Challenge: Super SSH | Category: General Skills | Points [25]
Here, we’ll just use ssh to connect to the challenge terminal, using the following syntax.
ssh <user-name>@<host> -p <port-number>
Easy-peasy.
Challenge: Commitment Issues | Category: General Skills | Points [50]
Here we’re given a zip file containing a git repository, we can tell from the hints this is git related.
Let’s check out the message…
Intuitively, it seems that this file originally might’ve included something that was edited/removed, and since this is a git environment, we can check the history.
I just moved to the folder and used the git show command, which shows me the edit history of the message. You can see the lines prefixed with a minus sign (-) for a/message.txt and a plus sign (+) for b/message.txt, which document the difference between the original text file containing the flag and the new one containing what we found.
Some git basics right here.
Challenge: Time Machine | Category: General Skills | Points [50]
Here we’re given another git repository, but with a different challenge.
Here, we have the same message.txt, which hints that we should check the commit history. We can do that with “git log”, which shows the history of changes made to the repo. When you save a change in a git repo, you have to add a message to the commit in which you made the change, so others have a reference for what you did. And here that message is the flag.
Challenge: Blame Game | Category: General Skills | Points [75]
Here there’s a message.py file with an incomplete print statement.
Same idea here, but the difference is that if we try to view the change log, we get this spaghetti.
Too many to look at manually. We need to heed the hint’s advice and look only at the changes made to the message.py file to speed up the process. I asked GPT because I had trouble finding a command to show all changes in one place, and instead found this helpful command (the -p flag stands for patch):
git log -p <file>
Challenge: Collaborative Development | Category: General Skills | Points [75]
We get another git repo as usual, when we check it out, there’s a flag.py file.
We want to check all available branches here, as per the hint.
As you can see there are three distinct ordered feature branches, these branches probably need to be concatenated to give us our flag.
In this context, I use the checkout command to switch to each branch and print that part of the flag; we do this for the 3 feature branches and copy each part of the flag. Not sure if there’s a way to do this all in one step, but I will investigate later, as there is no time and I’m trying to solve as much as I can in such a tight timeframe.
Challenge: binhexa | Category: General Skills | Points [100]
This challenge is pretty fun to practice logical operators and binary operations.
We use nc (netcat) to connect to the challenge server on the given port using the provided syntax. Here I used the embedded picoCTF webshell, which you can log into using your credentials.
In each instance these two numbers change, but the point is to answer 6 questions and then provide the last answer’s value in hexadecimal to get our flag.
Let’s go over these.
(Q) 1/6
The AND (&) operator produces an output of 1 only when both input bits are 1, and 0 in any other case. Here’s its truth table for reference.
(Q) 2/6
Here we’re asked to add both numbers.
Quick reminder: in binary addition, if we’re adding two 1’s, the result bit is 0 and we carry a 1. If we’re adding two 1’s and there’s already a carried 1, the result bit is 1 and we still carry a 1 to the next position.
(Q) 3/6
Here we’re asked to left shift (<<) the first number. First, here’s a primer on left shift operator, which basically moves the bits to the left, effectively multiplying the number by 2 each time we shift it.
Let’s do this.
If you notice in the above screenshot, I first discarded the left-most bit and appended a 0 at the end, but it was not accepted. This means the question wants the number expanded (a 9-bit result), not truncated to 8 bits.
Three down, three to go.
(Q) 4/6
We’re asked to multiply both numbers here. We now know that the answer can be of any size, not strictly 8-bits. For this one, we will just convert the numbers to decimal format, multiply them and then revert them to binary representation. Let’s do it in python, just because we can.
Let’s break it down. The first step is to store each number in a variable as a string. Then I use the int() function, providing the number and then its base (in this case 2 because it’s binary, and we want it in decimal). Now we have the decimal representation in a1/b1; we multiply them and store the result in result. We can see the result is a big number in decimal, and now we just need it back in binary to submit. Here bin() converts the number to binary, and [2:] means start from the third character (since we start counting from 0, so 0–1–2). We do this because otherwise the output would include the 0b prefix indicating this is a binary number.
(Q) 5/6
Here we’re asked to use the OR (|) operator, which produces an output of 1 when one or both of the input bits is 1. So if there’s a 1 in either position you can immediately put a 1 in the result. Here’s the truth table for reference.
Now let’s get it.
(Q) 6/6
Here, we’re asked to right shift (>>) the 2nd number.
So we’ll do the following.
In this case, the right-most bit is discarded and a 0 is appended at the left-most position.
Finally, we’re asked to enter the hexadecimal representation of this answer to reveal the flag, we’ll do it using python on-the-fly.
Here, we convert the binary number to an int and then convert it to hex. The last line shows what it looks like when we use [2:] to discard the 0x prefix.
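The whole binhexa sequence worked in Python, as an added example that is not the writeup’s own code. The two 8-bit inputs below are constructed (the server picks different ones per session), and the shift and multiply answers are left unpadded, which is what the checker wanted in Q3.

```python
# Added example (not from the writeup): the six binhexa operations in Python,
# followed by the hex conversion of the last answer.
N1 = "10110101"   # constructed sample input, 181 in decimal
N2 = "01101010"   # constructed sample input, 106 in decimal


def to_int(b: str) -> int:
    """Parse a binary string; the base argument 2 tells int() how to read it."""
    return int(b, 2)


def to_bin(n: int) -> str:
    """bin() prefixes '0b'; [2:] drops it. The result is NOT padded or
    truncated to 8 bits, so shifts and products come out 'expanded'."""
    return bin(n)[2:]


def q1_and(a: str, b: str) -> str:      # 1 only where both bits are 1
    return to_bin(to_int(a) & to_int(b))


def q2_add(a: str, b: str) -> str:      # binary addition with carries
    return to_bin(to_int(a) + to_int(b))


def q3_lshift(a: str, k: int = 1) -> str:   # grows by k bits, nothing discarded
    return to_bin(to_int(a) << k)


def q4_mul(a: str, b: str) -> str:      # answer can be much wider than 8 bits
    return to_bin(to_int(a) * to_int(b))


def q5_or(a: str, b: str) -> str:       # 1 where either bit is 1
    return to_bin(to_int(a) | to_int(b))


def q6_rshift(b: str, k: int = 1) -> str:   # right-most bit(s) dropped
    return to_bin(to_int(b) >> k)


def final_hex(b: str) -> str:           # hex() gives '0x..'; [2:] strips it
    return hex(to_int(b))[2:]


def solve(a: str = N1, b: str = N2) -> dict:
    """Answer all six questions and the closing hex prompt in order."""
    answers = {"1/6 AND": q1_and(a, b), "2/6 ADD": q2_add(a, b),
               "3/6 LSHIFT": q3_lshift(a), "4/6 MUL": q4_mul(a, b),
               "5/6 OR": q5_or(a, b), "6/6 RSHIFT": q6_rshift(b)}
    answers["final hex"] = final_hex(answers["6/6 RSHIFT"])
    return answers


if __name__ == "__main__":
    for question, answer in solve().items():
        print(question, answer)
```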
Challenge: Binary Search | Category: General Skills | Points [100]
This one was so much fun, as it was a practical application of mental math on the fly. Let’s give it a try. I downloaded the challenge.zip and found a .sh file that contains the program. Here’s what it looks like.
So basically we’re going to have 10 guesses and the number is between 1–1000, each time we guess we’re told whether the answer’s higher or lower than the given number.
I will do this through pico WebShell, connect to the challenge and let’s get cracking.
For this challenge, it really is a guessing game. However, the concept is to start with the middle number: the first try is always 500, to know which half we should be looking at. From there, it’s just a matter of halving whichever range remains, up or down.
Read more about binary search if you’re unfamiliar here.
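The halving strategy written out in Python, as an added example that is not the challenge’s own .sh script. It plays against a simulated oracle and counts guesses, which confirms that 10 guesses are always enough for 1–1000 (the interval is 1000, 500, 250, 125, 62, 31, 15, 7, 3, 1 at each guess).

```python
# Added example (not from the challenge): binary search against a simulated
# "Higher"/"Lower" oracle, with a guess counter to check the 10-guess budget.

def binary_search_guess(oracle, low=1, high=1000):
    """oracle(guess) returns 'Higher', 'Lower' or 'Correct'.
    Returns (secret, number_of_guesses)."""
    guesses = 0
    while low <= high:
        mid = (low + high) // 2          # 500 on the first try for 1..1000
        guesses += 1
        verdict = oracle(mid)
        if verdict == "Correct":
            return mid, guesses
        if verdict == "Higher":          # secret is above the guess
            low = mid + 1
        else:                            # "Lower": secret is below the guess
            high = mid - 1
    raise ValueError("oracle gave inconsistent answers")


def make_oracle(secret):
    """Constructed stand-in for the challenge server."""
    def oracle(guess):
        if guess == secret:
            return "Correct"
        return "Higher" if secret > guess else "Lower"
    return oracle


def worst_case_guesses(low=1, high=1000):
    """Play every possible secret and report the most guesses any needed."""
    return max(binary_search_guess(make_oracle(s), low, high)[1]
               for s in range(low, high + 1))


if __name__ == "__main__":
    print(binary_search_guess(make_oracle(737)))   # (737, guesses used)
    print("worst case:", worst_case_guesses())     # 10 for 1..1000
```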
Challenge: endianness | Category: General Skills | Points [200]
Okay, let’s connect to the challenge from the WebShell. We’re given this word, and we’re asked to input its little-endian representation. Read about endianness here.
Okay, now we need to find the ASCII representation of each of these letters, find the hexadecimal equivalent for that and then provide the little-endian representation of this string.
Let’s do it using python.
Here, I put the string we were given in a variable called string and created an empty list called l. Then I iterated over each character in the string, converting the character to its ASCII value using ord(), then converting that to hex using the hex() function with [2:] to get rid of the 0x prefix, as shown before. Each final value is appended to the l list I created. After the loop is finished, I just used ‘’.join(<list-name>) to concatenate the list items into one whole string; the ‘’ here is the delimiter, and in this case it’s nothing, so the characters are printed consecutively.
The value printed out last is the big-endian representation, or the normal order we’re used to. However, for little-endian, we need to start from the last character first (remember each character here is represented by two hex digits, so we reverse pairs, not single digits). Check the next picture and notice that the last two pairs in the first prompt are the first two in the second, and so on.
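The same conversion as an added example (not the writeup’s own snippet), with the little-endian step done per byte so the two hex digits of each character stay together, plus a cross-check against bytes.hex(). The word “pico” is a constructed sample; the challenge word changes per session.

```python
# Added example (not from the writeup): big-endian hex of an ASCII word and
# its little-endian form, reversing whole bytes rather than single hex digits.
WORD = "pico"   # constructed sample; the real challenge word differs


def hex_pairs(s: str) -> list:
    """One two-digit hex pair per character. ord() gives the ASCII code,
    hex()[2:] drops the '0x', zfill(2) keeps e.g. '\\n' as '0a' not 'a'."""
    return [hex(ord(c))[2:].zfill(2) for c in s]


def big_endian_hex(s: str) -> str:
    """Characters in their normal order: what the loop in the writeup prints."""
    return "".join(hex_pairs(s))


def little_endian_hex(s: str) -> str:
    """Last character first. Reversing the pair list (not the digit string)
    is the step that keeps '70' from turning into '07'."""
    return "".join(reversed(hex_pairs(s)))


def matches_stdlib(s: str) -> bool:
    """Cross-check: bytes.hex() and a reversed byte slice give the same answers."""
    data = s.encode("ascii")
    return (data.hex() == big_endian_hex(s)
            and data[::-1].hex() == little_endian_hex(s))


if __name__ == "__main__":
    print("big-endian:   ", big_endian_hex(WORD))
    print("little-endian:", little_endian_hex(WORD))
```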
This was all I could solve from the General Skills category, with only two challenges left that I haven’t figured out yet. Those are dont-you-love-banners and SansAlpha. Let’s move on to the Forensics category, my favorite.
Challenge: Scan Surprise | Category: Forensics | Points [50]
Let’s download the file and see what this is about. Through the hints, we’re given a utility that scans QR codes on a PC, called zbar. I downloaded the tool and ran it from cmd in the directory where the flag.png image from the zip file is located, and we get our flag.
Challenge: Verify | Category: Forensics | Points [50]
Here, we’re given a checksum hash for the file containing the flag, all we need to do is find the corresponding file with the same hash inside the files folder.
First, I displayed the hash we need to check against. Then I used sha256sum, a command-line utility on Linux that calculates the checksum of any file. I used files/*, meaning go inside the files directory and apply this command to every file. Instead of showing hundreds of files with their hashes, we just need to find the one with the checksum we already have, so I used grep to make my job easier.
Now that we know which file it is, we just need to apply the decrypt.sh script on the file, and we’re given our flag.
Challenge: CanYouSee | Category: Forensics | Points [100]
In this challenge, we’re given an image. The ABCs of forensics CTFs dictate that we check the image metadata using exiftool. However, since I’m not on my Linux machine, I’ll just look up an exiftool online viewer.
Upload the file and check the info.
We notice a string with two “=” signs, most probably a base64 string. Let’s check it out.
Challenge: Secret of the Polyglot | Category: Forensics | Points [100]
I downloaded the file and got a .pdf. I opened the pdf and found this.
Looks like the second part of our flag, where’s the rest? Let’s heed the hint’s advice and try different ways.
I tried using cat, strings, and opening it in a text editor, but got nothing useful. Then I noticed the challenge description said “conflicting information on what type of file it is” and immediately tried the file command, which identifies a file by its leading bytes rather than its extension.
Okay, so this is originally a PNG. Let’s try to change the extension and see what happens.
Once I changed the extension from .pdf to .png, I can see the first part of the flag in the thumbnail. Easy-peasy?
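What the file command is doing here, as an added example that is not the writeup’s own tooling: check the leading magic bytes, and then scan for every known signature so a polyglot shows both of its faces. The sample buffer is constructed (a PNG header followed by a PDF header) rather than the real challenge file.

```python
# Added example (not from the writeup): a minimal file-signature sniffer that
# reports the type by magic bytes and lists every signature found in the data.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}


def sniff(data: bytes) -> str:
    """Type by the bytes at offset 0, the way `file` decides, extension ignored."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_signatures(data: bytes) -> list:
    """Every (offset, type) where a known signature occurs, sorted by offset.
    A polyglot that is a PNG up front and a PDF later shows up as two hits."""
    hits = []
    for magic, name in SIGNATURES.items():
        off = data.find(magic)
        while off != -1:
            hits.append((off, name))
            off = data.find(magic, off + 1)
    return sorted(hits)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type and the magic bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = "jpeg" if ext == "jpg" else ext
    return sniff(data) != ext


# Constructed stand-in for the challenge file: PNG signature first, PDF later
SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"%PDF-1.4\n%constructed"

if __name__ == "__main__":
    print(sniff(SAMPLE), find_signatures(SAMPLE))
    print("mismatch:", extension_mismatch("flag2of2-final.pdf", SAMPLE))
```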
Challenge: interencdec | Category: Cryptography | Points [50]
We get a text file with a base64-looking string inside it.
On the first decoding attempt, you can see the b’’ identifier around the string, meaning this is in the form of a bytes object and not a string. So I copied the string and base64-decoded it once again, since it also has “==” signs, and ended up with a flag-looking string.
This looks like a simple Caesar cipher, and there are two ways to go about this. Either work out how many letter shifts we’d need to go from the first letter (w) to (p), which is the first letter in picoCTF flags, or just throw the string on rot13.com and try every option.
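Both steps in Python, as an added example that is not the writeup’s own method: peel the nested base64 layers until the output is no longer valid base64, then derive the Caesar shift from the distance between the first letter and the ‘p’ of picoCTF. The flag and the double-encoded blob are constructed for the example.

```python
# Added example (not from the writeup): nested base64 decode followed by
# recovering the Caesar shift from the known flag prefix.
import base64
import binascii


def caesar(text: str, shift: int) -> str:
    """Shift letters only; braces, digits and underscores are untouched."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch.isupper():
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def peel_base64(blob: str, max_layers: int = 5) -> str:
    """Decode repeatedly while the result is still valid, printable base64.
    The '{' in the Caesar text is what finally stops the loop."""
    data = blob.encode()
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded.isascii() or not decoded.decode().isprintable():
            break
        data = decoded
    return data.decode()


def undo_caesar_by_prefix(ct: str, prefix: str = "picoCTF{") -> str:
    """Shift = distance from the first ciphertext letter back to 'p'."""
    shift = (ord(ct[0]) - ord(prefix[0])) % 26
    pt = caesar(ct, -shift)
    if not pt.startswith(prefix):
        raise ValueError("first letter does not line up with the flag prefix")
    return pt


def solve(blob: str) -> str:
    return undo_caesar_by_prefix(peel_base64(blob))


# Constructed test vector: made-up flag, shifted by 7, base64-encoded twice
PLAIN = "picoCTF{constructed_sample_flag}"
SAMPLE = base64.b64encode(base64.b64encode(caesar(PLAIN, 7).encode())).decode()
```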
This is it for today’s writeup. I will try my best to create a part-2 where I solve the rest of pico’s 2024 challenges as they are very beginner/intermediate-beginner-friendly and help me gain more commandline and investigative skills.
#Writeups #Cyber #CTF #picoCTF #Forensics #Linux #Shell #picoCTF2024