Pico CTF 2019 Answers

Pico CTF 2019

In this article, I will share my answers for picoCTF 2019.

0) The Factory’s Secret – Points: 1

There appear to be some mysterious glyphs hidden inside this abandoned factory… I wonder what would happen if you collected them all?

-> I am skipping this task’s answer. I think that to solve this question you must solve all of the questions, so I skip this task.

1) Glory of the Garden – Points: 50 – Forensics

This garden contains more than it seems. You can also find the file in /problems/glory-of-the-garden_0_25ece79ae00914856938a4b19d0e31af on the shell server.

-> I downloaded the file from the given link. I tried to open the image, but it doesn’t open. Then I used the strings command with grep and found the flag.

Here is a flag “picoCTF{more_than_m33ts_the_3y3f089EdF0}”

Answer: picoCTF{more_than_m33ts_the_3y3f089EdF0}

2) Insp3ct0r – Points: 50 – Web Exploitation

Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/9509/ (link) or http://2019shell1.picoctf.com:9509

-> I opened the website and viewed the source code of the page. There I found 1/3 of the flag. At the top of the HTML file I also found two other files, mycss.css and myjs.js. The remaining parts of the flag are in these files.

Be careful: the part after ? can change for each user.

Answer: picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?9df7e69a}

3) Lets Warm Up – Points: 50 – General Skills

If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?

-> We can easily convert hex to ASCII using Python.

The output is ‘p’.

Answer: picoCTF{p}

4) The Numbers – Points: 50 – Cryptography

The numbers… what do they mean?

-> The link has an image, shown below. As you can see, our flag is inside the {}. We can also say that 16 9 3 15 3 20 6 is picoCTF. Both c and C are 3, so order and uppercase don’t have an effect. You can use the second image to decode this picture.

Answer: PICOCTF{THENUMBERSMASON}

5) Warmed Up – Points: 50 – Cryptography

What is 0x3D (base 16) in decimal (base 10)

-> Convert the hex value to an integer. You can use int("0x3D", 16)

Answer: picoCTF{61}

6) 2Warm – Points: 50 – General Skills

Can you convert the number 42(base 10) to binary (base 2)

-> You must convert an integer to binary. You can use the bin() function in Python; in this case it will be bin(42).

Answer: picoCTF{101010}

7) handy-shellcode – Points: 50 – Binary Exploitation

This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_1_ebc60746fee43ae25c405fc75a234ef5 on the shell server. Source.

-> Note: I am using SSH to connect to the shell server. You can also use the shell page on the website.

These are the files in that directory. As you can see, flag.txt is there, but we don’t have permission to access it. The vuln file can access it because these files are in the same group. We also have permission to execute that file.

First, we must look at the vuln.c file.

We have a getegid() function, which returns the effective group ID of the calling process. After that, the real user ID is set using the setresgid() function. We also have a gets() function, which we can use for a buffer overflow attack.

file ./vuln returns;

vuln: setgid ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=7b65fbf1fba331b6b09a6812a338dbb1118e68e9, not stripped

So we need shellcode for a 32-bit ELF, Intel 80386 binary. I found one. You can also find one on Google.

I use echo -e "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" > ~/s.txt to save the shellcode. Then I pipe the shellcode into the binary using cat ~/s.txt - | ./vuln

Another solution: we can use Python to automate the exploit. First you must download the pwntools package for Python; you can use pip install pwntools. Actually, we can use the shell server, which already has Python and the pwntools package.

This is our exploit.py

Answer: picoCTF{h4ndY_d4ndY_sh311c0d3_2cb0ff39}

8) practice-run-1 – Points: 50 – Binary Exploitation

You’re going to need to know how to run programs if you’re going to get out of here. Navigate to /problems/practice-run-1_0_62b61488e896645ebff9b6c97d0e775e on the shell server and run this program to receive a flag.

-> Use the shell and just run the ./run_this executable file. It will print the flag.

Answer: picoCTF{g3t_r3adY_2_r3v3r53}

9) unzip – Points: 50 – Forensics

Can you unzip this file and get the flag?

-> Just unzip the file using the unzip command. It contains an image file, and the picture shows the flag.

Answer: picoCTF{unz1pp1ng_1s_3a5y}

10) vault-door-training – Points: 50 – Reverse Engineering

Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java

-> When you download the Java code you will see the flag.

Note that the fcb79c48f5b part can change for each user.

Answer: picoCTF{w4rm1ng_Up_w1tH_jAv4_fcb79c48f5b}

11) 13 – Points: 100 – Cryptography

Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}

-> The ROT13 algorithm is one of the oldest methods. It shifts letters by 13. In this case.

Answer: picoCTF{not_too_bad_of_a_problem}

12) Bases – Points: 100 – General Skills

What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.

-> The title of the question gives a clue about the algorithm: it is base64 ciphertext. You can decode this ciphertext using an online decoder.

plain_text is : l3arn_th3_r0p35

Answer: picoCTF{l3arn_th3_r0p35}

13) Easy1 – Points: 100 – Cryptography

The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We’ve given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this table to solve it?.

-> I downloaded the table. You can see it below. Actually, it looks like a Vigenere cipher. For decryption, we must find the letters of SOLVECRYPTO in the rows or columns, then find the cipher message’s letters in the table. S to U is C. O to F is R. If you want, you can use an online decoder.

Answer : picoCTF{CRYPTOISFUN}

14) First Grep – Points: 100 – General Skills

Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way. You can also find the file in /problems/first-grep_2_04dbf496b78e6c37c0097cdfef734d88 on the shell server.

-> Probably, we need to use the grep command with this file. I couldn’t execute this file; I don’t have permission for that. I used the strings command with grep.

strings file | grep pico

Answer : picoCTF{grep_is_good_to_find_things_bf6aec61}

15) OverFlow 0 – Points: 100 – Binary Exploitation

This should be easy. Overflow the correct buffer in this program and get a flag. Its also found in /problems/overflow-0_5_db665826dabb99c44758c97abfd8c4c6 on the shell server. Source.

-> This directory has 3 files: flag.txt, vuln and vuln.c. We don’t have permission to open the flag.txt file, but the vuln executable has permission to access it through its group. The attributes are the same as in the handy-shellcode (#6) task.

In this code we have a sigsegv_handler() function, which is bound to the SIGSEGV signal. We also have an fprintf call which prints our flag. So we must force the program to raise a segmentation fault. For the fget, if we put in more than FLAGSIZE_MAX, it will crash. In this case that is 128. When you enter 133 characters (5 chars to overflow into the return address), A in my case, the program goes to the SIGSEGV handler.

Answer : picoCTF{3asY_P3a5y4a888b8e}

16) Resources – Points: 100 – General Skills

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources (link)

-> Go to the link. You will see the flag at the bottom of that page.

Answer : picoCTF{r3source_pag3_f1ag}

17) caesar – Points: 100 – Cryptography

Decrypt this message. You can find the ciphertext in /problems/caesar_1_4c9d445f770c71bd84ab0d822197a005 on the shell server.

-> picoCTF{zolppfkdqeboryfzlktjxksyyl} is the cipher message. The Caesar cipher uses a shift method. In this case, when you shift the letters by 3 you will see the message.

Answer : picoCTF{crossingtherubiconwmanvbbo}
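The three letter-shift ciphers in tasks 11 (ROT13), 13 (the Vigenere table) and 17 (Caesar) are the same operation with different keys. The following is an added example, not code from the original article; the function names are my own, and the inputs are the ciphertexts quoted in the tasks above.

```python
def shift_letters(text: str, k: int) -> str:
    """Rotate every ASCII letter k places forward (k may be negative), keeping case."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)  # digits, braces and underscores pass through unchanged
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the shift cipher with k = 13, so it is its own inverse."""
    return shift_letters(text, 13)


def caesar_candidates(ciphertext: str) -> dict:
    """Only 26 keys exist, so list every shift and read off the one that is English."""
    return {k: shift_letters(ciphertext, k) for k in range(26)}


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Undo a Vigenere table lookup: subtract the key letter from each ciphertext letter."""
    out, i = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            k = ord(key[i % len(key)].upper()) - ord("A")
            out.append(shift_letters(ch, -k))
            i += 1  # the key position advances on letters only
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(rot13("cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}"))      # task 11
    print(vigenere_decrypt("UFJKXQZQUNB", "SOLVECRYPTO"))   # task 13
    for k, text in caesar_candidates("zolppfkdqeboryfzlktjxksyyl").items():
        print(f"{k:2d} {text}")                              # task 17
```
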

18) dont-use-client-side – Points: 100 – Web Exploitation

Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/49886/ (link) or http://2019shell1.picoctf.com:49886

-> Check the HTML source of this link. You will see the nested if statements.

We can write out the flag using this split order.

Answer : picoCTF{no_clients_plz_ee2f24}

19) logon – Points: 100 – Web Exploitation

The factory is hiding things from all of its users. Can you login as logon and find what they’ve been looking at? https://2019shell1.picoctf.com/problem/45163/ (link) or http://2019shell1.picoctf.com:45163

-> When you look at the cookies you will see the admin cookie. When you set it to True and refresh the page, you will see the flag.

We can also solve this question using Python.

Answer : picoCTF{th3_c0nsp1r4cy_l1v3s_6679fcb5}
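Why editing the admin cookie works, and what the server-side fix looks like. This is an added example, not the challenge's code or code from the original article: the cookie layout, the function names and the session format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the browser


def is_admin_vulnerable(cookies: dict) -> bool:
    """The flawed pattern: authorization read from a value the client can rewrite."""
    return cookies.get("admin") == "True"


def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, admin: bool) -> dict:
    """Hardened form: the role travels with an HMAC tag only the server can compute."""
    payload = f"{username}|{int(admin)}"
    return {"session": f"{payload}|{_tag(payload)}"}


def is_admin_hardened(cookies: dict) -> bool:
    """Accept the role only if the tag matches what the server would have issued."""
    payload, sep, tag = cookies.get("session", "").rpartition("|")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return False  # missing, malformed or tampered cookie
    return payload.rpartition("|")[2] == "1"


if __name__ == "__main__":
    # Constructed cookies: the first mimics the edited cookie from the task.
    print(is_admin_vulnerable({"username": "logon", "admin": "True"}))
    cookie = issue_session("logon", admin=False)
    forged = {"session": cookie["session"].replace("logon|0|", "logon|1|")}
    print(is_admin_hardened(cookie), is_admin_hardened(forged))
```

Keeping the role in a server-side session store keyed by a random ID works equally well; the point is that the browser never holds an authoritative copy of it.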

20) strings it – Points: 100 – General Skills

Can you find the flag in file without running it? You can also find the file in /problems/strings-it_2_865eec66d190ef75386fb14e15972126 on the shell server.

-> We can use strings to find the flag without running the file.

strings ./strings | grep pico

Answer : picoCTF{5tRIng5_1T_d5b86184}

21) vault-door-1 – Points: 100 – Reverse Engineering

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java

-> The VaultDoor1.java file has the flag. We must align the letters with the correct index.

password.charAt(0) == 'd'
password.charAt(1) == '3'
password.charAt(2) == '5'
password.charAt(3) == 'c'
password.charAt(4) == 'r'
password.charAt(5) == '4'
password.charAt(6) == 'm'
password.charAt(7) == 'b'
password.charAt(8) == 'l'
password.charAt(9) == '3'
password.charAt(10) == '_'
password.charAt(11) == 't'
password.charAt(12) == 'H'
password.charAt(13) == '3'
password.charAt(14) == '_'
password.charAt(15) == 'c'
password.charAt(16) == 'H'
password.charAt(17) == '4'
password.charAt(18) == 'r'
password.charAt(19) == '4'
password.charAt(20) == 'c'
password.charAt(21) == 'T'
password.charAt(22) == '3'
password.charAt(23) == 'r'
password.charAt(24) == '5'
password.charAt(25) == '_'
password.charAt(26) == '9'
password.charAt(27) == 'd'
password.charAt(28) == '0'
password.charAt(29) == '3'
password.charAt(30) == '8'
password.charAt(31) == 'f'

Answer : picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_9d038f}

22) what’s a net cat – Points: 100 – General Skills

Using netcat (nc) is going to be pretty important. Can you connect to 2019shell1.picoctf.com at port 32225 to get the flag?

-> Use netcat to connect to the address:
nc 2019shell1.picoctf.com 32225

Answer : picoCTF{nEtCat_Mast3ry_b1d25ece}

23) where are the robots – Points: 100 – Web Exploitation

Can you find the robots? https://2019shell1.picoctf.com/problem/12267/ (link) or http://2019shell1.picoctf.com:12267

-> When we look at the title of the task, it tries to give a hint about robots.txt. Robots.txt stores the names of pages which are not allowed for robots. So we must check the /robots.txt file.

In this file, the /713d3.html page is not allowed for robots. So we can check that page manually. On that page you will see the flag.

Answer : picoCTF{ca1cu1at1ng_Mach1n3s_713d3}

24) OverFlow 1 – Points: 150 – Binary Exploitation

You beat the first overflow challenge. Now overflow the buffer and change the return address to the flag function in this program? You can find it in /problems/overflow-1_6_0a7153ff536ac8779749bc2dfa4735de on the shell server. Source.

-> These files also have the same attributes as in the previous OverFlow task.

We must force the program to go to the flag() function. For this, we must overflow the program. We also need to know the address of the flag function. We can use the objdump -d ./vuln | grep flag command for that. The output is 080485e6, whose byte order we must reverse: e6850408. We also need to overflow the array, whose size is 64, but that is not enough. We must still increase the number of A characters. After increasing them one by one, I finally found the right size, which is 76. So we can use:

cat <(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xe6\x85\x04\x08') - | ./vuln

Answer : picoCTF{n0w_w3r3_ChaNg1ng_r3tURn5b80c9cbf}

25) So Meta – Points: 150 – Forensics

Find the flag in this picture. You can also find the file in /problems/so-meta_2_da856426d694a4f0637bf1b169d8524e.

-> Use strings to find the flag.

strings pico_img.png | grep pico

Also you can use exiftool pico_img.png. In the artist label you will see the flag.

Answer : picoCTF{s0_m3ta_3d6ced35}

26) What Lies Within – Points: 150 – Forensics

Theres something in the building. Can you retrieve the flag?

-> I know just one image encryption method, which is steganography. I will try that. I will use an online least significant bit steganography decoder. Yes, the flag is there: picoCTF{h1d1ng_1n_th3_b1t5}

Answer : picoCTF{h1d1ng_1n_th3_b1t5}

27) extensions – Points: 150 – Forensics

This is a really weird text file TXT? Can you find the flag?

-> I downloaded the file. Then I checked it with the file command, which says it is a PNG image. Then I changed the extension from txt to png and found the flag.

Answer : picoCTF{now_you_know_about_extensions}
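The check the file command performed here, comparing a file's leading bytes with its claimed extension, can be scripted for triage or for validating uploads. This is an added example, not code from the original article; the signature table is a small subset, and the file names and sample bytes are constructed.

```python
import os

# Leading "magic" bytes of a few common formats, the same idea file(1) relies on.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
]
ALIASES = {"jpeg": "jpg"}  # extensions that name the same format


def sniff_type(data: bytes):
    """Return the format whose signature starts the data, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return the sniffed type when it contradicts the claimed extension, else None."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    kind = sniff_type(data)
    if kind is None or not ext:
        return None  # unknown content or no extension claimed: nothing to compare
    return kind if kind != ext else None


if __name__ == "__main__":
    # Constructed sample: a PNG signature plus the start of an IHDR chunk, named .txt
    sample = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
    print(extension_mismatch("flag.txt", sample))
    print(extension_mismatch("photo.JPEG", b"\xff\xd8\xff\xe0"))
```
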

28) shark on wire 1 – Points: 150 – Forensics

We found this packet capture. Recover the flag. You can also find the file in /problems/shark-on-wire-1_0_13d709ec13952807e477ba1b5404e620.

-> Probably, we must use Wireshark for this task.

Answer : picoCTF{}
