
Posts

Showing posts with the label PicoCTF2018

PicoCTF 2018 – Binary Exploitation – buffer overflow 0

Objective: Let's start off simple, can you overflow the right buffer in this program [1] to get the flag? You can also find it in /problems/buffer-overflow-0_1_316c391426b9319fbdfb523ee15b37db on the shell server. Source [2].

Hints: (1) How can you trigger the flag to print? (2) If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.

Solution: I started by cd'ing over to the problem folder. ls shows us a flag file (which we can't open), the program and the C code. The title tells us this is about a buffer overflow. Running the program we get this:

    ./vuln
    This program takes 1 argument.

Ok, let's give it an argument:

    ./vuln 1
    Thanks! Received: 1

Let's try just throwing a bunch of values at it:

    ./vuln 11111111111111111111111111111111111
    picoCTF{ov3rfl0ws_ar3nt_that_bad_3598a894}

That was super simple but
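Added example (not code from the write-up or from picoCTF): a byte-level model of the stack frame that the argument to ./vuln gets copied into, to show why an argument that is only "a few more characters" than the buffer still reaches the saved frame pointer and return address. The 32-byte buffer, the 8 bytes of alignment padding and the placeholder saved values are assumptions made for the model; the real binary's layout is not shown on the page.

```python
# Model of a stack frame, low address first:
# [buffer][alignment padding][saved ebp][return address]
# All sizes below are assumptions for illustration, not ./vuln's real layout.
BUF_SIZE = 32                       # assumed size of the destination buffer
PADDING = 8                         # assumed compiler alignment slack after it
SAVED_EBP = b"\xef\xbe\xad\xde"     # placeholder saved frame pointer
RET_ADDR = b"\x37\x13\x00\x08"      # placeholder return address (0x08001337)


def fresh_frame() -> bytearray:
    """Build an untouched frame with the assumed layout."""
    return bytearray(BUF_SIZE + PADDING) + bytearray(SAVED_EBP) + bytearray(RET_ADDR)


def strcpy_unbounded(frame: bytearray, src: bytes) -> int:
    """The vulnerable copy: like strcpy(buffer, argv[1]) it writes src plus
    its NUL terminator starting at the buffer and stops only at that NUL,
    never at the buffer's end.  Returns how many bytes landed past the buffer."""
    data = src + b"\x00"
    end = min(len(data), len(frame))        # the model frame is finite
    frame[0:end] = data[:end]
    return max(0, end - BUF_SIZE)


def strncpy_bounded(frame: bytearray, src: bytes) -> int:
    """The fix: keep at most BUF_SIZE-1 bytes and always NUL-terminate."""
    data = src[:BUF_SIZE - 1] + b"\x00"
    frame[0:len(data)] = data
    return 0


def frame_state(frame: bytearray) -> dict:
    """Report whether the two values beyond the buffer survived the copy."""
    ebp_off = BUF_SIZE + PADDING
    return {
        "saved_ebp_intact": bytes(frame[ebp_off:ebp_off + 4]) == SAVED_EBP,
        "ret_intact": bytes(frame[ebp_off + 4:ebp_off + 8]) == RET_ADDR,
    }


def smallest_overflowing_length() -> int:
    """Shortest argument (in characters) that changes the return address.
    It is larger than BUF_SIZE because padding and the saved ebp sit in
    between, which is what the 'add a few more characters' hint is about;
    note the NUL terminator counts as one written byte."""
    n = 1
    while True:
        frame = fresh_frame()
        strcpy_unbounded(frame, b"1" * n)
        if not frame_state(frame)["ret_intact"]:
            return n
        n += 1


if __name__ == "__main__":
    f = fresh_frame()
    strcpy_unbounded(f, b"1" * 35)
    print("35 chars:", frame_state(f))
    print("first length that clobbers the return address:", smallest_overflowing_length())
```

Run it once with a 35-character argument and once with the loop to see that in this layout the saved values survive until the argument is well past the buffer size; on a real binary the exact number depends on what the compiler placed between the buffer and the saved registers, which is why guessing the length by hand often comes up short.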

PicoCTF 2018 – Reverse Engineering – assembly 0

Objective: What does asm0(0xb6,0xc6) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source [1] located in the directory at /problems/assembly-0_0_5a220faedfaf4fbf26e6771960d4a359.

Hints: (1) basic assembly tutorial [2] (2) assembly registers [3]

Source:

    .intel_syntax noprefix
    .bits 32
    .global asm0
    asm0:
        push    ebp
        mov     ebp,esp
        mov     eax,DWORD PTR [ebp+0x8]
        mov     ebx,DWORD PTR [ebp+0xc]
        mov     eax,ebx
        mov     esp,ebp
        pop     ebp
        ret

Solution: So I spent about an hour watching YouTube videos to try and understand assembly language
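Added example (not part of the original write-up): a tiny emulator for the handful of 32-bit Intel-syntax instructions in the asm0 listing, so the stack-frame arithmetic can be traced instead of guessed. It assumes the cdecl calling convention (arguments pushed right to left, so after `push ebp; mov ebp,esp` the first argument sits at [ebp+0x8] and the second at [ebp+0xc]), a made-up return address and 32-bit wraparound; the listing itself is the one from the challenge.

```python
import re

# The challenge listing (directives dropped; only the instructions matter here).
ASM0 = """
asm0:
    push    ebp
    mov     ebp,esp
    mov     eax,DWORD PTR [ebp+0x8]
    mov     ebx,DWORD PTR [ebp+0xc]
    mov     eax,ebx
    mov     esp,ebp
    pop     ebp
    ret
"""

MASK = 0xFFFFFFFF
MEM_PAT = re.compile(r"DWORD PTR \[(\w+)([+-]0x[0-9a-f]+)?\]", re.I)


class Cpu:
    """Just enough state for push/pop/mov/ret: four registers and a
    dword-addressed memory dict standing in for the stack."""

    def __init__(self, stack_top=0x1000):
        self.regs = {"eax": 0, "ebx": 0, "ebp": 0, "esp": stack_top}
        self.mem = {}

    def _addr(self, m):
        return (self.regs[m.group(1)] + int(m.group(2) or "0", 16)) & MASK

    def read(self, operand):
        m = MEM_PAT.fullmatch(operand)
        if m:
            return self.mem.get(self._addr(m), 0)
        if operand in self.regs:
            return self.regs[operand]
        return int(operand, 0) & MASK            # immediate

    def write(self, operand, value):
        m = MEM_PAT.fullmatch(operand)
        if m:
            self.mem[self._addr(m)] = value & MASK
        else:
            self.regs[operand] = value & MASK

    def push(self, value):
        self.regs["esp"] = (self.regs["esp"] - 4) & MASK
        self.mem[self.regs["esp"]] = value & MASK

    def pop(self):
        value = self.mem.get(self.regs["esp"], 0)
        self.regs["esp"] = (self.regs["esp"] + 4) & MASK
        return value

    def step(self, line):
        """Execute one instruction; returns the popped return address on ret."""
        op, _, rest = line.strip().partition(" ")
        args = [a.strip() for a in rest.split(",", 1)] if rest.strip() else []
        if op == "push":
            self.push(self.read(args[0]))
        elif op == "pop":
            self.write(args[0], self.pop())
        elif op == "mov":
            self.write(args[0], self.read(args[1]))
        elif op == "ret":
            return self.pop()
        else:
            raise ValueError("unsupported instruction: %r" % line)
        return None


def call(listing, *args, ret_addr=0xDEADBEEF):
    """Simulate `call asm0(args...)` under cdecl and return eax."""
    cpu = Cpu()
    for a in reversed(args):            # cdecl: rightmost argument pushed first
        cpu.push(a)
    cpu.push(ret_addr)                  # what the `call` instruction pushes
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue                    # skip blanks and labels
        ret = cpu.step(line)
        if ret is not None:
            assert ret == ret_addr, "return address was clobbered"
            break
    return cpu.regs["eax"]


def asm0(a, b):
    return call(ASM0, a, b)


if __name__ == "__main__":
    print(hex(asm0(0xb6, 0xc6)))
```

Stepping through it shows the two loads pick the first and second arguments off the caller's stack and the final `mov eax,ebx` makes the second one the return value, so asm0 returns whatever it was passed as its second argument.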

PicoCTF 2018 – Reverse Engineering – Reversing Warmup 2

Objective: Can you decode the following string dGg0dF93NHNfczFtcEwz from base64 format to ASCII?

Hints: (1) Submit your answer in our competition's flag format. For example, if your answer was 'hello', you would submit 'picoCTF{hello}' as the flag.

Solution:

    @pico-2018-shell:/problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c$ echo dGg0dF93NHNfczFtcEwz | base64 --decode
    th4t_w4s_s1mpL3

picoCTF{th4t_w4s_s1mpL3}

PicoCTF2018 – Reverse Engineering – reversing warmup 1

Objective: Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c on the shell server and run this program [1] to retrieve the flag?

Hints: (1) If you are searching online, it might be worth finding how to execute a program in the command line.

Solution: So this is a warmup, so it is super simple. I just connected up to the shell and cd'd to the problem folder:

    pico-2018-shell:/problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c$ ls
    run

So there is a program in there called run.

    @pico-2018-shell:/problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c$ ./run
    picoCTF{welc0m3_t0_r3VeRs1nG}

There is the flag.

PicoCTF2018 – Web – Artisinal Handcrafted HTTP 3

Objective: We found a hidden flag server hiding behind a proxy, but the proxy has some... _interesting_ ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via nc 2018shell.picoctf.com 18685, and use the proxy to send HTTP requests to `flag.local`. We've also recovered a username and a password for you to use on the login page: `realbusinessuser`/`potoooooooo`.

Hint: (1) _Be the browser._ When you navigate to a page, how does your browser send HTTP requests? How does this change when you submit a form?

Solution: This is my first time sending HTTP GET and POST manually, so I leaned pretty heavily on online resources.

    @pico-2018-shell:~$ nc 2018shell.picoctf.com 18685
    Real Business Corp., Internal Proxy Version 2.0.7
    To proceed, please solve the following captcha:
     _____           __            / __   \         /
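Added example (not from the write-up): the raw bytes a browser would send for the two steps the hint describes, the GET that fetches a page and the POST that submits a login form, built by hand so they can be pasted into the nc session. Only the host name flag.local and the credentials realbusinessuser/potoooooooo come from the challenge text; the /login and /flag paths, the `user` and `pass` field names, and the sample Set-Cookie response used to show the session hand-off are assumptions made for the example.

```python
from typing import Dict, List, Optional
from urllib.parse import urlencode

HOST = "flag.local"   # from the challenge text; the paths below are assumed


def build_get(path: str, cookie: Optional[str] = None) -> bytes:
    """Minimal HTTP/1.1 GET: the request line, a Host header (required in
    HTTP/1.1, and what a name-based proxy routes on), optional Cookie,
    and the blank line that ends the headers."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % HOST, "Connection: close"]
    if cookie:
        lines.append("Cookie: %s" % cookie)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_form_post(path: str, fields: Dict[str, str]) -> bytes:
    """What a browser sends for a plain <form method="POST">: the fields
    URL-encoded into the body, the matching Content-Type, and a
    Content-Length that must equal the body size exactly or the server
    will wait for more bytes (or cut the body short)."""
    body = urlencode(fields).encode("ascii")
    head = "\r\n".join([
        "POST %s HTTP/1.1" % path,
        "Host: %s" % HOST,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
        "Connection: close",
    ])
    return head.encode("ascii") + b"\r\n\r\n" + body


def parse_set_cookie(response: bytes) -> Optional[str]:
    """Pull the name=value pair out of the first Set-Cookie header, which
    is what the browser would send back on the next request."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"set-cookie:"):
            value = line.split(b":", 1)[1].strip().decode("ascii")
            return value.split(";", 1)[0]
    return None


# Constructed sample response (not captured from the real server) so the
# cookie hand-off can be exercised offline.
SAMPLE_LOGIN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: session=abc123; HttpOnly\r\n"
    b"Location: /flag\r\n"
    b"\r\n"
)


def login_exchange() -> List[bytes]:
    """The three requests a browser would emit in order: load the login
    page, submit the form, then follow to the flag page with the cookie."""
    creds = {"user": "realbusinessuser", "pass": "potoooooooo"}
    cookie = parse_set_cookie(SAMPLE_LOGIN_RESPONSE)
    return [
        build_get("/login"),
        build_form_post("/login", creds),
        build_get("/flag", cookie),
    ]


if __name__ == "__main__":
    for msg in login_exchange():
        print(msg.decode("ascii"))
        print("-" * 40)
```

When typing these into nc by hand, the blank line after the headers is the part most often forgotten, and a Content-Length that is off by even one byte makes the server hang or truncate the form; the real field names have to be read out of the login page's HTML first, which is why the GET comes before the POST.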

PicoCTF2018 – Web – The Vault

Objective: There is a website running at http://2018shell.picoctf.com:64349 (link [1]). Try to see if you can login!

Solution: Ok, this site is nice enough to give us the code for login.php. Looking in the code you can see there is an attempt to sanitize inputs using regular expressions. It creates a variable named pattern which is a regex used to match against the variables:

    //validation check
    $pattern ="/.*['\"].*OR.*/i";
    $user_match = preg_match($pattern, $username);
    $password_match = preg_match($pattern, $username);
    if($user_match + $password_match > 0)
    {
      echo "<h1>SQLi detected.</h1>";
    }
    else {
      $result = $con->query($query);
      $row = $result->fetchArray();
      if ($row) {
        echo "<h1>Logged in!</h1>";
        echo "<p>Your flag is: $FLAG</p>";
      } else {
        echo &quo
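Added example (not from the write-up): the login.php filter shown above re-implemented in Python so its behaviour can be checked offline. The pattern /.*['\"].*OR.*/i is kept verbatim, the copy-and-paste bug visible in the PHP (both preg_match calls run on $username, so $password is never screened) is reproduced in vault_filter_as_written() and corrected in vault_filter_fixed(), and the input strings are constructed test values for the filter, not a statement about what the backend query accepts.

```python
import re

# Same regex as the PHP: a quote followed anywhere later by "OR", case-insensitive.
# Like PCRE without the /s modifier, Python's "." does not match a newline.
PATTERN = re.compile(r".*['\"].*OR.*", re.I)


def sqli_detected(value: str) -> bool:
    """Equivalent of preg_match($pattern, $value) > 0."""
    return PATTERN.search(value) is not None


def vault_filter_as_written(username: str, password: str) -> bool:
    """Mirrors the page's code exactly: both matches are computed on the
    username, so the password argument is never looked at."""
    user_match = sqli_detected(username)
    password_match = sqli_detected(username)   # bug reproduced: should be password
    return user_match or password_match


def vault_filter_fixed(username: str, password: str) -> bool:
    """The one-word fix: screen the password as well."""
    return sqli_detected(username) or sqli_detected(password)


def classify(username: str, password: str) -> dict:
    """Show which filter version would block a given login attempt."""
    return {
        "as_written": vault_filter_as_written(username, password),
        "fixed": vault_filter_fixed(username, password),
    }


# Constructed probe values exercising the filter, not captured traffic.
PROBES = [
    ("alice", "hunter2"),            # benign
    ("' OR 1=1 -- ", "x"),           # classic quote + OR in the username
    ("alice", "' OR 1=1 -- "),       # same thing in the password field
    ("alice", "'\nOR 1=1 -- "),      # newline: "." stops there in PCRE and re
    ("alice", "' || 1=1 -- "),       # no literal OR, so the regex never fires
]

if __name__ == "__main__":
    for user, pw in PROBES:
        print(repr(user), repr(pw), classify(user, pw))
```

Running the probes shows the two separate weaknesses: the as-written check lets anything through the password field because of the wrong variable, and even the fixed check is a keyword blacklist that a newline or a different operator spelling walks past. A parameterised query, not a regex, is what actually stops the injection.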

PicoCTF2018 – Web – Buttons

Objective: There is a website running at http://2018shell.picoctf.com:18342 (link [1]). Try to see if you can push their buttons.

Hints: What's different about the two buttons?

Solution: Okay, let's walk through this site and see what we see. The first page is a button, nothing interesting in the source code. The second page is a hyperlink named button2 pointing to button2.php:

    You did it! Try the next button: <a href="button2.php">Button2</a>

This button loads up a page named boo.html which loads a rickroll, but there is a message saying FORM DISABLED. THIS INCIDENT HAS BEEN LOGGED AND REPORTED TO /dev/null. Let's look in the source here. This looks interesting:

    <form action="button2.php" method="POST">

button2.php, method POST. Let's load up Burp Suite and see what we can see. The site map for button2.php is using GET

PicoCTF2018 – Web – Secret Agent

Objective: Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. http://2018shell.picoctf.com:3827 (link [1])

Hints: (1) How can your browser pretend to be something else?

Solution: Ok, so this one looks like it's referencing a user agent, which is what your browser tells the website about your computer, such as OS and browser. So if you click on the flag button in the website you get this error message: "You're not google!" That is the clue we are looking for: it's checking to see if the user agent is Google. I used a Chrome extension called "User-Agent Switcher" to change my user agent to replicate that of the Googlebot, which is Google's spider agent. Tried the flag button again and got the flag.

Flag: picoCTF{s3cr3t_ag3nt_m4n_12387c22}