
[PicoCTF 2018] - misc - Miscellaneous : Small tasks

This is one of my writeups for PicoCTF 2018

I'm collecting solutions to small tasks in the "Miscellaneous" category here, since they are too short to warrant individual posts.

General Warmup 1


If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?


We could check the ASCII table or just use python :

>>> chr(0x41)

The flag is picoCTF{A}

General Warmup 2


Can you convert the number 27 (base 10) to binary (base 2)?


We could do this by hand, or use python too !

>>> bin(27)

Removing the 0b prefix, our flag is picoCTF{11011}.

General Warmup 3


What is 0x3D (base 16) in decimal (base 10).


Same as above, let's use python :

>>> int(0x3D)

Flag : picoCTF{61}


We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag!

Just grab the flag from the bottom of the page : picoCTF{xiexie_ni_lai_zheli}

Grep 1


Can you find the flag in file ? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_1_35b9930ca897512a4d00b43d26eac73d on the shell server.

Hint :

  1. grep tutorial


We know the flag format, so we can just grep for that :

grep 'picoCTF{.*}' file

The flag is returned : picoCTF{grep_and_you_will_find_c709fa94}

Net Cat


Using netcat (nc) will be a necessity throughout your adventure. Can you connect to at port 22847 to get the flag?

Hint :

  1. nc tutorial


Just run nc 22847 to get the flag : picoCTF{NEtcat_iS_a_NEcESSiTy_69222dcc}.



Can you find the flag in this file without actually running it? You can also find the file in /problems/strings_1_c7bac958dd6a4b695dc72446d8014f59 on the shell server.


The task name is also its solution : run strings on the file and filter the output with grep to get the flag :

strings strings | grep "picoCTF{.*}"




During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 44310.

Hints :

  1. Remember the flag format is picoCTF{XXXX}
  2. Ever heard of a pipe? No not that kind of pipe... This kind


We need to pipe the output of netcat to grep:

nc 44310 | grep "picoCTF{.*}"

and the flag is printed : picoCTF{almost_like_mario_a13e5b27}

Grep 2


This one is a little bit harder. Can you find the flag in /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files on the shell server? Remember, grep is your friend.

Hint :

grep tutorial


This time we need to grep through several files scattered in different subdirectories. The -R option is meant for that :

grep -R "picoCTF{.*}" /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files

Gets us another flag : picoCTF{grep_r_and_you_will_find_556620f7}
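The grep-based tasks above (Grep 1, Strings, the piped netcat output and Grep 2) all rely on the same search, so here is an added example, not part of the original writeup, that generalizes it into one recursive extractor. The function names, the sample tree and the flag values are constructed for illustration.

```shell
#!/bin/sh
# find_flags DIR: print each distinct picoCTF{...} token found anywhere under DIR.
find_flags() {
    # -r  recurse into subdirectories (what Grep 2 needs)
    # -a  treat binary files as text (covers the Strings task without strings)
    # -o  print only the matching part, not the whole line
    # -h  omit file names from the output
    # [^}]* stops at the first closing brace; the greedy .* would run on to
    # the last "}" on the line and drag unrelated text into the match.
    LC_ALL=C grep -raohE 'picoCTF\{[^}]*\}' "$1" | LC_ALL=C sort -u
}

# make_sample: build a constructed directory tree holding one flag in a text
# file and one inside binary data, then print the path of the tree.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/a/b" "$d/c"
    printf 'noise\nprefix picoCTF{constructed_text_flag} suffix {more}\n' \
        > "$d/a/b/notes.txt"
    printf '\000\001\002picoCTF{constructed_binary_flag}\000\377' \
        > "$d/c/blob.bin"
    printf 'nothing here\n' > "$d/c/empty.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample)
find_flags "$sample"
rm -rf -- "$sample"
```

The same pattern works on a stream, for instance by piping the netcat output into grep -aoE with the identical expression.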



It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with nc 42334.


When we connect, we're presented with a limited shell and a series of prompts, each a small subtask that tests knowledge of basic Linux commands :

If you need help, type "echo 'Help Me!'" and I'll see what I can do
> echo 'Help Me!'
You got this! Have you looked for any  directories?
> ls
> cd secret
Now we are cookin'! Take a look around there and tell me what you find!
> ls
Sabatoge them! Get rid of all their intel files!
> rm intel*
Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!
> echo 'Drop it in!'
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!
> cd ..
> cd executables
> ls
> ./dontLookHere
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
> whoami
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.
> cd ..
> cp /tmp/TopSecret passwords/
Server shutdown in 10 seconds...
Quick! go read the file before we lose our connection!
> cd passwords
>  cat TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.



Sometimes you have to configure environment variables before executing a program. Can you find the flag we've hidden in an environment variable on the shell server?

Hint :

  1. unix env


On the server, grep through the env output for the flag :

env | grep "picoCTF{.*}"




As nice as it is to use our webshell, sometimes it's helpful to connect directly to our machine. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. The flag is in the ssh banner which will be displayed when you login remotely with ssh to with your username.

Hints :

  1. key generation tutorial
  2. We also have an expert demonstrator to help you along. link


The linked video details the steps to take. I used ssh-copy-id to install the key a bit faster (on macOS, ssh-copy-id is available via Homebrew).

Once the key is installed, ssh to the server to display the flag : picoCTF{who_n33ds_p4ssw0rds_38dj21}.

What base is this ?


To be successful on your mission, you must be able to read data represented in different ways, such as hexadecimal or binary. Can you get the flag from this program to prove you are ready? Connect with nc 31711.

Hints :

  1. I hear python is a good means (among many) to convert things.
  2. It might help to have multiple windows open


We are presented with three different representations of words and must decode each of them within 30 seconds. The first value is presented in binary (base 2), the second one as hexadecimal (base 16) bytes and the third one in octal (base 8).

I made a quick python script and manually called the functions in an IPython shell :

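def step1(input_):
    # Space-separated binary values, one per character
    binchars = input_.split()
    return ''.join(chr(int(c, 2)) for c in binchars)

def step2(input_):
    # Continuous hex string: decode two hex digits (one byte) at a time
    out = []
    string = str(input_)
    for index in range(0, len(string), 2):
        byte = string[index:index+2]
        integer = int(byte, 16)
        character = chr(integer)
        out.append(character)
    return ''.join(out)

def step3(input_):
    # Space-separated octal values, one per character
    return ''.join(chr(int(i, 8)) for i in input_.split())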

After converting the values and passing them back to the server, we obtain the flag : picoCTF{delusions_about_finding_values_68051dea}

You Can't See Me


'...reading transmission... Y.O.U. .C.A.N.'.T. .S.E.E. .M.E. ...transmission ended...' Maybe something lies in /problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa.

Hints :

  1. What command can see/read files?
  2. What's in the manual page of ls?


The directory appears empty when first running ls, so we can use the -a flag to show hidden files (any files whose name starts with a .). When we do, three entries are shown : . and .. (pseudo-directories pointing to the current and parent directories) and a third entry, a file that seems to be called "." as well.

It can't just be called . though, as that would conflict with the . that represents the current working directory. So I tried :

ls -a | awk '{print "\""$0"\""}'

This uses awk to echo the output surrounded with double quotes. When we do this, we can see that the file's name is actually ".  " (a dot followed by two spaces). We can get the flag by running cat ".  " (the quotes will prevent the trailing spaces from being stripped) :
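As an added example (not part of the original writeup), the script below does the same check without awk: it lists every entry of a directory inside brackets and can filter for names that begin or end with a space or tab, which is how this file hides in plain ls output. The function names, the sample directory and the flag value are constructed for illustration.

```shell
#!/bin/sh
# list_entries DIR [odd]: print every entry of DIR, dotfiles included, wrapped
# in [ ] so blanks at either end of a name are visible. With "odd", print only
# the names that start or end with a space or a tab.
list_entries() {
    dir=$1 mode=${2:-all} tab=$(printf '\t')
    # Three globs: ordinary names, dotfiles, and names starting with "..".
    # "." and ".." themselves are never matched.
    for p in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # an unmatched glob stays literal
        name=${p##*/}
        if [ "$mode" = odd ]; then
            case $name in
                " "*|*" "|"$tab"*|*"$tab") ;;    # blank at either end: keep
                *) continue ;;
            esac
        fi
        printf '[%s]\n' "$name"
    done
}

# make_sample: constructed directory with a file named dot-space-space, as in
# the task, plus a few unremarkable neighbours. Prints the directory path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'picoCTF{constructed_example_flag}\n' > "$d/.  "
    : > "$d/.profile"
    : > "$d/notes.txt"
    : > "$d/report.txt "
    printf '%s\n' "$d"
}

sample=$(make_sample)
ls "$sample"                  # plain ls: the dotfiles are not shown at all
list_entries "$sample" odd    # only the names with blanks at either end
cat -- "$sample/.  "          # quoting keeps the two trailing spaces
rm -rf -- "$sample"
```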