“Cybercrime is the greatest threat to every company in the world.” — Ginni Rometty
After connecting, a wall of text scrolls past; the flag may be hidden somewhere in it, so filter the output for the flag prefix.
$ nc jupiter.challenges.picoctf.org 7480 | grep "picoCTF"
$ nc jupiter.challenges.picoctf.org 4906
Looking at its source code reveals:
Once the logic is understood, start feeding it malicious input:
"Welcome to the flag exchange
We sell flags
1. Check Account Balance
2. Buy Flags
3. Exit
Enter a menu selection
2
Currently for sale
1. Defintely not the flag Flag
2. 1337 Flag
1
These knockoff Flags cost 900 each, enter desired quantity
2386099
The final cost is: -2147478196
Your current balance after transaction: 2147479296
Welcome to the flag exchange
We sell flags
1. Check Account Balance
2. Buy Flags
3. Exit
Enter a menu selection
2
Currently for sale
1. Defintely not the flag Flag
2. 1337 Flag
2
1337 flags cost 100000 dollars, and we only have 1 in stock
Enter 1 to buy one1"
YOUR FLAG IS: picoCTF{m0n3y_bag5_9c5fac9b}
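The transcript above shows a signed 32-bit integer overflow: 900 × 2386099 = 2147489100 exceeds INT_MAX (2147483647), wraps to -2147478196, and subtracting that negative "cost" from the balance makes the balance grow. The following is an added example, not the challenge's own source (which this page does not show): the purchase arithmetic reconstructed from the transcript in its vulnerable form, next to a checked form that rejects the overflow before it happens. The price of 900 and the starting balance of 1100 are read off the transcript; the function names are this example's own, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not the challenge binary's source. Price and starting
 * balance are inferred from the transcript; function names are ours. */
#define KNOCKOFF_PRICE 900
#define START_BALANCE  1100

/* Vulnerable form: price * quantity is computed in a 32-bit int and wraps.
 * The product is formed in unsigned arithmetic and converted back so the
 * wrap is reproducible here; in the original it is plain signed overflow,
 * which is undefined behaviour in C but wraps on common compilers. */
int cost_unchecked(int price, int quantity) {
    return (int)((unsigned)price * (unsigned)quantity);
}

/* Balance update exactly as the transcript shows it: a negative cost is
 * subtracted, so the balance increases instead of decreasing. */
int balance_unchecked(int balance, int price, int quantity) {
    return balance - cost_unchecked(price, quantity);
}

/* Hardened form: reject non-positive inputs, reject a product that cannot
 * fit in an int *before* multiplying, and refuse a cost above the balance.
 * Returns the new balance on success, or -1 when the purchase is rejected
 * (a valid purchase can never leave a negative balance, so -1 is unambiguous). */
int purchase_checked(int balance, int price, int quantity) {
    if (price <= 0 || quantity <= 0)
        return -1;
    if (quantity > INT_MAX / price)   /* price * quantity would overflow */
        return -1;
    int cost = price * quantity;      /* safe: proven to fit above */
    if (cost > balance)               /* insufficient funds */
        return -1;
    return balance - cost;
}

int main(void) {
    int q = 2386099;   /* the quantity entered in the transcript */
    printf("unchecked cost:    %d\n", cost_unchecked(KNOCKOFF_PRICE, q));
    printf("unchecked balance: %d\n", balance_unchecked(START_BALANCE, KNOCKOFF_PRICE, q));
    printf("checked, qty %d: %d\n", q, purchase_checked(START_BALANCE, KNOCKOFF_PRICE, q));
    printf("checked, qty 2:   %d\n", purchase_checked(START_BALANCE, KNOCKOFF_PRICE, 2));
    printf("checked, qty 1:   %d\n", purchase_checked(START_BALANCE, KNOCKOFF_PRICE, 1));
    return 0;
}
```

The check `quantity > INT_MAX / price` is the standard pre-multiplication bound; on GCC and Clang the same intent can be expressed with `__builtin_mul_overflow`, and on a 64-bit `long long` the product would still need a bound because the final comparison against the balance is what actually stops the purchase.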
$ wget https://jupiter.challenges.picoctf.org/static/43c4743b3946f427e883f6b286f47467/garden.jpg
# This is a Forensics challenge, so after downloading, poke around with exiftool, cat, hd, ...
$ hd garden.jpg | less
# In less, press capital G and wait a moment to jump to the end of the file
# At the very bottom you can see "Here is a flag "picoCTF..."
$ wget https://artifacts.picoctf.net/c_titan/99/flag2of2-final.pdf
$ exiftool flag2of2-final.pdf # the file type turns out to be PNG
(Note: every file begins with a so-called header that describes the file: its size, its type, and so on.
But which decoder the operating system uses still depends on the extension, so with the original .pdf extension the PDF decoder is used, and after renaming it to .png the PNG decoder is used.)
Back in Windows (or your GUI OS), combine the content shown for the original .pdf with the content shown after renaming it to .png.
(Further thought: why doesn't the operating system simply read the file type from the header and decode accordingly?)
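The two forensics steps above share one idea: the leading bytes of a file say what it really is, while the extension only decides which handler the OS launches, and anything after a format's end marker is invisible to that handler. As an added example that is not the challenge's own code, the header sniffer below reports a mismatch between a file's magic bytes and its extension (why exiftool called the ".pdf" a PNG), and locates bytes appended after a JPEG's end-of-image marker (where the garden.jpg text sat). The buffers are constructed in memory and are not the real challenge files; function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the page's challenges. Sample buffers below are
 * constructed here and are not decodable images or documents. */

typedef enum { FT_UNKNOWN, FT_PNG, FT_JPEG, FT_PDF } filetype_t;

static const unsigned char PNG_MAGIC[8]  = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A};
static const unsigned char JPEG_MAGIC[3] = {0xFF,0xD8,0xFF};
static const unsigned char PDF_MAGIC[5]  = {'%','P','D','F','-'};

/* Type from the header bytes alone (what exiftool or `file` report). */
filetype_t sniff_type(const unsigned char *buf, size_t len) {
    if (len >= 8 && memcmp(buf, PNG_MAGIC, 8) == 0)  return FT_PNG;
    if (len >= 3 && memcmp(buf, JPEG_MAGIC, 3) == 0) return FT_JPEG;
    if (len >= 5 && memcmp(buf, PDF_MAGIC, 5) == 0)  return FT_PDF;
    return FT_UNKNOWN;
}

/* Type the OS shell would pick from the file name alone. */
filetype_t type_from_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (!dot) return FT_UNKNOWN;
    if (strcmp(dot, ".png") == 0) return FT_PNG;
    if (strcmp(dot, ".jpg") == 0 || strcmp(dot, ".jpeg") == 0) return FT_JPEG;
    if (strcmp(dot, ".pdf") == 0) return FT_PDF;
    return FT_UNKNOWN;
}

/* 1 when a recognised header disagrees with the extension, else 0. */
int extension_mismatch(const char *name, const unsigned char *buf, size_t len) {
    filetype_t real = sniff_type(buf, len);
    return real != FT_UNKNOWN && real != type_from_extension(name);
}

/* Offset of the first byte after the last JPEG EOI marker (FF D9), or -1
 * if the buffer is not a JPEG or carries no EOI. Bytes from that offset on
 * are not image data: a viewer ignores them, but `hd | less` shows them.
 * Scanning from the end skips EOI markers of embedded EXIF thumbnails. */
long jpeg_trailer_offset(const unsigned char *buf, size_t len) {
    if (sniff_type(buf, len) != FT_JPEG) return -1;
    for (size_t i = len; i >= 2; i--)
        if (buf[i - 2] == 0xFF && buf[i - 1] == 0xD9) return (long)i;
    return -1;
}

/* Constructed samples: a "JPEG" made of SOI, a stub APP0 segment and EOI
 * followed by appended text; a "PNG" made of the signature plus the start
 * of an IHDR chunk. */
static const unsigned char SAMPLE_JPEG[] = {
    0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'J','F',                   /* SOI + stub APP0 */
    0xFF,0xD9,                                                /* EOI at offset 8 */
    'H','e','r','e',' ','i','s',' ','a',' ','f','l','a','g'   /* appended text */
};
static const unsigned char SAMPLE_PNG[] = {
    0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A, 0x00,0x00,0x00,0x0D,'I','H','D','R'
};

int main(void) {
    printf("flag2of2-final.pdf header/extension mismatch: %d\n",
           extension_mismatch("flag2of2-final.pdf", SAMPLE_PNG, sizeof SAMPLE_PNG));
    long off = jpeg_trailer_offset(SAMPLE_JPEG, sizeof SAMPLE_JPEG);
    if (off >= 0) {
        printf("bytes after JPEG EOI at offset %ld: ", off);
        fwrite(SAMPLE_JPEG + off, 1, sizeof SAMPLE_JPEG - (size_t)off, stdout);
        putchar('\n');
    }
    return 0;
}
```

A header/extension mismatch is a signal to look closer, not proof of anything on its own; the same goes for a JPEG trailer, which legitimate tools sometimes also leave behind. Both checks answer the page's closing question in practice: the OS trusts the name for dispatch, so a forensic tool has to trust the bytes instead.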