picoCTF

Dvd848 · Oct 12, 2019 · c34f704 · c34f704
1 parent 2104cbf
commit c34f704
Show file tree

Hide file tree

Showing 22 changed files with 1,333 additions and 2 deletions.
diff --git a/2019_picoCTF/Based.md b/2019_picoCTF/Based.md
@@ -7,4 +7,109 @@ General Skills, 200 points
 
 ## Solution: 
 
+We connect to the service and get the following request:
+```console
+Let us see how data is stored
+chair
+Please give the 01100011 01101000 01100001 01101001 01110010 as a word.
+...
+you have 45 seconds.....
 
+Input:
+```
+
+This looks like binary, let's decode:
+```python
+>>> for x in "01100011 01101000 01100001 01101001 01110010".split(" "):
+...     sys.stdout.write(chr(int(x, 2)))
+chair
+```
+
+Our input is accepted, and another request is received:
+```console
+Please give me the  146 141 154 143 157 156 as a word.
+Input:
+```
+
+This looks like base 8 (highest value is 7), let's decode:
+```python
+>>> for x in "146 141 154 143 157 156".split(" "):
+...     sys.stdout.write(chr(int(x,8)))
+falcon
+```
+
+Since we keep getting new requests in different bases, let's write a script to decode a given sequence with an unknown base:
+```python
+from pwn import *
+import re
+import string
+
+#context.log_level = "DEBUG"
+
+r = remote("2019shell1.picoctf.com", 7380)
+
+def get_base_encoded_str(r):
+    s = r.recvuntil("the ")
+    if ("Please" not in s):
+        r.recvline()
+        return None
+    s = r.recvuntil(" as a word.", drop = True)
+    return s.strip()
+
+def decode_string_as_char_array(s, base):
+    res = ""
+    for unit in s.split(" "):
+        c = chr(int(unit, base))
+        if c not in string.ascii_letters:
+            raise Exception("Non-ASCII result")
+        res += c
+    return res
+
+def try_decode_as_char_array_with_unknown_base(s):
+    for base in range(1, 17):
+        try:
+            res = decode_string_as_char_array(s, base)
+            log.info("Decode successful with base {}".format(base))
+            return res
+        except:
+            pass
+    return None
+
+def try_decode_as_hex(s):
+    try:
+        return s.decode("hex")
+    except:
+        return None
+
+r.recvline()
+r.recvline()
+s = get_base_encoded_str(r)
+while s is not None:
+    log.info("Trying to decode '{}'".format(s))
+    res = try_decode_as_char_array_with_unknown_base(s) or try_decode_as_hex(s)
+    if res is None:
+        log.error("Can't decode '{}'".format(s))
+        break
+    log.info("Decoded as '{}'".format(res))
+    r.sendlineafter("Input:", res)
+    s = get_base_encoded_str(r)
+
+print r.recvall()
+```
+
+Output:
+```console
+root@kali:/media/sf_CTFs/pico/Based# python solve.py
+[+] Opening connection to 2019shell1.picoctf.com on port 7380: Done
+[*] Trying to decode '01110000 01100101 01100001 01110010'
+[*] Decode successful with base 2
+[*] Decoded as 'pear'
+[*] Trying to decode '164 145 163 164'
+[*] Decode successful with base 8
+[*] Decoded as 'test'
+[*] Trying to decode '737472656574'
+[*] Decoded as 'street'
+[+] Receiving all data: Done (57B)
+[*] Closed connection to 2019shell1.picoctf.com port 7380
+Flag: picoCTF{learning_about_converting_values_8e70d435}
+```
diff --git a/2019_picoCTF/Tapping.md b/2019_picoCTF/Tapping.md
@@ -4,7 +4,28 @@ Cryptography, 200 points
 ## Description:
 > Theres tapping coming in from the wires.
 
-
 ## Solution: 
 
+Let's connect to the service:
+```console
+root@kali:/media/sf_CTFs/pico/Tapping# nc 2019shell1.picoctf.com 37920
+.--. .. -.-. --- -.-. - ..-. { -- ----- .-. ... ...-- -.-. ----- -.. ...-- .---- ... ..-. ..- -. ..... ---.. ...-- ----. ----- ----- ----. ---.. .---- }
+```
+
+This looks like morse code.
+
+We can decode this with the [CyberChef Online API](https://github.com/gchq/CyberChef/wiki/Node-API).
+
+If you're using Kali, the NPM package which comes with the OS is outdated, and in order to update it you need to follow [these](https://npmerror.com/how-to-update-npm-in-linux/#comment-5) instructions. Then, you can install the CyberChef package globally using `npm install -g cyberchef  --unsafe-perm=true --allow-root`.
+
+Now we can decode the message using:
+```console
+root@kali:/media/sf_CTFs/pico/Tapping# export NODE_PATH=$(npm root --quiet -g)
+root@kali:/media/sf_CTFs/pico/Tapping# node
+> const chef = require("cyberchef");
+> chef.fromMorseCode(".--. .. -.-. --- -.-. - ..-.").toString() + "{" + chef.fromMorseCode(" -- ----- .-. ... ...-- -.-. ----- -.. ...-- .---- ... ..-. ..- -. ..... ---.. ...-- ----. ----- ----- ----. ---.. .---- ").toString() + "}"
+'PICOCTF{M0RS3C0D31SFUN583900981}'
+```
+
+
 
diff --git a/2019_picoCTF/WhitePages.md b/2019_picoCTF/WhitePages.md
@@ -4,7 +4,52 @@ Forensics, 250 points
 ## Description:
 > I stopped using YellowPages and moved onto WhitePages... but the page they gave me is all blank!
 
