この大会は2023/12/9 2:30(JST)~2023/12/11 7:00(JST)に開催されました。
今回もチームで参戦。結果は650点で517チーム中75位でした。
自分で解けた問題をWriteupとして書いておきます。
inside-bear (misc)
$ binwalk look-inside DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV) 15968 0x3E60 Zip archive data, at least v2.0 to extract, compressed size: 177574, uncompressed size: 338732, name: inside/CAPTURED_TRANSMISSION.wav 193604 0x2F444 Zip archive data, at least v2.0 to extract, compressed size: 325736, uncompressed size: 327800, name: inside/static.ogg 519387 0x7ECDB Zip archive data, at least v2.0 to extract, compressed size: 791646, uncompressed size: 795282, name: inside/you-died.gif 1311288 0x140238 End of Zip archive, footer length: 22 $ foremost look-inside Processing: look-inside |foundat=inside/CAPTURED_TRANSMISSION.wav��{9+���n3&�p�����'ff�0M▒f΄m'vb���"��y��g��s�t5�Z*�TҺ�S�έ�7/V�=▒uo6|ܔ"V foundat=inside/static.ogg��uTT��8: J(�H��Н�t =C�Jw�4� ��C�tK#�tw#��|~��{k�X��w��{�9{����s����� ��uJ��)��D�Dqwp6�ry�@y������Y���0�]3Q���:4^����z��" $\��ђ]�ق���X�o/�57'� �PJ�DE��|��s�������s�u���].�0�/��7����ѣF�h�▒�����▒���ݢ�%"" *| $ ls output/zip 00000031.zip $ unzip output/zip/00000031.zip Archive: output/zip/00000031.zip inflating: inside/CAPTURED_TRANSMISSION.wav inflating: inside/static.ogg inflating: inside/you-died.gif
AudacityでCAPTURED_TRANSMISSION.wavを開き、スペクトログラムを見ると、以下の文字が見える。
cGluZ3tJX2Fsd2F5JF9jMG1lX2JAY2t9
$ echo cGluZ3tJX2Fsd2F5JF9jMG1lX2JAY2t9 | base64 -d ping{I_alway$_c0me_b@ck}
ping{I_alway$_c0me_b@ck}
wow (misc)
5回程度勝負を行い、その中で得たランダム値からseedのブルートフォースでseedを求める。あとは以降のランダム値がわかるので、負ける場合は1だけbet、勝つ場合は全額bet(ただし最大でも相手の持っている額)をかける。これで目標額を超えれば。フラグが表示される。
#!/usr/bin/env python3 import socket import random def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) def roll(n: int): return random.randint(1, n) def roll_number(n: int, user: str = "user"): if user == "user": user = "opponent" else: user = "user" if n == 1: return user else: number = roll(n) #print(f"{user} rolls {number}") return roll_number(number, user) TRY_COUNT = 5 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('wow.knping.pl', 20001)) data = recvuntil(s, b': ') print(data + 'y') s.sendall(b'y\n') rand_nums = [] for _ in range(TRY_COUNT): data = recvuntil(s, b'? ') print(data + '1') s.sendall(b'1\n') data = recvuntil(s, b'!\n').rstrip() print(data) nums = data.splitlines()[:-1] rand_num = [] for n in nums: rand_num.append(int(n.split(' ')[-1])) rand_nums.append(rand_num) for seed in range(10_000_001): random.seed(seed) error = False for i in range(TRY_COUNT): nums = rand_nums[i] n = 100 for num in nums: n = roll(n) if n != num: error = True break if error: break if not error: break while True: data = recvuntil(s, b'\n').rstrip() print(data) user_balance = int(data.split('=')[1]) data = recvuntil(s, b'\n').rstrip() print(data) opponent_balance = int(data.split('=')[1]) winner = roll_number(100) if winner == 'user': bet = user_balance if bet > opponent_balance: bet = opponent_balance user_balance += bet else: bet = 1 user_balance -= bet data = recvuntil(s, b'? ') print(data + str(bet)) s.sendall(str(bet).encode() +b'\n') data = recvuntil(s, b'!\n').rstrip() print(data) if user_balance > 10_000_000: break data = recvuntil(s, b'\n').rstrip() print(data)
実行結果は以下の通り。
welcome to the death roll! it is a game that is common in WoW game on chat to risk or double your gold! short example on how it works: ---------------------------------------------------------------- you have 50 gold you can bet 1-50 gold First roll is random number from 1 to 100 when you roll 47 then the opponent rolls from 1 to 47 when opponent roll 20 then you roll from 1 to 20 the person who gets to roll 1 loses the money Do you want to start? (y/n): y user_balance=50 opponent_balance=10000000 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 55 user rolls 42 opponent rolls 36 user rolls 22 opponent rolls 2 user rolls 2 opponent rolls 2 user rolls 2 opponent rolls 1 You won! user_balance=51 opponent_balance=9999999 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 18 user rolls 10 opponent rolls 2 user rolls 1 You lost! user_balance=50 opponent_balance=10000000 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 13 user rolls 3 opponent rolls 2 user rolls 2 opponent rolls 2 user rolls 2 opponent rolls 1 You won! user_balance=51 opponent_balance=9999999 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 4 user rolls 1 You lost! user_balance=50 opponent_balance=10000000 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 76 user rolls 69 opponent rolls 40 user rolls 5 opponent rolls 3 user rolls 3 opponent rolls 1 You won! user_balance=51 opponent_balance=9999999 ---------------------------------------------------------------- How