Write-up

Starting your instance also enables the download links to the source code and the compiled binary. You should download both.

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}

int win() {
FILE *fptr;
char c;

printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
    printf("Cannot open file.\n");
    exit(0);
}

// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
    printf ("%c", c);
    c = fgetc(fptr);
}

printf("\n");
fclose(fptr);
}

int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered

printf("Address of main: %p\n", &main);

unsigned long val;
printf("Enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
printf("Your input: %lx\n", val);

void (*foo)(void) = (void (*)())val;
foo();
}

Executing the binary or connecting to the instance via netcat shows this:

Address of main: 0x5712addbd33d
Enter the address to jump to, ex => 0x12345:

Note that the challenge deals with PIE (Position Independent Executable, a.k.a. PIC or Position Independent Code), which means the addresses will change each time the program is run. This makes exploitation harder -- but not impossible (far from it). PIE relies on relative addresses (an offset) added to a base address (the part that changes every time the program is run) to get an absolute address (the final address from which the function executes).

This can be a bit overwhelming, but seeing it in action can help us understand. Running the vulnerable program multiple times shows us, as an example:

Address of main: 0x5600239a333d
    [...]    : 0x55b6c774e33d
    [...]    : 0x557a3cde733d

...And so on. Notice something? The last three digits never change. Our offset is 0x33d.

Subtracting 0x33d from any of the absolute addresses (i.e. what the program tells us is the address of main) gets us the base address. Keep this in mind.

If we examine the binary using gdb (GNU Debugger), we'll see:

$ gdb ./vuln

[...]
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
  0x000000000000133d <+0>:	endbr64
  0x0000000000001341 <+4>:	push   rbp
[...]

The main function's address has an offset of 0x33d (don't get confused by the leading 1), as we discovered.

Look again at the source code: there's a win function, which is the one that'll give us the flag. Since we're examining the local binary, make a flag.txt file in the same folder as vuln. The contents aren't important, but do write something; I styled mine after the picoCTF flags. This is to make sure our exploit works before trying it for real.

picoCTF{hehehehe}

Now, going back to gdb, let's disassemble the win function.

(gdb) disassemble win
Dump of assembler code for function win:
  0x00000000000012a7 <+0>:	endbr64
  0x00000000000012ab <+4>:	push   rbp
[...]

The win function is located at offset is 0x2a7 (again, don't mind the leading 1, which you'll note doesn't change -- it's part of the base address in gdb)

With this information, let's execute vuln locally.

$ ./vuln

Address of main: 0x55fe44b5333d
Enter the address to jump to, ex => 0x12345: 

Remember that the addresses change every time the program is run, so:

1. The given address will naturally be different for you, so don't mindlessly copypaste from this writeup.
2. Don't input anything yet, keep the program running.

The base address in this case is 0x55fe44b53000 (0x55fe44b5333d − 0x33d). Base addresses must always end in 000.

Given that we know that the offsets never change (0x33d for main, 0x2a7 for win), we can add win's offset to our current base address to get our flag.

Enter the address to jump to, ex => 0x12345: 0x55fe44b532a7
You won!
picoCTF{hehehehe}

Great! Now we just need to repeat the process in the provided netcat instance. For brevity I will skip it, except for...

$ nc rescued-float.picoctf.net [port]
Address of main: 0x5712addbd33d
Enter the address to jump to, ex => 0x12345: 0x5712addbd2a7
Your input: 5712addbd2a7
You won!
picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_XXXXXXXX}

Write-up

Once you connect to the challenge instance, you're greeted with a series of three hashes and prompted to enter the corresponding plaintext passwords. The hashes start from a very weak hashing algorithm (MD5) to the de facto standard (SHA256).

Hashes aren't reversible (in theory), so in order to crack hashes attackers use rainbow tables, which contain precomputed hashes from a wordlist.

After connecting to our instance...

Welcome!! Looking For the Secret?
We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash:

I will describe how to complete this challenge using hashcat.

First, we need to determine what hashing algorithm is being used. I've already told you the first and last, but let's assume we don't know.

One way is to study the hashes provided for a bit. The first one is 32 characters long; this is typical of MD5 hashes (128-bit or 16-byte). The 32 characters are perhaps more appropriately termed 32 hexadecimal digits (0-F, that is 0 to 16).

Other hashing algorithms work similarly: a 40-digit hash is likely SHA-1, and a 64-digit hash is likely SHA-256.

Hashcat can also guess, but since this means repeating commands it may or may not be more effective (these hashing algorithms are all very common, for one.)

