# PicoCTF 2023 Writeup Solved by nabilmuafa Solve count: 17 * General Skills: 5 * Reverse Engineering: 3 * Forensics: 3 * Web Exploitation: 3 * Cryptography: 2 * Binary Exploitation: 1 ## General Skills ### Rules 2023 > Read the rules of the competition and get a little bonus! [Rules](https://picoctf.org/competitions/2023-spring-rules.html) Scroll down to the "**What are the other rules and terms for picoCTF 2023?**" section to find the flag in an image. Explains why Ctrl+F won't work. **Flag: `picoCTF{h34rd_und3r5700d_4ck_cba1c711}`** ### money-ware > Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to `1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX`. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of? According to the hint, we can look up the bitcoin address on bitcoin abuse database. For this challenge, I looked it up on bitcoinabuse.com. ![](https://i.imgur.com/x2luipu.png) Nothing really interesting, except the last row of "Reports". Opening the site https://blog.avira.com/petya-strikes-back will lead us to an article about Petya, a ransomware virus. This is the malware we're looking for. **Flag: `picoCTF{Petya}`** ### repetitions > Can you make sense of this file? Download the file [here](https://artifacts.picoctf.net/c/477/enc_flag). Opening the file gave us the following text: ``` VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW VkpEVGxaYVdFMVhSbHBWV0VKVVZGWmFWMDVHV2tkYVNHUlZDazFyY0ZkVWJGWlhZVlpLU0dWRlZs aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg== ``` Pretty obvious that this is a base64 encryption. Upon decrypting, we're still greeted with a base64 text: ``` VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX bUZTVmtwUVdWUkdibVZXVm5WUgpiSEJzWVRCd2VWVXhXbXBOUlRWSFdqTnNWZ3BYUjFKeVZGZHdW MlZzVWxaVmJFNW9UVVJDTlZaWE1XRlpVWEJUVFZaV05GWkdaSGRVCk1rcFdUbFZXYVZKSGVFVlhi bTkzVDFWT2JsQlVNRXNLCg== ``` My guess tells me that we need to repeatedly decrypt the text until we get the plaintext. Code: ```python import base64 as b with open("enc_flag", "r") as file: cipher = file.readlines() cipher = "".join([i.strip() for i in cipher]) plain = b.b64decode(cipher).decode("utf-8") while "picoCTF" not in plain: plain = b.b64decode(plain).decode("utf-8") print(plain) ``` **Flag: `picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_de523f49}`** ### useless > There's an interesting script in the user's home directory The work computer is running SSH. We've been given a script which performs some basic calculations, explore the script and find a flag. Connecting to the SSH and running ls, we can see that there's a script called `useless`. Here we can see the script inside the file: ![](https://i.imgur.com/ojDxOk2.png) Looking at the challenge tag and the echo on the else condition, we are required to read the manual. Reading manuals can be done by entering `man <command name>`. In this case, we want to enter `man useless`. Upon reading the manual, the flag is in plain sight. ![](https://i.imgur.com/RVDoNDm.png) **Flag:`picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_4373}`** ### chrono > How to automate tasks to run at intervals on linux servers? We were given an SSH server to connect. Upon connecting, we're given an empty home directory of user picoplayer. Going to the root directory, we can see an interesting directory called `challenge`. ![](https://i.imgur.com/0oLczYC.png) The directory only contains one file, a metadata file. Surprisingly, printing out the contents of the metadata file gives us the flag. ![](https://i.imgur.com/JFTx89H.png) **Flag: `picoCTF{Sch3DUL7NG_T45K3_L1NUX_9d5cb744}`** *note: this is probably not the intended way of solving. it's just... the challenge itself has vulnerabilities xD* --- ## Reverse Engineering ### Ready Gladiator 0 > Can you make a CoreWars warrior that always loses, no ties? Your opponent is the Imp. The source is available [here](https://artifacts.picoctf.net/c/311/imp.red). If you wanted to pit the Imp against himself, you could download the Imp and connect to the CoreWars server like this: nc saturn.picoctf.net 59403 < imp.red *(note: the netcat address is dynamic since it comes from an instance)* Opening the source file gives us this: ``` ;redcode ;name Imp Ex ;assert 1 mov 0, 1 end ``` To be completely honest, I don't really understand how the game works. But apparently, changing `mov` to `sub` does the job, because we're substracting whatever is in register 0 with the value of register 1. Running the modified code in netcat gives us the flag. ![](https://i.imgur.com/QKyor2l.png) **Flag: `picoCTF{h3r0_t0_z3r0_4m1r1gh7_e476d4cf}`** ### Reverse > Try reversing this file? Can ya? I forgot the password to this [file](https://artifacts.picoctf.net/c/270/ret). Please find it for me? Opening the file in text editor gives us binary values because this is a binary file. But the flag is hidden in plain sight inside those values, which can easily be obtained through grepping. ![](https://i.imgur.com/VHfyNoL.png) **Flag: `picoCTF{3lf_r3v3r5ing_succe55ful_c83965de}`** ### Safe Opener 2 > What can you do with this file? I forgot the key to my safe but this [file](https://artifacts.picoctf.net/c/290/SafeOpener.class) is