much do you want to bet? 51 opponent rolls 47 user rolls 5 opponent rolls 1 You won! user_balance=102 opponent_balance=9999948 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 45 user rolls 10 opponent rolls 6 user rolls 6 opponent rolls 3 user rolls 1 You lost! user_balance=101 opponent_balance=9999949 ---------------------------------------------------------------- How much do you want to bet? 101 opponent rolls 46 user rolls 38 opponent rolls 3 user rolls 2 opponent rolls 1 You won! : : user_balance=3259960 opponent_balance=6740090 ---------------------------------------------------------------- How much do you want to bet? 3259960 opponent rolls 78 user rolls 8 opponent rolls 1 You won! user_balance=6519920 opponent_balance=3480130 ---------------------------------------------------------------- How much do you want to bet? 1 opponent rolls 52 user rolls 33 opponent rolls 9 user rolls 2 opponent rolls 2 user rolls 2 opponent rolls 2 user rolls 1 You lost! user_balance=6519919 opponent_balance=3480131 ---------------------------------------------------------------- How much do you want to bet? 3480131 opponent rolls 54 user rolls 9 opponent rolls 9 user rolls 6 opponent rolls 3 user rolls 3 opponent rolls 1 You won! FLAG='ping{l3ts_pl4y_s0m3_w0w_:)))}'
ping{l3ts_pl4y_s0m3_w0w_:)))}
noodle-nightmare (rev)
noodleNightmare.cppでincludeしているファイルの内容を連結する。
#!/usr/bin/env python3 with open('noodleNightmare.cpp', 'r') as f: lines = f.read().splitlines() code = '' for line in lines: if '"' in line: fname = line.replace('#include "', '').replace('"', '') with open(fname, 'r') as f: data = f.read() code += data else: code += line print(code)
実行結果は以下の通り。
#include<iostream> using namespace std ;int main() { string _ = "Code that overuses }{ GOTO statements ratherzx than_structured programminjg constructqs, resulting in convoluted and unmaintainable programs, is often called spaghetti code. Such code has a complex and tangled control structure, resulting in a program flow that is conceptually like a bowl of spaghetti, twisted and tangled."; cout << "People always say that my code is spaghetti, but I don't see it. Can you help me find the flag?" << endl ;string ____ ;cin >> ____ ;string __ = ""; for ( int ______ = 0 ;______ < 55 ;++______) { __ += "a"; } __[ 0 ] = _[ 63 ] ;__[ 1 ] = _[ 71 ] ;__[ 2 ] = _[ 34 ] ;__[ 3 ] = _[ 66 ] ;__[ 4 ] = _[ 20 ] ;__[ 5 ] = _[ 71 ] ;__[ 6 ] = _[ 5 ] ;__[ 7 ] = _[ 51 ] ;__[ 8 ] = _[ 71 ] ;__[ 9 ] = _[ 15 ] ;__[ 10 ] = _[ 51 ] ;__[ 11 ] = _[ 128 ] ;__[ 12 ] = _[ 7 ] ;__[ 13 ] = _[ 2 ] ;__[ 14 ] = _[ 51 ] ;__[ 15 ] = _[ 255 ] ;__[ 16 ] = _[ 6 ] ;__[ 17 ] = _[ 3 ] ;__[ 18 ] = _[ 34 ] ;__[ 19 ] = _[ 51 ] ;__[ 20 ] = _[ 56 ] ;__[ 21 ] = _[ 1 ] ;__[ 22 ] = _[ 2 ] ;__[ 23 ] = _[ 3 ] ;__[ 24 ] = _[ 51 ] ;__[ 25 ] = _[ 71 ] ;__[ 26 ] = _[ 15 ] ;__[ 27 ] = _[ 51 ] ;__[ 28 ] = _[ 3 ] ;__[ 29 ] = _[ 7 ] ;__[ 30 ] = _[ 15 ] ;__[ 31 ] = _[ 71 ] ;__[ 32 ] = _[ 3 ] ;__[ 33 ] = _[ 13 ] ;__[ 34 ] = _[ 51 ] ;__[ 35 ] = _[ 5 ] ;__[ 36 ] = _[ 1 ] ;__[ 37 ] = _[ 51 ] ;__[ 38 ] = _[ 13 ] ;__[ 39 ] = _[ 3 ] ;__[ 40 ] = _[ 7 ] ;__[ 41 ] = _[ 2 ] ;__[ 42 ] = _[ 51 ] ;__[ 43 ] = _[ 71 ] ;__[ 44 ] = _[ 34 ] ;__[ 45 ] = _[ 51 ] ;__[ 46 ] = _[ 7 ] ;__[ 47 ] = _[ 15 ] ;__[ 48 ] = _[ 15 ] ;__[ 49 ] = _[ 3 ] ;__[ 50 ] = _[ 32 ] ;__[ 51 ] = _[ 128 ] ;__[ 52 ] = _[ 93 ] ;__[ 53 ] = _[ 276 ] ;__[ 54 ] = _[ 19 ] ;if ( ____ == __ ) { cout << "Congratulations, you have untangled this spaghetti!" << endl ;} else { cout << "Not this time!" << endl ;} }
整形する。
#include<iostream> using namespace std ; int main() { string _ = "Code that overuses }{ GOTO statements ratherzx than_structured programminjg constructqs, resulting in convoluted and unmaintainable programs, is often called spaghetti code. Such code has a complex and tangled control structure, resulting in a program flow that is conceptually like a bowl of spaghetti, twisted and tangled."; cout << "People always say that my code is spaghetti, but I don't see it. Can you help me find the flag?" << endl ; string ____ ;cin >> ____ ;string __ = ""; for ( int ______ = 0 ;______ < 55 ;++______) { __ += "a"; } __[ 0 ] = _[ 63 ] ; __[ 1 ] = _[ 71 ] ; __[ 2 ] = _[ 34 ] ; __[ 3 ] = _[ 66 ] ; __[ 4 ] = _[ 20 ] ; __[ 5 ] = _[ 71 ] ; __[ 6 ] = _[ 5 ] ; __[ 7 ] = _[ 51 ] ; __[ 8 ] = _[ 71 ] ; __[ 9 ] = _[ 15 ] ; __[ 10 ] = _[ 51 ] ; __[ 11 ] = _[ 128 ] ; __[ 12 ] = _[ 7 ] ; __[ 13 ] = _[ 2 ] ; __[ 14 ] = _[ 51 ] ; __[ 15 ] = _[ 255 ] ; __[ 16 ] = _[ 6 ] ; __[ 17 ] = _[ 3 ] ; __[ 18 ] = _[ 34 ] ; __[ 19 ] = _[ 51 ] ; __[ 20 ] = _[ 56 ] ; __[ 21 ] = _[ 1 ] ; __[ 22 ] = _[ 2 ] ; __[ 23 ] = _[ 3 ] ; __[ 24 ] = _[ 51 ] ; __[ 25 ] = _[ 71 ] ; __[ 26 ] = _[ 15 ] ; __[ 27 ] = _[ 51 ] ; __[ 28 ] = _[ 3 ] ; __[ 29 ] = _[ 7 ] ; __[ 30 ] = _[ 15 ] ; __[ 31 ] = _[ 71 ] ; __[ 32 ] = _[ 3 ] ; __[ 33 ] = _[ 13 ] ; __[ 34 ] = _[ 51 ] ; __[ 35 ] = _[ 5 ] ; __[ 36 ] = _[ 1 ] ; __[ 37 ] = _[ 51 ] ; __[ 38 ] = _[ 13 ] ; __[ 39 ] = _[ 3 ] ; __[ 40 ] = _[ 7 ] ; __[ 41 ] = _[ 2 ] ; __[ 42 ] = _[ 51 ] ; __[ 43 ] = _[ 71 ] ; __[ 44 ] = _[ 34 ] ; __[ 45 ] = _[ 51 ] ; __[ 46 ] = _[ 7 ] ; __[ 47 ] = _[ 15 ] ; __[ 48 ] = _[ 15 ] ; __[ 49 ] = _[ 3 ] ; __[ 50 ] = _[ 32 ] ; __[ 51 ] = _[ 128 ] ; __[ 52 ] = _[ 93 ] ; __[ 53 ] = _[ 276 ] ; __[ 54 ] = _[ 19 ] ; if ( ____ == __ ) { cout << "Congratulations, you have untangled this spaghetti!" << endl ; } else { cout << "Not this time!" << endl ; } }
