Pico CTF 2018
November 23, 2019
01 - Forensics Warmup 1
Solve
Can you unzip this file for me and retrieve the flag?
Solution
- Download the zip file
- Unzip folder
- Open image
- Flag in plain text
Flag
picoCTF{welcome_to_forensics}
02 - Forensics Warmup 2
Solve
Hmm for some reason I can't open this PNG? Any ideas?
Solution
Simply open the image
Flag
picoCTF{extensions_are_a_lie}
03 - General Warmup 1
Solve
If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?
Solution
I actually don’t know much about hexadecimal, so let's take a look. I don’t think it’s going to be as straightforward as 0x41 = 0.
Anyway, I typed 0x41= in Google and it gave me the answer of 65. That was too easy, so I wanted to look further.
ASCII
https://bluesock.org/~willg/dev/ascii.html
Looking at the ASCII table, there are a number of columns:
Char | Dec | Oct | Hex
Hex = 0x41 <— this must be our number
Oct = 0101
Dec = 65 <— what google gave me
Char = A <— I’m going to assume this is the answer we’re looking for.
If we look at the above link and scroll to "common ASCII codes to know", you will see:
“A 65 0101 0x41 capital A”
Flag
picoCTF{A}
04 - General Warmup 2
Solve
Can you convert the number 27 (base 10) to binary (base 2)?
Solution
Pretty straightforward using an online converter like:
http://www.unitconversion.org/numbers/base-10-to-base-2-conversion.html
Flag
picoCTF{11011}
05 - General Warmup 3
Solve
What is 0x3D (base 16) in decimal (base 10).
Solution
- https://www.hexadecimaldictionary.com/hexadecimal/0x3D/
- Not sure how hexadecimal works 100%, but the above site gives you the answer with a brief description.
Flag
picCTF{61}
06 - Resources
Solve
We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources
Solution
Open up the link, right click > Inspect > Ctrl + F
Search for CTF, found
Flag
picoCTF{xiexie_ni_lai_zheli}
Looked back at the page and it is in plain text on the site so probably didn’t need to go through those steps.
07 - Reversing Warmup 1
Solve
Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934 on the shell server and run this program to retrieve the flag?
Solution
Opened up the shell server
cd /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934
ls
You’ll see the file ‘run’ highlighted in green, which looks like an executable file, so use:
./run
Flag
picoCTF{welc0m3_t0_r3VeRs1nG}
08 - Reversing Warmup 2
Solve
Can you decode the following string from base64 format to ASCII?
dGg0dF93NHNfczFtcEwz
Solution
Flag
picoCTF{th4t_w4s_s1mpL3}
09 - Crypto Warmup 1
Solve
Crypto can often be done by hand, here's a message you got from a friend,
llkjmlmpadkkc
with the key of
thisisalilkey
Can you use this table to solve it?
Solution
There is a link to download the table to decrypt this. I don’t know much about it at all, so let's have a look at some online cipher tools to see which one can crack it first.
Not really sure which one to start with? Hmmm…
Instead of filling this with a heap of different tools I tried, here is the one that worked.
So it looks like there is some sort of crypto algorithm called Vigenere using some ROT#.
Flag
picoCTF{secretmessage}
10 - Crypto Warmup 2
Solve
Cryptography doesn't have to be complicated, have you ever heard of something called rot13?
cvpbPGS{guvf_vf_pelcgb!}
Solution
So this is going back to the rot# I found in the last task. A simple Google search for rot13 decoder > https://rot13.com
Flag
picoCTF{this_is_crypto!}
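The two crypto warm-ups above use the same operation: Vigenere subtracts a repeating key letter from each ciphertext letter modulo 26, and ROT13 is the special case of a one-letter key "n" (a shift of 13). The following is an added example, not code from the original write-up; the function names are chosen here for illustration.

```python
import string

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Subtract each key letter from each ciphertext letter, modulo 26.

    Case is preserved. Non-letters pass through unchanged and do not
    consume a key letter, so braces and underscores in a flag survive.
    """
    shifts = [ord(k) - ord("a") for k in key.lower() if k in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key must contain at least one ASCII letter")
    out, used = [], 0
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

def rot13(text: str) -> str:
    # "n" is letter 13, so ROT13 is Vigenere with the one-letter key "n".
    # 13 + 13 = 26, which is why applying it twice returns the input.
    return vigenere_decrypt(text, "n")

if __name__ == "__main__":
    # Inputs are the ciphertexts and key quoted in the two challenges.
    print(vigenere_decrypt("llkjmlmpadkkc", "thisisalilkey"))
    print(rot13("cvpbPGS{guvf_vf_pelcgb!}"))
```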
11 - Grep 1
Solve
Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59 on the shell server.
Solution
Go to directory
cd /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59
See what is in there
ls
returned with “file”
cat file | grep pico
Flag
picoCTF{grep_and_you_will_find_52e63a9f}
12 - Net Cat
Solve
Using netcat (nc) will be a necessity throughout your adventure. Can you connect to 2018shell.picoctf.com port 49387 to get the flag?
Solution
Use netcat or nc
netcat 2018shell.picoctf.com 49387
Flag
picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}
13 - HEEEEEEERE’S Johnny!
Solve
Okay, so we found some important looking files on a Linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 42165.
Files can be found here: passwd shadow.
Solution
Downloaded the two files
Password and Shadow
opened them in a text editor and had
Password
root:x:0:0:root:/root:/bin/bash
Shadow
root:$6$IGI9prWh$ZHToiAnzeD1Swp.zQzJ/Gv.iViy39EmjVsg3nsZlfejvrAjhmp5jY.1N6aRbjFJVQX8hHmTh7Oly3NzogaH8c1:17770:0:99999:7:::
Connecting to 2018shell.picoctf.com 42165
It asked me to login straight away.
I tried root > toor, as I can see the user is root from the password and shadow files.
Only because I’ve used John the Ripper before, I tried this on localhost and I got the password
The matrix
Flag
picoCTF{J0hn_1$_R1pp3d_289677b5}
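To read the shadow entry shown above, this added example (not part of the original write-up) splits the line into its nine fields and reports the crypt(3) scheme, salt and rounds, which is what tells you how expensive the stored hash is to guess against. The function and dictionary names are illustrative; the input line is copied from the write-up.

```python
from datetime import date, timedelta

# The shadow entry exactly as quoted in the write-up above.
SHADOW_LINE = ("root:$6$IGI9prWh$ZHToiAnzeD1Swp.zQzJ/Gv.iViy39EmjVsg3nsZlfejvrAjhmp5jY."
               "1N6aRbjFJVQX8hHmTh7Oly3NzogaH8c1:17770:0:99999:7:::")

# crypt(3) scheme identifiers handled by this example.
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}

def parse_shadow_line(line: str) -> dict:
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, last_change, _min_age, max_age = fields[:5]
    entry = {"user": user, "locked": pw[:1] in ("!", "*"),
             "scheme": None, "salt": None, "rounds": None}
    # A hashed password looks like $id$salt$hash or $id$rounds=N$salt$hash.
    parts = pw.lstrip("!").split("$")
    if len(parts) >= 4 and parts[0] == "":
        entry["scheme"] = CRYPT_IDS.get(parts[1], f"other (${parts[1]}$)")
        if parts[1] in ("5", "6"):
            if parts[2].startswith("rounds="):
                entry["rounds"], entry["salt"] = int(parts[2][7:]), parts[3]
            else:
                # SHA-crypt uses 5000 rounds when no rounds= field is present.
                entry["rounds"], entry["salt"] = 5000, parts[2]
        elif parts[1] == "1":
            entry["salt"] = parts[2]
    # Field 3 counts days since 1970-01-01; field 5 is the maximum password age.
    entry["last_changed"] = (date(1970, 1, 1) + timedelta(days=int(last_change))
                             if last_change else None)
    entry["max_age_days"] = int(max_age) if max_age else None
    return entry

if __name__ == "__main__":
    for key, value in parse_shadow_line(SHADOW_LINE).items():
        print(f"{key:13} {value}")
```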
14 - Strings
Solve
Alright, can you find the flag in this file without actually running it?
You will be able to find the file in /problems/strings440d221755b4a0b134c2a7a2e825ef95f on the shell server.
Solution
Navigate to the folder
cd /problems/strings_1_c7bac958dd6a4b695dc72446d8014f59
The file was executable so I ran it to see what would happen; as expected it's a file with a string in a loop.
Reloaded the shell terminal and navigated to the file
strings | grep CTF
Gave that a shot to search the file with grep for CTF, and nothing returned in a reasonable amount of time, so I restarted.
After a couple of different trials and errors, I got this to work:
strings strings | grep CTF
Flag
picoCTF{sTrIngS_sAVeS_Time_d7c8de6c}
15 - Pipe
Solve
During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell.picoctf.com 2015.
Solution
I know a little about pipe but thought I would do a quick look online http://www.linfo.org/pipes.html
Ran
netcat 2018shell.picoctf.com 2015
It loaded with a message on loop; I should have read the solve message: “save the output”.
nc 2018shell.picoctf.com 2015 echo cat * |grep pico
nc = connect to the server
echo = print
cat = read
*= any file
| grep = pico, the phrase I’m looking for.
Flag
picoCTF{almost_like_mario_a13e5b27}
16 - Inspect Me
Solve
Inspect this code! http://2018shell.picoctf.com:47428 (link)
Solution
Navigated to link. Right click > Inspect.
Sources > Ctrl + F, then search for ctf
Immediately, you'll find the first part of the CTF in the code source:
<!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->
As it stated, it's just the first part and so we need to find two more. Unfortunately, it only shows one in Sources. So, I tried having a look around and went to the site's stylesheet mycss.css:
/* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_e96dd105} */
Since we're still missing the last part, I checked out the myjs.js script and found this:
/* I learned JavaScript! Here's part 3/3 of the flag: */
For the result, you need only to combine the flag parts into one string.
Flag
picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}
17 - Grep 2
Solve
This one is a little bit harder. Can you find the flag in /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files on the shell server? Remember, grep is your friend.
Solution
cd /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files
ls
List of files 0-9
grep 'pico' */*
grep = search
' ' = string
*/* = all files
Flag
picoCTF{grep_r_and_you_will_find_4baaece4}
18 - Aca-Shell-A
Solve
It's never a bad idea to brush up on those Linux skills or even learn some new ones before you set off on this adventure! Connect with nc 2018shell.picoctf.com 42334.
Solution
Here are the commands that should be performed to obtain the flag.
cd secret
ls # you will get instructions about deleting intel files
rm intel_*
echo 'Drop it in!'
cd ..
cd executables # because cd ../executables does not work...
./dontLookHere # you'll see craphex on your screen...
whoami
cd ..
cp /tmp/TopSecret passwords
cd passwords
cat TopSecret
This is what the output looks like:
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
Flag
picoCTF{CrUsHeD_It_d6f202f1}
19 - Client Side is Still Bad
Solve
I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8420 (link)
Solution
Clicked on Sign In and it said "Incorrect Password"
Inspected the code
Not much in there, let's take a look at the network tab
and the request and response headers
Found login
The response header has set-cookie: admin=False
Let's change that to True
Copied the curl link, replaced the cookie with admin=True, pasted it into Insomnia and it returned
Flag
picoCTF{l0g1ns_ar3nt_r34l_aaaaa17a}
20 - Desrouleaux
Solve
Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 10493. incidents.json
Solution
A python script can be used to answer the questions here based on incidents.json
Input and Output:
nc 2018shell.picoctf.com 10493
# You'll need to consult the file `incidents.json` to answer the following questions.
# What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
> 167.243.246.96
# Correct!
# How many unique destination IP addresses were targeted by the source IP address 4.178.151.99?
> 3
# Correct!
# What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
> 1.29
# Correct!
# Great job. You've earned the flag: picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}
Flag
picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}
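The write-up mentions a Python script but does not include it, so here is an added example (not the author's script) that answers the three question types from the session above. The JSON layout with a top-level "tickets" list and the field names src_ip, dst_ip and file_hash are assumptions, and the sample tickets are constructed with documentation-range addresses.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the assumed layout of incidents.json.
SAMPLE = json.loads("""
{"tickets": [
  {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.1", "file_hash": "aaaa"},
  {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.2", "file_hash": "aaaa"},
  {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.1", "file_hash": "bbbb"},
  {"src_ip": "192.0.2.20", "dst_ip": "198.51.100.3", "file_hash": "bbbb"},
  {"src_ip": "192.0.2.20", "dst_ip": "198.51.100.3", "file_hash": "cccc"}
]}
""")["tickets"]

def most_common_sources(tickets):
    """All source IPs tied for the highest ticket count (any one is accepted)."""
    counts = Counter(t["src_ip"] for t in tickets)
    top = max(counts.values())
    return sorted(ip for ip, n in counts.items() if n == top)

def unique_destinations(tickets, src_ip):
    """Number of distinct destination IPs targeted by one source IP."""
    return len({t["dst_ip"] for t in tickets if t["src_ip"] == src_ip})

def avg_destinations_per_file(tickets):
    """Mean number of distinct destination IPs per file hash, to 2 decimals."""
    dsts = defaultdict(set)
    for t in tickets:
        dsts[t["file_hash"]].add(t["dst_ip"])
    return round(sum(len(s) for s in dsts.values()) / len(dsts), 2)

if __name__ == "__main__":
    # For the real file: tickets = json.load(open("incidents.json"))["tickets"]
    print(most_common_sources(SAMPLE))
    print(unique_destinations(SAMPLE, "192.0.2.10"))
    print(avg_destinations_per_file(SAMPLE))
```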
21 - Logon
Solve
I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell1.picoctf.com:57252 (link)
Solution
Apparently, this only checks the password for the user admin. So we can log in using any username, so we can get 3 cookies.
We will change the admin cookie from False to True, refresh the page and then get the flag.
Flag
picoCTF{l0g1ns_ar3nt_r34l_2a968c11}
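Both "Client Side is Still Bad" and "Logon" come down to the server believing an admin value that the browser controls. This added example (not code from either challenge site) puts that check beside a hardened one that only accepts a value carrying a server-side HMAC; the cookie names, the "user|flag|tag" layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # never leaves the server

def is_admin_vulnerable(cookies: dict) -> bool:
    # The flaw: the decision rests on a value the client can edit freely.
    return cookies.get("admin") == "True"

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(username: str, admin: bool) -> str:
    """Build 'username|flag|tag' after the server has authenticated the user."""
    payload = f"{username}|{'1' if admin else '0'}"
    return f"{payload}|{_tag(payload)}"

def is_admin_hardened(cookies: dict) -> bool:
    try:
        username, flag, tag = cookies.get("session", "").rsplit("|", 2)
    except ValueError:
        return False  # missing or malformed cookie
    expected = _tag(f"{username}|{flag}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # any edit to the payload invalidates the tag
    return flag == "1"

if __name__ == "__main__":
    print(is_admin_vulnerable({"admin": "True"}))        # edited cookie accepted
    guest = issue_session("guest", admin=False)
    forged = guest.replace("|0|", "|1|")                 # same edit, signed cookie
    print(is_admin_hardened({"session": forged}))        # rejected
```

In practice the same result is usually reached by keeping the role in a server-side session store and sending the browser only a random session identifier.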
22 - Reading between the eyes
Solve
Stego-Saurus hid a message for you in this image, can you retrieve it?
Solution
This is pretty straightforward. I just uploaded the image here and let this tool do the job.
Flag
picoCTF{r34d1ng_b37w33n_7h3_by73s}
23 - Recovering from the snap
Solve
There used to be a bunch of animals here, what did Dr. Xernon do to them?
Solution
- Download the animals.dd file
At first I wasn’t sure what a .dd file was, so I googled that and found out it is a disk image.
reverseengineering.stackexchange.com/questions/19496/what-to-do-with-dd-files
So I mounted the disk image in Linux and found the images of the animals.
Looked at the hint and it said that some files have been deleted from the disk image, but are they really gone?
So I looked into how to recover deleted images from a disk image.
Came across the first tool from cgsecurity.org; this is an open source data recovery application.
Downloaded and installed it, had to read through the docs quickly to make sense of it.
- cgsecurity has a couple of applications to play with. I tried photorec first; this needs to be run from the terminal:
cd Downloads/
ls
cd testdisk-7.2-WIP
ls -a
chmod +x photorec_static
./photorec_static
Need permission to run
sudo ./photorec_static
- It loaded and a heap of Disk /dev/loop# rows appeared. First I started entering ones that were close to 10mb, as that was the animals.dd file size, and couldn’t work out what was going on. Then I noticed the [Next] button, kept scrolling through the list and found one which was 10mb.
Clicked [Proceed]
Clicked [Search]
Clicked [Other]
Clicked [Whole]
Then you need to save the output file to a directory of choice by pressing C
Quit the program and navigated to the output folder.
Noticed a new folder called recup_dir.1 > Opened > and found some new images, one being the flag.
Flag
picoCTF{th3_5n4p_happ3n3d}
24 - Admin Panel
Solve
We captured some traffic logging into the admin panel, can you find the password?
Solution
Opened the .pcap file in Wireshark and looked through the entries.
Search http. This is because whenever you try to log in to any account you have to send data, which uses POST, a method used by HTTP for sending those credentials.
- Opened the line
68 37.234879 192.168.3.129 192.168.3.128 HTTP 542 POST /login HTTP/1.1 [Packet size limited during capture]
and get the flag
Flag
picoCTF{n0ts3cur3_9feedfbc}
25 - Assembly-0
Solve
What does asm0(0xd8,0x7a) return? Submit the flag as a hexadecimal value (starting with 0x).
NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/assembly-0_1_fc43dbf0079fd5aab87236bf3bf4ac63.
Solution
Flag