Codebook
Run the Python script code.py in the same directory as codebook.txt.
This challenge is simple: download the files and run the script in the same directory as the text file. You must also make sure you are running Python from the same directory where the files are located.
picoCTF{c0d3b00k_455157_687087ee}
convertme.py
Run the Python script and convert the given number from decimal to binary to get the flag.
This is one of those challenges with a very simple shortcut. When run, the script prints a prompt like "If XX is in decimal base, what is it in binary base?", where XX is a random number between 10 and 100.
To solve this the intended way, you can use any form of calculator to convert the number into binary. This can be done with CyberChef, Python, or even the Windows calculator. However, this is a CTF, so let's understand what's happening here.
Line 11 is a basic check to see if the decimal conversion of our 1 and 0 input matches the randomly generated number. If so, print the encrypted flag. If we change this to ans_num != num, then we will still get the flag even if we don't put in the right conversion! Understanding the code and being able to make it do what you want is a critical skill set for challenges in the harder reverse engineering and pwn categories.
If 13 is in decimal base, what is it in binary base?
Answer: 1
That is correct! Here's your flag: picoCTF{4ll_y0ur_b4535_722f6b39}
fixme1.py
Fix the syntax error in this Python script to print the flag.
This challenge can be solved fairly easily using an IDE or the basic knowledge that Python is a whitespace-sensitive language. In this case, the final print statement is indented when it should not be. Simply remove the whitespace in front of it.
Incorrect
flag = str_xor(flag_enc, 'enkidu')
  print('That is correct! Here\'s your flag: ' + flag)
Correct
flag = str_xor(flag_enc, 'enkidu')
print('That is correct! Here\'s your flag: ' + flag)
That is correct! Here's your flag: picoCTF{1nd3nt1ty_cr1515_79fb5597}
fixme2.py
Fix the syntax error in the Python script to print the flag.
Similar to the last challenge, the error can be found with an IDE or knowledge of programming languages. In Python, when checking equality between two objects, we use == (or != for inequality). When assigning an object a value, we use =. In this challenge, the wrong operator is being used when checking the value of the flag.
Solution:
# Check that flag is not empty
if flag == "":
    print('String XOR encountered a problem, quitting.')
else:
    print('That is correct! Here\'s your flag: ' + flag)
That is correct! Here's your flag: picoCTF{3qu4l1ty_n0t_4551gnm3nt_f6a5aefc}
Glitch Cat
Our flag printing service has started glitching!
$ nc saturn.picoctf.net 65443
Connecting to the provided endpoint returns some Python code we can just copy and run in a script.
┌──(dcm㉿cocoahacks)-[~/wargames/picoctf/mini2022]
└─$ nc saturn.picoctf.net 65443
'picoCTF{gl17ch_m3_n07_' + chr(0x38) + chr(0x31) + chr(0x31) + chr(0x66) + chr(0x66) + chr(0x66) + chr(0x65) + chr(0x65) + '}
picoCTF{gl17ch_m3_n07_811fffee}
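An added example, not part of the original writeup or the challenge files: instead of pasting text received from a remote service into an interpreter, the expression can be evaluated with a small allow-list parser that accepts only string literals, chr() of an integer literal, and + between them. The names eval_concat, rejects and SAMPLE are hypothetical, and SAMPLE is the service output shown above with its closing quote in place.

```python
import ast


def eval_concat(expr: str) -> str:
    """Evaluate an expression made only of string literals, chr(<int>) and '+'."""

    def walk(node: ast.AST) -> str:
        # A plain string literal such as 'picoCTF{...'
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
        # left + right, where both sides must themselves be allowed nodes
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        # chr(<integer literal>) and nothing else callable
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name) and node.func.id == "chr"
                and len(node.args) == 1 and not node.keywords
                and isinstance(node.args[0], ast.Constant)
                and type(node.args[0].value) is int):
            return chr(node.args[0].value)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    # mode="eval" accepts a single expression; statements raise SyntaxError
    return walk(ast.parse(expr.strip(), mode="eval").body)


def rejects(expr: str) -> bool:
    """Return True when the expression is refused by the allow-list."""
    try:
        eval_concat(expr)
    except (ValueError, SyntaxError):
        return True
    return False


# Constructed sample: the line returned by the service, closing quote restored.
SAMPLE = ("'picoCTF{gl17ch_m3_n07_' + chr(0x38) + chr(0x31) + chr(0x31) + chr(0x66)"
          " + chr(0x66) + chr(0x66) + chr(0x65) + chr(0x65) + '}'")

if __name__ == "__main__":
    print(eval_concat(SAMPLE))                   # the decoded flag string
    print(rejects("__import__('os').getcwd()"))  # attribute/call chains are refused
```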
HashingJobApp
If you want to hash with the best, beat this test!
nc saturn.picoctf.net 63116
Connecting to this endpoint asks us to compute the MD5 hash of a provided quoted phrase. Normally, this can be done in the Linux shell with echo -n STRING | md5sum or with CyberChef. However, we are asked to do this an unspecified number of times. Therefore, we should script this in Python.
import re
from hashlib import md5
from socket import socket

HOST = "saturn.picoctf.net"
PORT = 63116

# Create a socket and connect to the challenge
sock = socket()
sock.connect((HOST, PORT))

# Let's loop!
while True:
    # Receive the data
    data = sock.recv(1024).decode()
    print(data)
    # If "picoCTF" is in the data, we likely have the flag so break the loop
    if "picoCTF" in data:
        break
    # Use regex to search and capture the phrase between the quotes
    phrase = re.search("'(.*)'", data)
    match = phrase.group(1)
    # Calculate the MD5 and send it back!
    hashed = md5(match.encode()).hexdigest()
    sock.send(hashed.encode() + b"\n")
    # Print out the "correct" response string
    print(sock.recv(1024))
Please md5 hash the text between quotes, excluding the quotes: 'stun guns'
Answer:
b'd1bc34c1bbadaea803f9ab0284e25adf\r\n'
Correct.
Please md5 hash the text between quotes, excluding the quotes: 'Katharine Hepburn'
Answer:
b'a05de7a1943e9df33a2d5407f612f16f\r\n'
Correct.
Please md5 hash the text between quotes, excluding the quotes: 'Cinco de Mayo'
Answer:
b'3b55fa8f34aae6b045ccec7f9b5d4c89\r\n'
Correct.
picoCTF{4ppl1c4710n_r3c31v3d_bf2ceb02}
PW Crack 1
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag in the same directory too.
def level_1_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    if( user_pw == "60ab"):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")
To solve this, we simply input 60ab.
picoCTF{545h_r1ng1ng_c26330ca}
PW Crack 2
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag in the same directory too.
This challenge is similar to the last, except the string is now built by converting numbers to ASCII characters.
if( user_pw == chr(0x33) + chr(0x39) + chr(0x63) + chr(0x65) )
We can run the chr() calls in a separate script to get the expected matching value (which turns out to be 39ce in this case).
Please enter correct password for flag: 39ce
Welcome back... your flag, user:
picoCTF{tr45h_51ng1ng_502ec42e}
PW Crack 3
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too.
There are 7 potential passwords with 1 being correct. You can find these by examining the password checker script.
This challenge wants us to enter the correct password, and the script provides 7 possible solutions. We could enter these by hand, but instead we'll make the provided script do the work for us.
Original
def level_3_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    user_pw_hash = hash_pw(user_pw)
    if( user_pw_hash == correct_pw_hash ):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")

level_3_pw_check()

# The strings below are 7 possibilities for the correct password.
# (Only 1 is correct)
pos_pw_list = ["80f4", "da1d", "eeda", "5561", "5449", "64ac", "668b"]
Solution
def level_3_pw_check():
    # user_pw = input("Please enter correct password for flag: ")
    for user_pw in ["80f4", "da1d", "eeda", "5561", "5449", "64ac", "668b"]:
        user_pw_hash = hash_pw(user_pw)
        if user_pw_hash == correct_pw_hash:
            print("Welcome back... your flag, user:")
            decryption = str_xor(flag_enc.decode(), user_pw)
            print(decryption)
            return
    # print("That password is incorrect")
picoCTF{m45h_fl1ng1ng_024c521a}
PW Crack 4
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too.
There are 100 potential passwords with only 1 being correct. You can find these by examining the password checker script.
Even with this longer wordlist, we can use the same solution from PW Crack 3!
def level_4_pw_check():
    # user_pw = input("Please enter correct password for flag: ")
    for user_pw in ["b5e5", "71ff", "acaf", "390c", "1a9b", "e7e2", "a35c", "fafd", "b759", "5eba", "6506", "d5ce", "2df5", "476b", "ca78", "8797", "821c", "28e7", "2bcb", "7906", "6c2a", "734e", "ad9a", "7acd", "6c65", "8d90", "6c81", "b3a8", "bfac", "d96e", "8d45", "b365", "2bf7", "bec9", "25c8", "c716", "1854", "75d0", "9084", "a891", "e863", "d754", "5486", "d652", "a529", "af06", "2b97", "3e5c", "6c7d", "9d26", "5db7", "69cc", "e304", "94cf", "e7c9", "67c7", "df95", "8858", "9319", "b91e", "1ff8", "ed2e", "9628", "70ba", "2ea8", "a5d8", "d59b", "a0c6", "2f25", "f7ba", "db04", "c53f", "e2f7", "bf10", "1392", "ff42", "31d4", "edab", "5bea", "dd25", "32e6", "980e", "8286", "23e8", "4379", "88cc", "de9a", "92dd", "4922", "7c82", "c054", "6587", "e655", "5c39", "ab8c", "29b3", "443c", "31f9", "fbff", "a08f"]:
        user_pw_hash = hash_pw(user_pw)
        if( user_pw_hash == correct_pw_hash ):
            print("Welcome back... your flag, user:")
            decryption = str_xor(flag_enc.decode(), user_pw)
            print(decryption)
            return
picoCTF{fl45h_5pr1ng1ng_e7668ddf}
PW Crack 5
Can you crack the password to get the flag? Download the password checker here and you’ll need the encrypted flag and the hash in the same directory too.
Here’s a dictionary with all possible passwords based on the password conventions we’ve seen so far.
Same concept as the previous challenges except we need to read our input from a file instead of having the possible answers in the script.
def level_5_pw_check():
    # user_pw = input("Please enter correct password for flag: ")
    wordlist = open("dictionary.txt").read().splitlines()
    for user_pw in wordlist:
        user_pw_hash = hash_pw(user_pw)
        if user_pw_hash == correct_pw_hash:
            print("Welcome back... your flag, user:")
            decryption = str_xor(flag_enc.decode(), user_pw)
            print(decryption)
            return
picoCTF{h45h_sl1ng1ng_40f26f81}
runme.py
Run the runme.py script to get the flag. Download the script with your browser or with wget in the webshell.
This challenge has an arbitrary requirement to use wget. This is probably to help beginners get familiar with the command line. Also, you can just run or read the script to get the flag.
picoCTF{run_s4n1ty_run}
Serpentine
Find the flag in the Python script!
To get the flag, you can ignore all of the extra content in the script and just add a call to print_flag().
picoCTF{7h3_r04d_l355_7r4v3l3d_569ab7a6}