picoCTF2021
Python Wrangling
Description
Python scripts are invoked kind of like programs in the Terminal... Can you run this Python script using this password to get the flag?
Solution:
kali@kali:~/Desktop$ python3 ende.py -d flag.txt.en
Please enter the password:68f88f9368f88f9368f88f9368f88f93
picoCTF{4p0110_1n_7h3_h0us3_68f88f93}
kali@kali:~/Desktop$
Binary Gauntlet 0
Description
This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet?
gauntlet nc -v mercury.picoctf.net 12294
Solution:
Download the program. First, run the strings command on it to look at the plaintext contents. It appears to use an insecure string function, and it expects an input file called flag.txt, so we can create a local flag file and see what happens.
This is a format string attack:
https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b
kali@kali:~/Desktop/pico$ ./gauntlet flag.txt
%7$s
asasasa
The string "asasasa" above is the content of my local flag file, so we know that %7$s prints out the flag.
kali@kali:~/Desktop/pico$ nc -v mercury.picoctf.net 12294
DNS fwd/rev mismatch: mercury.picoctf.net != ec2-18-189-209-142.us-east-2.compute.amazonaws.com
mercury.picoctf.net [18.189.209.142] 12294 (?) open
%7$s
fbd01d62c0e369e6de3d63b4b21d3830
Wave a flag
Description
Can you invoke help flags for a tool or binary? This program has extraordinarily helpful information...
Solution:
kali@kali:~/Desktop/pico$ ./warm -h
Oh, help? I actually don't do much, but I do have this flag here: picoCTF{b1scu1ts_4nd_gr4vy_6635aa47}
kali@kali:~/Desktop/pico$
Information
Description
Files can always be changed in a secret way. Can you find the flag? cat.jpg
Solution:
kali@kali:~/Desktop/pico$ strings cat.jpg > cat.txt
kali@kali:~/Desktop/pico$ leafpad cat.txt
kali@kali:~/Desktop/pico$ exiftool cat.jpg
Notice the lines:
Current IPTC Digest : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice : PicoCTF
The digest is base64 encoded; decode it and you get
picoCTF{the_m3tadata_1s_modified}
Nice netcat
Description
There is a nice program that you can talk to by using this command in a shell: $ nc mercury.picoctf.net 49039, but it doesn't speak English...
Solution:
Connect to the port and notice that it sends back a sequence of decimal numbers:
kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 49039 > net.txt
kali@kali:~/Desktop/pico$ cat net.txt | tr '\012' ' '
112 105 99 111 67 84 70 123 103 48 48 100 95 107 49 116 116 121 33 95 110 49 99 51 95 107 49 116 116 121 33 95 51 100 56 52 101 100 99 56 125 10
Go to the online converter at https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html, convert the decimal values to ASCII and you get the flag:
picoCTF{g00d_k1tty!_n1c3_k1tty!_3d84edc8}
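Instead of pasting the numbers into a web converter, the decoding can be done locally. The following is an added example (my own code, not part of the challenge or the original writeup); it accepts the one-number-per-line form this service prints as well as the bracketed list form the Shop challenge further down this page prints, and it refuses anything that is not byte-sized so a non-byte stream does not quietly turn into nonsense. The sample inputs are constructed and spell a placeholder, not a flag.

```python
import re

# Constructed sample: what a listener might print, one decimal per line, with
# a trailing newline (10). Spells "hi", not a challenge flag.
SAMPLE_STREAM = "104\n105\n10\n"

# Constructed sample in the bracketed list form used by the Shop service
# further down this page.
SAMPLE_BRACKETED = "Flag is: [104 105 33]"

_NUMBER = re.compile(r"\d+")

def decode_decimal_bytes(text):
    """Turn a run of decimal byte values (separated by spaces, newlines or
    commas, optionally wrapped in brackets and prefixed by a digit-free label)
    back into text. Values above 255 are rejected instead of silently mangled,
    so a stream that is not really bytes does not yield a plausible string."""
    numbers = _NUMBER.findall(text)
    if not numbers:
        raise ValueError("no decimal values found")
    data = bytearray()
    for token in numbers:
        value = int(token)
        if value > 255:
            raise ValueError(f"{value} is not a byte value")
        data.append(value)
    # latin-1 maps every byte 0..255 to a character, so decoding cannot fail;
    # the service's trailing newline is dropped from the result.
    return data.decode("latin-1").rstrip("\n")

def looks_like_byte_stream(text):
    """True when every number in the text fits in a byte, i.e. the decoder
    above will accept it."""
    try:
        decode_decimal_bytes(text)
    except ValueError:
        return False
    return True
```

Run it on the saved net.txt with decode_decimal_bytes(open("net.txt").read()); the trailing 10 the service sends is the newline that terminates the flag line.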
Weird File
Description
What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.
Solution:
Open the file in Microsoft Word, enable editing, then go to View -> Macros -> Macros in weird.docm, open the function runpython and find the string
Ret_Val = Shell("python -c 'print(\"cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9\")'" & " " & Args, vbNormalFocus)
Base64-decode the string to get the flag:
picoCTF{m4cr0s_r_d4ng3r0us}
GET aHEAD
Description
Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:28916/
Solution:
Notice that the HTTP response depends purely on the HTTP method of the request. Right now the page sends either GET or POST and gets different results. What if I change the HTTP method to HEAD? Intercept the traffic with Burp and change it.
picoCTF{r3j3ct_th3_du4l1ty_70bc61c4}
Transformation
Description
I wonder what this really is... enc
Solution:
Analysis shows the content is Unicode encoded, so try decoding the string at https://www.online-toolz.com/tools/text-unicode-entities-convertor.php
From "灩捯䍔䙻ㄶ形楴獟楮獴㌴摟潦弸彥㜰㍢㐸㙽" to "%u7069%u636F%u4354%u467B%u3136%u5F62%u6974%u735F%u696E%u7374%u3334%u645F%u6F66%u5F38%u5F65%u3730%u3362%u3438%u367D"
It looks like stripping the %u prefixes leaves hex-encoded ASCII.
kali@kali:~/Desktop/pico$ echo "%u7069%u636F%u4354%u467B%u3136%u5F62%u6974%u735F%u696E%u7374%u3334%u645F%u6F66%u5F38%u5F65%u3730%u3362%u3438%u367D" > enc2
kali@kali:~/Desktop/pico$ sed 's/%u//g' enc2
7069636F4354467B31365F626974735F696E73743334645F6F665F385F65373033623438367D
kali@kali:~/Desktop/pico$ sed 's/%u//g' enc2 | xxd -r -p
picoCTF{16_bits_inst34d_of_8_e703b486}
kali@kali:~/Desktop/pico$
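The sed/xxd pipeline above works because each 16-bit code point holds two ASCII bytes. Here is an added example (my own code, not the challenge's enc generator, which is not on this page) that reconstructs what I assume the encoder does, packing two ASCII characters into one code point with the first character in the high byte, and the two decoders: one for the packed string itself and one for the %uXXXX dump the online converter produced.

```python
import re

_PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")

def pack_16bit(text):
    """Assumed encoder: pack two ASCII characters into one 16-bit code point
    (first byte high, second byte low). Odd-length input is padded with NUL
    so nothing is dropped."""
    text.encode("ascii")          # fail early on anything that is not ASCII
    if len(text) % 2:
        text += "\x00"
    return "".join(chr((ord(text[i]) << 8) | ord(text[i + 1]))
                   for i in range(0, len(text), 2))

def unpack_16bit(packed):
    """Decoder: writing each code point as its two big-endian bytes gives the
    original ASCII back. Same result as the sed | xxd -r -p pipeline."""
    return packed.encode("utf-16-be").decode("ascii").rstrip("\x00")

def from_percent_u(dump):
    """Turn the %uXXXX form produced by the online converter back into the
    packed string, then unpack it."""
    packed = "".join(chr(int(h, 16)) for h in _PERCENT_U.findall(dump))
    return unpack_16bit(packed)
```

unpack_16bit(open("enc", encoding="utf-8").read()) decodes the challenge file directly, without the detour through the converter.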
Static ain't always noise
Description
Can you look at the data in this binary: static? This BASH script might help!
Solution:
kali@kali:~/Desktop/pico$ strings static
The flag is in the output:
picoCTF{d15a5m_t34s3r_ae0b3ef2}
Tab, Tab, Attack
Description
Using tabcomplete in the Terminal will add years to your life, esp. when dealing with long rambling directory structures and filenames: Addadshashanammu.zip
Solution:
Just unzip it, descend to the deepest directory and run
$ strings fang-of-haynekhtnamet | grep pico
*ZAP!* picoCTF{l3v3l_up!_t4k3_4_r35t!_a00cae70}
keygenme-py
Description
Solution:
Read the code. Notice the flag consists of a static part and a dynamic part; we need to work out the dynamic part.
Run the code step by step in a Python console, replacing the input with the real variable.
kali@kali:~$ python3
Python 3.8.2 (default, Apr 1 2020, 15:52:55)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> from cryptography.fernet import Fernet
>>> import base64
>>> username_trial = "ANDERSON"
>>> bUsername_trial = b"ANDERSON"
>>> hashlib.sha256(username_trial).hexdigest()[4]
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: Unicode-objects must be encoded before hashing
>>> hashlib.sha256(bUsername_trial).hexdigest()[4]
'0'
>>> hashlib.sha256(bUsername_trial).hexdigest()[5]
'1'
>>> hashlib.sha256(bUsername_trial).hexdigest()[3]
'5'
>>> hashlib.sha256(bUsername_trial).hexdigest()[6]
'8'
>>> hashlib.sha256(bUsername_trial).hexdigest()[2]
'2'
>>> hashlib.sha256(bUsername_trial).hexdigest()[7]
'4'
>>> hashlib.sha256(bUsername_trial).hexdigest()[1]
'1'
>>> hashlib.sha256(bUsername_trial).hexdigest()[8]
'9'
Put together we get the final flag as:
picoCTF{1n_7h3_|<3y_of_01582419}
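The console session above is enough to write the key derivation down as a function. This is an added example (my own code, not the keygenme source, which is not on this page): the digest positions 4, 5, 3, 6, 2, 7, 1, 8 and their order are read off the session, and the static prefix is taken from the flag. It also shows the bytes-vs-str point behind the TypeError in the session.

```python
import hashlib

# Index order read off the console session above: hex-digest positions
# 4, 5, 3, 6, 2, 7, 1, 8 of SHA-256(username), concatenated in that order.
# Reconstructed from the session; the original keygenme source is not here.
DIGEST_POSITIONS = (4, 5, 3, 6, 2, 7, 1, 8)
KEY_PREFIX = "picoCTF{1n_7h3_|<3y_of_"   # static part, as quoted in the flag

def username_digest(username):
    """hashlib only hashes bytes; hashing a str raises the TypeError seen in
    the session, so encode explicitly (ASCII, the usernames here are ASCII)."""
    return hashlib.sha256(username.encode("ascii")).hexdigest()

def dynamic_part(username):
    """Pick the eight digest characters in the order the checker uses."""
    digest = username_digest(username)
    return "".join(digest[i] for i in DIGEST_POSITIONS)

def full_key(username):
    return KEY_PREFIX + dynamic_part(username) + "}"
```

full_key("ANDERSON") reproduces the flag; for any other username it yields the key that the same check would accept, which is the usual lesson of a keygen challenge: a key that is a pure function of public input is no secret.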
Matryoshka doll
Description
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this
Solution:
Use binwalk to extract the embedded zip file from the image, and repeat the process until you reach the flag file.
https://book.hacktricks.xyz/stego/stego-tricks
https://trailofbits.github.io/ctf/forensics/
kali@kali:~/Desktop/pico$ binwalk -e dolls.jpg
picoCTF{bf6acf878dcbd752f4721e41b1b1b66b}
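What binwalk -e does here is find a zip local-file header inside the JPEG and carve from that offset. The following is an added example (my own code, not binwalk and not the challenge file) that does the same thing with the standard library and repeats it until no further archive is found. The nested sample is constructed in memory with a fake JPEG prefix and a placeholder flag; the helper assumes each doll holds a single member.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # zip local file header signature

def build_sample():
    """Constructed sample: a fake JPEG prefix followed by an in-memory zip
    whose only member is another fake JPEG with a zip appended, mimicking a
    nested doll. Not the challenge file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("flag.txt", "placeholder-flag")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("base_images/doll2.jpg",
                   b"\xff\xd8\xff\xe0 fake jpeg " + inner.getvalue())
    return b"\xff\xd8\xff\xe0 fake jpeg outer " + outer.getvalue()

def find_embedded_zip(data):
    """Offset of the first zip local-file header in data, or -1."""
    return data.find(ZIP_MAGIC)

def carve_zip(data):
    """Open the archive that starts at the first PK header inside data."""
    off = find_embedded_zip(data)
    if off < 0:
        raise ValueError("no zip signature found")
    return zipfile.ZipFile(io.BytesIO(data[off:]))

def unwrap_dolls(data, max_depth=10):
    """Carve archives out of carved members until a member contains no
    further archive. Returns (depth, name, bytes) of the innermost file;
    max_depth guards against a file that nests forever."""
    depth, name = 0, "<top>"
    while depth < max_depth and find_embedded_zip(data) >= 0:
        with carve_zip(data) as z:
            name = z.namelist()[0]   # assumption: one member per doll
            data = z.read(name)
        depth += 1
    return depth, name, data
```

unwrap_dolls(open("dolls.jpg", "rb").read()) walks the real file; if the innermost member is not the flag, inspect z.namelist() at each level instead of taking the first entry.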
crackme-py
Description
Solution:
Inspect the source code. Notice it already contains a decrypt function (decode_secret); we just need to call it from the program. Add two lines:
print("the secret is")
decode_secret(bezos_cc_secret)
And get the flag:
picoCTF{1|\/|_4_p34|\|ut_a79b6c2d}
Magikarp Ground Mission
Description
Do you know how to move between directories and read files in the shell? Start the container, `ssh` to it, and then `ls` once connected to begin. Login via `ssh` as `ctf-player` with the password, `6dee9772`
Solution:
This one is easy. Just follow the instructions to collect all three pieces of the flag after ssh-ing into the machine:
picoCTF{xxsh_0ut_0f_\/\/4t3r_540e4e79}
Cookies
Description
Who doesn't love cookies? Try to figure out the best one. http://mercury.picoctf.net:64944/
Solution:
Check out the site and notice it sets a cookie called name with the value -1. Try changing the cookie value to see what happens.
The browser tools do not help much here; use Burp to intercept the traffic.
Notice the sequence of requests, send each one to Repeater and change the cookie value.
The third request actually responds differently when you modify the cookie value. Keep changing the value until the flag shows up.
picoCTF{3v3ry1_l0v3s_c00k135_cc9110ba}
Wireshark doo dooo do doo...
Description
Can you find the flag? shark1.pcapng
Solution:
Open the file with Wireshark. Searching for words like pico or CTF finds nothing.
The next step is to look at the TCP stream contents.
Filtering on "tcp.stream eq 5" shows content in the flag format:
Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}
Decoding this Caesar cipher gives
picoCTF{p33kab00_1_s33_u_deadbeef}
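Rather than guessing the shift, it is easy to try all 26 and keep the one that produces the expected flag prefix. The following is an added example (my own code, not part of the original writeup); non-letters such as digits, braces and underscores pass through untouched, which is why the digits in the ciphertext above already read correctly.

```python
def caesar_shift(text, shift):
    """Shift ASCII letters by `shift` positions, preserving case; every other
    character passes through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def find_shift(ciphertext, marker="picoCTF{"):
    """Try all 26 shifts and return (shift, plaintext) for the first one whose
    output contains the marker; None if no shift produces it."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if marker in candidate:
            return shift, candidate
    return None
```

find_shift on the stream content reports shift 13, i.e. ROT13, which is its own inverse: caesar_shift(plaintext, 13) gives the ciphertext back.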
speeds and feeds
Description
There is something on my shop network running at nc mercury.picoctf.net 33596, but I can't tell what it is. Can you?
Solution:
After connecting to the port, it prints a long list of lines like this:
G0Z0.1
G0X194.8276Y3.3103
G1Z0.1
G1X195.3793Y3.5862
G1X195.6552Y4.1379
G1X195.6552Y4.9655
G1X195.3793Y5.5172
G1X194.8276Y5.7931
G0Z0.1
Save all the output to a local file.
kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 33596 > my.txt
We need to figure out what kind of code this is.
Take the hint: "What language does a CNC machine use?"
A Google search for "What language does a CNC machine use?" shows it is called G-code.
Then search for "g-code simulator online".
Upload the saved file to the simulator and you get the flag:
picoCTF{num3r1cal_c0ntr0l_e7749028}
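The simulator is drawing the G1 moves as connected lines and treating each G0 (rapid, pen-up) move as the start of a new stroke. The following is an added example (my own code, not the challenge's generator or any simulator) that parses the output into polylines so the shapes can be plotted or inspected offline; the sample is constructed from the lines shown above plus a second short stroke. It assumes the service only uses G0, G1 and the X, Y, Z words seen above.

```python
import re

# Constructed sample in the shape of the output above: G0 is a rapid (pen-up)
# move, G1 a cutting/drawing move. Two separate strokes.
SAMPLE_GCODE = """G0Z0.1
G0X194.8276Y3.3103
G1Z0.1
G1X195.3793Y3.5862
G1X195.6552Y4.1379
G1X195.6552Y4.9655
G1X195.3793Y5.5172
G1X194.8276Y5.7931
G0Z0.1
G0X200.0Y3.0
G1X201.0Y3.0
G1X201.0Y4.0
"""

_WORD = re.compile(r"([GXYZ])(-?\d+(?:\.\d+)?)")

def parse_words(line):
    """Split one G-code line such as 'G1X195.3793Y3.5862' into {letter: value}."""
    return {letter: float(value) for letter, value in _WORD.findall(line.strip())}

def strokes(gcode):
    """Group G1 moves into polylines. A G0 ends the current stroke and starts
    a new one at the position it rapids to; a Z-only line changes no X/Y and
    is ignored apart from keeping the current position."""
    result, current = [], []
    x = y = None
    for line in gcode.splitlines():
        words = parse_words(line)
        if "G" not in words:
            continue
        nx, ny = words.get("X", x), words.get("Y", y)
        if words["G"] == 0:
            if len(current) > 1:
                result.append(current)
            current = [(nx, ny)] if nx is not None else []
        elif words["G"] == 1 and ("X" in words or "Y" in words):
            current.append((nx, ny))
        x, y = nx, ny
    if len(current) > 1:
        result.append(current)
    return result

def bounding_box(polylines):
    """(min_x, min_y, max_x, max_y) over all points, handy for scaling a plot."""
    xs = [p[0] for s in polylines for p in s]
    ys = [p[1] for s in polylines for p in s]
    return min(xs), min(ys), max(xs), max(ys)
```

strokes(open("my.txt").read()) gives a list of point lists that matplotlib's plot() or any line-drawing routine can render; the bounding box tells you how to scale the flag text to the screen.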
Shop
Description
Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf.net 24851.
Solution:
Download the source code and extract its strings, but that does not help much.
Connect to the port: it runs a shopping application. The hint says to consider corner cases.
Exploring around, notice you can earn coins by purchasing a negative number of items. The idea is then that the Fruitful Flag item holds the flag, and you need 100 coins to buy it.
kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 24851
Welcome to the market!
=====================
You have 40 coins
Item Price Count
(0) Quiet Quiches 10 12
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
0
How many do you want to buy?
-1
You have 50 coins
Item Price Count
(0) Quiet Quiches 10 13
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
0
How many do you want to buy?
-10000000000000
You have 50 coins
Item Price Count
(0) Quiet Quiches 10 13
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
0
How many do you want to buy?
-2
You have 70 coins
Item Price Count
(0) Quiet Quiches 10 15
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
0
How many do you want to buy?
-3
You have 100 coins
Item Price Count
(0) Quiet Quiches 10 18
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
2
How many do you want to buy?
1
Flag is: [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 53 51 50 98 99 100 57 56 125]
Converting these decimal values to ASCII gives the flag:
picoCTF{b4d_brogrammer_532bcd98}
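The transcript shows the bug precisely: cost is price times quantity with no check on the sign of the quantity, so a negative purchase is a refund for goods never sold. Here is an added example (my own model of the observed behaviour, not the shop's source) with the vulnerable purchase logic beside a hardened version that validates the quantity before any arithmetic touches the balance. Prices, stock and the starting 40 coins match the menu above. The real service left the balance unchanged for the -10000000000000 attempt, presumably because of a limit or fixed-width overflow in its own integers; Python integers are unbounded, so this model does not reproduce that detail.

```python
class VulnerableShop:
    """Mirrors the transcript: cost = price * quantity with no sign check, so
    a negative quantity credits the account. A model, not the service's code."""

    def __init__(self, coins=40):
        self.coins = coins
        # item id -> [name, price, stock], matching the menu above
        self.items = {
            0: ["Quiet Quiches", 10, 12],
            1: ["Average Apple", 15, 8],
            2: ["Fruitful Flag", 100, 1],
        }

    def buy(self, item, qty):
        name, price, stock = self.items[item]
        cost = price * qty
        if cost > self.coins or qty > stock:
            return False
        self.coins -= cost          # negative cost credits the account
        self.items[item][2] -= qty  # and stock goes up
        return True


class HardenedShop(VulnerableShop):
    """Reject anything that is not a positive, bounded integer quantity."""

    MAX_QTY = 1000  # sane upper bound; keeps price * qty small as well

    def buy(self, item, qty):
        if type(qty) is not int or not 0 < qty <= self.MAX_QTY:
            raise ValueError("quantity must be an integer from 1 to %d" % self.MAX_QTY)
        if qty > self.items[item][2]:
            raise ValueError("not enough stock")
        return super().buy(item, qty)


def purchase_rejected(shop, item, qty):
    """True when the shop refuses the purchase with a ValueError."""
    try:
        shop.buy(item, qty)
    except ValueError:
        return True
    return False
```

Replaying the transcript against VulnerableShop (buy(0, -1), buy(0, -2), buy(0, -3)) takes the balance from 40 to 100, exactly as above; HardenedShop refuses at the first negative quantity. Note that type(qty) is int deliberately excludes bool, which Python would otherwise accept as 0 or 1.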
What's your input?
Description
We'd like to get your input on a couple things. Think you can answer my questions correctly? in.py nc mercury.picoctf.net 13142
Solution:
Download the source code in.py and read it. It looks like the first question does not matter; you need to answer the second question correctly to get the flag.
Connect to the service and try some inputs:
kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 13142
What's your favorite number?
Number? 34
You said: 34
Okay...
What's the best city to visit?
City? London
City? 1==2
You said: False
City? 1-1=0
City? 1==1
You said: True
Thanks for your input!
Interesting: when you enter a city name, it does not accept the value, but if you enter a logical expression it evaluates it and prints False or True.
Trying the code on a local machine shows this is Python 2.7 behaviour; under Python 3 it works as expected.
kali@kali:~/Desktop/pico$ python
Python 2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> res = input("City? ")
City? London
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
NameError: name 'London' is not defined
>>> London
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'London' is not defined
>>> res = input("City? ")
City? 1==1
>>> print("You said: {}".format(res))
You said: True
A Google search for "python 2.7 input name is not defined" turns up this:
https://stackoverflow.com/questions/21122540/input-error-nameerror-name-is-not-defined
Following the idea from that article:
kali@kali:~/Desktop/pico$ nc mercury.picoctf.net 13142
What's your favorite number?
Number? 23
You said: 23
Okay...
What's the best city to visit?
City? city
You said: Nashville
I agree!
picoCTF{v4lua4bl3_1npu7_4379065}
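The root cause is that Python 2's input() is raw_input() followed by eval(), so the answer text runs as an expression in the program's namespace: a city name is an undefined variable (NameError), 1==1 is a comparison, and the name of the variable holding the answer evaluates to the answer itself. The following is an added example (my own code, not in.py, whose variable names are not on this page; the name city and the value Nashville are assumptions) that reproduces the behaviour beside the Python 3 semantics, where input is data and never code.

```python
# Constructed stand-in for the variables in.py keeps server-side. The real
# variable name is not on this page; `city` is an assumption.
SERVER_NAMESPACE = {"city": "Nashville"}

def python2_style_input(raw):
    """Python 2 input() = eval(raw_input()): the answer text is evaluated as
    an expression in the server's namespace. Reproduced on purpose to show the
    behaviour; builtins are stripped so this demo only exposes name lookups
    and operators, not the full Python 2 footgun."""
    return eval(raw, {"__builtins__": {}}, dict(SERVER_NAMESPACE))

def python3_style_input(raw):
    """Python 3 input() (or Python 2 raw_input()): the text is data, never code."""
    return raw

def is_correct_city(answer):
    """The server's comparison, which only a string equal to the answer passes."""
    return answer == SERVER_NAMESPACE["city"]

def name_lookup_fails(raw):
    """True when evaluating the text raises NameError, as 'London' did above."""
    try:
        python2_style_input(raw)
    except NameError:
        return True
    return False
```

With python2_style_input, the string "city" becomes "Nashville" and passes the check without the client ever knowing the answer; with python3_style_input the same string stays "city" and fails. On Python 2 the fix is to use raw_input() (or, on a code base that must run on both, to guard against input() evaluating anything at all).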
Scavenger Hunt
Description
There is some interesting information hidden around this site http://mercury.picoctf.net:55079/. Can you find it?
Solution:
The pieces of the flag are scattered in different places, and we need to find them all.
First piece: check the homepage source code
<!-- Here's the first part of the flag: picoCTF{t -->
Second piece: check the CSS source at mycss.css in the developer tools:
/* CSS makes the page look nice, and yes, it also has part of the flag. Here's part 2: h4ts_4_l0 */
Third piece: myjs.js (from the developer tools) contains the hint "/* How can I keep Google from indexing my website? */",
so check robots.txt:
# Part 3: t_0f_pl4c
And there is another hint: "# I think this is an apache server... can you Access the next flag?"
Fourth piece:
http://mercury.picoctf.net:55079/.htaccess
# Part 4: 3s_2_lO0k
Along with the hint "# I love making websites on my Mac, I can Store a lot of information there."
Fifth piece:
This is the hardest one. At first I thought it was index.html.en, which was mentioned in many posts. After googling a lot I finally found this: https://logicintel.com/removing-ds_store-files-on-linux-server/
http://mercury.picoctf.net:55079/.DS_Store
Congrats! You completed the scavenger hunt. Part 5: _74cceb07}
Putting all the pieces together, the flag is:
picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_74cceb07}
MacroHard WeakEdge
Description
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
Solution:
First tried File -> Info -> Inspect Presentation and then View -> Macro; nothing found.
Then tried checking the metadata and other hidden information online at https://products.aspose.app/slides/family, without luck.
More research on the pptm file format led me to this article:
https://docs.fileformat.com/presentation/pptm/
So a pptm file is actually a zip file.
Change the file extension from pptm to zip, then unzip it.
Tried grep, but nothing containing pico or CTF turned up:
kali@kali:~/Desktop/pico$ grep pico -r ./Forensics_is_fun_2/*
kali@kali:~/Desktop/pico$ grep CTF -r ./Forensics_is_fun_2/*
Looking through the unzipped folder, notice there is a file called hidden under ppt -> slideMasters.
Remove the spaces, then base64-decode it and you get the flag:
kali@kali:~/Desktop/pico/Forensics_is_fun_2/docProps$ echo "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q" | sed 's/ //g' | base64 -d
flag: picoCTF{D1d_u_kn0w_ppts_r_z1p5}
kali@kali:~/Desktop/pico/Forensics_is_fun_2/docProps$
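A quicker way to find a file like hidden in an Office package is to compare the zip listing with the package's own manifest: every legitimate part is covered by a Default extension or an Override part name in [Content_Types].xml, so a member that neither covers is worth a look. The following is an added example (my own code, not part of the original writeup); the sample package is a constructed, minimal stand-in for a pptm with one stray file, and the base64 helper does what the sed | base64 -d pipeline above does, restoring the padding that the spaced-out string lacks.

```python
import base64
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def build_sample_pptm():
    """Constructed stand-in for an Office package: a minimal content-types
    manifest, one referenced slide master, and one stray file that no
    manifest entry covers (like the `hidden` file found above)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/ppt/slideMasters/slideMaster1.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("ppt/slideMasters/slideMaster1.xml", "<p:sldMaster/>")
        z.writestr("ppt/slideMasters/hidden", "Z m x h Z w")   # stray part
    return buf.getvalue()

def covered_parts(zf):
    """Extensions and explicit part names declared in [Content_Types].xml."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    exts = {d.get("Extension").lower() for d in root.iter(CT_NS + "Default")}
    parts = {o.get("PartName") for o in root.iter(CT_NS + "Override")}
    return exts, parts

def unmanifested_files(package_bytes):
    """Names of zip members that neither a Default extension nor an Override
    part name accounts for; these are the ones to inspect first."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        exts, parts = covered_parts(zf)
        stray = []
        for name in zf.namelist():
            if name == "[Content_Types].xml" or name.endswith("/"):
                continue
            basename = name.rsplit("/", 1)[-1]
            ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
            if ext in exts or "/" + name in parts:
                continue
            stray.append(name)
    return stray

def decode_spaced_base64(text):
    """Drop whitespace, restore stripped '=' padding, decode."""
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode()
```

unmanifested_files(open("Forensics is fun.pptm", "rb").read()) works on the original file without renaming it, since zipfile does not care about the extension.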
Who are you?
Description
Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn http://mercury.picoctf.net:34588/
Solution:
This challenge is a series of requirements you have to meet in the HTTP request.
Use Burp to intercept a request and send it to Repeater.
The first one is obvious: only use PicoBrowser:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 PicoBrowser
Next one: don't trust users coming from another site. Add the header
Referer: http://mercury.picoctf.net:34588
Next one: the site is only available in 2018. Add the header
Date: Tue, 15 Nov 2018 08:12:31 GMT
Next one: they don't like users being tracked. Add the header
DNT: 0 (Do Not Track header)
Next one: only accept users from Sweden. This means we need to tell the web server that my client IP is in Sweden. Add the header
X-Forwarded-For: 31.15.33.12 (you can google search Sweden IP)
Last one: you need to speak Swedish. It turns out there is a browser language identification header; add Swedish to it:
Accept-Language: en-US,en;q=0.9,sv
And you get the flag:
picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_79e451a7}
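Two of the headers above are worth a closer look from the server side. X-Forwarded-For is appended to by each proxy, so only the hop added by a proxy the application trusts means anything; everything to its left came from the client, which is why a hand-written value works against a server that reads the header naively. Accept-Language carries q-values, and a tag without one (sv above) counts as q=1, so it ties with en-US rather than ranking last. The following is an added example (my own code, not the challenge server, whose checks are not on this page) showing how a server should read both; the trusted proxy range is an assumption.

```python
import ipaddress

# Constructed: the reverse-proxy range this application trusts (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def real_client_ip(remote_addr, xff_header):
    """Walk X-Forwarded-For from the right, skipping trusted proxies; the
    first untrusted address is the client. Anything further left was supplied
    by the client and carries no weight. With no trusted proxy in the path the
    header is ignored entirely and the socket peer is the client."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain = hops + [remote_addr]
    for addr in reversed(chain):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return remote_addr

def preferred_languages(accept_language):
    """Language tags ordered by q-value (missing q means 1.0), ties kept in
    header order, q=0 entries dropped."""
    entries = []
    for i, part in enumerate(accept_language.split(",")):
        tag, _, params = part.strip().partition(";")
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        if tag and q > 0:
            entries.append((-q, i, tag))
    return [tag for _, _, tag in sorted(entries)]
```

With the header from the challenge, preferred_languages returns en-US, sv, en: a server that only checks the first tag would still reject the request, while one that checks membership accepts it. real_client_ip returns the socket peer whenever no trusted proxy sits in front, so a client-supplied X-Forwarded-For never changes the result.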
Some Assembly Required 1
Description
http://mercury.picoctf.net:40226/index.html
Solution:
Connect to the site and enter some random input. Then open the developer tools, watch the Network tab and notice that no traffic is captured. Refresh the page and find there is a request to JIFxzHyW8W. Check its response and find the flag:
picoCTF{cb688c00b5a2ede7eaedcae883735759}
This one is actually easier than some of the earlier challenges.
Some Assembly Required 2
110 points
Tags: picoCTF 2021, Web Exploitation
Author: Sears Schulz
Description
http://mercury.picoctf.net:44570/index.html
Solution:
Similar to the Some Assembly Required 1 challenge, use Burp to intercept the traffic.
Notice the request to /aD8SvhyVkb.
At the end of the response there is a string
+xakgK\Ns><m:i1>1991:nkjl<ii1j0n=mm09
Use the CyberChef Magic operation with Intensive Mode and you get the flag:
picoCTF{64e2a9691192fcbd4aa9b8f5ee8134a2}