picoCTF2019 writeup
Points: 50
Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/63975/ or http://2019shell1.picoctf.com:63975
How do you inspect web code on a browser? There’s 3 parts
1) Inspect source of main page https://2019shell1.picoctf.com/problem/63975 by right clicking on page and selecting “View page source”. Part 1 of flag can be found in this page
2) Inspect source of css file “mycss.css”. Part 2 of flag can be found in this page
3) Inspect source of js file “myjs.js”. Part 3 of flag can be found in this page
picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?d3db9182}
Points: 100
Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/45147/ or http://2019shell1.picoctf.com:45147
Never trust the client
checkpass = document.getElementById("pass").value;
split = 4;
if (checkpass.substring(0, split) == 'pico') {
  if (checkpass.substring(split*6, split*7) == 'a60f') {
    if (checkpass.substring(split, split*2) == 'CTF{') {
      if (checkpass.substring(split*4, split*5) == 'ts_p') {
        if (checkpass.substring(split*3, split*4) == 'lien') {
          if (checkpass.substring(split*5, split*6) == 'lz_4') {
            if (checkpass.substring(split*2, split*3) == 'no_c') {
              if (checkpass.substring(split*7, split*8) == '3}') {
                alert("Password Verified")
              }
            }
          }
        }
      }
    }
  }
}
There is a bit of obfuscation: the code tries to confuse you by checking the password in 4-character substrings that are not in sequential order.
Just rearrange the pieces by offset, from split to split*8, and you will get the answer.
picoCTF{no_clients_plz_4a60f3}
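The reordering described above can be done mechanically, which is why a secret compared in client-side script is effectively public. This is an added example, not code from the challenge or the original writeup; `checkerSource`, `evalOffset` and `recoverPassword` are names made up for it, and the input is the checker's comparison lines copied from above.

```javascript
// Constructed input: the comparison lines of the checker shown above.
const checkerSource = `
if (checkpass.substring(0, split) == 'pico') {
if (checkpass.substring(split*6, split*7) == 'a60f') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_4') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == '3}') {
`;

// Evaluate an offset such as "0", "split" or "split*6" without eval().
function evalOffset(expr, split) {
  return expr.split('*')
    .map((t) => (t.trim() === 'split' ? split : Number(t.trim())))
    .reduce((a, b) => a * b, 1);
}

// Collect every substring(a, b) == 'literal' comparison, order the literals
// by start offset and concatenate, checking that the pieces tile the string.
function recoverPassword(source, split) {
  const re = /substring\(([^,]+),([^)]+)\)\s*==\s*'([^']*)'/g;
  const chunks = [...source.matchAll(re)].map((m) => ({
    start: evalOffset(m[1], split),
    text: m[3],
  }));
  chunks.sort((a, b) => a.start - b.start);
  let out = '';
  for (const c of chunks) {
    if (c.start !== out.length) {
      throw new Error(`gap or overlap at offset ${c.start}`);
    }
    out += c.text;
  }
  return out;
}

console.log(recoverPassword(checkerSource, 4));
```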
Points: 100
The factory is hiding things from all of its users. Can you login as logon and find what they’ve been looking at? https://2019shell1.picoctf.com/problem/45163 or http://2019shell1.picoctf.com:45163
Hmm it doesn’t seem to check anyone’s password, except for ‘s?
admin
value to True. Refresh the page
picoCTF{th3_c0nsp1r4cy_l1v3s_6679fcb5}
Points: 100
Can you find the robots? https://2019shell1.picoctf.com/problem/32229 or http://2019shell1.picoctf.com:32229
What part of the website could tell you where the creator doesn’t want you to look?
picoCTF{ca1cu1at1ng_Mach1n3s_0ecd0}
Points: 200
Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/12278/ or http://2019shell1.picoctf.com:12278
What is obfuscation?
var _0x5a46=['25df2}','_again_b','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];
(function(_0x4bd822,_0x2bd6f7){
  var _0xb4bdb3=function(_0x1d68f6){
    while(--_0x1d68f6){
      _0x4bd822['push'](_0x4bd822['shift']());
    }
  };
  _0xb4bdb3(++_0x2bd6f7);
}(_0x5a46,0x1b3));
var _0x4b5b=function(_0x2d8f05,_0x4b81bb){
  _0x2d8f05=_0x2d8f05-0x0;
  var _0x4d74cb=_0x5a46[_0x2d8f05];
  return _0x4d74cb;
};
function verify(){
  checkpass=document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];
  split=0x4;
  if(checkpass[_0x4b5b('0x2')](0x0,split*0x2)==_0x4b5b('0x3')){
    if(checkpass[_0x4b5b('0x2')](0x7,0x9)=='{n'){
      if(checkpass[_0x4b5b('0x2')](split*0x2,split*0x2*0x2)==_0x4b5b('0x4')){
        if(checkpass[_0x4b5b('0x2')](0x3,0x6)=='oCT'){
          if(checkpass[_0x4b5b('0x2')](split*0x3*0x2,split*0x4*0x2)==_0x4b5b('0x5')){
            if(checkpass['substring'](0x6,0xb)=='F{not'){
              if(checkpass[_0x4b5b('0x2')](split*0x2*0x2,split*0x3*0x2)==_0x4b5b('0x6')){
                if(checkpass[_0x4b5b('0x2')](0xc,0x10)==_0x4b5b('0x7')){
                  alert(_0x4b5b('0x8'));
                }
              }
            }
          }
        }
      }
    }
  }
  else{
    alert(_0x4b5b('0x9'));
  }
}
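There are 10 values in the data array. Once the rotation function at the top of the script has run, index 0 is getElementById and the list continues until index 9, 'Incorrect\x20password'. The array as declared:
var _0x5a46=['25df2}','_again_b','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];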
_0x4b5b('0x0')
_0x4b5b('0x1')
_0x4b5b('0x2')
_0x4b5b('0x3')
_0x4b5b('0x4')
_0x4b5b('0x5')
_0x4b5b('0x6')
_0x4b5b('0x7')
_0x4b5b('0x8')
_0x4b5b('0x9')
Now we can solve the rest. Ignore the noise and do the same thing as before: sort by split, except this time the offsets are in hexadecimal.
picoCTF{
not_this
_again_b
25df2}
The remaining checks are just obfuscation meant to confuse you and can be ignored; they only check hex offsets 7 to 9, 3 to 6, 6 to b and c to 10, which gives the same answer as above.
this
picoCTF{not_this_again_b25df2}
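The string-table rotation and index lookups described above can be replayed outside the browser to confirm the mapping and to check that the "noise" comparisons agree with the main ones. This is an added example, not the challenge's or the writeup author's code; `rotateTable`, `lookup`, `collectChecks` and `rebuild` are names made up for it, and the table and offsets are copied from the script above.

```javascript
// The string table exactly as declared in the obfuscated script above.
const table = ['25df2}', '_again_b', 'this', 'Password\x20Verified',
  'Incorrect\x20password', 'getElementById', 'value', 'substring',
  'picoCTF{', 'not_this'];

// Replays the script's rotation: it is called with ++0x1b3, and `while (--n)`
// then runs 0x1b3 times, each pass moving the first element to the end.
function rotateTable(arr, seed) {
  const out = arr.slice();
  let n = seed + 1;
  while (--n) out.push(out.shift());
  return out;
}

const rotated = rotateTable(table, 0x1b3);
// Same job as _0x4b5b('0x3'): a hex-string index into the rotated table.
const lookup = (hexIndex) => rotated[hexIndex - 0x0];

// [start, end, expected] for each comparison in verify(), in source order.
function collectChecks(split) {
  return [
    [0x0, split * 0x2, lookup('0x3')],
    [0x7, 0x9, '{n'],
    [split * 0x2, split * 0x2 * 0x2, lookup('0x4')],
    [0x3, 0x6, 'oCT'],
    [split * 0x3 * 0x2, split * 0x4 * 0x2, lookup('0x5')],
    [0x6, 0xb, 'F{not'],
    [split * 0x2 * 0x2, split * 0x3 * 0x2, lookup('0x6')],
    [0xc, 0x10, lookup('0x7')],
  ];
}

// Write each expected piece at its offset; fail if two checks disagree.
function rebuild(checks) {
  const chars = [];
  for (const [start, , text] of checks) {
    [...text].forEach((ch, i) => {
      const prev = chars[start + i];
      if (prev !== undefined && prev !== ch) throw new Error('conflict');
      chars[start + i] = ch;
    });
  }
  return chars.join('');
}

console.log(rotated, rebuild(collectChecks(4)));
```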
Points: 200
This secure website allows users to access the flag only if they are admin and if the time is exactly 1400. https://2019shell1.picoctf.com/problem/49858/ or http://2019shell1.picoctf.com:49858
Can cookies help you to get the flag?
The biggest hints are cookies, time and admin.
cookie:session=""; admin=true; time=1400;
GET request to https://2019shell1.picoctf.com/problem/49858/flag
Or even simpler, just send a https://2019shell1.picoctf.com/problem/49858/flag GET request with a single header
cookie:session=""; admin=true; time=1400;
Can probably use curl or some other way to achieve this as well.
picoCTF{0p3n_t0_adm1n5_effb525e}
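Why the cookie header above is enough: the decision rests on values the client supplies. The following is an added example, not the challenge's server code; `allowFlagNaive` is an assumed reconstruction of such a check, and `sessions`, the session ids and `allowFlagHardened` are hypothetical, constructed to show the server-side alternative.

```javascript
// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Weak: authorization facts are read straight from client-supplied cookies.
function allowFlagNaive(cookieHeader) {
  const c = parseCookies(cookieHeader);
  return c.admin === 'true' && c.time === '1400';
}

// Hypothetical server-side session store (constructed sample data). In a real
// deployment the id is a long random value issued at login.
const sessions = new Map([
  ['sid-constructed-guest', { user: 'guest', admin: false }],
  ['sid-constructed-admin', { user: 'root', admin: true }],
]);

// Hardened: the cookie carries only an opaque id; the role comes from the
// server's own record and the time from the server's own clock.
function allowFlagHardened(cookieHeader, serverTime) {
  const c = parseCookies(cookieHeader);
  const s = sessions.get(c.session);
  return Boolean(s && s.admin) && serverTime === '1400';
}

// The header from the writeup above, as a client would send it.
const forged = 'session=""; admin=true; time=1400;';
console.log(allowFlagNaive(forged), allowFlagHardened(forged, '1400'));
```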
Points: 200
This website can be rendered only by picobrowser, go and catch the flag! https://2019shell1.picoctf.com/problem/21851/ or http://2019shell1.picoctf.com:21851
What part of the website could tell you where the creator doesn’t want you to look?
User Agent
to picobrowser
To learn: use Burp Suite or Postman as a proxy to capture the request, modify it and resend it.
picoCTF{p1c0_s3cr3t_ag3nt_3e1c0ea2}
Points: 300
There is a website running at https://2019shell1.picoctf.com/problem/47253/ or http://2019shell1.picoctf.com:47253. Do you think you can log us in? Try to see if you can login!
There doesn’t seem to be many ways to interact with this, I wonder if the users are kept in a database? Try to think about how does the website verify your login?
debug
' OR 1=1;--
picoCTF{s0m3_SQL_93e76603}
Points: 350
There is a website running at https://2019shell1.picoctf.com/problem/41025/. Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still login! or http://2019shell1.picoctf.com:41025
The password is being filtered.
debug
picoCTF{m0R3_SQL_plz_83dad972}
Points: 400
Psst, Agent 513, now that you’re an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/12234/ Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:12234
Pay attention to the feedback you get.
There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass. The database gets reverted every 2 hours if you do break it, just come back later.
Solution
Flag
Points: 400
There is a secure website running at https://2019shell1.picoctf.com/problem/32237/ or http://2019shell1.picoctf.com:32237. Try to see if you can login as admin!
Seems like the password is encrypted.
Solution
Flag
Points: 400
Check the admin scratchpad! https://2019shell1.picoctf.com/problem/37903/ or http://2019shell1.picoctf.com:37903
What is that cookie? Have you heard of JWT?
Solution
Flag
Points: 400
The image link appears broken… https://2019shell1.picoctf.com/problem/37330 or http://2019shell1.picoctf.com:37330
This is only a JavaScript problem.
Solution here
Flag
Points: 450
Login as admin. https://2019shell1.picoctf.com/problem/12279/ or http://2019shell1.picoctf.com:12279
Solution here
Flag