この大会は2022/11/26 3:00(JST)~2022/11/27 3:00(JST)に開催されました。
今回もチームで参戦。結果は50点で293チーム中228位でした。
自分で解けた問題をWriteupとして書いておきます。
CryptoShop (Crypto)
サーバの処理概要は以下の通り。
・key = RSA.generate(1024) ・user: 入力 ・user_shop_state = ShopState(user, priv_key=key) ・user_shop_state.name = user ・user_shop_state.balance = 5 ・user_shop_state.priv_key=key ・nを表示 ・以下繰り返し ・action: メニュー選択 ・actionが1の場合 ・SHOP_ITEMのリストを表示 ・actionが2の場合 ・ret_val = buy_menu(user_shop_state) ・SHOP_ITEMのリストを表示 ・item_name: 入力(SHOP_ITEMのリストから選択) ・shop_transaction = user_shop_state.buy(item_name) ・price = SHOP_ITEMS[name] ・user_shop_state.balance -= price ・nameが"CTF-Flag"の場合、フラグを表示 ・actionが3の場合 ・refund_menu(user_shop_state) ・refund_code: 数値入力 ・refund_amount: 数値入力 ・ret_val = shop_state.refund_item(refund_amount, refund_code) ・reference_code = pow(refund_amount, priv_key.d, priv_key.n) ・refund_codeとreference_codeが一致していなかったら、エラー ・self.balance += refund_amount
refund_codeを適当に決めれば、refund_amountは計算できる。balanceをいくつ増やせるかわからないが、"3. Refund Item"でお金を増やしてから"CTF-Flag"を購入すればよい。
#!/usr/bin/env python3 import socket def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('pwn.glacierctf.com', 13370)) name = 'hoge' data = recvuntil(s, b'Name: ') print(data + name) s.sendall(name.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'\n').rstrip() print(data) n = int(data.split(' ')[-1]) e = 65537 refund_code = 123 refund_amount = pow(refund_code, e, n) data = recvuntil(s, b'> ') print(data + '3') s.sendall(b'3\n') data = recvuntil(s, b'> ') print(data + str(refund_code)) s.sendall(str(refund_code).encode() + b'\n') data = recvuntil(s, b'> ') print(data + str(refund_amount)) s.sendall(str(refund_amount).encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) name = 'CTF-Flag' data = recvuntil(s, b'> ') print(data + '2') s.sendall(b'2\n') data = recvuntil(s, b'> ') print(data + name) s.sendall(name.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data)
実行結果は以下の通り。
Welcome to the PWN-Store. Please authenticate: Your Name: hoge Welcome back hoge! Customernumber: 7119721955343994183071926664728781069068259341041962068678026711320632265515328667825548834086402718937206499370165240435106462931401311426817541407394864931964914449993155272219102668079956928713964345093493990223803472192032745331126530815885131855451784184488615697798547817851039593573136752861093826898410784306797981998338207012141328656314133530507195522013331834575215399377349318775598158104520534533323355277030405297034933722514046393086894084789991753796092241591544779576734104012720135162455447401549676796159824422836857182136259358314574596700050458496328999928487581277472975819180410658160779145329271 Accountname: hoge (Balance: 5€) 1. List Items 2. Buy Item 3. Refund Item 4. Exit > 3 What do you want to refund? Please provide the refundcode > 123 Please provide the price > 2352813905034380768739326772644101336213320691336953895260595710490803047368364690810476725973946740537713893457921344990539821538266773148636467368537535684808228026390702608533660688949344950546652277870802796095301569468119294744479769451101548049119315431746736743587823714475418372912332080712226230694386860795778002435508057291454297876524341486838382148622641835964117225361468881383743005049132917527997338008399214700083224579493541253520390600052347889934774983798319310654016210253931720049134778274053188765666593027187877238291246827829413350668928520165852974362964062036713893826193875481430795607845158 Successfully refunded Accountname: hoge (Balance: 2352813905034380768739326772644101336213320691336953895260595710490803047368364690810476725973946740537713893457921344990539821538266773148636467368537535684808228026390702608533660688949344950546652277870802796095301569468119294744479769451101548049119315431746736743587823714475418372912332080712226230694386860795778002435508057291454297876524341486838382148622641835964117225361468881383743005049132917527997338008399214700083224579493541253520390600052347889934774983798319310654016210253931720049134778274053188765666593027187877238291246827829413350668928520165852974362964062036713893826193875481430795607845163€) 1. List Items 2. Buy Item 3. Refund Item 4. Exit > 2 What item do you want to bye? 0. USB Rubber Ducky 1. Malduino 2. WIFI Deauther 3. Bluetooth Jammer 4. GSM Jammer 5. Bad USB 6. CTF-Flag > CTF-Flag Take this: glacierctf{RsA_S1gnAtuRe_1ssu3}
glacierctf{RsA_S1gnAtuRe_1ssu3}