PicoCTF 2022

PicoCTF is one of my favourite CTF’s and I highly recommend it to those who have recently started taking part in these competitions and are looking for something which is beginner friendly. Special thanks to my team member Siddharth Pandya for being a valuable asset and keeping me motivated all the way through. This writeup has the solutions for the following challenges:

  • Forensics
    • Enhance
    • Lookey Here
    • Packets Primer
    • Redaction Gone Wrong
    • Sleuthkit Intro
    • St3g0
  • Web Exploitation
    • Inspect HTML
    • Includes
    • Search Source
    • Power Cookie
    • Local Authority
    • Roboto Sans
  • Cryptography
    • Morse Code
    • Rail Fence
    • Substitution0
    • Vigenere
  • Reverse Engineering
    • Patchme.py
    • Bloat.py
    • Fresh Java

 

Enhance

Solution: The flag lies in the textual material of the image which can be accessed with a text editor (gedit, nano, etc), a browser (chrome, firefox, etc) or by simply applying cat to it. The characters are separated by a space which needs to be removed.

Flag: picoCTF{3nh4nc3d_aab729dd}

Lookey Here

Solution: The question provides us with a text file which contains a lot of material. The flag resides in between the text and finding it manually doesn’t make sense. Since we already know that the flag starts with “picoCTF” therefore the best solution is to find for this string in the file which can be done with either a text editor or by using grep.

Flag: picoCTF{gr3p_15_@w3s0m3_4c479940}

Packets Primer

Solution: We’ve been provided with a packet capture so the first thing that we’ll do is to analyze it using Wireshark. In order to look for the packet, right click on any TCP packet and Follow -> TCP Stream. The flag is revealed in plain text.

Flag: picoCTF{p4ck37_5h4rk_ceccaa7f}

Redaction Gone Wrong

Solution: This one is slightly tricky. The question provides us with a PDF file where some of the data has been blacked out. In order to obtain the flag we can open the PDF as a word document (using MS Word, LibreOffice Writer, etc) and simple copy the blacked out text and paste it in a text editor to reveal it.

Flag: picoCTF{C4n_Y0u_S33_m3_fully}

Sleuthkit Intro

Solution: The question provides us with a disk image and the first course of action that came to my mind was to mount it. However if you take a look at the checker program than you’ll realize that it just asks for the sector length. The question already has provided us with a way of finding it using mmls. An alternative way is to use fdisk as shown below.

The next step is just to run the access checker program and provide it the sector size which is 202752.

Flag: picoCTF{mm15_f7w!}

St3g0

Solution: The question provides us with an image where the flag has been embedded into it. It can be revealed with the help of a program called zsteg as shown below.

The other methods that I tried before stumbling upon the solution were: cat, strings, display, exiftool, steghide, binwalk and ghex.

Flag: picoCTF{7h3r3_15_n0_5p00n_96ae0ac1}

Inspect HTML

Solution: This is a very simple question and even its name is a dead giveaway to the flag’s location. The question provides us with a website which hides the flag in its source code.

Flag: picoCTF{1n5p3t0r_0f_h7ml_1fd8425b}

Includes

Solution: This is another simple challenge where the name is a pretty solid hint to the required technique. We are provided with a static web page with the flag residing in the files that make it up. So fire up its source code and open every file that you come across. The flags are in style.css and script.js.

Flag: picoCTF{1nclu51v17y_1of2_f7w_2of2_df589022}

Search Source

Solution: Now since the name of the question is search source then it pretty much directs us towards its source code. The source code in itself doesn’t have the flag but its files could surely do. But the problem is that we have several files to search which could be tiring and time consuming. A better approach is to give in to laziness and let the process be automated. For this we’ll make a copy of the entire website with the help of a tool called httrack as shown below.

The next step is to search every file for the flag for which we’ll use grep in a recursive manner. As we already know that the flag begins with pico we’ll leverage that and find the entire flag with the following command: grep -r pico

Flag: picoCTF{1nsp3ti0n_0f_w3bpag3s_587d12b8}

Power Cookie

Solution: The question presents us with a webpage which has a button named as Continue as guest. However upon clicking it you’ll be hit with an error message that says no guest service is available at the moment. Lets follow on with the hint that lies in the question’s name. Open inspect panel followed by Storage and Cookies. Here we have a single cookie called isAdmin with a value of 0. This essentially means that you as a user is visiting the site as a guest. Lets change this value to 1 which makes us the admin of this page and reload it.

