この大会は2022/6/10 2:00(JST)~2022/6/14 2:00(JST)に開催されました。
今回もチームで参戦。結果は1400点で1356チーム中191位でした。
自分で解けた問題をWriteupとして書いておきます。
CTF Basics (z_Introduction 100)
問題にフラグが書いてあった。
flag{thanks_4_joining_us}
Discord Support (z_Introduction 100)
Discordに入り、#welcomeチャネルでMEE6ボットにリアクションすると、たくさんのチャネルが現れた。現れた#generalチャネルのトピックを見ると、フラグが書いてあった。
flag{disc0rd_fl4g}
Babby Web 1 (Web 100)
HTMLソースを見ると、コメントにフラグが書いてあった。
flag{never_gonna_l3t_you_down}
Babby Web 2 (Web 100)
証明書を見ると、発行者にフラグが設定されていた。
flag{n3v3r_g0nna_giv3_y0u_up}
Babby Web 3 (Web 100)
https://104.43.161.131/robots.txtにアクセスすると、フラグが書かれていた。
flag{never_gonna_tell_a_l13}
Babby Web 4 (Web 100)
$ curl -k https://104.43.161.131/ -v * Trying 104.43.161.131... * TCP_NODELAY set * Connected to 104.43.161.131 (104.43.161.131) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Unknown (8): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Client hello (1): * TLSv1.3 (OUT), TLS Unknown, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: C=US; ST=flag{n3v3r_g0nna_giv3_y0u_up}; O=Internet Widgits Pty Ltd * start date: May 31 14:53:21 2022 GMT * expire date: May 31 14:53:21 2023 GMT * issuer: C=US; ST=flag{n3v3r_g0nna_giv3_y0u_up}; O=Internet Widgits Pty Ltd * SSL certificate verify result: self signed certificate (18), continuing anyway. * TLSv1.3 (OUT), TLS Unknown, Unknown (23): > GET / HTTP/1.1 > Host: 104.43.161.131 > User-Agent: curl/7.58.0 > Accept: */* > * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS Unknown, Unknown (23): < HTTP/1.1 200 OK < Date: Sat, 11 Jun 2022 22:59:16 GMT < Server: Apache/2.4.41 (Ubuntu) < Last-Modified: Tue, 31 May 2022 15:06:51 GMT < ETag: "3e-5e0501f5922c5" < Accept-Ranges: bytes < Content-Length: 62 < ctf: flag{nev3r_gonn4_say_g00dbye} < Content-Type: text/html < <html> sup? </html> <!-- flag{never_gonna_l3t_you_down} --> * Connection #0 to host 104.43.161.131 left intact
レスポンスヘッダのctfにフラグが設定されていた。
flag{nev3r_gonn4_say_g00dbye}
Top Secret (Forensics 100)
PDFを開くと、マスクされている箇所がある。「編集を有効にする」にして、「3件の注釈」の「スタンプを適用」を選択すると、マスクがはずれフラグが見える。
flag{rememb3r_t0_flatt3n_ur_PDF5}
Strange Packets (Forensics 100)
Modbus/TCPのパケットで、Unknown functionでASCIIコードが指定されているようだ。デコードして連結すると、メッセージが復元でき、フラグが含まれていた。
#!/usr/bin/env python3 from scapy.all import * packets = rdpcap('strange_packets.pcapng') msg = '' for p in packets: if p[IP].dst == '10.10.50.7' and p.haslayer(Raw): load = p[Raw].load for i in range(0, len(load), 12): msg += chr(load[i+7]) print(msg)
The flag for this challenge is flag{m0dbu5_is_4_simpl3_ProtOcol}.
flag{m0dbu5_is_4_simpl3_ProtOcol}
The One with a Lot of Cats (Forensics 200)
Autospyで開くと、削除されたファイルがあり、そのうちjpgファイルにフラグが書いてあった。
flag{m30w}
Data Exfil (Forensics 200)
ICMPの通信の中にDATAが含まれている。その中でNo.191のパケットからPNG形式のデータが見えるので、抽出し結合する。
#!/usr/bin/env python3 from scapy.all import * packets = rdpcap('dataexfil.pcapng') png = b'' i = 1 for p in packets: if p.haslayer(ICMP) and p[ICMP].type == 0 \ and p[IP].dst == '10.211.55.3' \ and p.haslayer(Raw) and len(p[Raw].load) > 48: png += p[Raw].load i += 1 with open('flag.png', 'wb') as f: f.write(png)
結合した画像にフラグが書いてあった。
flag{d4t4_over_1cmp}
DIY Crypto (Crypto 100)
暗号化の処理概要は以下の通り。
・plaintext: 平文 ・plaintext_padded: '\x00'でpadding ・randome_key: ランダム16バイトバイト文字列 ・block_count: 平文のブロック数 ・cur_key = random_key ・crypted = b"" ・ブロック数だけ以下の処理を実行 ・block: plaintext_paddedの各ブロック ・crypt_block(block, cur_key) ・16回各バイトとkeyでXORしたものをインデックスとして、sboxの値を連結する。 →連結したものをcryptedに連結する。 ・cur_keyを左に1バイトシフトする。一番左のバイトは一番右に来る。 ・cryptedをcrypted.txtに書き込み。
暗号化は1バイト単位で閉じており、同じキーではインデックスで以下のような関連がある。
・0 -> 31 -> 46 -> 61 -> 76 -> ...
