This CTF ran from 2021/4/3 15:30 (JST) to 2021/4/5 3:30 (JST).
I played as part of a team again this time. We finished 54th of 452 teams with 1115 points.
Below are writeups for the challenges I solved myself.
Sanity Check (Misc 10)
Join the Discord and react with :thumbsup: in the #readme channel; a large number of channels then appear. Clicking the redacted part of item 13 in the #rules channel reveals the flag.
shaktictf{G00d_t0_r34d_th3_rUl3s!}
pillow (Misc 100)
Lay out the tiles 1.jpg through 3000.jpg top to bottom, column by column. The grid is 50 tiles high by 60 tiles wide (3000 tiles), and each tile is 10x10 pixels.

```python
from PIL import Image

WIDTH_NUM = 60    # tiles per row
HEIGHT_NUM = 50   # tiles per column
UNIT_SIZE = 10    # each tile is 10x10 px
WIDTH = UNIT_SIZE * WIDTH_NUM
HEIGHT = UNIT_SIZE * HEIGHT_NUM
IFILE_FORMAT = './60x50/%d.jpg'

output_img = Image.new('RGB', (WIDTH, HEIGHT), (255, 255, 255))
x = 0
y = 0
for i in range(WIDTH_NUM * HEIGHT_NUM):
    filename = IFILE_FORMAT % (i + 1)
    input_img = Image.open(filename).convert('RGB')
    # tiles are numbered top to bottom, then on to the next column
    if y == HEIGHT_NUM:
        x += 1
        y = 0
    output_img.paste(input_img, ((x * UNIT_SIZE), (y * UNIT_SIZE)))
    y += 1
output_img.save('flag.jpg')
```
shaktictf{pill0w_l1k3_a_g00d_c0nscience}
hack (Reversing 50)
Decompile it with Ghidra.
```c
undefined8 main(void)
{
  size_t sVar1;
  long in_FS_OFFSET;
  int local_30;
  int local_2c;
  char local_28 [24];
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  printf("Enter the string: ");
  __isoc99_scanf(&DAT_001009a7,local_28);
  local_30 = 1;
  sVar1 = strlen(local_28);
  if (sVar1 != 0x10) {
    puts("I dont think so XD");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  local_2c = 0;
  while (local_28[local_2c] != '\0') {
    if (local_28[local_2c] != (char)*(undefined4 *)(v2 + (long)(local_2c + 3) * 4)) {
      puts("Nope");
                    /* WARNING: Subroutine does not return */
      exit(0);
    }
    local_30 = local_30 + 1;
    local_2c = local_2c + 1;
  }
  if (local_30 == 0x11) {
    printf("Your Flag: shaktictf{%s}\n",local_28);
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
```

The `v2` array at 00301020 is a table of 32-bit little-endian integers; only the low byte of each entry is non-zero (listing condensed, low byte shown as ASCII on the right):

```
00301020: 59 00 00 00  33 00 00 00  73 00 00 00  5f 00 00 00   Y 3 s _
00301030: 5f 00 00 00  48 00 00 00  34 00 00 00  63 00 00 00   _ H 4 c
00301040: 4b 00 00 00  5f 00 00 00  74 00 00 00  48 00 00 00   K _ t H
00301050: 33 00 00 00  5f 00 00 00  4d 00 00 00  30 00 00 00   3 _ M 0
00301060: 30 00 00 00  6e 00 00 00  5f 00 00 00  5f 00 00 00   0 n _ _
00301070: 21 00 00 00  21 00 00 00  5f 00 00 00  48 00 00 00   ! ! _ H
00301080: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
00301090: 00 00 00 00  00 00 00 00
```
From this we can see the following, so check the values being compared:

・the flag is 16 bytes long (strlen must equal 0x10)
・each input byte is compared against v2 starting at byte offset 12 (entry v2[3]) with a stride of 4 bytes, i.e. the low byte of each 32-bit entry

```
>>> chr(0x5f)
'_'
>>> chr(0x5f)
'_'
>>> chr(0x48)
'H'
>>> chr(0x34)
'4'
>>> chr(0x63)
'c'
>>> chr(0x4b)
'K'
>>> chr(0x5f)
'_'
>>> chr(0x74)
't'
>>> chr(0x48)
'H'
>>> chr(0x33)
'3'
>>> chr(0x5f)
'_'
>>> chr(0x4d)
'M'
>>> chr(0x30)
'0'
>>> chr(0x30)
'0'
>>> chr(0x6e)
'n'
>>> chr(0x5f)
'_'
```

Concatenated, this gives:

__H4cK_tH3_M00n_

Feed it to the binary as input:

```
$ ./hack
Enter the string: __H4cK_tH3_M00n_
Your Flag: shaktictf{__H4cK_tH3_M00n_}
```
shaktictf{__H4cK_tH3_M00n_}
fusk (Reversing 100)
Decompile it with Ghidra.
```c
undefined8 FUN_0010124e(void)
{
  uint uVar1;
  int iVar2;
  size_t sVar3;
  long in_FS_OFFSET;
  int local_d0;
  int local_cc;
  uint local_c8 [32];
  char local_48 [40];
  long local_20;

  local_20 = *(long *)(in_FS_OFFSET + 0x28);
  local_d0 = 3;
  fgets(local_48,0x20,stdin);
  local_cc = 0;
  while( true ) {
    sVar3 = strlen(local_48);
    if (sVar3 <= (ulong)(long)local_cc) break;
    uVar1 = FUN_001011a9(local_d0);
    local_c8[local_cc] = (int)local_48[local_cc] ^ uVar1;
    local_cc = local_cc + 1;
    local_d0 = local_d0 + 1;
  }
  iVar2 = FUN_001011e9(local_c8);
  if (iVar2 == 0) {
    puts("Try Again..!");
  }
  else {
    puts("You Win");
  }
  if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

int FUN_001011a9(int param_1)
{
  int iVar1;

  if (1 < param_1) {
    iVar1 = FUN_001011a9(param_1 + -1);
    param_1 = FUN_001011a9(param_1 + -2);
    param_1 = param_1 + iVar1;
  }
  return param_1;
}

undefined4 FUN_001011e9(long param_1)
{
  undefined4 local_10;
  uint local_c;

  local_10 = 1;
  local_c = 0;
  while (local_c < 0x1f) {
    if (*(int *)(&DAT_00102020 + (long)(int)local_c * 4) != *(int *)(param_1 + (long)(int)local_c * 4)) {
      local_10 = 0;
    }
    local_c = local_c + 1;
  }
  return local_10;
}
```

DAT_00102020 is a table of 31 little-endian 32-bit integers (listing condensed):

```
00102020: 71 00 00 00  6b 00 00 00  64 00 00 00  63 00 00 00
00102030: 79 00 00 00  7c 00 00 00  41 00 00 00  43 00 00 00
00102040: 3f 00 00 00  eb 00 00 00  9a 00 00 00  48 01 00 00
00102050: 0f 02 00 00  ab 03 00 00  51 06 00 00  2b 0a 00 00
00102060: 0a 10 00 00  00 1a 00 00  ad 2a 00 00  59 45 00 00
00102070: 97 6f 00 00  55 b5 00 00  24 25 01 00  52 da 01 00
00102080: 23 ff 02 00  44 d9 04 00  dc d8 07 00  18 b2 0c 00
00102090: b3 8a 14 00  78 3d 21 00  e8 c7 35 00
```
Read off the parts that matter for the flag:

・FUN_001011a9 is a recursive Fibonacci function. Each character of the input is XORed with FUN_001011a9(3 + i), where i is the character's index.
・The resulting 32-bit values are compared against the 31 entries of DAT_00102020.

Recover the flag from this.

```python
import functools


@functools.lru_cache(maxsize=None)   # the binary's recursion is exponential; cache it
def FUN_001011a9(n):
    if n > 1:
        iVar1 = FUN_001011a9(n - 1)
        n = FUN_001011a9(n - 2)
        n = n + iVar1
    return n


local_d0 = 3
keys = []
for i in range(31):
    uVar1 = FUN_001011a9(local_d0)
    keys.append(uVar1 & 0xff)   # only the low byte affects an ASCII character
    local_d0 += 1

# low byte of each 32-bit entry of DAT_00102020
data = [0x71, 0x6b, 0x64, 0x63, 0x79, 0x7c, 0x41, 0x43, 0x3f, 0xeb, 0x9a,
        0x48, 0x0f, 0xab, 0x51, 0x2b, 0x0a, 0x00, 0xad, 0x59, 0x97, 0x55,
        0x24, 0x52, 0x23, 0x44, 0xdc, 0x18, 0xb3, 0x78, 0xe8]

flag = ''
for i in range(31):
    flag += chr(data[i] ^ keys[i])
print(flag)
```
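As an added example (not code from the original writeup), here is a solver that works on the full 32-bit table rather than only its low bytes, computes the Fibonacci keystream iteratively, and re-encodes the recovered input to confirm it reproduces DAT_00102020 exactly, which is the comparison FUN_001011e9 performs. The table bytes are transcribed from the listing above; the function names are mine. The trailing newline in the result is the one fgets keeps, which is why a 30-character flag needs 31 table entries.

```python
import struct

# DAT_00102020 as raw bytes, transcribed from the Ghidra listing
# (31 little-endian 32-bit values).
DAT_00102020 = bytes.fromhex(
    "71000000 6b000000 64000000 63000000 79000000 7c000000 41000000 43000000"
    "3f000000 eb000000 9a000000 48010000 0f020000 ab030000 51060000 2b0a0000"
    "0a100000 001a0000 ad2a0000 59450000 976f0000 55b50000 24250100 52da0100"
    "23ff0200 44d90400 dcd80700 18b20c00 b38a1400 783d2100 e8c73500"
)


def fib_keys(count, start=3):
    """Iterative equivalent of FUN_001011a9: fib(start), fib(start+1), ..."""
    a, b = 0, 1            # fib(0), fib(1)
    for _ in range(start):
        a, b = b, a + b    # now a == fib(start)
    keys = []
    for _ in range(count):
        keys.append(a)
        a, b = b, a + b
    return keys


def table_to_ints(raw):
    """Parse the little-endian uint32 table the binary compares against."""
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def decode(table):
    """Recover the accepted input: input[i] == table[i] ^ fib(3 + i)."""
    keys = fib_keys(len(table))
    return bytes((v ^ k) & 0xff for v, k in zip(table, keys))


def encode(data):
    """What main() stores in local_c8 before the compare: (int)data[i] ^ fib(3 + i)."""
    keys = fib_keys(len(data))
    return [(c ^ k) & 0xffffffff for c, k in zip(data, keys)]


def solve(raw=DAT_00102020):
    table = table_to_ints(raw)
    plain = decode(table)
    # Cross-check: re-running the binary's transform must reproduce the table
    # exactly, including the high bytes a low-byte-only solve never looks at.
    if encode(plain) != table:
        raise ValueError("recovered input does not reproduce the table")
    return plain


if __name__ == "__main__":
    print(solve().decode())
```

The re-encode check is worth keeping in any XOR-keystream solve: if the keystream were wrong in a high byte, a low-byte-only comparison would still print something plausible while the binary would reject it.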
shaktictf{s1mpl3_movfu5ca7i0n}
Delete (Forensics 100)
The first 48 bytes look like a PNG header, but a second PNG structure starts right after them, so delete the first 48 bytes. The flag is written in the resulting image.
shaktictf{Y0u_4R3_aM4z1nG!!!!}
Chunkies (Forensics 100)
The PNG chunks are corrupted, so repair them.

PNG -> \x89PNG
IADT -> IDAT
INED -> IEND

```python
with open('file.png', 'rb') as f:
    data = f.read()

# restore the missing signature byte and the two mangled chunk type names
# (assumes 'PNG' only occurs in the signature)
data = data.replace(b'PNG', b'\x89PNG')
data = data.replace(b'IADT', b'IDAT')
data = data.replace(b'INED', b'IEND')

with open('file_fix.png', 'wb') as f:
    f.write(data)
```

The height in the IHDR chunk is also wrong, so increase it until the part of the image that actually contains data is visible. Note that the IHDR CRC covers the height field, so after editing it the chunk CRC no longer matches; most viewers only warn, but a strict decoder will reject the file unless the CRC is recomputed.
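The repair above patches bytes blindly. As an added example that is not part of the original writeup, the following walks the chunk list, verifies every CRC, and patches the IHDR height with a recomputed CRC. The sample PNG, the corruptions applied to it, and the function names are constructed here to mirror the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, body):
    """Serialize one chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xffffffff
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width, height, rows):
    """Minimal 8-bit RGB PNG (filter type 0 on every row); constructed test input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(r) for r in rows)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def walk_chunks(data):
    """Return [(type, length, crc_ok), ...]; stops at IEND or at a truncated chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("bad PNG signature: %r" % data[:8])
    out, pos = [], 8
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            break
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        out.append((ctype, length, crc == (zlib.crc32(ctype + body) & 0xffffffff)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


def ihdr_dims(data):
    """(width, height) from IHDR, which the spec requires to be the first chunk."""
    return struct.unpack(">II", data[16:24])


def repair_png(data, new_height=None):
    """Undo the Chunkies corruptions; optionally set the IHDR height and re-CRC it."""
    if data[:7] == PNG_SIG[1:]:            # leading 0x89 byte stripped
        data = b"\x89" + data
    data = data.replace(b"IADT", b"IDAT").replace(b"INED", b"IEND")
    if new_height is not None:
        body = bytearray(data[16:29])      # 13-byte IHDR body
        body[4:8] = struct.pack(">I", new_height)
        data = data[:8] + chunk(b"IHDR", bytes(body)) + data[33:]
    return data


# --- constructed corruption, mirroring what the challenge file looked like ---
def sample_png():
    return build_png(2, 2, [[255, 0, 0, 0, 255, 0], [0, 0, 255, 255, 255, 255]])


def corrupt_like_chunkies(good):
    return good[1:].replace(b"IDAT", b"IADT").replace(b"IEND", b"INED")


def set_height_stale_crc(good, height):
    """Overwrite only the height field, leaving the old CRC behind."""
    return good[:20] + struct.pack(">I", height) + good[24:]


if __name__ == "__main__":
    fixed = repair_png(corrupt_like_chunkies(sample_png()))
    print(walk_chunks(fixed), ihdr_dims(fixed))
```

On the real file, `walk_chunks` is the quick way to confirm that only IHDR is left with a bad CRC after the height edit, and `repair_png(data, new_height=...)` produces a file that strict decoders accept.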
shaktictf{Y4YyyyY_y0u_g0t_1T}
Help Me (Forensics 400)
```
$ volatility -f Challenge.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/Challenge.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a100a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a11d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-04-03 05:10:52 UTC+0000
     Image local date and time : 2021-04-03 10:40:52 +0530

$ volatility -f Challenge.vmem --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8018da5040:System                               4      0     83    512 2021-04-03 05:09:41 UTC+0000
. 0xfffffa8019cbe310:smss.exe                          240      4      3     29 2021-04-03 05:09:41 UTC+0000
 0xfffffa801a7d9b30:explorer.exe                      1080   1052     43   1054 2021-04-03 05:09:48 UTC+0000
. 0xfffffa801ab60630:cmd.exe                          1708   1080      1     19 2021-04-03 05:09:57 UTC+0000
. 0xfffffa8019cbc760:WinRAR.exe                       2836   1080     12    406 2021-04-03 05:10:38 UTC+0000
 0xfffffa801a4d4610:csrss.exe                          316    308      8    472 2021-04-03 05:09:44 UTC+0000
 0xfffffa8018daa060:wininit.exe                        364    308      7     88 2021-04-03 05:09:45 UTC+0000
. 0xfffffa801a533910:lsass.exe                         472    364     11    769 2021-04-03 05:09:45 UTC+0000
. 0xfffffa801a404b30:services.exe                      464    364     24    222 2021-04-03 05:09:45 UTC+0000
.. 0xfffffa801aa7f060:SearchIndexer.                  1912    464     14    599 2021-04-03 05:09:55 UTC+0000
... 0xfffffa801ab3cb30:SearchProtocol                 1272   1912      7    226 2021-04-03 05:09:56 UTC+0000
... 0xfffffa801ab47b30:SearchFilterHo                 1504   1912      5     78 2021-04-03 05:09:57 UTC+0000
.. 0xfffffa8018eb4690:svchost.exe                      792    464     30    496 2021-04-03 05:09:46 UTC+0000
... 0xfffffa801a7cfb30:dwm.exe                        1060    792      6     84 2021-04-03 05:09:48 UTC+0000
.. 0xfffffa801a823b30:taskhost.exe                    1184    464      9    187 2021-04-03 05:09:48 UTC+0000
.. 0xfffffa801a6b5b30:svchost.exe                      684    464     25    534 2021-04-03 05:09:46 UTC+0000
... 0xfffffa8019af9060:audiodg.exe                     908    684      6    125 2021-04-03 05:09:47 UTC+0000
.. 0xfffffa801abadb30:svchost.exe                     2100    464     11    350 2021-04-03 05:09:58 UTC+0000
.. 0xfffffa801a663410:svchost.exe                      568    464     16    367 2021-04-03 05:09:46 UTC+0000
... 0xfffffa801a7bfb30:dllhost.exe                    1344    568     12    242 2021-04-03 05:10:47 UTC+0000
... 0xfffffa8019a1f970:iexplore.exe                   2980    568     17    361 2021-04-03 05:10:45 UTC+0000
.... 0xfffffa801a729720:iexplore.exe                  1092   2980     16    327 2021-04-03 05:10:46 UTC+0000
... 0xfffffa801ac306e0:WmiPrvSE.exe                   2356    568      8    114 2021-04-03 05:10:00 UTC+0000
.. 0xfffffa801ab189e0:svchost.exe                     1220    464     34    367 2021-04-03 05:09:56 UTC+0000
.. 0xfffffa801a728b30:svchost.exe                      984    464     41    559 2021-04-03 05:09:47 UTC+0000
.. 0xfffffa801a7f3b30:spoolsv.exe                     1116    464     15    279 2021-04-03 05:09:48 UTC+0000
.. 0xfffffa8019a285c0:svchost.exe                      848    464     51    817 2021-04-03 05:09:47 UTC+0000
.. 0xfffffa801ab85b30:wmpnetwk.exe                     356    464     17    477 2021-04-03 05:09:58 UTC+0000
... 0xfffffa801a4f4560:winlogon.exe                    404    356      6    115 2021-04-03 05:09:45 UTC+0000
... 0xfffffa8018daa630:csrss.exe                       376    356      7    269 2021-04-03 05:09:45 UTC+0000
.... 0xfffffa801ab64060:conhost.exe                   1144    376      2     51 2021-04-03 05:09:57 UTC+0000
.. 0xfffffa801a77eb30:svchost.exe                      536    464     21    415 2021-04-03 05:09:47 UTC+0000
.. 0xfffffa801a68b060:svchost.exe                      632    464     10    280 2021-04-03 05:09:46 UTC+0000
.. 0xfffffa801a820b30:svchost.exe                     1176    464     24    326 2021-04-03 05:09:48 UTC+0000
.. 0xfffffa801a86eb30:svchost.exe                     1788    464      5     72 2021-04-03 05:10:51 UTC+0000
... 0xfffffa801aaa6b30:WerFault.exe                   2536   1788      7    148 2021-04-03 05:10:51 UTC+0000
. 0xfffffa801a4b23c0:lsm.exe                           480    364     11    147 2021-04-03 05:09:45 UTC+0000

$ volatility -f Challenge.vmem --profile=Win7SP1x64 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    240
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    316
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid:    364
Command line : wininit.exe
************************************************************************
csrss.exe pid:    376
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    404
Command line : winlogon.exe
************************************************************************
services.exe pid:    464
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid:    472
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid:    480
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid:    568
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:    632
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:    684
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid:    792
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid:    848
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
audiodg.exe pid:    908
Command line : C:\Windows\system32\AUDIODG.EXE 0x2bc
************************************************************************
svchost.exe pid:    984
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid:    536
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
dwm.exe pid:   1060
Command line : "C:\Windows\system32\Dwm.exe"
************************************************************************
explorer.exe pid:   1080
Command line : C:\Windows\Explorer.EXE
************************************************************************
spoolsv.exe pid:   1116
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid:   1176
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
taskhost.exe pid:   1184
Command line : "taskhost.exe"
************************************************************************
SearchIndexer. pid:   1912
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
svchost.exe pid:   1220
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
SearchProtocol pid:   1272
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-343819191-2795698350-1660738378-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-343819191-2795698350-1660738378-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
************************************************************************
SearchFilterHo pid:   1504
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
************************************************************************
cmd.exe pid:   1708
Command line : "C:\Windows\system32\cmd.exe"
************************************************************************
conhost.exe pid:   1144
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
wmpnetwk.exe pid:    356
Command line : "C:\Program Files\Windows Media Player\wmpnetwk.exe"
************************************************************************
svchost.exe pid:   2100
Command line : C:\Windows\System32\svchost.exe -k LocalServicePeerNet
************************************************************************
WmiPrvSE.exe pid:   2356
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
WinRAR.exe pid:   2836
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alexander\Downloads\L4ST.py.zip"
************************************************************************
iexplore.exe pid:   2980
Command line : "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
************************************************************************
iexplore.exe pid:   1092
Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:137473
************************************************************************
dllhost.exe pid:   1344
Command line : C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
************************************************************************
svchost.exe pid:   1788
Command line : C:\Windows\System32\svchost.exe -k WerSvcGroup
************************************************************************
WerFault.exe pid:   2536
Command line : C:\Windows\system32\WerFault.exe -u -p 2836 -s 1696

$ volatility -f Challenge.vmem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 1144
Console: 0xff716200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1708 Handle: 0x60
----
CommandHistory: 0x26e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x2478b0: UGFydCAxlC0gc2hha3RpY3Rme0gwcDM=
----
Screen 0x250f70 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\alexander>UGFydCAxlC0gc2hha3RpY3Rme0gwcDM=
'UGFydCAxlC0gc2hha3RpY3Rme0gwcDM' is not recognized as an internal or external c
ommand,
operable program or batch file.

C:\Users\alexander>
```

Base64-decoding "UGFydCAxlC0gc2hha3RpY3Rme0gwcDM=" (the command typed into cmd.exe) gives the first fragment of the flag:

"Part 1- shaktictf{H0p3"
Check whether the PNG file holds any information.
```
$ volatility -f Challenge.vmem --profile=Win7SP1x64 filescan | grep png
Volatility Foundation Volatility Framework 2.6
0x000000007de61680     16      0 R--r-- \Device\HarddiskVolume1\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png
0x000000007e269310     12      0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
0x000000007f091970     12      0 R--r-d \Device\HarddiskVolume1\Windows\System32\pngfilt.dll
$ volatility -f Challenge.vmem --profile=Win7SP1x64 dumpfiles -D . -Q 0x000000007e269310
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7e269310   None   \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
$ mv file.None.0xfffffa801a8691b0.dat "Part II.png"
$ zsteg "Part II.png"
[?] 1289 bytes of extra data after image end (IEND), offset = 0x42af7
extradata:0         .. ["\x00" repeated 1289 times]
b1,rgb,lsb,xy       .. text: "Second part : _y0U_l1k3d_"   ★
b1,abgr,msb,xy      .. file: PGP\011Secret Key -
b2,r,msb,xy         .. text: "}UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,g,msb,xy         .. text: ["U" repeated 198 times]
b2,b,msb,xy         .. text: "_]UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,rgb,msb,xy       .. text: ["U" repeated 206 times]
b2,bgr,msb,xy       .. text: "WUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU"
b2,abgr,msb,xy      .. text: ["W" repeated 189 times]
b4,r,msb,xy         .. text: ["w" repeated 222 times]
b4,g,msb,xy         .. text: ["w" repeated 222 times]
b4,b,msb,xy         .. text: ["w" repeated 223 times]
b4,rgb,msb,xy       .. text: ["w" repeated 156 times]
b4,bgr,msb,xy       .. text: ["w" repeated 155 times]
b4,abgr,msb,xy      .. file: RDI Acoustic Doppler Current Profiler (ADCP)
```
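zsteg found the fragment by reading one bit per colour channel. As an added example (not from the original writeup and not zsteg's code), the following embeds and then recovers a message with that layout. The cover image is a constructed list of RGB tuples so it runs without Pillow; the reading of zsteg's "b1,rgb,lsb,xy" as "least significant bit of R, G, B for each pixel, pixels in row-major order, bits packed MSB-first into bytes" is my assumption, as are the function names.

```python
def bits_msb_first(data):
    """Yield the bits of each byte, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def pack_bits(bits):
    """Inverse of bits_msb_first; ignores a trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def lsb_embed(pixels, payload):
    """Copy of pixels with payload's bits in the LSB of R, G, B, pixel by pixel
    (row-major / xy order). Needs 8 * len(payload) <= 3 * len(pixels)."""
    bits = iter(bits_msb_first(payload))
    if 8 * len(payload) > 3 * len(pixels):
        raise ValueError("payload does not fit in the cover image")
    out = []
    for px in pixels:
        new = []
        for ch in px:
            b = next(bits, None)
            new.append(ch if b is None else (ch & 0xfe) | b)
        out.append(tuple(new))
    return out


def lsb_extract(pixels, nbytes=None):
    """Read the channel LSBs back in the same order; nbytes=None dumps everything,
    which is what you do when you do not yet know where the text is."""
    bits = [ch & 1 for px in pixels for ch in px]
    if nbytes is not None:
        bits = bits[:8 * nbytes]
    return pack_bits(bits)


def demo():
    # Constructed 16x16 gradient cover (768 channel bits available).
    cover = [((x * 16) & 0xff, (y * 16) & 0xff, ((x + y) * 8) & 0xff)
             for y in range(16) for x in range(16)]
    secret = b"Second part : _y0U_l1k3d_"        # 25 bytes = 200 bits
    stego = lsb_embed(cover, secret)
    # Every channel moves by at most 1, which is why LSB stego is invisible.
    assert max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q)) <= 1
    return lsb_extract(stego, len(secret))


if __name__ == "__main__":
    print(demo())
```

To run `lsb_extract` on the real file, feed it `list(Image.open("Part II.png").convert("RGB").getdata())` from Pillow, then search the dump for printable runs; zsteg's other candidates (msb, other channel orders, 2 and 4 bits per channel) are just different choices of which bit and which channel order to read.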
The second fragment of the flag was found in the LSBs of the PNG. There was also a suspicious zipped Python file, so extract it and take a look.
```
$ volatility -f Challenge.vmem --profile=Win7SP1x64 filescan | grep L4ST.py.zip
Volatility Foundation Volatility Framework 2.6
0x000000007ec2c970      2      0 R--r-- \Device\HarddiskVolume1\Users\alexander\Downloads\L4ST.py.zip
$ volatility -f Challenge.vmem --profile=Win7SP1x64 dumpfiles -D . -Q 0x000000007ec2c970
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7ec2c970   None   \Device\HarddiskVolume1\Users\alexander\Downloads\L4ST.py.zip
$ mv file.None.0xfffffa8019e2c600.dat L4ST.py.zip
$ unzip L4ST.py.zip
Archive:  L4ST.py.zip
  inflating: L4ST.py.txt
$ cat L4ST.py.txt
s=4
y=[]
Z=[]
k=[]
Q="uh27bio:uY<xrA."
def yes(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])-i+4))
    print(''.join(st)+"}")
def Checkin(inp):
    for i in range(len(inp)):
        if(len(inp)<=7):
            Z.append(chr(ord(inp[i])-1+i))
        else:
            Z.append(chr(ord(inp[i])+4))
    return(''.join(Z))
def tryin(text,s):
    result = ""
    for i in range(len(text)):
        char = text[i]
        if(char.isnumeric()):
            result+=(chr(ord(char)-1))
        elif(char.isupper()):
            result += chr((ord(char) + s-65) % 26 + 65)
        else:
            result+=(chr(ord(char)^1))
    return result
X=input("Enter input: ")
k=Checkin(tryin(X,s))
print(k)
if(Q==k):
    print("Yoo.. looks like your flag is complete!!")
    yes(X)
else:
    print("try again:/ ")
```
The script does the following:

・X: the input
・k = Checkin(tryin(X, 4))
・tryin(X, 4): transform each character of X as follows and join the results
  ・digit: the character whose ASCII code is one less
  ・uppercase letter: shifted by 4 (wrapping within A-Z)
  ・anything else: ASCII code XOR 1
・Checkin(...):
  ・if the string is 7 characters or shorter: ASCII code - 1 + i for each character
  ・otherwise: ASCII code + 4 for each character
・success if Q == k

Work backwards from Q to recover X.

```python
def yes(inp):
    st = []
    for i in range(len(inp)):
        st.append(chr(ord(inp[i]) - i + 4))
    print(''.join(st) + '}')


def rev_Checkin_L(inp):
    # Q is 15 characters, so Checkin took the len > 7 branch (+4 per character)
    s = ''
    for i in range(len(inp)):
        s += chr(ord(inp[i]) - 4)
    return s


def rev_tryin(text, s):
    result = ''
    for i in range(len(text)):
        char = text[i]
        if ord(char) + 1 >= ord('0') and ord(char) + 1 <= ord('9'):
            # came from a digit: tryin subtracted 1
            result += chr(ord(char) + 1)
        elif char.isupper():
            # came from an uppercase letter: undo the shift by s
            result += chr((ord(char) - s - 65) % 26 + 65)
        else:
            # everything else was XORed with 1, which is its own inverse
            result += chr(ord(char) ^ 1)
    return result


Q = 'uh27bio:uY<xrA.'
X = rev_tryin(rev_Checkin_L(Q), 4)
yes(X)
```
This gives the third fragment of the flag.
th15_ch4lL3ng3!}
Joining all three fragments gives the flag.
shaktictf{H0p3_y0U_l1k3d_th15_ch4lL3ng3!}
Classically Easy (Cryptography 50)
Guessing a Vigenère cipher, decrypt it with https://www.guballa.de/vigenere-solver.
shaktictf{lets_start_with_something_classical!}
z3r000 (Cryptography 100)
The flag is padded with 200 \x00 bytes and then RSA-encrypted, so:

```
ct = pow(flag * 256**200, e, n)
   = pow(flag, e, n) * pow(256**200, e, n) mod n
pow(flag, e, n) = (ct * inverse(pow(256**200, e, n), n)) % n
```

On the assumption that flag is small enough compared to n (flag**3 < n, so the reduction mod n never actually takes effect on flag**3), decrypt with a low public exponent attack: take the integer cube root.

```python
from gmpy2 import iroot
from Crypto.Util.number import inverse, long_to_bytes

n = 21715343886495928351215193978711929756420132478733511337712828323191033721473249522742310880995705726364659155923831862520713609810234090293129894330795897314385036353796299339012807424848725536681375374406626571246675194305322084373494309780483230258395289370971774836794623911704539272083398677190964132595561342176374613443236001057127606148055300330917664419125803955455242203465159778064534281149697964754267795556384685979413144901477909683027731425979539827440413451284858488486792558571039442704074516658347717422970337132798573245689067635331499343815761456951640935339048955499678787141314816545395882094131
ct = 19258881721319838539457302108079805924007184173822525342017749987730421113475524675098820917522804638672433509736065357049144293036488371316019861512588425245150715231139464779572365549429694270196306310887787115617307657620629796823034717298229261451513996300641103453971960273159526614861159508208543734860681157877266608856017428170839087144791926229543722615522167842436520721255660377919759130818061138963229370323538021083594114722358233907874550197614395737551656382256624656798688943064922359100344464350636071751200925945768396168482676392175499672384759914433676349457259681832749703857971930447279797608485
e = 3

# divide out the padding factor (256**200)**e, leaving flag**e mod n
c = (ct * inverse(pow(256, e * 200, n), n)) % n
# flag**3 < n, so the cube root is exact; iroot reports whether it is
m, exact = iroot(c, e)
assert exact
flag = long_to_bytes(int(m))
print(flag)
```
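The same attack as an added, self-contained example that is not the writeup's code: the key, the seed, the flag string and the function names are constructed here. It generates a toy 512-bit modulus, applies the challenge's padding (assumed to be `flag + b"\x00" * k`, i.e. the integer `flag * 256**k`), shows that a direct cube root of the ciphertext fails because the padded value cubed wraps past n, and then strips the padding factor and takes an exact integer cube root with no gmpy dependency.

```python
import random


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin; adequate for generating demo keys (deterministic via rng)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng, e):
    """Random prime with the top bit set and gcd(e, p - 1) == 1 (valid RSA exponent)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e != 0 and is_probable_prime(p, rng):
            return p


def iroot(x, k):
    """Largest r with r**k <= x, plus whether the root is exact (binary search)."""
    if x < 2:
        return x, True
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k)   # hi**k >= x
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def recover_small_root(ct, e, n, pad_bytes):
    """Strip a known zero-byte suffix (a factor of 256**pad_bytes) from the
    plaintext, then take the integer e-th root. Only works while flag**e < n;
    the exactness check catches the case where it does not."""
    factor = pow(256, e * pad_bytes, n)
    c = ct * pow(factor, -1, n) % n          # pow(x, -1, n): modular inverse (Python 3.8+)
    root, exact = iroot(c, e)
    if not exact:
        raise ValueError("flag**e wrapped past n: padding assumption or flag size is wrong")
    return root.to_bytes((root.bit_length() + 7) // 8, "big")


def demo():
    rng = random.Random(2021)                # fixed seed: toy key, reproducible run
    e = 3
    p, q = gen_prime(256, rng, e), gen_prime(256, rng, e)
    n = p * q
    flag = b"shaktictf{example}"             # constructed; 144 bits, so flag**3 < n
    pad = 40                                 # the challenge used 200; 40 already pushes m**3 past n
    m = int.from_bytes(flag + b"\x00" * pad, "big")
    ct = pow(m, e, n)
    # the naive low-exponent attack fails here: m**3 is ~1400 bits, far above n
    assert m < n and iroot(ct, e)[1] is False
    return recover_small_root(ct, e, n, pad)


if __name__ == "__main__":
    print(demo())
```

The exactness check is the important part: if the root of the stripped ciphertext is not exact, the flag is too long for the modulus and no amount of root-taking will recover it, so you know to look for a different attack rather than trusting a rounded value.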
shaktictf{YouHaveGotAGoodEyeInFindingBugsMoreWayToGo}