picoCTF WriteUp

Final result
293RD PLACE 2,710/6,575 PTS
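Of the three of us, I solved most of the challenges; this is probably the most I have solved since I started playing CTFs.
The challenges were easy, after all, but we still did not beat many of the high-school students..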

LEVEL 1


Digital Camouflage

Search directly for user or psword in Wireshark and you will find something like:

userid=grassers&pswrd=cHJ2cUJaTnFZdw%3D%3D

After URL-decoding and then base64-decoding it:

FLAG:

prvqBZNqYw

Special Agent User

Search for agent in Wireshark to find it:

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36

Look the string up on http://www.useragentstring.com./ to learn the browser version.

FLAG:

Chrome 35.0.2117.157

keyz

Generate a public key and copy it to the shell2017.picoctf.com server.

Copy id_rsa.pub from the local directory into /.ssh/authorized_keys under the user's home directory on the server, and ssh will work without a password.

FLAG:

who_needs_pwords_anyways

Substitute

MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL. UTFTKAMTR ZB DAKQGX EIAOF GY MIT COQOHTROA HAUT GF EASXOF AFR IGZZTL. ZT CTKT SGFU, MIT YSACL GF A 2005 HKTLTFM MODTL MIAF LMADOFA GK A CTTQSB LWFRAB, RTETDZTK 21, 1989 1990, MIT RKTC TROMGKL CAL WHKGGMTR TXTKB CGKSR EAF ZT YGWFR MIT EGFMOFWTR MG CGKQ AM A YAOMIYWS KTHSOTL CITKT IGZZTL, LMBST AOD EASXOF, AMMAEQ ZGMI LORTL MG DAKQL, "CIAM RG EGFMKGSSOFU AF AEMWAS ZGAKR ZGVTL OF MIT HKTHAKTFML FADT, OL ODHWSLOXT KADHAUTL OF CIOEI ASCABL KTYTKTFETL MIT HALLCGKR, CIOEI DGFTB, AFR MITB IAR SOMMST YKGFM BAKR IOL YKWLMKAMTR EGSGK WFOJWT AZOSOMB COMI AFR OFROLHTFLAMT YGK MTAEI GMITK LMWROTL, AKT ACAKRL ZARUTL, HWZSOLITR ZTYGKT CTSS AL A YOKT UKGLL HSAFL CTKT GKOUOFASSB EIAKAEMTKL OF MIT LMKOH MG CIOEI LTTD MG OM CITF MTDHTKTR OF AFR IASSGCOFU MITB'KT LODHSB RKACOFU OF UOXTL GF" HKOFEOHAS LHOMMST ROLMGKM, KTARTKL EGDOEL AKT WLT, CAMMTKLGF MGGQ MCG 16-DGFMIL AYMTK KTLOLMAQTL A DGKT EKTAM RTAS MG EASXOF GYMTF IGZZTL MG ARDOML "LSODB, "ZWM OM'L FADTR A FOUIM GWM LIT OL HGOFM GY FGM LTTF IGZZTL MIT ZGGQL AM MIAM O KTDAOFOFU ZGGQ IADLMTK IWTB AKT AHHTAKAFET: RTETDZTK 6, 1995 DGD'L YKADTL GY EASXOF UOXTF A CAUGF, LGDTMODTL MIAM LG OM'L YAMITKT'L YADOSB FG EAFETSSAMOGFLIOH CAL HKTLTFML YKGD FGXTDZTK 21, 1985 SALM AHHTAK AZLTFET OF AFGMITKCOLT OM IAHHB MG KWF OM YGK MIOL RAR AL "A SOMMST MG MGSTKAMT EASXOF'L YADOSB RKACF ASDGLM EGDDTFRTR WH ZTOFU HTGHST OFLMAFET, UTM DAKKOTR ZB A RAFET EASXOF'L GWMSAFROLOFU MIT FTCLHAHTK GK MAZSGOR FTCLHAHTK ZWLOFTLL LIGC OL GF!" 
AFR LHKOFML GY EIOSRKTF'L RAR'L YKWLMKAMTR ZB MWKF IWDGK, CAL HWZSOE ROASGU MITKT'L FGM DWEI AL "'94 DGRTKFOLD" CAMMTKLGF IAL RTSOUIML GY YAFMALB SOYT CAMMTKLGF LABL LTKXTL AL AF AKMOLML OL RTLMKWEMOGF ZWLOFTLL, LHAETYAKTK GY MIT GHHGKMWFOMOTL BGW ZGMI A MGHOE YGK IOL IGDT MGFUWT-OF-EITTQ HGHWSAK MIAM OM CAL "IGF" AFR JWAKMTK HAUT DGKT LHAEOGWL EAFETSSAMOGF MIT HAOK AKT ESTAKSB OF HLBEIOE MKAFLDGUKOYOTK'L "NAH" LGWFR TYYTEM BGW MIOFQTK CAMMTKLGF ASLG UKTC OFEKTROZST LHAET ZWBL OF EGDDGFSB CIOST GMITKCOLT OM'L FADT OL FGMAZST LMGKBSOFT UAXT MIT GHHGKMWFOMOTL BGW EAFETSSAMOGF MIT "EASXOF GYYTK MG DAQT IOD OFEGKKTEM AFLCTKL CAMMTK AKMCGKQ GMITK GYMTF CIOEI OL TXORTFM MG GMITK LMKOH OL MG MITOK WLT GY KWSTL MIAM LIGCF GF LAFROYTK, CIG WLTL A EKGCJWOSS ZT LTTF "USWTR" MG MIT GFSB HTKL AFR IOL YAMITK LWHHGKM OL SWFEISOFT UAXT MITLT MIOF A BTAK OF DWSMODAMTKOAS AFR GZMAOF GF LAFMALB, IOL WLT, CAMMTKL ROASGUWT OL AF "AKMOLM'L LMAMWL AL "A ROD XOTC OF MIT TLLTFMOASSB MG DAQT IOD LTTD MG OFESWRTR MIAM EASXOF OL AF GRR ROASGUWT DGLM GY MIT ESWZ IAL TVHKTLLOGF GWMLORT AXAOSAZST MG"

A substitution cipher; decrypted, it reads roughly:

THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS. GENERATED BY MARKO? CHAIN OF THE WIKIPEDIA PAGE ON CAL?IN AND HOBBES. BE WERE LONG, THE FLAWS ON A 2005 PRESENT TIMES THAN STAMINA OR A WEEKLY SUNDAY, DECEMBER 21, 1989 1990, THE DREW EDITORS WAS UPROOTED E?ERY WORLD CAN BE FOUND THE CONTINUED TO WORK AT A FAITHFUL REPLIES WHERE HOBBES, STYLE AIM CAL?IN, ATTACK BOTH SIDES TO MARKS, "WHAT DO CONTROLLING AN ACTUAL BOARD BO?ES IN THE PREPARENTS NAME, IS IMPULSI?E RAMPAGES IN WHICH ALWAYS REFERENCES THE PASSWORD, WHICH MONEY, AND THEY HAD LITTLE FRONT YARD HIS FRUSTRATED COLOR UNI?UE ABILITY WITH AND INDISPENSATE FOR TEACH OTHER STUDIES, ARE AWARDS BADGES, PUBLISHED BEFORE WELL AS A FIRE GROSS PLANS WERE ORIGINALLY CHARACTERS IN THE STRIP TO WHICH SEEM TO IT WHEN TEMPERED IN AND HALLOWING THEY'RE SIMPLY DRAWING IN GI?ES ON" PRINCIPAL SPITTLE DISTORT, READERS COMICS ARE USE, WATTERSON TOOK TWO 16-MONTHS AFTER RESISTAKES A MORE CREAT DEAL TO CAL?IN OFTEN HOBBES TO ADMITS "SLIMY, "BUT IT'S NAMED A NIGHT OUT SHE IS POINT OF NOT SEEN HOBBES THE BOOKS AT THAT I REMAINING BOOK HAMSTER HUEY ARE APPEARANCE: DECEMBER 6, 1995 MOM'S FRAMES OF CAL?IN GI?EN A WAGON, SOMETIMES THAT SO IT'S FATHERE'S FAMILY NO CANCELLATIONSHIP WAS PRESENTS FROM NO?EMBER 21, 1985 LAST APPEAR ABSENCE IN ANOTHERWISE IT HAPPY TO RUN IT FOR THIS DAD AS "A LITTLE TO TOLERATE CAL?IN'S FAMILY DRAWN ALMOST COMMENDED UP BEING PEOPLE INSTANCE, GET MARRIED BY A DANCE CAL?IN'S OUTLANDISING THE NEWSPAPER OR TABLOID NEWSPAPER BUSINESS SHOW IS ON!" 
AND SPRINTS OF CHILDREN'S DAD'S FRUSTRATED BY TURN HUMOR, WAS PUBLIC DIALOG THERE'S NOT MUCH AS "'94 MODERNISM" WATTERSON HAS DELIGHTS OF FANTASY LIFE WATTERSON SAYS SER?ES AS AN ARTISTS IS DESTRUCTION BUSINESS, SPACEFARER OF THE OPPORTUNITIES YOU BOTH A TOPIC FOR HIS HOME TONGUE-IN-CHEEK POPULAR THAT IT WAS "HON" AND ?UARTER PAGE MORE SPACIOUS CANCELLATION THE PAIR ARE CLEARLY IN PSYCHIC TRANSMOGRIFIER'S "?AP" SOUND EFFECT YOU THINKER WATTERSON ALSO GREW INCREDIBLE SPACE BUYS IN COMMONLY WHILE OTHERWISE IT'S NAME IS NOTABLE STORYLINE GA?E THE OPPORTUNITIES YOU CANCELLATION THE "CAL?IN OFFER TO MAKE HIM INCORRECT ANSWERS WATTER ARTWORK OTHER OFTEN WHICH IS E?IDENT TO OTHER STRIP IS TO THEIR USE OF RULES THAT SHOWN ON SANDIFER, WHO USES A CROW?UILL BE SEEN "GLUED" TO THE ONLY PERS AND HIS FATHER SUPPORT IS LUNCHLINE GA?E THESE THIN A YEAR IN MULTIMATERIAL AND OBTAIN ON SANTASY, HIS USE, WATTERS DIALOGUE IS AN "ARTIST'S STATUS AS "A DIM ?IEW IN THE ESSENTIALLY TO MAKE HIM SEEM TO INCLUDED THAT CAL?IN IS AN ODD DIALOGUE MOST OF THE CLUB HAS E?PRESSION OUTSIDE A?AILABLE TO"

FLAG:

IFONLYMODERNCRYPTOWASLIKETHIS
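
One way to reproduce this kind of partial decryption, as an added example (not the tool used for this writeup): the first ciphertext sentence and its recovered plaintext serve as a crib to derive part of the key, and letters the key does not yet cover are printed as `?`, as in the text above. The function names are hypothetical.

```python
import string

# First sentence of the challenge ciphertext and the plaintext recovered
# for it, both copied from the writeup above.
CRIB_CT = "MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL"
CRIB_PT = "THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS"


def derive_key(ct, pt):
    """Build a cipher->plain letter map from aligned text, rejecting conflicts."""
    if len(ct) != len(pt):
        raise ValueError("crib and ciphertext must align")
    key, used = {}, {}
    for c, p in zip(ct, pt):
        if c not in string.ascii_uppercase:
            if c != p:
                raise ValueError("non-letter mismatch")
            continue
        # A monoalphabetic substitution is a bijection: one plain letter
        # per cipher letter and one cipher letter per plain letter.
        if key.setdefault(c, p) != p or used.setdefault(p, c) != c:
            raise ValueError(f"inconsistent mapping at {c}->{p}")
    return key


def decrypt(ct, key):
    """Apply a partial key; unresolved letters become '?'."""
    return "".join(
        key.get(ch, "?") if ch in string.ascii_uppercase else ch for ch in ct
    )


if __name__ == "__main__":
    key = derive_key(CRIB_CT, CRIB_PT)
    # Next words of the ciphertext: Z and X are not covered by the crib yet.
    print(decrypt("UTFTKAMTR ZB DAKQGX EIAOF", key))
    # Guessing Z -> B from the "?Y" word extends the key.
    print(decrypt("UTFTKAMTR ZB DAKQGX EIAOF", dict(key, Z="B")))
```
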

Hash101

$ nc shell2017.picoctf.com 9661

Welcome to Hashes 101!

There are 4 Levels. Complete all and receive a prize!


-------- LEVEL 1: Text = just 1's and 0's --------
All text can be represented by numbers. To see how different letters translate to numbers, go to http://www.asciitable.com/

TO UNLOCK NEXT LEVEL, give me the ASCII representation of 0110100001100101011011000110110001101111

>hello
Correct! Completed level 1

------ LEVEL 2: Numbers can be base ANYTHING -----
Numbers can be represented many ways. A popular way to represent computer data is in base 16 or 'hex' since it lines up with bytes very well (2 hex characters = 8 binary bits). Other formats include base64, binary, and just regular base10 (decimal)! In a way, that ascii chart represents a system where all text can be seen as "base128" (not including the Extended ASCII codes)

TO UNLOCK NEXT LEVEL, give me the text you just decoded, hello, as its hex equivalent, and then the decimal equivalent of that hex number ("foo" -> 666f6f -> 6713199)

hex>68656c6c6f
Good job! 68656c6c6f to ASCII -> hello is hello
Now decimal
dec>448378203247
Good job! 448378203247 to Hex -> 68656c6c6f to ASCII -> hello is hello
Correct! Completed level 2

----------- LEVEL 3: Hashing Function ------------
A Hashing Function intakes any data of any size and irreversibly transforms it to a fixed length number. For example, a simple Hashing Function could be to add up the sum of all the values of all the bytes in the data and get the remainder after dividing by 16 (modulus 16)

TO UNLOCK NEXT LEVEL, give me a string that will result in a 14 after being transformed with the mentioned example hashing function

>.
Correct! Completed level 3

--------------- LEVEL 4: Real Hash ---------------
A real Hashing Function is used for many things. This can include checking to ensure a file has not been changed (its hash value would change if any part of it is changed). An important use of hashes is for storing passwords because a Hashing Function cannot be reversed to find the initial data. Therefore if someone steals the hashes, they must try many different inputs to see if they can "crack" it to find what password yields the same hash. Normally, this is too much work (if the password is long enough). But many times, people's passwords are easy to guess... Brute forcing this hash yourself is not a good idea, but there is a strong possibility that, if the password is weak, this hash has been cracked by someone before. Try looking for websites that have stored already cracked hashes.

TO CLAIM YOUR PRIZE, give me the string password that will result in this MD5 hash (MD5, like most hashes, are represented as hex digits):
ee4d5bc25a2771d95fdbd24452e355ad

>r3s4w
Correct! Completed level 4
You completed all 4 levels! Here is your prize: c3ee093f26ba147ccc451fd13c91ffce

The levels above can be solved with this code:

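import sys

# Level 1: binary string -> ASCII text, 8 bits per character
s = input()
i = 0
while i < len(s):
    sys.stdout.write(chr(int(s[i:i+8], 2)))
    i += 8

# Level 2, first answer: text -> hex, two digits per character
s = input("\n> ")
for ch in s:
    sys.stdout.write("%02x" % ord(ch))

# Level 2, second answer: hex string -> decimal
s = input("\n> ")
print(int(s, 16))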

The MD5 at the end is of a short string, so it can be cracked online directly.

FLAG:

c3ee093f26ba147ccc451fd13c91ffce

computeAES

Encrypted with AES in ECB mode. All values base64 encoded
ciphertext = I300ryGVTXJVT803Sdt/KcOGlyPStZkeIHKapRjzwWf9+p7fIWkBnCWu/IWls+5S
key = iyq1bFDkirtGqiFz7OVi4A==

It can be decrypted with Python, but the values have to be base64-decoded first:

import base64
from Crypto.Cipher import AES

# Both values are base64 encoded, so decode them before use
key = base64.b64decode('iyq1bFDkirtGqiFz7OVi4A==')
cipher = base64.b64decode('I300ryGVTXJVT803Sdt/KcOGlyPStZkeIHKapRjzwWf9+p7fIWkBnCWu/IWls+5S')
aes = AES.new(key, AES.MODE_ECB)
print(aes.decrypt(cipher).decode())
flag{do_not_let_machines_win_2d4975bc}__________

FLAG:

do_not_let_machines_win_2d4975bc

ComputeRSA

RSA encryption/decryption is based on a formula that anyone can find and use, as long as they know the values to plug in. Given the encrypted number 150815, d = 1941, and N = 435979, what is the decrypted number?

HINTS

decrypted = (encrypted) ^ d mod N

Evaluating the formula from HINTS directly gives the FLAG.

FLAG:

133337

Hex2Raw

printf "\x1a\x55\x8a\xcd\xda\xbd\x64\xbb\xcc\xdd\x94\x90\x3e\xaf\xdf\x18" | ./hex2raw

Give me this in raw form (0x41 -> 'A'):
1a558acddabd64bbccdd94903eafdf18

You gave me:
1a558acddabd64bbccdd94903eafdf18
Yay! That's what I wanted! Here be the flag:
ceb80093717fd7e9aae149dacc7ac9b3

FLAG

ceb80093717fd7e9aae149dacc7ac9b3

Raw2Hex

The flag is:\xc3\xae\xef\xde-\x8f\xa0\xbc\x81\xf9U1DG\xa3H

import binascii
# Hex-encode the raw bytes printed by the challenge
print(binascii.b2a_hex(b'\xc3\xae\xef\xde-\x8f\xa0\xbc\x81\xf9U1DG\xa3H').decode())

FLAG

c3aeefde2d8fa0bc81f955314447a348

What Is Web

View the page source: one part of the FLAG is at the bottom of the HTML file, the second part is in the CSS file, and the third part is in the JS file.

FLAG

fab79c49d9e5ba511a0f2436308e33e85

Bash Loop

$ for i in {0..4096}; do ./bashloop $i; done | grep -n 'flag'

3024:Yay! That's the number! Here be the flag: bcf9ac72d8721c303ae95239c2deacb3

FLAG

bcf9ac72d8721c303ae95239c2deacb3

Just No

This is a relative path versus absolute path issue.

It is enough to create ~/problems/02bd7d8f7e9c13a19940fd1116234469/auth under the home directory:

knowncold@shell-web:~/problems/02bd7d8f7e9c13a19940fd1116234469$ /problems/02bd7d8f7e9c13a19940fd1116234469/justno

Oh. Well the auth file doesn't say no anymore so... Here's the flag: cad7c91983f6a8ed691c6d7e2dd2264c

FLAG

cad7c91983f6a8ed691c6d7e2dd2264c
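
The relative versus absolute path issue above, as an added example that is not the challenge's own code: the page does not show the source of justno, so the relative path `../../problems/demo/auth`, the directory layout and the function names are assumptions. It contrasts a check whose auth file depends on the caller's working directory with one anchored to the install directory.

```python
import os
import shutil
import tempfile

# Assumed for illustration: the checker opens its auth file through a path
# relative to the current working directory.
REL_AUTH = os.path.join("..", "..", "problems", "demo", "auth")


def allowed_relative():
    """Weak form: which file is read depends on the caller's cwd."""
    with open(REL_AUTH) as f:
        return f.read().strip() != "no"


def allowed_anchored(install_dir):
    """Hardened form: the path is anchored to the install directory."""
    with open(os.path.join(install_dir, "auth")) as f:
        return f.read().strip() != "no"


def demo():
    """Build a constructed tree with the real auth file and a look-alike copy."""
    root = os.path.realpath(tempfile.mkdtemp())
    real = os.path.join(root, "problems", "demo")
    fake = os.path.join(root, "home", "user", "problems", "demo")
    os.makedirs(real)
    os.makedirs(fake)
    with open(os.path.join(real, "auth"), "w") as f:
        f.write("no\n")
    with open(os.path.join(fake, "auth"), "w") as f:
        f.write("yes\n")
    old = os.getcwd()
    results = {}
    try:
        for name, cwd in (("install_dir", real), ("lookalike_dir", fake)):
            os.chdir(cwd)
            # (relative check, anchored check) as seen from this cwd
            results[name] = (allowed_relative(), allowed_anchored(real))
    finally:
        os.chdir(old)
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```
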

Internet Kitties

A simple nc connection is enough to get the FLAG:

$ nc shell2017.picoctf.com 58626
Yay! You made it!
Take a flag!
86c3b6dc83b85a2e67f0c163dd525cb0

FLAG

86c3b6dc83b85a2e67f0c163dd525cb0

Piazza

Register on Piazza, which works much like IRC.

FLAG

ask_and_hop3fully_we_can_help

Leaf of the Tree

$ find -name flag
./trunk/trunk47a0/trunk599f/trunk4e66/trunke117/trunk64f5/trunk9721/trunk1e42/flag

cat ./trunk/trunk47a0/trunk599f/trunk4e66/trunke117/trunk64f5/trunk9721/trunk1e42/flag

FLAG

a2916629ba334b79632b6af945131ea2

looooong

To prove your skills, you must pass this test.
Please give me the 'H' character '705' times, followed by a single '3'.
To make things interesting, you have 30 seconds.
Input:

You got it! You're super quick!
Flag: with_some_recognition_and_training_delusions_become_glimpses_fbafb1011720def036b5aa32671f3710

FLAG

with_some_recognition_and_training_delusions_become_glimpses_fbafb1011720def036b5aa32671f3710

Leaf of the Forest

$ find . -name "flag"
./forest/tree3bd8a8/trunkc5a8/trunkc874/trunkb0d5/trunk989b/trunkd500/trunk68dc/trunkd705/branchc164/flag
$ cat ./forest/tree3bd8a8/trunkc5a8/trunkc874/trunkb0d5/trunk989b/trunkd500/trunk68dc/trunkd705/branchc164/flag
e553af78ff1f7a6a428456ac53d837e5

FLAG

e553af78ff1f7a6a428456ac53d837e5

WorldChat

nc shell2017.picoctf.com 44323 | grep "the flag"

03:21:01 flagperson: this is part 1/8 of the flag - 7c20
03:21:04 flagperson: this is part 2/8 of the flag - 77dc
03:21:07 flagperson: this is part 3/8 of the flag - 26c1
03:21:14 flagperson: this is part 4/8 of the flag - 6dc8
03:21:28 flagperson: this is part 5/8 of the flag - 1acd
03:21:30 flagperson: this is part 6/8 of the flag - e49c
03:21:31 flagperson: this is part 7/8 of the flag - d563
03:21:31 flagperson: this is part 8/8 of the flag - 0146

FLAG

7c2077dc26c16dc81acde49cd5630146

Lazy Dev


LEVEL 2


Meta Find Me

Little School Bus

Just keyp Trying

SoRandom