PicoCTF 2018, part 11 through 20


Introduction

This is a continuation of the series on the PicoCTF 2018 challenges I have completed so far. You can find the previous write-up here. You can find a collection of other write-ups in this series on the home page or through the related posts below this post.

Grep 1 (75 points)


This challenge hints at using the grep command.

Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_2_ee2b29d2f2b29c65db957609a3543418 on the shell server.

We can use grep in several ways; however, I simply redirect the file into grep CTF and voilà: the flag.

grep CTF < file

flag: picoCTF{grep_and_you_will_find_42783683}

Net Cat (75 points)


This one is rather self-explanatory...

Using netcat (nc) will be a necessity throughout your adventure. Can you connect to 2018shell.picoctf.com at port 37721 to get the flag?

nc 2018shell.picoctf.com 37721

flag: picoCTF{NEtcat_iS_a_NEcESSiTy_0b4c4174}

HEEEEEEERE'S Johnny! (100 points)


We get a couple of download links to a passwd and shadow file, with information to connect to a server that asks us for a username and password.

Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 42165. Files can be found here: passwd shadow.

I'm assuming that the username and password we need for this connection reside in the passwd and shadow files. If that is the case, we can also assume that root is the username. Nice! For the password we could try to use John the Ripper to crack the password with a dictionary attack.

$ john --wordlist=../../rockyou.txt shadow
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
hellokitty       (root)
1g 0:00:00:00 100% 1.234g/s 355.5p/s 355.5c/s 355.5C/s alyssa..brenda

We can now try to connect to the server that was specified in the problem description. When we do, it immediately presents us with the flag!

$ nc 2018shell.picoctf.com 42165
Username: root
Password: hellokitty
picoCTF{J0hn_1$_R1pp3d_5f9a67aa}

flag: picoCTF{J0hn_1$_R1pp3d_5f9a67aa}

Strings (100 points)


The challenge asks you to find the flag in an ELF binary without executing it, which implies using strings.

Can you find the flag in this file without actually running it? You can also find the file in /problems/strings_4_40d221755b4a0b134c2a7a2e825ef95f on the shell server.

This one is a bit obvious if you know the strings command, but could teach novice Linux users about one of the most valuable commands in reversing (in my opinion). The strings command allows you to list every string of readable characters in a file. When you combine this with grep, you can quickly find the flag in this binary file - which is conveniently also called strings.

$ strings strings | grep CTF
YzOejwCTF3GVzbdb8PkOKp1cKvAwEUvRSOLLm1yFFETiT
picoCTF{sTrIngS_sAVeS_Time_d3ffa29c}
7Oqu9T7p8SAoQcOcQVHM46k1xpt1M6Iu2ag4dw1OFCTFRbv6

flag: picoCTF{sTrIngS_sAVeS_Time_d3ffa29c}

Pipe (110 points)


In this challenge you are asked to filter the output of the response from 2018shell.picoctf.com at port 44310. It is implied that you need to save the output first.

During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with 2018shell.picoctf.com 44310.

Instead of saving the output first and then searching it for the flag, you can pipe the output of the net cat connection straight into grep. That way, no additional file is needed.

nc 2018shell.picoctf.com 44310 | grep picoCTF

flag: picoCTF{almost_like_mario_a13e5b27}

Inspect Me (125 points)


In this challenge you're expected to inspect a website, implying that you look at its source code.

Inspect this code! http://2018shell.picoctf.com:47428 (link)

When you look at the source code for that page (Ctrl+U) you immediately see the first part of the flag. That wasn't too bad!

<!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->

It seems we need 2 more parts; however, judging by the parts I've found, you need only 2 in total. Anyhow, the next one can be found in the site's stylesheet mycss.css:

/* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_e96dd105} */

Just for completeness, we also check out the myjs.js script; however, in my case it didn't seem to contain any more of the flag:

/* I learned JavaScript! Here's part 3/3 of the flag:  */

For the result, you need only to combine the flag parts into one string.

flag: picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}

Grep 2 (125 points)


This challenge is implied to be more difficult. The assignment is to find the flag in a directory on the shell server, so we need to find the flag in one of the files, probably using grep.

This one is a little bit harder. Can you find the flag in /problems/grep-2_2_413a577106278d0711d28a98f4f6ac28/files on the shell server? Remember, grep is your friend.

I don't think this challenge is much more difficult than Grep 1. Once we connect to the server and change to the files directory that contains our flag, we can use grep recursively to find it. I connect to the shell through SSH, using ssh username@2018shell4.picoctf.com, and execute the following commands:

cd /problems/grep-2_2_413a577106278d0711d28a98f4f6ac28/files
grep -r "picoCTF"
> files7/file9:picoCTF{grep_r_and_you_will_find_8eb84049}

flag: picoCTF{grep_r_and_you_will_find_8eb84049}

Aca-Shell-A (150 points)


This challenge wants you to connect to a particularly weird shell to find the flag.

It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with nc 2018shell.picoctf.com 42334.

In all honesty, this challenge was extremely silly. It gives you the idea that you're some elite hacker that is being helped by some other entity that is speaking to you through the terminal. It/he/she claims it can only see your output. If you carefully follow its instructions, you get the flag; not a challenge.

The following commands should be executed on the server in order to obtain the flag:

cd secret
ls # you will get instructions about deleting intel files
rm intel_*
echo 'Drop it in!'
cd ..
cd executables # because cd ../executables does not work...
./dontLookHere # you'll see craphex on your screen...
whoami 
cd ..
cp /tmp/TopSecret passwords
cd passwords
cat TopSecret

Outputs:

Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself. picoCTF{CrUsHeD_It_d6f202f1}

flag: picoCTF{CrUsHeD_It_d6f202f1}

Client Side Is Still Bad (150 points)


In this problem a user "forgot" his or her password and asks you to help out.

I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8420 (link)

This one teaches you how incredibly insecure client-side software can be, depending on the developer. I often tell my students never to store any sensitive data in their client-side source code. I once saw a student store his database password in a JS file for some reason (in comments); I kept adding rows to his database until he noticed.

The exact same thing is happening in this problem. The JavaScript source code contains a function that verifies the password that was entered:

  function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(split*7, split*8) == '}') {
      if (checkpass.substring(split*6, split*7) == '06ac') {
        if (checkpass.substring(split*5, split*6) == 'd_5e') {
         if (checkpass.substring(split*4, split*5) == 's_ba') {
          if (checkpass.substring(split*3, split*4) == 'nt_i') {
            if (checkpass.substring(split*2, split*3) == 'clie') {
              if (checkpass.substring(split, split*2) == 'CTF{') {
                if (checkpass.substring(0,split) == 'pico') {
                  alert("You got the flag!")
                  }
                }
              }

            }
          }
        }
      }
    }
    else {
      alert("Incorrect password");
    }
  }

In this less-than-pretty code you will see some amazing high-tech checks that verify the password in 8 steps, each comparing a 4-character slice against a literal. You can simply read the literals from bottom to top and get the password, which incidentally is the flag.

flag: picoCTF{client_is_bad_5e06ac}
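
As an added example (not code from the challenge or from this write-up), the following Node.js script shows how a code reviewer could flag this pattern automatically: it finds substring-versus-literal comparisons in a script and reassembles what they expose to anyone who views the source. The function names and the constructed SAMPLE input, with its dummy secret, are assumptions made for illustration.

```javascript
// Added example: flag client-side checks that compare input slices to literals.
// SAMPLE is constructed for illustration (same style as the check above, dummy secret).
const SAMPLE = `
function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(split*2, split*3) == 'ret!') {
    if (checkpass.substring(split, split*2) == '_sec') {
      if (checkpass.substring(0,split) == 'demo') { alert("ok"); }
    }
  }
}`;

// Evaluate the offset forms this pattern uses: "0", "split", "split*N".
function evalOffset(expr, vars) {
  return expr.split('*').reduce((acc, term) => {
    const tok = term.trim();
    if (/^\d+$/.test(tok)) return acc * Number(tok);
    if (Object.prototype.hasOwnProperty.call(vars, tok)) return acc * vars[tok];
    throw new Error(`unsupported offset term: ${tok}`);
  }, 1);
}

function findLeakedLiteral(source) {
  // Collect simple numeric assignments such as "split = 4;".
  const vars = {};
  for (const m of source.matchAll(/\b([A-Za-z_$][\w$]*)\s*=\s*(\d+)\s*;/g)) {
    vars[m[1]] = Number(m[2]);
  }
  // Match  x.substring(a, b) == 'literal'  (also === and double quotes).
  const re = /\.substring\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)\s*===?\s*(['"])(.*?)\3/g;
  const parts = [];
  for (const m of source.matchAll(re)) {
    parts.push({ start: evalOffset(m[1], vars), end: evalOffset(m[2], vars), text: m[4] });
  }
  // Order fragments by where they sit in the input, not where they appear in the code.
  parts.sort((a, b) => a.start - b.start);
  // Contiguous: the first fragment starts at 0 and each next one starts where the last ended.
  const contiguous = parts.length > 0 &&
    parts.every((p, i) => p.start === (i === 0 ? 0 : parts[i - 1].end));
  return { fragments: parts.length, contiguous, recovered: parts.map((p) => p.text).join('') };
}

console.log(findLeakedLiteral(SAMPLE));
```

Any non-zero fragment count on a script that ships to the browser is the finding; the remedy is to move the comparison to the server so the expected value never reaches the client.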

Desrouleaux (150 points)


I need to help out the network administrator with some handling of incidents and am provided with a net cat connection string and a JSON file named incidents.json.

Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 10493. incidents.json

This one was a bit of a pain, but manageable; you were asked three questions that were based on the incidents.json input file. All these questions were answerable with a bit of minor data analysis. I used a Python script to answer the questions for me; however, I'll show the complete net cat I/O first.

nc 2018shell.picoctf.com 10493
# You'll need to consult the file `incidents.json` to answer the following questions.

# What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
> 167.243.246.96
# Correct!

# How many unique destination IP addresses were targeted by the source IP address 4.178.151.99?
> 3
# Correct!

# What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
> 1.29
# Correct!

# Great job. You've earned the flag: picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}

And now for the (not the prettiest) code that generated these answers based on incidents.json:

import json
from collections import Counter

def avg(x):
    return sum(x) / len(x)

with open("incidents.json") as f_incidents:
    incidents = json.load(f_incidents)

    # visit each incident
    src_ip = Counter()  # most common ip source
    dst_ip = {}         # number of unique destination ips for specific ip source
    snd_ip = {}         # number of unique destination ips per file hash
    for incident in incidents["tickets"]:
        file_hash = incident["file_hash"]
        dst_ip_   = incident["dst_ip"]
        src_ip_   = incident["src_ip"]

        # increment source ip count for this ip
        src_ip[src_ip_] += 1

        # count unique destination ips for 4.178.151.99
        if src_ip_ == "4.178.151.99":
            dst_ip[dst_ip_] = True

        # count unique destination ips for each hash
        if file_hash in snd_ip:
            if dst_ip_ not in snd_ip[file_hash]:
                snd_ip[file_hash].append(dst_ip_)
        else:
            snd_ip[file_hash] = [dst_ip_]

    # calculate the average unique destination ips for hash
    snd_ip_avg = [len(snd_ip[x]) for x in snd_ip]

    # display results 
    print("most common source ip: {:s}".format(src_ip.most_common(1)[0][0]))
    print("len dst_ip: {:d}".format(len(dst_ip)))
    print("avg unique: {:.2f}".format(avg(snd_ip_avg)))

When all answers are correct (your questions may vary), we get the flag.

flag: picoCTF{J4y_s0n_d3rUUUULo_a062e5f8}

