While enjoying some holiday time (because who doesn't love mixing relaxation with buffer overflows?), I finally decided to tackle PicoCTF's challenges. You know that feeling when you find a perfect excuse to dive deep into binary exploitation? Yeah, that's the one.
So, PicoCTF challenges, or Capture the Flag challenges in general, come in different flavors, each with its own special sauce:
- Web Exploitation
- Cryptography
- Reverse Engineering
- Forensics
- General Skills
- Binary Exploitation
While on vacation, I completed just about all Easy PicoCTF (PicoGym) challenges in a few hours, which was a lot of fun, and then decided to tackle the Medium ones as soon as I arrived back home.
I then stumbled upon this particular challenge that had me grinning like a kid in a candy store: a Linux machine which allowed no alphabetic characters. None. Zero. Null.
Just numbers and symbols.
Being somewhat versed in C (because real friends...), I thought I had it all figured out. Characters are just numbers in disguise, right? I'd just convert a bunch of numbers into characters and then feed that to stdin and then I could ls, cat, grep... Wrong! The challenge designers were way ahead of me. Any attempt to convert numbers to ASCII characters? Boom. Server says 'no way, Jose. Go do something else'.
But wait, there's more...
The real fun began when I shared this challenge with some friends. A couple of them didn't know CTFs were a thing, and they thought that this particular challenge sounded crazy fun. So, at around lunchtime, we went at it.
Remember that more modern security challenges often include protections like ASLR, DEP, and other acronyms that usually drive newcomers to fits of despair. But this challenge? This was different. It wasn't about bypassing protections - it was about thinking differently about how we interact with Linux systems. How on earth do you run commands when you can't write letters? What commands can you write?
While many classic approaches would be blocked by the no-alphabet rule, there are ways around limitations. That's the beauty of Linux - there's usually another way.
So, we put our heads together and had a great time, bouncing ideas off each other.
Remember: I don't do walkthroughs, so you won't find one here. Don't worry.
There are plenty out there, but if you simply give in and read one of those, you'll rob yourself of the delight of actually figuring out how to beat a challenge like this. Trust me: there's a lot to be said for failing, trying again, failing again, having a small breakthrough and going back to the drawing board before trying once more. Much learning can happen in those moments.
Every failed attempt, every error message, every "permission denied" - they're all teaching moments. They get under your skin, become part of your hacker DNA.
Still with me? Good, because here's the thing about CTFs that many miss: they're not about the flags. They're about the journey, the learning, the moments when you and your friends look at each other and go "ohhhhh, that's how it works!" or "how about this? Let's try it!"
Some say CTFs are unrealistic. Maybe. But you know what? So is practicing armbars on a compliant partner, yet BJJ works. And believe me, you'll learn when you win, but you'll do double plus better when you are faced with a new adversary or technique that rocks your world and turns it upside down. Losing is Fun.
Remember: every great hacker started somewhere. Probably failing at a challenge just like this one. The difference? They kept going.
So, yeah. We found the solution and had our minds blown at what we could do within such a restricted environment.
If you have any favorite CTF stories, challenges that made you pull your hair out, or just want to geek out about Linux and security, hit me up. I'm always open to learning more.
No, I didn't forget about the 'hacking a (slightly harder) C program' blog post: it's upcoming. Nor have I forgotten the list of other projects and blog posts that are on hold: those will come in due time.
Just one final piece of advice: keep a notebook of sorts close to you as you go through these CTFs. It's great to be able to explain in a coherent manner what you tried to achieve, your difficulties, and your ideas.