この大会は2024/3/24 1:00(JST)~2024/3/25 1:00(JST)に開催されました。
今回もチームで参戦。結果は992点で520チーム中228位でした。
自分で解けた問題をWriteupとして書いておきます。
Rules for JerseyCTF IV (Required)
PDFの最下部にフラグが書いてあった。
jctf{i_agree_to_the_rules}
internal-tensions (misc)
Internet Archiveで2/15のものを見てみる。HTMLソースを見ると、コメントにフラグが書いてあった。
jctf{th3_1nt3rn3t_n3v3r_f0rg3t5_y0ur_b1und3r5}
data-divergence-discovery (misc)
添付のファイルの差分を見てみる。
$ diff neon-echoes-1.txt neon-echoes-2.txt 4c4 < moved with purpose through the cyberpunk metropolis. His cybernetic eyes scanned the surroundings, searching for the entrance to the --- > moved with purpose through the cyberpunk metropolis. His cybernetic eyes scanned the surroundinqs, searching for the entrance to the 9c9 < savior. The city's underbelly was a maze of flickering screens, each one a gateway to a world of secrets. Jack, the ghost in the --- > savior. The city's underbelly was a maze of flickering screens, each one a gateway to a world of secrets. Jack, the ghoust in the 15c15 < the binary betrayal—a truth too dangerous to share. As he delved deeper, the lines between reality and virtuality blurred, and he --- > the binary betrayal—a truth too dangerous to share. 4s he delved deeper, the lines between reality and virtuality blurred, and he 20c20 < reverberated through the digital alleyways. The megacorporations, guardians of the fabricated reality, dispatched their cybernetic --- > reverberated through the digital alleyways. The megancorporations, guardians of the fabricated reality, dispatched their cybernetic 25c25 < pavement, a symphony of pursuit echoing through the night. Neon signs flickered in panic as Jack ducked into alleys, his cybernetic --- > pavement, a symphony of pursuit echoing through the night. Neton signs flickered in panic as Jack ducked into alleys, his cybernetic 29c29 < Through the electric pulse of the city, Jack reached out to the rebels. The encrypted evidence needed to be broadcasted before the --- > Through the electruic pulse of the city, Jack reached out to the rebels. The encrypted evidence needed to be broadcasted before the 34c34 < In a final showdown amid the neon-soaked cityscape, Jack faced the enforcers. The rebels rallied behind him, their augmented reality --- > In a final showdown ammid the neon-soaked cityscape, Jack faced the enforcers. The rebels rallied behind him, their augmented reality 38c38 < As the rebels dismantled the fabricated reality, the city shuddered with the birth pains of a new era. The neon lights flickered, --- > As the rebels dismantled the fabricated reality, the city shuddered with the birth pains of a new era. The neon lights_flickered, 48c48 < rogue, a master of code navigating the dazzling but treacherous streets. Her cybernetic optics scanned the metropolis, seeking the --- > rogue, a master of code navigating the dazzling but treacherous streets. Her cybernetic opticcs scanned the metropolis, seeking the 51c51 < Descending into the depths, Cipher encountered a subversive network of rebels—faces hidden behind holographic disguises. They were --- > Descending into the depths, C1pher encountered a subversive network of rebels—faces hidden behind holographic disguises. They were 55c55 < Part 2: Binary Serendipity --- > Part 2: Bipnary Serendipity 63c63 < the megacorps blurred, forcing her to confront the question of whether she was a pawn or a player in this electrified chessboard. --- > the megacorps blurred, forcing her to confront the question of whhether she was a pawn or a player in this electrified chessboard. 67c67 < through alleys, each corner a dance of evasion against the mechanical pursuers. The city itself seemed alive, aiding the enforcers with --- > through alleys, each corner a dance of 3vasion against the mechanical pursuers. The city itself seemed alive, aiding the enforcers with 70c70 < Desperate, she reached out to the rebels in the digital underground. The encrypted evidence had to be broadcasted before the enforcers --- > Desperate, she reached out to the rebels in the digital underground. The encrrypted evidence had to be broadcasted before the enforcers 74c74 < Part 4: Neon Reckoning --- > Part 4: Neon Reckoning5
差分のある文字を書き出す。
qu4ntum_c1ph3r5
jctf{qu4ntum_c1ph3r5}
this-is-not-the-flag-you-are-looking-for (osint)
手旗信号になっているので、解読する。
FIREPOWER FOR FREE DOM
「FIREPOWER FOR FREEDOM ship type」で調べると、以下のページが見つかる。
https://www.squadronposters.com/product/uss-new-jersey-bb-62-firepower-for-freedom/#:~:text=USS%20New%20Jersey%20(BB%2D62)%20Firepower%20for%20Freedom%20poster,US%20state%20of%20New%20Jersey.
