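This competition was held from 2024/10/26 16:00 (JST) to 2024/10/28 4:00 (JST).
It was an individual competition. I finished 23rd out of 126 with 1900 points.
Very disappointing. I wanted to place a little higher.
The score distribution by category looks like this.
The categories in which I could not solve a single challenge were Reverse Engineering and Web Security.
For one Reverse Engineering challenge my logic should have been correct, but the result was not a printable string. I could not work out where I went wrong and could not solve it, which is a pity.
Below are writeups for the challenges I solved.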
Welcome to UrchinSec (Miscellaneous 100)
After joining the Discord server and looking at the topic of the #welcome channel, I found the flag written there.
urchinsec{welcome_to_UrCh1nSe(}
Follow Us (OSINT 100)
I looked at https://www.instagram.com/urchinsec_ . The second image had comments, and the flag was written in them.
urchinsec{d0nt_f0rg3t_tO_f0ll0w_us}
Heart (Secure Code Reviewing 100)
The task is to answer with the line number of the vulnerable line and the name of the vulnerability. The code is as follows.
```python
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/name/<input_name>', methods=['GET'])
def say_name(input_name):
    if request.method == 'GET':
        if input_name is not None:
            return render_template_string(f"Hello {input_name}")

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5555)
```
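On line 9 the input value is interpolated as {input_name} into the string handed to render_template_string, so the input becomes part of the template source. This is an SSTI vulnerability.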
urchinsec{9_SSTI}
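The same review step can be automated. The following is an added example, not part of the challenge or the original writeup: a small AST check that reports every line where render_template_string receives anything other than a string literal. FIXED_SRC is a constructed corrected version, and a hit means "review this line", since a variable may still hold a static template.

```python
import ast

# The challenge code from above, embedded so the check runs offline.
HEART_SRC = '''from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/name/<input_name>', methods=['GET'])
def say_name(input_name):
    if request.method == 'GET':
        if input_name is not None:
            return render_template_string(f"Hello {input_name}")

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5555)
'''

# Constructed fix: the template is a constant and the value is passed as context.
FIXED_SRC = HEART_SRC.replace(
    'render_template_string(f"Hello {input_name}")',
    'render_template_string("Hello {{ name }}", name=input_name)')

def find_dynamic_templates(source):
    """Return line numbers where render_template_string gets a non-literal template."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Covers both render_template_string(...) and flask.render_template_string(...).
        name = func.id if isinstance(func, ast.Name) else getattr(func, 'attr', None)
        if name != 'render_template_string' or not node.args:
            continue
        template = node.args[0]
        # A plain string literal is fixed at review time. f-strings, concatenation,
        # .format() calls and variables can carry request data into the template source.
        if not (isinstance(template, ast.Constant) and isinstance(template.value, str)):
            hits.append(node.lineno)
    return sorted(hits)

if __name__ == '__main__':
    print('challenge code:', find_dynamic_templates(HEART_SRC))
    print('fixed code:    ', find_dynamic_templates(FIXED_SRC))
```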
RedHand (Secure Code Reviewing 100)
The task is to answer with the name of the vulnerability in the code. The code is as follows.
<?=`$_GET[0]`?>
This is a web shell that executes OS commands, so it can be called Command Injection.
urchinsec{command_injection}
Syringe (Secure Code Reviewing 100)
The task is to answer with the line number of the vulnerable line and the name of the vulnerability. The code is as follows.
```javascript
const express = require('express');
const mysql = require('mysql');

const app = express();

const connection = mysql.createConnection({
    host: 'localhost',
    user: 'root',
    password: 'Sup3rStr0ngP@ssw0rd!',
    database: 'syringe_hospital'
});

app.get('/get-patients', (req, res) => {
    const patient_name = req.query.patient_name;
    const query = `SELECT * FROM patients WHERE patient_name = '${patient_name}'`;
    connection.query(query, (error, results) => {
        if (error) throw error;
        res.send(results);
    });
});

app.listen(3000, () => {
    console.log('Server running on http://localhost:3000');
});
```
On line 15 the input value is interpolated as ${patient_name} into the SQL string, which is a SQL Injection vulnerability.
urchinsec{15_SQLi}
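The difference between line 15's string-built query and a bound parameter, as an added example that is not part of the challenge code. It uses Python's built-in sqlite3 in place of Node and MySQL so that it runs offline, and the table rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the challenge's patients table.
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE patients (id INTEGER PRIMARY KEY, patient_name TEXT)')
    db.executemany('INSERT INTO patients (patient_name) VALUES (?)',
                   [('alice',), ('bob',), ("o'brien",)])
    return db

def lookup_concatenated(db, patient_name):
    # Same construction as line 15: the input becomes part of the SQL text,
    # so a quote in the input changes the structure of the statement.
    query = f"SELECT patient_name FROM patients WHERE patient_name = '{patient_name}'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, patient_name):
    # The statement text is fixed; the driver binds the input as a value only.
    query = 'SELECT patient_name FROM patients WHERE patient_name = ?'
    return [row[0] for row in db.execute(query, (patient_name,))]

if __name__ == '__main__':
    db = make_db()
    probe = "x' OR '1'='1"   # classic review probe: closes the quote, adds a tautology
    print('concatenated :', lookup_concatenated(db, probe))    # every row comes back
    print('parameterized:', lookup_parameterized(db, probe))   # no patient has this name
    # A legitimate name containing a quote also breaks the concatenated form.
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print('concatenated, legitimate name:', exc)
    print('parameterized, legitimate name:', lookup_parameterized(db, "o'brien"))
```

In the challenge's own stack the equivalent fix is the mysql package's `?` placeholder, passing the values as an array: `connection.query('SELECT * FROM patients WHERE patient_name = ?', [patient_name], callback)`.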
10 Round (Forensics 100)
The file appears to be a RAR archive, but the 2nd and 3rd bytes from the start are corrupted, so repair them as follows.
00 00 → 61 72
Extracting the repaired archive yields a file named flag.
```
$ file flag
flag: ARJ archive data, v11, slash-switched, created 27 aug 1980+51, original name: flag.arj, os: Unix
$ mv flag flag.arj
```
Extracting it with 7-Zip again yields a file named flag.
```
$ file flag
flag: Zstandard compressed data (v0.8+), Dictionary ID: None
$ mv flag flag.zst
$ zstd -d flag.zst
flag.zst : 598 bytes
$ file flag
flag: LZMA compressed data, streamed
$ mv flag flag.lzma
$ xz --format=lzma --decompress flag.lzma
xz: flag: Cannot set the file permissions: Value too large for defined data type
$ file flag
flag: 7-zip archive data, version 0.4
$ mv flag flag.7z
$ 7z x flag.7z

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 598 bytes (1 KiB)

Extracting archive: flag.7z
--
Path = flag.7z
Type = 7z
Physical Size = 598
Headers Size = 130
Method = LZMA2:12
Solid = -
Blocks = 1

Everything is Ok

Size: 464
Compressed: 598
$ file flag.tar.xz
flag.tar.xz: XZ compressed data, checksum CRC64
$ tar Jxfv flag.tar.xz
flag.zip
$ unzip flag.zip
Archive: flag.zip
 extracting: flag
$ file flag
flag: XZ compressed data, checksum CRC64
$ mv flag flag.xz
$ unxz flag.xz
unxz: flag: Cannot set the file permissions: Value too large for defined data type
$ file flag
flag: bzip2 compressed data, block size = 900k
$ mv flag flag.bz2
$ bzip2 -d flag.bz2
$ file flag
flag: gzip compressed data, was "flag", last modified: Fri Oct 25 05:27:03 2024, from Unix, original size modulo 2^32 47
$ mv flag flag.gz
$ gzip -d flag.gz
gzip: flag: Value too large for defined data type
$ file flag
flag: ASCII text
$ cat flag
urchinsec{d0ubl3_c0mpr3s51on_1s_c00l_1cf5d3a2}
```
urchinsec{d0ubl3_c0mpr3s51on_1s_c00l_1cf5d3a2}
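The file/rename/decompress loop above can be scripted. This is an added example, not from the original writeup: it identifies each layer by its magic bytes, restores the two zeroed RAR signature bytes, and unwraps the layers Python's standard library can read, working in memory only. It generalizes the manual session by stopping and naming the format when a layer (RAR, ARJ, Zstandard, 7z) needs an external tool; the function names are my own.

```python
import bz2, gzip, io, lzma, tarfile, zipfile

# Leading magic bytes for the formats seen in this challenge.
MAGIC = [
    (b'Rar!\x1a\x07', 'rar'), (b'\x60\xea', 'arj'), (b'\x28\xb5\x2f\xfd', 'zstd'),
    (b'7z\xbc\xaf\x27\x1c', '7z'), (b'\xfd7zXZ\x00', 'xz'), (b'PK\x03\x04', 'zip'),
    (b'BZh', 'bzip2'), (b'\x1f\x8b', 'gzip'), (b'\x5d\x00\x00', 'lzma'),
]

def repair_rar_magic(data):
    """Restore the 2nd and 3rd bytes of a RAR signature when the rest is intact."""
    if data[:1] == b'R' and data[3:6] == b'!\x1a\x07' and data[1:3] != b'ar':
        return data[:1] + b'ar' + data[3:]
    return data

def identify(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    # tar has no leading magic; POSIX tar stores "ustar" at offset 257.
    return 'tar' if data[257:262] == b'ustar' else None

def single_member(names, read):
    if len(names) != 1:
        raise ValueError('expected exactly one member, got %d' % len(names))
    return read(names[0])

def peel(data, max_layers=32):
    """Unwrap nested layers; return (layer names, remaining bytes, format that stopped us)."""
    layers = []
    for _ in range(max_layers):   # cap the depth so a crafted file cannot loop forever
        kind = identify(data)
        if kind == 'gzip':
            data = gzip.decompress(data)
        elif kind == 'bzip2':
            data = bz2.decompress(data)
        elif kind in ('xz', 'lzma'):
            data = lzma.decompress(data)   # FORMAT_AUTO reads .xz and legacy .lzma
        elif kind == 'zip':
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                data = single_member(z.namelist(), z.read)
        elif kind == 'tar':   # members are read in memory, nothing is written to disk
            with tarfile.open(fileobj=io.BytesIO(data)) as t:
                data = single_member(t.getnames(), lambda n: t.extractfile(n).read())
        else:
            # None: plain data. rar/arj/zstd/7z: hand over to the external tool.
            return layers, data, kind
        layers.append(kind)
    raise ValueError('more than %d layers' % max_layers)
```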
Log-ical - Part 1 (Forensics 100)
Partway through, the log contains requests made with the following User-Agent.
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
This looks like reconnaissance with nmap. The source IP address of these requests is 10.0.100.13. There are also log entries whose Referer contains 10.0.100.2, so that is presumably the target's IP address.
urchinsec{10.0.100.13_10.0.100.2}
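The triage described above, written as detection logic. This is an added example, not from the original writeup: it assumes the log is in Combined Log Format (the writeup does not show the format) and runs over constructed sample lines in which only the two IP addresses and the User-Agent come from the writeup. The User-Agent is supplied by the client, so this finds default-configured NSE scans only; an IP without the marker is not thereby cleared.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed layout (Combined Log Format):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')
NSE_MARKER = 'Nmap Scripting Engine'   # substring of the User-Agent quoted above
NSE_UA = 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)'
BROWSER_UA = 'Mozilla/5.0 (X11; Linux x86_64)'

# Constructed sample lines, not the challenge's log.
SAMPLE_LOG = '\n'.join([
    f'10.0.100.7 - - [25/Oct/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "{BROWSER_UA}"',
    f'10.0.100.13 - - [25/Oct/2024:10:02:11 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "{NSE_UA}"',
    f'10.0.100.13 - - [25/Oct/2024:10:02:12 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "{NSE_UA}"',
    f'10.0.100.13 - - [25/Oct/2024:10:05:40 +0000] "GET /login.php HTTP/1.1" 200 1024 '
    f'"http://10.0.100.2/index.php" "{BROWSER_UA}"',
    'this line is truncated and must be skipped',
])

def summarize(log_text):
    """Return (source IP -> NSE request count, Referer host -> request count)."""
    scanners, referer_hosts = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue   # malformed or truncated line
        ip, referer, agent = m.groups()
        if NSE_MARKER in agent:
            scanners[ip] += 1
        host = urlsplit(referer).hostname   # None for "-" or an empty Referer
        if host:
            referer_hosts[host] += 1
    return scanners, referer_hosts

if __name__ == '__main__':
    scanners, referer_hosts = summarize(SAMPLE_LOG)
    print('NSE sources  :', dict(scanners))
    print('Referer hosts:', dict(referer_hosts))
```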
Open Letter (Forensics 300)
After unzipping the document and looking at word\settings.xml, I found the following inside the XML data.
Here is the Admin password: urchinsec{w0rd2z1p_zip2w0rd_c9f2d3a0}
urchinsec{w0rd2z1p_zip2w0rd_c9f2d3a0}
Box (Cryptography 100)
Guessing that this is a scytale cipher, break the text into lines of 4 characters and read down the columns.
```
b__o
oltx
xio␣
_k_␣
ieb␣
```
box_i_like_to_box
urchinsec{box_i_like_to_box}
Destination (Cryptography 100)
Subtract 1 from each ASCII code and decode.
```
>>> s = '118 115 100 105 106 111 116 102 100 124 66 84 68 74 74 96 117 115 53 111 116 103 49 115 110 96 50 99 105 57 102 54 126'
>>> ''.join([chr(int(c) - 1) for c in s.split(' ')])
'urchinsec{ASCII_tr4nsf0rm_1bh8e5}'
```
urchinsec{ASCII_tr4nsf0rm_1bh8e5}
Shifty Business (Cryptography 100)
Right-shifting each ciphertext value by the sum of the values in n gives the square of the ASCII code of the corresponding flag character. Use this to decrypt.
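```python
#!/usr/bin/env python3
import ast

from gmpy2 import iroot

with open('output.txt', 'r') as f:
    # literal_eval parses the list without executing anything from the file
    enc = ast.literal_eval(f.read())

flag = ''
for c in enc:
    # undo the left shifts: the shift amounts add up to 16 + 32 + 64 + 128 bits
    v = c >> (16 + 32 + 64 + 128)
    # what remains is a perfect square of the character code
    code, success = iroot(v, 2)
    assert success
    flag += chr(int(code))
print(flag)
```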
urchinsec{1t's_4all_ab0u+_e45y_3ncRyPT10N_e4c8a1}
Tr3ppl3 Stuffs (Cryptography 300)
The GCD of n1 and n2 is p, so q and r can be computed. After that, performing RSA decryption with n3, n2 and n1 as the modulus, in that order, gives the flag.
```python
#!/usr/bin/env python3
from Crypto.Util.number import GCD, inverse, long_to_bytes

with open('public-key.txt', 'r') as f:
    params = f.read().splitlines()

# each line has the form "<name> <value>"
n1 = int(params[0].split(' ')[1])
n2 = int(params[1].split(' ')[1])
n3 = int(params[2].split(' ')[1])
e = int(params[3].split(' ')[1])
c = int(params[4].split(' ')[1])

# n1 = p * q and n2 = p * r share the prime p
p = GCD(n1, n2)
q = n1 // p
r = n2 // p
assert q * r == n3

ns = [n1, n2, n3]
phis = [(p - 1) * (q - 1), (p - 1) * (r - 1), (q - 1) * (r - 1)]

# undo the three encryptions in reverse order: n3, then n2, then n1
for i in range(len(ns)):
    d = inverse(e, phis[2 - i])
    c = pow(c, d, ns[2 - i])

flag = long_to_bytes(c).decode()
print(flag)
```
URCHINSEC{Wh00ps_tr1ppl3_RS4_15_N0t_3v3n_h4rd_s0met1mes}
WarmUp (Cryptography 300)
An outline of the encryption process is as follows.
・message: unknown
・knapsack = generate_knapsack()
  ・knapsack = [1, 2]
  ・repeat the following 6 times
    ・append to knapsack the sum of knapsack plus 1
  ・return knapsack
・m = 257
・n: a random integer between -1000 and 1000 inclusive
・ciphertext = encrypt_message(message, knapsack, m, n)
  ・bits = convert_to_bits(message)
    ・bits: an array of single bits, made by turning each character of message into an 8-digit binary string
    ・return bits
  ・chunk_size: the length of knapsack
  ・chunks: bits split into an array of pieces of length chunk_size
  ・ciphertext = []
  ・for each chunk in chunks, do the following
    ・if the length of chunk is less than chunk_size
      ・pad chunk with [0]
    ・c_value: the sum of the element-wise products of knapsack and chunk
    ・encrypted_value = (c_value * n) % m
    ・append encrypted_value to ciphertext
  ・return ciphertext
・output ciphertext
Assuming the flag starts with "urchinsec{", work out n. Then, for each flag character, brute-force the character whose encrypted value matches the ciphertext, and decrypt.
```python
#!/usr/bin/env python3
import ast

from Crypto.Util.number import inverse

def generate_knapsack():
    knapsack = [1, 2]
    for i in range(6):
        knapsack.append(sum(knapsack) + 1)
    return knapsack

def convert_to_bits(message):
    bits = []
    for char in message:
        char_bits = bin(ord(char))[2:].zfill(8)
        bits.extend([int(b) for b in char_bits])
    return bits

knapsack = generate_knapsack()
m = 257

with open('out.txt', 'r') as f:
    # literal_eval parses the list without executing anything from the file
    ciphertext = ast.literal_eval(f.read().split(': ')[1])

# known plaintext: the flag prefix
flag_head = 'urchinsec{'
bits = convert_to_bits(flag_head)
chunk_size = len(knapsack)
chunks = [bits[i:i + chunk_size] for i in range(0, len(bits), chunk_size)]

# recover n (mod m) from the first known character
c_value = sum(k * b for k, b in zip(knapsack, chunks[0]))
n = ciphertext[0] * inverse(c_value, m) % m

# the remaining known characters must give the same n
for i in range(1, len(chunks)):
    c_value = sum(k * b for k, b in zip(knapsack, chunks[i]))
    tmp_n = ciphertext[i] * inverse(c_value, m) % m
    assert tmp_n == n

# brute-force each printable character against the ciphertext
flag = ''
for i in range(len(ciphertext)):
    for code in range(32, 127):
        bit = bin(code)[2:].zfill(8)
        chunk = [int(c) for c in list(bit)]
        c_value = sum(k * b for k, b in zip(knapsack, chunk))
        encrypted_value = (c_value * n) % m
        if encrypted_value == ciphertext[i]:
            flag += chr(code)
            break
print(flag)
```
urchinsec{w000oow!!!_M4st3r_H0w_d1d_y0u_g3t_it????}