06. what’s a net cat?

Using netcat (nc) is going to be pretty important. Can you connect to 2019shell1.picoctf.com at port 4158 to get the flag?
善用 netcat (nc) 工具是很有用的。試著連上 2019shell1.picoctf.com at port 4158 並取得 flag。

WRITEUP:

netcat (network concatenate) 號稱網路工具的瑞士刀，能夠在網路間傳接送封包，達到簡單的架站、掃描遠端服務的 port 等等許多功能。

首先進入shell 後查看 netcat 指令用法

man netcat 
NC(1)                                                            BSD General Commands Manual                                                            NC(1)

NAME
     nc — arbitrary TCP and UDP connections and listens

SYNOPSIS
     nc [-46bCDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl] [-m minttl] [-O length] [-P proxy_username] [-p source_port] [-q seconds] [-s source]
        [-T keyword] [-V rtable] [-W recvlimit] [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]] [-Z peercertfile] [destination] [port]

DESCRIPTION
     The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.  It can open TCP connections, send
     UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.  Unlike telnet(1), nc scripts nicely, and sepa‐
     rates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some.

起頭便提示可以用縮寫 nc 來取代 netcat。接著來使用該工具連接題目上的位址與 port。參數加上 -v 則是會顯示該port 是否有開啟

nc 2019shell1.picoctf.com 4158 -v
Connection to 2019shell1.picoctf.com 4158 port [tcp/*] succeeded!
You're on your way to becoming the net cat master
picoCTF{nEtCat_Mast3ry_700da9c7}

參考資源

Netcat（Linux nc 指令）網路管理者工具實用範例
NetCAT 的七種滲透式安全測試用法

ANSWER:

picoCTF{nEtCat_Mast3ry_700da9c7}

「You’re doing extremely well. The factory must be powering up.」
「Are you and “your team” some type of… law enforcement?」
「Something like that. We’re the last resort, the consultants for the most intractable adversaries. We’re the cyber division.」
「Of what?」
「Keep on hacking like that and you might just find out. We’re always looking for new recruits.」
「Maybe after I get out of Wonderland.」

07. Based

To get truly 1337, you must understand different data encodings, such as hexadecimal or binary. Can you get the flag from this program to prove you are on the way to becoming 1337? Connect with nc 2019shell1.picoctf.com 28758.
如果你想要精通駭客語，就必須了解不同的資料編碼，例如 16 進位或是 2進位。試著使用 nc 2019shell1.picoctf.com 28758 連接網路並取得 flag 以證明你已經漸入駭客之境了。

註: 什麼是1337 (leet)

WRITEUP:

首先進入 shell 後執行 netcat 連線到該主機會出現:

nc 2019shell1.picoctf.com 28758 -v
Connection to 2019shell1.picoctf.com 28758 port [tcp/*] succeeded!
Let us see how data is stored
container
Please give the 01100011 01101111 01101110 01110100 01100001 01101001 01101110 01100101 01110010 as a word.
...
you have 45 seconds.....

Input:
container

第一題會先提示這題的答案為 container(注意這裡出的是隨機題目)，由 01 組合可以得知解法為 2 進位轉換為 ASCII。接著下一題(有可能)是

Please give me the  143 157 155 160 165 164 145 162 as a word.
Input:

一開始沒頭緒時，多猜錯幾次就會發現數字從140到160多，因此可以得知不是 2 進位或 16 進位。上網查看base轉換一覽表可以知道這個數字範圍對照到英文的就只有8進位，於是使用線上轉換器 即可求出解答。

computer
Please give me the 74657374 as a word.
Input:

接著是第三題，從前面經常練習的題目就可以直覺想到41到7A 這一段為16進位的表示法，丟到線上轉換器得出解答 。

test
You've beaten the challenge
Flag: picoCTF{learning_about_converting_values_4b4e293e}

這類猜題可以多嘗試幾次後，依照出現的字串範圍來推敲可能的編碼。事實上在解第二題時由於沒有第一眼看出編碼方式，這裡是不斷的猜題，蒐集題庫後猜中解答才反推到編碼方式 XD

ANSWER:

picoCTF{learning_about_converting_values_4b4e293e}
請注意每個使用者不同!

「You’re very good at this. No wonder they took you.」
「The Nameless. What do they want me for?」
「I think you know. Whatever they’re up to, they have their own secrets to protect and they want access to information and systems that don’t belong to them.」
「They want cybersecurity. They want me to hack for them.」
「You’re quick. Yes. And not just you. I have a lot of contacts, fellow experts in cybersecurity. They’ve been going off-line. Steadily, for months now.」
「The Nameless got to them, too.」
「And every one of them will make the Nameless harder to stop.」
「Well, not everyone’s going to agree to work for a group like that. I mean, come on, we do have standards.」
「And I’ve been helping you. I never did a thing for them.」
「You did. You don’t remember.」

09. plumbing

Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to 2019shell1.picoctf.com 9525.
有時候要處理的資料流並不在存在檔案中。你能夠連接上 2019shell1.picoctf.com 9525 並且抓住資料找出 flag 嗎?

WRITEUP:

資料是否存在檔案中，對於 linux 來說都是很好處理的，使用的工具仍然是 pipe (“|”)與 grep 。
打開 shell 使用net cat 到該主機後會發現一連串的洗板面。

nc 2019shell1.picoctf.com 9525.
.
.
I don't think this is a flag either
Again, I really don't think this is a flag
Not a flag either
Again, I really don't think this is a flag
Not a flag either
Not a flag either
.
.
.

在 nc 後附加 | grep 即可求得 flag

nc 2019shell1.picoctf.com 9525 | grep "picoCTF"

ANSWER:

picoCTF{digital_plumb3r_dd86d037}
注意每個人不同!