
[PicoCTF 2018] - misc - Miscellaneous : Small tasks

This is one of my writeups for PicoCTF 2018

I'm collecting solutions to small tasks in the "Miscellaneous" category here, since they are too short to warrant individual posts.

General Warmup 1

Problem

If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?

Solution

We could check the ASCII table or just use Python :

>>> chr(0x41)
'A'

The flag is picoCTF{A}

General Warmup 2

Problem

Can you convert the number 27 (base 10) to binary (base 2)?

Solution

We could do this by hand, or use python too !

>>> bin(27)
'0b11011'

Removing the 0b prefix, our flag is picoCTF{11011}.

General Warmup 3

Problem

What is 0x3D (base 16) in decimal (base 10).

Solution

Same as above, let's use python :

>>> int(0x3D)
61

Flag : picoCTF{61}

Resources

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources

Just grab the flag from the bottom of the page : picoCTF{xiexie_ni_lai_zheli}

Grep 1

Problem

Can you find the flag in file ? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_1_35b9930ca897512a4d00b43d26eac73d on the shell server.

Hint :

  1. grep tutorial

Solution

We know the flag format, so we can just grep for that :

grep 'picoCTF{.*}' file

The flag is returned : picoCTF{grep_and_you_will_find_c709fa94}

Net Cat

Problem

Using netcat (nc) will be a necessity throughout your adventure. Can you connect to 2018shell3.picoctf.com at port 22847 to get the flag?

Hint :

  1. nc tutorial

Solution

Just run nc 2018shell3.picoctf.com 22847 to get the flag : picoCTF{NEtcat_iS_a_NEcESSiTy_69222dcc}.

Strings

Problem

Can you find the flag in this file without actually running it? You can also find the file in /problems/strings_1_c7bac958dd6a4b695dc72446d8014f59 on the shell server.

Solution

The task name is also its solution : run strings on the file and filter the output with grep to get the flag :

strings strings | grep "picoCTF{.*}"

picoCTF{sTrIngS_sAVeS_Time_2fbe2166}

Pipe

Problem

During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell3.picoctf.com 44310.

Hints :

  1. Remember the flag format is picoCTF{XXXX}
  2. Ever heard of a pipe? No not that kind of pipe... This kind

Solution

We need to pipe the output of netcat to grep:

nc 2018shell3.picoctf.com 44310 | grep "picoCTF{.*}"

and the flag is printed : picoCTF{almost_like_mario_a13e5b27}

Grep 2

Problem

This one is a little bit harder. Can you find the flag in /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files on the shell server? Remember, grep is your friend.

Hint :

  1. grep tutorial

Solution

This time we need to grep through several files scattered in different subdirectories. The -R option is meant for that :

grep -R "picoCTF{.*}" /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files

Gets us another flag : picoCTF{grep_r_and_you_will_find_556620f7}

Aca-Shell-A

Problem

It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with nc 2018shell3.picoctf.com 42334.

Solution

When we connect, we're presented with a limited shell and a series of prompts, each giving a small subtask that tests knowledge of basic Linux commands :

If you need help, type "echo 'Help Me!'" and I'll see what I can do
> echo 'Help Me!'
You got this! Have you looked for any  directories?
> ls
blackmail
executables
passwords
photos
secret
> cd secret
Now we are cookin'! Take a look around there and tell me what you find!
> ls
intel_1
intel_2
intel_3
intel_4
intel_5
profile_ahqueith5aekongieP4ahzugi
profile_ahShaighaxahMooshuP1johgo
profile_aik4hah9ilie9foru0Phoaph0
profile_AipieG5Ua9aewei5ieSoh7aph
profile_bah9Ech9oa4xaicohphahfaiG
profile_ie7sheiP7su2At2ahw6iRikoe
profile_of0Nee4laith8odaeLachoonu
profile_poh9eij4Choophaweiwev6eev
profile_poo3ipohGohThi9Cohverai7e
profile_Xei2uu5suwangohceedaifohs
Sabatoge them! Get rid of all their intel files!
> rm intel*
Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!
> echo 'Drop it in!'
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!
> cd ..
> cd executables
> ls
dontLookHere
> ./dontLookHere
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
> whoami
l33th4x0r
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.
> cd ..
> cp /tmp/TopSecret passwords/
Server shutdown in 10 seconds...
Quick! go read the file before we lose our connection!
> cd passwords
>  cat TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
picoCTF{CrUsHeD_It_d6f202f1}

Environ

Problem

Sometimes you have to configure environment variables before executing a program. Can you find the flag we've hidden in an environment variable on the shell server?

Hint :

  1. unix env

Solution

On the server, grep through the env output for the flag :

env | grep "picoCTF{.*}"

picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}

SSH-Keyz

Problem

As nice as it is to use our webshell, sometimes its helpful to connect directly to our machine. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. The flag is in the ssh banner which will be displayed when you login remotely with ssh to with your username.

Hints :

  1. key generation tutorial
  2. We also have an expert demonstrator to help you along. link

Solution

The linked video details the steps to take. I used ssh-copy-id to install the key a bit faster (on macOS, ssh-copy-id is available via Homebrew).

Once the key is installed, ssh to the server to display the flag : picoCTF{who_n33ds_p4ssw0rds_38dj21}.

What base is this ?

Problem

To be successful on your mission, you must be able read data represented in different ways, such as hexadecimal or binary. Can you get the flag from this program to prove you are ready? Connect with nc 2018shell3.picoctf.com 31711.

Hints :

  1. I hear python is a good means (among many) to convert things.
  2. It might help to have multiple windows open

Solution

We are presented with three different representations of words and must decode each of them within 30 seconds. The first value is presented in binary (base 2), the second one in hexadecimal (base 16) bytes and the third one in octal (base 8).

I made a quick python script and manually called the functions in an IPython shell :

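def step1(input_):
    # Binary: whitespace-separated groups of bits, one group per character
    binchars = input_.split()
    return ''.join(chr(int(c, 2)) for c in binchars)


def step2(input_):
    # Hexadecimal: one unbroken string, two hex digits per character
    out = []
    string = str(input_)
    for index in range(0, len(string), 2):
        byte = string[index:index+2]
        integer = int(byte, 16)
        character = chr(integer)
        out.append(character)
    return ''.join(out)


def step3(input_):
    # Octal: whitespace-separated octal values, one value per character
    return ''.join(chr(int(i, 8)) for i in input_.split())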

After converting the values and passing them back to the server, we obtain the flag : picoCTF{delusions_about_finding_values_68051dea}

You Can't See Me

Problem

'...reading transmission... Y.O.U. .C.A.N.'.T. .S.E.E. .M.E. ...transmission ended...' Maybe something lies in /problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa.

Hints :

  1. What command can see/read files?
  2. What's in the manual page of ls?

Solution

The directory appears empty when first running ls, so we can use the -a flag to show hidden files (any files whose name starts with a .). When we do, three entries are shown : . and .. (pseudo-directories that point to the current and parent directories) and a file that seems to be called ".".

It can't just be called . though, as that would conflict with the . that represents the current working directory. So I tried :

ls -a | awk '{print "\""$0"\""}'

This uses awk to echo the output surrounded with double quotes. When we do this, we can see that the file's name is actually ".  " (a dot followed by two spaces). We can get the flag by running cat ".  " (the quotes will prevent the trailing spaces from being stripped) :

picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_093d6aff}
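The quoting trick above can be turned into a small directory audit. The following is an added example, not part of the original writeup: it generalizes the check from trailing spaces to any name that prints misleadingly, and the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile
import unicodedata


def deceptive_names(directory):
    """Return (repr(name), reasons) for entries whose printed name misleads."""
    findings = []
    # os.listdir() never returns the real . and .. entries, so anything
    # that looks like them is an ordinary file or directory.
    for name in sorted(os.listdir(directory)):
        reasons = []
        if name != name.strip():
            reasons.append("leading/trailing whitespace")
        if name.strip() in (".", ".."):
            reasons.append("imitates a pseudo-directory")
        if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
            reasons.append("control or invisible format character")
        if reasons:
            # repr() plays the role of the awk quoting: it makes spaces
            # and escape characters visible.
            findings.append((repr(name), reasons))
    return findings


def demo():
    """Build a constructed directory resembling the challenge and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample names: the challenge-style ".  ", two ordinary
        # files, and a name hiding a backspace character.
        for name in (".  ", "notes.txt", ".bashrc", "report\x08.txt"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("constructed sample\n")
        return deceptive_names(tmp)


if __name__ == "__main__":
    for shown, reasons in demo():
        print(shown, "->", ", ".join(reasons))
```

Ordinary dotfiles such as .bashrc are not flagged; only names that would be misread in plain ls output are reported.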