PicoCTF General Skills Walkthrough

PicoCTF is the fun, free way to learn and practice cybersecurity concepts. I found the challenges super beginner friendly; they range from really easy (5 pts) to medium (400 pts). In this article I will be walking through the General Skills category of PicoCTF!

PicoCTF 2021

1. PicoCTF2021 - Obedient Cat

Problem Statement

This file has a flag in plain sight (aka “in-the-clear”). Download flag.

Information

Point: 5 points
Category: General Skills

Hints

  1. Any hints about entering a command into the Terminal (such as the next one), will start with a ‘$’… everything after the dollar sign will be typed (or copy and pasted) into your Terminal.
  2. To get the file accessible in your shell, use wget
  3. $ man cat

Solution

Download file named “flag” and copy and paste the flag.

Flag

picoCTF{s4n1ty_v3r1f13d_b5aeb3dd}

2. PicoCTF2021 - Python Wrangling

Overview

Points: 10
Category: General Skills

Description

Python scripts are invoked kind of like programs in the Terminal… Can you run this Python script using ./pw.txt to get ./flag.txt.en?

Hints

  1. Get the Python script accessible in your shell by entering the following command in the Terminal prompt: $ wget https://mercury.picoctf.net/static/8e33ede04d02f3765b8c6a6e24d72733/ende.py
  2. $ man python

Approach

I tried running the code in the IDE but that didn’t work. I navigated to the directory where the Python file was (make sure the flag file is in the same directory) and used python ende.py -d flag.txt.en (-d for decode I’m guessing, -e is probably encode). This asked for the password which I pasted from pw.txt and then it outputted the flag.

sys.stdout.buffer.write(data_c)

needs to be replaced with

sys.stdout.write(data_c)

Flag

picoCTF{4p0110_1n_7h3_h0us3_aa821c16}

3. PicoCTF2021 - Waving Flag

Description

Can you invoke help flags for a tool or binary? This program has extraordinarily helpful information…

Challenge Information

Points: 10

Hints

  1. This program will only work in the webshell or another Linux computer.

  2. Download the file using wget

  3. Run this program by entering the following in the Terminal prompt: $ ./warm, but you’ll first have to make it executable with $ chmod +x warm

  4. -h and --help are the most common arguments to give to programs to get more information from them!

  5. Not every program implements help features like -h and --help.

Solution

Download “this program”, open it and search for “pico” in the search tab. From there, you should be able to find the flag somewhere in the middle.

Flag

picoCTF{b1scu1ts_4nd_gr4vy_755f3544}

4. PicoCTF2021 - Nice netcat

Overview

Points: 15
Category: General

Description

There is a nice program that you can talk to by using this command in a shell: $ nc mercury.picoctf.net 43239, but it doesn’t speak English…

Hints

  1. You can practice using netcat with this picoGym problem: what’s a netcat?
  2. You can practice reading and writing ASCII with this picoGym problem: Let’s Warm Up

Approach

First I connected to mercury.picoctf.net 43239 on a Linux terminal.

It gave these numbers:

112 105 99 111 67 84 70 123 103 48 48 100 95 107 49 116 116 121 33 95 110 49 99 51 95 107 49 116 116 121 33 95 55 99 48 56 50 49 102 53 125 10

These numbers are most likely ASCII values for text. I got tired of trying to look for an online source to decode it. I tried about 3 and they all didn’t work. I wrote up a Python script

nums = [112, 105, 99, 111, 67, 84, 70, 123, 103, 48, 48, 100, 95, 107, 49, 116, 116, 121, 33, 95, 110, 49, 99, 51, 95, 107, 49, 116, 116, 121, 33, 95, 55, 99, 48, 56, 50, 49, 102, 53, 125, 10]
flag = ""
for number in nums:
    flag += chr(number)
print(flag)

Flag

picoCTF{g00d_k1tty!_n1c3_k1tty!_7c0821f5}

5. PicoCTF2021 - Static Ain’t Always Noise

Challenge Description

Can you look at the data in this binary: static? This BASH script might help!

Information

Points: 20

Solution

Download the static file, and search “pico”, and the flag is located somewhere in the middle.

Flag

picoCTF{d15a5m_t34s3r_1e6a7731} Make sure to type it out, otherwise the flag will not be accepted.

6. PicoCTF2021 - Tab, Tab, Attack

Overview

Points: 20
Category: General Skills

Description

Using tabcomplete in the Terminal will add years to your life, esp. when dealing with long rambling directory structures and filenames: Addadshashanammu.zip

Hints

After unzipping, this problem can be solved with 11 button-presses…(mostly Tab)…

Approach

Um. There really aren’t that many files. Unzip everything, then have fun navigating using ls to list the folders/files and cd <foldername> to navigate there. Eventually there will be an ELF file named fang-of-haynekhtnamet; use ./fang-of-haynekhtnamet to run it. It outputs: *ZAP!* picoCTF{l3v3l_up!_t4k3_4_r35t!_524e3dc4}

Flag

picoCTF{l3v3l_up!_t4k3_4_r35t!_524e3dc4}

7. PicoCTF2021 - Magikarp Ground Mission

Overview

Points: 30
Category: General Skills

Description

Do you know how to move between directories and read files in the shell? Start the container, ssh to it, and then ls once connected to begin. Login via ssh as ctf-player with the password, 6d448c9c

Hints

  1. Finding a cheatsheet for bash would be really helpful!

Approach

Hmm start by connecting to the server with ssh ctf-player@venus.picoctf.net -p 50713 and 6d448c9c as the password like the question says.

Using ls lists 1of3.flag.txt instructions-to-2of3.txt

With cat 1of3.flag.txt, we get

picoCTF{xxsh_

cat instructions-to-2of3.txt says

Next, go to the root of all things, more succinctly `/`

I typed in cd .. (go back a directory) then ls -a (list all because I have trust issues with hidden files) and came across 3of3.flag.txt

cat 3of3.flag.txt gave

5190b070}

I kept going back (with cd ..) and listing the files and directories (ls -a) until 2of3.flag.txt appeared.

cat 2of3.flag.txt gave

0ut_0f_\/\/4t3r_

Flag

picoCTF{xxsh_0ut_0f_\/\/4t3r_5190b070}

PicoCTF 2022

Nothing here yet

PicoCTF 2023

1. PicoCTF2023 - chrono

Overview

Points: 100
Category: General Skills

Description

How to automate tasks to run at intervals on linux servers? Additional details will be available after launching your challenge instance.

Approach

Automating and scheduling of tasks is typically the role of cron jobs, managed by the cron table.

$ crontab -l
no crontab for picoplayer

$ crontab -e
no crontab for picoplayer - using an empty one
update-alternatives: error: no alternatives for editor
/usr/bin/sensible-editor: 25: editor: not found
/usr/bin/sensible-editor: 28: nano: not found
/usr/bin/sensible-editor: 31: nano-tiny: not found
/usr/bin/sensible-editor: 34: vi: not found
Couldn't find an editor!
Set the $EDITOR environment variable to your desired editor.
crontab: "/usr/bin/sensible-editor" exited with status 1

OK, let’s try viewing the cron table for root :

picoplayer@challenge:~$ crontab -u root -l
must be privileged to use -u

picoplayer@challenge:~$ sudo -l
[sudo] password for picoplayer: 
Sorry, user picoplayer may not run sudo on challenge.

Still no luck.

Solution

Let’s try viewing the system-wide crontab :

$ cat /etc/crontab
# picoCTF{........redacted........}

Actual flag value redacted for the purposes of this write up.

Notes

Whilst trying to work out the above solution during the event, I did happen to accidentally view the flag visible in /challenge/metadata.json, which didn’t seem like the intended solution and was likely a permissions misconfiguration.

2. PicoCTF2023 - money-ware

Overview

Points: 100
Category: General Skills

Description

Flag format: picoCTF{Malwarename} The first letter of the malware name should be capitalized and the rest lowercase. Your friend just got hacked and has been asked to pay some bitcoins to 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. He doesn’t seem to understand what is going on and asks you for advice. Can you identify what malware he’s being a victim of?

Approach

Googling for references to malware that utilises the cryptocurrency address 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX for payment resulted in finding references to Petya.

Solution

picoCTF{Petya}

3. PicoCTF2023 - Permissions

Overview

Points: 100
Category: General Skills

Description

Can you read files in the root file?

Approach

Nothing of interest in the user’s home folder, and we don’t have permission to list the contents of /root :

$ ls /root
ls: cannot open directory '/root': Permission denied

Suggesting we may need sudo, let’s see what is available to us :

picoplayer@challenge:~$ sudo -l
[sudo] password for picoplayer: 
Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi

Solution

vi may be run as a superuser via sudo, so we’ll run it using the following command to show us a directory listing of /root, as we don’t know its contents as yet :

$ sudo vi /root

" ============================================================================
" Netrw Directory Listing                                        (netrw v165)
"   /root
"   Sorted by      name
"   Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$
"   Quick Help: <F1>:help  -:go up dir  D:delete  R:rename  s:sort-by  x:special
" ==============================================================================
../                                                                                                 
./
.vim/
.bashrc
.flag.txt
.profile
.viminfo

Navigate to the .flag.txt file, hit enter to open and view the flag contents.
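
From the defender's side, a rule like (ALL) /usr/bin/vi is the misconfiguration to look for. The following added example (not part of the original write-up) scans sudo -l output for rules that grant a full editor or pager; the function names and the program list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original write-up: audit `sudo -l` output for
# rules that grant a whole editor or pager (as with /usr/bin/vi above).

# Assumption: an illustrative, non-exhaustive list of editors and pagers.
RISKY_PROGRAMS="vi vim view nano ed emacs less more"

# audit_sudo_rules: read `sudo -l` output on stdin, print "<runas> <command>"
# for every risky rule, and return 0 only if at least one was found.
audit_sudo_rules() (
    set -f                                   # rules may contain wildcards
    hits=0 in_rules=0
    while IFS= read -r line; do
        case $line in
            *"may run the following commands"*) in_rules=1; continue ;;
        esac
        [ "$in_rules" -eq 1 ] || continue
        line=${line#"${line%%[! ]*}"}        # trim leading blanks
        case $line in "("*") "*) ;; *) continue ;; esac
        runas=${line%%") "*}")"              # e.g. "(ALL)" or "(root)"
        rest=${line#*") "}
        old_ifs=$IFS; IFS=,
        for cmd in $rest; do
            cmd=${cmd#"${cmd%%[! ]*}"}
            # Skip tags such as "NOPASSWD:" in front of the command path.
            while [ "${cmd#[A-Z]*: }" != "$cmd" ]; do cmd=${cmd#*: }; done
            prog=${cmd%% *}
            case " $RISKY_PROGRAMS " in
                *" ${prog##*/} "*) printf '%s %s\n' "$runas" "$cmd"; hits=$((hits + 1)) ;;
            esac
        done
        IFS=$old_ifs
    done
    [ "$hits" -gt 0 ]
)

# Constructed sample: the `sudo -l` output shown in the write-up.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi
EOF
}

sample_sudo_l | audit_sudo_rules             # prints: (ALL) /usr/bin/vi
```

Rules written with sudoedit for named files are not flagged, since sudoedit runs the editor as the invoking user rather than as the target user.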

4. PicoCTF2023 - repetitions

Overview

Points: 100
Category: General Skills

Description

Can you make sense of this file?

Approach

The contents of the downloaded enc_flag file appear to be base64 encoded :

$ cat enc_flag 
VmpGU1EyRXlUWGxTYmxKVVYwZFNWbGxyV21GV1JteDBUbFpPYWxKdFVsaFpWVlUxWVZaS1ZWWnVh
RmRXZWtab1dWWmtSMk5yTlZWWApiVVpUVm10d1VWZFdVa2RpYlZaWFZtNVdVZ3BpU0VKeldWUkNk
MlZXVlhoWGJYQk9VbFJXU0ZkcVRuTldaM0JZVWpGS2VWWkdaSGRXCk1sWnpWV3hhVm1KRk5XOVVW
VkpEVGxaYVdFMVhSbFZrTTBKVVZXMTRWMDVHV2toalJYUlhDazFyV25sVVZXaHpWakpHZEdWRlZs
aGkKYlRrelZERldUMkpzUWxWTlJYTkxDZz09Cg==

Running a base64 decode of the contents of enc_flag :

$ base64 -d enc_flag
VjFSQ2EyTXlSblJUV0dSVllrWmFWRmx0TlZOalJtUlhZVVU1YVZKVVZuaFdWekZoWVZkR2NrNVVX bUZTVmtwUVdWUkdibVZXVm5WUgpiSEJzWVRCd2VWVXhXbXBOUlRWSFdqTnNWZ3BYUjFKeVZGZHdW MlZzVWxaVmJFNW9UVVJDTlZaWE1XRlVkM0JUVW14V05GWkhjRXRXCk1rWnlUVWhzVjJGdGVFVlhi bTkzVDFWT2JsQlVNRXNLCg==

Still looking very much like a base64 string after decoding, only slightly shorter. Given the name of this challenge, an assumption is made that the base64 encoding is repeated multiple times.

Solution

During the CTF event I solved this challenge manually by chaining up the decodes in a manual fashion, which works when the number of repetitions is low (6 in this case) :

$ base64 -d enc_flag | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
picoCTF{........redacted........}

The actual flag value is redacted for the purposes of this write up.

However, for situations that may utilise higher orders of repetitions, a simple bash script that loops until solved, or until the base64 decode fails, would be a better solution.
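
A looping decoder for nested base64, as an added example that is not part of the original write-up: it peels layers until a picoCTF{...} pattern appears, the decode fails, or a round limit is reached. The function names and the sample flag are made up for illustration, and the sample input is constructed inside the script.

```sh
#!/bin/sh
# Added example, not part of the original write-up.

# wrap_layers TEXT N: base64-encode TEXT N times (builds the constructed sample).
wrap_layers() (
    data=$1 n=$2
    while [ "$n" -gt 0 ]; do
        data=$(printf '%s\n' "$data" | base64)
        n=$((n - 1))
    done
    printf '%s\n' "$data"
)

# is_flag TEXT: succeed when TEXT contains something shaped like picoCTF{...}.
is_flag() {
    case $1 in
        *picoCTF\{*\}*) return 0 ;;
        *) return 1 ;;
    esac
}

# peel_layers DATA [MAX]: print "<layers> <text>"; status 0 only if a flag was found.
peel_layers() (
    data=$1 max=${2:-50} layers=0
    while ! is_flag "$data" && [ "$layers" -lt "$max" ]; do
        # base64 -d exits non-zero once the input is no longer valid base64.
        next=$(printf '%s\n' "$data" | base64 -d 2>/dev/null) || break
        [ -n "$next" ] || break
        data=$next
        layers=$((layers + 1))
    done
    printf '%s %s\n' "$layers" "$data"
    is_flag "$data"
)

# Demo on constructed input: a made-up flag wrapped six times.
sample=$(wrap_layers 'picoCTF{constructed_sample_flag}' 6)
peel_layers "$sample"        # prints: 6 picoCTF{constructed_sample_flag}
```

The round limit matters because a plaintext that happens to consist only of base64 characters would otherwise keep decoding into garbage.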

5. PicoCTF2023 - useless

Overview

Points: 100
Category: General Skills

Description

There’s an interesting script in the user’s home directory. The work computer is running SSH. We’ve been given a script which performs some basic calculations, explore the script and find a flag.

Solution

The home folder contains a useless bash shell script that performed arithmetic calculations. After playing around with the script for some time I noticed the reference to the man keyword in the challenge description tags.

$ man useless
picoCTF{........redacted........}

Actual flag value redacted for the purposes of this write up.

6. PicoCTF2023 - Special

Overview

Points: 300
Category: General Skills

Description

Don’t power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized… automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That’s Special (TM)

Approach

This took a lot of experimenting with bash shell syntax that I was familiar with, throwing everything at the wall until I stumbled on the use of ((cat)) whilst trying to concatenate potential flag files in the working folder. This command would not emit the typical error and would await further input on standard input, as if the cat command was being executed without arguments.

Knowing this, and assuming cat could be replaced by any command, the next test was to use ((ls)) to start gathering information about what is in the current working folder that may be accessible.

((ls)) showed a single entry blargh.

I then spent quite a while trying to interact with blargh and the method of command execution I had found. What I quickly realised though was the ((<command>)) mechanism did not facilitate the use of arguments; for example, attempts to cat blargh or ls -al failed, as they were not being parsed properly by the “Special (TM)” interpreter.

There had to be a method of getting additional data into commands, which is when I started experimenting with input redirection. I found the following command syntax was doing as I expected:

((cat)) < blargh

This returned an error indicating blargh was actually a directory and not a file, therefore having a guess at its possible contents led to the final solution.

Solution

The final command used to drop the flag during the event was :

Special$ ((cat)) < blargh/flag.txt
((cat)) < blargh/flag.txt 
picoCTF{........redacted........}

Actual flag value redacted for the purposes of this write up.

7. PicoCTF2023 - Specialer

Overview

Points: 400
Category: General Skills

Description

Reception of Special has been cool to say the least. That’s why we made an exclusive version of Special, called Secure Comprehensive Interface for Affecting Linux Empirically Rad, or just ‘Specialer’. With Specialer, we really tried to remove the distractions from using a shell. Yes, we took out spell checker because of everybody’s complaining. But we think you will be excited about our new, reduced feature set for keeping you focused on what needs it the most.

Please start an instance to test your very own copy of Specialer.

ssh -p 57125 ctf-player@saturn.picoctf.net.

The password is 483e80d4

Solution

Google “display content of file in shell script” => echo "$(<filename)" (ref)

echo: When you run echo *, the shell expands the wildcard and echo displays a list of all files and directories in the current directory. However, echo only displays the names of the files and directories, not their detailed information or attributes.

Specialer$ pwd
/home/ctf-player

Specialer$ echo *
abra ala sima

Specialer$ echo /
/

Specialer$ echo */*
abra/cadabra.txt abra/cadaniel.txt ala/kazam.txt ala/mode.txt sim/city.txt sim/salabim.txt

Specialer$ echo "$(<$ala/kazam.txt)"
-bash: /kazam.txt: No such file or directory

Specialer$ echo "$( < /home/ctf-player/ala/kazam.txt)"
return 0 picoCTF{hidden flag}

This post is licensed under CC BY 4.0 by the author.