+The following file was attached (yes, it's composed of whitespaces):
+
+```
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
+```
 
 ## Solution: 
 
+If we inspect the file using a HEX editor, we can see that there are two types of whitespaces:
+
+```console
+root@kali:/media/sf_CTFs/pico/WhitePages# xxd -g 1 whitepages.txt  | head
+00000000: e2 80 83 e2 80 83 e2 80 83 e2 80 83 20 e2 80 83  ............ ...
+00000010: 20 e2 80 83 e2 80 83 e2 80 83 e2 80 83 e2 80 83   ...............
+00000020: 20 e2 80 83 e2 80 83 20 e2 80 83 e2 80 83 e2 80   ...... ........
+00000030: 83 e2 80 83 20 e2 80 83 e2 80 83 20 e2 80 83 20  .... ...... ...
+00000040: 20 20 e2 80 83 e2 80 83 e2 80 83 e2 80 83 e2 80    ..............
+00000050: 83 20 20 e2 80 83 20 e2 80 83 e2 80 83 20 e2 80  .  ... ...... ..
+00000060: 83 20 20 e2 80 83 e2 80 83 e2 80 83 20 20 e2 80  .  .........  ..
+00000070: 83 20 20 e2 80 83 20 20 20 20 e2 80 83 20 e2 80  .  ...    ... ..
+00000080: 83 e2 80 83 e2 80 83 e2 80 83 20 20 e2 80 83 20  ..........  ...
+00000090: e2 80 83 20 e2 80 83 20 e2 80 83 e2 80 83 e2 80  ... ... ........
+```
+
+We have the standard space (`0x20`), and the Unicode `EM SPACE` (`U+2003` / `0xE2 0x80 0x83`).
+
+Since we have only two options, let's try to treat them as binary.
+
+```python
+from pwn import *
+
+with open("whitepages.txt", "rb") as bin_file:
+    data = bytearray(bin_file.read()) 
+    data = data.replace(b'\xe2\x80\x83', b'0')
+    data = data.replace(b'\x20', b'1')
+    data = data.decode("ascii")
+    print unbits(data)
+```
+
+Output:
+```console
+root@kali:/media/sf_CTFs/pico/WhitePages# python solve.py
+
+        picoCTF
 
+        SEE PUBLIC RECORDS & BACKGROUND REPORT
+        5000 Forbes Ave, Pittsburgh, PA 15213
+        picoCTF{not_all_spaces_are_created_equal_f006c045f6b402ce4bc749dc7a262380}
+```
diff --git a/2019_picoCTF/asm1.md b/2019_picoCTF/asm1.md
@@ -4,7 +4,70 @@ Reverse Engineering, 200 points
 ## Description:
 > What does asm1(0x1f3) return? Submit the flag as a hexadecimal value (starting with '0x').
 
+```assembly
+asm1:
+	<+0>:	push   ebp
+	<+1>:	mov    ebp,esp
+	<+3>:	cmp    DWORD PTR [ebp+0x8],0x767
+	<+10>:	jg     0x512 <asm1+37>
+	<+12>:	cmp    DWORD PTR [ebp+0x8],0x1f3
+	<+19>:	jne    0x50a <asm1+29>
+	<+21>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+24>:	add    eax,0xb
+	<+27>:	jmp    0x529 <asm1+60>
+	<+29>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+32>:	sub    eax,0xb
+	<+35>:	jmp    0x529 <asm1+60>
+	<+37>:	cmp    DWORD PTR [ebp+0x8],0xcde
+	<+44>:	jne    0x523 <asm1+54>
+	<+46>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+49>:	sub    eax,0xb
+	<+52>:	jmp    0x529 <asm1+60>
+	<+54>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+57>:	add    eax,0xb
+	<+60>:	pop    ebp
+	<+61>:	ret    
+```
 
 ## Solution: 
 
 
+This is how the stack looks after performing the `mov ebp,esp` command:
+
+```
++---------+
+| old ebp | <-- ebp
++---------+
+| ret     | <-- ebp + 0x4
++---------+
+| 0x1f3   | <-- ebp + 0x8
++---------+
+```
+
+What happens later is:
+
+```assembly
+	<+0>:	push   ebp
+	<+1>:	mov    ebp,esp
+	<+3>:	cmp    DWORD PTR [ebp+0x8],0x767    ; Compare 0x1f3 to 0x767
+	<+10>:	jg     0x512 <asm1+37>              ; Jump not taken (0x1f3 is smaller)
+	<+12>:	cmp    DWORD PTR [ebp+0x8],0x1f3    ; Compare 0x1f3 to 0x1f3
+	<+19>:	jne    0x50a <asm1+29>              ; Jump not taken (they are equal)
+	<+21>:	mov    eax,DWORD PTR [ebp+0x8]      ; eax = 0x1f3
+	<+24>:	add    eax,0xb                      ; eax = 0x1f3 + 0xb = 0x1fe
+	<+27>:	jmp    0x529 <asm1+60>              ; Jump taken
+	<+29>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+32>:	sub    eax,0xb
+	<+35>:	jmp    0x529 <asm1+60>
+	<+37>:	cmp    DWORD PTR [ebp+0x8],0xcde
+	<+44>:	jne    0x523 <asm1+54>
+	<+46>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+49>:	sub    eax,0xb
+	<+52>:	jmp    0x529 <asm1+60>
+	<+54>:	mov    eax,DWORD PTR [ebp+0x8]
+	<+57>:	add    eax,0xb
+	<+60>:	pop    ebp                          ; We jump here
+	<+61>:	ret 
+```
+
+So the return value is `0x1fe`.