å¸¸è¨CTFã®ksnctfã«ãƒãƒ£ãƒ¬ãƒ³ã‚¸ã—ã¾ã™ï¼ˆã‚¯ãƒªã‚¢çŠ¶æ³ã¯éšæ™‚æ›´æ–°ã—ã¾ã™ï¼‰

å‰å›ž ã‹ã‚‰ã€setodaNote CTF Exhibition ã‚’é–‹å§‹ã—ã¾ã—ãŸã€‚CTF ã«ã¯è¤‡æ•°ã®ã‚«ãƒ†ã‚´ãƒªãŒã‚ã‚Šã¾ã™ãŒã€ãƒªãƒãƒ¼ã‚¹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãƒªãƒ³ã‚°ã€Pwn ã‚’å„ªå…ˆçš„ã«å–ã‚Šçµ„ã¿ãŸã„ã¨æ€ã£ã¦ã„ã¾ã™ã€‚ã“ã‚Œã‚‰ãŒã ã„ãŸã„çµ‚ã‚ã£ãŸã®ã§ã€æ¬¡ã¯ã€ksnctf ã‚‚ä¸¦è¡Œã—ã¦é€²ã‚ã‚ˆã†ã¨æ€ã„ã¾ã™ã€‚

ksnctf ã‚‚ã€å›½å†…ã®å¸¸è¨ã® CTF ã§ã™ã€‚

ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚

ã¯ã˜ã‚ã«

ã€Œã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚è‰¯ã‹ã£ãŸã‚‰å‚è€ƒã«ã—ã¦ãã ã•ã„ã€‚

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®è¨˜äº‹ä¸€è¦§

ksnctf ã®å…¬å¼ã‚µã‚¤ãƒˆã¯ä»¥ä¸‹ã§ã™ã€‚

ksnctf.sweetduet.info

ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚

ksnctfã«ç™»éŒ²ã™ã‚‹

ä¸Šã® URL ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã€å³ä¸Šã® Login ã‚’ã‚¯ãƒªãƒƒã‚¯ã™ã‚‹ã¨ã€with Twitter ã¨å‡ºã‚‹ã®ã§ã€ã‚¯ãƒªãƒƒã‚¯ã—ã¾ã™ã€‚

ã‚¢ã‚¯ã‚»ã‚¹ã‚’è¨±å¯ã™ã‚‹ã‹ã‚’èžã‹ã‚Œã‚‹ã®ã§ã€ã€Œé€£æºã‚¢ãƒ—ãƒªã‚’èªè¨¼ã€ã‚’ã‚¯ãƒªãƒƒã‚¯ã—ã¾ã™ã€‚

ãƒã‚°ã‚¤ãƒ³ã§ãã¾ã—ãŸã€‚ç™»éŒ²ã®æ‰‹é †ã¯ä»¥ä¸Šã¨ãªã‚Šã¾ã™ã€‚

å•é¡Œä¸€è¦§

å•é¡Œæ•°ã¯ 41å•ã§ã€å…¨ã¦ã®ãƒã‚¤ãƒ³ãƒˆã‚’ç²å¾—ã™ã‚‹ã¨ 5161ãƒã‚¤ãƒ³ãƒˆã«ãªã‚‹ã¨æ€ã„ã¾ã™ã€‚Ranking ã‚’è¦‹ã‚‹ã¨ã€10,232åä¸ã€6åãŒ 5161ãƒã‚¤ãƒ³ãƒˆã§ã—ãŸã€‚å‚åŠ äººæ•°ãŒå¤šã„ã§ã™ãã€‚

ã“ã® CTF ã¯ã€Writeup ã®è¨˜äº‹ã‚’æ›¸ãã“ã¨ã¯å•é¡Œãªã„ã¨ã®ã“ã¨ã§ã™ãŒã€ãƒ•ãƒ©ã‚°ã®æ–‡å—åˆ—ã¯å…¬é–‹ã—ã¦ã¯ã„ã‘ãªã„ã¨ã®ã“ã¨ã§ã™ã€‚