string _の文字列から、順に指定されているインデックスの文字を取り出す。
#!/usr/bin/env python3 s = "Code that overuses }{ GOTO statements ratherzx than_structured programminjg constructqs, resulting in convoluted and unmaintainable programs, is often called spaghetti code. Such code has a complex and tangled control structure, resulting in a program flow that is conceptually like a bowl of spaghetti, twisted and tangled." indexes = [63, 71, 34, 66, 20, 71, 5, 51, 71, 15, 51, 128, 7, 2, 51, 255, 6, 3, 34, 51, 56, 1, 2, 3, 51, 71, 15, 51, 3, 7, 15, 71, 3, 13, 51, 5, 1, 51, 13, 3, 7, 2, 51, 71, 34, 51, 7, 15, 15, 3, 32, 128, 93, 276, 19] flag = '' for index in indexes: flag += s[index] print(flag)
ping{it_is_bad_when_code_is_easier_to_read_in_assembly}
ziggarettes (rev)
Ghidraでデコンパイルする。
void FUN_0020215e(void) { char cVar1; long lVar2; undefined8 uVar3; short sVar4; int **ppiVar5; int **ppiVar6; long lVar7; ulong uVar8; int *piVar9; int *piVar10; undefined8 *extraout_RDX; undefined8 *puVar11; undefined8 uVar12; undefined *puVar13; long lVar14; int *piVar15; char *pcVar16; int *piVar17; int *piVar18; ulong *puVar19; bool bVar20; undefined4 local_78 [2]; undefined4 local_70 [2]; long *local_68; int **local_60; undefined8 local_58; ulong uStack_50; lVar2 = *DAT_00204000; local_60 = (int **)(DAT_00204000 + lVar2 + 2); local_68 = DAT_00204000 + 1; lVar14 = -1; _DAT_00204008 = local_60; do { ppiVar6 = _DAT_00204008; lVar14 = lVar14 + 1; _DAT_00204008 = ppiVar6 + 1; } while (*ppiVar6 != (int *)0x0); piVar18 = (int *)0x0; piVar17 = (int *)0x0; do { while( true ) { while( true ) { ppiVar5 = ppiVar6 + 2; piVar9 = ppiVar6[1]; ppiVar6 = ppiVar5; if (piVar9 != (int *)0x3) break; piVar18 = *ppiVar5; } if (piVar9 != (int *)0x5) break; piVar17 = *ppiVar5; } } while (piVar9 != (int *)0x0); lVar7 = 0; piVar9 = (int *)0x0; piVar10 = piVar17; piVar15 = piVar18; while (bVar20 = piVar10 != (int *)0x0, piVar10 = (int *)((long)piVar10 + -1), bVar20) { if (*piVar15 == 6) { lVar7 = (long)piVar18 - *(long *)(piVar15 + 4); } else if (*piVar15 == 7) { piVar9 = piVar15; } piVar15 = piVar15 + 0xe; } if (piVar9 == (int *)0x0) { DAT_00204048 = 8; DAT_00204030 = -0x5555555555555556; lVar7 = -1; DAT_00204038 = 0; } else { DAT_00204030 = lVar7 + *(long *)(piVar9 + 4); DAT_00204048 = *(ulong *)(piVar9 + 0xc); DAT_00204038 = *(undefined8 *)(piVar9 + 8); lVar7 = *(long *)(piVar9 + 10) + -1; } DAT_00204050 = -DAT_00204048 & lVar7 + DAT_00204048; DAT_00204058 = DAT_00204050 + 0x17 & 0xfffffffffffffff8; DAT_00204040 = DAT_00204058 + 0x10; if ((0x1000 < DAT_00204048) || (puVar13 = &DAT_00205000, 0x20f0 < DAT_00204058)) { syscall(); puVar13 = (undefined *)(-DAT_00204048 & DAT_00204048 + 8); } FUN_00202f7b(puVar13,0,DAT_00204040); uVar8 = DAT_00204058; *(undefined8 *)(puVar13 + DAT_00204058) = 1; *(undefined **)(puVar13 + uVar8 + 8) = puVar13; *(undefined **)(puVar13 + DAT_00204050) = puVar13 + DAT_00204050; FUN_00202f5b(puVar13,DAT_00204030,DAT_00204038); syscall(); puVar19 = (ulong *)(piVar18 + 10); while (bVar20 = piVar17 != (int *)0x0, piVar17 = (int *)((long)piVar17 + -1), puVar11 = extraout_RDX, bVar20) { if (*(int *)(puVar19 + -5) == 0x6474e551) { puVar11 = (undefined8 *)0x0; syscall(); uVar8 = *puVar19; if (uStack_50 <= *puVar19) { uVar8 = uStack_50; } if (local_58 < uVar8) { puVar11 = &local_58; syscall(); local_58 = uVar8; } break; } puVar19 = puVar19 + 7; } _DAT_00204010 = local_68; _DAT_00204020 = local_60; _DAT_00204018 = lVar2; _DAT_00204028 = lVar14; sVar4 = FUN_0020269a(0xd,&PTR_FUN_002003f0,puVar11); if (sVar4 != 0) { local_58 = *(ulong *)(&DAT_002006c8 + (long)sVar4 * 0x10); uStack_50 = *(ulong *)(&DAT_002006d0 + (long)sVar4 * 0x10); FUN_00202cc2(); } local_78[0] = 1; sVar4 = FUN_00202714(local_78,"Do you know the flag?\n",0x16); if (sVar4 != 0) goto LAB_002025e0; syscall(); uVar8 = 0; do { if (uVar8 == 0x23) goto LAB_00202664; if (uVar8 < 0x23) { cVar1 = *(char *)((long)&local_58 + uVar8); switch(uVar8) { case 0: case 0x20: if (cVar1 != 'p') goto LAB_00202677; break; case 1: if (cVar1 != 'i') { LAB_00202677: uVar12 = 7; pcVar16 = "Wrong!