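This CTF ran from 2021/10/9 7:00 (JST) to 2021/10/11 7:00 (JST).
I took part with a team again this time. We scored 4736 points and placed 14th out of 511 teams.
Below are writeups for the challenges I solved myself.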
Hash 4 (Hash Cracking 100)
After trying various formats, I was able to crack it as a GOST hash.
>hashcat.exe -m 6900 hash.txt rockyou.txt
hashcat (v6.2.4) starting
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 630, 3200/6484 MB (1621 MB allocatable), 24MCU
./OpenCL/m06900_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 32
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 1475 MB
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
451716a045ca5ec7f25e191ab5244c61aaeeb008c4753a2065e276f1baba4723:happyfamily
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 6900 (GOST R 34.11-94)
Hash.Target......: 451716a045ca5ec7f25e191ab5244c61aaeeb008c4753a2065e...ba4723
Time.Started.....: Sun Oct 10 08:04:54 2021 (1 sec)
Time.Estimated...: Sun Oct 10 08:04:55 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 32423 H/s (6.74ms) @ Accel:4 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 36865/14344384 (0.26%)
Rejected.........: 1/36865 (0.00%)
Restore.Point....: 30721/14344384 (0.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: zippy1 -> hockey5
Started: Sun Oct 10 08:02:33 2021
Stopped: Sun Oct 10 08:04:57 2021
DO{happyfamily}
Hash 5 (Hash Cracking 100)
Judging by the format, this is a bcrypt hash. I embedded the hash in a line that combines the passwd and shadow file formats and cracked it with john.
$ cat hash.txt
ctf:$2a$10$QlR/ZlXgQPWfx9JmRffMZutcL3o3w6JAiRbfvGda4u09lrfOvgcH6:1000:1000:ctf,,,:/home/ctf:/bin/bash
$ john --wordlist=dict/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cowabunga        (ctf)
1g 0:01:14:30 DONE (2021-10-10 10:04) 0.000223g/s 11.75p/s 11.75c/s 11.75C/s cowboys08..cleaner
Use the "--show" option to display all of the cracked passwords reliably
Session completed
DO{cowabunga}
Hash 6 (Hash Cracking 100)
As before, I embedded the hash in a line that combines the passwd and shadow file formats and cracked it with john.
$ cat hash.txt
ctf:$1$veryrand$QetWu27IoJ2FFSG30xKAQ.:1000:1000:ctf,,,:/home/ctf:/bin/bash
$ john --wordlist=dict/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
scottiebanks     (ctf)
1g 0:00:05:59 DONE (2021-10-10 08:33) 0.002779g/s 10830p/s 10830c/s 10830C/s scottishdance..scotticus1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
DO{scottiebanks}
Hash 7 (Hash Cracking 100)
Crack it as sha512crypt $6$, SHA512 (Unix).
>hashcat.exe -m 1800 hash.txt rockyou.txt
hashcat (v6.2.4) starting
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 630, 3200/6484 MB (1621 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 268 MB
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$6$veryrandomsalt$t8EIWEiDpWYzeC1c44q7f6ZENOuO2wagnrJBPs4d/PptWxAxlnH7qRcf0xnKagaOEHBN9dGBV5Y1syJSB3s6H1:igetmoney
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$veryrandomsalt$t8EIWEiDpWYzeC1c44q7f6ZENOuO2wagn...B3s6H1
Time.Started.....: Sun Oct 10 08:43:30 2021 (32 secs)
Time.Estimated...: Sun Oct 10 08:44:02 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1032 H/s (6.01ms) @ Accel:16 Loops:16 Thr:128 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32768/14344384 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 30720/14344384 (0.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidate.Engine.: Device Generator
Candidates.#1....: zombies -> dyesebel
Started: Sun Oct 10 08:42:43 2021
Stopped: Sun Oct 10 08:44:04 2021
DO{igetmoney}
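The hashes in Hash 5, 6 and 7 are told apart by their $id$ prefix, which also encodes the work factor that determines how slowly guesses can be tested. The following is an added example, not code from the original writeup; the function names are hypothetical. It parses the three hash strings above and reports scheme, iteration count and salt, which line up with the "iteration count is 1024" line in the john output and "Iteration:4992-5000" in the hashcat output.

```python
# Added example, not from the original writeup: identify a crypt(3) hash by its
# modular-crypt prefix and report the iteration count encoded in it.
import re

# id -> (scheme, iterations used when no "rounds=" field is present)
SCHEMES = {"1": ("md5crypt", 1000), "5": ("sha256crypt", 5000),
           "6": ("sha512crypt", 5000)}
# $2a$<cost>$<22-char salt><31-char digest>
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d\d)\$([./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$")

def parse_crypt(field):
    """Return scheme, iterations and salt for one modular-crypt hash string."""
    m = BCRYPT.match(field)
    if m:
        # bcrypt stores log2 of the iteration count as its cost
        return {"scheme": "bcrypt", "iterations": 2 ** int(m.group(1)),
                "salt": m.group(2)}
    parts = field.split("$")
    if len(parts) < 4 or parts[0] or parts[1] not in SCHEMES:
        raise ValueError("unrecognised hash format: %r" % field)
    scheme, iterations = SCHEMES[parts[1]]
    salt = parts[2]
    # sha256crypt/sha512crypt may carry an explicit "rounds=N" before the salt
    if scheme != "md5crypt" and salt.startswith("rounds="):
        if len(parts) < 5:
            raise ValueError("missing salt after rounds field")
        iterations, salt = int(salt[len("rounds="):]), parts[3]
    return {"scheme": scheme, "iterations": iterations, "salt": salt}

def parse_passwd_line(line):
    """Parse a combined passwd/shadow line (user:hash:uid:gid:...)."""
    user, field = line.split(":")[:2]
    return dict(parse_crypt(field), user=user)

# Hash strings as they appear in the Hash 5, 6 and 7 sections above.
SAMPLES = [
    "ctf:$2a$10$QlR/ZlXgQPWfx9JmRffMZutcL3o3w6JAiRbfvGda4u09lrfOvgcH6:1000:1000:ctf,,,:/home/ctf:/bin/bash",
    "ctf:$1$veryrand$QetWu27IoJ2FFSG30xKAQ.:1000:1000:ctf,,,:/home/ctf:/bin/bash",
    # constructed: the Hash 7 value wrapped in the same passwd-style line
    "ctf:$6$veryrandomsalt$t8EIWEiDpWYzeC1c44q7f6ZENOuO2wagnrJBPs4d/PptWxAxlnH7qRcf0xnKagaOEHBN9dGBV5Y1syJSB3s6H1:1000:1000:ctf,,,:/home/ctf:/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_passwd_line(line))
```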
Dyms, Syms, and Tabs (Reverse 100)
The challenge asks for the file name of the binary's source code, without the extension.
$ strings chall | grep "\.c"
.so.cachH3P
.so.cachH3J
../csu/libc-start.c
cxa_atexit.c
vfprintf-internal.c
wfileops.c
iofwide.c
strops.c
malloc.c
arena.c
../sysdeps/x86/cacheinfo.c
wcrtomb.c
wcsrtombs.c
mbsrtowcs_l.c
../sysdeps/unix/sysv/linux/getcwd.c
../sysdeps/unix/sysv/linux/getpagesize.c
../sysdeps/unix/sysv/linux/getsysstats.c
../elf/dl-tls.c
glibc.cpu.x86_shstk
glibc.cpu.hwcap_mask
glibc.cpu.x86_ibt
glibc.cpu.hwcaps
glibc.cpu.x86_data_cache_size
glibc.malloc.check
glibc.cpu.x86_shared_cache_size
glibc.cpu.x86_non_temporal_threshold
gconv.c
gconv_db.c
gconv_conf.c
gconv_builtin.c
../iconv/skeleton.c
gconv_simple.c
../iconv/loop.c
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
gconv_dl.c
findlocale.c
loadlocale.c
loadarchive.c
../stdio-common/printf_fphex.c
dl-load.c
dl-lookup.c
dl-hwcaps.c
dl-misc.c
../sysdeps/unix/sysv/linux/dl-origin.c
/etc/ld.so.cache
glibc-ld.so.cache1.1
dl-cache.c
../elf/dl-runtime.c
dl-open.c
dl-close.c
dl-deps.c
dl-version.c
__assert_fail_base.cold
_nl_load_domain.cold
_IO_new_fclose.cold
_IO_fflush.cold
_IO_puts.cold
_IO_wfile_underflow.cold
_IO_new_file_underflow.cold
__printf_fp_l.cold
__printf_fphex.cold
_IO_fputs.cold
_IO_fwrite.cold
_IO_getdelim.cold
uw_install_context_1.cold
read_encoded_value.cold
execute_stack_op.cold
uw_update_context_1.cold
execute_cfa_program.cold
uw_frame_state_for.cold
uw_init_context_1.cold
_Unwind_RaiseException_Phase2.cold
_Unwind_ForcedUnwind_Phase2.cold
_Unwind_GetGR.cold
_Unwind_SetGR.cold
_Unwind_RaiseException.cold
_Unwind_Resume.cold
_Unwind_Resume_or_Rethrow.cold
_Unwind_Backtrace.cold
read_encoded_value_with_base.cold
classify_object_over_fdes.cold
fde_single_encoding_compare.cold
fde_mixed_encoding_compare.cold
add_fdes.cold
linear_search_fdes.cold
_Unwind_IteratePhdrCallback.cold
search_object.cold
_Unwind_Find_FDE.cold
base_of_encoded_value.cold
__gcc_personality_v0.cold
intel_check_word.constprop.0
handle_intel.constprop.0
crtstuff.c
u_f0unD_dA_f1a4y4Y.c★
get_common_indices.constprop.0
get_extended_indices.constprop.0
systrim.constprop.0
unlink_chunk.constprop.0
add_module.constprop.0
find_module.constprop.0
lose.constprop.0
open_verify.constprop.0
add_path.constprop.0.isra.0
_dl_map_object_from_fd.constprop.0
.comment
One source file name (marked ★ above) stands out as suspicious.
DO{u_f0unD_dA_f1a4y4Y}
Setup: Files (Cloud Forensics 1)
The flag was written in the challenge statement.
DO{1_C4N_H4Z_CL0UD}
A door by any other name (Steganography 100)
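The Steganography page says "The cake is a lie", but copying the text reveals that blank characters are embedded in it. Decode the number of blank characters between each pair of ASCII characters as an ASCII code.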
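# Count the zero-width spaces (UTF-8 bytes e2 80 8b) between visible
# characters; each count is one ASCII code of the flag.
ZWSP = b'\xe2\x80\x8b'

with open('enc', 'rb') as f:
    data = f.read()

codes = []
count = 0
i = 0
while i < len(data):
    if data[i:i+3] == ZWSP:
        count += 1
        i += 3
    else:
        # A visible byte ends the current run of zero-width spaces.
        codes.append(count)
        count = 0
        i += 1

# The first entry is the run before the first visible character; skip it.
flag = ''
for code in codes[1:]:
    flag += chr(code)
print(flag)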
DO{1$_1NV1$1BL3}
A cornucopia of numbers (Steganography 75)
The file is a sequence of binary codes, so decode them. The result is a base64 string, and decoding that gives the flag.
import base64

with open('Bin.txt', 'r') as f:
    codes = f.read().split(' ')

# Each space-separated group is one character written in binary.
b64 = ''
for code in codes:
    b64 += chr(int(code, 2))

flag = base64.b64decode(b64).decode()
print(flag)
DO{C0nVeR510n_m4Dn355}
Queen's gambit (Steganography 100)
$ exiftool Freddie_Mercury.png
ExifTool Version Number : 10.80
File Name : Freddie_Mercury.png
Directory : .
File Size : 457 kB
File Modification Date/Time : 2021:10:09 11:02:37+09:00
File Access Date/Time : 2021:10:09 11:04:51+09:00
File Inode Change Date/Time : 2021:10:09 11:02:37+09:00
File Permissions : rwxrwxrwx
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 562
Image Height : 787
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Author : RE97VzNfYVIzX3RoM19DaDRtUDEwblN9
Image Size : 562x787
Megapixels : 0.442
The Author field contains what looks like a base64 string, so decode it.
$ echo RE97VzNfYVIzX3RoM19DaDRtUDEwblN9 | base64 -d
DO{W3_aR3_th3_Ch4mP10nS}
DO{W3_aR3_th3_Ch4mP10nS}
The Detective (Steganography 75)
$ strings Pika.jpeg | grep DO{
DO{H1d1nG_iN_Pl41n_SiGhT}
DO{H1d1nG_iN_Pl41n_SiGhT}
Not exactly Nestene's Autons (125)
Opening the image in Stegsolve and viewing Red plane 0 revealed the flag.
DO{B1t5_0n_4_p14N3}
Phreak File (Steganography 100)
$ file phreak_file.bmp
phreak_file.bmp: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
$ mv phreak_file.bmp phreak_file.wav
Opening it in Audacity shows that it contains DTMF tones.
Use https://unframework.github.io/dtmf-detect/ to recover the digits.
2 222 222 33 7777 7777 6 9999 333 444 555 33 7777
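Reading each group as multi-tap input on a phone keypad (2 = A, 222 = C, 33 = E, 7777 = S, and so on) gives:
ACCESSMZFILES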
DO{ACCESSMZFILES}
All around the word (Cryptography 75)
A row of national flags is shown, so look up which country each one belongs to.
1: Grenada
2: Eswatini
3: Oman
4: Grenada
5: Rwanda
6: Antigua and Barbuda
7: Palau
8: HOLY SEE
9: Yemen
Take the first letter of each country name, in order.
DO{GEOGRAPHY}
Constant Primes (Cryptography 75)
#!/usr/bin/python3
from Crypto.PublicKey import RSA

# Load the RSA private key supplied with the challenge.
with open('id_rsa', 'r') as f:
    priv_data = f.read()

c = 0x2085f3d3573cd709fad84bed9fe8dde419fb7c8e96aa95ec4651a3bc07b5552f321e03404943744d931a4a51a817cf190880a5efbf94aa828c45da5b31dcdefc

privkey = RSA.importKey(priv_data)
n = privkey.n
d = privkey.d

# Textbook RSA decryption: m = c^d mod n.
m = pow(c, d, n)
# Convert the plaintext integer back to bytes (little-endian here).
flag = m.to_bytes(m.bit_length() // 8 + 1, 'little').decode()
print(flag)
DO{RSA_1s_n0t_that_hard}
Rook to E4 (Cryptography 150)
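Each line appears to describe the positions of chess pieces. Enter the first line at https://lichess.org/analysis/standard.
The pieces form the letter "D". Enter the second and later lines the same way and read off the letters.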
DO{CHESSISCOOL}
Carousel (Cryptography 50)
Caesar cipher. Decrypt it with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher. It turned out to decrypt with ROT47.
DO{r07473_m3}
Simply Cipher (Cryptography 60)
Vigenere cipher. Decrypt it with https://www.guballa.de/vigenere-solver.
Today's flag is going to be CIPHER_AGAIN!
DO{CIPHER_AGAIN!}