å…¬å¼ã‚µã‚¤ãƒˆã§ã¯ã€å„å•é¡Œã«ã¤ã„ã¦ã€ã‚«ãƒ†ã‚´ãƒªã¯æ›¸ã‹ã‚Œã¦ã„ã¾ã›ã‚“ãŒã€å‚è€ƒã¾ã§ã«ã€ç§ãŒå‹æ‰‹ã«æƒ³åƒã—ãŸã‚«ãƒ†ã‚´ãƒªã‚’æ›¸ã„ã¦ãŠãã¾ã™ã€‚

No.	ã‚«ãƒ†ã‚´ãƒª	å•é¡Œå	ãƒã‚¤ãƒ³ãƒˆ	çŠ¶æ³
1	Misc	Test Problem	1	Complete
2	Crypto	Easy Cipher	50	Complete
3	Crypto	Crawling Chaos	100	Complete
4	Pwn	Villager A	300	0%
5	Crypto	Onion	70	0%
6		Login	120	0%
7		Programming	110	0%
8		Basic is secure?	50	0%
9		Digest is secure!	150	0%
10	Misc	#!	20	Complete
11		Riddle	200	0%
12		Hypertext Preprocessor	70	0%
13		Proverb	70	0%
14		John	60	0%
15		Jewel	250	0%
16		Math I	150	0%
17		Math II	50	0%
18		USB flash drive	80	0%
19		ZIP de kure	150	0%
20		G00913	30	0%
21		Perfect Cipher	200	0%
22		Square Cipher	60	0%
23		Villager B	450	0%
24		Rights out	100	0%
25		Reserved	30	0%
26		Sherlock Holmes	70	0%
27		Lives out	150	0%
28		Lo-Tech Cipher	60	0%
29		Double Blind	50	0%
30		Alpha Mixed Cipher	80	0%
31		KanGacha	130	0%
32	Web	Simple Auth	50	Complete
33		HTTPS is secure.	180	0%
34		Are you human?	220	0%
35	Web	Simple Auth II	20	0%
36		Are you ESPer?	120	0%
37		Competitive Programming	600	0%
38		Canned Can Opener	80	0%
39		Unknown Plaintext Attack	250	0%
40		Deep Flag Network	100	0%
41		Private BBS	80	0%

Misc

æœ€åˆã®å•é¡Œã¯ã€Test Problem ã¨ã„ã†ã“ã¨ãªã®ã§ã€ãŠãã‚‰ã Miscï¼ˆãƒŸã‚¹ã‚¯ï¼‰ã§ã™ã€‚

Test Problem

Problems ã‹ã‚‰ã€Test Problem ã‚’ã‚¯ãƒªãƒƒã‚¯ã—ã¾ã™ã€‚

1ãƒã‚¤ãƒ³ãƒˆç²å¾—ã—ã¦ã€10,232åä¸ã€7,679ä½ã«ãªã‚Šã¾ã—ãŸï¼

0ãƒã‚¤ãƒ³ãƒˆã®ã¾ã¾ã®æ–¹ã‚‚ã„ã¾ã—ãŸã—ã€åŒã˜ãƒã‚¤ãƒ³ãƒˆã®å ´åˆã¯ã€å¾Œã‹ã‚‰ãã®ãƒã‚¤ãƒ³ãƒˆã«ãªã£ãŸäººãŒã€ä¸Šã®é †ä½ã«ãªã‚‹ã‚ˆã†ã§ã™ã€‚

#!

