This contest ran from 2020/8/9 02:00 (JST) to 2020/8/10 02:00 (JST).
I took part as a team again. We finished 33rd out of 333 teams with 1651 points.
Below are writeups for the challenges I solved myself.
Gallery (Foren)
Opening the image in Autopsy shows that it holds a large number of pictures. There is a Steghide folder, so the flag is presumably embedded with steghide. Export Wallpaper_HD_19756487Ef4.jpg.
[$RECYCLE.BIN]-[S-1-5-....]-[$RK1ODPJ.txt] contains a list of random-looking strings. Try using it as a password list for a brute force, with the tool at https://github.com/Va5c0/Steghide-Brute-Force-Tool. Rename $RK1ODPJ.txt to wordlist.txt and run it.
```
$ python steg_brute.py -b -d wordlist.txt -f Wallpaper_HD_19756487Ef4.jpg
[i] Searching...
  6%|####                                            |
wrote extracted data to "Wallpaper_HD_19756487Ef4_flag.txt".
[+] Information obtained with password: fs6-K*Qa!qeG5Jv.URBx8)]Zu%
Poseidon{uR3_4_G00D_AN4Ly5t}
```
Poseidon{uR3_4_G00D_AN4Ly5t}
sh_tty ransomware (Foren)
```
$ volatility -f ShittyRansom.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\CTF\work\ShittyRansom.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028070a0L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002808d00L
                KPCR for CPU 1 : 0xfffff880009eb000L
                KPCR for CPU 2 : 0xfffff880030a9000L
                KPCR for CPU 3 : 0xfffff8800311f000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-05-13 17:58:35 UTC+0000
     Image local date and time : 2020-05-13 10:58:35 -0700

$ volatility -f ShittyRansom.raw --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8002221b30:explorer.exe                     1732   1612     35    945 2020-05-13 17:56:50 UTC+0000
. 0xfffffa80021d0b30:notepad.exe                     3456   1732      2     64 2020-05-13 17:57:20 UTC+0000
. 0xfffffa800224a060:notepad.exe                     3136   1732      2     64 2020-05-13 17:58:16 UTC+0000
. 0xfffffa8002633b30:chrome.exe                      2060   1732     32    737 2020-05-13 17:57:10 UTC+0000
.. 0xfffffa80025f0b30:chrome.exe                     2196   2060      9     82 2020-05-13 17:57:11 UTC+0000
.. 0xfffffa800281f710:chrome.exe                     3368   2060     15    218 2020-05-13 17:57:16 UTC+0000
.. 0xfffffa800273bb30:chrome.exe                     2744   2060     17    313 2020-05-13 17:57:11 UTC+0000
.. 0xfffffa80026d56a0:chrome.exe                     3252   2060     11    189 2020-05-13 17:57:13 UTC+0000
.. 0xfffffa80026552e0:chrome.exe                     2044   2060      3     55 2020-05-13 17:57:11 UTC+0000
.. 0xfffffa8001e37b30:chrome.exe                     3300   2060     15    219 2020-05-13 17:57:14 UTC+0000
. 0xfffffa80020c9a30:notepad.exe                     3144   1732      2     64 2020-05-13 17:58:04 UTC+0000
. 0xfffffa80024402a0:notepad.exe                     2424   1732      2     64 2020-05-13 17:58:08 UTC+0000
. 0xfffffa80021b8060:notepad.exe                     3184   1732      2     64 2020-05-13 17:57:52 UTC+0000
. 0xfffffa80021df060:DumpIt.exe                      1924   1732      2     51 2020-05-13 17:58:33 UTC+0000
. 0xfffffa8002730b30:notepad.exe                     2752   1732      2     64 2020-05-13 17:57:58 UTC+0000
. 0xfffffa800230ab30:VBoxTray.exe                    1788   1732     15    148 2020-05-13 17:56:51 UTC+0000
. 0xfffffa8001f1d060:notepad.exe                     2948   1732      2     64 2020-05-13 17:58:02 UTC+0000
 0xfffffa8000cc7460:csrss.exe                         388    372     10    343 2020-05-14 01:56:43 UTC+0000
. 0xfffffa8000d59b30:conhost.exe                     1432    388      2     55 2020-05-13 17:58:34 UTC+0000
 0xfffffa8001d4b060:winlogon.exe                      416    372      6    120 2020-05-14 01:56:44 UTC+0000
 0xfffffa80014fcb30:csrss.exe                         344    332     12    499 2020-05-14 01:56:43 UTC+0000
 0xfffffa8000cc4860:wininit.exe                       380    332      4     84 2020-05-14 01:56:43 UTC+0000
. 0xfffffa8001d9a910:services.exe                     472    380     12    210 2020-05-14 01:56:44 UTC+0000
.. 0xfffffa80025519f0:svchost.exe                    2664    472     10    356 2020-05-13 17:56:59 UTC+0000
.. 0xfffffa8002189060:svchost.exe                     900    472      6     46 2020-05-13 17:58:05 UTC+0000
.. 0xfffffa8002386060:SearchIndexer.                 2288    472     14    585 2020-05-13 17:56:57 UTC+0000
... 0xfffffa80024b7300:SearchProtocol                2472   2288      8    285 2020-05-13 17:56:58 UTC+0000
... 0xfffffa80024c2a10:SearchFilterHo                2492   2288      6     95 2020-05-13 17:56:58 UTC+0000
.. 0xfffffa800247c6d0:wmpnetwk.exe                   2384    472     17    466 2020-05-13 17:56:58 UTC+0000
.. 0xfffffa8001ee2530:svchost.exe                     820    472     23    524 2020-05-13 17:56:49 UTC+0000
... 0xfffffa8001f51060:audiodg.exe                    968    820      8    140 2020-05-13 17:56:49 UTC+0000
.. 0xfffffa8001e6b970:svchost.exe                     592    472     13    373 2020-05-14 01:56:45 UTC+0000
... 0xfffffa80025bb360:WmiPrvSE.exe                  2860    592      9    123 2020-05-13 17:56:59 UTC+0000
... 0xfffffa8001501220:WmiPrvSE.exe                  3000    592      7    136 2020-05-13 17:57:12 UTC+0000
.. 0xfffffa8001ea1b30:svchost.exe                     724    472      8    292 2020-05-13 17:56:49 UTC+0000
.. 0xfffffa8002025740:spoolsv.exe                    1116    472     15    315 2020-05-13 17:56:49 UTC+0000
.. 0xfffffa8001ee4b30:svchost.exe                     864    472     33    524 2020-05-13 17:56:49 UTC+0000
... 0xfffffa80021fbb30:dwm.exe                       1656    864      6     87 2020-05-13 17:56:50 UTC+0000
.. 0xfffffa8001e88b30:VBoxService.ex                  656    472     14    142 2020-05-14 01:56:46 UTC+0000
.. 0xfffffa80021a89e0:taskhost.exe                   1508    472     12    187 2020-05-13 17:56:50 UTC+0000
.. 0xfffffa8001f29b30:svchost.exe                     892    472     52    924 2020-05-13 17:56:49 UTC+0000
... 0xfffffa80021c9b30:taskeng.exe                   1580    892      8     89 2020-05-13 17:56:50 UTC+0000
.. 0xfffffa8001f7ab30:svchost.exe                     236    472     21    552 2020-05-13 17:56:49 UTC+0000
.. 0xfffffa80020d8b30:svchost.exe                    1256    472     26    367 2020-05-13 17:56:50 UTC+0000
.. 0xfffffa8001fa2b30:svchost.exe                     760    472     19    392 2020-05-13 17:56:49 UTC+0000
.. 0xfffffa800204d5f0:svchost.exe                    1148    472     21    329 2020-05-13 17:56:49 UTC+0000
. 0xfffffa8001dabb30:lsass.exe                        488    380     10    725 2020-05-14 01:56:44 UTC+0000
. 0xfffffa8001dac370:lsm.exe                          496    380     10    152 2020-05-14 01:56:44 UTC+0000
 0xfffffa8000cbc040:System                              4      0     95    546 2020-05-14 01:56:41 UTC+0000
. 0xfffffa800158f720:smss.exe                         272      4      2     32 2020-05-14 01:56:41 UTC+0000
 0xfffffa800215ab30:GoogleCrashHan                    2200   1856      6    106 2020-05-13 17:56:55 UTC+0000
 0xfffffa80023e1b30:GoogleCrashHan                    2212   1856      6     99 2020-05-13 17:56:56 UTC+0000

$ volatility -f ShittyRansom.raw --profile=Win7SP1x64 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    272
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    344
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid:    380
Command line : wininit.exe
************************************************************************
csrss.exe pid:    388
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    416
Command line : winlogon.exe
************************************************************************
services.exe pid:    472
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid:    488
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid:    496
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid:    592
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
VBoxService.ex pid:    656
Command line : C:\Windows\System32\VBoxService.exe
************************************************************************
svchost.exe pid:    724
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:    820
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid:    864
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid:    892
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
audiodg.exe pid:    968
Command line : C:\Windows\system32\AUDIODG.EXE 0x2cc
************************************************************************
svchost.exe pid:    236
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid:    760
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid:   1116
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid:   1148
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
svchost.exe pid:   1256
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
taskhost.exe pid:   1508
Command line : "taskhost.exe"
************************************************************************
taskeng.exe pid:   1580
Command line : taskeng.exe {0597A842-F8F4-49DC-AC5F-37624EB57D95}
************************************************************************
dwm.exe pid:   1656
Command line : "C:\Windows\system32\Dwm.exe"
************************************************************************
explorer.exe pid:   1732
Command line : C:\Windows\Explorer.EXE
************************************************************************
VBoxTray.exe pid:   1788
Command line : "C:\Windows\System32\VBoxTray.exe"
************************************************************************
GoogleCrashHan pid:   2200
Command line : "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe"
************************************************************************
GoogleCrashHan pid:   2212
Command line : "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe"
************************************************************************
SearchIndexer. pid:   2288
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
wmpnetwk.exe pid:   2384
Command line : "C:\Program Files\Windows Media Player\wmpnetwk.exe"
************************************************************************
SearchProtocol pid:   2472
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
************************************************************************
SearchFilterHo pid:   2492
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
************************************************************************
svchost.exe pid:   2664
Command line : C:\Windows\System32\svchost.exe -k LocalServicePeerNet
************************************************************************
WmiPrvSE.exe pid:   2860
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
chrome.exe pid:   2060
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
************************************************************************
chrome.exe pid:   2196
Command line :
************************************************************************
chrome.exe pid:   2044
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1676 --on-initialized-event-handle=356 --parent-handle=360 /prefetch:6
************************************************************************
chrome.exe pid:   2744
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1072,15270778693027294801,9745975019180023779,131072 --lang=fr --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1364 /prefetch:8
************************************************************************
WmiPrvSE.exe pid:   3000
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
chrome.exe pid:   3252
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,15270778693027294801,9745975019180023779,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2660 --ignored=" --type=renderer " /prefetch:2
************************************************************************
chrome.exe pid:   3300
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,15270778693027294801,9745975019180023779,131072 --disable-gpu-compositing --lang=fr --enable-auto-reload --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1212 /prefetch:1
************************************************************************
chrome.exe pid:   3368
Command line : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,15270778693027294801,9745975019180023779,131072 --disable-gpu-compositing --lang=fr --enable-auto-reload --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
************************************************************************
notepad.exe pid:   3456
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\Desktop\New Text Document.txt
************************************************************************
notepad.exe pid:   3184
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\SomeText.txt.trident
************************************************************************
notepad.exe pid:   2752
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\back.jpg.trident
************************************************************************
notepad.exe pid:   2948
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\fag.png.trident
************************************************************************
notepad.exe pid:   3144
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\interesting.txt.trident
************************************************************************
svchost.exe pid:    900
Command line : C:\Windows\System32\svchost.exe -k WerSvcGroup
************************************************************************
notepad.exe pid:   2424
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\Official Song.mp4.trident
************************************************************************
notepad.exe pid:   3136
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\trident.png.trident
************************************************************************
DumpIt.exe pid:   1924
Command line : "\\VBoxSvr\files\DumpIt.exe"
************************************************************************
conhost.exe pid:   1432
Command line : \??\C:\Windows\system32\conhost.exe

$ volatility --plugins=../plugins -f ShittyRansom.raw --profile=Win7SP1x64 chromehistory
Volatility Foundation Volatility Framework 2.6
Index  URL                                                                              Title                                                        Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- ------------------------------------------------------------ ------ ----- -------------------------- ------ ----------
    10 https://drive.google.com/file/d/1eamcX0OtJ8h3mZNjlDmtGXJOyEcG2jbY/view           Pro Evolution Soccer 2010.zip - Google Drive                      1     0 2020-05-13 07:21:54.527242        N/A
     8 https://drive.google.com/open?id=1eamcX0OtJ8h3mZNjlDmtGXJOyEcG2jbY               Pro Evolution Soccer 2010.zip - Google Drive                      1     0 2020-05-13 07:21:54.237811        N/A
     9 https://drive.google.com/file/d/1eamcX0...NjlDmtGXJOyEcG2jbY/view?usp=drive_open Pro Evolution Soccer 2010.zip - Google Drive                      1     0 2020-05-13 07:21:54.237811        N/A
     7 https://pastebin.com/fmpBzj2C                                                    pro10 light version - Pastebin.com                                1     0 2020-05-13 07:21:45.381857        N/A
     4 https://www.google.com/search?q=pro+evo...33l7.9999j0j7&sourceid=chrome&ie=UTF-8 pro evolution soccer 2010 light download - Recherche Google       2     0 2020-05-13 07:18:17.625930        N/A
     3 https://www.youtube.com/watch?v=A3MgzlsCeVo                                      PES 2010 PC Gameplay HD - YouTube                                 1     0 2020-05-13 07:17:59.207101        N/A
     2 https://www.google.com/search?q=pro+evo...57j0.9560j0j7&sourceid=chrome&ie=UTF-8 pro evolution soccer 2010 gameplay - Recherche Google             2     0 2020-05-13 07:17:55.711970        N/A
     1 http://sousse.love/                                                                                                                               1     1 2020-05-13 05:22:53.510016        N/A
     1 http://sous��/Z*���                                                                                                                                1     1 1601-01-01 00:00:00               N/A
```
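The cmdline listing above is the kind of evidence worth scripting over: several notepad.exe instances hold files whose original names have gained a .trident suffix, which is the renamed-file trace a ransomware sample leaves behind. As an added example (not part of the original writeup, and not the challenge's own tooling), here is a small Python parser for the Volatility 2 `cmdline` output layout that lists every process holding a file with a given extension. The sample text is constructed to mirror that layout using the process names, pids and paths seen above; it is not a verbatim copy of the plugin output.

```python
import re

# Constructed sample in the layout of `volatility ... cmdline` output. The
# names, pids and paths mirror the writeup, but the text itself is made up
# for this example rather than copied from the memory image.
SAMPLE_CMDLINE = r"""
************************************************************************
explorer.exe pid:   1732
Command line : C:\Windows\Explorer.EXE
************************************************************************
notepad.exe pid:   3456
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\Desktop\New Text Document.txt
************************************************************************
notepad.exe pid:   3184
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\SomeText.txt.trident
************************************************************************
notepad.exe pid:   2424
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\PoseidonCTF\myfiles\Official Song.mp4.trident
************************************************************************
DumpIt.exe pid:   1924
Command line : "\\VBoxSvr\files\DumpIt.exe"
************************************************************************
chrome.exe pid:   2196
Command line :
"""

# One block per process, delimited by the plugin's asterisk rulers.
SEPARATOR_RE = re.compile(r"^\*{20,}\s*$", re.MULTILINE)
HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)", re.MULTILINE)
CMDLINE_RE = re.compile(r"^Command line :\s?(?P<cmd>.*)$", re.MULTILINE)


def parse_cmdline(text):
    """Split the plugin output into one dict per process (name, pid, cmdline)."""
    entries = []
    for block in SEPARATOR_RE.split(text):
        header = HEADER_RE.search(block)
        if not header:
            continue  # preamble or an empty block, nothing to record
        cmd = CMDLINE_RE.search(block)
        entries.append({
            "name": header.group("name"),
            "pid": int(header.group("pid")),
            "cmdline": cmd.group("cmd").strip() if cmd else "",
        })
    return entries


def paths_with_extension(cmdline, ext):
    """Every drive-letter path on the command line that ends in `ext`.
    Paths may contain spaces (e.g. "Official Song.mp4.trident"), so the
    match runs up to the next quote or end of line instead of whitespace."""
    pattern = r'[A-Za-z]:\\[^"]*?' + re.escape(ext) + r'(?=\s|"|$)'
    return re.findall(pattern, cmdline)


def find_encrypted_files(text, ext=".trident"):
    """(process name, pid, path) for each process holding a file with `ext`."""
    hits = []
    for entry in parse_cmdline(text):
        for path in paths_with_extension(entry["cmdline"], ext):
            hits.append((entry["name"], entry["pid"], path))
    return hits


if __name__ == "__main__":
    for name, pid, path in find_encrypted_files(SAMPLE_CMDLINE):
        print(f"{name:<12} {pid:>6}  {path}")
```

Run against the real plugin output (for example `volatility ... cmdline > cmdline.txt` and then `find_encrypted_files(open("cmdline.txt").read())`), the extension argument is what changes from case to case; everything else in the layout is stable across Volatility 2 plugins that print per-process blocks.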
The Chrome history shows some suspicious visits. Download Pro Evolution Soccer 2010.zip from https://drive.google.com/open?id=1eamcX0OtJ8h3mZNjlDmtGXJOyEcG2jbY. Looking at https://pastebin.com/fmpBzj2C reveals that the zip's password is "pes10". Extract Pro Evolution Soccer 2010.zip with this password, run Malware.exe, and capture the traffic with Wireshark.
The captured packets show it contacting http://23.97.198.147:32841/kitty?hostname=3c09d32e6d7824ef2ef266dda2c5e1b8. Visiting http://23.97.198.147:32841/ displayed the flag.
Poseidon{HUh_u'R3_G0OD_4t_D1gG1nG}
Triplet Bits Encryption (Crypto)
The encryption process is as follows.
- key1 to key3: 32 bytes of random data each
- Repeat the following 256 times:
  - flagbin: the flag as a binary string
  - For each index i over the length of flagbin:
    - key1 to key3: replaced by the sha256 of key1 to key3
    - keybit1 to keybit3: the least significant bit of key1 to key3 as binary numbers
    - compute mixkeybit(keybit1, keybit2, keybit3) ^ int(flagbin[i]) and append it to the ciphertext string
The result of mixkeybit for each combination of key bits is as follows (columns are keybit1, keybit2, keybit3).
```
123
000 -> 0
001 -> 1
010 -> 0
011 -> 0
100 -> 1
101 -> 1
110 -> 1
111 -> 1
```
The output is slightly more likely to be 1. Since it is XORed with each flag bit, over the 256 rounds the value that appears less often in a column is the more likely value of that flagbin bit. The flag can be recovered from this.
```python
from Crypto.Util.number import long_to_bytes

# output.txt holds the 256 ciphertext bit strings, one per line
with open('output.txt', 'r') as f:
    lines = f.read().split('\n')[:-1]

flagbin = ''
for i in range(len(lines[0])):
    counts = [0, 0]
    for j in range(256):
        if lines[j][i] == '0':
            counts[0] += 1
        else:
            counts[1] += 1
    # mixkeybit is biased towards 1, so the minority value is the flag bit
    if counts[0] < counts[1]:
        flagbin += '0'
    else:
        flagbin += '1'

flag = long_to_bytes(int(flagbin, 2))
print(flag)
```
Poseidon{7h3_u53_0f_pr0b4b1l17y_15_57r0n6}
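To see why the majority vote works, it helps to run the scheme end to end. The following is an added example (my own code, not the challenge's source or the writeup's solver): it re-implements the encryption exactly as described above, using the mixkeybit truth table from the writeup, then recovers a constructed flag from the 256 ciphertext lines and reports how close the closest vote came. Assumptions not stated on the page are labelled in comments: flagbin is taken as the big-endian integer form of the flag, the chained key is the raw 32-byte sha256 digest, and the three keys come from a seeded PRNG rather than true random bytes.

```python
import hashlib
import random

# Truth table of mixkeybit as tabulated in the writeup:
# (keybit1, keybit2, keybit3) -> output bit. Five of the eight inputs give 1.
MIXKEYBIT = {
    (0, 0, 0): 0, (0, 0, 1): 1, (0, 1, 0): 0, (0, 1, 1): 0,
    (1, 0, 0): 1, (1, 0, 1): 1, (1, 1, 0): 1, (1, 1, 1): 1,
}
ROUNDS = 256


def mixkeybit(b1, b2, b3):
    return MIXKEYBIT[(b1, b2, b3)]


def bias():
    """P(mixkeybit == 1) for uniformly random key bits: 5/8."""
    return sum(MIXKEYBIT.values()) / len(MIXKEYBIT)


def flag_to_bits(flag):
    # Assumption: the challenge's flagbin is the big-endian integer form of the flag.
    return bin(int.from_bytes(flag, "big"))[2:]


def bits_to_flag(bits):
    return int(bits, 2).to_bytes((len(bits) + 7) // 8, "big")


def make_keys(seed):
    """Three 32-byte keys from a seeded PRNG (constructed; the challenge used random bytes)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(32)) for _ in range(3)]


def encrypt(flag, keys, rounds=ROUNDS):
    """The scheme as the writeup describes it: for every round and every flag
    bit, replace each key by its sha256, take the least significant bit of
    each key, and XOR mixkeybit of those bits with the flag bit.
    Assumption: the chained key is the raw 32-byte digest."""
    keys = list(keys)
    flagbin = flag_to_bits(flag)
    lines = []
    for _ in range(rounds):
        out = []
        for bit in flagbin:
            keys = [hashlib.sha256(k).digest() for k in keys]
            keybits = [k[-1] & 1 for k in keys]   # LSB of the key as a number
            out.append(str(mixkeybit(*keybits) ^ int(bit)))
        lines.append("".join(out))
    return lines


def recover(lines):
    """Majority vote per column. mixkeybit is 1 with probability 5/8, so each
    ciphertext column is dominated by (1 XOR flag bit); the minority value is
    the flag bit itself. Ties fall to '1', matching the writeup's solver."""
    width = len(lines[0])
    bits = []
    for i in range(width):
        ones = sum(1 for line in lines if line[i] == "1")
        zeros = len(lines) - ones
        bits.append("0" if zeros < ones else "1")
    return bits_to_flag("".join(bits))


def margin(lines):
    """Smallest |ones - zeros| over all columns: how close the vote came.
    With 256 rounds the expected gap is 64, so a small value flags a risky column."""
    return min(abs(2 * sum(1 for line in lines if line[i] == "1") - len(lines))
               for i in range(len(lines[0])))


if __name__ == "__main__":
    flag = b"Poseidon{constructed_demo_flag}"  # constructed, not the real flag
    ct = encrypt(flag, make_keys(2020))
    print(recover(ct), "minimum vote margin:", margin(ct))
```

The bias is what makes the attack work: each column is 256 Bernoulli samples with p = 5/8, so the expected gap between ones and zeros is 64 with a standard deviation of about 7.7, and a wrong vote on any single column is a roughly four-sigma event. A design that wanted mixkeybit to be a usable keystream would need a balanced truth table, at which point the XOR with a fresh bit per round would leave nothing for the vote to exploit.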