Challenges

What’s an MD5 hash collision?

(Click on the link and go to the challenge listed.)

What’s a file descriptor?

(Click on the link and go to the challenge listed.)

Original Description

The name of the game is speed. Are you quick enough to solve this problem and keep it above 50 mph?

Advice

Use Ghidra to look at the binary's main function and figure out what is happening. From there, you have options (which is common for RE problems):

• Static RE: just read the disassembly/decompiler output until you can work out on paper/etc. what the answer is
• Dynamic RE: use a debugger like GDB (or other options, like LD_PRELOAD) to manipulate the flow of execution in the program and side-step the booby-trap </ul></p>

Original Description

We have recovered a binary and a text file. Can you reverse the flag?

Advice

Use Ghidra to understand the cipher algorithm. Then write a simple program (e.g., in Python) to reverse that algorithm and decipher the flag.

Original Description

Can you crack this DRM?

This is some nice SSO they’ve built here… Don’t you love undocumented APIs?

Be the admin you were always meant to be

What’s Use After Free?

(Click on the link and go to the challenge listed.)

Original Description

Welcome to web! Let's start off with something kinda funky :)

Beginner ROP challenge from pbCTF 2020

Can you make the canary sing your song?

I’ve always wondered how malloc actually works. Can you teach me?

Original Description

In this program, identify the last integer value that is passed as parameter to the function doNothing().

Advice

Treat this as a pure-static RE problem. You need to understand the semantics of the Unix system call fork (and that processes can share memory, as they do in this case to have one single copy of the key veriable stored between all of them).

The flag is in the format picoCTF{INTEGER_YOU_FOUND}. Be aware that INTEGER_YOU_FOUND can be negative. You will have to consider:

• machine word sizes (e.g., 32-bit vs. 64-bit integers)
• 2's complement binary encoding of signed numbers
• multi-byte integer Endianness </ul></p>

Original Description

What will asm4("picoCTF_724a2") return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal [picoCtf] flag format.

Advice

You are given a disassembly dump of a function taking a C string and returning an integer; you need to figure out the integer returned for the string given above.

No cheating with Ghidra this time! (Not strictly true; but if you get it into a form where Ghidra can help, you have it in a form where you don't really need Ghidra anymore...)

The obvious solution is to manually decompile this assembly into C code that you can compile and run. Of course, this approach requires some understanding of

• 32-bit x86 (a.k.a. i386 or i686) assembly language syntax and machine instruction semantics
• the C calling convention (a.k.a. ABI) for GCC/Linux (i.e., how the compiler and system libraries use registers, the stack, etc.) </ul> A great resource for exploring these (in the C -> assembly direction) is Godbolt's Compiler Explorer. </p>

  There's also the "cheating" way, which get's us back to my first comment about getting it into a form usable with Ghidra. Question to ponder: can you just "assemble" this source code back into an ELF binary module that could be loaded by Ghidra? If not, why not? What then?

Original Description

Can you reverse this Windows Binary?

Advice

This is not quite a classic RE challenge that simply validates a flag you have to enter, but it's close.

The flag format is PICOCTF{xxxxx}

This binary does not make for a pleasant experience in Ghidra if you aren't used to the quirks of Microsoft's C/C++ toolchain. The original picoCtf hints recommending using a Windows VM and Windows debugging tools like OllyDbg are worth considering.

But it can be run and even debugged on a Linux system using Wine's winedbg toolchain. Given a little persistence and cleverness in Ghidra finding critical points inside the program, the Wine debugger is sufficient for you to side-step the obstacles and get a flag printed out.

Description

Hmm, do pirates really think they can hide a treasure without us knowing? Find the treasure and prove they are wrong

This is basic web challenges. Only some level of poking is needed. Access the website here: link

Flag format: hackpack{...}

Description

Visit our pages to see our awesomeness! Look for the 'flag' file"

Flag format: hackpack{...}

Description

How often do you visit the website just to bounce back because of bad design? Now we developed a new feature, which gives you ability to change the design!

Flag format: hackpack{...}

Description

This is the most advanced vulnerable application on the web! How many vulnerabilities can you find?

DO NOT RUN OUTSIDE A VIRTUAL MACHINE

This file will record all keystrokes and save them to C:/ProgramData/Log. It will not send any information anywhere else.

We have found the following malware on our top secret server. We also intercepted the following file that the malware tried to send out. Can you see what info they tried to steal?

This executable seems to be loading another executable into memory. Can you solve this?

Description

Kishor Balan tipped us off that the following code may need inspection:

NOTE: Submit flag without random characters at end. For instance, if flag is "picoCTF{this_is_a_flag!a8103b}", you would submit "picoCTF{this_is_a_flag}"

Description

My dog-sitter's brother made this website but I can't get in; can you help?

Description

Alright, enough of using my own encryption. Flask session cookies should be plenty secure!

NOTE: Submit flag without random characters at end. For instance, if flag is "picoCTF{this_is_a_flag!a8103b}", you would submit "picoCTF{this_is_a_flag}"

Original Description

This vault uses some complicated arrays! I hope you can make sense of it, special agent.

Original Description

This vault uses for-loops and byte arrays.

Original Description

Apparently Dr. Evil's minions knew that our agency was making copies of their source code, because they intentionally sabotaged this source code in order to make it harder for our agents to analyze and crack into! The result is a quite mess, but I trust that my best special agent will find a way to solve it.

Description

Can you log in as admin?

Flag format: picoCTF{...}

Description

Can you get logged in as the administrator? It's not as simple as it looks...

UPDATE: The flag will have a random token string at the end. To submit the flag in a way that we can check, remove the last portion (separated by _) and submit.

Flag format: picoCTF{...}

Description

Have you heard of JWT?

Flag format: picoCTF{...}

This challenge is centered around analyzing pcaps from malware running in a virtual machine and writing rules to detect the malicious traffic via Snort, a network intrusion detection system (IDS). </br>

The talk on 4/9/2021 will discuss how to use Wireshark to inspect PCAPs and provide an overiew of how to write Snort rules, but the ultimate goal of this challenge is for anyone interested to be able to write a Snort rule that detects real malware and then have the Snort rule added into the official Snort community ruleset.

The currently available challenge problems are:

• Predator the Thief C2 traffic
• PonyStealer Exfil Attempts
• TVRat / TeamSpy C2 Traffic

To coordinate working on the challenge problems, either post in the GitHub issue or in the Discord. Working together is allowed, and more problems can be posted if needed.

Can you show that your brain is overflowing with knowlege by solving this challenge?

Enjoy the meme while you warm up a stego skill you’ll be using a lot in this challenge set. (Updated file link)

You wouldn’t take an unencrypted message at face value, would you?

Have you ever looked through diffraction lenses? What do they do?

Decode these two keys from Base64 and XOR them keys to get the flag!

Be sure to do this as part of a script; you will need that code for the next two challenges.

This ciphertext has been XOR encrypted with a single length key.

For example, if the key was f, each byte of the plaintext would be XORed with f.

The cipher text is also in Base64, which you’ll need to decode before XORing

This ciphertext has been XOR encrypted with key of unknown length.

For instance, if the key was wot, the first byte of the plaintext would be XORed with w, the second with o, the third with t, and then it would loop around to XOR the fourth character with w

The cipher text is also in Base64, which you’ll need to decode before XORing