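This competition was held from 2022/5/28 1:00 (JST) to 2022/5/29 13:00 (JST).
I took part with a team again this time. We scored 1356 points and placed 106th out of 435 teams.
Below are writeups for the challenges I solved myself.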
Sanity Check (Miscellaneous)
After joining the Discord server and reacting in the #rules channel, many more channels appear. The flag was written in the topic of the #quotes channel.
"If only the sanity check flag were byuctf{l3t_th3_g4m3s_b3g1n!}....." - Legoclones
byuctf{l3t_th3_g4m3s_b3g1n!}
Reconstruct (Miscellaneous)
The flag is masked, but it can be guessed from the parts that remain visible.
byuctf{even_w1th_the_l1ttlest_of_1nfo_1_can_reconstruct_1t}
Oh The Vanity (OSINT)
A reverse image search with the added keyword "mask phishing campaigns" turned up the following page.
https://www.darkreading.com/cloud/vanity-urls-could-be-spoofed-for-social-engineering-attacks
The publication date is May 11, 2022.
byuctf{05-11-2022}
Fun Fact (Reverse Engineering)
Base64-decode the code that is being executed.
#!/usr/bin/env python3 import base64 string = "aW1wb3J0IHJhbmRvbSwgc3RyaW5nCiAgICAKZGVmIG9wdGlvbl9vbmUoKToKICAgIHByaW50KCJcbkp1c3Qga2lkZGluZywgaXQncyBub3QgdGhhdCBlYXN5XG4iKQogICAgbWFpbigpCiAgICAKZGVmIG9wdGlvbl90d28oKToKICAgIHJhbmRvbV9mYWN0cyA9IFsiRWFjaCBhcm0gb2YgYW4gb2N0b3B1cyBoYXMgaXRzIG93biBuZXJ2b3VzIHN5c3RlbSIsICJDb21iIGplbGxpZXMgYXJlIHRyYW5zcGFyZW50LCBiaW9sdW1pbmVzY2VudCwgYW5kIGxpdmUgaW4gdGhlIHR3aWxpZ2h0IHpvbmUiLCAiU3RhciBmaXNoIGFyZSBlY2hpbm9kZXJtcyBhbmQgZG9uJ3QgaGF2ZSBicmFpbnMiLCAiR3JlZW5sYW5kIHNoYXJrcyBhcmUgdGhlIHNsb3dlc3Qgc2hhcmtzIGFuZCBkZXZlbG9wIHBhcmFzaXRlcyBpbiB0aGVpciBleWVzIiwgIldoYWxlIHNoYXJrcyBhcmUgdGhlIGxhcmdlc3Qgc2hhcmtzLCB3aXRoIG1vdXRocyB1cCB0byAxNSBmZWV0IHdpZGUgYnV0IGFyZSBvbmx5IGZpbHRlciBmZWVkZXJzIiwgIkJhc2tpbmcgc2hhcmtzIGFyZSBhbHNvIHNoYXJrcyB3aXRoIHdpZGUgbW91dGhzIHRoYXQgYXJlIG9ubHkgZmlsdGVyIGZlZWRlcnMiLCAiVGhlcmUgYXJlIGVsZWN0cmljIHN0aW5ncmF5cyB0aGF0IGFyZSBhYmxlIHRvIHNlbmQgZWxlY3RyaWMgc2hvY2tzIHRvIHByZWRhdG9ycyBpbiBvcmRlciB0byBzdHVuIHRoZW0gYW5kIGVzY2FwZSIsICJUaGUgcGFjZmljIG9jdG9wdXMgaXMgdGhlIGxhcmdlc3Qgb2N0b3B1cyIsICJUaGVyZSBhcmUgOCBzcGVjaWVzIG9mIHNlYSB0dXJ0bGVzLCBhbHRob3VnaCBpdCBpcyBkZWJhdGVkIHRoYXQgdGhlcmUgYXJlIG9ubHkgICBMZWF0aGVyYmFjayAgT2xpdmUgUmlkZGxleSAgS2VtcCBSaWRkbGV5ICBIYXdrc2JpbGwgIExvZ2dlcmhlYWQgIEZsYXRiYWNrICBHcmVlbiAgQmxhY2sgKGFsdG91Z2ggZGViYXRlZCB0byBiZSB0aGUgc2FtZSBzcGVjaWVzIGFzIEdyZWVuKSIsICJUaGUgbGVhdGhlcmJhY2sgc2VhIHR1cnRsZSBpcyB0aGUgbGFyZ2VzdCBzcGVjaWVzIG9mIHNlYSB0dXJ0bGUsIGdyb3dpbmcgdXAgdG8gOSBmZWV0IGxvbmciLCAiVGhlIGdlbmRlciBvZiBzZWEgdHVydGxlcyBpcyBkZXBlbmRlbnQgb24gdGhlIHRlbXBlcmF0dXJlIHdoZXJlIHRoZSBlZ2dzIHdlcmUgbGFpZCIsICJTZWEgdHVydGxlcyBhcmUgTk9UIHN0cmljdGx5IGhlcmJpdm9yZXMgYnV0IGFsc28gZWF0IGplbGx5ZmlzaCIsICJTZWEgdHVydGxlcyBuZWVkIHRvIGJyZWF0aCBhaXIuIElmIHRoZXkgYXJlIHNjYXJlZCBvZmYgdGhlIGJlYWNoIGJ5IGh1bWFucyB0aGV5IGNvdWxkIHBvdGVudGlhbGx5IHN3aW0gb3V0IHRvbyBmYXIgYW5kIHRoZW4gZHJvd24gYmVmb3JlIG1ha2luZyBpdCBiYWNrIHRvIGxhbmQiLCAiSGF3a3NiaWxsIHNlYSB0dXJ0bGVzIGFyZSBodW50ZWQgZG93biBmb3IgdGhlaXIgc2hlbGxzIiwgIkJybyBob3cgYXJlIGplbGx5ZmlzaCBhb
mltYWxzPz8gVGhleSBoYXZlIG5vIGJyYWlucyEgU2FtZSB3aXRoIHNlYSBzdGFycyIsICJTZWEgc3RhcnMgd2lsbCBraWxsIHRoZWlyIHByYXkgd2l0aCBhY2lkIGFuZCB0aGVuIHR1cm4gdGhlaXIgc3RvbWFjaHMgaW5zaWRlIG91dCB0byBlYXQiLCAiU2hhcmtzIGNhbiBhbHNvIHR1cm4gdGhlaXIgc3RvbWFjaHMgaW5zaWRlIG91dCB0byByZWdlcmdpdGF0ZSBmb29kIiwgIlRpZ2VyIHNoYXJrcyBoYXZlIGluY3JlZGlibHkgc2hhcnAgdGVldGggdGhhdCBjYW4gYml0ZSB0aHJvdWdoIG1ldGFsIiwgIlRpZ2VyIHNoYXJrcyBhcmUgY2FsbGVkIHRoZSBnYXJiYWdlIGd1dCBvZiB0aGUgc2VhIGFuZCB0aGVyZSBhcmUgYmVlbiBsaWNlbnNlIHBsYWNlcywgdGlyZXMsIGFuZCBvdGhlciB3ZWlyZCB0aGluZ3MgZm91bmQgaW4gdGhlaXIgc3RvbWFjaHMiLCAiU29tZSBzaGFya3MgZG9uJ3QgaGF2ZSB0byBiZSBjb25zdGFudGx5IG1vdmluZyBpbiBvcmRlciB0byBicmVhdGguIEJ1Y2NhbCBwdW1waW5nIHZzIG9ibGlnYXRlIHJhbSB2ZW50aWxhdGlvbiIsICJUaGUgb25seSBib25lcyBzaGFya3MgaGF2ZSBhcmUgdGhlaXIgamF3cy4gVGhlaXIgc2tlbGV0YWwgc3RydWN0dXJlIGlzIG1hZGUgb3V0IG9mIGNhcnRpbGFnZSIsICJUaGUgb25seSBib25lcyBhbiBvY3RvcHVzIGhhcyBpcyB0aGVpciBiZWFrLCB3aGljaCBpcyBpbiB0aGUgY2VudGVyIG9mIHRoZWlyIGFybXMiLCAiQW4gb2N0b3B1cyBjYW4gZml0IHRocm91Z2ggYW55dGhpbmcgdGhhdCB0aGVpciBiZWFrIGNhbiBmaXQgdGhyb3VnaCIsICJIYWdmaXNoIGFyZSBzbyB3ZWlyZCBndXlzLiBUaGV5IHByb2R1Y2UgYSBsb3Qgb2Ygc2xpbWUiLCAiT2N0b3B1c2VzIGFyZSBrbm93biB0byBiZSB2ZXJ5IHNtYXJ0IGFuZCB2ZXJ5IGN1cmlvdXMgY3JlYXR1cmVzLiBUaGV5IHdpbGwgaW52ZXN0aWdhdGUgYW5kIHBsYXkgd2l0aCBzY3ViYSBkaXZlcnMiLCAiVGhlIHNtYWxsZXN0IHNoYXJrIGlzIHNvbWUgdHlwZSBvZiBsYW50ZXJuIHNoYXJrIChmb3Jnb3QgdGhlIGV4YWN0IG5hbWUpIiwgIkxlbW9uIHNoYXJrcyBhcmUgbmFtZWQgc3VjaCBiZWNhdXNlIHRoZWlyIHNraW4gZmVlbHMgbGlrZSBsZW1vbiByaW5kcyIsICJDb29raWUgY3V0dGVyIHNoYXJrcyBhcmUgbmFtZWQgc3VjaCBiZWNhdXNlIHRoZWlyIHRlZXRoIHRha2Ugb3V0IHNtYWxsLCBjaXJjdWxhciBjaHVua3MsIGtpbmQgb2YgbGlrZSBhIGNvb2tpZSBjdXR0ZXIiLCAiRGVlcCBzZWEgYW5nbGVyIGZpc2g6IHRoZSBmZW1hbGUgaXMgbXVjaCwgbXVjaCBsYXJnZXIgdGhhbiB0aGUgbWFsZSIsICJJbiB0aGUgcGFzdCwgcGVvcGxlIGhhdmUgdHJpZWQgdG8gYWRkIGdyZWF0IHdoaXRlIHNoYXJrcyBpbnRvIGFxdWFyaXVtcy4gSG93ZXZlciwgdGhlIGdyZWF0IHdoaXRlcyB3b3VsZCBqdXN0IGRpZSBpZiB0aGV5IHdlcmUgcmVzdHJpY3RlZCB0byBzdWNoIGEgc21hbGwgc3BhY2UiLCAiVGhlIGxhcmdlc3QgamVsbHlmaXNoIGlzIGNhb
GxlZCB0aGUgbGlvbnMgbWFuZSIsICJNb3N0IHZlbm9tb3VzIGplbGx5ZmlzaCBpcyB0aGUgYm94amVsbHlmaXNoIiwgIk1vc3QgdmVub21vdXMgb2N0b3B1cyBpcyB0aGUgYmx1ZS1yaW5nZWQgb2N0b3B1cyIsICJNb3N0IHZlbmVtb3VzIHNlYSBzbmFpbCBpcyB0aGUgY29uZSBzbmFpbCIsICJTYW5kIGRvbGxhcnMgYXJlIGFjdHVhbGx5IHNlYSB1cmNoaW5zIiwgIlRoZSBjcm93biBvZiB0aG9ybnMgaXMgYW4gZXh0cmVtZWx5IGludmFzaXZlIHNwZWNpZXMgb2Ygc2VhIHN0YXIiLCAiVGhlIHNldmVyZWQgbGltYnMgb2Ygc2VhIHN0YXJzIHdpbGwgZ3JvdyBpbnRvIGFub3RoZXIgc2VhIHN0YXIiLCAiUGVvcGxlIHdvdWxkIHRyeSB0byBraWxsIHRoZSBjcm93biBvZiB0aG9ybnMgYnkgc21hc2hpbmcgdGhlbSwgYnV0IHRoYXQgYmFja2ZpcmVkIGJlY2F1c2UgdGhlIHNldmVyZWQgbGltYnMganVzdCBiZWNhbWUgYW5vdGhlciBzZWEgc3RhciIsICJBcmNoZXIgZmlzaCB3aWxsIHNwaXQgb3V0IHdhdGVyIHRvIGtub2NrIGJ1Z3Mgb2ZmIG9mIHBsYW50cyBzbyB0aGF0IHRoZXkgY2FuIGVhdCB0aGVtIiwgIkJhYnkgc2hhcmtzIGFyZSBjYWxsZWQgcHVwcyIsICJaZWJyYSBzaGFya3MgYXJlIG1vcmUgY29tbW9ubHkga25vd24gYXMgbGVvcGFyZCBzaGFya3MgaW4gYW5kIGFyb3VuZCB0aGUgQW5kYW1hbiBTZWEsIGJ1dCB0aGlzIGlzIGNvbmZ1c2luZyBhcyB0aGVyZSBpcyBhbm90aGVyIHNwZWNpZXMgb2Ygc2hhcmsgY2FsbGVkIHRoZSBsZW9wYXJkIHNoYXJrIiwgIk9yY2FzIGFyZSB0aGUgbGFyZ2VzdCBtZW1iZXJzIG9mIHRoZSBkb2xwaGluIGZhbWlseSIsICJLaWxsZXIgd2hhbGVzIGFyZSB0aGUgbW9zdCB3aWRlbHkgZGlzdHJpYnV0ZWQgbWFtbWFscywgb3RoZXIgdGhhbiBodW1hbnMgYW5kIHBvc3NpYmx5IGJyb3duIHJhdHMsIGFjY29yZGluZyB0byBTZWFXb3JsZC4gVGhleSBsaXZlIGluIGV2ZXJ5IG9jZWFuIGFyb3VuZCB0aGUgd29ybGQgYW5kIGhhdmUgYWRhcHRlZCB0byBkaWZmZXJlbnQgY2xpbWF0ZXMsIGZyb20gdGhlIHdhcm0gd2F0ZXJzIG5lYXIgdGhlIGVxdWF0b3IgdG8gdGhlIGljeSB3YXRlcnMgb2YgdGhlIE5vcnRoIGFuZCBTb3V0aCBQb2xlIHJlZ2lvbnMiXQogICAgcmFuZG9tX251bWJlciA9IHJhbmRvbS5yYW5kaW50KDAsIDQyKQogICAgcHJpbnQoIlxuIiwgcmFuZG9tX2ZhY3RzW3JhbmRvbV9udW1iZXJdLCAiXG4iKQogICAgbWFpbigpCgpkZWYgb3B0aW9uX3RocmVlKCk6CiAgICB1c2VyX2lucHV0ID0gaW5wdXQoIlxuRmxhZz4gIikKICAKICAgIHJhbmRvbV9hcnJheSA9IHhvcigiU25vd2ZsYWtlIGVlbHMgaGF2ZSB0d28gc2V0cyBvZiBqYXdzIiwgInByZXR0eSBjcmF6eSwgaHVoPyIpIAogICAgb3RoZXJfcmFuZG9tX2FycmF5ID0gbGlzdChzdHJpbmcucHJpbnRhYmxlKQogICAga2V5ID0gb3RoZXJfcmFuZG9tX2FycmF5W3JhbmRvbV9hcnJheVswXSArIHJhbmRvbV9hcnJheVs4XV0KICAgIAogICAgZW5jc
nlwdGVkID0gIiIuam9pbihbY2hyKG9yZCh4KSBeIG9yZChrZXkpKSBmb3IgeCBpbiB1c2VyX2lucHV0XSkKICAgIHByaW50KCJlbmNyeXB0ZWQ6ICIsIGVuY3J5cHRlZCkKCiAgICBpZihlbmNyeXB0ZWQgPT0gJ2clNGMkemMlZHo0Z2c7Jyk6CiAgICAgICAgcHJpbnQoIlN1Y2Nlc3MhIikKICAgIGVsc2U6CiAgICAgICAgcHJpbnQoIlxuVHJ5IGFnYWluIikKICAgICAgICBvcHRpb25fdGhyZWUoKQoKZGVmIHhvcihhLCBiKToKICAgIGtleSA9IFtdCiAgICBpID0gMAogICAgd2hpbGUgaSA8IGxlbihhKToKICAgICAgICBrZXkuYXBwZW5kKG9yZChhW2kgJSBsZW4oYSldKSBeIG9yZCgoYltpICUgbGVuKGIpXSkpKQogICAgICAgIGkgPSBpKzEKICAgIHJldHVybiBrZXkKCmRlZiBtYWluKCk6CiAgICBwcmludCgiRW50ZXIgMSB0byBwcmludCB0aGUgZmxhZyIpCiAgICBwcmludCgiRW50ZXIgMiBmb3IgYSBmdW4gZmFjdCBhYm91dCBvY2VhbiBjcmVhdHVyZXMiKQogICAgcHJpbnQoIkVudGVyIDMgdG8gY29udGludWUiKQoKICAgIHVzZXJfaW5wdXQgPSBpbnB1dCgiSW5wdXQ+ICIpCiAgICAKICAgIGlmKHVzZXJfaW5wdXQgPT0gJzEnKToKICAgICAgICBvcHRpb25fb25lKCkKICAgIGVsaWYodXNlcl9pbnB1dCA9PSAnMicpOgogICAgICAgIG9wdGlvbl90d28oKQogICAgZWxpZih1c2VyX2lucHV0ID09ICczJyk6CiAgICAgICAgb3B0aW9uX3RocmVlKCkKICAgIGVsc2U6CiAgICAgICAgcHJpbnQoIkludmFsaWQgb3B0aW9uIikKICAgICAgICAKbWFpbigp" print(base64.b64decode(string).decode())
The result of the base64 decode is as follows.
import random, string

def option_one():
    print("\nJust kidding, it's not that easy\n")
    main()

def option_two():
    random_facts = [
        "Each arm of an octopus has its own nervous system",
        "Comb jellies are transparent, bioluminescent, and live in the twilight zone",
        "Star fish are echinoderms and don't have brains",
        "Greenland sharks are the slowest sharks and develop parasites in their eyes",
        "Whale sharks are the largest sharks, with mouths up to 15 feet wide but are only filter feeders",
        "Basking sharks are also sharks with wide mouths that are only filter feeders",
        "There are electric stingrays that are able to send electric shocks to predators in order to stun them and escape",
        "The pacfic octopus is the largest octopus",
        "There are 8 species of sea turtles, although it is debated that there are only Leatherback Olive Riddley Kemp Riddley Hawksbill Loggerhead Flatback Green Black (altough debated to be the same species as Green)",
        "The leatherback sea turtle is the largest species of sea turtle, growing up to 9 feet long",
        "The gender of sea turtles is dependent on the temperature where the eggs were laid",
        "Sea turtles are NOT strictly herbivores but also eat jellyfish",
        "Sea turtles need to breath air. If they are scared off the beach by humans they could potentially swim out too far and then drown before making it back to land",
        "Hawksbill sea turtles are hunted down for their shells",
        "Bro how are jellyfish animals?? They have no brains! Same with sea stars",
        "Sea stars will kill their pray with acid and then turn their stomachs inside out to eat",
        "Sharks can also turn their stomachs inside out to regergitate food",
        "Tiger sharks have incredibly sharp teeth that can bite through metal",
        "Tiger sharks are called the garbage gut of the sea and there are been license places, tires, and other weird things found in their stomachs",
        "Some sharks don't have to be constantly moving in order to breath. Buccal pumping vs obligate ram ventilation",
        "The only bones sharks have are their jaws. Their skeletal structure is made out of cartilage",
        "The only bones an octopus has is their beak, which is in the center of their arms",
        "An octopus can fit through anything that their beak can fit through",
        "Hagfish are so weird guys. They produce a lot of slime",
        "Octopuses are known to be very smart and very curious creatures. They will investigate and play with scuba divers",
        "The smallest shark is some type of lantern shark (forgot the exact name)",
        "Lemon sharks are named such because their skin feels like lemon rinds",
        "Cookie cutter sharks are named such because their teeth take out small, circular chunks, kind of like a cookie cutter",
        "Deep sea angler fish: the female is much, much larger than the male",
        "In the past, people have tried to add great white sharks into aquariums. However, the great whites would just die if they were restricted to such a small space",
        "The largest jellyfish is called the lions mane",
        "Most venomous jellyfish is the boxjellyfish",
        "Most venomous octopus is the blue-ringed octopus",
        "Most venemous sea snail is the cone snail",
        "Sand dollars are actually sea urchins",
        "The crown of thorns is an extremely invasive species of sea star",
        "The severed limbs of sea stars will grow into another sea star",
        "People would try to kill the crown of thorns by smashing them, but that backfired because the severed limbs just became another sea star",
        "Archer fish will spit out water to knock bugs off of plants so that they can eat them",
        "Baby sharks are called pups",
        "Zebra sharks are more commonly known as leopard sharks in and around the Andaman Sea, but this is confusing as there is another species of shark called the leopard shark",
        "Orcas are the largest members of the dolphin family",
        "Killer whales are the most widely distributed mammals, other than humans and possibly brown rats, according to SeaWorld. They live in every ocean around the world and have adapted to different climates, from the warm waters near the equator to the icy waters of the North and South Pole regions",
    ]
    random_number = random.randint(0, 42)
    print("\n", random_facts[random_number], "\n")
    main()

def option_three():
    user_input = input("\nFlag> ")

    random_array = xor("Snowflake eels have two sets of jaws", "pretty crazy, huh?")
    other_random_array = list(string.printable)
    key = other_random_array[random_array[0] + random_array[8]]

    encrypted = "".join([chr(ord(x) ^ ord(key)) for x in user_input])
    print("encrypted: ", encrypted)

    if(encrypted == 'g%4c$zc%dz4gg;'):
        print("Success!")
    else:
        print("\nTry again")
        option_three()

def xor(a, b):
    key = []
    i = 0
    while i < len(a):
        key.append(ord(a[i % len(a)]) ^ ord((b[i % len(b)])))
        i = i+1
    return key

def main():
    print("Enter 1 to print the flag")
    print("Enter 2 for a fun fact about ocean creatures")
    print("Enter 3 to continue")

    user_input = input("Input> ")

    if(user_input == '1'):
        option_one()
    elif(user_input == '2'):
        option_two()
    elif(user_input == '3'):
        option_three()
    else:
        print("Invalid option")

main()
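Read the code of option_three(). The input is XORed character by character with a single-character key and compared against 'g%4c$zc%dz4gg;', so computing key and XORing it with 'g%4c$zc%dz4gg;' recovers the expected input.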
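#!/usr/bin/env python3
import string

# Same helper as in the decoded challenge code: XOR two strings position by position.
def xor(a, b):
    key = []
    i = 0
    while i < len(a):
        key.append(ord(a[i % len(a)]) ^ ord((b[i % len(b)])))
        i = i+1
    return key

# Value that option_three() compares the encrypted input against.
encrypted = 'g%4c$zc%dz4gg;'

# Reproduce the key derivation from option_three().
random_array = xor("Snowflake eels have two sets of jaws", "pretty crazy, huh?")
other_random_array = list(string.printable)
key = other_random_array[random_array[0] + random_array[8]]

# XOR is its own inverse, so applying the key again yields the plaintext.
message = "".join([chr(ord(x) ^ ord(key)) for x in encrypted])
flag = 'byuctf{%s}' % message
print(flag)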
byuctf{0rc4s-4r3-c00l}
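Because the key is a single character taken from string.printable, the derivation in option_three() does not even have to be reproduced: there are only 100 possible keys. The following is an added example (not part of the original writeup or of the challenge code) that tries every candidate key and keeps the plaintexts that fit an assumed flag character set of lowercase letters, digits, '-' and '_'; the function names are made up for this illustration.

```python
#!/usr/bin/env python3
import string

# Comparison value taken from option_three() in the decoded challenge code.
CIPHERTEXT = "g%4c$zc%dz4gg;"

# Assumption for this example: the text inside byuctf{...} only uses
# lowercase letters, digits, '-' and '_'.
FLAG_ALPHABET = set(string.ascii_lowercase + string.digits + "-_")


def derive_key():
    """Key as option_three() computes it, kept here only for comparison."""
    a = "Snowflake eels have two sets of jaws"
    b = "pretty crazy, huh?"
    first = ord(a[0]) ^ ord(b[0])
    ninth = ord(a[8]) ^ ord(b[8])
    return string.printable[first + ninth]


def xor_single(text, key):
    """XOR every character of text with the single character key."""
    return "".join(chr(ord(c) ^ ord(key)) for c in text)


def brute_force(ciphertext, alphabet=FLAG_ALPHABET):
    """Try each printable key; keep (key, plaintext) pairs that fit alphabet."""
    hits = []
    for key in string.printable:
        plain = xor_single(ciphertext, key)
        if all(c in alphabet for c in plain):
            hits.append((key, plain))
    return hits


if __name__ == "__main__":
    for key, plain in brute_force(CIPHERTEXT):
        print("key=%r -> byuctf{%s}" % (key, plain))
    print("derived key:", repr(derive_key()))
```

Only one key survives the character-set filter, and it matches the derived key, which shows that the two-sentence XOR and the string.printable lookup are obfuscation rather than protection.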
Basic Rev (Reverse Engineering)
Decompile it with Ghidra.
undefined8 main(void)

{
  int local_c;
  
  local_c = 0;
  std::operator<<((basic_ostream *)std::cout,"Enter an integer: ");
  std::basic_istream<char,std::char_traits<char>>::operator>>
            ((basic_istream<char,std::char_traits<char>> *)std::cin,&local_c);
  constructFlag(local_c);
  return 0;
}

void constructFlag(int param_1)

{
  basic_ostream *pbVar1;
  basic_string<char,std::char_traits<char>,std::allocator<char>> local_128 [47];
  allocator local_f9;
  basic_string local_f8 [8];
  basic_string local_d8 [8];
  basic_string local_b8 [8];
  basic_string local_98 [8];
  basic_string local_78 [8];
  basic_string local_58 [8];
  basic_string local_38 [10];
  
  std::allocator<char>::allocator();
                    /* try { // try from 001023d5 to 001023d9 has its CatchHandler @ 00102735 */
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::
  basic_string<std::allocator<char>>(local_128,"",&local_f9);
  std::allocator<char>::~allocator((allocator<char> *)&local_f9);
  if (param_1 == 0x121) {
                    /* try { // try from 0010240d to 00102535 has its CatchHandler @ 00102766 */
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,"ctf");
    std::operator+((char *)local_f8,(basic_string *)&DAT_0010300d);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_f8);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_f8);
    std::operator+((basic_string.conflict *)local_d8,(char *)local_128);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_d8);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_d8);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"t3");
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,'5');
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,'t');
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,'_');
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"fl");
    std::__cxx11::to_string((__cxx11 *)local_b8,4);
                    /* try { // try from 0010254a to 0010254e has its CatchHandler @ 00102752 */
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,local_b8);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_b8);
                    /* try { // try from 00102572 to 00102723 has its CatchHandler @ 00102766 */
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"g");
    std::operator+((basic_string.conflict *)local_98,(char *)local_128);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_98);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_98);
    std::operator+((basic_string.conflict *)local_78,(char *)local_128);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_78);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_78);
    std::operator+((basic_string.conflict *)local_58,(char *)local_128);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_58);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_58);
    std::operator+((basic_string.conflict *)local_38,(char *)local_128);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=
              (local_128,local_38);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_38);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"n0");
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,'r');
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"3");
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              (local_128,"}");
    pbVar1 = std::operator<<((basic_ostream *)std::cout,"Finished processing flag!");
    std::operator<<(pbVar1,"\n");
  }
  else {
    std::operator<<((basic_ostream *)std::cout,"Wrong number!");
  }
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
            (local_128);
  return;
}
Enter 0x121 (=289) as the input.
$ ./basic_rev
Enter an integer: 289
Finished processing flag!
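The program builds the flag in memory but never prints it, so it looks like the flag can only be seen by inspecting the intermediate state.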
$ gdb -q ./basic_rev
BFD: warning: /mnt/hgfs/Shared/basic_rev: unsupported GNU_PROPERTY_TYPE (5) type: 0xc0008002
Reading symbols from ./basic_rev...(no debugging symbols found)...done.
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x555555556789 (<main>: push rbp)
RBX: 0x0
RCX: 0xa0
RDX: 0x7fffffffdee8 --> 0x7fffffffe245 ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffded8 --> 0x7fffffffe22a ("/mnt/hgfs/Shared/basic_rev")
RDI: 0x1
RBP: 0x7fffffffddf0 --> 0x555555556f90 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffddf0 --> 0x555555556f90 (<__libc_csu_init>: push r15)
RIP: 0x55555555678d (<main+4>: sub rsp,0x10)
R8 : 0x7ffff782dd80 --> 0x0
R9 : 0x0
R10: 0x6
R11: 0x7ffff7484420 (<__GI___cxa_atexit>: push r13)
R12: 0x5555555562b0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffded0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555556788 <_Z13constructFlagi+1007>: ret
   0x555555556789 <main>: push rbp
   0x55555555678a <main+1>: mov rbp,rsp
=> 0x55555555678d <main+4>: sub rsp,0x10
   0x555555556791 <main+8>: mov DWORD PTR [rbp-0x4],0x0
   0x555555556798 <main+15>: lea rax,[rip+0x8bb] # 0x55555555705a
   0x55555555679f <main+22>: mov rsi,rax
   0x5555555567a2 <main+25>: lea rax,[rip+0x29d7] # 0x555555559180 <_ZSt4cout@GLIBCXX_3.4>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddf0 --> 0x555555556f90 (<__libc_csu_init>: push r15)
0008| 0x7fffffffddf8 --> 0x7ffff7462c87 (<__libc_start_main+231>: mov edi,eax)
0016| 0x7fffffffde00 --> 0xffffffffffffff90
0024| 0x7fffffffde08 --> 0x7fffffffded8 --> 0x7fffffffe22a ("/mnt/hgfs/Shared/basic_rev")
0032| 0x7fffffffde10 --> 0x1ffffff90
0040| 0x7fffffffde18 --> 0x555555556789 (<main>: push rbp)
0048| 0x7fffffffde20 --> 0x0
0056| 0x7fffffffde28 --> 0x33e06f8faa63850a
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x000055555555678d in main ()
gdb-peda$ disas constructFlag
Dump of assembler code for function _Z13constructFlagi:
   0x0000555555556399 <+0>: push rbp
   0x000055555555639a <+1>: mov rbp,rsp
   0x000055555555639d <+4>: push rbx
   0x000055555555639e <+5>: sub rsp,0x128
   0x00005555555563a5 <+12>: mov DWORD PTR [rbp-0x124],edi
   0x00005555555563ab <+18>: lea rax,[rbp-0xf1]
   0x00005555555563b2 <+25>: mov rdi,rax
   0x00005555555563b5 <+28>: call 0x555555556240 <_ZNSaIcEC1Ev@plt>
   0x00005555555563ba <+33>: lea rdx,[rbp-0xf1]
   0x00005555555563c1 <+40>: lea rax,[rbp-0x120]
   0x00005555555563c8 <+47>: lea rcx,[rip+0xc39] # 0x555555557008
   0x00005555555563cf <+54>: mov rsi,rcx
   0x00005555555563d2 <+57>: mov rdi,rax
   0x00005555555563d5 <+60>: call 0x555555556c26 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC2IS3_EEPKcRKS3_>
   0x00005555555563da <+65>: lea rax,[rbp-0xf1]
   0x00005555555563e1 <+72>: mov rdi,rax
   0x00005555555563e4 <+75>: call 0x555555556160 <_ZNSaIcED1Ev@plt>
   0x00005555555563e9 <+80>: cmp DWORD PTR [rbp-0x124],0x121
   0x00005555555563f3 <+90>: jne 0x55555555670b <_Z13constructFlagi+882>
   0x00005555555563f9 <+96>: lea rax,[rbp-0x120]
   0x0000555555556400 <+103>: lea rdx,[rip+0xc02] # 0x555555557009
   0x0000555555556407 <+110>: mov rsi,rdx
   0x000055555555640a <+113>: mov rdi,rax
   0x000055555555640d <+116>: call 0x5555555561d0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEPKc@plt>
   0x0000555555556412 <+121>: lea rax,[rbp-0xf0]
   0x0000555555556419 <+128>: lea rdx,[rbp-0x120]
   0x0000555555556420 <+135>: lea rcx,[rip+0xbe6] # 0x55555555700d
   0x0000555555556427 <+142>: mov rsi,rcx
   0x000055555555642a <+145>: mov rdi,rax
   0x000055555555642d <+148>: call 0x555555556cbe <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EEPKS5_RKS8_>
   0x0000555555556432 <+153>: lea rdx,[rbp-0xf0]
   0x0000555555556439 <+160>: lea rax,[rbp-0x120]
   0x0000555555556440 <+167>: mov rsi,rdx
   0x0000555555556443 <+170>: mov rdi,rax
   0x0000555555556446 <+173>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x000055555555644b <+178>: lea rax,[rbp-0xf0]
   0x0000555555556452 <+185>: mov rdi,rax
   0x0000555555556455 <+188>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x000055555555645a <+193>: lea rax,[rbp-0xd0]
   0x0000555555556461 <+200>: lea rcx,[rbp-0x120]
   0x0000555555556468 <+207>: lea rdx,[rip+0xba2] # 0x555555557011
   0x000055555555646f <+214>: mov rsi,rcx
   0x0000555555556472 <+217>: mov rdi,rax
   0x0000555555556475 <+220>: call 0x555555556bc4 <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EERKS8_PKS5_>
   0x000055555555647a <+225>: lea rdx,[rbp-0xd0]
   0x0000555555556481 <+232>: lea rax,[rbp-0x120]
   0x0000555555556488 <+239>: mov rsi,rdx
   0x000055555555648b <+242>: mov rdi,rax
   0x000055555555648e <+245>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x0000555555556493 <+250>: lea rax,[rbp-0xd0]
   0x000055555555649a <+257>: mov rdi,rax
   0x000055555555649d <+260>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x00005555555564a2 <+265>: lea rax,[rbp-0x120]
   0x00005555555564a9 <+272>: lea rdx,[rip+0xb63] # 0x555555557013
   0x00005555555564b0 <+279>: mov rsi,rdx
   0x00005555555564b3 <+282>: mov rdi,rax
   0x00005555555564b6 <+285>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x00005555555564bb <+290>: mov eax,DWORD PTR [rbp-0x124]
   0x00005555555564c1 <+296>: add eax,0x14
   0x00005555555564c4 <+299>: movsx edx,al
   0x00005555555564c7 <+302>: lea rax,[rbp-0x120]
   0x00005555555564ce <+309>: mov esi,edx
   0x00005555555564d0 <+311>: mov rdi,rax
   0x00005555555564d3 <+314>: call 0x5555555560c0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEc@plt>
   0x00005555555564d8 <+319>: mov eax,DWORD PTR [rbp-0x124]
   0x00005555555564de <+325>: add eax,0x53
   0x00005555555564e1 <+328>: movsx edx,al
   0x00005555555564e4 <+331>: lea rax,[rbp-0x120]
   0x00005555555564eb <+338>: mov esi,edx
   0x00005555555564ed <+340>: mov rdi,rax
   0x00005555555564f0 <+343>: call 0x5555555560c0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEc@plt>
   0x00005555555564f5 <+348>: lea rax,[rbp-0x120]
   0x00005555555564fc <+355>: mov esi,0x5f
   0x0000555555556501 <+360>: mov rdi,rax
   0x0000555555556504 <+363>: call 0x5555555560c0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEc@plt>
   0x0000555555556509 <+368>: lea rax,[rbp-0x120]
   0x0000555555556510 <+375>: lea rdx,[rip+0xaff] # 0x555555557016
   0x0000555555556517 <+382>: mov rsi,rdx
   0x000055555555651a <+385>: mov rdi,rax
   0x000055555555651d <+388>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x0000555555556522 <+393>: lea rax,[rbp-0xb0]
   0x0000555555556529 <+400>: mov esi,0x4
   0x000055555555652e <+405>: mov rdi,rax
   0x0000555555556531 <+408>: call 0x555555556879 <_ZNSt7__cxx119to_stringEi>
   0x0000555555556536 <+413>: lea rdx,[rbp-0xb0]
   0x000055555555653d <+420>: lea rax,[rbp-0x120]
   0x0000555555556544 <+427>: mov rsi,rdx
   0x0000555555556547 <+430>: mov rdi,rax
   0x000055555555654a <+433>: call 0x5555555561c0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLERKS4_@plt>
   0x000055555555654f <+438>: lea rax,[rbp-0xb0]
   0x0000555555556556 <+445>: mov rdi,rax
   0x0000555555556559 <+448>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x000055555555655e <+453>: lea rax,[rbp-0x120]
   0x0000555555556565 <+460>: lea rdx,[rip+0xaad] # 0x555555557019
   0x000055555555656c <+467>: mov rsi,rdx
   0x000055555555656f <+470>: mov rdi,rax
   0x0000555555556572 <+473>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x0000555555556577 <+478>: lea rax,[rbp-0x90]
   0x000055555555657e <+485>: lea rcx,[rbp-0x120]
   0x0000555555556585 <+492>: lea rdx,[rip+0xa8f] # 0x55555555701b
   0x000055555555658c <+499>: mov rsi,rcx
   0x000055555555658f <+502>: mov rdi,rax
   0x0000555555556592 <+505>: call 0x555555556bc4 <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EERKS8_PKS5_>
   0x0000555555556597 <+510>: lea rdx,[rbp-0x90]
   0x000055555555659e <+517>: lea rax,[rbp-0x120]
   0x00005555555565a5 <+524>: mov rsi,rdx
   0x00005555555565a8 <+527>: mov rdi,rax
   0x00005555555565ab <+530>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x00005555555565b0 <+535>: lea rax,[rbp-0x90]
   0x00005555555565b7 <+542>: mov rdi,rax
   0x00005555555565ba <+545>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x00005555555565bf <+550>: lea rax,[rbp-0x70]
   0x00005555555565c3 <+554>: lea rcx,[rbp-0x120]
   0x00005555555565ca <+561>: lea rdx,[rip+0xa4d] # 0x55555555701e
   0x00005555555565d1 <+568>: mov rsi,rcx
   0x00005555555565d4 <+571>: mov rdi,rax
   0x00005555555565d7 <+574>: call 0x555555556bc4 <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EERKS8_PKS5_>
   0x00005555555565dc <+579>: lea rdx,[rbp-0x70]
   0x00005555555565e0 <+583>: lea rax,[rbp-0x120]
   0x00005555555565e7 <+590>: mov rsi,rdx
   0x00005555555565ea <+593>: mov rdi,rax
   0x00005555555565ed <+596>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x00005555555565f2 <+601>: lea rax,[rbp-0x70]
   0x00005555555565f6 <+605>: mov rdi,rax
   0x00005555555565f9 <+608>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x00005555555565fe <+613>: lea rax,[rbp-0x50]
   0x0000555555556602 <+617>: lea rcx,[rbp-0x120]
   0x0000555555556609 <+624>: lea rdx,[rip+0xa14] # 0x555555557024
   0x0000555555556610 <+631>: mov rsi,rcx
   0x0000555555556613 <+634>: mov rdi,rax
   0x0000555555556616 <+637>: call 0x555555556bc4 <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EERKS8_PKS5_>
   0x000055555555661b <+642>: lea rdx,[rbp-0x50]
   0x000055555555661f <+646>: lea rax,[rbp-0x120]
   0x0000555555556626 <+653>: mov rsi,rdx
   0x0000555555556629 <+656>: mov rdi,rax
   0x000055555555662c <+659>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x0000555555556631 <+664>: lea rax,[rbp-0x50]
   0x0000555555556635 <+668>: mov rdi,rax
   0x0000555555556638 <+671>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x000055555555663d <+676>: lea rax,[rbp-0x30]
   0x0000555555556641 <+680>: lea rcx,[rbp-0x120]
   0x0000555555556648 <+687>: lea rdx,[rip+0x9d7] # 0x555555557026
   0x000055555555664f <+694>: mov rsi,rcx
   0x0000555555556652 <+697>: mov rdi,rax
   0x0000555555556655 <+700>: call 0x555555556bc4 <_ZStplIcSt11char_traitsIcESaIcEENSt7__cxx1112basic_stringIT_T0_T1_EERKS8_PKS5_>
   0x000055555555665a <+705>: lea rdx,[rbp-0x30]
   0x000055555555665e <+709>: lea rax,[rbp-0x120]
   0x0000555555556665 <+716>: mov rsi,rdx
   0x0000555555556668 <+719>: mov rdi,rax
   0x000055555555666b <+722>: call 0x5555555561a0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@plt>
   0x0000555555556670 <+727>: lea rax,[rbp-0x30]
   0x0000555555556674 <+731>: mov rdi,rax
   0x0000555555556677 <+734>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x000055555555667c <+739>: lea rax,[rbp-0x120]
   0x0000555555556683 <+746>: lea rdx,[rip+0x99f] # 0x555555557029
   0x000055555555668a <+753>: mov rsi,rdx
   0x000055555555668d <+756>: mov rdi,rax
   0x0000555555556690 <+759>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x0000555555556695 <+764>: lea rax,[rbp-0x120]
   0x000055555555669c <+771>: mov esi,0x72
   0x00005555555566a1 <+776>: mov rdi,rax
   0x00005555555566a4 <+779>: call 0x5555555560c0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEc@plt>
   0x00005555555566a9 <+784>: lea rax,[rbp-0x120]
   0x00005555555566b0 <+791>: lea rdx,[rip+0x975] # 0x55555555702c
   0x00005555555566b7 <+798>: mov rsi,rdx
   0x00005555555566ba <+801>: mov rdi,rax
   0x00005555555566bd <+804>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x00005555555566c2 <+809>: lea rax,[rbp-0x120]
   0x00005555555566c9 <+816>: lea rdx,[rip+0x95e] # 0x55555555702e
   0x00005555555566d0 <+823>: mov rsi,rdx
   0x00005555555566d3 <+826>: mov rdi,rax
   0x00005555555566d6 <+829>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x00005555555566db <+834>: lea rax,[rip+0x94e] # 0x555555557030
   0x00005555555566e2 <+841>: mov rsi,rax
   0x00005555555566e5 <+844>: lea rax,[rip+0x2a94] # 0x555555559180 <_ZSt4cout@GLIBCXX_3.4>
   0x00005555555566ec <+851>: mov rdi,rax
   0x00005555555566ef <+854>: call 0x555555556140 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
   0x00005555555566f4 <+859>: mov rdx,rax
   0x00005555555566f7 <+862>: lea rax,[rip+0x94c] # 0x55555555704a
   0x00005555555566fe <+869>: mov rsi,rax
   0x0000555555556701 <+872>: mov rdi,rdx
   0x0000555555556704 <+875>: call 0x555555556140 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
   0x0000555555556709 <+880>: jmp 0x555555556724 <_Z13constructFlagi+907>
   0x000055555555670b <+882>: lea rax,[rip+0x93a] # 0x55555555704c
   0x0000555555556712 <+889>: mov rsi,rax
   0x0000555555556715 <+892>: lea rax,[rip+0x2a64] # 0x555555559180 <_ZSt4cout@GLIBCXX_3.4>
   0x000055555555671c <+899>: mov rdi,rax
   0x000055555555671f <+902>: call 0x555555556140 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
   0x0000555555556724 <+907>: lea rax,[rbp-0x120]
   0x000055555555672b <+914>: mov rdi,rax
   0x000055555555672e <+917>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x0000555555556733 <+922>: jmp 0x555555556783 <_Z13constructFlagi+1002>
   0x0000555555556735 <+924>: mov rbx,rax
   0x0000555555556738 <+927>: lea rax,[rbp-0xf1]
   0x000055555555673f <+934>: mov rdi,rax
   0x0000555555556742 <+937>: call 0x555555556160 <_ZNSaIcED1Ev@plt>
   0x0000555555556747 <+942>: mov rax,rbx
   0x000055555555674a <+945>: mov rdi,rax
   0x000055555555674d <+948>: call 0x555555556230 <_Unwind_Resume@plt>
   0x0000555555556752 <+953>: mov rbx,rax
   0x0000555555556755 <+956>: lea rax,[rbp-0xb0]
   0x000055555555675c <+963>: mov rdi,rax
   0x000055555555675f <+966>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x0000555555556764 <+971>: jmp 0x555555556769 <_Z13constructFlagi+976>
   0x0000555555556766 <+973>: mov rbx,rax
   0x0000555555556769 <+976>: lea rax,[rbp-0x120]
   0x0000555555556770 <+983>: mov rdi,rax
   0x0000555555556773 <+986>: call 0x5555555560b0 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev@plt>
   0x0000555555556778 <+991>: mov rax,rbx
   0x000055555555677b <+994>: mov rdi,rax
   0x000055555555677e <+997>: call 0x555555556230 <_Unwind_Resume@plt>
   0x0000555555556783 <+1002>: mov rbx,QWORD PTR [rbp-0x8]
   0x0000555555556787 <+1006>: leave
   0x0000555555556788 <+1007>: ret
End of assembler dump.
gdb-peda$ b *0x00005555555566d6
Breakpoint 2 at 0x5555555566d6
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/basic_rev
Enter an integer: 289
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3")
RBX: 0x0
RCX: 0x7fffffffffffffe2
RDX: 0x55555555702e --> 0x6873696e6946007d ('}')
RSI: 0x55555555702e --> 0x6873696e6946007d ('}')
RDI: 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3")
RBP: 0x7fffffffddd0 --> 0x7fffffffddf0 --> 0x555555556f90 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdca0 --> 0x0
RIP: 0x5555555566d6 (<_Z13constructFlagi+829>: )
R8 : 0x30 ('0')
R9 : 0x0
R10: 0x55555555a010 --> 0x10201
R11: 0x0
R12: 0x5555555562b0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffded0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555566c9 <_Z13constructFlagi+816>: lea rdx,[rip+0x95e] # 0x55555555702e
   0x5555555566d0 <_Z13constructFlagi+823>: mov rsi,rdx
   0x5555555566d3 <_Z13constructFlagi+826>: mov rdi,rax
=> 0x5555555566d6 <_Z13constructFlagi+829>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt>
   0x5555555566db <_Z13constructFlagi+834>: lea rax,[rip+0x94e] # 0x555555557030
   0x5555555566e2 <_Z13constructFlagi+841>: mov rsi,rax
   0x5555555566e5 <_Z13constructFlagi+844>: lea rax,[rip+0x2a94] # 0x555555559180 <_ZSt4cout@GLIBCXX_3.4>
   0x5555555566ec <_Z13constructFlagi+851>: mov rdi,rax
Guessed arguments:
arg[0]: 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3")
arg[1]: 0x55555555702e --> 0x6873696e6946007d ('}')
arg[2]: 0x55555555702e --> 0x6873696e6946007d ('}')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdca0 --> 0x0
0008| 0x7fffffffdca8 --> 0x12100000000
0016| 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3")
0024| 0x7fffffffdcb8 --> 0x1e
0032| 0x7fffffffdcc0 --> 0x30 ('0')
0040| 0x7fffffffdcc8 --> 0x346c665f743533 ('35t_fl4')
0048| 0x7fffffffdcd0 --> 0xa ('\n')
0056| 0x7fffffffdcd8 --> 0x7fffffffffffffff
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x00005555555566d6 in constructFlag(int) ()
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3}")
RBX: 0x0
RCX: 0x7fffffffffffffe1
RDX: 0x1
RSI: 0x55555555702e --> 0x6873696e6946007d ('}')
RDI: 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3}")
RBP: 0x7fffffffddd0 --> 0x7fffffffddf0 --> 0x555555556f90 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdca0 --> 0x0
RIP: 0x5555555566db (<_Z13constructFlagi+834>: )
R8 : 0x30 ('0')
R9 : 0x0
R10: 0x55555555a010 --> 0x10201
R11: 0x0
R12: 0x5555555562b0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffded0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------] 0x5555555566d0 <_Z13constructFlagi+823>: mov rsi,rdx 0x5555555566d3 <_Z13constructFlagi+826>: mov rdi,rax 0x5555555566d6 <_Z13constructFlagi+829>: call 0x555555556130 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc@plt> => 0x5555555566db <_Z13constructFlagi+834>: lea rax,[rip+0x94e] # 0x555555557030 0x5555555566e2 <_Z13constructFlagi+841>: mov rsi,rax 0x5555555566e5 <_Z13constructFlagi+844>: lea rax,[rip+0x2a94] # 0x555555559180 <_ZSt4cout@GLIBCXX_3.4> 0x5555555566ec <_Z13constructFlagi+851>: mov rdi,rax 0x5555555566ef <_Z13constructFlagi+854>: call 0x555555556140 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> [------------------------------------stack-------------------------------------] 0000| 0x7fffffffdca0 --> 0x0 0008| 0x7fffffffdca8 --> 0x12100000000 0016| 0x7fffffffdcb0 --> 0x55555556c750 ("byuctf{t35t_fl4g_pl3453_ign0r3}") 0024| 0x7fffffffdcb8 --> 0x1f 0032| 0x7fffffffdcc0 --> 0x30 ('0') 0040| 0x7fffffffdcc8 --> 0x346c665f743533 ('35t_fl4') 0048| 0x7fffffffdcd0 --> 0xa ('\n') 0056| 0x7fffffffdcd8 --> 0x7fffffffffffffff [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00005555555566db in constructFlag(int) ()
byuctf{t35t_fl4g_pl3453_ign0r3}
Fetaverse (Web)
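The image files are linked with paths of the form img/xxx.jpg. Accessing http://fetaverse.byuctf.xyz/img/ shows a directory index, which reveals a memes/ directory, so I access that next. It contains meme1.png through meme7.png; going through them, the flag was written in meme7.png.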
byuctf{welc0me_t0_the_fetaverse}
Alpine 1 (Forensics/Steg)
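An ova file is attached, so I boot it in VirtualBox and log in as the root user. SSH logins apparently still succeed even after the password was changed, so I check whether key-based authentication is set up.
localhost:~# cd /home/mjohnson/.ssh
localhost:/home/mjohnson/.ssh# ls
authorized_keys id_rsa id_rsa.pub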
byuctf{/home/mjohnson/.ssh/authorized_keys}
Alpine 2 (Forensics/Steg)
The task is to answer with the attacker's IP address. I check the logs.
localhost:/home/mjohnson/.ssh# cd /var/log
localhost:/var/log# ls
acpid.log chrony dmesg messages wtmp
localhost:/var/log# ls
localhost:/var/log# cat messages | grep sshd
:
Apr 28 14:17:30 localhost auth.info sshd[1940]: Accepted password for mjohnson from 10.37.184.245
:
byuctf{10.37.184.245}
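The log review from Alpine 1 and Alpine 2 can also be scripted; the following is an added example, not part of the original writeup. The log lines are constructed (documentation addresses, same syslog layout as the line quoted above), and the "password first, public key later" heuristic is an assumption about what is worth flagging when an authorized_keys file may have been planted.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from the challenge image.
SAMPLE_LOG = """\
Apr 28 14:02:11 localhost auth.info sshd[1801]: Failed password for mjohnson from 192.0.2.50 port 40112 ssh2
Apr 28 14:02:15 localhost auth.info sshd[1801]: Accepted password for mjohnson from 192.0.2.50 port 40112 ssh2
Apr 28 15:40:02 localhost auth.info sshd[2210]: Accepted publickey for mjohnson from 192.0.2.50 port 40390 ssh2: RSA SHA256:CONSTRUCTED
Apr 28 16:01:44 localhost auth.info sshd[2302]: Accepted password for root from 198.51.100.7 port 51022 ssh2
"""

# sshd success lines: "Accepted <method> for <user> from <ip> ..."
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?sshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>\S+)")

def accepted_logins(log_text):
    """Return one dict (ts, method, user, ip) per successful sshd login."""
    matches = (ACCEPTED.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def methods_by_source(logins):
    """Map (user, ip) to the auth methods it used, in order of first use."""
    seen = defaultdict(list)
    for entry in logins:
        key = (entry["user"], entry["ip"])
        if entry["method"] not in seen[key]:
            seen[key].append(entry["method"])
    return dict(seen)

def password_then_key(logins):
    """(user, ip) pairs that first logged in by password and later by key."""
    return sorted(key for key, methods in methods_by_source(logins).items()
                  if methods[0] == "password" and "publickey" in methods[1:])

if __name__ == "__main__":
    for user, ip in password_then_key(accepted_logins(SAMPLE_LOG)):
        print(f"review authorized_keys for {user}: key login from {ip}")
```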
Qool Raster (Forensics/Steg)
Guessing that '\xe2\x80\x82' is black and '\x20' is white, substituting accordingly produces a QR code.
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________XXXXXXX_XXX_X_XXXX_X__XXXXXXX___________
__________X_____X_XXX__XX__X_X__X_____X___________
__________X_XXX_X_X_XX__XX_XX___X_XXX_X___________
__________X_XXX_X_XX_X_XXX__X___X_XXX_X___________
__________X_XXX_X_______XXX_____X_XXX_X___________
__________X_____X_X__XX_X___XX__X_____X___________
__________XXXXXXX_X_X_X_X_X_X_X_XXXXXXX___________
___________________X__X_X_XXXXX___________________
__________XX__XXX____X____XX_____X_XXXX___________
_____________XXX___XX_XXXXX__X__XXXXX_X___________
__________X_X__XX_X__XXX_XX___X_X__XX_X___________
__________X_X_X_____XX_____X_X__XXXX__X___________
___________X__X_X___X_X___X__X_X_X___X____________
__________XXXX____XX_____X_X___XXXX_XXX___________
__________XX_XX_XXX_X___XX__X_XXX_X___X___________
__________X_X__X___X__X_XX_XX_____XX__X___________
____________XXXXXXX_XX_XX_XX__XX_XXX__X___________
__________X____X____X_X_XX__X__X_XX_XXX___________
_____________X__X____XXXXX____X___X_X_X___________
____________X_X__XXXXX_X_XXXXXX__X_X_X____________
__________XXXXX_XXXX__XX__XX__XXXXX_______________
__________________X____XXXXXX_X___XX__X___________
__________XXXXXXX__X_____X__X_X_X_XXX_X___________
__________X_____X_XX__X_X__XXXX___XX_XX___________
__________X_XXX_X_XXXX_XXXXX_XXXXXX___X___________
__________X_XXX_X___X_X___X_XXXX_X_X__X___________
__________X_XXX_X__X_XXXXX_XXX_X___X_XX___________
__________X_____X_XX_X_X_X_X_XXX___X_XX___________
__________XXXXXXX_X_X_XX___X__XX_XXX_X____________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
I crop out the QR code portion and decode it.
$ cat qr.txt
XXXXXXX_XXX_X_XXXX_X__XXXXXXX
X_____X_XXX__XX__X_X__X_____X
X_XXX_X_X_XX__XX_XX___X_XXX_X
X_XXX_X_XX_X_XXX__X___X_XXX_X
X_XXX_X_______XXX_____X_XXX_X
X_____X_X__XX_X___XX__X_____X
XXXXXXX_X_X_X_X_X_X_X_XXXXXXX
_________X__X_X_XXXXX________
XX__XXX____X____XX_____X_XXXX
___XXX___XX_XXXXX__X__XXXXX_X
X_X__XX_X__XXX_XX___X_X__XX_X
X_X_X_____XX_____X_X__XXXX__X
_X__X_X___X_X___X__X_X_X___X_
XXXX____XX_____X_X___XXXX_XXX
XX_XX_XXX_X___XX__X_XXX_X___X
X_X__X___X__X_XX_XX_____XX__X
__XXXXXXX_XX_XX_XX__XX_XXX__X
X____X____X_X_XX__X__X_XX_XXX
___X__X____XXXXX____X___X_X_X
__X_X__XXXXX_X_XXXXXX__X_X_X_
XXXXX_XXXX__XX__XX__XXXXX____
________X____XXXXXX_X___XX__X
XXXXXXX__X_____X__X_X_X_XXX_X
X_____X_XX__X_X__XXXX___XX_XX
X_XXX_X_XXXX_XXXXX_XXXXXX___X
X_XXX_X___X_X___X_XXXX_X_X__X
X_XXX_X__X_XXXXX_XXX_X___X_XX
X_____X_XX_X_X_X_X_XXX___X_XX
XXXXXXX_X_X_XX___X__XX_XXX_X_
$ python sqrd.py qr.txt
byuctf{yes_yes_it_is_a_qr_code_q56rtikb}
byuctf{yes_yes_it_is_a_qr_code_q56rtikb}
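The substitution and cropping steps above, as an added example that is not part of the original writeup. It assumes the input is UTF-8 text in which '\xe2\x80\x82' (U+2002 EN SPACE) is a dark module and '\x20' a light one; the function names and the small sample input are constructed for illustration, and decoding the cropped grid is left to a separate QR decoder.

```python
EN_SPACE = "\u2002"  # UTF-8 bytes e2 80 82, read as a dark module
SPACE = " "          # byte 20, read as a light module
FINDER = ["XXXXXXX", "X_____X", "X_XXX_X", "X_XXX_X",
          "X_XXX_X", "X_____X", "XXXXXXX"]

def whitespace_to_modules(raw):
    """Turn whitespace-only text into rows of X (dark) and _ (light)."""
    rows = []
    for lineno, line in enumerate(raw.decode("utf-8").split("\n"), 1):
        line = line.rstrip("\r")
        bad = set(line) - {EN_SPACE, SPACE}
        if bad:
            raise ValueError(f"line {lineno}: unexpected characters {sorted(bad)!r}")
        rows.append(line.replace(EN_SPACE, "X").replace(SPACE, "_"))
    # Trailing ordinary spaces are often stripped, so pad short rows as light.
    width = max(len(r) for r in rows)
    return [r.ljust(width, "_") for r in rows]

def crop_quiet_zone(rows):
    """Cut the grid down to the bounding box of its dark modules.

    A QR code has finder patterns in three corners, so all four edges of
    the symbol contain dark modules and the box is the symbol itself.
    """
    dark = [i for i, r in enumerate(rows) if "X" in r]
    if not dark:
        raise ValueError("no dark modules found")
    left = min(rows[i].index("X") for i in dark)
    right = max(rows[i].rindex("X") for i in dark)
    return [r[left:right + 1] for r in rows[dark[0]:dark[-1] + 1]]

def finder_corners(grid):
    """Report which of the three expected corners hold a 7x7 finder pattern."""
    n = len(grid)
    spots = {"top-left": (0, 0), "top-right": (0, n - 7), "bottom-left": (n - 7, 0)}
    return {name: [r[c:c + 7] for r in grid[t:t + 7]] == FINDER
            for name, (t, c) in spots.items()}

def build_sample():
    """Constructed input: one finder pattern, 2-module margin, trailing spaces stripped."""
    rows = ["", ""] + ["__" + r + "__" for r in FINDER] + [""]
    lines = [r.replace("X", EN_SPACE).replace("_", SPACE).rstrip(SPACE) for r in rows]
    return "\n".join(lines).encode("utf-8")

if __name__ == "__main__":
    print("\n".join(crop_quiet_zone(whitespace_to_modules(build_sample()))))
```

A grid whose three corners do not all report a finder pattern usually means the black/white guess is inverted or the crop is off.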
Sticky Key (Forensics/Steg)
Decode it with https://lingojam.com/SymbolLanguageTranslator.
Subject: I think my keyboard is broken Subject: I think my keyboard is broken. i was planning to tell you this but iæm not sure how you will read it. hopefully you can find a way. byuctf”dont—leave—soda—by—your—keyboard’
byuctf{dont_leave_soda_by_your_keyboard}
Shifting Mindset (Cryptography)
The text looks like it was typed on a US keyboard with Shift held down, so I try decoding it on that basis.
( @) * ( !$ !! !# @% !( * ( ^ @) !! % @% ( !( !( @) @! # !!
↓
9 20 8 9 14 11 13 25 19 8 9 6 20 11 5 25 9 19 19 20 21 3 11
Next, guessing that these numbers are indices into the alphabet, I decode again.
         11111111112222222
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz

9 20 8 9 14 11 13 25 19 8 9 6 20 11 5 25 9 19 19 20 21 3 11
↓
i t h i n k m y s h i f t k e y i s s t u c k
byuctf{ithinkmyshiftkeyisstuck}
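Both decoding stages above in one script, as an added example that is not part of the original writeup. It assumes a US keyboard layout for the Shift+digit symbols and 1-based alphabet indices; the function names are made up for illustration.

```python
# Symbol produced by Shift+<digit> on a US-layout keyboard, mapped back to the digit.
SHIFT_TO_DIGIT = dict(zip("!@#$%^&*()", "1234567890"))

# Ciphertext as given in the challenge (copied from the writeup above).
CIPHERTEXT = "( @) * ( !$ !! !# @% !( * ( ^ @) !! % @% ( !( !( @) @! # !!"

def unshift(token):
    """Stage 1: turn one token such as '@)' back into the number 20."""
    try:
        return int("".join(SHIFT_TO_DIGIT[ch] for ch in token))
    except KeyError as exc:
        raise ValueError(f"{exc.args[0]!r} in {token!r} is not a shifted digit") from None

def index_to_letter(n):
    """Stage 2: 1 -> 'a', 2 -> 'b', ... 26 -> 'z'."""
    if not 1 <= n <= 26:
        raise ValueError(f"{n} is not an alphabet index")
    return chr(ord("a") + n - 1)

def decode(ciphertext):
    """Return (indices, plaintext) for a space-separated shifted-digit message."""
    indices = [unshift(token) for token in ciphertext.split()]
    return indices, "".join(index_to_letter(n) for n in indices)

if __name__ == "__main__":
    numbers, text = decode(CIPHERTEXT)
    print(" ".join(map(str, numbers)))
    print("byuctf{" + text + "}")
```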
Feedback Survey (Miscellaneous)
After I answered the survey, the flag was displayed.
byuctf{th4nks_f0r_th3_gr3@t_t1m3}