jctf{USS_New_Jersey_BB_62}
PasswordManager (bin/rev)
Ghidraでデコンパイルする。
undefined8 main(int param_1,undefined8 *param_2) { int iVar1; undefined8 uVar2; long in_FS_OFFSET; int iStack_4c; undefined8 uStack_48; undefined8 uStack_40; undefined2 uStack_38; byte abStack_28 [19]; undefined uStack_15; long lStack_10; lStack_10 = *(long *)(in_FS_OFFSET + 0x28); uStack_48 = 0x164d525e4351464f; uStack_40 = 0x655c65487a561657; uStack_38 = 0x581a; if (param_1 == 2) { for (iStack_4c = 0; iStack_4c < 0x12; iStack_4c = iStack_4c + 1) { abStack_28[iStack_4c] = *(byte *)((long)&uStack_48 + (long)iStack_4c) ^ 0x25; } uStack_15 = 0; iVar1 = strncmp(abStack_28,param_2[1],0x12); if (iVar1 == 0) { puts(&UNK_00495018); uVar2 = 0; } else { puts(&UNK_0049502d); uVar2 = 1; } } else { printf(&UNK_00495004,*param_2); uVar2 = 1; } if (lStack_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return uVar2; }
uStack_48から1文字ずつ0x25とXORすれば正しい入力文字列を算出できる。
#!/usr/bin/env python3 enc = b'' enc += (0x164d525e4351464f).to_bytes(8, 'little') enc += (0x655c65487a561657).to_bytes(8, 'little') enc += (0x581a).to_bytes(2, 'little') flag = '' for c in enc: flag += chr(c ^ 0x25) print(flag)
jctf{wh3r3s_m@y@?}
substitute-detail-torrent (forensics)
$ strings Blob.wim | grep jctf This is a testHostUrl:jctf{https://www.NTFS/File/Metadata}
jctf{https://www.NTFS/File/Metadata}
Attn-Agents (crypto)
シーザー暗号と推測し、https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。
Rotation 3:
Attention JCTF agents! An unknown APT is hijacking networks to spread stealth malware using stolen source code. Your mission: track down the source of the leaks and stop the wide-spread attacks across our networks. Time is running out. The {fate-of-the-web} is in your hands!
jctf{fate-of-the-web}
adveRSAry (crypto)
n, e, qがわかっているので、通常通り復号する。
#!/usr/bin/env python3 from Crypto.Util.number import * with open('publicKeys', 'r') as f: params = f.read().splitlines() with open('intercepted', 'r') as f: c = bytes_to_long(eval(f.read())) n = int(params[1]) e = int(params[4]) q = int(params[7]) assert n % q == 0 assert c < n p = n // q phi = (p - 1) * (q - 1) d = inverse(e, phi) m = pow(c, d, n) msg = long_to_bytes(m) print(msg)
復号結果は以下の通り。
b'\x02\x13 \xf9=\x93\xd28uAP\x12U"\xf1\xc7\xd3R|b\xd2\x81\xe2\xd6~_\n\x14\xbb\x8e\xc4\x06\xab\t\n\xd8\x12L\xc4?\xd3\xe2\x82\xc3\x8b\xe9Kv:\x87J\xc2,j\xf6 \xfb4I=\xf8\n\xcf"\xa4\xef\xac=\xedM\xcei\t\xc4\xa6`\xc1\x9fZ\x0b\x90\xfe\x1b \xc3\x04\x15M\xdf\xce\xb26\xdf\xeeF>\xfd3\xban\xfa\xd53*\xd5\xbe\xea\x92_o\x00jctf{HAHAHA I knew you would intercept this transmission. You may have won this round, but there are many more challenges for me to best you at}'復号したデータにフラグが含まれていた。
jctf{HAHAHA I knew you would intercept this transmission. You may have won this round, but there are many more challenges for me to best you at}
JerseyCTF IV Feeback (Feedback)
アンケートに答えたら、フラグが表示された。
jctf{tH@nks_for_aTTending_P@RT4!!!}
