PicoCTF 2023

Crypto

HideToSee

Recon

This one is more like a Misc challenge. I thought about it for a long time during the competition without making progress; after reading the write-up afterwards it seemed unusually simple. I probably did think along these lines at the time, but I didn't use steghide.

Exploit - Steghide + Atbash

  1. First use steghide to extract the hidden document
     $ steghide extract -sf atbash.jpg
  2. Decrypt with an online tool

Reverse

Reverse

IDA. Flag: picoCTF{3lf_r3v3r5ing_succe55ful_8108250b}

Safe Opener 2

Strings search. Flag: picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_ccb5525e}

timer

Use MobSF. Flag: picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}

Ready Gladiator 0

  • ???
  • picoCTF{h3r0_t0_z3r0_4m1r1gh7_a220a377}

Forensics

hideme

Use binwalk to observe that it should be a zip file.

$ binwalk flag.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
39739         0x9B3B          Zip archive data, at least v1.0 to extract, name: secret/
39804         0x9B7C          Zip archive data, at least v2.0 to extract, compressed size: 3037, uncompressed size: 3187, name: secret/flag.png
43076         0xA844          End of Zip archive, footer length: 22

Change the extension to .zip and extract it.

Flag:
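As an added example (not from the original write-up), here is a Python carver that does by hand what binwalk plus the rename-to-zip trick did above: it walks the PNG chunks to IEND, looks for a zip local file header after it, and reads the members out. The sample image and its embedded archive are constructed inline; the real flag.png is not included.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LFH = b"PK\x03\x04"    # zip local file header signature
ZIP_EOCD = b"PK\x05\x06"   # zip end-of-central-directory signature

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample() -> bytes:
    """Constructed stand-in for flag.png: a 1x1 RGBA PNG with a zip appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    raw = b"\x00" + b"\x00\x00\x00\xff"  # filter byte + one transparent black pixel
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret/flag.png", b"constructed placeholder for the inner image")
    return png + buf.getvalue()

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND; anything after it is foreign."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")

def find_trailing_zip(data: bytes) -> int:
    """Offset of an appended zip's first local header, or -1 if nothing follows IEND."""
    end = png_end_offset(data)
    off = data.find(ZIP_LFH, end)
    return off if off != -1 and data.rfind(ZIP_EOCD) > off else -1

def carve_files(data: bytes) -> dict:
    """Cut the archive out of the image and return {member name: bytes}."""
    off = find_trailing_zip(data)
    if off < 0:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
```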

PcapPoisoning

Strings search for "pico". Flag: picoCTF{P64P_4N4L7S1S_SU55355FUL_b1995216}

MSB

Reference: CTF-Misc-LSB. The flag was hidden in the extracted text file: picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_c02eeaac}

UnforgottenBits(TBD)

recon

asef18766@vmware:~/picoCTF$ file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x82, start-CHS (0xc,223,20), end-CHS (0x2d,130,21), startsector 206848, 524288 sectors; partition 3 : ID=0x83, start-CHS (0x2d,130,22), end-CHS (0x82,138,8), startsector 731136, 1366016 sectors
  • probably corrupted section info
  • just dump the file system with binwalk --dd=".*" (note: since I am too lazy to optimize the command, it may use up all your disk space)
  • at offset 0x16500000 there is an ext4 file system; you can just open it with 7zip
  • there's something under his /home, but no clue about it :P

FindAndOpen(TBD)

recon

  • some strings are sent directly via raw socket
  • probably some base64 strings? but no clue about them :P
      iBwaWNvQ1RGe1
      AABBHHPJGTFRLKVGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=
      PBwaWUvQ1RGesabababkjaASKBKSBACVVAVSDDSSSSDSKJBJS
      PBwaWUvQ1RGe1

ReadMyCert

Base64-decode the certificate string. Flag: picoCTF{read_mycert_4448b598}

rotation

ROT-18. Flag: picoCTF{r0tat1on_d3crypt3d_4a3dcb4c}

FindAndOpen

  • picoCTF{R34DING_LOKd_fil56_succ3ss_419835ef}

who is it

Recon

Strings search (in Sublime) to find IP-like strings

  • whois 173.249.33.206
  • picoCTF{WilhelmZwalina}

UnforgottenBits

yone$ cat irclogs/**/*.log
[08:12] <yone786> Ok, let me give you the keys for the light.
[08:12] <avidreader13> I’m ready.
[08:15] <yone786> First it’s steghide.
[08:15] <yone786> Use password: akalibardzyratrundle
[08:16] <avidreader13> Huh, is that a different language?
[08:18] <yone786> Not really, don’t worry about it.
[08:18] <yone786> The next is the encryption. Use openssl, AES, cbc.
[08:19] <yone786> salt=0f3fa17eeacd53a9 key=58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 iv=7a12fd4dc1898efcd997a1b9496e7591
[08:19] <avidreader13> Damn! Ever heard of passphrases?
[08:19] <yone786> Don’t trust em. I seed my crypto keys with uuids.
[08:20] <avidreader13> Ok, I get it, you’re paranoid.
[08:20] <avidreader13> But I have no idea if that would work.
[08:21] <yone786> Haha, I’m not paranoid. I know you’re not a good hacker dude.
[08:21] <avidreader13> Is there a better way?
[08:22] * yone786 yawns.
[08:24] <yone786> You’re ok at hacking. I’m good at writing code and using it
[08:24] <avidreader13> What language are you writing in?
[08:26] <yone786> C
[08:26] <avidreader13> Oh, I see.
[08:26] <yone786> I’m glad you like it. I’m sure you wouldn’t understand half of what I was doing.
[08:28] <avidreader13> I understand enough, but I do wish you wouldn’t take so much time with it.
[08:28] <yone786> Sorry. Well, I wish you could learn some things.
[08:29] <avidreader13> But it’s an incredible amount of time you spend on it.
[08:29] <yone786> Haha, don’t take it like that.
one$ cat notes/*.txt
chizazerite
guldulheen
I keep forgetting this, but it starts like: yasuoaatrox...
alene2# cat .lynx/browsing-history.log
www.google.com
https://www.google.com/search?q=number+encodings&source=hp&ei=WeC9Y77KJ_iwqtsP0sGu6A0&iflsig=AK50M_UAAAAAY73uaRxDkbHRUH8jn4OVhOgM8riUqvVI&ved=0ahUKEwj-2r_EgL78AhV4mGoFHdKgC90Q4dUDCAk&uact=5&oq=number+encodings&gs_lcp=Cgdnd3Mtd2l6EAMyBggAEBYQHjIFCAAQhgMyBQgAEIYDMgUIABCGAzIFCAAQhgM6DgguEIAEELEDEIMBENQCOgsIABCABBCxAxCDAToRCC4QgAQQsQMQgwEQxwEQ0QM6CAgAELEDEIMBOgsILhCABBCxAxCDAToFCAAQgAQ6CAgAEIAEELEDOggILhCABBDUAjoHCAAQgAQQCjoHCC4QgAQQClAAWI0VYPAXaABwAHgDgAHDA4gB-iKSAQkwLjMuNS40LjOYAQCgAQE&sclient=gws-wiz
https://en.wikipedia.org/wiki/Church_encoding
https://cs.lmu.edu/~ray/notes/numenc/
https://www.wikiwand.com/en/Golden_ratio_base
  • Extract from /home/yone/gallery/bmp
  • steghide --extract -sf 7.bmp
  • openssl enc -d -aes-256-cbc -pbkdf2 -iv 7a12fd4dc1898efcd997a1b9496e7591 -S 0f3fa17eeacd53a9 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 -in les-mis.txt.enc -out ccc

General Skill

money-ware

ChatGPT is your friend. Obviously it is not Ransomware, so I asked about the variant types of Ransomware.

Are there any computer viruses that are variants of ransomware?
    >Yes, there are other ransomware variants. Here are some examples:

    Scareware: Scareware is fake security software, usually packaged as a normal-looking antivirus program or system tool. Once installed, it displays false security warnings telling the victim that their computer is infected, and then demands payment to fix the problem. If the victim pays, the scammer obtains the victim's credit card information and provides no actual solution.

    Petya: Petya is a highly advanced ransomware variant that uses a technique called "full-disk encryption", which encrypts the contents of the entire hard disk rather than just files. In addition, Petya can attack using the Windows boot manager, which makes it harder to detect and remove than other ransomware.

    Jigsaw: Jigsaw is ransomware with malicious code whose name comes from the villain of the film "The Shawshank Redemption". Once infected, Jigsaw encrypts the victim's files and demands a ransom after sacrificing the first file. If the victim does not pay, Jigsaw deletes some files until the victim pays.

    These ransomware variants are all very dangerous and can cause serious losses. It is recommended to use the latest antivirus software and an updated operating system to prevent infection, and to back up important files regularly so they can be restored in the event of an attack.

Flag: picoCTF{Petya}

repetitions

Just base64-decode multiple times. Flag: picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_a2d1b8b6}

Rules 2023

It's kind of a web-type challenge. Check the page source and just search for picoCTF{ and you've got it. Flag: picoCTF{h34rd_und3r5700d_4ck_cba1c711}

chrono

Basic Linux command skills

$ ssh -p 63185  picoplayer@saturn.picoctf.net
# enter password
$ cd /challenge
$ cat metadata.json
{"flag": "picoCTF{Sch3DUL7NG_T45K3_L1NUX_88865742}", "username": "picoplayer", "password": "lsPTmnodPc"}

Flag: picoCTF{Sch3DUL7NG_T45K3_L1NUX_88865742}

Permissions

Very similar to chrono. Flag: picoCTF{uS1ng_v1m_3dit0r_8a15f6a3}

Special

Special$ ${0}
${0} 
$ echo 1
1
$ ls
blargh
$ pwd
/home/ctf-player
$ echo $0
sh
$ cat ^C
$ ls
blargh
$ cat blargh
cat: blargh: Is a directory
$ cd bla*
$ ls
flag.txt
$ cat flag.txt
picoCTF{5p311ch3ck_15_7h3_w0r57_008cf854}$ Connection to saturn.picoctf.net closed by remote host.

Specialer

  • $ echo "$(<./ala/kazam.txt)"
  • Flag: picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_58131e2c}

Web

findme

  • log in and observe the traffic
  • the flag is base64-encoded in one of the redirecting pages.
  • picoCTF{proxies_all_the_way_48c47a95}

MatchTheRegex

Observing the page source, we found this script tag:

...
<script>
	function send_request() {
		let val = document.getElementById("name").value;
		// ^p.....F!?
		fetch(`/flag?input=${val}`)
			.then(res => res.text())
			.then(res => {
				const res_json = JSON.parse(res);
				alert(res_json.flag)
				return false;
			})
		return false;
	}
</script>
...

So, we just enter picoCTF to match the string, and then we get the flag. Flag:

findme

The point is observing the redirection. Use Burp Suite to observe every web page after you log in. Then you may find something strange, such as an id. $\to$ cGljb0NURntwcm94aWVzX2Fs $\to$ bF90aGVfd2F5XzQ4YzQ3YTk1fQ==

And these are obviously base64-encoded strings. Flag: picoCTF{proxies_all_the_way_48c47a95}

SOAP

  • raw XXE injection
  • picoCTF{XML_3xtern@l_3nt1t1ty_53488905}

More SQLi

  • SQLite
  • username=&password='or'1'='1'--
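The following Python snippet is an added illustration, not the challenge's code: it reproduces the failure on a constructed SQLite table so you can see why `'or'1'='1'--` in the password field logs in as the first user, places the parameterised query that defeats it alongside, and adds a cheap heuristic for flagging such values in request logs.

```python
import sqlite3

PAYLOAD = "'or'1'='1'--"  # the password value from the challenge, username left empty

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's user table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query built by string formatting. The payload's quote closes the password
    literal, OR '1'='1' makes the WHERE clause true for every row, and -- comments
    out the trailing quote, so the first user (admin) is returned."""
    sql = (f"SELECT name FROM users WHERE name='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone()

def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the same text is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()

def looks_like_injection(value: str) -> bool:
    """Cheap log/WAF heuristic: a quote followed by OR, or a SQL comment marker."""
    v = value.lower().replace(" ", "")
    return ("'or" in v) or ("--" in v) or ("/*" in v)
```

Real code would also store password hashes rather than plaintext; the parameterisation is the fix for the injection itself.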

Java Code Analysis

  • find JWT secret key: ‘1234’
  • sign JWT with role ‘Admin’
  • update own role to ‘Admin’, since the pdf ACL gets the role from the DB instead of the JWT
  • relogin to access pdf/5

  • picoCTF{w34k_jwt_n0t_g00d_6e5d7df5}