Security Forem: Hitanshu Gedam

picoCTF bloat.py writeup

Hitanshu Gedam — Mon, 22 Sep 2025 14:08:19 +0000

We are given two files and are askedd to run them in the same directory.
I create a ~/tmp directory on pico webshell and wget those two files in it. First, I open the python file to try to understand the code.

This code is obfuscated which makes it difficult for a human to read.

The variable a is given a long string.

I head over to Programiz to find what the first condition is:

It checks for the argument to be equal to the string "happychance", if it is, then it returns True, else it returns "That password is incorrect" and exits with code 0.
I re-wrote python code in a readable format:

a = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"+ \
            "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~ "
def check(pwd):
  if pwd == "happychance":
    return True
  else:
    print("The password is incorrect")

def decoder(arg444):
  return join_flag(arg444.decode(), "rapscallion")

def getinput():
  return input("Please enter correct password for flag: ")

def open_flag():
  return open('flag.txt.enc', 'rb').read()

def welc():
  print("Welcome back... your flag, user: ")


def join_flag(first_string, second_string):
    second_string_copy = second_string
    i = 0
    while len(second_string_copy) < len(first_string):
        second_string_copy = second_string_copy + second_string[i]
        i = (i + 1) % len(second_string)        
    return "".join([chr(ord(first_string_char) ^ ord(second_string_char)) for (first_string_char,second_string_char) in zip(first_string,second_string_copy)])


opened_flag_binary = open_flag()
pwd = getinput()
check(pwd)
welc()
decoded_flag = decoder(opened_flag_binary)
print(decoded_flag)

I decoded this much and after a while, I thought it was enough since later in the code the functions are being called and the values are getting stored in the variables.

I ran the python file and gave "happychance" as the input, and there I had my flag!

picoCTF RPS writeup

Hitanshu Gedam — Sat, 20 Sep 2025 12:06:55 +0000

We are given a Rock-Paper-Scissors game. I used wget to download the source file onto the webshell. I read the C source code.

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>


#define WAIT 60



static const char* flag = "[REDACTED]";

char* hands[3] = {"rock", "paper", "scissors"};
char* loses[3] = {"paper", "scissors", "rock"};
int wins = 0;



int tgetinput(char *input, unsigned int l)
{
    fd_set          input_set;
    struct timeval  timeout;
    int             ready_for_reading = 0;
    int             read_bytes = 0;

    if( l <= 0 )
    {
      printf("'l' for tgetinput must be greater than 0\n");
      return -2;
    }


    /* Empty the FD Set */
    FD_ZERO(&input_set );
    /* Listen to the input descriptor */
    FD_SET(STDIN_FILENO, &input_set);

    /* Waiting for some seconds */
    timeout.tv_sec = WAIT;    // WAIT seconds
    timeout.tv_usec = 0;    // 0 milliseconds

    /* Listening for input stream for any activity */
    ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
    /* Here, first parameter is number of FDs in the set, 
     * second is our FD set for reading,
     * third is the FD set in which any write activity needs to updated,
     * which is not required in this case. 
     * Fourth is timeout
     */

    if (ready_for_reading == -1) {
        /* Some error has occured in input */
        printf("Unable to read your input\n");
        return -1;
    } 

    if (ready_for_reading) {
        read_bytes = read(0, input, l-1);
        if(input[read_bytes-1]=='\n'){
        --read_bytes;
        input[read_bytes]='\0';
        }
        if(read_bytes==0){
            printf("No data given.\n");
            return -4;
        } else {
            return 0;
        }
    } else {
        printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
        return -3;
    }

    return 0;
}


bool play () {
  char player_turn[100];
  srand(time(0));
  int r;

  printf("Please make your selection (rock/paper/scissors):\n");
  r = tgetinput(player_turn, 100);
  // Timeout on user input
  if(r == -3)
  {
    printf("Goodbye!\n");
    exit(0);
  }

  int computer_turn = rand() % 3;
  printf("You played: %s\n", player_turn);
  printf("The computer played: %s\n", hands[computer_turn]);

