Texas Security Awareness Week 2024 Writeup

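This competition was held from 2024/3/24 0:00 (JST) to 2024/3/25 7:00 (JST).
I took part with a team again this time. We scored 1910 points and placed 26th out of 410 teams.
I am writing up the challenges I solved myself.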

Join our Discord (Tutorial 10)

After joining the Discord and looking at Tutorials in #challenge-list, the flag was written there as follows.

Tutorials
- Join our Discord (texsaw{welcome_to_texsaw_2024_have_fun})
texsaw{welcome_to_texsaw_2024_have_fun}

PS2 games (Miscellaneous 50)

Based on the sql file, the challenge is to answer how many games were released for PlayStation in the 2000s (2000 to 2009 inclusive).
First, load the sql file into MySQL.

$ sudo mysql                           
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 33
Server version: 10.11.2-MariaDB-1 Debian n/a

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> source db.sql

        :
        :

Query OK, 1 row affected (0.001 sec)

Query OK, 1 row affected (0.001 sec)

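The goal is to output the number of Games whose platform is 'PlayStation' and whose release date is on or after '2000-01-01' and before '2010-01-01'.
Look up the ID in the Platforms table whose platform_name is 'PlayStation'.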

MariaDB [gamestore]> select platform_id from Platforms where platform_name = 'PlayStation';
+-------------+
| platform_id |
+-------------+
|           2 |
+-------------+
1 row in set (0.000 sec)

Join the Games table and the GamePlatforms table on game_id, and output the count of rows where release_date is on or after '2000-01-01' and before '2010-01-01' and platform_id is 2.

MariaDB [gamestore]> select count(*) from Games join GamePlatforms on Games.game_id = GamePlatforms.game_id where platform_id = 2 and release_date >= '2000-01-01' and release_date < '2010-01-01';
+----------+
| count(*) |
+----------+
|       42 |
+----------+
1 row in set (0.001 sec)
texsaw{42}

Ultron Encodes (RE/Pwn 50)

$ strings ul7r0n3nc0desStrings             
!!!!!!Hint maybe check for utf16LE???
 NB)
B)|.B)znB)x
B)s.B)qNB)onB)m
B)KnB)INB)G.B)D
        :

Extract the strings as 32-bit (little-endian) wide characters.

$ strings ul7r0n3nc0desStrings --encoding=L
flag{y0u4r34llpupp3tsTan6l3d1nStrings
flag{y0u4r34llpupp3tsTan6l3d1nStrings}
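
How the code-unit width changes what a strings-style scan finds, as an added example (not part of the original writeup): a minimal Python version of the scan for 1-byte, 16-bit little-endian (strings -e l) and 32-bit little-endian (strings -e L) units. The byte string and its flag{demo} value are constructed sample data, and wide_strings is a hypothetical helper name.

```python
import string

# Printable ASCII bytes, keeping space and tab but not line breaks
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c\r\n")

def wide_strings(data, width, min_len=4):
    """Return (offset, text) for runs of printable ASCII stored as
    little-endian code units of `width` bytes (1, 2 or 4)."""
    found = []
    for phase in range(width):              # a run may start at any alignment
        run, start = bytearray(), phase
        for i in range(phase, len(data) - width + 1, width):
            unit = data[i:i + width]
            # low byte printable, all high bytes zero -> one ASCII character
            if unit[0] in PRINTABLE and not any(unit[1:]):
                if not run:
                    start = i
                run.append(unit[0])
            else:
                if len(run) >= min_len:
                    found.append((start, run.decode()))
                run = bytearray()
        if len(run) >= min_len:
            found.append((start, run.decode()))
    return sorted(found)

# Constructed sample: plain ASCII, then a UTF-32LE string, then a UTF-16LE string
SAMPLE = (b"\x01\x02JUNK\x00"
          + "flag{demo}".encode("utf-32-le")
          + b"\xff"
          + "wide16".encode("utf-16-le"))

if __name__ == "__main__":
    for width in (1, 2, 4):
        print(width, wide_strings(SAMPLE, width))
```

A string stored with 4 bytes per character is invisible to the 1-byte and 16-bit scans because every character is followed by three zero bytes, which ends each run after a single character.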

Out of Bounds (Web 50)

Accessing the given URL redirects to http://3.23.56.243:9004/post/0/. Clicking "Show Me The Posts!!" moves to http://3.23.56.243:9004/post/1/. It is possible to move on to /post/2 and beyond, and from /post/5 onward there is no content.
When I tried accessing http://3.23.56.243:9004/post/-1/, the flag was displayed.

texsaw{aw4y_fr0m_the_b0und4rie5_4cd1efa8}

The cookie named role is set to "user". Changing it to "admin" and reloading displayed the flag.

texsaw{cR@zy_c00Ki3}

Over 9000 (Web 50)

Looking at http://3.23.56.243:9005/9000.js, it reads as follows.

let currentEnergy = 0;

function gatheringEnergy(){
    currentEnergy++;
    $("#energycount").html(`${currentEnergy}`);
    if(currentEnergy == 10)
    {
        alert("out of energy try again :(")
        currentEnergy = 0;
        $("#energycount").html(0);
        
    }
    else if (currentEnergy > 9000)
    {
        
        $.ajax({
            type:"POST",
            url:"kamehameha.php",
            data:{energy: currentEnergy},
            success: function(flag){
                alert(`${flag}`);
            },
            error: function(responseText,status, error){
                console.log(`Tell the infrastructure team to fix this: Status = ${status} ; Error = ${error}`);
            }


        })
        
    }
}

Send the POST request that the script performs when currentEnergy becomes greater than 9000.

$ curl http://3.23.56.243:9005/kamehameha.php -d "energy=9001"                                       
texsaw{y0u_th0ught_th1s_w4s_4_fl4g_but_1t_w4s_m3_d10}
texsaw{y0u_th0ught_th1s_w4s_4_fl4g_but_1t_w4s_m3_d10}

Malicious Threat (Forensics 50)

Checking the attached log, there is the following suspicious entry.

192.168.0.8 - - [26/Feb/2024:08:46:37 -0500] "GET /admin/ufile.io/y8ls94tu HTTP 1.1" 401 2048

Access https://ufile.io/y8ls94tu. Admin.zip is available for download, so download it.
Extract the downloaded zip file and examine it.

$ unzip Admin.zip          
Archive:  Admin.zip
  inflating: Admin/customers.csv     
  inflating: Admin/employee.csv      
  inflating: Admin/organizations.csv  
  inflating: Admin/people.csv        
  inflating: Admin/users.csv
$ cd Admin
$ grep -rl texsaw .
./users.csv
$ cat users.csv | grep texsaw
"2024-02-26 10:35:00 - Admin User 3 texsaw{g0tcha_fl@g_m1ne} - FAILED"
texsaw{g0tcha_fl@g_m1ne}

The Forked Cave (Forensics 50)

$ cd .git
$ cat refs/heads/master 
fcc7c65ddcfa630ebe5c97cae9b014389957dbc7
$ python -c 'import zlib; print zlib.decompress(open("objects/fc/c7c65ddcfa630ebe5c97cae9b014389957dbc7").read())'
commit 245tree cb0c253c9d670bf57f98427112127ac568e55400
parent 9c6d7b5d77ba2f73fca83d026de1fe7904ce6e0b
author Chris Wang <chriswang444@gmail.com> 1539982910 -0500
committer Chris Wang <chriswang444@gmail.com> 1539982910 -0500

Something went very wrong.

$ python -c 'import zlib; print zlib.decompress(open("objects/cb/0c253c9d670bf57f98427112127ac568e55400").read())' | xxd -g 1
00000000: 74 72 65 65 20 31 32 30 00 31 30 30 36 34 34 20  tree 120.100644 
00000010: 6b 6e 69 67 68 74 2e 74 78 74 00 6c 92 65 ef 6d  knight.txt.l.e.m
00000020: 95 58 52 46 77 6b 2d 78 53 56 3d 10 f3 ba ed 31  .XRFwk-xSV=....1
00000030: 30 30 36 34 34 20 70 61 72 74 79 66 6c 61 67 2e  00644 partyflag.
00000040: 74 78 74 00 bd 10 ad af ee 89 ee fe 0e cd 48 e2  txt...........H.
00000050: 96 88 bb cf 71 31 8e 1c 31 30 30 36 34 34 20 70  ....q1..100644 p
00000060: 72 69 65 73 74 65 73 73 2e 74 78 74 00 09 c9 09  riestess.txt....
00000070: ac 51 ad 7b 0f ef 4f 27 4f f2 1b 58 f9 38 73 e0  .Q.{..O'O..X.8s.
00000080: 76 0a                                            v.

$ python -c 'import zlib; print zlib.decompress(open("objects/bd/10adafee89eefe0ecd48e29688bbcf71318e1c").read())'
blob 30texsaw{git_r3set_f_htb_qwltf}

This was not accepted as the flag, so I keep looking through the objects.

$ python -c 'import zlib; print zlib.decompress(open("objects/9c/6d7b5d77ba2f73fca83d026de1fe7904ce6e0b").read())'
commit 237tree 20ee707c020242ed3d3eae5b983b130060d8160d
parent 02589c89210a9718a03992eec1a7da85e15c7c7d
author Chris Wang <chriswang444@gmail.com> 1539982872 -0500
committer Chris Wang <chriswang444@gmail.com> 1539982872 -0500

The battle begins!

$ python -c 'import zlib; print zlib.decompress(open("objects/20/ee707c020242ed3d3eae5b983b130060d8160d").read())' | xxd -g 1
00000000: 74 72 65 65 20 33 31 31 00 31 30 30 36 34 34 20  tree 311.100644 
00000010: 62 72 61 77 6c 65 72 2e 74 78 74 00 c7 10 56 79  brawler.txt...Vy
00000020: 84 9c 66 d7 39 e6 a4 f2 b4 36 70 a9 05 9a 0d 3e  ..f.9....6p....>
00000030: 31 30 30 36 34 34 20 63 72 65 65 70 65 72 2e 74  100644 creeper.t
00000040: 78 74 00 27 01 57 b1 21 c6 d4 3e 23 28 49 66 ae  xt.'.W.!..>#(If.
00000050: fa 73 08 2b ab b1 4d 31 30 30 36 34 34 20 64 65  .s.+..M100644 de
00000060: 6d 6f 6e 2e 74 78 74 00 83 a9 4f 99 39 46 d9 cd  mon.txt...O.9F..
00000070: cf e2 7f 64 d7 79 74 a9 5d 43 df 6c 31 30 30 36  ...d.yt.]C.l1006
00000080: 34 34 20 67 6f 62 6c 69 6e 2e 74 78 74 00 a5 d5  44 goblin.txt...
00000090: 7a 2b a6 ec 94 be 96 48 df 24 6e b7 6a e1 23 d8  z+.....H.$n.j.#.
000000a0: 1d af 31 30 30 36 34 34 20 70 72 69 65 73 74 65  ..100644 prieste
000000b0: 73 73 2e 74 78 74 00 d3 e3 6b 7f cf e0 98 09 c6  ss.txt...k......
000000c0: 93 73 5b ab 04 79 de 6b e4 e3 f7 31 30 30 36 34  .s[..y.k...10064
000000d0: 34 20 73 6b 65 6c 65 74 6f 6e 2e 74 78 74 00 02  4 skeleton.txt..
000000e0: 05 7f 08 c9 e3 6f 42 12 89 88 52 df 1d 73 e5 65  .....oB...R..s.e
000000f0: 8b b5 00 31 30 30 36 34 34 20 73 6f 6c 64 69 65  ...100644 soldie
00000100: 72 2e 74 78 74 00 74 9e 0b 54 fc 6b 97 18 0e f0  r.txt.t..T.k....
00000110: 17 81 7a d3 c6 fd 7a 95 0a 0c 31 30 30 36 34 34  ..z...z...100644
00000120: 20 77 69 7a 61 72 64 2e 74 78 74 00 96 57 cf a2   wizard.txt..W..
00000130: 01 7e c5 40 f5 6f ef 6f 8b 16 b1 05 ee 3e eb d3  .~.@.o.o.....>..
00000140: 0a                                               .

I do not know where the flag is, so I look through the objects one by one.

$ python -c 'import zlib; print zlib.decompress(open("objects/02/057f08c9e36f4212898852df1d73e5658bb500").read())'
blob 50I'm Sans Undertale. Get ready to have a bad time.

$ python -c 'import zlib; print zlib.decompress(open("objects/02/589c89210a9718a03992eec1a7da85e15c7c7d").read())'
commit 197tree 7717189b1facf2db5f828de25662e25da50f89e7
author Chris Wang <chriswang444@gmail.com> 1539982828 -0500
committer Chris Wang <chriswang444@gmail.com> 1539982828 -0500

The party enters the cave.

$ python -c 'import zlib; print zlib.decompress(open("objects/6c/9265ef6d95585246776b2d7853563d10f3baed").read())'
blob 30We'll kill them one by one...

$ python -c 'import zlib; print zlib.decompress(open("objects/09/c909ac51ad7b0fef4f274ff21b58f93873e076").read())'
blob 37I've seen things I shouldn't have...

$ python -c 'import zlib; print zlib.decompress(open("objects/27/0157b121c6d43e23284966aefa73082babb14d").read())'
blob 9C3H5N3O9

$ python -c 'import zlib; print zlib.decompress(open("objects/74/9e0b54fc6b97180ef017817ad3c6fd7a950a0c").read())'
blob 36My broadsword is too big for CQC...

$ python -c 'import zlib; print zlib.decompress(open("objects/77/17189b1facf2db5f828de25662e25da50f89e7").read())' | xxd -g 1
00000000: 74 72 65 65 20 31 39 38 00 31 30 30 36 34 34 20  tree 198.100644 
00000010: 62 72 61 77 6c 65 72 2e 74 78 74 00 c7 10 56 79  brawler.txt...Vy
00000020: 84 9c 66 d7 39 e6 a4 f2 b4 36 70 a9 05 9a 0d 3e  ..f.9....6p....>
00000030: 31 30 30 36 34 34 20 70 61 72 74 79 66 6c 61 67  100644 partyflag
00000040: 2e 74 78 74 00 f3 9f 6b 24 a5 d1 33 47 11 ea 64  .txt...k$..3G..d
00000050: e2 69 ab 24 07 14 e8 17 f1 31 30 30 36 34 34 20  .i.$.....100644 
00000060: 70 72 69 65 73 74 65 73 73 2e 74 78 74 00 d3 e3  priestess.txt...
00000070: 6b 7f cf e0 98 09 c6 93 73 5b ab 04 79 de 6b e4  k.......s[..y.k.
00000080: e3 f7 31 30 30 36 34 34 20 73 6f 6c 64 69 65 72  ..100644 soldier
00000090: 2e 74 78 74 00 74 9e 0b 54 fc 6b 97 18 0e f0 17  .txt.t..T.k.....
000000a0: 81 7a d3 c6 fd 7a 95 0a 0c 31 30 30 36 34 34 20  .z...z...100644 
000000b0: 77 69 7a 61 72 64 2e 74 78 74 00 96 57 cf a2 01  wizard.txt..W...
000000c0: 7e c5 40 f5 6f ef 6f 8b 16 b1 05 ee 3e eb d3 0a  ~.@.o.o.....>...

$ python -c 'import zlib; print zlib.decompress(open("objects/f3/9f6b24a5d1334711ea64e269ab240714e817f1").read())'
blob 30texsaw{git_g00d_or_git_d3ath}
texsaw{git_g00d_or_git_d3ath}
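
The manual walk above (ref, commit, tree, blob, then the parent commit) as an added Python 3 example, not part of the original writeup: it parses loose objects directly and lists every version of one file along the first-parent history. The repository is constructed in a temporary directory with placeholder contents; it handles flat trees and loose objects only (no packfiles), and all function names are hypothetical.

```python
import hashlib, os, tempfile, zlib

def write_obj(gitdir, kind, body):
    """Store a loose object the way git does: zlib('<type> <size>\\0' + body)."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    d = os.path.join(gitdir, "objects", sha[:2])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_obj(gitdir, sha):
    """Return (type, body) of a loose object, checking the declared size."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError("size mismatch in " + sha)
    return kind.decode(), body

def parse_tree(body):
    """Tree entries are '<mode> <name>\\0' followed by a 20-byte raw SHA-1."""
    entries, i = [], 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        entries.append((body[i:sp].decode(), body[sp + 1:nul].decode(),
                        body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def history_of(gitdir, start, path):
    """Follow first-parent links from commit `start`; collect (commit, content) for `path`."""
    out, sha = [], start
    while sha:
        kind, body = read_obj(gitdir, sha)
        if kind != "commit":
            raise ValueError(sha + " is not a commit")
        headers = body.split(b"\n\n", 1)[0].decode().splitlines()
        tree = next(h.split()[1] for h in headers if h.startswith("tree "))
        parent = next((h.split()[1] for h in headers if h.startswith("parent ")), None)
        for _mode, name, blob in parse_tree(read_obj(gitdir, tree)[1]):
            if name == path:
                out.append((sha, read_obj(gitdir, blob)[1].decode()))
        sha = parent
    return out

def build_sample(gitdir):
    """Constructed two-commit repository: flag.txt is overwritten in the second commit."""
    def tree(files):
        body = b"".join(b"100644 " + n.encode() + b"\0"
                        + bytes.fromhex(write_obj(gitdir, "blob", c))
                        for n, c in sorted(files.items()))
        return write_obj(gitdir, "tree", body)
    def commit(tree_sha, parent, msg):
        lines = ["tree " + tree_sha] + (["parent " + parent] if parent else [])
        lines += ["author A <a@example.invalid> 0 +0000",
                  "committer A <a@example.invalid> 0 +0000", "", msg]
        return write_obj(gitdir, "commit", "\n".join(lines).encode() + b"\n")
    c1 = commit(tree({"flag.txt": b"example{original}\n", "a.txt": b"x\n"}), None, "first")
    return commit(tree({"flag.txt": b"example{decoy}\n"}), c1, "second")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as gd:
        head = build_sample(gd)
        for commit_sha, content in history_of(gd, head, "flag.txt"):
            print(commit_sha[:8], content.strip())
```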

MFMFT (Forensics 100)

An MFT file is attached. Apparently all that remains is to recover the password using the following hint about it from the challenge text, and answer it in flag format.

Oh, this might help: [0, 10, 17, 18, 5, 6, 15, 13, 9, 16, 12, 5, 11, 1, 14, 5, 7, 6, 7, 3, 2, 2, 10, 8, 4, 7]
>MFTECmd.exe -f TheMFT --csv .
MFTECmd version 1.2.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd

Command line: -f TheMFT --csv .

File type: Mft

Processed TheMFT in 0.0153 seconds

TheMFT: FILE records found: 0 (Free records: 30) File size: 30KB
        CSV output will be saved to .\20240324123516_MFTECmd_$MFT_Output.csv

The CSV output looks like this.

EntryNumber,SequenceNumber,InUse,ParentEntryNumber,ParentSequenceNumber,ParentPath,FileName,Extension,FileSize,ReferenceCount,ReparseTarget,IsDirectory,HasAds,IsAds,SI<FN,uSecZeros,Copied,SiFlags,NameType,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30,UpdateSequenceNumber,LogfileSequenceNumber,SecurityId,ObjectIdFileDroid,LoggedUtilStream,ZoneIdContents
64,3,False,85,2,.Trash-1001\     ,3,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5982428,,2024-03-04 03:53:06.5984984,,2024-03-04 04:02:58.4373758,2024-03-04 03:53:06.5984984,2024-03-04 03:53:08.7541090,,0,0,0,,,
65,3,False,85,2,.Trash-1001\     ,F,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5985849,,2024-03-04 03:53:06.5987176,,2024-03-04 04:02:58.4559919,2024-03-04 03:53:06.5987176,2024-03-04 03:53:08.7553057,,0,0,0,,,
66,3,False,85,2,.Trash-1001\     ,2,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5987856,,2024-03-04 03:53:06.5999261,,2024-03-04 04:02:58.4344358,2024-03-04 03:53:06.5999261,2024-03-04 03:53:08.7554917,,0,0,0,,,
67,3,False,85,2,.Trash-1001\     ,f,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5989500,,2024-03-04 03:53:06.5990127,,2024-03-04 04:02:58.4538910,2024-03-04 03:53:06.5990127,2024-03-04 03:53:08.7556665,,0,0,0,,,
68,3,False,85,2,.Trash-1001\     ,8,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5990638,,2024-03-04 03:53:06.5991274,,2024-03-04 04:02:58.4456464,2024-03-04 03:53:06.5991274,2024-03-04 03:53:08.7558601,,0,0,0,,,
69,3,False,85,2,.Trash-1001\     ,_,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5991804,,2024-03-04 03:53:06.6009016,,2024-03-04 04:02:58.4317408,2024-03-04 03:53:06.6009016,2024-03-04 03:53:08.7560750,,0,0,0,,,
70,3,False,85,2,.Trash-1001\     ,b,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5992970,,2024-03-04 03:53:06.6003470,,2024-03-04 04:02:58.4477256,2024-03-04 03:53:06.6003470,2024-03-04 03:53:08.7562797,,0,0,0,,,
71,3,False,85,2,.Trash-1001\     ,7,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5994119,,2024-03-04 03:53:06.6004484,,2024-03-04 04:02:58.4437273,2024-03-04 03:53:06.6004484,2024-03-04 03:53:08.7564516,,0,0,0,,,
72,3,False,85,2,.Trash-1001\     ,5,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5995273,,2024-03-04 03:53:06.5995903,,2024-03-04 04:02:58.4417241,2024-03-04 03:53:06.5995903,2024-03-04 03:53:08.7566222,,0,0,0,,,
73,3,False,85,2,.Trash-1001\     ,e,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5996409,,2024-03-04 03:53:06.5997045,,2024-03-04 04:02:58.4497348,2024-03-04 03:53:06.5997045,2024-03-04 03:53:08.7567934,,0,0,0,,,
74,3,False,85,2,.Trash-1001\     ,4,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5997584,,2024-03-04 03:53:06.6013519,,2024-03-04 04:02:58.4397756,2024-03-04 03:53:06.6013519,2024-03-04 03:53:08.7569632,,0,0,0,,,
75,3,False,85,2,.Trash-1001\     ,M,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.5999791,,2024-03-04 03:53:06.6000419,,2024-03-04 04:02:58.4579075,2024-03-04 03:53:06.6000419,2024-03-04 03:53:08.7571342,,0,0,0,,,
76,3,False,85,2,.Trash-1001\     ,Y,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6005016,,2024-03-04 03:53:06.6005653,,2024-03-04 04:02:58.4674893,2024-03-04 03:53:06.6005653,2024-03-04 03:53:08.7573038,,0,0,0,,,
77,3,False,85,2,.Trash-1001\     ,E,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6006191,,2024-03-04 03:53:06.6006828,,2024-03-04 04:02:58.4517453,2024-03-04 03:53:06.6006828,2024-03-04 03:53:08.7574742,,0,0,0,,,
78,3,False,85,2,.Trash-1001\     ,T,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6007363,,2024-03-04 03:53:06.6007997,,2024-03-04 04:02:58.4637358,2024-03-04 03:53:06.6007997,2024-03-04 03:53:08.7576692,,0,0,0,,,
79,3,False,85,2,.Trash-1001\     ,r,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6009555,,2024-03-04 03:53:06.6010189,,2024-03-04 04:02:58.4598378,2024-03-04 03:53:06.6010189,2024-03-04 03:53:08.7578745,,0,0,0,,,
80,3,False,85,2,.Trash-1001\     ,z,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6010703,,2024-03-04 03:53:06.6011340,,2024-03-04 04:02:58.4694044,2024-03-04 03:53:06.6011340,2024-03-04 03:53:08.7580854,,0,0,0,,,
81,3,False,85,2,.Trash-1001\     ,s,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6011869,,2024-03-04 03:53:06.6012500,,2024-03-04 04:02:58.4617396,2024-03-04 03:53:06.6012500,2024-03-04 03:53:08.7582727,,0,0,0,,,
82,3,False,85,2,.Trash-1001\     ,y,,32,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 03:53:06.6014054,,2024-03-04 03:53:06.6014684,,2024-03-04 04:02:58.4655793,2024-03-04 03:53:06.6014684,2024-03-04 03:53:08.7584517,,0,0,0,,,
83,3,False,5,5,,.Trash-1001,,0,1,,True,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4309354,,2024-03-04 04:03:02.5524727,2024-03-04 04:02:58.4309354,2024-03-04 04:03:02.5524727,2024-03-04 04:02:58.4309354,2024-03-04 04:02:58.4364638,2024-03-04 04:02:58.4309354,0,0,0,,,
84,3,False,83,2,.Trash-1001,    ,,0,1,,True,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4310661,,2024-03-04 04:03:02.5249755,2024-03-04 04:02:58.4310661,2024-03-04 04:03:02.5249755,2024-03-04 04:02:58.4310661,2024-03-04 04:03:02.4995365,2024-03-04 04:02:58.4310661,0,0,0,,,
85,3,False,83,2,.Trash-1001,     ,,0,1,,True,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4311379,,2024-03-04 04:03:02.5512914,2024-03-04 04:02:58.4311379,2024-03-04 04:03:02.5512914,2024-03-04 04:02:58.4311379,2024-03-04 04:03:02.4985102,2024-03-04 04:02:58.4311379,0,0,0,,,
86,11,False,84,2,.Trash-1001\    ,z.                   000000039,.                   000000039,0,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4689668,,2024-03-04 04:02:58.4689668,,2024-03-04 04:02:58.4692604,2024-03-04 04:02:58.4689668,2024-03-04 04:02:58.4689668,,0,0,0,,,
87,3,False,84,2,.Trash-1001\    ,_.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4313758,,2024-03-04 04:02:58.4314335,,2024-03-04 04:02:58.4316200,2024-03-04 04:02:58.4314335,2024-03-04 04:02:58.4319003,2024-03-04 04:02:58.4313758,0,0,0,,,
88,5,False,84,2,.Trash-1001\    ,8.trashinfo,.trashinfo,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4452771,,2024-03-04 04:02:58.4453303,,2024-03-04 04:02:58.4455187,2024-03-04 04:02:58.4453303,2024-03-04 04:02:58.4457853,2024-03-04 04:02:58.4452771,0,0,0,,,
89,3,False,84,2,.Trash-1001\    ,2.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4340525,,2024-03-04 04:02:58.4341177,,2024-03-04 04:02:58.4343058,2024-03-04 04:02:58.4341177,2024-03-04 04:02:58.4346275,2024-03-04 04:02:58.4340525,0,0,0,,,
90,5,False,84,2,.Trash-1001\    ,M.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4575833,,2024-03-04 04:02:58.4576289,,2024-03-04 04:02:58.4577964,2024-03-04 04:02:58.4576289,2024-03-04 04:02:58.4580561,2024-03-04 04:02:58.4575833,0,0,0,,,
91,3,False,84,2,.Trash-1001\    ,b.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4473670,,2024-03-04 04:02:58.4474178,,2024-03-04 04:02:58.4475986,2024-03-04 04:02:58.4474178,2024-03-04 04:02:58.4478765,2024-03-04 04:02:58.4473670,0,0,0,,,
92,5,False,84,2,.Trash-1001\    ,z.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4690767,,2024-03-04 04:02:58.4691226,,2024-03-04 04:02:58.4692923,2024-03-04 04:02:58.4691226,2024-03-04 04:02:58.4695342,2024-03-04 04:02:58.4690767,0,0,0,,,
93,3,False,84,2,.Trash-1001\    ,r.         ,.         ,53,1,,False,False,False,False,False,False,Archive,Posix,2024-03-04 04:02:58.4594638,,2024-03-04 04:02:58.4595174,,2024-03-04 04:02:58.4597089,2024-03-04 04:02:58.4595174,2024-03-04 04:02:58.4599829,2024-03-04 04:02:58.4594638,0,0,0,,,

Taking EntryNumber 64 as index 0, fill in the corresponding FileName for each index in the hint.

[0, 10, 17, 18, 5, 6, 15, 13, 9, 16, 12, 5, 11, 1, 14, 5, 7, 6, 7, 3, 2, 2, 10, 8, 4, 7]
 3   4   s   y  _  b   r   E  e   z   Y  _   M  F   T  _  7  b  7  f  2  2   4  5  8  7

The password comes out as follows.

34sy_brEezY_MFT_7b7f224587
texsaw{34sy_brEezY_MFT_7b7f224587}

MalWhere? (Forensics 200)

$ file hwvidmigplugin.exe
hwvidmigplugin.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Opening it in dnSpy and checking Resources shows hwvidmigplugin.ps1, which contains the following.

powershell.exe -nop -w hidden -noni -c;$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe';$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Decode the base64 part and save it to a file.

#!/usr/bin/env python3
from base64 import b64decode

enc = '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'
dec = b64decode(enc)

with open('flag.gz', 'wb') as f:
    f.write(dec)
$ file flag.gz
flag.gz: gzip compressed data, last modified: Sun Oct 29 05:48:29 2023, original size modulo 2^32 760

This shows it is a gz file, so decompress it.

$ gzip -d flag.gz
$ cat flag
$op = [char[]]@([int](503%107+41),[int](732%105-1),[int](349%229+0),[int](984%850-19),[int](341%245+1),[int](702%588+5),[int](422%146-7),[int](832%672-48),[int](981%102-15),[int](541%150+28),[int](251%102+22),[int](894%712-68),[int](201%103-15),[int](639%240-42),[int](387%110+25),[int](472%342-27),[int](173%109+5),[int](306%181+0));$ra = [char[]]@([int](734%161+2),[int](251%90+5),[int](542%110+3),[int](802%345-14),[int](943%810-19),[int](256%158-1),[int](238%130+6),[int](823%715-3),[int](942%281+2),[int](204%103+14),[int](291%100+1),[int](422%150-6),[int](439%328+9),[int](143%72+45),[int](103%57+0),[int](743%212-4),[int](642%553+8),[int](932%164-4),[int](398%143-10));$lr= $ra -join '';$ax=$op -join '';$b=$env:PUBLIC + $lr;$ax | Out-File -FilePath $b;

The values are listed in the form "[int]()", so convert the ASCII codes to characters.

#!/usr/bin/env python3
codes = '[int](503%107+41),[int](732%105-1),[int](349%229+0),[int](984%850-19),[int](341%245+1),[int](702%588+5),[int](422%146-7),[int](832%672-48),[int](981%102-15),[int](541%150+28),[int](251%102+22),[int](894%712-68),[int](201%103-15),[int](639%240-42),[int](387%110+25),[int](472%342-27),[int](173%109+5),[int](306%181+0)'
codes = codes.replace('[int](', '').replace(')', '')
codes = codes.split(',')

flag = ''
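for code in codes:
    # Compute "a%b+c" / "a%b-c" by hand rather than eval()-ing text taken from the sample
    a, rest = code.split('%')
    sign = '+' if '+' in rest else '-'
    b, c = rest.split(sign)
    flag += chr(int(a) % int(b) + int(sign + c))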
print(flag)
texsaw{p0wErSuRgE}

Crypto Trail (Cryptography 50)

Decode in the following order.

・Binary
・Hexadecimal
・base64
・Caesar cipher

#!/usr/bin/env python3
from base64 import b64decode
import string

def caesar(s, key):
    d = ''
    for c in s:
        code = ord(c)
        if c in string.ascii_uppercase:
            code = code - key
            if code < ord('A'):
                code += 26
        elif c in string.ascii_lowercase:
            code = code - key
            if code < ord('a'):
                code += 26
        d += chr(code)
    return d

codes = '00110101 01100001 00100000 00110011 00110011 00100000 00110100 01100001 00100000 00110111 00110010 00100000 00110101 01100001 00100000 00110110 01100100 00100000 00110011 00110101 00100000 00110111 00110001 00100000 00110110 00110101 00100000 00110011 00110010 00100000 00110110 00110100 00100000 00110100 00110110 00100000 00110110 00110010 00100000 00110110 01100001 00100000 00110100 00110110 00100000 00110101 01100001 00100000 00110101 01100001 00100000 00110110 01100011 00100000 00110011 00111001 00100000 00110110 01100011 00100000 00110101 00110011 00100000 00110100 00110111 00100000 00110100 00110110 00100000 00110110 00110110 00100000 00110110 00110011 00100000 00110100 00110100 00100000 00110100 00110010 00100000 00110101 01100001 00100000 00110101 00110101 00100000 00110101 00111000 00100000 00110011 00110000 00100000 00110011 01100100'
codes = codes.split(' ')

msg = ''
for code in codes:
    msg += chr(int(code, 2))
print('[+]', msg)

codes = msg.split(' ')
msg = ''
for code in codes:
    msg += chr(int(code, 16))
print('[+]', msg)

msg = b64decode(msg).decode()
print('[+]', msg)

msg = caesar(msg, 13)
print('[*]', msg)

The output is as follows.

[+] 5a 33 4a 72 5a 6d 35 71 65 32 64 46 62 6a 46 5a 5a 6c 39 6c 53 47 46 66 63 44 42 5a 55 58 30 3d
[+] Z3JrZm5qe2dFbjFZZl9lSGFfcDBZUX0=
[+] grkfnj{gEn1Yf_eHa_p0YQ}
[*] texsaw{tRa1Ls_rUn_c0LD}
texsaw{tRa1Ls_rUn_c0LD}

Freaky Flags (Cryptography 50)

An image file made up of stripes stacked vertically is attached. Going from top to bottom, convert the RGB values into characters.

#!/usr/bin/env python3
from PIL import Image

img = Image.open('freakyFlags.png').convert('RGB')
w, h = img.size

flag = ''
for y in [30, 100, 190, 310, 450, 560, 660]:
    r, g, b = img.getpixel((0, y))
    flag += chr(r)
    flag += chr(g)
    flag += chr(b)
print(flag)
the_flag_is_the_flag!
texsaw{the_flag_is_the_flag!}

Ironcrypt (Cryptography 300)

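An overview of the server's processing is as follows.

・one = "----------------" (presumably meaning unknown)
・two = "----------------" (presumably meaning unknown)
・maxlen = 256
・message: the input
・msglen: the length of message
・If msglen is 0, exit
・If msglen is greater than maxlen
 ・Truncate message to maxlen.
・If msglen is not a multiple of 16
 ・Pad message with 16 - msglen % 16 "0" characters
・encrypted = encrypt(message, one)
 ・Encrypt message with AES in OFB mode, using one as the key and two as the iv
・Display message
・Display message in hexadecimal
・Display encrypted in hexadecimal
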
$ nc 3.23.56.243 9013
Give me a message to encrypt:
123
Encryption Key:    texsaw{gl0ry_to_
Original Message:  1230000000000000
Message in Hex:    31323330303030303030303030303030
Encrypted Message: 3ac480e66ae6101e7d59484d0bcd5ad2

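In practice only the key is known. In OFB mode the first keystream block is the AES encryption of the IV, so the IV can be recovered as follows.

plaintext block 1 ^ ciphertext block 1 --(AES ECB mode decryption)--> IV
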
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor

key = b'texsaw{gl0ry_to_'
pt = b'1230000000000000'
ct = bytes.fromhex('3ac480e66ae6101e7d59484d0bcd5ad2')

aes = AES.new(key, AES.MODE_ECB)
iv = aes.decrypt(strxor(pt, ct))

flag = (key + iv).decode()
print(flag)
texsaw{gl0ry_to_th3_4zur_$kIes!}