PicoCTF WriteUp
Level 1
MISC
1.Internet Kitties
I was told there was something at IP shell2017.picoctf.com with port 24369. How do I get there? Do I need a ship for the port?
**HINTS**
Look at using the netcat (nc) command!
To figure out how to use it, you can run “man nc” or “nc -h” on the shell, or search for it on the interwebz
WriteUp
nc shell2017.picoctf.com 24369
Flag
648defaaba45452729b7179f0603df05
2.Piazza
Have questions about pico? You can ask here. The access code is 31337.
WriteUp
Sign up for the picoCTF class on Piazza with that access code.
Flag
flag{ask_and_hop3fully_we_can_help}
3.Leaf of the Tree
We found this annoyingly named directory tree starting at /problems/5da315e9c7f1c9886ea371abee5ae8d0. It would be pretty lame to type out all of those directory names but maybe there is something in there worth finding? And maybe we dont need to type out all those names…? Follow the trunk, using cat and ls!
**HINTS**
Tab completion is a wonderful, wonderful thing
WriteUp
```text
lanvnal@shell-web:~$ cd /problems/5da315e9c7f1c9886ea371abee5ae8d0
lanvnal@shell-web:/problems/5da315e9c7f1c9886ea371abee5ae8d0$ find | grep flag
./trunk/trunke655/trunk8845/trunk9942/trunk2d10/trunk55d8/trunke715/trunkb041/flag
lanvnal@shell-web:/problems/5da315e9c7f1c9886ea371abee5ae8d0$ cat trunk/trunke655/trunk8845/trunk9942/trunk2d10/trunk55d8/trunke715/trunkb041/flag
42eed2e89ae8b05b56555f65e0ab81aa
```
Flag
42eed2e89ae8b05b56555f65e0ab81aa
4.looooong
I heard you have some “delusions of grandeur” about your typing speed. How fast can you go at shell2017.picoctf.com:59858?
**HINTS**
Use the nc command to connect!
I hear python is a good means (among many) to generate the needed input.
It might help to have multiple windows open
WriteUp
My method (facepalm):
print "x" * time
then copy and paste the output in.
(runs away)
An expert's method, in Python:
```python
import re
import socket

# Open a socket to the challenge service (port taken from the challenge description)
s = socket.socket()
s.connect(("shell2017.picoctf.com", 59858))
# Receive the initial instructions: which character to repeat, how many times,
# and which single character has to terminate the line
instructions = s.recv(4096).decode("utf-8")
print(instructions)
# Parse the instructions
letter = re.search("'([A-Za-z])' character", instructions).group(1)
count = int(re.search("'([0-9]+)' times", instructions).group(1))
end = re.search("followed by a single '([a-zA-Z0-9])'", instructions).group(1)
# Build the reply: the letter repeated `count` times, the terminator, then a newline
reply = (letter * count) + end + "\n"
# Send the reply (sendall keeps writing until every byte has gone out)
s.sendall(reply.encode("utf-8"))
# Receive the server's answer, which contains the flag on success
print(s.recv(4096).decode("utf-8"))
s.close()
```
Flag
Flag: with_some_recognition_and_training_delusions_become_glimpses_84bb3b369444af45f140fa500f5e54c3
5.Leaf of the Forest
We found an even bigger directory tree hiding a flag starting at /problems/db39b5c002d8445dc6d2bbf49a8ccc37. It would be impossible to find the file named flag manually…
**HINTS**
Is there a search function in Linux? Like if I wanted to ‘find’ something…
WriteUp
```text
lanvnal@shell-web:/problems/5da315e9c7f1c9886ea371abee5ae8d0$ cd /problems/db39b5c002d8445dc6d2bbf49a8ccc37
lanvnal@shell-web:/problems/db39b5c002d8445dc6d2bbf49a8ccc37$ find | grep flag
./forest/treeada53a/trunkb393/trunkb8ea/trunka3c4/trunk639d/trunk324e/trunk0bf8/trunkf462/branchd463/flag
lanvnal@shell-web:/problems/db39b5c002d8445dc6d2bbf49a8ccc37$ cat forest/treeada53a/trunkb393/trunkb8ea/trunka3c4/trunk639d/trunk324e/trunk0bf8/trunkf462/branchd463/flag
c99501b0fe95402ed1c9191102fe1b68l
```
Flag
c99501b0fe95402ed1c9191102fe1b68l
6.WorldChat
We think someone is trying to transmit a flag over WorldChat. Unfortunately, there are so many other people talking that we can’t really keep track of what is going on! Go see if you can find the messenger at shell2017.picoctf.com:48145. Remember to use Ctrl-C to cut the connection if it overwhelms you!
**HINTS**
There are cool command line tools that can filter out lines with specific keywords in them. Check out ‘grep’! You can use the ‘|’ character to put all the output into another process or command (like the grep process)
WriteUp
```text
nc shell2017.picoctf.com 48145 | grep -E "this is part"
14:02:34 flagperson: this is part 1/8 of the flag - 748a
14:02:35 flagperson: this is part 2/8 of the flag - 3a37
14:02:37 flagperson: this is part 3/8 of the flag - ce62
14:02:38 flagperson: this is part 4/8 of the flag - e537
14:02:42 flagperson: this is part 5/8 of the flag - 4552
14:02:43 flagperson: this is part 6/8 of the flag - c31f
14:02:46 flagperson: this is part 7/8 of the flag - 5319
14:02:48 flagperson: this is part 8/8 of the flag - 30dc
14:02:49 flagperson: this is part 1/8 of the flag - 748a
14:02:50 flagperson: this is part 2/8 of the flag - 3a37
14:02:50 flagperson: this is part 3/8 of the flag - ce62
14:02:55 flagperson: this is part 4/8 of the flag - e537
14:03:02 flagperson: this is part 5/8 of the flag - 4552
14:03:14 flagperson: this is part 6/8 of the flag - c31f
14:03:20 flagperson: this is part 7/8 of the flag - 5319
14:03:26 flagperson: this is part 8/8 of the flag - 30dc
14:03:28 flagperson: this is part 1/8 of the flag - 748a
14:03:29 flagperson: this is part 2/8 of the flag - 3a37
14:03:30 flagperson: this is part 3/8 of the flag - ce62
14:03:31 flagperson: this is part 4/8 of the flag - e537
14:03:32 flagperson: this is part 5/8 of the flag - 4552
```
Flag
748a3a37ce62e5374552c31f531930dc
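As an added example (not part of the original writeup), this Python script does what the grep pipeline above leaves to the eye: it picks the messenger's lines out of the chat noise, tolerates the repeated broadcasts, and reports a flag only once all eight parts have been seen. The chat lines are constructed from the output above.

```python
import re

# Matches the messenger's lines: "this is part N/M of the flag - XXXX"
PART_RE = re.compile(r"this is part (\d+)/(\d+) of the flag - ([0-9a-f]+)")

def reassemble_flag(lines):
    """Collect flag fragments from chat lines and join them in order.

    Returns the flag once parts 1..M have all been seen, otherwise None.
    Repeated broadcasts are fine, but a part seen twice must agree.
    """
    parts, total = {}, None
    for line in lines:
        m = PART_RE.search(line)
        if not m:
            continue  # chatter from other users
        idx, n, frag = int(m.group(1)), int(m.group(2)), m.group(3)
        if total is None:
            total = n
        elif n != total:
            raise ValueError("inconsistent part count: %d vs %d" % (n, total))
        if parts.get(idx, frag) != frag:
            raise ValueError("conflicting fragment for part %d" % idx)
        parts[idx] = frag
    if total is None or any(i not in parts for i in range(1, total + 1)):
        return None
    return "".join(parts[i] for i in range(1, total + 1))

# Constructed sample: other users' noise, parts arriving out of order, one repeat
SAMPLE = """14:02:33 bob: anyone got the flag yet?
14:02:34 flagperson: this is part 1/8 of the flag - 748a
14:02:37 flagperson: this is part 3/8 of the flag - ce62
14:02:35 flagperson: this is part 2/8 of the flag - 3a37
14:02:38 alice: lol this is part of the problem
14:02:38 flagperson: this is part 4/8 of the flag - e537
14:02:42 flagperson: this is part 5/8 of the flag - 4552
14:02:43 flagperson: this is part 6/8 of the flag - c31f
14:02:46 flagperson: this is part 7/8 of the flag - 5319
14:02:48 flagperson: this is part 8/8 of the flag - 30dc
14:02:49 flagperson: this is part 1/8 of the flag - 748a""".splitlines()

if __name__ == "__main__":
    print(reassemble_flag(SAMPLE))
```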
Web
1.What Is Web
Someone told me that some guy came up with the “World Wide Web”, using “HTML” and “stuff”. Can you help me figure out what that is? Website.
**HINTS**
How can you figure out how the webpage is actually built?
WriteUp
Page source:
<!-- The first part of the flag (there are 3 parts) is fab79c49d9e -->
kacker.css:
The second part of the flag is 5ba511a0f24
script.js:
The final part of the flag is 36308e33e85
Flag
fab79c49d9e5ba511a0f2436308e33e85
FORENSICS
1.Digital Camouflage
We need to gain access to some routers. Let’s try and see if we can find the password in the captured network data: data.pcap.
**HINTS**
It looks like someone logged in with their password earlier. Where would log in data be located in a network capture?
If you think you found the flag, but it doesn’t work, consider that the data may be encrypted.
WriteUp
Analysed in Wireshark; packet #122, the POST to main.html, carries the login form:
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "userid" = "spiveyp"
Form item: "pswrd" = "S04xWjZQWFZ5OQ=="
Base64-decoding the pswrd value gives the flag.
Flag
KN1Z6PXVy9
2.Special Agent User
We can get into the Administrator’s computer with a browser exploit. But first, we need to figure out what browser they’re using. Perhaps this information is located in a network packet capture we took: data.pcap. Enter the browser and version as “BrowserName BrowserVersion”. NOTE: We’re just looking for up to 3 levels of subversions for the browser version (ie. Version 1.2.3 for Version 1.2.3.4) and ignore any 0th subversions (ie. 1.2 for 1.2.0)
**HINTS**
Where can we find information on the browser in networking data? Maybe try reading up on user-agent strings.
WriteUp
Look for the User-Agent header in the capture:
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Flag
Chrome 40.0.2214
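Added example covering both forensics tasks above (not code from the original writeup): a small raw-HTTP-request parser, the base64 decode of the captured pswrd field from Digital Camouflage, and the User-Agent version trimming that Special Agent User asks for (at most three version components, trailing .0 dropped). The request below is constructed to resemble packet #122; it is not the real capture bytes.

```python
import base64
import re
from urllib.parse import parse_qs

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def form_credentials(body):
    """Return (userid, decoded pswrd) from a urlencoded login body.
    As the hint warns, the value is not plaintext; here it is base64."""
    form = parse_qs(body)
    pswrd = base64.b64decode(form["pswrd"][0]).decode("ascii")
    return form["userid"][0], pswrd

def browser_version(user_agent, levels=3):
    """Chrome/40.0.2214.93 -> 'Chrome 40.0.2214': keep at most `levels`
    version components and drop trailing .0 ones, as the challenge asks."""
    m = re.search(r"(Chrome|Firefox|Edge)/([0-9.]+)", user_agent)
    if not m:
        return None
    comps = m.group(2).split(".")[:levels]
    while len(comps) > 1 and comps[-1] == "0":
        comps.pop()
    return "%s %s" % (m.group(1), ".".join(comps))

# Constructed request standing in for packet #122 (hypothetical host name)
SAMPLE_REQUEST = (
    "POST /main.html HTTP/1.1\r\n"
    "Host: router.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=spiveyp&pswrd=S04xWjZQWFZ5OQ%3D%3D"
)

if __name__ == "__main__":
    hdrs, body = parse_http_request(SAMPLE_REQUEST)
    print(form_credentials(body), browser_version(hdrs["user-agent"]))
```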
CRYPTOGRAPHY
1.Keyz
While webshells are nice, it’d be nice to be able to login directly. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. Make sure to copy it correctly! The key is in the ssh banner, displayed when you login remotely with ssh, to shell2017.picoctf.com
**HINTS**
There are plenty of tutorials out there. This one covers key generation: https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html
Then, use the web shell to copy/paste it, and use the appropriate tool to ssh to the server using your key
WriteUp
http://www.laozuo.org/2811.html
Flag
who_needs_pwords_anyways
2.Substitute
A wizard (he seemed kinda odd…) handed me this. Can you figure out what it says?
**HINTS**
There are tools that make this easy.
WriteUp
A letter-substitution cipher.
Solved with an online tool:
http://quipqiup.com/
Flag
THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS.
MASTER CHALLENGE
Lazy Dev
I really need to login to this website, but the developer hasn’t implemented login yet. Can you help?
**HINTS**
Where does the password check actually occur?
Can you interact with the javascript directly?
WriteUp
Look at the page source: a segment of the JS file is broken and always returns false.
```javascript
//Validate the password. TBD!
function validate(pword){
    //TODO: Implement me
    return true;
}
//Make an ajax request to the server
function make_ajax_req(input){
    var text_response;
    var http_req = new XMLHttpRequest();
    var params = "pword_valid=" + input.toString();
    http_req.open("POST", "login", true);
    http_req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http_req.onreadystatechange = function() {//Call a function when the state changes.
        if(http_req.readyState == 4 && http_req.status == 200) {
            document.getElementById("res").innerHTML = http_req.responseText;
        }
    }
    http_req.send(params);
}
//Called when the user submits the password
function process_password(){
    var pword = document.getElementById("password").value;
    var res = validate(pword);
    var server_res = make_ajax_req(res);
}
```
The problematic part is:
```javascript
function validate(pword){
    //TODO: Implement me
    return true;
}
```
The result is that the request sends pword_valid=false (var params = "pword_valid=" + input.toString();).
Open the browser's DevTools (F12), debug it, and change the value to true.
Flag
client_side_is_the_dark_sidebde1f567656f8c9b654a1ec24e1ff889
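Added example, not the challenge's server code (which is not on the page): the same login handled two ways in Python. The first trusts the client's pword_valid verdict exactly as make_ajax_req sends it; the second ignores that field and checks the credential on the server. The user, password and salt are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed credential store (hypothetical user, password and salt).
# Only a salted PBKDF2 digest lives on the server; nothing about it ships in the JavaScript.
SALT = b"constructed-demo-salt"

def _digest(pword):
    return hashlib.pbkdf2_hmac("sha256", pword.encode("utf-8"), SALT, 100_000)

USERS = {"admin": _digest("correct horse battery staple")}

def login_trusting_client(body):
    """The challenge's pattern: the browser runs validate() and POSTs its
    verdict as pword_valid, so any client can simply send pword_valid=true."""
    form = parse_qs(body)
    return form.get("pword_valid", ["false"])[0] == "true"

def login_server_side(body):
    """Hardened: the browser sends the credential itself and the server does
    the check; a pword_valid field added by the client is ignored."""
    form = parse_qs(body)
    user = form.get("user", [""])[0]
    pword = form.get("pword", [""])[0]
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(_digest(pword), stored)

if __name__ == "__main__":
    print(login_trusting_client("pword_valid=true"))   # True: the dark side
    print(login_server_side("pword_valid=true"))       # False
```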
Level 2
Web
1.My First SQL
I really need access to website, but I forgot my password and there is no reset. Can you help?
**HINTS**
Have you heard about SQL injection?
WriteUp
Payload:
user: 1' or ''='
password: 1' or ''='
Flag
be_careful_what_you_let_people_ask_104d9ea430b41fb4c5560eecc0652111
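Added example (not from the original writeup) showing why the payload above works and what the query should have looked like. The users table is constructed in an in-memory SQLite database; the vulnerable handler splices the inputs into the SQL text, the hardened one passes them as parameters.

```python
import sqlite3

PAYLOAD = "1' or ''='"   # the writeup's payload for both fields

def make_db():
    """Constructed in-memory users table standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return con

def login_concat(con, user, password):
    """Vulnerable: the inputs become part of the SQL. With the payload the
    WHERE clause reads  name = '1' or ''='' AND password = '1' or ''=''
    and the trailing ''='' is true for every row."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()

def login_param(con, user, password):
    """Hardened: placeholders keep the inputs as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    con = make_db()
    print(login_concat(con, PAYLOAD, PAYLOAD))   # ('alice',): logged in without a password
    print(login_param(con, PAYLOAD, PAYLOAD))    # None
```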
2.TW_GR_E1_ART
Oh, sweet, they made a spinoff game to Toaster Wars! That last room has a lot of flags in it though. I wonder which is the right one…? Check it out here.
**HINTS**
I think this game is running on a Node.js server. If it’s configured poorly, you may be able to access the server’s source. If my memory serves me correctly, Node servers have a special file that lists dependencies and a start command; maybe you can use that file to figure out where the other files are?
MISC
1.Yarn
I was told to use the linux strings command on yarn, but it doesn’t work. Can you help? I lost the flag in the binary somewhere, and would like it back
**HINTS**
What does the strings command use to determine if something is a string?
Is there an option to change the length of what strings considers as valid?
WriteUp
Opening the binary in WinHex shows Submit_me_for_I_am_the_flag, which is the flag.
Or, on Linux, run the following (-n 2 lowers the minimum string length from the default 4, and -d scans only the data sections):
strings -n 2 -d yarn
Flag
Submit_me_for_I_am_the_flag
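Added example (not from the original writeup) of why the default strings run comes up empty: a minimal model of `strings -n N` run over a constructed stand-in for the yarn binary in which the flag is stored as 3-byte pieces separated by NUL bytes. The layout is hypothetical and the -d section filter is not modelled.

```python
import re

def strings(data, min_len=4):
    """Minimal model of `strings -n N`: runs of at least N printable ASCII
    bytes (0x20..0x7e). GNU strings defaults to N=4, which is the catch."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def recover_split_flag(data, min_len=2):
    """Join the short runs that only appear once the threshold is lowered."""
    seen_at_default = set(strings(data, 4))
    return "".join(s for s in strings(data, min_len) if s not in seen_at_default)

# Constructed stand-in for the yarn binary (hypothetical layout, not the real file):
# one ordinary long string, then the flag as 3-byte pieces separated by NULs.
FLAG = "Submit_me_for_I_am_the_flag"
PIECES = [FLAG[i:i + 3].encode("ascii") for i in range(0, len(FLAG), 3)]
SAMPLE_BINARY = (b"\x00\x01\x02/lib64/ld-linux-x86-64.so.2\x00\x00"
                 + b"\x00".join(PIECES) + b"\x00\x03\x04")

if __name__ == "__main__":
    print(strings(SAMPLE_BINARY))      # default threshold: the flag is invisible
    print(strings(SAMPLE_BINARY, 2))   # -n 2: the pieces show up
    print(recover_split_flag(SAMPLE_BINARY))
```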
2.Mystery Box
You’ve found a mystery machine with a sticky note attached to it! Oh, there’s also this picture of the machine you found.
**HINTS**
It really gets your gears Turing.
I hear there’s something Naval about it.
WriteUp
It is an Enigma machine. Decrypt it online with the settings from the sticky note:
http://enigma.louisedade.co.uk/enigma.html?m3;b;b123;ALOG;APPP;FH-GL
Flag
QUITEPUZZLINGINDEED