  if (strstr(player_turn, loses[computer_turn])) {
    puts("You win! Play again?");
    return true;
  } else {
    puts("Seems like you didn't win this time. Play again?");
    return false;
  }
}


int main () {
  char input[3] = {'\0'};
  int command;
  int r;

  puts("Welcome challenger to the game of Rock, Paper, Scissors");
  puts("For anyone that beats me 5 times in a row, I will offer up a flag I found");
  puts("Are you ready?");

  while (true) {
    puts("Type '1' to play a game");
    puts("Type '2' to exit the program");
    r = tgetinput(input, 3);
    // Timeout on user input
    if(r == -3)
    {
      printf("Goodbye!\n");
      exit(0);
    }

    if ((command = strtol(input, NULL, 10)) == 0) {
      puts("Please put in a valid number");

    } else if (command == 1) {
      printf("\n\n");
      if (play()) {
        wins++;
      } else {
        wins = 0;
      }

      if (wins >= 5) {
        puts("Congrats, here's the flag!");
        puts(flag);
      }
    } else if (command == 2) {
      return 0;
    } else {
      puts("Please type either 1 or 2");
    }
  }

  return 0;
}

The function of interest here is the play() function. Let’s say int computer_turn = 0, if we look at hands[0], we see that the computer chose ‘rock.’ On this page, I found the strstr() function returns a pointer to the position of the first occurrence of a string in another string. Now, the computer will check if the user input player_turncontains the string that corresponds to loses[0] i.e. ‘paper’.

I tried inputting the string rockpaperscissors 5 times to beat the game and there I found my flag:

picoCTF classic crackme 0x100 writeup

Hitanshu Gedam — Fri, 19 Sep 2025 18:27:29 +0000

We are given a binary file in this challenge and are asked to reverse engineer it. I download it on my windows laptop and decompile it on DogBolt.

I scroll down till I find the main() function:

I find that some variables and arrays are defined. It begins by copying a fixed 51-character string into a buffer called output, which represents the correct "transformed" version of the secret password. Then, it prompts the user to input a password, which is read into the input buffer. The core of the code lies in a nested loop that runs three times: for each character in the input, it performs a complex transformation based on the character's index using bitwise operations and modular arithmetic to shift the character within the lowercase alphabet ('a' to 'z'). After applying this transformation three times, the code compares the resulting input with the predefined output string using memcmp. If the transformed input matches output, it prints a success message and a placeholder flag; otherwise, it prints "FAILED!".

I used wget to download the file on pico webshell and give it executable permissions via the chmod command.

I wrote a python script with the help of ChatGPT:

output = "mpknnphjngbhgzydttvkahppevhkmpwgdzxsykkokriepfnrdm"

def transform_char(c, i_1):
    uVar1 = ((i_1 % 0xff) >> 1 & 0x55) + ((i_1 % 0xff) & 0x55)
    uVar1 = ((uVar1 >> 2) & 0x33) + (uVar1 & 0x33)
    iVar2 = (uVar1 >> 4) + ord(c) - 0x61 + (uVar1 & 0xf)
    result = iVar2 % 26 + ord('a')
    return chr(result)

def transform(s):
    return ''.join(transform_char(c, i) for i, c in enumerate(s))

# Reverse the transformation by brute-force
def reverse_transform(target):
    original = ['?'] * len(target)
    for i, target_c in enumerate(target):
        for c in range(ord('a'), ord('z') + 1):
            trial = chr(c)
            if transform_char(trial, i) == target_c:
                original[i] = trial
                break
    return ''.join(original)

# Apply reverse transformation 3 times
current = output
for _ in range(3):
    current = reverse_transform(current)

print("Recovered password:", current)

And I got the original string. I tried it as an input for the file on the webshell and it succeeded. Now that I was sure of the original string, I used the nc command provided in the challenge to connect to the machine and gave it the string.

