RITSEC CTF 2021 Writeup

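This contest was held from 2021/4/10 1:00 (JST) to 2021/4/12 13:00 (JST).
I took part as a team again this time. We scored 5491 points and placed 29th out of 720 teams.
Here are writeups for the challenges I solved myself.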

Join the Discord (101)

After joining the Discord and looking at the topic of the #rules channel, the flag was written there.

RS{D1SC0RD_RU1ES_G0_BRR}

Sessions (WEB)

Looking at the HTML source, there is the following comment.

<!--#remove comment later: login iroh:iroh-->

Log in as this user. The sessiontoken cookie is set to the following value.

UlN7MG5seV9PbmVfczNzc2lvbl90b2szbn0=
$ echo UlN7MG5seV9PbmVfczNzc2lvbl90b2szbn0= | base64 -d
RS{0nly_One_s3ssion_tok3n}
RS{0nly_One_s3ssion_tok3n}

1597 (Forensics)

A git challenge.

$ git clone http://git.ritsec.club:7000/1597.git
Cloning into '1597'...
$ cd 1597
$ ls -la
合計 9
drwxrwxrwx 1 root root    0  410 06:56 .
drwxrwxrwx 1 root root 4096  410 06:56 ..
drwxrwxrwx 1 root root 4096  410 06:56 .git
-rwxrwxrwx 1 root root   44  410 06:56 README.md
-rwxrwxrwx 1 root root    1  410 06:56 flag.txt
$ cd .git
$ xxd -g 1 index
00000000: 44 49 52 43 00 00 00 02 00 00 00 02 60 70 cd 85  DIRC........`p..
00000010: 00 00 00 00 60 70 cd 85 00 00 00 00 00 00 00 2d  ....`p.........-
00000020: 00 00 e4 b3 00 00 81 a4 00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 2c 0f f8 4f 37 f6 46 7e 28 35 97 83 e4  ...,..O7.F~(5...
00000040: 6e 5e 3a 34 ed 92 5c 5f 00 09 52 45 41 44 4d 45  n^:4..\_..README
00000050: 2e 6d 64 00 60 70 cd 85 00 00 00 00 60 70 cd 85  .md.`p......`p..
00000060: 00 00 00 00 00 00 00 2d 00 00 e4 b4 00 00 81 a4  .......-........
00000070: 00 00 00 00 00 00 00 00 00 00 00 01 8b 13 78 91  ..............x.
00000080: 79 1f e9 69 27 ad 78 e6 4b 0a ad 7b de d0 8b dc  y..i'.x.K..{....
00000090: 00 08 66 6c 61 67 2e 74 78 74 00 00 54 52 45 45  ..flag.txt..TREE
000000a0: 00 00 00 19 00 32 20 30 0a 28 48 85 31 c9 da b0  .....2 0.(H.1...
000000b0: 7d 79 c4 f7 76 d5 a6 12 ee 07 ee 39 19 5a 54 30  }y..v......9.ZT0
000000c0: ec 07 aa 00 0c 30 b3 a5 de 1d 6d b9 db 40 58 d0  .....0....m..@X.
000000d0: 10                                               .

$ python -c 'import zlib; print zlib.decompress(open("objects/8b/137891791fe96927ad78e64b0aad7bded08bdc").read())'
blob 1

$ cat config
[core]
	repositoryformatversion = 0
	filemode = false
	bare = false
	logallrefupdates = true
	symlinks = false
	ignorecase = true
[remote "origin"]
	url = http://git.ritsec.club:7000/1597.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
$ cat refs/heads/master
dcc402050827e92dbcf2578e24f2cba76f34229c
$ python -c 'import zlib; print zlib.decompress(open("objects/dc/c402050827e92dbcf2578e24f2cba76f34229c").read())'
commit 217tree 28488531c9dab07d79c4f776d5a612ee07ee3919
parent bb7917f300dd7ba1e5b45055dc802a8e4e3f19e5
author knif3 <knif3@mail.rit.edu> 1617947340 +0000
committer knif3 <knif3@mail.rit.edu> 1617947340 +0000

Updated the flag

$ python -c 'import zlib; print zlib.decompress(open("objects/28/488531c9dab07d79c4f776d5a612ee07ee3919").read())' | xxd -g 1
00000000: 74 72 65 65 20 37 33 00 31 30 30 36 34 34 20 52  tree 73.100644 R
00000010: 45 41 44 4d 45 2e 6d 64 00 0f f8 4f 37 f6 46 7e  EADME.md...O7.F~
00000020: 28 35 97 83 e4 6e 5e 3a 34 ed 92 5c 5f 31 30 30  (5...n^:4..\_100
00000030: 36 34 34 20 66 6c 61 67 2e 74 78 74 00 8b 13 78  644 flag.txt...x
00000040: 91 79 1f e9 69 27 ad 78 e6 4b 0a ad 7b de d0 8b  .y..i'.x.K..{...
00000050: dc 0a                                            ..

$ python -c 'import zlib; print zlib.decompress(open("objects/bb/7917f300dd7ba1e5b45055dc802a8e4e3f19e5").read())'
commit 167tree 7f609205d0a20bed8248564bbf85b5f3663286ae
author knif3 <knif3@mail.rit.edu> 1617947340 +0000
committer knif3 <knif3@mail.rit.edu> 1617947340 +0000

Initial Commit

$ python -c 'import zlib; print zlib.decompress(open("objects/7f/609205d0a20bed8248564bbf85b5f3663286ae").read())' | xxd -g 1
00000000: 74 72 65 65 20 37 33 00 31 30 30 36 34 34 20 52  tree 73.100644 R
00000010: 45 41 44 4d 45 2e 6d 64 00 0f f8 4f 37 f6 46 7e  EADME.md...O7.F~
00000020: 28 35 97 83 e4 6e 5e 3a 34 ed 92 5c 5f 31 30 30  (5...n^:4..\_100
00000030: 36 34 34 20 66 6c 61 67 2e 74 78 74 00 a2 4c ab  644 flag.txt..L.
00000040: 45 00 3b 97 e5 f5 fd 3d 91 03 2f 72 e1 f5 26 56  E.;....=../r..&V
00000050: b3 0a                                            ..

$ python -c 'import zlib; print zlib.decompress(open("objects/a2/4cab45003b97e5f5fd3d91032f72e1f52656b3").read())'
blob 35Your princess is in another castle

Follow the README.md object instead.

$ python -c 'import zlib; print zlib.decompress(open("objects/0f/f84f37f6467e28359783e46e5e3a34ed925c5f").read())'
blob 44# 1597

A git challenge series? Sounds fun.

Still nothing. Go through the objects that have not been checked yet.

$ python -c 'import zlib; print zlib.decompress(open("objects/0e/62cb7761a37139d11cefab222ac9a22c191231").read())' | xxd -g 1
00000000: 74 72 65 65 20 37 33 00 31 30 30 36 34 34 20 52  tree 73.100644 R
00000010: 45 41 44 4d 45 2e 6d 64 00 99 dd fa 85 06 ca 48  EADME.md.......H
00000020: 89 29 77 c7 62 39 76 a1 05 46 9a 04 27 31 30 30  .)w.b9v..F..'100
00000030: 36 34 34 20 66 6c 61 67 2e 74 78 74 00 01 3a 6d  644 flag.txt..:m
00000040: dd d6 00 1f 94 01 06 1e 56 11 8f e4 17 01 5d 1b  ........V.....].
00000050: 4c 0a                                            L.

$ python -c 'import zlib; print zlib.decompress(open("objects/01/3a6dddd6001f9401061e56118fe417015d1b4c").read())'
blob 45RS{git_is_just_a_tre3_with_lots_of_branches}
RS{git_is_just_a_tre3_with_lots_of_branches}

BIRDTHIEF: FYSA (Forensics)

$ foremost BIRDTHIEF_FYSA.pdf 
Processing: BIRDTHIEF_FYSA.pdf
|*|

Many JPGs were extracted, and one of them was an image with the flag written on it.

RS{Make_sure_t0_read_the_briefing}

Blob (Forensics)

Another git challenge.

$ git clone http://git.ritsec.club:7000/blob.git
Cloning into 'blob'...
$ cd blob
$ ls -la
合計 9
drwxrwxrwx 1 root root    0  410 10:09 .
drwxrwxrwx 1 root root 4096  410 10:09 ..
drwxrwxrwx 1 root root 4096  410 10:09 .git
-rwxrwxrwx 1 root root   59  410 10:09 README.md
-rwxrwxrwx 1 root root   43  410 10:09 flag.txt
$ cd .git
$ xxd -g -1 index
00000000: 4449 5243 0000 0002 0000 0002 6070 fab5  DIRC........`p..
00000010: 0000 0000 6070 fab5 0000 0000 0000 002d  ....`p.........-
00000020: 0000 e545 0000 81a4 0000 0000 0000 0000  ...E............
00000030: 0000 003b e597 cc86 a088 1ab3 028d ba09  ...;............
00000040: 0f88 c1cb d33a d9a4 0009 5245 4144 4d45  .....:....README
00000050: 2e6d 6400 6070 fab5 0000 0000 6070 fab5  .md.`p......`p..
00000060: 0000 0000 0000 002d 0000 e546 0000 81a4  .......-...F....
00000070: 0000 0000 0000 0000 0000 002b df57 6e13  ...........+.Wn.
00000080: e1ca 1c43 10d3 260f 63be f4db 4121 8ba0  ...C..&.c...A!..
00000090: 0008 666c 6167 2e74 7874 0000 5452 4545  ..flag.txt..TREE
000000a0: 0000 0019 0032 2030 0ab9 d675 3be8 0df8  .....2 0...u;...
000000b0: 63c3 656a a638 9418 d321 3c96 f291 5e34  c.ej.8...!<...^4
000000c0: ceb3 5218 c172 93f7 1e1c 0cfd 9651 8e96  ..R..r.......Q..
000000d0: 07                                       .

$ python -c 'import zlib; print zlib.decompress(open("objects/df/576e13e1ca1c4310d3260f63bef4db41218ba0").read())'
blob 43these aren't the droids you're looking for

$ cat config
[core]
	repositoryformatversion = 0
	filemode = false
	bare = false
	logallrefupdates = true
	symlinks = false
	ignorecase = true
[remote "origin"]
	url = http://git.ritsec.club:7000/blob.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
$ cat refs/heads/master
a69cb6306e8b75b6762d6aa1b0279244cacf3f3b
$ python -c 'import zlib; print zlib.decompress(open("objects/a6/9cb6306e8b75b6762d6aa1b0279244cacf3f3b").read())'
commit 167tree b9d6753be80df863c3656aa6389418d3213c96f2
author knif3 <knif3@mail.rit.edu> 1617947351 +0000
committer knif3 <knif3@mail.rit.edu> 1617947351 +0000

Initial Commit

$ python -c 'import zlib; print zlib.decompress(open("objects/b9/d6753be80df863c3656aa6389418d3213c96f2").read())' | xxd -g 1
00000000: 74 72 65 65 20 37 33 00 31 30 30 36 34 34 20 52  tree 73.100644 R
00000010: 45 41 44 4d 45 2e 6d 64 00 e5 97 cc 86 a0 88 1a  EADME.md........
00000020: b3 02 8d ba 09 0f 88 c1 cb d3 3a d9 a4 31 30 30  ..........:..100
00000030: 36 34 34 20 66 6c 61 67 2e 74 78 74 00 df 57 6e  644 flag.txt..Wn
00000040: 13 e1 ca 1c 43 10 d3 26 0f 63 be f4 db 41 21 8b  ....C..&.c...A!.
00000050: a0 0a                                            ..

Follow the README.md object instead.

$ python -c 'import zlib; print zlib.decompress(open("objects/e5/97cc86a0881ab3028dba090f88c1cbd33ad9a4").read())'
blob 59# Blob

That pesky flag should be around here somewhere...

Still nothing. Go through the objects that have not been checked yet.

$ python -c 'import zlib; print zlib.decompress(open("objects/d0/644363aa853a17c9672cefff587580a43cf45e").read())'
blob 27RS{refs_can_b3_secret_too}
RS{refs_can_b3_secret_too}
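
The object-by-object inspection used in 1597 and Blob can be automated. The following is an added example, not part of the original writeup: it builds a small constructed set of loose objects in a temporary directory and lists the blobs that are not reachable from a given commit. Function names and sample contents are assumptions made for the illustration, and packed objects are not handled.

```python
import hashlib
import os
import tempfile
import zlib


def write_loose(objdir, kind, body):
    """Store a loose object as git does: zlib("<type> <size>\\0" + body)."""
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_loose(objdir, sha):
    """Return (type, body) of one loose object, checking the size header."""
    with open(os.path.join(objdir, sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"{sha}: size header does not match body")
    return kind, body


def tree_entries(body):
    """Yield (name, sha) pairs; each entry is '<mode> <name>\\0' + 20 raw bytes."""
    pos = 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        _mode, name = body[pos:nul].decode().split(" ", 1)
        yield name, body[nul + 1:nul + 21].hex()
        pos = nul + 21


def reachable(objdir, start):
    """Collect every object id reachable from a commit via tree/parent links."""
    seen, todo = set(), [start]
    while todo:
        sha = todo.pop()
        if sha in seen:
            continue
        seen.add(sha)
        kind, body = read_loose(objdir, sha)
        if kind == "commit":
            headers = body.split(b"\n\n", 1)[0].decode()
            for line in headers.splitlines():
                key, _, value = line.partition(" ")
                if key in ("tree", "parent"):
                    todo.append(value)
        elif kind == "tree":
            todo.extend(child for _name, child in tree_entries(body))
    return seen


def unreachable_blobs(objdir, head):
    """Map id -> content for loose blobs that the given commit never references."""
    live = reachable(objdir, head)
    found = {}
    for prefix in sorted(os.listdir(objdir)):
        if len(prefix) != 2:          # skip 'pack' and 'info'
            continue
        for rest in sorted(os.listdir(os.path.join(objdir, prefix))):
            sha = prefix + rest
            if sha not in live:
                kind, body = read_loose(objdir, sha)
                if kind == "blob":
                    found[sha] = body
    return found


def demo():
    """Build a constructed object store and return the hidden blob contents."""
    with tempfile.TemporaryDirectory() as objdir:
        def tree(readme, flag):
            return (b"100644 README.md\0" + bytes.fromhex(readme)
                    + b"100644 flag.txt\0" + bytes.fromhex(flag))
        readme = write_loose(objdir, "blob", b"# sample\n")
        decoy = write_loose(objdir, "blob", b"not here\n")
        hidden = write_loose(objdir, "blob", b"FLAG{constructed_example}\n")
        visible_tree = write_loose(objdir, "tree", tree(readme, decoy))
        write_loose(objdir, "tree", tree(readme, hidden))  # used by no commit
        ident = b"a <a@example.invalid> 0 +0000\n"
        head = write_loose(objdir, "commit", b"tree " + visible_tree.encode()
                           + b"\nauthor " + ident + b"committer " + ident
                           + b"\nInitial Commit\n")
        return list(unreachable_blobs(objdir, head).values())


if __name__ == "__main__":
    print(demo())
```

Against a real clone, pass the path of .git/objects and the id from refs/heads/master to unreachable_blobs.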

PleaseClickAlltheThings 1: BegineersRITSEC.html (Forensics)

Export the HTML from the email attachment. It contains a script with a long URL-encoded string, so decode it.

<html>
<body>

<!DOCTYPE html>
<html>
<head>
    <title>Its just another friendly file from you're local CTF</title>
    <style type="text/css">
        html {
            height: 100%;
            width: 100%;
        }

        #feature {
            width: 980px;
            margin: 95px auto 0 auto;
            overflow: auto;
        }

        #content {
            font-family: "Segoe UI";
            font-weight: normal;
            font-size: 22px;
            color: #ffffff;
            float: left;
            width: 460px;
            margin-top: 68px;
            margin-left: 0px;
            vertical-align: middle;
        }

            #content h1 {
                font-family: "Segoe UI Light";
                color: #ffffff;
                font-weight: normal;
                font-size: 60px;
                line-height: 48pt;
                width: 980px;
            }

        p a, p a:visited, p a:active, p a:hover {
            color: #ffffff;
        }

        #content a.button {
            background: #0DBCF2;
            border: 1px solid #FFFFFF;
            color: #FFFFFF;
            display: inline-block;
            font-family: Segoe UI;
            font-size: 24px;
            line-height: 46px;
            margin-top: 10px;
            padding: 0 15px 3px;
            text-decoration: none;
        }

            #content a.button img {
                float: right;
                padding: 10px 0 0 15px;
            }

            #content a.button:hover {
                background: #1C75BC;
            }

/* loading dots */

.loading:after {
  content: '.';
  animation: dots 1s steps(5, end) infinite}

@keyframes dots {
  0%, 20% {
    color: rgba(0,0,0,0);
    text-shadow:
      .25em 0 0 rgba(0,0,0,0),
      .5em 0 0 rgba(0,0,0,0);}
  40% {
    color: white;
    text-shadow:
      .25em 0 0 rgba(0,0,0,0),
      .5em 0 0 rgba(0,0,0,0);}
  60% {
    text-shadow:
      .25em 0 0 white,
      .5em 0 0 rgba(0,0,0,0);}
  80%, 100% {
    text-shadow:
      .25em 0 0 white,
      .5em 0 0 white;}}
    </style>
</head>
<body bgcolor="#00abec">
    <div id="feature">
            <div id="content">
                <h1 id="unavailable" class="loading">Try Harder</h1>
                <p id="tryAgain" class="loading">The Defender That Could</p>
        </div>
    </div>
</body>


  <head> 
<flag="UklUU0VDe0gzcjMhdCEkfQ==">
</body>
  </html>
$ echo UklUU0VDe0gzcjMhdCEkfQ== | base64 -d
RITSEC{H3r3!t!$}
RITSEC{H3r3!t!$}

PleaseClickAlltheThings 2: GandCrab_Ursnif (Forensics)

Export GandCrab_Ursnif_RITSEC.docm from the email attachment.

$ olevba GandCrab_Ursnif_RITSEC.docm 
olevba 0.56.1 on Python 2.7.17 - http://decalage.info/python/oletools
===============================================================================
FILE: GandCrab_Ursnif_RITSEC.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module4.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Function TheDarkSide()
On Error Resume Next
CTF = Array(ElonMusk, StarWars, HelloWorld, Interaction.Shell(CleanString(Chewbacca.TextBox1), 43 - 43), Mars)
   Select Case Research
            Case 235003991
            CompetitorSkillz = That_of_a_Storm_Troopers_Aim_Research_Pending
            Flag = RITSEC{M@CROS}
            PendingResearch = Oct(Date + CStr(TimeStamp + Log(241371097) - PewPew / Hex(13775121)))
      End Select
End Function
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub autoopen()
TheDarkSide
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |autoopen            |Runs when the Word document is opened        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

The flag was included in the macro code.

RITSEC{M@CROS}

Please Click All the Things 3: IceID (Forensics)

Export IceID_Bokbot_RITSEC.docm from the email attachment.

$ olevba IceID_Bokbot_RITSEC.docm 
olevba 0.56.1 on Python 2.7.17 - http://decalage.info/python/oletools
===============================================================================
FILE: IceID_Bokbot_RITSEC.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
Function aRXKz()
aRXKz = frm.txt.Text
End Function
Public Function aTwLcg(alRUYI)
aTwLcg = Replace(alRUYI, a7sVN, "")
End Function
Sub AutoOpen()
main
End Sub
Public Sub a8hv3(ai295)
End Sub
End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Public Const aHVWt As String = "p_:_\_j_v_a_q_b_j_f_\_f_l_f_g_r_z_3_2_\_z_f_u_g_n__r_k_r_"
Public Const aqv6tf As String = "EVGFRP{E0GG1ATZ@YP0Q3}"

Public Const a7sVN As String = "_"
Public Const asXlUN As Integer = -954 + 967
Public Function aENoBO(aHu95, avuEG8)
FileNumber = FreeFile
Open aHu95 For Output As #FileNumber
Print #FileNumber, Spc(-413 + 456)
Print #FileNumber, avuEG8
Print #FileNumber, Spc(-413 + 456)
Close #FileNumber
End Function
Sub aUoaN(adDgz, at09Aq)
FileCopy adDgz, at09Aq
End Sub
Function anPr56(aCl8i)
anPr56 = Len(aCl8i)
End Function
Function a79yA(aO0h5k)
a79yA = aO0h5k + 12324 / 474
End Function
Function aHScDO(aoza8) As String
Dim alc6yS As Long
Dim a9uRX As Integer
Dim agyvb As Integer
For alc6yS = 1 To anPr56(aoza8)
agyvb = 0
aFxdHY = VBA.Mid$(aoza8, alc6yS, 1)
a9uRX = Asc(aFxdHY)
If (a9uRX > 64 And a9uRX < 91) Or (a9uRX > 96 And a9uRX < 123) Then
agyvb = asXlUN
a9uRX = a9uRX - agyvb
If a9uRX < 97 And a9uRX > 83 Then
a9uRX = a79yA(a9uRX)
ElseIf a9uRX < 65 Then
a9uRX = a79yA(a9uRX)
End If
End If
Mid$(aoza8, alc6yS, 1) = VBA.Chr$(a9uRX)
Next
aHScDO = aoza8
End Function
-------------------------------------------------------------------------------
VBA MACRO Module2.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub main()
auIPjp = aHScDO(aTwLcg(aHVWt))
aZuadn = aHScDO(aTwLcg(aqv6tf))
a9ANR = aHScDO(aTwLcg(aE0yGK))
aUoaN auIPjp, aZuadn
aENoBO a9ANR, aHScDO(aRXKz)
Shell aZuadn & " " & a9ANR
End Sub
-------------------------------------------------------------------------------
VBA MACRO UserForm1.frm 
in file: word/vbaProject.bin - OLE stream: u'VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub TextBox1_Change()

End Sub
-------------------------------------------------------------------------------
VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'UserForm1/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
<!QBPGLCR ugzy>
-------------------------------------------------------------------------------
VBA FORM Variable "TextBox1" IN 'word/vbaProject.bin' - OLE stream: u'UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
<!QBPGLCR ugzy>
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|AutoExec  |TextBox1_Change     |Runs when the file is opened and ActiveX     |
|          |                    |objects trigger events                       |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Open                |May open a file                              |
|Suspicious|Output              |May write to a file (if combined with Open)  |
|Suspicious|Print #             |May write to a file (if combined with Open)  |
|Suspicious|FileCopy            |May copy a file                              |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

Reformat the code.

Public Const a7sVN As String = "_"
Public Const asXlUN As Integer = -954 + 967

Sub AutoOpen()
  Function aRXKz()
    aRXKz = frm.txt.Text
  End Function

  Public Function aTwLcg(alRUYI)
    aTwLcg = Replace(alRUYI, a7sVN, "")
  End Function

  Sub AutoOpen()
    main
  End Sub

  Public Sub a8hv3(ai295)
  End Sub
End Sub

Public Function aENoBO(aHu95, avuEG8)
  FileNumber = FreeFile
  Open aHu95 For Output As #FileNumber
  Print #FileNumber, Spc(-413 + 456)
  Print #FileNumber, avuEG8
  Print #FileNumber, Spc(-413 + 456)
  Close #FileNumber
End Function

Sub aUoaN(adDgz, at09Aq)
  FileCopy adDgz, at09Aq
End Sub

Function anPr56(aCl8i)
  anPr56 = Len(aCl8i)
End Function

Function a79yA(aO0h5k)
  a79yA = aO0h5k + 12324 / 474
End Function

Function aHScDO(aoza8) As String
  Dim alc6yS As Long
  Dim a9uRX As Integer
  Dim agyvb As Integer
  For alc6yS = 1 To anPr56(aoza8)
    agyvb = 0
    aFxdHY = VBA.Mid$(aoza8, alc6yS, 1)
    a9uRX = Asc(aFxdHY)
    If (a9uRX > 64 And a9uRX < 91) Or (a9uRX > 96 And a9uRX < 123) Then
      agyvb = asXlUN
      a9uRX = a9uRX - agyvb
      If a9uRX < 97 And a9uRX > 83 Then
        a9uRX = a79yA(a9uRX)
      ElseIf a9uRX < 65 Then
        a9uRX = a79yA(a9uRX)
      End If
    End If
    Mid$(aoza8, alc6yS, 1) = VBA.Chr$(a9uRX)
  Next
  aHScDO = aoza8
End Function

Write out the parts that look related to the flag.

■aZuadn = aHScDO(aTwLcg(aqv6tf))
・aqv6tf = "EVGFRP{E0GG1ATZ@YP0Q3}"
・aTwLcg(aqv6tf) = "EVGFRP{E0GG1ATZ@YP0Q3}"

aHScDO performs rot13. Applying rot13 to EVGFRP{E0GG1ATZ@YP0Q3} gives the flag.

RITSEC{R0TT1NGM@LC0D3}
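
The decoding routine above, ported to Python as an added example (not part of the original writeup or of the challenge files). It applies the same steps to the other obfuscated strings in the olevba output and checks the routine against standard ROT13; the Python function names are chosen here, and the constants are copied from the macro dump above.

```python
import codecs

FILLER = "_"              # a7sVN: filler character removed by aTwLcg
SHIFT = -954 + 967        # asXlUN: evaluates to 13
WRAP = 12324 // 474       # value added by a79yA: evaluates to 26

# Obfuscated strings copied from the olevba output above.
SAMPLES = {
    "aHVWt": r"p_:_\_j_v_a_q_b_j_f_\_f_l_f_g_r_z_3_2_\_z_f_u_g_n__r_k_r_",
    "aqv6tf": "EVGFRP{E0GG1ATZ@YP0Q3}",
    "UserForm1/o": "<!QBPGLCR ugzy>",
}


def strip_filler(text):
    """aTwLcg: drop every filler character."""
    return text.replace(FILLER, "")


def shift_decode(text):
    """aHScDO: subtract 13 from each ASCII letter and wrap back into its case range."""
    out = []
    for ch in text:
        code = ord(ch)
        if 64 < code < 91 or 96 < code < 123:
            code -= SHIFT
            if 83 < code < 97:        # lowercase letter fell below 'a'
                code += WRAP
            elif code < 65:           # uppercase letter fell below 'A'
                code += WRAP
        out.append(chr(code))
    return "".join(out)


def deobfuscate(text):
    """The call chain used in main(): aHScDO(aTwLcg(value))."""
    return shift_decode(strip_filler(text))


def matches_rot13():
    """True if shift_decode agrees with ROT13 on every 7-bit ASCII character."""
    return all(shift_decode(chr(c)) == codecs.encode(chr(c), "rot_13")
               for c in range(128))


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", deobfuscate(value))
    print("same as rot13:", matches_rot13())
```

Besides the flag, this shows that aHVWt decodes to a path under c:\windows\system32 and that the UserForm string is the start of an HTML document.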

Inception CTF: Dream 1 (Forensics)

Extracting Reality.7z yields the following files.

・Subconscious.txt
・VanChase.7z

Subconscious.txt contains the following.

Wait a minute, whose subconscious are we going into, exactly? {dnalmaerD}CESTIR

Reversing it gives the flag.

RITSEC{Dreamland}

Inception CTF: Dream 2 (Forensics)

Continuation of Dream 1. Extracting VanChase.7z with the password "Dreamland" yields the following files.

・Kicks.ps1
・TheHotel.7z

The contents of Kicks.ps1 are as follows.

set-alias laylow "$env:ProgramFiles\7-Zip\7z.exe"
$7zf = "TheHotel.7z"
$7zp = "" # <---- Enter Password inbetween the Double Qoutes
$7zo = "-aoa"
laylow x $7zf "-p$7zp" $7zo
Start-Sleep -s 3
New-Item -Path $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\ -Name TheHotel -ItemType "directory"
Start-Sleep -s 3
Move-Item -Path $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\ThePointMan.txt -Destination $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\TheHotel\ThePointMan.txt
Move-Item -Path $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\? -Destination $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\TheHotel\?
Move-Item -Path $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\SnowFortress.7z -Destination $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\TheHotel\SnowFortress.7z
Start-Sleep -s 3
cd $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\TheHotel\ | cmd.exe --% /c type ? > ThePointMan.txt:?
Remove-Item -Path $env:userprofile\Desktop\InceptionCTF\Reality\VanChase\TheHotel\?

There does not seem to be any information about the password in it.

...\Desktop\InceptionCTF\Reality\VanChase>dir /AH
 ドライブ C のボリューム ラベルは S3A8244D001 です
 ボリューム シリアル番号は 50D2-38C8 です

 ...\Desktop\InceptionCTF\Reality\VanChase のディレクトリ

2021/02/25  02:42               137 Kidnap.txt
               1 個のファイル                 137 バイト
               0 個のディレクトリ  311,802,327,040 バイトの空き領域

There is a hidden file, Kidnap.txt.

...\Desktop\InceptionCTF\Reality\VanChase>type Kidnap.txt
An idea is like a virus, resilient, highly contagious.
52 49 54 53 45 43 7b 57 61 74 65 72 55 6e 64 65 72 54 68 65 42 72 69 64 67 65 7d

Decode these hexadecimal values as ASCII codes.

$ echo "52 49 54 53 45 43 7b 57 61 74 65 72 55 6e 64 65 72 54 68 65 42 72 69 64 67 65 7d" | tr -d " " | xxd -r -p
RITSEC{WaterUnderTheBridge}
RITSEC{WaterUnderTheBridge}

Inception CTF: Dream 3 (Forensics)

Continuation of Dream 2. Extracting TheHotel.7z with the password "WaterUnderTheBridge" yields the following files.

・(empty file name)
・SnowFortress.7z
・ThePointMan.txt

Give the file with the empty name an arbitrary file name and look at its contents.

You mean, a dream within a dream? NTIgNDkgNTQgNTMgNDUgNDMgN2IgNDYgNDAgMjEgMjEgNjkgNmUgNjcgNDUgNmMgNjUgNzYgNDAgNzQgNmYgNzIgN2Q=
$ echo NTIgNDkgNTQgNTMgNDUgNDMgN2IgNDYgNDAgMjEgMjEgNjkgNmUgNjcgNDUgNmMgNjUgNzYgNDAgNzQgNmYgNzIgN2Q= | base64 -d | tr -d " " | xxd -r -p
RITSEC{F@!!ingElev@tor}
RITSEC{F@!!ingElev@tor}

InceptionCTF: Dream 4 (STEGO)

Continuation of Dream 3. Extracting SnowFortress.7z with the password "F@!!ingElev@tor" yields the following files.

・Limbo.7z
・PasswordPath.exe

The file name of PasswordPath.exe contains an RLO character; read in left-to-right order it is PasswordP exe.hta. However, the content of the file is an exe. Near the end of this file, a script was found.

<script language="javascript">document.write(unescape('3c%68%74%6d%6c%3e%0a%3c%62%6f%64%79%3e%0a%0a%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%3e%0a%3c%68%74%6d%6c%3e%0a%3c%68%65%61%64%3e%0a%20%20%20%20%3c%74%69%74%6c%65%3e%4e%6f%6e%2c%20%6a%65%20%6e%65%20%72%65%67%72%65%74%74%65%20%72%69%65%6e%3c%2f%74%69%74%6c%65%3e%0a%3c%48%54%41%3a%41%50%50%4c%49%43%41%54%49%4f%4e%0a%20%20%41%50%50%4c%49%43%41%54%49%4f%4e%4e%41%4d%45%3d%22%4e%6f%6e%2c%20%6a%65%20%6e%65%20%72%65%67%72%65%74%74%65%20%72%69%65%6e%22%0a%20%20%49%44%3d%22%49%6e%63%65%70%74%69%6f%6e%22%0a%20%20%56%45%52%53%49%4f%4e%3d%22%31%2e%30%22%0a%20%20%53%43%52%4f%4c%4c%3d%22%6e%6f%22%2f%3e%0a%20%0a%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%0a%3c%2f%68%65%61%64%3e%0a%20%20%20%20%3c%64%69%76%20%69%64%3d%22%66%65%61%74%75%72%65%22%3e%0a%20%20%20%20%20%20%20%20%20%20%20%20%3c%64%69%76%20%69%64%3d%22%63%6f%6e%74%65%6e%74%0a%09%09%09%09%3c%2f%73%74%79%6c%65%3e%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3c%68%31%20%69%64%3d%22%75%6e%61%76%61%69%6c%61%62%6c%65%22%20%63%6c%61%73%73%3d%22%6c%6f%61%64%69%6e%67%22%3e%42%75%69%6c%64%69%6e%67%20%44%72%65%61%6d%73%2e%2e%2e%2e%3c%2f%68%31%3e%0a%09%09%09%09%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%20%6c%61%6e%67%75%61%67%65%3d%22%6a%61%76%61%73%63%72%69%70%74%22%3e%0a%09%09%09%09%09%66%75%6e%63%74%69%6f%6e%20%52%75%6e%46%69%6c%65%28%29%20%7b%0a%09%09%09%09%09%57%73%68%53%68%65%6c%6c%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%22%57%53%63%72%69%70%74%2e%53%68%65%6c%6c%22%29%3b%0a%09%09%09%09%09%57%73%68%53%68%65%6c%6c%2e%52%75%6e%28%22%6e%6f%74%65%70%61%64%20%25%55%53%45%52%50%52%4f%46%49%4c%45%25%2f%44%65%73%6b%74%6f%70%2f%49%6e%63%65%70%74%69%6f%6e%43%54%46%2f%52%65%61%6c%69%74%79%2f%56%61%6e%43%68%61%73%65%2f%54%68%65%48%6f%74%65%6c%2f%54%68%65%50%6f%69%6e%74%4d%61%6e%2e%74%78%74%22%2c%20%31%2c%20%66%61%6c%73%65%29%3b%0a%09%09%09%09%09%7d%0a%09%09%09%09%3c%2f%73%63%72%69%70%7
4%3e%0a%20%20%20%20%20%20%20%20%3c%2f%64%69%76%3e%0a%20%20%20%20%3c%2f%64%69%76%3e%0a%3c%62%6f%64%79%3e%0a%09%3c%69%6e%70%75%74%20%74%79%70%65%3d%22%62%75%74%74%6f%6e%22%20%76%61%6c%75%65%3d%22%49%6d%70%6c%61%6e%74%20%49%6e%63%65%70%74%69%6f%6e%20%48%65%72%65%22%20%6f%6e%63%6c%69%63%6b%3d%22%52%75%6e%46%69%6c%65%28%29%3b%22%2f%3e%0a%09%3c%70%20%73%74%79%6c%65%3d%22%63%6f%6c%6f%72%3a%77%68%69%74%65%3b%22%3e%0a%2d%2e%2e%20%2e%2d%2e%20%2e%20%2e%2d%20%2d%2d%20%2e%2e%2e%0a%2e%2e%2d%2e%20%2e%20%2e%20%2e%2d%2e%2e%0a%2e%2d%2e%20%2e%20%2e%2d%20%2e%2d%2e%2e%0a%2e%2d%2d%20%2e%2e%2e%2e%20%2e%20%2d%2e%0a%2e%2d%2d%20%2e%20%2e%2d%2d%2d%2d%2e%20%2e%2d%2e%20%2e%0a%2e%2e%20%2d%2e%0a%2d%20%2e%2e%2e%2e%20%2e%20%2d%2d%20%2e%2d%2e%2d%2e%2d%0a%2e%2e%20%2d%20%2e%2d%2d%2d%2d%2e%20%2e%2e%2e%0a%2d%2d%2d%20%2d%2e%20%2e%2d%2e%2e%20%2d%2e%2d%2d%0a%2e%2d%2d%20%2e%2e%2e%2e%20%2e%20%2d%2e%0a%2e%2d%2d%20%2e%0a%2e%2d%2d%20%2e%2d%20%2d%2e%2d%20%2e%0a%2e%2e%2d%20%2e%2d%2d%2e%0a%2d%20%2e%2e%2e%2e%20%2e%2d%20%2d%0a%2e%2d%2d%20%2e%0a%2e%2d%2e%20%2e%20%2e%2d%20%2e%2d%2e%2e%20%2e%2e%20%2d%2d%2e%2e%20%2e%0a%2e%2e%2e%20%2d%2d%2d%20%2d%2d%20%2e%20%2d%20%2e%2e%2e%2e%20%2e%2e%20%2d%2e%20%2d%2d%2e%0a%2e%2d%2d%20%2e%2d%20%2e%2e%2e%0a%2e%2d%20%2d%2e%2d%2e%20%2d%20%2e%2e%2d%20%2e%2d%20%2e%2d%2e%2e%20%2e%2d%2e%2e%20%2d%2e%2d%2d%0a%2e%2e%2e%20%2d%20%2e%2d%2e%20%2e%2d%20%2d%2e%20%2d%2d%2e%20%2e%20%2e%2d%2e%2d%2e%2d%0a%2e%2d%2e%20%2e%2e%20%2d%20%2e%2e%2e%20%2e%20%2d%2e%2d%2e%20%2d%2e%2e%2e%2d%20%2d%2e%2e%20%2e%2e%20%2e%2e%2e%2d%20%2e%20%2e%2d%2e%20%2e%2e%2e%20%2e%2e%20%2d%2d%2d%20%2d%2e%20%0a%3c%2f%70%3e%0a%3c%2f%62%6f%64%79%3e%0a%3c%2f%62%6f%64%79%3e%0a%20%20%3c%2f%68%74%6d%6c%3e'));</script>

Prepend % to the URL-encoded part and decode it.

<html>
<body>

<!DOCTYPE html>
<html>
<head>
    <title>Non, je ne regrette rien</title>
<HTA:APPLICATION
  APPLICATIONNAME="Non, je ne regrette rien"
  ID="Inception"
  VERSION="1.0"
  SCROLL="no"/>
 
<style type="text/css">
</head>
    <div id="feature">
            <div id="content
				</style>
                <h1 id="unavailable" class="loading">Building Dreams....</h1>
				<script type="text/javascript" language="javascript">
					function RunFile() {
					WshShell = new ActiveXObject("WScript.Shell");
					WshShell.Run("notepad %USERPROFILE%/Desktop/InceptionCTF/Reality/VanChase/TheHotel/ThePointMan.txt", 1, false);
					}
				</script>
        </div>
    </div>
<body>
	<input type="button" value="Implant Inception Here" onclick="RunFile();"/>
	<p style="color:white;">
-.. .-. . .- -- ...
..-. . . .-..
.-. . .- .-..
.-- .... . -.
.-- . .----. .-. .
.. -.
- .... . -- .-.-.-
.. - .----. ...
--- -. .-.. -.--
.-- .... . -.
.-- .
.-- .- -.- .
..- .--.
- .... .- -
.-- .
.-. . .- .-.. .. --.. .
... --- -- . - .... .. -. --.
.-- .- ...
.- -.-. - ..- .- .-.. .-.. -.--
... - .-. .- -. --. . .-.-.-
.-. .. - ... . -.-. -...- -.. .. ...- . .-. ... .. --- -. 
</p>
</body>
</body>
  </html>

Decode the Morse code.

DREAMS
FEEL
REAL
WHEN
WE'RE
IN
THEM.
IT'S
ONLY
WHEN
WE
WAKE
UP
THAT
WE
REALIZE
SOMETHING
WAS
ACTUALLY
STRANGE.
RITSEC=DIVERSION
RITSEC{DIVERSION}
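
The RLO file name noted at the start of this challenge can be checked mechanically. The following is an added example, not part of the original writeup: it reports bidirectional control characters in a name, approximates the displayed name, and compares the displayed extension, the real extension and the leading bytes. The sample name is constructed from the description above, the sample bytes are a constructed PE header prefix, and the display logic is a simplification of the Unicode bidirectional algorithm.

```python
import os

# Unicode bidirectional control characters that can reorder a displayed name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# A few leading-byte signatures, enough for the constructed sample below.
MAGIC = [(b"MZ", "exe"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]

SAMPLE_NAME = "PasswordP\u202eexe.hta"   # constructed from the name described above
SAMPLE_HEAD = b"MZ\x90\x00"              # constructed: first bytes of a PE file


def rendered_name(name):
    """Approximate the displayed name: text between RLO and PDF (or the end
    of the name) is drawn right to left. Simplified, not full UAX #9."""
    shown, run, in_rlo = [], [], False
    for ch in name:
        if ch == "\u202e":
            in_rlo = True
        elif ch == "\u202c" and in_rlo:
            shown.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(ch)
        else:
            shown.append(ch)
    shown.extend(reversed(run))
    return "".join(shown)


def extension(name):
    """Lower-case extension without the dot, taken from the stored byte order."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def sniff(head):
    """Guess the content type from the first bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def triage(name, head):
    """Summarise how a file presents itself versus what it is."""
    shown = rendered_name(name)
    return {
        "bidi_controls": [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS],
        "shown_as": shown,
        "shown_ext": extension(shown),
        "real_ext": extension(name),
        "content": sniff(head),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NAME, SAMPLE_HEAD))
```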

InceptionCTF: Dream 5 (STEGO)

Continuation of Dream 4. Extracting Limbo.7z with the password "DIVERSION" yields the following file.

・Inception.jpg
$ strings Inception.jpg
JFIF
!1-1)+..0
385.7(-.7
++-+-+++-+--+++-2+--77-+++-+-+---+-7+7-+7+++++7+++
#23B
$4Db
!12AQ
"m<(
/#Wq
dn<?B>
/#FX
	At^C
Et^C
=,%8
,WY|
WfA-Fwm
h|2;
g[eJ
 	R'l
*sv)(j
RUDx/
FaJ"
ERcR,U
P@&v
;a=U
@HU"T
Ll%Hb
~	MN
ME{k)b
$md{G
wI=S=
f?nv/
mQ>[
]9xw
,HXjUgJ
6 UklUU0VDezUyODQ5MX0g	
}c$F
O{x3
^&<Z
F?iU
4gg$
*&gT
N!F"<
!(ua
%2SM4
A9Jr
em[fT
QbEp
+mBS
cUXuVMz
#joI
U&iY
%y-1u
$ echo UklUU0VDezUyODQ5MX0g | base64 -d
RITSEC{528491}
RITSEC{528491}

lorem ipsum (CRYPTO)

Searching for "Incompraehensibilis Conseruator." showed that there is something called the Trithemius Ave Maria Cipher. Decrypt it with https://www.dcode.fr/trithemius-ave-maria.

RSTHISISTRITHEMIUS

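However, "RS{THISISTRITHEMIUS}" is not accepted as the flag. It seems to be case sensitive, so I looked over various things carefully. I tried decrypting while judging each letter by whether the first letter of the word is uppercase.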

Incompraehensibilis Conseruator.
Redemptor optimus
Iudex omnipotens
Sapientissimus omnipotens
Redemptor fabricator		
Iudex redemptor
Optimus magnus
Aeternus iudex
Auctor omnipotens.

The challenge text is as shown above, so assign upper and lower case to match it.

RSThIsIsTrItHeMiUs
RS{ThIsIsTrItHeMiUs}

RITSEC Hash (CRYPTO)

Implement the hash algorithm described in the PDF as a program, and brute-force it with the words in rockyou.txt.

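# Python 3 version of the solver.

def convert_unit(h, x, r):
    # One round: mix the six-element state h with input byte x and round number r.
    out = [-1] * 6

    cef = (h[2] ^ h[4]) & h[5]
    b5 = (h[1] >> 5) & 0xff
    d2 = (h[3] << 2) & 0xff

    out[0] = (cef + h[1] + d2 + x + r) & 0xff
    out[1] = h[0]
    out[2] = d2
    out[3] = b5
    out[4] = h[0] + h[5]
    out[5] = h[3]
    return out

def convert_rount_13(h, x):
    # Apply 13 rounds (r = 0..12) for one input byte.
    out = h
    for r in range(13):
        out = convert_unit(out, x, r)
    return out

def str_to_array(s):
    # String -> list of character codes.
    out = []
    for c in s:
        out.append(ord(c))
    return out

def array_to_hash(a):
    # List of values -> hex string, two digits per element.
    h = ''
    for e in a:
        h += hex(e)[2:].zfill(2)
    return h

def get_hash(s):
    # The initial state is the ASCII codes of 'RITSEC'.
    h = str_to_array('RITSEC')
    codes = str_to_array(s)
    for code in codes:
        h = convert_rount_13(h, code)
    hash = array_to_hash(h)
    return hash

# latin-1 maps every byte to one character, so non-UTF-8 entries still load.
with open('dict/rockyou.txt', 'r', encoding='latin-1') as f:
    words = f.read().split('\n')

# Try each word until the target hash is reproduced.
for word in words:
    h = get_hash(word)
    if h == '435818055906':
        flag = 'RS{%s}' % word
        print(flag)
        break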
RS{invaderzim}