Sunshine CTF 2018 Writeup

この大会は2018/4/6 5:00(JST)~2018/4/8 5:00(JST)に開催されました。
今回もチームで参戦。結果は1951点で780チーム中23位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome (Forensics 1)

問題にフラグが書いてある。

sun{take_this_free_FLAG}

My Secret Stash (Forensics 100)

gitのファイル群が添付されている。

$ cd .git
$ xxd -g 1 index
0000000: 44 49 52 43 00 00 00 02 00 00 00 01 5a ab 13 05  DIRC........Z...
0000010: 2f ad 33 86 5a ab 13 05 2f 55 fc 4e 01 00 00 04  /.3.Z.../U.N....
0000020: 00 5d 74 3d 00 00 81 a4 00 00 01 f5 00 00 00 14  .]t=............
0000030: 00 00 01 3c 9f ee ea b8 2f 7a fe 27 eb 0f 67 21  ...<..../z.'..g!
0000040: 2f 95 2d c8 6c 23 03 e9 00 07 73 65 63 72 65 74  /.-.l#....secret
0000050: 73 00 00 00 54 52 45 45 00 00 00 19 00 31 20 30  s...TREE.....1 0
0000060: 0a ce 69 c6 ab c7 c9 9b 63 50 5d f3 81 22 77 d6  ..i.....cP].."w.
0000070: 9b a4 67 4b 9d 8b 25 e0 4f a8 48 6f a2 6c c8 27  ..gK..%.O.Ho.l.'
0000080: 28 4e 8a 8f b8 2a 75 67 55                       (N...*ugU

$ python -c 'import zlib; print zlib.decompress(open("objects/9f/eeeab82f7afe27eb0f67212f952dc86c2303e9").read())'
blob 316I'm so very sorry, you will not find my secrets in here. There was a time at which I wanted to share my secrets with someone, but that was long ago and I don't trust anyone anymore. I want to keep all of my secrets to myself for now on! Good luck trying to find them, there's nothing to find. hehehehehehehehe!!!!!!

$ cat logs/refs/heads/master
0000000000000000000000000000000000000000 7e2927361b7e4101e07fc5a475bb244622a275e3 Carlos Staszeski <cstaszeski@gmail.com> 1521160193 -0400	commit (initial): vegan!
7e2927361b7e4101e07fc5a475bb244622a275e3 92fb7e7ebbc65d04ac311c3f1d4e496cd867e94d Carlos Staszeski <cstaszeski@gmail.com> 1521160586 -0400	commit: is
92fb7e7ebbc65d04ac311c3f1d4e496cd867e94d 3fe304a91a3049d9589e379b843f4dca9c47aafc Carlos Staszeski <cstaszeski@gmail.com> 1521160985 -0400	commit: Bobby

$ python -c 'import zlib; print zlib.decompress(open("objects/7e/2927361b7e4101e07fc5a475bb244622a275e3").read())'
commit 185tree 74967e81c7d6b83bb2647abc6890a3adfae0e96a
author Carlos Staszeski <cstaszeski@gmail.com> 1521160193 -0400
committer Carlos Staszeski <cstaszeski@gmail.com> 1521160193 -0400

vegan!

$ python -c 'import zlib; print zlib.decompress(open("objects/74/967e81c7d6b83bb2647abc6890a3adfae0e96a").read())' | xxd -g 1
0000000: 74 72 65 65 20 33 35 00 31 30 30 36 34 34 20 73  tree 35.100644 s
0000010: 65 63 72 65 74 73 00 8a de a5 38 cd 0f d8 27 09  ecrets....8...'.
0000020: 09 4b 9c 77 2d c3 a2 15 76 d4 d3 0a              .K.w-...v...

$ python -c 'import zlib; print zlib.decompress(open("objects/8a/dea538cd0fd82709094b9c772dc3a21576d4d3").read())'
blob 225So, you've discovered how to travel back in time did you? Well that's not going to help you much here, you see, my stash is so well hidden you will never ever ever find it! hahahahahahahahhahahahahahahahahahahah!!!!!!!!!!!!!