\n"; do { local_78[0] = 1; sVar4 = FUN_00202714(local_78,pcVar16,uVar12); if (sVar4 != 0) { LAB_002025e0: uVar12 = *(undefined8 *)(&DAT_002006c8 + (long)sVar4 * 0x10); uVar3 = *(undefined8 *)(&DAT_002006d0 + (long)sVar4 * 0x10); local_70[0] = 2; FUN_0020284a(&DAT_00207104); local_78[0] = 2; sVar4 = FUN_00202714(local_78,"error: {s}\n",7); if ((sVar4 == 0) && (sVar4 = FUN_0020291a(uVar12,uVar3,&DAT_002006a0,local_70), sVar4 == 0)) { local_58 = CONCAT44(local_58._4_4_,2); FUN_00202714(&local_58,"\n",1); } FUN_00202888(&DAT_00207104); } syscall(); LAB_00202664: uVar12 = 9; pcVar16 = "Correct!\n"; } while( true ); } break; case 2: if (cVar1 != 'n') goto LAB_00202677; break; case 3: if (cVar1 != 'g') goto LAB_00202677; break; case 4: if (cVar1 != '{') goto LAB_00202677; break; case 5: if (cVar1 != 'z') goto LAB_00202677; break; case 6: case 9: if (cVar1 != '1') goto LAB_00202677; break; case 7: if (cVar1 != 'G') goto LAB_00202677; break; default: if (cVar1 != '_') goto LAB_00202677; break; case 10: if (cVar1 != 'S') goto LAB_00202677; break; case 0xc: if (cVar1 != 'v') goto LAB_00202677; break; case 0xd: case 0x17: if (cVar1 != '3') goto LAB_00202677; break; case 0xe: if (cVar1 != 'R') goto LAB_00202677; break; case 0xf: if (cVar1 != 'Y') goto LAB_00202677; break; case 0x11: if (cVar1 != 'C') goto LAB_00202677; break; case 0x12: if (cVar1 != '0') goto LAB_00202677; break; case 0x13: case 0x1e: if (cVar1 != 'O') goto LAB_00202677; break; case 0x14: case 0x21: if (cVar1 != 'l') goto LAB_00202677; break; case 0x16: case 0x1f: if (cVar1 != '2') goto LAB_00202677; break; case 0x18: if (cVar1 != '4') goto LAB_00202677; break; case 0x19: if (cVar1 != 'm') goto LAB_00202677; break; case 0x1a: case 0x1c: if (cVar1 != 'K') goto LAB_00202677; break; case 0x1b: case 0x1d: if (cVar1 != 'I') goto LAB_00202677; break; case 0x22: if (cVar1 != '}') goto LAB_00202677; } } uVar8 = uVar8 + 1; } while( true ); }
各インデックスで文字と比較しているので、該当するインデックスに文字を並べていく。
1111111111111111222 0123456789abcdef0123456789abcdef012 ping{z1G_1S_v3RY_C0Ol_234mKIKIO2pl}
ping{z1G_1S_v3RY_C0Ol_234mKIKIO2pl}
internet-explorer (web)
問題文にLinux上でIEを動作できるかという旨の内容が書かれているので、UserAgentに該当するものを指定してアクセスしてみる。
$ curl -A "Mozilla/5.0 (compatible; MSIE 10.0; Linux)" https://internet-explorer.knping.pl/ Flag = <b>ping{ping{the_best_browser_ever_made111}}</b>
ping{ping{the_best_browser_ever_made111}}
youtube-trailer (web)
指定のYouTubeのページのHTMLソースを検索すると、キーワードとしてフラグが設定されていた。
<meta name="keywords" content="ping, ctf, ping{hello_welcome_to_ping_ctf}">
ping{hello_welcome_to_ping_ctf}
path-traversal-101 (web)
UserAgentがrobotである必要がある。初めに、以下のURLにアクセスすると、セッションが作成され、クッキーのtokenにセッションIDが設定される。
https://path-traversal-101.knping.pl/%F0%9F%A4%96
$ curl -A 'robot' https://path-traversal-101.knping.pl/%F0%9F%A4%96 -c cookie.txt <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Path traversal 101</title> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css" /> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.3.0/css/font-awesome.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/styles/default.min.css" /> <script src="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/highlight.min.js"></script> </head> <body> <section class="hero"> <div class="hero-body"> <p class="title"> 01001000 01100101 01101100 01101100 01101111 00100000 01100100 01100101 01100001 01110010 00100000 01110010 01101111 01100010 01101111 00101101 01100110 01110010 01101001 01100101 01101110 01100100 00100001 00100000 01001000 01100101 01110010 01100101 00100000 01101001 01110011 00100000 01110100 01101000 01100101 00100000 01100110 01101001 01110010 01110011 01110100 00100000 01110100 01100001 01110011 01101011 00100000 01100110 01101111 01110010 00100000 01111001 01101111 01110101 00100000 00111010 00101001 </p> <p class="subtitle"></p> <pre><code class="language-javascript">if (!solution.startsWith("/robot") || solution.endsWith("/flag")) { throw new Error( "You cannot access the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖" ); } const solutionPath = path.join("/", solution); return solutionPath === "/flag";</code></pre> <form class="form" action="/🤖" method="POST"> <div class="field"> <label class="label">Can you get the /flag?</label> <div class="control"> <input class="input" name="solution" type="text" placeholder="/flag" /> </div> <br /> <div class="control"> <input type="submit" class="button is-primary" value="Submit" /> </div> </div> </form> <p>11110000 10011111 10100100 10010110</p> </div> </section> </body> <script> hljs.highlightAll(); </script> </html>
task1は以下の条件を満たして、/flagを取得できる必要がある。
・/robotで始まり、/flagで終わらない。
例えば、以下のパスで取得できる。
/robot/../flag/a/..
