この大会は2021/2/6 13:30(JST)~2021/2/7 1:30(JST)に開催されました。
今回もチームで参戦。結果は4156点で355チーム中16位でした。
自分で解けた問題をWriteupとして書いておきます。
Sanity Check (Misc)
問題にフラグが書いてあった。
Trollcat{Y0u_ar3_s4ne}
Discord (Misc)
Discordに入り、#miscチャネルのトピックを見ると、フラグが書いてあった。
Trollcat{L3t's_B3g1n_Th3_G4m3}
Social Challenge (Misc)
いろんなチャネルのトピックにこう書いてある。
search @cscodershub on Youtube, Twitter, Instagram and Linkedin to follow us
Youtubeで検索してみると以下のページが見つかった。
https://www.youtube.com/channel/UCboUwuCmX4d313yhtxfgBjQ
このページの概要タブにフラグが書いてあった。
Trollcat{c5c0d3rshub_y0utub3_Ch4nn3l}
Rich Orphan (Misc)
passwdとshadowの情報が入っているので、クラックする。
$ awk 'NR==3' RichOrphan.txt > passwd $ awk 'NR==2' RichOrphan.txt > shadow $ unshadow passwd shadow > passwd_shadow $ john --wordlist=dict/rockyou.txt passwd_shadow Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long" Use the "--format=md5crypt-long" option to force loading these as that type instead Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-opencl" Use the "--format=md5crypt-opencl" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status batman (sys) 1g 0:00:00:00 DONE (2021-02-06 21:07) 2.941g/s 847.0p/s 847.0c/s 847.0C/s alyssa..brenda Use the "--show" option to display all of the cracked passwords reliably Session completed
Trollcat{batman}
Forbidden (FORENSICS)
$ binwalk trollcats.car DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 50 0x32 bzip2 compressed data, block size = 900k $ dd if=trollcats.car of=trollcats.bz2 bs=1 skip=50 255+0 レコード入力 255+0 レコード出力 255 bytes copied, 0.214606 s, 1.2 kB/s $ bzip2 -d trollcats.bz2 bzip2: trollcats.bz2: trailing garbage after EOF ignored $ cat trollcats Trollcat{M0zilla_Archive_maaaarls}
Trollcat{M0zilla_Archive_maaaarls}
the_sus_agent (FORENSICS)
No.1613のパケットでsecret.jpgをPOSTしているので、エクスポートする。
$ file secret.jpg
secret.jpg: ASCII text
$ cat secret.jpg
aWhvcGV5b3VkaWRub3R0cmllZHRvYnJ1dGVmb3JjZWl0
$ cat secret.jpg | base64 -d
ihopeyoudidnottriedtobruteforceit
これをパスワードとして、No.447のパケットでPOSTしているwelcome.jpgをエクスポートして、steghideで隠した情報を抽出する。
$ steghide extract -sf welcome.jpg -p ihopeyoudidnottriedtobruteforceit wrote extracted data to "foryou". $ cat foryou Trollcat{this_challenge_was_easy_right???}
Trollcat{this_challenge_was_easy_right???}
Mr_evilpepo_1 (FORENSICS)
$ volatility -f evilpepo.vmem imageinfo Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (C:\CTF\work\evilpepo.vmem) PAE type : No PAE DTB : 0x187000L KDBG : 0xf80002a3f0a0L Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002a40d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2021-01-12 13:22:41 UTC+0000 Image local date and time : 2021-01-12 18:52:41 +0530 $ volatility -f evilpepo.vmem --profile=Win7SP1x64 consoles Volatility Foundation Volatility Framework 2.6 ************************************************** ConsoleProcess: conhost.exe Pid: 992 Console: 0xff346200 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4 OriginalTitle: Command Prompt Title: Command Prompt AttachedProcess: cmd.exe Pid: 1492 Handle: 0x60 ---- CommandHistory: 0x39eb60 Application: cmd.exe Flags: Allocated, Reset CommandCount: 37 LastAdded: 36 LastDisplayed: 36 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x60 Cmd #0 at 0x37e550: helo Cmd #1 at 0x37e570: troollll Cmd #2 at 0x37e590: caaat Cmd #3 at 0x37e5b0: yooooo Cmd #4 at 0x39de90: T Cmd #5 at 0x39dcd0: r Cmd #6 at 0x3a2f00: o Cmd #7 at 0x3a2f20: l Cmd #8 at 0x3a2f40: c Cmd #9 at 0x3a2f60: a Cmd #10 at 0x3a2fb0: t Cmd #11 at 0x3a2fc0: { Cmd #12 at 0x3a2fd0: c Cmd #13 at 0x3a2fe0: o Cmd #14 at 0x3a2ff0: m Cmd #15 at 0x3a3000: a Cmd #16 at 0x3a3010: n Cmd #17 at 0x3a3020: d Cmd #18 at 0x3a3030: s Cmd #19 at 0x3a3040: _ Cmd #20 at 0x3a3050: 4 Cmd #21 at 0x3a3060: r Cmd #22 at 0x3a3070: 3 Cmd #23 at 0x3a3080: _ Cmd #24 at 0x3a3090: i Cmd #25 at 0x3a30a0: m Cmd #26 at 0x3a30b0: p Cmd #27 at 0x3a30c0: o Cmd #28 at 0x3a30d0: r Cmd #29 at 0x3a30e0: t Cmd #30 at 0x3a30f0: a Cmd #31 at 0x3a3100: n Cmd #32 at 0x3a3110: t Cmd #33 at 0x3a3120: } Cmd #34 at 0x3a33b0: hope you got it Cmd #35 at 0x377860: "are you trying to run strings?" Cmd #36 at 0x3a33e0: lolololololol ---- Screen 0x381120 X:80 