picoctf2019-writeup

picoCTF2019 writeup


Project maintained by johantannh Hosted on GitHub Pages — Theme by mattgraham

Insp3ct0r

Points: 50

Problem

Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/63975/ or http://2019shell1.picoctf.com:63975

Hint

How do you inspect web code on a browser? There are 3 parts.

Solution

  1. Inspect the source of the main page https://2019shell1.picoctf.com/problem/63975 by right clicking on the page and selecting "View page source". Part 1 of the flag can be found in this page.
  2. Inspect the source of the CSS file "mycss.css". Part 2 of the flag can be found in this file.
  3. Inspect the source of the JS file "myjs.js". Part 3 of the flag can be found in this file.

Flag

picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?d3db9182}


dont-use-client-side

Points: 100

Problem

Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/45147/ or http://2019shell1.picoctf.com:45147

Hint

Never trust the client

Solution

  1. Open the Chrome or Firefox inspector and look at the Debugger tab.
  2. Find the index JavaScript file. There is a client-side check:

    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
      if (checkpass.substring(split*6, split*7) == 'a60f') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
          if (checkpass.substring(split*4, split*5) == 'ts_p') {
            if (checkpass.substring(split*3, split*4) == 'lien') {
              if (checkpass.substring(split*5, split*6) == 'lz_4') {
                if (checkpass.substring(split*2, split*3) == 'no_c') {
                  if (checkpass.substring(split*7, split*8) == '3}') {
                    alert("Password Verified")
                  }
                }
              }
            }
          }
        }
      }
    }


A bit of obfuscation: the code checks the password in 4-character substrings, but tests them out of order rather than sequentially.

Just rearrange the checks in order from 0 to split*8 and you get the answer:

  1. (0, split) == 'pico'
  2. (split, split*2) == 'CTF{'
  3. (split*2, split*3) == 'no_c'
  4. (split*3, split*4) == 'lien'
  5. (split*4, split*5) == 'ts_p'
  6. (split*5, split*6) == 'lz_4'
  7. (split*6, split*7) == 'a60f'
  8. (split*7, split*8) == '3}'

Flag

picoCTF{no_clients_plz_4a60f3}


logon

Points: 100

Problem

The factory is hiding things from all of its users. Can you login as logon and find what they’ve been looking at? https://2019shell1.picoctf.com/problem/45163 or http://2019shell1.picoctf.com:45163

Hint

Hmm it doesn’t seem to check anyone’s password, except for ‘s?

Solution

  1. Just type the username as logon.
  2. Use the Chrome or Firefox developer console and find the cookies.
  3. Change the admin cookie value to True and refresh the page.

Flag

picoCTF{th3_c0nsp1r4cy_l1v3s_6679fcb5}


where-are-the-robots

Points: 100

Problem

Can you find the robots? https://2019shell1.picoctf.com/problem/32229 or http://2019shell1.picoctf.com:32229

Hint

What part of the website could tell you where the creator doesn’t want you to look?

Solution

  1. Access the robots.txt file by appending it to the URL given.
  2. In robots.txt, the Disallow section lists a file.
  3. Access that file by appending it to the URL given. The flag is then shown.

Flag

picoCTF{ca1cu1at1ng_Mach1n3s_0ecd0}


Client-side-again

Points: 200

Problem

Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/12278/ or http://2019shell1.picoctf.com:12278

Hint

What is obfuscation?

Solution

  1. Same as dont-use-client-side: inspect the code, but this time it is much more heavily obfuscated.
var _0x5a46=['25df2}','_again_b','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];

(function(_0x4bd822,_0x2bd6f7){
    var _0xb4bdb3=function(_0x1d68f6){
        while(--_0x1d68f6){
            _0x4bd822['push'](_0x4bd822['shift']());
        }
    };
    _0xb4bdb3(++_0x2bd6f7);
}(_0x5a46,0x1b3));

var _0x4b5b=function(_0x2d8f05,_0x4b81bb){
    _0x2d8f05=_0x2d8f05-0x0;
    var _0x4d74cb=_0x5a46[_0x2d8f05];
    return _0x4d74cb;
};

function verify(){
    checkpass=document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];
    split=0x4;
    if(checkpass[_0x4b5b('0x2')](0x0,split*0x2)==_0x4b5b('0x3')){
        if(checkpass[_0x4b5b('0x2')](0x7,0x9)=='{n'){
            if(checkpass[_0x4b5b('0x2')](split*0x2,split*0x2*0x2)==_0x4b5b('0x4')){
                if(checkpass[_0x4b5b('0x2')](0x3,0x6)=='oCT'){
                    if(checkpass[_0x4b5b('0x2')](split*0x3*0x2,split*0x4*0x2)==_0x4b5b('0x5')){
                        if(checkpass['substring'](0x6,0xb)=='F{not'){
                            if(checkpass[_0x4b5b('0x2')](split*0x2*0x2,split*0x3*0x2)==_0x4b5b('0x6')){
                                if(checkpass[_0x4b5b('0x2')](0xc,0x10)==_0x4b5b('0x7')){
                                    alert(_0x4b5b('0x8'));
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    else{
        alert(_0x4b5b('0x9'));
    }
}

The table holds 10 values. The IIFE rotates it 0x1b3 = 435 times, and 435 mod 10 = 5, so after rotation index 0 is 'getElementById' and index 9 is 'Incorrect\x20password'. The original declaration is var _0x5a46=['25df2}','_again_b','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this']; and the rotated lookups are:

  1. 'getElementById' = _0x4b5b('0x0')
  2. 'value' = _0x4b5b('0x1')
  3. 'substring' = _0x4b5b('0x2')
  4. 'picoCTF{' = _0x4b5b('0x3')
  5. 'not_this' = _0x4b5b('0x4')
  6. '25df2}' = _0x4b5b('0x5')
  7. '_again_b' = _0x4b5b('0x6')
  8. 'this' = _0x4b5b('0x7')
  9. 'Password\x20Verified' = _0x4b5b('0x8')
  10. 'Incorrect\x20password' = _0x4b5b('0x9')

Now we can solve the remaining checks. Ignore the noise and do the same thing as before: sort the checks by their split offsets, except this time the offsets are written in hex.

  1. (0x0, split*0x2) == _0x4b5b('0x3') = picoCTF{
  2. (split*0x2, split*0x2*0x2) == _0x4b5b('0x4') = not_this
  3. (split*0x2*0x2, split*0x3*0x2) == _0x4b5b('0x6') = _again_b
  4. (split*0x3*0x2, split*0x4*0x2) == _0x4b5b('0x5') = 25df2}

The remaining checks are only there to confuse you and can be ignored: they test hex offsets 7 to 9, 3 to 6, 6 to b, and c to 10, which are already covered by the flag assembled above.

  1. (0x7, 0x9) == '{n'
  2. (0x3, 0x6) == 'oCT'
  3. (0x6, 0xb) == 'F{not'
  4. (0xc, 0x10) == _0x4b5b('0x7') = this
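
The manual rearrangement done for dont-use-client-side and Client-side-again can be mechanised. The following Node script is an added example, not code from the writeup or the challenge: it rotates the string table the same way the challenge's IIFE does, then assembles the password from the out-of-order substring checks and rejects any check that disagrees with another, so the "noise" checks are verified rather than ignored. All constraints are copied from the two scripts shown above; nothing else is assumed.

```javascript
// Rotate the string table exactly as the challenge's IIFE does: `_0xb4bdb3(++n)`
// with `while(--n) arr.push(arr.shift())` shifts the array left n times, so only
// n % length matters (0x1b3 = 435, 435 % 10 = 5 for the ten-entry table).
function rotateTable(table, rounds) {
  const k = rounds % table.length;
  return table.slice(k).concat(table.slice(0, k));
}

// Each check is [start, end, expected]; the end offset is implied by expected's
// length. Fill a character array and throw if a check contradicts a character
// already placed or if the checks leave an offset undetermined.
function assemblePassword(checks) {
  const chars = [];
  for (const [start, , expected] of checks) {
    for (let i = 0; i < expected.length; i++) {
      const pos = start + i;
      if (chars[pos] !== undefined && chars[pos] !== expected[i]) {
        throw new Error(`checks conflict at offset ${pos}`);
      }
      chars[pos] = expected[i];
    }
  }
  if (chars.includes(undefined)) throw new Error('constraints leave a gap');
  return chars.join('');
}

const split = 4;
// dont-use-client-side, listed in the order the script tests them
const clientSideChecks = [
  [0, split, 'pico'], [split * 6, split * 7, 'a60f'], [split, split * 2, 'CTF{'],
  [split * 4, split * 5, 'ts_p'], [split * 3, split * 4, 'lien'], [split * 5, split * 6, 'lz_4'],
  [split * 2, split * 3, 'no_c'], [split * 7, split * 8, '3}'],
];

// Client-side-again: the obfuscated table, its 0x1b3 rotation, and the checks
const _0x5a46 = ['25df2}', '_again_b', 'this', 'Password\x20Verified', 'Incorrect\x20password',
  'getElementById', 'value', 'substring', 'picoCTF{', 'not_this'];
const table = rotateTable(_0x5a46, 0x1b3);
const lookup = (hex) => table[parseInt(hex, 16)];   // mirrors _0x4b5b('0x..')
const clientSideAgainChecks = [
  [0x0, split * 0x2, lookup('0x3')], [0x7, 0x9, '{n'],
  [split * 0x2, split * 0x2 * 0x2, lookup('0x4')], [0x3, 0x6, 'oCT'],
  [split * 0x3 * 0x2, split * 0x4 * 0x2, lookup('0x5')], [0x6, 0xb, 'F{not'],
  [split * 0x2 * 0x2, split * 0x3 * 0x2, lookup('0x6')], [0xc, 0x10, lookup('0x7')],
];

console.log(assemblePassword(clientSideChecks), assemblePassword(clientSideAgainChecks));
```

Both passwords fall out of the checks alone, which is the real lesson of these two challenges: a check that runs in the browser hands the secret to anyone who reads the script.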

Flag

picoCTF{not_this_again_b25df2}


Open-to-admins

Points: 200

Problem

This secure website allows users to access the flag only if they are admin and if the time is exactly 1400. https://2019shell1.picoctf.com/problem/49858/ or http://2019shell1.picoctf.com:49858

Hint

Can cookies help you to get the flag?

Solution

The biggest hints are cookies, time and admin.

  1. Using Postman, set up a proxy between Firefox and Postman.
  2. Capture the 4 different redirects.
  3. The last redirect, to https://2019shell1.picoctf.com/problem/49858/, has a cookie. Use that request and modify the cookie header.
  4. Set the cookie: cookie:session=""; admin=true; time=1400;
  5. Send a GET request to https://2019shell1.picoctf.com/problem/49858/flag

Or even simpler, just send a GET request to https://2019shell1.picoctf.com/problem/49858/flag with a single header:

  1. cookie:session=""; admin=true; time=1400;

curl or any other HTTP client can achieve this as well.

Flag

picoCTF{0p3n_t0_adm1n5_effb525e}


picobrowser

Points: 200

Problem

This website can be rendered only by picobrowser, go and catch the flag! https://2019shell1.picoctf.com/problem/21851/ or http://2019shell1.picoctf.com:21851

Hint

What part of the website could tell you where the creator doesn’t want you to look?

Solution

  1. Use the web developer console and notice that there is a redirect before the real page is reached.
  2. Edit and resend the /flag request (the one with status 200), changing the User-Agent header to picobrowser.
  3. Send it and look at the response.

To learn: use Burp Suite or Postman as a proxy to capture the request, modify it and resend it.

Flag

picoCTF{p1c0_s3cr3t_ag3nt_3e1c0ea2}


Irish-Name-Repo

Points: 300

Problem

There is a website running at https://2019shell1.picoctf.com/problem/47253/ or http://2019shell1.picoctf.com:47253. Do you think you can log us in? Try to see if you can login!

Hint

There doesn't seem to be many ways to interact with this. I wonder if the users are kept in a database? Try to think about how the website verifies your login.

Solution

  1. Click the nav bar at the top left > admin login.
  2. Inspect the page and notice a hidden field called debug.
  3. Change the debug value to 1 and refresh the page.
  4. Notice the SQL query being displayed. This signals that SQL injection is possible.
  5. Just use a typical SQL injection payload in the name field: ' OR 1=1;--

Flag

picoCTF{s0m3_SQL_93e76603}


Irish-Name-Repo-2

Points: 350

Problem

There is a website running at https://2019shell1.picoctf.com/problem/41025/ or http://2019shell1.picoctf.com:41025. Someone has bypassed the login before, and now it's being strengthened. Try to see if you can still login!

Hint

The password is being filtered.

Solution

  1. Click the nav bar at the top left > admin login.
  2. Inspect the page and notice a hidden field called debug.
  3. Change the debug value to 1 and refresh the page.
  4. Notice the SQL query being displayed. This signals that SQL injection is possible.
  5. Since the previous injection payload has been filtered, and the hint says the password is filtered, use another SQL injection payload in the name field that comments out the password check: 'admin'--

Flag

picoCTF{m0R3_SQL_plz_83dad972}


Empire1

Points: 400

Problem

Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. Can you first find the secret code they assigned to you? https://2019shell1.picoctf.com/problem/12234/ or http://2019shell1.picoctf.com:12234

Hint

Pay attention to the feedback you get. There is very limited filtering in place; this is to stop you from breaking the challenge for yourself, not for you to bypass. The database gets reverted every 2 hours, so if you do break it, just come back later.

Solution

Solution

Flag

Flag


Irish-Name-Repo-3

Points: 400

Problem

There is a secure website running at https://2019shell1.picoctf.com/problem/32237/ or http://2019shell1.picoctf.com:32237. Try to see if you can login as admin!

Hint

Seems like the password is encrypted.

Solution

Solution

Flag

Flag


JaWT-Scratchpad

Points: 400

Problem

Check the admin scratchpad! https://2019shell1.picoctf.com/problem/37903/ or http://2019shell1.picoctf.com:37903

Hint

What is that cookie? Have you heard of JWT?

Solution

Solution

Flag

Flag


JavaScript-Kiddie

Points: 400

Problem

The image link appears broken… https://2019shell1.picoctf.com/problem/37330 or http://2019shell1.picoctf.com:37330

Hint

This is only a JavaScript problem.

Solution

Solution here

Flag

Flag


cereal-hacker-1

Points: 450

Problem

Login as admin. https://2019shell1.picoctf.com/problem/12279/ or http://2019shell1.picoctf.com:12279

Hint

Solution

Solution here

Flag

Flag