$ curl -A 'robot' https://path-traversal-101.knping.pl/%F0%9F%A4%96 -b cookie.txt -d "solution=/robot/../flag/a/.." <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Path traversal 101</title> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css" /> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.3.0/css/font-awesome.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/styles/default.min.css" /> <script src="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/highlight.min.js"></script> </head> <body> <section class="hero"> <div class="hero-body"> <p class="title"> 01001000 01100101 01101100 01101100 01101111 00100000 01100100 01100101 01100001 01110010 00100000 01110010 01101111 01100010 01101111 00101101 01100110 01110010 01101001 01100101 01101110 01100100 00100001 00100000 01001000 01100101 01110010 01100101 00100000 01101001 01110011 00100000 01110100 01101000 01100101 00100000 01100110 01101001 01110010 01110011 01110100 00100000 01110100 01100001 01110011 01101011 00100000 01100110 01101111 01110010 00100000 01111001 01101111 01110101 00100000 00111010 00101001 </p> <p class="subtitle"></p> <pre><code class="language-javascript">solution = solution.replaceAll("../", ""); if (solution === "/flag") { throw new Error( "You cannot ACCESS the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖" ); } const solutionPath = path.join("/", solution); return solutionPath === "/flag";</code></pre> <form class="form" action="/🤖" method="POST"> <div class="field"> <label class="label">Can you get the /flag?</label> <div class="control"> <input class="input" name="solution" type="text" placeholder="/flag" /> </div> <br /> <div class="control"> <input type="submit" class="button is-primary" value="Submit" /> </div> </div> </form> <p>11110000 10011111 10100100 10010110</p> </div> </section> </body> <script> hljs.highlightAll(); </script> </html>
task2は以下の条件を満たして、/flagを取得できる必要がある。
・"../"は削除される。 ・削除された後に"/flag"以外になる必要がある。
例えば、以下のパスで取得できる。
/a/....//flag
$ curl -A 'robot' https://path-traversal-101.knping.pl/%F0%9F%A4%96 -b cookie.txt -d "solution=/a/....//flag" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Path traversal 101</title> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css" /> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.3.0/css/font-awesome.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/styles/default.min.css" /> <script src="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/highlight.min.js"></script> </head> <body> <section class="hero"> <div class="hero-body"> <p class="title"> 01001000 01100101 01101100 01101100 01101111 00100000 01100100 01100101 01100001 01110010 00100000 01110010 01101111 01100010 01101111 00101101 01100110 01110010 01101001 01100101 01101110 01100100 00100001 00100000 01001000 01100101 01110010 01100101 00100000 01101001 01110011 00100000 01110100 01101000 01100101 00100000 01100110 01101001 01110010 01110011 01110100 00100000 01110100 01100001 01110011 01101011 00100000 01100110 01101111 01110010 00100000 01111001 01101111 01110101 00100000 00111010 00101001 </p> <p class="subtitle"></p> <pre><code class="language-javascript">if (solution.includes("../") || solution === "/flag") { throw new Error( "You CANNOT ACCESS the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖" ); } const solutionPath = path.join("/", solution); return solutionPath === "/flag";</code></pre> <form class="form" action="/🤖" method="POST"> <div class="field"> <label class="label">Can you get the /flag?</label> <div class="control"> <input class="input" name="solution" type="text" placeholder="/flag" /> </div> <br /> <div class="control"> <input type="submit" class="button is-primary" value="Submit" /> </div> </div> </form> <p>11110000 10011111 10100100 10010110</p> </div> </section> </body> <script> hljs.highlightAll(); </script> </html>
task3は以下の条件を満たして、/flagを取得できる必要がある。
・"../"が含まれてはいけない。 ・"/flag"であってはいけない。
例えば、以下のパスで取得できる。
//flag
$ curl -A 'robot' https://path-traversal-101.knping.pl/%F0%9F%A4%96 -b cookie.txt -d "solution=//flag" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Path traversal 101</title> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css" /> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.3.0/css/font-awesome.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/styles/default.min.css" /> <script src="https://unpkg.com/@highlightjs/cdn-assets@11.9.0/highlight.min.js"></script> </head> <body> <section class="hero"> <div class="hero-body"> <p class="title"> 01001000 01100101 01101100 01101100 01101111 00100000 01100100 01100101 01100001 01110010 00100000 01110010 01101111 01100010 01101111 00101101 01100110 01110010 01101001 01100101 01101110 01100100 00100001 00100000 01001000 01100101 01110010 01100101 00100000 01101001 01110011 00100000 01110100 01101000 01100101 00100000 01100110 01101001 01110010 01110011 01110100 00100000 01110100 01100001 01110011 01101011 00100000 01100110 01101111 01110010 00100000 01111001 01101111 01110101 00100000 00111010 00101001 </p> <p class="subtitle"></p> <pre><code class="language-javascript">ping{p4th_tr4V3Rs4L_06c22f693acd46015891c98cb72f45e3}</code></pre>★ <form class="form" action="/🤖" method="POST"> <div class="field"> <label class="label">Can you get the /flag?</label> <div class="control"> <input class="input" name="solution" type="text" placeholder="/flag" /> </div> <br /> <div class="control"> <input type="submit" class="button is-primary" value="Submit" /> </div> </div> </form> <p>11110000 10011111 10100100 10010110</p> </div> </section> </body> <script> hljs.highlightAll(); </script> </html>