In any case, if you'd like hashcat to autodetect:

$ hashcat --attack-mode 0 482c811da5d5b4bc6d497ffa98491e38 /usr/share/wordlists/rockyou.txt

Attack mode 0 is a dictionary attack; we provided the hash given by the challenge instance, and finally the dictionary (or wordlist) to use. After a few seconds hashcat will output a table with suggestions: MD4, MD5, variants of MD5 (salted, etc.), and a few operating system and application specific hashes.

Simple common sense is to try the most common and most vulnerable hashing algorithm.

$ hashcat --hash-type 0 --attack-mode 0 482c811da5d5b4bc6d497ffa98491e38 /usr/share/wordlists/rockyou.txt

Hash Type 0 is MD5.

After a few seconds, we get our answer:

482c811da5d5b4bc6d497ffa98491e38:password123

Input this extremely effective password into our challenge instance and, after a brief congratulations, are given another hash to crack. Note that the output is hash:password -- use the password!

Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash:

Same protocol as before: either make an educated guess and look up hashcat's codes for each hashing algorithm (either with the built-in help or via hascat's wiki) or have hashcat do the job for you. This one is SHA-1 (or SHA1), unsalted.

$ hashcat --hash-type 100 --attack-mode 0 b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3 /usr/share/wordlists/rockyou.txt

b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3:letmein

Input the password and you'll be given the final challenge. Do as before; this time is a SHA-256 (SHA2-256 in hashcat's reference table) unsalted hash.

Almost there!! Crack this hash: 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745
Enter the password for the identified hash:

$ hashcat --hash-type 1400 --attack-mode 0 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745 /usr/share/wordlists/rockyou.txt

916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745:qwerty098

Input the final password and you'll get your flag.

picoCTF{UseStr0nG_h@shEs_&PaSswDs!_XXXXXXXX}

Write-up

Upon connecting to the instance, players are greeted by a mouse trying to determine if you're their real friend or a malicious clone.

*******************************************
***             Part 1                  ***
***    The Mystery of the CLONED RAT    ***
*******************************************

The super evil Dr. Lacktoes Inn Tolerant told me he kidnapped my best friend, Squeexy, and replaced him with an evil clone! You look JUST LIKE SQUEEXY, but I'm not sure if you're him or THE CLONE. I've devised a plan to find out if YOU'RE the REAL SQUEEXY! If you're Squeexy, I'll give you the key to the cloning room so you can maul the imposter...

Here's my secret cheese -- if you're Squeexy, you'll be able to guess it:  [encoded cheese]
Hint: The cheeses are top secret and limited edition, so they might look different from cheeses you're used to!
Commands: (g)uess my cheese or (e)ncrypt a cheese

The given cheese looks like a mangled bunch of letters in all caps. The challenge has a hint that proves very telling on which cipher we're working with. (It's the Affine Cipher, which uses a linear function).

The g option prompts players to input the decoded cheese. Failure to do so ends the game.

The e option prompts players to encode a cheese. Note that this isn't just thematic flavor -- input is limited to a set of actual, real cheeses. My favorites to try for this challenge are 'monterey jack' and 'quatre-vents', as they contain a pretty nice set of distinct alphabet letters.

Note that you only get 3 attempts at proving yourself, inclusive of any input errors. Spend your chances and the game ends.

Now, what cipher are we working with? (Let's pretend we don't know and we didn't look at the hint). If you look at your given cheese (and assuming at least some passing knowledge of ciphers), it looks like it may be some sort of substitution cipher. Every time we enter the instance, it changes in some way -- encrypt 'monterey jack' and each time and it will look different.

By encrypting a known plaintext (i.e. a cheese) we can use dCode's Cipher Identifier to figure it out. I'll use a particular instance as an example:

Here's my secret cheese -- if you're Squeexy, you'll be able to guess it:  LNGBOLNIC

And I encrypt a cheese...

What cheese would you like to encrypt? monterey jack
Here's your encrypted cheese:  DXAIBOBTIMNHJ
Not sure why you want it though...*squeak* - oh well!

While you could try with the secret cheese from the get-go, the (frequently) very short length of the encoded cheese means the suggestions may not be too useful, though you're free to go ahead and try them out.

Input our encoded cheese into the Cipher Identifier along with the plaintext as a keyword/hint and we'll be given a list of suggestions to try. Feel free to try different cheeses.

The top suggestion is generally the Affine Cipher.

We can use dCode's Affine Cipher decoder to bruteforce our encoded cheese and find out A and B. Using the bruteforce button we'll be shown in a sidebar to the left all possibilities -- ideally, our plaintext cheese will be near the top. I really recommend to give the page a read, it's really interesting and contextualizes the hint we were provided with.

