picoCTF2022
basic-file-exploit
Description
The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it! Connect to the program with netcat:
$ nc saturn.picoctf.net 50366
The program's source code with the flag redacted can be downloaded here.
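Notice this piece of the source code. strtol returns 0 when the entry is not a number, so any non-numeric entry number takes this branch and prints the flag:
if ((entry_number = strtol(entry, NULL, 10)) == 0) {
    puts(flag);
    fseek(stdin, 0, SEEK_END);
    exit(0);
}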
kali@kali:~/Desktop/pico2022$ nc saturn.picoctf.net 50366
Hi, welcome to my echo chamber!
Type '1' to enter a phrase into our database
Type '2' to echo a phrase in our database
Type '3' to exit the program
1
1
Please enter your data:
fgfdgfd
fgfdgfd
Please enter the length of your data:
4
4
Your entry number is: 1
Write successful, would you like to do anything else?
2
2
Please enter the entry number of your data:
%x%x%x%x
%x%x%x%x
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_25D6CDDB}
basic-mod1
Description
We found this weird message being passed around on the servers, we think we have a working decryption scheme. Download the message here. Take each number mod 37 and map it to the following character set: 0-25 is the alphabet (uppercase), 26-35 are the decimal digits, and 36 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})
Create a mapping table, then compute each number mod 37:
kali@kali:~$ for i in `echo "202 137 390 235 114 369 198 110 350 396 390 383 225 258 38 291 75 324 401 142 288 397 "`; do expr $i % 37; done
picoCTF{R0UND_N_R0UND_B6B25531}
basic-mod2
Description
A new modular challenge! Download the message here. Take each number mod 41 and find the modular inverse for the result. Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits, and 37 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})
Run this command to get each number mod 41:
for i in `echo "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370 "`; do expr $i % 41; done
Then use an online tool to calculate the modular inverse of each result, and map the inverses through the table.
picoCTF{1NV3R53LY_H4RD_DADAACAA}
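Both basic-mod1 and basic-mod2 can be decoded in one script instead of a shell loop plus an online tool. This is an added example, not part of the original write-up; the function names are my own, and the messages are the numbers from the commands above.

```python
import string

# Both challenges use A-Z, then 0-9, then underscore (37 symbols).
CHARSET = string.ascii_uppercase + string.digits + "_"

# Messages copied from the shell commands above.
MSG_MOD1 = "202 137 390 235 114 369 198 110 350 396 390 383 225 258 38 291 75 324 401 142 288 397"
MSG_MOD2 = "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370"

def decode_mod1(message):
    """basic-mod1: n mod 37 indexes the character set directly (0 = 'A')."""
    return "".join(CHARSET[int(n) % 37] for n in message.split())

def decode_mod2(message):
    """basic-mod2: invert (n mod 41) modulo 41; the inverse is 1-based (1 = 'A')."""
    out = []
    for n in message.split():
        residue = int(n) % 41
        if residue == 0:
            raise ValueError(f"{n} is a multiple of 41 and has no modular inverse")
        inverse = pow(residue, -1, 41)  # modular inverse, Python 3.8+
        if inverse > len(CHARSET):
            raise ValueError(f"inverse {inverse} of {n} is outside the 1-37 table")
        out.append(CHARSET[inverse - 1])
    return "".join(out)

def wrap(decoded):
    """Put the decoded message into the picoCTF flag format."""
    return "picoCTF{" + decoded + "}"

if __name__ == "__main__":
    print(wrap(decode_mod1(MSG_MOD1)))
    print(wrap(decode_mod2(MSG_MOD2)))
```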
buffer overflow 0
Description
Smash the stack. Let's start off simple, can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using:
nc saturn.picoctf.net 65355
This is a format string attack.
https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b
Download the program and create a local flag.txt file. Try a format string as input to see the content of flag.txt, then apply the same input to the server.
kali@kali:~/Desktop/pico2022$ ls -al vuln
-rw------- 1 kali kali 16016 Mar 15 23:09 vuln
kali@kali:~/Desktop/pico2022$ chmod +x vuln
kali@kali:~/Desktop/pico2022$ echo "THISISAFLAG" > flag.txt
kali@kali:~/Desktop/pico2022$ ./vuln
Input: %x%x%x%x%x%x%x%x%x%x
THISISAFLAG
kali@kali:~/Desktop/pico2022$ nc saturn.picoctf.net 65355
Input: %x%x%x%x%x%x%x%x%x%x
picoCTF{ov3rfl0ws_ar3nt_that_bad_34d6b87f}
credstuff
Description
We found a leak of a blackmarket website's login credentials. Can you find the password of the user cultiris and successfully decrypt it? Download the leak here. The first user in usernames.txt corresponds to the first password in passwords.txt. The second user corresponds to the second password, and so on.
So we just need to locate the line number of the username and find the password on the same line number.
kali@kali:~/Desktop/pico2022/leak$ grep cultiris -n usernames.txt
378:cultiris
kali@kali:~/Desktop/pico2022/leak$ head -378 passwords.txt
The last line printed (line 378) is the password: cvpbPGS{P7e1S_54I35_71Z3}
This is a Caesar cipher. Decoding it gives:
picoCTF{C7r1F_54V35_71M3}
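The same lookup and decode as a script, generalized to try every Caesar shift against the known flag prefix. This is an added example, not part of the original write-up: the username and password lists are constructed stand-ins for usernames.txt and passwords.txt (only the cultiris entry is taken from the page), and the function names are my own.

```python
import string

# Constructed stand-ins for usernames.txt / passwords.txt (same line = same account).
USERNAMES = ["alice", "bob", "cultiris", "dave"]
PASSWORDS = ["qrpbl_bar", "qrpbl_gjb", "cvpbPGS{P7e1S_54I35_71Z3}", "qrpbl_guerr"]

def password_for(user, usernames, passwords):
    """Return the password on the same line as `user`, or None if absent."""
    for name, pw in zip(usernames, passwords):
        if name == user:
            return pw
    return None

def caesar_shift(text, shift):
    """Rotate ASCII letters by `shift`, leaving digits and punctuation alone."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(
        lower + upper,
        lower[shift:] + lower[:shift] + upper[shift:] + upper[:shift],
    )
    return text.translate(table)

def crack_caesar(ciphertext, crib="picoCTF{"):
    """Try all 26 shifts; return (shift, plaintext) for the one matching the crib."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if candidate.startswith(crib):
            return shift, candidate
    return None

if __name__ == "__main__":
    leaked = password_for("cultiris", USERNAMES, PASSWORDS)
    print(leaked, crack_caesar(leaked))
```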
CVE-XXXX-XXXX
Description
Enter the CVE of the vulnerability as the flag with the correct flag format: picoCTF{CVE-XXXX-XXXXX} replacing XXXX-XXXXX with the numbers for the matching vulnerability. The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in the Windows Print Spooler Service, which is available across desktop and server versions of Windows operating systems. The service is used to manage printers and print servers.
Google search "windows print spooler service rce vulnerability 2021"
picoCTF{CVE-2021-34527}
Enhance!
Description
Download this image file and find the flag.
This is an SVG file, a vector-based image format.
Cat the content of the file and notice the text hidden in tspan elements with a tiny white font:
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3764">F { 3 n h 4 n </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11588"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3752">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text>
picoCTF{3nh4nc3d_24374675}
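Rather than reading the XML by eye, the text elements with an unreadably small font can be pulled out programmatically. This is an added example, not part of the original write-up: the SVG below is a constructed sample modelled on the fragment above, and the function names and the 1px threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed sample: one visible caption plus text split over two tiny white tspans.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <text x="10" y="20" style="font-size:12px;fill:#000000;">visible caption</text>
  <text x="107.43" y="132.08"><tspan x="107.43" y="132.08"
      style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;">e x a m p l e { t 1 n y </tspan><tspan
      x="107.43" y="132.11"
      style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;">_ t 3 x t }</tspan></text>
</svg>"""

def font_size_px(style):
    """Extract the font-size in px from an inline style attribute, or None."""
    match = re.search(r"font-size:\s*([0-9.]+)px", style or "")
    return float(match.group(1)) if match else None

def tiny_text(svg_source, threshold_px=1.0):
    """Concatenate text from <text>/<tspan> elements smaller than threshold_px."""
    root = ET.fromstring(svg_source)
    parts = []
    for element in root.iter():
        if element.tag not in (SVG_NS + "text", SVG_NS + "tspan"):
            continue
        size = font_size_px(element.get("style"))
        if size is not None and size < threshold_px and element.text:
            parts.append(element.text)
    # The hidden text is spaced out character by character; drop the whitespace.
    return "".join("".join(parts).split())

if __name__ == "__main__":
    print(tiny_text(SAMPLE_SVG))
```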
file-run1
Description
A program has been provided to you, what happens if you try to run it on the command line? Download the program here.
This one is really easy. Just copy the file to Kali, chmod it and run it.
kali@kali:~/Desktop/pico2022$ file run
run: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9fa9c4d805e9a77142375b406526cb97b1aae60b, for GNU/Linux 3.2.0, not stripped
kali@kali:~/Desktop/pico2022$ chmod +x run
kali@kali:~/Desktop/pico2022$ ./run
The flag is: picoCTF{U51N6_Y0Ur_F1r57_F113_e5559d46}kali@kali:~/Desktop/pico2022$
picoCTF{U51N6_Y0Ur_F1r57_F113_e5559d46}
file-run2
Description
Another program, but this time, it seems to want some input. What happens if you try to run it on the command line with input "Hello!"? Download the program here.
Another super easy one.
kali@kali:~/Desktop/pico2022$ file run3
run3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=689b8959bc0a65415698970bbb93ed2788442ffb, for GNU/Linux 3.2.0, not stripped
kali@kali:~/Desktop/pico2022$ chmod +x run3
kali@kali:~/Desktop/pico2022$ ./run3
Run this file with only one argument.
kali@kali:~/Desktop/pico2022$ ./run3 Hello
Won't you say 'Hello!' to me first?
kali@kali:~/Desktop/pico2022$ ./run3 Hello!
The flag is: picoCTF{F1r57_4rgum3n7_96f2195f}
File types
Description
This file was found among some files marked confidential but my pdf reader cannot read it, maybe yours can. You can download the file from here.
The file Flag.pdf is actually a shell script, not a PDF. The script needs uudecode to run, which comes from the sharutils package. After running the script, you get an output file that is compressed multiple times with multiple compression programs. The first two layers can be decompressed with the default file explorer. The rest require compression programs that you have to install, and some of them need the file renamed with the proper extension before they will decompress it. Eventually you will get it.
file Flag.pdf
cat Flag.pdf
chmod +x Flag.pdf
sh ./Flag.pdf
mv Flag.pdf Flag.sh
sh ./Flag.sh
cat Flag.sh
eedecode
uudecode
sudo apt-get install sharutils
uudecode
sh ./Flag.sh
ls
cat flag.txt
rm flag.txt
cat out.txt
ls
mkdir test
cd test
cp ../Flag.sh .
ls
sh ./Flag.sh
ls
cat flag
file flag
ls -al
cat flag
file flag
rm flag
sh ./Flag.sh
ls -al
file flag
ar flag
ar -p flag
file flag    # after this it is a cpio archive file, and you can just use File Explorer to uncompress it
cd ttt
ls -al
cat flag
file flag
bzip2
bzip2 --help
ls
bzip2 -d flag
bunzip2 flag
ls -al
cat flag.out
file flag.out
gunzip flag.out
ls
cp flag.out flag.gz
gunzip flag.gz
ls
cat flag
file flag
lzip
lunzip
sudo apt-get install -y lunzip
ls
lunzip flag
mv flag.out flag.out.bak
lunzip flag
ls
cat flag.out
file flag.out
sudo apt-get -y install lz4
lz4
lz4 --help
lz4 -d flag.out
lz4 -d flag.out flag2
cat flag2
file flag2
tar --lzma -xvf flag2
ls
ls -al
cat flag2
cat flag.out
file flag2
tar --lzma -xvf flag2
ls -al
cd bbb
ls
cp ../flag2 .
tar --lzma -xvf flag2
ls
ls -al
file flag2
sudo apt-get install lzma
lzma
lzma -h
lzma -d flag2
cp flag2 flag2.lama
lzma -d flag2.lama
ls
file flag2.lama
cp flag2 flag2.lzma
lzma -d flag2.lzma
ls
cat flag2
mv flag2
mv flag2 flag2.bak
lzma -d flag2.lzma
ls
cat flag2
file flag2
lzop
sudo apt-get install lzop
lzop --help
lzop -d flag2
mv flag2 flag2.lzo
lzop -d flag2.lzo
ls
file flag2
lzip
lunzip flag2
ls
file flag2.out
sudo apt-get install xz-utils
unxz flag.out
ls
unxz flag2.out
mv flag2.out flag2.xz
unxz flag2.xz
ls
file flag2
cat flag2
kali@kali:~/Desktop/pico2022/test/ttt/bbb$ cat flag2
7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
6630725f3062326375723137795f37396230316332367d0a
Convert the hex to ASCII and you get:
picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}
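The trial and error above comes down to reading each layer's magic bytes and picking the matching tool, whatever the file is named. This is an added example, not part of the original write-up: it identifies the formats met in this challenge by signature and unpacks the ones Python's standard library handles, run here on a constructed nested sample rather than the challenge file. The function names are my own, and ar, cpio, lzip, lz4 and lzop are only identified because they need external tools.

```python
import bz2
import gzip
import lzma

# (magic prefix, format name, stdlib decompressor or None if an external tool is needed)
SIGNATURES = [
    (b"!<arch>\n", "ar", None),
    (b"0707", "cpio (ASCII header)", None),
    (b"BZh", "bzip2", bz2.decompress),
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"LZIP", "lzip", None),
    (b"\x04\x22\x4d\x18", "lz4", None),
    (b"\x5d\x00\x00", "lzma", lzma.decompress),
    (b"\x89LZO", "lzop", None),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
]

def identify(data):
    """Name the container by its leading magic bytes, like `file` does."""
    for magic, name, opener in SIGNATURES:
        if data.startswith(magic):
            return name, opener
    return None, None

def peel(data, max_layers=32):
    """Strip layers until the data is unrecognised or needs an external tool."""
    layers = []
    for _ in range(max_layers):  # cap the depth: nesting can be crafted to go on indefinitely
        name, opener = identify(data)
        if name is None:
            break
        layers.append(name)
        if opener is None:
            break
        data = opener(data)
    return layers, data

def build_sample():
    """Constructed input: hex text wrapped in lzma, xz, bzip2 and gzip."""
    hex_text = b"example{constructed_layers}\n".hex().encode()
    inner = lzma.compress(lzma.compress(hex_text, format=lzma.FORMAT_ALONE))
    return gzip.compress(bz2.compress(inner))

def recover_text(blob):
    """Peel every layer, then decode the remaining hex text to ASCII."""
    layers, payload = peel(blob)
    return layers, bytes.fromhex(payload.decode("ascii")).decode("ascii")
```

A short ASCII prefix such as `0707` can also match ordinary text, so confirm a surprising result with `file` before acting on it.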
GDB Test Drive
Description
Can you get the flag? Download this binary. Here's the test drive instructions:
$ chmod +x gdbme
$ gdb gdbme
(gdb) layout asm
(gdb) break *(main+99)
(gdb) run
(gdb) jump *(main+104)
Follow the instructions and you will get the flag:
picoCTF{d3bugg3r_dr1v3_72bd8355}
Includes
Description
Can you get the flag? Go to this website and see what you can discover.
Go to the website. There is nothing in robots.txt. Check the source code of the page and notice that it includes style.css and script.js. Open both files and combine their content to get the flag.
This actually matches the description. The HTML code includes files supporting its content.
picoCTF{1nclu51v17y_1of2_f7w_2of2_6edef411}
Inspect HTML
Description
Can you get the flag? Go to this website and see what you can discover.
This one is super easy. Go to the site and inspect the source code.
picoCTF{1n5p3t0r_0f_h7ml_8113f7e2}
Local Authority
Description
Can you get the flag? Go to this website and see what you can discover.
Go to the site and try a random username and password. You get an error page. Inspect the source code of the error page and you will see some code and a link to
<script src="secure.js"></script>
Open the secure.js file and you will see the username and password hardcoded in the client-side check:
function checkPassword(username, password)
{
if( username === 'admin' && password === 'strongPassword098765' )
Log in with these credentials and you get the flag:
picoCTF{j5_15_7r4n5p4r3n7_b0c2c9cb}
Lookey here
Description
Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it. Download the data here.
kali@kali:~/Desktop/pico2022$ ls -al anthem.flag.txt
-rw------- 1 kali kali 108668 Mar 16 01:49 anthem.flag.txt
kali@kali:~/Desktop/pico2022$ grep flag anthem.flag.txt
kali@kali:~/Desktop/pico2022$ grep -i flag anthem.flag.txt
kali@kali:~/Desktop/pico2022$ grep -i ctf anthem.flag.txt
we think that the men of picoCTF{gr3p_15_@w3s0m3_58f5c024}
kali@kali:~/Desktop/pico2022$
morse-code
Description
Morse code is well known. Can you decrypt this? Download the file here. Wrap your answer with picoCTF{}, put underscores in place of pauses, and use all lowercase.
Download the wav file. Searching online turns up a Morse decoder that accepts wav files:
https://morsecode.world/international/decoder/audio-decoder-adaptive.html
picoCTF{wh47_h47h_90d_w20u9h7}