tkbctf3 Write-up - kusano-kâ€™s blog

3ä½ã ã£ãŸã€‚

Misc 100 Real World TeX

ã“ã‚“ãªæ„Ÿã˜ã®è¬Žã®texãƒ•ã‚¡ã‚¤ãƒ«ã€‚16é€²æ•°ã‚’æ–‡å—ã«ç›´ã—ã€^^ã‚„KKã‚’å‰Šé™¤ã—ã€ZVHNã‚’ãã‚Œãžã‚Œ\ã‚¹ãƒšãƒ¼ã‚¹{}ã«ç½®æ›ã¨ã™ã‚‹ã¨texã£ã½ããªã‚‹ã‘ã©ã€Iã‚„Gã‚’ã©ã†å‡¦ç†ã—ã¦è‰¯ã„ã®ã‹åˆ†ã‹ã‚‰ãªã‹ã£ãŸã€‚

^^5c^^66^^75^^74^^75^^72^^65^^6c^^65^^74^^7e ^^5c^^63^^61^^74^^63^^6f^^64^^65^^60K7
KK5cKK65KK6eKK64KK6cKK69KK6eKK65KK63KK68KK61KK72- KK5cKK73KK74KK72KK69KK6eKK67KK60
KK7eKK60I13KK7eKK60G10KK5cKK6cKK65KK74 IKK7eI86G10I83G7I72G1I90V0I78V2I80G6I82G5

Network 100 Our Future

IPv6ã§ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ã‚ãƒ¼ãŒè¡¨ç¤ºã•ã‚Œã‚‹ã€‚æˆ‘ãŒå®¶ã¯IPv4ãªã®ã§ã€â†“ã®ã‚µã‚¤ãƒˆã‚’ä½¿ã£ãŸã€‚

http://www.ipv6proxy.net/

InexhaustibleEnergy

Crypto 200 The Deal

520.421.926.48.56.914.402.585.81.824.826.115.515.472.522.397.116.789.415.525.â€¦

ã“ã‚“ãªæ„Ÿã˜ã®æš—å·åˆ†ã¨ã€æš—å·åŒ–ã™ã‚‹ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆãŒä¸Žãˆã‚‰ã‚Œã‚‹ã€‚æš—å·åŒ–ã™ã‚‹ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã§è‰²ã€…è©¦ã™ã¨ã€å¹³æ–‡ã®å„æ–‡å—ã®æ–‡å—ã‚³ãƒ¼ãƒ‰ã«éµã‹ã‚‰ç®—å‡ºã•ã‚Œã‚‹å€¤ã‚’è¶³ã—ã¦ã€941 â†’ 520.421ã®ã‚ˆã†ã«2å€‹ã®å€¤ã«åˆ†ã‘ã‚‹æš—å·åŒ–ã ã¨åˆ†ã‹ã‚‹ã€‚

2å€‹ãšã¤è¶³ã—åˆã‚ã›ã¦ã€

520.421.926.48.56.914.402.585.81.824.826.115.515.472.522.397.116.789.415.525.â€¦

â†“

941.974.970.987.905.941.987.919.905.940.â€¦

ã‚ã¨ã¯ã€Œéµã‹ã‚‰ç®—å‡ºã•ã‚Œã‚‹å€¤ã€ã‚’å…¨æŽ¢ç´¢ã™ã‚Œã°è‰¯ã„ã€‚873ã ã£ãŸã€‚
â†“

Dear Dr. Câ€¦

FreePizza!ComeAndGetIt

Forensics 350 Is the order a FAT?

FAT12ã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã€å®Ÿã¯exFATã‚‰ã—ã„ã€‚è§£ã‘ãªã‹ã£ãŸã€‚

Binary 300 Penalty

ãƒ–ãƒ¼ãƒˆã‚»ã‚¯ã‚¿ã€‚ãƒ–ãƒ¼ãƒˆã‚»ã‚¯ã‚¿ã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã¯0x7c00ã«èªã¿è¾¼ã¾ã‚Œã‚‹ã€‚ã¾ãŸãƒ—ãƒã‚°ãƒ©ãƒ ãŒINTnã‚’å®Ÿè¡Œã—ãŸã¨ãã¯ã€4nç•ªåœ°ã®é–¢æ•°ãŒã€ã‚¹ã‚¿ãƒƒã‚¯ã«INTnã®æ¬¡ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒç©ã¾ã‚ŒãŸçŠ¶æ…‹ã§å‘¼ã³å‡ºã•ã‚Œã‚‹ã€‚ã“ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¯ã€0x000cã‚’0x88ã«æ›¸ãæ›ãˆã€INT3ã‚’ä½¿ã£ã¦é›£èªåŒ–ã‚’ã—ã¦ã„ã‚‹ã€‚

