fls -r -o 206848 disk.img | grep flag` but no luck. So I dump out the key file and try to get in the root directory using ssh: 1. Get the ssh key file using command `icat -o 206848 disk.img 2345 > key`. 2. Change the permission of key file to not let it too wide using `chmod 600 key`. 3. Try to connect to the given server using the key file we get from disk image and find out the flag: <img src='https://hackmd.io/_uploads/Hy1s8v3KA.png' style="width: 100%" /> ### Summary The challenge start with a basic disk image viewing commands and then we need to dump out the ssh key in order to be able to ssh in the server without password. Flag: `picoCTF{k3y_5l3u7h_af277f77}` ## Lookey here [Medium] ### Challenge description Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it. Download the data here. ### Solution From the description we know that the flag is hiding in the text, all we need to do is catting out the content and grep for the prefix 'pico' and we get the flag. <img src='https://hackmd.io/_uploads/rys6dO2YR.png' style="width: 100%" /> ### Summary Fundamental grep command. Flag: `picoCTF{gr3p_15_@w3s0m3_58f5c024}` ## Enhance! [Medium] ### Challenge description Download this image file and find the flag. <a href='https://artifacts.picoctf.net/c/100/drawing.flag.svg'>Download image file</a> ### Solution It is a svg file, we can cat out and see the output contains \<text\> label with many partial informations: <img src='https://hackmd.io/_uploads/HJgtfj2Y0.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/rJjWXshK0.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/HygIQj3FA.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/HJ8Pmj2YR.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/Hym_mihtC.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/SJxFXohKR.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/rJ4oXshKA.png' style="width: 90%" /> <img src='https://hackmd.io/_uploads/Byr9XjnFC.png' style="width: 90%" /> ### Summary Getting the flag by catting out the file content. Flag: `picoCTF{3nh4nc3d_aab729dd}` ## Evasedrop [Medium] ### Challenge description Download this packet capture and find the flag. <a href='https://artifacts.picoctf.net/c/134/capture.flag.pcap'>Download packet capture</a> ### Solution We are given a pcap file, so first we open it with Wireshark. After opening it, I notice that there is not much packets trnasport in this challenge, so I choice the TCP packets and follow the stream. Here's what comes out: <img src='https://hackmd.io/_uploads/H1fJLohK0.png' style="width: 70%" /> Then, use the filter 'tcp.port == 9002' we can get the stream they use to transport the file: <img src='https://hackmd.io/_uploads/Sk2t8jntA.png' style="width: 90%" /> Follow the stream -> view as Raw -> save file: <img src='https://hackmd.io/_uploads/B1rjOs2tC.png' style="width: 90%" /> Finally, use the command mentioned previously in the TCP stream to extract the flag: <img src='https://hackmd.io/_uploads/SJTEto3FA.png' style="width: 90%" /> ### Summary Wireshark solvable challenge, using filter to quickly get the desire TCP stream. Flag: `picoCTF{nc_73115_411_dd54ab67}` ## Torrent Analyze [Medium] ### Challenge description SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company’s network. Can you identify the file(s) that were downloaded? The file name will be the flag, like picoCTF{filename}. <a href='https://artifacts.picoctf.net/c/165/torrent.pcap'>Captured traffic</a>. ### Solution Download the file and analyse it using Wireshark. I understand the instruction of torrent explaination provided by the challenge hint and take a deep look in the pcap but there are no interesting information that grab my eyes. I actually go see how other people do this challenge and notice that the information I need is actually just the hash. We can easily get the downloaded file by searching the hash on browser. ![Screenshot 2024-08-07 at 10.30.48 PM](https://hackmd.io/_uploads/BJvXHb-q0.png) But this is not what we want as searching it will not give a proper filename. So I then remember that the torrent download is done partially, so we should be able to get the same hash in multiple connections. So I keep searching the hash value and got one that repeat constantly: ![Screenshot 2024-08-07 at 10.39.55 PM](https://hackmd.io/_uploads/B1_rv-W5A.png) The hash is: `e2467cbf021192c241367b892230dc1e05c0580e`, but searching it on the browser will show a lot of writeups, so I look up a GitHub issue and notice it is the Ubuntu 19.10 version: <img src='https://hackmd.io/_uploads/SJV_dZbcR.png' style="width: 70%" /> Searching the filename on the internet and get the answer: <img src='https://hackmd.io/_uploads/BknjdW-cR.png' style="width: 