PicoCTF Writeup – like1000
# Information:
CTF Name: PicoCTF
CTF Challenge: like1000
Challenge Category: Binary Exploitation
Challenge Points: 250
picoCTF 2019
# Used Tools:
- Python3
- Linux Terminal
# Challenge Description:
This .tar file got tarred a lot.
Hints: Try and script this, it’ll save you a lot of time
# Writeup
In this challenge, we are provided with 1 file, a tar called 1000.
Step 1
I decided to try to open it through the terminal by typing the command:
mregra on Cyber $ tar -xfv 1000.tar
999.tar
filler.txt
mregra on Cyber $
As you can see two files came out of the tar file, another tar, called 999.tar, and a text file, called filler.txt. By reading the hint I thought maybe I should write a script to open every tar file recursively and check the contents of filler.txt to make sure the flag is not hidden there.
Step 2
I decided to use Python 3 to create the script. I started with one thought process but in the end, I created one function that did the job more simply. Below you can find the code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import subprocess
import os
##################################################################
# Initial Solution:
def list_dir():
result = subprocess.run(["ls"], stdout=subprocess.PIPE, text=True)
list_result = []
temp = ""
for i in result.stdout:
if(i == '\n'):
list_result += [temp]
temp = ""
else:
temp += i
return list_result
#It turns out this one is not necessary because there is no flag in the filler.txt file
def checkIfFlag(list_result):
for i in list_result:
if "txt" in i:
result = subprocess.run(["cat", "filler.txt"], stdout=subprocess.PIPE, text=True)
if "picoCTF" in result.stdout:
print("FLAG found ----> ", result.stdout)
def unzipAndRemove(fileId):
arg = "tar -xvf " + str(fileId) + ".tar"
os.system(arg)
if(fileId != 1000):
arg = "rm -r " + str(fileId) + ".tar"
os.system(arg)
def main():
for i in range(1000, 0, -1):
unzipAndRemove(i)
checkIfFlag(list_dir())
##################################################################
# This part is enough:
def unzipAndRemoveAll1000():
for i in range(1000, 0, -1):
arg = "tar -xvf " + str(i) + ".tar"
os.system(arg)
if(i != 1000):
arg = "rm -r " + str(i) + ".tar"
os.system(arg)
unzipAndRemoveAll1000()
As you can see in the code above I started by creating a list_dir function that basically what it does is just to run the Linux bash ls command.
The second function, checkIfFlag, receives the input from list_dir and verifies if there is a .txt file in that list, if so, then it will run the cat command on that file and verify if the file has the sub-string “picoCTF” if so, we might be able to assume that we found the flag and I print the contents to the standard output.
The next function is unzipAndRemove. The function unzips the contents of the tar given as an argument and then removes it.
Finally, we have the main function that iterates over 1000 numbers and opens each tar, from 1000 to 1, and check if the flag is in any of the filler.txt files.
After running the entire script I noticed that the flag was not in any of the filler.txt files, instead, an image appeared after opening the last tar file:
And the flag is:
The Python 3 script source code can be found here.
Thank you very much for reading!
Cheers,
MRegra