PicoCTF 2024 Documentation

Description –
Why search for the flag when I can make a bookmarklet to print it for me? Browse here, and find the flag!

Approach –
This is a simple challenge, where all you have to do is run the javascript code in a compiler. They give you the code when you click the link.

Description –
Do you know how to use the web inspector? Start searching here to find the flag

Approach –
Navigate to the About Me page, where it says “Try inspecting the page!! You might find it there”. Then, you find some base64 here: notify_true=”cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDdiOTFjNzl9”
Decode that and you’re done.

Description –
Try here to find the flag

Approach –
It’s a simple registration page with some fields and a submit button. Edit the POST (this can be done in Firefox) to send this JSON body:
{

    “otp”: “123456′ OR ‘1’=’1”

}

Description –
I don’t like scrolling down to read the code of my website, so I’ve squished it. As a bonus, my pages load faster! Browse here, and find the flag!

Approach –
View page source and find the flag in the squished code.

Description –
Can you try to get access to this website to get the flag? You can download the source here. The website is running here. Can you log in?

Approach –
Send a POST in webshell to get the database, which contains your password

curl -X POST -H “Content-Type: application/json” -d ‘{“email”: “{“$ne”: null}”, “password”: “{“$ne”: null}”}’ http://atlas.picoctf.net:(port)/api/login – this gives u the password base64 encrypted, so just decrypt.

Description –
I found a web app that can help process images: PNG images only! Additional details will be available after launching your challenge instance.
Approach –
First check /robots.txt, which tells you of the existence of 2 things: an uploads folder, where your png is sent, and an instructions.txt. Instructions.txt tells you that they are only checking for 3 magic bytes to determine if it is a png, as well as the characters “.png” in the name of the file. A payload can be injected anywhere after the magic bytes for the png are used, and the file can be named decrypt.png.php so that the browser treats it as a php script, which will give you access to the directories, and eventually the flag.

Description –
This challenge will introduce you to ‘Anti-Debugging.’ Malware developers don’t like it when you attempt to debug their executable files because debugging these files reveals many of their secrets! That’s why, they include a lot of code logic specifically designed to interfere with your debugging process.

Now that you’ve understood the context, go ahead and debug this Windows executable!

This challenge binary file is a Windows console application and you can start with running it using cmd on Windows.

Challenge can be downloaded here.
Approach –
This one was a little harder since I had no prior experience with Windows Debugging. This is probably not the optimal solution, but it works:

Use IDAFreeware for static analysis, which tells you that if IsDebuggerPresent is false you will get the flag. Use WinDbg for stepping through, and x64dbg for finding the address of IsDebuggerPresent. Set a breakpoint in WinDbg and step through until it returns, then set eax to 0 in order to patch the call so that it thinks there is no debugger present. WinDbg is used because it is easier to understand what is happening (from my experience).

Description –
If you have solved WinAntiDbg0x100, you’ll discover something new in this one. Debug the executable and find the flag!

This challenge executable is a Windows console application, and you can start by running it using Command Prompt on Windows.

This executable requires admin privileges. You might want to start Command Prompt or your debugger using the ‘Run as administrator’ option.

Challenge can be downloaded here.
Approach –
Similar to the last one, where you need to patch IsDebuggerPresent, however, you also need to fork it to send you to IsDebuggerPresent, since the “straightforward” path leads you to the debugger breaking. Fork, then patch, and you get the flag. Use IDA Freeware for static analysis, WinDbg for stepping through until you find where it ruins itself, and x64dbg for finding addresses of functions. In this case, I found the address of the output string, which is where they print the start of the challenge, and manually stepped through until I found where it is forking.

Description –
This challenge is a little bit invasive. It will try to fight your debugger. With that in mind, debug the binary and get the flag!

This challenge executable is a GUI application and it requires admin privileges. And remember, the flag might get corrupted if you mess up the process’s state.

Challenge can be downloaded here.
Approach –
Taking what is learned from the last two WinAntiDbg challenges, you simply need to utilize the forking and patching techniques multiple times to prevent the debugger from crashing. Use IDA Freeware to navigate through the many sub-directories, until you find one that belongs to WinMain, and you can break at the address of any function inside the sub-directory by finding it in x64dbg. Use WinDbg to manually step through, and follow the code both dynamically and statically to keep track of where you are, which allows you to know where each jump will lead. If a jump leads somewhere undesirable, simply patch it, and continue until you reach the flag.

Description –
I’ve gotten bored of handing out flags as text. Wouldn’t it be cool if they were an image instead? You can download the challenge files here: challenge.zip. Additional details will be available after launching your challenge instance.
Approach –
Scan the QR code in the downloaded file

Description –
People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I’m going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate. You can download the challenge files here: challenge.zip

Additional details will be available after launching your challenge instance.
Approach –
Compare checksum.txt to all files and find the one that matches, then decrypt it using the decrypt.sh.

Description –
Can you handle APKs? Download the android apk here.
Approach –
Unzip the APK and read the flag: cat res/color/flag.txt. You will also need to convert from hex.

Description –
Can you get sense of this code file and write the function that will decode the given encrypted file content. Find the encrypted file here flag_info and code file might be good to analyze and get the flag.
Approach –
What’s happening:

Generation of a shared key using a Diffie-Hellman-like mechanism.

Application of a dynamic XOR operation on the plaintext with a given text key.

Multiplication of each character’s ASCII value by the shared key and a constant (311) to produce the cipher.

To decrypt, you must:

Recompute the shared key using the same parameters (a, b, g, p).

Invert the multiplication for each cipher element to retrieve the XOR-encrypted characters.

Reverse the XOR operation using the same text key to get the original plaintext.

Description –
This is the Custom Cyclical Cipher! Download the ciphertext here. Download the encoder here.

Enclose the flag in our wrapper for submission. If the flag was “example” you would submit “picoCTF{example}”.

Browse here, and find the flag!
Approach –
Use the output as a char and loop through that to find the word “adlibs” which u throw into picoCTF{adlibs}

Code:
import sys

chars = “””#asciiorder

#fortychars

#selfinput

#pythontwo

chars = “”

from fileinput import input

for line in input():

    chars += line

b = 1 / 1

for i in range(len(chars)):

    if i == b * b * b:

        print chars[i] #prints

        b += 1 / 1″””

# Initialization of variable ‘b’ as a float in Python 2 (‘b = 1 / 1’)

# In Python 3, this results in a float, but for index calculation, it should be an integer.

b = 1

# Convert the script for using ‘print’ function with parentheses for Python 3 compatibility.

for i in range(len(chars)):

    # The cube of ‘b’ is used to find specific indices. This logic is retained from Python 2 to 3.

    if i == b ** 3:

        # Print function in Python 3 requires parentheses.

        print(chars[i], end=”)

        b += 1