# CTF

# web

## <font color=f28500>logon</font>

```
The factory is hiding things from all of its users. Can you login as Joe and find what they've been looking at? https://jupiter.challenges.picoctf.org/problem/13594/ or http://jupiter.challenges.picoctf.org:13594
```

![](https://i.imgur.com/Jx7N6wN.png)

```
Enter any username and password.
```

![](https://i.imgur.com/6RBF2qS.png)

```
The login succeeds, but there is no flag.
```

![](https://i.imgur.com/iuwAcXt.png)

```
The cookie contains an admin value of False; change it directly to True.
```

![](https://i.imgur.com/OpYHkg0.png)

```
flag:picoCTF{th3_c0nsp1r4cy_l1v3s_d1c24fef}
```

## <font color=f28500>where are the robots</font>

```
Can you find the robots? https://jupiter.challenges.picoctf.org/problem/36474/ (link) or http://jupiter.challenges.picoctf.org:36474
```

[(link)](http://jupiter.challenges.picoctf.org:36474)

![](https://i.imgur.com/sG8mDlK.png)

robots.txt is a plain-text file that follows the Robots Exclusion Standard and contains one or more rules. These rules block (or allow) a specific crawler from accessing a given file path on the site.

```
Append robots.txt to the URL.
```

![](https://i.imgur.com/YtZ1RkM.png)

```
Go in and take a look.
```

![](https://i.imgur.com/Uwf1vSs.png)

```
Got the flag:picoCTF{ca1cu1at1ng_Mach1n3s_477ce}
```

# Forensics

## <font color=f28500>information</font>

```
Files can always be changed in a secret way. Can you find the flag?
```

[cat.jpg](https://mercury.picoctf.net/static/e5825f58ef798fdd1af3f6013592a971/cat.jpg)

![](https://i.imgur.com/Cl6nRcB.png)

![](https://i.imgur.com/IDciKFb.png)

```
flag:picoCTF{the_m3tadata_1s_modified}
```

## <font color=f28500>shark on wire 1</font>

```
We found this packet capture. Recover the flag.
```

[packet capture](https://jupiter.challenges.picoctf.org/static/483e50268fe7e015c49caf51a69063d0/capture.pcap)

![](https://i.imgur.com/xv3xJDO.png)

```
picoCTF{StaT31355_636f6e6e}
```

## <font color=f28500>extensions</font>

```
This is a really weird text file TXT?
Can you find the flag?
```

[TXT](https://jupiter.challenges.picoctf.org/static/e7e5d188621ee705ceeb0452525412ef/flag.txt)

```nginx=
┌──(kali㉿kali)-[~/Downloads]
└─$ binwalk flag.txt

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1697 x 608, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
```

```nginx=
┌──(kali㉿kali)-[~/Downloads]
└─$ mv flag.txt flag.png
```

![](https://i.imgur.com/uH13S0v.png)

```
picoCTF{now_you_know_about_extensions}
```

## <font color=f28500>So Meta</font>

```
Find the flag in this
```

[picture.](https://jupiter.challenges.picoctf.org/static/00efdf2961da1e21470ffc0d496c3cc2/pico_img.png)

```nginx=
┌──(kali㉿kali)-[~/Downloads/open]
└─$ strings pico_img.png
```

![](https://i.imgur.com/Gs96QJZ.png)

```
picoCTF{s0_m3ta_fec06741}
```

## <font color=f28500>Disk, disk, sleuth!</font>

```
Use `srch_strings` from the sleuthkit and some terminal-fu to find a flag in this disk image:
```

[dds1-alpine.flag.img.gz](https://mercury.picoctf.net/static/626ea9c275fbd02dd3451b81f9c5e249/dds1-alpine.flag.img.gz)

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk]
└─$ binwalk dds1-alpine.flag.img.gz                                          1 ⨯

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             gzip compressed data, has original file name: "dds1-alpine.flag.img", from Unix, last modified: 2021-03-16 00:20:04
839769        0xCD059         MySQL MISAM index file Version 7
24797621      0x17A61B5       Encrypted Hilink uImage firmware header
```

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk/_dds1-alpine.flag.img.gz.extracted]
└─$ binwalk dds1-alpine.flag.img.gz -e
```

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk/_dds1-alpine.flag.img.gz.extracted]
└─$ ls
dds1-alpine.flag.img  dds1-alpine.flag.img.gz
```

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk/_dds1-alpine.flag.img.gz.extracted]
└─$ strings dds1-alpine.flag.img | grep pico
ffffffff81399ccf t pirq_pico_get
ffffffff81399cee t pirq_pico_set
ffffffff820adb46 t pico_router_probe
  SAY picoCTF{f0r3ns1c4t0r_n30phyt3_a6f4cab5}
```

:::success
picoCTF{f0r3ns1c4t0r_n30phyt3_a6f4cab5}
:::

## <font color=f28500>Disk, disk, sleuth! II</font>

```
All we know is the file with the flag is named `down-at-the-bottom.txt`... Disk image:
```

[dds2-alpine.flag.img.gz](https://mercury.picoctf.net/static/aed64c508175df5fe23207c10e0e47e5/dds2-alpine.flag.img.gz)

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk2]
└─$ gzip -d dds2-alpine.flag.img.gz
```

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk2]
└─$ binwalk dds2-alpine.flag.img -e
```

![](https://i.imgur.com/UhKWgcx.png)

```nginx=
┌──(kali㉿kali)-[~/Downloads/disk2/_dds2-alpine.flag.img.extracted/ext-root]
└─$ cd root
```

```nginx=
┌──(kali㉿kali)-[~/…/disk2/_dds2-alpine.flag.img.extracted/ext-root/root]
└─$ cat down-at-the-bottom.txt
   _     _     _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
   _     _     _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
   _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( 3 ) ( _ ) ( f ) ( 5 ) ( 5 ) ( 6 ) ( 5 ) ( e ) ( 7 ) ( b ) ( } )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
```

:::info
picoCTF{f0r3ns1c4t0r_n0v1c3_f5565e7b}
:::
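
The logon challenge above works because the server trusts an `admin` value stored in the client's cookie. The following added example (not part of the original write-up or the challenge's code) puts that check next to one that authenticates the cookie with an HMAC; the function names, the `username` and `sig` cookie names and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real application loads it from protected configuration.
SECRET_KEY = secrets.token_bytes(32)


def naive_is_admin(cookies):
    """The pattern the challenge exposes: the server believes the client's cookie."""
    return cookies.get("admin") == "True"


def _mac(username, admin):
    # admin is restricted to two fixed strings, so the "|" separator stays unambiguous.
    msg = f"{username}|{admin}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookies(username, admin):
    """Set at login: the values plus a MAC that only the server can compute."""
    admin_s = "True" if admin else "False"
    return {"username": username, "admin": admin_s, "sig": _mac(username, admin_s)}


def verified_is_admin(cookies):
    """Grant admin only if the cookie values still match the server's MAC."""
    username = cookies.get("username", "")
    admin = cookies.get("admin", "")
    sig = cookies.get("sig", "")
    if admin not in ("True", "False"):
        return False
    expected = _mac(username, admin)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return admin == "True"


if __name__ == "__main__":
    issued = issue_cookies("joe", False)
    edited = dict(issued, admin="True")  # the edit made in the browser
    print("naive check, edited cookie:   ", naive_is_admin(edited))
    print("verified check, edited cookie:", verified_is_admin(edited))
```

Keeping the role in a server-side session keyed by a random session ID removes the client-held flag altogether; the MAC is the smaller change when the value has to stay in the cookie.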
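
In the extensions challenge above, binwalk identifies `flag.txt` as a PNG from its content, not its name. The following added example (not part of the original write-up) does the same header check by hand: it validates the PNG signature and the IHDR chunk, CRC included, and reports when the extension disagrees. The sample bytes are constructed, using the dimensions from the binwalk line on this page, and the function names are assumptions.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "indexed", 4: "gray+alpha", 6: "RGBA"}


def parse_png_header(data):
    """Return the IHDR fields if data begins with a valid PNG header, else None."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(chunk_type + body) != stored_crc:
        return None  # signature present but header damaged
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
    return {"width": width, "height": height, "bit_depth": depth,
            "color": COLOR_TYPES.get(color, "unknown"), "interlaced": bool(interlace)}


def extension_mismatch(filename, data):
    """True when the content is a PNG but the file name does not end in .png."""
    is_png = parse_png_header(data) is not None
    ext = os.path.splitext(filename)[1].lower()
    return is_png and ext != ".png"


def build_sample_header(width, height):
    """Constructed input: signature + IHDR only, enough for header checks."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + crc


# Dimensions taken from the binwalk line on this page; the bytes themselves are constructed.
SAMPLE = build_sample_header(1697, 608)

if __name__ == "__main__":
    print(parse_png_header(SAMPLE))
    print("flag.txt mismatch:", extension_mismatch("flag.txt", SAMPLE))
```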