読者です 読者をやめる 読者になる 読者になる

DoubleS1405 CTF Writeup

CTF writeup

この大会は2017/3/25 9:00(JST)~2017/3/26 21:00(JST)に開催されました。
今回もチームで参戦。結果は351点で249チーム中17位でした。
自分で解けた問題をWriteupとして書いておきます。

Mic Check (Misc 1)

問題に記載してあるフラグを解凍するだけ。"flag{" と"}"は不要。

W3lc0me_T0_DoubleS1405_CTF!

Easy_Crypt (Crypto 50)

Vigenere暗号の問題。
オンラインツールhttps://www.guballa.de/vigenere-solverで復号してみると、次のような文章になっていた。

the vigenere cipher is a method of encrypting alphabetic text by using a series of interwoven caesar ciphers based on the letters of a keyword. it is a form of polyalphabetic substitution. flag is hello_vigenere
hello_vigenere

RSA (Crypto 150)

RSA暗号の問題。

$ nc 203.251.182.94 4000
enc : 524088215288945245117812840274234074214259867311424793488872316310812706883024313867933264975831745029054523235181695352586709977208196363681301896057064415274078567043967757970801714625738226262293721554006107104236101335115913713660091583447557282002619134700442555482433678036710317021694260495168589479860504255753735295684993178728329372305366606635533145127946686273344730509844775300122864925154558295745613688004661516962622482022264505375004460809348994246393125753388290161988082612174365368309952527753924526213766797054879514133711596108047008600960292092135854237304270147666380464744930028252443649819646184914979910712331358503515497366868391163434331196745240129334051449430357442795848755908012895351467558418431211464970160313835649205450891868176931866059746834981469604038607844868902540578729908708475089242253961021291237310436998767128596611554846948529983930986516799540905413759161964474942642639146239239417647305400198714676910394008062192060561130474884192131791415273201113911520884357202482483443690793539529640607301455522584558165763889673353291204724196936406524674532675658355516720800608675712275967358182807215410869264526079077702286496666298128451842286840129878459991344435756626173655145826593
e : 65537
p : 32317006071311007300714876688669951960444102669715484032130345427524655138867890893197201411522913463688717960921898019494119559150490921095088152386448283120630877367300996091750197750389652106796057638384067568276792218642619756161838094338476170470581645852036305042887575891541065808607552399123930385521954285833276606292740174507176908054077273016103644389803261062635470374515595892199454891155463898488297024308700957247533881208055894474582694028535079545281620566442541400114261729854235365927395115457109476960042332821732358509197923144094801013581965651112146928918286923938064987973879624251895591220179
q : 32317006071311007300714876688669951960444102669715484032130345427524655138867890893197201411522913463688717960921898019494119559150490921095088152386448283120630877367300996091750197750389652106796057638384067568276792218642619756161838094338476170470581645852036305042887575891541065808607552399123930385521990685772174514834944123086486002362345153147580453526134037171595087108668773961917317502849945855689432886442889958513294157709640362363734479327004391952407569596153273880472331909250263593691635107321048666489395316204775782962517724272901158130972610802371589601746375325078943967095960733617174538141999

enc, e, p, qがわかり、enc以外は固定になっている。そのまま復号処理をし、hexデコードやbase64デコードで正しい答えになるよう調整する。

import socket
import re

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('203.251.182.94', 4000))
data = s.recv(4096)
print data

pattern = 'enc : (.+)\ne : (.+)\np : (.+)\nq : (.+)'
m = re.search(pattern, data)
c = int(m.group(1))
e = int(m.group(2))
p = int(m.group(3))
q = int(m.group(4))
n = p * q

a = (p - 1) * (q - 1)

x = 0
while True:
    if (a * x + 1) % e == 0:
        d = (a * x + 1) / e
        break
    x = x + 1

m = pow(c, d, n)

ans = ('%x' % m).decode('hex').decode('base64')
ans = ('%x' % int(ans)).decode('hex')