00000088  5D                pop bp
00000089  4D                dec bp
0000008A  837600AA          xor word [bp+0x0],byte -0x56
0000008E  55                push bp
0000008F  CF                iretw

INT3ã¨æ¬¡ã®å‘½ä»¤ã‚’ãã‚Œãžã‚Œ0xaaã¨0xffã§xorã—ã¦ã„ã‚‹ã€‚æ¬¡ã®å‘½ä»¤ãŒxor 0xffã•ã‚Œã‚‹ã“ã¨ã«æ°—ãŒä»˜ã‹ãšã€æ™‚é–“ãŒæŽ›ã‹ã£ãŸã€‚å…¥åŠ›ã•ã‚ŒãŸæ–‡å—åˆ—ã‚’ecxã«èªã¿è¾¼ã¿ã€ãƒã‚§ãƒƒã‚¯ã—ã¦ã„ã‚‹ã®ã§ã€ecxã‚’å…¨æŽ¢ç´¢ã™ã‚‹ã€‚

#include <stdio.h>

unsigned int rol(unsigned int n, unsigned int s){return n<<s|n>>(32-s);}

bool check(unsigned int ecx)
{
    unsigned int esi, edi, edx, ebx, eax;
    esi=0xd76aa478;
    edi=0xfffa3942;
    edx=ecx;
    edx=rol(edx,16);

    //  11c
    edi^=esi;

    //  120
    ebx=edi;
    ebx+=ecx;
    eax=ebx;
    ebx=rol(ebx,1);
    ebx+=eax;
    ebx-=1;
    eax=ebx;
    ebx=rol(ebx,4);
    ebx^=eax;
    esi^=ebx;

    //  141
    ebx=esi;
    ebx+=edx;
    eax=ebx;
    ebx=rol(ebx,2);
    ebx+=eax;
    ebx+=1;
    eax=ebx;
    ebx=rol(ebx,8);
    ebx^=eax;
    ebx+=ecx;
    eax=ebx;
    ebx=rol(ebx,1);
    ebx-=eax;
    eax=ebx;
    eax|=esi;
    ebx=rol(ebx,16);
    ebx^=eax;
    edi^=ebx;

    //  17c
    ebx=edi;
    ebx+=edx;
    eax+=ebx;
    ebx=rol(ebx,2);
    ebx+=eax;
    ebx+=1;
    esi^=ebx;

    //return esi==0x639fd029 && edi==0x2a5891ff;
    return esi==0x639fd029 || edi==0x2a5891ff;
}

int main()
{
    for (unsigned int i=0; i<0xffffffff; i++)
        if (check(i))
            printf("%08x\n", i);
}

checkã®æœ€å¾Œã®æ¡ä»¶ã¯ANDã ãŒã€ã©ã“ã‹ã§å†™ã—é–“é•ãˆãŸã®ã‹esiãŒæ£ã—ã„å€¤ã«ãªã‚‰ãªã‹ã£ãŸã€‚ORã§ã‚‚ç”ãˆã¯1å€‹ã—ã‹å‡ºã¦ã“ãªã„ã€‚ecx=0x3108202dã§ãƒã‚§ãƒƒã‚¯ãŒé€šã‚‹ã“ã¨ãŒåˆ†ã‹ã‚‹ã€‚0x31, 0x08, 0x20, 0x2dã‚’キーボードのスキャンコードã‹ã‚‰æŽ¢ã™ã€‚

N7DX

Web 103 From the Northern Country

æŒ‡å®šã•ã‚ŒãŸãƒšãƒ¼ã‚¸ã«åŒ—æœé®®ã‹ã‚‰ã‚¢ã‚¯ã‚»ã‚¹ã—ã‚ã¨ã„ã†å•é¡Œã€‚åŒ—æœé®®ã®ãƒ—ãƒã‚ã‚·ãªã‚“ã¦è¦‹ã¤ã‹ã‚‰ãªã‹ã£ãŸã‘ã©ã€é€†ã§åŒ—æœé®®ã®äººãŒç§ã‚’çµŒç”±ã—ã¦ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã„ã‚‹ã¨è£…ãˆã°è‰¯ã„ã€‚X-Forwarded-Forãƒ˜ãƒƒãƒ€ã€‚

nc north.tkbctf.info 80
GET / HTTP/1.1
Host: north.tkbctf.info
X-Forwarded-For: 175.45.176.0

HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sun, 04 May 2014 09:06:12 GMT
Content-Type: text/plain
Content-Length: 21
Last-Modified: Sat, 03 May 2014 22:13:55 GMT
Connection: keep-alive
ETag: "53656a23-15"
Accept-Ranges: bytes

KEY{&#44277;&#44201;&#51204;&#51060;&#45796;}

ã‚ãƒ¼ãŒå®Ÿä½“å‚ç…§ã«ãªã£ã¦ã„ã‚‹ã®ã¯ã€ã¯ã¦ãªã®ã‚¹ãƒ¼ãƒ‘ãƒ¼preè¨˜æ³•ã®ã›ã„ã€‚åŒ—æœé®®ã®æ›²åã‚‰ã—ã„ã€‚
攻撃戦だ - Wikipedia

공격전이다

Misc 250 15-Puzzle

15ãƒ‘ã‚ºãƒ«ã‚’è§£ãã€‚Stage nã§ã¯nå•å‡ºé¡Œã•ã‚Œã‚‹ã€‚çœŸé¢ç›®ã«ã‚½ãƒ«ãƒãƒ¼ã‚’æ›¸ã“ã†ã¨ã™ã‚‹ã¨é¢å€’ãªã®ã§ã€ここã§å…¬é–‹ã•ã‚Œã¦ã„ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ã¡ã‚‡ã£ã¨å¼„ã£ã¦ã€å¼•æ•°ã§ç›¤é¢ã‚’å—ã‘å–ã‚Šã€æ¨™æº–å‡ºåŠ›ã«ç”ãˆã‚’å‡ºã™ã‚ˆã†ã«ã—ãŸã€‚ã‚ã¨ã¯Pythonã§ã€‚

import socket
import subprocess
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("203.178.132.117", 3939))

print s.recv(0x10000) #15-Puzzle ~

for i in range(100):
    for j in range(i+1):
        time.sleep(1)
        B = s.recv(0x10000)
        print "<",B,">"

        if len(B.split()[-16:])!=16:
            print "Error"
            exit(-1)

        cmd = "solve.exe "+" ".join(B.split()[-16:])
        print "cmd:",cmd
        p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
        ans = p.stdout.read()
        print "ans:",ans
        s.send(ans+"\n")

    print s.recv(0x10000) # Stage n cleared.

ä½•æ•…ã‹é–“é•ã£ã¦ã„ã‚‹ã¨è¨€ã‚ã‚Œã‚‹ã“ã¨ãŒã‚ã‚‹ã‘ã©ã€ä½•å›žã‹è©¦ã—ãŸã‚‰ãƒ•ãƒ©ã‚°ãŒæ‰‹ã«å…¥ã£ãŸã€‚

Welcome. We are the fafrotskies.
Your answers must be terminated by an empty line, don't forget!

===== 15-Puzzle =====
Solve 15-Puzzle!
The four lines make one set of input.
Zero denotes the missing tile.
If the input puzzle is solvable then print the number of the shortest steps to s
olve the puzzle.
If the puzzle is not solvable then print the line "NO".



< Stage #1
Enjoy!
#1
1 2 4 0
5 10 3 8
9 7 6 12
13 14 11 15
>
cmd: solve.exe 1 2 4 0 5 10 3 8 9 7 6 12 13 14 11 15
ans: 9

Stage 1 cleared.

< Stage #2
The 2nd stage!
#1
1 2 7 3
ã€€ã€€ï¼š
ã€€ã€€ï¼š
9 11 12 8
13 14 7 15
>
cmd: solve.exe 5 0 3 10 2 1 4 6 9 11 12 8 13 14 7 15
ans: 29

Complete! Flag is FLAG{N0_R4M3N_N0_L1F3!!}

<  >
Error

N0_R4M3N_N0_L1F3!!

