# General Warmup 1 2 3

## Question

Can you convert the number 27 (base 10) to binary (base 2)?

What is 0x3D (base 16) in decimal (base 10).

# Solution

```>>> chr(0x41)
'A'
>>> bin(27)[2:]
'11011'
>>> 0x3d
61
```

flag:

• `picoCTF{A}`
• `picoCTF{11011}`
• `picoCTF{61}`

# Resources

## Question

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources (link)

### Hint

No hints available

## Solution

```Thanks for reading the resources page! Here’s a flag for your time: picoCTF{xiexie_ni_lai_zheli}
```

flag:`picoCTF{xiexie_ni_lai_zheli}`

# Grep 1

## Question

Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way. You can also find the file in /problems/grep-1_3_8d9cff3d178c231ab735dfef3267a1c2 on the shell server.

grep tutorial

## Solution

`grep`，(global search regular expression(RE) and print out the line,全面搜索正则表达式并把行打印出来)是一种强大的文本搜索工具，它能使用正则表达式搜索文本，并把匹配的行打印出来。

`cat file`会有一大堆乱码字符，使用`grep picoCTF file`可以把flag从乱码中提取出来。

```finn@pico-2018-shell-2:/problems/grep-1_2_ee2b29d2f2b29c65db957609a3543418\$ grep picoCTF file
picoCTF{grep_and_you_will_find_42783683}
```

# net cat

## Question

Using netcat (nc) will be a necessity throughout your adventure. Can you connect to `2018shell1.picoctf.com` at port `49387` to get the flag?

nc tutorial

## Solution

`nc`是一个简单、可靠的网络工具，可通过TCP或UDP协议传输读写数据。

```❯ nc 2018shell2.picoctf.com 36356
That wasn't so hard was it?
picoCTF{NEtcat_iS_a_NEcESSiTy_9454f3e0}
```

flag:`picoCTF{NEtcat_iS_a_NEcESSiTy_9454f3e0}`

# pipe

## Question

During your adventure, you will likely encounter a situation where you need to process data that you receive over the network rather than through a file. Can you find a way to save the output from this program and search for the flag? Connect with `2018shell1.picoctf.com 48696`.

### Hint

Remember the flag format is picoCTF{XXXX}

Ever heard of a pipe? No not that kind of pipe... This kind

## Solution

```❯ nc 2018shell2.picoctf.com 34532 |grep picoCTF
picoCTF{almost_like_mario_b797f2b3}
```

flag:`picoCTF{almost_like_mario_b797f2b3}`

# Strings

## Question

Can you find the flag in this file without actually running it? You can also find the file in /problems/strings_2_b7404a3aee308619cb2ba79677989960 on the shell server.

strings

## Solution

`strings`命令可以打印文件中可打印的字符，使用`strings`命令配合`grep`命令可以把flag提取出来。

```finn@pico-2018-shell-2:/problems/strings_4_40d221755b4a0b134c2a7a2e825ef95f\$ strings strings |grep picoCTF
picoCTF{sTrIngS_sAVeS_Time_d3ffa29c}
```

flag:`picoCTF{sTrIngS_sAVeS_Time_d3ffa29c}`

# grep 2

## Question

This one is a little bit harder. Can you find the flag in /problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files on the shell server? Remember, grep is your friend.

grep tutorial

## Solution

```finn@pico-2018-shell-2:/problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files\$ grep -r picoCTF
files2/file20:picoCTF{grep_r_and_you_will_find_556620f7}
```

flag:`picoCTF{grep_r_and_you_will_find_556620f7}`

# Aca-Shell-A

## Question

It's never a bad idea to brush up on those linux skills or even learn some new ones before you set off on this adventure! Connect with `nc 2018shell1.picoctf.com 27833`.