Y:300 Dump: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\WhiteWolf>helo 'helo' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>troollll 'troollll' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>caaat 'caaat' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>yooooo 'yooooo' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>T 'T' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>r 'r' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>o 'o' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>l 'l' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>l 'l' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>c 'c' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>a 'a' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>t 't' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>{ '{' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>c 'c' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>o 'o' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>m 'm' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>m 'm' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>a 'a' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>n 'n' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>d 'd' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>s 's' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>_ '_' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>4 '4' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>r 'r' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>3 '3' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>_ '_' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>i 'i' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>m 'm' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>p 'p' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>o 'o' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>r 'r' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>t 't' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>a 'a' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>n 'n' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>t 't' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>} '}' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>hope you got it 'hope' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>"are you trying to run strings?" '"are you trying to run strings?"' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>lolololololol 'lolololololol' is not recognized as an internal or external command, operable program or batch file. C:\Users\WhiteWolf>
コマンドとして認識しなくてもフラグをコマンド入力している。
Trolcat{comands_4r3_important}
FREE WIFI (NETWORKING)
$ aircrack-ng -w dict/rockyou.txt hack1-01.cap Opening hack1-01.cap Read 23892 packets. # BSSID ESSID Encryption 1 3A:22:DC:05:71:6B OnePlus 7 Pro WPA (1 handshake) Choosing first network as target. Opening hack1-01.cap Reading packets, please wait... Aircrack-ng 1.2 rc4 [00:12:07] 714692/9822769 keys tested (1109.22 k/s) Time left: 2 hours, 16 minutes, 52 seconds 7.28% KEY FOUND! [ no1caredformelikejesus ] Master Key : 4B F5 BE 98 7B B1 67 23 A9 CB 68 1C 88 50 76 9D 7D CB 07 21 23 3F 2A 86 AD 26 D9 17 76 D2 16 E0 Transient Key : 2C A2 38 92 7D 8C 6F 53 41 22 80 C8 5D A6 7B 23 AC 05 EF 82 4D 59 79 53 6A 2D 93 E9 DC 3B 56 BC 24 A5 E8 2F 29 27 1A FE E0 42 57 A4 FB C4 56 65 63 79 22 B8 8B 22 FF 18 E8 24 EB 86 BC D3 45 10 EAPOL HMAC : C2 19 FE 8E 23 EA 7C 58 31 AE 90 B6 6A 33 D4 99
Trollcat{no1caredformelikejesus}
Change my mind (Steganography)
$ zsteg trolllll.png b1,rgb,lsb,xy .. text: "Trollcat{I_L0v3_Tr011C4t}" b2,g,msb,xy .. text: "PQDTAEDP" b3,abgr,msb,xy .. text: "h_pL_piW" b4,r,msb,xy .. text: "gf'sr`P531Ue" b4,g,msb,xy .. text: " e5EcBCw6@uarP3da" b4,b,msb,xy .. text: "wW32 RWd" b4,rgb,msb,xy .. text: "sv bqG@f" b4,bgr,msb,xy .. text: "&v#paBwF" b4,abgr,msb,xy .. text: "_xOaof/f?w"
Trollcat{I_L0v3_Tr011C4t}
Aliens Message (Steganography)
Audacityで開くと、真ん中あたりにモールス信号らしきものがある。
- .-. --- .-.. .-.. -.-. .- - -.-. - ..-. -... .-. --- ..- --. .... - - --- -.-- --- ..- -... -.-- -.-. ... -.-. --- -.. . .-. ... .... ..- -...