70%" /> (Remember to put the .iso extension mentioned by the hint.) ### Summary This challenge made me have to look at how others do it, but from doing that I learned we can actually search the hash on browser if we think it might be a famous file. That made me think more broad next time meeting this kind of problems and that is just worth it. Flag: `picoCTF{ubuntu-19.10-desktop-amd64.iso}` ## St3g0 [Medium] ### Challenge description Download this image and find the flag. <a href='https://artifacts.picoctf.net/c/216/pico.flag.png'>Download image</a> ### Solution It is obviously a steganography challenge, so we use the command `zsteg -a pico.flag.png` and get the flag: ![Screenshot 2024-08-08 at 8.54.24 PM](https://hackmd.io/_uploads/SJgGxSz5R.png) ### Summary Fundamental steganography concept and the use of tools. Flag: `picoCTF{7h3r3_15_n0_5p00n_a1062667}` ## Operation Orchid [Medium] ### Challenge description Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory. <a href='https://artifacts.picoctf.net/c/213/disk.flag.img.gz'>Download compressed disk image</a> ### Solution First we decompress the disk.flag.img.gz, then binwalk it: ![Screenshot 2024-08-08 at 9.36.02 PM](https://hackmd.io/_uploads/SkVRKHMqA.png) Then, we can use `mmls` to get the partition in it: ![Screenshot 2024-08-08 at 9.37.09 PM](https://hackmd.io/_uploads/ryvM5BM9R.png) We will see that there are is a complete Linux directory at partiion 411648, and we use `fls -r` to recursively find the flag tile: ![Screenshot 2024-08-08 at 9.40.13 PM](https://hackmd.io/_uploads/B1C6cSf50.png) But we cannot directly get the flag using `icat`. So I get the flag.txt.enc (Using the command `icat -o 411648 disk.flag.img 1782 > flag.txt.enc`) and tried another method using `strings -t d disk.flag.img | grep flag.txt` to get the contents related with flag: ![Screenshot 2024-08-08 at 9.58.38 PM](https://hackmd.io/_uploads/H1bXkLz5A.png) There's a line saying that the flag has been encrypted using aes256 algorithm with key 'unbreakablepassword1234567', so we decrypt it using the command: `openssl aes256 -salt -d -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567`. After that cat out the flag.txt and we should get the flag. ### Summary 'strings' is a useful tool when facing disk image as it could quicky find out the content in the disk. If the user did not erase sensitive information, it would be leak and we can use them to reverse the encrypted file. Flag: `picoCTF{h4un71ng_p457_5113beab}` ## File types [Medium] ### Challenge description This file was found among some files marked confidential but my pdf reader cannot read it, maybe yours can. You can download the file from <a href='https://artifacts.picoctf.net/c/81/Flag.pdf'>here</a>. ### Solution First we use binwalk and notice there's a shell in it. Cat the file we see that the comment tell us to run it using sh. ![Screenshot 2024-08-09 at 8.57.44 PM](https://hackmd.io/_uploads/SJNUz9QcR.png) Run it with sh and get a file called flag with bzip2 (uuencode) type. ![Screenshot 2024-08-09 at 8.58.38 PM](https://hackmd.io/_uploads/HkqYGqm50.png) We can see that there's an offset in the file that we should extract it for the uuencode to be successfully decoded. Use the following command to extract: `dd if=flag bs=1 skip=100 of=flag-offset100.bz2` ![Screenshot 2024-08-09 at 9.04.12 PM](https://hackmd.io/_uploads/r1_0X97qC.png) binwalk it we get a gzip and lzip file. We can extract it using `binwalk -e`: ![Screenshot 2024-08-09 at 9.19.05 PM](https://hackmd.io/_uploads/ByI8DqXcR.png) The flag is a lzip file (the other one is the same file with one more gzip compress layer, so I delete it), so can decompress it using `lzip -d flag`, we get a LZ4 file. We then further decompress it using `lz4 -d {FILENAME} {FILENAME}.lzma` (because we will get a lzma file after decompressing it, and lzma file requires the surfix to understand it). After that, I change the `flag.out.lzma` to `flag-lzma.out.lzma` because the extract name would conflict if I don't do that. Extracting it using the command `lzma -d flag-lzma.out.lzma`: ![Screenshot 2024-08-09 at 9.34.12 PM](https://hackmd.io/_uploads/SkW1o9m5R.png) We get a LZ0 file...again we also need to change the file name to .lzop, so I cnange it to `file-lzop.out.lzop`. Decompressing it using `lzop -d flag-lzop.out.lzop` we get flag-lzop.out: ![Screenshot 2024-08-09 at 9.46.21 PM](https://hackmd.io/_uploads/rkY2Tq7qR.png) ![Screenshot 2024-08-09 at 9.47.08 PM](https://hackmd.io/_uploads/ryKyR9XcC.png) We got a xz file. Change the file name to `flag-lzop.out.out to flag-lzop.out.xz` (I did not change the file name itself here because I forgot to). Decompress it using `xz -d file-lzop.out.xz` we get the file that cannot further binwalk! Finally we see that it seems like a hex string and put it on online tools to get the flag: ![Screenshot 2024-08-09 at 9.49.46 PM](https://hackmd.io/_uploads/SJdtAc79C.png) <img src='https://hackmd.io/_uploads/BJcfko79A.