Showing posts with the label PicoCTF Write-up

PicoCTF - Matryoshka doll

In a forensics challenge built around an image, it is common to start with a standard set of tools to look for the flag. First, Exiftool, which gives access to the metadata (the additional information stored in an image), but here it returns nothing very interesting. Then strings, which lists all the readable characters in the file, but once again no flag. We can also use another tool to check the layers, but the answer lies elsewhere.

The solution: binwalk reads the signatures in the file, and its output shows that the image is also a zip-compressed file. So we can unzip the image and get another image of a smaller doll. You will have understood the reasoning: keep unzipping each image until you get a text file, the flag.
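The unzip-until-text loop described above can be automated. This is an added example, not code from the original post: the sample "doll" is constructed in memory (placeholder image bytes with a zip appended), and the function names, size limit and depth limit are assumptions.

```python
import io
import zipfile

MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse members declaring more than 50 MiB


def build_nested_sample(depth, flag):
    """Constructed test input: placeholder image bytes with a zip appended, nested `depth` times."""
    name, payload = "flag.txt", flag.encode()
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        # JPEG-like markers around filler; not a real image, only a carrier.
        payload = b"\xff\xd8\xff\xe0" + b"FAKE-IMAGE-%d" % level + b"\xff\xd9" + buf.getvalue()
        name = "doll_%d.jpg" % level
    return payload


def unwrap(data, max_depth=32):
    """Open archive-in-image layers in memory; return (layers_opened, inner_name, inner_bytes)."""
    name = "<input>"
    for depth in range(max_depth):
        stream = io.BytesIO(data)
        if not zipfile.is_zipfile(stream):
            return depth, name, data  # no archive left: this is the innermost payload
        with zipfile.ZipFile(stream) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) != 1:
                raise ValueError("layer %d: expected 1 file, found %d" % (depth, len(members)))
            if members[0].file_size > MAX_MEMBER_SIZE:
                raise ValueError("layer %d: declared size too large" % depth)
            name, data = members[0].filename, zf.read(members[0])
    raise RuntimeError("still nested after %d layers" % max_depth)


if __name__ == "__main__":
    sample = build_nested_sample(4, "FLAG{constructed_example}")
    layers, inner_name, inner = unwrap(sample)
    print(layers, inner_name, inner.decode())
```

Everything stays in memory, and the depth and size limits stop a deliberately deep or oversized archive from exhausting the analysis machine.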

PicoCTF - keygenme-py - Reverse

Looking at the keygenme-trial.py

Instead of running the script right away, it is best practice to read the source code, right?

```python
username_trial = "GOUGH"
bUsername_trial = b"GOUGH"

key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial
```

This will become obvious later. Next, of course, the flag, or as it is called here, the key. It is composed of two static parts and a dynamic part:

```python
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial
```

Great… maybe we can have a look at how the dynamic part is generated?

Dynamic key

To check the validity of the dynamic key, the following function is used:

```python
def check_key(key, username_trial):
    global key_full_template_trial
    if len(key) != len( ...
```

PicoCTF - Static ain't always noise - general

After downloading the two files, take a look at the bash file.

```bash
#!/bin/bash

echo "Attempting disassembly of $1 ..."

#This usage of "objdump" disassembles all (-D) of the first file given by
#invoker, but only prints out the ".text" section (-j .text) (only section)
#that matters in almost any compiled program...

objdump -Dj .text $1 > $1.ltdis.x86_64.txt

#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
	echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

	echo "Ripping strings from binary with file offsets..."
	strings -a -t x $1 > $1.ltdis.strings.txt
	echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"

else
	echo "Disassembly failed!"
	echo "Usage: ltdis.sh <program-file>"
	...
```

PicoCTF crypto challenge - Mind your Ps and Qs

Description

In RSA, a small e value can be problematic, but what about N? Can you decrypt this?

Values format:

C = ciphertext
p and q = prime numbers
n = p * q
phi = (p-1) * (q-1)
e = some number such that 1 < e < phi and gcd(e, phi) == 1
d = e^(-1) mod phi

```python
#!/usr/bin/env python3
from factordb.factordb import FactorDB
import gmpy2

c = 240986837130071017759137533082982207147971245672412893755780400885108149006
n = 83141682808041786634050496818899003281031619353365351602217578439972014107627
e = 65537

# Look up the factors of n in FactorDB (requires network access)
f = FactorDB(n)
f.connect()
p, q = f.get_factor_list()

# With p and q known, the private exponent follows from the formulas above
ph = (p - 1) * (q - 1)
d = gmpy2.invert(e, ph)

# Decrypt and decode the plaintext integer as text
plaintext = pow(c, d, n)
print("Flag: {}".format(bytearray.fromhex(format(plaintext, 'x')).decode()))
```

PicoCTF web challenge - get_ahead

Two options

When you look into the HTML file you can see two different options: 'GET' / 'POST'.

```
┌─[visith@parrot]─[~/Desktop/CTF/picoctf/get_ahead]
└──╼ $curl -I http://mercury.picoctf.net:47967/ 'GET'
HTTP/1.1 200 OK
flag: picoCTF{r3j3ct_th3_du4l1ty_cca66bd3}
Content-type: text/html; charset=UTF-8

curl: (6) Could not resolve host: GET
┌─[✗]─[visith@parrot]─[~/Desktop/CTF/picoctf/get_ahead]
└──╼ $curl -I http://mercury.picoctf.net:47967/ 'POST'
HTTP/1.1 200 OK
flag: picoCTF{r3j3ct_th3_du4l1ty_cca66bd3}
Content-type: text/html; charset=UTF-8

curl: (6) Could not resolve host: POST
```

curl -I sends a HEAD request, and the flag comes back as a response header. The trailing 'GET' or 'POST' argument is treated by curl as a second URL, which is why each run ends with "Could not resolve host".

PicoCTF - forensics (information)

When you download the JPEG file you can see a nice little cat. But the hints say to look into the picture details. So you need to install a tool called exif and look into that. I found a suspicious thing in the License tag that looks like base64.

```
visith@ubuntu:~/Desktop/ctf/picoctf/forensics/information$ exiftool cat.jpg
ExifTool Version Number         : 11.88
File Name                       : cat.jpg
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
visith@ubuntu:~/Desktop/ctf/picoctf/forensics/information$ echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d
picoCTF{the_m3tadata_1s_modified}
visith@ubuntu:~/Desktop/ctf/picoctf/forensics/information$
```

PicoCTF - binary exploitation (stonks)

First look at the file 'vuln.c'.

vuln.c file:

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FLAG_BUFFER 128
#define MAX_SYM_LEN 4

typedef struct Stonks {
	int shares;
	char symbol[MAX_SYM_LEN + 1];
	struct Stonks *next;
} Stonk;

typedef struct Portfolios {
	int money;
	Stonk *head;
} Portfolio;

int view_portfolio(Portfolio *p) {
	if (!p) {
		return 1;
	}
	printf("\nPortfolio as of ");
	fflush(stdout);
	system("date"); // TODO: implement this in C
	fflush(stdout);

	printf("\n\n");
	Stonk *head = p->head;
	if (!head) {
		printf("You don't own any stonks!\n");
	}
	while (head) {
		printf("%d shares of %s\n", head->shares, head->symbol);
		head = head->next;
	}
	retu...
```

PicoCTF - Reverse engineering (transformation)

Here you can use two methods to recover this flag. You can simply use the CyberChef online decoder, or you can write a Python decode script:

```python
# Each character of the encoded string packs two bytes of the flag;
# encoding it as big-endian UTF-16 yields those bytes again.
decode = '灩捯䍔䙻ㄶ形楴獟楮獴㌴摟潦弸彥ㄴㅡて㝽'
print(decode.encode('utf-16-be'))
```

PicoCTF - general skills (wave the flag)

```
visith@ubuntu:~/Desktop/ctf/picoctf/general/wave the flag$ chmod +x warm
visith@ubuntu:~/Desktop/ctf/picoctf/general/wave the flag$ ./warm
Hello user! Pass me a -h to learn what I can do!
visith@ubuntu:~/Desktop/ctf/picoctf/general/wave the flag$ ./warm -h
Oh, help? I actually don't do much, but I do have this flag here: picoCTF{b1scu1ts_4nd_gr4vy_18788aaa}
```

PicoCTF - General skills (python wrangling)

First download ende.py and read the file.

```
visith@ubuntu:~/Desktop/ctf/picoctf/general/python wrangling$ python3 ende.py -d flag.txt.en
Please enter the password:dbd1bea4dbd1bea4dbd1bea4dbd1bea4
picoCTF{4p0110_1n_7h3_h0us3_dbd1bea4}
```

PicoCTF - General skills (nice netcat..)

```
visith@ubuntu:~/Desktop/ctf/picoctf/general/nice netcat$ nc mercury.picoctf.net 22902
112
105
99
111
67
84
```

The hints say these numbers are ASCII, so you can use an online decoder to convert them.

picoCTF{g00d_k1tty!_n1c3_k1tty!_d3dfd6df}

PicoCTF - Cryptography (Mod 26)

This post is still being updated; other challenges are coming soon.

Use an online ROT13 decrypter, or use the command line:

```
visith@visith-VirtualBox:~/Documents/Picoctf/Obedient Cat$ echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
picoCTF{next_time_I'll_try_2_rounds_of_rot13_TLcKBUdK}
visith@visith-VirtualBox:~/Documents/Picoctf/Obedient Cat$
```

Adding the tr command to the .bashrc file as an alias (from Stack Overflow):

```
alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
```

Now you can just call:

```
visith@visith-VirtualBox:~/Documents/Picoctf/Obedient Cat$ echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}" | rot13
picoCTF{next_time_I'll_try_2_rounds_of_rot13_TLcKBUdK}
```

PicoCTF - General skills (Obedient cat)

```
visith@visith-VirtualBox:~/Documents/Picoctf/Obedient Cat$ cat flag
picoCTF{s4n1ty_v3r1f13d_28e8376d}
```