PicoCTF
PicoGym Challenges
PicoCTF is a free computer security game with original educational content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University. The competition has participants reverse engineer, break, hack, decrypt, and think creatively and critically to solve the challenges and capture the flags.
The following are questions that can be found on the new picoGym challenges page. They include solutions for the picoCTF 2019 competition and picoCTF 2020 mini competition.
Overview
Title | Category | Points | Flag
Lets Warm Up | General Skills | 50 | picoCTF{p}
2Warm | General Skills | 50 | picoCTF{101010}
Warmed Up | General Skills | 50 | picoCTF{61}
Bases | General Skills | 100 | picoCTF{l3arn_th3_r0p35}
First Grep | General Skills | 100 | picoCTF{grep_is_good_to_find_things_f77e0797}
Strings It | General Skills | 100 | picoCTF{5tRIng5_1T_d66c7bb7}
Whats a Net Cat | General Skills | 100 | picoCTF{nEtCat_Mast3ry_d0c64587}
The Numbers | Cryptography | 50 | picoCTF{THENUMBERSMASON}
Caesar | Cryptography | 100 | picoCTF{crossingtherubiconvfhsjkou}
13 | Cryptography | 100 | picoCTF{not_too_bad_of_a_problem}
Easy1 | Cryptography | 100 | picoCTF{CRYPTOISFUN}
Insp3ct0r | Web Exploitation | 50 | picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?f10be399}
Dont Use Client Side | Web Exploitation | 100 | picoCTF{no_clients_plz_7723ce}
Where are the Robots | Web Exploitation | 100 | picoCTF{ca1cu1at1ng_Mach1n3s_8028f}
Logon | Web Exploitation | 100 | picoCTF{th3_c0nsp1r4cy_l1v3s_d1c24fef}
Vault Door Training | Reverse Engineering | 50 | picoCTF{w4rm1ng_Up_w1tH_jAv4_be8d9806f18}
Vault Door 1 | Reverse Engineering | 100 | picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_75092e}
Glory of the Garden | Forensics | 50 | picoCTF{more_than_m33ts_the_3y3eBdBd2cc}
So Meta | Forensics | 150 | picoCTF{s0_m3ta_eb36bf44}
General Skills: Lets Warm Up
Challenge
If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?
Solution
This is easy to do in bash, because the echo command can interpret backslash escapes. You can also use a tool like xxd to make a hexdump, or reverse one with the -r option.
It can also be done in Python using the 'decode' command and passing in the type argument as 'hex' (this form is Python 2; in Python 3, bytes.fromhex does the same job).
Flag
General Skills: 2Warm
Challenge
Can you convert the number 42 (base 10) to binary (base 2)?
Solution
This can be converted by hand, but the process can be simplified for any n using bash or Python. In bash, you can use the bc command-line tool, which takes a string as input and performs arbitrary-precision calculations.
In Python, the built-in function 'bin' returns a binary string starting with '0b'.
Flag
General Skills: Warmed Up
Challenge
What is 0x3D (base 16) in decimal (base 10)?
Solution
Once again, you can use bash's bc tool or Python to do this conversion.
In the bc command, the 'obase' field sets the output base and the 'ibase' field sets the input base.
Flag
General Skills: Bases
Challenge
What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.
Solution
Using the title as a hint, the first thought is a base64-encoded string. To decode it, you can use the base64 bash tool along with the echo command.
It's also possible to do it in Python, though the 'base64' module (part of the standard library) needs to be imported to use the base64 decoder.
Flag
General Skills: First Grep
Challenge
Solution
Download the linked file and rename it to something more descriptive, e.g. first-grep.txt
This challenge requires using the bash tool grep, a utility that searches any given input file and selects lines that match one or more patterns. The general command for grep looks like the following: grep [pattern] [file ...]
Flag
General Skills: Strings It
Challenge
Solution
Download the linked file, called 'strings'.
This challenge requires using the bash tool strings, a utility that displays printable strings in a file. For this one, run the tool on the 'strings' file and then grep for the flag.
Flag
General Skills: Whats a Net Cat
Challenge
Using netcat (nc) is going to be pretty important. Can you connect to jupiter.challenges.picoctf.org at port 25103 to get the flag?
Solution
This challenge is as simple as using the netcat tool to connect to the listener at the host jupiter.challenges.picoctf.org on port 25103. To actually run the netcat program, the general format is as follows: nc [hostname] [port]
Flag
Cryptography: The Numbers
Challenge
The numbers... what do they mean? (The flag is in the format PICOCTF{})
Solution
String of numbers > 16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14 }
The numbers correspond with the order of the alphabet i.e. 1=A, 2=B, 3=C, etc.
Flag
Cryptography: Caesar
Challenge
Solution
The downloaded message looks like the following:
Running this code will produce the following:
Flag
Cryptography: 13
Challenge
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
Solution
This challenge is basically an easier version of the Caesar challenge. Since ROT13 uses a standard key of 13, you can simplify the problem even more. The bash tool tr (translate) can be used to make a static transformation like ROT13.
What's happening here is that the tr command maps the original alphabet to a new alphabet that starts with 'n' and ends with 'm', wrapping around from 'z' to 'a'. When all the substitutions are completed, it outputs the transformation to the console.
Flag
Cryptography: Easy1
Challenge
The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We've given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this table to solve it?
Solution
Below is the table that is given in the question.
This table is commonly used in the Vigenere method. The Vigenere cipher employs a form of polyalphabetic substitution and a key to encrypt phrases. Using the key SOLVECRYPTO, we can decode the encrypted message UFJKXQZQUNB by finding the intersection of the respective letters. If we reached the end of the key, it would repeat from the beginning until the full message is decoded. In this question, both strings are 11 characters long, making it a one-to-one relationship. Decoding letter by letter, the decrypted message is CRYPTOISFUN.
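The ciphers in The Numbers, Caesar, 13 and Easy1 all reduce to letter arithmetic modulo 26. The Python below is an added example, not code from the original write-up; it goes one step beyond the text by treating ROT13 and Caesar as Vigenere with a one-letter key, and the Caesar input is a constructed sample rather than the challenge file.

```python
import string

ALPHABET = string.ascii_uppercase


def a1z26_decode(text):
    """The Numbers: 1..26 -> A..Z; other tokens (the braces) pass through."""
    return "".join(ALPHABET[int(t) - 1] if t.isdigit() else t
                   for t in text.split())


def vigenere_decrypt(ciphertext, key):
    """Subtract each key letter from the matching ciphertext letter, mod 26.

    This is the table lookup from Easy1 done arithmetically. The key repeats
    when it is shorter than the message; non-letters are copied unchanged
    and do not use up a key letter.
    """
    out, used = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            shift = ALPHABET.index(key[used % len(key)].upper())
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    # ROT13 is a Caesar shift of 13: Vigenere with the one-letter key "N".
    return vigenere_decrypt(text, "N")


def caesar_candidates(ciphertext):
    """Unknown Caesar shift: return all 26 decryptions, keyed by shift."""
    return {s: vigenere_decrypt(ciphertext, ALPHABET[s]) for s in range(26)}


if __name__ == "__main__":
    print(a1z26_decode("16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14 }"))
    print(rot13("cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}"))
    print(vigenere_decrypt("UFJKXQZQUNB", "SOLVECRYPTO"))
    # Constructed sample, not the challenge file: "attackatdawn" shifted by 3.
    for shift, plain in caesar_candidates("dwwdfndwgdzq").items():
        print(shift, plain)
```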
Flag
Web Exploitation: Insp3ct0r
Challenge
Solution
Navigating to the given link, you're greeted with a simple HTML page that says 'Inspect Me'. In Chrome, you can open the inspector either with the shortcut 'Option+Command+J' or by right-clicking and then choosing the 'Inspect' option. Opening the inspector shows the following:
The first part of the flag is given in the HTML file > picoCTF{tru3_d3
Navigating to the 'Sources' tab, you can view the JS and CSS to get the next parts of the flag:
mycss.css > t3ct1ve_0r_ju5t
myjs.js > _lucky?f10be399}
Putting it all together makes picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?f10be399}
Flag
Web Exploitation: Dont Use Client Side
Challenge
Solution
On entry to the portal, there is a single input field that takes a password. The first thing to do is check the inspector for any interesting information.
Opening the inspector, there's a verify function that receives the password string provided and compares it to pieces of the flag that are out of order. Now all you need to do is put it back together. Putting the 8 parts together gives us the flag > picoCTF{no_clients_plz_7723ce}.
Enter the flag as the password, and if you receive an alert that says 'Password Verified' then you're good to go!
Flag
Web Exploitation: Where are the Robots
Challenge
Solution
The title of the challenge asks 'where are the robots', implying that you might want to look at the robots.txt file on the website. A robots.txt file is a text file that is used to instruct web robots or web crawlers which parts of a website not to visit. This text file is part of the robots exclusion protocol (REP), a group of standards that regulate how robots crawl the web.
Flag
Web Exploitation: Logon
Challenge
Solution
Looking at the source files, nothing really stands out, but there are multiple cookies being stored by the webpage. Viewing the cookies on the webpage or in the Application tab, you can find four cookies:
1. admin: False
2. password: ''
3. session: ''
4. username: ''
The admin cookie with the value 'False' especially stands out. The next step is then to try to figure out how to change that value to 'True' to see if you can bypass the authentication. To change the cookie's value, do the following:
Go to inspector
Click on the 'Application' tab
Find the 'Cookies' option under the Storage section of the left navbar
Click on the cookie item for the current website
Double click on the value for the cookie 'admin'
Change to 'True'
Changing the value and refreshing the page then reveals the flag!
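Why the edit works, and the server-side fix, as an added Python example that is not the challenge's code: the first check is an assumed model of a server that believes the 'admin' cookie, the second binds the role to an HMAC the client cannot forge. The key, cookie layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def is_admin_vulnerable(cookies):
    """Trusts a value the browser controls, so editing the cookie is enough."""
    return cookies.get("admin") == "True"


def _tag(value):
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_session(username, admin):
    """Server side, at login: bind the role to a MAC the client cannot forge."""
    value = f"{username}|{admin}"
    return {"session": f"{value}|{_tag(value)}"}


def is_admin_hardened(cookies):
    """Accept the role only if the MAC over username and role verifies."""
    parts = cookies.get("session", "").rsplit("|", 2)
    if len(parts) != 3:
        return False
    username, admin, tag = parts
    expected = _tag(f"{username}|{admin}")
    # compare_digest avoids leaking how many characters of the tag matched
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return admin == "True"


if __name__ == "__main__":
    print(is_admin_vulnerable({"admin": "True"}))  # the edited cookie is believed
    guest = issue_session("guest", False)
    forged = {"session": guest["session"].replace("|False|", "|True|")}
    print(is_admin_hardened(guest), is_admin_hardened(forged))
    print(is_admin_hardened(issue_session("root", True)))
```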
Flag
Reverse Engineering: Vault Door Training
Challenge
Solution
The java file has the following function:
When the program takes the user's input, it strips out the 'picoCTF{' and '}' sections, so the password for the vault would be picoCTF{w4rm1ng_Up_w1tH_jAv4_be8d9806f18}.
On macOS, you can test it by doing the following:
1. javac VaultDoorTraining.java
2. java VaultDoorTraining
Flag
Reverse Engineering: Vault Door 1
Challenge
Solution
Similar to the training challenge, this one has you examining Java code to retrieve a password. The Java file has another vulnerable checker function that leaves the password easily decipherable. The function is as follows:
Instead of deciphering it by hand which is very doable yet tedious, you can also write some code to do it for you:
Although you don't need to completely understand this script to do the problem, the explanation is as follows: First, the re library is imported so that searching (the findall function) can be done with a regex to get specific phrases back, that is, the index of the character in the password along with the character at that index. Second, change the returned phrases into simple tuples that can be sorted based on index. Lastly, join the characters of the sorted list back into an answer.
Note: The pattern used in the re.findall() function is \d+)\s+==\s+\'. which can be really confusing at first glance. Look at the following to understand.
\d+ matches one or more digits; this is the index
\s+ matches a run of one or more whitespace characters
== matches the literal string '=='
. matches any single character; this is the character in the password
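The three steps described above (findall, sort by index, join), as an added Python example rather than the write-up's own script. The Java source and its password are constructed for the illustration, and the pattern is written for this example from the parts the note lists.

```python
import re

# Constructed Java in the shape the write-up describes: one charAt comparison
# per position, listed out of order. The password is made up for the example.
JAVA_SOURCE = """
public boolean checkPassword(String password) {
    return password.length() == 12 &&
        password.charAt(10) == 'd' &&
        password.charAt(2)  == 's' &&
        password.charAt(0)  == 'u' &&
        password.charAt(7)  == 'b' &&
        password.charAt(11) == '!' &&
        password.charAt(4)  == 'r' &&
        password.charAt(1)  == 'n' &&
        password.charAt(9)  == '3' &&
        password.charAt(5)  == '4' &&
        password.charAt(3)  == 'c' &&
        password.charAt(8)  == 'l' &&
        password.charAt(6)  == 'm';
}
"""

# (\d+) captures the index, '(.)' captures the character compared against.
CHECK = re.compile(r"charAt\((\d+)\)\s+==\s+'(.)'")


def recover_password(java_source):
    pairs = [(int(i), ch) for i, ch in CHECK.findall(java_source)]
    pairs.sort()  # numeric sort; as strings, "10" would sort before "2"
    indices = [i for i, _ in pairs]
    if indices != list(range(len(indices))):
        raise ValueError("missing or duplicated index in checker")
    return "".join(ch for _, ch in pairs)


if __name__ == "__main__":
    print(recover_password(JAVA_SOURCE))
```

Converting the captured index to an integer before sorting matters as soon as the password is longer than ten characters, which is the case in the challenge as well.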
Flag
Forensics: Glory of the Garden
Challenge
This garden contains more than it seems.
Solution
This problem can be solved in multiple ways; the two I'll demonstrate use the strings command and the hexdump command.
The strings command finds printable strings in an object, while the grep command searches for strings matching the pattern 'pico'. The '|' character is a pipe: it passes the output of the first command to the input of the second command.
You can also view the file as a hexdump with the hexdump command, which is used to filter and display files in a specified human-readable format.
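What the strings-then-grep pipeline used here and in Strings It does, together with a hexdump-style row for locating the hit, as an added Python example that is not part of the original write-up. The input bytes are constructed for the illustration and are not the challenge image.

```python
import re

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def printable_strings(data, min_len=4):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_flags(data):
    """The `strings file | grep pico` pipeline in one pass, with file offsets."""
    hits = []
    for offset, text in printable_strings(data):
        for m in FLAG_RE.finditer(text):
            hits.append((offset + m.start(), m.group()))
    return hits


def hexdump_row(data, offset, width=16):
    """One row in the usual offset / hex / ASCII layout, to show where a hit sits."""
    chunk = data[offset:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
    return f"{offset:08x}  {hexpart:<{width * 3}} |{text}|"


# Constructed input (not the challenge image): JPEG-like header bytes, binary
# filler, then readable text placed after the image data.
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(0, 32)) * 2 +
          b"\xff\xd9" + b'Here is a flag "picoCTF{constructed_example}"\n')

if __name__ == "__main__":
    for offset, flag in find_flags(SAMPLE):
        print(hex(offset), flag)
        print(hexdump_row(SAMPLE, offset))
```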
Flag
Forensics: So Meta
Challenge
Solution
The name of this problem hints at looking at metadata. In images, metadata is a set of information describing the rights and administration of an image. It allows information to be embedded into an image's data so that it can be understood by both software and human users.
Flag