Flag: picoCTF{gr4d3_A_c00k13_5d2505be}

Local Authority

Solution: The question provides us with a webpage which takes in a username and a password. Since we don’t have the correct credentials we’ll get treated with a Login Failed message. Lets see how these credentials are being handled. For this we’ll open the source code of the page and follow on to the login.php file. This page puts forward a bunch of scary code. Allow me to break down the important part to you.

Here you can see that the checkPassword function takes in the username and password that we provide and decide whether they are correct or not and accordingly return one of the following three messages: Log in Successful, Log In Failed and Illegal character in username or password. So our next step is to analyze this function for which we’ll open secure.js file in the script tag.

It provides us with a username and password. Lets try to key this into the login page. As expected we have logged in successfully and obtained the flag for this challenge.

Flag: picoCTF{j5_15_7r4n5p4r3n7_05df90c8}

Roboto Sans

Solution: We are provided with a link to a webpage which doesn’t hold any useful information about the flag. However we do have a hint in the form of the question’s name. Lets see what the robot file has in store for us. We’ll add robots.txt after the URL of the website to visit it.

This provides us with three ciphers but we don’t have any information about the used encryption algorithm. Take a close look at the second cipher. Noticed any hint? The double equal sign at the end of it points us to base64. Alternatively you could also use hashid or the analyze function of CyberChef. Now I’ll be using base64decode.org to decode it but you can go ahead with any other site that performs the same function.

Upon using the first plaintext we are treated with a not found page. So lets move onto the second plaintext while the third plaintext is of no use. The second plaintext does provide us with the flag for this challenge.

Flag: picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043}

Morse Code

Solution: The question provides us with a wav file which seems to have the dots and dashes used in morse code. One way to obtain the text out of this is to listen for the sounds and convert them manually. Another way is to use https://morsecode.world/international/decoder/audio-decoder-adaptive.html where we’ll upload our wav file and let the website convert it into text. The output would look as follows:

Remember to replace space with underscore and converting all alphabets to lowercase.

Flag: picoCTF{wh47_h47h_90d_w20u9h7}

Rail Fence

Solution: The question provides us with ciphertext, encryption algorithm as well as the key which makes it a super simple challenge. Download the message and head on to https://www.boxentriq.com/code-breaking/rail-fence-cipher. Simply paste the code and change the rails to 4 and you’ll be treated with the flag in the result box.

Flag: picoCTF{WH3R3_D035_7H3_F3NC3_8361N_4ND_3ND_4A76B997}

Substitution0

Solution: This is another simple challenge where the downloaded message provides us with the ciphertext and key while we already know that the encryption algorithm is substitution. This can be decoded with the help of https://cryptii.com/pipes/alphabetical-substitution by specifying the ciphertext and its key as shown below.

Flag: picoCTF{5ub5717u710n_3v0lu710n_59533a2e}

Vigenere

Solution: Similar to the previous question we have been provided with the ciphertext, key and encryption algorithm. We’ll use the same website mentioned before i.e. https://cryptii.com/pipes/alphabetical-substitution to solve this challenge. The provided information can be entered as shown below to obtain the flag.

Flag: picoCTF{d0nt_us3_v1g3n3r3_c1ph3r_ae82272q}

Patchme.py

Solution: The challenge provides us a python file and a text file which contains the encrypted flag. The python file upon executing requires a password however we don’t possess one as of yet. So lets try understanding how this python file has been coded for which we’ll open it using any text editor.

We can see that the password has been provided to use and we can simply use it but there’s another fun way to do this. Lets change the password to something else and use it upon execution. The modified code would look as shown below.

Next we’ll execute the python file and provide the password as 1234567 to obtain the flag.

Flag: picoCTF{p47ch1ng_l1f3_h4ck_c4a4688b}

Bloat.py

Solution: The challenge provides us with a python file along with an encrypted flag file. The python file has been obfuscated to make it harder to understand. I’ve provided a deobfuscated version of it below so that it can be easily grasped. This is done by creating a separate python file and copying variable a along with a print statement for every usage of it.

This shows that the file would ask for a password upon its execution which happens to be “happychance”. So lets move on with it and receive our password.

Flag: picoCTF{d30bfu5c4710n_f7w_b8062eec}

Fresh Java

Solution: This challenge provides us with a java class file however it uses some weird encoding due to which it becomes difficult to understand it. This can be solved with online java decompilers such as http://www.javadecompilers.com/result and https://www.javainuse.com/decomp which takes care of this and provides us with an easy to grasp output. Taking a look at this new code you’ll realize that the key has been provided to us in the form of if statements. So all you have to do is start from the bottom of this document and record the keys while moving up. This will allow you to obtain the flag of this question in a comprehensible manner.

Flag: picoCTF{700l1ng_r3qu1r3d_738cac89}