å•é¡ŒåãŒè¨˜å·ã ã‘ã§ã™ã€‚

20ãƒã‚¤ãƒ³ãƒˆç²å¾—ã—ã¦ã€è¨ˆ21ãƒã‚¤ãƒ³ãƒˆã§ã€10,232åä¸ã€7,550ä½ã«ãªã‚Šã¾ã—ãŸï¼

Crypto

Easy Cipher

ã‚·ãƒ¼ã‚¶ãƒ¼æš—å·ã£ã½ã„ã§ã™ã€‚

ã‚ã‚Šã¨é«˜ã„é »åº¦ã§å‡ºã¦ãã‚‹ã®ã§ã€Python ã§æ›¸ã„ã¦ãŠãã¾ã™ã€‚

def str2int( ss, offset=0 ):
    
    lst = []
    for cc in ss:
        
        if cc == ' ':
            lst.append( ord(cc) )
        
        elif '0' <= cc <= '9':
            mm = (ord(cc) - ord('0') + offset) % (ord('9') - ord('0') + 1)
            lst.append( mm + ord('0') )
        
        elif 'A' <= cc <= 'Z':
            mm = (ord(cc) - ord('A') + offset) % (ord('Z') - ord('A') + 1)
            lst.append( mm + ord('A') )
        
        elif 'a' <= cc <= 'z':
            mm = (ord(cc) - ord('a') + offset) % (ord('z') - ord('a') + 1)
            lst.append( mm + ord('a') )
        
        else:
            
            lst.append( ord(cc) + offset )
    
    print( f"str2int={lst}" )
    
    return lst

def int2chr( lst ):
    
    ss = ""
    lst_ret = []
    for ii in lst:
        ss += chr(ii)
        lst_ret.append( chr(ii) )
    
    #print( lst_ret )
    print( f"int2chr={ss}" )
    
    return lst_ret

ss = "EBG KVVV vf n fvzcyr yrggre fhofgvghgvba pvcure gung ercynprf n yrggre jvgu gur yrggre KVVV yrggref nsgre vg va gur nycunorg. EBG KVVV vf na rknzcyr bs gur Pnrfne pvcure, qrirybcrq va napvrag Ebzr. Synt vf SYNTFjmtkOWFNZdjkkNH. Vafreg na haqrefpber vzzrqvngryl nsgre SYNT"

lst = str2int( ss, -13 )

lst_ret = int2chr( lst )

å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚ãƒ‡ãƒãƒƒã‚°çš„ãªã¨ã“ã‚ã¯çœç•¥ã—ã¦è²¼ã‚Šã¾ã™ã€‚

$ python tmp.py
int2chr=ROT XIII is a simple letter substitution cipher that replaces a letter with the letter XIII letters after it in the alphabet! ROT XIII is an example of the Caesar cipher developed in ancient Rome! Flag is FLAGSwzgxBJSAMqwxxAU! Insert an underscore immediately after FLAG

ç©ºç™½ã ã‘ã§ã¯ãªãã€è¨˜å·ãªã©ã‚‚ã€ãã®ã¾ã¾å‡ºåŠ›ã™ã‚‹ã‚ˆã†ã«ã—ãŸæ–¹ãŒè‰¯ã‹ã£ãŸã§ã™ãã€‚

50ãƒã‚¤ãƒ³ãƒˆç²å¾—ã—ã¦ã€è¨ˆ71ãƒã‚¤ãƒ³ãƒˆã§ã€10,232åä¸ã€5,561ä½ã«ãªã‚Šã¾ã—ãŸï¼

Crawling Chaos

ãƒªãƒ³ã‚¯ãŒ 1ã¤ã‚ã‚‹ã ã‘ã§ã™ã€‚ã“ã®ãƒªãƒ³ã‚¯ã‚’ã‚¯ãƒªãƒƒã‚¯ã™ã‚‹ã¨ã€å…¥åŠ›ãƒ•ã‚©ãƒ¼ãƒ ãŒ 1ã¤ã¨ã€é€ä¿¡ãƒœã‚¿ãƒ³ãŒã‚ã‚‹ã ã‘ã§ã™ã€‚æœ€åˆã¯ Web ã‹ãªã€ã¨æ€ã„ã¾ã—ãŸãŒã€Crypto ã«ã—ã¦ãŠãã¾ã™ã€‚

