picoGym Exclusive Writeups

# picoGym Exclusive Writeups The CTF challenges WriteUp for picoGym Exclusive.The writeup is written in August, 2024, so the difficulties may have changed.  # General Skills ## Big Zip [Easy] ### Challenge description Unzip this archive and find the flag. <a href='https://artifacts.picoctf.net/c/504/big-zip-files.zip'>Download zip file</a> ### Solution Unzip it and use the command `grep -r "pico" .` and we can get the flag: ![image](https://hackmd.io/_uploads/BJ3CwuyoA.png) ### Summary Fundamental grep usage. Flag: `picoCTF{gr3p_15_m4g1c_ef8790dc}` ## First Find [Easy] ### Challenge description Unzip this archive and find the file named 'uber-secret.txt' <a href='https://artifacts.picoctf.net/c/502/files.zip'>Download zip file</a> ### Solution First unzip the downloaded file. Then, we can find the flag using the command: `grep -r "pico" .` ![image](https://hackmd.io/_uploads/SydONDQsA.png) ### Summary Fundamental grep usage. Flag: `picoCTF{f1nd_15_f457_ab443fd1}` ## ASCII Numbers [Medium] ### Challenge description Convert the following string of ASCII numbers into a readable string: 0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x35 0x63 0x31 0x31 0x5f 0x6e 0x30 0x5f 0x71 0x75 0x33 0x35 0x37 0x31 0x30 0x6e 0x35 0x5f 0x31 0x6c 0x6c 0x5f 0x74 0x33 0x31 0x31 0x5f 0x79 0x33 0x5f 0x6e 0x30 0x5f 0x6c 0x31 0x33 0x35 0x5f 0x34 0x34 0x35 0x64 0x34 0x31 0x38 0x30 0x7d ### Solution Use CyberChef and put the string in input section. Then, we drag the "From Hex" and drop it in Recipe section. Finally, click Bake and we sould get the result: ![image](https://hackmd.io/_uploads/r17HLwmoA.png) ### Summary Fundamental CyberChef usage. It is very powerful for many kinds of encrypted strings. Flag: `picoCTF{45c11_n0_qu35710n5_1ll_t311_y3_n0_l135_445d4180}` # Web Exploitation ## JAuth [Medium] ### Challenge description Most web application developers use third party components without testing their security. Some of the past affected companies are: Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638 Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used VerticalScope (internet media company) - outdated version of vBulletin forum software used Can you identify the components and exploit the vulnerable one? Additional details will be available after launching your challenge instance. The website is running here. Can you become an admin? You can login as test with the password Test123! to get started. ### Sumnmary Try login as `admin` with random password, we get the hint that we should try starting with `test` and `Test123!`. Let's log in and we can see that there's a JWT token there: ![image](https://hackmd.io/_uploads/r1QWfd7jA.png) Use [JWT Debugger](https://token.dev/) to get the result: ![image](https://hackmd.io/_uploads/S1U24_7oA.png) Then, I crack the JWT auth and trying to get the password using the command `john jwt.txt --wordlist=/usr/share/wordlists/rockyou.txt`, but no luck. So, let's try to simply change the algorithm to none. Let's change the data(remember to close base64 encode, and make sure it says `none` on `Algorithm:`): ![image](https://hackmd.io/_uploads/ryaZEd7oA.png) Then the token should look like(make sure the last period is set properly): `eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNzI0MjQ5MDI4NTcyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjcuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcyNDI0OTAyOX0`. Change the token in cookie and refresh: <img src='https://hackmd.io/_uploads/BJSvrdmsA.png' style="width: 50%" /> ### Summary JWT token knowledge. Flag: `picoCTF{succ3ss_@u7h3nt1c@710n_3444eacf}` # Reverse Engineering ## Picker I [Medium] ### Challenge description This service can provide you with a random number, but can it do anything else? ### Solution First by typing getRandomNumber we can see it ouput a number. Then, I tried entering `print("123")` and notice that it process the `print`. So, let's see what's inside the program using the following command: `print(globals().items())` ![image](https://hackmd.io/_uploads/ry8y1EEiR.png) It prints out the existing function in the program. We can see that it contains a win function, which will probably print out flag we need: ![image](https://hackmd.io/_uploads/rytUJNVsC.png)*<...SNIP...