picoCTF is a beginner friendly Capture the Flag game that mainly targets middle school students and high school students. In fact, it was easy enough for me to finish the whole problem set. So, if anyone is interested in CTFs and needs a boost in confidence, I suggest visiting problems from picoCTF. Below are some of my notes to picoMini 2022, feel free to play along.
runme.py
Description:
Run the runme.py script to get the flag. Download the script with your browser or with wget in the webshell.
runme.py
Solution:
Download runme.py and run it using python runme.py.
flag: picoCTF{run_s4n1ty_run}
ncme
Description:
Connect to a remote computer using nc and get the flag.
$ nc saturn.picoctf.net 54554
Solution:
Run nc saturn.picoctf.net 54554, the flag will be given directly.
flag: picoCTF{s4n1ty_c4t}
convertme.py
Description:
Run the Python script and convert the given number from decimal to binary to get the flag.
Download Python script
Solution:
Download convertme.py and run it. The program will prompt you to convert the given number from decimal to binary to get the flag.
flag: picoCTF{4ll_y0ur_b4535_c1aa6329}
Cookbook
Description:
Run the Python script code.py in the same directory as codebook.txt.
Download code.py
Download codebook.txt
Solution:
Download code.py and cookbook.txt. Run code.py and the flag will be given directly.
This problem can be a reverse engineering problem, because the structure of the code isn’t simple.
flag: picoCTF{c0d3b00k_455157_7d102d7a}
fixme1.py
Description:
Fix the syntax error in this Python script to print the flag.
Download Python script
Solution:
Remove the unexpected indentation, then run fixme1.py, the flag will be given directly.
The encryption method in this program is the same compared to the program in Cookbook.
flag: picoCTF{1nd3nt1ty_cr1515_6a476c8f}
fixme2.py
Description:
Fix the syntax error in the Python script to print the flag.
Download Python script
Solution:
Change = to == in code, then run fixme2.py, the flag will be given directly.
This program is almost identical to fixme1.py.
flag: picoCTF{3qu4l1ty_n0t_4551gnm3nt_c12bf751}
PW Crack 1
Description:
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag in the same directory too.
Solution:
The encryption function again is the same. By opening level1.py, we can see that the password is in plain text, f014. Run the program, enter the password, and the flag will be given.
flag: picoCTF{545h_r1ng1ng_6ed6f065}
Glitch Cat
Description:
Our flag printing service has started glitching!
$ nc saturn.picoctf.net 49698
Solution:
After connecting to netcat, we get
'picoCTF{gl17ch_m3_n07_' + chr(0x61) + chr(0x34) + chr(0x33) + chr(0x39) + chr(0x32) + chr(0x64) + chr(0x32) + chr(0x65) + '}', which is a line of Python code. chr() converts hexadecimals into characters. By running this line of code in the Python console, we now have the flag.
flag: picoCTF{gl17ch_m3_n07_a4392d2e}
PW Crack 2
Description:
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag in the same directory too.
Solution:
Open level.py, we can see the password written in hexadecimals. Convert using an ASCII table, the password is b707.
flag: picoCTF{tr45h_51ng1ng_f21caf8e}
HashingJobApp
Description:
If you want to hash with the best, beat this test!
nc saturn.picoctf.net 57329
Solution:
After connecting to netcat, the program prompts us to input the hash of 3 strings. I used an online tool to produce MD5 hash.
flag: picoCTF{4ppl1c4710n_r3c31v3d_d98bfcb7}
Serpentine
Description:
Find the flag in the Python script!
Download Python script
Solution:
Open serpentine.py, option b has been replaced with a piece of dummy text. Change the dummy text into function print_flag(), the flag will be given once we run the program.
flag: picoCTF{7h3_r04d_l355_7r4v3l3d_1414d511}
PW Crack 3
Description:
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too. There are 7 potential passwords with 1 being correct. You can find these by examining the password checker script.
Solution:
Open level3.py, there is a list of 7 keys to choose as the passcode for the program. The correct passcode’s hash value should be identical to the hash value stored in level3.hash.bin. To view .bin file, I used bvi, which is a command line tool.
This program uses hashlib.
flag: picoCTF{m45h_fl1ng1ng_dda9c5d4}
PW Crack 4
Description:
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too. There are 100 potential passwords with only 1 being correct. You can find these by examining the password checker script.
Solution:
This time, instead of 7 keys, there are 100. Since it would be very time consuming to test out the hash for each key, we can write a for loop that encapsulates the main logic of level_4_pw_check():
for user_pw in pos_pw_list:
user_pw_hash = hash_pw(user_pw)
if( user_pw_hash == correct_pw_hash ):
print("Welcome back... your flag, user:")
decryption = str_xor(flag_enc.decode(), user_pw)
print(decryption)
return
print("That password is incorrect")Remember to comment out the line that reads user input.
flag: picoCTF{fl45h_5pr1ng1ng_ae0fb77c}
PW Crack 5
Description:
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too. Here’s a dictionary with all possible passwords based on the password conventions we’ve seen so far.
Solution:
This program bumps up the number of keys to $2^{16}$, since each key is a four digit hexadecimal. All keys are stored in a single .txt file, so read the file:
dictionary = open('dictionary.txt', 'rb').readlines()Each line of code looks like b'ffff\n'. Use strip() to remove the newline at the end.
Also, remember to convert each line from bytes to string, else there will be an error:
Traceback (most recent call last):
File "level5.py", line 43, in <module>
level_5_pw_check()
File "level5.py", line 32, in level_5_pw_check
user_pw_hash = hash_pw(user_pw)
File "level5.py", line 21, in hash_pw
pw_bytes.extend(pw_str.encode())
AttributeError: 'bytes' object has no attribute 'encode'This is how I modified the check function:
def level_5_pw_check():
# user_pw = input("Please enter correct password for flag: ")
for user_pw in dictionary:
user_pw = user_pw.strip().decode("utf-8")
user_pw_hash = hash_pw(user_pw)
if( user_pw_hash == correct_pw_hash ):
print("Welcome back... your flag, user:")
decryption = str_xor(flag_enc.decode(), user_pw)
print(decryption)
return
print("That password is incorrect")flag: picoCTF{h45h_sl1ng1ng_b7de2d73}