This CTF ran from 2023/2/17 21:00 (JST) to 2023/2/18 21:00 (JST).
I took part as a team again. We finished with 3335 points, 13th out of 340 teams.
Below are write-ups of the challenges I solved myself.
Welcome (Misc)
Join the Discord and look at the topic of the #rules channel: the flag is written there.
0xL4ugh{W3LC0ME_T0_0UR_C7F_FREE_PALESTINE}
Detected (Misc)
Simply opening the given URL displayed the flag.
0xL4ugh{Youuu_R_a_real_Haqqqqqqeer}
Bruh (Basic) (Web)
You can authenticate with the credentials below, but when username is "admin" the check $_SERVER['REMOTE_ADDR']==="127.0.0.1" must also pass.
username: "admin" password: "admin"
Adding a space to the username slips past that check. Access the following URL:
http://20.121.121.120:8080/bruh/?username=admin%20&password=admin
0xL4ugh{oH_mY_BruuoohH_pLAEStine_iN_our_Hearts}
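The "admin " bypass works because the access-control check and the credential lookup do not see the same username. The challenge's PHP and database are not shown here, so the following is an added model (not the challenge's source) with an assumed credential store that ignores trailing spaces, as MySQL's PAD SPACE collations do; the hardened version canonicalises the name once and uses that single value for every check.

```python
# Added example: a minimal model of an access check and a credential lookup
# that disagree about what the username is. Not the challenge's code.

USERS = {"admin": "admin"}  # constructed credential store


def lookup_user(username):
    # Assumption: the store compares names loosely (trailing spaces ignored,
    # like a PAD SPACE collation), so "admin " still matches the "admin" row.
    return USERS.get(username.rstrip(" "))


def login_vulnerable(username, password, remote_addr):
    # The privileged-account check uses an exact comparison on the raw input...
    if username == "admin" and remote_addr != "127.0.0.1":
        return False
    # ...while the credential lookup compares loosely, so "admin " is both
    # "not admin" for the IP restriction and "admin" for the password check.
    return lookup_user(username) == password


def login_fixed(username, password, remote_addr):
    # Canonicalise once, then apply every check to the same canonical value,
    # and look the user up with an exact match so no second normalisation exists.
    canonical = username.strip()
    if canonical == "admin" and remote_addr != "127.0.0.1":
        return False
    return USERS.get(canonical) == password
```

The point is not the space itself but the two normalisation paths: whatever canonicalisation the data layer applies, the authorisation logic has to apply the same one before it decides.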
ATT IP (Forensics)
The task is to give the IP address and port number of the C2 the trojan is talking to. The destination with by far the most traffic is the most likely C2.
Traffic to IP address 91.243.59.76, port 23927 is extremely frequent.
0xL4ugh{91.243.59.76_23927}
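As an added example (not part of the write-up), here is the "most talkative destination" heuristic used above written as a small script over constructed tshark-style records: it ranks (destination, port) pairs by connection count and then measures how regular the contacts to the top pair are, which is the usual sign of a beacon. The IP and port are the ones found above; the victim and the other destination are documentation-range addresses.

```python
# Added example, not from the write-up. Input shape assumed to be
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# (tab separated); the records below are constructed.
from collections import Counter
from statistics import median

SAMPLE = """\
1676500000.0\t192.0.2.5\t91.243.59.76\t23927
1676500003.1\t192.0.2.5\t198.51.100.10\t443
1676500060.0\t192.0.2.5\t91.243.59.76\t23927
1676500120.0\t192.0.2.5\t91.243.59.76\t23927
1676500131.7\t192.0.2.5\t198.51.100.10\t443
1676500180.0\t192.0.2.5\t91.243.59.76\t23927
1676500240.0\t192.0.2.5\t91.243.59.76\t23927
"""


def parse_records(text):
    """Yield (timestamp, src, dst, dport); skip malformed or non-TCP lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # frames without a TCP port have an empty last column
        yield float(parts[0]), parts[1], parts[2], int(parts[3])


def top_destinations(text, n=3):
    """(dst, dport) pairs ranked by number of connections, most frequent first."""
    counts = Counter((dst, dport) for _, _, dst, dport in parse_records(text))
    return counts.most_common(n)


def beacon_interval(text, dst, dport):
    """Median gap in seconds between successive contacts to dst:dport,
    or None when fewer than two contacts were seen. A tight, repeating
    interval is what distinguishes a beacon from ordinary browsing."""
    times = sorted(t for t, _, d, p in parse_records(text) if (d, p) == (dst, dport))
    if len(times) < 2:
        return None
    return median(b - a for a, b in zip(times, times[1:]))
```

Volume alone can mislead (a software-update server is also "talkative"); combining the count with the regularity of the interval, and with the fact that the port is not a well-known service port, is what makes the candidate convincing.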
PVE 1 (Forensics)
The task is to give the OS and kernel version of the memory dump.
$ python3 vol.py -f PVE.vmem banners
Volatility 3 Framework 2.3.0
Progress:  100.00        PDB scanning finished
Offset  Banner

0x1a00180   Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 (Ubuntu 4.4.0-186.216-generic 4.4.228)
0x211e6a4   Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 (Ubuntu 4.4.0-186.216-generic 4.4.228)
0x1aaf7338  Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 (Ubuntu 4.4.0-186.216-generic 4.4.228)
0x1fde00a8  Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 (Ubuntu 4.4.0-186.216-generic 4.4.228)
The OS is Ubuntu and the kernel version is 4.4.0-186-generic.
0xL4ugh{Ubuntu_4.4.0-186-generic}
PVE 2 (Forensics)
The task is to give the version of the Apache server.
The memory image is from Linux, so a symbol table for the matching kernel has to be built first.
From https://launchpad.net/ubuntu/xenial/amd64/linux-image-unsigned-4.4.0-186-generic-dbgsym/4.4.0-186.216 download http://launchpadlibrarian.net/486669078/linux-image-unsigned-4.4.0-186-generic-dbgsym_4.4.0-186.216_amd64.ddeb.
$ ar x linux-image-unsigned-4.4.0-186-generic-dbgsym_4.4.0-186.216_amd64.ddeb
$ tar -xf data.tar.xz
$ ls usr/lib/debug/boot/vmlinux-4.4.0-186-generic
usr/lib/debug/boot/vmlinux-4.4.0-186-generic
Build the symbol table with dwarf2json and put it where Volatility 3 looks for Linux symbols.
$ git clone https://github.com/volatilityfoundation/dwarf2json
$ cd dwarf2json/
$ go build
go: downloading github.com/spf13/pflag v1.0.5
$ ./dwarf2json linux --elf ../usr/lib/debug/boot/vmlinux-4.4.0-186-generic > vmlinux-4.4.0-186-generic.json
$ mv vmlinux-4.4.0-186-generic.json ../volatility3/volatility3/symbols/
$ cd ../volatility3/
Get the list of commands that were entered.
$ python3 vol.py -f PVE.vmem linux.bash
Volatility 3 Framework 2.3.0
Progress:  100.00        Stacking attempts finished
PID Process CommandTime Command

1034 bash 2023-02-15 16:33:22.000000 hello
1034 bash 2023-02-15 16:33:22.000000 are you ready ?
1034 bash 2023-02-15 16:33:22.000000 clear
1034 bash 2023-02-15 16:33:22.000000 ls
1034 bash 2023-02-15 16:33:22.000000 sudo apt install apache=2.4.51-1+ubuntu16.04.7+deb.sury.org+1
1034 bash 2023-02-15 16:33:22.000000 sudo apt install apache=2.4.51-1+ubuntu20.04.1+deb.sury.org+1
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache2=2.2.14-5ubuntu8.7
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache2=2.2.14-5ubuntu16.04.7
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache2
1034 bash 2023-02-15 16:33:22.000000 apache2 --version
1034 bash 2023-02-15 16:33:22.000000 echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1034 bash 2023-02-15 16:33:22.000000 ls
1034 bash 2023-02-15 16:33:22.000000 sudo echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1034 bash 2023-02-15 16:33:22.000000 sudo su
1034 bash 2023-02-15 16:33:22.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1034 bash 2023-02-15 16:33:22.000000 pwd
1034 bash 2023-02-15 16:33:22.000000 clear
1034 bash 2023-02-15 16:33:22.000000 apache2 -version
1034 bash 2023-02-15 16:33:22.000000 ls
1034 bash 2023-02-15 16:33:22.000000 ls
1034 bash 2023-02-15 16:33:22.000000 cd ..
1034 bash 2023-02-15 16:33:22.000000 sudo su
1034 bash 2023-02-15 16:33:22.000000 su
1034 bash 2023-02-15 16:33:22.000000 ls -lah
1034 bash 2023-02-15 16:33:22.000000 cat flag.txt
1034 bash 2023-02-15 16:33:25.000000 history
1034 bash 2023-02-15 16:33:38.000000 ls
1034 bash 2023-02-15 16:33:40.000000 ls-lah
1034 bash 2023-02-15 16:33:42.000000 cd ..
1034 bash 2023-02-15 16:33:43.000000 ls
1034 bash 2023-02-15 16:33:48.000000 ls
1034 bash 2023-02-15 16:33:48.000000 cd media
1034 bash 2023-02-15 16:33:54.000000 ls
1034 bash 2023-02-15 16:33:54.000000 cd floppy
1034 bash 2023-02-15 16:33:57.000000 ls -lah
1034 bash 2023-02-15 16:33:59.000000 cd ..
1034 bash 2023-02-15 16:34:05.000000 cd floppy0
1034 bash 2023-02-15 16:34:06.000000 ls
1034 bash 2023-02-15 16:34:07.000000 cd ..
1034 bash 2023-02-15 16:34:11.000000 l
1034 bash 2023-02-15 16:34:11.000000 cd cdrom
1034 bash 2023-02-15 16:34:12.000000 ls
1034 bash 2023-02-15 16:34:15.000000 ls -lah
1034 bash 2023-02-15 16:34:17.000000 cd ..
1034 bash 2023-02-15 16:34:19.000000 ls
1034 bash 2023-02-15 16:34:28.000000 cd mnt
1034 bash 2023-02-15 16:34:29.000000 l
1034 bash 2023-02-15 16:34:30.000000 ls
1034 bash 2023-02-15 16:34:33.000000 cd ..
1034 bash 2023-02-15 16:34:36.000000 cd dev
1034 bash 2023-02-15 16:34:36.000000 ls
1034 bash 2023-02-15 16:34:40.000000 cd ..
1034 bash 2023-02-15 16:34:42.000000 cd dev
1034 bash 2023-02-15 16:34:44.000000 cd cdrom
1034 bash 2023-02-15 16:34:45.000000 l
1034 bash 2023-02-15 16:34:46.000000 ls
1034 bash 2023-02-15 16:34:49.000000 ls -la
1034 bash 2023-02-15 16:34:56.000000 clear
1034 bash 2023-02-15 16:34:58.000000 cd ..
1034 bash 2023-02-15 16:34:58.000000 ls
1034 bash 2023-02-15 16:35:06.000000 cd opt
1034 bash 2023-02-15 16:35:07.000000 ls
1034 bash 2023-02-15 16:35:10.000000 cd ..
1034 bash 2023-02-15 16:35:23.000000 ls
1034 bash 2023-02-15 16:35:24.000000 cd home
1034 bash 2023-02-15 16:35:26.000000 ls
1034 bash 2023-02-15 16:35:33.000000 rm memory.raw
1034 bash 2023-02-15 16:35:42.000000 sudo rm memeory.raw
1034 bash 2023-02-15 16:35:45.000000 ls
1034 bash 2023-02-15 16:35:53.000000 sudo su
1080 bash 2023-02-15 16:35:53.000000 rm flag.txt
1080 bash 2023-02-15 16:35:53.000000 passwd xElessaway
1080 bash 2023-02-15 16:35:53.000000 memdump
1080 bash 2023-02-15 16:35:53.000000 sudo apt-get install memdump
1080 bash 2023-02-15 16:35:53.000000 useradd xElessaway
1080 bash 2023-02-15 16:35:53.000000 memdump
1080 bash 2023-02-15 16:35:53.000000 clear
1080 bash 2023-02-15 16:35:53.000000 memdump > memory.raw
1080 bash 2023-02-15 16:35:53.000000 echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1080 bash 2023-02-15 16:35:53.000000 ls
1080 bash 2023-02-15 16:35:53.000000 su mrx
1080 bash 2023-02-15 16:35:58.000000 rm memory.raw
1080 bash 2023-02-15 16:35:58.000000 ls
1080 bash 2023-02-15 16:36:01.000000 cd mrx
1080 bash 2023-02-15 16:36:01.000000 ls
1080 bash 2023-02-15 16:36:49.000000 memdump > memory.raw
1080 bash 2023-02-15 16:39:14.000000 ls
1080 bash 2023-02-15 16:39:18.000000 rm memory.raw
1080 bash 2023-02-16 14:17:58.000000 mkdir /mnt/f
1080 bash 2023-02-16 14:18:22.000000 sudo vmhfs-fuse .host:/grad /mnt/f -o allow_other -o uid=1000
1080 bash 2023-02-16 14:18:31.000000 sudo vmhgfs-fuse .host:/grad /mnt/f -o allow_other -o uid=1000
1080 bash 2023-02-16 14:19:13.000000 ls /etc
1080 bash 2023-02-16 14:21:02.000000 cd ..
1080 bash 2023-02-16 14:21:04.000000 ls
1080 bash 2023-02-16 14:21:06.000000 history
1080 bash 2023-02-16 14:21:10.000000 ls
1080 bash 2023-02-16 14:21:18.000000 cd etc
1080 bash 2023-02-16 14:21:19.000000 ls
1080 bash 2023-02-16 14:21:30.000000 cd ..
1080 bash 2023-02-16 14:21:41.000000 ls
1080 bash 2023-02-16 14:21:44.000000 cd /home
1080 bash 2023-02-16 14:21:44.000000 ls
1080 bash 2023-02-16 14:21:46.000000 cd mrx
1080 bash 2023-02-16 14:21:49.000000 ls -lah
1080 bash 2023-02-16 14:22:00.000000 nano .bash_history
1080 bash 2023-02-16 14:24:33.000000 changepasswd
1080 bash 2023-02-16 14:24:51.000000 su mrx
1606 bash 2023-02-16 14:24:51.000000 hello
1606 bash 2023-02-16 14:24:51.000000 are you ready ?
1606 bash 2023-02-16 14:24:51.000000 clear
1606 bash 2023-02-16 14:24:51.000000 ls
1606 bash 2023-02-16 14:24:51.000000 sudo apt install apache=2.4.51-1+ubuntu16.04.7+deb.sury.org+1
1606 bash 2023-02-16 14:24:51.000000 sudo apt install apache=2.4.51-1+ubuntu20.04.1+deb.sury.org+1
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache2=2.2.14-5ubuntu8.7
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache2=2.2.14-5ubuntu16.04.7
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache2
1606 bash 2023-02-16 14:24:51.000000 pwd
1606 bash 2023-02-16 14:24:51.000000 ls -lah
1606 bash 2023-02-16 14:24:51.000000 sudo echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1606 bash 2023-02-16 14:24:51.000000 cd ..
1606 bash 2023-02-16 14:24:51.000000 ls
1606 bash 2023-02-16 14:24:51.000000 clear
1606 bash 2023-02-16 14:24:51.000000 sudo su
1606 bash 2023-02-16 14:24:51.000000 su
1606 bash 2023-02-16 14:24:51.000000 cat flag.txt
1606 bash 2023-02-16 14:24:51.000000 apache2 --version
1606 bash 2023-02-16 14:24:51.000000 apache2 -version
1606 bash 2023-02-16 14:24:51.000000 ls
1606 bash 2023-02-16 14:24:51.000000 sudo su
1606 bash 2023-02-16 14:24:51.000000 ls
1606 bash 2023-02-16 14:24:51.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1606 bash 2023-02-16 14:25:05.000000 passwd mrx
1606 bash 2023-02-16 14:26:26.000000 sudo su
1719 bash 2023-02-16 14:26:38.000000 rm flag.txt
1719 bash 2023-02-16 14:26:38.000000 passwd xElessaway
1719 bash 2023-02-16 14:26:38.000000 memdump
1719 bash 2023-02-16 14:26:38.000000 sudo apt-get install memdump
1719 bash 2023-02-16 14:26:38.000000 useradd xElessaway
1719 bash 2023-02-16 14:26:38.000000 memdump
1719 bash 2023-02-16 14:26:38.000000 clear
1719 bash 2023-02-16 14:26:38.000000 memdump > memory.raw
1719 bash 2023-02-16 14:26:38.000000 echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1719 bash 2023-02-16 14:26:38.000000 ls
1719 bash 2023-02-16 14:26:38.000000 su mrx
1719 bash 2023-02-16 14:26:46.000000 nano .bash_history
1719 bash 2023-02-16 14:26:55.000000 clear
1719 bash 2023-02-16 14:26:58.000000 history
1719 bash 2023-02-16 14:27:04.000000 clear
1719 bash 2023-02-16 14:27:25.000000 cat /etc/shadow
1719 bash 2023-02-16 14:27:35.000000 su mrx
1734 bash 2023-02-16 14:27:35.000000 hello
1734 bash 2023-02-16 14:27:35.000000 are you ready ?
1734 bash 2023-02-16 14:27:35.000000 clear
1734 bash 2023-02-16 14:27:35.000000 ls
1734 bash 2023-02-16 14:27:35.000000 sudo apt install apache=2.4.51-1+ubuntu16.04.7+deb.sury.org+1
1734 bash 2023-02-16 14:27:35.000000 sudo apt install apache=2.4.51-1+ubuntu20.04.1+deb.sury.org+1
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache2=2.2.14-5ubuntu8.7
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache2=2.2.14-5ubuntu16.04.7
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache2
1734 bash 2023-02-16 14:27:35.000000 pwd
1734 bash 2023-02-16 14:27:35.000000 ls -lah
1734 bash 2023-02-16 14:27:35.000000 sudo echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
1734 bash 2023-02-16 14:27:35.000000 cd ..
1734 bash 2023-02-16 14:27:35.000000 ls
1734 bash 2023-02-16 14:27:35.000000 clear
1734 bash 2023-02-16 14:27:35.000000 sudo su
1734 bash 2023-02-16 14:27:35.000000 su
1734 bash 2023-02-16 14:27:35.000000 cat flag.txt
1734 bash 2023-02-16 14:27:35.000000 apache2 --version
1734 bash 2023-02-16 14:27:35.000000 apache2 -version
1734 bash 2023-02-16 14:27:35.000000 ls
1734 bash 2023-02-16 14:27:35.000000 sudo su
1734 bash 2023-02-16 14:27:35.000000 ls
1734 bash 2023-02-16 14:27:35.000000 sudo apt-get install apache=2.2.14-5ubuntu16.04.7
1734 bash 2023-02-16 14:28:44.000000 echo "MMOX AND XELESSAWAY YATMNO LEKO CTF SA3EDA | MMOX AND XELESSAWAY HOPE ARE HAVING A GOOD TIME IN OUT CTF <3 HAPPY VALANTINE DAY BOIZ,GIRLS AND ALLIENS"
1734 bash 2023-02-16 14:29:18.000000 ./mnt/f/dontopenmeimvirus
1734 bash 2023-02-16 14:29:49.000000 ls /mnt/f/
1734 bash 2023-02-16 14:30:12.000000 bash /mnt/f/dontopenmenimvirus
1734 bash 2023-02-16 14:30:32.000000 sudo apt install gcc
1734 bash 2023-02-16 14:31:14.000000 nano .bash_history
1734 bash 2023-02-16 14:31:24.000000 su
1734 bash 2023-02-16 14:31:56.000000 sudo nano .bash_history
1734 bash 2023-02-16 14:33:54.000000 gcc /mnt/f/dontopenmenimvirus.c -o DontRunMeImVirus
1734 bash 2023-02-16 14:34:24.000000 ./mnt/f/DontRunMeImVirus
1734 bash 2023-02-16 14:34:33.000000 bash /mnt/f/DontRunMeImVirus
1734 bash 2023-02-16 14:34:39.000000 cd /mnt/f
1734 bash 2023-02-16 14:34:52.000000 ls
1734 bash 2023-02-16 14:35:00.000000 ls hone
1734 bash 2023-02-16 14:35:02.000000 ls home
1734 bash 2023-02-16 14:35:05.000000 ls /home
1734 bash 2023-02-16 14:35:08.000000 ls /home/mrx
1734 bash 2023-02-16 14:35:17.000000 cd /home/mrx
1734 bash 2023-02-16 14:35:21.000000 ./DontRunMeImVirus
The installed Apache version is 2.2.14.
0xL4ugh{2.2.14}
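As an added example (not part of the write-up), a parser for the linux.bash listing above that turns each line into a record and extracts the two things this answer rested on: the package version pins typed at the prompt, and the anti-forensic commands (history-file editing, dump deletion) that show the shell history was being tampered with and so cannot be taken at face value. The sample is a constructed excerpt of the listing above; the column layout is assumed to be the PID/Process/CommandTime/Command order Volatility printed.

```python
# Added example, not the write-up's code. Parses Volatility 3 linux.bash output.
import re

# Constructed excerpt in the shape of the listing above (tab-separated columns).
SAMPLE = """\
Volatility 3 Framework 2.3.0
Progress:  100.00\t\tStacking attempts finished
PID\tProcess\tCommandTime\tCommand

1034\tbash\t2023-02-15 16:33:22.000000\tsudo apt install apache=2.4.51-1+ubuntu16.04.7+deb.sury.org+1
1034\tbash\t2023-02-15 16:33:22.000000\tsudo apt-get install apache2=2.2.14-5ubuntu16.04.7
1034\tbash\t2023-02-15 16:33:22.000000\tapache2 --version
1080\tbash\t2023-02-15 16:35:58.000000\trm memory.raw
1080\tbash\t2023-02-16 14:22:00.000000\tnano .bash_history
1719\tbash\t2023-02-16 14:26:58.000000\thistory
1734\tbash\t2023-02-16 14:33:54.000000\tgcc /mnt/f/dontopenmenimvirus.c -o DontRunMeImVirus
"""

# One record: PID, process name, timestamp (fractional part dropped), command.
RECORD = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+"
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(?P<cmd>.*?)\s*$")
# apt / apt-get install with an explicit "package=version" pin.
PIN = re.compile(r"\bapt(?:-get)?\s+install\s+(?P<pkg>[\w.+-]+)=(?P<ver>\S+)")
# Commands that suggest the history itself was manipulated or evidence removed.
ANTI_FORENSICS = [
    ("history file edited", re.compile(r"\.bash_history\b")),
    ("memory dump removed", re.compile(r"\brm\b.*\bmemory\.raw\b")),
    ("history reviewed", re.compile(r"^history$")),
]


def parse_bash(text):
    """Return the command records; banner, progress and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"pid": int(m["pid"]), "time": m["time"], "cmd": m["cmd"]})
    return records


def version_pins(records):
    """(package, version) pairs from pinned apt installs, in the order first seen."""
    pins = []
    for r in records:
        m = PIN.search(r["cmd"])
        if m and (m["pkg"], m["ver"]) not in pins:
            pins.append((m["pkg"], m["ver"]))
    return pins


def anti_forensics(records):
    """Records whose command matches a tamper pattern, tagged with the reason."""
    hits = []
    for r in records:
        for label, pattern in ANTI_FORENSICS:
            if pattern.search(r["cmd"]):
                hits.append((r["pid"], r["time"], label, r["cmd"]))
    return hits
```

A pinned install command only shows what was requested, not what apt actually installed; on a real case the version would be confirmed from the package database or the binary in memory, which is why the "apache2 --version" lines in the listing matter as much as the pins.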
PVE 3 (Forensics)
The task is to get the flag from a suspicious process.
List the processes together with their arguments.
$ python3 vol.py -f PVE.vmem linux.psaux
Volatility 3 Framework 2.3.0
Progress:  100.00        Stacking attempts finished
PID PPID COMM ARGS

1 0 systemd -
2 0 kthreadd [kthreadd]
3 2 ksoftirqd/0 [ksoftirqd/0]
5 2 kworker/0:0H [kworker/0:0H]
7 2 rcu_sched [rcu_sched]
8 2 rcu_bh [rcu_bh]
9 2 migration/0 [migration/0]
10 2 watchdog/0 [watchdog/0]
11 2 watchdog/1 [watchdog/1]
12 2 migration/1 [migration/1]
13 2 ksoftirqd/1 [ksoftirqd/1]
15 2 kworker/1:0H [kworker/1:0H]
16 2 kdevtmpfs [kdevtmpfs]
17 2 netns [netns]
18 2 perf [perf]
19 2 khungtaskd [khungtaskd]
20 2 writeback [writeback]
21 2 ksmd [ksmd]
22 2 crypto [crypto]
23 2 kintegrityd [kintegrityd]
24 2 bioset [bioset]
25 2 kblockd [kblockd]
26 2 ata_sff [ata_sff]
27 2 md [md]
28 2 devfreq_wq [devfreq_wq]
33 2 kswapd0 [kswapd0]
34 2 vmstat [vmstat]
35 2 fsnotify_mark [fsnotify_mark]
36 2 ecryptfs-kthrea [ecryptfs-kthrea]
52 2 kthrotld [kthrotld]
53 2 acpi_thermal_pm [acpi_thermal_pm]
54 2 bioset [bioset]
55 2 bioset [bioset]
56 2 bioset [bioset]
57 2 bioset [bioset]
58 2 bioset [bioset]
59 2 bioset [bioset]
60 2 bioset [bioset]
61 2 bioset [bioset]
62 2 scsi_eh_0 [scsi_eh_0]
63 2 scsi_tmf_0 [scsi_tmf_0]
64 2 scsi_eh_1 [scsi_eh_1]
65 2 scsi_tmf_1 [scsi_tmf_1]
71 2 ipv6_addrconf [ipv6_addrconf]
84 2 deferwq [deferwq]
85 2 charger_manager [charger_manager]
122 2 kworker/0:2 [kworker/0:2]
136 2 mpt_poll_0 [mpt_poll_0]
137 2 mpt/0 [mpt/0]
138 2 kpsmoused [kpsmoused]
139 2 scsi_eh_2 [scsi_eh_2]
140 2 scsi_tmf_2 [scsi_tmf_2]
141 2 scsi_eh_3 [scsi_eh_3]
142 2 scsi_tmf_3 [scsi_tmf_3]
143 2 scsi_eh_4 [scsi_eh_4]
144 2 scsi_tmf_4 [scsi_tmf_4]
145 2 scsi_eh_5 [scsi_eh_5]
146 2 scsi_tmf_5 [scsi_tmf_5]
147 2 scsi_eh_6 [scsi_eh_6]
148 2 scsi_tmf_6 [scsi_tmf_6]
149 2 scsi_eh_7 [scsi_eh_7]
150 2 scsi_tmf_7 [scsi_tmf_7]
151 2 scsi_eh_8 [scsi_eh_8]
152 2 scsi_tmf_8 [scsi_tmf_8]
153 2 scsi_eh_9 [scsi_eh_9]
154 2 scsi_tmf_9 [scsi_tmf_9]
155 2 scsi_eh_10 [scsi_eh_10]
156 2 scsi_tmf_10 [scsi_tmf_10]
157 2 scsi_eh_11 [scsi_eh_11]
158 2 scsi_tmf_11 [scsi_tmf_11]
159 2 scsi_eh_12 [scsi_eh_12]
160 2 scsi_tmf_12 [scsi_tmf_12]
161 2 scsi_eh_13 [scsi_eh_13]
162 2 scsi_tmf_13 [scsi_tmf_13]
163 2 scsi_eh_14 [scsi_eh_14]
164 2 scsi_tmf_14 [scsi_tmf_14]
165 2 scsi_eh_15 [scsi_eh_15]
166 2 scsi_tmf_15 [scsi_tmf_15]
167 2 scsi_eh_16 [scsi_eh_16]
168 2 scsi_tmf_16 [scsi_tmf_16]
169 2 scsi_eh_17 [scsi_eh_17]
170 2 scsi_tmf_17 [scsi_tmf_17]
171 2 scsi_eh_18 [scsi_eh_18]
172 2 scsi_tmf_18 [scsi_tmf_18]
173 2 scsi_eh_19 [scsi_eh_19]
174 2 scsi_tmf_19 [scsi_tmf_19]
175 2 scsi_eh_20 [scsi_eh_20]
176 2 scsi_tmf_20 [scsi_tmf_20]
177 2 scsi_eh_21 [scsi_eh_21]
178 2 scsi_tmf_21 [scsi_tmf_21]
179 2 scsi_eh_22 [scsi_eh_22]
180 2 scsi_tmf_22 [scsi_tmf_22]
181 2 scsi_eh_23 [scsi_eh_23]
182 2 scsi_tmf_23 [scsi_tmf_23]
183 2 scsi_eh_24 [scsi_eh_24]
184 2 scsi_tmf_24 [scsi_tmf_24]
185 2 scsi_eh_25 [scsi_eh_25]
186 2 scsi_tmf_25 [scsi_tmf_25]
187 2 scsi_eh_26 [scsi_eh_26]
188 2 scsi_tmf_26 [scsi_tmf_26]
189 2 scsi_eh_27 [scsi_eh_27]
190 2 scsi_tmf_27 [scsi_tmf_27]
191 2 scsi_eh_28 [scsi_eh_28]
192 2 scsi_tmf_28 [scsi_tmf_28]
193 2 scsi_eh_29 [scsi_eh_29]
194 2 scsi_tmf_29 [scsi_tmf_29]
195 2 scsi_eh_30 [scsi_eh_30]
196 2 scsi_tmf_30 [scsi_tmf_30]
197 2 scsi_eh_31 [scsi_eh_31]
198 2 scsi_tmf_31 [scsi_tmf_31]
223 2 kworker/u256:29 [kworker/u256:29]
226 2 scsi_eh_32 [scsi_eh_32]
227 2 scsi_tmf_32 [scsi_tmf_32]
228 2 bioset [bioset]
229 2 bioset [bioset]
230 2 ttm_swap [ttm_swap]
248 2 kworker/0:1H [kworker/0:1H]
271 2 jbd2/sda1-8 [jbd2/sda1-8]
272 2 ext4-rsv-conver [ext4-rsv-conver]
303 2 kworker/1:2 [kworker/1:2]
311 2 kworker/1:1H [kworker/1:1H]
320 1 systemd-journal -
325 2 kauditd [kauditd]
363 1 systemd-udevd /lib/systemd/systemd-udevd
392 1 vmware-vmblock- vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid
393 1 vmtoolsd /usr/bin/vmtoolsd
407 1 systemd-timesyn /lib/systemd/systemd-timesyncd
634 1 dbus-daemon /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
644 1 VGAuthService /usr/bin/VGAuthService
647 1 systemd-logind /lib/systemd/systemd-logind
649 1 cron /usr/sbin/cron -f
650 1 accounts-daemon /usr/lib/accountsservice/accounts-daemon
653 1 rsyslogd /usr/sbin/rsyslogd -n
678 1 login /bin/login --
695 1 irqbalance /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
785 1 dhclient /sbin/dhclient -1 -v -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33
861 1 apache2 /usr/sbin/apache2 -k start
864 861 apache2 /usr/sbin/apache2 -k start
865 861 apache2 /usr/sbin/apache2 -k start
1027 1 systemd /lib/systemd/systemd --user
1029 1027 (sd-pam) (sd-pam)
1034 678 bash -bash
1078 1034 sudo sudo su
1079 1078 su su
1080 1079 bash bash
1182 1 systemd-network /lib/systemd/systemd-networkd
1402 1 vmhgfs-fuse vmhgfs-fuse .host:/grad /mnt/f -o allow_other -o uid=1000
1411 2 kworker/1:0 [kworker/1:0]
1605 1080 su su mrx
1606 1605 bash bash
1713 1606 sudo sudo su
1717 2 kworker/0:1 [kworker/0:1]
1718 1713 su su
1719 1718 bash bash
1729 1719 nano nano .bash_history
1733 1719 su su mrx
1734 1733 bash bash
1787 2 kworker/u256:1 [kworker/u256:1]
5729 1734 nano nano .bash_history
5808 1734 DontRunMeImViru ./DontRunMeImVirus
The process at the very bottom is suspicious.
From the following line of the PVE 2 linux.bash result, we can infer that the C source code is still somewhere in memory.
$ python3 vol.py -f PVE.vmem linux.bash
:
1734 bash 2023-02-16 14:33:54.000000 gcc /mnt/f/dontopenmenimvirus.c -o DontRunMeImVirus
:
Going through PVE.vmem as text, concentrating on the places that contain #include, this fragment turned up:
#include <unistd.h>

int main(void){
    char flag[] = "0xL4ugh{H1DD3N_1N_PR0CE$$}";
    sleep(696969);
    return 0;
}
The code contains the flag.
0xL4ugh{H1DD3N_1N_PR0CE$$}
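As an added example (not from the write-up), the "#include" search above done programmatically: find each occurrence of the marker in a raw image, expand outward to the maximal run of printable bytes around it, and pull flag-shaped strings out of the recovered text. The buffer is a constructed stand-in for the memory image (padding bytes around the source fragment recovered above); the flag pattern is the challenge's own prefix.

```python
# Added example, not the write-up's code: carve C-source-looking text around
# "#include" markers in a raw byte buffer.
import re

# Bytes we accept as part of a text run: printable ASCII plus tab/newline/CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed stand-in for a memory image: junk, the recovered source, more junk,
# and a second, too-short "#include" hit that should be filtered out.
IMAGE = (
    b"\x00\x00\xff\x7fELF\x02\x01\x01\x00"
    b"#include <unistd.h>\nint main(void){\n"
    b"  char flag[] = \"0xL4ugh{H1DD3N_1N_PR0CE$$}\";\n"
    b"  sleep(696969);\n  return 0;\n}\n"
    b"\x00\x00\x00\x90\x90\xcc"
    b"#include <stdio.h>\n\x00\x00"
)

FLAG = re.compile(r"0xL4ugh\{[^}]*\}")


def carve_text_around(blob, needle=b"#include", min_len=20):
    """Return every maximal printable run that contains `needle`.

    Runs shorter than min_len are dropped: a lone "#include <x.h>" line
    sitting in unrelated memory is noise, not a source file."""
    runs, pos = [], 0
    while True:
        hit = blob.find(needle, pos)
        if hit < 0:
            break
        start = hit
        while start > 0 and blob[start - 1] in PRINTABLE:
            start -= 1
        end = hit
        while end < len(blob) and blob[end] in PRINTABLE:
            end += 1
        run = blob[start:end].decode("ascii")
        if len(run) >= min_len and run not in runs:
            runs.append(run)
        pos = end  # continue after this run so one run is reported once
    return runs


def flags_in(blob):
    """Flag-pattern strings found inside the carved source runs."""
    return [f for run in carve_text_around(blob) for f in FLAG.findall(run)]
```

On a real image this runs over a multi-gigabyte file, so read it with a memory map rather than loading it whole; the carving logic is the same.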
PVE 4 (Forensics)
Something is hidden; the task is to say what.
The flag can be read straight from the linux.bash result obtained in PVE 2.
$ python3 vol.py -f PVE.vmem linux.bash
Volatility 3 Framework 2.3.0
Progress:  100.00        Stacking attempts finished
PID Process CommandTime Command
:
1034 bash 2023-02-15 16:33:22.000000 echo "0xL4ugh{S4D_Y0U_G07_M3}" > flag.txt
:
0xL4ugh{S4D_Y0U_G07_M3}
PVE 5 (Forensics)
The task is to give the user's password.
Recover the /etc/passwd and /etc/shadow entries for the mrx account from the image.
$ strings PVE.vmem | grep mrx:
mrx:$6$AkhWkiSy$MV4YekoydUoqhdnoJYWTHFpSWSsSTe53cTvuGNJLrE7FVMrKgDIEyyQio3ZPtnEX6524nSCenk2fYYV8mxwkL0:19404:0:99999:7:::
 for mrx:
Feb 16 06:31:42 192 su[5730]: - /dev/tty1 mrx:root
Feb 15 08:23:09 192 su[5628]: - /dev/tty1 mrx:root
mrx:x:1000:1000:Super Mario,,,:/home/mrx:/bin/bash
MESSAGE=- /dev/tty1 mrx:root
mrx:x:1000:
mrx:x:1000:1000:Super Mario,,,:/home/mrx:/bin/bash
Write the following into a passwd file.
mrx:x:1000:1000:Super Mario,,,:/home/mrx:/bin/bash
Write the following into a shadow file.
mrx:$6$AkhWkiSy$MV4YekoydUoqhdnoJYWTHFpSWSsSTe53cTvuGNJLrE7FVMrKgDIEyyQio3ZPtnEX6524nSCenk2fYYV8mxwkL0:19404:0:99999:7:::
Crack the password with John the Ripper.
$ unshadow passwd shadow > passwd_shadow
$ cat passwd_shadow
mrx:$6$AkhWkiSy$MV4YekoydUoqhdnoJYWTHFpSWSsSTe53cTvuGNJLrE7FVMrKgDIEyyQio3ZPtnEX6524nSCenk2fYYV8mxwkL0:1000:1000:Super Mario,,,:/home/mrx:/bin/bash
$ john --wordlist=dict/rockyou.txt passwd_shadow
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
08041632890804163289 (mrx)
1g 0:00:56:20 DONE (2023-02-18 17:51) 0.000295g/s 4103p/s 4103c/s 4103C/s 0804166889..0804061305
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password turned out to be 08041632890804163289.
0xL4ugh{08041632890804163289}
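As an added example (not from the write-up), a parser for the shadow and passwd records recovered above and the merge step that unshadow performs, so the fields john is fed are understood rather than copied: the hash prefix identifies the algorithm (here $6$, sha512crypt) and salt, and the "last changed" field is a day count since the epoch that can be cross-checked against the su log lines from the same image. The records are the ones shown above.

```python
# Added example, not the write-up's code: /etc/shadow and /etc/passwd parsing
# plus an unshadow-style merge.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# The two records recovered from the image above.
SHADOW_LINE = ("mrx:$6$AkhWkiSy$MV4YekoydUoqhdnoJYWTHFpSWSsSTe53cTvuGNJLrE7FVMrKgDIEyyQio3ZPtnEX6524nSCenk2fYYV8mxwkL0"
               ":19404:0:99999:7:::")
PASSWD_LINE = "mrx:x:1000:1000:Super Mario,,,:/home/mrx:/bin/bash"


def parse_shadow(line):
    """Split one /etc/shadow record (9 colon-separated fields) into named parts."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    name, pw, last, mn, mx, warn, inactive, expire, _reserved = fields
    algo = salt = digest = None
    if pw.startswith("$"):
        parts = pw.split("$")          # ['', id, [rounds=N,] salt, digest]
        algo = ALGORITHMS.get(parts[1], parts[1])
        if parts[2].startswith("rounds="):
            salt, digest = parts[3], parts[4]
        else:
            salt, digest = parts[2], parts[3]
    return {
        "name": name,
        "hash": pw,
        "algorithm": algo,
        "salt": salt,
        "digest": digest,
        "locked": pw.startswith(("!", "*")),
        # days since 1970-01-01; empty means "never changed"
        "last_change": EPOCH + timedelta(days=int(last)) if last else None,
        "min_days": int(mn) if mn else None,
        "max_days": int(mx) if mx else None,
        "warn_days": int(warn) if warn else None,
    }


def unshadow(passwd_lines, shadow_lines):
    """Merge like john's unshadow: replace the 'x' placeholder in passwd with
    the real hash from shadow, keeping the passwd layout (uid, gid, gecos...)."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_lines if ":" in l}
    merged = []
    for l in passwd_lines:
        f = l.rstrip("\n").split(":")
        if len(f) != 7:
            continue  # not a well-formed passwd record
        f[1] = hashes.get(f[0], f[1])
        merged.append(":".join(f))
    return merged
```

The last-change day count for this record decodes to 2023-02-16, matching the "Feb 16" su entries and the passwd mrx command in the bash history, which is a useful consistency check that the recovered line belongs to the same timeline.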
Wanna 1 (Forensics)
The task is to give the sha256 of the memory image and its profile.
$ sha256sum Wanna-MEM.vmem
7f7c94e941d39f7b6217e98295c761c90d215eea0fe988327984d8f57bf86205  Wanna-MEM.vmem
$ python3 vol.py -f Wanna-MEM.vmem windows.info
:
Progress:  100.00        PDB scanning finished
Variable    Value

Kernel Base 0xf8025e605000
DTB 0x1ad000
Symbols file:///home/ctf/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/E2BA44E0E506968538EA272B1E5030C5-1.json.xz
Is64Bit True
IsPAE   False
layer_name  0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf8025f214388
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors  2
SystemTime  2023-02-15 16:23:06
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine  34404
PE TimeDateStamp    Fri Jul 11 07:43:16 1997
It is 64-bit Windows 10 and the minor version (build) is 19041, so the profile is Win10x64_19041.
0xL4ugh{7f7c94e941d39f7b6217e98295c761c90d215eea0fe988327984d8f57bf86205_Win10x64_19041}
Colorful (Steganography)
It is Hexahue. Decode it with https://www.dcode.fr/hexahue-cipher.
0XL4UGH TH1S 15 H3X4HU3 C0D3
0xL4ugh{TH1S_15_H3X4HU3_C0D3}
Crypto 1 (Crypto)
The cipher is an array of numbers. Try adding them up cumulatively and comparing each running total with the next element.
0 + 0 = 0 NG
0 + 1 = 1 OK
1 + 1 = 2 OK
2 + 2 = 4 NG
4 + 5 = 9 NG
9 + 10 = 19 NG
19 + 20 = 39 NG
39 + 40 = 79 OK

>>> chr(int('01001111',2))
'O'
This computation looks like it decrypts the message. Decode each position as 0 when the sum of the values up to the previous index equals the value at the next index, and as 1 otherwise.
#!/usr/bin/env python3
import ast

# message.txt holds a line of the form "name = [0, 1, 1, 2, ...]"; parse the
# list literal safely instead of eval()-ing file contents.
with open('message.txt', 'r') as f:
    ct = ast.literal_eval(f.read().rstrip().split(' = ')[1])

# Bit 0 is not encoded (ct[0] is 0), so it is taken as '0'.
bin_flag = '0'
sum_ct = 0
for i in range(1, len(ct)):
    sum_ct += ct[i - 1]
    # element equals the running sum -> 0 bit, otherwise -> 1 bit
    if ct[i] == sum_ct:
        bin_flag += '0'
    else:
        bin_flag += '1'

flag = ''
for i in range(0, len(bin_flag), 8):
    flag += chr(int(bin_flag[i:i+8], 2))
print(flag)
OSC{SUP3r!NCr3451NG_53QU3NC3}
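As an added example (not from the write-up), the encoder that produces this kind of superincreasing sequence next to a decoder equivalent to the script above, so the rule "next element equals the running sum for a 0 bit, running sum plus one for a 1 bit" can be checked in both directions. The first bit of the message is never transmitted; like the script above, the decoder assumes it is 0 (true for 7-bit ASCII). The decoder is stricter than the script: an element that is neither the sum nor the sum plus one is rejected as malformed instead of being read as a 1.

```python
# Added example, not the write-up's code: encoder and strict decoder for the
# "sum or sum+1" superincreasing-sequence cipher.


def encode(msg):
    """Turn an ASCII string into the sequence. Bit 0 of the whole message is
    implied by the leading 0 element; every later bit appends one element."""
    bits = "".join(f"{b:08b}" for b in msg.encode("ascii"))
    seq, running = [0], 0
    for bit in bits[1:]:
        running += seq[-1]                     # sum of everything emitted so far
        seq.append(running if bit == "0" else running + 1)
    return seq


def decode(seq):
    """Inverse of encode; raises ValueError on a sequence that breaks the rule."""
    bits, running = "0", 0
    for i in range(1, len(seq)):
        running += seq[i - 1]
        if seq[i] == running:
            bits += "0"
        elif seq[i] == running + 1:
            bits += "1"
        else:
            raise ValueError(f"element {i} is neither sum nor sum+1: malformed sequence")
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))
```

Because each element is at least the sum of all previous ones, the values grow roughly as 2^k; that is the "superincreasing" property the flag text refers to, and it is also why a long message makes the numbers enormous.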
Crypto 2 (Crypto)
Using the first n, e, c: keep adding n to c and taking the e-th root until it comes out exact, then decrypt.
#!/usr/bin/env python3
from Crypto.Util.number import *
import gmpy2

# output.txt has three lines of the form "n = ...", "e = ...", "c = ..."
with open('output.txt', 'r') as f:
    params = f.read().splitlines()

n = int(params[0].split(' ')[-1])
e = int(params[1].split(' ')[-1])
c = int(params[2].split(' ')[-1])

# m^e is only slightly larger than n, so m^e = c + i*n for a small i;
# try successive i until the e-th root is exact.
for i in range(2**20):
    m, success = gmpy2.iroot(c + n * i, e)
    if success:
        break

flag = long_to_bytes(m).decode()
print(flag)
OSC{C0N6r47U14710N5!_Y0U_UND3r574ND_H0W_70_U53_H4574D5_8r04DC457_4774CK_______0xL4ugh}
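As an added example (not from the write-up), the same "add multiples of n until the e-th root is exact" recovery in pure Python without gmpy2, run against a constructed toy key. It shows why a small public exponent with no padding is unsafe: when m^e is only a little larger than n, the ciphertext is m^e minus a small multiple of n, and a root search recovers m without any factoring. The primes, exponent and message below are made up for the demonstration.

```python
# Added example, not the write-up's code: small-e root recovery with a
# pure-Python integer k-th root.


def iroot(x, k):
    """Integer k-th root by binary search: (r, exact) with r = floor(x^(1/k))."""
    if x < 0 or k < 1:
        raise ValueError("x must be >= 0 and k >= 1")
    if x < 2:
        return x, True
    lo, hi = 1, 1 << (x.bit_length() // k + 1)   # hi^k > x by construction
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def recover_small_e(c, n, e, max_k=1 << 20):
    """Return m if m^e == c + k*n for some 0 <= k < max_k, else None.

    Works only when m^e is at most about max_k * n, i.e. a short unpadded
    message and a tiny e; that is exactly the misuse this demonstrates."""
    for k in range(max_k):
        m, exact = iroot(c + k * n, e)
        if exact:
            return m
    return None


# Constructed toy key: two 32-bit primes, e = 3, textbook (unpadded) RSA.
P, Q, E = 4294967291, 4294967311, 3
N = P * Q
MESSAGE = b"hi!"


def demo():
    m = int.from_bytes(MESSAGE, "big")
    c = pow(m, E, N)                      # what an eavesdropper sees
    m2 = recover_small_e(c, N, E)
    if m2 is None:
        return None
    return m2.to_bytes((m2.bit_length() + 7) // 8, "big")
```

The defence is the usual one: use a randomised padding scheme (OAEP for encryption), which makes the padded value close to n in size for every message and leaves no small-root structure to search.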