Pico CTF 2021 Writeups
Last updated
Found the flag amongst the obfuscated code. picoCTF{th4ts_k1nd4_n34t_3bed1170}
Based on the challenge title, we should try to get the website's response headers, either with curl or Burp Suite. The curl command (-I sends a HEAD request and prints only the headers; curl -X HEAD -i also works, but curl warns that it may wait for a body that never comes):
curl -I http://mercury.picoctf.net:47967/
And we got the flag from the header. picoCTF{r3j3ct_th3_du4l1ty_cca66bd3}
The title and hint of the challenge talk about cookies, so let's view the cookies using the browser's developer tools.
The current cookie value is -1; let's try changing it to 1 and see if we get any output.
Based on the output, we need to step through different cookie values to get the flag.
And we got the flag at cookie value 18. picoCTF{3v3ry1_l0v3s_c00k135_064663be}
Seems like a normal HTML website; let's take a look at the source.
It seems that this is a challenge about traversing the site's directories. We got the first part, picoCTF{t, from the source. It says the website was made with HTML, CSS and JS, so let's take a look at those.
We found a JS script; let's open it.
From the hint, we can guess the next part is in robots.txt, the file used to tell crawlers not to access certain directories of the website.
5th part: _f7ce8828}. Flag: picoCTF{th4ts_4_10t_0f_pl4c3s_2_100k_f7ce8828}
Opening the website tells us that we can only access it with picobrowser. From reading past writeups, it seems that we need to change the User-Agent to access it. We use curl -A to set it:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199
Next the website asks us to visit it from the website itself, so we add a Referer header:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199/ -H "Referer: http://mercury.picoctf.net:46199"
Next it asks us to access the website from 2018. We can send a Date header:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199/ -H "Referer: http://mercury.picoctf.net:46199" -H "Date: Wed 17 Mar 2018 02:47:59 GMT"
Now it asks us to send the request without being tracked. We can use the DNT (Do Not Track) header:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199/ -H "Referer: http://mercury.picoctf.net:46199" -H "Date: Wed 17 Mar 2018 02:47:59 GMT" -H "DNT: 1"
Now it only allows people from Sweden. We just need a Swedish IP in the X-Forwarded-For header, which the server reads as the client's address:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199/ -H "Referer: http://mercury.picoctf.net:46199" -H "Date: Wed 17 Mar 2018 02:47:59 GMT" -H "DNT: 1" -H "X-Forwarded-For:193.150.233.115"
Now it also wants us to speak Swedish. We just need to set the Accept-Language header:
curl -A "PicoBrowser" http://mercury.picoctf.net:46199/ -H "Referer: http://mercury.picoctf.net:46199" -H "Date: Wed 17 Mar 2018 02:47:59 GMT" -H "DNT: 1" -H "X-Forwarded-For:193.150.233.115" -H 'Accept-Language: sv'
And we finally got the flag. picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_8d5d8d77}
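The whole sequence above works because the server believes headers that the client writes. As an added example (not part of the original writeup), here is how a server-side check should treat X-Forwarded-For: consult it only when the TCP peer is one of the site's own reverse proxies, and then take the right-most hop that is not a trusted proxy, so that nothing a client prepends changes the result. The trusted-proxy range (10.0.0.0/8), the request values and the function names are assumptions made for the example.

```python
import ipaddress

# Assumption for this example: the application is reached only through
# reverse proxies in this range; any other peer is a direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of our own proxies (raises ValueError on non-IP input)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The check the challenge server effectively used: believe the header as sent."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address that access decisions may rely on.

    X-Forwarded-For is only consulted when the TCP peer is a trusted proxy,
    and then the right-most hop that is not one of our proxies is taken:
    everything to its left was written by parties we do not control, so a
    client can prepend any address it likes without changing the result.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:          # not an IP address: malformed or hostile header
            return remote_addr
    return remote_addr              # header absent, or it names only our own proxies


# Referer, Date, DNT and Accept-Language sit in the same position: the client
# writes them, so they can drive content negotiation but never an access decision.
if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "198.51.100.77"}     # constructed request
    print(naive_client_ip("203.0.113.5", spoofed))    # 198.51.100.77 (trusts the client)
    print(client_ip("203.0.113.5", spoofed))          # 203.0.113.5 (the real peer)
```

The same reasoning applies to the geo-IP and language checks the challenge simulates: a real deployment must take the client address from the transport layer or from a proxy it operates, never from a header value alone.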
This challenge is straightforward. We just need to look for the wasm file in the browser's debugger to get the flag. picoCTF{8857462f9e30faae4d037e5e25fee1ce}
This challenge is about MD5 hash collisions, which make the hash insecure.
The website requires us to upload two different PDF files with the same hash. It also has an upload limit that rejects files larger than 100 KB. Using this website, we got two .exe programs with the same MD5 hash.
Since the PHP script only checks that the uploaded files have a .pdf extension, we can just rename the files to add .pdf before uploading them.
And we got the flag. picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}
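Two things went wrong in that upload handler: the file type was judged by its name, and "different files" was judged by MD5. As an added example (not the challenge's PHP, and using constructed sample bytes rather than the challenge's files), the following shows the extension-only check beside a version that also requires the PDF magic bytes and a size between 1 and 100 KB, and an MD5 comparison beside a SHA-256 one. The file names and helper names are assumptions made for the example.

```python
import hashlib
import os

MAX_BYTES = 100 * 1024           # the challenge's 100 KB limit
PDF_MAGIC = b"%PDF-"

# Constructed sample uploads (not the challenge's files): a Windows executable
# renamed to .pdf, and a minimal PDF that begins with the magic bytes.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
TINY_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def naive_check(filename: str, data: bytes) -> bool:
    """What the challenge's upload handler did: trust the extension and the size."""
    return filename.lower().endswith(".pdf") and len(data) <= MAX_BYTES


def hardened_check(filename: str, data: bytes) -> bool:
    """Extension, size and the file's own header must all agree that this is a PDF."""
    ext = os.path.splitext(filename)[1].lower()
    return ext == ".pdf" and 0 < len(data) <= MAX_BYTES and data.startswith(PDF_MAGIC)


def same_file_md5(a: bytes, b: bytes) -> bool:
    """The weak comparison: MD5 collisions are cheap, so equal digests do not mean equal files."""
    return hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


def same_file(a: bytes, b: bytes) -> bool:
    """Collision-resistant comparison; with both uploads in memory, comparing the bytes works too."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    print(naive_check("invite.pdf", RENAMED_EXE))       # True: the rename trick passes
    print(hardened_check("invite.pdf", RENAMED_EXE))    # False: header says executable
    print(hardened_check("invite.pdf", TINY_PDF))       # True
```

Checking the magic bytes is not a full parse, but it closes the rename trick; a stricter handler would parse the PDF structure or re-render the file. Replacing MD5 removes the collision route entirely, since no practical SHA-256 collision is known.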
This challenge is about cookie forging. We were given a website and the server's source code.
From the challenge description, we know that the website uses Flask session cookies. A Flask cookie is signed with a 'secret key' so that it cannot be tampered with. Let's see the value of the cookie using flask-unsign.
Here we can see that the value is blank. However, from the server source code, server.py, we can see that to get the flag we need to set it to admin.
Before we can forge it, we need to find the secret key of the Flask cookie.
Here we can see that the secret key is chosen randomly from a list. We can brute-force that wordlist using flask-unsign's wordlist feature.
From the brute force we found that the secret key is butter. Now we can forge a new cookie with the value admin and the secret key butter.
Now change the cookie value on the browser to get the flag.
flag: picoCTF{pwn_4ll_th3_cook1E5_743c20eb}
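What made the forgery possible was not the signing scheme but the secret: a word from a short list verifies in a few tries. As an added example (not Flask's or flask-unsign's code), here is a simplified signed cookie in the same shape Flask uses, payload.signature with an HMAC keyed by the server secret: verification rejects a tampered payload, a wordlist audit recovers a weak secret exactly the way flask-unsign does, and the fix is a secret drawn from the OS CSPRNG. The session key name "auth" and the candidate words are assumptions made for the example; Flask's real format also carries a timestamp and derives the HMAC key differently.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(session: dict, secret_key: str) -> str:
    """Serialise the session and append an HMAC-SHA256 tag keyed with the secret.

    Simplified stand-in for Flask/itsdangerous: same idea (payload.signature,
    secret never leaves the server), not the same key derivation or timestamp field.
    """
    payload = _b64(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, secret_key: str):
    """Return the session dict if the tag matches, otherwise None."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):                 # bad base64 or bad JSON
        return None


def secret_from_wordlist(cookie: str, wordlist):
    """Audit check equivalent to flask-unsign's wordlist mode: if any candidate
    verifies a real cookie, the secret is guessable and every session can be forged."""
    for candidate in wordlist:
        if verify_cookie(cookie, candidate) is not None:
            return candidate
    return None


def generate_secret_key() -> str:
    """The fix: a long random secret from the OS CSPRNG, not a word picked from a list."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    issued = sign_cookie({"auth": "blank"}, "butter")            # weak key, as in the challenge
    print(secret_from_wordlist(issued, ["salt", "sugar", "butter"]))   # butter
    strong = generate_secret_key()
    print(secret_from_wordlist(sign_cookie({"auth": "blank"}, strong), ["salt", "sugar", "butter"]))  # None
```

The audit function is the same loop the attack runs, which is the point: if your own wordlist check succeeds against a production cookie, the secret has to be rotated, and every session signed under it is already forgeable.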
For this challenge we were given two images that look like they are made of static.
I treated this challenge as steganography and used StegSolve's image combiner on both images.
After combining both with the ADD function we can see the flag picoCTF{0542dc1d).
It's a simple ROT13 encoding. Let's use CyberChef to decode it.
flag: picoCTF{next_time_I'll_try_2_rounds_of_rot13_TLcKBUdK}
It's the usual RSA challenge.
We have to decrypt it based on the values given. I'm not good at math and just used RsaCtfTool to decrypt it.
flag: picoCTF{sma11_N_n0_g0od_23540368}
In this challenge we were given the values e, n and c. The d value has to be calculated ourselves. From the challenge we know that d is small, which makes the key vulnerable to Wiener's attack. We can use RsaCtfTool again to decrypt it.
Flag: picoCTF{proving_wiener_1146084}
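RsaCtfTool hides what Wiener's attack actually does, so here it is worked through as an added example (not the challenge's numbers and not RsaCtfTool's code): a demo key is constructed from two 32-bit primes with a deliberately small d, which forces the public exponent e; the attack then recovers d from (e, N) alone by walking the convergents of the continued fraction of e/N. The primes, the chosen d and the function names are assumptions made for the example; the condition that makes it work is the one the challenge hints at, d < N^(1/4)/3.

```python
from math import isqrt

# Constructed demo key (not the challenge's values): two 32-bit primes and a
# deliberately small private exponent, so that d < N**0.25 / 3, the regime
# Wiener's attack covers. The public exponent is then forced by the choice of d.
P = 4294967291          # 2**32 - 5
Q = 4294967311          # 2**32 + 15
N = P * Q
PHI = (P - 1) * (Q - 1)
D = 12347
E = pow(D, -1, PHI)     # e = d^-1 mod phi (Python 3.8+)


def continued_fraction(num: int, den: int):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    coeffs = []
    while den:
        a, r = divmod(num, den)
        coeffs.append(a)
        num, den = den, r
    return coeffs


def convergents(coeffs):
    """Successive rational approximations k/d, via the standard recurrence."""
    k_prev, k, d_prev, d = 0, 1, 1, 0
    for a in coeffs:
        k_prev, k = k, a * k + k_prev
        d_prev, d = d, a * d + d_prev
        yield k, d


def wiener_attack(e: int, n: int):
    """Recover d from the public key alone when d is small.

    Because e*d = 1 + k*phi with phi close to n, k/d is one of the convergents
    of e/n. For each candidate we derive phi, then p + q = n - phi + 1, and
    accept the candidate if that gives integer roots for p and q.
    """
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # p + q
        disc = s * s - 4 * n            # (p - q)**2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            return d
    return None


if __name__ == "__main__":
    print(wiener_attack(E, N) == D)     # True
```

The defensive reading is a key-generation rule: pick e first (commonly 65537) and derive d, never the other way round, because a small d produces a convergent of e/N that gives the private key away.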
Enter the plaintext into netcat.
flag: picoCTF{2e71b99fd3d07af3808f8dff2652ae0e}
Opening the file, it looks like some kind of Unicode characters. I proceeded to use CyberChef's Magic feature to see if it could decode it. By putting picoCTF in the crib, we were able to decode it.
picoCTF{16_bits_inst34d_of_8_26684c20}
Looking at the source code, we only need to find the key_part_dynamic_1trial part of the flag.
Looking at the source, we can see that the dynamic key is taken from certain characters of the hexdigest of the username, which is GOUGH. We can write a short Python script to print it.
The full flag: picoCTF{1n7h3|<3y_of_f911a486}
From the source code, we can see that the program uses ROT47 to encode and decode the bezos_cc_secret. We can use CyberChef to decode it.
Flag: picoCTF{1|\/|_4_p34||ut_4593da8a}.
Let's use netcat and save the output.
From the hint, we know that the output is for a CNC machine, which uses G-code as its programming language. After some googling, I found https://ncviewer.com/, which can be used to plot G-code.
flag: picoCTF{num3r1cal_c0ntr0l_f3fea95b}.
In this challenge we exploit the fact that the programmer did not handle edge cases in the market's coin system. We can enter any value for the coins, such as a negative number, to exploit it.
Flag: picoCTF{b4d_brogrammer_797b292c}.
In this challenge we were given an image, and the hint says something about information.
So I just looked at the image's metadata using exiftool.
Looking at the License field, it looks like a Base64 string. Let's try decoding it with CyberChef.
And we got the flag picoCTF{the_m3tadatais_modified}.
In this challenge we were given a Word document with a hint that there is some shell or macro in the file.
We're also given a YouTube video about macros in docx files. The video shows that we can use olevba to extract macro source code from Word and PowerPoint files.
From the extracted macro source, we can see that the embedded script tries to print a string that seems to be Base64-encoded.
$ echo cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9 | base64 -d
picoCTF{m4cr0s_r_d4ng3r0us}
After decoding it, we got the flag picoCTF{m4cr0s_r_d4ng3r0us}.
This is a matryoshka-doll challenge in which we have to extract data from the image several times to get the flag.
So let's binwalk the image to extract the data a few times.
After a few rounds we got the flag.
picoCTF{336cfd51c9d9774fd37196c1d7320ff}.
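binwalk finds the next doll by scanning for file signatures past the end of the outer file. As an added example (not binwalk's code and not the challenge's image), the following does that one round by hand: scan a blob for known magic values, walk the PNG chunk list to find where the real image ends, and carve out whatever follows. The sample is a constructed 1x1 PNG with a zip-style payload appended; the signature table and helper names are assumptions made for the example.

```python
import struct
import zlib

# Magic values of a few container formats (offset 0 = the outer file; any
# later hit is a candidate embedded file, which is what binwalk reports).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"%PDF-": "pdf",
}


def scan_signatures(blob: bytes):
    """Return sorted (offset, kind) pairs for every signature found anywhere in blob."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = blob.find(magic)
        while start >= 0:
            hits.append((start, kind))
            start = blob.find(magic, start + 1)
    return sorted(hits)


def png_length(blob: bytes, offset: int) -> int:
    """Walk the chunk list from a PNG signature and return the PNG's true size,
    so anything after it is trailing data rather than part of the image."""
    pos = offset + 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        pos += 12 + length                  # length + type + data + CRC
        if ctype == b"IEND":
            return pos - offset
    raise ValueError("PNG without IEND chunk")


def carve(blob: bytes, offset: int, length=None) -> bytes:
    """Cut out the embedded object; without a length, take everything to the end."""
    return blob[offset:] if length is None else blob[offset:offset + length]


def extract_layers(blob: bytes):
    """One round of the peel: every embedded object after the outer file's own header."""
    return [(off, kind, carve(blob, off)) for off, kind in scan_signatures(blob) if off > 0]


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG: structurally valid, used only as the outer file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed matryoshka: a PNG with a zip-style payload appended after IEND.
SAMPLE = build_sample_png() + b"PK\x03\x04" + b"constructed inner payload"

if __name__ == "__main__":
    for off, kind, data in extract_layers(SAMPLE):
        print(off, kind, len(data))         # the appended object and its offset
```

Real carving tools parse each container's own length fields (as png_length does here) rather than taking everything to the end of the blob; repeating the scan on each carved piece is what gets through the remaining dolls.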
In this challenge we were given a pcap file; let's open it in Wireshark.
I didn't find anything by following the streams, so next I tried exporting the objects from the pcap.
Then I opened some of the files and found a string that looks like it has been encoded with a Caesar cipher.
So we can try decoding it using a website such as dcode.fr or a Python script from GitHub.
The flag is picoCTF{p33kab00_1_s33_u_deadbeef}.
At first I thought this challenge was similar to Weird File and tried to extract macro data from the file using olevba, but I didn't get any usable output from it.
Then I remembered that PPT files are just made up of a bunch of files (they are zip archives). I ran binwalk on it to extract the data.
And after scouring the files, I managed to find a string that looks like it has been encoded.
Since a Caesar cipher didn't work, I just put the string into CyberChef, which automatically detected Base64 and gave the flag.
flag: picoCTF{D1d_u_kn0w_ppts_r_z1p5}
In this challenge we have to work with a pcap file. The title says something about FTP. As usual, let's open it in Wireshark and export the FTP objects from the pcap.
We managed to get 2 text files and 3 pictures.
It seems to be encoded with a Caesar cipher. After decoding it, the instructions say:
TFTPDOESNTENCRYPTOURTRAFFICSOWEMUSTDISGUISEOURFLAGTRANSFER.FIGUREOUTAWAYTOHIDETHEFLAGANDIWILLCHECKBACKFORTHEPLAN
IUSEDTHEPROGRAMANDHIDITWITH-DUEDILIGENCE.CHECKOUTTHEPHOTOS
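The Caesar decoding here, the ROT13 challenge and the ROT47 secret earlier are all the same operation over different alphabets. As an added example that is not part of the original writeup, the following generalises it: one rotate function over a chosen alphabet (letters for Caesar and ROT13, printable ASCII 33..126 for ROT47), plus a brute force that tries every shift and keeps the ones containing a known crib such as a flag prefix. The check uses the TFTP line above, re-encoded with a shift picked for the example; the function names are assumptions.

```python
import string

LETTERS = string.ascii_uppercase                       # Caesar / ROT13 alphabet
PRINTABLE = "".join(chr(c) for c in range(33, 127))    # ROT47 alphabet: '!' .. '~'


def rotate(text: str, shift: int, alphabet: str = LETTERS) -> str:
    """Shift every character that is in `alphabet`; leave the rest untouched.

    With LETTERS, lower-case letters are shifted too (keeping their case), so
    the same function covers Caesar and ROT13; with PRINTABLE it is ROT47.
    """
    n = len(alphabet)
    out = []
    for ch in text:
        if alphabet == LETTERS and "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in alphabet:
            out.append(alphabet[(alphabet.index(ch) + shift) % n])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str, crib: str, alphabet: str = LETTERS):
    """Undo every possible shift and return (shift, plaintext) for those containing the crib."""
    n = len(alphabet)
    results = []
    for shift in range(1, n):
        candidate = rotate(ciphertext, -shift, alphabet)
        if crib in candidate:
            results.append((shift, candidate))
    return results


if __name__ == "__main__":
    # Constructed check: the TFTP instruction line, shifted by 7 for the example.
    ct = rotate("TFTPDOESNTENCRYPTOURTRAFFIC", 7)
    print(ct)
    print(brute_force(ct, "TFTP"))                 # [(7, 'TFTPDOESNTENCRYPTOURTRAFFIC')]
    print(rotate("picoCTF{example}", 47, PRINTABLE))   # ROT47 is its own inverse
```

ROT13 and ROT47 are involutions because the shift is exactly half the alphabet (13 of 26, 47 of 94), which is why CyberChef applies the same operation to encode and decode; for an unknown Caesar shift the crib search above replaces guessing.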
After that, let's open program.deb.
It seems that one of the images contains a hidden flag, and they used steghide to hide it with the passphrase DUEDILIGENCE.
After trying steghide on all 3 pictures, we finally get output from the third image.
flag: picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
This challenge was quite guessy and time-consuming. We were given a pcap file, but after the usual follow-stream and export-objects steps I only found fake flags. I saw someone mention using NetworkMiner on the Discord server and tried it.
After spending some time looking at how it categorizes each packet, I noticed something odd in the server and IP TTL values of some packets.
However, after Base64-decoding it and submitting, it turned out to be a fake flag, as suggested by the site name itself.
Then I looked back at the packets and noticed that, before the website, each packet carries a different string that looks Base64-encoded. I then tried decoding one of the strings.
And indeed it produced part of the flag.
After collecting all of the strings from the packets, we got the flag. picoCTF{dns_3xf1l_ftw_deadbeef}.
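What NetworkMiner surfaced by hand here, a run of base64-looking labels under one parent domain, is exactly the pattern a DNS exfiltration detection looks for. As an added example (not part of the original writeup, and run on a constructed query log rather than the challenge's pcap), the following groups queries by client and parent domain, keeps the leftmost labels that look like base64, flags a group once it has several of them, and reassembles the payload in timestamp order. The log format, the exfil.example domain and the helper names are assumptions made for the example.

```python
import base64
import re
from collections import defaultdict

# A DNS label that is long and drawn only from the base64 alphabet is unusual
# for real hostnames; that is the first filter (base64url '-' and '_' allowed too).
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{12,63}$")

# Constructed sample query log, "<ts> <client> <qname>": the exfil.example
# names carry base64 chunks, the other lines are ordinary lookups.
SAMPLE_LOG = """\
1618000001 10.0.0.5 www.example.com
1618000002 10.0.0.5 Y29uc3RydWN0ZWQg.exfil.example
1618000003 10.0.0.9 mail.example.com
1618000004 10.0.0.5 c2FtcGxlIHBheWxv.exfil.example
1618000005 10.0.0.5 YWQgZm9yIHRlc3Rz.exfil.example
1618000006 10.0.0.5 cdn.example.net
"""


def parse_log(text: str):
    """Yield (timestamp, client, qname) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield int(ts), client, qname.rstrip(".")


def suspicious_queries(text: str, min_labels: int = 3):
    """Map (client, parent domain) -> base64-looking labels in time order,
    keeping only groups with at least min_labels such queries."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:                      # need label + parent of two or more labels
            continue
        leftmost, parent = labels[0], ".".join(labels[1:])
        if B64_LABEL.match(leftmost):
            groups[(client, parent)].append((ts, leftmost))
    return {key: [label for _, label in sorted(chunks)]
            for key, chunks in groups.items() if len(chunks) >= min_labels}


def reassemble(labels) -> bytes:
    """Concatenate the chunks and decode; padding is restored in case it was stripped."""
    joined = "".join(labels)
    return base64.b64decode(joined + "=" * (-len(joined) % 4))


if __name__ == "__main__":
    for (client, parent), labels in suspicious_queries(SAMPLE_LOG).items():
        print(client, parent, reassemble(labels))
```

In production the same logic runs over passive DNS or resolver logs with a threshold on distinct labels per parent per hour; the per-label entropy or length alone gives false positives from CDNs, which is why grouping by parent domain matters.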
The challenge gave us a disk image that can be mounted, with a hint that the flag is stored in a file called 'down-at-the-bottom.txt'. Rather than using The Sleuth Kit as suggested, I just used binwalk to extract all the files from the image and looked for the flag file manually.
I managed to find the flag file in the root directory. The flag is picoCTF{f0r3ns1c4t0rn0v1c30ba8d02d}.
This was more of a stego challenge. We were given a link to a website, and it looks like a script was used to produce a GIF from several images.
After saving the image, I ran the usual CTF tools: strings, StegSolve, binwalk and a hex viewer. Then, using zsteg, we got the flag from one of the LSB planes.
The flag is picoCTF{imag3_m4n1pul4t10n_sl4p5}.
This was quite a hard and guessy challenge for me. We were given a file; after looking at the header I was able to determine that it was a .bmp image.
I then tried opening the image with ImageMagick's display, since Windows programs were unable to open it directly.
From the displayed image, we can guess that the header values have been altered and the whole picture is not being shown.
After some time reading about the bitmap format on this website, I started changing header values in a hex editor. After a break of several days and another look, I was able to produce the full image, though the colours are not fully correct, by changing the fields at offsets 00Ah, 0012h and 0016h.
The flag is: picoCTF{qu1t3_a_v13w_2020}. This challenge taught me a lot about bitmaps and how they are actually structured; I think it deserves more points than most of the forensics challenges.
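The three offsets above are the pixel-data offset (0Ah), the width (12h) and the height (16h) of the BMP file and info headers. As an added example (not the challenge's image, which is replaced by a constructed 24-bit sample), the following parses those fields with struct, patches them the way a hex editor would, and shows the check that usually rescues a truncated view: once a width is guessed, the amount of pixel data actually present fixes the height. The sample image and the helper names are assumptions made for the example.

```python
import struct

# Field offsets from the BMP headers, as used in the challenge:
#   0x0A bfOffBits   where the pixel rows start
#   0x12 biWidth     signed 32-bit little-endian
#   0x16 biHeight    signed 32-bit little-endian (negative = top-down rows)


def read_header(bmp: bytes) -> dict:
    """Parse the fields a broken-header challenge usually needs."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, pixel_offset = struct.unpack_from("<I4xI", bmp, 2)
    dib_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    return {"file_size": file_size, "pixel_offset": pixel_offset, "dib_size": dib_size,
            "width": width, "height": height, "planes": planes, "bpp": bpp}


def row_bytes(width: int, bpp: int) -> int:
    """Each pixel row is padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def patch_header(bmp: bytes, width=None, height=None, pixel_offset=None) -> bytes:
    """Rewrite the fields at 0x12, 0x16 and 0x0A: what the hex editing above did."""
    buf = bytearray(bmp)
    if width is not None:
        struct.pack_into("<i", buf, 0x12, width)
    if height is not None:
        struct.pack_into("<i", buf, 0x16, height)
    if pixel_offset is not None:
        struct.pack_into("<I", buf, 0x0A, pixel_offset)
    return bytes(buf)


def height_from_size(bmp: bytes, width: int) -> int:
    """Given a (guessed) width, the pixel data actually present fixes the height."""
    hdr = read_header(bmp)
    return (len(bmp) - hdr["pixel_offset"]) // row_bytes(width, hdr["bpp"])


def build_sample_bmp(width: int = 4, height: int = 2) -> bytes:
    """Constructed uncompressed 24-bit BMP filled with one colour (not the challenge's image)."""
    bpp = 24
    stride = row_bytes(width, bpp)
    row = b"\x00\x00\xff" * width + b"\x00" * (stride - width * 3)   # BGR red + padding
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return file_header + dib + pixels


if __name__ == "__main__":
    good = build_sample_bmp(4, 2)
    broken = patch_header(good, width=1, height=1)         # the kind of damage the challenge had
    print(read_header(broken)["width"], read_header(broken)["height"])   # 1 1
    fixed = patch_header(broken, width=4, height=height_from_size(broken, 4))
    print(read_header(fixed) == read_header(good))          # True
```

Wrong colours after a repair like this usually mean the bit depth or the pixel offset is still off by a few bytes, which shifts the BGR triplets; the same struct fields let you test those corrections without touching the pixel data.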
As the challenge name suggests, just use cat on the flag file.
flag: picoCTF{s4n1ty_v3r1f13d_28e8376d}
Download the files and run the decoder script with Python: python3 ende.py -d flag.txt.en
It's an executable program; let's change the permissions and run it.
Flag: picoCTF{b1scu1ts_4nd_gr4vy_18788aaa}
It outputs numbers; let's save them to a txt file.
Based on the hint, they are ASCII codes; let's decode them to text with this website.
Flag: picoCTF{g00d_k1tty!_n1c3_k1tty!_d3dfd6df}
The static file is an executable; change the permissions and run it.
Let's look at the other file, ltdis.sh. This bash script wraps objdump, which is used to disassemble 64-bit ELF files. Running objdump with the -s option (dump the full contents of all sections) gave us the flag.
picoCTF{d15a5m_t34s3r_ccb2b43e}.
Let's use cat to open the unzipped file.
flag: picoCTF{l3v3l_up!_t4k18c}.
Let's connect over SSH with the given credentials.
This challenge just taught us to use the basic ls and cd commands in the terminal.
flag: picoCTF{xxsh_0ut0f\/\/4t3r_21cac893}
Based on the hint, let's check which Python version the file was written for.
It was written for Python 2, whose input() function evaluates whatever is typed as a Python expression. This is one of the reasons people moved to Python 3. We can exploit it by entering __import__('os').system("put command here") as the input.
flag: picoCTF{v4lua4bl3_1npu7_8433797}
Overall I really enjoyed the CTF. As a solo player, I was able to learn a lot, especially in reverse engineering and binary exploitation. Hopefully I will be able to solve more challenges in upcoming CTFs.