ping{p4th_tr4V3Rs4L_06c22f693acd46015891c98cb72f45e3}
ancient-genius (crypto)
13世紀後半の数学者で、この墓に描かれている図形から、該当する数学者はフィボナッチと推測できる。とりあえず、墓石に刻まれている数値を書き出す。
114059301025943970552219 3928413764606871165730 43566776258854844738105 1500520536206896083277 22698374052006863956975682 781774079430987230203437 573147844013817084101 483162952612010163284885 781774079430987230203437 70492524767089125814114 3311648143516982017180081 83621143489848422977 31940434634990099905 927372692193078999176 16641027750620563662096 83621143489848422977 1500520536206896083277 83621143489848422977 59425114757512643212875125
フィボナッチ数列の何番目かにあるかで、ASCIIコードとしてデコードする。
#!/usr/bin/env python3 seq = [0, 1] for i in range(2, 128): v = seq[i - 2] + seq[i - 1] seq.append(v) enc = [114059301025943970552219, 3928413764606871165730, 43566776258854844738105, 1500520536206896083277, 22698374052006863956975682, 781774079430987230203437, 573147844013817084101, 483162952612010163284885, 781774079430987230203437, 70492524767089125814114, 3311648143516982017180081, 83621143489848422977, 31940434634990099905, 927372692193078999176, 16641027750620563662096, 83621143489848422977, 1500520536206896083277, 83621143489848422977, 59425114757512643212875125] flag = '' for c in enc: flag += chr(seq.index(c)) print(flag)
ping{testowa_flaga}
private-conversation (crypto)
小文字を"0"、大文字を"1"としてデコードする。
#!/usr/bin/env python3 ct = 'xdXdxdXDxDXdXdxDxDXdXDXdxDXdxdXDxDXdXDxdxDXDxDxDxDXdxDxdxDXdxDxDxdXdxdxdxdXDXDxdxDXDxdXDxDXDxDxdxDXdxDxdxDXdXdxDxDXdXDXDxdXdXDXdxDXdXdxdxdXDXDXdxdxdXdXdxDXdXdxDxDXdXDXdxDXDxDxdxdXdxdxdxDXdXDxDxDXdxdxDxDXdXdxDxDXdXDXdxdXdXdxdxdXdXdxDxdXdxdxdxDXDXdXDxdXdxdxdxDXdXdxDxDXdXDXdxDXDxDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDXdxDxdXDXdxdxdXDxdXDxDXdxdxDxDXdxDxdxDXdxDxdxdXDxdxdxDXdxDxDxDXdxDxdxdXDXdxDxdXDXdxdxDXdxdXdxdXDxDxDxdXDxDxDxdXDxDXdxDXdxDxdxdXDXdxdxdXDxDxDxDXdxDxDxDXdxDXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxdxDxdXDXdxdxdXDxdXDxDXdxdXdxdXDxdXdxdXDxdXdxdXDXdxDxDXdxDxdxDXdxdXDxDxDXdXDxDxDXDxDxdXdxdxdxdXDXDxDxdXdxdxdxDXDXdXDxdXdxdxdxdXDxdxDxdXDxdxDxdXDxdXdxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxdxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxdxdxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxdxdXDxdXDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdXdxdXDxdXDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDXdxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxdxdXDxDxdxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdXdxdXDxdxDxdXdXDxdxdXdxdxdxdXDXdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxdxDxdXdXDxdxdXdxdxdxdXDXdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxdxdXDxdxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxDxdxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxdxdXDxDxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxdxDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxDXDxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDXdxDxdXDxDxDxdXdXDxdxdXdxdxdxdXDXdxdxdXDXdxdxdXdXDxdxdXdxdxdxdXDxDXdxdXDXdxdxdXdXDxdxdXdxdxdxdXDxdxDxdXDxdXdxdXDxDxDxdXdxdxdxDXDXDxDxdXDXdXDxdXdxdxdxDXdxdXDxDXdXDXDxDXdXDXdxDXDxdXDxDXDxDxdxdXdxdxdxDXdXdxDxDXdXDXdxDXDxDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxdXdxdxdxdXDXDxDxdXdxdxdxDXDxdXDxDXdXdxDxDXDXdXdxDXdxDxDxDXdXDXDxDXdxDXdxdXdXdxdxdXdXdxdxDXdXDXDxDxDXDXDxdXDXdxDxdXDXdxdxdXDxdXDxDXdxdxDxDXdxDxdxDXdxDxdxdXDxdxdxDXdxDxDxDXdxDxdxdXDXdxDxdXDXdxdxDXdxdXdxdXDxDxDxdXDxDxDxdXDxDXdxDXdxDxdxdXDXdxdxdXDxDxDxDXdxDxDxDXdxDXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxdxDxdXDXdxdxdXDxdXDxDXdxdXdxdXDxdXdxdXDxdXdxdXDXdxDxDXdxDxdxDXdxdXDxdXdXdxDxdXdXdxDxdXdxdxdxdXdXDXDxdXdxdxdxDXDxdXDxDXdXdxDxDXDXdXdxDXdxDxDxDXdXDXDxDXdxDXdxdXdXdxdxdXdXdxdxDXdXDXDxDxDXDXDxdXDXdxDxdXDXdxdxdXDxdXDxDXdxdxDxDXdxDxdxDXdxDxdxdXDxdxdxDXdxDxDxDXdxDxdxdXDXdxDxdXDXdxdxDXdxdXdxdXDxDxDxdXDxDxDxdXDxDXdxDXdxDxdxdXDXdxdxdXDxDxDxDXdxDxDxDXdxDXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxdxDxdXDXdxdxdXDxdXDxDXdxdXdxdXDxdXdxdXDxdXdxdXDXdxDxDXdxDxdxDXdxdXDxDxDXdXDxdXdXdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdXdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDXdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXDxDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxDxdxdxDxdXDxdxdxdXDxdxdxdXdXdxDxDxDXDxDxdXdXdxDxdXdXdxDxdXDXdXDxdXdxdxdxDXdxdXDxDXdXdxdxDXdxdxDxDXDxdXdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxDXDxdXDxDXdxdXDxDxdxdXDxDxDxDXdxDXdxdXDXdxDxDXdxDxDxdXDxDxdxDXdxdxDxdXDXdxdxdXDxDxdxDXdxdxDxdXDxDXDxDXdxDxDxdXDXdxDxDXdxDXdxdXDxdxdxdXDxDXDxdXDxDxdxdXDXdxdxDXdxdXDxdXDxDXdxdXDxdxdxdXDxdxdxdXDxdxdxDXdxdxDxdXDxdxdxdXDxDxdxdXDxdxDxdXDXdxDxdXDXdxdxdXDxdxdxDxDXdXDxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxDxDXDxDxdXDXdXDxdXdxdxdxDXdxDXdxDXdXDXDxDXDxdXdxdXdxdxdxdXdXdxdxDXdXdxDxDXdXDXdxDXDxDxdxdXdxdxdxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxdXdxdxdxdXDXDxDxdXdxdxdxdXdXdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdXdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDXdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXDxDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxDxdxdxDxdXDxdxdxdXDxdxdxdXdXdxDxdXDXdXDxdXdxdxdxdXdXdxdxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxdXdxdxdxdXDXDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxdXdXdxDxdXdxdxdxdXdxDXdxdXdxdxdxdXdxdxDxdXdxdxDxdXdXdxdxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxdXdxdxdxdXDXDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxdXdXdxDxdXDXdXDxdXdxdxdxdXdXdXDxdXdXdXDxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxdXdXdxDxdXdxdxdxDXDXdXDxdXdxdxdxDXdXDXDxDxDXDXDxdXDxDXDxdXDxDXdxdXDxDxdxdXDxDxDxDXdxDXdxdXDXdxDxDXdxDxDxdXDxDxdxDXdxdxDxdXDXdxdxdXDxDxdxDXdxdxDxdXDxDXDxDXdxDxDxdXDXdxDxDXdxDXdxdXDxdxdxdXDxDXDxdXDxDxdxdXDXdxdxDXdxdXDxdXDxDXdxdXDxdxdxdXDxdxdxdXDxdxdxDXdxdxDxdXDxdxdxdXDxDxdxdXDxdxDxdXDXdxDxdXDXdxdxdXDxdxdxDxDXdXDxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxDxDXDxDxdXdxdxdxdXDXDxDxdXdxdxdxdXdXdxdxDXdxdXDxDXdXdxdxDXdxdxDxDXDxdXdxdXdXdxDxdXdXdxdxDXdXDXDxDxDXDXDxdXDXdxDxdXDXdxdxdXDxdXDxDXdxdxDxDXdxDxdxDXdxDxdxdXDxdxdxDXdxDxDxDXdxDxdxdXDXdxDxdXDXdxdxDXdxdXdxdXDxDxDxdXDxDxDxdXDxDXdxDXdxDxdxdXDXdxdxdXDxDxDxDXdxDxDxDXdxDXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxdxDxdXDXdxdxdXDxdXDxDXdxdXdxdXDxdXdxdXDxdXdxdXDXdxDxDXdxDxdxDXdxdXDxDxDXdXDxDXdXDXDxDxDXDXDxDXdxDXdxdXDXdxdxDXdxdXDxDXdxDxdxdXDxDxdxdXDXdxDxdXDxdXDxDXdxdxDxdXDXdxdxdXDXdxDxDXdxDXdxdXDXdxDxdXDxDxdxDXdxdxDxdXDXdxdxDXdxdXdxdXDxdxDxDXdxDxDxdXDxdXdxDXdxDxDxdXDxdXdxdXDxdxDxdXDxdxDxdXDXdxdxdXDxDxdxdXDxdXdxDXdxdXdxdXDxDxdxDXdxdXDxdXDXdxdxDXdxDxDxDXdxdXDxDxDXDxDxdXdXdxDxdXDXdXDxdXdxdxdxDXDXDxDxdXDXdXDxdXdxdxdxDXdxDXdxDXdXDXDxDXDxdXdxdXdxdxdxdXdXdxdxDXdXdxDxDXdXDXdxDXDxDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxDxDxdXDxDxdxdXDxdXDxdXDxdxDxdXDxDxdxDXdxDxDxdXDxdxdxdXDxdXdxdXDxDXdxdXDxdxdxdXDxDXDxDXdxDxdxdXDxdXdxDXdxdXdxDXdxdXDxDXdxdxDxdXDxDXDxDXdxDXdxdXDxdXdxDXdxdxDxDXdxDxdxDXdxDXdxdXDxDXdxdXDxDxdxdXDxDxdxDXdxDxDxDXdxdxDxDXdxDxDxdXDxDxDxdXDxDxdxDXdxdXDxDXdxDXdxdXdxdxdxdXDXDxDxdXdxdxdxdXdXdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdXdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDXdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXDxDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxDxdxdxDxdXDxdxdxdXDxdxdxdXdXdxDxdXDXdXDxdXdxdxdxdXdXdxdxDXdXDXDxDxDXDXDxdXDxDxDxdXDxDxdxdXDxdXDxdXDxdxDxdXDxDxdxDXdxDxDxdXDxdxdxdXDxdXdxdXDxDXdxdXDxdxdxdXDxDXDxDXdxDxdxdXDxdXdxDXdxdXdxDXdxdXDxDXdxdxDxdXDxDXDxDXdxDXdxdXDxdXdxDXdxdxDxDXdxDxdxDXdxDXdxdXDxDXdxdXDxDxdxdXDxDxdxDXdxDxDxDXdxdxDxDXdxDxDxdXDxDxDxdXDxDxdxDXdxdXDxDXdxDXdxdXdxdxdxdXDXDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxdXdXdxDxdXdxdxdxdXdxDXdxdXdxdxdxdXdxdxDxdXdxdxDxdXdXdxdxDXdXDXDxDxDXDXDxdXDxDxDxdXDxDxdxdXDxdXDxdXDxdxDxdXDxDxdxDXdxDxDxdXDxdxdxdXDxdXdxdXDxDXdxdXDxdxdxdXDxDXDxDXdxDxdxdXDxdXdxDXdxdXdxDXdxdXDxDXdxdxDxdXDxDXDxDXdxDXdxdXDxdXdxDXdxdxDxDXdxDxdxDXdxDXdxdXDxDXdxdXDxDxdxdXDxDxdxDXdxDxDxDXdxdxDxDXdxDxDxdXDxDxDxdXDxDxdxDXdxdXDxDXdxDXdxdXdxdxdxdXDXDxdxdXdxdxdxDXdXDXDxDxDXDXDxdXDxdxDxDXdxdXDxdXDxdxDxDXdxdxDxdXDxdXDxdXDXdxdxdXDxDXDxDXdxdXdxDXdxDxdxdXDxdXdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxDxdxDXdxdXDxDXdxDxDxdXDxdxdxdXDxdxDxdXDXdxDxDXdxDXdxDXdxdXDxDXdxDxdxDXdxdXDxDXdxDxDxdXDXdxdxDXdxdXdxDXdxdXDxdXDxdxdxdXDXdxdxDXdxDxDxdXDXdxDxdXDxdXDxdXdXdxDxdXDXdXDxdXdxdxdxdXdXdXDxdXdXdXDxDXdXDXDxDxDXDXDxdXDxDxDxdXDxDxdxdXDxdXDxdXDxdxDxdXDxDxdxDXdxDxDxdXDxdxdxdXDxdXdxdXDxDXdxdXDxdxdxdXDxDXDxDXdxDxdxdXDxdXdxDXdxdXdxDXdxdXDxDXdxdxDxdXDxDXDxDXdxDXdxdXDxdXdxDXdxdxDxDXdxDxdxDXdxDXdxdXDxDXdxdXDxDxdxdXDxDxdxDXdxDxDxDXdxdxDxDXdxDxDxdXDxDxDxdXDxDxdxDXdxdXDxDXdxDXdxdXdXdxDxdXdxdxdxDXDXdXDxdXdxdxdxDXDxdxdxDXDxDxDxDXDxDxdxDXdxdXDxDXdXdxdxDXdxdxDxDXDxdXdxdXdXdxdxDXdXDXDxDxDXDXDxdXDxDXDxdXDxDXdxdXDxDxdxdXDxDxDxDXdxDXdxdXDXdxDxDXdxDxDxdXDxDxdxDXdxdxDxdXDXdxdxdXDxDxdxDXdxdxDxdXDxDXDxDXdxDxDxdXDXdxDxDXdxDXdxdXDxdxdxdXDxDXDxdXDxDxdxdXDXdxdxDXdxdXDxdXDxDXdxdXDxdxdxdXDxdxdxdXDxdxdxDXdxdxDxdXDxdxdxdXDxDxdxdXDxdxDxdXDXdxDxdXDXdxdxdXDxdxdxDxDXdXDxDXdXDXDxDxDXDXDxdXDxDxDxdXDxDxdxdXDxdXDxdXDxdxDxdXDxDxdxDXdxDxDxdXDxdxdxdXDxdXdxdXDxDXdxdXDxdxdxdXDxDXDxDXdxDxdxdXDxdXdxDXdxdXdxDXdxdXDxDXdxdxDxdXDxDXDxDXdxDXdxdXDxdXdxDXdxdxDxDXdxDxdxDXdxDXdxdXDxDXdxdXDxDxdxdXDxDxdxDXdxDxDxDXdxdxDxDXdxDxDxdXDxDxDxdXDxDxdxDXdxdXDxDXdxDXdxDxDXDxDxdXdXdxDxdXDXdXDxdXdxdxdxDXDXDxDxdXDXdXDxdXdxdxdxDXDxdxdxDXDxDxDxDXDxDxdxDXdxdXDxDXdXdxdxDXdxdxDxDXDxdXdxdXdXdxdxdXdxDXDxDxDXDxdxDXdXDXdxdXdxDXDxdXdXdxDxdXDXdXDxdXdxdxdxDXDxdXdxDXdxDxDxDXDxDxdxDXDxDxDxDXDxdXdxDXdXDXdxdXdxdxdxdXdXdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdXdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXdXDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDXdxdxdXDxdxdxdXDxdxdxdXdxdxdxdXdXDxDxdXdxdxdxdXDxdxdxDXDXdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxdXDxdxdxDxdxdxDxdXDxdxdxdXDxdxdxdXdXdxDxdXDXdXDxdXdxdxdxDXDXDxDxdXDXdXD' ct = ct.replace('x', '0').replace('d', '0') ct = ct.replace('X', '1').replace('D', '1') msg = '' for i in range(0, len(ct), 8): msg += chr(int(ct[i:i+8], 2)) print(msg)
デコード結果は以下の通り。
#include <stdio.h> int main() { int o_983add0ed98b556d85ef118183b229dc[] = { 112, 105, 110, 103, 123, 119, 104, 121, 95, 115, 111, 95, 115, 101, 114, 105, 111, 117, 115, 95, 88, 68, 125 }; const int o_1c1a387bd28e94ce019fcdce8bc08e93 = sizeof((o_983add0ed98b556d85ef118183b229dc)) / sizeof((o_983add0ed98b556d85ef118183b229dc[(0x0000000000000000 + 0x0000000000000200 + 0x0000000000000800 - 0x0000000000000A00)])); char o_7645f9e4a84a7e9f0748c6000a041980[o_1c1a387bd28e94ce019fcdce8bc08e93]; for (int o_f8cd493a89f94a8b1e2e211842b4c8ec = (0x0000000000000000 + 0x0000000000000200 + 0x0000000000000800 - 0x0000000000000A00); (o_f8cd493a89f94a8b1e2e211842b4c8ec < o_1c1a387bd28e94ce019fcdce8bc08e93) & !!(o_f8cd493a89f94a8b1e2e211842b4c8ec < o_1c1a387bd28e94ce019fcdce8bc08e93); ++o_f8cd493a89f94a8b1e2e211842b4c8ec) { o_7645f9e4a84a7e9f0748c6000a041980[o_f8cd493a89f94a8b1e2e211842b4c8ec] = (char)(o_983add0ed98b556d85ef118183b229dc[o_f8cd493a89f94a8b1e2e211842b4c8ec]); }; for (int o_54314e02607d2bca7f2adf644eae54cf = (0x0000000000000000 + 0x0000000000000200 + 0x0000000000000800 - 0x0000000000000A00); (o_54314e02607d2bca7f2adf644eae54cf < o_1c1a387bd28e94ce019fcdce8bc08e93) & !!(o_54314e02607d2bca7f2adf644eae54cf < o_1c1a387bd28e94ce019fcdce8bc08e93); ++o_54314e02607d2bca7f2adf644eae54cf) { putchar(o_7645f9e4a84a7e9f0748c6000a041980[o_54314e02607d2bca7f2adf644eae54cf]); }; putchar('\n'); return (0x0000000000000000 + 0x0000000000000200 + 0x0000000000000800 - 0x0000000000000A00); };
