Pwn2Win CTF 2017

Pwn2Win CTF 2017 writeup Great Cybernetic Revolution (Read first)

Great Cybernetic Revolution (Read first)

In the year 2037, the Great Cybernetic Revolution (GCR) occurred, and we all saw it coming, due to the explosion of the so called IoT (Internet of Things) where everything is linked. Government has completely lost control over the population, along with its authority, because people did not want any monitoring or limitations anymore. That was the spark that ignited the GCR. In this period, feeding on the spreading crisis, and thanks to popular demand, a referendum that aspired to give sovereignty to the Corporations was made. They would be self-sufficient and would not have any kind of government interference. With a victorious 'Yes', the constitutional amendment 42 came to life, giving full power to any corporation in every sense of the word. The Power was theirs and now they made the rules. They offer us jobs, houses, healthcare, and satisfy every demand of their affiliated. Those who aren't under the protection of any Corps. are known as 'rem', acronym from remnants. They live outside the so called 'safezones' - secured and heavily monitored zones. The two biggest corporations are 'BloodSuckers Corp' (BSC) and 'Butcher Corp' (BC).

Paper money is no more in the safezones, every trade is made with the virtual coin named 'EpicCoin' or just 'epc'. Every individual born in the 'safezones' gets a virtual wallet to be used throughout their lives. Outside the safezones (in the place known as 'the limbo'), there is still physical money (called 'Brutos'), remaining from the time before the GCR, but it's really scarce. People bargain as usual offering trades and services.

There is a very active hacker group formed by 'rems', known as the 'Rebellious Fingers' (RF). Their main agenda is to take down the Corps., main reason being, just like all other 'rems', they feel excluded and betrayed because they expected more equality when they voted 'yes' in the referendum that would end up giving birth to Constitutional Amendment 42. This is how the C²O (Civil Cyberwar Offensive) came to be! Their motto is "all your functions return to us!".

Corporations have only become powerful because they detain knowledge, and knowledge is power! To protect their intellectual property only chipped individuals may join the Corps. One of the prerequisites to obtain a chip is having an internal indication. It is planted directly inside the brain, creating the so called 'Biobrains' (Bionic Brains). Everyone with one of these chips has access to the corporative network, each one of them with their own permissions reflected on their level inside the corporation. This level is defined by achievements, when they are able to create or do something that manages to catch their CP's (Main Council) eyes.

The 'achievement run' is one of the corporation's biggest internal problems. Many have started to genetically modify and enhance themselves in order to become more competitive. Upgrading their own chips isn't something very rare anymore. Some of their affiliates are walking the thin line between man and machine. There is a catch though - this type of enhancement can only be performed by the corporations' neglected hackers and scientists - Limbo people. To visit the limbo is not illegal but opens room for dangerous questions. With the intensified dispute between the corps., the number of people kidnapped and tortured for their internal secrets has grown. Another very common practice is desertion. When it is proven, the corporation under which the affiliated lies may try to render their chip useless, taking that individual out of circulation. There is a backdoor installed straight out of factory but there are also ways to deactivate it before the NCSD (non-consensual shut-down) or roughly speaking - elimination.

Corporations have a counter-intelligence sector, connected to the security sector, responsible for avoiding intel leaks, spying, along with other internal and external corporational related attacks. They have developed a method that scans their employees looking for gadgets that could exfiltrate data.

Every day, everyone leaving the corporation must undergo this procedure. One of these mechanisms is called 'Spectrum', and it's graphene based, a material known for its ability to detect the spectrum of the terahertz radiation (T-Rays) at room temperature. They have also developed a neural helmet, allowing them to scan memories inside an individual's mind looking for relevant information that may solve some case falling strictly under the 'Omega Alert', in other words, investigations that seek resolution to betrayal, intellectual property robbery, murder or desertion cases. The use of such equipment has to be approved by the CP.

Two RF members, Case and Molly, managed after months of work to infiltrate Bloodsuckers and Butch Corp. They were helped by two individuals who refused to enhance themselves and were not happy with the achievement system. After reversing their brain chips the duo managed to create their own (free from backdoors, obviously). After that, with fake IDs that erased their limbo past, they were enlisted by the unidentified individuals to get affiliated.

Based on this intel, we need your help in the C²O, aiming at restructuring the rigged system that has taken place.

Answer with 'CTF-BR{mission_accepted}' if you wish to help us!

Id: great_cybernetic_revolution

Total solves: 185

Score: 55

Categories: Story

The flag is given at the end of the challenge text.
The flag is 'CTF-BR{mission_accepted}'.



Pwn2Win CTF 2017 writeup g00d b0y

g00d b0y

Now prove you were a good kid and show you learned the most basic lesson in CTFs!!

Id: g00d_b0y

Total solves: 142

Score: 84

Categories: Bonus

The flag is given at the bottom of the Rules page.

The flag is
CTF-BR{RTFM_1s_4_g00d_3xpr3ss10n_v3.0}



Pwn2Win CTF 2017 writeup Differential Privacy

Differential Privacy

Is it possible to have privacy on these days? The Rebellious Fingers do not think so. Get the flag.

Server: nc 200.136.213.143 9999


Id: differential_privacy

Total solves: 54

Score: 191

Categories: Crypto

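Connect to the given server with the nc command. On connecting, a menu is displayed. Options 1 and 2 can be selected; entering 3 disconnects. Selecting 1 displays some information. Selecting 2 displays numbers that look like ASCII codes, but some of them exceed 127, the upper bound of the ASCII range, so they are not ASCII codes as they stand.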
$ nc 200.136.213.143 9999
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
1
You can query the flag, but the characters are private (indistinguishable).
Differential privacy mechanism: Laplace
Sensitivity: ||125 - 45|| = 80
Epsilon: 6.5

Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
2
[81, 90, 59, 47, 106, 63, 125, 71, 78, 104, 96, 101, 101, 124, 106, 118, 80, 100, 103, 118, 101, 62, 109, 110, 103, 132, 98, 147, 97, 130, 94, 120, 69, 52, 117, 120, 116]
Connect to the server once more. The information shown for option 1 appears to be the same. For option 2, the number of values is the same, but the values themselves differ.
$ nc 200.136.213.143 9999
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
1
You can query the flag, but the characters are private (indistinguishable).
Differential privacy mechanism: Laplace
Sensitivity: ||125 - 45|| = 80
Epsilon: 6.5

Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
2
[62, 62, 79, 56, 57, 89, 124, 75, 100, 90, 127, 95, 96, 118, 140, 142, 106, 67, 123, 103, 112, 93, 119, 78, 107, 86, 142, 114, 110, 115, 89, 110, 132, 106, 108, 112, 119]
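At this point I searched for "Differential privacy mechanism: Laplace". This is differential privacy, a technique that protects personal information by adding noise drawn from a Laplace distribution while still allowing the data to be used for analysis.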
https://en.wikipedia.org/wiki/Differential_privacy
https://www.slideshare.net/kentarominami39/ss-64088396
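Therefore, by connecting to the server many times and collecting a large number of samples, the noise in each value should average out and the means should eventually converge to the flag string. I wrote a Python program to automate this.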
# -*- coding:utf-8 -*-
# Server connection example file for Python 2
import socket
import sys

###########################
def solve(l, n):
    # Add this sample to the running per-position totals.
    for i in range(len(l)):
        totals[i] = totals[i] + int(l[i])
    # Offset between the running mean and the known characters of the
    # flag format "CTF-BR{" ... "}" (positions 0-6 and 36).
    c0  = round(totals[0] *1.0/n - ord('C'))
    c1  = round(totals[1] *1.0/n - ord('T'))
    c2  = round(totals[2] *1.0/n - ord('F'))
    c3  = round(totals[3] *1.0/n - ord('-'))
    c4  = round(totals[4] *1.0/n - ord('B'))
    c5  = round(totals[5] *1.0/n - ord('R'))
    c6  = round(totals[6] *1.0/n - ord('{'))
    c36 = round(totals[36]*1.0/n - ord('}'))
    ave = int(round((c0 + c1 + c2 + c3 + c4 + c5 + c6 + c36) / 8))
    # Candidate flag: rounded mean of each position minus the average offset.
    f = totals
    f = map(lambda c:chr(int(round(c*1.0/n)-ave)), f)
    a = ''.join(f)
    print(a)
    # Stop as soon as the known prefix is recovered.
    if a.startswith('CTF-BR{'):
        return a
    return ''

totals = [0 for i in range(37)]  # running sum for each of the 37 positions
n = 0                            # number of samples collected so far

while True:
    host = '200.136.213.143'
    if len(sys.argv) > 1:
        host = sys.argv[1]
    port = 9999
    if len(sys.argv) > 2:
        port = int(sys.argv[2])
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect((host, port))

    client_file = client.makefile('b')

    # Read the menu up to its last line.
    while True:
        s = client_file.readline().strip()
        print(s)
        if '[3] Quit' in s:
            break
    n = n + 1
    # Option 2: query the noisy flag values.
    client_file.write("2\n")
    client_file.flush()
    s = client_file.readline().strip()
    print(s)
    l = s[1:-1].split(',')
    ans = solve(l, n)
    while True:
        s = client_file.readline().strip()
        print(s)
        if '[3] Quit' in s:
            break
    # Option 3: quit, then close this connection.
    client_file.write("3\n")
    client_file.flush()
    client.close()
    if ans != "":
        break

print(ans)
Running the Python program above takes quite a long time, but you can see the output gradually converging to the flag.
$ python aaa.py
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[66, 91, 45, 49, 53, 91, 119, 106, 102, 83, 68, 97, 100, 109, 135, 92, 109, 61, 107, 101, 132, 96, 121, 108, 102, 101, 100, 108, 93, 113, 92, 61, 119, 108, 101, 82, 99]
Ha37;a}plYJgjs?bsCqk?frlkjrcwbC}rkXi
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[68, 84, 56, 46, 50, 74, 141, 79, 107, 100, 109, 88, 108, 118, 117, 103, 89, 100, 76, 109, 166, 69, 104, 106, 135, 105, 84, 113, 102, 120, 100, 124, 109, 125, 123, 103, 153]
EZ526U?_k^[_jt?deS^k?Usmyi^qdwb_twr_?
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[69, 71, 57, 45, 55, 105, 95, 70, 97, 110, 119, 114, 103, 137, 108, 109, 90, 101, 96, 122, 130, 107, 101, 109, 97, 129, 98, 114, 120, 106, 77, 113, 109, 124, 114, 69, 146]
FT717\xWhdefj{zgbY_q?]onqr`rks\erysW?
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[60, 92, 57, 52, 64, 74, 170, 57, 119, 119, 139, 114, 103, 87, 139, 91, 72, 109, 81, 127, 127, 98, 111, 98, 94, 130, 117, 117, 92, 110, 100, 113, 113, 85, 102, 102, 111]
CV719W?Okhnhir~d[^[t?^njluergq]hrpoZ?
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[63, 91, 77, 45, 85, 85, 128, 91, 98, 107, 114, 81, 112, 129, 119, 95, 97, 104, 126, 108, 130, 103, 115, 99, 129, 106, 98, 116, 116, 126, 101, 110, 125, 106, 107, 107, 126]
AV:/=V?Qihncit|b[_aq?_nhorcris^hsnm]
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[64, 82, 86, 35, 57, 72, 111, 64, 83, 112, 103, 109, 101, 133, 121, 141, 96, 96, 104, 108, 137, 79, 121, 95, 93, 119, 94, 139, 98, 115, 62, 105, 120, 58, 130, 94, 112]
BV@.>U?Ofjnfjx|j]`cr?]qhmtdwitZiufr^~
(omitted)
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
[92, 67, 75, 51, 58, 119, 121, 116, 138, 58, 93, 80, 86, 120, 116, 116, 89, 103, 105, 104, 96, 104, 109, 113, 112, 118, 96, 135, 124, 86, 114, 100, 100, 104, 119, 116, 123]
CTF-BR{I_am_just_filtering_uhe_noise}
Hello, chose an option:
[1] Info
[2] Query the flag (in ASCII)
[3] Quit
CTF-BR{I_am_just_filtering_uhe_noise}
One word looks slightly off, but "uhe" is presumably "the".
The flag is
CTF-BR{I_am_just_filtering_the_noise}
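
Why the averaging works, and what stops it, as an added Python 3 simulation (not the challenge's server code and not the solver above): the sensitivity and epsilon come from the Info output, while the two server classes, the zero-mean noise model and the secret string are assumptions made for illustration. Every fresh answer spends another epsilon of privacy budget, so a service that redraws noise on each query offers no lasting protection; replaying one cached noisy answer does.

```python
import math
import random

SENSITIVITY = 80.0              # from the Info output: ||125 - 45|| = 80
EPSILON = 6.5                   # from the Info output
SCALE = SENSITIVITY / EPSILON   # Laplace scale b = sensitivity / epsilon

def laplace(rng, b):
    """Laplace(0, b) sample: difference of two exponentials with mean b."""
    return rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)

class FreshNoiseServer:
    """Assumed model of the service: independent noise on every query."""
    def __init__(self, secret, rng):
        self.secret, self.rng = secret, rng

    def query(self):
        return [round(ord(c) + laplace(self.rng, SCALE)) for c in self.secret]

class CachedNoiseServer(FreshNoiseServer):
    """Mitigation: draw the noise once, then replay the same answer."""
    def __init__(self, secret, rng):
        super().__init__(secret, rng)
        self.cached = super().query()

    def query(self):
        return self.cached

def average_queries(server, n):
    """Average n responses per position and decode the means as text."""
    totals = [0] * len(server.secret)
    for _ in range(n):
        totals = [t + s for t, s in zip(totals, server.query())]
    # Clamp to printable ASCII so the decoded string is always displayable.
    return "".join(chr(min(126, max(32, round(t / n)))) for t in totals)

def queries_needed(half_width=0.5, z=3.0):
    """Queries until z standard errors of the mean fit inside half_width.
    Var(Laplace(b)) = 2*b**2, so the standard error is b*sqrt(2/n)."""
    return math.ceil(2.0 * (z * SCALE / half_width) ** 2)

if __name__ == "__main__":
    secret = "CTF-BR{constructed_sample}"   # constructed, not the real flag
    fresh = FreshNoiseServer(secret, random.Random(2017))
    cached = CachedNoiseServer(secret, random.Random(2017))
    for n in (1, 100, 30000):
        print(n, average_queries(fresh, n), average_queries(cached, n))
    print("queries for +/-0.5 at 3 sigma:", queries_needed())
```

With fresh noise the decoded string converges on the secret as n grows, while the cached server returns the same noisy string no matter how many times it is asked.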


