PicoCTF WriteUp

Level 1

MISC

1.Internet Kitties

I was told there was something at IP shell2017.picoctf.com with port 24369. How do I get there? Do I need a ship for the port?

**** HINTS

Look at using the netcat (nc) command!

To figure out how to use it, you can run “man nc” or “nc -h” on the shell, or search for it on the interwebz

WriteUp

nc shell2017.picoctf.com 24369

Flag

648defaaba45452729b7179f0603df05

2.Piazza

Have questions about pico? You can ask here. The access code is 31337.

WriteUp

注册Piazza的picoCTF课程。

Flag

flag{ask_and_hop3fully_we_can_help}

3.Leaf of the Tree

We found this annoyingly named directory tree starting at /problems/5da315e9c7f1c9886ea371abee5ae8d0. It would be pretty lame to type out all of those directory names but maybe there is something in there worth finding? And maybe we dont need to type out all those names…? Follow the trunk, using cat and ls!

**** HINTS

Tab completion is a wonderful, wonderful thing

WriteUp

lanvnal@shell-web:~$ cd /problems/5da315e9c7f1c9886ea371abee5ae8d0    
lanvnal@shell-web:/problems/5da315e9c7f1c9886ea371abee5ae8d0$ find | grep flag
./trunk/trunke655/trunk8845/trunk9942/trunk2d10/trunk55d8/trunke715/trunkb041/flag                lanvnal@shellweb:/problems/5da315e9c7f1c9886ea371abee5ae8d0$cat trunk/trunke655/trunk8845/trunk9942/trunk2d10/trunk55d8/trunke715/trunkb041/flag
42eed2e89ae8b05b56555f65e0ab81aa

Flag

42eed2e89ae8b05b56555f65e0ab81aa

4.looooong

I heard you have some “delusions of grandeur” about your typing speed. How fast can you go at shell2017.picoctf.com:59858?

**** HINTS

Use the nc command to connect!

I hear python is a good means (among many) to generate the needed input.

It might help to have multiple windows open

WriteUp

我的方法(捂脸

print "x" * time
然后复制
（逃

dalao的方法，python

import re
import socket

# Open socket
s = socket.socket()
s.connect(("shell2017.picoctf.com",44909))

# Receive initial instructions
instructions = s.recv(4096).decode("utf-8")
print(instructions)

# Parse instructions
letter = re.search("'([A-Za-z])' character", instructions).group(1)
count = int(re.search("'([0-9]+)' times", instructions).group(1))
end = re.search("followed by a single '([a-zA-Z0-9])'", instructions).group(1)

# Parse reply
reply = (letter * count) + end + "\n"

# Send reply
s.send(reply.encode("utf-8"))

# Receive reply to reply
print(s.recv(4096).decode("utf-8"))

Flag

Flag: with_some_recognition_and_training_delusions_become_glimpses_84bb3b369444af45f140fa500f5e54c3

5.Leaf of the Forest

We found an even bigger directory tree hiding a flag starting at /problems/db39b5c002d8445dc6d2bbf49a8ccc37. It would be impossible to find the file named flag manually…

**** HINTS

Is there a search function in Linux? Like if I wanted to ‘find’ something…

WriteUp

lanvnal@shell-web:/problems/5da315e9c7f1c9886ea371abee5ae8d0$ cd /problems/db39b5c002d8445dc6d2bbf49a8ccc37                                 
lanvnal@shell-web:/problems/db39b5c002d8445dc6d2bbf49a8ccc37$ find | grep flag
./forest/treeada53a/trunkb393/trunkb8ea/trunka3c4/trunk639d/trunk324e/trunk0bf8/trunkf462/branchd463/flag
lanvnal@shell-web:/problems/db39b5c002d8445dc6d2bbf49a8ccc37$ cat forest/treeada53a/trunkb393/trunkb8ea/trunka3c4/trunk639d/trunk324e/trunk0bf8/trunkf462/branchd463/flag
c99501b0fe95402ed1c9191102fe1b68l

Flag

c99501b0fe95402ed1c9191102fe1b68l

6.WorldChat

We think someone is trying to transmit a flag over WorldChat. Unfortunately, there are so many other people talking that we can’t really keep track of what is going on! Go see if you can find the messenger at shell2017.picoctf.com:48145. Remember to use Ctrl-C to cut the connection if it overwhelms you!

**** HINTS

There are cool command line tools that can filter out lines with specific keywords in them. Check out ‘grep’! You can use the ‘|’ character to put all the output into another process or command (like the grep process)

WriteUp

nc shell2017.picoctf.com 48145 | grep -E "this is part"

14:02:34 flagperson: this is part 1/8 of the flag - 748a
14:02:35 flagperson: this is part 2/8 of the flag - 3a37
14:02:37 flagperson: this is part 3/8 of the flag - ce62
14:02:38 flagperson: this is part 4/8 of the flag - e537
14:02:42 flagperson: this is part 5/8 of the flag - 4552
14:02:43 flagperson: this is part 6/8 of the flag - c31f
14:02:46 flagperson: this is part 7/8 of the flag - 5319
14:02:48 flagperson: this is part 8/8 of the flag - 30dc
14:02:49 flagperson: this is part 1/8 of the flag - 748a
14:02:50 flagperson: this is part 2/8 of the flag - 3a37
14:02:50 flagperson: this is part 3/8 of the flag - ce62
14:02:55 flagperson: this is part 4/8 of the flag - e537
14:03:02 flagperson: this is part 5/8 of the flag - 4552
14:03:14 flagperson: this is part 6/8 of the flag - c31f
14:03:20 flagperson: this is part 7/8 of the flag - 5319
14:03:26 flagperson: this is part 8/8 of the flag - 30dc
14:03:28 flagperson: this is part 1/8 of the flag - 748a
14:03:29 flagperson: this is part 2/8 of the flag - 3a37
14:03:30 flagperson: this is part 3/8 of the flag - ce62
14:03:31 flagperson: this is part 4/8 of the flag - e537
14:03:32 flagperson: this is part 5/8 of the flag - 4552

Flag

748a3a37ce62e5374552c31f531930dc

Web

1.What Is Web

Someone told me that some guy came up with the “World Wide Web”, using “HTML” and “stuff”. Can you help me figure out what that is? Website.