### Hint

Linux for Beginners

## Solution

• `ls`
• `cd`
• `rm`
• `whoami`
• `cat`
• 如何执行二进制可执行文件

```\$ nc 2018shell1.picoctf.com 27833
Sweet! We have gotten access into the system but we aren't root.
It's some sort of restricted shell! I can't see what you are typing
If you need help, type "echo 'Help Me!'" and I'll see what I can do
There is not much time left!
~/\$ ls
blackmail
executables
photos
secret
~/\$ cd secret
Now we are cookin'! Take a look around there and tell me what you find!
~/secret\$ ls
intel_1
intel_2
intel_3
intel_4
intel_5
profile_AipieG5Ua9aewei5ieSoh7aph
profile_Xei2uu5suwangohceedaifohs
profile_ahShaighaxahMooshuP1johgo
profile_ahqueith5aekongieP4ahzugi
profile_aik4hah9ilie9foru0Phoaph0
profile_bah9Ech9oa4xaicohphahfaiG
profile_ie7sheiP7su2At2ahw6iRikoe
profile_of0Nee4laith8odaeLachoonu
profile_poh9eij4Choophaweiwev6eev
profile_poo3ipohGohThi9Cohverai7e
Sabatoge them! Get rid of all their intel files!
~/secret\$ rm intel*
Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!
~/secret\$ echo 'Drop it in!'
Drop it in!
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!
~/secret\$ cd ..
~/\$ cd executables
~/executables\$ ls
dontLookHere
~/executables\$ ./dontLookHere
...
...
...
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
~/executables\$ whoami
l33th4x0r
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.
Server shutdown in 10 seconds...
Quick! go read the file before we lose our connection!
~/executables\$ cd ..
~/\$ ls
blackmail
executables
photos
secret
TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
picoCTF{CrUsHeD_It_9edaa84a}
```

flag:`picoCTF{CrUsHeD_It_9edaa84a}`

# environ

## Question

Sometimes you have to configure environment variables before executing a program. Can you find the flag we've hidden in an environment variable on the shell server?

unix env

## Solution

```finn@pico-2018-shell-2:/problems/grep-2_3_826f886f547acb8a9c3fccb030e8168d/files\$ env|grep pico
SECRET_FLAG=picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}
```

flag:`picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}`

# ssh-keyz

## Question

As nice as it is to use our webshell, sometimes its helpful to connect directly to our machine. To do so, please add your own public key to ~/.ssh/authorized_keys, using the webshell. The flag is in the ssh banner which will be displayed when you login remotely with ssh to with your username.

### Hint

key generation tutorial

## Solution

```finn@pico-2018-shell-2:~\$ cat /etc/ssh/sshd_config |grep banner
Banner /opt/ssh_banner
finn@pico-2018-shell-2:~\$ cat /opt/ssh_banner
picoCTF{who_n33ds_p4ssw0rds_38dj21}
```

flag:`picoCTF{who_n33ds_p4ssw0rds_38dj21}`

# what base is this?

## Question

To be successful on your mission, you must be able read data represented in different ways, such as hexadecimal or binary. Can you get the flag from this program to prove you are ready? Connect with `nc 2018shell1.picoctf.com 1225`.

### Hint

I hear python is a good means (among many) to convert things.

It might help to have multiple windows open

## Solution

```#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *
import re

r = remote('2018shell2.picoctf.com', 31711)

binary = r.recvuntil('as a word.')
binary = re.findall(r'(d+)', binary)
binary_word = ''.join([chr(int(i, 2)) for i in binary])
r.sendline(binary_word)

hexnum = r.recvuntil('as a word.')
hexnum = re.findall(r'([0-9a-f]+) as', hexnum)[0]
hexword = hexnum.decode('hex')
r.sendline(hexword)

octal = r.recvuntil('as a word.')
octal = re.findall(r'([0-9]+)', octal)
octal_word = ''.join([chr(int(i, 8)) for i in octal])
r.sendline(octal_word)

print r.recvuntil('}n')

r.close()
```
```\$ python nc_convert.py
[+] Opening connection to 2018shell2.picoctf.com on port 31711: Done

Input:
You got it! You're super quick!

[*] Closed connection to 2018shell2.picoctf.com port 31711
```

flag:`picoCTF{delusions_about_finding_values_68051dea}`

# you can't see me

## Question

'...reading transmission... Y.O.U. .C.A.N.'.T. .S.E.E. .M.E. ...transmission ended...' Maybe something lies in /problems/you-can-t-see-me_3_1a39ec6c80b3f3a18610074f68acfe69.

### Hint

What's in the manual page of ls?

