# PicoCTF 2019

## Glory of the Garden

Given an image (`garden.jpg`), can you find the flag?

Looking at the image didn't show much, and there was nothing immediately obvious in the metadata. Knowing that it is a 50 pt problem, it has to be pretty easy, so I ran strings against it and the last line includes: `Here is a flag "picoCTF{redacted_value}"`

---

## So Meta

Asked to find the flag in the provided picture: `pico_img.png`.

Probably could have used some image-processing tool to inspect the metadata, but I ran it through strings and immediately found what I was looking for (i.e. `$ strings pico_img.png | grep pico`).


---

## shark on wire 1

Given a capture file (`capture.pcap`), you are asked to recover the flag.

After noodling around a bit, I found the flag, but I wish I had a better way.

I searched for `pico` and found nothing.

I then went to `Statistics --> Conversations`. From there, I started looking around at ones that looked interesting, and started clicking on UDP conversations where there was data being sent back (e.g. `B --> A`). After clicking a few and pressing `Follow Stream...` I found the flag.

While this works for the problem, there *must* be a better way. I read a handful of write-ups, and many people "just searched" like I had and seemed to have stumbled upon it. I still don't like that as a sustainable approach, because it feels too much like luck.

I then found [this writeup](https://github.com/Dvd848/CTFs/blob/master/2019_picoCTF/shark_on_wire_1.md) which used a bash script with `tshark` (command-line version of wireshark) to find it. This is a much better approach in my mind.

Therefore, in order to ensure I learned from this, I pulled apart the script so I could understand what is going on. I include it below with my comments for clarity, but credit for the script goes to [dvd848](https://github.com/Dvd848).

```bash
#!/bin/bash

# this is the file we are interrogating
PCAP=shark_on_wire.pcap; 

# determine how many UDP streams exist in the file
# this number increments so we just grab the last one.
END=$(tshark -r $PCAP -T fields -e udp.stream | sort -n | tail -1); 

# loop through the UDP streams...
for ((i=0;i<=END;i++));
do
    # for the given stream:
    #   show the data as text, ignoring any errors
    #   remove any line returns via the translate (`tr`) tool
    #   grep/search for "picoCTF"
    tshark -r $PCAP -Y "udp.stream eq $i" -T fields -e data.text -o data.show_as_text:TRUE 2>/dev/null | tr -d '\n' | grep "picoCTF"; 

    # if the result of the prior command was "0" (successful), indicate which stream it was in.
    if [ $? -eq 0 ]; then
        echo "(Stream #$i)";
    fi; 
done
```
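The same stream-by-stream search as a standalone parser, added here as an example that is not part of the original writeup or dvd848's script: it reads a classic pcap directly, groups UDP payloads by conversation (both directions, like tshark's `udp.stream`), joins each conversation's data, and greps the result, so a flag spread over several packets of one conversation is still matched. The `SAMPLE_PCAP` is constructed inline for illustration and is not the challenge capture; it assumes a little-endian classic pcap with Ethernet/IPv4 frames.

```python
import re
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic pcap, little-endian record headers (what tcpdump writes on x86)

def udp_streams(pcap):
    """Group UDP payloads by conversation (both directions), like tshark's udp.stream.
    Assumes a little-endian classic pcap with link type 1 (Ethernet); non-IPv4/UDP frames are skipped."""
    streams, pos = {}, 24  # 24 = size of the pcap global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]  # captured length of this record
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # too short or not IPv4 over Ethernet
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
        if ip[9] != 17:  # IP protocol 17 = UDP
            continue
        sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
        key = tuple(sorted([(ip[12:16], sport), (ip[16:20], dport)]))  # A->B and B->A share a key
        streams.setdefault(key, bytearray()).extend(ip[ihl + 8 : ihl + ulen])  # payload after 8-byte UDP header
    return streams

def find_flags(pcap, pattern=rb"picoCTF\{[^}]*\}"):
    """Return {stream_index: [matches]} after joining each stream's payloads and dropping newlines."""
    hits = {}
    for idx, data in enumerate(udp_streams(pcap).values()):
        if found := re.findall(pattern, bytes(data).replace(b"\n", b"")):
            hits[idx] = found
    return hits

def udp_frame(src, sport, dst, dport, payload):  # minimal Ethernet/IPv4/UDP frame, checksums left zero
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return bytes(12) + b"\x08\x00" + ip + udp

def build_pcap(frames):  # wrap frames in a little-endian classic pcap, link type 1 (Ethernet)
    out = bytearray(PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1))
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return bytes(out)

A, B, C = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
SAMPLE_PCAP = build_pcap([  # constructed sample: the flag is split across one conversation's packets
    udp_frame(A, 5000, B, 53, b"noise\n"),
    udp_frame(A, 4000, C, 9000, b"picoC"),
    udp_frame(C, 9000, A, 4000, b"TF{construc"),
    udp_frame(A, 4000, C, 9000, b"ted_flag}\n"),
])
```

`find_flags(open("capture.pcap", "rb").read())` runs the same search over a real file, and `find_flags(SAMPLE_PCAP)` returns `{1: [b'picoCTF{constructed_flag}']}` for the constructed sample.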

---

## extensions

By the name, you can guess that the file extension is wrong. If you run `file` against it, you see that it believes it to be a `png`.

Running `strings` shows you nothing, but if you open it in an image viewer you see the flag to submit.


---

## What Lies Within

File is definitely an image. Neither `identify` nor `exiftool` showed anything interesting. Running `strings` didn't make anything immediately obvious either.

---

## m00nwalk

```{note}
not yet started
```

---

## WhitePages

```{note}
not yet started
```

---

## c0rrupt

```{note}
not yet started
```

---

## like1000

```{note}
not yet started
```

---

## m00nwalk2

```{note}
not yet started
```

---

## Investigative Reversing 0

```{note}
not yet started
```

---

## shark on wire 2

```{note}
not yet started
```

---

## Investigative Reversing 1

```{note}
not yet started
```

---

## Investigative Reversing 2

```{note}
not yet started
```

---

## WebNet0

```{note}
not yet started
```

---

## Investigative Reversing 3

```{note}
not yet started
```

---

## Investigative Reversing 4

```{note}
not yet started
```

---

## WebNet1

```{note}
not yet started
```

---

## investigation_encoded_1

```{note}
not yet started
```

---

## investigation_encoded_2

```{note}
not yet started
```

---

## B1g_Mac

```{note}
not yet started
```