#kksctf open 2019 Writeup

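This competition was held from 2019/12/28 16:00 (JST) to 2019/12/29 16:00 (JST).
I took part with my team again this time. We finished 41st out of 393 teams with 1746 points.
Here are write-ups for the challenges I solved myself.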

Xmas Tree (Misc)

Look at the HTML source of the page that shows the ASCII-art Christmas tree.

		<pre id="background">
                               <span style="color: red;">$</span>
                              <span style="color: red;">:$$</span>
                         <span style="color: red;">seeee$$$Neeee</span>
                           <span style="color: red;">R$$$F$$$$F</span>
                             <span style="color: red;">$$$$$$</span>
                            <span style="color: red;">@$$P*$$B</span>
                           <span style="color: red;">z$</span>#"  $#<span style="color: red;">$b</span>
                           " d   'N "
                            @"     ?r
                          xF .       "N
                       .$> P54.R       `$
                     $*   '*"$$$  uoP***~
                      #Noo "?$N"   #oL
                         f       o$#<span style="color: violet;">$$}</span>e.
                        $  @b    hoR$$r ^"$$b
                     .M   ?B$E   *.B$$       .R
                   .*     *\ *.4*R         ..*
                oo#     ooL    d#R.     P##~
                $c    .""P#$  @   P     k
                  R$r <span style="color: yellow;">w_y</span>L$$  P  "r     'N
                    ^$ "$$$` $.....JL     "N.
                  .$\           * P5"LR      $..
               ..* 4*R     xr    'PFN$$   .k    "*****.
            od#"   d#*.  "*$$P~   "?$*" '<span style="color: tomato;">kks{</span>"       u"
         e""      f   M   @F"$  ec       x$"$.     :"
         M        >  "d       $$$$?$           .$$F`
          "P..  .$.....$L $$.4$$. "   @#3$$   $E.
             '**..  *   R..$$ `R$*k.  f<span style="color: skyblue;">m@d</span>$>     *..
               J"       *k$$$~  "*$**o$o$$P        '*oo.
              P           #        "$$$#*o          >  '####*oooo
           .e"            :e$$e.  F3  ^"$P  :$$s :e@$ee        s"
         $P` <span style="color: orange;">n3</span>>    $P$$k "$"?$3 @"#N      CxN$$> .$$$       .P
      M$~   J\##   44N>$$  .d$.$d   @&      `$$$  F  .8..$$$*
  .***     :   JM   *d$$*.$$.P  M  .P5     M          **.
  "oo      J  .dP    ud$$od#   $oooooo$  oo$oo           ###ou
     "####$beeee$.'$eeP#~        ""      $<span style="color: greenyellow;">34r_</span>    e$$$o       #heeee
        :"    " z$r ^            o$N     '"  "   4$z>$$             """#$$$
       .~      F$4$B       r    F @#$.       ..   $8$$P M7                $
     .*  $     8 $$B     .J$..  hP$$$F     .'PB$       J~##             .d~
   .P  *<span style="color: blue;">n3</span>$*    "*"       $$$    #**~      hdM$$>     <   JM.......*****
 .P     $#*k       .o#>  P" "k   ..         '$$P      d  .JP'h
"""hr ^        xe""  >          ""c           ee    @beeeee$.)
      """t$$$$F"      M        $`   R          > "$r     "     "c
                              <span style="color: brown;">oooooooooo</span>
                              <span style="color: brown;">z        z</span>
                              <span style="color: brown;">z.,ze.$$$z</span>
                </pre>

The flag is inside the span tags.

<span style="color: violet;">$$}</span>
<span style="color: yellow;">w_y</span>
<span style="color: tomato;">kks{</span>
<span style="color: skyblue;">m@d</span>
<span style="color: orange;">n3</span>
<span style="color: greenyellow;">34r_</span>
<span style="color: blue;">n3</span>

Arrange them in the order of the colors of the rainbow.

kks{n3w_y34r_m@dn3$$}
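The rainbow ordering can be automated by sorting the spans on HSV hue. This is an added example, not part of the original writeup: the RGB values are the standard CSS named colours, `SAMPLE` is a constructed snippet holding the seven spans listed above in page order plus one decoration span, and all function names are hypothetical.

```python
import colorsys
from html.parser import HTMLParser

# Standard CSS named-colour RGB values for the colours of the flag spans.
CSS_RGB = {
    "tomato": (255, 99, 71), "orange": (255, 165, 0), "yellow": (255, 255, 0),
    "greenyellow": (173, 255, 47), "skyblue": (135, 206, 235),
    "blue": (0, 0, 255), "violet": (238, 130, 238),
}
DECORATION = {"red", "brown"}  # star and trunk spans, not flag pieces

class SpanCollector(HTMLParser):
    """Collect (colour, text) for every coloured span that is not decoration."""
    def __init__(self):
        super().__init__()
        self.color = None
        self.pieces = []

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            style = dict(attrs).get("style") or ""
            self.color = style.replace("color:", "").strip(" ;")

    def handle_data(self, data):
        if self.color and self.color not in DECORATION:
            self.pieces.append((self.color, data))

    def handle_endtag(self, tag):
        if tag == "span":
            self.color = None

def hue(name):
    r, g, b = (c / 255 for c in CSS_RGB[name])
    return colorsys.rgb_to_hsv(r, g, b)[0]

def flag_from_html(html):
    parser = SpanCollector()
    parser.feed(html)
    parser.close()
    ordered = sorted(parser.pieces, key=lambda piece: hue(piece[0]))
    return "".join(text for _, text in ordered)

# Constructed sample: flag spans in the order they appear in the page source.
SAMPLE = "<pre>" + " #oL ".join(
    '<span style="color: %s;">%s</span>' % pair for pair in [
        ("red", "$"), ("violet", "$$}"), ("yellow", "w_y"), ("tomato", "kks{"),
        ("skyblue", "m@d"), ("orange", "n3"), ("greenyellow", "34r_"), ("blue", "n3"),
    ]) + "</pre>"

if __name__ == "__main__":
    print(flag_from_html(SAMPLE))
```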

ru!e5p@g3 (Misc)

A sample flag is written in the section where the rules are listed.

kks{w3lcom3_to_0ur_ru!e5p@g3}

Stego Warmup (Misc)

A jpg is attached. Look at its EXIF information.

$ exiftool stego50.jpg 
ExifTool Version Number         : 10.10
File Name                       : stego50.jpg
Directory                       : .
File Size                       : 218 kB
File Modification Date/Time     : 2019:12:28 20:09:10+09:00
File Access Date/Time           : 2019:12:28 20:13:33+09:00
File Inode Change Date/Time     : 2019:12:28 20:09:10+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
XMP Toolkit                     : Image::ExifTool 11.11
Author                          : kks{just_s1ml3_st3g0}
Comment                         : Created with GIMP
Image Width                     : 622
Image Height                    : 860
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 622x860
Megapixels                      : 0.535

The flag was set in the Author field.

kks{just_s1ml3_st3g0}

kacker Bob and kacker Alice (Cryptography)

We are given n and c1 through c3. This is probably RSA, and n is not that large, so factor n into primes.

n = 13037609104445998727 * 16003250919732396127

For e, I simply assume 65537 for now. Then decrypt c1 onward in order and concatenate the results.

from Crypto.Util.number import inverse, long_to_bytes

n = 208644129891836890527171768061301730329

c1 = 173743301171240370198046699578309731314
c2 = 18997024455485040483743919351219518166
c3 = 49337945995780286416188917529635194536

p = 13037609104445998727
q = 16003250919732396127
phi = (p - 1) * (q - 1)

e = 65537
d = inverse(e, phi)

m1 = pow(c1, d, n)
m2 = pow(c2, d, n)
m3 = pow(c3, d, n)
flag = long_to_bytes(m1) + long_to_bytes(m2) + long_to_bytes(m3)
print(flag.decode())
kks{sm4ll_rs4_c4n_br3k_all_ur_creptographix}

Message from base (Cryptography)

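Judging from the challenge name as well, some numeral base is probably in use. Characters up to "l" appear, so I assume it is at least base 22 and try decoding.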

from Crypto.Util.number import long_to_bytes

enc = '2bi4j2fcjli84edk07kbjj3cggg3k5ih0hcgg710260lak1ibead1gf15hflb5f41'

val = int(enc, 22)
flag = long_to_bytes(val)
print(flag.decode())
kks{do_y0u_know_h0w_3nc0d1ng_w0rk$?}
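The "at least base 22" guess can be turned into a small search: derive the minimum radix from the largest digit, then try every base up to 36 and keep the ones that decode to printable ASCII. This is an added example, not part of the original writeup; it goes beyond the single base tried above, uses only the standard library, and the function names and the round-trip sample are constructed.

```python
import string

DIGITS = string.digits + string.ascii_lowercase  # alphabet accepted by int(s, base)

# Ciphertext quoted in the writeup, used here only to derive the minimum base.
PAGE_ENC = "2bi4j2fcjli84edk07kbjj3cggg3k5ih0hcgg710260lak1ibead1gf15hflb5f41"

def min_base(text):
    """Smallest radix in which every character of text is a valid digit."""
    return max(DIGITS.index(ch) for ch in text.lower()) + 1

def to_base(data, base):
    """Encode bytes as one big-endian integer written in the given base."""
    number = int.from_bytes(data, "big")
    out = ""
    while number:
        number, rem = divmod(number, base)
        out = DIGITS[rem] + out
    return out or "0"

def candidates(text):
    """Map base -> plaintext for every base whose decoding is printable ASCII."""
    hits = {}
    for base in range(max(2, min_base(text)), 37):
        number = int(text, base)
        raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
        if raw and all(32 <= byte < 127 for byte in raw):
            hits[base] = raw.decode("ascii")
    return hits

if __name__ == "__main__":
    print("minimum base for the page's string:", min_base(PAGE_ENC))
    # Constructed round-trip sample, not the challenge data.
    sample = to_base(b"kks{constructed_sample}", 22)
    for base, plain in candidates(sample).items():
        print(base, plain)
```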

Every day i'm shuffling (Cryptography)

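Random numbers are used to shuffle both the file name and the message inside the file. The seed lies within the range of the file name's length, so it can be found by brute force. Furthermore, if we work out which position each index ends up at after shuffling data of the same length, the message can be restored.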

#!/usr/bin/env python3
from random import *

def Shuffle(p, data):
    buf = list(data)
    for i in range(len(data)):
        buf[i] = data[p[i]]
    return ''.join(buf)

file_name = 'message_from_above'

for seed_val in range(1, len(file_name) + 1):
    file_name = 'message_from_above'
    seed(seed_val)
    file_name = list(file_name)
    shuffle(file_name)
    if ''.join(file_name) == 'fsegovs_meaoerbma_':
        break

with open('fsegovs_meaoerbma_.txt', 'r') as f:
    enc = f.read()

p = list(range(len(enc)))
shuffle(p)

place = []
for i in range(len(enc)):
    try_pt = '0' * i + '1' + '0' * (len(enc) - i - 1)
    data = Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,try_pt))))))))))))))))))))))))))))))))))))))))
    place.append(data.index('1'))

msg = ''
for i in range(len(enc)):
    msg += enc[place[i]]

print(msg)

The execution result is as follows.

Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore—
    While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping, rapping at my chamber door.
“’Tis some visitor,” I muttered, “tapping at my chamber door—
            Only this and nothing more.”

    Ah, distinctly I remember it was in the bleak December;
And each separate dying ember wrought its ghost upon the floor.
    Eagerly I wished the morrow;—vainly I had sought to borrow
    From my books surcease of sorrow—sorrow for the lost Lenore—
For the rare and radiant maiden whom the angels name Lenore—
            Nameless here for evermore.

    And the silken, sad, uncertain rustling of each purple curtain
Thrilled me—filled me with fantastic terrors never felt before;
    So that now, to still the beating of my heart, I stood repeating
    “’Tis some visitor entreating entrance at my chamber door—
Some late visitor entreating entrance at my chamber door;—
            This it is and nothing more.”

    Presently my soul grew stronger; hesitating then no longer,
“Sir,” said I, “or Madam, truly your forgiveness I implore;
    But the fact is I was napping, and so gently you came rapping,
    And so faintly you came tapping, tapping at my chamber door,
That I scarce was sure I heard you”—here I opened wide the door;—
            Darkness there and nothing more.

    Deep into that darkness peering, long I stood there wondering, fearing,
Doubting, dreaming dreams no mortal ever dared to dream before;
    But the silence was unbroken, and the stillness gave no token,
    And the only word there spoken was the whispered word, “Lenore?”
This I whispered, and an echo murmured back the word, “Lenore!”—
            Merely this and nothing more.

    Back into the chamber turning, all my soul within me burning,
Soon again I heard a tapping somewhat louder than before.
    “Surely,” said I, “surely that is something at my window lattice;
      Let me see, then, what thereat is, and this mystery explore—
Let my heart be still a moment and this mystery explore;—
            ’Tis the wind and nothing more!”

    Open here I flung the shutter, when, with many a flirt and flutter,
In there stepped a stately Raven of the saintly days of yore;
    Not the least obeisance made he; not a minute stopped or stayed he;
    But, with mien of lord or lady, perched above my chamber door—
Perched upon a bust of Pallas just above my chamber door—
            Perched, and sat, and nothing more.

Then this ebony bird beguiling my sad fancy into smiling,
By the grave and stern decorum of the countenance it wore,
“Though thy crest be shorn and shaven, thou,” I said, “art sure no craven,
Ghastly grim and ancient Raven wandering from the Nightly shore—
Tell me what thy lordly name is on the Night’s Plutonian shore!”
            Quoth the Raven “kks{5huffl3_5huffl3_5huffl3}”
kks{5huffl3_5huffl3_5huffl3}
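Because every round applies the same permutation, the message can also be restored by inverting that permutation directly instead of probing each position with a marker string. This is an added example, not the challenge's or the author's code: `scramble` is a constructed stand-in for the encoder as the writeup describes it, and the round count, seed and sample message are assumptions.

```python
import random

ROUNDS = 5  # constructed value; pass the real round count when it is known

def permute(p, data):
    """One round, same convention as Shuffle() in the writeup: out[i] = data[p[i]]."""
    return "".join(data[src] for src in p)

def scramble(name, message, seed_val, rounds=ROUNDS):
    """Constructed encoder: shuffle the name, then reuse the RNG to permute the message."""
    rng = random.Random(seed_val)
    chars = list(name)
    rng.shuffle(chars)
    p = list(range(len(message)))
    rng.shuffle(p)
    for _ in range(rounds):
        message = permute(p, message)
    return "".join(chars), message

def recover(name, shuffled_name, scrambled, rounds=ROUNDS):
    """Brute-force the seed over 1..len(name), rebuild p, and undo it round by round."""
    for seed_val in range(1, len(name) + 1):
        rng = random.Random(seed_val)
        chars = list(name)
        rng.shuffle(chars)
        if "".join(chars) != shuffled_name:
            continue
        p = list(range(len(scrambled)))
        rng.shuffle(p)
        inverse = [0] * len(p)
        for dst, src in enumerate(p):
            inverse[src] = dst  # guarantees p[inverse[j]] == j
        for _ in range(rounds):
            scrambled = permute(inverse, scrambled)
        return seed_val, scrambled
    raise ValueError("no seed in range reproduces the shuffled name")

if __name__ == "__main__":
    # Constructed sample input, not the challenge file.
    shuffled, enc = scramble("message_from_above", "Quoth the Raven: constructed sample", 7)
    print(shuffled, repr(enc))
    print(recover("message_from_above", shuffled, enc))
```

A seed space as small as the file name's length offers no secrecy, and the output of Python's `random` module is fully reproducible from the seed, so anyone who can guess the seed can rebuild the permutation.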