
# 01 - Forensics Warmup 1

### Solve

Can you unzip this file for me and retrieve the flag?

### Solution

• Unzip folder
• Open image
• Flag in plain text

### Flag

``````
picoCTF{welcome_to_forensics}
``````

# 02 - Forensics Warmup 2

### Solve

Hmm for some reason I can't open this PNG? Any ideas?

### Solution

Simply open the image

### Flag

``````
picoCTF{extensions_are_a_lie}
``````

# 03 - General Warmup 1

### Solution

I actually don’t know much about hexadecimal, so let’s take a look. I don’t think it’s going to be as straightforward as 0x41 = 0.

Anyways I typed 0x41= in Google and it gave me the answer of 65. That was too easy so I want to look further.

ASCII

https://bluesock.org/~willg/dev/ascii.html

Looking at the ASCII table there are a number of columns

Char | Dec | Oct | Hex

Hex = 0x41 <— this must be our number

Oct = 0101

Dec = 65 <— what google gave me

Char = A <— I’m going to assume this is the answer we’re looking for.

If we look at the above link and scroll to “common ascii codes to know” you will see:

“A 65 0101 0x41 capital A”

### Flag

``````
picoCTF{A}
``````

# 04 - General Warmup 2

### Solve

Can you convert the number 27 (base 10) to binary (base 2)?

### Solution

Pretty straightforward using an online converter like:

http://www.unitconversion.org/numbers/base-10-to-base-2-conversion.html

### Flag

``````
picoCTF{11011}
``````

# 05 - General Warmup 3

### Solve

What is 0x3D (base 16) in decimal (base 10).

### Flag

``````
picCTF{61}
``````

# 06 - Resources

### Solve

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources

### Solution

Open up link, right click > inspect > Ctrl + F

search CTF found

### Flag

``````
picoCTF{xiexie_ni_lai_zheli}
``````

Looked back at the page and it is in plain text on the site so probably didn’t need to go through those steps.

# 07 - Reversing Warmup 1

### Solve

Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934 on the shell server and run this program to retrieve the flag?

### Solution

Opened up the shell server

``````
cd /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934
ls
``````

You’ll see the file ‘run’ highlighted in green, which looks like an executable file, so use:

``````
./run
``````

### Flag

``````
picoCTF{welc0m3_t0_r3VeRs1nG}
``````

# 08 - Reversing Warmup 2

### Solve

Can you decode the following string from base64 format to ASCII?

``````
dGg0dF93NHNfczFtcEwz
``````

### Solution

https://base64decode.org

### Flags

``````
picoCTF{th4t_w4s_s1mpL3}
``````

# 09 - Crypto Warmup 1

### Solve

Crypto can often be done by hand, here's a message you got from a friend,

``````
llkjmlmpadkkc
``````

with the key of

``````
thisisalilkey
``````

Can you use this table to solve it?

### Solution

There is a link to download the table to decrypt this. I don’t know much about it at all, so let’s have a look at some online cipher tools to see which one can crack it first.

Instead of filling this with a heap of different tools I tried, here is the one that worked.

https://planetcalc.com/2468/

So it looks like there is some sort of crypto algorithm called Vigenere using some ROT#

### Flag

``````
picoCTF{secretmessage}
``````

# 10 - Crypto Warmup 2

### Solve

Cryptography doesn't have to be complicated, have you ever heard of something called rot13?

``````
cvpbPGS{guvf_vf_pelcgb!}
``````

### Solution

So this is going back to the rot#, I found in the last task, simple google search rot13 decoder > https://rot13.com

### Flags

``````
picoCTF{this_is_crypto!}
``````
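Both Crypto Warmup 1 and Crypto Warmup 2 can be solved with the same few lines instead of an online tool. This is an added example, not code from the original writeup; the function names are illustrative. It generalises slightly by preserving case and passing non-letters through, which is what lets ROT13 be treated as the Vigenere cipher with the one-letter key `n`.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Undo a Vigenere encryption: plaintext = (cipher - key) mod 26 per letter.

    Case is preserved; non-letters pass through and do not consume key letters.
    """
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, used = [], 0
    for ch in ciphertext:
        lower = ch.lower()
        if lower not in ALPHABET:
            out.append(ch)  # digits, braces, '_' and '!' are left alone
            continue
        shift = shifts[used % len(shifts)]  # repeat the key as often as needed
        used += 1
        plain = ALPHABET[(ALPHABET.index(lower) - shift) % 26]
        out.append(plain.upper() if ch.isupper() else plain)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is a fixed shift of 13, i.e. Vigenere with the key 'n'."""
    return vigenere_decrypt(text, "n")


if __name__ == "__main__":
    # Inputs taken from the two challenge prompts above.
    print(vigenere_decrypt("llkjmlmpadkkc", "thisisalilkey"))
    print(rot13("cvpbPGS{guvf_vf_pelcgb!}"))
```

Because a shift of 13 is half the alphabet, applying `rot13` twice returns the original text, which is why the same function both encodes and decodes.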

# 11 - Grep 1

### Solve

Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59 on the shell server.

### Solution

Go to directory

``````
cd /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59
``````

See what is in there

``````
ls
``````

returned with “file”

``````
cat file | grep pico
``````

### Flag

``````
picoCTF{grep_and_you_will_find_52e63a9f}
``````

# 12 - Net Cat

### Solve

Using netcat (nc) will be a necessity throughout your adventure. Can you connect to `2018shell.picoctf.com` at port `49387` to get the flag?

### Solution

Use netcat or nc

``````
netcat 2018shell.picoctf.com 49387
``````

### Flag

``````
picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}
``````

# 13 - HEEEEEEERE’S Johnny!

### Solve

Okay, so we found some important looking files on a Linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 42165.

Files can be found here: passwd shadow.

### Solution

opened them in a text editor and had

``````
root:x:0:0:root:/root:/bin/bash
``````

``````
root:$6$IGI9prWh$ZHToiAnzeD1Swp.zQzJ/Gv.iViy39EmjVsg3nsZlfejvrAjhmp5jY.1N6aRbjFJVQX8hHmTh7Oly3NzogaH8c1:17770:0:99999:7:::
``````

Connecting to 2018shell.picoctf.com 42165

I tried root > toor as I can see the user is root from the password and shadow file.

Only because I’ve used John the Ripper before, I tried this on localhost and I got the password

``````
The matrix
``````

### Flag

``````
picoCTF{J0hn_1$_R1pp3d_289677b5}
``````

# 14 - Strings

### Solve

Alright, can you find the flag in this file without actually running it?

You will be able to find the file in /problems/strings440d221755b4a0b134c2a7a2e825ef95f on the shell server.

### Solution

Navigate to the folder

``````
cd /problems/strings_1_c7bac958dd6a4b695dc72446d8014f59
``````

The file was executable so I ran it to see what would happen; as expected, it's a file with a string in a loop.

Reloaded the shell terminal, navigated to the file

``````
strings | grep CTF
``````

Gave that a shot to search the file with grep for CTF, and nothing returned in a reasonable amount of time, so restarted.

After a couple of different trials and errors I got this to work

``````
strings strings | grep CTF
``````

### Flag

``````
picoCTF{sTrIngS_sAVeS_Time_d7c8de6c}
``````

# 15 - Pipe

### Solve

During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell.picoctf.com 2015.

### Solution

I know a little about pipe but thought I would do a quick look online http://www.linfo.org/pipes.html

Ran

``````
netcat 2018shell.picoctf.com 2015
``````

Loaded with a message on loop; should have read the solve message: “save the output”.

``````
nc 2018shell.picoctf.com 2015 echo cat * |grep pico
``````

nc = connect to the server

echo = print

`*` = any file

| grep = pico the phrase I’m looking for.

### Flag

``````
picoCTF{almost_like_mario_a13e5b27}
``````

# 16 - Inspect Me

### Solution

Navigated to link. Right click > Inspect.

Sources > Ctrl + F then search for ctf

Immediately, you'll find the first part of the CTF in the code source:

``````
<!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->
``````

As it stated, it's just the first part and so we need to find two more. Unfortunately, it only shows one in Sources. So, I tried having a look around and went to the site's stylesheet `mycss.css`:

``````
/* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_e96dd105} */
``````

Since we're still missing the last part, I checked out the `myjs.js` script and found this:

``````
/* I learned JavaScript! Here's part 3/3 of the flag:  */
``````

For the result, you need only to combine the flag parts into one string.

### Flag

``````
picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}
``````

# 17 - Grep 2

### Solve

This one is a little bit harder. Can you find the flag in /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files on the shell server? Remember, grep is your friend.

### Solution

``````
cd /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files
ls
``````

List of files 0-9

``````
grep 'pico' */*
``````

grep = search

`' '` = string

`*/*` = all files

### Flag

``````
picoCTF{grep_r_and_you_will_find_4baaece4}
``````

# 18 - Aca-Shell-A

### Solve

It's never a bad idea to brush up on those Linux skills or even learn some new ones before you set off on this adventure! Connect with nc 2018shell.picoctf.com 42334.

### Solution

Here are the commands that should be performed to obtain the flag.

``````
cd secret
ls # you will get instructions about deleting intel files
rm intel_*
echo 'Drop it in!'
cd ..
cd executables # because cd ../executables does not work...
./dontLookHere # you'll see craphex on your screen...
whoami
cd ..
cat TopSecret
``````

This is what the output looks like:

``````
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
``````

### Flag

``````
picoCTF{CrUsHeD_It_d6f202f1}
``````

# 19 - Client Side is Still Bad

### Solve

I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8420 (link)

### Solution

Inspected code

Not much in there, let’s take a look at the network tab

and the header request and response

Let’s change that to true

Copied the curl link, replaced admin=True, pasted it in Insomnia and it returned

### Flag

``````
picoCTF{l0g1ns_ar3nt_r34l_aaaaa17a}
``````

# 20 - Desrouleaux

### Solve

Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with `nc 2018shell.picoctf.com 10493`. incidents.json

### Solution

A Python script can be used to answer the questions here based on incidents.json

Input and Output:

``````
nc 2018shell.picoctf.com 10493
# You'll need to consult the file `incidents.json` to answer the following questions.

# What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
> 167.243.246.96
# Correct!

# How many unique destination IP addresses were targeted by the source IP address 4.178.151.99?
> 3
# Correct!

# What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
> 1.29
# Correct!

# Great job. You've earned the flag: picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}
``````

### Flag

``````
picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}
``````
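A sketch of the kind of Python script the Desrouleaux solution refers to, answering the three questions from the session above. This is an added example, not the script used for the original writeup. The JSON layout (a top-level `tickets` list whose entries carry `src_ip`, `dst_ip` and `file_hash`) is an assumption, and the tickets below are constructed sample data rather than the challenge file.

```python
import json
from collections import Counter, defaultdict

# Constructed tickets in the assumed incidents.json layout (not the challenge data).
SAMPLE = json.loads("""
{"tickets": [
 {"ticket_id": 0, "file_hash": "aaaa", "src_ip": "192.0.2.1", "dst_ip": "198.51.100.1"},
 {"ticket_id": 1, "file_hash": "aaaa", "src_ip": "192.0.2.1", "dst_ip": "198.51.100.2"},
 {"ticket_id": 2, "file_hash": "bbbb", "src_ip": "192.0.2.2", "dst_ip": "198.51.100.1"},
 {"ticket_id": 3, "file_hash": "cccc", "src_ip": "192.0.2.1", "dst_ip": "198.51.100.1"},
 {"ticket_id": 4, "file_hash": "bbbb", "src_ip": "192.0.2.3", "dst_ip": "198.51.100.3"},
 {"ticket_id": 5, "file_hash": "bbbb", "src_ip": "192.0.2.2", "dst_ip": "198.51.100.1"}
]}
""")


def most_common_sources(tickets):
    """Question 1: every source IP tied for the highest ticket count."""
    counts = Counter(t["src_ip"] for t in tickets)
    if not counts:
        return []
    top = max(counts.values())
    return sorted(ip for ip, n in counts.items() if n == top)


def unique_destinations(tickets, src_ip):
    """Question 2: distinct destination IPs contacted by one source IP."""
    return {t["dst_ip"] for t in tickets if t["src_ip"] == src_ip}


def mean_destinations_per_file(tickets):
    """Question 3: average number of distinct destinations per file hash."""
    per_file = defaultdict(set)
    for t in tickets:
        per_file[t["file_hash"]].add(t["dst_ip"])
    if not per_file:
        return 0.0
    return round(sum(len(d) for d in per_file.values()) / len(per_file), 2)


if __name__ == "__main__":
    # For the real file: tickets = json.load(open("incidents.json"))["tickets"]
    tickets = SAMPLE["tickets"]
    print(most_common_sources(tickets))
    print(len(unique_destinations(tickets, "192.0.2.1")))
    print(f"{mean_destinations_per_file(tickets):.2f}")
```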

# 21 - Logon

### Solve

I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell1.picoctf.com:57252 (link)

### Solution

Apparently, this only checks the password for the user `admin`. So we can log in using any username, so we can get 3 cookies.

We will change the `admin` cookie from `False` to `True`, refresh the page and then get the flag.

### Flag

``````
picoCTF{l0g1ns_ar3nt_r34l_2a968c11}
``````
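The flaw behind this challenge is that the server trusts an `admin` value the browser is free to edit. The following added example, not code from the challenge or the original writeup, puts that check beside a hardened one that only honours the flag when a server-side HMAC over the cookie verifies. The cookie layout `username|admin|tag`, the key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret that is never sent to the client.
SECRET = b"constructed-demo-key"


def naive_is_admin(cookies: dict) -> bool:
    """Vulnerable check: believes whatever the client put in the cookie."""
    return cookies.get("admin") == "True"


def _tag(username: str, admin: str) -> str:
    msg = f"{username}|{admin}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(username: str, admin: bool) -> str:
    """Server side: bind the username and the admin flag together under a MAC."""
    if "|" in username:
        raise ValueError("'|' is reserved as the field separator")
    flag = "True" if admin else "False"
    return f"{username}|{flag}|{_tag(username, flag)}"


def verified_is_admin(cookie: str) -> bool:
    """Hardened check: the flag counts only if the MAC matches the cookie contents."""
    try:
        username, flag, tag = cookie.rsplit("|", 2)
    except ValueError:
        return False  # malformed cookie
    expected = _tag(username, flag)
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return flag == "True"


if __name__ == "__main__":
    guest = issue_cookie("guest", False)
    tampered = guest.replace("|False|", "|True|")  # the edit described above
    print(naive_is_admin({"admin": "True"}))  # edited cookie is accepted
    print(verified_is_admin(tampered))        # edited cookie is rejected
```

Keeping the role in a server-side session record and sending the client only an opaque session ID avoids the problem altogether; the signed cookie is the smallest change that closes it.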

# 22 - Reading between the eyes

### Solve

Stego-Saurus hid a message for you in this image, can you retrieve it?

### Solution

This is pretty straightforward. Just uploaded the image here and let this tool do the job.

### Flag

``````
picoCTF{r34d1ng_b37w33n_7h3_by73s}
``````

# 23 - Recovering from the snap

### Solve

There used to be a bunch of animals here, what did Dr. Xernon do to them?

### Solution

At first I wasn’t sure what a .dd file was so googled that, found out it is a disk image.

reverseengineering.stackexchange.com/questions/19496/what-to-do-with-dd-files

So I mounted the disk image in Linux and found the images of the animals

Looked at the hint and it said that some files have been deleted from the disk image, but are they really gone?

So I looked into how to recover deleted images from a disk image.

Came across the first tool from cgsecurity.org; this is an open source data recovery application

1. cgsecurity have a couple of applications to play with. I tried photorec first; this needs to be run from the terminal
``````
cd Downloads/
ls
cd testdisk-7.2-WIP
ls -a
chmod +x photorec_static
./photorec_static
``````

Need permission to run

``````
sudo ./photorec_static
``````
2. Loaded, and a heap of Disk /dev/loop# rows appeared. First I started entering ones that were close to 10mb, as that was the animal.dd file size, and couldn’t work out what was going on. Then I noticed the [Next] button, and that kept scrolling through the list, and found one which was 10mb

Clicked `[Proceed]`

Clicked `[Search]`

Clicked `[Other]`

Clicked `[Whole]`

Then you need to save the output file to a directory of choice by pressing C

Quit the program and navigated to the output folder.

Noticed a new folder called

recup_dir.1 > Opened > and found some new images, one being the flag.

### Flag

``````
picoCTF{th3_5n4p_happ3n3d}
``````

### Solve

We captured some traffic logging into the admin panel, can you find the password?

### Solution

1. Opened .pcap file in Wireshark and looked through the entries.

2. Search `http`. This is because whenever you try to log in to any account you have to send data, which uses the `POST` method of HTTP for sending those credentials.

3. Opened the line `68 37.234879 192.168.3.129 192.168.3.128 HTTP 542 POST /login HTTP/1.1 [Packet size limited during capture]` and got the flag

### Flag

``````
picoCTF{n0ts3cur3_9feedfbc}
``````

# 25 - Assembly-0

### Solve

What does `asm0(0xd8,0x7a)` return? Submit the flag as a hexadecimal value (starting with `0x`).

NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at `/problems/assembly-0_1_fc43dbf0079fd5aab87236bf3bf4ac63`.

### Solution

### Flag

# Mac Dark Mode keeps resetting to the standard light mode.

For those who like to use Dark Mode, you might become frustrated each time you return to your Mac, and it's reset itself back to Light Mode.

It can happen after a reboot, a wake up, or starting an app that uses fullscreen mode.

## 3rd Party Conflict

One of the most common problems with this is a third party application that uses a night shield, like Flux and Nightowl.

You can turn them off, or change the setting to prevent this conflict.

After a quick search online I couldn’t find any really helpful answers without spending an hour trawling through comments on forums
