This CTF was held from 2023/2/4 15:30 (JST) to 2023/2/5 15:30 (JST).
I took part with my team again this time. We finished 6th out of 248 teams with 6066 points.
Here are writeups for the problems I solved myself.
Welcome To BBCTF
After I joined the Discord server and reacted in the #rules channel, many channels appeared.
The flag was written in the topic of the #bbctf channel.
flag{s4N1ty_ChkS_ar3_100_ComM0n}
Improper Error Handling (Web)
Entering "a" as the password and clicking Submit displayed the following message.
Error: Length too short
I increased the password length one character at a time and kept trying. When I entered "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" as the password, the flag was displayed.
BBCTF{tHis_i5_1t_Y0u_CraCk3D_iT}
Random Requests (Forensics)
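Filtering on http shows that the accesses follow these three patterns.
・GET /flag=0 HTTP/1.1
・GET /flag=1 HTTP/1.1
・GET /flag=%20 HTTP/1.1
The 0s and 1s are the binary digits of ASCII codes, and %20 separates one character from the next. First, look at the beginning of the capture.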
GET /flag=0 HTTP/1.1
GET /flag=1 HTTP/1.1
GET /flag=0 HTTP/1.1
GET /flag=1 HTTP/1.1
GET /flag=1 HTTP/1.1
GET /flag=0 HTTP/1.1
GET /flag=1 HTTP/1.1
GET /flag=0 HTTP/1.1
GET /flag=%20 HTTP/1.1
GET /flag=0 HTTP/1.1
>>> chr(int('01011010', 2))
'Z'
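Since it starts with Z, the data is probably a flag beginning with "flag" that has been base64-encoded. Extract the code portion, decode the binary, then base64-decode the result.
#!/usr/bin/env python3
from base64 import b64decode
from scapy.all import IP, Raw, rdpcap

packets = rdpcap('random_requests.pcapng')

# Collect the value after "flag=" from every request sent to the target host
b_flag = ''
for p in packets:
    if p.haslayer(IP) and p[IP].dst == '142.250.67.132' and p.haslayer(Raw):
        b_flag += p[Raw].load.split(b' ')[1].decode().split('=')[1]

# "%20" separates the 8-bit groups; each group is one ASCII character
codes = b_flag.split('%20')

b64_flag = ''
for code in codes:
    if code:  # skip an empty group left by a trailing separator
        b64_flag += chr(int(code, 2))

flag = b64decode(b64_flag).decode()
print(flag)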
flag{nOT_So_r4ndom_h77p_r3qu35ts}
Memory Dump (Forensics)
$ python3 vol.py -f Memdump.raw windows.info
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf8025ea03000
DTB 0x1aa000
Symbols file:///home/ctf/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8025f612398
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 1
SystemTime 2022-12-16 10:41:11
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jun 28 04:14:26 1995
$ python3 vol.py -f Memdump.raw windows.pstree
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xc88f1cc79080 102 - N/A False 2022-12-16 10:16:22.000000 N/A
* 72 4 Registry 0xc88f1cdaa040 4 - N/A False 2022-12-16 10:16:20.000000 N/A
* 1304 4 MemCompression 0xc88f1cc83280 22 - N/A False 2022-12-16 10:16:29.000000 N/A
* 328 4 smss.exe 0xc88f1e749040 2 - N/A False 2022-12-16 10:16:22.000000 N/A
416 408 csrss.exe 0xc88f21cfb140 9 - 0 False 2022-12-16 10:16:27.000000 N/A
484 408 wininit.exe 0xc88f2204d080 1 - 0 False 2022-12-16 10:16:27.000000 N/A
* 576 484 services.exe 0xc88f1e76e080 6 - 0 False 2022-12-16 10:16:27.000000 N/A
** 1152 576 MsMpEng.exe 0xc88f230f2080 26 - 0 False 2022-12-16 10:16:31.000000 N/A
** 1540 576 svchost.exe 0xc88f22f942c0 3 - 0 False 2022-12-16 10:16:29.000000 N/A
** 1416 576 svchost.exe 0xc88f1cc69080 11 - 0 False 2022-12-16 10:16:29.000000 N/A
*** 4812 1416 audiodg.exe 0xc88f242ac080 4 - 0 False 2022-12-16 10:39:06.000000 N/A
** 1672 576 spoolsv.exe 0xc88f22fd9200 6 - 0 False 2022-12-16 10:16:29.000000 N/A
** 3592 576 svchost.exe 0xc88f23e45080 8 - 0 False 2022-12-16 10:18:31.000000 N/A
** 6024 576 svchost.exe 0xc88f23e47080 8 - 0 False 2022-12-16 10:18:32.000000 N/A
** 1548 576 svchost.exe 0xc88f22f95080 4 - 0 False 2022-12-16 10:16:29.000000 N/A
** 5004 576 SecurityHealth 0xc88f22e3a2c0 10 - 0 False 2022-12-16 10:16:52.000000 N/A
** 3484 576 SgrmBroker.exe 0xc88f2460d080 7 - 0 False 2022-12-16 10:18:31.000000 N/A
** 800 576 svchost.exe 0xc88f21cec280 10 - 0 False 2022-12-16 10:16:28.000000 N/A
** 1444 576 svchost.exe 0xc88f22ed92c0 8 - 0 False 2022-12-16 10:16:29.000000 N/A
** 3368 576 SearchIndexer. 0xc88f238d6240 17 - 0 False 2022-12-16 10:16:38.000000 N/A
** 1580 576 svchost.exe 0xc88f22f9e200 5 - 0 False 2022-12-16 10:16:29.000000 N/A
** 1708 576 svchost.exe 0xc88f2302c2c0 3 - 0 False 2022-12-16 10:16:30.000000 N/A
** 3116 576 svchost.exe 0xc88f23838280 9 - 1 False 2022-12-16 10:16:37.000000 N/A
** 2356 576 svchost.exe 0xc88f2426a300 5 - 0 False 2022-12-16 10:40:56.000000 N/A
** 960 576 svchost.exe 0xc88f21f9b2c0 20 - 0 False 2022-12-16 10:16:28.000000 N/A
** 1984 576 svchost.exe 0xc88f230e9080 8 - 0 False 2022-12-16 10:16:31.000000 N/A
** 4428 576 NisSrv.exe 0xc88f2451b080 5 - 0 False 2022-12-16 10:41:09.000000 N/A
** 720 576 svchost.exe 0xc88f220f6200 16 - 0 False 2022-12-16 10:16:28.000000 N/A
*** 3584 720 RuntimeBroker. 0xc88f23a29080 1 - 1 False 2022-12-16 10:16:39.000000 N/A
*** 3616 720 TextInputHost. 0xc88f2415d080 11 - 1 False 2022-12-16 10:20:25.000000 N/A
*** 2776 720 smartscreen.ex 0xc88f23a10080 8 - 1 False 2022-12-16 10:16:52.000000 N/A
*** 3824 720 RuntimeBroker. 0xc88f23a9b2c0 9 - 1 False 2022-12-16 10:16:40.000000 N/A
*** 4848 720 RuntimeBroker. 0xc88f24151280 4 - 1 False 2022-12-16 10:16:45.000000 N/A
*** 5912 720 ApplicationFra 0xc88f23a09080 6 - 1 False 2022-12-16 10:17:26.000000 N/A
*** 3292 720 dllhost.exe 0xc88f23883340 5 - 1 False 2022-12-16 10:16:38.000000 N/A
*** 4016 720 RuntimeBroker. 0xc88f23168080 7 - 1 False 2022-12-16 10:40:56.000000 N/A
*** 3672 720 SearchApp.exe 0xc88f23a93080 47 - 1 False 2022-12-16 10:16:39.000000 N/A
*** 4120 720 ShellExperienc 0xc88f23e67080 8 - 1 False 2022-12-16 10:16:41.000000 N/A
*** 3516 720 StartMenuExper 0xc88f238d2080 9 - 1 False 2022-12-16 10:16:39.000000 N/A
*** 5724 720 dllhost.exe 0xc88f23e60080 7 - 1 False 2022-12-16 10:17:06.000000 N/A
** 976 576 svchost.exe 0xc88f21f1a200 54 - 0 False 2022-12-16 10:16:28.000000 N/A
*** 2792 976 taskhostw.exe 0xc88f236c02c0 6 - 1 False 2022-12-16 10:16:36.000000 N/A
*** 2652 976 sihost.exe 0xc88f23679240 15 - 1 False 2022-12-16 10:16:35.000000 N/A
*** 6120 976 taskhostw.exe 0xc88f240d7080 3 - 1 False 2022-12-16 10:19:28.000000 N/A
** 2516 576 svchost.exe 0xc88f235c82c0 5 - 0 False 2022-12-16 10:16:35.000000 N/A
** 1636 576 svchost.exe 0xc88f23f490c0 2 - 0 False 2022-12-16 10:18:23.000000 N/A
** 3940 576 svchost.exe 0xc88f23c40340 2 - 0 False 2022-12-16 10:31:32.000000 N/A
** 1000 576 svchost.exe 0xc88f21f222c0 15 - 0 False 2022-12-16 10:16:28.000000 N/A
** 2668 576 svchost.exe 0xc88f2367b280 8 - 1 False 2022-12-16 10:16:36.000000 N/A
** 1776 576 svchost.exe 0xc88f2306a2c0 13 - 0 False 2022-12-16 10:16:30.000000 N/A
** 1012 576 svchost.exe 0xc88f21f342c0 13 - 0 False 2022-12-16 10:16:28.000000 N/A
** 372 576 svchost.exe 0xc88f21f58240 15 - 0 False 2022-12-16 10:16:28.000000 N/A
*** 1932 372 dasHost.exe 0xc88f230e7280 3 - 0 False 2022-12-16 10:16:30.000000 N/A
*** 2892 372 ctfmon.exe 0xc88f236f5240 10 - 1 False 2022-12-16 10:16:36.000000 N/A
** 1144 576 svchost.exe 0xc88f21fee340 19 - 0 False 2022-12-16 10:16:29.000000 N/A
* 588 484 lsass.exe 0xc88f21c3e080 8 - 0 False 2022-12-16 10:16:27.000000 N/A
* 712 484 fontdrvhost.ex 0xc88f220f4080 5 - 0 False 2022-12-16 10:16:28.000000 N/A
492 476 csrss.exe 0xc88f22051140 12 - 1 False 2022-12-16 10:16:27.000000 N/A
552 476 winlogon.exe 0xc88f22077080 7 - 1 False 2022-12-16 10:16:27.000000 N/A
* 704 552 fontdrvhost.ex 0xc88f220f2140 5 - 1 False 2022-12-16 10:16:28.000000 N/A
* 3036 552 userinit.exe 0xc88f237a1300 0 - 1 False 2022-12-16 10:16:36.000000 2022-12-16 10:17:00.000000
** 2104 3036 explorer.exe 0xc88f237a4300 84 - 1 False 2022-12-16 10:16:37.000000 N/A
*** 4872 2104 SecurityHealth 0xc88f2367e080 3 - 1 False 2022-12-16 10:16:52.000000 N/A
*** 4716 2104 msedge.exe 0xc88f23f20080 0 - 1 False 2022-12-16 10:16:53.000000 2022-12-16 10:26:29.000000
**** 3016 4716 msedge.exe 0xc88f236c1080 0 - 1 False 2022-12-16 10:26:28.000000 2022-12-16 10:40:57.000000
***** 3528 3016 msedge.exe 0xc88f242ab080 55 - 1 False 2022-12-16 10:40:54.000000 N/A
****** 4072 3528 msedge.exe 0xc88f240db080 13 - 1 False 2022-12-16 10:40:55.000000 N/A
****** 4012 3528 msedge.exe 0xc88f244e2080 9 - 1 False 2022-12-16 10:40:55.000000 N/A
****** 5844 3528 msedge.exe 0xc88f23f4c080 18 - 1 False 2022-12-16 10:40:55.000000 N/A
****** 3764 3528 msedge.exe 0xc88f21d42080 9 - 1 False 2022-12-16 10:40:55.000000 N/A
***** 1980 3016 msedge.exe 0xc88f24286340 0 - 1 False 2022-12-16 10:26:28.000000 2022-12-16 10:40:52.000000
*** 1324 2104 powershell.exe 0xc88f237da080 9 - 1 False 2022-12-16 10:36:27.000000 N/A
**** 6084 1324 conhost.exe 0xc88f244460c0 4 - 1 False 2022-12-16 10:36:27.000000 N/A
*** 2400 2104 DumpIt.exe 0xc88f24090080 2 - 1 True 2022-12-16 10:41:09.000000 N/A
**** 4924 2400 conhost.exe 0xc88f23f9e080 5 - 1 False 2022-12-16 10:41:09.000000 N/A
* 888 552 dwm.exe 0xc88f221be080 16 - 1 False 2022-12-16 10:16:28.000000 N/A
This shows that the PID of the PowerShell process is 1324. Next, look at the command lines.
$ python3 vol.py -f Memdump.raw windows.cmdline
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Args
4 System Required memory at 0x20 is not valid (process exited?)
72 Registry Required memory at 0x20 is not valid (process exited?)
328 smss.exe Required memory at 0xefc2d40020 is not valid (process exited?)
416 csrss.exe Required memory at 0x1898a2033ec is inaccessible (swapped)
484 wininit.exe wininit.exe
492 csrss.exe Required memory at 0x20a136033ec is inaccessible (swapped)
552 winlogon.exe winlogon.exe
576 services.exe C:\Windows\system32\services.exe
588 lsass.exe C:\Windows\system32\lsass.exe
704 fontdrvhost.ex Required memory at 0x1f00f581a18 is inaccessible (swapped)
712 fontdrvhost.ex Required memory at 0x3b9b461020 is inaccessible (swapped)
720 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p
800 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p
888 dwm.exe "dwm.exe"
976 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p
1000 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1012 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
372 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
960 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p
1144 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
1304 MemCompression Required memory at 0x20 is not valid (process exited?)
1416 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1444 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1540 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1548 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1580 svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p
1672 spoolsv.exe Required memory at 0x1431ac8 is inaccessible (swapped)
1708 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p
1776 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1932 dasHost.exe dashost.exe {20d623f9-dc40-49de-ae950243b425e414}
1984 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc -p
1152 MsMpEng.exe "C:\Program Files\Windows Defender\MsMpEng.exe"
2516 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2652 sihost.exe sihost.exe
2668 svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
2792 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2892 ctfmon.exe "ctfmon.exe"
3036 userinit.exe Required memory at 0x9706148020 is not valid (process exited?)
2104 explorer.exe C:\Windows\Explorer.EXE
3116 svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
3292 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3368 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
3516 StartMenuExper "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
3584 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
3672 SearchApp.exe Required memory at 0x2f4b57e020 is inaccessible (swapped)
3824 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
4120 ShellExperienc "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
4848 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
2776 smartscreen.ex C:\Windows\System32\smartscreen.exe -Embedding
4872 SecurityHealth "C:\Windows\System32\SecurityHealthSystray.exe"
5004 SecurityHealth C:\Windows\system32\SecurityHealthService.exe
4716 msedge.exe Required memory at 0xf330fa5020 is not valid (process exited?)
5724 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
5912 ApplicationFra C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1636 svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p
3592 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
3484 SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
6024 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
6120 taskhostw.exe taskhostw.exe
3616 TextInputHost. "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
3016 msedge.exe Required memory at 0x66a00fb020 is not valid (process exited?)
1980 msedge.exe Required memory at 0xbdb20d8020 is not valid (process exited?)
3940 svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
1324 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6084 conhost.exe \??\C:\Windows\system32\conhost.exe 0x4
4812 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x314
3528 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
3764 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\bbctf\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\bbctf\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=108.0.5359.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=108.0.1462.46 --initial-client-data=0x100,0x104,0x108,0xdc,0x1b4,0x7fffe39bf2e8,0x7fffe39bf2f8,0x7fffe39bf308
4072 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 --field-trial-handle=1876,i,9027228444479177529,14247593766453517981,131072 /prefetch:2
5844 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1876,i,9027228444479177529,14247593766453517981,131072 /prefetch:3
4012 msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2468 --field-trial-handle=1876,i,9027228444479177529,14247593766453517981,131072 /prefetch:8
2356 svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p
4016 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
2400 DumpIt.exe "C:\Users\bbctf\Downloads\DumpIt.exe"
4428 NisSrv.exe "C:\Program Files\Windows Defender\NisSrv.exe"
4924 conhost.exe \??\C:\Windows\system32\conhost.exe 0x4
The command line for powershell.exe also shows only the bare process, with no arguments. So I dump the memory of that process.
$ python3 vol.py -f Memdump.raw -o . windows.memmap --dump --pid 1324
:
I analyzed pid.1324.dmp in a binary editor and found code that looks related to the flag. The relevant code is as follows.
$xorkey = "bbctf"
$aescipherkey = "ByteBandits-CTF Jan 2023"
$encrypted_flag = "m74/XKCNkHmzJHEPAOHvegV96AOubRnSUQBpJnG4tHg="
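Presumably $encrypted_flag is the result of AES-encrypting the flag with $aescipherkey as the key, so try decrypting it.
#!/usr/bin/env python3
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Values recovered from the memory dump of the PowerShell process
key = b"ByteBandits-CTF Jan 2023"  # 24 bytes, so AES-192
encrypted_flag = b"m74/XKCNkHmzJHEPAOHvegV96AOubRnSUQBpJnG4tHg="

# Decrypt in ECB mode and strip the padding (16-byte blocks)
aes = AES.new(key, AES.MODE_ECB)
flag = unpad(aes.decrypt(b64decode(encrypted_flag)), 16).decode()
print(flag)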
flag{V0L@tiLiTy_4_da_w1N}
Crypto Masquerade (Crypto)
An outline of the server's processing is as follows.
・BIT_L = 2**8
・FLAG: the flag
・p, g, a, b = generate_secrets()
　・p: 256-bit prime
　・g: 256-bit prime
　・h = (p - 1) * (g - 1)
　・a = 0
　・While GCD(a, h) is not 1, do the following
　　・a: random integer, at least 3 and less than h
　・b = pow(a, -1, h)
　・Return p * g, g, a, b
・A = pow(g, a, p)
・B = pow(g, b, p)
・key = pow(A, b, p)
・Display p, g, A, B, key
・password: key converted to a string
・key: derived from password
・Encrypt FLAG with Fernet → display it
Since key is known, decrypt FLAG directly.
#!/usr/bin/env python3
import socket
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

def recvuntil(s, tail):
    # Read one byte at a time until `tail` has been received
    data = b''
    while True:
        if tail in data:
            return data.decode()
        chunk = s.recv(1)
        if not chunk:
            raise ConnectionError('connection closed before delimiter')
        data += chunk

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('crypto.bbctf.fluxus.co.in', 3001))

# p, g, A, B
for _ in range(4):
    data = recvuntil(s, b'\n').rstrip()
    print(data)

# key
data = recvuntil(s, b'\n').rstrip()
print(data)
key = int(data.split(' ')[-1])

# message (the Fernet token)
data = recvuntil(s, b'\n').rstrip()
print(data)
token = data.split(' ')[-1]

# Rebuild the Fernet key from the displayed key
password = key.to_bytes((key.bit_length() + 7) // 8, "big")
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256,
    length=32,
    salt=b"\x00" * 8,
    iterations=100000,
    backend=default_backend(),
)
key = base64.urlsafe_b64encode(kdf.derive(password))
f = Fernet(key)
flag = f.decrypt(token).decode()
print(flag)
The output is as follows.
p : 5961689061065791938635401296089849510105616704238149828187342101935511517517150537052294760754947654984055567767140365715583626414891153889046478946376127
g : 59833225402458123394492645974670985762530467188033360577751553737167670382669
A : 3669010159106941777939673938644722721735138046608729134266146999470250850252420494149195697863591969422697511933276681392693666474888553551174001392987734
B : 3734244478303409522632357907487442687062517140078256930277119133711649716377858161474969078411258416516682552764607350986762590829029618337562450931963282
key : 59833225402458123394492645974670985762530467188033360577751553737167670382669
message : gAAAAABj3hadKGQgCqVln671gwW0uH7GjsGtw2QL0e2v9VAlKB5g-jdjPJQajiY1JWpBUsml3AXJIFXCJLga-5zfEAFz2MPHTMf8WKwLkNLGPvuv1AtCJGV4DcW_Fof3CVY3YIr62XaL
flag{wA17_1tS_all_rs4?_Alw4ys_H4S_b33N}
flag{wA17_1tS_all_rs4?_Alw4ys_H4S_b33N}
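In the output above, key is the same number as g. The following added example (not the challenge's source and not code from the original post) rebuilds the parameter generation from the outline and shows that this always happens, so the key is not secret even if the server stopped printing it. `generate_secrets` follows the outline; the Miller-Rabin prime generator, the seeded RNG and `session` are assumptions made for the example.

```python
import math
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test (stand-in for whatever prime source the server uses)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def generate_secrets(bits, rng):
    """Per the outline: the first returned value is p * g, not p."""
    p = random_prime(bits, rng)
    g = random_prime(bits, rng)   # assumed different from p
    h = (p - 1) * (g - 1)
    a = 0
    while math.gcd(a, h) != 1:
        a = rng.randrange(3, h)
    b = pow(a, -1, h)             # a * b == 1 + k * (p - 1) * (g - 1)
    return p * g, g, a, b


def session(bits=256, seed=0):
    """Values the server displays, for constructed (seeded) parameters."""
    rng = random.Random(seed)
    n, g, a, b = generate_secrets(bits, rng)  # n is what the server calls p
    A = pow(g, a, n)
    B = pow(g, b, n)
    key = pow(A, b, n)                        # g ** (a * b) mod n
    return {"p": n, "g": g, "A": A, "B": B, "key": key}


if __name__ == "__main__":
    for seed in range(3):
        s = session(seed=seed)
        # Mod g the key is 0, which is g mod g. Mod the other prime factor,
        # Fermat gives g ** (1 + k*(p-1)*(g-1)) == g. By CRT, key == g mod n.
        print(seed, "key == g:", s["key"] == s["g"])
```

Because the displayed modulus is a multiple of g and a, b are inverses modulo (p - 1)(g - 1), the "shared" key collapses to the public base, which is why reading key (or just g) off the screen is enough.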
Visionary Cipher (Crypto)
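An outline of the server's processing is as follows.
・FLAG: the flag
・alphabets: lowercase letters + digits + "_{}"
・key: 10 characters chosen from alphabets, concatenated
・Display encrypt(FLAG, key)
　・k: length of key
　・n: length of FLAG
　・l: length of alphabets
　・Shift each character of FLAG by the alphabets index of the corresponding key character.
・Display the md5 digest of FLAG in hexadecimal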
$ nc crypto.bbctf.fluxus.co.in 3002
c : s5gxz{05ulk19o1nnp{myfd35c6oegb09452j7
hash : 17382b1a9caad37bd127f2a7984ccbb9
FLAG starts with "flag{" and the key is 10 bytes long, so decrypt while guessing the rest.
#!/usr/bin/env python3
from string import ascii_lowercase, digits

alphabets = ascii_lowercase + digits + "_{}"
enc = 's5gxz{05ulk19o1nnp{myfd35c6oegb09452j7'
flag_head = 'flag{'

def pos(ch):
    return alphabets.find(ch)

l = len(alphabets)

# Key characters 0-4 from the known prefix "flag{"
key = ''
for i in range(len(flag_head)):
    key += alphabets[(pos(enc[i]) - pos(flag_head[i])) % l]

flag = ''
for i in range(len(enc)):
    if i % 10 < 5:
        flag += alphabets[(pos(enc[i]) - pos(key[i % 10])) % l]
    else:
        flag += '*'
print('[+] flag:', flag)

# Key character 7 from the known final "}" (index 37)
key7 = alphabets[(pos(enc[-1]) - pos('}')) % l]

flag = ''
for i in range(len(enc)):
    if i % 10 < 5:
        flag += alphabets[(pos(enc[i]) - pos(key[i % 10])) % l]
    elif i % 10 == 7:
        flag += alphabets[(pos(enc[i]) - pos(key7)) % l]
    else:
        flag += '*'
print('[+] flag:', flag)

#### guess ####
# Guessed plaintext "r3}" at indices 35-37 gives key characters 5-7
pt = 'r3}'
for i in range(35, 38):
    key += alphabets[(pos(enc[i]) - pos(pt[i - 35])) % l]

# Guessed plaintext "_v" at indices 28-29 gives key characters 8-9
pt = '_v'
for i in range(28, 30):
    key += alphabets[(pos(enc[i]) - pos(pt[i - 28])) % l]

flag = ''
for i in range(len(enc)):
    flag += alphabets[(pos(enc[i]) - pos(key[i % 10])) % l]
print('[+] flag:', flag)
The output is as follows.
[+] flag: flag{*****_h3_a*****ly_me*****1g3ne***
[+] flag: flag{**_**_h3_a**u**ly_me**t**1g3ne**}
[+] flag: flag{0h_n0_h3_ac7u41ly_me4nt_v1g3ner3}
flag{0h_n0_h3_ac7u41ly_me4nt_v1g3ner3}