Steganography 200 Haiku

16x16ã®ãƒ¢ãƒŽã‚¯ãƒã®ãƒ“ãƒƒãƒˆãƒžãƒƒãƒ—ãŒä¸Žãˆã‚‰ã‚Œã‚‹ã€‚ç™½ã‚’1ã€é»’ã‚’0ã¨ã—ã¦ã€Shift-JISã¨ã—ã¦èªã‚€ã¨ä¿³å¥ãŒå‡ºã¦ãã‚‹ã€‚

ã‚„ã‚Œæ‰“ã¤ãªã¯ãˆãŒæ‰‹ã‚’ã™ã‚‹è¶³ã‚’ã™ã‚‹

Binary 500 game

SSHã®IDã¨ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ãŒä¸Žãˆã‚‰ã‚Œã¦ã€ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨suidã•ã‚ŒãŸã‚²ãƒ¼ãƒ ãŒç½®ã„ã¦ã‚ã‚‹ã€‚ã‚¯ã‚¤ã‚ºã¨ç¥žçµŒè¡°å¼±ã€‚ã‚¯ã‚¤ã‚ºã®æœ€å¾Œã«ãƒ•ãƒ©ã‚°ãŒãƒ¡ãƒ¢ãƒªä¸Šã«èªã¿è¾¼ã¾ã‚Œã‚‹ã€‚ç¥žçµŒè¡°å¼±ã¯0<=x<13 && 0<=y<4ã¨ãƒã‚§ãƒƒã‚¯ã™ã¹ãã¨ã“ã‚ã€0<=x<13 && 0<=y<13ã¨ãƒã‚§ãƒƒã‚¯ã—ã¦ã„ã‚‹ã®ã§ã€ç¯„å›²å¤–ã®ãƒ¡ãƒ¢ãƒªãŒã¡ã‚‡ã£ã¨èªã‚ã‚‹ã€‚ã†ã¾ã„ã“ã¨ãƒ¡ãƒ¢ãƒªã®ãƒ¬ã‚¤ã‚¢ã‚¦ãƒˆã‚’èª¿ç¯€ã™ã‚‹ã‚‰ã—ã„ã‘ã©ã€è§£ã‘ãªã‹ã£ãŸã€‚
ã‚¯ã‚¤ã‚ºã®å›žç”ã€‚

HAL sang this song
Daisy Bell

'To be or not to be, that is the question'
Hamlet

Appolo 11 landed in this site
????????????????

Trinity set this as root password
Z1ON0101

The name of this city is used as the codename of Windows 95
Chicago

The first 10 digits of pi (X in 3.XXXXXXXXXX)
1415926535

The most accurate mass in the following for LD50 of caffeine in humans per kilogram of body mass; 50mg, 200mg, 300mg, 500mg and 700mg
200mg

One definition of this is entering a private place with the intent of listeningsecretly to private conversation
eavesdropping

With much "Gravity", this young fellow of Trinity became the Lucasian Professorof Mathematics in 1669
Isaac Newton

It's New Zealand's second-largest city
Christchurch

ã‚¢ãƒãƒ11å·ã®å•é¡Œã¯ç”ãˆãŒåˆ†ã‹ã‚‰ãªã‹ã£ãŸã€‚é™ã‹ã®æµ·ã ã¨æ€ã†ã‘ã©ã€Tranquillitatisã§ã¯1æ–‡å—è¶³ã‚Šãªã„ã€‚è„†å¼±æ€§ã§ç”ãˆãŒç›—ã‚ãŸå•é¡Œã‚‚ã‚ã‚‹ã‘ã©ã€ã‚¢ãƒãƒ11å·ã¯å‡ºã¦ã“ãªã‹ã£ãŸ(Â´ï½¥Ï‰ï½¥ï½€)

Web 250 miocat

æŒ‡å®šã•ã‚ŒãŸã‚µã‚¤ãƒˆã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ã€URLã‚’å…¥åŠ›ã™ã‚‹ãƒ•ã‚©ãƒ¼ãƒ ãŒã‚ã£ãŸã€‚ä½•ã‹ã‚µãƒ¼ãƒãƒ¼ãŒå¤–ã«ã‚¢ã‚¯ã‚»ã‚¹ã§ããªã„ã‚ˆã†ãªæŒ™å‹•ã‚’ã—ã¦ã„ã¦ã€å¾Œå›žã—ã«ã—ã¦ã„ãŸã‚‰ã€çš†è§£ã„ã¦ã„ãŸã€‚

http://../../../etc/passwd

ã§ã€/etc/passwdãŒèªã‚ã‚‹ã€‚

ã€€ï¼š
syslog:x:102:105::/home/syslog:/bin/false
miocat:x:1001:1001:Miocat,,,Read /home/miocat/flag:/home/miocat:/bin/bash
chris:x:1000:1000::/home/chris:/bin/bash

http://../flag

ElizabethDoesntSayLazy