è©¦ã—ã«ã€aaa ã¨é€ã‚‹ã¨ã€ä½•ã‚‚ãªã‹ã£ãŸã‹ã®ã‚ˆã†ã«ã€ãƒ•ã‚©ãƒ¼ãƒ ã«å…¥åŠ›ã—ãŸæ–‡å—åˆ—ãŒæ¶ˆãˆã‚‹ã ã‘ã§ã™ã€‚å•é¡Œã®ã‚¿ã‚¤ãƒˆãƒ«ã® Crawling Chaos ã¨ã¯ã€ã€Œã‚«ã‚ªã‚¹ã‚’é€™ã†ã€ã¨ã„ã†æ„å‘³ã®ã‚ˆã†ã§ã™ã€‚

ã“ã†ã„ã†å•é¡Œã®å ´åˆã€æ”»æ’ƒã«ãªã‚Šãã†ãªã€ã‚ˆãã‚ã‚‹æ–‡å—åˆ—ã‚’ã²ãŸã™ã‚‰å…¥åŠ›ã—ã¦ã„ãã®ãŒæ£ã—ã„ã‚„ã‚Šæ–¹ãªã‚“ã§ã—ã‚‡ã†ã‹ã€‚æ™®é€šã®ãƒ–ãƒ©ã‚¦ã‚¶ã§è©¦ã™ã¨ã€ã„ã‚ã„ã‚è¦‹ãˆãªã„ã‚‚ã®ãŒå¤šã„ã®ã§ã€Burp Suite ãªã©ã‚’ä½¿ã£ã¦ã€HTTP ã®ãƒ˜ãƒƒãƒ€ã‚‚è¦‹ã¦ã„ãæ–¹ãŒã„ã„ã¨æ€ã„ã¾ã™ã€‚

Burp Suite ã‚’ä½¿ã£ã¦è¦‹ã¦ã¿ã‚‹ã¨ã€ãƒ¬ã‚¹ãƒãƒ³ã‚¹ã«ã€å¤§é‡ã®å¤‰ãªæ–‡å—ãŒè¿”ã£ã¦ãã¦ã„ã¾ã™ã€‚ä»¥ä¸‹ã®ã‚ˆã†ãªæ–‡å—åˆ—ã§ã€ã¾ã ã¾ã å¤§é‡ã«ç¶šãã¾ã™ã€‚

(á’§á†žÏ‰á†ž)=(/á†žÏ‰á†ž/),(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼=-!!(/á†žÏ‰á†ž/).ã«ã‚ƒãƒ¼,(ã€³á†žÏ‰á†ž)=(á’§á†žÏ‰á†ž),(ã€³á†žÏ‰á†ž).ã€³ã«ã‚ƒãƒ¼=- -!(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼,(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼ï½°=(ã€³á†žÏ‰á†ž).ã€³ã«ã‚ƒãƒ¼- -!(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼,(ã€³á†žÏ‰á†ž).ã€³ã«ã‚ƒãƒ¼ï½°=(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼ï½°- -(ã€³á†žÏ‰á†ž).ã€³ã«ã‚ƒãƒ¼,(á’§á†žÏ‰á†ž).á’§ã†ãƒ¼ãƒ¼=(ã€³á†žÏ‰á†ž).ã€³ã«ã‚ƒãƒ¼ï½°- -!(á’§á†žÏ‰á†ž)

ã“ã®å¤§é‡ã®æ–‡å—åˆ—ã®ä¸ã«ã€ãƒ•ãƒ©ã‚°ãŒéš ã‚Œã¦ã‚‹ã¨æŽ¨æ¸¬ã•ã‚Œã¾ã™ã€‚URL ãŒ unya.html ã¨ã„ã†ã“ã¨ã§ã€ã€Œã†ã€ã¨ã€Œã«ã‚ƒã€ãŒé–¢ä¿‚ã—ãã†ã§ã™ã€‚ã•ã™ãŒã«é¡”æ–‡å—ã¯é–¢ä¿‚ãªã„ã‹ãªã€ã¨æ€ã„ã¾ã™ã€‚