## Solution

`ls -a`可以查看以`.`开头的隐藏文件。

```finn@pico-2018-shell-2:/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa\$ ls -a
.  .    ..
```

```finn@pico-2018-shell-2:/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa\$ cat .
cat: .: Is a directory
```

```finn@pico-2018-shell-2:/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa\$ cat .
picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_093d6aff}
```

flag:`picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_093d6aff}`

# absolutely relative

## Question

In a filesystem, everything is relative ¯_(ツ)_/¯. Can you find a way to get a flag from this program? You can find it in /problems/absolutely-relative_1_15eb86fcf5d05ec169cc417d24e02c87 on the shell server. Source.

### Hint

Do you have to run the program in the same directory? (⊙.☉)7

Ever used a text editor? Check out the program 'nano'

## Solution

```#include <stdio.h>
#include <string.h>

#define yes_len 3
const char *yes = "yes";

int main()
{
char flag[99];
char permission[10];
int i;
FILE * file;

file = fopen("/problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt" , "r");
if (file) {
while (fscanf(file, "%s", flag)!=EOF)
fclose(file);
}

file = fopen( "./permission.txt" , "r");
if (file) {
for (i = 0; i < 5; i++){
fscanf(file, "%s", permission);
}
permission[5] = '';
fclose(file);
}

if (!strncmp(permission, yes, yes_len)) {
printf("You have the write permissions.n%sn", flag);
} else {
printf("You do not have sufficient permissions to view the flag.n");
}

return 0;
}
```

```finn@pico-2018-shell-2:~\$ echo -n "yes" > permission.txt
finn@pico-2018-shell-2:~\$ /problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/absolutely-relative

You have the write permissions.
picoCTF{3v3r1ng_1\$_r3l3t1v3_befc0ce1}
```

flag:`picoCTF{3v3r1ng_1\$_r3l3t1v3_befc0ce1}`

# in out error

## Question

Can you utlize stdin, stdout, and stderr to get the flag from this program? You can also find it in /problems/in-out-error_2_c33e2a987fbd0f75e78481b14bfd15f4 on the shell server

### Hint

Maybe you can split the stdout and stderr output?

## Solution

linux输出重定向，可以参考Linux标准输入、输出和错误和文件重定向

```finn@pico-2018-shell-2:/problems/in-out-error_0_0f875f7714b995dad5946a15be6267a7\$ ./in-out-error 1>/dev/null
Please may I have the flag?
picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoC
TF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1
p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_
1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_
7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng
_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6
fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}
picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoC
TF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1
p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_
1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_
7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng
_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6
fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}
picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoC
TF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1
p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}
```

flag:`picoCTF{p1p1ng_1S_4_7h1ng_85f6fd2c}`

# learn gdb

## Question

Using a debugging tool will be extremely useful on your missions. Can you run this program in gdb and find the flag? You can find the file in /problems/learn-gdb_0_716957192e537ac769f0975c74b34194 on the shell server.

### Hint

Try setting breakpoints in gdb

Try and find a point in the program after the flag has been read into memory to break on

Where is the flag being written in memory?

## Solution

```finn@pico-2018-shell-2:/problems/learn-gdb_3_f1f262d9d48b9ff39efc3bc092ea9d7b\$ ./run
Decrypting the Flag into global variable 'flag_buf'
.....................................
Finished Reading Flag into global variable 'flag_buf'. Exiting.
```

`gdb`加载程序，反汇编`main`函数。

```finn@pico-2018-shell-2:/problems/learn-gdb_3_f1f262d9d48b9ff39efc3bc092ea9d7b\$ gdb run
...
(gdb) disassemble main
...
0x00000000004008f1 <+40>:    callq  0x400650 <setvbuf@plt>
0x00000000004008f6 <+45>:    mov    \$0x4009d0,%edi
0x00000000004008fb <+50>:    callq  0x400600 <puts@plt>
0x0000000000400900 <+55>:    mov    \$0x0,%eax
0x0000000000400905 <+60>:    callq  0x400786 <decrypt_flag>
...
```

```(gdb) disas decrypt_flag
...

0x0000000000400896 <+272>:   mov    0x200b4b(%rip),%rdx        # 0x6013e8 <flag_buf>
0x000000000040089d <+279>:   mov    -0x20(%rbp),%eax
0x00000000004008a0 <+282>:   cltq
0x00000000004008a5 <+287>:   movb   \$0x0,(%rax)
0x00000000004008a8 <+290>:   mov    \$0xa,%edi
0x00000000004008b2 <+300>:   nop
...
(gdb) b *0x00000000004008a8
Breakpoint 1 at 0x4008a8
(gdb) r
Starting program: /problems/learn-gdb_3_f1f262d9d48b9ff39efc3bc092ea9d7b/run
Decrypting the Flag into global variable 'flag_buf'
.....................................
Breakpoint 1, 0x00000000004008a8 in decrypt_flag ()
```