>* ``` ==> win 0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x5f 0x64 0x31 0x34 0x6d 0x30 0x6e 0x64 0x5f 0x31 0x6e 0x5f 0x37 0x68 0x33 0x5f 0x72 0x30 0x75 0x67 0x68 0x5f 0x62 0x35 0x32 0x33 0x62 0x32 0x61 0x31 0x7d ``` We got a hex string, convert it and get the flag. ### Summary Play with it and see what we can get. In this challenge, we use the global().items() to get all existing functions. Flag: `picoCTF{4_d14m0nd_1n_7h3_r0ugh_b523b2a1}` ## Picker II [Medium] ### Challenge description Can you figure out how this program works to get the flag? ### Solution Download the Python file, in the input area it is using a filter to see if we are typing 'win' to try getting the flag, and we need to bypass it. <img src='https://hackmd.io/_uploads/S1fPQkUo0.png' style="width: 40%" /> The easiest way is as we know `eval()` is available, just use the input to avoid filter and execute it directely: ![image](https://hackmd.io/_uploads/B1khEkUsC.png) We get the following hex string: ``` 0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x66 0x31 0x6c 0x37 0x33 0x72 0x35 0x5f 0x66 0x34 0x31 0x6c 0x5f 0x63 0x30 0x64 0x33 0x5f 0x72 0x33 0x66 0x34 0x63 0x37 0x30 0x72 0x5f 0x6d 0x31 0x67 0x68 0x37 0x5f 0x35 0x75 0x63 0x63 0x33 0x33 0x64 0x5f 0x62 0x39 0x32 0x34 0x65 0x38 0x65 0x35 0x7d ``` Convert it and we will get the flag. ### Summary Fundamental input bypass concept. Flag: `picoCTF{f1l73r5_f41l_c0d3_r3f4c70r_m1gh7_5ucc33d_b924e8e5}` ## Picker III [Medium] ### Challenge description Can you figure out how this program works to get the flag? The program's source code can be downloaded [here](https://artifacts.picoctf.net/c/524/picker-III.py). ### Solution To understand what the script is doing, we can take a look in the Python file. We see that we can write a function and read it, but we can not input ';', '(' or ')' in. So it is not possible to just write a `win()` and execute it. Then, take a deeper look at the function table, it seems that only the function listed in it will be directly executed (using numbers like 1, 2, 3 or 4), so we can try to overwrite the content of them. I overwrite the getRandomNumber function like so: <img src='https://hackmd.io/_uploads/HJwzxQXn0.png' style="width: 40%" /> <img src='https://hackmd.io/_uploads/By6NlQm2A.png' style="width: 70%" /> And we can now call it using the input of number 4 to let it execute the `win()` function: <img src='https://hackmd.io/_uploads/ryJ71Q7n0.png' style="width: 70%" /> We get the following hex string, convert it to text and that's the flag we're looking for: ``` 0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x37 0x68 0x31 0x35 0x5f 0x31 0x35 0x5f 0x77 0x68 0x34 0x37 0x5f 0x77 0x33 0x5f 0x67 0x33 0x37 0x5f 0x77 0x31 0x37 0x68 0x5f 0x75 0x35 0x33 0x72 0x35 0x5f 0x31 0x6e 0x5f 0x63 0x68 0x34 0x72 0x67 0x33 0x5f 0x63 0x32 0x30 0x66 0x35 0x32 0x32 0x32 0x7d ``` ### Summary Improper protection of the function and input allow us to modify the content in it. Flag: `picoCTF{7h15_15_wh47_w3_g37_w17h_u53r5_1n_ch4rg3_c20f5222}` ## ASCII FTW [Medium] ### Challenge description This program has constructed the flag using hex ascii values. Identify the flag text by disassembling the program. You can download the file from [here](https://artifacts.picoctf.net/c/506/asciiftw). ### Solution Upon opening the ELF file downloaded by the link, open it with IDA, we could get the following string content: ![image](https://hackmd.io/_uploads/HkAH8VQnC.png) We can easily get the flag from the source code. ### Summary Fundamental ELF reversing. Flag: `picoCTF{ASCII_IS_EASY_3CF4BFAD}` ## Bit-O-Asm-1 [Medium] ### Challenge description Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump [here](https://artifacts.picoctf.net/c/509/disassembler-dump0_a.txt). ### Solution We can see the file contains the following commands: <img src='https://hackmd.io/_uploads/rJlg94730.png' style="width: 50%" /> We can see that the last command for `eax` is `mov eax 0x30`, and 0x30 in decimal is 48. ### Summary Fundamental assembly code concept. Flag: `picoCTF{48}` ## Bit-O-Asm-2 [Medium] ### Challenge description Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump [here](https://artifacts.picoctf.net/c/510/disassembler-dump0_b.txt). ### Solution From the given file, we can get the following code: <img src='https://hackmd.io/_uploads/HJ6UANX3A.png' style="width: 50%" /> We can see that `eax` has been asigned using the command `mov eax DWORD PTR [rbp-0x4]`, which `DWORD PTR [rpb-0x4]` is asigned with value `0x9fe1a` in line <+15>. Convert the hex to decimal we get 654874. ### Summary Fundamental assembly code concept. Flag: `picoCTF{654874}` ## Bit-O-Asm-3 [Medium] ### Challenge description Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump [here](https://artifacts.picoctf.net/c/530/disassembler-dump0_c.txt). ### Solution