$ python -c 'import zlib; print zlib.decompress(open("objects/92/fb7e7ebbc65d04ac311c3f1d4e496cd867e94d").read())'
commit 229tree ed91e6d10fdb88d4a9e2f4471e7b60170ba70a37
parent 7e2927361b7e4101e07fc5a475bb244622a275e3
author Carlos Staszeski <cstaszeski@gmail.com> 1521160586 -0400
committer Carlos Staszeski <cstaszeski@gmail.com> 1521160586 -0400

is

$ python -c 'import zlib; print zlib.decompress(open("objects/ed/91e6d10fdb88d4a9e2f4471e7b60170ba70a37").read())' | xxd -g 1
0000000: 74 72 65 65 20 33 35 00 31 30 30 36 34 34 20 73  tree 35.100644 s
0000010: 65 63 72 65 74 73 00 94 7f 94 13 31 a9 eb 2d 90  ecrets.....1..-.
0000020: 87 05 45 34 89 cd 56 e0 61 7d a5 0a              ..E4..V.a}..

$ python -c 'import zlib; print zlib.decompress(open("objects/94/7f941331a9eb2d908705453489cd56e0617da5").read())'
blob 304I feel like we are becoming good friends you and I. Yes. I even considered letting you in on one of my secrets just now, but I didn't want to risk it falling into the wrong hands. So instead I stashed it away and destroyed it so that no one would ever be able to recover my secrets! muahahahahahah!!!!!!

$ python -c 'import zlib; print zlib.decompress(open("objects/3f/e304a91a3049d9589e379b843f4dca9c47aafc").read())'
commit 232tree ce69c6abc7c99b63505df3812277d69ba4674b9d
parent 92fb7e7ebbc65d04ac311c3f1d4e496cd867e94d
author Carlos Staszeski <cstaszeski@gmail.com> 1521160985 -0400
committer Carlos Staszeski <cstaszeski@gmail.com> 1521160985 -0400

Bobby

$ python -c 'import zlib; print zlib.decompress(open("objects/ce/69c6abc7c99b63505df3812277d69ba4674b9d").read())' | xxd -g 1
0000000: 74 72 65 65 20 33 35 00 31 30 30 36 34 34 20 73  tree 35.100644 s
0000010: 65 63 72 65 74 73 00 9f ee ea b8 2f 7a fe 27 eb  ecrets...../z.'.
0000020: 0f 67 21 2f 95 2d c8 6c 23 03 e9 0a              .g!/.-.l#...

$ python -c 'import zlib; print zlib.decompress(open("objects/9f/eeeab82f7afe27eb0f67212f952dc86c2303e9").read())'
blob 316I'm so very sorry, you will not find my secrets in here. There was a time at which I wanted to share my secrets with someone, but that was long ago and I don't trust anyone anymore. I want to keep all of my secrets to myself for now on! Good luck trying to find them, there's nothing to find. hehehehehehehehe!!!!!!

フラグが見つからない。手あたり次第調べる。

$ python -c 'import zlib; print zlib.decompress(open("objects/7b/82ac03c49c0b55a4a8b8ffb3c04c5fe565fba6").read())'
commit 258tree 74967e81c7d6b83bb2647abc6890a3adfae0e96a
parent 7e2927361b7e4101e07fc5a475bb244622a275e3
author Carlos Staszeski <cstaszeski@gmail.com> 1521160299 -0400
committer Carlos Staszeski <cstaszeski@gmail.com> 1521160299 -0400

index on master: 7e29273 vegan!

$ python -c 'import zlib; print zlib.decompress(open("objects/14/a5c7088e7638abb2232c8cac1c7dd4687819f0").read())'
commit 304tree c9936edd0f107fc91fdaa876def0dc960b000760
parent 7e2927361b7e4101e07fc5a475bb244622a275e3
parent 7b82ac03c49c0b55a4a8b8ffb3c04c5fe565fba6
author Carlos Staszeski <cstaszeski@gmail.com> 1521160299 -0400
committer Carlos Staszeski <cstaszeski@gmail.com> 1521160299 -0400

WIP on master: 7e29273 vegan!

$ python -c 'import zlib; print zlib.decompress(open("objects/c9/936edd0f107fc91fdaa876def0dc960b000760").read())' | xxd -g 1
0000000: 74 72 65 65 20 33 35 00 31 30 30 36 34 34 20 73  tree 35.100644 s
0000010: 65 63 72 65 74 73 00 bd 12 73 6e 7c 80 5c 83 49  ecrets...sn|.\.I
0000020: 4a 71 c3 66 a7 f8 85 0e e7 a3 79 0a              Jq.f......y.

