PicoCTF - 2014
#1
Hey everyone.

I was just going to walk through a bunch of the questions.
I will be posting these in sets of 5 and using https://picoctf.com/problems to give me the problems without the stupid flash game..

P.S. I dun goofed formatting, and in fixing it lost the links.
If you are following along you should have the links anyway.

1 ) Tyrannosaurus Hex - 10

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x4ce340b9 scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? (Press the Hint button for advice on solving the challenge)

Obviously this is a simple hex to decimal conversion

0x4ce340b9 = 1289961657


2 ) No Comment - 20

The CD you find has a copy of your father's website:
homepage.html.
Maybe something is hidden in the site...


This level is generated per user so you can't just use my answer

If you look at the source of the homepage site (right click on the page and go view page source) you will see the following line..
<!-- In case you forget, the password for this site is: flag_06604a8711588ecdf8da74075b9d0e915f4598e5 -->


Obviously "flag_06604a8711588ecdf8da74075b9d0e915f4598e5" is the flag



3 ) Common Vulnerability Exercise - 20
This disc is encrypted. The surprisingly elaborate password hint refers to "the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec". If you found this "CVE-ID" thingy, it'd probably be the password.


This level looks like it could be very difficult but is actually really simple.
All we need to do is find the Firefox CVE.
There are sites which keep track of them.
The following site lists all the Firefox CVE's for 2014:
http://www.cvedetails.com/vulnerability-...refox.html

Looking through the page you will find "CVE-2014-1542", which matches the description of what we're looking for and is thus our flag.


4 ) Caesar - 20
You find an encrypted message written on the documents. Can you decrypt it? encrypted.txt

Once again this level is generated per user, so no copy-pasta


So obviously this is a caesar cipher challenge.
The encrypted.txt file gives me this "cqnbnlancyjbbyqajbnrbsijzzolecrkoegormqivmuusqmirek"

There are many caesar cipher decrypters online; many have a 'guess' or 'solve' function, which uses character frequency to guess how many shifts the text has been rotated by.

I am using http://www.xarg.org/tools/caesar-cipher/
Using 'guess' it gives the text "thesecretpassphraseisjzaqqfcvtibfvxfidhzmdlljhdzivb"
with my flag being  "jzaqqfcvtibfvxfidhzmdlljhdzivb"


5 ) The Valley of Fear - 20
The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)


This is a tricky challenge, however when looking at it I suddenly remembered a method of hiding passwords in common books.
The numbers correlate to paragraph, line, word

Looking up each word gives "the flag is Ceremonial plates."
So the flag is "Ceremonial plates."


6 ) Internet Inspection - 30
On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?

This is another dynamically generated challenge

This one is pretty easy.
It uses JS to write to the page after loading, then places an image over the top, then CSS to blur out the text.
HOWEVER the original text is still in the rendered html.

All modern browsers (except IE) have developers tools which allow you to view and modify the current page.
If we right click on the checkered image and go inspect element (in chrome) it will open up the inspection panel.
If we expand the <div class="row"> element, and then <table class="rounded" id="content-table"> and after the <tbody> and the <tr id="contents"> elements we will see:

<tr id="contents">
   <td>7/21/2014</td>
   <td>Dr. Claudio Drake</td>
   <td>Towards developing the next generation of robotic assistants for cardiovascular surgery</td>
   <td>flag_1aaa91858357a5fba496c3b44b066a85c348ac91</td>
</tr>

Giving us the flag "flag_1aaa91858357a5fba496c3b44b066a85c348ac91"



7 ) Pickle Jar - 30
The police station offers free pickles to police officers. However, someone stole the pickles from the pickle jar! You find a clue on a USB drive left at the scene of the crime.


This gives a jar file.
If we open this with the extremely handy JD-GUI or fernflower we can decompile this (I fucking love virtualised languages)

However, this leads to nothing, but we do see that there is a pickle.p file in the jar..
Since Jar files are just special Zip files we can simply extract it and look at that file.
"S'YOUSTOLETHEPICKLES'
p0
."

Looking at that I suspect "YOUSTOLETHEPICKLES" is the flag
Submitting that we can see that we are right!


8 ) RoboPhoto - 30
Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?


The link takes us to an obscure image.
Since I am using chrome I can right click on the image and reverse image search.
This leads us to a wikipedia page named "The Positronic Man"
Which is the flag for this challenge


9 ) Grep is Still Your Friend - 40
The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys .


This challenge would be very simple to people who have a lot of linux knowledge
You need to use grep to search through the files and find the key.
Since I am currently running OSX I will use the native SSH client, however you may want to use the client at https://picoctf.com/shell

Using "grep "text string to search" directory-path" we can find the lines and files which contain certain text

running "grep "daedaluscorp.txt.enc" /problems/grepfriend/keys"
gives:
daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6

Giving us the flag "b2bee8664b754d0c85c4c0303134bca6"


10 ) Javascrypt - 40
Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?


YAY Client-side javascript encryption :D
This one is super simple.
If you look through the page source you will see the following:
" var key; // Global variable.
           
           // Since the key is generated when the page
           // is loaded, no one will be able to steal it
           // by looking at the source! This must be secure!"

Yeah no.
If we open the javascript console in chrome and type "key" and press enter it tells us the value of key is "flag_4818"

Giving us our flag for this level. Yay for client side encryption ;D


11 ) Easy Overflow - 40
Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.


For this all you need to do is overflow an int into being a negative.
A 4 byte int has a max signed size of 2147483647.
If you add any more to this number it will overflow into a negative.

when running the netcat connect you connect to a java service which gives you a number.
My number was 3171933
To win this flag you need to enter a number below the max size of an int, but which when added together is larger than the max int. An easy choice would be max int, but you do not have to..

I entered 2144313051 into netcat. (2147483647 - 3171933 + 1337)
and it returned "Congratulations! The sum is -2147482312. Here is the flag: That_was_easssy!"


12 ) ZOR - 50
Daedalus has encrypted their blueprints! Can you get us the password?
ZOR.py
encrypted

This is the first challenge I had to write code for

If we look at how they encrypt:
Code:
def encrypt(input_data, password):
   key = 0
   for ch in password:
       key ^= ((2 * ord(ch) + 3) & 0xff)

   return xor(input_data, key)
The key is a number. They multiply the ASCII value of the character by 2, then add 3, and AND it with 0xff.
It is XOR'ed against the current value.
This gives a total of 255 possible values for the key, which can be easily bruteforced..

SO if we modify the ZOR.py, removing all the methods we do not need, and then add a loop calling the method xor on all possible values, and then printing out the output.

I ended up with the following code:
Code:
#!/usr/bin/env python3


def xor(input_data, key):
    # XOR every byte of the ciphertext with the single-byte key
    return bytes(b ^ key for b in input_data)


def main():
    # Read as bytes: the encrypted file is binary, text mode would fail to decode it
    input_data = open("encrypted", "rb").read()
    # The key is built from values in 0..255, so try every candidate
    for i in range(256):
        result = xor(input_data, i)
        # Undecodable bytes are replaced so a wrong key does not abort the run
        print(str(i) + ": " + result.decode("ascii", errors="replace"))


main()

Running this I got quite a large output. Skimming through this you will see the following line, containing our flag.

"152: This message is for Daedalus Corporation only. Our blueprints for the Cyborg are protected with a password. That password is c23dc9535d5e04ef133b8dc4e5bc76"


13 ) Substitution - 50
There's an authorization code for some Thyrin Labs information here, along with someone's favorite song. But it's been encrypted! Find the authorization code.
encrypted.txt

This one is quite time consuming.

You're given a large encrypted text file, which has the key along with an encrypted song.

I started by writing out a table of a-z and then below it what I worked out an encrypted letter was.

By looking at the text you can kind of see that the first line is
the ************** **** is *******************

so you mark those down, and then above each line write what the unencrypted letter is.

As you keep going you will work out letters based on frequency and placing in a word.

I ended up with the table:
[Image: T1X88cA.png]

and then text:
[Image: 8Y4oPY4.png]

Giving the flag "illmakeamanoutofyou"


14 ) Basic ASM - 60
We found this program snippet.txt, but we're having some trouble figuring it out. What's the value of %eax when the last instruction (the NOP) runs?


YAY x86 ASM

I did this by hand, writing the values of the register next to the command

Using an image instead of aligning shit here.

[Image: uipmSEg.png]
This gives a flag of "54078007"


15 ) Spoof Proof - 60
The police have retrieved a network trace of some suspicious activity. Most of the traffic is users viewing their own profiles on a social networking website, but one of the users on the network downloaded a file from the Thyrin Labs VPN and spoofed their IP address in order to hide their identity. Can you figure out the last name of person that accessed the Thyrin files, and the two source IP addresses they used?
[Example valid flag format: "davis,192.168.50.6,192.168.50.7"]

PCAP file available here. You can also view it on CloudShark


I haven't installed wireshark on this laptop yet, so I am going to use the cloudshark version.
If you look at the packet dump you will see:
SRC                 DEST                INFO
192.168.50.4   192.168.50.10   GET /secretfile.txt HTTP/1.1

If you click that packet, then expand Ethernet II you can see the source Mac address 08:00:27:2b:f7:02

We can now apply the filter "eth.addr ==  08:00:27:2b:f7:02"
This shows us any packets sent to or from a network adapter with the MAC address 08:00:27:2b:f7:02

In those requests you will see a GET /john.johnson giving the person's name
and the two IP addresses he used: 192.168.50.3, 192.168.50.4

Giving us the flag "johnson,192.168.50.3,192.168.50.4"




16 ) Redacted - 50
You found a letter that may shed light on recent events.


Since I am using a Mac I had a little trouble extracting the pdf using tools on the laptop..

However I found a handy website (http://www.extractpdf.com)
If you extract the pdf you will see that the redacted marks were images on top of a background image.
Allowing you to get the non-redacted image.

Giving us a flag of "one_two_three_four"



17 ) Toaster Control - 50
Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...


If you look at the page source, you will see a jquery method doing a get request to url + handler.php?action=

If we url encode "Shutdown & Turn Off" we get Shutdown%20%26%20Turn%20Off
then browse to "http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off"

we get a webpage which contains "Shutdown code: flag_c49bdkeekr5zqgvc20vc"



18 ) This is the Endian - 40
This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".


This one is super simple.
You need to write some input that will pass the check
You're told the two checks it makes "if(answer[0] == 0x52657663 && answer[1] == 0x30646521)"

The UI gives you a super simple way to write this, and it'll convert it to ASCII for you.
If you fill in the boxes it like so:
[Image: fgwHYee.png]

It tells you your input is "cveR!ed0"
You can use the shell below to test this is correct.

Giving you your flag of "cveR!ed0"


19 ) Intercepted Post - 40
We intercepted some of your Dad's web activity. Can you get a password from his traffic?. You can also view the traffic on CloudShark.


If you look through the packet dump you will see a POST to /login/, with an acknowledgement saying they have logged in.
If you click the TCP segment below the request you can see the POST data.
"username=claudio&password=flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D"

If we urldecode the password we get "flag{pl$_$$l_y0ur_l0g1n_form$}"
Giving us the flag "pl$_$$l_y0ur_l0g1n_form$"


20 ) Delicious! - 60
You have found the administrative control panel for the Daedalus Corporation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?


When we load the page we are given the number "67"
If you open the browsers developer tools we can see this is set in the cookies.

We can use the javascript console to change this value..
using 'document.cookie="session_id=1";'
To set the value to 1, and then reloading the page we get a message saying that we need to re-login.

If we set the cookie to 65 and reload we get a message saying
"You're logged in as Dr. Florian Richards. Today's secret Daedalus code is: session_cookies_are_the_most_delicious"

Giving us our flag :D
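The Caesar level above was solved with an online 'guess' button. As an added example that is not part of the post, here is a small solver in Python: it tries all 26 shifts and scores each candidate, but instead of the letter-frequency method the post mentions it uses a short crib list of English words (a technique I am swapping in, since short pass-phrase lines give noisy frequency counts). CIPHERTEXT is the author's per-user ciphertext quoted in the post; CRIB_WORDS and the "thesecretpassphraseis" preamble are my own assumptions about the challenge layout.

```python
import string

# Ciphertext quoted in the post above (the level is per-user, so yours will differ).
CIPHERTEXT = "cqnbnlancyjbbyqajbnrbsijzzolecrkoegormqivmuusqmirek"

# Crib list (an assumption): English words a CTF pass-phrase line is likely to contain.
# A candidate decryption is scored by the total length of crib words found in it.
CRIB_WORDS = ("the", "and", "for", "with", "this", "that",
              "secret", "pass", "phrase", "flag", "key", "code")


def caesar_shift(text, shift):
    """Rotate every ASCII letter by `shift` positions; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def crib_score(text):
    """Sum of crib-word lengths over every occurrence of a crib word in the text."""
    lowered = text.lower()
    return sum(lowered.count(word) * len(word) for word in CRIB_WORDS)


def guess_caesar(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the best-scoring candidate."""
    candidates = {k: caesar_shift(ciphertext, -k) for k in range(26)}
    best = max(candidates, key=lambda k: crib_score(candidates[k]))
    return best, candidates[best]


def extract_flag(plaintext, preamble="thesecretpassphraseis"):
    """Strip the fixed preamble the level prepends (assumed layout); the rest is the flag."""
    if not plaintext.startswith(preamble):
        raise ValueError("unexpected plaintext layout: " + plaintext)
    return plaintext[len(preamble):]


if __name__ == "__main__":
    shift, plain = guess_caesar(CIPHERTEXT)
    print("shift", shift, "->", plain)
    print("flag:", extract_flag(plain))
```

For this ciphertext the scorer lands on shift 9, which is the only shift at which "the", "secret", "pass" and "phrase" all appear; every other shift scores zero. With a longer, more natural text a chi-squared comparison against English letter frequencies would do the same job, which is what the online tool's 'guess' button does.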
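Two of the levels above (Easy Overflow and This is the Endian) come down to how a 32-bit integer is represented. The following is an added example, not code from the post or from picoCTF: it models the Java service's wrapping addition in Python, computes the smallest addend that tips a given number negative, and packs the two constants from the endianness check as little-endian words to recover the "cveR!ed0" input. The numbers 3171933 and 2144313051 are the ones the author reports; everything else is standard two's-complement arithmetic.

```python
import struct

INT32_MAX = 2**31 - 1      # 2147483647, the bound the post quotes
INT32_MIN = -2**31


def wrap_int32(value):
    """Value a Java/C signed 32-bit int holds after arithmetic wraps (two's complement)."""
    return (value + 2**31) % 2**32 - 2**31


def java_int_sum(a, b):
    """What the challenge's Java service computes for a + b."""
    return wrap_int32(a + b)


def smallest_wrapping_addend(server_number):
    """Smallest positive x such that server_number + x is negative in 32-bit arithmetic."""
    return INT32_MAX - server_number + 1


def little_endian_words(*words):
    """Bytes a little-endian program must read so that answer[i] == words[i] for 32-bit ints.
    '<' selects little-endian byte order, 'I' a 4-byte unsigned int."""
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    # Values from the post: the service handed out 3171933 and the author sent 2144313051.
    print(java_int_sum(3171933, 2144313051))             # -2147482312
    print(smallest_wrapping_addend(3171933))             # 2144311715
    print(little_endian_words(0x52657663, 0x30646521))   # b'cveR!ed0'
```

Note that the author's choice (max int minus the server number plus 1337) is one of many: anything from smallest_wrapping_addend(n) up to INT32_MAX wraps negative, and the post's reported sum of -2147482312 is exactly wrap_int32(3171933 + 2144313051).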
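The Spoof Proof level is solved by hand in CloudShark, but the same reasoning (one MAC address sending traffic under two source IPs is the spoofing signature) is easy to turn into detection logic. The block below is an added example, not part of the post: it runs over a constructed list of packet summaries in the shape of the columns the author reads off the trace. The MAC address, the two spoofed IPs, the destination and the two request paths are the ones the post names; the second host (alice.smith on 192.168.50.5) is invented as a well-behaved control, and the profile-path heuristic is my assumption about the site's URL layout.

```python
import re
from collections import defaultdict

# Constructed packet summaries (source MAC, source IP, destination IP, HTTP request line).
# Not the real capture: values from the post plus one invented, well-behaved host.
SAMPLE_PACKETS = [
    ("08:00:27:aa:bb:cc", "192.168.50.5", "192.168.50.10", "GET /alice.smith HTTP/1.1"),
    ("08:00:27:2b:f7:02", "192.168.50.3", "192.168.50.10", "GET /john.johnson HTTP/1.1"),
    ("08:00:27:aa:bb:cc", "192.168.50.5", "192.168.50.10", "GET /alice.smith HTTP/1.1"),
    ("08:00:27:2b:f7:02", "192.168.50.4", "192.168.50.10", "GET /secretfile.txt HTTP/1.1"),
]

# Assumption: profile pages look like /first.last; a path with a file extension is a download.
PROFILE_RE = re.compile(r"^/([a-z]+)\.([a-z]+)$")
FILE_EXTENSIONS = {"txt", "html", "js", "css", "png", "jpg", "pdf"}


def ips_by_mac(packets):
    """Map each source MAC to the set of source IPs it has claimed."""
    table = defaultdict(set)
    for mac, src_ip, _dst_ip, _request in packets:
        table[mac].add(src_ip)
    return dict(table)


def spoofing_macs(packets):
    """MACs that sent traffic under more than one source IP: the spoofing signature."""
    return {mac: sorted(ips) for mac, ips in ips_by_mac(packets).items() if len(ips) > 1}


def last_name_for_mac(packets, mac):
    """Last name from the /first.last profile page fetched by this MAC, if any."""
    for m, _ip, _dst, request in packets:
        if m != mac:
            continue
        path = request.split()[1]
        match = PROFILE_RE.match(path)
        if match and match.group(2) not in FILE_EXTENSIONS:
            return match.group(2)
    return None


def who_downloaded(packets, filename):
    """MAC that requested the given file; None if nobody did."""
    for mac, _ip, _dst, request in packets:
        if request.split()[1] == "/" + filename:
            return mac
    return None


def build_flag(packets, filename="secretfile.txt"):
    """Answer in the level's "lastname,ip1,ip2" format for whoever fetched the file."""
    mac = who_downloaded(packets, filename)
    name = last_name_for_mac(packets, mac) or "unknown"
    return ",".join([name] + spoofing_macs(packets).get(mac, []))


if __name__ == "__main__":
    print(spoofing_macs(SAMPLE_PACKETS))
    print(build_flag(SAMPLE_PACKETS))   # johnson,192.168.50.3,192.168.50.4
```

The same MAC-to-IP table is what the Wireshark filter "eth.addr == 08:00:27:2b:f7:02" gives you by hand; building it for every MAC at once is how you would spot the anomaly in a trace you had no prior hint about.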
#2
21 ) Supercow - 40
Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?


The supercow application executes with the permissions of who created it, not who is running it.
It also only allows the reading of files which have a .cow extension

What we need to do is make a symbolic link between the flag.txt and {anything}.cow

The only problem is we need a directory we can write to.
Luckily we have /tmp/ which has write but no read permissions (to stop you from leeching other peoples solutions..)

So we can run a few commands to get our flags
Code:
mkdir /tmp/thebytecodeclub
ln -s /home/daedalus/flag.txt /tmp/thebytecodeclub/flag.cow
/home/daedalus/supercow /tmp/thebytecodeclub/flag.cow


Which will output
 ___________________________
< cows_drive_mooooving_vans >
 ---------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Giving us another flag :D


22 ) Write Right - 50
Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.




If you wish to work on the harder problems with me, I will be on the IRC channel while solving them
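The Supercow trick works because the privileged reader checks the file name's extension but follows the symlink to whatever the name points at. As an added example that is not part of the post or of the challenge, here is how a reader of that kind should open files: resolve the real path and require it to stay under the allowed directory, re-check the extension on the resolved target, open with O_NOFOLLOW so a last-component symlink fails outright, and confirm the descriptor is a regular file. The demo() function builds a throwaway directory layout (constructed files, not the challenge's) with the exact trick from the post and shows it being refused.

```python
import os
import stat
import tempfile


def read_cow_file(path, allowed_dir, limit=1 << 16):
    """Read a .cow file the way a privileged printer should: only real files under
    allowed_dir, never following a symbolic link in the final path component."""
    if not path.endswith(".cow"):
        raise ValueError("only .cow files may be printed")
    real = os.path.realpath(path)          # follows every link, so we see the true target
    root = os.path.realpath(allowed_dir)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError("%s resolves outside %s" % (path, root))
    if not real.endswith(".cow"):
        raise PermissionError("%s is a link to a non-.cow file" % path)
    # O_NOFOLLOW (POSIX) makes open() fail if the last component is a symlink, which
    # closes the race between the checks above and the actual open.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("%s is not a regular file" % path)
        return os.read(fd, limit).decode("utf-8", errors="replace")
    finally:
        os.close(fd)


def demo():
    """Constructed layout: a legitimate .cow file, a secret outside the cow directory,
    and the post's trick (a symlink named *.cow pointing at the secret).
    Returns what the hardened reader did with each."""
    with tempfile.TemporaryDirectory() as tmp:
        cows = os.path.join(tmp, "cows")
        os.mkdir(cows)
        secret = os.path.join(tmp, "flag.txt")
        with open(secret, "w") as f:
            f.write("constructed_secret_value\n")
        legit = os.path.join(cows, "hello.cow")
        with open(legit, "w") as f:
            f.write("moo\n")
        link = os.path.join(cows, "flag.cow")
        os.symlink(secret, link)

        results = {"legit": read_cow_file(legit, cows)}
        for label, target in (("symlink", link), ("plain_secret", secret)):
            try:
                read_cow_file(target, cows)
                results[label] = "ALLOWED"
            except (ValueError, OSError) as exc:   # PermissionError is an OSError
                results[label] = "blocked: " + exc.__class__.__name__
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome.strip())
```

The realpath check alone already defeats the symlink in the post, since /tmp/.../flag.cow resolves to /home/daedalus/flag.txt, which is outside the cow directory; O_NOFOLLOW and the fstat check are there so a link swapped in between the check and the open does not slip through.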
#3
Very sexy! I briefly skimmed over this and it looks pretty solid, great work.