We can see that from the given file, we receive the code like so: <img src='https://hackmd.io/_uploads/SJzjhPE3A.png' style="width: 50%" /> We see that the code related to eax is the following: ``` <+29>: mov eax,DWORD PTR [rbp-0xc] <+32>: imul eax,DWORD PTR [rbp-0x8] <+36>: add eax,0x1f5 <+41>: mov DWORD PTR [rbp-0x4],eax <+44>: mov eax,DWORD PTR [rbp-0x4] ``` First, `eax` was set to `DWORD PTR [rpb-0xc]`, which is `0x9fe1a`. Next, `eax` is multiplied by `DWORD PTR [rpb-0x8]`, which is `0x9fe1a * 0x4 = 0x27F868`. (We can use [this](https://www.calculator.net/hex-calculator.html) website to calculate hex values.) Then, `eax` is added by `0x1f5`, we got `0x27FA5D`. The following two lines of command did not affect the result, as it is simply moving the value in the rbp and move it back to eax. Convert the hex value to decimal and that's the flag we're looking for. ### Summary Fundamental assembly code concept. Flag: `picoCTF{2619997}` ## Bit-O-Asm-4 [Medium] ### Challenge description Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump [here](https://artifacts.picoctf.net/c/511/disassembler-dump0_d.txt). ### Solution From the given file, we can see that it is comparing two values (`0x9fe1a` and `0x2710`): <img src='https://hackmd.io/_uploads/S1xhXdV3C.png' style="width: 50%" /> `jle` means 'jump less then', so if the first value is smaller then the following one, it jumps to <main+37>. Obviously, this is not the case, so following up we substitute the value with 0x65, and we got `0x9fe1a - 0x65 = 0x9FDB5`. Then, we jump to <main+41>, and the `eax` is assigned to `0x9FDB5`, convert it to decimal and that's the flag. ### Summary Fundamental assembly code concept with jump condition. Flag: `picoCTF{654773}` ## GDB baby step 1 [Medium] ### Challenge description Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Disassemble [this](https://artifacts.picoctf.net/c/512/debugger0_a). ### Solution Firstly, we binwalk the file to see the file type: ```shell ❯ binwalk debugger0_a DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV) ``` It's an `ELF` file. View the existing functions using `info functions` in gdb: <img src='https://hackmd.io/_uploads/HJc-DFVhA.png' style="width: 50%" /> The fastest way is to disassemble the file and get the assembly code: <img src='https://hackmd.io/_uploads/SkDjuFN3A.png' style="width: 70%" /> We can see that the `eax` is assigned with value `0x86342`, convert it to decimal and that's the flag. ### Summary Fundamental GDB usage, better installed with gef as it is helpful for debugging. Flag: `picoCTF{549698}` ## GDB baby step 2 [Medium] ### Challenge description Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Debug [this](https://artifacts.picoctf.net/c/520/debugger0_b). ### Solution Same as **GDB baby step 1**, we use `disassemble main` to get the instructions in main function: <img src='https://hackmd.io/_uploads/BJk32FNn0.png' style="width: 70%" /> I'll be using breakpoints in this challenge. We know that the last instruction related to eax is at <main+56>, so I will set the breakpoint at `0x0000000000401141`: <img src='https://hackmd.io/_uploads/rkJzAtNnC.png' style="width: 30%" /> We then use `r` to run the program (remember to add the execution priviledge to the program), we will get the following result: ![image](https://hackmd.io/_uploads/HkpjCKEn0.png) We can now use the command `info registers eax` to get the value in it: <img src='https://hackmd.io/_uploads/SyL2AFV3R.png' style="width: 50%" /> Convert it to decimal and that's the flag. ### Summary Breakpoint is helpful in gdb/gef. We can stop at particular point and see the value at the moment to get the flag. Flag: `picoCTF{307019}` ## GDB baby step 3 [Medium] ### Challenge description Now for something a little different. 0x2262c96b is loaded into memory in the main function. Examine byte-wise the memory that the constant is loaded in by using the GDB command x/4xb addr. The flag is the four bytes as they are stored in memory. If you find the bytes 0x11 0x22 0x33 0x44 in the memory location, your flag would be: picoCTF{0x11223344}. Debug [this](https://artifacts.picoctf.net/c/531/debugger0_c). ### Solution Take a look in the given code, we get the following: <img src='https://hackmd.io/_uploads/ryNdFTrhA.png' style="width: 100%" /> We see that the `eax` being asigned with value at <main+22>, however, the eax register memory position is not sure, so we can get the `$rbp-0x4`. Set breakpoint at <main+25> and `run` the program. When we