ã€Œã†ã€ã¨ã€Œã«ã‚ƒã€ã«ç¶šãã€å…¨è§’ã®ãƒã‚¤ãƒ•ãƒ³ã¨åŠè§’ã®ãƒã‚¤ãƒ•ãƒ³ã¯ã€ãƒ¢ãƒ¼ãƒ«ã‚¹ä¿¡å·ã®ã‚ˆã†ã«è¦‹ãˆã¾ã™ã€‚ãƒ¢ãƒ¼ãƒ«ã‚¹ä¿¡å·ã¨è¨€ãˆã°ã€ã€Œã†ã€ã¨ã€Œã«ã‚ƒã€ã§ã€ãƒ¢ãƒ¼ãƒ«ã‚¹ä¿¡å·ã®ã‚ˆã†ã«ã‚‚è¦‹ãˆã¾ã™ï¼ˆç¬‘ï¼‰ã€‚æ˜Žç¢ºãªåŒºåˆ‡ã‚Šæ–‡å—ãŒåˆ†ã‹ã‚Šã¾ã›ã‚“ã€‚

è¦‹æ–¹ã‚’å¤‰ãˆã¦ã€ã€Œã†ã€ãŒ 0 ã§ã€ã€Œã«ã‚ƒã€ãŒ 1 ã§ã€2é€²æ•°ã¨è¦‹ã¦ã€ASCIIã‚³ãƒ¼ãƒ‰ã«ãªã‚‹ã¨ã‹ã¯ã€ã©ã†ã§ã—ã‚‡ã†ã‹ã€‚ã†ãƒ¼ã‚“ã€é•ã†æ°—ãŒã™ã‚‹ã€‚

ã€Œã†ãƒ¼ã€ã€Œã«ã‚ƒãƒ¼ã€ã§æ¤œç´¢ã—ãŸã‚‰ã€ãƒ‡ã‚³ãƒ¼ãƒ‰ã¨ã‹å‡ºã¦ãã¾ã—ãŸã€‚ãªã‚‹ã»ã©ã€ãã†ã„ã†ã“ã¨ã§ã™ãã€‚

æœ¬æ¥ãªã‚‰ã€å…¥åŠ›ãƒ•ã‚©ãƒ¼ãƒ ã«ä½•ã‹å…¥åŠ›ã™ã‚‹ã¨ã€JavaScript ã®ãƒãƒƒãƒ—ã‚¢ãƒƒãƒ—ãŒå‡ºã‚‹ä»•æ§˜ã¿ãŸã„ã§ã™ã€‚ç¾åœ¨ã¯ã€jquery ãŒã†ã¾ãèªã‚ãªã„ã‚ˆã†ã§ã™ã€‚è©¦ã—ã«ã€jquery ã‚’ãƒãƒ¼ã‚«ãƒ«ã«ç½®ã„ãŸçŠ¶æ…‹ã§ã€unya.html ã‚’å‹•ã‹ã—ã¦ã¿ã¾ã—ãŸã€‚

ä»¥ä¸‹ã®ã‚ˆã†ã«ã€ä½•ã‹æ–‡å—ã‚’å…¥ã‚Œã‚‹ã¨ã€ãƒãƒƒãƒ—ã‚¢ãƒƒãƒ—ãŒå‡ºã¾ã™ã€‚ã—ã‹ã—ã€ã‚½ãƒ¼ã‚¹ã‚’è¦‹ã¦ã‚‚ã€ã“ã‚“ãªãƒãƒƒãƒ—ã‚¢ãƒƒãƒ—ãŒå‡ºã‚‹ã‚ˆã†ãªã‚½ãƒ¼ã‚¹ã¯ç„¡ãã€ã€Œã†ãƒ¼ã€ã¨ã€Œã«ã‚ƒãƒ¼ã€ã ã‘ã«è¦‹ãˆã¾ã™ã€‚

unya.htmlの本来の挙動 — unya.htmlã®æœ¬æ¥ã®æŒ™å‹•

JavaScript ã¯ã€å¤‰æ•°åã«å…¨è§’æ–‡å—ãŒä½¿ãˆã‚‹ã¨ã„ã†ã“ã¨ã§ã€ã“ã‚Œã¯æ£ã—ã„ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã¨ã„ã†ã“ã¨ã§ã™ã€‚ã“ã®ã¾ã¾ã§ã¯èªã¿ã«ãã„ã®ã§ã€ã¨ã‚Šã‚ãˆãšã€console.log ã§å‡ºåŠ›ã—ã¦ã¿ã‚Œã°ã„ã„ã‚‰ã—ã„ã€‚ãã‚Œã‚’æ•´å½¢ã—ãŸã®ãŒä»¥ä¸‹ã§ã™ã€‚

