PicoCTF - SQLiLite

Challenge

Tags

PicoCTF 2022 / Web Exploitation / sql

Description

Can you login to this website?

Writeup

  1. Launch instance.
  2. Log in with a random username and password. I use admin as the username and xx as the password.
  3. Now that we know the SQL query, we can exploit it with SQL injection.
  4. Use OR 1=1--' as both the username and the password and log in again.
  5. The flag is hidden, so inspect the page elements to find it.
  6. Here’s the flag: picoCTF{L00k5_l1k3_y0u_solv3d_it_9b0a4e21} ٩(^ᴗ^)۶

PicoCTF - SQL Direct

Challenge

Tags

PicoCTF 2022 / Web Exploitation / sql

Description

Connect to this PostgreSQL server and find the flag!

Writeup

  1. Launch instance.
  2. Open the webshell and log in.
  3. Connect to the database with the command psql -h saturn.picoctf.net -p 61408 -U postgres pico and enter the password.
  4. Use the \dt command to list all tables; there is only one, named flags.
  5. Use SELECT * FROM flags; to view the contents of the table.
  6. Here’s the flag: picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd14c0} ٩(^ᴗ^)۶

PicoCTF - Power Cookie

Challenge

Tags

PicoCTF 2022 / Web Exploitation

Description

Can you get the flag?
Go to this website and see what you can discover.

Writeup

  1. Click the Continue as guest button; a page tells you they don’t have a guest service.
  2. Change isAdmin cookie value to 1.
  3. Refresh the page.
  4. Here’s the flag: picoCTF{gr4d3_A_c00k13_5d2505be} ٩(^ᴗ^)۶

PicoCTF - Search source

Challenge

Tags

PicoCTF 2022 / Web Exploitation

Description

The developer of this website mistakenly left an important artifact in the website source, can you find it?
The website is here

Writeup

  1. Run wget -m http://saturn.picoctf.net:58133/ to mirror the site source.
  2. Run grep -r 'picoCTF' saturn.picoctf.net:58133 to search the mirrored files for the flag.
  3. Here’s the flag: picoCTF{1nsp3ti0n_0f_w3bpag3s_587d12b8} ٩(^ᴗ^)۶

Ethernaut - 18. Magic Number

Difficulty: 🌕🌕🌕🌑🌑

To solve this level, you only need to provide the Ethernaut with a Solver, a contract that responds to whatIsTheMeaningOfLife() with the right number.
Easy right? Well… there’s a catch.
The solver’s code needs to be really tiny. Really reaaaaaallly tiny. Like freakin’ really really itty-bitty tiny: 10 opcodes at most.
Hint: Perhaps it’s time to leave the comfort of the Solidity compiler momentarily, and build this one by hand O_o. That’s right: Raw EVM bytecode.
Good luck!

Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract MagicNum {

  address public solver;

  constructor() public {}

  function setSolver(address _solver) public {
    solver = _solver;
  }

  /*
    ____________/\\\_______/\\\\\\\\\_____        
     __________/\\\\\_____/\\\///////\\\___       
      ________/\\\/\\\____\///______\//\\\__      
       ______/\\\/\/\\\______________/\\\/___     
        ____/\\\/__\/\\\___________/\\\//_____    
         __/\\\\\\\\\\\\\\\\_____/\\\//________   
          _\///////////\\\//____/\\\/___________  
           ___________\/\\\_____/\\\\\\\\\\\\\\\_ 
            ___________\///_____\///////////////__
  */
}

Writeup

  1. Get a new instance.
  2. Create a new contract:
     // SPDX-License-Identifier: MIT
     pragma solidity ^0.6.0;
    
     contract MagicNumberCracker{
         constructor() public{
             assembly{
                 // Write the 10-byte runtime code into memory word 0. The value is
                 // left-padded, so the code occupies bytes 0x16..0x1f of that word.
                 mstore(0x00, 0x602a60005260206000f3)
                 // Return exactly those 10 bytes as the deployed contract code.
                 return(0x16, 0x0a)
             }
         }
     }
    

    Where does 0x602a60005260206000f3 come from?

    1. PUSH1 0x2a -> 0x602a (push 42 onto the stack)
    2. PUSH1 0x00 -> 0x6000 (push memory offset 0x00 onto the stack)
    3. MSTORE -> 0x52 (store 42 as a 32-byte word at memory offset 0x00)
    4. PUSH1 0x20 -> 0x6020 (return size: one 32-byte memory word)
    5. PUSH1 0x00 -> 0x6000 (return offset: the value sits at memory offset 0x00)
    6. RETURN -> 0xf3 (return the 32 bytes stored at memory offset 0x00)
  3. Compile and Deploy.
  4. Set the solver:
    
     await contract.setSolver('MAGICNUMBERCRACKER_CONTRACT_ADDRESS')
    
    
  5. Submit instance ξ( ✿>◡❛)
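The byte-by-byte derivation above, as an added example that is not part of the original writeup or of the Ethernaut project: a Python script (all function names are assumed helpers) assembles the six instructions, shows why the constructor must return from offset 0x16 of the memory word, and runs the result through a minimal interpreter that knows only PUSH1, MSTORE and RETURN.

```python
# Added example: hand-assemble the solver's runtime code and execute it.
OPCODES = {"PUSH1": 0x60, "MSTORE": 0x52, "RETURN": 0xF3}

def assemble(program):
    """program: list of (mnemonic, optional immediate byte) tuples."""
    out = bytearray()
    for mnemonic, *imm in program:
        out.append(OPCODES[mnemonic])
        out.extend(imm)
    return bytes(out)

SOLVER_PROGRAM = [
    ("PUSH1", 0x2A),   # 42 onto the stack
    ("PUSH1", 0x00),   # memory offset 0
    ("MSTORE",),       # mem[0:32] = 42, left-padded to a 32-byte word
    ("PUSH1", 0x20),   # return size: 32 bytes
    ("PUSH1", 0x00),   # return offset: 0
    ("RETURN",),       # hand the word back to the caller
]

def runtime_code():
    return assemble(SOLVER_PROGRAM)          # 10 bytes, 6 opcodes

def constructor_word():
    """The 32-byte word that mstore(0x00, 0x602a...f3) writes."""
    return int.from_bytes(runtime_code(), "big").to_bytes(32, "big")

def code_offset_in_word():
    """Offset the constructor passes to return(): 32 - len(code) = 0x16."""
    return 32 - len(runtime_code())

def run_evm(code):
    """Tiny interpreter: returns the bytes RETURN hands back, or None."""
    stack, memory, pc = [], bytearray(32), 0
    while pc < len(code):
        op = code[pc]; pc += 1
        if op == 0x60:                       # PUSH1 imm
            stack.append(code[pc]); pc += 1
        elif op == 0x52:                     # MSTORE: pops offset, then value
            offset, value = stack.pop(), stack.pop()
            memory[offset:offset + 32] = value.to_bytes(32, "big")
        elif op == 0xF3:                     # RETURN: pops offset, then size
            offset, size = stack.pop(), stack.pop()
            return bytes(memory[offset:offset + size])
        else:
            raise ValueError(f"unsupported opcode {op:#x}")
    return None

def meaning_of_life():
    """What whatIsTheMeaningOfLife() would decode from the returned word."""
    return int.from_bytes(run_evm(runtime_code()), "big")
```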

Reference