PicoCTF 2023 Writeup


This was the first time I participated in PicoCTF and it was a really fun experience. I learned a lot about how to tackle Forensics, Steganography, and Reverse Engineering based challenges in this CTF. We ranked 986 out of 7000 teams that were participating worldwide. I wish we could’ve devoted more time to solving the remaining challenges towards the end but because of academic commitments that wasn’t possible. I was stuck on a couple of challenges like MSB, Specialer, and No Way Out. I am curious to see write-ups from other teams who were able to solve these challenges.


These challenges are still available in the PicoGym Practice Challenges under PicoCTF 2023:

https://play.picoctf.org/practice?originalEvent=72&page=1

The steps I took to solve these challenges are listed below.

FindAndOpen


Someone might have hidden the password in the trace file. Find the key to unlock this file. This trace file might be good to analyze.

Solution -

  1. Open the dump.pcap file in Wireshark and go through the Ethernet packets.
  2. Some of the Ethernet packets contain the text ‘Flying on Ethernet secret: Is this the flag’ and some of them contain ‘Could the flag have been splitted?’
  3. This reveals that the flag has been split among the packets.
  4. Packet 48 carries different data from the others, which we can copy and decode in CyberChef.



  5. But this is only half of the flag. The remaining packets say ‘Maybe try checking the other file’.
  6. Use this half of the flag as the password for flag.txt in the zip. We got the flag:
picoCTF{R34DING_LOKd_fil56_succ3ss_0e30d0e1}

Two-Sum


What two positive numbers can make this possible: n1 > n1 + n2 OR n2 > n1 + n2

If the two inputs are signed 32-bit integers we can trigger an integer overflow by entering INT_MAX (2147483647) and 1, so the wrapped sum is smaller than both inputs.
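Added example (not from the writeup): the comparison from the challenge emulated with 32-bit two's-complement wraparound, beside the overflow-aware check a program should perform instead.

```python
# Added example (not from the writeup): emulates 32-bit signed addition to show why
# n1 > n1 + n2 can hold once the sum wraps, and the overflow-aware check to use instead.
from typing import Optional

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31


def wrap_int32(value: int) -> int:
    """Reduce a Python int to the two's-complement 32-bit value a C int would hold."""
    return ((value + 2**31) % 2**32) - 2**31


def unsafe_check(n1: int, n2: int) -> bool:
    """The challenge's comparison, evaluated the way 32-bit signed C arithmetic wraps."""
    total = wrap_int32(n1 + n2)
    return n1 > total or n2 > total


def safe_add(n1: int, n2: int) -> Optional[int]:
    """Overflow-aware addition: returns None when the true sum leaves the int32 range."""
    total = n1 + n2  # Python ints do not wrap, so this is the mathematically exact sum
    if total > INT32_MAX or total < INT32_MIN:
        return None
    return total


if __name__ == "__main__":
    print(wrap_int32(INT32_MAX + 1))   # -2147483648: INT_MAX + 1 wraps to INT_MIN
    print(unsafe_check(INT32_MAX, 1))  # True: the wrapped sum is below both inputs
    print(safe_add(INT32_MAX, 1))      # None: rejected instead of silently wrapping
```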


Chrono


An automated task that runs at regular intervals in Linux is stored in /etc/crontab.


Findme


Open Burp Suite and proxy all the traffic to the webpage. Log in with the credentials test and test!. During login the application performs multiple redirects, passing ids in the URL; the id, when decoded from Base64, is the flag. You will have to combine the two ids.


picoCTF{proxies_all_the_way_df44c94c}

Permissions


Go to the root directory; inside the challenges directory there is a metadata.json file.

{"flag": "picoCTF{uS1ng_v1m_3dit0r_ad091ce1}", "username": "picoplayer", "password": "8nVVw6hmD7"}

Ready Gladiator 0


Download the source code of imp.red and read through it. It assigns a name after redcode, asserts 1, and then moves positions; we just switch the positions.


picoCTF{h3r0_t0_z3r0_4m1r1gh7_a7bf8a57}

timer


I reverse-engineered the timer.apk using apktool. I searched for picoctf in the project and found the flag.


picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}

Special


The shell capitalizes the first word and changes the spelling of commands to English words. The hint suggests experimenting with the syntax. When I tried && and ||, they didn’t work, but a semicolon did. There must not be any space after the semicolon or the shell capitalizes the next word. I used the python3 command after the semicolon to open the Python IDLE. Then I opened the flag from there.


picoCTF{5p311ch3ck_15_7h3_w0r57_b741d1b1}

hijacking


You will find the root-owned .server.py Python script in the home directory. The script imports 3 libraries, which lets us perform a library hijacking attack. sudo -l shows that we can run the .server.py Python script as root without the root user’s password.


In the /lib/python3.8 directory, base64.py is writable by us. We overwrite that file with code that spawns a shell, so when .server.py imports it we get a root shell.


Run the .server.py Python script. The flag is in the /challenges directory.
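Added example (not from the writeup): a defender-side audit for the condition this challenge relied on, a module file or library directory on the import path that is writable by a non-owner. The audit function, the demo and its temporary sample directory are all constructed here.

```python
# Added example (not from the writeup): audits a Python import path for the weakness the
# challenge abused, a library directory or module file that non-owners can overwrite.
# Uses only the permission bits from os.stat; run it as the user who imports the modules.
import os
import stat
import sys
import tempfile


def writable_by_others(path: str) -> bool:
    """True when the group or world write bit is set on the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(paths):
    """Return (path, reason) pairs for directories and .py modules others could overwrite."""
    findings = []
    for directory in paths:
        if not os.path.isdir(directory):
            continue  # sys.path may hold zip files or stale entries
        if writable_by_others(directory):
            findings.append((directory, "directory is group/world writable"))
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if name.endswith(".py") and os.path.isfile(full) and writable_by_others(full):
                findings.append((full, "module file is group/world writable"))
    return findings


def demo():
    """Constructed sample: a temporary lib dir holding one safe module and one
    world-writable base64.py, mirroring the writeup; returns (file name, reason) pairs."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("json_safe.py", 0o644), ("base64.py", 0o666)):
        full = os.path.join(root, name)
        with open(full, "w") as f:
            f.write("# placeholder module body\n")
        os.chmod(full, mode)
    return [(os.path.basename(p), reason) for p, reason in audit_import_path([root])]


if __name__ == "__main__":
    for path, reason in audit_import_path(sys.path):
        print(f"{reason}: {path}")
```

Running the block audits the current interpreter's sys.path; any finding is a module that a lower-privileged user could replace before a privileged script imports it.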


picoCTF{pYth0nn_libraryH!j@CK!n9_0083cb0b}

hideme


Run binwalk -e on the image to find what other data is inside the image.


We found a secret/flag.png file.


When you open the image it has the flag.

hidetosee


The word “extract” in the hint suggests trying the steghide tool to extract the hidden text.


I left the passphrase blank.

The image shows the Atbash cipher, so we decrypt the extracted text using Atbash.


PcapPoisoning


Open the trace.pcap file in Wireshark. Going through the packets, all of the FTP packets contain the same data, but the first TCP Retransmission packet (packet 507) contains the flag.


ReadMyCert


Decode the certificate signing request file to inspect its contents using

openssl req -in readmycert.csr -noout -text

The flag is in the Subject.

MatchTheRegex


Go to the website and view the page source. The regex is mentioned in the comments.


money-ware


A Google search for the Bitcoin wallet address takes us to the BitcoinAbuse database at this link:

https://www.bitcoinabuse.com/reports/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

This malware is the Petya ransomware, so according to the description the flag is

picoCTF{Petya}

repetitions


Base64 decode the enc_flag text 6 times.


who is it


Reading through the email headers we can see the email was sent from the mail.onionmail.org mail server. The IP address of the server is 173.249.33.206.

Run whois on the IP address; the name of the person in the listing is the flag.

picoCTF{WilhelmZwalina}

rotation


When you open the encrypted text it is in the format of the flag, which means the text has likely just been encrypted with a rotation cipher.

Paste the encrypted text as input in CyberChef, add ROT13 Brute Force to the recipe, and bake. The flag appears at shift value 18.
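Added example (not from the writeup) serving the repetitions, hidetosee and rotation challenges above: a ROT-n brute force, an Atbash decoder and a base64 layer peeler that each stop as soon as the output matches the picoCTF{...} flag format. The sample inputs are constructed by the block's own rot and wrap_base64 helpers; the real challenge files are not reproduced.

```python
# Added example (not from the writeup): decoders for the three substitution/encoding
# challenges that stop as soon as the output matches the picoCTF{...} flag format.
import base64
import re
import string

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def rot(text: str, shift: int) -> str:
    """Caesar/ROT-n: shift letters only, preserving case and leaving other characters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot_bruteforce(cipher: str):
    """Try all 26 shifts; return (shift, plaintext) for the first that looks like a flag."""
    for shift in range(26):
        candidate = rot(cipher, shift)
        if FLAG_RE.search(candidate):
            return shift, candidate
    return None


def atbash(text: str) -> str:
    """Atbash maps a<->z, b<->y, ... (and A<->Z); applying it twice restores the input."""
    lower = string.ascii_lowercase
    table = str.maketrans(lower + lower.upper(), lower[::-1] + lower[::-1].upper())
    return text.translate(table)


def wrap_base64(text: str, layers: int) -> str:
    """Constructed-sample helper: base64-encode `layers` times, like the enc_flag file."""
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text


def peel_base64(blob: str, max_layers: int = 10):
    """Base64-decode repeatedly until a flag appears; return (layers peeled, plaintext)."""
    current = blob.strip()
    for layer in range(1, max_layers + 1):
        current = base64.b64decode(current).decode()
        if FLAG_RE.search(current):
            return layer, current.strip()
    return None
```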


Reverse


Running the file command on the downloaded file shows that it is an executable. Run chmod +x on the file and execute it. It asks for a password. Open the executable in Ghidra and go to the main function. The flag is there.


This post will be updated with the other solutions.