# picoCTF 2019 Writeups
Writeups for the picoCTF 2019 challenges. These were written in `August, 2024`, so the challenge difficulties may have changed since.
<!--
# {Challenge_Category}
<span style="color: green;">[Easy]</span>
<span style="color: orange;">[Medium]</span>
<span style="color: red;">[Hard]</span>
## {Challenge_Name}
### Challenge description
{Challenge_Description}
### Solution
{Challenge_Solution}
### Summary
{Challenge_Summary}
<br>Flag: `{Challenge_Flag}`
<br><br>
<img src='' style="width: 50%" />
-->
# General Skills
## 2Warm <span style="color: green;">[Easy]</span>
### Challenge description
Can you convert the number 42 (base 10) to binary (base 2)?
### Solution
The answer is `101010`.
### Summary
Fundamental number base concept.
<br>Flag: `picoCTF{101010}`
<br><br>
## First Grep <span style="color: green;">[Easy]</span>
### Challenge description
Can you find the flag in <a href='https://jupiter.challenges.picoctf.org/static/515f19f3612bfd97cd3f0c0ba32bd864/file'>file</a>? This would be really tedious to look through manually, something tells me there is a better way.
### Solution
The file contains a lot of data; just use `grep` to search for the pattern `picoCTF`:
<img src='https://hackmd.io/_uploads/r1gegR2c0.png' style="width: 50%" />
### Summary
Fundamental `grep` usage.
<br>Flag: `picoCTF{grep_is_good_to_find_things_5af9d829}`
<br><br>
## Bases <span style="color: green;">[Easy]</span>
### Challenge description
What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.
### Solution
The string looks like a <b>Base64</b>-encoded string, so we decode it:
<img src='https://hackmd.io/_uploads/ByTjgA35A.png' style="width: 50%" />
### Summary
Fundamental Base64 concept.
<br>Flag: `picoCTF{l3arn_th3_r0p35}`
<br><br>
## Warmed Up <span style="color: green;">[Easy]</span>
### Challenge description
What is 0x3D (base 16) in decimal (base 10)?
### Solution
The answer is `3 * 16 + 13 = 61` (D is 13 in hex).
### Summary
Fundamental hexadecimal concept.
<br>Flag: `picoCTF{61}`
<br><br>
## strings it <span style="color: green;">[Easy]</span>
### Challenge description
Can you find the <a href='https://jupiter.challenges.picoctf.org/static/fae9ac5267cd6e44124e559b901df177/strings'>flag</a> in file without running it?
### Solution
Use the `strings` command along with `grep` to get the flag:
<img src='https://hackmd.io/_uploads/H1YTXCn9R.png' style="width: 50%" />
### Summary
Fundamental command usage.
<br>Flag: `picoCTF{5tRIng5_1T_7f766a23}`
<br><br>
## what's a net cat? <span style="color: green;">[Easy]</span>
### Challenge description
Using netcat (nc) is going to be pretty important. Can you connect to jupiter.challenges.picoctf.org at port 41120 to get the flag?
### Solution
Just use the command `nc jupiter.challenges.picoctf.org 41120`
<img src='https://hackmd.io/_uploads/BJjiH0hqA.png' style="width: 50%" />
### Summary
Fundamental nc command usage.
<br>Flag: `picoCTF{nEtCat_Mast3ry_3214be47}`
<br><br>
## Lets Warm Up <span style="color: green;">[Easy]</span>
### Challenge description
If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?
### Solution
The hex 0x70 in ASCII is p.
### Summary
Fundamental hexadecimal and ASCII knowledge.
<br>Flag: `picoCTF{p}`
<br><br>
## 1_wanna_b3_a_r0ck5tar <span style="color: orange;">[Medium]</span>
### Challenge description
I wrote you another <a href='https://jupiter.challenges.picoctf.org/static/62f0cc3605aaf108a4f743b5b7f0dac4/lyrics.txt'>song</a>. Put the flag in the picoCTF{} flag format
### Solution
We get a `lyrics.txt` containing:
```txt
Rocknroll is right
Silence is wrong
A guitar is a six-string
Tommy's been down
Music is a billboard-burning razzmatazz!
Listen to the music
If the music is a guitar
Say "Keep on rocking!"
Listen to the rhythm
If the rhythm without Music is nothing
Tommy is rockin guitar
Shout Tommy!
Music is amazing sensation
Jamming is awesome presence
Scream Music!
Scream Jamming!
Tommy is playing rock
Scream Tommy!
They are dazzled audiences
Shout it!
Rock is electric heaven
Scream it!
Tommy is jukebox god
Say it!
Break it down
Shout "Bring on the rock!"
Else Whisper "That ain't it, Chief"
Break it down
```
It is written in the Rockstar language, in which each sentence represents a line of code. For example:
- `Rocknroll is right` -> `Rocknroll = True`
- `Listen to the music` -> `the_music = input()`
- `If the music is a guitar` -> `if the_music == a_guitar:`
- `Shout Tommy!` -> `print(Tommy)`
- `If the rhythm without Music is nothing` -> `if rhythm - Music == false:`
So we can add a line (`Shout A guitar`) after `A guitar is a six-string` to print the value before the program asks for input.

We get 136.
Next we are asked for another input; in the same way, add a line `Shout Music` before `Listen to the rhythm`:

It is 1970. So we restart the program, enter these two numbers, and get the result, which is also the flag:

Converting those numbers to ASCII characters gives `BONJOVI`.
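As an added example (not part of the original writeup or of the Rockstar project), here is a minimal Python model of the two statement kinds translated above: poetic number assignments and Shout/Scream/Say output. It does not model the If/Listen control flow; instead it reads off what each `Listen to` prompt must receive (136 and 1970) from the `If` line that follows it, and converts the shouted numbers to ASCII. Treating each hyphenated part of a poetic literal as its own digit is an assumption chosen to match the 136 observed above.

```python
import re

# Constructed sample input: the challenge's lyrics.txt exactly as quoted above.
LYRICS = """Rocknroll is right
Silence is wrong
A guitar is a six-string
Tommy's been down
Music is a billboard-burning razzmatazz!
Listen to the music
If the music is a guitar
Say "Keep on rocking!"
Listen to the rhythm
If the rhythm without Music is nothing
Tommy is rockin guitar
Shout Tommy!
Music is amazing sensation
Jamming is awesome presence
Scream Music!
Scream Jamming!
Tommy is playing rock
Scream Tommy!
They are dazzled audiences
Shout it!
Rock is electric heaven
Scream it!
Tommy is jukebox god
Say it!
Break it down
Shout "Bring on the rock!"
Else Whisper "That ain't it, Chief"
Break it down"""

# Rockstar pronouns refer to the most recently named variable.
PRONOUNS = {"it", "he", "she", "him", "her", "they", "them"}
OUTPUT_VERBS = ("shout ", "scream ", "say ", "whisper ")
ASSIGN_RE = re.compile(r"^(.+?)\s+(?:is|are|was|were)\s+(.+)$", re.IGNORECASE)
IF_RE = re.compile(r"^if\s+(.+?)\s+(?:without\s+(.+?)\s+)?is\s+(.+)$", re.IGNORECASE)


def poetic_number(words: str) -> int:
    """Poetic number literal: each word contributes (letter count mod 10) as one digit.
    Assumption: hyphenated parts count separately ('a six-string' -> 1,3,6 -> 136)."""
    digits = []
    for part in re.split(r"[\s-]+", words.strip()):
        letters = re.sub(r"[^A-Za-z]", "", part)  # ignore punctuation such as '!'
        if letters:
            digits.append(str(len(letters) % 10))
    return int("".join(digits))


def literal(text: str):
    """Boolean keywords ('right', 'wrong', ...) or a poetic number."""
    word = text.strip().lower()
    if word in ("true", "right", "yes", "ok"):
        return True
    if word in ("false", "wrong", "no", "lies"):
        return False
    return poetic_number(text)


def run(lyrics: str):
    """Return (outputs, expected_inputs) for the straight-line path of the program.
    If/Else/Break lines are skipped; for each 'Listen to' the next 'If' tells us
    which variable the input is compared with, i.e. the value we must type."""
    env, last_var, outputs, expected_inputs = {}, None, [], []
    lines = [ln.strip() for ln in lyrics.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        low = line.lower()
        if low.startswith("listen to "):
            m = IF_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if m:
                compared = (m.group(2) or m.group(3)).lower()
                expected_inputs.append(env[compared])
            continue
        if low.startswith(("if ", "else", "break")):
            continue
        if low.startswith(OUTPUT_VERBS):
            arg = line.split(None, 1)[1].strip().rstrip("!").strip()
            if arg.startswith('"') and arg.endswith('"'):
                outputs.append(arg[1:-1])  # string literal
            else:
                name = last_var if arg.lower() in PRONOUNS else arg.lower()
                last_var = name
                outputs.append(str(env[name]))  # Rockstar prints the number itself
            continue
        m = ASSIGN_RE.match(line)
        if m:
            lhs, rhs = m.group(1), m.group(2)
            name = last_var if lhs.lower() in PRONOUNS else lhs.lower()
            env[name] = literal(rhs)
            last_var = name
    return outputs, expected_inputs


def flag_from_outputs(outputs) -> str:
    """The writeup's last step: read each shouted number as an ASCII code."""
    return "".join(chr(int(o)) for o in outputs if o.isdigit())
```

`run(LYRICS)` returns the inputs to type (`[136, 1970]`) together with the program's outputs, and `flag_from_outputs` turns the numeric ones into `BONJOVI`.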
### Summary
Understand basic Rockstar language concepts and transpile it to Python.
<br>Flag: `picoCTF{BONJOVI}`
<br><br>
## flag_shop <span style="color: orange;">[Medium]</span>
### Challenge description
There's a flag shop selling stuff, can you buy a flag? <a href='https://jupiter.challenges.picoctf.org/static/253c4651d852ac6342752ff222cf2a83/store.c'>Source</a>. Connect with nc jupiter.challenges.picoctf.org 9745.
### Solution
From the `.c` source we notice that our initial balance is 1000, which is not enough for the 1337 flag (the one we want). Instead, we can only buy the type 1 flag (see the result below):
<img src='https://hackmd.io/_uploads/HJCiz8JsR.png' style="width: 30%" /> <img src='https://hackmd.io/_uploads/ByGk78ks0.png' style="width: 55%" />
Taking a closer look, there does not seem to be any (normal) way to increase our `balance`. But notice that whenever we buy type 1 flags, the program checks whether `amount * 900` is smaller than `balance` (i.e. whether we have enough money):
<img src='https://hackmd.io/_uploads/SyaCQ8ksA.png' style="width: 90%" />
We can see that `total_cost` is an `int`; a signed 32-bit `int` overflows above `2147483647`, so a product larger than that wraps around to a negative number.
The condition
"<font color="aqua">if `total_cost` is greater than `2147483647`</font>"
is equivalent to
"<font color="aqua">if `number_flags` is greater than `2386092.94111`</font>",
since `900 * number_flags = total_cost`.
So we enter a number of flags of at least 2386093 to make `total_cost` overflow to a negative value. However, with that number our balance ends up very small, because `total_cost` only just became negative:
<img src='https://hackmd.io/_uploads/BJHfLU1sC.png' style="width: 70%" />
So what we actually do is enter a number a little larger than that:
<img src='https://hackmd.io/_uploads/rJCGtLyiC.png' style="width: 70%" />
And we can buy the real flag:
<img src='https://hackmd.io/_uploads/BkXBK81iA.png' style="width: 70%" />
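To make the arithmetic above concrete, here is an added Python model (not the challenge's `store.c`, whose exact code this writeup does not reproduce) of the type 1 purchase as described, beside a hardened version. `to_int32` mimics C's signed 32-bit `int`; the form of the check, `total_cost <= balance`, is an assumption.

```python
INT_MAX = 2_147_483_647   # largest value of a C signed 32-bit int
FLAG_PRICE = 900          # price of one type 1 flag, from store.c
START_BALANCE = 1000      # initial balance, from store.c


def to_int32(value: int) -> int:
    """Wrap an arbitrary-precision Python int the way C's signed 32-bit int wraps."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value > INT_MAX else value


def smallest_overflowing_amount() -> int:
    """First quantity for which FLAG_PRICE * n no longer fits in an int (2386093)."""
    return INT_MAX // FLAG_PRICE + 1


def buy_vulnerable(balance: int, number_flags: int):
    """Purchase as the writeup describes store.c: the product is computed in a 32-bit
    int, so a large quantity wraps to a negative total_cost that passes the balance
    check and is then subtracted, inflating the balance. Returns (accepted, new_balance)."""
    total_cost = to_int32(FLAG_PRICE * number_flags)
    if total_cost <= balance:  # assumed form of the check in store.c
        return True, to_int32(balance - total_cost)
    return False, balance


def buy_hardened(balance: int, number_flags: int):
    """Fixed version: bound the quantity before multiplying, so total_cost can
    neither overflow nor go negative, then compare with the balance."""
    if number_flags <= 0 or number_flags > INT_MAX // FLAG_PRICE:
        return False, balance
    total_cost = FLAG_PRICE * number_flags  # guaranteed <= INT_MAX here
    if total_cost > balance:
        return False, balance
    return True, balance - total_cost


def sweep(start: int = START_BALANCE, width: int = 4):
    """Vulnerable outcome for the first few overflowing quantities: right at the
    threshold the new balance itself overflows and goes negative (what the
    writeup saw), two steps later it is a huge positive number."""
    n0 = smallest_overflowing_amount()
    return {n: buy_vulnerable(start, n) for n in range(n0, n0 + width)}
```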
### Summary
The closer the number we enter is to 2386093, the larger our final balance will be.
<br>Flag: `picoCTF{m0n3y_bag5_65d67a74}`
<br><br>
## plumbing <span style="color: orange;">[Medium]</span>
### Challenge description
Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to jupiter.challenges.picoctf.org 4427.
### Solution
When we connect to the target using `nc`, we get a bunch of trash data like so:
<img src='https://hackmd.io/_uploads/S1IVeu1s0.png' style="width: 50%" />
The flag is somewhere in this output, but we don't know where. So we pipe the output into `grep`:

### Summary
Fundamental pipe and grep usage.
<br>Flag: `picoCTF{digital_plumb3r_5ea1fbd7}`
<br><br>
## Based <span style="color: orange;">[Medium]</span>
### Challenge description
To get truly 1337, you must understand different data encodings, such as hexadecimal or binary. Can you get the flag from this program to prove you are on the way to becoming 1337? Connect with nc jupiter.challenges.picoctf.org 29956.
### Solution
In this challenge we get three questions and must answer them within 45 seconds.
The questions are:
1. Binary to text
2. Octal to text
3. Hex to text
So before connecting to the target, open these websites to help:
https://www.rapidtables.com/convert/number/binary-to-ascii.html
http://www.unit-conversion.info/texttools/octal/
https://www.rapidtables.com/convert/number/hex-to-ascii.html

The questions change every time, so you need to do the conversions yourself.
### Summary
Fundamental number base concept.
<br>Flag: `picoCTF{learning_about_converting_values_b375bb16}`
<br><br>
## mus1c <span style="color: orange;">[Medium]</span>
### Challenge description
I wrote you a <a href='https://jupiter.challenges.picoctf.org/static/0e21e3ca94779f56b122296424e879f8/lyrics.txt'>song</a>. Put it in the picoCTF{} flag format.
### Solution
Run it on <a href='https://web.archive.org/web/20190522020843/https://codewithrockstar.com/online'>this website</a> to get the ASCII codes; the decoded plain text is the flag:

### Summary
Run the Rockstar program online and convert its output to ASCII.
<br>Flag: `picoCTF{rrrocknrn0113r}`
<br><br>
# Web Exploitation
## dont-use-client-side <span style="color: green;">[Easy]</span>
### Challenge description
Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/17682/ (link) or http://jupiter.challenges.picoctf.org:17682
### Solution
Looking at the page source, we see that the flag is placed right there without any protection.
<img src='https://hackmd.io/_uploads/BJO7HxSqC.png' style="width: 50%" />
### Summary
Fundamental source code searching.
<br>Flag: `picoCTF{no_clients_plz_b706c5}`
<br><br>
## logon <span style="color: green;">[Easy]</span>
### Challenge description
The factory is hiding things from all of its users. Can you login as Joe and find what they've been looking at? https://jupiter.challenges.picoctf.org/problem/44573/ (link) or http://jupiter.challenges.picoctf.org:44573
### Solution
Looking at the site and trying to log in as different users, any name other than Joe gives the message: <b>Success: You logged in! Not sure you'll be able to see the flag though.</b> However, looking at the cookies we find something valuable: the site seems to use an 'admin' cookie to check whether the user is an admin:

So we can change the value and reload the page:

### Summary
Fundamental cookie concepts are enough. Always check whether there are cookies that can be used.
<br>Flag: `picoCTF{th3_c0nsp1r4cy_l1v3s_0c98aacc}`
<br><br>
## Insp3ct0r <span style="color: green;">[Easy]</span>
### Challenge description
Kishor Balan tipped us off that the following code may need inspection: https://jupiter.challenges.picoctf.org/problem/9670/ (link) or http://jupiter.challenges.picoctf.org:9670
### Solution
Right-click on the page and view the page source to get the first part of the flag:
<img src='https://hackmd.io/_uploads/BkF_I6H5A.png' style="width: 70%" />
There are two other files, `mycss.css` and `myjs.js`. Inspecting `mycss.css` gives the second part of the flag:
<img src='https://hackmd.io/_uploads/S14nI6rcC.png' style="width: 70%" />
Inspecting the other source file (`myjs.js`) gives the third part of the flag:

### Summary
Fundamental source code inspecting concept.
<br>Flag: `picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?2e7b23e3}`
<br><br>
## where are the robots <span style="color: green;">[Easy]</span>
### Challenge description
Can you find the robots? https://jupiter.challenges.picoctf.org/problem/56830/ (link) or http://jupiter.challenges.picoctf.org:56830
### Solution
The name hints that something is hiding in `robots.txt`. Navigating to it we get the following:
<img src='https://hackmd.io/_uploads/rkDtD6B9R.png' style="width: 30%" />
A hidden route is listed; navigating to it gives the flag:
<img src='https://hackmd.io/_uploads/BJxWu6B9A.png' style="width: 50%" />
### Summary
Fundamental robots.txt knowledge.
<br>Flag: `picoCTF{ca1cu1at1ng_Mach1n3s_1bb4c}`
<br><br>
## Irish-Name-Repo 1 <span style="color: orange;">[Medium]</span>
### Challenge description
here is a website running at https://jupiter.challenges.picoctf.org/problem/39720/ (link) or http://jupiter.challenges.picoctf.org:39720. Do you think you can log us in? Try to see if you can login!
### Solution
In the sidebar there is an admin login page. Navigating to it and trying to log in as admin with a random password gives only 'Login failed.' and nothing special. Then I guessed it might be vulnerable to SQL injection, so I used the credentials:
Username: <b>admin'; -\-</b>
Password: <b>123</b>
This is what I get:
<img src='https://hackmd.io/_uploads/SkKRjpBqR.png' style="width: 50%" />
### Summary
Fundamental SQL injection concept.
<br>Flag: `picoCTF{s0m3_SQL_c218b685}`
<br><br>
## Irish-Name-Repo 2 <span style="color: orange;">[Medium]</span>
### Challenge description
here is a website running at https://jupiter.challenges.picoctf.org/problem/52849/ (link). Someone has bypassed the login before, and now it's being strengthened. Try to see if you can still login! or http://jupiter.challenges.picoctf.org:52849
### Solution
I did this challenge the same way as the last one, and the SQL injection still works. It doesn't matter how the challenge is solved as long as we get the flag.
### Summary
SQL injection again.
<br>Flag: `picoCTF{m0R3_SQL_plz_fa983901}`
<br><br>
## Irish-Name-Repo 3 <span style="color: orange;">[Medium]</span>
### Challenge description
There is a secure website running at https://jupiter.challenges.picoctf.org/problem/29132/ (link) or http://jupiter.challenges.picoctf.org:29132. Try to see if you can login as admin!
### Solution
This time there is only a password field to log in with, so the previous SQL injection no longer works. Viewing the page source, there is a debug `div` that makes the response include the query sent with the request if we set its value to 1:

<img src='https://hackmd.io/_uploads/S1fPZJL5R.png' style="width: 70%" />
Then we can try a UNION injection, using a password like `' UNION SELECT * FROM admin; --`:

Notice that the part of our input outside the quotation marks has been transformed in the echoed query. I then asked ChatGPT to help find the relationship between the two payloads and found that it is ROT13. So all we need to do is use the transformed version shown in the result as the password:

### Summary
Never miss any possible information; focus on the source code if you think something valuable might be hidden in it.
<br>Flag: `picoCTF{3v3n_m0r3_SQL_06a9db19}`
<br><br>
## Client-side-again <span style="color: orange;">[Medium]</span>
### Challenge description
Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/60786/ (link) or http://jupiter.challenges.picoctf.org:60786
### Solution
There's a script in the page source. Since it is pretty clear how the pieces of the flag are rearranged, I just combined them to get the flag:

### Summary
Fundamental source code inspecting.
<br>Flag: `picoCTF{not_this_again_ef49bf}`
<br><br>
## picobrowser <span style="color: orange;">[Medium]</span>
### Challenge description
This website can be rendered only by picobrowser, go and catch the flag! https://jupiter.challenges.picoctf.org/problem/28921/ (link) or http://jupiter.challenges.picoctf.org:28921
### Solution
Looking at the source code, we see that if we send a request to get the flag, it tells us that we are not picobrowser.

What this actually means is that it checks the request headers to see whether the client is picobrowser. So we open Burp Suite, start the intercept, open the browser and repeat what we did earlier:

When we hit the green 'Flag' button, Burp immediately catches the request and shows it on the Proxy page. We can adjust the User-Agent here:

After changing `Mozilla...` to `picobrowser`, click Forward to send the request and go back to the browser to see the result.
<img src='https://hackmd.io/_uploads/SyrzukU90.png' style="width: 50%" />
### Summary
Fundamental concepts of HTTP requests and how to use the Burp Suite proxy (optional, but it is always best to know as many tools as possible).
<br>Flag: `picoCTF{p1c0_s3cr3t_ag3nt_84f9c865}`
<br><br>
## JaWT Scratchpad <span style="color: orange;">[Medium]</span>
### Challenge description
Check the admin scratchpad! https://jupiter.challenges.picoctf.org/problem/61864/ or http://jupiter.challenges.picoctf.org:61864
### Solution
Trying to log in as the admin user gives the following result:
<img src='https://hackmd.io/_uploads/SyvUJgI9R.png' style="width: 50%" />
Then I tried to log in as another user and look for useful information, and found a JWT among the cookies:

Decoding it gives the following information:

We need to change the user to "admin", but one part is still unknown: the secret key. So we write the token to a text file and try to crack it with John the Ripper using the following command:
`john YOUR_JWT.txt --format=HMAC-SHA256 --wordlist=/PATH/TO/rockyou.txt`

Back on the encoding page, we set the secret and put the resulting token in the cookie. Then reload the page and the flag is in the scratchpad:


### Summary
JWTs are a commonly used way to verify a user's identity, and knowing how they work is the core of this challenge. Besides, we need to know John the Ripper (or similar tools like hashcat); we need them to crack the secret so we can rebuild the JWT correctly.
<br>Flag: `picoCTF{jawt_was_just_what_you_thought_1ca14548}`
<br><br>
<!--## Java Script Kiddie(wip) <span style="color: red;">[Hard]</span>
### Challenge description
The image link appears broken... https://jupiter.challenges.picoctf.org/problem/17205 or http://jupiter.challenges.picoctf.org:17205
### Solution
{Challenge_Solution}
### Summary
{Challenge_Summary}
Flag: `{Challenge_Flag}`
<br><br>-->
# Cryptography
## The Numbers <span style="color: green;">[Easy]</span>
### Challenge description
The <a href='https://jupiter.challenges.picoctf.org/static/f209a32253affb6f547a585649ba4fda/the_numbers.png'>numbers</a>... what do they mean?
### Solution
Each number is the position of a letter in the alphabet.
Use the following code to recover the original text, then add the curly brackets manually to get the flag:
```python
alphabets = 'abcdefghijklmnopqrstuvwxyz'
index = [16, 9, 3, 15, 3, 20, 6, 20, 8, 5, 14, 21, 13, 2, 5, 18, 19, 13, 1, 19, 15, 14]
# The numbers are 1-based positions, hence the i-1
for i in index:
    print(alphabets[i-1], end='')
```
### Summary
The flag is case-insensitive.
<br>Flag: `picoCTF{thenumbersmason}`
<br><br>
## 13 <span style="color: green;">[Easy]</span>
### Challenge description
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
### Solution
It is obviously ROT13; use an online tool to get the flag.
### Summary
Fundamental ROT13 concept.
<br>Flag: `picoCTF{not_too_bad_of_a_problem}`
<br><br>
## caesar <span style="color: orange;">[Medium]</span>
### Challenge description
Decrypt this <a href='https://jupiter.challenges.picoctf.org/static/7d707a443e95054dc4cf30b1d9522ef0/ciphertext'>message</a>.
### Solution
Downloading the ciphertext file, it contains the flag encrypted with a Caesar cipher: `picoCTF{gvswwmrkxlivyfmgsrhnrisegl}`.
Decrypting `gvswwmrkxlivyfmgsrhnrisegl` with each possible Caesar offset, the most plausible result, at offset 22, is the one that splits into a sentence: `crossingtherubicondjneoach` (Crossing the rubic on DJ Neoach). Submitting it in the picoCTF{} format confirms it is the flag.
### Summary
Fundamental Caesar cipher concept.
<br>Flag: `picoCTF{crossingtherubicondjneoach}`
<br><br>
## Easy1 <span style="color: orange;">[Medium]</span>
### Challenge description
The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We've given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this <a href='https://jupiter.challenges.picoctf.org/static/1fd21547c154c678d2dab145c29f1d79/table.txt'>table</a> to solve it?.
### Solution
We get a table like the one below (it is a Vigenère cipher); looking up the two strings on the x and y axes gives the flag.
```txt
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
<...SNIP...>
```
The result is `CRYPTOISFUN`.
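Added example (not from the original writeup) covering the three classical-cipher challenges above, 13, caesar and Easy1: a Caesar shift that keeps case and passes non-letters through (ROT13 is the shift-13 case), a brute force over all 26 offsets, and a Vigenère decryption done by looking up the tabula recta from Easy1 exactly as it is done by hand above. The ciphertexts are the ones quoted on this page; the Vigenère routine assumes letters-only input.

```python
import string

ALPHA = string.ascii_uppercase


def caesar_shift(text: str, offset: int) -> str:
    """Shift letters forward by offset (mod 26), keeping case and leaving other characters alone.
    Undoing a Caesar cipher with key k is a shift by 26 - k; ROT13 is its own inverse."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + offset) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> dict:
    """All 26 possible plaintexts keyed by offset; the analyst picks the one that reads as words."""
    return {k: caesar_shift(ciphertext, k) for k in range(26)}


def tabula_recta() -> dict:
    """The table from Easy1: row R holds the alphabet rotated left so that it starts with R."""
    return {row: ALPHA[i:] + ALPHA[:i] for i, row in enumerate(ALPHA)}


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """For each ciphertext letter, find it in the row of the current key letter;
    the column header (the plain alphabet) is the plaintext letter."""
    table = tabula_recta()
    plain = []
    for i, ch in enumerate(ciphertext.upper()):
        row = table[key[i % len(key)].upper()]
        plain.append(ALPHA[row.index(ch)])
    return "".join(plain)
```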
### Summary
Fundamental knowledge of the Vigenère cipher.
<br>Flag: `picoCTF{CRYPTOISFUN}`
<br><br>
## Mr-Worldwide <span style="color: orange;">[Medium]</span>
### Challenge description
A musician left us a <a href='https://jupiter.challenges.picoctf.org/static/d5570d48262dbba2a31f2a940409ad9d/message.txt'>message</a>. What's it mean?
### Solution
The given information is a list of latitude/longitude pairs, and since there are so many of them, the flag is probably the first letter of each location's name:
```
picoCTF{(35.028309, 135.753082)(46.469391, 30.740883)(39.758949, -84.191605)(41.015137, 28.979530)(24.466667, 54.366669)(3.140853, 101.693207)_(9.005401, 38.763611)(-3.989038, -79.203560)(52.377956, 4.897070)(41.085651, -73.858467)(57.790001, -152.407227)(31.205753, 29.924526)}
```
The result is KODIAK_ALASKA, a town in America.
### Summary
Fundamental geography knowledge.
<br>Flag: `picoCTF{KODIAK_ALASKA}`
<br><br>
## waves over lambda <span style="color: orange;">[Medium]</span>
### Challenge description
We made a lot of substitutions to encrypt this. Can you decrypt it? Connect with nc jupiter.challenges.picoctf.org 39894.
### Solution
Using an online substitution cipher solver we get the following message:
```
-------------------------------------------------------------------------------
congrats here is your flag - frequency_is_c_over_lambda_agflcgtyue
-------------------------------------------------------------------------------
between us there was, as i have already said somewhere, the bond of the sea. besides holding our hearts together through long periods of separation, it had the effect of making us tolerant of each other's yarnsand even convictions. the lawyerthe best of old fellowshad, because of his many years and many virtues, the only cushion on deck, and was lying on the only rug. the accountant had brought out already a box of dominoes, and was toying architecturally with the bones. marlow sat cross-legged right aft, leaning against the mizzen-mast. he had sunken cheeks, a yellow complexion, a straight back, an ascetic aspect, and, with his arms dropped, the palms of hands outwards, resembled an idol. the director, satisfied the anchor had good hold, made his way aft and sat down amongst us. we exchanged a few words lazily. afterwards there was silence on board the yacht. for some reason or other we did not begin that game of dominoes. we felt meditative, and fit for nothing but placid staring. the day was ending in a serenity of still and exquisite brilliance. the water shone pacifically; the sky, without a speck, was a benign immensity of unstained light; the very mist on the essex marsh was like a gauzy and radiant fabric, hung from the wooded rises inland, and draping the low shores in diaphanous folds. only the gloom to the west, brooding over the upper reaches, became more sombre every minute, as if angered by the approach of the sun.
```
### Summary
Fundamental substitution tool usage.
<br>Flag: `frequency_is_c_over_lambda_agflcgtyue`
<br><br>
## Flags <span style="color: orange;">[Medium]</span>
### Challenge description
What do the <a href='https://jupiter.challenges.picoctf.org/static/fbeb5f9040d62b18878d199cdda2d253/flag.png'>flags</a> mean?
### Solution
When I got the PNG file, I first used binwalk to check whether anything was hidden in it:

Extracting it turned up nothing special. Back to the image: the biggest hint is the flag format. We know the flag starts with `picoCTF{`, so we can recover part of the flag from that prefix:

Known flag so far: `picoCTF{F????????T?FF}`, but many parts are still missing. I googled 'flag letter' and found that the flag can be recovered using this wiki page: https://en.wikipedia.org/wiki/International_maritime_signal_flags
### Summary
Searching ability.
<br>Flag: `picoCTF{F1AG5AND5TUFF}`
<br><br>
## Tapping <span style="color: orange;">[Medium]</span>
### Challenge description
Theres tapping coming in from the wires. What's it saying nc jupiter.challenges.picoctf.org 48247.
### Solution
Connecting to the target with `nc` gives the following:
`.--. .. -.-. --- -.-. - ..-. { -- ----- .-. ... ...-- -.-. ----- -.. ...-- .---- ... ..-. ..- -. .---- ..--- -.... .---- ....- ...-- ---.. .---- ---.. .---- }`
Obviously Morse code. Decode it with an online tool.
### Summary
Fundamental Morse code.
<br>Flag: `picoCTF{M0RS3C0D31SFUN1261438181}`
<br><br>
## john_pollard <span style="color: orange;">[Medium]</span>
### Challenge description
Sometimes RSA <a href='https://jupiter.challenges.picoctf.org/static/c882787a19ed5d627eea50f318d87ac5/cert'>certificates</a> are breakable
### Solution
Downloading the file gives `cert`. `file cert` shows it is a PEM certificate, so we can use the following command to dump its contents:
`openssl x509 -in cert -text -noout`

Use an online tool to get p and q:
https://factordb.com/index.php?query=4966306421059967
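The challenge name points at the method that factors numbers of this size in milliseconds. As an added example (not part of the original writeup), here is Pollard's rho in Python applied to the modulus from the factordb link above, a primality check on the result, and the check a defender actually wants to run on a certificate: the modulus bit length, which at 53 bits is hopelessly short of the 2048 bits expected today.

```python
import math

# The RSA modulus from the certificate, as shown in the factordb query above.
N = 4966306421059967
MIN_SAFE_MODULUS_BITS = 2048


def pollard_rho(n: int, c: int = 1, x0: int = 2):
    """Pollard's rho with Floyd cycle detection and f(x) = x^2 + c mod n.
    Returns a non-trivial factor, or None if this (c, x0) choice degenerates."""
    if n % 2 == 0:
        return 2
    f = lambda v: (v * v + c) % n
    x = y = x0
    d = 1
    while d == 1:
        x = f(x)          # tortoise: one step
        y = f(f(y))       # hare: two steps
        d = math.gcd(abs(x - y), n)
    return None if d == n else d


def factor_semiprime(n: int) -> tuple:
    """Split an RSA modulus into (p, q), retrying rho with new constants on failure."""
    for c in range(1, 50):
        d = pollard_rho(n, c)
        if d is not None:
            return tuple(sorted((d, n // d)))
    raise ValueError("rho did not find a factor; try more constants or another method")


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve prime bases, deterministic for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modulus_is_weak(n: int) -> bool:
    """What to check on any certificate you accept: a short modulus is factorable."""
    return n.bit_length() < MIN_SAFE_MODULUS_BITS
```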

### Summary
RSA is breakable if the modulus is small; we can use tools to find the factors.
<br>Flag: `picoCTF{73176001,67867967}`
<br><br>
## la cifra de <span style="color: orange;">[Medium]</span>
### Challenge description
I found this cipher in an old book. Can you figure out what it says? Connect with nc jupiter.challenges.picoctf.org 5726.
### Solution
This is what we get when connecting to the target with `nc`:
```
Ne iy nytkwpsznyg nth it mtsztcy vjzprj zfzjy rkhpibj nrkitt ltc tnnygy ysee itd tte cxjltk
Ifrosr tnj noawde uk siyyzre, yse Bnretèwp Cousex mls hjpn xjtnbjytki xatd eisjd
Iz bls lfwskqj azycihzeej yz Brftsk ip Volpnèxj ls oy hay tcimnyarqj dkxnrogpd os 1553 my Mnzvgs Mazytszf Merqlsu ny hox moup Wa inqrg ipl. Ynr. Gotgat Gltzndtg Gplrfdo
Ltc tnj tmvqpmkseaznzn uk ehox nivmpr g ylbrj ts ltcmki my yqtdosr tnj wocjc hgqq ol fy oxitngwj arusahje fuw ln guaaxjytrd catizm tzxbkw zf vqlckx hizm ceyupcz yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3x6kp60egf}
Ehk ktryy herq-ooizxetypd jjdcxnatoty ol f aordllvmlbkytc inahkw socjgex, bls sfoe gwzuti 1467 my Rjzn Hfetoxea Gqmexyt.
Tnj Gimjyèrk Htpnjc iy ysexjqoxj dosjeisjd cgqwej yse Gqmexyt Doxn ox Fwbkwei Inahkw.
Tn 1508, Ptsatsps Zwttnjxiax tnbjytki ehk xz-cgqwej ylbaql rkhea (g rltxni ol xsilypd gqahggpty) ysaz bzuri wazjc bk f nroytcgq nosuznkse ol yse Bnretèwp Cousex.
Gplrfdo’y xpcuso butvlky lpvjlrki tn 1555 gx l cuseitzltoty ol yse lncsz. Yse rthex mllbjd ol yse gqahggpty fce tth snnqtki cemzwaxqj, bay ehk fwpnfmezx lnj yse osoed qptzjcs gwp mocpd hd xegsd ol f xnkrznoh vee usrgxp, wnnnh ify bk itfljcety hizm paim noxwpsvtydkse.
```
I did not know which cipher it was using, but after searching and reading other writeups, I noticed it can be solved with an online Vigenère solver:
https://www.guballa.de/vigenere-solver
### Summary
If we don't know the exact form of the cipher, try every method we know to recover the plaintext.
<br>Flag: `picoCTF{b311a50_0r_v1gn3r3_c1ph3r6fe60eaa}`
<br><br>
# Reverse Engineering
## vault-door-training <span style="color: green;">[Easy]</span>
### Challenge description
Your mission is to enter Dr. Evil's laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault's computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: <a href='https://jupiter.challenges.picoctf.org/static/03c960ddcc761e6f7d1722d8e6212db3/VaultDoorTraining.java'>VaultDoorTraining.java</a>
### Solution
We get Java code, and we can see that it compares the password with `w4rm1ng_Up_w1tH_jAv4_3808d338b46`, so the flag is easy to get.
```java
import java.util.*;

class VaultDoorTraining {
    public static void main(String args[]) {
        VaultDoorTraining vaultDoor = new VaultDoorTraining();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // The password is below. Is it safe to put the password in the source code?
    // What if somebody stole our source code? Then they would know what our
    // password is. Hmm... I will think of some ways to improve the security
    // on the other doors.
    //
    // -Minion #9567
    public boolean checkPassword(String password) {
        return password.equals("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
    }
}
```
### Summary
Fundamental Java code reading.
<br>Flag: `picoCTF{w4rm1ng_Up_w1tH_jAv4_3808d338b46}`
<br><br>
## vault-door-1 <span style="color: orange;">[Medium]</span>
### Challenge description
This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: <a href='https://jupiter.challenges.picoctf.org/static/87e103a8db01087de9ccf5a7a022ddf8/VaultDoor1.java'>VaultDoor1.java</a>
### Solution
As in the previous one, we get a Java file:
```java
import java.util.*;

class VaultDoor1 {
    public static void main(String args[]) {
        VaultDoor1 vaultDoor = new VaultDoor1();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // I came up with a more secure way to check the password without putting
    // the password itself in the source code. I think this is going to be
    // UNHACKABLE!! I hope Dr. Evil agrees...
    //
    // -Minion #8728
    public boolean checkPassword(String password) {
        return password.length() == 32 &&
               password.charAt(0)  == 'd' &&
               password.charAt(29) == 'a' &&
               password.charAt(4)  == 'r' &&
               password.charAt(2)  == '5' &&
               password.charAt(23) == 'r' &&
               password.charAt(3)  == 'c' &&
               password.charAt(17) == '4' &&
               password.charAt(1)  == '3' &&
               password.charAt(7)  == 'b' &&
               password.charAt(10) == '_' &&
               password.charAt(5)  == '4' &&
               password.charAt(9)  == '3' &&
               password.charAt(11) == 't' &&
               password.charAt(15) == 'c' &&
               password.charAt(8)  == 'l' &&
               password.charAt(12) == 'H' &&
               password.charAt(20) == 'c' &&
               password.charAt(14) == '_' &&
               password.charAt(6)  == 'm' &&
               password.charAt(24) == '5' &&
               password.charAt(18) == 'r' &&
               password.charAt(13) == '3' &&
               password.charAt(19) == '4' &&
               password.charAt(21) == 'T' &&
               password.charAt(16) == 'H' &&
               password.charAt(27) == '6' &&
               password.charAt(30) == 'f' &&
               password.charAt(25) == '_' &&
               password.charAt(22) == '3' &&
               password.charAt(28) == 'd' &&
               password.charAt(26) == 'f' &&
               password.charAt(31) == '4';
    }
}
```
We can see that the characters are checked out of order, but we can rewrite the code to place each one at its index and get the flag:
```java
import java.util.*;

class VaultDoor1 {
    public static void main(String args[]) {
        VaultDoor1 vaultDoor = new VaultDoor1();
        Scanner scanner = new Scanner(System.in);
        System.out.print(vaultDoor.checkPassword("123"));
    }

    // Same indices and characters as the original checks, written into an array
    public String checkPassword(String password) {
        char[] passwordArray = new char[32];
        passwordArray[0]  = 'd';
        passwordArray[29] = 'a';
        passwordArray[4]  = 'r';
        passwordArray[2]  = '5';
        passwordArray[23] = 'r';
        passwordArray[3]  = 'c';
        passwordArray[17] = '4';
        passwordArray[1]  = '3';
        passwordArray[7]  = 'b';
        passwordArray[10] = '_';
        passwordArray[5]  = '4';
        passwordArray[9]  = '3';
        passwordArray[11] = 't';
        passwordArray[15] = 'c';
        passwordArray[8]  = 'l';
        passwordArray[12] = 'H';
        passwordArray[20] = 'c';
        passwordArray[14] = '_';
        passwordArray[6]  = 'm';
        passwordArray[24] = '5';
        passwordArray[18] = 'r';
        passwordArray[13] = '3';
        passwordArray[19] = '4';
        passwordArray[21] = 'T';
        passwordArray[16] = 'H';
        passwordArray[27] = '6';
        passwordArray[30] = 'f';
        passwordArray[25] = '_';
        passwordArray[22] = '3';
        passwordArray[28] = 'd';
        passwordArray[26] = 'f';
        passwordArray[31] = '4';
        return new String(passwordArray);
    }
}
```
Get the password and put it in the picoCTF{} format.
### Summary
Fundamental Java coding.
<br>Flag: `picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_f6daf4}`
<br><br>
## vault-door-3 <span style="color: orange;">[Medium]</span>
### Challenge description
This vault uses for-loops and byte arrays. The source code for this vault is here: <a href='https://jupiter.challenges.picoctf.org/static/a4018cec1446761cb2e8cce05db925fa/VaultDoor3.java'>VaultDoor3.java</a>
### Solution
We get the following Java code:
```java
import java.util.*;

class VaultDoor3 {
    public static void main(String args[]) {
        VaultDoor3 vaultDoor = new VaultDoor3();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // Our security monitoring team has noticed some intrusions on some of the
    // less secure doors. Dr. Evil has asked me specifically to build a stronger
    // vault door to protect his Doomsday plans. I just *know* this door will
    // keep all of those nosy agents out of our business. Mwa ha!
    //
    // -Minion #2671
    public boolean checkPassword(String password) {
        if (password.length() != 32) {
            return false;
        }
        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        return s.equals("jU5t_a_sna_3lpm12g94c_u_4_m7ra41");
    }
}
```
We see that the first 8 chars of the buffer are copied from the password unchanged; for indices 8 to 15 the buffer takes the password char at index 23-i; for the even indices 16, 18, ..., 30 it takes the char at index 46-i; and for the odd indices 31, 29, ..., 17 it copies the char at the same index. Each loop is just an index permutation, so the check can be run backwards.
So, I wrote a Python script that applies the same loops in reverse to recover the password:
```python
s = "jU5t_a_sna_3lpm12g94c_u_4_m7ra41"   # the string checkPassword compares against
password = ['a'] * 32
# Each loop mirrors one loop of checkPassword with source and destination swapped.
for i in range(8):
    password[i] = s[i]
for i in range(8, 16):
    password[23 - i] = s[i]
for i in range(16, 32, 2):
    password[46 - i] = s[i]
for i in range(31, 16, -2):
    password[i] = s[i]
print("".join(password))
```
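The same inversion can be done without deriving any reverse loop by hand. The script below is an added example (not part of the original write-up): `scramble()` is a port of the buffer logic in `VaultDoor3.checkPassword`, and the permutation it induces is recovered by feeding it distinct marker characters and then inverted mechanically; the same trick works for any index-shuffling check, as long as it is a bijection.

```python
# Added example (not the write-up's script): treat the Java loops as a permutation
# of string positions and invert it mechanically, rather than hand-deriving each
# reverse loop. scramble() is a port of VaultDoor3.checkPassword's buffer logic.

def scramble(password: str) -> str:
    """Port of the four loops in VaultDoor3.checkPassword (32-char input)."""
    n = len(password)
    buffer = [""] * n
    for i in range(8):
        buffer[i] = password[i]
    for i in range(8, 16):
        buffer[i] = password[23 - i]
    for i in range(16, 32, 2):
        buffer[i] = password[46 - i]
    for i in range(31, 16, -2):
        buffer[i] = password[i]
    return "".join(buffer)

def permutation_of(f, n: int = 32) -> list[int]:
    """Feed f a string of n distinct marker characters; perm[j] is the input
    position that ends up at output position j."""
    markers = "".join(chr(0x100 + k) for k in range(n))
    return [ord(c) - 0x100 for c in f(markers)]

def unscramble(target: str, f=scramble) -> str:
    """Invert f: put target[j] back at the input position perm[j]."""
    n = len(target)
    perm = permutation_of(f, n)
    if sorted(perm) != list(range(n)):
        raise ValueError("f drops or duplicates positions, so it is not invertible")
    password = [""] * n
    for out_pos, in_pos in enumerate(perm):
        password[in_pos] = target[out_pos]
    return "".join(password)

if __name__ == "__main__":
    target = "jU5t_a_sna_3lpm12g94c_u_4_m7ra41"
    pw = unscramble(target)
    # Re-applying the forward scramble confirms the recovered password.
    print(pw, scramble(pw) == target)
```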
### Summary
Fundamental loop concept.
<br>Flag: `picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_c79a21}`
<br><br>
## vault-door-4 <span style="color: orange;">[Medium]</span>
### Challenge description
This vault uses ASCII encoding for the password. The source code for this vault is here: <a href='https://jupiter.challenges.picoctf.org/static/834acd392e0964a41f05790655a994b9/VaultDoor4.java'>VaultDoor4.java</a>
### Solution
We get the following Java code:
```java
import java.util.*;

class VaultDoor4 {
    public static void main(String args[]) {
        VaultDoor4 vaultDoor = new VaultDoor4();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // I made myself dizzy converting all of these numbers into different bases,
    // so I just *know* that this vault will be impenetrable. This will make Dr.
    // Evil like me better than all of the other minions--especially Minion
    // #5620--I just know it!
    //
    //  .:::.   .:::.
    // :::::::.:::::::
    // :::::::::::::::
    // ':::::::::::::'
    //   ':::::::::'
    //     ':::::'
    //       ':'
    // -Minion #7781
    public boolean checkPassword(String password) {
        byte[] passBytes = password.getBytes();
        byte[] myBytes = {
            106 , 85  , 53  , 116 , 95  , 52  , 95  , 98  ,
            0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
            0142, 0131, 0164, 063 , 0163, 0137, 0146, 064 ,
            'a' , '8' , 'c' , 'd' , '8' , 'f' , '7' , 'e' ,
        };
        for (int i=0; i<32; i++) {
            if (passBytes[i] != myBytes[i]) {
                return false;
            }
        }
        return true;
    }
}
```
It compares `myBytes` with the password after converting it to bytes. The first 8 elements of `myBytes` are decimal ASCII codes spelling `jU5t_4_b`, the next 8 are hex literals spelling `UnCh_0f_`, the 8 after that are octal literals (leading `0`) spelling `bYt3s_f4`, and the last 8 are plain char literals. Combining all 32 bytes gives the flag.
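Rather than converting each base by hand, the mixed-base initializer can be evaluated the way `javac` would. This is an added example, not code from the write-up; `JAVA_ARRAY` is the `myBytes` initializer copied from the source above, and char escapes such as `'\n'` are deliberately out of scope.

```python
import re

# Added example (not the write-up's code): evaluate the mixed-base Java byte-array
# initializer from VaultDoor4.java the way javac would. The array text is copied
# from the source above; char escapes like '\n' are out of scope here.
JAVA_ARRAY = """
    106 , 85 , 53 , 116 , 95 , 52 , 95 , 98 ,
    0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
    0142, 0131, 0164, 063 , 0163, 0137, 0146, 064 ,
    'a' , '8' , 'c' , 'd' , '8' , 'f' , '7' , 'e' ,
"""

def java_literal_to_int(tok: str) -> int:
    """One Java integral or char literal -> its numeric value."""
    tok = tok.strip()
    if len(tok) == 3 and tok[0] == tok[2] == "'":
        return ord(tok[1])              # 'a' -> 97
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)         # 0x55 -> 85
    if tok[:2].lower() == "0b":
        return int(tok[2:], 2)          # 0b101 -> 5
    if len(tok) > 1 and tok[0] == "0":
        return int(tok[1:], 8)          # 0142 -> 98: a leading 0 means octal in Java
    return int(tok, 10)                 # 106 -> 106

def decode_java_byte_array(src: str) -> bytes:
    """Split the initializer on commas and evaluate each literal."""
    tokens = [t for t in re.split(r"\s*,\s*", src.strip()) if t]
    values = [java_literal_to_int(t) for t in tokens]
    for v in values:
        if not -128 <= v <= 127:        # javac rejects these in a byte[] initializer
            raise ValueError(f"{v} does not fit in a Java byte")
    return bytes(v & 0xFF for v in values)

if __name__ == "__main__":
    print(decode_java_byte_array(JAVA_ARRAY).decode("ascii"))
```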
### Summary
Fundamental ASCII and hex concept.
<br>Flag: `picoCTF{jU5t_4_bUnCh_0f_bYt3s_f4a8cd8f7e}`
<br><br>
## vault-door-5 <span style="color: orange;">[Medium]</span>
### Challenge description
In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! The source code for this vault is here: <a href='https://jupiter.challenges.picoctf.org/static/9505cca05dc00fecead41106370ee619/VaultDoor5.java'>VaultDoor5.java</a>
### Solution
We get the following Java code:
```java
import java.net.URLDecoder;
import java.util.*;

class VaultDoor5 {
    public static void main(String args[]) {
        VaultDoor5 vaultDoor = new VaultDoor5();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // Minion #7781 used base 8 and base 16, but this is base 64, which is
    // like... eight times stronger, right? Riiigghtt? Well that's what my twin
    // brother Minion #2415 says, anyway.
    //
    // -Minion #2414
    public String base64Encode(byte[] input) {
        return Base64.getEncoder().encodeToString(input);
    }

    // URL encoding is meant for web pages, so any double agent spies who steal
    // our source code will think this is a web site or something, defintely not
    // vault door! Oh wait, should I have not said that in a source code
    // comment?
    //
    // -Minion #2415
    public String urlEncode(byte[] input) {
        StringBuffer buf = new StringBuffer();
        for (int i=0; i<input.length; i++) {
            buf.append(String.format("%%%2x", input[i]));
        }
        return buf.toString();
    }

    public boolean checkPassword(String password) {
        String urlEncoded = urlEncode(password.getBytes());
        String base64Encoded = base64Encode(urlEncoded.getBytes());
        String expected = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
                        + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
                        + "JTM0JTVmJTM4JTM0JTY2JTY0JTM1JTMwJTM5JTM1";
        return base64Encoded.equals(expected);
    }
}
```
We can see that in checkPassword our password first goes through urlEncode, which percent-encodes every byte as two hex digits, and the result is then Base64 encoded. So we Base64-decode the expected value and get the following:
`%63%30%6e%76%33%72%74%31%6e%67%5f%66%72%30%6d%5f%62%61%35%65%5f%36%34%5f%38%34%66%64%35%30%39%35`
Next, we just need to decode the percent-encoded hex bytes back to characters to get the password: `c0nv3rt1ng_fr0m_ba5e_64_84fd5095`
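Both layers can be undone in a few lines, and re-encoding the answer confirms it. The script below is an added example, not the write-up's code; `java_url_encode` and `java_check` are Python ports of the vault's `urlEncode` and `checkPassword`, and `EXPECTED` is copied from the source above. One caveat worth knowing: Java's `%2x` pads with a space, not a zero, so the door's encoder is not quite standard URL encoding for bytes below 0x10.

```python
import base64
from urllib.parse import unquote

# The expected string from VaultDoor5.checkPassword, copied from the source above.
EXPECTED = ("JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
            "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
            "JTM0JTVmJTM4JTM0JTY2JTY0JTM1JTMwJTM5JTM1")

def java_url_encode(data: bytes) -> str:
    """Port of the vault's urlEncode: String.format("%%%2x", b) for each byte.
    Caveat: %2x pads with a space rather than a zero, so a byte below 0x10
    would become e.g. '% a', which a real URL decoder rejects. Every byte of a
    printable password is >= 0x20, so the door never reaches that case."""
    return "".join("%%%2x" % b for b in data)

def java_check(password: str) -> bool:
    """Port of checkPassword: URL-encode, then Base64-encode, then compare."""
    encoded = base64.b64encode(java_url_encode(password.encode()).encode())
    return encoded.decode() == EXPECTED

def recover_password(expected_b64: str) -> str:
    """Undo the two layers in reverse order: Base64 first, then percent-decoding."""
    percent_encoded = base64.b64decode(expected_b64).decode()
    return unquote(percent_encoded)

if __name__ == "__main__":
    pw = recover_password(EXPECTED)
    print(pw, java_check(pw))
```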
### Summary
Fundamental Base64 and URL encoding concepts.
<br>Flag: `picoCTF{c0nv3rt1ng_fr0m_ba5e_64_84fd5095}`
<br><br>
## vault-door-6 <span style="color: orange;">[Medium]</span>
### Challenge description
This vault uses an XOR encryption scheme. The source code for this vault is here: <a href='https://jupiter.challenges.picoctf.org/static/86e94cc555b2ca7375424c884ef581a6/VaultDoor6.java'>VaultDoor6.java</a>
### Solution
We get the following Java code:
```java
import java.util.*;

class VaultDoor6 {
    public static void main(String args[]) {
        VaultDoor6 vaultDoor = new VaultDoor6();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // Dr. Evil gave me a book called Applied Cryptography by Bruce Schneier,
    // and I learned this really cool encryption system. This will be the
    // strongest vault door in Dr. Evil's entire evil volcano compound for sure!
    // Well, I didn't exactly read the *whole* book, but I'm sure there's
    // nothing important in the last 750 pages.
    //
    // -Minion #3091
    public boolean checkPassword(String password) {
        if (password.length() != 32) {
            return false;
        }
        byte[] passBytes = password.getBytes();
        byte[] myBytes = {
            0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
            0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
            0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
            0xa , 0x66, 0x36, 0x30, 0x67, 0x6c, 0x64, 0x6c,
        };
        for (int i=0; i<32; i++) {
            if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0) {
                return false;
            }
        }
        return true;
    }
}
```
We can see that it XORs each byte of our input with 0x55 and compares the result with `myBytes` (the subtraction is just an equality check). XOR is its own inverse, so XORing `myBytes` with 0x55 again gives back the original data. So we can easily write a Python script to get the original password:
```python
arr = [0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
       0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
       0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
       0xa , 0x66, 0x36, 0x30, 0x67, 0x6c, 0x64, 0x6c]
# XOR each byte with the same key again to undo the encryption.
for b in arr:
    print(chr(b ^ 0x55), end="")
print()
```
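The key 0x55 is right there in the source, but the script below, an added example that is not part of the write-up, shows why that hardly matters: with a single-byte XOR there are only 256 keys, and requiring every decoded byte to be a plausible password character singles out the right one. `CIPHER` is the `myBytes` table from the source above and `java_check` is a port of `checkPassword`.

```python
import string

# The myBytes table from VaultDoor6.java, as listed above.
CIPHER = bytes([0x3b, 0x65, 0x21, 0x0a, 0x38, 0x00, 0x36, 0x1d,
                0x0a, 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0x0a,
                0x21, 0x1d, 0x61, 0x3b, 0x0a, 0x2d, 0x65, 0x27,
                0x0a, 0x66, 0x36, 0x30, 0x67, 0x6c, 0x64, 0x6c])

# Characters a picoCTF inner password is made of (letters, digits, underscore).
PASSWORD_CHARS = set((string.ascii_letters + string.digits + "_").encode())

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice is the identity."""
    return bytes(b ^ key for b in data)

def candidate_keys(cipher: bytes) -> list[int]:
    """Every single-byte key under which all bytes decode to password chars.
    Only 256 keys exist, so a single-byte XOR offers no secrecy against anyone
    who knows roughly what the plaintext looks like."""
    return [k for k in range(256) if all(b ^ k in PASSWORD_CHARS for b in cipher)]

def recover(cipher: bytes) -> tuple[int, str]:
    """Return (key, plaintext) when exactly one key is plausible."""
    keys = candidate_keys(cipher)
    if len(keys) != 1:
        raise ValueError(f"expected one plausible key, got {[hex(k) for k in keys]}")
    return keys[0], xor_bytes(cipher, keys[0]).decode("ascii")

def java_check(password: str, cipher: bytes = CIPHER, key: int = 0x55) -> bool:
    """Port of checkPassword: (passBytes[i] ^ 0x55) - myBytes[i] == 0 for all i."""
    data = password.encode()
    return len(data) == 32 and all((p ^ key) - c == 0 for p, c in zip(data, cipher))

if __name__ == "__main__":
    key, pw = recover(CIPHER)
    print(f"key={key:#x} password={pw} check={java_check(pw)}")
```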
### Summary
Fundamental XOR concept.
<br>Flag: `picoCTF{n0t_mUcH_h4rD3r_tH4n_x0r_3ce2919}`
<br><br>
## asm1 <span style="color: orange;">[Medium]</span>
### Challenge description
What does asm1(0x8be) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. <a href='https://jupiter.challenges.picoctf.org/static/66c927e32f3d7be7a62d13a7c2250943/test.S'>Source</a>
### Solution
We get a .S file; we can cat it out and view it:
```
asm1:
<+0>: push ebp
<+1>: mov ebp,esp
<+3>: cmp DWORD PTR [ebp+0x8],0x71c
<+10>: jg 0x512 <asm1+37>
<+12>: cmp DWORD PTR [ebp+0x8],0x6cf
<+19>: jne 0x50a <asm1+29>
<+21>: mov eax,DWORD PTR [ebp+0x8]
<+24>: add eax,0x3
<+27>: jmp 0x529 <asm1+60>
<+29>: mov eax,DWORD PTR [ebp+0x8]
<+32>: sub eax,0x3
<+35>: jmp 0x529 <asm1+60>
<+37>: cmp DWORD PTR [ebp+0x8],0x8be
<+44>: jne 0x523 <asm1+54>
<+46>: mov eax,DWORD PTR [ebp+0x8]
<+49>: sub eax,0x3
<+52>: jmp 0x529 <asm1+60>
<+54>: mov eax,DWORD PTR [ebp+0x8]
<+57>: add eax,0x3
<+60>: pop ebp
<+61>: ret
```
The parameter is `0x8be`, so let's analyze it step by step.<br>
`<+1>: mov ebp,esp` -> Set up the stack frame; the parameter is then found at [ebp+0x8].<br>
`<+3>: cmp DWORD PTR [ebp+0x8],0x71c` -> Compare [ebp+0x8] with 0x71c (cmp computes [ebp+0x8] - 0x71c and only sets the flags), so we get <b>0x8be - 0x71c = 0x1A2</b>.<br>
`<+10>: jg 0x512 <asm1+37>` -> Jump to <asm1+37> if the result is greater than zero (in our case 0x1A2 > 0). So we jump to <asm1+37>.<br>
`<+37>: cmp DWORD PTR [ebp+0x8],0x8be` -> Again a subtraction-style compare, so we get <b>0x8be - 0x8be = 0x0</b>.<br>
`<+44>: jne 0x523 <asm1+54>` -> Jump to <asm1+54> if the result is not zero (ours is zero, so no jump).<br>
`<+46>: mov eax,DWORD PTR [ebp+0x8]` -> Move [ebp+0x8] into eax.<br>
`<+49>: sub eax,0x3` -> eax - 0x3 = 0x8bb.<br>
`<+52>: jmp 0x529 <asm1+60>` -> Jump to <asm1+60>.<br>
`<+60>: pop ebp` -> Restore the caller's ebp.<br>
`<+61>: ret` -> Return, with the result in eax.<br>
After that we can see that the return value is 0x8bb, which is our flag.
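To check the trace against every branch, not just the 0x8be path, here is a Python port of the routine. It is an added example, not part of the write-up or the challenge; the only assumption is that `cmp`/`jg` compare the DWORD as a signed 32-bit value, which is what `jg` means on x86.

```python
# Added example (not the write-up's own code): a Python port of asm1 from test.S
# so every branch, not just the 0x8be path traced above, can be exercised.

def asm1_trace(arg: int) -> tuple[int, list[str]]:
    """Return (eax, offsets visited). The DWORD at [ebp+0x8] is compared with
    cmp/jg, i.e. as a signed 32-bit value, so the port applies the same view."""
    x = arg & 0xFFFFFFFF
    if x & 0x80000000:
        x -= 1 << 32                      # signed interpretation for jg
    path = ["<+0>", "<+1>", "<+3>"]
    if x > 0x71c:                         # <+10> jg asm1+37 taken
        path += ["<+10>", "<+37>"]
        if x != 0x8be:                    # <+44> jne asm1+54 taken
            path += ["<+44>", "<+54>", "<+57>"]
            eax = x + 0x3
        else:
            path += ["<+44>", "<+46>", "<+49>", "<+52>"]
            eax = x - 0x3
    else:
        path += ["<+10>", "<+12>"]
        if x != 0x6cf:                    # <+19> jne asm1+29 taken
            path += ["<+19>", "<+29>", "<+32>", "<+35>"]
            eax = x - 0x3
        else:
            path += ["<+19>", "<+21>", "<+24>", "<+27>"]
            eax = x + 0x3
    path += ["<+60>", "<+61>"]
    return eax & 0xFFFFFFFF, path         # eax is a 32-bit register, so wrap

def asm1(arg: int) -> int:
    return asm1_trace(arg)[0]

if __name__ == "__main__":
    for a in (0x8be, 0x8bf, 0x6cf, 0x100, 0xFFFFFFFF):
        val, path = asm1_trace(a)
        print(f"asm1({a:#x}) = {val:#x}  via {' '.join(path)}")
```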
### Summary
Assembly code and hex concept.
<br>Flag: `0x8bb`
<br><br>
# Forensics
## Glory of the Garden <span style="color: green;">[Easy]</span>
### Challenge description
This <a href='https://jupiter.challenges.picoctf.org/static/4153422e18d40363e7ffc7e15a108683/garden.jpg'>garden contains more than it seems.</a>
### Solution
First I use binwalk to see if there's anything hiding in it, but there isn't. Then, I use hexeditor to view the content, searching for the pattern `picoCTF` and get the following result:

We can see the flag is just placed there without any protection.
### Summary
Fundamental hexeditor usage.
<br>Flag: `picoCTF{more_than_m33ts_the_3y33dd2eEF5}`
<br><br>
## like1000 <span style="color: orange;">[Medium]</span>
### Challenge description
This <a href='https://jupiter.challenges.picoctf.org/static/52084b5ad360b25f9af83933114324e0/1000.tar'>.tar file</a> got tarred a lot.
### Solution
From the challenge title we know that it is probably tarred 1000 times, so I wrote a script to get the flag:
```shell
#!/bin/bash
# Initialize the starting tar file number
current_tar=999
# Loop until we reach 1.tar
while [ $current_tar -ge 1 ]; do
    tar_file="${current_tar}.tar"
    # Check if the tar file exists
    if [ -f "$tar_file" ]; then
        echo "Extracting $tar_file..."
        # Create a temporary directory for extraction
        temp_dir=$(mktemp -d)
        tar -xf "$tar_file" -C "$temp_dir"
        # Check if filler.txt exists and delete it
        filler_file="$temp_dir/filler.txt"
        if [ -f "$filler_file" ]; then
            echo "Deleting $filler_file..."
            rm "$filler_file"
        fi
        # Move extracted files back to the current directory
        mv "$temp_dir"/* .
        # Clean up the temporary directory
        rmdir "$temp_dir"
        # Remove the tar file after extraction
        rm "$tar_file"
        # Decrement the tar file number
        ((current_tar--))
    else
        echo "File $tar_file does not exist. Exiting."
        exit 1
    fi
done
echo "All tar files processed."
```
After extracting for 1000 times, we should get a file called flag.png, that's the flag we're looking for.
### Summary
Fundamental shell script writing.
<br>Flag: `picoCTF{l0t5_0f_TAR5}`
<br><br>
## What Lies Within <span style="color: orange;">[Medium]</span>
### Challenge description
There's something in the <a href='https://jupiter.challenges.picoctf.org/static/011955b303f293d60c8116e6a4c5c84f/buildings.png'>building</a>. Can you retrieve the flag?
### Solution
We get a png file. I use binwalk to see if there's anything hiding in it.

We can see that there's a zip file hiding in it. We can extract the file using dd with offset and unzip it, or just use zsteg to see if we can get the content of it directly:

We see that the flag is hiding there.
### Summary
Fundamental forensic tools knowledge like `binwalk`, `dd` or `zsteg`.
<br>Flag: `picoCTF{h1d1ng_1n_th3_b1t5}`
<br><br>
## extensions <span style="color: orange;">[Medium]</span>
### Challenge description
This is a really weird text file TXT? Can you find the flag?
### Solution
We see that the file is a txt file. I use binwalk to see if I find something interesting:

It seems to be an image. So I use hexeditor and see that the magic header starts with `89 50`, which identifies a PNG.
Change the file extension to .png and open it:
<img src='https://hackmd.io/_uploads/HkIRiXq5C.png' style="width: 50%" />
### Summary
The magic number tells us what a file really is, so it is important to check the magic numbers of files rather than trusting the extension.
<br>Flag: `picoCTF{now_you_know_about_extensions}`
<br><br>
## WhitePages <span style="color: orange;">[Medium]</span>
### Challenge description
I stopped using YellowPages and moved onto WhitePages... but <a href='https://jupiter.challenges.picoctf.org/static/95be9526e162185c741259a75dffa0ab/whitepages.txt'>the page they gave me</a> is all blank!
### Solution
The given txt looks like a 'blank' file. But if we take a closer look at it in an IDE (I use VScode), we see that there are actually two types of spaces in it:

One is the normal space, the other is the one rendered with a dot.
What I do first is use Ctrl+D in VScode to select all the dot-rendered spaces and change them to '1' at once, because otherwise Python cannot recognize them properly:

Write a Python script and convert the 'blank' string to binary. Then, convert the binary to ASCII string:
```python
# coding=utf-8
s = ' '  # paste the file content here
# The first replace maps the dot-rendered space (a non-ASCII space character,
# which does not survive copy/paste into this page) to '1'; the second maps the
# normal space to '0'.
result = s.replace(' ', '1').replace(' ', '0')
# Every 8 bits is one ASCII character.
ascii_text = ''.join([chr(int(result[i:i+8], 2)) for i in range(0, len(result), 8)])
print(ascii_text)
```
We will get the following output (Try switching 0 and 1 if the result appears to be strange):
```
picoCTF
SEE PUBLIC RECORDS & BACKGROUND REPORT
5000 Forbes Ave, Pittsburgh, PA 15213
picoCTF{not_all_spaces_are_created_equal_7100860b0fa779a5bd8ce29f24f586dc}
```
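The editor step and the "switch 0 and 1" retry can both be avoided by not caring which space character is which. The script below is an added example, not the write-up's script: ASCII space is one symbol and any other Unicode whitespace code point is the other, both polarities are tried, and the one that decodes to printable text wins. `EM_SPACE` (U+2003) is an assumption about the dot-rendered character, used only to construct sample input; the decoder does not depend on it.

```python
# Added example (not the write-up's script). It does not hard-code which character
# stands for 1: ASCII space is one symbol and any other whitespace code point is
# the other, both polarities are tried, and the one that decodes to printable text
# is kept, which is the "switch 0 and 1" step done automatically.
EM_SPACE = "\u2003"   # assumption: the "dotted" space seen in VS Code

def build_sample(text: str, one: str = EM_SPACE, zero: str = " ") -> str:
    """Constructed input: encode text the way the challenge file does."""
    bits = "".join(f"{b:08b}" for b in text.encode("ascii"))
    return "".join(one if bit == "1" else zero for bit in bits)

def bits_to_bytes(bits: str) -> bytes:
    full = len(bits) - len(bits) % 8          # ignore a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, full, 8))

def looks_printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in data)

def decode_whitespace(blob: str) -> str:
    # Keep only the two "space" symbols; line breaks are layout, not data.
    symbols = [c for c in blob if c not in "\r\n"]
    if any(not c.isspace() for c in symbols):
        raise ValueError("input contains visible characters, not just spaces")
    for space_is_one in (True, False):
        bits = "".join(
            ("1" if c == " " else "0") if space_is_one else ("0" if c == " " else "1")
            for c in symbols
        )
        data = bits_to_bytes(bits)
        if looks_printable(data):
            return data.decode("ascii")
    # Inverting ASCII sets the top bit of every byte, so the wrong polarity
    # never looks printable; reaching here means the input is not 8-bit text.
    raise ValueError("neither bit polarity yields printable text")

if __name__ == "__main__":
    sample = build_sample("picoCTF{not_all_spaces_are_created_equal}")
    print(decode_whitespace(sample))
```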
### Summary
Viewing the txt file in a different IDE helps reveal the hidden characters. Then, use Python to decode them.
<br>Flag: `picoCTF{not_all_spaces_are_created_equal_7100860b0fa779a5bd8ce29f24f586dc}`
<br><br>
## shark on wire 1 <span style="color: orange;">[Medium]</span>
### Challenge description
We found this <a href='https://jupiter.challenges.picoctf.org/static/483e50268fe7e015c49caf51a69063d0/capture.pcap'>packet capture</a>. Recover the flag.
### Solution
Drop the file into Wireshark and see that there are many connections. I first thought some important information might be found in a stream, so I chose to follow one of the UDP streams and stepped through the stream numbers. In stream 6 the flag is just placed there, without any protection:

### Summary
Follow the streams; unencrypted data can usually be found there.
<br>Flag: `picoCTF{StaT31355_636f6e6e}`
<br><br>
## shark on wire 2 <span style="color: orange;">[Medium]</span>
### Challenge description
We found this <a href='https://jupiter.challenges.picoctf.org/static/b506393b6f9d53b94011df000c534759/capture.pcap'>packet capture</a>. Recover the flag that was pilfered from the network.
### Solution
Taking a look in Wireshark, we can see that there are many TCP and UDP packets. I followed the TCP streams but found nothing special. Then, following one of the UDP streams and switching to other stream numbers, I noticed that this seems like part of the flag:

Taking a closer look, we find two streams that say `start` and `end`:


The source ip is `10.0.0.66`, so we filter out packets with the corresponding ip:

At this point things were still pretty unclear, until I looked at others' writeups and noticed that we should pay attention to the 4-digit numbers (the only difference between this bunch of packets).
We extract the last 3 digits of each number and get the following sequence:
`000 112 105 099 111 067 084 070 123 112 049 076 076 102 051 114 051 100 095 100 097 116 097 095 118 049 097 095 115 116 051 103 048 125`
Then, use online decimal to text converter to get the original data:

### Summary
Pay attention to <b>anything</b> that looks suspicious.
<br>Flag: `picoCTF{p1LLf3r3d_data_v1a_st3g0}`
<br><br>
## So Meta <span style="color: orange;">[Medium]</span>
### Challenge description
Find the flag in this <a href='https://jupiter.challenges.picoctf.org/static/916b07b4c87062c165ace1d3d31ef655/pico_img.png'>picture</a>.
### Solution
Use hexeditor to view the picture, and search for pattern "picoCTF", same as the challenge "Glory of the Garden".
### Summary
Fundamental hexeditor usage.
<br>Flag: `picoCTF{s0_m3ta_d8944929}`
<br><br>
## c0rrupt <span style="color: orange;">[Medium]</span>
### Challenge description
We found this <a href='https://jupiter.challenges.picoctf.org/static/ab30fcb7d47364b4190a7d3d40edb551/mystery'>file</a>. Recover the flag.
### Solution

It seems that it is a corrupted png file (the magic header starts with 89), so I copied the file as `mystery-fixed` and fixed the first 8 bytes to match the PNG signature:

We notice that just changing the first 8 bytes is not enough, so I looked at the PNG file structure in this article: https://medium.com/@0xwan/png-structure-for-beginner-8363ce2a9f73, and found that we also need to fix the chunk names:
IHDR -

IDAT -

Searching for IEND we could see that it is correct:

Then, checking if the png is valid using a convenient tool `pngcheck` with the command `pngcheck mystery-fixed`:

The error happens in pHYs chunk (with offset 0x00042), so we need to view the chunk to get the right CRC:
`xxd -g 1 -s 0x3e -l $((4+4+9+4)) mystery-fixed` -> we start at 0x3e because the offset pngcheck reports (0x00042) points 4 bytes past the start of the chunk, so the chunk begins at 0x00042 - 0x00004 = 0x3E. The chunk layout is length + type + data + CRC (4 + 4 + 9 + 4 bytes); the data length comes from `pngcheck -v`.

To better understand the output, here's what it represent:

We see that the x axis pixels per unit is different from y axis pixels per unit. So we can change it to match each other:

Checking the png again we got another problem:

Right after pHYs there is a chunk with a huge declared size, which causes the problem, so we check the data length field of the next chunk:

(0x53 is because the pHYs position 0x3e+4+4+9+4 is 0x53)
Obviously `aa aa ff a5` is far too large for a chunk, so we can modify it. But before that, we need to know exactly how large it should be, so first recall that the structure of this PNG looks like:
| IHDR | sRGB | gAMA | pHYs | IDAT | IDAT | IDAT | IEND |
So, we can use the following command to get the next IDAT chunk:
`binwalk -R "IDAT" mystery-fixed`
<img src='https://hackmd.io/_uploads/S1UFJ2jqR.png' style="width: 70%" />
We see that the next `IDAT` string starts at 0x10008. binwalk reports the offset of the type field, and our chunk's type field is at 0x00057 (its length field is at 0x53), so the gap between the two covers this chunk's type (4 bytes), its data, its CRC (4 bytes) and the next chunk's length field (4 bytes). The data length is therefore `0x10008 - 0x00057 - 0x00004 - 0x00004 - 0x00004 = 0xFFA5`.
So we simply need to remove the `aaaa` in the next chunk's data length:

Finally there goes the flag:

### Summary
Using many tools and understanding the structure of a PNG file, including the chunks and how to calculate / modify them.
<br>Flag: `picoCTF{c0rrupt10n_1847995}`
<br><br>
## m00nwalk <span style="color: orange;">[Medium]</span>
### Challenge description
Decode this <a href='https://jupiter.challenges.picoctf.org/static/fc1edf07742e98a480c6aff7d2546107/message.wav'>message</a> from the moon.
### Solution
By searching how pictures were sent back to Earth, we find that SSTV (Slow Scan Television) was used.
Since the audio needs SSTV decoding, we can use the following tool.
First, install the tool: https://github.com/colaclanth/sstv
We need to use `pip install .` instead of `python setup.py install`, because the latter is the old way of installing.
Then, export the path, open `~/.bashrc` and add the following line in it:
`export PATH=$PATH:/home/kali/.local/bin`
Remember to source it: `source ~/.bashrc`, then we should be able to use `sstv` command:

After decoding the `.wav` file we should get the following `.png` file, which contains the flag:

### Summary
Searching the internet should turn up the relevant information about the challenge; then find a tool to recover the original image. The key point is the ability to search.
<br>Flag: `picoCTF{beep_boop_im_in_space}`
<br><br>
## WebNet0 <span style="color: red;">[Hard]</span>
### Challenge description
We found this <a href='https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/capture.pcap'>packet capture</a> and <a href='https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/picopico.key'>key</a>. Recover the flag.
### Solution
Opening the pcap in Wireshark, I first tried searching through it, but I didn't find anything useful besides this connection.

It indicates there's a key exchange in the connection stream, but at this point things still aren't clear enough.
Then I noticed we were given a key file; searching on the internet I found a way to dump the data with the key: `ssldump -r FILE.pcap -k KEY.key -d`
<img src='https://hackmd.io/_uploads/BysptI95A.png' style="width: 50%" />
It turns out that it is not that complicated: just dump out the data, since we already have the key.
### Summary
Fundamental usage of `ssldump`.
<br>Flag: `picoCTF{nongshim.shrimp.crackers}`
<br><br>
# Binary Exploitation