The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it! Connect to the program with netcat:$ nc saturn.picoctf.net 50366The program's source code with the flag redacted can be downloaded here


Notice the piece of source code: 

if ((entry_number = strtol(entry, NULL, 10)) == 0) { 


    fseek(stdin, 0, SEEK_END); 





kali@kali:~/Desktop/pico2022$ nc saturn.picoctf.net 50366 

Hi, welcome to my echo chamber! 

Type '1' to enter a phrase into our database 

Type '2' to echo a phrase in our database 

Type '3' to exit the program 

Please enter your data: 



Please enter the length of your data: 

Your entry number is: 1 

Write successful, would you like to do anything else? 

Please enter the entry number of your data: 








We found this weird message being passed around on the servers, we think we have a working  decryption scheme. Download the message here.Take each number mod 37 and map it to the following character set: 0-25 is the alphabet (uppercase), 26-35 are the decimal digits, and 36 is an underscore.Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message}


Create a mapping table, then calculate the mod 

kali@kali:~$ for i in `echo "202 137 390 235 114 369 198 110 350 396 390 383 225 258 38 291 75 324 401 142 288 397 "`; do expr $i % 37; done 






A new modular challenge! Download the message here.Take each number mod 41 and find the modular inverse for the result. Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits, and 37 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message}


Run this command to get the mod. 

for i in `echo "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370  "`; do expr $i % 41; done 


Then use online tool to calculate their modular inverse and then map the table. 





buffer overflow 0 


Smash the stack. Let's start off simple, can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using:nc saturn.picoctf.net 65355 


This is format string attack. 


Download the program, create a local flag.txt file. Try format string to see where to see the content of falg.txt. Apply the same to the server. 


kali@kali:~/Desktop/pico2022$ ls -al vuln 

-rw------- 1 kali kali 16016 Mar 15 23:09 vuln 

kali@kali:~/Desktop/pico2022$ chmod +x vuln 

kali@kali:~/Desktop/pico2022$ echo "THISISAFLAG" > flag.txt 

kali@kali:~/Desktop/pico2022$ ./vuln 

Input: %x%x%x%x%x%x%x%x%x%x 



kali@kali:~/Desktop/pico2022$ nc saturn.picoctf.net 65355 

Input: %x%x%x%x%x%x%x%x%x%x 





We found a leak of a blackmarket website's login credentials. Can you find the password of the user cultiris and successfully decrypt it? Download the leak here.The first user in usernames.txt corresponds to the first password in passwords.txt. The second user corresponds to the second password, and so on. 


So basically just need to locate the line number of username and find the corresponding password. 

kali@kali:~/Desktop/pico2022/leak$ grep cultiris -n usernames.txt  


kali@kali:~/Desktop/pico2022/leak$ head -378 passwords.txt 


And you will find the password is cvpbPGS{P7e1S_54I35_71Z3} 


This is caesar cipher, decode it we get: 





Enter the CVE of the vulnerability as the flag with the correct flag format:picoCTF{CVE-XXXX-XXXXX} replacing XXXX-XXXXX with the numbers for the matching vulnerability. The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in the Windows Print Spooler Service, which is available across desktop and server versions of Windows operating systems. The service is used to manage printers and print servers. 


Google search "windows print spooler service rce vulnerability 2021" 






Download this image file and find the flag. 


So this is a svg file. A vector-based image file. 

Cat the content of the file, and notice 


      id="tspan3764">F { 3 n h 4 n </tspan><tspan 





      id="tspan3752">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text> 





A program has been provided to you, what happens if you try to run it on the command line? Download the program here


This one is really easy. Just copy the file to Kali, chmod it and run it. 

kali@kali:~/Desktop/pico2022$ file run 

run: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9fa9c4d805e9a77142375b406526cb97b1aae60b, for GNU/Linux 3.2.0, not stripped 

kali@kali:~/Desktop/pico2022$ chmod +x run 

kali@kali:~/Desktop/pico2022$ ./run 

The flag is: picoCTF{U51N6_Y0Ur_F1r57_F113_e5559d46}kali@kali:~/Desktop/pico2022$  





Another program, but this time, it seems to want some input. What happens if you try to run it on the command line with input "Hello!"?Download the program here


Another super easy one. 

kali@kali:~/Desktop/pico2022$ file run3 

run3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=689b8959bc0a65415698970bbb93ed2788442ffb, for GNU/Linux 3.2.0, not stripped 

kali@kali:~/Desktop/pico2022$ chmod +x run3 

kali@kali:~/Desktop/pico2022$ ./run3 

Run this file with only one argument. 

kali@kali:~/Desktop/pico2022$ ./run3 Hello 

Won't you say 'Hello!' to me first? 

kali@kali:~/Desktop/pico2022$ ./run3 Hello! 

The flag is: picoCTF{F1r57_4rgum3n7_96f2195f} 

File types 


This file was found among some files marked confidential but my pdf reader cannot read it, maybe yours can. You can download the file from here


The file flag.pdf is a script file. Need to install a package for the script to run. After running the script, you get an output file that is compressed multiple times with multiple compression programs. First two layers you can use default file explore to decompress. The rest requires some compression programs you have to install and apply the proper file extension for it to continue. Eventually you will get it. 


