Post

Pico CTF 2025 - Challenge Writeups

Posted Updated
By your_full_name
2 min read
Pico CTF 2025 - Challenge Writeups

pico

I participated in the Pico CTF 2025 online over 72 hours. I played with my univerersity peers on MQCyberSec Trojans team and we placed 185th out of 10460 teams.

Web

WebSockfish

Challenge

Can you win in a convincing manner against this chess bot? He won’t go easy on you!

Solve

i

We were given a link directly to the website of this challenges.

From the decrirption we know that in order to obtain the flag, we need to beat the bot in chess, However

i

The web uses StockFish chess engine, which is the most optimal chess engine currently and beating the bot using another engine against it won’t give us the flag as well.

Therefore, let’s examine how the websocket client is interacting with the server using burpsuite.

Upon making your chess move, the bot will then answers back with another move of its own.

i

Looking closely of the response to the server, we can see that the bot is using eval() function to response back to the server.

i

Thus, we have come to the conclusion that the bot is using the eval() function to evaluate its state in the current chess match. meaning that;

An eval() function with negative value will show that the bot thinking its losing whereas an eval() function with a positive value will show that its winning.

So how do we continue? We can manipulate the response from the bot to the server by using Burpsuite Repeater. HEAD OVER TO REPEATER!!!

i

Changing the value of eval() function to a very large negative number like -999999 and SEND!

i

There we go! The bot will automatically resigns thinking its loss the match and give us the flag.

i

1

picoCTF{c1i3nt_s1d3_w3b_s0ck3t5_46c33d0c}

YAY, we beat the best chess engine in just ONE move.

Forensics

Bit-locker 1

Challenge

Jacky is not very knowledgable about the best security passwords and used a simple password to encrypt their BitLocker drive. See if you can break through the encryption!

Solve

Downloading the file we are provided with bitlocker-1.dd (raw disk image) file which we know is BitLocker encrypted. The decryption key hash can be obtained using John the Ripper’s bitlocker2john tool:

1

sudo bitlocker2john -i bitlocker-1.dd > hashes.txt

Running the command returns 4 hashes:

  • $bitlocker$0$….(User password hash)
  • $bitlocker$1$…. (Recovery password hash)
  • $bitlocker$2$…. (Startup key hash)
  • $bitlocker$3$…. (Volume Master Key (VMK) Hash)

We are trying to crack the user password, so we copy the hash beginning with $bitlocker$0$ to a new file hash.txt and move over to hashcat to begin cracking.

Viewing the examples page shows that the relevant Hash-Mode for Bitlocker hashes is 22100. We crack the hash with:

1

hashcat -m 22100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

We find that the password used to decrypt the BitLocker drive is:

1

jacqueline

From here we can:

  • Create a directory to store the mounted drive
1

sudo mkdir -p /mnt/bitlocker
  • Decrypt the drive using dislocker:
1

sudo dislocker -r -V bitlocker-1.dd -u”jacqueline” -- /mnt/bitlocker
  • Create directory to mount decrypted drive
1

sudo mkdir -p /mnt/decrypted
  • Mount the decrypted drive
1

sudo mount -o loop /mnt/bitlocker/dislocker-file /mnt/decrypted
  • View contents of decrypted drive
1

ls decrypted
  • Read flag
1

cat decrypted/flag.txt

1

picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_3242adb1}
Pico
Web
This post is licensed under CC BY 4.0 by the author.

Trending Tags

Web