picoCTF 2022: Forensics writeups

Enhance! (100 pts)

Use strings on the file and get the flag:

Remove the gaps and use the flag: picoCTF{3nh4nc3d_<unique_code>}

Lookey here (100 pts)

We need to grep the file in this case:

cat anthem.flag.txt | grep pico

Flag: picoCTF{gr3p_15_@w3s0m3_<unique_code>}

Packets Primer (100 pts)

Download file and open it in wireshark

Right-click the first packet and select Follow > TCP stream

You will get the flag. Now remove the spaces in between the characters and use it: picoCTF{p4ck37_5h4rk_<unique_code>}

Redaction gone wrong (100 pts)

In the PDF, select the highlighted part and copy it. Paste it in a text file to see the full flag: picoCTF{C4n_Y0u_S33_m3_fully}

Sleuthkit Intro (100 pts)

Download the file and decompress it with gzip -d disk.img.gz (Linux)
On windows use 7-zip for extraction.

In this question we need to find the size of the disk. As hinted in the question let’s mmls

Use The command: mmls disk.img
We find the size/length to be at: 202752

Let’s connect to the server using netcat (see the question) and type in the size number, we get the flag: picoCTF{mm15_f7w!}

Sleuthkit Apprentice (200 pts)

Download the file and decompress it with gzip -d disk.img.gz (Linux)
On windows use 7-zip for extraction.

We’re using AccessData FTK Imager for further analysis.

Go file>Add Evidence Item…

Then select Image File and then select the file you want to import in (the decompressed disk image)

Now press Ctrl + F and type in picoctf and press Enter.

We find the flag now! Remove the dots and get the flag.
[Quick tip: In python, use: ‘’.join(‘<flag-with-dots>’.split(‘.’)) to get the flag mighty fast]

Flag: picoCTF{by73_5urf3r_<unique_code>}

Eavesdrop (300 pts)

Let’s inspect the pcap file. Right click a TCP packet and select Follow > TCP Stream

On Stream 0, we spot a conversation:

The highlighted text shall be needed later for decoding

We are gonna convert the encoded message to it’s raw format and save it.

I renamed the file to file.des3 to match the input name as in the command you saw before.

Then we use:
openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

Flag on decoding:


St3g0 (300 pts)

After trying out a number of steganography tools I found the solution with zsteg.

Use zsteg -a pico.flag.png

Flag: picoCTF{7h3r3_15_n0_5p00n_<unique_code>}

SideChannel (400 pts)

In this challenge we are going to bruteforce to get the password or pin. So, basically we are gonna use the time function to check the behaviour of pin_checker for the entered pins. If accepts a 8-digit pin and for each correct digit entered we’re going to difference in time response.

Let’s try 00000000, then 10000000 and so on. Looks like the first digit is 4.

See the time difference. For other digits than 4 the time is coming around 0.12s while it is 0.25s for 4. try the same for the other digits.

Finally the pin discovered is: 48390513

Connecting to the server with nc saturn.picoctf.net 50364 and putting in the pin and we get the flag: picoCTF{t1m1ng_4tt4ck_<unique_code>}



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store