å¤‰æ•° f ã‚’ã€false ã«ã—ãªã‘ã‚Œã°è‰¯ã•ãã†ã§ã™ãã€‚ãã®ãŸã‚ã«ã¯ã€if(t.charCodeAt(i) * (i + 1) != p[i]) ãŒå¸¸ã«æˆã‚Šç«‹ã¤ã‚ˆã†ã«ã€p ã«åˆã‚ã›ã¦å…¥åŠ›ã—ã¦ã‚„ã‚Œã°ã„ã„ã§ã™ã€‚

$(function(){
  $("form").submit(function(){
    var t = $('input[type="text"]').val();
    var p = Array(70,152,195,284,475,612,791,896,810,850,737,1332,1469,1120,1470,832,1785,2196,1520,1480,1449);
    var f = false;
    
    if(p.length == t.length){
      f = true;
      for(var i = 0; i < p.length; i++)
        if(t.charCodeAt(i) * (i + 1) != p[i])
          f = false;
      
      if(f)
        alert("(ã€ãƒ»Ï‰ãƒ»)ã€ã†ãƒ¼!(/ãƒ»Ï‰ãƒ»)/ã«ã‚ƒãƒ¼!");
    }
    if(!f)
      alert("No");
    
    return false;
  });
});

ã§ã¯ã€Python ã§è¨ˆç®—ã•ã›ã¾ã™ã€‚

lst = [70,152,195,284,475,612,791,896,810,850,737,1332,1469,1120,1470,832,1785,2196,1520,1480,1449]

for ii, pp in enumerate(lst):
    
    ret = int( pp / (ii + 1) )
    
    assert ret * (ii + 1) == pp, "fatal"
    
    print( chr(ret), end="" )

print()

å®Ÿè¡Œã™ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒå‡ºåŠ›ã•ã‚Œã¾ã™ã€‚

100ãƒã‚¤ãƒ³ãƒˆç²å¾—ã—ã¦ã€è¨ˆ171ãƒã‚¤ãƒ³ãƒˆã§ã€10,232åä¸ã€4,150ä½ã«ãªã‚Šã¾ã—ãŸï¼

Onion

å¤§é‡ã®æ–‡å—ãŒã‚ã‚Šã¾ã™ã€‚base64 ã§ã—ã‚‡ã†ã‹ã€‚76æ–‡å—ã”ã¨ã«æ”¹è¡ŒãŒå…¥ã£ã¦ã„ã¾ã™ã€‚

base64 ã§ãƒ‡ã‚³ãƒ¼ãƒ‰ã—ã¦ã¿ã¾ã—ãŸãŒã€æ–‡å—åˆ—ã§ã¯ãªã•ãã†ã§ã™ã€‚

ã¡ã‚‡ã£ã¨åˆ†ã‹ã‚‰ãªã„ã®ã§ã€å¾Œå›žã—ã§ã™ã€‚

ã“ã‚Œã‚‚ã€Crypto ã«ã—ã¦ãŠãã¾ã™ã€‚

Web

Simple Auth

URL ãŒ 2ã¤ã‚ã‚Šã¾ã™ï¼ˆhttp ã¨ httpsï¼‰ãŒã€å®Ÿéš›ã«è¡Œã£ã¦ã¿ã‚‹ã¨ã€è¦‹ãŸç›®ã¯åŒã˜ã«è¦‹ãˆã¾ã™ã€‚