supposed to help me with retrieving the lost key. Can you help me unlock my safe? The file is a Java class file. We can try decompiling it to see the code behind. For the decompilation, I used an online tool. Upon decompilation, the flag can be seen inside the openSafe method. ```java ... public static boolean openSafe(final String password) { final String encodedkey = "picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_7db9fb8c}"; if (password.equals(encodedkey)) { System.out.println("Sesame open"); return true; } System.out.println("Password is incorrect\n"); return false; } } ``` **Flag: `picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_7db9fb8c}`** --- ## Forensics ### hideme >Every file gets a flag. The SOC analyst saw one image been sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye [here](https://artifacts.picoctf.net/c/260/flag.png). Running the .png file through zsteg tells us that the file contains extractable zip archive data. ![](https://i.imgur.com/Ng7iIKu.png) We can open the file in a hex editor, take the bytes of the zip file to a new file, then extract it. For this, I used hexed.it. The bytes of the zip file starts on approximately byte 0x00009B30 until the end of the png's hex data. ![](https://i.imgur.com/nGGGXnG.png) Copying the entire chunk of zip data to another file then saving it as a .zip gives us an extractable zip file. Extracting the zip file gives us another .png file that contains the flag. secret.png: ![](https://i.imgur.com/mHt1YcT.png) **Flag: `picoCTF{Hiddinng_An_imag3_within_@n_ima9e_81cc7947}`** ### who is it > Someone just sent you an email claiming to be Google's co-founder Larry Page but you suspect a scam. Can you help us identify whose mail server the email actually originated from? Download the email file [here](https://artifacts.picoctf.net/c/499/email-export.eml). Flag: picoCTF{FirstnameLastname} Looking at the hint, the author is telling us to look for IP addresses originating from the sender. Upon first inspection at the file through text editor, only one IP address appears in the whole file: ``` ... ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@onionmail.org header.s=jan2022 header.b=4sU2nk5Z; spf=pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) smtp.mailfrom=lpage@onionmail.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=onionmail.org Return-Path: <lpage@onionmail.org> Received: from mail.onionmail.org (mail.onionmail.org. [173.249.33.206]) by mx.google.com with ESMTPS id f16-20020a05600c4e9000b003a1947873d6si1882702wmq.224.2022.07.07.23.19.47 for <francismanzi@gmail.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Jul 2022 23:19:47 -0700 (PDT) Received-SPF: pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) client-ip=173.249.33.206; Authentication-Results: mx.google.com; dkim=pass header.i=@onionmail.org header.s=jan2022 header.b=4sU2nk5Z; spf=pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) smtp.mailfrom=lpage@onionmail.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=onionmail.org ... ``` The IP address of the sender is `173.249.33.206`. Looking the IP up on whois.com, we get a name: ![](https://i.imgur.com/I3h97kL.png) **Flag: `picoCTF{WilhelmZwalina}`** ### PcapPoisoning > How about some hide and seek heh? Download this [file](https://artifacts.picoctf.net/c/371/trace.pcap) and find the flag. Opening the .pcap file in WireShark and following the TCP stream gives us something interesting in stream 1. ![](https://i.imgur.com/gIqtkOO.png) The flag can be seen. **Flag: `picoCTF{P64P_4N4L7S1S_SU55355FUL_fc4e803f}`** --- ## Web Exploitation ### findme > Help us test the form by submiting the username as `test` and password as `test!` Upon going to the website and entering the login credentials stated, there's a very quick page redirection before going to the main page. To see what the redirected page is about, we can use tools such as BurpSuite to see the contents of the page through the response before forwarding the page to the home page. *Login page* ![](https://i.imgur.com/PzRRxJc.png) *Login page response* ![](https://i.imgur.com/pakM1Nv.png) *Response of the next forwarded page* ![](https://i.imgur.com/dMwPvTW.png) As we can see here, the title of the page is flag, and there is a base64 encrypted string in the \<script> section, `bF90aGVfd2F5XzI1YmJhZTlhfQ==`. \(Obvious, looking at the "==") Decrypting the base64 will give us the second half of the flag, that is `l_the_way_25bbae9a}` The first half of the flag could be in the ID section on the login page response \(`cGljb0NURntwcm94aWVzX2Fs`), that turns out is a base64 encrypted string too. Decrypting it will give us the first half of the flag, that is `picoCTF{proxies_al`. Combining both gives us the full flag. **Flag: `picoCTF{proxies_all_the_way_25bbae9a}`** ### MatchTheRegex > How about trying to match a regular expression The challenge gives us a website upon launching an instance. The website is a simple text input page. ![](https://i.imgur.com/oGdDLQB.png) In the page source, there's a script that evaluates the input, where the request will be sent if the input matches the regex stated in the comment. ![](https://i.imgur.com/my6dPr9.png) The regex syntax `p.....F!?