・1 -> 16 -> 47 -> 62 -> 77 -> ...
・2 -> 17 -> 32 -> 63 -> 78 -> ...
:16バイトの各バイトについて、256パターンをブルートフォースして、printableなものを探す。
#!/usr/bin/env python3 sbox = ( 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 ) def decrypt_byte(c, key): index = sbox.index(c) return bytes([index ^ key]) def is_printable(s, allows=[10]): for c in s: if c < 32 or c > 126: if c not in allows: return False return True with open('crypted.txt', 'rb') as f: crypted = f.read() msg = [b''] * len(crypted) for i in range(16): for key in range(256): j = i block = 0 found = True while True: p = decrypt_byte(crypted[j], key) msg[j] = p if j < len(crypted) - 16 and not is_printable(p): found = False break elif j < len(crypted) and not is_printable(p, allows=[0, 10]): found = False break j += 15 if j // 16 == block: j += 16 block += 1 if j >= len(crypted): break if found: break msg = b''.join(msg).rstrip(b'\x00').decode() print(msg)
復号結果は以下の通り。
From fairest creatures we desire increase,
That thereby beauty's rose might never die,
But as the riper should by time decease,
His tender heir might bear his memory:
But thou contracted to thine own bright eyes,
Feed'st thy light's flame with self-substantial fuel,
Making a famine where abundance lies,
Thy self thy foe, to thy sweet self too cruel:
Thou that art now the world's fresh ornament,
And only herald to the gaudy spring,
Within thine own bud buriest thy content,
And tender churl mak'st waste in niggarding:
Pity the world, or else this glutton be,
To eat the world's due, by the grave and thee.
When forty winters shall besiege thy brow,
And dig deep trenches in thy beauty's field,
Thy youth's proud livery so gazed on now,
Will be a tattered weed of small worth held:
Then being asked, where all thy beauty lies,
Where all the treasure of thy lusty days;
To say within thine own deep sunken eyes,
Were an all-eating shame, and thriftless praise.
How much more praise deserved thy beauty's use,
If thou couldst answer 'This fair child of mine
Shall sum my count, and make my old excuse'
Proving his beauty by succession thine.
This were to be new made when thou art old,
And see thy blood warm when thou feel'st it cold.
Look in thy glass and tell the face thou viewest,
Now is the time that face should form another,
Whose fresh repair if now thou not renewest,
Thou dost beguile the world, unbless some mother.
For where is she so fair whose uneared womb
Disdains the tillage of thy husbandry?
Or who is he so fond will be the tomb,
Of his self-love to stop posterity?
Thou art thy mother's glass and she in thee
Calls back the lovely April of her prime,
So thou through windows of thine age shalt see,
Despite of wrinkles this thy golden time.
But if thou live remembered not to be,
Die single and thine image dies with thee.
Unthrifty loveliness why dost thou spend,
Upon thy self thy beauty's legacy?
Nature's bequest gives nothing but doth lend,
And being frank she lends to those are free:
Then beauteous niggard why dost thou abuse,
The bounteous largess given thee to give?
Profitless usurer why dost thou use
So great a sum of sums yet canst not live?
For having traffic with thy self alone,
Thou of thy self thy sweet self dost deceive,
Then how when nature calls thee to be gone,
What acceptable audit canst thou leave?
Thy unused beauty must be tombed with thee,
Which used lives th' executor to be.
Those hours that with gentle work did frame
The lovely gaze where every eye doth dwell
Will play the tyrants to the very same,
And that unfair which fairly doth excel:
For never-resting time leads summer on
To hideous winter and confounds him there,
Sap checked with frost and lusty leaves quite gone,
Beauty o'er-snowed and bareness every where:
Then were not summer's distillation left
A liquid prisoner pent in walls of glass,
Beauty's effect with beauty were bereft,
Nor it nor no remembrance what it was.
But flowers distilled though they with winter meet,
Leese but their show, their substance still lives sweet.
Then let not winter's ragged hand deface,
In thee thy summer ere thou be distilled:
Make sweet some vial; treasure thou some place,
With beauty's treasure ere it be self-killed:
That use is not forbidden usury,
Which happies those that pay the willing loan;
That's for thy self to breed another thee,
Or ten times happier be it ten for one,
Ten times thy self were happier than thou art,
If ten of thine ten times refigured thee:
Then what could death do if thou shouldst depart,
Leaving thee living in posterity?
Be not self-willed for thou art much too fair,
To be death's conquest and make worms thine heir.
Lo in the orient when the gracious light
Lifts up his burning head, each under eye
Doth homage to his new-appearing sight,
Serving with looks his sacred majesty,
And having climbed the steep-up heavenly hill,
Resembling strong youth in his middle age,
Yet mortal looks adore his beauty still,
Attending on his golden pilgrimage:
But when from highmost pitch with weary car,
Like feeble age he reeleth from the day,
The eyes (fore duteous) now converted are
From his low tract and look another way:
So thou, thy self out-going in thy noon:
Unlooked on diest unless thou get a son.
