この大会は2023/4/16 0:00(JST)~2023/4/17 7:00(JST)に開催されました。
今回もチームで参戦。結果は3060点で234チーム中10位でした。
自分で解けた問題をWriteupとして書いておきます。
Flag Format (Tutorial 0)
問題にフラグが書いてあった。
texsaw{y0uG0tM3}
Join our Discord (Tutorial 10)
Discordに入り、#challenge-listチャネルのメッセージを見ると、フラグが書いてあった。
Tutorials - Flag Format (@FatAJ#1029) - Join our Discord (texsaw{w0w_oK_tRy_H@rD})
texsaw{w0w_oK_tRy_H@rD}
Get Docxed (Misc 150)
docxファイルをzip解凍すると、c_r_a_z_y.zipが展開されるが、パスワードがかかっている。John the Ripperでクラックする。
$ zip2john c_r_a_z_y.zip > hash.txt ver 81.9 c_r_a_z_y.zip/flag.txt is not encrypted, or stored with non-handled compression type $ john --wordlist=dict/rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status xwekl12569 (c_r_a_z_y.zip/flag.txt) 1g 0:00:00:44 DONE (2023-04-16 11:54) 0.02239g/s 59614p/s 59614c/s 59614C/s xxbones..xtian329 Use the "--show" option to display all of the cracked passwords reliably Session completed
このパスワード「xwekl12569」で解凍する。
$ 7z x c_r_a_z_y.zip 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=ja_JP.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz (A0655),ASM,AES-NI) Scanning the drive for archives: 1 file, 218 bytes (1 KiB) Extracting archive: c_r_a_z_y.zip -- Path = c_r_a_z_y.zip Type = zip Physical Size = 218 Enter password (will not be echoed): Everything is Ok Size: 26 Compressed: 218 $ cat flag.txt texsaw{lM@0_oK_y0u_sM@rT}
texsaw{lM@0_oK_y0u_sM@rT}
Leaking Secrets? (Misc 150)
Commitの一覧を見てみる。その中でBug fixesを見るとフラグが書いてあった。
texsaw{r3fre5h_yOur_crEdeNt14l5}
A Go Odyssey (RE/Pwn 50)
$ strings odyssey | grep texsaw ...(snip)... libcallstartlockedm: locked to metexsaw{no_null_terminator}unknown ABI ...(snip)...
texsaw{no_null_terminator}
The Path to Victory (Web 50)
http://18.216.238.24:1003/webpage/files/にアクセスすると、インデックスが見える。
親ディレクトリを見てみると、session_keys.txt があることがわかる。
http://18.216.238.24:1003/webpage/session_keys.txtにアクセスすると、フラグが表示された。
texsaw{Th3_B3s7_Cru574c34n}
Console Scrabble (Web 50)
リンクされているhttp://18.216.238.24:1005/challenge.jsに、以下のように書いてある。
// challenge.js exactly as the page links it: one unformatted line of script.
// 31 one-character variables are joined with String.prototype.concat into
// progressively longer fragments, and every function at the end only alert()s
// one of those assembled strings.
// All of this runs in the visitor's browser, so each intermediate value is
// readable from the DevTools console once the script has loaded; the scrambled
// names hide nothing from the client.
var hi='w';var sx='j';var mi='v';var qa='A';var ws='G';var yu='s';var ik='f';var di='l';var sn='g';var ed='1';var rf='F';var tg='y';var bi='t';var tm='3';var ki='m';var lo='n';var im='i';var h2='h';var bo='4';var yh='k';var uj='b';var az='z';var ji='e';var ko='r';var sc='O';var sv='x';var fz='a';var fx='w';var mo='_';var qz="{";var wx='}';var gar=ed.concat(lo,ws);var kar=mo.concat(bo,mo);var qar=ik.concat(di);var war=fz.concat(sn,wx);var far=bi.concat(ji,sv);var nar=rf.concat(di,qa);var ear=bo.concat(sn);var aar=qz.concat(hi,h2);var mar=tm.concat(mi,ji);var zar=yu.concat(fz,fx);var car=h2.concat(bo,bi);var tar=ko.concat(mo,ki);var xar=tg.concat(bo,yh);var bar=uj.concat(ji,az);var har=bo.concat(lo,mo);var jar=im.concat(bi,yu);var yar=sx.concat(qa,ki);var vat=bar.concat(sc,yu);var sat=tar.concat(har,jar);var gat=yar.concat(gar,mo);var nat=xar.concat(car,mar);var tat=nar.concat(ws,mo);var pat=far.concat(zar);var bat=hi.concat(car,mar);var jat=aar.concat(mo,war);var hat=kar.concat(qar,ear);var pin=qz.concat(bat);var ain=vat.concat(tat);var fin=nat.concat(wx);var gin=sat.concat(hat);var lin=pat.concat(wx);var jin=pat.concat(yar);var win=gat.concat(pat,nat);var qin=jat.concat(hat);var ban=pat.concat(pin);var han=ain.concat(ain,gin);var qan=qin.concat(pin);var tan=fin.concat(lin,yar);var pan=nat.concat(win);var wan=jin.concat(pin);var fan=gin.concat(wx);var wem=wan.concat(tan);var rem=qan.concat(fin);var lem=ban.concat(fan);var qem=pan.concat(qan);var hem=han.concat(fan);var tun=wem.concat(qem);var lun=hem.concat(rem);var fun=tun.concat(lun);function chall(){alert(ban);}function time(){alert(jat);}function clock(){alert(kar);}function chair(){alert(vat);}function panda(){alert(bar);}function chill(){alert(qan);}function whoareyou(){alert(qem);}function whereareyou(){alert(win);}function when(){alert(hat);}function pizza(){alert(aar);}function sushi(){alert(wan);}function shirts(){alert(hem);}function hats(){alert(tun);}function shoes(){alert(fan);}function 
nuts(){alert(jin);}function sandwich(){alert(zar);}function pants(){alert(lem);}function flag(){alert(fun);}function notit(){alert(lun);}function well(){alert(wem);}
整形する。
// challenge.js, formatted one statement per line.
//
// The script builds many strings out of single characters and exposes each one
// through a function that alert()s it. Because the whole thing executes in the
// browser, every variable below can be inspected from the DevTools console.
// Names are kept exactly as served (and as `var`, so they stay global
// bindings) so that console lookups such as `fun`, `wem`, `lun` and `lem`
// still resolve.

// --- Layer 0: the alphabet (one character per variable) ---
var hi = 'w';
var sx = 'j';
var mi = 'v';
var qa = 'A';
var ws = 'G';
var yu = 's';
var ik = 'f';
var di = 'l';
var sn = 'g';
var ed = '1';
var rf = 'F';
var tg = 'y';
var bi = 't';
var tm = '3';
var ki = 'm';
var lo = 'n';
var im = 'i';
var h2 = 'h';
var bo = '4';
var yh = 'k';
var uj = 'b';
var az = 'z';
var ji = 'e';
var ko = 'r';
var sc = 'O';
var sv = 'x';
var fz = 'a';
var fx = 'w';
var mo = '_';
var qz = "{";
var wx = '}';

// --- Layer 1: two- and three-character fragments ---
var gar = ed.concat(lo, ws); // '1nG'
var kar = mo.concat(bo, mo); // '_4_'
var qar = ik.concat(di); // 'fl'
var war = fz.concat(sn, wx); // 'ag}'
var far = bi.concat(ji, sv); // 'tex'
var nar = rf.concat(di, qa); // 'FlA'
var ear = bo.concat(sn); // '4g'
var aar = qz.concat(hi, h2); // '{wh'
var mar = tm.concat(mi, ji); // '3ve'
var zar = yu.concat(fz, fx); // 'saw'
var car = h2.concat(bo, bi); // 'h4t'
var tar = ko.concat(mo, ki); // 'r_m'
var xar = tg.concat(bo, yh); // 'y4k'
var bar = uj.concat(ji, az); // 'bez'
var har = bo.concat(lo, mo); // '4n_'
var jar = im.concat(bi, yu); // 'its'
var yar = sx.concat(qa, ki); // 'jAm'

// --- Layer 2: words ---
var vat = bar.concat(sc, yu); // 'bezOs'
var sat = tar.concat(har, jar); // 'r_m4n_its'
var gat = yar.concat(gar, mo); // 'jAm1nG_'
var nat = xar.concat(car, mar); // 'y4kh4t3ve'
var tat = nar.concat(ws, mo); // 'FlAG_'
var pat = far.concat(zar); // 'texsaw' (the flag prefix)
var bat = hi.concat(car, mar); // 'wh4t3ve'
var jat = aar.concat(mo, war); // '{wh_ag}'
var hat = kar.concat(qar, ear); // '_4_fl4g'

// --- Layer 3: phrases ---
var pin = qz.concat(bat); // '{wh4t3ve'
var ain = vat.concat(tat); // 'bezOsFlAG_'
var fin = nat.concat(wx); // 'y4kh4t3ve}'
var gin = sat.concat(hat); // 'r_m4n_its_4_fl4g'
var lin = pat.concat(wx); // 'texsaw}'
var jin = pat.concat(yar); // 'texsawjAm'
var win = gat.concat(pat, nat);
var qin = jat.concat(hat);

// --- Layer 4: flag-shaped candidates and decoy building blocks ---
var ban = pat.concat(pin); // 'texsaw{wh4t3ve' (first half of the real flag)
var han = ain.concat(ain, gin);
var qan = qin.concat(pin);
var tan = fin.concat(lin, yar);
var pan = nat.concat(win);
var wan = jin.concat(pin);
var fan = gin.concat(wx); // 'r_m4n_its_4_fl4g}' (second half of the real flag)

// --- Layer 5: final strings ---
var wem = wan.concat(tan);
var rem = qan.concat(fin);
var lem = ban.concat(fan); // 'texsaw{wh4t3ver_m4n_its_4_fl4g}' (the only well-formed flag)
var qem = pan.concat(qan);
var hem = han.concat(fan);
var tun = wem.concat(qem);
var lun = hem.concat(rem);
var fun = tun.concat(lun); // long decoy: wem + qem + lun

// --- Display functions: each one alert()s a single assembled string. ---
// The function names do not describe their contents: flag() shows the decoy
// `fun`, while the real flag `lem` sits behind pants().
function chall() {
  alert(ban);
}

function time() {
  alert(jat);
}

function clock() {
  alert(kar);
}

function chair() {
  alert(vat);
}

function panda() {
  alert(bar);
}

function chill() {
  alert(qan);
}

function whoareyou() {
  alert(qem);
}

function whereareyou() {
  alert(win);
}

function when() {
  alert(hat);
}

function pizza() {
  alert(aar);
}

function sushi() {
  alert(wan);
}

function shirts() {
  alert(hem);
}

function hats() {
  alert(tun);
}

function shoes() {
  alert(fan);
}

function nuts() {
  alert(jin);
}

function sandwich() {
  alert(zar);
}

function pants() {
  alert(lem);
}

function flag() {
  alert(fun);
}

function notit() {
  alert(lun);
}

function well() {
  alert(wem);
}
デベロッパーツールのConsoleで実行した後、funの内容を見てみる。
> fun; < 'texsawjAm{wh4t3vey4kh4t3ve}texsaw}jAmy4kh4t3vejAm1nG_texsawy4kh4t3ve{wh_ag}_4_fl4g{wh4t3vebezOsFlAG_bezOsFlAG_r_m4n_its_4_fl4gr_m4n_its_4_fl4g}{wh_ag}_4_fl4g{wh4t3vey4kh4t3ve}'
フラグではないっぽい。関数で表示させている変数の値を見ていく。
> wem < 'texsawjAm{wh4t3vey4kh4t3ve}texsaw}jAm' > lun < 'bezOsFlAG_bezOsFlAG_r_m4n_its_4_fl4gr_m4n_its_4_fl4g}{wh_ag}_4_fl4g{wh4t3vey4kh4t3ve}' > lem < 'texsaw{wh4t3ver_m4n_its_4_fl4g}'
texsaw{wh4t3ver_m4n_its_4_fl4g}
Swiftmaster (Web 50)
Download Clueをクリックしたら、unlock_4_key.jpgがダウンロードされた。EXIFを見てみる。
$ exiftool unlock_4_key.jpg ExifTool Version Number : 12.40 File Name : unlock_4_key.jpg Directory : . File Size : 849 KiB File Modification Date/Time : 2023:04:16 16:36:28+09:00 File Access Date/Time : 2023:04:16 16:41:38+09:00 File Inode Change Date/Time : 2023:04:16 16:36:28+09:00 File Permissions : -rwxrwxrwx File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.01 Exif Byte Order : Big-endian (Motorola, MM) X Resolution : 72 Y Resolution : 72 Resolution Unit : inches Y Cb Cr Positioning : Centered Copyright : secret_key_is:'v3rY_5eKr33t' Profile CMM Type : Linotronic Profile Version : 2.1.0 Profile Class : Display Device Profile Color Space Data : RGB Profile Connection Space : XYZ Profile Date Time : 1998:02:09 06:49:00 Profile File Signature : acsp Primary Platform : Microsoft Corporation CMM Flags : Not Embedded, Independent Device Manufacturer : Hewlett-Packard Device Model : sRGB Device Attributes : Reflective, Glossy, Positive, Color Rendering Intent : Perceptual Connection Space Illuminant : 0.9642 1 0.82491 Profile Creator : Hewlett-Packard Profile ID : 0 Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company Profile Description : sRGB IEC61966-2.1 Media White Point : 0.95045 1 1.08905 Media Black Point : 0 0 0 Red Matrix Column : 0.43607 0.22249 0.01392 Green Matrix Column : 0.38515 0.71687 0.09708 Blue Matrix Column : 0.14307 0.06061 0.7141 Device Mfg Desc : IEC http://www.iec.ch Device Model Desc : IEC 61966-2.1 Default RGB colour space - sRGB Viewing Cond Desc : Reference Viewing Condition in IEC61966-2.1 Viewing Cond Illuminant : 19.6445 20.3718 16.8089 Viewing Cond Surround : 3.92889 4.07439 3.36179 Viewing Cond Illuminant Type : D50 Luminance : 76.03647 80 87.12462 Measurement Observer : CIE 1931 Measurement Backing : 0 0 0 Measurement Geometry : Unknown Measurement Flare : 0.999% Measurement Illuminant : D65 Technology : Cathode Ray Tube Display Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b 
option to extract) Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract) Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract) Image Width : 3008 Image Height : 2000 Encoding Process : Progressive DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 3008x2000 Megapixels : 6.0
Copyrightに以下のように設定されていた。
secret_key_is:'v3rY_5eKr33t'
texsaw{v3rY_5eKr33t}
Mail (Web 100)
$ curl http://18.216.238.24:2020/flag <!doctype html> <html lang=en> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to the target URL: <a href="https://www.royalmail.com/">https://www.royalmail.com/</a>. If not, click the link.
他のメソッドを試す。
$ curl http://18.216.238.24:2020/flag -d "a=1" texsaw{GET_it?_They_were_POSTal_services_haha}
texsaw{GET_it?_They_were_POSTal_services_haha}
Git er' done (Web 200)
http://18.216.238.24:1002/.git/にアクセスすると、gitのディレクトリ階層が見れる。objectsディレクトリ直下にはファイルがないので、以下のパスにあるpackファイルをダウンロードする。
http://18.216.238.24:1002/.git/objects/pack/
$ git init newrepo hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: of your new repositories, which will suppress this warning, call: hint: hint: git config --global init.defaultBranch <name> hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: hint: hint: git branch -m <name> Initialized empty Git repository in /XXX/XXX/XXX/newrepo/.git/ $ cd newrepo/.git $ git unpack-objects < ../../pack-342a62f0e6b974f2d45d1b12275be32e67d071a9.pack Unpacking objects: 100% (9/9), 5.44 KiB | 67.00 KiB/s, done.
オブジェクトの数もそれほど多くないので、順にオブジェクトを見ていく。
$ python -c 'import zlib; print zlib.decompress(open("objects/2a/b46e2e8c147836855368455b56a602345a6ad0").read())' | xxd -g 1 00000000: 74 72 65 65 20 31 34 37 00 31 30 30 36 34 34 20 tree 147.100644 00000010: 66 6c 61 67 2e 74 78 74 00 f6 9f 88 16 46 2b 66 flag.txt.....F+f 00000020: 95 64 12 62 dd da f1 fc 99 df 3b c7 57 31 30 30 .d.b......;.W100 00000030: 36 34 34 20 69 6e 64 65 78 2e 68 74 6d 6c 00 8e 644 index.html.. 00000040: c5 cb 23 71 41 71 5c d0 02 7b 42 df 9f a4 19 fb ..#qAq\..{B..... 00000050: a8 c9 b1 31 30 30 36 34 34 20 6f 6e 65 6b 6f 2e ...100644 oneko. 00000060: 67 69 66 00 a0 09 c2 cc 19 c9 6b 00 1a c7 6e 96 gif.......k...n. 00000070: f2 7e 5f a1 a9 e5 65 77 31 30 30 36 34 34 20 6f .~_...ew100644 o 00000080: 6e 65 6b 6f 2e 6a 73 00 3c 84 6f f4 6a 8a 18 2d neko.js.<.o.j..- 00000090: 0e 66 de 45 78 e1 0c d9 e0 29 1d f6 0a .f.Ex....)... $ python -c 'import zlib; print zlib.decompress(open("objects/f6/9f8816462b6695641262dddaf1fc99df3bc757").read())' blob 32texsaw{0h_n0_my_g1t_15_3xp053d!}
texsaw{0h_n0_my_g1t_15_3xp053d!}
Lazy Admin (Forensics 50)
httpでフィルタリングする。No.58のPOSTで送信しているpasswordがフラグになっていた。
texsaw{w3@kpa$$worD}
Not Obvious (Forensics 50)
EXIFを見てみる。
$ exiftool Temoc.jpg ExifTool Version Number : 12.40 File Name : Temoc.jpg Directory : . File Size : 17 KiB File Modification Date/Time : 2023:04:16 10:49:13+09:00 File Access Date/Time : 2023:04:16 10:51:01+09:00 File Inode Change Date/Time : 2023:04:16 10:49:13+09:00 File Permissions : -rwxrwxrwx File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.01 Resolution Unit : None X Resolution : 1 Y Resolution : 1 XMP Toolkit : Image::ExifTool 12.57 Author : dGV4c2F3e1kwdUYwdW5kMXR9 Profile CMM Type : Little CMS Profile Version : 4.3.0 Profile Class : Display Device Profile Color Space Data : RGB Profile Connection Space : XYZ Profile Date Time : 0000:00:00 00:00:00 Profile File Signature : acsp Primary Platform : Apple Computer Inc. CMM Flags : Not Embedded, Independent Device Manufacturer : Device Model : Device Attributes : Reflective, Glossy, Positive, Color Rendering Intent : Perceptual Connection Space Illuminant : 0.9642 1 0.82491 Profile Creator : Little CMS Profile ID : 0 Profile Description : sRGB built-in Profile Copyright : No copyright, use freely Media White Point : 0.9642 1 0.82491 Chromatic Adaptation : 1.048 0.02299 -0.05014 0.02971 0.99034 -0.01706 -0.00923 0.01501 0.75226 Red Matrix Column : 0.43585 0.22238 0.01392 Blue Matrix Column : 0.14302 0.06059 0.71384 Green Matrix Column : 0.38533 0.71704 0.09714 Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract) Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract) Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract) Chromaticity Channels : 3 Chromaticity Colorant : Unknown (0) Chromaticity Channel 1 : 0.64 0.33 Chromaticity Channel 2 : 0.3 0.60001 Chromaticity Channel 3 : 0.14999 0.06 Comment : {N0tTh3flag} Image Width : 400 Image Height : 400 Encoding Process : Progressive DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 400x400 
Megapixels : 0.160
Authorにbase64文字列らしきものがあるので、デコードする。
$ echo dGV4c2F3e1kwdUYwdW5kMXR9 | base64 -d texsaw{Y0uF0und1t}
texsaw{Y0uF0und1t}
What is there to hide? (Cryptography 100)
$ nc 18.216.238.24 1013 Mission Background: Your mission is to decrypt this message to solve the challenge. Bob was able to steal the key, but still isn't able to decipher the text. Is the key encoded? Key: YXRES3JqUE9qZXVNSXR1Z1VFWWtZSFlKUVJT We know a one time pad cipher was used Ciphertext: Cx qlbc ceek hpkf lrw orbwp Decrypted message:
FreeのHintを見ると、暗号処理のコードが書かれている。
これから逆算し、復号する。
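#!/usr/bin/env python3
"""Solver for the "What is there to hide?" challenge service.

The service prints a base64-encoded key and a ciphertext, then waits for the
plaintext. Key and ciphertext differ on every connection, so the decryption
has to happen inside the same session that received them.
"""
import socket
from base64 import b64decode

HOST = '18.216.238.24'
PORT = 1013


def recvuntil(s, tail):
    """Read from socket ``s`` one byte at a time until ``tail`` has been seen.

    Returns everything received so far (including ``tail``) decoded as text.
    Raises ConnectionError if the peer closes the connection first; recv()
    then returns b'' forever, which would otherwise spin this loop endlessly.
    """
    data = b''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            raise ConnectionError('connection closed before %r was received' % tail)
        data += chunk
    return data.decode()


def decrypt_char(char, key):
    """Undo the per-character shift applied by the challenge's cipher.

    Letters are shifted back by the key character's code point, modulo 26,
    staying within their own case; every other character passes through
    unchanged. The key character is used as-is, without case normalisation:
    the keys the service hands out mix upper and lower case, and the sample
    session only decrypts correctly when they are taken literally.
    """
    c = ord(char)
    k = ord(key)
    if 65 <= c <= 90:      # 'A'..'Z'
        base = 65
    elif 97 <= c <= 122:   # 'a'..'z'
        base = 97
    else:
        return char
    # (c - base - (k - base)) % 26 reduces to (c - k) % 26 for either base.
    return chr((c - k) % 26 + base)


def main():
    """Connect, read key and ciphertext, answer with the plaintext, print the reply."""
    # The context manager closes the socket even when parsing or decryption fails.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((HOST, PORT))

        # Five banner lines are read and echoed; the third carries the key
        # and the fifth the ciphertext.
        banner = []
        for _ in range(5):
            line = recvuntil(s, b'\n').rstrip()
            print(line)
            banner.append(line)

        key = b64decode(banner[2].split(' ')[-1]).decode()
        ct = banner[4].split(': ')[1]

        # The key is consumed position by position, spaces included. Indexing
        # (rather than zip) keeps a too-short key a loud IndexError instead of
        # a silently truncated answer.
        pt = ''.join(decrypt_char(ct[i], key[i]) for i in range(len(ct)))

        prompt = recvuntil(s, b': ')
        print(prompt + pt)
        s.sendall(pt.encode() + b'\n')
        print(recvuntil(s, b'\n').rstrip())


if __name__ == '__main__':
    main()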
実行結果は以下の通り。
Mission Background: Your mission is to decrypt this message to solve the challenge. Bob was able to steal the key, but still isn't able to decipher the text. Is the key encoded? Key: RUN2cHlXVnVqcENCY05mWVJsQmVibUp1T0x5 We know a one time pad cipher was used Ciphertext: Aa bsii cpgz vawc olf zizqb Decrypted message: We must take over the world Congratulations! You have decrypted the message. Here's your flag: texsaw{gR8@t_j@B}
texsaw{gR8@t_j@B}
Crack the crime (Cryptography 100)
暗号問題が出題されるので、CyberChefを使いながら復号して回答していく。使われていた変換はbase64(暗号ではなくエンコード)、rot13、XOR(鍵は0x2a)だった。
$ nc 18.216.238.24 1012 Mission Background: You are given a set of encrypted messages that were intercepted from a cyber criminal. The challenge is to decrypt the messages and uncover the criminal's plans. Ciphertext: TWVldCBpbiBkdWJhaSBvbiBUdWVzZGF5 Decrypted message: Meet in dubai on Tuesday Ciphertext: Pncgher gur cevaprff Decrypted message: Capture the princess Ciphertext: kYA LEX XKDYEG Decrypted message: Ask for ransom Congratulations! You have decrypted all messages. Here's your flag: texsaw{0mg_y0u_got_1t}
texsaw{0mg_y0u_got_1t}
Ancient Methods (Cryptography 150)
換字式暗号のようなので、quipqiupで復号する。
neuroscientists have known since the th century that corresponding regions of the left and right hemispheres of the brain dont always perform the same functions imaging studies have more recently documented this lateralization in the context of chronic pain specifically in the amygdala where emotional processing also occursa team of researchers led by dr benedict kolber associate professor of neuroscience in the school of behavioral and brain sciences at the university of texas at dallas has demonstrated in mice that a single neuropeptide has opposite effects on chronic bladder pain when the molecule is active in matching regions of opposite hemispheres of the brain the research was published in the feb print issue of the journal biological psychiatrythis finding is particularly striking its flip sides of the same coin said kolber who is corresponding author of the study and is affiliated with the center for advanced pain studies at utd its bizarre it speaks to the flexibility of natural systems while in many cases theres redundancy there can also be specialization that evolveskolbers team conducted its study on a mouse model of bladder pain when the researchers introduced the protein calcitonin generelated peptide cgrp to the animals amygdalae they found that cgrp administered in the right side increased behavioral signs of bladder pain but when administered in the left side it decreased painlike behavior in the bladderthere are other examples in the amygdala of situations in which one side has a specialized receptor that increases pain and the other side doesnt do anything but none with counteractive effects like this kolber said cgrp is driving pain on the right side and reducing pain on the leftlead author dr heather allen a ut dallas visiting scholar and a postdoctoral associate at new york university said that lateralization is often ignored in pain researchhere we demonstrate that bladder pain visceral pain in a centrally located organ is processed 
differently on the left and right sides of the brain she said if we had focused on only one side of the amygdala we would have completely missed out on discovering these divergent functionskolbers area of expertise is urologic chronic pelvic pain syndrome an umbrella term for varieties of pain that affect an estimated million people in the us each year primarily middleaged womenits a huge area of clinical need and we dont know how to treat it he said so while this is a broader story about lateralization were also seeking specific answers the patient is the priority i want to understand this disease so it can be treated in humanstexsaw{youdidagreatjob}
文末にフラグが書いてあった。
texsaw{youdidagreatjob}