This is how I received the flag!

picoCTF bbbbloat writeup

Hitanshu Gedam — Fri, 19 Sep 2025 18:07:29 +0000

We are given a binary file here in this challenge. I used wget to download it in the pico webshell, and also downloaded it in my Windows laptop.
I make the file executable using the chmod +x bbbbloat. From the downloaded file on my Windows laptop, I head over to Dogbolt and upload the file there:

I keep scrolling down the decompiled code in order to find something interesting. I found the above code of interest.
This code checks if the variable local_48 equals 0x86187, and if so, it sets local_44 to 0xd2c49, then calls a function FUN_00101249 with arguments 0 and the address of local_38, expecting it to return a dynamically allocated string. It stores the result in local_40, prints the string to standard output followed by a newline, and then frees the allocated memory to avoid a memory leak. The function likely generates or retrieves a string (e.g., a message or flag) when the specific condition is met.
Next, I head over to RapidTables
for converting Hex to Decimal (because when I tried to run the executable bbbbloat file on webshell, it asked me to guess its favourite number i.e. for an integer input)

0x86187 = 549255 (in decimal)

I input that number after executing the bbbbloat file:

And there we have our flag!

picoCTF Irish-name-repo 3 writeup

Hitanshu Gedam — Fri, 19 Sep 2025 17:27:25 +0000

In this challenge we are given a basic website and are asked to bypass the admin login:

Let's go to the admin login page:

We are greeted with a login page:

I went to the Inspect element via right clicking the webpage. We can see the source code in the Elements tab. We see there is a debud hidden feature with value set to 0, I change it to 1 and enter 'admin' as the password:

Here we can see that 'admin' changes to 'nqzva'. We find a shift value of
13 between these two which suggests to me that it was a ROT13 cipher.

I head over to Cryptii, choose to encode a simple SQL injection payload that I intend to use ' or 1=1; --. We get the ciphertext as ' be 1=1; --

I use that ciphertext to bypass the login and there we have our flag:

picoCTF tapping writeup

Hitanshu Gedam — Fri, 19 Sep 2025 17:15:53 +0000

As soon as we connect to the given link with nc we are presented with a sequence of dots and dashes. This is Morse Code

I copied it and pasted it into this Morse Code Decoder (without the curly braces)

... there's our flag.

picoCTF flags writeup

Hitanshu Gedam — Tue, 16 Sep 2025 11:07:55 +0000

We are given this image

I used Google Image Search and found out they were International Maritime flags.

Then I searched google for International Maritime Flags and went to this Wikipedia link

https://en.wikipedia.org/wiki/International_maritime_signal_flags

This was the flag: PICOCTF{F1AG5AND5TUFF}

picoCTF Some Assembly Required writeup

Hitanshu Gedam — Tue, 16 Sep 2025 07:41:54 +0000

This challenge asks us to work with WebAssembly. I'll be honest I have never worked with WebAssembly. I looked up for some material and got myself a little familiar with it.

This is the code that build the website:

const _0x402c = ['value', '2wfTpTR', 'instantiate', '275341bEPcme', 'innerHTML', '1195047NznhZg', '1qfevql', 'input', '1699808QuoWhA', 'Correct!', 'check_flag', 'Incorrect!', './JIFxzHyW8W', '23SMpAuA', '802698XOMSrr', 'charCodeAt', '474547vVoGDO', 'getElementById', 'instance', 'copy_char', '43591XxcWUl', '504454llVtzW', 'arrayBuffer', '2NIQmVj', 'result'];
const _0x4e0e = function(_0x553839, _0x53c021) {
    _0x553839 = _0x553839 - 0x1d6;
    let _0x402c6f = _0x402c[_0x553839];
    return _0x402c6f;
};
(function(_0x76dd13, _0x3dfcae) {
    const _0x371ac6 = _0x4e0e;
    while (!![]) {
        try {
            const _0x478583 = -parseInt(_0x371ac6(0x1eb)) + parseInt(_0x371ac6(0x1ed)) + -parseInt(_0x371ac6(0x1db)) * -parseInt(_0x371ac6(0x1d9)) + -parseInt(_0x371ac6(0x1e2)) * -parseInt(_0x371ac6(0x1e3)) + -parseInt(_0x371ac6(0x1de)) * parseInt(_0x371ac6(0x1e0)) + parseInt(_0x371ac6(0x1d8)) * parseInt(_0x371ac6(0x1ea)) + -parseInt(_0x371ac6(0x1e5));
            if (_0x478583 === _0x3dfcae)
                break;
            else
                _0x76dd13['push'](_0x76dd13['shift']());
        } catch (_0x41d31a) {
            _0x76dd13['push'](_0x76dd13['shift']());
        }
    }
}(_0x402c, 0x994c3));
let exports;
(async () => {
    const _0x48c3be = _0x4e0e;
    let _0x5f0229 = await fetch(_0x48c3be(0x1e9))
      , _0x1d99e9 = await WebAssembly[_0x48c3be(0x1df)](await _0x5f0229[_0x48c3be(0x1da)]())
      , _0x1f8628 = _0x1d99e9[_0x48c3be(0x1d6)];
    exports = _0x1f8628['exports'];
}
)();
function onButtonPress() {
    const _0xa80748 = _0x4e0e;
    let _0x3761f8 = document['getElementById'](_0xa80748(0x1e4))[_0xa80748(0x1dd)];
    for (let _0x16c626 = 0x0; _0x16c626 < _0x3761f8['length']; _0x16c626++) {
        exports[_0xa80748(0x1d7)](_0x3761f8[_0xa80748(0x1ec)](_0x16c626), _0x16c626);
    }
    exports['copy_char'](0x0, _0x3761f8['length']),
    exports[_0xa80748(0x1e7)]() == 0x1 ? document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)] = _0xa80748(0x1e6) : document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)] = _0xa80748(0x1e8);
}

I thought ./JIFxzHyW8W to be of interest because of the ./

It means that is a file.

I used wget to download the file on the pico webshell and tried to read it with the strings command and piped the output to grep searching for the word 'pico'. Fortunately, I found the flag there itself.

picoCTF Match The Regex writeup

Hitanshu Gedam — Mon, 15 Sep 2025 17:13:03 +0000

This is an easy web challenge.

This websites asks for an input from the user

I tried 'hello' and it alerted me with a 'wrong message' alert.

Then I went to check the source code of the website by Right-click -> View Page Source, scrolled to the bottom and found the script that the website was running:

We see the regex pattern ^p.....F!? in the comment.

The regex pattern ^p.....F!? matches strings that start with a lowercase "p", followed by exactly five characters of any kind, then an uppercase "F", and optionally ending with an exclamation mark.

The ^ asserts the start of the string, while the . wildcard matches any single character except newline.

The !? means that the exclamation mark at the end is optional — the string may or may not include it.

My immediate guess was trying to input picoCTF:

... and that's how I got the flag to solve this challenge.

picoCTF Roboto Sans writeup

Hitanshu Gedam — Mon, 15 Sep 2025 15:04:34 +0000

I found some random characters together and it struck me they might be base64 encoded strings

I tried to deocde them:

I got flag1.txt but it was of no use
we can see that I get js/myfile.txt

I decided to visit that file on the website

... and there I get my flag!

picoCTF SQLiLite writeup

Hitanshu Gedam — Mon, 15 Sep 2025 14:49:51 +0000

We are asked to bypass the login page in the website.

I decide to try with the most basic SQLi attack ' OR 1=1 --

I try to login with that payload.

And we are in! Now we are challenged to find the flag which is hidden in 'plain sight'. So I right click on the webpage, and click on "View Page Source"

..and there was the flag hidden in "plain sight".

picoCTF Forbidden Paths writeup

Hitanshu Gedam — Mon, 15 Sep 2025 14:44:07 +0000

Here is our challenge:

We are told that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt.

I decided to type ../../../flag.txt and read.

Read.

And there's the flag!