ã‚½ãƒ¼ã‚¹ãŒã‚ã‚‹ã®ã§ã€è¦‹ã¦ã¿ã¾ã™ã€‚FLAG_???????????????? ã‚’å…¥ã‚Œã‚‹ã¨ã€è‰¯ã•ãã†ã§ã™ãŒã€ã“ã‚ŒãŒã€ãã®ã¾ã¾ãƒ•ãƒ©ã‚°ã«ãªã‚‹ã¨ã„ã†ã“ã¨ã§ã—ã‚‡ã†ã‹ã€‚

<!DOCTYPE html>
<html>
  <head>
    <title>Simple Auth</title>
  </head>
  <body>
    <div>
<?php
$password = 'FLAG_????????????????';
if (isset($_POST['password']))
    if (strcasecmp($_POST['password'], $password) == 0)
        echo "Congratulations! The flag is $password";
    else
        echo "incorrect...";
?>
    </div>
    <form method="POST">
      <input type="password" name="password">
      <input type="submit">
    </form>
  </body>
</html>

ã“ã®ã‚½ãƒ¼ã‚¹ã‚’ã€Webã‚µãƒ¼ãƒã«ã‚¢ãƒƒãƒ—ã—ã¦ã€ã‚„ã£ã¦ã¿ã¾ã™ã€‚ã‚„ã£ã±ã‚Šã“ã‚Œã§ã„ã„ã§ã™ã‚ˆãã€‚ã¨ã„ã†ã“ã¨ã¯ã€ã“ã®ã‚½ãƒ¼ã‚¹ã¯ã€å®Ÿéš›ã«ä½¿ã‚ã‚Œã¦ã‚‹ã‚½ãƒ¼ã‚¹ã¨ã¯é•ã†ã£ã¦ã“ã¨ã§ã™ã‹ãã€‚???? ã‚’è€ƒãˆã‚‹å•é¡Œã¨ã„ã†ã“ã¨ã§ã—ã‚‡ã†ã‹ã€‚

自分のサーバでやってみた — è‡ªåˆ†ã®ã‚µãƒ¼ãƒã§ã‚„ã£ã¦ã¿ãŸ

ã†ãƒ¼ã‚“ã€å¾Œå›žã—ã«ã—ã¾ã™ã€‚

Simple Auth II

Simple Auth ã«ç¶šã„ã¦ã€Simple Auth II ã§ã™ã€‚ãªãœã‹ â…¡ ã®æ–¹ãŒãƒã‚¤ãƒ³ãƒˆãŒä½Žã„ã§ã™ã€‚

ã“ã¡ã‚‰ã‚‚ã€URL ãŒ 2ã¤ã‚ã‚Šã¾ã™ï¼ˆhttp ã¨ httpsï¼‰ãŒã€å®Ÿéš›ã«è¡Œã£ã¦ã¿ã‚‹ã¨ã€è¦‹ãŸç›®ã¯åŒã˜ã«è¦‹ãˆã¾ã™ã€‚ã‚½ãƒ¼ã‚¹ãŒã‚ã‚‹ã®ã§ã€è¦‹ã¦ã¿ã¾ã™ã€‚

ã“ã¡ã‚‰ã‚‚å¾Œå›žã—ã«ã—ã¾ã™ã€‚

Pwn

Villager A

300ãƒã‚¤ãƒ³ãƒˆã®å•é¡Œã§ã™ã€‚SSH ã§ãƒã‚°ã‚¤ãƒ³ã§ãã‚‹ã¨ã„ã†ã“ã¨ã§ã—ã‚‡ã†ã‹ã€‚

è©¦ã—ã«ã€ãƒã‚°ã‚¤ãƒ³ã—ã¦ã¿ã¾ã™ã€‚å…¥ã‚Œã¾ã—ãŸã€‚ãƒ•ãƒ©ã‚°ãŒã‚ã‚Šã¾ã™ï¼ã—ã‹ã—ã€æ¨©é™ãŒãªã„ã§ã™ã€‚q4 ã¨ã„ã†ãƒ—ãƒã‚°ãƒ©ãƒ ãŒç½®ã„ã¦ã‚ã‚Šã¾ã™ãã€‚ã‚ã€SGID ã®ãƒ“ãƒƒãƒˆãŒç«‹ã£ã¦ã¾ã™ãã€ã“ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’å®Ÿè¡Œã—ã¦ã‚‹ã¨ãã«ãƒ•ãƒ©ã‚°ãŒèªã‚ã‚‹ã¨ã„ã†ã“ã¨ã§ã—ã‚‡ã†ã‹ã€‚