met the breakpoint, use the command provided by the challenge `x/4xb $rbp-0x4` to get the data: <img src='https://hackmd.io/_uploads/Bk9HoTr2A.png' style="width: 70%" /> `x/4xb` explanation: The first `x` means checking the memory data. The `/4` means using the format with 4 byte/word/long. The second `x` means using hex format. The `b` means each word is a byte. Arrange the bytes and get the flag. ### Summary Fundamental assembly code concept and gdb usage. Flag: `picoCTF{0x6bc96222}` ## GDB baby step 4 [Medium] ### Challenge description main calls a function that multiplies eax by a constant. The flag for this challenge is that constant in decimal base. If the constant you find is 0x1000, the flag will be picoCTF{4096}. Debug [this](https://artifacts.picoctf.net/c/532/debugger0_d). ### Solution From the given code, we could see two functions (using `info functions`) called `main` and `func1`: ![image](https://hackmd.io/_uploads/HJv_6Tr2C.png) ![image](https://hackmd.io/_uploads/HJV5apr20.png) But from the challenge description, actually what we only need is to look up the instruction located at <func1+14>. It multiplied `eax` with hex value `0x3269`, which is 12905 in decimal, and that's the flag. ### Summary Fundamental assembly code concept. Flag: `picoCTF{12905}` # Forensics ## WPA-ing Out [Medium] ### Challenge description I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump. Use this '[pcap file](https://artifacts.picoctf.net/c/41/wpa-ing_out.pcap)' and the rockyou wordlist. The flag should be entered in the picoCTF{XXXXXX} format. ### Solution First, we use WireShark to open the pecp file, I tried to find some passwords in flow, but no luck. Then, I notice that the hint says there's a tool called Aircrack-ng, which can used for attacking a `.pcap` file. So, I use the following command to ![image](https://hackmd.io/_uploads/B18IsCH2C.png) ![image](https://hackmd.io/_uploads/SJwdjCSnR.png) We see that the key is "mickeymouse", place it in the flag format. ### Summary Fundamental tool usage. Flag: `picoCTF{mickeymouse}` # Binary Exploitation ## Picker IV [Medium] ### Challenge description Can you figure out how this program works to get the flag? The program's source code can be downloaded here. The binary can be downloaded here. ### Solution Directly connect to the server, we got the following result: ![image](https://hackmd.io/_uploads/S1msxzwnR.png) Take a look at the given ELF file, we can use IDA to reverse it. ![image](https://hackmd.io/_uploads/B1PcJMv2R.png) Upon loading the file, we can see that there's a `win` function, we can follow it and see the address of the first code: ![image](https://hackmd.io/_uploads/Byi1WGwn0.png) So, we're going to enter `4012A2` as input (because `endbr64` is not jumpable in assembly code): <img src='https://hackmd.io/_uploads/rJUN-GvnA.png' style="width: 70%" /> ### Summary Fundamental ELF file reversing. Flag: `picoCTF{n3v3r_jump_t0_u53r_5uppl13d_4ddr35535_01672a61}` ## Local Target [Medium] ### Challenge description Smash the stack Can you overflow the buffer and modify the other local variable? The program is available here. You can view source here. ### Solution We got the following code if we reverse the file using IDA: ```c int __cdecl main(int argc, const char **argv, const char **envp) { char v4[16]; // [rsp+0h] [rbp-20h] BYREF FILE *stream; // [rsp+10h] [rbp-10h] unsigned int v6; // [rsp+18h] [rbp-8h] char i; // [rsp+1Fh] [rbp-1h] v6 = 64; printf("Enter a string: "); fflush(_bss_start); gets(v4, argv); putchar(10); printf("num is %d\n", v6); fflush(_bss_start); if ( v6 == 65 ) { puts("You win!"); fflush(_bss_start); stream = fopen("flag.txt", "r"); if ( !stream ) { puts("Cannot open file."); fflush(_bss_start); exit(0); } for ( i = fgetc(stream); i != -1; i = fgetc(stream) ) putchar(i); fflush(_bss_start); putchar(10); fflush(_bss_start); fclose(stream); exit(0); } puts("Bye!"); fflush(_bss_start); return 0; } ``` We're allowed to write data to `v4` but not `v6`, so we need to overflow until the input overwrite it. The address of `v4` and `v6` are `[rbp-0x20]` and `[rbp-0x8]`, and as it is a x64 architecture, we know that to overwrite `v6`, we need to insert 24 bytes than char `A` (the text format of 65 from ASCII code): <img src='https://hackmd.io/_uploads/SyN6mfPnC.png' style="width: 50%" /> As you can see, we successfully overwrite `v6` and pass the condition and got the flag. ### Summary Fundamental reverse engineering concept and memory address computation. Flag: `picoCTF{l0c4l5_1n_5c0p3_fee8ef05}`