Forbidden
Paths
CTF's Author: LT
'syreal' Jones
Description
Can you get
the flag?We know that the website files live
in /usr/share/nginx/html/ and the flag is at /flag.txt but
the website is filtering absolute file paths. Can you get past the filter to
read the flag?
I just asked
gpt about the problem and got one of the approach for solving this problem.
To solve
this challenge and bypass the restriction on absolute file paths, you can
attempt to exploit directory traversal or similar methods to
read the flag.txt file. Since absolute file paths are filtered,
you’ll need to use relative paths. Here's how you might proceed:
Test in
the Input Field: If
the website has an input field or parameter that takes file paths
(e.g., GET /?file=example.txt), try replacing the file name with:
../../../../flag.txt
picoCTF{7h3_p47h_70_5ucc355_e5fe3d4d}
Hey everyone! Back with another CTF writeup, and this time we're tackling a cryptography challenge that's perfect for beginners. Let's dive into Challenge 13!
Challenge Overview
Challenge Name: 13
Category: Cryptography
Description: Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
Hint: This can be solved online if you don't want to do it by hand!
Understanding ROT13
Learning ROT13
Before we dive into doing this, let's discuss what ROT13 is. ROT13 is short for "rotate by 13 places" and it's one of the easiest encryption schemes around. It's a substitution cipher where every letter in the alphabet is swapped out for the letter 13 positions ahead of it.
So 'A' turns into 'N', 'B' into 'O', and so forth. The great thing about ROT13 is that it is self-inverse - that is, if you run ROT13 twice, you return to the original text. That's because there are 26 letters in the alphabet, so moving over 13 twice is a full circle of 26.
Solving the Challenge
Looking at our encrypted text: cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
This definitely looks like it could be ROT13 encoded text. The structure suggests it might be a flag format with something that looks like "CTF" in the middle.
Method 1: Using an Online Tool
The hint mentions we can solve this online, so let's use the suggested website: https://rot13.com/
I simply pasted the encrypted text into the input field and got the result instantly:
Decrypted text: picoCTF{not_too_bad_of_a_problem}
Perfect! We can see this follows the standard picoCTF flag format.
Method 2: Manual Decryption
For those who want to understand the process better, let's decode a few characters manually:
c → shift back 13 positions → p
v → shift back 13 positions → i
p → shift back 13 positions → c
b → shift back 13 positions → o
And the pattern continues. You can work through the entire string this way, but honestly, the online tool makes life much easier for ROT13.
Method 3: Using Python
If you're more of a programmer, here's a quick Python solution:
def rot13_decrypt(text):
result = ""
for char in text:
if char.isalpha():
# Handle uppercase and lowercase separately
if char.isupper():
result += chr((ord(char) - ord('A') - 13) % 26 + ord('A'))
else:
result += chr((ord(char) - ord('a') - 13) % 26 + ord('a'))
else:
result += char
return result
encrypted = "cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}"
decrypted = rot13_decrypt(encrypted)
print(decrypted)
This script handles both uppercase and lowercase letters while leaving special characters unchanged.
Flag
After applying ROT13 decryption to the given text, we get our flag:
Flag: picoCTF{not_too_bad_of_a_problem}
Takeaways
This challenge was a great introduction to classical cryptography. ROT13 is often used in CTFs as a stepping stone to more complex crypto challenges. The key things to remember:
ROT13 is easily recognizable - gibberish text that maintains the structure of English
It's symmetric - applying it twice returns the original text
Online tools exist for quick decryption
Understanding the manual process helps with similar substitution ciphers
The challenge name "13" was actually a dead giveaway that this was ROT13 - sometimes the hints are right there in plain sight!
That's it for this writeup. ROT13 may appear insignificant, but it's the foundation for grasping more complex cryptographic principles. Practice every day, and soon you'll be solving RSA and AES problems without breaking a sweat!
Happy hacking!
.jpg)
.jpg)
No comments:
Post a Comment