`printf "%s", (char *) flag_buf`打印`flag_buf`变量，得到flag。

```(gdb) printf "%s", (char *) flag_buf
picoCTF{gDb_iS_sUp3r_u53fuL_efaa2b29}
```

flag:`picoCTF{gDb_iS_sUp3r_u53fuL_efaa2b29}`

# roulette

## Question

This Online Roulette Service is in Beta. Can you find a way to win \$1,000,000,000 and get the flag? Source. Connect with `nc 2018shell1.picoctf.com 5731`

### Hint

There are 2 bugs!

## Solution

```long get_rand() {
long seed;
FILE *f = fopen("/dev/urandom", "r");
fclose(f);
seed = seed % 5000;
if (seed < 0) seed = seed * -1;
srand(seed);
return seed;
}
...
int main(int argc, char *argv[]) {
...
cash = get_rand();
...
}
```

```long get_long() {
printf("> ");
uint64_t l = 0;
char c = 0;
while(!is_digit(c))
c = getchar();
while(is_digit(c)) {
if(l >= LONG_MAX) {
l = LONG_MAX;
break;
}
l *= 10;
l += c - '0';
c = getchar();
}
while(c != 'n')
c = getchar();
return l;
}
```

```if(cash > ONE_BILLION) { // cash大于十亿
printf("*** Current Balance: \$%lu ***n", cash);
if (wins >= HOTSTREAK) {// 连胜次数大于等于三次
puts("Wow, I can't believe you did it.. You deserve this flag!");
print_flag();
exit(0);
}
```

```#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
srand(atoi(argv[1]));
int i = 0;
for (i = 0; i < 8; i++) {
long k = (rand() % 36) + 1;
if (i % 2 == 0){
printf("%ld ", k);
}
}
puts("");
return 0;
}
```

```~ gcc generator.c -o random_predict
~ ./random_predict 611
12 23 34 26
~
```
```\$ nc 2018shell2.picoctf.com 48312
Welcome to ONLINE ROULETTE!
Here, have \$611 to start on the house! You'll lose it all anyways >:)

How much will you wager?
Current Balance: \$611    Current Wins: 0
> 611
Choose a number (1-36)
> 12

Spinning the Roulette for a chance to win \$1222!

Roulette  :  12

You chose correct!

How much will you wager?
Current Balance: \$1222   Current Wins: 1
> 1222
Choose a number (1-36)
> 23

Spinning the Roulette for a chance to win \$2444!

Roulette  :  23

Wow, you won!

How much will you wager?
Current Balance: \$2444   Current Wins: 2
> 2444
Choose a number (1-36)
> 34

Spinning the Roulette for a chance to win \$4888!

Roulette  :  34

Congrats!

How much will you wager?
Current Balance: \$4888   Current Wins: 3
> 3221225472
Choose a number (1-36)
> 25

Spinning the Roulette for a chance to win \$2147483648!

Roulette  :  26

WRONG
If you keep it up, maybe you'll get the flag in 100000000000 years

*** Current Balance: \$1073746712 ***
Wow, I can't believe you did it.. You deserve this flag!
picoCTF{1_h0p3_y0u_f0uNd_b0tH_bUg5_8fb4d984}
```

flag:`picoCTF{1_h0p3_y0u_f0uNd_b0tH_bUg5_8fb4d984}`

# store

## Question

We started a little store, can you buy the flag? Source. Connect with `2018shell1.picoctf.com 53220`.

### Hint

Two's compliment can do some weird things when numbers get really big!

## Solution

```~ strings store |grep pico
```

```Welcome to the Store App V1.0

[1] Check Account Balance

[3] Exit

2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
1
Imitation Flags cost 1000 each, how many would you like?
10000000000000000

Welcome to the Store App V1.0

[1] Check Account Balance

[3] Exit

2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
2
A genuine Flag costs 100000 dollars, and we only have 1 in stock
Enter 1 to purchase1
flag:`picoCTF{numb3r3_4r3nt_s4f3_dbd42a50}`