picoCTF Practice Writeup 5
A record of working through the 11 problems on picoGym Practice Challenges page=5.
They are gradually getting harder.
The hard problems on this page were:
Pixelated (steganography), 659 solves
It is my Birthday (OSINT), 835 solves
Wireshark twoo twooo two twoo... (packet analysis), 468 solves
Hurry up! Wait!, 259 solves
Unsubscriptions Are Free, 159 solves: I gave up on this one
logon
Category: Web Exploitation
Description:
The factory is hiding things from all of its users. Can you login as Joe and find what they've been looking at? https://jupiter.challenges.picoctf.org/problem/44573/ (link) or http://jupiter.challenges.picoctf.org:44573
Hints:
Hmm it doesn't seem to check anyone's password, except for Joe's?
Solution:
Clicking the Sign in button without entering anything
reports a successful login.
Look at the cookies in Burp.
admin=False looks suspicious, so change it to True and resend.
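Why flipping admin=False to True works: the server believes a plain value the client holds. The following added example (mine, not the challenge's code) contrasts that check with one that only accepts an HMAC-signed admin cookie; SECRET_KEY is a constructed placeholder.

```python
import hmac
import hashlib

SECRET_KEY = b"constructed-server-side-secret"  # placeholder; load from config in real code

def is_admin_unsigned(cookies):
    """The pattern the challenge exhibits: whatever the client sends is taken as truth,
    so editing one cookie value in Burp is enough to become admin."""
    return cookies.get("admin") == "True"

def sign_admin(value):
    """Issue a cookie value '<value>.<hex mac>' that only the key holder can produce."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def is_admin_signed(cookies):
    """Accept the admin flag only if its MAC verifies; a value edited on the client
    no longer matches the MAC computed over it."""
    raw = cookies.get("admin", "")
    value, sep, mac = raw.rpartition(".")
    if not sep:
        return False  # no MAC at all, e.g. a hand-written admin=True
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and value == "True"
```

Better still is to keep the role in a server-side session and put only an opaque session id in the cookie, so there is nothing meaningful for the client to edit.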
13
Category: Cryptography
Description:
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
Hints:
This can be solved online if you don't want to do it by hand!
Solution:
ROT13
caesar
Category: Cryptography
Description:
Decrypt this message.
Hints:
caesar cipher tutorial
picoCTF{gvswwmrkxlivyfmgsrhnrisegl}
The answer is crossingtherubicondjneoach, but I have no idea where to split it
to get a meaningful phrase.
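13 and caesar are the same operation with different shifts. The following added example (mine, not from the writeup) implements a general ROT-n over ASCII letters, leaving digits, braces and underscores untouched so a whole picoCTF{...} flag can be fed through it, and brute-forces all 26 shifts when the shift is unknown, ranking them by a crude trigram score.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
COMMON_TRIGRAMS = ("the", "and", "ing", "ion")  # crude English-likeness signal

def rot(text, shift):
    """Shift every ASCII letter by `shift` places (mod 26); anything else passes
    through, so braces, underscores and digits of a flag survive intact."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def rot13(text):
    """ROT13 is its own inverse: applying it twice gives the original back."""
    return rot(text, 13)

def score(candidate):
    # Count common English trigrams; the true plaintext normally wins by a wide margin.
    return sum(candidate.count(t) for t in COMMON_TRIGRAMS)

def crack_caesar(cipher):
    """Try all 26 shifts and return (shift, plaintext) for the most English-looking one.
    With only 26 keys there is nothing to guess: enumerate and rank."""
    ranked = sorted(((score(rot(cipher, n)), n) for n in range(26)), reverse=True)
    best_shift = ranked[0][1]
    return best_shift, rot(cipher, best_shift)
```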
dont-use-client-side
Category: Web Exploitation
Description:
Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/17682/ (link) or http://jupiter.challenges.picoctf.org:17682
Hints:
Never trust the client
Solution:
Page source:
<html>
<head>
<title>Secure Login Portal</title>
</head>
<body bgcolor=blue>
<!-- standard MD5 implementation -->
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript">
function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
      if (checkpass.substring(split*6, split*7) == '706c') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
          if (checkpass.substring(split*4, split*5) == 'ts_p') {
            if (checkpass.substring(split*3, split*4) == 'lien') {
              if (checkpass.substring(split*5, split*6) == 'lz_b') {
                if (checkpass.substring(split*2, split*3) == 'no_c') {
                  if (checkpass.substring(split*7, split*8) == '5}') {
                    alert("Password Verified")
                  }
                }
              }
            }
          }
        }
      }
    }
    else {
        alert("Incorrect password");
    }
}
</script>
<div style="position:relative; padding:5px;top:50px; left:38%; width:350px; height:140px; background-color:yellow">
  <div style="text-align:center">
    <p>This is the secure login portal</p>
    <p>Enter valid credentials to proceed</p>
    <form action="index.html" method="post">
      <input type="password" id="pass" size="8" />
      <br/>
      <input type="submit" value="verify" onclick="verify(); return false;" />
    </form>
  </div>
</div>
</body>
</html>
Just reorder the pieces.
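Everything verify() needs, including the expected values, is delivered to the browser, so the checks can simply be read back; that is the whole point of "never trust the client". The following added example (mine, not the challenge's or the writeup's) parses the substring comparisons out of the script text, evaluates the split*N offsets without eval(), checks that the pieces are contiguous, and joins them in order.

```python
import re

# The comparison lines from verify() above, embedded as a string (copied from the page).
VERIFY_JS = """
split = 4;
if (checkpass.substring(0, split) == 'pico') {
if (checkpass.substring(split*6, split*7) == '706c') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_b') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == '5}') {
"""

CHECK_RE = re.compile(r"checkpass\.substring\(([^,]+),([^)]+)\)\s*==\s*'([^']*)'")

def offset(expr, split):
    """Evaluate the tiny grammar the checks use: '0', 'split' or 'split*N'."""
    expr = expr.strip()
    if expr.isdigit():
        return int(expr)
    name, _, factor = expr.partition("*")
    if name != "split":
        raise ValueError(f"unexpected offset expression: {expr!r}")
    return split * (int(factor) if factor else 1)

def reassemble(js):
    """Collect (start, chunk) pairs from the checks and join them in offset order."""
    split = int(re.search(r"\bsplit\s*=\s*(\d+)", js).group(1))
    pieces = []
    for start, end, chunk in CHECK_RE.findall(js):
        s, e = offset(start, split), offset(end, split)
        if len(chunk) > e - s:  # a chunk longer than its window could never match
            raise ValueError(f"check at {s} can never pass: {chunk!r}")
        pieces.append((s, chunk))
    pieces.sort()
    result = ""
    for s, chunk in pieces:
        if s != len(result):  # gap or overlap: the checks are inconsistent
            raise ValueError(f"non-contiguous check at offset {s}")
        result += chunk
    return result
```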
Bases
Category: General Skills
Description:
What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.
Hints:
Submit your answer in our flag format. For example, if your answer was 'hello', you would submit 'picoCTF{hello}' as the flag.
Solution:
base64
First Grep
Category: General Skills
Description:
Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way.
Hints:
grep tutorial
Pixelated
Category: Cryptography
Description:
I have these 2 images, can you make a flag out of them? scrambled1.png scrambled2.png
Hints:
- https://en.wikipedia.org/wiki/Visual_cryptography
- Think of different ways you can "stack" images
How to use "青い空を見上げればいつもそこに白い猫"
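The hint points at visual cryptography: neither scrambled image means anything on its own, and the flag appears only when the two are combined pixel by pixel. The following added example (mine, not the writeup's) shows the one-time-pad version on a constructed 1-bit bitmap and why XOR, rather than plain stacking (OR), is what recovers it; for real PNGs the same per-pixel combination is applied to each colour channel.

```python
import random

# Constructed 8x8 1-bit image of the letter "T": 1 = black, 0 = white.
SECRET = [
    [1, 1, 1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1, 1, 1],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 0, 0, 0],
]

def make_shares(secret, seed=1):
    """Split `secret` into two shares: one uniformly random, the other secret XOR random.
    Each share alone is indistinguishable from noise (a one-time pad over pixels)."""
    rng = random.Random(seed)  # fixed seed only so the example is reproducible
    share1 = [[rng.randint(0, 1) for _ in row] for row in secret]
    share2 = [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(secret, share1)]
    return share1, share2

def combine_xor(s1, s2):
    """Pixel-wise XOR: the operation that actually undoes the sharing."""
    return [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]

def combine_stack(s1, s2):
    """Physically stacking two transparencies is pixel-wise OR: black stays black.
    Every black secret pixel survives, but white pixels pick up noise from the shares."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]

def black_count(img):
    return sum(sum(row) for row in img)

def render(img):
    """ASCII view for eyeballing a share or a reconstruction."""
    return "\n".join("".join("#" if px else "." for px in row) for row in img)
```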
It is my Birthday
Category: Web Exploitation
Description:
I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:50970/
Hints:
- Look at the category of this problem.
- How may a PHP site check the rules in the description?
Solution:
Search the web for PDFs whose MD5 hashes collide.
Found some, so try uploading them.
File too large!
Wireshark twoo twooo two twoo...
Who are you?
Hurry up! Wait!
Category: Reverse Engineering
Description:
svchost.exe
Hints:
(None)
Solution:
Static analysis in Ghidra.
Functions are called one after another.
void FUN_0010298a(void)
{
  ada__calendar__delays__delay_for(1000000000000000);
  FUN_00102616();
  FUN_001024aa();
  FUN_00102372();
  FUN_001025e2();
  FUN_00102852();
  FUN_00102886();
  FUN_001028ba();
  FUN_00102922();
  FUN_001023a6();
  FUN_00102136();
  FUN_00102206();
  FUN_0010230a();
  FUN_00102206();
  FUN_0010257a();
  FUN_001028ee();
  FUN_0010240e();
  FUN_001026e6();
  FUN_00102782();
  FUN_001028ee();
  FUN_001023da();
  FUN_0010230a();
  FUN_0010233e();
  FUN_0010226e();
  FUN_001022a2();
  FUN_001023da();
  FUN_001021d2();
  FUN_00102956();
  return;
}
Look at the first one, FUN_00102616():
void FUN_00102616(void)
{
  ada__text_io__put__4(&DAT_00102cd8,&DAT_00102cb8,&DAT_00102cb8,&DAT_00102cd8);
  return;
}
Looking up ada__text_io__put__4, this appears to be the Ada programming language.
What is &DAT_00102cd8?
It's 'p'.
Check the rest one by one.
void FUN_0010298a(void)
{
  ada__calendar__delays__delay_for(1000000000000000);
  FUN_00102616(); // p
  FUN_001024aa(); // i
  FUN_00102372(); // c
  FUN_001025e2(); // o
  FUN_00102852(); // C
  FUN_00102886(); // T
  FUN_001028ba(); // F
  FUN_00102922(); // {
  FUN_001023a6(); // d
  FUN_00102136(); // 1
  FUN_00102206(); // 5
  FUN_0010230a(); // a
  FUN_00102206(); // 5
  FUN_0010257a(); // m
  FUN_001028ee(); // _
  FUN_0010240e(); // f
  FUN_001026e6(); // t
  FUN_00102782(); // w
  FUN_001028ee(); // _
  FUN_001023da(); // e
  FUN_0010230a(); // a
  FUN_0010233e(); // b
  FUN_0010226e(); // 7
  FUN_001022a2(); // 8
  FUN_001023da(); // e
  FUN_001021d2(); // 4
  FUN_00102956(); // }
  return;
}
Unsubscriptions Are Free
Category: Binary Exploitation
Description:
Check out my new video-game and spaghetti-eating streaming channel on Twixer! program and get a flag. source nc mercury.picoctf.net 4593
Hints:
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>

#define FLAG_BUFFER 200
#define LINE_BUFFER_SIZE 20

typedef struct {
    uintptr_t (*whatToDo)();
    char *username;
} cmd;

char choice;
cmd *user;

void hahaexploitgobrrr(){
    char buf[FLAG_BUFFER];
    FILE *f = fopen("flag.txt","r");
    fgets(buf,FLAG_BUFFER,f);
    fprintf(stdout,"%s\n",buf);
    fflush(stdout);
}

char * getsline(void) {
    getchar();
    char * line = malloc(100), * linep = line;
    size_t lenmax = 100, len = lenmax;
    int c;

    if(line == NULL)
        return NULL;

    for(;;) {
        c = fgetc(stdin);
        if(c == EOF)
            break;

        if(--len == 0) {
            len = lenmax;
            char * linen = realloc(linep, lenmax *= 2);

            if(linen == NULL) {
                free(linep);
                return NULL;
            }
            line = linen + (line - linep);
            linep = linen;
        }

        if((*line++ = c) == '\n')
            break;
    }
    *line = '\0';
    return linep;
}

void doProcess(cmd* obj) {
    (*obj->whatToDo)();
}

void s(){
    printf("OOP! Memory leak...%p\n",hahaexploitgobrrr);
    puts("Thanks for subsribing! I really recommend becoming a premium member!");
}

void p(){
    puts("Membership pending... (There's also a super-subscription you can also get for twice the price!)");
}

void m(){
    puts("Account created.");
}

void leaveMessage(){
    puts("I only read premium member messages but you can ");
    puts("try anyways:");
    char* msg = (char*)malloc(8);
    read(0, msg, 8);
}

void i(){
    char response;
    puts("You're leaving already(Y/N)?");
    scanf(" %c", &response);
    if(toupper(response)=='Y'){
        puts("Bye!");
        free(user);
    }else{
        puts("Ok. Get premium membership please!");
    }
}

void printMenu(){
    puts("Welcome to my stream! ^W^");
    puts("==========================");
    puts("(S)ubscribe to my channel");
    puts("(I)nquire about account deletion");
    puts("(M)ake an Twixer account");
    puts("(P)ay for premium membership");
    puts("(l)eave a message(with or without logging in)");
    puts("(e)xit");
}

void processInput(){
    scanf(" %c", &choice);
    choice = toupper(choice);
    switch(choice){
        case 'S':
            if(user){
                user->whatToDo = (void*)s;
            }else{
                puts("Not logged in!");
            }
            break;
        case 'P':
            user->whatToDo = (void*)p;
            break;
        case 'I':
            user->whatToDo = (void*)i;
            break;
        case 'M':
            user->whatToDo = (void*)m;
            puts("===========================");
            puts("Registration: Welcome to Twixer!");
            puts("Enter your username: ");
            user->username = getsline();
            break;
        case 'L':
            leaveMessage();
            break;
        case 'E':
            exit(0);
        default:
            puts("Invalid option!");
            exit(1);
            break;
    }
}

int main(){
    setbuf(stdout, NULL);
    user = (cmd *)malloc(sizeof(user));
    while(1){
        printMenu();
        processInput();
        //if(user){
        doProcess(user);
        //}
    }
    return 0;
}
Solution:
There appears to be a Use After Free vulnerability around leaveMessage(), but...
When I try it by hand,
timeout:
is displayed, an error message that does not appear in the source code.