
My CTF Ventures: picoCTF, General Skills

The next few installments in this series will focus solely on the picoCTF 2019 challenge platform. This post in particular will cover what the introduction is all about, provide some brief details about how the game is set up, and then dive into the “General Skills” challenge room. I will also expand on a few technical concepts along the way for those who may not know and to help fill in knowledge gaps.

To re-iterate from the last post, I genuinely enjoyed the game flow so far and since it’s my first CTF challenge, I believe that other first timers may enjoy it as well. It’s a great way to get your feet wet. I am unsure how long the challenge will remain online so partake while you can!

Disclaimer: I do have the answers in this blog so if you want to try the challenge yourself beforehand, I’d recommend coming back to this blog after at least giving it your best shot. Who knows, you may do better than me and can offer me some insight!

 

Introduction

The game starts with a character waking up, unsure of how they arrived where they are or who they are. This leads to you selecting a user ID for your character. Of course, the options are screen handles because hackers don’t use their real names. After selecting my handle, I decided to walk around and see what’s up. Disclaimer: I am a gamer and enjoy exploring the map, pressing buttons, and seeing if I can reveal hidden secrets or objectives.

As I am walking, I notice the button mappings on the wall and a computer in the room I wake up in, but it’s locked because “Somebody changed my password.” – yikes, talk about password security and multi-factor authentication solutions! Joking aside, I’m already pretty enveloped in the game at this point. After leaving the room and going through the next hallway, I notice two computers – one that’s unresponsive to me approaching it and another that pops up “Start Typing Game” as I get closer. I’ve always been semi-good at typing, so I put my skills to the test. Once the computer is activated, you’re presented with some animations and then multiple shell commands to type. Accuracy here is key and the goal is to get through all the commands within the timer.

Shell commands here refer to computer commands that you give to the computer to perform some action. For instance, in Linux’s terminal you can type “ls -l” to list (ls) the contents of the directory you’re in with the option to view the long listing (-l) format. The commands shown varied but covered some basic directory commands, an nmap command, and a traceroute command. I don’t recall all of the commands used and am unable to do the typing challenge again, so I am going off memory – and no, I didn’t take any notes on the commands!

Of interest was an nmap (short for Network Mapper) command, a tool that is used for many things such as discovering hosts and services and then analyzing the packet responses. If you’ve never used it or checked it out in more detail, you can use this resource to see just what it’s capable of. Traceroute is another cool utility that essentially shows the network path from the computer you’re on to whatever destination you “traceroute” to. Along the way, any routers or gateways are marked, since they are the ones handling packet communications between different networks. Pro tip: it can be used for network troubleshooting if you’re having communication issues between clients and servers on your network.

Moving on and leaving the hallway, you enter a big room with many smaller challenge rooms. This is where the “General Skills” room is, along with others such as “Web Exploit” and “Reversing.” Before going into General Skills, I decided to walk around the room a bit and saw two additional mini games: one more typing challenge and another memory sequence game. I must admit that, since I couldn’t redo the typing challenges, I don’t quite recall which commands were presented in which typing mini game, so I won’t try to differentiate or add more commands. As for the memory challenge game, there is a matrix layout of computers in a 3×3 formation. The computer at the center can be activated when close enough and it turns on the other computers in a sequence. Remember the sequence and then go to each computer and activate it in the same sequence to complete the game. This was quite fun but after doing it several times, I am uncertain if there’s an end goal.

After spending some time with the mini games, I decided it was time to move on. Now, I didn’t want to jump the gun, so I obviously started with “General Skills” to assess my current skillset. I’d rather build myself up by tackling what (I think) I know, then moving to the other rooms that seem more daunting, if you will.

 

General Skills Challenge Room

This section will cover the more than 15 challenges within the General Skills room. I will note the title of each challenge along with its point value, a description containing the challenge’s text, whether or not I personally answered the question along with the answer to that challenge, how I came to that answer, and the hint(s) that were available. Where appropriate, I will also add a pro tip section to expand on a concept.

 

Question 1:

Title: The Factory’s Secret (1 point)

Description: There appear to be some mysterious glyphs hidden inside this abandoned factory… I wonder what would happen if you collected them all?

Answered: No

Answer: Not sure there’s an answer here, I didn’t look this up quite yet.

Hint: Describes how to submit your answer; e.g., “picoCTF{<flag>}”

 

Question 2:

Title: 2Warm (50 points)

Description: Can you convert the number 42 (base 10) to binary (base 2)?

Answered: Yes; picoCTF{101010}

Answer: I searched for “base 10 to base 2 online convertor” and used the first result. Within the base 10 value field I entered 42 and the base 2 value field auto-populated the base 2 format “101010”.

Hint: Describes how to submit the answer with the “picoCTF{<flag>}” format

Pro Tip: Encodings are a huge part of computers; you can read this Secplicity post for an introduction to them.

 

Question 3:

Title: Lets Warm Up (50 points)

Description: If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?

Answered: Yes; picoCTF{p}

Answer: I searched for “hexadecimal to ascii” and used the first result. In the hexadecimal value field I typed in 0x70 and the ascii value field resulted in “p”

Hint: Once again it details how to submit your answers with the prefixed requirement; e.g., picoCTF{<flag>}

 

Question 4:

Title: Warmed Up (50 points)

Description: What is 0x3D (base 16) in decimal (base 10)

Answered: Yes; picoCTF{61}

Answer: Looked up “hex to decimal” and entered 0x3D in the hex value field, the decimal value field revealed “61”. I did know that base 16 refers to hexadecimal.

Hint: Same deal on how to submit your answer; i.e., picoCTF{<flag>}

 

Question 5:

Title: Based (100 points)

Description: What does this bDNhcm5fdGgzX3lwcDM1 mean? I think it has something to do with bases.

Answered: Yes, picoCTF{l3arn_th3_r0p35}

Answer: I am aware of base 64 being a thing, so I searched for “base 64 decoder” and used the first result to reverse the string.

Hint: Same as previous; i.e., picoCTF{<flag>}

Pro Tip: The previously linked Secplicity post doesn’t cover base64 but I will say its usage is very common when sending binary data between computers. This StackOverflow link provided some great usage detail.

 

Question 6:

Title: First Grep (100 points)

Description: Can you find the flag in the file? This would be really tedious to look through manually, something tells me there is a better way. You can also find the file in /problems/first-grep_5_452e1c163eb14b6753e9a155c3ae588 on the shell server.

Answered: Yes; download hyper-linked “file”; ran ‘grep “pico” file’ and got the resulting: picoCTF{grep_is_good_to_find_things_887251c6}

Answer: Based on the title of the challenge and the fact that “file” was downloadable, in conjunction with the answer requirement (e.g., picoCTF{<flag>}), I grepped for pico to denote the constant prefix and found the answer. The file is human-readable, so you could have opened it within a text editor and used control + f to search the file.

Hint: grep tutorial (hyper link to a grep tutorial)

Pro Tip: grep is one of those commands that is extremely useful for when you already know a string you’re looking for exists within a file. Since the answer submission requires picoCTF, grepping a file for that string will return matching results.

 

Question 7:

Title: Resources (100 points)

Description: We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources (link)

Answered: Yes, picoCTF{r3source_pag3_flag}

Answer: After following the link, I briefly checked out the resources but then noticed the “(2019 competition)” flag value and entered that as the answer.

Hint: There was no hint available for this challenge

 

Question 8:

Title: strings it (100 points)

Description: Can you find the flag in file without running it? You can also find the file in /problems/strings-it_2_865eec66d190ef75386fb14e15972126 on the shell server.

Answered: Yes; picoCTF{5tRIng5_1T_d5b86184}

Answer: Based on the challenge title and being familiar with the strings utility, I was aware of it being a program that prints text strings embedded in binary files.

Hint: strings (hyperlink to strings’ man page)

Pro Tip: strings is a great way to view the text strings embedded in a file, including a binary you don’t want to run. That can seem confusing but know that this is a useful tool and I recommend checking it out in more detail – if you’re nerdy enough, that is.

 

Question 9:

Title: what’s a net cat? (100 points)

Description: Using netcat (nc) is going to be pretty important. Can you connect to 2019shell1.picoctf.com at port 21865 to get the flag?

Answered: Yes; I got confused as to what the credentials were for the shell server that is available and after some digging, it’s the username and password combo you used to register your picoCTF account. Once I figured that out, I logged in and got the answer as: picoCTF{nEtCat_Mast3ry_4fefb685}

Answer: I am aware of what netcat is used for and have played with it before. Just as a refresher though, I simply looked up “how to connect to a server using netcat and a port” and read through a link to obtain the above answer.

Hint: nc tutorial (hyper link to nc man page)

 

Question 10:

Title: Based (200 points)

Description: To get truly l337, you must understand different data encodings, such as hexadecimal or binary. Can you get the flag from this program to prove you are on the way to becoming l337? Connect with nc 2019shell1.picoctf.com 20836.

Answered: Yes, but it took me a few tries; had to look up each encoding separately: picoCTF{learning_about_converting_values_6cdcad0d}

Answer: After a few trial and error attempts, I got fast enough to recognize which encodings were what and used online resources to convert the content despite the hint of using python. Upon connecting to the remote server with nc, you receive a request to translate what appears to be a binary (base 2) sequence into a word. The sequences change but their encodings remain. After converting and typing in the answer, the next encoding was octal (base 8). The last sequence was in hex (base 16). You have 45 seconds to convert each encoding into a text representation.

Hint: I hear python can convert things.

Hint: It might help to have multiple windows open

Pro Tip: This challenge was a great way to assess the recognition of various encodings. This seems to be fairly common among these types of challenges.
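Following the hint that Python can convert things, here is an added example (not from the original post or the challenge) that tries a prompt as binary, octal and hex and keeps only the readings that produce printable ASCII. The prompt layout (space-separated codes, or one contiguous hex string) and the sample prompts are assumptions constructed for illustration.

```python
import string

# Characters accepted as a plausible decoded answer.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

def decode_tokens(tokens, base):
    """Read each token as one character code in `base`; None if that fails."""
    try:
        values = [int(tok, base) for tok in tokens]
    except ValueError:                      # a digit that does not exist in this base
        return None
    if not values or any(not 0 <= v <= 0x7F for v in values):
        return None                         # outside 7-bit ASCII, so wrong base
    text = "".join(chr(v) for v in values)
    return text if all(ch in PRINTABLE for ch in text) else None

def candidates(prompt):
    """Return {base_name: text} for every base in which the prompt reads as text."""
    tokens = prompt.split()
    found = {}
    for name, base in (("binary", 2), ("octal", 8), ("hex", 16)):
        toks = tokens
        if base == 16 and len(tokens) == 1:
            # Assumed layout: hex may arrive as one run of two-digit pairs,
            # optionally prefixed with 0x.
            blob = tokens[0]
            if blob.lower().startswith("0x"):
                blob = blob[2:]
            if len(blob) % 2 == 0:
                toks = [blob[i:i + 2] for i in range(0, len(blob), 2)]
        text = decode_tokens(toks, base)
        if text is not None:
            found[name] = text
    return found

# Constructed sample prompts (not captured from the challenge server).
SAMPLES = [
    "01101101 01100001 01110000",   # binary
    "163 154 165 144 147 145",      # octal
    "7461626c65",                   # contiguous hex
    "0x70",                         # the single byte from "Lets Warm Up"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", candidates(sample))
```

Because a wrong base either hits an invalid digit or lands outside printable ASCII, each sample resolves to exactly one reading, which is the same recognition step done by eye against the 45-second timer.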

 

Question 11:

Title: First Grep: Part II (200 points)

Description: Can you find the flag in /problems/first-grep--part-ii_5_956980126dc47c50540b0f8f35a8e443/files on the shell server? Remember to use grep.

Answered: Yes; {grep_r_to_find_this_0898e9c9}

Answer: Another grep question, sweet! Based on the title and the description, and me knowing about the power of grep, I realized that I’d have to use grep to recursively check ALL files in the directory. The “-r” option in grep allows for this exact function. The full command was ‘grep -r “pico” /problems/first-grep--part-ii_5_956980126dc47c50540b0f8f35a8e443/files’

Hint: grep tutorial (hyper link to a grep tutorial)

Pro Tip: I touched on grep above, but you can use the -r option to recursively go through all files in a given directory! This saves you the pain of going through each one individually.

 

Question 12:

Title: Plumbing (200 points)

Description: Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to 2019shell1.picoctf.com 57911.

Answered: Yes, and after some trial, I realized what needed to be done – piping: picoCTF{digital_plumb3r_931b2271}

Answer: After testing the connection and seeing the output (a constant flow of data), I recalled a Linux piping operation! This is done in the form of “|” where the command is ‘nc 2019shell1.picoctf.com 57911 | grep “pico”’. This basically takes the output of the nc command (a constant flow of data) and redirects it into another program, in this case grep for the win! So the returned data is “piped” into the grep program, which is searching for a string containing “pico” within it.

Hint: Remember the flag format is picoCTF{XXXX}

Hint: What’s a pipe? No, not that kind of pipe… This kind (hyperlink about Linux piping)

 

Question 13:

Title: whats-the-difference (200 points)

Description: Can you spot the difference? Kitters cattos. They are also available at /problem/whats-the-difference_0_00862749a2aeb45993f6cc9cf98a47a on the shell server

Answered: No, I was on the right track but just couldn’t figure out the answer. After spending some time trying to explore my thoughts (viewing the hexadecimal encoding of the pictures), I couldn’t figure out what needed to be done: picoCTF{th3yr3_a5_d1ff3r3nt_4s_bu773r_4nd_j311y_aslkjfdsalkfslkflkjdsfdszmz10548}

Answer: Certain this challenge included viewing the hexadecimal content and having to spot the “difference” between the files, I initially thought the program “diff” would help here. However, diff didn’t display anything when the files were in jpg format (binary format). Running “diff kitters cattos” revealed that the binary files were indeed different, but not what the differences were. I then tried to dump the hex values into a text file by running “xxd <file>.jpg >> <file>.txt” and then comparing the two with “diff kitters.txt cattos.txt” but there was just too much data. I then tried “diff kitters.txt cattos.txt | grep ‘pico’” and did get something more manageable, but still not the answer. Alas, after looking up the answer, I was quite impressed at the different ways folks solved this challenge! The solution was to store the hex values for each file, so far so good, but then compare them byte by byte. This is where I fell short. (Spoiler, the first two links reveal answers to most of the problems) This resource was the original I used but I was curious about others’ approaches. This is a different one I used to compare solutions yet again, but this one stood out by far. I will say that since I had to look this up, I took the time to compare how I got the previous answers to the first resource just to see what I could’ve picked up on.

Hint: How do you find the difference between two files?

Hint: Dumping the data from a hex editor may make it easier to compare

Pro Tip: diff is used to compare two files and display their differences, which is why I tried this method out. I wasn’t aware of it not working with binary files (I learned that through this challenge). I did learn many new ways to go about comparing the difference of a file’s encoding, but the linked references simply blew my mind. I recommend exploring them at some point.
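The byte-by-byte comparison mentioned above, as an added example (not taken from the original post or the linked write-ups). It reports every offset where two inputs differ and collects the bytes found there; the two buffers are constructed stand-ins for the image files, and the assumption that the interesting bytes sit on one side is hypothetical.

```python
from itertools import zip_longest

def byte_diffs(a: bytes, b: bytes):
    """Yield (offset, byte_in_a, byte_in_b) wherever the inputs differ.
    None marks a position past the end of the shorter input."""
    for offset, (x, y) in enumerate(zip_longest(a, b)):
        if x != y:
            yield offset, x, y

def differing_text(a: bytes, b: bytes, side: int = 1) -> str:
    """Join the bytes from one side (0 = a, 1 = b) at the differing offsets."""
    picked = (diff[1 + side] for diff in byte_diffs(a, b))
    return bytes(v for v in picked if v is not None).decode("latin-1")

def compare_files(path_a: str, path_b: str, side: int = 1) -> str:
    """Same comparison for two files on disk, read as raw bytes."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return differing_text(fa.read(), fb.read(), side)

def build_sample():
    """Constructed data: a 1 KiB buffer and a copy with a marker scattered in."""
    original = bytes(range(256)) * 4
    marker = b"demo{byte_by_byte}"          # constructed, not a real flag
    modified = bytearray(original)
    for i, ch in enumerate(marker):
        modified[50 + i * 37] = ch          # one changed byte every 37 bytes
    return original, bytes(modified)

if __name__ == "__main__":
    original, modified = build_sample()
    for offset, x, y in byte_diffs(original, modified):
        print(f"{offset:#06x}: {x:02x} -> {y:02x}")
    print(differing_text(original, modified))
```

A line-based diff of two xxd dumps flags a whole 16-byte row for every changed byte, which is why that output was unmanageable; comparing at byte granularity leaves only the changed positions.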

 

Question 14:

Title: where-is-the-file (200 points)

Description: I’ve used a super-secret mind trick to hide this file. Maybe something lies in /problems/where-is-the-file_1_5487839f5b7db0ddbaf642cdb5c9b3b5

Answered: Yes; picoCTF{w3ll_that_d1dnt_w0RK_3e782057}

Answer: After getting into the shell server and changing directories (you can use the “cd” command to change directories) to the one provided, I used “ls” to view the contents of that directory, but it was empty. Hmmm, then I remembered that files prepended with a period “.” are hidden, so then I issued a ls -a command which is used to reveal these hidden files. Once I discovered the filename, I opened it using “vi”. Another option was using grep; either worked fine.

Hint: What command can see/read files

Hint: What’s the manual page of ls?

Pro Tip: Hidden files are common, and they are typically configuration files or other files that aren’t commonly used by standard end users. Power users and system administrators are more likely to be aware of their existence and to use them.

 

Question 15:

Title: flag_shop (300 points)

Description: There’s a flag shop selling stuff, can you buy a flag? Source. Connect with nc 2019shell1.picoctf.com 3967.

Answered: No, I was on the right track but had no idea how to solve it: picoCTF{m0n3y_bag5_cd0ead78}

Answer: After downloading the source file (store.c), I read through the source code and ruled out what wouldn’t lead me the right way and honed down to the lines requiring user input. One thing I know from a security standpoint is: never trust user input. Taking that into account, and the not-so-helpful hint, I got stuck. After looking it up, I must say that I definitely learned something new and will put this into my tool kit! This is the original source I used, but to compare solutions I saw this as well. What I learned here is that you can overflow an int datatype value in the C programming language. What I didn’t get is why the randomly large numbers I used wouldn’t overflow it. I figure the answer has to do with the math behind the scenes, but this was a bit beyond my comprehension. The original source I used for the answer worked in one go, the second one required multiple entries. Why the differences?

Hint: Two’s complement can do some weird things when numbers get really big!

Pro Tip: I know about buffer overflow and stack overflow attacks but have never heard of an integer overflow. In digging a bit to better understand this and seeing how it applies to the challenge, the variable in question was stored in an “int” data type, which can only hold so much data. The math used to overflow the int data type allows for undesired results – undesired from a programming and security point, but desired from a hacker or user standpoint.
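To show why some large numbers wrap to a negative total while others do not, here is an added example (not the challenge's store.c and not from the linked write-ups) that models 32-bit two's complement arithmetic in Python, next to a checked version. The unit price, the balance and both function names are hypothetical; the C standard leaves signed overflow undefined, and the wraparound modelled here is what two's complement hardware typically produces.

```python
INT_MAX = 2**31 - 1

def to_int32(n: int) -> int:
    """Keep the low 32 bits and reinterpret them as a signed value."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n >= 2**31 else n

UNIT_PRICE = 1000   # hypothetical price per item
BALANCE = 1100      # hypothetical starting balance

def naive_purchase(qty, balance=BALANCE, price=UNIT_PRICE):
    """Unchecked pattern: multiply in a 32-bit int, then compare to the balance.
    Returns (accepted, new_balance, total_as_the_program_sees_it)."""
    total = to_int32(price * qty)
    if total <= balance:
        return True, to_int32(balance - total), total
    return False, balance, total

def checked_purchase(qty, balance=BALANCE, price=UNIT_PRICE):
    """Hardened pattern: reject quantities whose product cannot fit in an int."""
    if qty <= 0 or qty > INT_MAX // price:
        raise ValueError("quantity out of range")
    total = price * qty                     # cannot exceed INT_MAX here
    if total <= balance:
        return True, balance - total, total
    return False, balance, total

if __name__ == "__main__":
    # Constructed quantities: an ordinary one, one too expensive, and two
    # large ones whose products land in different halves of the 32-bit range.
    for qty in (1, 2, 3_000_000, 5_000_000):
        print(qty, naive_purchase(qty))
```

With these values, 3,000,000 items wrap to a negative total and the purchase raises the balance, while 5,000,000 items wrap all the way around to a positive total that is still too expensive. A large number only helps when the product modulo 2^32 falls in the upper half of the range, which is why arbitrary big inputs behave inconsistently.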

 

Question 16:

Title: mus1c (300 points)

Description: I wrote you a song. Put it in the picoCTF{} flag format.

Answered: No, I was completely lost here; picoCTF{rrrocknrn0113r}

Answer: As stated above, this challenge was way over my head. I had to look this up and I must add that it’s pretty cool but still don’t entirely understand the output nor the input of this “Rockstar” programming language. “song” from the description is a downloadable file with song lyrics. Putting it into this online converter, you’re presented with decimal values that then need to be converted to text, which is the flag. I definitely learned something new here. I got the answer from here.

Hint: Do you think you can master Rockstar?

 

Question 17:

Title: 1_wanna_b3_a_r0ck5tar (350 points)

Description: I wrote you another song. Put the flag in the picoCTF{} flag format.

Answered: No; picoCTF{BONJOVI}

Answer: Despite the previous challenge, I was still at a complete loss here. After looking up the answer, I extrapolated why what needed to be done was required. Perhaps I should be a “Rockstar” programmer! Many programming languages have if and else statements, as does Rockstar. Rockstar also has say and listen statements, which I was not aware of; the more you know! I used the same link as above to answer this.

Hint: None

 

Conclusion and Thoughts

Wow, that was a lot of fun! I definitely learned some new tips and tricks for future CTF challenges and will take note of these. The most intriguing tactic was that of the hexadecimal comparisons of the two image files (question 13’s whats-the-difference). Next up was the integer overflow challenge (question 15’s flag_shop); it was fascinating to see the different answers and how the program reacted. Last, but most certainly not least, was the fact that there is a programming language named Rockstar!

I look forward to checking out the rest of the rooms and seeing how I perform. Hopefully the challenges gradually get harder, which I assume is the format considering how the General Skills room held up. Don’t get me wrong, I don’t despise challenges, but I don’t want to get shut down from the start!