print ans
s.sendall(ans)
data = s.recv(4096)
print data

実行結果は以下の通り。

enc : 943323076663715024141647584331931588504059538634678245280425831973796289347224969397647303454937690940952859232063793733404967720884450831759307523716676374906805977677219485079131899110251690387052195431428481983362303508265715568364926129160708402287993207521665278959090563863929142276264132832262357813131882224629836702376792898930239886372171786808974048556564459127393421203100595023420176207941095860228262228123206815043761469110111545721812944012788553149575087398528786583978437383550919700413294635921293905268700691986832657511626585629156289537911662116698677989724589794181878086199351516800977257909086655330248139060177962291764419430342443557667861917686953473395731524558266643177815366887860803117307072934899459045728454706856296407965798284164935167469656739110378295698864119610217189620023320017254576611161419886036093861180781769495008397890178322624327006809008967677442747797792584907829610673111299004805651549603121773706860385941777176103149272425054779791817810966316678169201560717394130219015631420356160614120412760419002013131762642338218434316378193883589201195199752227857462248942614326911643627127945748100365516522106686625206332033784564337959925495322684860188773445710912068399610295000708
e : 65537
p : 32317006071311007300714876688669951960444102669715484032130345427524655138867890893197201411522913463688717960921898019494119559150490921095088152386448283120630877367300996091750197750389652106796057638384067568276792218642619756161838094338476170470581645852036305042887575891541065808607552399123930385521954285833276606292740174507176908054077273016103644389803261062635470374515595892199454891155463898488297024308700957247533881208055894474582694028535079545281620566442541400114261729854235365927395115457109476960042332821732358509197923144094801013581965651112146928918286923938064987973879624251895591220179
q : 32317006071311007300714876688669951960444102669715484032130345427524655138867890893197201411522913463688717960921898019494119559150490921095088152386448283120630877367300996091750197750389652106796057638384067568276792218642619756161838094338476170470581645852036305042887575891541065808607552399123930385521990685772174514834944123086486002362345153147580453526134037171595087108668773961917317502849945855689432886442889958513294157709640362363734479327004391952407569596153273880472331909250263593691635107321048666489395316204775782962517724272901158130972610802371589601746375325078943967095960733617174538141999

49U6KMTW0P2m3baysLHcH4WKUjS4WBrk
flag{Y34hh_RSA_1S_S0_E4sy}
Y34hh_RSA_1S_S0_E4sy

Cute(Forensic 50)

$ file file
file: Matroska data

字幕が隠れていそうなので、ffmpegでテキスト化する。

$ ffmpeg -i file -map 0:s:0 file-subs.srt
          : (省略)

file-subs.srtの内容は以下の通り。

   :
80
00:00:10,517 --> 00:00:10,538
eh~!@#~!!#!

81
00:00:10,539 --> 00:00:10,539
f

82
00:00:10,539 --> 00:00:10,539
l

83
00:00:10,539 --> 00:00:10,539
a

84
00:00:10,539 --> 00:00:10,539
g

85
00:00:10,539 --> 00:00:10,539
{

86
00:00:10,539 --> 00:00:10,539
v

87
00:00:10,539 --> 00:00:10,539
3

88
00:00:10,539 --> 00:00:10,539
r

89
00:00:10,539 --> 00:00:10,539
_

90
00:00:10,539 --> 00:00:10,539
c

91
00:00:10,539 --> 00:00:10,539
u

92
00:00:10,539 --> 00:00:10,539
t

93
00:00:10,539 --> 00:00:10,539
3

94
00:00:10,539 --> 00:00:10,539
_

95
00:00:10,539 --> 00:00:10,539
p

96
00:00:10,539 --> 00:00:10,539
4

97
00:00:10,539 --> 00:00:10,539
R

98
00:00:10,539 --> 00:00:10,539
r

99
00:00:10,539 --> 00:00:10,539
0

100
00:00:10,539 --> 00:00:10,539
t

101
00:00:10,539 --> 00:00:10,539
_

102
00:00:10,539 --> 00:00:10,539
1

103
00:00:10,539 --> 00:00:10,539
2

104
00:00:10,539 --> 00:00:10,539
n

105
00:00:10,539 --> 00:00:10,539
t

106
00:00:10,539 --> 00:00:10,539
_

107
00:00:10,539 --> 00:00:10,539
!

108
00:00:10,539 --> 00:00:10,539
t

109
00:00:10,539 --> 00:00:10,539
?

110
00:00:10,539 --> 00:00:10,539
}

111
00:00:10,539 --> 00:00:10,560
eh~!@#~!!#!@
   :

これを見ると、最後の方にフラグが隠れている。

flag{v3r_cut3_p4Rr0t_12nt_!t?}
v3r_cut3_p4Rr0t_12nt_!t?