Write down A and B. In my example (monterey jack = DXAIBOBTIMNHJ), it was A=23 and B=13.

Now, using that same page (or CyberChef or something else, if you wish), we can put the encoded cheese we have to guess with these coeficients.

In my case, LNGBOLNIC became SALERSATV (It seems to be the Salers cheese with some extra characters at the end. Something like a salt?).

Commands: (g)uess my cheese or (e)ncrypt a cheese
What would you like to do?
g

[ASCII art mice]

SQUEAK SQUEAK SQUEAK

[ASCII art mouse]

Is that you, Squeexy? Are you ready to GUESS...MY...CHEEEEEEESE?
Remember, this is my encrypted cheese:  LNGBOLNIC
So...what's my cheese?
SALERSATV

[ASCII art depicting a sequence of the unnamed mouse eating the cheese]

MUNCH.............
YUM! MMMMmmmmMMMMmmmMMM!!! Yes...yesssss! That's my cheese!
Here's the password to the cloning room:  picoCTF{ChEeSyXXXXXXXX}

And that's it.

Write-up

This is an introductory steganography challenge. The flag is hidden inside the image, somehow.

Typical hiding places include inside the metadata tags, but in this case is least-significant bit steganography.

Taking advantage of what digital images are, people can encode messages inside images by changing the least-significant bits (remember that each character has an equivalent value in hex; see an ASCII table). This encodes information without causing visual disruption (i.e. garbage pixels)

Try playing with this tool by comparing two identical colors, and then change the last bit with values from 0 to F. Notice how the changes are extremely subtle... In a complete image, it wouldn't be perceptible at all.

Download the image and simply run zsteg.

$ zsteg red.png

The output contains the flag, encoded in base64.

meta Poem           .. text: "Crimson heart, vibrant and bold,\nHearts flutter at your sight.\nEvenings glow softly red,\nCherries burst with sweet life.\nKisses linger with your warmth.\nLove deep as merlot.\nScarlet leaves falling softly,\nBold in every stroke."
b1,rgba,lsb,xy      .. text: "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ=="

The poem, by the way, is hidden in the metadata. We could've uncovered it with exiftools, but alas that's not the flag. Note how zsteg notes the base64 string is hidden in the least significant bits (lsb).

Decode it with CyberChef and get your flag. This time around, it doesn't seem to have the usual 8 character hash...

picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}

Write-up

This time we're given a PCAP (Packet Capture) file, which we must investigate to find the flag.

I will assume you have some basic familiarity with Wireshark (for this challenge, that practically only implies "can launch the program").

However, before doing that, let's run the strings command against the PCAP file. It kinda goes against the spirit of the exercise, but maybe the flag is in plain sight.

$ strings myNetworkTraffic.pcap

ezF0X3c0cw==
cGljb0NURg==
bnRfdGg0dA==
Yt8ksMM=
3psv5C4=
YQEFzIU=
YmhfNHJfOQ==
a23/UbI=
TOGSGg4=
bpzQ0R8=
fQ==
nfu4Vww=
J4auZMY=
ePRXDio=
fjIzQwk=
XThGxuE=
ckBkZLk=
CJr4oDk=
BgJLB0c=
XzM0c3lfdA==
NTlmNTBkMw==
dgV9v0s=

At least looking at the output, it sure looks like base64. Dumping this into CyberChef reveals that among the base64-encoded gibberish are chunks of the flag. While we could try to reconstruct it, perhaps it's better to investigate with Wireshark.

After opening the packet capture, I noticed a few things:

• This is a very tiny file. appropriate for this beginner's challenge, but I did a double-take at first!
• All the connections are TCP; most of them (suspected) retransmissions.
• Most have negative time. I don't quite understand the significance even after some research (something about delta time?), but it does hint that something is afoot, and that the default ordering by Wireshark is not necessarily correct or useful to us.

If you sort the packets by time it becomes clear that most of the packets have a content length of 8 (Len=8); the gibberish base64-encoded strings we uncovered earlier are all 8 characters long.

The ones with a length of 12 (Len=12) correspond to the flag chunks, as seen in the payload pane; and the sole packet with a length of 4 is a single character in base64 (the closing curly bracket).

Join together these base64-encoded chunks and you get the flag.

picoCTF{1t_w4snt_th4y_34sy_tbh_4r_XXXXXXXX}

Write-up

Players are given a disk image of a Bitlocker-encrypted disk (bitlocker-1.dd)

This challenge requires of quite a few steps to solve. With Bitlocker encryption it's impossible to do most of anything from the get-go; we must use specialized tools for the task.

