/home/twachowski/CTFwriteups/picoctf/ # ls

picoCTF

2019

Irish-Name-Repo 1
Irish-Name-Repo 2
Irish-Name-Repo 3
flag_shop

2021

It is my Birthday
Mod 26
New Caesar
Obedient Cat
Wireshark doo dooo do doo...
Wireshark twoo twooo two twoo...



Irish-Name-Repo 1

Category: Web Exploitation

Description

There is a website running at https://jupiter.challenges.picoctf.org/problem/33850/ or http://jupiter.challenges.picoctf.org:33850. Do you think you can log us in? Try to see if you can login!

Solution

The place to look for a potential flag is the Admin login. Inspecting the page reveals that the form sends three parameters - username, password and debug. We can modify the request with Burp and set debug=1. The response looks like this

username: user
password: pass
SQL query: SELECT * FROM users WHERE name='user' AND password='pass'
Login failed.

That looks like a classic SQL injection. To perform the attack we send admin as the username and ' or 1=1;-- as the password. As a response we receive

Logged in!
Your flag is: picoCTF{s0m3_SQL_f8adf3fb}




Irish-Name-Repo 2

Category: Web Exploitation

Description

There is a website running at https://jupiter.challenges.picoctf.org/problem/64649/ or http://jupiter.challenges.picoctf.org:64649. Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still login!

Solution

This is the follow-up to part nr 1. Again, we’ll focus on the Admin login. Setting debug=1 in Burp reveals the following response

username: user
password: pass
SQL query: SELECT * FROM users WHERE name='user' AND password='pass'

To solve this, we simply type admin';-- as the username and leave the password empty. We get our flag

Logged in!
Your flag is: picoCTF{m0R3_SQL_plz_aee925db}




Irish-Name-Repo 3

Category: Web Exploitation

Description

There is a secure website running at https://jupiter.challenges.picoctf.org/problem/54253/ or http://jupiter.challenges.picoctf.org:54253. Try to see if you can login as admin!

Solution

This is the follow-up to part nr 2. Once again, we’ll focus on the Admin login. This time, we only have a password input available. Setting debug=1 in Burp reveals the following response

password: password
SQL query: SELECT * FROM admin where password = 'cnffjbeq'

We can easily check that the password is rot13 encoded before it is placed in the query. To inject ' or 1=1;-- as the password we simply run it through some rot13 tool to get ' be 1=1;--. Inputting this solves the challenge

Logged in!
Your flag is: picoCTF{3v3n_m0r3_SQL_7f5767f6}
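The three Irish-Name-Repo bypasses above, reproduced against a constructed in-memory SQLite table (added example, not the challenge's own code): the string-built query from the debug output accepts all three payloads, including the rot13 variant, while the parameterised query rejects them and still accepts the real credentials. The table, the credentials and the function names are assumptions.

```python
import codecs
import sqlite3

# Constructed in-memory stand-in for the challenge's users table; the credentials are made up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")


def login_vulnerable(name, password, rot13_password=False):
    """Build the query by string concatenation, exactly as the debug output shows.
    rot13_password=True models part 3, where the server rot13-transforms the password
    before splicing it into the query: an encoding step, not a sanitisation step."""
    if rot13_password:
        password = codecs.encode(password, "rot_13")
    query = f"SELECT * FROM users WHERE name='{name}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(name, password):
    """Parameterised query: the driver passes the values separately from the SQL text,
    so quotes, OR clauses and comment markers in the input never reach the parser as SQL."""
    query = "SELECT * FROM users WHERE name=? AND password=?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo():
    return {
        # part 1: a tautology in the password, with the closing quote commented out
        "repo1": login_vulnerable("admin", "' or 1=1;--"),
        # part 2: close the name clause early and comment out the password check
        "repo2": login_vulnerable("admin';--", ""),
        # part 3: rot13("' be 1=1;--") == "' or 1=1;--", so the encoding changes nothing
        "repo3": login_vulnerable("admin", "' be 1=1;--", rot13_password=True),
        # the same three inputs against the parameterised version
        "safe1": login_safe("admin", "' or 1=1;--"),
        "safe2": login_safe("admin';--", ""),
        "safe3": login_safe("admin", "' be 1=1;--"),
        # the legitimate credentials still work with the parameterised query
        "safe_ok": login_safe("admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'Logged in!' if logged_in else 'Login failed.'}")
```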




It is my Birthday

Category: Web exploitation

Description

I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website.

Solution

After entering the site we can see two file uploads. The name of the challenge is a reference to the birthday paradox. It hints that we somehow have to obtain or make two .pdf files that produce the same MD5 hash.

A little bit of googling turns up two messages that have the same MD5 hash: message1.bin and message2.bin. After renaming them to message1.pdf and message2.pdf we can upload them to the site. Now we can see some PHP code with our flag commented out

// FLAG: picoCTF{c0ngr4ts_u_r_1nv1t3d_40d81ca2}




Mod 26

Category: Cryptography

Description

Cryptography can be easy, do you know what ROT13 is?

cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_Ncualgvd}

Solution

Rot13 is a special case of the Caesar cipher. To get the flag, we simply paste the data into CyberChef or rot13.com, or use the rot13 command on Linux (provided by the hxtools package on Debian/Ubuntu/Kali or bsd-games on Arch/Fedora).

cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_Ncualgvd}
picoCTF{next_time_I'll_try_2_rounds_of_rot13_Aphnytiq}




New Caesar

Category: Cryptography

Description

We found a brand new type of encryption, can you break the secret code? (Wrap with picoCTF{})

A file was attached.

Solution

LOWERCASE_OFFSET = 97
ALPHABET = 'abcdefghijklmnop'

After analysing the Python file we know it works like this:

  1. Take the plaintext and the key; check that the key has length 1 and is in the range a-p.
  2. Encode the plaintext with a custom Base16: take each byte, split it into its high 4 bits and low 4 bits, convert each half to decimal and use it as an index into the ALPHABET variable.
  3. For each letter of the Base16 output, take its offset from LOWERCASE_OFFSET (97); do the same for the key. Add the two offsets together, reduce the sum modulo 16 and map the result back to a letter of ALPHABET.

To decode it, we must reverse this process and brute-force the key. An example script may look like this

import string

LOWERCASE_OFFSET = ord("a")  # 97
ALPHABET = string.ascii_lowercase[:16]  # a-p

def b16_decode(ciphered):
    # Undo step 2: every pair of ALPHABET letters is one byte (high nibble, low nibble)
    dec = ""
    for i in range(len(ciphered) // 2):
        b1 = "{0:04b}".format(ALPHABET.index(ciphered[2*i]))
        b2 = "{0:04b}".format(ALPHABET.index(ciphered[2*i+1]))
        dec += chr(int(b1 + b2, 2))
    return dec

def rev_shift(ciphered, key):
    # Undo step 3: subtract the key's offset from every letter, modulo 16
    dec = ""
    for c in ciphered:
        t1 = (ALPHABET.index(c) - (ord(key) - LOWERCASE_OFFSET)) % 16
        dec += ALPHABET[t1]
    return dec

def main():
    enc = "mlnklfnknljflfjljnjijjmmjkmljnjhmhjgjnjjjmmkjjmijhmkjhjpmkmkmljkjijnjpmhmjjgjj"
    # Only 16 keys are possible, so simply try all of them and print each candidate
    for key in ALPHABET:
        flag = b16_decode(rev_shift(enc, key))
        print(key, ": ", flag)


if __name__ == '__main__':
    main()

Most of the keys return gibberish, but the key g returns et_tu?_5723f4e71a0736d3b1d19dde4279ac03. It is a reference to William Shakespeare’s play Julius Caesar. Wrapping the answer in the flag format, we get our answer

picoCTF{et_tu?_5723f4e71a0736d3b1d19dde4279ac03}
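The forward cipher from steps 1-3 above together with its inverse, as an added example rather than the challenge's attached file: encrypting the recovered flag with key g must reproduce the ciphertext from the script, which confirms the analysis of the file. The function names are mine.

```python
import string

LOWERCASE_OFFSET = ord("a")  # 97
ALPHABET = string.ascii_lowercase[:16]  # a-p: 16 symbols, so one symbol carries 4 bits


def b16_encode(plain):
    """Step 2: split every byte into its high and low nibble; each nibble indexes ALPHABET."""
    enc = ""
    for ch in plain:
        value = ord(ch)
        enc += ALPHABET[value >> 4] + ALPHABET[value & 0x0F]
    return enc


def shift(c, key):
    """Step 3: add the key's offset to the symbol's offset, modulo 16, back into ALPHABET."""
    t1 = ord(c) - LOWERCASE_OFFSET
    t2 = ord(key) - LOWERCASE_OFFSET
    return ALPHABET[(t1 + t2) % len(ALPHABET)]


def new_caesar_encrypt(plain, key):
    """Steps 1-3: validate the key, Base16-encode the plaintext, then shift every symbol.
    The key is one of only 16 letters, which is why brute-forcing it is cheap."""
    if len(key) != 1 or key not in ALPHABET:  # step 1
        raise ValueError("key must be a single letter in the range a-p")
    return "".join(shift(c, key) for c in b16_encode(plain))


def new_caesar_decrypt(cipher, key):
    """Inverse: un-shift every symbol, then fold each pair of nibbles back into one byte."""
    if len(key) != 1 or key not in ALPHABET:
        raise ValueError("key must be a single letter in the range a-p")
    delta = ord(key) - LOWERCASE_OFFSET
    nibbles = [(ALPHABET.index(c) - delta) % 16 for c in cipher]
    return "".join(chr((hi << 4) | lo) for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


if __name__ == "__main__":
    flag = "et_tu?_5723f4e71a0736d3b1d19dde4279ac03"
    cipher = new_caesar_encrypt(flag, "g")
    print(cipher)
    print(new_caesar_decrypt(cipher, "g"))
```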




Obedient cat

Category: General skills

Description

This file has a flag in plain sight (aka “in-the-clear”).

A file was attached.

Solution

After running file on the new download, we get the output:

flag: ASCII text

which means we should be able to read it like a normal .txt file. We run less on the file to view its contents. We can then read the flag: picoCTF{s4n1ty_v3r1f13d_2aa22101}.




Wireshark doo dooo do doo…

Category: Forensics

Description

Can you find the flag?

A file was attached.

Solution

After opening shark.pcapng with Wireshark we can see several captured packets. After sorting them by source IP, selecting a packet from 192.168.38.104 and using the Follow TCP Stream option, we discover something similar to our flag, but the letters seem shifted.

Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}

It’s clearly a Caesar cipher. After running rot13 on it we get

$ rot13
Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}
The flag is picoCTF{p33kab00_1_s33_u_deadbeef}




Wireshark twoo twooo two twoo…

Category: Forensics

Description

Can you find the flag?

A file was attached.

Solution

We start similarly to part 1. After opening shark2.pcapng with Wireshark we can see several captured packets. After searching for pico we discover some potential flags like

picoCTF{bfe48e8500c454d647c55a4471985e776a07b26cba64526713f43758599aa98b}
picoCTF{e1d0a752dc71121200f4bcb1b8cc2e03e84488df229b82196afbe0045ef025c4}

There are a lot more of them, so we can try to extract every object with this format and process them together. To do that, we export the HTTP objects with a flag filter and merge them all into one file. One way to do it is:

for f in flag*; do (cat "${f}"; echo) >> flags.txt; done


Unfortunately, an attempt to decode any of the flags leaves us with no answer.

WARNING: As of 25 April 2021 the website reddshrimpandherring.com is unfortunately DOWN.


After searching a bit longer, we notice lots of queries for different subdomains of reddshrimpandherring.com. After visiting this website, we are greeted with this text

Congrats! Was that tooooo easy?

Flag: cGljb0NURntmMXNoeV9zMXR1NHRpMG5fc2VsYmF0X3liYm9iX2VsdHRpbH0=

After decoding it with Base64 we get picoCTF{f1shy_s1tu4ti0n_selbat_ybbob_elttil}. Sadly, as the domain name suggests, it is a red herring. Analysing the DNS traffic further, we notice fQ== in one of the subdomains, which looks like the padded ending of a Base64 string. To reassemble the suspected message, we apply the filter dns and ip.dst == 18.217.1.57, sort by No., and feed the subdomain labels in that order into a Base64 decoder.

cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==
picoCTF{dns_3xf1l_ftw_deadbeef}

Then we paste our flag into picoCTF website to get the points.
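The manual reassembly above (filter the DNS queries to one resolver, sort by frame number, concatenate the leftmost labels, Base64-decode) as detection logic over a constructed log; this is an added example and not part of the original writeup. The log lines, the client IP 10.0.0.5, the 8.8.8.8 decoy query and the way the page's Base64 string is split into labels are all constructed; 18.217.1.57 and the domain are the values from the capture.

```python
import base64
import re

# Constructed DNS log in the shape "<frame no> <src ip> <dst ip> <query name>"; not taken from
# shark2.pcapng. The page's Base64 string is split over four queries to the exfil resolver,
# with an unrelated query to a public resolver mixed in.
DNS_LOG = """\
4 10.0.0.5 18.217.1.57 cGljb0NURntk.reddshrimpandherring.com
9 10.0.0.5 8.8.8.8 www.reddshrimpandherring.com
15 10.0.0.5 18.217.1.57 ZnR3X2RlYWRi.reddshrimpandherring.com
12 10.0.0.5 18.217.1.57 bnNfM3hmMWxf.reddshrimpandherring.com
21 10.0.0.5 18.217.1.57 ZWVmfQ==.reddshrimpandherring.com
"""

# A label made only of Base64 characters, optionally padded, is a candidate exfil chunk.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_log(text):
    """Turn the log into (frame_no, src, dst, qname) tuples; frame_no is an int so sorting
    restores capture order even when lines arrive shuffled."""
    rows = []
    for line in text.splitlines():
        no, src, dst, qname = line.split()
        rows.append((int(no), src, dst, qname))
    return rows


def exfil_labels(rows, resolver, domain):
    """The 'dns and ip.dst == <resolver>' filter plus 'sort by No.': return the leftmost
    label of each matching query, in frame order, keeping only Base64-looking labels."""
    labels = []
    for _no, _src, dst, qname in sorted(rows):
        if dst != resolver or not qname.endswith("." + domain):
            continue
        label = qname[: -len(domain) - 1]
        if B64_LABEL.match(label):
            labels.append(label)
    return labels


def reassemble(rows, resolver, domain):
    """Concatenate the chunks and Base64-decode them into the exfiltrated message."""
    return base64.b64decode("".join(exfil_labels(rows, resolver, domain))).decode()


if __name__ == "__main__":
    rows = parse_log(DNS_LOG)
    print(reassemble(rows, "18.217.1.57", "reddshrimpandherring.com"))
```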




flag_shop

Category: General Skills

Description

There’s a flag shop selling stuff, can you buy a flag? Connect with nc jupiter.challenges.picoctf.org 4906

A file was attached.

Solution

After connecting to the server and selecting option nr 2 we can see

Currently for sale
1. Defintely not the flag Flag
2. 1337 Flag

The second flag costs more than our balance, so we have to find a way to make the balance higher. The easiest option would be to enter a negative quantity for option 1, but unfortunately the program is prepared for that. However, if we type in the int maximum value 2147483647 we get:

The final cost is: -900

Your current balance after transaction: 2000

To make our balance higher, we simply subtract a little from the maximum value. Entering 2147482000 should do the trick.

The final cost is: -1483200

Your current balance after transaction: 1485200

Indeed, our balance is now sufficient to buy the second flag. We get the answer:

YOUR FLAG IS: picoCTF{m0n3y_bag5_9c5fac9b}
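The overflow behind the two transactions above, modelled in Python as an added example (not the challenge's attached source): a 32-bit signed multiplication wraps negative, the negative-quantity check never sees it, and the "cost" is subtracted from the balance, raising it. The unit price of 900 and the starting balance of 1100 are assumptions chosen because they reproduce both totals and both balances shown above; the hardened version bounds the quantity before multiplying.

```python
INT_MAX = 2**31 - 1


def to_int32(value):
    """Wrap an arbitrary integer to a signed 32-bit two's-complement value,
    the way a fixed-width int silently does on overflow."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT_MAX else value


def purchase_vulnerable(balance, quantity, price):
    """The shop's logic as observed: a negative quantity is rejected, but quantity * price
    is computed in 32 bits, so a huge quantity wraps to a negative cost that is then
    subtracted from the balance. Returns (cost, new_balance)."""
    if quantity < 0:
        raise ValueError("negative quantities are rejected")
    cost = to_int32(quantity * price)
    if cost > balance:
        raise ValueError("insufficient funds")  # a negative cost always passes this check
    return cost, balance - cost


def purchase_safe(balance, quantity, price):
    """Hardened version: reject non-positive quantities and any quantity whose total would
    not fit in 32 bits *before* multiplying, then compare the true cost with the balance."""
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    if quantity > INT_MAX // price:
        raise OverflowError("quantity too large: total cost would overflow")
    cost = quantity * price
    if cost > balance:
        raise ValueError("insufficient funds")
    return cost, balance - cost


if __name__ == "__main__":
    balance = 1100  # assumed starting balance (2000 + 900 works back from the first transaction)
    cost, balance = purchase_vulnerable(balance, 2147483647, 900)
    print("The final cost is:", cost, "- balance after transaction:", balance)
    cost, balance = purchase_vulnerable(balance, 2147482000, 900)
    print("The final cost is:", cost, "- balance after transaction:", balance)
```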