picoCTF

Cookie Monster Secret Recipe http://verbal-sleep.picoctf.net:56241/ Logging on give hit “Check cookies” value secrent_recipe: cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzZDMkZCN0YzfQ%3D%3D As evident from the %3d%3d, most likely base64 encoded. Flag: picoCTF{c00k1e_m0nster_l0ves_c00kies_6C2FB7F3} head-dump Need to find enpoint with flag Documentation about API “browser_webshell_solvable” So we have a home page with 4 blog posts of cyber nodejs/swagger ui / API documentation Logging and hacking None of the #links work, except for #API Docuemntation get a Swagger docuemtnation page heapdump gets memory You can open it in text file CTRL+F “picoCTF{” picoCTF{Pat!3nt_15_Th3_K3y_ad7ea5ae n0s4n1ty 1 profile picture upload need to locate file upload area, and inside /root directory. uploading file change image “Update profile” button gives “File x.jpg has be uploaded Path: uplaods.jpg” uploaded webshell.php, find we are in /var/www/html/uploads ls /root gives us Permission Denied Check sudo? We have sudo! sudo ls /root finds /root/flag,txt sudo cat /root/flag.txt picoCTF{wh47_c4n_u_d0_wPHP_d698d800} SSTI1 announcer Whatever submitted in input box is then redirected to a page with jsut that text ca use <script> alert(5)</script> what can we do then… post / with content redirects to /announce Try PHP innject <?php echo "test" ?> It gets automatically commented out -> <?php tunrs into <!---?php In the HTML, we can see a POST request get sent to / Lets open burpsuite Be stupid and lookup what SSTI means Server Side Template injection Using {{}} we can evaluate the command {{7*7}} gives up 49 instead of the output! https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection We find it is a Jinja2 injection {{ request.application.__globals__.__builtins__.__import__('os').popen('ls').read() }} {{request.application.__globals__.__builtins__.__import__('os').popen('cat flag').read()}} WebSockFish stockfish chessbot! ...

chalkboard grep -v “I WILL NOT BE SNEAKY” Inbvert matching, finds lines that do not have this full content We can assemble the flag from that picoCTF{chalkboard_bert_7c69b78b} Cryptography RSA For n, n is made up of p*q where p and q are supposedly large primes notice the even number for n… only even prime is 2 (any other prime is odd, and odd*odd = odd). that manes p*q = N, one of pq must be 2 you can get decryption key this way Code decryption in python GUess my Chesse part 1 affine cihper each iteration of NC gives different a b values for afffine cipher encrypt 2 cheeses, check for which a b value with auto bruteforcer on dcode decrypt message with a b

Ph4nt0m 1ntrud3r pcpap capture first, sort by time (obviously out of order) ones of len 12 on bottom are base64 encoded -> get flag after copying and conveerting all TCP payloads Red supposedly normal red.png do strings files Get a poem Notice the first letters spell “CHECK LSB” Go to https://georgeom.net/StegOnline/upload Hit the “Extract Files/Data” Per lsb, grab bit 0 (least significant bit) of all 4 channels YOu’ll find repeated base64 values to decode Flags are Stepic Hint says to find non-matching flag We have a University listed as one of the countries you can grab the json data from source if u want and compare names Note: the flag abreviations are actually accurate You find university at the bottom You can’t download it directorly BUT you can go into Inspect -> Application -> Frames -> Image and download it there https://github.com/1049451037/stepic get flag Bitlocker-1 Given a .dd file (disk duplicate or whatever) bitlocker2john filename.dd Will provide 4 passwords, one is user password one is recovery key, and copies of both. Extract one of them (userpassword is first one and is necessary enough) use john or hashcat to crack with rockyou.txt password is jacqueline on linux, install dislocker sudo dislocker -v -V .dd –user-password=pass /media/bitlocker -> will create a dislocker-file inside to mount, mount -o loop,ro /media/bitlcoker/disclocker-file /mnt/wherever Flag is in first directory. Event Viewing ctrl+f Bitlocker-2 We have a RAM .mem dump -> volatility We look for bitlocker related volatility tools https://github.com/breppo/Volatility-BitLocker -> allows for dislocker integration need volatility 2 not 3 volatility needs to have a profile (ie OS), imageinfo plugin python2 vol.py -f .mem bitlocker –profile={profleAbove} –dislocker You’ll get .fvek files to use with dislocker, which you can refer to Bitlocker-1 for how to decode and mount file insteadd of –user-password, use –kvek= Flag is stored in first level of mount 5b6ff64e4a0ee8f89050b7ba532f6256 60be5ce2a190dfb760bea1ece40e4223c8982aecfd03221a5a43d8fdd302eaee 1ed2a4b8dd0290f646ded074fbcff8bd bccaf1d4ea09e91f976bf94569761654