数値の配列をデコードする。
>>> nums = [112, 105, 110, 103, 123, 119, 104, 121, 95, 115, 111, 95, 115, 101, 114, 105, 111, 117, 115, 95, 88, 68, 125] >>> ''.join([chr(c) for c in nums]) 'ping{why_so_serious_XD}'
ping{why_so_serious_XD}
hard-work (crypto)
以下の順にデコードすると、フラグになった。
・16進数デコード ・8進数デコード ・2進数デコード ・16進数デコード ・base64デコード
#!/usr/bin/env python3 from base64 import * with open('task.txt', 'r') as f: msg = f.read() enc = msg.split(' ') msg = '' for c in enc: msg += chr(int(c, 16)) print('[+] msg:', msg) enc = msg.split(' ') msg = '' for c in enc: msg += chr(int(c, 8)) print('[+] msg:', msg) enc = msg.split(' ') msg = '' for c in enc: msg += chr(int(c, 2)) print('[+] msg:', msg) enc = msg.split(' ') msg = '' for c in enc: msg += chr(int(c, 16)) print('[+] msg:', msg) flag = b64decode(msg).decode() print('[+] flag:', flag)
実行結果は以下の通り。
[+] msg: 60 60 61 61 60 61 61 60 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 61 61 60 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 61 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 61 61 60 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 61 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 60 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 61 61 60 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 61 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 61 61 60 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 61 61 60 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 61 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 61 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 61 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 60 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 60 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 61 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 61 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 61 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 61 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 61 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 61 61 60 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 61 40 60 60 61 61 60 60 61 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 61 60 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 60 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 60 61 61 60 61 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 61 60 40 60 60 61 61 60 61 61 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 61 60 61 40 60 60 61 61 60 60 60 61 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 61 61 60 60 61 60 60 40 60 60 61 60 60 60 60 60 40 60 60 61 61 60 60 61 61 40 60 61 61 60 60 61 60 60 [+] msg: 00110110 00110011 00100000 00110100 00110111 00100000 00110110 01100011 00100000 00110111 00110101 00100000 00110101 01100001 00100000 00110011 00110011 00100000 00110111 00110100 00100000 00110111 00110111 00100000 00110101 00111001 00100000 00110101 00111000 00100000 00110101 00110010 00100000 00110111 00110000 00100000 00110101 01100001 00100000 00110101 00110111 00100000 00110011 00110101 00100000 00110110 01100001 00100000 00110101 01100001 00100000 00110101 00110110 00100000 00110011 00111001 00100000 00110111 00110000 00100000 00110110 00110011 00100000 00110011 00110001 00100000 00110011 00111001 00100000 00110011 00110000 00100000 00110110 00110001 00100000 00110100 00110111 00100000 00110101 00110110 00100000 00110110 00110110 00100000 00110110 00110001 00100000 00110011 00110010 00100000 00110101 00110110 00100000 00110011 00110101 00100000 00110101 00111000 00100000 00110011 00110011 00100000 00110101 00110010 00100000 00110111 00110110 00100000 00110101 00111000 00100000 00110011 00110011 00100000 00110101 00110010 00100000 00110111 00111001 00100000 00110101 00111001 00100000 00110101 00110111 00100000 00110011 00110101 00100000 00110111 00111000 00100000 00110110 00110100 00100000 00110101 00110111 00100000 00110110 01100011 00100000 00110111 00110011 00100000 00110110 00110001 00100000 00110101 00111000 00100000 00110101 00110010 00100000 00110011 00110101 00100000 00110110 00110110 00100000 00110101 00110001 00100000 00110011 01100100 00100000 00110011 01100100 [+] msg: 63 47 6c 75 5a 33 74 77 59 58 52 70 5a 57 35 6a 5a 56 39 70 63 31 39 30 61 47 56 66 61 32 56 35 58 33 52 76 58 33 52 79 59 57 35 78 64 57 6c 73 61 58 52 35 66 51 3d 3d [+] msg: cGluZ3twYXRpZW5jZV9pc190aGVfa2V5X3RvX3RyYW5xdWlsaXR5fQ== [+] flag: ping{patience_is_the_key_to_tranquility}
ping{patience_is_the_key_to_tranquility}
lame-lame-loser (crypto)
aとbのgcdが1で、x*a + y*b == 0 (xがマイナス) の場合、gをxとyのgcdとすると、以下のようになる。
a = y // g b = - x // g
あとはその情報を元に鍵を生成し、復号する。
#!/usr/bin/env python3 from hashlib import sha256 from math import gcd from Crypto.Cipher import AES from Crypto.Util.Padding import unpad with open('out.txt', 'r') as f: params = f.read().splitlines() x = int(params[0].split(' = ')[1]) y = int(params[1].split(' = ')[1]) ct = eval(params[2].split(' = ')[1]) g = gcd(x, y) a = y // g b = - x // g assert x*a + y*b == 0 assert gcd(a, b) == 1 aes = AES.new(sha256(f'{a}||{b}'.encode()).digest(), AES.MODE_CBC, iv=bytes(16)) pt = aes.decrypt(ct) FLAG = unpad(pt, 16).decode() print(FLAG)
ping{135str4_135str4_107v4sz_41g0r1thm_r0cks_sc41ing}