` matches the input with a string beginning with 'p', continued with 6 wildcard characters, then ending with 'F!' (the '!' is optional). With this, we can try inputting 'picoCTF' to the input, and it gives us the flag. ![](https://i.imgur.com/mDmLL4Q.png) **Flag: `picoCTF{succ3ssfully_matchtheregex_8ad436ed}`** ### More SQLi > Can you find the flag on this website. The challenge gives us a website upon launching an instance. The website is a simple login page. ![](https://i.imgur.com/y0cSrpy.png) If we try logging in as 'admin' with the password 'admin', we were given an SQL query result: ![](https://i.imgur.com/6ve27B3.png) This should be a simple SQL injection challenge. We can bypass the first apostrophe with inputting another apostrophe, then adding something that will always evaluate to true, such as `OR 1=1`. Then we can end the input with semicolon to mark the end of the syntax. Because we don't know which user to log in to, we can just ignore the username query and focus on the password. If we can inject the password SQL query, it will select users with any password. With this, we can try inputting `' OR 1=1;` to the password, and anything on the username. ![](https://i.imgur.com/wgO5m6A.png) The injection was a success and we are greeted with this page (/welcome.php) ![](https://i.imgur.com/I4opCqu.png) There's a search bar. But looking at the page source and after trying several inputs, my guess is that this search bar doesn't have anything to do with getting the flag. To make sure, I tried opening the website through BurpSuite to see the requests. To my surprise, after logging in with the injection stated earlier, we get a redirect to /index.php before /welcome.php. ![](https://i.imgur.com/PC0Xi5C.png) Looking at the response of the redirection, we can find the flag there. **Flag: `picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_c8ee9477}`** --- ## Cryptography ### ReadMyCert > How about we take you on an adventure on exploring certificate signing requests Take a look at this CSR file [here](https://artifacts.picoctf.net/c/422/readmycert.csr). We were given a file `readmycert.csr`. Opening the file in a text editor tells us that this is a certificate request file. ![](https://i.imgur.com/AKkmeI2.png) However, looking at the "=" located at the end of the request, this is probably a base64 encoded string. To make sure, I tried decoding it. ![](https://i.imgur.com/soJgLG8.png) The flag is in plain sight. **Flag: `picoCTF{read_mycert_cda8cb26}`** ### rotation > You will find the flag after decrypting this file Download the encrypted flag [here](https://artifacts.picoctf.net/c/391/encrypted.txt). Downloading the file and opening it gives us an encrypted flag ``` xqkwKBN{z0bib1wv_l3kzgxb3l_jln2n252} ``` Looking at the name of the challenge, this is probably encrypted with ROT Cipher (rotation). Running the string with brute force on ROT cipher decryptor gives us this as one of the possible decryptions: ![](https://i.imgur.com/iFYPLVH.png) Then that is the flag. **Flag: `picoCTF{r0tat1on_d3crypt3d_bdf2f252}`** --- ## Binary Exploitation ### two-sum > Can you solve this? What two positive numbers can make this possible: `n1 > n1 + n2 OR n2 > n1 + n2` We were given this C code: ```c! #include <stdio.h> #include <stdlib.h> static int addIntOvf(int result, int a, int b) { result = a + b; if(a > 0 && b > 0 && result < 0) return -1; if(a < 0 && b < 0 && result > 0) return -1; return 0; } int main() { int num1, num2, sum; FILE *flag; char c; printf("n1 > n1 + n2 OR n2 > n1 + n2 \n"); fflush(stdout); printf("What two positive numbers can make this possible: \n"); fflush(stdout); if (scanf("%d", &num1) && scanf("%d", &num2)) { printf("You entered %d and %d\n", num1, num2); fflush(stdout); sum = num1 + num2; if (addIntOvf(sum, num1, num2) == 0) { printf("No overflow\n"); fflush(stdout); exit(0); } else if (addIntOvf(sum, num1, num2) == -1) { printf("You have an integer overflow\n"); fflush(stdout); } if (num1 > 0 || num2 > 0) { flag = fopen("flag.txt","r"); if(flag == NULL){ printf("flag not found: please run this on the server\n"); fflush(stdout); exit(0); } char buf[60]; fgets(buf, 59, flag); printf("YOUR FLAG IS: %s\n", buf); fflush(stdout); exit(0); } } return 0; } ``` Our objective is to fulfill the else if condition, so the program doesn't exit. After that, we need to fulfill the if `num1 > 0 || num2 > 0`, so the flag will get printed. The vulnerability in this C code is located in `addIntOvf()` function. It allows integer overflow, which makes it possible to get -1 as the return value by overflowing the sum. A possible input is `a = 2147483647` and `b = 2`. The number `a` is the limit of integers minus 1, therefore adding it with `b` will overflow the summation, giving us the negative limit of the integer as a result. This input will cause `addIntOvf()` to return -1, and also fulfill the if condition to print the flag. So this is our payload. ![](https://i.imgur.com/4w4vOHo.png) **Flag: `picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_ccd078bd}`**