picoCTF 2021 General Skills
Obedient Cat
Description
This file has a flag in plain sight (aka "in-the-clear"). Download flag.
```
# cat flag
picoCTF{s4n1ty_v3r1f13d_f28ac910}
```
"sanity verified"
Python Wrangling
Description
Python scripts are invoked kind of like programs in the Terminal... Can you run this Python script using this password to get the flag?
```
# wget https://mercury.picoctf.net/static/0bf545252b5120845e3b568b9ad0277e/ende.py
/// skipped ///
# wget https://mercury.picoctf.net/static/0bf545252b5120845e3b568b9ad0277e/pw.txt
/// skipped ///
# wget https://mercury.picoctf.net/static/0bf545252b5120845e3b568b9ad0277e/flag.txt.en
/// skipped ///
# ls
ende.py flag.txt.en pw.txt
# python3 ende.py
Usage: ende.py (-e/-d) [file]
# python3 ende.py -d flag.txt.en
Please enter the password:
# cat pw.txt | python3 ende.py -d flag.txt.en
Please enter the password:picoCTF{4p0110_1n_7h3_h0us3_6008014f}
```
"apollo in the house"(?)
Wave a flag
Description
Can you invoke help flags for a tool or binary? This program has extraordinarily helpful information...
```
# wget https://mercury.picoctf.net/static/b28b6021d6040b086c2226ebeb913bc2/warm
/// skipped ///
# file warm
warm: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b11c22752c901adc13ba1ce86eda9d5516f22763, with debug_info, not stripped
# chmod +x warm
# ./warm
Hello user! Pass me a -h to learn what I can do!
# ./warm -h
Oh, help? I actually don't do much, but I do have this flag here: picoCTF{b1scu1ts_4nd_gr4vy_d6969390}
```
"biscuits and gravy"
Nice netcat
Description
There is a nice program that you can talk to by using this command in a shell: $ nc mercury.picoctf.net 22342, but it doesn't speak English...
```
# nc mercury.picoctf.net 22342
112
105
99
111
67
84
70
123
103
48
48
100
95
107
49
116
116
121
33
95
110
49
99
51
95
107
49
116
116
121
33
95
53
102
98
53
101
53
49
100
125
10
```
At a glance, these look like character codes.
solver.py
```python
from pwn import remote

r = remote("mercury.picoctf.net", 22342)
while True:
    try:
        # Each line from the server is one decimal character code
        c = chr(int(r.recvline().strip()))
        if c != "":
            print(c, end="")
    except EOFError as e:
        # The server closes the connection after the last code
        r.close()
        break
```
```
# python3 solver.py
[+] Opening connection to mercury.picoctf.net on port 22342: Done
picoCTF{g00d_k1tty!_n1c3_k1tty!_5fb5e51d}
[*] Closed connection to mercury.picoctf.net port 22342
```
"good kitty! nice kitty!"
Static ain't always noise
Description
Can you look at the data in this binary: static? This BASH script might help!
```
# wget https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/static
/// skipped ///
# wget https://mercury.picoctf.net/static/ec4dbd8898ade34e1d60d5b70c1b8c8c/ltdis.sh
/// skipped ///
# file static
static: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=639391a8b15c579d69659462d3c935fa61693f17, not stripped
# chmod +x static
# ./static
Oh hai! Wait what? A flag? Yes, it's around here somewhere!
# cat ltdis.sh
#!/bin/bash

echo "Attempting disassembly of $1 ..."

#This usage of "objdump" disassembles all (-D) of the first file given by
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...

objdump -Dj .text $1 > $1.ltdis.x86_64.txt

#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
	echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

	echo "Ripping strings from binary with file offsets..."
	strings -a -t x $1 > $1.ltdis.strings.txt
	echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"

else
	echo "Disassembly failed!"
	echo "Usage: ltdis.sh <program-file>"
	echo "Bye!"
fi
```
The shell script appears to disassemble the binary.
If so, couldn't the flag be pulled out with `strings`? (After all, it says something about the text section near the top.)
```
# strings static
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
Oh hai! Wait what? A flag? Yes, it's around here somewhere!
;*3$"
picoCTF{d15a5m_t34s3r_98d35619}
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
static.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
flag
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
# strings static | grep pico
picoCTF{d15a5m_t34s3r_98d35619}
```
"disasm teaser"
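What `strings -a -t x` followed by `grep pico` does to the file, as an added Python example that is not part of the original writeup: it scans raw bytes for printable runs, records their file offsets, and picks out flag-shaped tokens, which is why a literal compiled into a binary is never hidden. The `SAMPLE` bytes and the flag inside them are constructed placeholders, not the challenge binary, and the function names are hypothetical.

```python
import re

# Runs of 4 or more printable ASCII bytes (space through tilde, plus tab);
# 4 is also the default minimum length used by GNU strings.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{4,}")
FLAG = re.compile(r"picoCTF\{[^}]*\}")


def extract_strings(data: bytes):
    """Return (file_offset, text) for every printable run in the whole file."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(data)]


def find_flags(data: bytes):
    """Return (file_offset, flag) for each picoCTF{...} token inside a printable run."""
    hits = []
    for offset, text in extract_strings(data):
        for m in FLAG.finditer(text):
            hits.append((offset + m.start(), m.group()))
    return hits


# Constructed sample: an ELF-like byte blob with a placeholder flag stored
# between non-printable bytes. It is NOT the real `static` binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # header: "ELF" is only 3 chars, so skipped
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x48\x89\xe5\x00ab\x00"                # code-like noise, printable runs too short
    + b"Oh hai! Wait what? A flag?\x00"
    + b"\x01\x1b\x03"
    + b"picoCTF{constructed_example_flag}\x00"
    + b".rodata\x00"
)

if __name__ == "__main__":
    # Same layout as `strings -a -t x`: hex offset, then the string
    for offset, text in extract_strings(SAMPLE):
        print(f"{offset:7x} {text}")
    print(find_flags(SAMPLE))
```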
Tab, Tab, Attack
Description
Using tabcomplete in the Terminal will add years to your life, esp. when dealing with long rambling directory structures and filenames: Addadshashanammu.zip
```
# unzip Addadshashanammu.zip
Archive: Addadshashanammu.zip
   creating: Addadshashanammu/
   creating: Addadshashanammu/Almurbalarammi/
   creating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/
   creating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/
   creating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/
   creating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/
   creating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/Ularradallaku/
  inflating: Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/Ularradallaku/fang-of-haynekhtnamet
# file Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/Ularradallaku/fang-of-haynekhtnamet
Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/Ularradallaku/fang-of-haynekhtnamet: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=55548d0314fdf7999b966728d19712cdf8a52e58, not stripped
# strings Addadshashanammu/Almurbalarammi/Ashalmimilkala/Assurnabitashpi/Maelkashishi/Onnissiralis/Ularradallaku/fang-of-haynekhtnamet | grep pico
*ZAP!* picoCTF{l3v3l_up!_t4k3_4_r35t!_f3553887}
```
"level up! take a rest!"
Magikarp Ground Mission
Description
Do you know how to move between directories and read files in the shell? Start the container, `ssh` to it, and then `ls` once connected to begin. Login via `ssh` as `ctf-player` with the password, `481e7b14`
After starting the instance, connect to the specified server and port.
```
# ssh ctf-player@venus.picoctf.net -p 54159
ctf-player@venus.picoctf.net's password:
/// skipped ///
ctf-player@pico-chall$ ls
1of3.flag.txt  instructions-to-2of3.txt
ctf-player@pico-chall$ cat 1of3.flag.txt
picoCTF{xxsh_
ctf-player@pico-chall$ cat instructions-to-2of3.txt
Next, go to the root of all things, more succinctly `/`
ctf-player@pico-chall$ cd /
ctf-player@pico-chall$ ls
2of3.flag.txt  dev   instructions-to-3of3.txt  media  proc  sbin  tmp
bin            etc   lib                       mnt    root  srv   usr
boot           home  lib64                     opt    run   sys   var
ctf-player@pico-chall$ cat 2of3.flag.txt
0ut_0f_\/\/4t3r_
ctf-player@pico-chall$ cat instructions-to-3of3.txt
Lastly, ctf-player, go home... more succinctly `~`
ctf-player@pico-chall$ cd ~
ctf-player@pico-chall$ ls
3of3.flag.txt  drop-in
ctf-player@pico-chall$ cat 3of3.flag.txt
1118a9a4}
```
picoCTF{xxsh_0ut_0f_\/\/4t3r_1118a9a4}
"xxsh out of water"