PicoCTF Level1 WriteUp

I got into PicoCTF on my cousin's recommendation; these are my notes on how I solved the challenges.

Tutorial

Tutorial 1

We are given a list and asked for Robin Morris's middle name. A direct search finds Robin Almay Morris.

Tutorial 2

Open the link:

Hey, checkout this super secret message I made, using this cool ROT13
cipher I found online!
Lb, fb unir lbh orra cynlvat gung arj Zrfbcrgf tnzr? Gubfr arj Zrtnybalpuvqnr naq Oenqlcbqvqnr gurl nqqrq ner cerggl pbby. Npghnyyl, V jbhyq tb nf sne nf fnlvat gung vg vf abj zl yvsr'f qrnerfg nzovgvba gb bognva n "Vasyngnoyr Fybgu Zbafgre"!

The message names ROT13 directly, so decrypt it:

Yo, so have you been playing that new Mesopets game? Those new Megalonychidae and Bradypodidae they added are pretty cool. Actually, I would go as far as saying that it is now my life's dearest ambition to obtain a "Inflatable Sloth Monster"!

The flag is Inflatable Sloth Monster

Tutorial 3

These are a few of my favorite things!
7A3B00
6000C7
67C700
42FFFC
C70002
0003C7
007A78

Just pick out the value that is red. Tool: http://www.atool.org/colorpicker.php
flag: C70002

Level1

Web

What Is Web

An introductory view-source challenge; the flag is split into 3 parts.

In the HTML: <!-- The first part of the flag (there are 3 parts) is fab79c49d9e -->
In the CSS: The second part of the flag is 5ba511a0f24
In the JS: * The final part of the flag is 36308e33e85

Joined together, the flag is: fab79c49d9e5ba511a0f2436308e33e85

Reverse

Hex2Raw

In the CLI window alongside, cd into the challenge folder and run ls; it contains hex2raw.

$ ./hex2raw
Give me this in raw form (0x41 -> 'A'):
416f1c7918f83a4f1922d86df5e78348
You gave me:

The challenge is called hex to raw, so the string passed in should be the hex-decoded bytes; use Python's decode() function.

$ python -c "print('416f1c7918f83a4f1922d86df5e78348'.decode('hex'))" | ./hex2raw
Give me this in raw form (0x41 -> 'A'):
416f1c7918f83a4f1922d86df5e78348
You gave me:
416f1c7918f83a4f1922d86df5e78348
Yay! That's what I wanted! Here be the flag:
1d2411efe307f5ac07bd28bbabb5769e

flag: 1d2411efe307f5ac07bd28bbabb5769e

Raw2Hex

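It starts out like the previous challenge, but the program prints a pile of garbage characters. The challenge is raw to hex, so Linux's built-in xxd command can output the hex-encoded string.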

$ ./raw2hex | xxd -p
54686520666c61672069733aff9a4fdb6995b557590a742b0e685bd3

flag: 54686520666c61672069733aff9a4fdb6995b557590a742b0e685bd3
xxd command reference: http://www.360doc.com/content/12/1228/14/3038654_256776082.shtml

Forensics

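Digital Camouflage

The challenge provides a pcap file. Open it in Wireshark and extract all the HTML files.
Found main.html: userid=spiveyp&pswrd=S04xWjZQWFZ5OQ%3D%3D
URL-decoding pswrd gives S04xWjZQWFZ5OQ==. The double equals sign and the mixed case point to base64; decoding it gives the flag.
flag: KN1Z6PXVy9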
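
The two decoding steps above (URL-decode, then base64) as an added example that is not part of the original write-up; it also shows how to flag any captured parameter whose "protection" is only base64. The function name is made up for illustration, and the input is the parameter string quoted above.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Parameter string exactly as quoted in the write-up above.
CAPTURED_PARAMS = "userid=spiveyp&pswrd=S04xWjZQWFZ5OQ%3D%3D"


def base64_fields(params):
    """Return {field: decoded text} for values that are really just base64.

    parse_qs does the URL-decoding step (%3D becomes '='). A value is reported
    only if it has base64's alphabet and padding and decodes to printable ASCII.
    """
    found = {}
    for name, values in parse_qs(params, keep_blank_values=True).items():
        for value in values:
            if len(value) < 4 or len(value) % 4:
                continue  # base64 text is always a multiple of 4 characters
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # wrong alphabet or padding, or binary output
            if text.isprintable():
                found[name] = text
    return found


if __name__ == "__main__":
    for field, text in base64_fields(CAPTURED_PARAMS).items():
        print(f"{field}: base64 only, decodes to {text!r}")
```

Only pswrd is reported: userid is not valid base64, so it is left alone.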

Special Agent User

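As in the previous challenge we get a pcap file. The hint says to find the browser name and version in the User-Agent HTTP header; filter for the HTTP traffic and read it off to get the flag.
flag: Special Agent User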

Cryptography

Substitute

A wizard (he seemed kinda odd...) handed me this. Can you figure out what it says?
HINTS
There are tools that make this easy this.
MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL. UTFTKAMTR ZB DAKQGX EIAOF GY MIT COQOHTROA HAUT GF EASXOF AFR IGZZTL. ZT CTKT SGFU, MIT YSACL GF A 2005 HKTLTFM MODTL MIAF LMADOFA GK A CTTQSB LWFRAB, RTETDZTK 21, 1989 1990, MIT RKTC TROMGKL CAL WHKGGMTR TXTKB CGKSR EAF ZT YGWFR MIT EGFMOFWTR MG CGKQ AM A YAOMIYWS KTHSOTL CITKT IGZZTL, LMBST AOD EASXOF, AMMAEQ ZGMI LORTL MG DAKQL, "CIAM RG EGFMKGSSOFU AF AEMWAS ZGAKR ZGVTL OF MIT HKTHAKTFML FADT, OL ODHWSLOXT KADHAUTL OF CIOEI ASCABL KTYTKTFETL MIT HALLCGKR, CIOEI DGFTB, AFR MITB IAR SOMMST YKGFM BAKR IOL YKWLMKAMTR EGSGK WFOJWT AZOSOMB COMI AFR OFROLHTFLAMT YGK MTAEI GMITK LMWROTL, AKT ACAKRL ZARUTL, HWZSOLITR ZTYGKT CTSS AL A YOKT UKGLL HSAFL CTKT GKOUOFASSB EIAKAEMTKL OF MIT LMKOH MG CIOEI LTTD MG OM CITF MTDHTKTR OF AFR IASSGCOFU MITB'KT LODHSB RKACOFU OF UOXTL GF" HKOFEOHAS LHOMMST ROLMGKM, KTARTKL EGDOEL AKT WLT, CAMMTKLGF MGGQ MCG 16-DGFMIL AYMTK KTLOLMAQTL A DGKT EKTAM RTAS MG EASXOF GYMTF IGZZTL MG ARDOML "LSODB, "ZWM OM'L FADTR A FOUIM GWM LIT OL HGOFM GY FGM LTTF IGZZTL MIT ZGGQL AM MIAM O KTDAOFOFU ZGGQ IADLMTK IWTB AKT AHHTAKAFET: RTETDZTK 6, 1995 DGD'L YKADTL GY EASXOF UOXTF A CAUGF, LGDTMODTL MIAM LG OM'L YAMITKT'L YADOSB FG EAFETSSAMOGFLIOH CAL HKTLTFML YKGD FGXTDZTK 21, 1985 SALM AHHTAK AZLTFET OF AFGMITKCOLT OM IAHHB MG KWF OM YGK MIOL RAR AL "A SOMMST MG MGSTKAMT EASXOF'L YADOSB RKACF ASDGLM EGDDTFRTR WH ZTOFU HTGHST OFLMAFET, UTM DAKKOTR ZB A RAFET EASXOF'L GWMSAFROLOFU MIT FTCLHAHTK GK MAZSGOR FTCLHAHTK ZWLOFTLL LIGC OL GF!" 
AFR LHKOFML GY EIOSRKTF'L RAR'L YKWLMKAMTR ZB MWKF IWDGK, CAL HWZSOE ROASGU MITKT'L FGM DWEI AL "'94 DGRTKFOLD" CAMMTKLGF IAL RTSOUIML GY YAFMALB SOYT CAMMTKLGF LABL LTKXTL AL AF AKMOLML OL RTLMKWEMOGF ZWLOFTLL, LHAETYAKTK GY MIT GHHGKMWFOMOTL BGW ZGMI A MGHOE YGK IOL IGDT MGFUWT-OF-EITTQ HGHWSAK MIAM OM CAL "IGF" AFR JWAKMTK HAUT DGKT LHAEOGWL EAFETSSAMOGF MIT HAOK AKT ESTAKSB OF HLBEIOE MKAFLDGUKOYOTK'L "NAH" LGWFR TYYTEM BGW MIOFQTK CAMMTKLGF ASLG UKTC OFEKTROZST LHAET ZWBL OF EGDDGFSB CIOST GMITKCOLT OM'L FADT OL FGMAZST LMGKBSOFT UAXT MIT GHHGKMWFOMOTL BGW EAFETSSAMOGF MIT "EASXOF GYYTK MG DAQT IOD OFEGKKTEM AFLCTKL CAMMTK AKMCGKQ GMITK GYMTF CIOEI OL TXORTFM MG GMITK LMKOH OL MG MITOK WLT GY KWSTL MIAM LIGCF GF LAFROYTK, CIG WLTL A EKGCJWOSS ZT LTTF "USWTR" MG MIT GFSB HTKL AFR IOL YAMITK LWHHGKM OL SWFEISOFT UAXT MITLT MIOF A BTAK OF DWSMODAMTKOAS AFR GZMAOF GF LAFMALB, IOL WLT, CAMMTKL ROASGUWT OL AF "AKMOLM'L LMAMWL AL "A ROD XOTC OF MIT TLLTFMOASSB MG DAQT IOD LTTD MG OFESWRTR MIAM EASXOF OL AF GRR ROASGUWT DGLM GY MIT ESWZ IAL TVHKTLLOGF GWMLORT AXAOSAZST MG

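"Substitution" means replacing one thing with another, so this is presumably a simple substitution cipher, which a tool can break directly.

Online tool: http://quipqiup.com/

flag: IFONLYMODERNCRYPTOWASLIKETHIS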

Hash101

Challenge:

Prove your knowledge of hashes and claim a flag as your prize! Connect to the service at shell2017.picoctf.com:9661
UPDATED 16:12 EST 1 Apr.
HINTS
All concepts required to complete this challenge, including simple modular math, are quickly found by googling :)

Connect with nc to the given address and port.

windylh@shell-web:~$ nc shell2017.picoctf.com 9661
Welcome to Hashes 101!
There are 4 Levels. Complete all and receive a prize!
-------- LEVEL 1: Text = just 1's and 0's --------
All text can be represented by numbers. To see how different letters t
ranslate to numbers, go to http://www.asciitable.com/
TO UNLOCK NEXT LEVEL, give me the ASCII representation of 011011000110
111101110110011001010110110001111001
>lovely
Correct! Completed level 1

Level 1 is a simple binary-to-ASCII conversion.

------ LEVEL 2: Numbers can be base ANYTHING -----
Numbers can be represented many ways. A popular way to represent compu
ter data is in base 16 or 'hex' since it lines up with bytes very well
(2 hex characters = 8 binary bits). Other formats include base64, bin
ary, and just regular base10 (decimal)! In a way, that ascii chart rep
resents a system where all text can be seen as "base128" (not includin
g the Extended ASCII codes)
TO UNLOCK NEXT LEVEL, give me the text you just decoded, lovely, as it
s hex equivalent, and then the decimal equivalent of that hex number (
"foo" -> 666f6f -> 6713199)
hex>6c6f76656c79
Good job! 6c6f76656c79 to ASCII -> lovely is lovely
Now decimal
dec>119225983528057
Good job! 119225983528057 to Hex -> 6c6f76656c79 to ASCII -> lovely is
lovely
Correct! Completed level 2

Level 2 converts lovely to hexadecimal and then to decimal; enter each in turn.

----------- LEVEL 3: Hashing Function ------------
A Hashing Function intakes any data of any size and irreversibly trans
forms it to a fixed length number. For example, a simple Hashing Funct
ion could be to add up the sum of all the values of all the bytes in t
he data and get the remainder after dividing by 16 (modulus 16)
TO UNLOCK NEXT LEVEL, give me a string that will result in a 13 after
being transformed with the mentioned example hashing function
>g
incorrect. sum of all characters = 103 mod 16 = 7 does not equal 13
>h
incorrect. sum of all characters = 104 mod 16 = 8 does not equal 13
>x
incorrect. sum of all characters = 120 mod 16 = 8 does not equal 13
>m
Correct! Completed level 3

Sum the ASCII codes of the input string and take the result modulo 16; it just has to equal the target number.

Correct! Completed level 3
--------------- LEVEL 4: Real Hash ---------------
A real Hashing Function is used for many things. This can include chec
king to ensure a file has not been changed (its hash value would chang
e if any part of it is changed). An important use of hashes is for sto
ring passwords because a Hashing Function cannot be reversed to find t
he initial data. Therefore if someone steals the hashes, they must try
many different inputs to see if they can "crack" it to find what pass
word yields the same hash. Normally, this is too much work (if the pas
sword is long enough). But many times, people's passwords are easy to
guess... Brute forcing this hash yourself is not a good idea, but ther
e is a strong possibility that, if the password is weak, this hash has
been cracked by someone before. Try looking for websites that have st
ored already cracked hashes.
TO CLAIM YOUR PRIZE, give me the string password that will result in t
his MD5 hash (MD5, like most hashes, are represented as hex digits):
ac2f556a0eb415745b31e14a91d55d75
>muc1d
Correct! Completed level 4
You completed all 4 levels! Here is your prize: c3ee093f26ba147ccc451f
d13c91ffce

We are given an MD5 hash; just recover the string behind it.

flag: c3ee093f26ba147ccc451fd13c91ffce
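
Levels 1 to 3 worked through in Python, as an added example that is not part of the original write-up. The function names are made up for illustration; the inputs are the values from the transcript above. The last function goes one step further than the transcript and lists every single printable character that satisfies the level 3 toy hash, which shows how weak sum-mod-16 is.

```python
import string


def bits_to_text(bits):
    """Level 1: split a bit string into 8-bit groups and decode as ASCII."""
    bits = "".join(bits.split())  # the service wraps long lines mid-number
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def text_to_hex_and_dec(text):
    """Level 2: the same bytes written as hex, then read as one big-endian integer."""
    raw = text.encode("ascii")
    return raw.hex(), int.from_bytes(raw, "big")


def toy_hash(data):
    """Level 3: the service's example hash, sum of all byte values modulo 16."""
    return sum(data.encode("ascii")) % 16


def single_char_preimages(target):
    """All printable, non-space ASCII characters whose toy hash equals target."""
    candidates = string.digits + string.ascii_letters + string.punctuation
    return "".join(sorted(c for c in candidates if toy_hash(c) == target))


if __name__ == "__main__":
    word = bits_to_text("011011000110\n111101110110011001010110110001111001")
    print(word)
    print(text_to_hex_and_dec(word))
    print(single_char_preimages(13))
    # Appending a byte that is a multiple of 16 ('0' is 48) never changes the
    # toy hash, so every preimage has unlimited longer collisions.
    print(toy_hash("m"), toy_hash("m0"), toy_hash("m00"))
```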

computeAES

Encrypted with AES in ECB mode. All values base64 encoded
ciphertext = R9TacKHy6cf1AZho/nwWWYaNzP5GfltKE5yW+kwRYe0LY+PdGk1hfoanS/iVZ7z1
key = azdvtH4bvfdS/mryKLTNqQ==

The challenge says the data was encrypted with AES in ECB mode and that the values are base64-encoded.

Decrypt it directly with a Python script.

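import base64
from Crypto.Cipher import AES  # PyCryptodome (or the older PyCrypto)

# Both values are given base64-encoded in the challenge
key = base64.b64decode("azdvtH4bvfdS/mryKLTNqQ==")
ciphertext = base64.b64decode("R9TacKHy6cf1AZho/nwWWYaNzP5GfltKE5yW+kwRYe0LY+PdGk1hfoanS/iVZ7z1")

# ECB mode takes no IV: each 16-byte block is decrypted independently
cipher = AES.new(key, AES.MODE_ECB)
flag = cipher.decrypt(ciphertext)
print(flag)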

MASTER CHALLENGE

Lazy Dev

The challenge prompts for a password. Entering anything returns "Nah, that's not it". Viewing the page source reveals a JS script.

//Validate the password. TBD!
function validate(pword){
  //TODO: Implement me
  return false;
}
//Make an ajax request to the server
function make_ajax_req(input){
  var text_response;
  var http_req = new XMLHttpRequest();
  var params = "pword_valid=" + input.toString();
  http_req.open("POST", "login", true);
  http_req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  http_req.onreadystatechange = function() {//Call a function when the state changes.
    if(http_req.readyState == 4 && http_req.status == 200) {
      document.getElementById("res").innerHTML = http_req.responseText;
    }
  }
  http_req.send(params);
}
//Called when the user submits the password
function process_password(){
  var pword = document.getElementById("password").value;
  var res = validate(pword);
  var server_res = make_ajax_req(res);
}

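The password we enter is checked by validate(), but validate() only ever returns false. Chrome's console can call the page's JS functions, so we assign the value directly, making res=true, to bypass validate().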

1mc

flag: client_side_is_the_dark_side0c97381c155aae62b9ce3c59845d6941
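
Why the bypass works, seen from the server side, as an added example that is not the challenge's code (the server is not shown anywhere on the page). login_vulnerable is a hypothetical model of a handler that trusts the pword_valid field sent by the script above; login_hardened, the password field name, and the stored credential are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

DENIED = "Nah, that's not it"
GRANTED = "<flag>"  # placeholder for whatever the server would return

# Constructed credential store for the demo: salted PBKDF2 of a sample password.
_SALT = os.urandom(16)


def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


_STORED = _derive("constructed-sample-password")


def login_vulnerable(form):
    """Hypothetical model of the flaw: the server believes the client's verdict."""
    return GRANTED if form.get("pword_valid") == "true" else DENIED


def login_hardened(form):
    """The server receives the password itself and performs the check."""
    supplied = form.get("password", "")
    # Any pword_valid field is ignored: nothing computed in the browser is trusted.
    if hmac.compare_digest(_derive(supplied), _STORED):
        return GRANTED
    return DENIED


if __name__ == "__main__":
    forged = {"pword_valid": "true"}  # what the page's script sends once res is true
    print(login_vulnerable(forged))
    print(login_hardened(forged))
    print(login_hardened({"password": "constructed-sample-password"}))
```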