This is a series of selected challenges from the picoCTF 2022 competition which are more catered towards beginner players. Through these writeups, I hope you can find takeaways to help you in your future CTFs!
Binary Exploitation
basic-file-exploit
basic-file-exploit
author: Will Hong
points: 100
category: pwn
$ nc saturn.picoctf.net 50366
Let's connect to the server using netcat
to see what's going on:
Since this is the binary exploitation category, we'll be looking for a vulnerability in the source code that allows us to either break or control the program at a lower level. Let's view the attachment program-redacted.c
:
In the midst of this complex program, we need to figure out where the flag is, and how to trigger it to print:
The flag is defined in line 13 as "[REDACTED]"
, which will be the actual location on the remote server. From lines 139-143 it looks like a condition needs to be met in order to puts()
the flag, which writes a string to the output stream stdout
.
Google defines strtol()
as a function that "converts the initial part of the string in str to a long int value according to the given base". To break it, we need to input something that is unconvertible into a long integer. In this case, it would be a string, as they can't be properly coalesced into long integers!
This if statement is located within a function called data_read()
. Let's see where it's called in the program:
After we write some data with the command 1
, We should be pressing the command 2
to read from the stored data. Once it prompts us to "enter the entry number of your data", we'll send a string instead to break it. Let's head back to the netcat
and test it out:
CVE-XXXX-XXXX
CVE-XXXX-XXXX
author: Mubarak Mikail
points: 100
category: osint
picoCTF{CVE-XXXX-XXXXX}
- replacing XXXX-XXXXX
with the numbers for the matching vulnerability. The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in the Windows Print Spooler Service, which is available across desktop and server versions of Windows operating systems. The service is used to manage printers and print servers.This is a really trivial challenge. You can actually google "first recorded remote code execution (RCE) vulnerability in 2021" and it will be the first result:
picoCTF{CVE-2021-34527}
ropfu
ropfu
Hey, look: a classic "ROP" (return-oriented programming) challenge with the source code provided! Let's take a look:
The source only provides us with one vulnerable function: gets()
. I've gone over this extremely unsafe function multiple times now, so feel free to read MITRE's Common Weakness Enumeration page if you don't know why. There is also no convenient function with execve("/bin/sh", 0, 0)
in it (for obvious reasons), so we will have to insert our own shellcode.
Although we could totally solve this the old-fashioned way (as John Hammond did in his writeup), we can use the power of automation with a tool called ROPgadget! Let's try using it here to automatically build the ROP-chain for us, which will eventually lead to a syscall:
Oh, wow. It generated the entire script for us (unfortunately in Python2), with only a few missing bits and bobs! The only things we need to manually configure now are the offset and remote connection. Since the checksec
mentioned that there was a canary enabled, it looks like we'll have to manually guess the offset with the $eip
:
The offset is 28, as we've successfully loaded 4 hex B
s into the $eip
. Our last step is to set up the remote connection with pwntools. Here is my final script:
Let's run the script:
I know the way of ROP-fu, old man. Your shell has been snatched.
Cryptography
basic-mod1
basic-mod1
author: Will Hong
points: 100
category: crypto
Take each number mod 37 and map it to the following character set - 0-25 is the alphabet (uppercase), 26-35 are the decimal digits, and 36 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e.
picoCTF{decrypted_message}
)Let's go over what it's asking:
- Calculate
% 37
for each number - Map each number to this specific charset:
- 0-25 = Uppercase alphabet (A-Z)
- 26-35 = Decimal digits (0-9)
- 36 = Underscore ("_")
I was too lazy to learn Python and do that, so here it is in native Javascript:
Looking back at the problem after I learned Python, here's a solution that's significantly cleaner:
Running the scripts:
basic-mod2
basic-mod2
author: Will Hong
points: 100
category: crypto
picoCTF{decrypted_message}
).Let's go over what it's asking once again:
- Calculate
% 41
for each number - Map each number to this specific charset:
- 1-26 = Uppercase alphabet (A-Z)
- 27-36 = Decimal digits (0-9)
- 37 = Underscore ("_")
Here's a stupidly long Javascript snippet I made to solve this:
Running the script:
credstuff
credstuff
- enscribe authors:- Will Hong
- Lt. 'Syreal' Jones points: 100
category: crypto
cultiris
and successfully decrypt it?The first user in
usernames.txt
corresponds to the first password in passwords.txt
. The second user corresponds to the second password, and so on.We're initially provided a leak.tar
archive. On extraction, we're presented with two files: usernames.txt
and passwords.txt
:
1
1
Let's go to the username cultiris
. The -n
tag in grep
will enable line numbers:
Let's fine the equivalent line in passwords.txt
:
On line 378 it looks like there's a flag obfuscated with shift cipher. Let's brute force this on DCode:
picoCTF{C7r1F_54V35_71M3}
morse-code
morse-code
author: Will Hong
points: 100
category: crypto
Wrap your answer with
picoCTF{}
, put underscores in place of pauses, and use all lowercase.We're presented with a morse_chal.wav
file:
We could totally decode this by hand using Audacity's visualizer, but that's super time-consuming. Instead, I opted for an automatic audio-based Morse decoder online:
The program outputs WH47 H47H 90D W20U9H7
. Following the conversion instructions, the final flag is:
picoCTF{wh47_h47h_90d_w20u9h7}
Forensics
Enhance!
Enhance!
author: Lt. 'Syreal' Jones
points: 100
category: forensics
This is an SVG file, which stands for Scalable Vector Graphics. They consist of vectors, not pixels, and can be thought of as a collection of shapes on a Cartesian (x/y) plane. The code that creates such graphics can also be viewed on Google Chrome with F12:
Look up what we end up finding in the Source tab:
picoCTF{3nh4nc3d_[REDACTED]}