Music to hear, why hear'st thou music sadly?
Sweets with sweets war not, joy delights in joy:
Why lov'st thou that which thou receiv'st not gladly,
Or else receiv'st with pleasure thine annoy?
If the true concord of well-tuned sounds,
By unions married do offend thine ear,
They do but sweetly chide thee, who confounds
flag{cRyt0_aNalys1s_101}
In singleness the parts that thou shouldst bear:
Mark how one string sweet husband to another,
Strikes each in each by mutual ordering;
Resembling sire, and child, and happy mother,
Who all in one, one pleasing note do sing:
Whose speechless song being many, seeming one,
Sings this to thee, 'Thou single wilt prove none'.
Is it for fear to wet a widow's eye,
That thou consum'st thy self in single life?
Ah, if thou issueless shalt hap to die,
The world will wail thee like a makeless wife,
The world will be thy widow and still weep,
That thou no form of thee hast left behind,
When every private widow well may keep,
By children's eyes, her husband's shape in mind:
Look what an unthrift in the world doth spend
Shifts but his place, for still the world enjoys it;
But beauty's waste hath in the world an end,
And kept unused the user so destroys it:
No love toward others in that bosom sits
That on himself such murd'rous shame commits.
For shame deny that thou bear'st love to any
Who for thy self art so unprovident.
Grant if thou wilt, thou art beloved of many,
But that thou none lov'st is most evident:
For thou art so possessed with murd'rous hate,
That 'gainst thy self thou stick'st not to conspire,
Seeking that beauteous roof to ruinate
Which to repair should be thy chief desire:
O change thy thought, that I may change my mind,
Shall hate be fairer lodged than gentle love?
Be as thy presence is gracious and kind,
Or to thy self at least kind-hearted prove,
Make thee another self for love of me,
That beauty still may live in thine or thee.
As fast as thou shalt wane so fast thou grow'st,
In one of thine, from that which thou departest,
And that fresh blood which youngly thou bestow'st,
Thou mayst call thine, when thou from youth convertest,
Herein lives wisdom, beauty, and increase,
Without this folly, age, and cold decay,
If all were minded so, the times should cease,
And threescore year would make the world away:
Let those whom nature hath not made for store,
Harsh, featureless, and rude, barrenly perish:
Look whom she best endowed, she gave thee more;
Which bounteous gift thou shouldst in bounty cherish:
She carved thee for her seal, and meant thereby,
Thou shouldst print more, not let that copy die.
When I do count the clock that tells the time,
And see the brave day sunk in hideous night,
When I behold the violet past prime,
And sable curls all silvered o'er with white:
When lofty trees I see barren of leaves,
Which erst from heat did canopy the herd
And summer's green all girded up in sheaves
Borne on the bier with white and bristly beard:
Then of thy beauty do I question make
That thou among the wastes of time must go,
Since sweets and beauties do themselves forsake,
And die as fast as they see others grow,
And nothing 'gainst Time's scythe can make defence
Save breed to brave him, when he takes thee hence.
O that you were your self, but love you are
No longer yours, than you your self here live,
Against this coming end you should prepare,
And your sweet semblance to some other give.
So should that beauty which you hold in lease
Find no determination, then you were
Your self again after your self's decease,
When your sweet issue your sweet form should bear.
Who lets so fair a house fall to decay,
Which husbandry in honour might uphold,
Against the stormy gusts of winter's day
And barren rage of death's eternal cold?
O none but unthrifts, dear my love you know,
You had a father, let your son say so.
Not from the stars do I my judgement pluck,
And yet methinks I have astronomy,
But not to tell of good, or evil luck,
Of plagues, of dearths, or seasons' quality,
Nor can I fortune to brief minutes tell;
Pointing to each his thunder, rain and wind,
Or say with princes if it shall go well
By oft predict that I in heaven find.
But from thine eyes my knowledge I derive,
And constant stars in them I read such art
As truth and beauty shall together thrive
If from thy self, to store thou wouldst convert:
Or else of thee this I prognosticate,
Thy end is truth's and beauty's doom and date.
When I consider every thing that grows
Holds in perfection but a little moment.
That this huge stage presenteth nought but shows
Whereon the stars in secret influence comment.
When I perceive that men as plants increase,
Cheered and checked even by the self-same sky:
Vaunt in their youthful sap, at height decrease,
And wear their brave state out of memory.
Then the conceit of this inconstant stay,
Sets you most rich in youth before my sight,
Where wasteful time debateth with decay
To change your day of youth to sullied night,
And all in war with Time for love of you,
As he takes from you, I engraft you new.復号した文章中にフラグが含まれていた。
flag{cRyt0_aNalys1s_101}
Hackerized (Crypto 100)
暗号は以下の通り。
∲↑Λç{⊥☐☐_↑33⊥_4_\☐ü}アルファベットに似ている文字で暗号を表しているようだ。
flag{too_l33t_4_you}