$ ssh [email protected] -p 10004
The authenticity of host '[ctfq.u1tramarine.blue]:10004 ([160.16.127.224]:10004)' can't be established.
RSA key fingerprint is SHA256:LBqdPUUa6DGkF6+BSQfNrILUDplXcgxzAUIiW/DeFQ8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[ctfq.u1tramarine.blue]:10004' (RSA) to the list of known hosts.
[email protected]'s password:

[q4@eceec62b961b ~]$ ls
flag.txt  q4

[q4@eceec62b961b ~]$ cat flag.txt
cat: flag.txt: Permission denied

[q4@eceec62b961b ~]$ ls -alF
total 32
dr-xr-xr-x 1 root root 4096 Feb 27  2021 ./
drwxr-xr-x 1 root root 4096 Feb 27  2021 ../
-rw-r--r-- 1 root root   18 Jul 21  2020 .bash_logout
-rw-r--r-- 1 root root  141 Jul 21  2020 .bash_profile
-rw-r--r-- 1 root root  456 Feb 27  2021 .bashrc
-r--r----- 1 root q4a    22 Feb 26  2021 flag.txt
-r-xr-sr-x 1 root q4a  5857 Feb 26  2021 q4*

[q4@eceec62b961b ~]$ file q4
q4: setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=526c75e7f0f34744808eb1b09a5a91880562efc8, not stripped

[q4@eceec62b961b ~]$ ./q4
What's your name?
aa
Hi, aa

Do you want the flag?
bb
Do you want the flag?
^C
[q4@eceec62b961b ~]$

300ãƒã‚¤ãƒ³ãƒˆãªã®ã§ã€ç°¡å˜ã§ã¯ãªã•ãã†ã§ã™ã€‚å¾Œå›žã—ã«ã—ã¾ã™ã€‚

ãŠã‚ã‚Šã«

ä»Šå›žã¯ã€ksnctf ã®ãƒãƒ£ãƒ¬ãƒ³ã‚¸ã‚’é–‹å§‹ã—ã¾ã—ãŸã€‚

å°‘ã—ã‚„ã£ã¦ã¿ãŸæ„Ÿæƒ³ã§ã™ãŒã€ã‚«ãƒ†ã‚´ãƒªãŒåˆ†ã‹ã‚‰ãªã„ã®ã¨ã€å•é¡Œã®ãƒ¬ãƒ™ãƒ«ãŒåˆ†ã‹ã‚‰ãªã„ã®ã¯ã€åˆå¿ƒè€…ã«ã¯å°‘ã—åŽ³ã—ã‹ã£ãŸã§ã™ã€‚ã©ã‚“ãªã‚«ãƒ†ã‚´ãƒªã§ã‚‚ã€ã‚ã‚‹ç¨‹åº¦é€²ã‚ã‚‰ã‚Œã‚‹ CTFä¸ç´šè€…ä»¥ä¸Šã®æ–¹ãŒå¯¾è±¡ãªæ°—ãŒã—ã¾ã™ã€‚

ã‚ã¨ã€ãƒ¡ãƒ³ãƒ†ãƒŠãƒ³ã‚¹ãŒã•ã‚Œã¦ã„ãªã„ã‚ˆã†ãªã®ã§ã€åˆå¿ƒè€…ã¯ã€å¤‰ãªã¨ã“ã‚ã«ãƒãƒžã‚‹ã¨ã“ã‚ã‚‚ã‚ã‚Šã¾ã—ãŸã€‚åˆ¥ã®å•é¡Œã§ã€ãƒ¬ãƒ™ãƒ«ã‚’ä¸Šã’ã¦ã‹ã‚‰ã€å†æŒ‘æˆ¦ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