395238  file Flag.pdf  

395239  cat Flag.pdf  

395240  chmod +x Flag.pdf  

395241  sh ./Flag.pdf 

395242  mv Flag.pdf Flag.sh 

395243  sh ./Flag.sh  

395244  cat Flag.sh  

395245  eedecode 

395246  uudecode 

395247  sudo apt-get install sharutils 

395248  uudecode 

395249  sh ./Flag.sh  

395250  ls 

395251  cat flag.txt  

395252  rm flag.txt 

395253  cat out.txt  

395254  ls 

395255  mkdir test 

395256  cd test 

395257  cp ../Flag.sh . 

395258  ls 

395259  sh ./Flag.sh  

395260  ls 

395261  cat flag 

395262  file flag 

395263  ls -al 

395264  cat flag  

395265  file flag 

395266  rm flag 

395267  sh ./Flag.sh  

395268  ls -al 

395269  file flag 

395270  ar flag 

395271  ar -p flag 

395272  file flag  : after this it is a cpio archieve file, and you can just use File Explorer to uncommpress it. 

395273  cd ttt 

395274  ls -al 

395275  cat flag  

395276  file flag  

395277  bzip2 

395278  bzip2 --help 

395279  ls 

395280  bzip2 -d flag 

395281  bunzip2 flag 

395282  ls -al 

395283  cat flag.out  

395284  file flag.out 

395285  gunzip flag.out 

395286  ls 

395287  cp flag.out flag.gz 

395288  gunzip flag.gz 

395289  ls 

395290  cat flag 

395291  file flag 

395292  lzip 

395293  lunzip 

395294  sudo apt-get install -y lunzip 

395295  ls 

395296  lunzip flag 

395297  mv flag.out flag.out.bak 

395298  lunzip flag 

395299  ls 

395300  cat flag.out 

395301  file flag.out 

395302  sudo apt-get -y install lz4 

395303  lz4 

395304  lz4 --help 

395305  lz4 -d flag.out 

395306  lz4 -d flag.out flag2 

395307  cat flag2 

395308  file flag2 

395309  tar --lzma -xvf flag2 

395310  ls 

395311  ls -al 

395312  cat flag2 

395313  cat flag.out 

395314  file flag2 

395315  tar --lzma -xvf flag2 

395316  ls -al 

395317  cd bbb 

395318  ls 

395319  cp ../flag2 . 

395320  tar --lzma -xvf flag2 

395321  ls 

395322  ls -al 

395323  file flag2 

395324  sudo apt-get install lzma 

395325  lzma 

395326  lzma -h 

395327  lzma -d flag2 

395328  cp flag2 flag2.lama 

395329  lzma -d flag2.lama 

395330  ls 

395331  file flag2.lama 

395332  cp flag2 flag2.lzma 

395333  lzma -d flag2.lzma 

395334  ls 

395335  cat flag2 

395336  mv flag2  

395337  mv flag2 flag2.bak 

395338  lzma -d flag2.lzma 

395339  ls 

395340  cat flag2 

395341  file flag2 

395342  lzop 

395343  sudo apt-get install lzop 

395344  lzop --help 

395345  lzop -d flag2 

395346  mv flag2 flag2.lzo 

395347  lzop -d flag2.lzo 

395348  ls 

395349  file flag2 

395350  lzip 

395351  lunzip flag2 

395352  ls 

395353  file flag2.out 

395354  sudo apt-get install xz-utils 

395355  unxz flag.out 

395356  ls 

395357  unxz flag2.out 

395358  mv flag2.out flag2.xz 

395359  unxz flag2.xz 

395360  ls 

395361  file flag2 

395362  cat flag2 

kali@kali:~/Desktop/pico2022/test/ttt/bbb$ cat flag2 




Convert hex to ascii you get: 




GDB Test Drive 


Can you get the flag? Download this binary.Here's the test drive instructions: 


Follow the instruction and you will get the flag: 




Can you get the flag? Go to this website and see what you can discover. 


Go to the website. Nothing in robots.txt. Check out the source code of the page. Notice it includes style.css and script.js. Click on them and combine the content.  


This actually matches the description. The HTML code includes files supporting its content. 




Inspect HTML 


Can you get the flag? Go to this website and see what you can discover. 


This one is super easy. Go to the site and inspect the source code. 



Local Authority 


Can you get the flag? Go to this website and see what you can discover. 


Go to site, try with random username/password. You get an error page. Inspect the source code of the error page, you will see some code and link to  

<script src="secure.js"></script> 


Open the secure.js file, you will see the username and password. 

function checkPassword(username, password) 

  if( username === 'admin' && password === 'strongPassword098765' ) 


Login you get the flag: 



Lookey here 


Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it. Download the data here


kali@kali:~/Desktop/pico2022$ ls -al anthem.flag.txt  

-rw------- 1 kali kali 108668 Mar 16 01:49 anthem.flag.txt 

kali@kali:~/Desktop/pico2022$ grep flag anthem.flag.txt  

kali@kali:~/Desktop/pico2022$ grep -i flag anthem.flag.txt  

kali@kali:~/Desktop/pico2022$ grep -i ctf anthem.flag.txt  

   we think that the men of picoCTF{gr3p_15_@w3s0m3_58f5c024} 





Morse code is well known. Can you decrypt this?Download the file here.Wrap your answer with picoCTF{}, put underscores in place of pauses, and use all lowercase. 


Download the wav file. Google online and you get find an online morse decode tool for wav file: