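This CTF was held from 2020/6/9 19:30 (JST) to 2020/6/10 14:30 (JST).
I took part with a team again this time. We scored 2490 points and placed 25th out of 343 teams.
Below are writeups for the challenges I solved myself.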
WELCOME (WELCOME 10)
After joining the Discord, the first half of the flag was in the profile of one of the ORGANIZERS and the second half was in the profile of one of the AUTHORS.
noob{w3lc0m3_t0_n00B_CTF_Buddy}
Just For Fun (Web 120)
Pressing the Get Flag button leads to the following address, with a parameter attached.
https://private.vanisco.in/dakaar_lo/?flag=Get+Flag
Try accessing it with the HTTP POST method instead.
    $ curl -X POST -d 'flag=Get+Flag' https://private.vanisco.in/dakaar_lo/
    <html>
    noob{G00d_hindi_Br0}
noob{G00d_hindi_Br0}
It's easy (Forensics 50)
The first 4 bytes of the JPG are corrupted. After fixing them to FF D8 FF E0, the image opens and the flag is written in it.
noob{1_t0ld_y0u_1ts_34sy}
##Parent Process## (Memory Forensic 80)
The task is to give the parent process ID of the Desktop Window Manager.
    $ volatility -f image.raw imageinfo
    Volatility Foundation Volatility Framework 2.6
    INFO : volatility.debug : Determining profile based on KDBG search...
    Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
    AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
    AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/image.raw)
    PAE type : No PAE
    DTB : 0x187000L
    KDBG : 0xf80002c420a0L
    Number of Processors : 1
    Image Type (Service Pack) : 1
    KPCR for CPU 0 : 0xfffff80002c43d00L
    KUSER_SHARED_DATA : 0xfffff78000000000L
    Image date and time : 2020-06-02 20:02:03 UTC+0000
    Image local date and time : 2020-06-02 16:02:03 -0400

    $ volatility -f image.raw --profile=Win7SP1x64 pstree
    Volatility Foundation Volatility Framework 2.6
    Name Pid PPid Thds Hnds Time
    -------------------------------------------------- ------ ------ ------ ------ ----
    0xfffffa80024c8910:wininit.exe 416 352 3 74 2020-06-02 19:40:26 UTC+0000
    . 0xfffffa8002c00b30:lsass.exe 528 416 6 575 2020-06-02 19:40:26 UTC+0000
    . 0xfffffa8002beead0:services.exe 520 416 9 210 2020-06-02 19:40:26 UTC+0000
    .. 0xfffffa8003c5a060:sppsvc.exe 1920 520 4 149 2020-06-02 19:40:51 UTC+0000
    .. 0xfffffa8002cbcb30:svchost.exe 648 520 11 360 2020-06-02 19:40:26 UTC+0000
    ... 0xfffffa80033beb30:WmiPrvSE.exe 1720 648 10 268 2020-06-02 19:40:40 UTC+0000
    ... 0xfffffa8000e0eb30:wmplayer.exe 2312 648 21 555 2020-06-02 19:45:47 UTC+0000
    ... 0xfffffa80033a5060:WmiPrvSE.exe 2252 648 11 293 2020-06-02 19:41:00 UTC+0000
    ... 0xfffffa8000de6060:dllhost.exe 1512 648 9 211 2020-06-02 19:45:42 UTC+0000
    .. 0xfffffa80030a0890:svchost.exe 1068 520 19 317 2020-06-02 19:40:30 UTC+0000
    .. 0xfffffa8002f1f560:svchost.exe 856 520 15 312 2020-06-02 19:40:26 UTC+0000
    ... 0xfffffa8003cb7190:dwm.exe 2512 856 3 70 2020-06-02 19:41:51 UTC+0000
    .. 0xfffffa800302a740:svchost.exe 408 520 20 396 2020-06-02 19:40:29 UTC+0000
    ... 0xfffffa80024fdb30:csrss.exe 428 408 10 291 2020-06-02 19:40:26 UTC+0000
    .... 0xfffffa8000f3b060:conhost.exe 2588 428 2 50 2020-06-02 19:46:10 UTC+0000
    ... 0xfffffa8002bbab30:winlogon.exe 484 408 3 111 2020-06-02 19:40:26 UTC+0000
    .. 0xfffffa8002a73060:svchost.exe 1392 520 16 250 2020-06-02 19:42:33 UTC+0000
    .. 0xfffffa8001875320:taskhost.exe 676 520 8 150 2020-06-02 19:40:51 UTC+0000
    .. 0xfffffa8002fee3a0:svchost.exe 304 520 12 536 2020-06-02 19:40:29 UTC+0000
    .. 0xfffffa80031cdab0:vmtoolsd.exe 1268 520 11 279 2020-06-02 19:40:31 UTC+0000
    ... 0xfffffa8002fe4060:cmd.exe 3004 1268 0 ------ 2020-06-02 20:02:03 UTC+0000
    .... 0xfffffa80010bc9e0:ipconfig.exe 2556 3004 0 ------ 2020-06-02 20:02:03 UTC+0000
    .. 0xfffffa8000db0270:svchost.exe 920 520 14 337 2020-06-02 19:42:33 UTC+0000
    .. 0xfffffa8002cf6b30:svchost.exe 712 520 8 309 2020-06-02 19:40:26 UTC+0000
    .. 0xfffffa8003083360:spoolsv.exe 1036 520 16 274 2020-06-02 19:40:30 UTC+0000
    .. 0xfffffa80031a8370:VGAuthService. 1236 520 3 84 2020-06-02 19:40:31 UTC+0000
    .. 0xfffffa8000cd4b30:SearchIndexer. 2892 520 13 694 2020-06-02 19:41:57 UTC+0000
    ... 0xfffffa8000dce060:SearchProtocol 928 2892 8 318 2020-06-02 19:56:39 UTC+0000
    ... 0xfffffa8000fd7060:SearchFilterHo 748 2892 5 98 2020-06-02 19:56:40 UTC+0000
    .. 0xfffffa80032adb30:svchost.exe 1516 520 7 95 2020-06-02 19:40:34 UTC+0000
    .. 0xfffffa8002d48340:dllhost.exe 1776 520 15 196 2020-06-02 19:40:40 UTC+0000
    .. 0xfffffa8002cab060:msdtc.exe 1864 520 14 153 2020-06-02 19:40:41 UTC+0000
    .. 0xfffffa8002f26b30:svchost.exe 884 520 46 1056 2020-06-02 19:40:26 UTC+0000
    .. 0xfffffa80033e9b30:WmiApSrv.exe 1656 520 6 113 2020-06-02 19:43:04 UTC+0000
    .. 0xfffffa8002d299e0:svchost.exe 764 520 25 515 2020-06-02 19:40:26 UTC+0000
    ... 0xfffffa8002fd5b30:audiodg.exe 984 764 8 144 2020-06-02 19:40:29 UTC+0000
    . 0xfffffa8002c04b30:lsm.exe 536 416 11 152 2020-06-02 19:40:26 UTC+0000
    0xfffffa800249f550:csrss.exe 360 352 9 488 2020-06-02 19:40:24 UTC+0000
    . 0xfffffa800306d760:conhost.exe 2680 360 0 ------ 2020-06-02 20:02:03 UTC+0000
    0xfffffa8003c48060:explorer.exe 2536 2500 42 1049 2020-06-02 19:41:51 UTC+0000
    . 0xfffffa8000ce0060:notepad.exe 1472 2536 6 236 2020-06-02 19:43:32 UTC+0000
    . 0xfffffa8000b68520:spkl.exe 1800 2536 6 249 2020-06-02 19:45:37 UTC+0000
    .. 0xfffffa8000e9c380:spmm.exe 2940 1800 1 90 2020-06-02 19:45:44 UTC+0000
    . 0xfffffa8000fa7060:Sonic Visualis 3032 2536 11 218 2020-06-02 19:45:50 UTC+0000
    . 0xfffffa8001bfcb30:vm3dservice.ex 2620 2536 2 44 2020-06-02 19:41:51 UTC+0000
    . 0xfffffa8003cf4b30:vmtoolsd.exe 2636 2536 8 154 2020-06-02 19:41:51 UTC+0000
    . 0xfffffa8000ff5580:taskmgr.exe 2296 2536 6 118 2020-06-02 19:46:20 UTC+0000
    . 0xfffffa8000fef060:cmd.exe 1396 2536 1 19 2020-06-02 19:46:10 UTC+0000
    . 0xfffffa8003cf4060:sidebar.exe 2644 2536 10 244 2020-06-02 19:41:51 UTC+0000
    0xfffffa8000b07b30:System 4 0 90 498 2020-06-02 19:40:18 UTC+0000
    . 0xfffffa8002387b30:smss.exe 268 4 2 29 2020-06-02 19:40:18 UTC+0000
    0xfffffa8002107060:GoogleCrashHan 2180 2156 5 97 2020-06-02 19:40:52 UTC+0000
    0xfffffa8003cdf060:GoogleCrashHan 2188 2156 5 90 2020-06-02 19:40:52 UTC+0000
The parent process ID of dwm.exe turns out to be 856.
noob{856}
Malicious Process (Memory Forensic 100)
The task is to give the name of the malicious process.
    $ volatility -f image.raw --profile=Win7SP1x64 cmdline
    Volatility Foundation Volatility Framework 2.6
    ************************************************************************
    System pid: 4
    ************************************************************************
    smss.exe pid: 268
    Command line : \SystemRoot\System32\smss.exe
    ************************************************************************
    csrss.exe pid: 360
    Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    ************************************************************************
    wininit.exe pid: 416
    Command line : wininit.exe
    ************************************************************************
    csrss.exe pid: 428
    Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    ************************************************************************
    winlogon.exe pid: 484
    Command line : winlogon.exe
    ************************************************************************
    services.exe pid: 520
    Command line : C:\Windows\system32\services.exe
    ************************************************************************
    lsass.exe pid: 528
    Command line : C:\Windows\system32\lsass.exe
    ************************************************************************
    lsm.exe pid: 536
    Command line : C:\Windows\system32\lsm.exe
    ************************************************************************
    svchost.exe pid: 648
    Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
    ************************************************************************
    svchost.exe pid: 712
    Command line : C:\Windows\system32\svchost.exe -k RPCSS
    ************************************************************************
    svchost.exe pid: 764
    Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    ************************************************************************
    svchost.exe pid: 856
    Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    ************************************************************************
    svchost.exe pid: 884
    Command line : C:\Windows\system32\svchost.exe -k netsvcs
    ************************************************************************
    audiodg.exe pid: 984
    Command line : C:\Windows\system32\AUDIODG.EXE 0x2c4
    ************************************************************************
    svchost.exe pid: 304
    Command line : C:\Windows\system32\svchost.exe -k LocalService
    ************************************************************************
    svchost.exe pid: 408
    Command line : C:\Windows\system32\svchost.exe -k NetworkService
    ************************************************************************
    spoolsv.exe pid: 1036
    Command line : C:\Windows\System32\spoolsv.exe
    ************************************************************************
    svchost.exe pid: 1068
    Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    ************************************************************************
    VGAuthService. pid: 1236
    Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
    ************************************************************************
    vmtoolsd.exe pid: 1268
    Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
    ************************************************************************
    svchost.exe pid: 1516
    Command line : C:\Windows\system32\svchost.exe -k bthsvcs
    ************************************************************************
    WmiPrvSE.exe pid: 1720
    Command line : C:\Windows\system32\wbem\wmiprvse.exe
    ************************************************************************
    dllhost.exe pid: 1776
    Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    ************************************************************************
    msdtc.exe pid: 1864
    Command line : C:\Windows\System32\msdtc.exe
    ************************************************************************
    taskhost.exe pid: 676
    Command line : "taskhost.exe"
    ************************************************************************
    sppsvc.exe pid: 1920
    Command line : C:\Windows\system32\sppsvc.exe
    ************************************************************************
    GoogleCrashHan pid: 2180
    ************************************************************************
    GoogleCrashHan pid: 2188
    Command line : "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe"
    ************************************************************************
    WmiPrvSE.exe pid: 2252
    Command line : C:\Windows\system32\wbem\wmiprvse.exe
    ************************************************************************
    dwm.exe pid: 2512
    Command line : "C:\Windows\system32\Dwm.exe"
    ************************************************************************
    explorer.exe pid: 2536
    Command line : C:\Windows\Explorer.EXE
    ************************************************************************
    vm3dservice.ex pid: 2620
    Command line : "C:\Windows\System32\vm3dservice.exe" -u
    ************************************************************************
    vmtoolsd.exe pid: 2636
    Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    ************************************************************************
    sidebar.exe pid: 2644
    Command line : "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
    ************************************************************************
    SearchIndexer. pid: 2892
    Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
    ************************************************************************
    svchost.exe pid: 1392
    Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    ************************************************************************
    svchost.exe pid: 920
    Command line : C:\Windows\System32\svchost.exe -k secsvcs
    ************************************************************************
    WmiApSrv.exe pid: 1656
    Command line : C:\Windows\system32\wbem\WmiApSrv.exe
    ************************************************************************
    notepad.exe pid: 1472
    Command line : "C:\Windows\system32\notepad.exe"
    ************************************************************************
    spkl.exe pid: 1800
    Command line : "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
    ************************************************************************
    dllhost.exe pid: 1512
    Command line : C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    ************************************************************************
    spmm.exe pid: 2940
    Command line : "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.5.21"★
    ************************************************************************
    wmplayer.exe pid: 2312
    Command line : "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    ************************************************************************
    Sonic Visualis pid: 3032
    Command line : "C:\Program Files\Sonic Visualiser\Sonic Visualiser.exe"
    ************************************************************************
    cmd.exe pid: 1396
    Command line : "C:\Windows\system32\cmd.exe"
    ************************************************************************
    conhost.exe pid: 2588
    Command line : \??\C:\Windows\system32\conhost.exe
    ************************************************************************
    taskmgr.exe pid: 2296
    Command line : "C:\Windows\system32\taskmgr.exe"
    ************************************************************************
    SearchProtocol pid: 928
    Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    ************************************************************************
    SearchFilterHo pid: 748
    Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
    ************************************************************************
    cmd.exe pid: 3004
    ************************************************************************
    conhost.exe pid: 2680
    ************************************************************************
    ipconfig.exe pid: 2556
A keylogger is running.
noob{spmm.exe}
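A triage pass over the `cmdline` output above, as an added example that is not part of the original writeup: it parses the Volatility 2 output and lists processes whose image path lies outside the usual Windows and Program Files directories. The allowlist `TRUSTED_DIRS` and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: entries copied from the cmdline output above (author's marker dropped).
SAMPLE = r"""
************************************************************************
smss.exe pid: 268
Command line : \SystemRoot\System32\smss.exe
************************************************************************
wininit.exe pid: 416
Command line : wininit.exe
************************************************************************
svchost.exe pid: 856
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
vmtoolsd.exe pid: 1268
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
spkl.exe pid: 1800
Command line : "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
************************************************************************
spmm.exe pid: 2940
Command line : "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.5.21"
************************************************************************
conhost.exe pid: 2588
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
cmd.exe pid: 3004
"""

# Assumption: an illustrative allowlist of install locations, not a complete policy.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_cmdline(text):
    """Split Volatility 2 `cmdline` output into {name, pid, cmd} records."""
    procs = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = re.match(r"(.+?)\s+pid:\s*(\d+)$", lines[0]) if lines else None
        if not m:
            continue
        cmd = ""
        if len(lines) > 1 and lines[1].startswith("Command line :"):
            cmd = lines[1].split(":", 1)[1].strip()
        procs.append({"name": m.group(1), "pid": int(m.group(2)), "cmd": cmd})
    return procs

def image_path(cmd):
    """Extract the executable path and normalise NT-style prefixes."""
    m = re.match(r'"([^"]+)"', cmd)
    path = m.group(1) if m else cmd.split(" ")[0]
    path = re.sub(r"^\\\?\?\\", "", path)  # \??\C:\... -> C:\...
    return re.sub(r"^(%SystemRoot%|\\SystemRoot)", r"C:\\Windows", path, flags=re.I)

def suspicious(procs):
    """Return (pid, name, path) for images running outside TRUSTED_DIRS."""
    hits = []
    for p in procs:
        path = image_path(p["cmd"])
        if "\\" not in path:
            continue  # no recorded command line, or a bare image name
        if not path.lower().startswith(TRUSTED_DIRS):
            hits.append((p["pid"], p["name"], path))
    return hits

if __name__ == "__main__":
    for hit in suspicious(parse_cmdline(SAMPLE)):
        print(hit)
```

Unquoted paths that contain spaces are cut at the first space, so a hit from such an entry should be checked against the raw command line.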
Gross (Crypto 120)
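Treating each ciphertext letter as an index into the alphabet, subtracting 1 through 5 in turn, over and over, decrypts it.
    # Python 2
    from string import uppercase

    ct = 'OQWKWPUVMYTIUSSTHHPI'
    key = [1, 2, 3, 4, 5]

    pt = ''
    for i in range(len(ct)):
        # shift each letter back by the repeating key digit
        index = uppercase.index(ct[i])
        index -= key[i%len(key)]
        pt += uppercase[index]

    flag = 'noob{%s}' % pt
    print flag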
noob{NOTGROSSITSGRONSFELD}
WhatThe# (Crypto 150)
I think this is brainfuck, but the characters have probably been swapped around.
    - → +
    ] → [
    < → >
    > → <
    [ → ]
    + → -
    , → .
Try replacing each character with its likely counterpart.
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++.+..-------------.+++++++++++++++++++++++++.<++++++++.<++++++++++++++++++.>>-------.<+++++++++++++++++.<++++.>>--------.+++++++++++.<<.>>++.<<+.>.+++.>-------.<<-.---.>>----.+++++++++++++++.
Run it at https://sange.fi/esoteric/brainfuck/impl/interp/i.html.
noob{N0t_4lw4y5_br41n}
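The symbol swap and the run can also be done offline. The following added example (not from the original writeup) applies the mapping listed above and executes the result with a small interpreter; `OBFUSCATED` is constructed here by inverting the restored program, because the challenge's original text is not on this page, and the function names and step limit are assumptions.

```python
# Symbol table listed above: obfuscated character -> brainfuck character.
SWAP = str.maketrans("-]<>[+,", "+[><]-.")

# Restored program as shown above.
PROGRAM = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++.+..-------------.+++++++++++++++++++++++++.<++++++++.<++++++++++++++++++.>>-------.<+++++++++++++++++.<++++.>>--------.+++++++++++.<<.>>++.<<+.>.+++.>-------.<<-.---.>>----.+++++++++++++++."

# Constructed input: the restored program pushed back through the inverse table.
OBFUSCATED = PROGRAM.translate(str.maketrans("+[><]-.", "-]<>[+,"))


def restore(text):
    """Undo the symbol swap; characters outside the table pass through."""
    return text.translate(SWAP)


def run(code, max_steps=1_000_000):
    """Execute brainfuck and return its output; ',' reads as 0 (no input)."""
    jump, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            jump[i] = stack.pop()
            jump[jump[i]] = i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):  # bound the run so malformed input cannot spin forever
        if pc >= len(code):
            return "".join(out)
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    raise RuntimeError("step limit reached")


if __name__ == "__main__":
    print(run(restore(OBFUSCATED)))
```

Running the swapped text without restoring it fails the bracket check immediately, which is a quick sign that the symbols have been permuted rather than the program being damaged.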
BASEd (Crypto 150)
Base85-decode, then base58-decode.
    #!/usr/bin/env python3
    import base64
    import base58

    enc = '1c@^(9l;sa2c3Ln20_Mf<&&Vs<r'
    # Ascii85 layer first, then base58
    flag = base58.b58decode(base64.a85decode(enc))
    print(flag)
noob{base58_85}
Aar_Ess_Ae 2.0 (Crypto 200)
Factor n with Fermat's method. After that, decrypt as usual.
    # Python 2
    from Crypto.Util.number import *

    def isqrt(n):
        # integer square root by Newton's iteration
        x = n
        y = (x + n // x) // 2
        while y < x:
            x = y
            y = (x + n // x) // 2
        return x

    def fermat(n):
        # search for x, y with x*x - y*y == n, so n = (x - y) * (x + y)
        x = isqrt(n) + 1
        y = isqrt(x * x - n)
        while True:
            w = x * x - n - y * y
            if w == 0:
                break
            elif w > 0:
                y += 1
            else:
                x += 1
        return x - y, x + y

    n = 1209143407476550975641959824312993703149920344437422193042293131572745298662696284279928622412441255652391493241414170537319784298367821654726781089600780498369402167443363862621886943970468819656731959468058528787895569936536904387979815183897568006750131879851263753496120098205966442010445601534305483783759226510120860633770814540166419495817666312474484061885435295870436055727722073738662516644186716532891328742452198364825809508602208516407566578212780807
    e = 65537
    c = 479864533376761605695501447173868480555428955121197237667644363164782871896916177280454277070395501072881821206028710238061428135752902868021510351013602427444705377461961807606024656743172785917677779391848195684330103645049456693618142623342949445393135435605296850775153054696353591431012573391751673267024658145416936335505273041995697052197680305689264142043959382559774510439925577487721780439642813074520685265074584526487330950173513520723457640547997316

    p, q = fermat(n)
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)
    m = pow(c, d, n)
    flag = long_to_bytes(m)
    print flag
noob{Primes_Can_B3_Saxy_T00}
Whatever It Takes!! (Crypto 200)
Convert the ASCII codes to characters. The result starts with gAAAA, so I guessed it is Fernet encryption. The key has to be a URL-safe base64 string. Applying ROT47 turns it into a base64 string.
e1o6A1qXqFvaG77XpHZTxOcnepxXYIJlGj0GqpLXltQ=
From there, decode step by step, applying at each stage the decoding that matches the result.
Fernet decryption → base64 decode → ASCII code decode
    # Python 2
    from cryptography.fernet import Fernet

    codes = '67 41 41 41 41 41 42 65 30 6c 79 75 31 6b 7a 4a 78 49 67 48 69 4d 65 67 38 6e 6a 4f 5a 6d 5f 38 48 32 6f 4a 5a 74 4d 4f 52 2d 62 68 70 2d 6f 7a 7a 6e 43 46 6b 6b 59 35 48 33 6c 39 42 47 31 64 4b 68 37 6b 70 66 5f 4f 4b 61 48 52 4a 6b 57 54 70 7a 62 5a 75 4f 75 6f 71 35 36 2d 52 66 45 68 36 41 45 46 75 4d 4f 59 6e 36 65 67 55 59 64 51 6a 61 37 6b 78 79 6d 67 59 32 38 36 62 49 48 72 45 45 41 6b 62 65 47 4a 78 75 67 4f 73 44 66 46 4d 2d 72 63 37 7a 62 61 35 61 69 4e 61 45 5a 45 78 69 57 72 50 57 30 4a 57 38 48 53 66 49 54 54 4d 54 72 54 6a 38 36 57 65 71 66 68 53 48 58 6b 32 48 78 71 53 4c 34 4f 35 33 63 71 58 52 65 76 34 4f 38 75 7a 44 6a 78 66 70 50 33 4b 44 42 78 5f 37 4a 74 58 61 73 53 79 4a 46 36 56 45 4f 4a 54 52 77 49 7a 64 45 75 56 7a 65 70 41 4c 44 5f 53 76 4c 72 63 5f 65 43 50 30 77 51 4b 47 71 50 63 41 6f 38 6f 71 78 73 34 74 6e 4c 52 48 35 74 6e 71 4c 73 64 47 6f 74 37 4e 46 58 6d 37 35 45 6e 78 42 7a 6c 38 42 62 37 77 59 61 41 6e 54 7a 53 59 56 64 47 51 53 59 79 4f 43 64 44 53 37 72 4d 75 4a 34 6f 33 63 72 49 49 5a 31 48 30 4a 62 61 31 6c 6f 75 5f 52 46 6e 63 74 31 64 63 47 37 65 5f 4a 6e 6a 54 35 6e 68 5a 5a 64 61 30 41 72 42 7a 6e 39 30 45 61 72 32 6d 7a 61'
    codes = codes.split(' ')
    key = 'e1o6A1qXqFvaG77XpHZTxOcnepxXYIJlGj0GqpLXltQ='

    # hex ASCII codes -> Fernet token
    ct = ''
    for code in codes:
        ct += chr(int(code, 16))
    print ct

    # Fernet decryption -> base64 text
    f = Fernet(key)
    b64 = f.decrypt(ct)
    print b64

    # base64 -> ';'-separated decimal character codes
    codes = b64.decode('base64')
    print codes

    codes = codes.split(';')[:-1]
    flag = ''
    for code in codes:
        # drop the two-character prefix of each item and keep the number
        flag += chr(int(code[2:]))
    print flag
The execution result is as follows.
    gAAAAABe0lyu1kzJxIgHiMeg8njOZm_8H2oJZtMOR-bhp-ozznCFkkY5H3l9BG1dKh7kpf_OKaHRJkWTpzbZuOuoq56-RfEh6AEFuMOYn6egUYdQja7kxymgY286bIHrEEAkbeGJxugOsDfFM-rc7zba5aiNaEZExiWrPW0JW8HSfITTMTrTj86WeqfhSHXk2HxqSL4O53cqXRev4O8uzDjxfpP3KDBx_7JtXasSyJF6VEOJTRwIzdEuVzepALD_SvLrc_eCP0wQKGqPcAo8oqxs4tnLRH5tnqLsdGot7NFXm75EnxBzl8Bb7wYaAnTzSYVdGQSYyOCdDS7rMuJ4o3crIIZ1H0Jba1lou_RFnct1dcG7e_JnjT5nhZZda0ArBzn90Ear2mza
    JiMxMTA7JiMxMTE7JiMxMTE7JiM5ODsmIzEyMzsmIzEwMjsmIzEwMTsmIzExNDsmIzExMDsmIzUxOyYjMTE2OyYjOTU7JiM5ODsmIzk3OyYjOTg7JiM1MTsmIzk1OyYjMTIxOyYjMTExOyYjMTE3OyYjOTU7JiM5NzsmIzExNDsmIzUxOyYjOTU7JiMxMDg7JiM1MTsmIzUxOyYjMTE2OyYjMTI1Ow==
    noob{fern3t_bab3_you_ar3_l33t}
noob{fern3t_bab3_you_ar3_l33t}
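Why `gAAAA` points to Fernet and how the ROT47 step can be checked, as an added example that is not from the original writeup: a Fernet token begins with version byte 0x80 followed by a 64-bit timestamp, and a Fernet key is URL-safe base64 for exactly 32 bytes. `SCRAMBLED_KEY` is constructed by applying ROT47 to the key above (ROT47 is its own inverse); the function names are assumptions.

```python
import base64
import struct

KEY = "e1o6A1qXqFvaG77XpHZTxOcnepxXYIJlGj0GqpLXltQ="  # key shown above
TOKEN_HEAD = "gAAAAABe0lyu"  # first 12 characters of the token shown above


def rot47(text):
    """Rotate printable ASCII (33..126) by 47 positions; self-inverse."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


# Constructed input: the key above with ROT47 applied (not the challenge's own text).
SCRAMBLED_KEY = rot47(KEY)


def is_fernet_key(text):
    """True if text is URL-safe base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(text, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def recover_key(candidate):
    """Return candidate, or its ROT47 image, whichever is a valid Fernet key."""
    for guess in (candidate, rot47(candidate)):
        if is_fernet_key(guess):
            return guess
    return None


def fernet_header(token):
    """Decode the first 9 bytes of a token: (version byte, Unix timestamp)."""
    head = base64.urlsafe_b64decode(token[:12])
    version, timestamp = struct.unpack(">BQ", head)
    return version, timestamp


if __name__ == "__main__":
    print(SCRAMBLED_KEY, "->", recover_key(SCRAMBLED_KEY))
    print("token header:", fernet_header(TOKEN_HEAD))
```

The leading zero bytes of the 64-bit timestamp are what produce the run of `A` characters after `g` in every current Fernet token.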
CrackMeh (Crypto 250)
    $ cat diary.txt
     _________________________
    |                       |
    |                       |
    |                       |
    |   Alice               |
    |   January             |
    |   1994                |
    |   USA                 |
    |   25                  |
    |   Security            |
    |                       |
    |                       |
    |_______________________|
We can guess that the password is a combination of the words in diary.txt. Brute-force the permutations and look for the one that produces the target hash.
    # Python 2
    import itertools
    import hashlib

    words = ['Alice', 'January', '1994', 'USA', '25', 'Security']
    h = '4ee805f9397a1d584ef9be9d2a4f8f20'

    found = False
    for i in range(1, 6):
        # try every ordering of i words from the diary
        for c in itertools.permutations(words, i):
            password = ''.join(c)
            if hashlib.md5(password).hexdigest() == h:
                found = True
                flag = 'noob{%s}' % password
                print flag
                break
        if found:
            break
noob{AliceSecurity1994}
Frequency (Crypto 250)
    1209-770 4
    1209-770 4
    1477-697 3
    1477-697 3
    1336-770 5
    1336-770 5
    1336-770 5
    1336-770 5
    1336-770 5
    1336-770 5
    1477-770 6
    1477-770 6
    1477-770 6
    1477-697 3
    1336-852 8
    1477-770 6
    1477-697 3
    1477-697 3
    1477-697 3
HELLODTMF
noob{HELLODTMF}
Advance encryption? (Crypto 350)
Factor n.
    $ python -m primefac 5213936838598025476406773600757883525776134995009803681465641880888029093835800233953718894138597565310162127551788614597742425271834718964513945747581899300290605379743433295672314493845697189625161255657818148643700724061436274982882278021569106212730254013026777063397622073627010492938330136855886111795773721
    5213936838598025476406773600757883525776134995009803681465641880888029093835800233953718894138597565310162127551788614597742425271834718964513945747581899300290605379743433295672314493845697189625161255657818148643700724061436274982882278021569106212730254013026777063397622073627010492938330136855886111795773721: 37811 137894708910053303969923397973020642822885800296469378790977278593214384539837619580379225467154996305576740301811341001236212352803012852463937630519740268712559979364296984889908082141326523753012648585274606560093642698194606727748070085995321631608004390601327049361234087266324892040367357035145489719811
n = 37811 * 137894708910053303969923397973020642822885800296469378790977278593214384539837619580379225467154996305576740301811341001236212352803012852463937630519740268712559979364296984889908082141326523753012648585274606560093642698194606727748070085995321631608004390601327049361234087266324892040367357035145489719811
After that, decrypt as usual.
7A392A1577F7921D840A5DD8BC5C2C184DE17387E68D6168,b15bfdaa5c0e3a1ae9d2b435cdee81eba9e037d99bae6fb7f79bb00a6e1903fb
This did not give a flag, but the challenge talked about a cipher stronger than DES and weaker than AES, so I decrypt with 3DES, taking the part before the comma as the key and the part after it as the ciphertext.
    # Python 2
    from Crypto.Util.number import *
    from Crypto.Cipher import DES3

    def unpad(s):
        # strip the padding: the last byte gives the padding length
        return s[:-ord(s[-1])]

    N = 5213936838598025476406773600757883525776134995009803681465641880888029093835800233953718894138597565310162127551788614597742425271834718964513945747581899300290605379743433295672314493845697189625161255657818148643700724061436274982882278021569106212730254013026777063397622073627010492938330136855886111795773721
    e = 65537
    ct = 1318662676012529027719356593897795240255894626324734057679095070946627050031960058953695686381615923039181791966536008755483122090144422057413223859758218760258478899092958126133112186690655374761969096836593572888239450083333192693873889204362146378414307476977579570911929579923802717779725077182959279149667910

    p = 37811
    q = 137894708910053303969923397973020642822885800296469378790977278593214384539837619580379225467154996305576740301811341001236212352803012852463937630519740268712559979364296984889908082141326523753012648585274606560093642698194606727748070085995321631608004390601327049361234087266324892040367357035145489719811

    # RSA decryption with the recovered factors
    phi = (p - 1)* (q - 1)
    d = inverse(e, phi)
    m = pow(ct, d, N)
    pt = long_to_bytes(m)
    print pt

    # the plaintext is "<3DES key hex>,<ciphertext hex>"
    key = pt.split(',')[0].decode('hex')
    enc = pt.split(',')[1].decode('hex')

    cipher = DES3.new(key, DES3.MODE_ECB)
    flag = unpad(cipher.decrypt(enc))
    print flag
The execution result is as follows.
    7A392A1577F7921D840A5DD8BC5C2C184DE17387E68D6168,b15bfdaa5c0e3a1ae9d2b435cdee81eba9e037d99bae6fb7f79bb00a6e1903fb
    noob{3des_1s_a_g00d_encrYpt1oN}
noob{3des_1s_a_g00d_encrYpt1oN}