$ python -c 'import zlib; print zlib.decompress(open("objects/bd/12736e7c805c83494a71c366a7f8850ee7a379").read())'
blob 17sun{git_gud_k1d}
sun{git_gud_k1d}

Source Protection (RE 100)

https://sourceforge.net/projects/pyinstallerextractor/からPyInstaller Extractorをインストール、展開する。

>pyinstxtractor.py passwords.exe
[*] Processing passwords.exe
[*] Pyinstaller version: 2.1+
[*] Python version: 27
[*] Length of package: 3188825 bytes
[*] Found 18 files in CArchive
[*] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap
[+] Possible entry point: passwords
[*] Found 194 files in PYZ archive
[*] Successfully extracted pyinstaller archive: passwords.exe

You can now use a python decompiler on the pyc files within the extracted directory

passwordsファイル内にフラグがあった。

sun{py1n574ll3r_15n7_50urc3_pr073c710n}

Visionary (Crypto 150)

スペースを除くprintableな文字をすべて使ったVigenere暗号。

chars = '!\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'

with open('visionary/Cipher1.txt', 'r') as f:
    c1 = f.read().strip()

with open('visionary/Decipher(Cipher1).txt', 'r') as f:
    p1 = f.read().strip()

with open('visionary/cipherFlag.txt', 'r') as f:
    encFlag = f.read().strip()

key = ''
for i in range(len(encFlag)):
    index = chars.index(c1[i]) - chars.index(p1[i])
    if index < 0:
        index += len(chars)
    key += chars[index]

print key

flag = ''
for i in range(len(encFlag)):
    index = chars.index(encFlag[i]) - chars.index(key[i])
    if index < 0:
        index += len(chars)
    flag += chars[index]

print flag
sun{Why_would_Any0n3_use_A_T@bl3_tH@t_LaRg3}

Missing Bytes (Scripting 200)

再帰を使いながら、ディレクトリのサイズが配下のサイズの合計と一致しない場合にsendコマンドでディレクトリ名を指定する。
コードは以下の通り。20ラウンド正解すると、フラグが表示される。

import socket
import re

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def check_dir(name, size):
    # 0: ok
    # 1: ng
    # 2: finish
    cmd = 'cd ' + name
    #print cmd
    s.sendall(cmd + '\n')
    data = recvuntil(s, '$ ')
    #print data

    cmd = 'ls'
    #print cmd
    s.sendall(cmd + '\n')
    data = recvuntil(s, '$ ')
    #print data

    rows = data.split('\r\n')
    num = get_entries_num(rows[0])
    sum_size = 0
    for i in range(num):
        name2, fd, size2 = get_row_info(rows[i+1])
        sum_size += size2
        if fd == 'DIR':
            res = check_dir(name2, size2)
            if res == 1:
                s.sendall('send ' + name2 + '\n')
                data = recvuntil(s, '\n')
                data += recvuntil(s, ' ')
                if 'Hooray!' in data:
                    data += recvuntil(s, '\n')
                    data += recvuntil(s, '\n')
                    print data
                    return 2
                else:
                    data += recvuntil(s, '$ ')
                    #print data
            elif res == 2:
                return 2

    cmd = 'cd ..'
    #print cmd
    s.sendall(cmd + '\n')
    data = s.recv(256)
    #print data

    if size == sum_size:
        return 0
    else:
        return 1

def get_entries_num(row):
    m = re.search('\((.+) entries\)', row)
    num = int(m.group(1))
    return num

def get_row_info(row):
    name = row[:7].strip()
    fd = row[8:12].strip()
    size = int(row[13:])
    return name, fd, size

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chal1.sunshinectf.org', 30001))

data = recvuntil(s, '\n')
print data

print 'start'
s.sendall('start\n')

for i in range(20):
    print '**************************'
    print '******** Round %02d ********' % (i+1)
    print '**************************'
    data = recvuntil(s, '$ ')
    print data

    cmd = 'ls'
    print cmd
    s.sendall(cmd + '\n')
    data = recvuntil(s, '$ ')
    print data

    rows = data.split('\r\n')
    num = get_entries_num(rows[0])
    for j in range(num):
        name, fd, size = get_row_info(rows[j+1])
        if fd == 'DIR':
            print name
            res = check_dir(name, size)
            if res == 1:
                s.sendall('send ' + name + '\n')
                data = recvuntil(s, '\n')
                data += recvuntil(s, ' ')
                if 'Hooray!' in data:
                    data += recvuntil(s, '\n')
                    data += recvuntil(s, '\n')
                    #print data
                    break
                else:
                    data += recvuntil(s, '$ ')
                    #print data
            elif res == 2:
                break
sun{a11_ur_byt3s_4re_b3long_t0_m3}