Note that I use Kali Linux, so my instructions are geared towards that (or similar Linux systems).

After downloading our bitlocker-1.dd image, we must get the password hashes for this encrypted drive with John The Ripper's bitlocker2john

bitlocker2john -i bitlocker-1.dd > bitlocker-1-hash.txt

Feel free to look at the file to check it's correct. You should have hashes starting with $bitlocker$. You may name your .txt file anything you want, of course.

Now we must use these hashes paired with our RockYou password list.

hashcat --hash-type 22100 --attack-mode 0 bitlocker-1-hash.txt /usr/share/wordlists/rockyou.txt

22100 is Bitlocker; attack mode 0 is a dictionary attack; first we provide the file with the hashes we want to check against the wordlist we want to use.

Check the docs for other ways to use it.

Run the program and wait for it to finish; feel free to read the outputs as it goes.

I did not have any issues and it did not take very long on a not-very-good laptop, though obviously more advanced and sophisticated uses of hashcat will really benefit (if not actually need) much better hardware.

The final output might be a bit unintuitive (it was for me, at any rate).

It outputs the hash that had a match, like so:

$bitlocker$[very long hash]:[cracked password]

In this case, the password was jacqueline. (Jacky...)

And below that line is information on the cracking process, such as time started and ended (mine took 27 seconds) among other things. Don't get confused by the "Candidates" row.

Now, we have a password. But what do we do? We can't mmls the file, or even mount it ('unknown filesystem type Bitlocker')... This is where dislocker comes in.

First, make the folders where we'll mount things. The way dislocker works is that it decrypts the Bitlocker disk image at a specified mountpoint, where it drops dislocker-file. This is a flat file that can be mounted as a NTFS partition. You cannot just open or browse dislocker-file; you must mount it elsewhere.

$ sudo mkdir /media/bitlockermnt

$ sudo mkdir /media/bitlockerdecrypt

These are the names I used; use the ones you please.

I struggled quite a bit using dislocker -- the program itself is not too difficult, but you may run into issues regarding file and mounting permissions (as I did for an embarrassingly long time). So, as recommended in a dislocker issue, do this:

$ sudo su -

Now you're root. Be careful! Now do:

# dislocker -ujacqueline /home/kali/Downloads/bitlocker-1.dd /media/bitlockerdecrypt

Obviously replacing my filepaths with your own. As previously explained, this will place a file called dislocker-file in /media/bitlockerdecrypt

And finally, do:

# mount -o loop,ro /media/bitlockerdecrypt/dislocker-file /media/bitlockermnt

(if you don't specify -o loop,ro it will complain about unclean filesystems and will try to open it as read-only. Might as well skip that, no?)

And it's mounted. At least in my case, it doesn't appear mounted in the file manager (unlike bitlockerdecrypt), so you must go to /media/bitlockermnt manually (preferably from the CLI).

# ls /media/bitlockermnt

'$RECYCLE.BIN'   flag.txt  'System Volume Information'

Read the file in the way you prefer, and you'll get your flag.

# cat /media/bitlockermnt/flag.txt

picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_XXXXXXXX}

Unmount the folders we used, and don't forget to exit root.

Write-up

Players are provided with a Windows XML EventLog (.evxt) file, which they must analyze to find the flag, which has been split into 3 parts and located in events that are evidence of the alleged malware.

Write-up

We're given a Bitlocker-encrypted disk image (.dd) once again; we must decrypt it and find the flag. This time around, Jacqueline "Jacky" (allegedly) learned the lesson from Bitlocker-1 and has an (allegedly) much better password.

I found this quite challenging, but unfortunately less because of any merits of its design and more because I (once again) had to wrangle with the tools necessary to complete this challenge for an absurdly long time. Oh, to be a greenhorn is to suffer.

Write-up

An easy challenge that will put to the test your skills using your preferred browser's web developer tools.

Write-up

After firing up the instance, players are dropped into what looks like a small (and rather amateurish) blogging platform. Most links send you back to this page, and most elements aren't interactive at all. The "About Us" and "Services" pages are unrelated to the challenge.

Write-up

After firing up the instance, you'll be granted access to a tiny web application where you can upload a profile picture. However, as the name of the challenge implies, the image input is not sanitized at all. You can upload anything from images to text files (though that last one, naturally, doesn't display properly as an avatar).

After uploading the file, we're given the filepath to our upload, which we're free to check out. Going to the uploads folder is forbidden, though.

Write-up

The website is very simple. Users are given a text box in which they can write messages to "announce" (meaning that we're sent to a page with our message in very big letters. The messages aren't posted in a way we can see others' or others can see ours.)