picoCTF 2022: Forensics writeups

h4krG33k
Mar 30, 2022


Enhance! (100 pts)

Use strings on the file and get the flag:

Remove the gaps and use the flag: picoCTF{3nh4nc3d_<unique_code>}

Lookey here (100 pts)

We need to grep the file in this case:

cat anthem.flag.txt | grep pico

Flag: picoCTF{gr3p_15_@w3s0m3_<unique_code>}

Packets Primer (100 pts)

Download the file and open it in Wireshark.

Right-click the first packet and select Follow > TCP stream

You will get the flag. Now remove the spaces in between the characters and use it: picoCTF{p4ck37_5h4rk_<unique_code>}

Redaction gone wrong (100 pts)

In the PDF, select the highlighted part and copy it. Paste it in a text file to see the full flag: picoCTF{C4n_Y0u_S33_m3_fully}

Sleuthkit Intro (100 pts)

Download the file and decompress it with gzip -d disk.img.gz (Linux).
On Windows, use 7-Zip for extraction.

In this question we need to find the size of the disk. As hinted in the question, let's use mmls.

Run the command: mmls disk.img
The length of the partition is: 202752

Let’s connect to the server using netcat (see the question) and type in the size number, we get the flag: picoCTF{mm15_f7w!}

Sleuthkit Apprentice (200 pts)

Download the file and decompress it with gzip -d disk.img.gz (Linux).
On Windows, use 7-Zip for extraction.

We’re using AccessData FTK Imager for further analysis.

Go file>Add Evidence Item…

Then select Image File and then select the file you want to import in (the decompressed disk image)

Now press Ctrl + F and type in picoctf and press Enter.

We find the flag now! Remove the dots and get the flag.
[Quick tip: In Python, use ''.join('<flag-with-dots>'.split('.')) to get the flag mighty fast]

Flag: picoCTF{by73_5urf3r_<unique_code>}

Eavesdrop (300 pts)

Let’s inspect the pcap file. Right click a TCP packet and select Follow > TCP Stream

On Stream 0, we spot a conversation:

The highlighted text will be needed later for decoding.

We are going to convert the encoded message to its raw format and save it.

I renamed the file to file.des3 to match the input name as in the command you saw before.

Then we use:
openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

Flag on decoding:

picoCTF{nc_73115_411_<unique_code>}

St3g0 (300 pts)

After trying out a number of steganography tools I found the solution with zsteg.

Use zsteg -a pico.flag.png

Flag: picoCTF{7h3r3_15_n0_5p00n_<unique_code>}

SideChannel (400 pts)

In this challenge we are going to brute-force the password or PIN. Basically, we use the time function to observe the behaviour of pin_checker for the PINs we enter. It accepts an 8-digit PIN, and for each correct digit entered we see a difference in the response time.

Let’s try 00000000, then 10000000 and so on. Looks like the first digit is 4.

See the time difference: for digits other than 4 the response takes around 0.12s, while it takes 0.25s for 4. Repeat the same for the remaining digits.

Finally the pin discovered is: 48390513

Connect to the server with nc saturn.picoctf.net 50364, enter the PIN, and we get the flag: picoCTF{t1m1ng_4tt4ck_<unique_code>}
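The leak exploited above comes from a checker that stops comparing at the first wrong digit. The following added example (my own code, not the challenge's pin_checker, whose source is not on this page) reconstructs that early-exit pattern next to a constant-time version, and uses the amount of work done as a stand-in for the response time; the PIN from the writeup is used as the sample secret.

```python
from typing import Callable, Dict, Tuple

PIN_LENGTH = 8


def early_exit_check(candidate: str, secret: str) -> Tuple[bool, int]:
    """Vulnerable pattern: compare digit by digit and stop at the first
    mismatch. Returns (match, digits_examined); the second value stands
    in for the elapsed time an attacker would measure."""
    if len(candidate) != PIN_LENGTH or len(secret) != PIN_LENGTH:
        return False, 0
    examined = 0
    for guess_digit, real_digit in zip(candidate, secret):
        examined += 1
        if guess_digit != real_digit:
            return False, examined
    return True, examined


def constant_time_check(candidate: str, secret: str) -> Tuple[bool, int]:
    """Hardened pattern: always walk the whole PIN, OR the XOR of every
    digit pair into one accumulator, and decide only at the end. The
    standard library offers the same idea as hmac.compare_digest."""
    if len(candidate) != PIN_LENGTH or len(secret) != PIN_LENGTH:
        return False, 0
    diff = 0
    for guess_digit, real_digit in zip(candidate, secret):
        diff |= ord(guess_digit) ^ ord(real_digit)
    return diff == 0, PIN_LENGTH


def work_by_first_digit(checker: Callable[[str, str], Tuple[bool, int]],
                        secret: str) -> Dict[str, int]:
    """Defender-side check: submit 0xxxxxxx .. 9xxxxxxx (the padding 'x'
    never matches a digit) and record the work each one triggers. A
    leaking checker shows one outlier; a safe one is flat."""
    padding = "x" * (PIN_LENGTH - 1)
    return {d: checker(d + padding, secret)[1] for d in "0123456789"}


if __name__ == "__main__":
    SECRET = "48390513"  # constructed sample secret, taken from the writeup
    print("early exit   :", work_by_first_digit(early_exit_check, SECRET))
    print("constant time:", work_by_first_digit(constant_time_check, SECRET))
```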