デコードする。
TROLLCATCTFBROUGHTTOYOUBYCSCODERSHUB
Trollcat{TROLLCATCTFBROUGHTTOYOUBYCSCODERSHUB}
Deal Breaking (Cryptography)
シーザー暗号。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。
Rotation 13: paracetamolforheadache
Trollcat{paracetamolforheadache}
Lost In Forest (Cryptography)
$ echo TWVyY3VyeVZlbnVzRWFydGhNYXJzSnVwaXRlclNhdHVyblVyYW51c05lcHR1bmU= | base64 -d MercuryVenusEarthMarsJupiterSaturnUranusNeptune
Trollcat{MercuryVenusEarthMarsJupiterSaturnUranusNeptune}
Show your Dedication (Cryptography)
Vigenere暗号。鍵をRACEにして、https://www.dcode.fr/vigenere-cipherで復号する。
your flag is HELLOwORLD
Trollcat{HELLOwORLD}
Radio Station Apocalypse (Cryptography)
p - q = A -> q = p - A n = p * q = p * (p - A) p**2 - A*p - n = 0
この二次方程式を解けば、pがわかる。あとはそのまま復号すればよい。
from sympy import * from Crypto.Util.number import * ct = 15927954374690152068700390298074593196253864077169207071831999310211243220084198633824761313226756137217716813832139827281860280786151119392571330914043785795154126460993477079312886238477507766509831010644388998659565303441719615131661670116956449101956505931748018171190878765731317846254607404813297135537090043417404895660853320127812799010027005785901634939020872408881201149711968120809368691413105318444873712717786940780346214959475833457688794871749017822337860503424073668090333543027469770960756536095503271163592383252371337847620140632398753943463160733918860277382675572411402618882039992721158705125550 e = 65537 n = 25368447768323504911600571988774494107818159082103458909402378375896888147122503938518591402940401613482043710928629612450119548224453500663121617535722112844472859040198762641907836363229969155712075958868854330020410559684508712810222293531147857306199021834554435068975911739307607540505629883798642466233546635096780559373979170475222394473493457660803818950607714830510840577490628849303933022437114380092662378432401109413796410640006146844170094240232072224662551989418393330140325743682017287713705780111627575953826016488999945470058220771848171583260999599619753854835899967952821690531655365651736970047327 A = 13850705243110859039354321081017038361100285164728565071420492338985283998938739255457649493117185659009054998475484599174052182163568940357425209817392780314915968465598416149706099257132486744034100104272832634714470968608095808094711578599330447351992808756520378741868674695777659183569180981300608614286 p = Symbol('p') eq = Eq(p**2 - A*p - n) ans = solve(eq) if ans[0] < 0: p = int(ans[1]) else: p = int(ans[0]) q = n // p assert p * q == n phi = (p - 1) * (q - 1) d = inverse(e, phi) m = pow(ct, d, n) flag = long_to_bytes(m) print flag
Trollcat{R5A_1s_n0t_Th4t_ezzz!}