Pico CTF 2018

01 - Forensics Warmup 1

Solve

Can you unzip this file for me and retrieve the flag?

Solution

  • Download the zip file
  • Unzip folder
  • Open image
  • Flag in plain text

Flag

picoCTF{welcome_to_forensics}

02 - Forensics Warmup 2

Solve

Hmm for some reason I can't open this PNG? Any ideas?

Solution

Simply open the image

Flag

picoCTF{extensions_are_a_lie}

03 - General Warmup 1

Solve

If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?

Solution

I actually don’t know much about hexadecimal, so let’s take a look. I don’t think it’s going to be as straightforward as 0x41 = 0.

Anyways I typed 0x41= in google and it gave me the answer of 65. That was too easy so I want to look further.

ASCII

https://bluesock.org/~willg/dev/ascii.html

Looking at the ascii table there are a number of columns

Char | Dec | Oct | Hex

Hex = 0x41 <— this must be our number

Oct = 0101

Dec = 65 <— what google gave me

Char = A <— I’m going to assume this is the answer we’re looking for.

If we look at the above link and scroll to common ascii codes to know you will see.

“A 65 0101 0x41 capital A”

Flag

picoCTF{A}

04 - General Warmup 2

Solve

Can you convert the number 27 (base 10) to binary (base 2)?

Solution

Pretty straightforward using an online converter like:

http://www.unitconversion.org/numbers/base-10-to-base-2-conversion.html

Flag

picoCTF{11011}

05 - General Warmup 3

Solve

What is 0x3D (base 16) in decimal (base 10).

Solution

Flag

picoCTF{61}

06 - Resources

Solve

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources

Solution

Open up link, right click > inspect > Ctrl + F

search CTF found

Flag

picoCTF{xiexie_ni_lai_zheli}

Looked back at the page and it is in plain text on the site so probably didn’t need to go through those steps.

07 - Reversing Warmup 1

Solve

Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934 on the shell server and run this program to retrieve the flag?

Solution

Opened up the shell server

cd /problems/reversing-warmup-1_4_6b2499250c4624337a1948ac374c4934
ls

You’ll see the file ‘run’ highlighted in green, which looks like an executable file, so use:

./run

Flag

picoCTF{welc0m3_t0_r3VeRs1nG}

08 - Reversing Warmup 2

Solve

Can you decode the following string from base64 format to ASCII?

dGg0dF93NHNfczFtcEwz

Solution

https://base64decode.org

Flags

picoCTF{th4t_w4s_s1mpL3}

09 - Crypto Warmup 1

Solve

Crypto can often be done by hand, here's a message you got from a friend,

llkjmlmpadkkc

with the key of

thisisalilkey

Can you use this table to solve it?

Solution

There is a link to download the table to decrypt this. I don’t know much about it at all, so let’s have a look at some online cipher tools to see which one can crack it first.

Not really sure which one to start with? Hmmm…

Instead of filling this with a heap of different tools I tried here is the one that worked.

https://planetcalc.com/2468/

So it looks like there is some sort of crypto algorithm called Vigenere using some ROT#

Flag

picoCTF{secretmessage}

10 - Crypto Warmup 2

Solve

Cryptography doesn't have to be complicated, have you ever heard of something called rot13?

cvpbPGS{guvf_vf_pelcgb!}

Solution

So this is going back to the rot#, I found in the last task, simple google search rot13 decoder > https://rot13.com

Flags

picoCTF{this_is_crypto!}
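
What the online tools in Crypto Warmup 1 and 2 are doing, as an added example that is not part of the original write-up: Vigenère decryption subtracts each key letter from the matching ciphertext letter mod 26, and rot13 is the same operation with the one-letter key "n". The function names are my own.

```python
import string


def vigenere_decrypt(ciphertext, key):
    """Subtract each key letter (a=0 ... z=25) from the ciphertext letter, mod 26.

    Non-letters pass through unchanged and do not consume a key letter;
    the case of each ciphertext letter is preserved.
    """
    shifts = [string.ascii_lowercase.index(k) for k in key.lower()]
    out = []
    i = 0  # position in the key, advanced only on letters
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[i % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """rot13 is Vigenère with key 'n' (shift 13); 13 + 13 = 26, so it is its own inverse."""
    return vigenere_decrypt(text, "n")


if __name__ == "__main__":
    # Message and key from Crypto Warmup 1, ciphertext from Crypto Warmup 2
    print(vigenere_decrypt("llkjmlmpadkkc", "thisisalilkey"))
    print(rot13("cvpbPGS{guvf_vf_pelcgb!}"))
```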

11 - Grep 1

Solve

Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59 on the shell server.

Solution

Go to directory

cd /problems/grep-1_0_c0c0c16438cdbee39591397e16389f59

See what is in there

ls

returned with “file”

cat file | grep pico

Flag

picoCTF{grep_and_you_will_find_52e63a9f}

12 - Net Cat

Solve

Using netcat (nc) will be a necessity throughout your adventure. Can you connect to get the flag?

2018shell.picoctf.com port 49387

Solution

Use netcat or nc

netcat 2018shell.picoctf.com 49387

Flag

picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}

13 - HEEEEEEERE’S Johnny!

Solve

Okay, so we found some important looking files on a Linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 42165.

Files can be found here: passwd shadow.

Solution

Downloaded the two files

Password and Shadow

opened them in a text editor and had

Password

root:x:0:0:root:/root:/bin/bash

Shadow

root:$6$IGI9prWh$ZHToiAnzeD1Swp.zQzJ/Gv.iViy39EmjVsg3nsZlfejvrAjhmp5jY.1N6aRbjFJVQX8hHmTh7Oly3NzogaH8c1:17770:0:99999:7:::

Connecting to 2018shell.picoctf.com 42165

It asked me to login straight away.

I tried root > toor as I can see the user is root from the password and shadow file.

Only because I’ve used John the Ripper before, I tried this on localhost and I got the password

The matrix

Flag

picoCTF{J0hn_1$_R1pp3d_289677b5}

14 - Strings

Solve

Alright, can you find the flag in this file without actually running it?

You will be able to find the file in /problems/strings440d221755b4a0b134c2a7a2e825ef95f on the shell server.

Solution

Navigate to the folder

cd /problems/strings_1_c7bac958dd6a4b695dc72446d8014f59

The file was executable so I ran it to see what would happen; as expected it's a file with a string in a loop.

Reloaded the shell terminal and navigated to the file

strings | grep CTF

Gave that a shot to search the file with grep for CTF, and nothing returned in a reasonable amount of time, so I restarted.

After a couple of different trials and errors I got this to work

strings strings | grep CTF

Flag

picoCTF{sTrIngS_sAVeS_Time_d7c8de6c}

15 - Pipe

Solve

During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell.picoctf.com 2015.

Solution

I know a little about pipe but thought I would do a quick look online http://www.linfo.org/pipes.html

Ran

netcat 2018shell.picoctf.com 2015

Loaded with a message on loop. Should have read the solve message: “save the output”

nc 2018shell.picoctf.com 2015 echo cat * |grep pico

nc = connect to the server

echo = print

cat = read

*= any file

| grep = pico, the phrase I’m looking for.

Flag

picoCTF{almost_like_mario_a13e5b27}

16 - Inspect Me

Solve

Inspect this code! http://2018shell.picoctf.com:47428 (link)

Solution

Navigated to link. Right click > Inspect.

Sources > Ctrl + F then search for ctf

Immediately, you'll find the first part of the CTF in the code source:

<!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->

As it stated, it's just the first part and so we need to find two more. Unfortunately, it only shows one in Sources. So, I tried having a look around and went to the site's stylesheet mycss.css:

 /* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_e96dd105} */ 

Since we're still missing the last part, I checked out the myjs.js script and found this:

/* I learned JavaScript! Here's part 3/3 of the flag:  */

For the result, you need only to combine the flag parts into one string.

Flag

picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}

17 - Grep 2

Solve

This one is a little bit harder. Can you find the flag in /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files on the shell server? Remember, grep is your friend.

Solution

cd /problems/grep-2_1_ef31faa711ad74321a7467978cb0ef3a/files
ls

List of files 0-9

grep 'pico' */*

grep = search

' ' = string

*/* = all files

Flag

picoCTF{grep_r_and_you_will_find_4baaece4}

18 - Aca-Shell-A

Solve

It's never a bad idea to brush up on those Linux skills or even learn some new ones before you set off on this adventure! Connect with nc 2018shell.picoctf.com 42334.

Solution

Here are the commands that should be performed to obtain the flag.

cd secret
ls # you will get instructions about deleting intel files
rm intel_*
echo 'Drop it in!'
cd ..
cd executables # because cd ../executables does not work...
./dontLookHere # you'll see craphex on your screen...
whoami 
cd ..
cp /tmp/TopSecret passwords
cd passwords
cat TopSecret

This is what the output looks like:

Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.

Flag

picoCTF{CrUsHeD_It_d6f202f1}

19 - Client Side is Still Bad

Solve

I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8420 (link)

Solution

Clicked on Sign In and it said "Incorrect Password"

Inspected code

Not much in there, let's take a look at the network tab

and the header request and response

found login

response header has set-cookie: admin=False

let's change that to true

Copied the curl link, replaced it with admin=True, pasted it in Insomnia and it returned

Flag

picoCTF{l0g1ns_ar3nt_r34l_aaaaa17a}

20 - Desrouleaux

Solve

Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 10493. incidents.json

Solution

A python script can be used to answer the questions here based on incidents.json

Input and Output:

nc 2018shell.picoctf.com 10493
# You'll need to consult the file `incidents.json` to answer the following questions.

# What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
> 167.243.246.96
# Correct!

# How many unique destination IP addresses were targeted by the source IP address 4.178.151.99?
> 3
# Correct!

# What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
> 1.29
# Correct!

# Great job. You've earned the flag: picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}

Flag

picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}

21 - Logon

Solve

I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell1.picoctf.com:57252 (link)

Solution

Apparently, this only checks the password for the user admin, so we can log in using any username and get 3 cookies.

We will change the admin cookie from False to True, refresh the page and then get the flag.

Flag

picoCTF{l0g1ns_ar3nt_r34l_2a968c11}
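
The weakness in this challenge and in 19 - Client Side is Still Bad is a server that trusts an admin cookie the browser can edit. As an added example (not the challenge's code and not part of the original write-up), here is that check next to one that signs the cookie with an HMAC so an edited value is rejected; the function names, cookie layout and secret are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # hypothetical server-side secret, never sent to the client


def is_admin_vulnerable(cookies):
    """The flawed check: believes whatever admin value the browser sends back."""
    return cookies.get("admin") == "True"


def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username, admin):
    """Server side: bind the username and admin flag together under an HMAC tag."""
    payload = f"{username}|{admin}"
    return f"{payload}|{_tag(payload)}"


def is_admin_hardened(cookie):
    """Accept the admin flag only if the tag still matches the payload."""
    try:
        username, admin, tag = cookie.rsplit("|", 2)
    except ValueError:
        return False  # malformed cookie
    expected = _tag(f"{username}|{admin}")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return admin == "True"


if __name__ == "__main__":
    guest = issue_cookie("guest", False)
    edited = guest.replace("|False|", "|True|")   # the edit made in the browser
    print(is_admin_vulnerable({"admin": "True"}))  # flawed check accepts the edit
    print(is_admin_hardened(edited))               # signed check rejects it
```

A server-side session store, where the cookie holds only a random session id, removes the flag from the client entirely.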

22 - Reading between the eyes

Solve

Stego-Saurus hid a message for you in this image, can you retrieve it?

Solution

This is pretty straightforward. I just uploaded the image here and let this tool do the job.

Flag

picoCTF{r34d1ng_b37w33n_7h3_by73s}

23 - Recovering from the snap

Solve

There used to be a bunch of animals here, what did Dr. Xernon do to them?

Solution

  1. Download the animals.dd file

At first I wasn’t sure what a .dd file was so googled that, found out it is a disk image.

reverseengineering.stackexchange.com/questions/19496/what-to-do-with-dd-files

So I mounted the disk image in Linux and found the images of the animals

Looked at the hint and it said that some files have been deleted from the disk image, but are they really gone?

So I looked into how to recover deleted images from a disk image.

Came across the first tool from cgsecurity.org; this is an open source data recovery application

Downloaded and installed, had to read through the docs quickly to make sense of it.

  2. cgsecurity has a couple of applications to play with. I tried photorec first; this needs to be run from the terminal
cd Downloads/
ls
cd testdisk-7.2-WIP
ls -a
chmod +x photorec_static
./photorec_static

Need permission to run

sudo ./photorec_static
  3. Loaded and a heap of Disk /dev/loop# rows appeared. At first I started entering ones that were close to 10mb, as that was the animals.dd file size, and couldn’t work out what was going on. Then I noticed the [Next] button, which kept scrolling through the list, and found one which was 10mb

Clicked [Proceed]

Clicked [Search]

Clicked [Other]

Clicked [Whole]

Then you need to save the output file to a directory of choice by pressing C

Quit the program and navigated to the output folder.

Noticed a new folder called

recup_dir.1 > Opened > and found some new images, one being the flag.

Flag

picoCTF{th3_5n4p_happ3n3d}

24 - Admin Panel

Solve

We captured some traffic logging into the admin panel, can you find the password?

Solution

  1. Opened .pcap file in Wireshark and looked through the entries.

  2. Search for http. This is because whenever you log in to any account you have to send data, and HTTP uses the POST method for sending those credentials.

  3. Opened the line 68 37.234879 192.168.3.129 192.168.3.128 HTTP 542 POST /login HTTP/1.1 [Packet size limited during capture] and got the flag

Flag

picoCTF{n0ts3cur3_9feedfbc} 

25 - Assembly-0

Solve

What does asm0(0xd8,0x7a) return? Submit the flag as a hexadecimal value (starting with 0x).

NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/assembly-0_1_fc43dbf0079fd5aab87236bf3bf4ac63.

Solution

Flag


More from Adam Martelletti