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/rJXNysX9A.png' style="width: 50%" /> ### Summary Just keep decompress and rename... Flag: `picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}` # Binary Exploitation ## buffer overflow 0 [Medium] ### Challenge description Let's start off simple, can you overflow the correct buffer? The program is available <a href='https://artifacts.picoctf.net/c/172/vuln'>here</a>. You can view source <a href='https://artifacts.picoctf.net/c/172/vuln.c'>here</a>. ### Solution We are given a vuln excutable and vuln.c source code. Viewing source code I notice that the input is not using any filter and did not limit the input length, so we can overflow this buffer: <img src='https://hackmd.io/_uploads/B1XFoi3YA.png' style="width: 40%" /> Revering it using IDA will show that the flag has been print in 'sigsegv_handler' function, so what we need to do is simply overflowing the input buffer. <img src='https://hackmd.io/_uploads/BJX9G3hY0.png' style="width: 50%" /> Using gdb to test the pattern length by firstly create a 50 length pattern: <img src='https://hackmd.io/_uploads/Sy5BXhhY0.png' style="width: 70%" /> Then, we send it and see that it has been overflow, use the command `pattern offset {eip_address}` to get the pattern length: <img src='https://hackmd.io/_uploads/r1rX4h2FA.png' style="width: 100%" /> So we see that the offset is 28, we only need to send 29 'a' and we can get the flag. <img src='https://hackmd.io/_uploads/rJ3AEhnF0.png' style="width: 100%" /> ### Summary Look closer in IDA and do not skip any possible function that the flag might be print out at. There is no need to calculate the pattern length, we can just send a lot of char to overflow it, this is just in case it is very large and we need Python to help generate the pattern. Flag: `picoCTF{ov3rfl0ws_ar3nt_that_bad_9f2364bc}` ## buffer overflow 1 [Medium] ### Challenge description Control the return address Now we're cooking! You can overflow the buffer and return to the flag function in the <a href="https://artifacts.picoctf.net/c/185/vuln">program</a>. You can view source <a href="https://artifacts.picoctf.net/c/185/vuln.c">here</a>. ### Solution First take a loot at the source code `vuln.c` we can see that what we need to do is enter a string, and trying to buffer overflow to force the program return to the function we desire (in this case, win function). Reverse the binary using IDA, we can see that the main function will call vuln(), and diving into vuln we could see that it is asking for an address to return. <img src='https://hackmd.io/_uploads/Byn7WOdFR.png' style="width: 50%" /> <img src='https://hackmd.io/_uploads/rJu7f_utC.png' style="width: 70%" /> Since directly sending the memory address of win function would not work, I then try to use **gdb** for finding the eip register to control the return address. Using the **gef** plugin for **gdb**, we can use the command `pattern create 50` to easily create patterns used for overflowing the buffer. So I sent it in the program and get the result as follow: <img src='https://hackmd.io/_uploads/ryIKpduKA.png' style="width: 70%" /> <img src='https://hackmd.io/_uploads/B1TkA_uYA.png' style="width: 100%" /> <img src='https://hackmd.io/_uploads/By3cRu_KA.png' style="width: 90%" /> We can see that the eip register has been overwitten. Using the command `pattern offset 0x6161616c`(eip memory address), we get that the offset of the input to eip is 44, so we need to put the address after 44 chars. <img src='https://hackmd.io/_uploads/ry9lkY_tC.png' style="width: 70%" /> Using the command file vuln we can get the following result: <img src='https://hackmd.io/_uploads/HJcmeKutR.png' style="width: 50%" /> As it is a 32-bit binary, lets write a exploit script `exp.py` to get the flag: ``` from pwn import * r = remote("saturn.picoctf.net", YOUR_CHALLENGE_PORT) p = b'a' * 44 p += p32(0x080491F6) # The win() function's address. r.sendlineafter("string:", p) r.interactive() # Let it automatically interact with the rest of the process. ``` Run the script and get the flag. ### Summary This challenge needs basic buffer overflow knowledges, and is better using gdb with gef installed. The overall concept is pretty classical. Flag: `picoCTF{addr3ss3s_ar3_3asy_6462ca2d}` ## RPS [Medium] ### Challenge description Here's a program that plays rock, paper, scissors against you. I hear something good happens if you win 5 times in a row. The