**** HINTS

How can you figure out how the webpage is actually built?

WriteUp

源码-->
<!-- The first part of the flag (there are 3 parts) is fab79c49d9e -->
kacker.css-->
The second part of the flag is 5ba511a0f24 
script.js-->
The final part of the flag is 36308e33e85

Flag

fab79c49d9e5ba511a0f2436308e33e85

FORENSICS

1.Digital Camouflage

We need to gain access to some routers. Let’s try and see if we can find the password in the captured network data: data.pcap.

**** HINTS

It looks like someone logged in with their password earlier. Where would log in data be located in a network capture?

If you think you found the flag, but it doesn’t work, consider that the data may be encrypted.

WriteUp

Wireshark分析，找到数据包#122，main.html

HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "userid" = "spiveyp"
    Form item: "pswrd" = "S04xWjZQWFZ5OQ=="

Base64解码得到flag。

Flag

KN1Z6PXVy9

2.Special Agent User

We can get into the Administrator’s computer with a browser exploit. But first, we need to figure out what browser they’re using. Perhaps this information is located in a network packet capture we took: data.pcap. Enter the browser and version as “BrowserName BrowserVersion”. NOTE: We’re just looking for up to 3 levels of subversions for the browser version (ie. Version 1.2.3 for Version 1.2.3.4) and ignore any 0th subversions (ie. 1.2 for 1.2.0)

** HINTS**

Where can we find information on the browser in networking data? Maybe try reading up on user-agent strings.

WriteUp

找UA
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36

Flag

Chrome 40.0.2214

CRYPTOGRAPHY

1.Keyz

While webshells are nice, it’d be nice to be able to login directly. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. Make sure to copy it correctly! The key is in the ssh banner, displayed when you login remotely with ssh, to shell2017.picoctf.com

**** HINTS

There are plenty of tutorials out there. This one covers key generation: https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html

Then, use the web shell to copy/paste it, and use the appropriate tool to ssh to the server using your key

WriteUp

http://www.laozuo.org/2811.html

Flag

who_needs_pwords_anyways

2.Substitute

A wizard (he seemed kinda odd…) handed me this. Can you figure out what it says?

**** HINTS

There are tools that make this easy this.

WriteUp

字母替换
工具解决。
http://quipqiup.com/

Flag

    THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS.

MASTER CHALLENGE

Lazy Dev

I really need to login to this website, but the developer hasn’t implemented login yet. Can you help?

**** HINTS

Where does the password check actually occur?

Can you interact with the javascript directly?

WriteUp

看一下源码，js文件中有一段有问题导致总是返回false。
//Validate the password. TBD!
function validate(pword){
  //TODO: Implement me
  return true;
}

//Make an ajax request to the server
function make_ajax_req(input){
  var text_response;
  var http_req = new XMLHttpRequest();
  var params = "pword_valid=" + input.toString();
  http_req.open("POST", "login", true);
  http_req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  http_req.onreadystatechange = function() {//Call a function when the state changes.
      if(http_req.readyState == 4 && http_req.status == 200) {
      document.getElementById("res").innerHTML = http_req.responseText;
    }
  }
  http_req.send(params);
}

//Called when the user submits the password
function process_password(){
  var pword = document.getElementById("password").value;
  var res = validate(pword);
  var server_res = make_ajax_req(res);
}
有问题的就是-->
function validate(pword){
  //TODO: Implement me
  return true;
}
导致的就是pword_valid=false。（ var params = "pword_valid=" + input.toString();）
F12进行调试，改为true。

Flag

client_side_is_the_dark_sidebde1f567656f8c9b654a1ec24e1ff889

Level 2

Web

1.My First SQL

I really need access to website, but I forgot my password and there is no reset. Can you help?

**** HINTS

Have you heard about SQL injection?

WriteUp

payload:
user:1' or ''='
password:1' or ''='

Flag

be_careful_what_you_let_people_ask_104d9ea430b41fb4c5560eecc0652111

2.TW_GR_E1_ART

Oh, sweet, they made a spinoff game to Toaster Wars! That last room has a lot of flags in it though. I wonder which is the right one…? Check it out here.

**** HINTS

I think this game is running on a Node.js server. If it’s configured poorly, you may be able to access the server’s source. If my memory serves me correctly, Node servers have a special file that lists dependencies and a start command; maybe you can use that file to figure out where the other files are?

MISC

1.Yarn

I was told to use the linux strings command on yarn, but it doesn’t work. Can you help? I lost the flag in the binary somewhere, and would like it back

**** HINTS

What does the strings command use to determine if something is a string?

Is there an option to change the length of what strings considers as valid?

WriteUp

winhex打开可以看到Submit_me_for_I_am_the_flag，这就是flag。
或
linux下执行命令
strings -n 2 -d flag yarn

Flag

Submit_me_for_I_am_the_flag

####2.Mystery Box

You’ve found a mystery machine with a sticky note attached to it! Oh, there’s also this picture of the machine you found.

**** HINTS

It really gets your gears Turing.

I hear there’s something Naval about it.

WriteUp

Enigma密码机
http://enigma.louisedade.co.uk/enigma.html?m3;b;b123;ALOG;APPP;FH-GL
在线解密

Flag

QUITEPUZZLINGINDEED