DefCamp Capture the Flag (D-CTF) 2022 Quals Writeup

This contest ran from 2022/9/30 18:00 (JST) to 2022/10/2 0:00 (JST).
I played with my team again this time. We finished 61st out of 258 teams with 1257 points.
Below are writeups for the challenges I solved myself.

fast-proof (Misc, Programming)

$ nc 34.107.45.207 30499
Incoming work proof!!!
q29ln19jpz9iMw0mMwNlrzMbZmOxL2IbMUAmBGp0qmSzZKZjnTt2pmVjLGSwZwR0MKp4MJVlMwOzq3quMKA3MTL3pmu6MKIxBTLmnQq3AGWyLGqxMTWbqmAyAaAbnTuxMGt0nTIyZQAuMGM3MTZj
Insert work proof containing the decoded header:

Apply rot13 first, then base64-decode the result.

#!/usr/bin/env python3
import socket
import codecs
import base64

def recvuntil(s, tail):
    # Read one byte at a time until the delimiter shows up, then return the text
    data = b''
    while True:
        if tail in data:
            return data.decode()
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('34.107.45.207', 30499))

# Each round is three lines: banner, rot13(base64(header)), and the prompt
for i in range(499):
    print('Round %d' % (i + 1))
    data = recvuntil(s, b'\n').rstrip()   # "Incoming work proof!!!"
    print(data)
    data = recvuntil(s, b'\n').rstrip()   # the encoded header
    print(data)
    enc = data
    data = recvuntil(s, b'\n').rstrip()   # "Insert work proof containing the decoded header:"
    print(data)
    # Undo rot13, then base64-decode to recover the "work_proof=..." header
    work_proof = base64.b64decode(codecs.decode(enc, 'rot-13')).decode()
    print(work_proof)
    s.sendall(work_proof.encode() + b'\n')

# After the last round the server prints "Well done!" followed by the flag
data = recvuntil(s, b'\n').rstrip()
print(data)
data = recvuntil(s, b'\n').rstrip()
print(data)

The output of running it is as follows.

Round 1
Incoming work proof!!!
q29ln19jpz9iMw13MGH5ZwSxLJEbBJSbZTHlMaSuBGVlBGObMzuxMGExqJuxMQybnQAmM2ubATHjMaZ4pJp4LGx5MQxmq3RjLJEbMQE3ZGxlq2VmMGV1MzAcMGIbnTMknUR5qmR5MTLjMacmMGx5
Insert work proof containing the decoded header:
work_proof=we5921dadh9ah0e2fqa92290hfhde4duhdd9hh3sghh4e0fs8qg8a99d93wq0adhd4w192wb3e25fcie5hhfqhq9w19df0fzse99
Round 2
Incoming work proof!!!
q29ln19jpz9iMw1cLJuunUqwnTuuMKpmLGubLJxlBGZ2ZJSzBTMuLmZ4nQt3BJu6MGZ5MGS1MQWyMKqaLJMypJyzZ3p0MKp0AzD4BJt4ZTDkZmNlMTH4nQt2MUAbnTDlAzuwBTuvqmIwBJtlnUcc
Insert work proof containing the decoded header:
work_proof=iahahwchhaew3a8hai29361af8fac38h879hze39e1ud2eewgafeqif3w4ew46d89h80d1302de8h86dshhd26hc8hbw5c9h2hzi
Round 3
Incoming work proof!!!
q29ln19jpz9iMw1xMmZ3nUqurzp2ZzMuqJIxZzLlnTyunQx4AQZ0LJSzMGyuMJE3ATuuZmIyMQZlBQubZ3quBKHjZaSunUAuqmpmZGH5BJyxnTMzZzWuMJZmp2MuMaS3BTH0ZJA3q3IkZTtmp3Ay
Insert work proof containing the decoded header:
work_proof=dg37hwazg62faued2f2hiah98434aafe9aedw4ha35ed3288h3wa9u02qahsaw731599idhff2baec3sfafqw8e41cwwuq0h3sse
        :
        :
Round 497
Incoming work proof!!!
q29ln19jpz9iMw1aZQAwL3qkZ2IzLKqynTyxpJIcL3R1LKpjrwL4nTM3M2t0nTuyMwqyZzH1qmEbLwWuMzubMTt3MzuyqGVlBJM1BGymnTIbBKqznQyznTD5p2AbBTuzMKAuMzHmqmObMTL4MTMu
Insert work proof containing the decoded header:
work_proof=g03ccwq3efawehidqeicq5aw0z68hfwgh4hhef7e2e5w4hb2afhhdh7fheu229fu99sheh9wfh9fhd9sch8hfesafe3w0hdf8dfa
Round 498
Incoming work proof!!!
q29ln19jpz9iMw05nQx5AQt5AJD1BGWyZwquAJt0nTtmMGybAmOxnTLlZ3quMzuxpmZlZTE3nQZ4MKq6MJuwBGEmMJuzMJWxnQEbMJpjqJMxnGyzrzH1ZzWmMzIbq2ubnQybATubBKquAJtlBQIb
Insert work proof containing the decoded header:
work_proof=9h994895d592e27a5h4hh3e9h70dhf23wafhds320dwh38ewzehc94sehfebdh4heg0ufdi9fze52bsfehwhhh9h4hh9wa5h285h
Round 499
Incoming work proof!!!
q29ln19jpz9iMw1bBJRlBGukLwyaLJtmBKZ5AJEuqJMzMwyzLJRmnTx5p2uzMKS3p3AmnJAap2MbZzEbnUIbA3AbL3ZkM2IuBJMbZKp5MQO3MKplMTq6AQIbMwD0BUAznQuuLJR0p2AzpmHmnJIz
Insert work proof containing the decoded header:
work_proof=h9a298qb9gah39s95daufff9faa3hi9shfeqwsssicgsfh2dhhuh7shcs1gea9fh1w9d0wew2dgz45hf448sfh8aaa4scfs53ief
Well done!
CTF{60d6fdfe76fed41685766be3631efcc80a4c90fe3a4bece6ffb23dd2aa72b2c4}
CTF{60d6fdfe76fed41685766be3631efcc80a4c90fe3a4bece6ffb23dd2aa72b2c4}

pure-cij (Misc)

$ nc 35.242.226.178 31986
/tmp/tmpewagzaua
ls
flag.txt
server.py
       _,met$$$$$gg.          ctf@dctf22-quals-pure-cij-65864bdfb5-vdfs2 
    ,g$$$$$$$$$$$$$$$P.       ------------------------------------------ 
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 11 (bullseye) x86_64 
 ,$$P'              `$$$.     Host: Google Compute Engine 
',$$P       ,ggs.     `$$b:   Kernel: 5.10.127+ 
`d$$'     ,$P"'   .    $$$    Uptime: 2 hours, 44 mins 
 $$P      d$'     ,    $$P    Packages: 278 (dpkg) 
 $$:      $$.   -    ,d$$'    Shell: bash 5.1.4 
 $$;      Y$b._   _,d$P'      Terminal: socat 
 Y$$.    `.`"Y$$$$P"'         CPU: Intel Xeon (4) @ 2.200GHz 
 `$$b      "-.__              Memory: 1389MiB / 15000MiB 
  `Y$$
   `Y$$.                                              
     `$$b.                                            
       `Y$$b.
          `"Y$b._
              `"""

We can see that flag.txt exists, so connect again and look at its contents.

$ nc 35.242.226.178 31986
/tmp/tmprhpzlmiw
cat flag.txt
CTF{56c5ed0e0c3246493cc03801a05e4deb0328e31c7bfe75edee5c89553e58781a}
       _,met$$$$$gg.          ctf@dctf22-quals-pure-cij-65864bdfb5-vdfs2 
    ,g$$$$$$$$$$$$$$$P.       ------------------------------------------ 
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 11 (bullseye) x86_64 
 ,$$P'              `$$$.     Host: Google Compute Engine 
',$$P       ,ggs.     `$$b:   Kernel: 5.10.127+ 
`d$$'     ,$P"'   .    $$$    Uptime: 2 hours, 44 mins 
 $$P      d$'     ,    $$P    Packages: 278 (dpkg) 
 $$:      $$.   -    ,d$$'    Shell: bash 5.1.4 
 $$;      Y$b._   _,d$P'      Terminal: socat 
 Y$$.    `.`"Y$$$$P"'         CPU: Intel Xeon (4) @ 2.200GHz 
 `$$b      "-.__              Memory: 1396MiB / 15000MiB 
  `Y$$
   `Y$$.                                              
     `$$b.                                            
       `Y$$b.
          `"Y$b._
              `"""
CTF{56c5ed0e0c3246493cc03801a05e4deb0328e31c7bfe75edee5c89553e58781a}

getting-trolljs (Web)

The flag is shown on the web page, but copying it as-is puts a different string on the clipboard. Let's look at the HTML source.

        <center>This chalange is here to see if you are active and you can copy and paste the flag!</br>
        <p>ctf{38ecb1b9c0373012508632ed7ae71288cc608782e7fb9a45552a782584116e1b}</p><img src="https://upload.wikimedia.org/wikipedia/en/9/9a/Trollface_non-free.png"></center>
        <script>
            document.addEventListener('copy', function(e){
                console.log(e);
                e.clipboardData.setData('text/plain', 'ctf{38ecb1b9c0373012508632ed7ae71288cc608782e7fb9a45552a78258411631b}\r\n');
                e.preventDefault(); // We want our data, not data from any selection, to be written to the clipboard
            });
        </script>

The flag right after the center tag is the real one; the copy event handler in the script replaces the clipboard contents with a different string.

ctf{38ecb1b9c0373012508632ed7ae71288cc608782e7fb9a45552a782584116e1b}

multi-encode (Misc, Cryptography)

Base64-decoding it yields a gz file. Decompressing that yields another base64-encoded string. It appears to be base64-encoded many times over, so keep decoding in a loop.

#!/usr/bin/env python3
from base64 import b64decode
import gzip

enc = 'H4sIAIpTM2MA/xWPQXObMBBG/1LWaQ+5urbkKgOdLOhbSTcBnVEiUWihA/avD7nv2+89jLQx2d26JKJ36/MwifJbuLBwme8orKMyS38r0rm3zcsee6r/9yqlyp3vAsSGgmtycJ2anS/DVJfwz+YhIM9P9rQKxGj5c0bn+NnmEBvNWvKLxAd+ovRkT2ppCt65GPGy6opmyKhaJnODpqUdr7u4Wfg5JXyoOKh6QanfcUpewK+W3vb+iub471qE+LvkDa1KyN/1sZ9xMrpXjJjD4+CzYFY1uKnG5EDDt46u97YMHzyyw+EHFdbqgl+d3r/6BZmunJNUMJeDf62L+XvcN+zOFYQeFYKEG6fDb2qRfgzF7zKupUPQrU2Th1njTaFT5uGfgvSEJaj66PUk7XlqCIKCmvXy8glk8nKrkAEAAA=='
dec = b64decode(enc)

# First layer: the decoded bytes are a gzip file
with open('flag.gz', 'wb') as f:
    f.write(dec)

with gzip.open('flag.gz', 'rb') as fr:
    dec = fr.read()

# Keep base64-decoding until the data is no longer valid base64
# (binascii.Error, raised on bad padding, is a subclass of ValueError)
while True:
    try:
        dec = b64decode(dec)
    except ValueError:
        break
flag = dec.decode()
print(flag)
ctf{a7e0c5ea8025205088cc47948d54fe74a66d45ec56728824a163e795f30b3e42}
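The script above decodes blindly until an exception is raised. As an added example (not from the writeup), here is a more general layer-peeler for the same base64/gzip nesting that inspects each layer (gzip magic bytes, base64 alphabet and padding) before decoding it, stops cleanly on corrupt input, and reports which layers it removed; the sample input is constructed inline to mirror the challenge's structure.

```python
#!/usr/bin/env python3
# Added example, not from the writeup: peel nested base64/gzip layers by
# inspecting each layer instead of decoding blindly until an error.
import base64
import binascii
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def peel_layer(data):
    """Return (kind, inner) for one layer, or (None, data) if nothing matched."""
    if data.startswith(GZIP_MAGIC):
        try:
            return "gzip", gzip.decompress(data)
        except (OSError, EOFError):   # corrupt or truncated gzip stream
            return None, data
    compact = b"".join(data.split())  # base64 may be wrapped across lines
    if compact and B64_RE.match(compact) and len(compact) % 4 == 0:
        try:
            return "base64", base64.b64decode(compact, validate=True)
        except binascii.Error:
            pass
    return None, data

def unwrap(data, max_layers=100):
    """Peel layers until none match; return (final bytes, list of layer kinds)."""
    layers = []
    for _ in range(max_layers):
        kind, inner = peel_layer(data)
        if kind is None:
            break
        layers.append(kind)
        data = inner
    return data, layers

def wrap_for_demo(payload):
    """Constructed sample mirroring the challenge: base64 x3, then gzip, then base64."""
    data = payload
    for _ in range(3):
        data = base64.b64encode(data)
    return base64.b64encode(gzip.compress(data))

if __name__ == "__main__":
    flag, layers = unwrap(wrap_for_demo(b"ctf{constructed_sample_flag}"))
    print(layers, flag.decode())
```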

deleted-paste (OSINT)

Accessing https://0paste.com/396387 returns no page. Looking up https://0paste.com/396387 on the Internet Archive, there is a snapshot from 9/29. Opening it, the flag was written there.

ctf{a008d827a22649ace8b667ae287783d3dfe0a31ab3e53f35e965d82e4eba4959}

malware-station (Forensics)

A memory forensics challenge with 5 questions in total.
Question 1 asks for the OS of the malware-infected machine, in "-" format.

$ volatility -f malware.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/malware.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-10-10 17:06:54 UTC+0000
     Image local date and time : 2011-10-10 13:06:54 -0400

The OS can be read off this output.

Windows-XP

Question 2 asks for the process the attacker created to hold the network connection with the target, in "." format.

$ volatility -f malware.vmem --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x819cc830:System                                      4      0     55    162 1970-01-01 00:00:00 UTC+0000
. 0x81945020:smss.exe                                 536      4      3     21 2011-10-10 17:03:56 UTC+0000
.. 0x816c6020:csrss.exe                               608    536     11    355 2011-10-10 17:03:58 UTC+0000
.. 0x813a9020:winlogon.exe                            632    536     24    533 2011-10-10 17:03:58 UTC+0000
... 0x816da020:services.exe                           676    632     16    261 2011-10-10 17:03:58 UTC+0000
.... 0x817757f0:svchost.exe                           916    676      9    217 2011-10-10 17:03:59 UTC+0000
.... 0x81772ca8:vmacthlp.exe                          832    676      1     24 2011-10-10 17:03:59 UTC+0000
.... 0x816c6da0:svchost.exe                           964    676     63   1058 2011-10-10 17:03:59 UTC+0000
..... 0x815c4da0:wscntfy.exe                         1920    964      1     27 2011-10-10 17:04:39 UTC+0000
..... 0x815e7be0:wuauclt.exe                          400    964      8    173 2011-10-10 17:04:46 UTC+0000
.... 0x8167e9d0:svchost.exe                           848    676     20    194 2011-10-10 17:03:59 UTC+0000
.... 0x81754990:VMwareService.e                      1444    676      3    145 2011-10-10 17:04:00 UTC+0000
.... 0x8136c5a0:alg.exe                              1616    676      7     99 2011-10-10 17:04:01 UTC+0000
.... 0x813aeda0:svchost.exe                          1148    676     12    187 2011-10-10 17:04:00 UTC+0000
.... 0x817937e0:spoolsv.exe                          1260    676     13    140 2011-10-10 17:04:00 UTC+0000
.... 0x815daca8:svchost.exe                          1020    676      5     58 2011-10-10 17:03:59 UTC+0000
... 0x813c4020:lsass.exe                              688    632     23    336 2011-10-10 17:03:58 UTC+0000
 0x813bcda0:explorer.exe                             1956   1884     18    322 2011-10-10 17:04:39 UTC+0000
. 0x8180b478:VMwareUser.exe                           192   1956      6     83 2011-10-10 17:04:41 UTC+0000
. 0x817a34b0:cmd.exe                                  544   1956      1     30 2011-10-10 17:06:42 UTC+0000
. 0x816d63d0:VMwareTray.exe                           184   1956      1     28 2011-10-10 17:04:41 UTC+0000
. 0x818233c8:reader_sl.exe                            228   1956      2     26 2011-10-10 17:04:41 UTC+0000

$ volatility -f malware.vmem --profile=WinXPSP2x86 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e2370 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\WINDOWS\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 544 Handle: 0x4c4
----
CommandHistory: 0x1113498 Application: sc.exe Flags: 
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4c4
Cmd #0 at 0x4e1eb8: sc query malwar
Cmd #1 at 0x11135e8: sc query malware
----
Screen 0x4e2a70 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]                                         
(C) Copyright 1985-2001 Microsoft Corp.                                         
                                                                                
C:\Documents and Settings\Administrator>sc query malwar                         
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:                           
                                                                                
The specified service does not exist as an installed service.                   
                                                                                
                                                                                
C:\Documents and Settings\Administrator>sc query malware                        
                                                                                
SERVICE_NAME: malware                                                           
        TYPE               : 1  KERNEL_DRIVER                                   
        STATE              : 4  RUNNING                                         
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)       
        WIN32_EXIT_CODE    : 0  (0x0)                                           
        SERVICE_EXIT_CODE  : 0  (0x0)                                           
        CHECKPOINT         : 0x0                                                
        WAIT_HINT          : 0x0                                                
                                                                                
C:\Documents and Settings\Administrator>

$ volatility -f malware.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956

The process with PID 1956 is explorer.exe. That is the answer to question 2.

explorer.exe

Question 3 asks for the remote endpoint of the network connection, in ":" format. The answer can be read from the connscan result.

172.16.98.1:6666

Question 4 asks which process should be dumped for the malware execution, in "." format. The answer can be read from the consoles result.

cmd.exe
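Questions 2 and 4 both come down to joining Volatility outputs on PID: connscan gives the PID that owns the connection, pstree gives that PID's name, parent and children. As an added example (not from the writeup), the following script parses the two outputs and does that join; the sample lines are copied from the pstree and connscan output above, and the "<not in tree>" label is a constructed marker for a parent PID that no longer appears in the process list.

```python
#!/usr/bin/env python3
# Added example, not from the writeup: join Volatility 2 pstree and connscan
# output on PID, label each connection with its process and parent, and list
# the children of that process (here the cmd.exe that ran "sc query malware").
import re

# Sample lines copied from the pstree / connscan output above
PSTREE_SAMPLE = """\
 0x819cc830:System                                      4      0     55    162 1970-01-01 00:00:00 UTC+0000
 0x813bcda0:explorer.exe                             1956   1884     18    322 2011-10-10 17:04:39 UTC+0000
. 0x8180b478:VMwareUser.exe                           192   1956      6     83 2011-10-10 17:04:41 UTC+0000
. 0x817a34b0:cmd.exe                                  544   1956      1     30 2011-10-10 17:06:42 UTC+0000
"""
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956
"""

# pstree rows start with depth dots, then "0xADDR:name  pid  ppid ..."
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)\s")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_pstree(text):
    """Map PID -> (process name, parent PID), in pstree order."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def parse_connscan(text):
    """Return [(local, remote, pid)] for each connection row."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(CONN_RE.match, text.splitlines()) if m]

def children(procs, pid):
    """Names of processes whose parent is pid."""
    return [name for name, ppid in procs.values() if ppid == pid]

def attribute_connections(pstree_text, connscan_text):
    """Return [(remote, pid, name, parent name)]; the parent may have exited."""
    procs = parse_pstree(pstree_text)
    out = []
    for _local, remote, pid in parse_connscan(connscan_text):
        name, ppid = procs.get(pid, ("<unknown>", None))
        parent = procs.get(ppid, ("<not in tree>", None))[0]
        out.append((remote, pid, name, parent))
    return out
```

Run as a script it reports the 172.16.98.1:6666 connection as owned by explorer.exe (PID 1956), whose parent 1884 is gone from the tree and whose children include cmd.exe.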

Question 5 asks for the type of the malware.

Trojan