program's source code with the flag redacted can be downloaded <a href='https://artifacts.picoctf.net/c/146/game-redacted.c'>here</a>. ### Solution The given code is a paper scissor stone game. I first try out by playing it normally, but it is hard to win 5 times using normal way, so I try to do something that should not be allowed: sending paper, scissors, rock at the same input. The result shows that the computer did not filter the invalid input, diving into the code we could notice that it is using a strstr function to decide whether the user wins or not. strstr function only take care of whether the given string is in another string, so we can send all the possible choices to win every game and get the flag. <img src='https://hackmd.io/_uploads/SJto4yhF0.png' style="width: 70%" /> ### Summary Both looking in the source code and trying to give invalid input are important, sometimes I get surprising results by sending random things. Flag: `picoCTF{50M3_3X7R3M3_1UCK_B69E01B8}` ## CVE-XXXX-XXXX [Medium] ### Challenge description Enter the CVE of the vulnerability as the flag with the correct flag format: picoCTF{CVE-XXXX-XXXXX} replacing XXXX-XXXXX with the numbers for the matching vulnerability. The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in the Windows Print Spooler Service, which is available across desktop and server versions of Windows operating systems. The service is used to manage printers and print servers. ### Solution Searching on Google with the pattern "CVE RCE 2021 Printer" we will get the first result is CVE-2021-34527. ### Summary This challenge should not be put in binary exploitation... Flag: `picoCTF{CVE-2021-34527}` ## x-sixty-what [Medium] ### Challenge description Overflow x64 code Most problems before this are 32-bit x86. Now we'll consider 64-bit x86 which is a little different! Overflow the buffer and change the return address to the flag function in this <a href='https://artifacts.picoctf.net/c/65/vuln'>program</a>. <a href='https://artifacts.picoctf.net/c/65/vuln.c'>Download source</a>. ### Solution Same as other buffer overflow challenges, but this time we are dealing with x64 files. First I use gdb to disassemble the executable file 'vuln' and we could see that the flag is located at 0x401236. <img src='https://hackmd.io/_uploads/ry-v1SRYC.png' style="width: 90%" /> Then, try to overflow it using `pattern create 100`. We get the offset by giving it the rbp address: <img src='https://hackmd.io/_uploads/rk_LlSAFC.png' style="width: 90%" /> Then, we could know that we met rbp at offset 64, so we need to give a 72 offset to reach the return address, so the payload should look like this: `b'a'*72 + flag_fnc_address`. One thing to notice is that if we give the flag_fnc_address just at where the function starts, we will get nothing because the code located there is endbr64, and the next line is push rbp, which are two command that we can't directly jump to. So the final exploit script would look like this: <img src='https://hackmd.io/_uploads/HkbxzBCFA.png' style="width: 50%" /> Get the flag by executing it: <img src='https://hackmd.io/_uploads/rJ6MMSAYA.png' style="width: 90%" /> ### Summary This challenge requires basic knowledge of x64 stack, and how to overflow it. It also require the information that some command is not jumpable, which is a commonly made mistake taken by people. Flag: `picoCTF{b1663r_15_b3773r_47a99eda}` ## flag leak(wip) [Medium] ### Challenge description Story telling class 1/2 I'm just copying and pasting with this <a href='https://artifacts.picoctf.net/c/91/vuln'>program</a>. What can go wrong? You can view source <a href='https://artifacts.picoctf.net/c/91/vuln.c'>here</a>. ### Solution {Challenge_Solution} ### Summary {Challenge_Summary} Flag: `{Challenge_Flag}` ## basic-file-exploit [Medium] ### Challenge description The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it! The program's source code with the flag redacted can be downloaded <a href='https://artifacts.picoctf.net/c/140/program-redacted.c'>here</a>. ### Solution The program can be interact with numbers and strings, and the hint says that we could try entering a string. Taking a look in the .c file we notice that we need to first enter some data in it before we can do 'read', so I enter some random trash and try to read out the flag. As I don't lnow the exact position of flag.txt, I tried from the following one, and lukly got a shot at first try: <img src='https://hackmd.io/_uploads/Bkk1y0N5R.png' style="width: 90%" /> ### Summary Fundamental code reviewing. I get the flag using some reverse thinking and it did help in many situations. Flag: `picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_68466E2F}`