BCACTF I Notes

welcome

hello-world

Input your first ever flag! The flag is bcactf{hello!}
FLAG : bcactf{hello!}

net-cat

Some problems in this CTF will require you to use netcat to access server-side problems.

For this problem netcat in to our server by using

nc challenges.ctfd.io 30126

$ nc challenges.ctfd.io 30126
bcactf{5urf1n_7h3_n37c47_c2VydmVyc2lkZQ}

FLAG : bcactf{5urf1n_7h3_n37c47_c2VydmVyc2lkZQ}

wuphf

Social media is so fractured today. I mean, there's Discord, Twitter, Instagram... Don't you wish there was just one platform that could send things to every platform? Sadly that's not the case, so to find the flag you will have to collect flag-ments from all of our platforms.

FLAG1 : Discord

FLAG2 : Twitter

FLAG3 : Instagram

FLAG : bcactf{h17_u5_uP_d3VwaGYuY29t}

crypto

basic-numbers

We have a raw flag here, but what do we do with it?
01100010 00110001 01101110 01100001 01110010 01111001 01011111 01110011 00110000 01101100 01110110 00110011 01100100 01011111 01100111 00110000 00110000 01100100 01011111 01110111 00110000 01110010 01101011
The answer should be in the format bcactf{answer}.

Convert the binary to ASCII.

CyberChef

FLAG : bcactf{b1nary_s0lv3d_g00d_w0rk}

cracking-the-cipher

Hackers work in the most unlikely of places. We have recently discovered one working in a grocery store (weird), and he was able to print out receipts to pass on information to certain customers. We have obtained one of the receipts, but we cannot tell what it says.

Grocery Store Receipt
Item Unit Price Quant. Overall Price
Caesar Salad Dressing 5.99 4 23.96
Vinegar 6.99 1 6.99
Apples (Honey Crisp) 2.79 5 13.95
Roast Chicken 7.59 1 7.59
Tomatoes 1.59 4 6.36
Subtotal 58.85
Paper Bag Fee 0.10
Taxes (9.00%) 0.00
Total 58.95
vjg rcuuyqtf ku ngctpkpi_ecguct_ekrjgtu_ku_hwp!

Can you crack the code and tell us the information within? The answer should be in the format bcactf{answer}.

I thought it was Vinegar and spent time on that, but it was just a plain Caesar cipher... That cost me some time.

Online calculator: Caesar cipher

ROT24    the password is learning_caesar_ciphers_is_fun!

FLAG : bcactf{learning_caesar_ciphers_is_fun!}

a-major-problem

A mysterious figure named Major Mnemonic has sent you the following set of words. Figure out what they mean!

"Pave Pop Poke Pop Dutch Dozen Denim Deism Loot Thatch Pal Atheism Rough Ditch Tonal"

Honestly, I had no idea what this was saying.

Hint

The words translate to numbers, which then translate to the flag.

I tried converting to decimal, dividing by the length and turning the result into ASCII, but that didn't work.
I googled "Major Mnemonic".

Major System mnemonic technique database, list and generator

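I don't know this encoding scheme, but apparently it turns words into numbers.
I was doing them one at a time, but that got tedious, so I looked for a decoder.

Numzi - Remember Numbers

The thing to watch out for is that it is 116, not 16. I learned that from the Major System database.
After that, convert the numbers to ASCII.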

n = [98, 99, 97, 99, 116, 102, 123, 103, 51, 116, 95, 103, 48, 116, 125]


for c in n:
    print(chr(c), end='')

Output

bcactf{g3t_g0t}

FLAG : bcactf{g3t_g0t}
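
The word-to-number step above can also be done offline. The following is an added example, not code from the original post: a spelling-based approximation of the Major System that keeps "t" and "ch" as separate sounds, which is what yields 116 rather than 16 for "Dutch". The letter tables (hard c/g, "gh" read as f) are assumptions that happen to fit this word list.

```python
# Added example: spelling-based Major System decoder. The real system maps
# consonant sounds, so a letter table like this is only an approximation.
DIGRAPHS = {
    "ch": "6", "sh": "6", "th": "1", "ph": "8", "ck": "7",
    "gh": "8",  # assumption: "gh" read as the f sound, as in "Rough"
}
LETTERS = {
    "s": "0", "z": "0",
    "t": "1", "d": "1",
    "n": "2",
    "m": "3",
    "r": "4",
    "l": "5",
    "j": "6",
    "k": "7", "g": "7", "q": "7", "c": "7",  # assumes hard c / hard g
    "f": "8", "v": "8",
    "p": "9", "b": "9",
}
# Vowels and w, h, y carry no digit and are skipped.

WORDS = ("Pave Pop Poke Pop Dutch Dozen Denim Deism Loot Thatch Pal "
         "Atheism Rough Ditch Tonal")  # word list from the challenge


def word_to_digits(word: str) -> str:
    """Map one mnemonic word to its digit string."""
    w = word.lower()
    digits, prev, i = [], "", 0
    while i < len(w):
        pair = w[i:i + 2]
        if pair in DIGRAPHS:
            digits.append(DIGRAPHS[pair])
            prev, i = pair, i + 2
            continue
        ch = w[i]
        # A doubled consonant ("tt", "ll") is one sound and counts once.
        if ch in LETTERS and ch != prev:
            digits.append(LETTERS[ch])
        prev, i = ch, i + 1
    return "".join(digits)


def decode(words: str) -> str:
    """Each word encodes one decimal ASCII code."""
    return "".join(chr(int(word_to_digits(w))) for w in words.split())


if __name__ == "__main__":
    for w in WORDS.split():
        print(f"{w:8} -> {word_to_digits(w)}")
    print(decode(WORDS))
```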

binary-exploitation

executable

It's in there somewhere. Good luck!

executable-mac
executable-ubuntu

$ file executable-ubuntu 
executable-ubuntu: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=2d69b145cafba5b1850ed1677373b4058b19a78e, not stripped

$ chmod +x executable-ubuntu

$ ./executable-ubuntu 
Welcome to the lottery!
So now we're going to pick a ginormous number!
If it's 1, you win!
Your number is 1804289383!
Try again next time!

$ strings executable-ubuntu 
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
__stack_chk_fail
printf
rand
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.2.5
UH-P
AWAVA
AUATL
[]A\A]A^A_
Welcome to the lottery!
So now we're going to pick a ginormous number!
If it's 1, you win!
Your number is %d!
Congratulations, you're our lucky winner!
Try again next time!
--[----->+<]>----.+.--.++.-[--->+<]>--.+++[->+++<]>+.+[----->+<]>.>-[----->+<]>.+[--->++<]>.[++>---<]>-.-[->++<]>-.-[--->+<]>-.-.>-[----->+<]>+.---[->++<]>.++++++++++.[-->+<]>---.--[--->++<]>---.++[->+++<]>.[--->+<]>---.+++[->+++<]>.+++++++.-[--->+<]>--.-------.---------------.+[-->+<]>+.+.++.+[->++<]>.--.---.+++++++++++++.--[->+++++<]>.++++++++.+.-------.++.+.>--[-->+++<]>.
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c

(snip)

There is a Brainfuck string sitting right there in the output.

--[----->+<]>----.+.--.++.-[--->+<]>--.+++[->+++<]>+.+[----->+<]>.>-[----->+<]>.+[--->++<]>.[++>---<]>-.-[->++<]>-.-[--->+<]>-.-.>-[----->+<]>+.---[->++<]>.++++++++++.[-->+<]>---.--[--->++<]>---.++[->+++<]>.[--->+<]>---.+++[->+++<]>.+++++++.-[--->+<]>--.-------.---------------.+[-->+<]>+.+.++.+[->++<]>.--.---.+++++++++++++.--[->+++++<]>.++++++++.+.-------.++.+.>--[-->+++<]>.

El Brainfuck

FLAG : bcactf{3x3cut4bl3s_r_fun_124jher089245}
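
The strings-then-interpreter workflow above can be reproduced offline. The following is an added example, not code from the original post: it scans a byte blob for long runs of Brainfuck-only characters and runs them on 8-bit wrapping cells. SAMPLE_BLOB is constructed around the string shown above, and the 40-character minimum run length is an assumption.

```python
import re

# Runs made only of the eight Brainfuck opcodes; 40 is an assumed threshold
# that ignores short accidental matches such as "[]" in other strings.
BF_RUN = re.compile(rb"[-+<>\[\].,]{40,}")

# The string recovered with `strings` above, split only for line length.
BF_FROM_PAGE = (
    b"--[----->+<]>----.+.--.++.-[--->+<]>--.+++[->+++<]>+.+[----->+<]>.>-[----->+<]>."
    b"+[--->++<]>.[++>---<]>-.-[->++<]>-.-[--->+<]>-.-.>-[----->+<]>+.---[->++<]>.++++++++++."
    b"[-->+<]>---.--[--->++<]>---.++[->+++<]>.[--->+<]>---.+++[->+++<]>.+++++++.-[--->+<]>--."
    b"-------.---------------.+[-->+<]>+.+.++.+[->++<]>.--.---.+++++++++++++."
    b"--[->+++++<]>.++++++++.+.-------.++.+.>--[-->+++<]>."
)

# Constructed stand-in for the binary's string table (NUL-separated strings).
SAMPLE_BLOB = (
    b"Your number is %d!\x00Congratulations, you're our lucky winner!\x00"
    b"Try again next time!\x00" + BF_FROM_PAGE + b"\x00;*3$\"\x00crtstuff.c\x00"
)


def find_brainfuck(blob: bytes) -> list:
    """Return every candidate Brainfuck program embedded in the blob."""
    return [m.group().decode("ascii") for m in BF_RUN.finditer(blob)]


def run_brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Interpret src with 8-bit wrapping cells; ',' (input) is a no-op."""
    stack, jump = [], {}
    for pos, op in enumerate(src):  # pre-match the brackets
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced [")

    tape, ptr, pc, out, steps = [0], 0, 0, [], 0
    while pc < len(src):
        steps += 1
        if steps > max_steps:  # guard against non-terminating input
            raise RuntimeError("step limit exceeded")
        op = src[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif op == "<":
            if ptr == 0:
                raise ValueError("pointer moved left of cell 0")
            ptr -= 1
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


if __name__ == "__main__":
    for program in find_brainfuck(SAMPLE_BLOB):
        print(run_brainfuck(program))
```

The wrap-around matters: the first loop starts from 254 and only reaches zero after the cell overflows, so an interpreter with unbounded cells would not decode this string.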

executable-2

It's in here somewhere. Good luck... again.

(Now you actually have to try.)

executable-ubuntu

$ file executable-ubuntu
executable-ubuntu: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=3639d66db2a5e66741845e5138ef36b088612428, not stripped

$ ./executable-ubuntu 
Welcome to the lottery!
So now we're going to pick a ginormous number!
If it's 1, you win!
Your number is 1804289383!
Try again next time!

$ ./executable-ubuntu 
Welcome to the lottery!
So now we're going to pick a ginormous number!
If it's 1, you win!
Your number is 1804289383!
Try again next time!

$ ./executable-ubuntu a
Welcome to the lottery!
So now we're going to pick a ginormous number!
If it's 1, you win!
Your number is 1804289383!
Try again next time!

If it's 1, you win!
Your number is 1804289383!

Apparently the number needs to be 1, but...

gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x0000000000400626 <+0>:   push   rbp
   0x0000000000400627 <+1>:   mov    rbp,rsp
   0x000000000040062a <+4>:   push   rbx
   0x000000000040062b <+5>:   sub    rsp,0x11f8
   0x0000000000400632 <+12>:  mov    rax,QWORD PTR fs:0x28
   0x000000000040063b <+21>:  mov    QWORD PTR [rbp-0x18],rax
   0x000000000040063f <+25>:  xor    eax,eax
   0x0000000000400641 <+27>:  lea    rax,[rbp-0x11f0]
   0x0000000000400648 <+34>:  mov    esi,0x4008e0
   0x000000000040064d <+39>:  mov    edx,0x17b
   0x0000000000400652 <+44>:  mov    rdi,rax
   0x0000000000400655 <+47>:  mov    rcx,rdx
   0x0000000000400658 <+50>:  rep movs QWORD PTR es:[rdi],QWORD PTR ds:[rsi]
   0x000000000040065b <+53>:  mov    edi,0x400820
   0x0000000000400660 <+58>:  call   0x4004d0 <puts@plt>
   0x0000000000400665 <+63>:  mov    edi,0x400838
   0x000000000040066a <+68>:  call   0x4004d0 <puts@plt>
   0x000000000040066f <+73>:  mov    edi,0x400867
   0x0000000000400674 <+78>:  call   0x4004d0 <puts@plt>
   0x0000000000400679 <+83>:  call   0x400510 <rand@plt>
   0x000000000040067e <+88>:  mov    ebx,eax
   0x0000000000400680 <+90>:  mov    esi,ebx
   0x0000000000400682 <+92>:  mov    edi,0x40087b
   0x0000000000400687 <+97>:  mov    eax,0x0
   0x000000000040068c <+102>: call   0x4004f0 <printf@plt>
   0x0000000000400691 <+107>: cmp    ebx,0x1
   0x0000000000400694 <+110>: jne    0x400744 <main+286>
   0x000000000040069a <+116>: mov    edi,0x400890
   0x000000000040069f <+121>: call   0x4004d0 <puts@plt>
   0x00000000004006a4 <+126>: call   0x400510 <rand@plt>
   0x00000000004006a9 <+131>: mov    BYTE PTR [rbp-0x610],al
   0x00000000004006af <+137>: mov    DWORD PTR [rbp-0x11f4],0x0
   0x00000000004006b9 <+147>: jmp    0x400712 <main+236>
   0x00000000004006bb <+149>: mov    eax,DWORD PTR [rbp-0x11f4]
   0x00000000004006c1 <+155>: add    eax,eax
   0x00000000004006c3 <+157>: lea    esi,[rax+0x1]
   0x00000000004006c6 <+160>: mov    eax,DWORD PTR [rbp-0x11f4]
   0x00000000004006cc <+166>: cdqe   
   0x00000000004006ce <+168>: mov    ecx,DWORD PTR [rbp+rax*4-0x11f0]
   0x00000000004006d5 <+175>: mov    edx,0x51eb851f
   0x00000000004006da <+180>: mov    eax,ecx
   0x00000000004006dc <+182>: imul   edx
   0x00000000004006de <+184>: sar    edx,0x5
   0x00000000004006e1 <+187>: mov    eax,ecx
   0x00000000004006e3 <+189>: sar    eax,0x1f
   0x00000000004006e6 <+192>: sub    edx,eax
   0x00000000004006e8 <+194>: mov    eax,edx
   0x00000000004006ea <+196>: mov    edx,eax
   0x00000000004006ec <+198>: movsxd rax,esi
   0x00000000004006ef <+201>: mov    BYTE PTR [rbp+rax*1-0x610],dl
   0x00000000004006f6 <+208>: mov    eax,DWORD PTR [rbp-0x11f4]
   0x00000000004006fc <+214>: add    eax,0x1
   0x00000000004006ff <+217>: add    eax,eax
   0x0000000000400701 <+219>: cdqe   
   0x0000000000400703 <+221>: mov    BYTE PTR [rbp+rax*1-0x610],0xa
   0x000000000040070b <+229>: add    DWORD PTR [rbp-0x11f4],0x1
   0x0000000000400712 <+236>: cmp    DWORD PTR [rbp-0x11f4],0x2f5
   0x000000000040071c <+246>: jle    0x4006bb <main+149>
   0x000000000040071e <+248>: mov    BYTE PTR [rbp-0x23],0x0
   0x0000000000400722 <+252>: call   0x400510 <rand@plt>
   0x0000000000400727 <+257>: mov    BYTE PTR [rbp-0x22],al
   0x000000000040072a <+260>: lea    rax,[rbp-0x610]
   0x0000000000400731 <+267>: add    rax,0x1
   0x0000000000400735 <+271>: mov    rdi,rax
   0x0000000000400738 <+274>: mov    eax,0x0
   0x000000000040073d <+279>: call   0x4004f0 <printf@plt>
   0x0000000000400742 <+284>: jmp    0x40074e <main+296>
   0x0000000000400744 <+286>: mov    edi,0x4008ba
   0x0000000000400749 <+291>: call   0x4004d0 <puts@plt>
   0x000000000040074e <+296>: mov    eax,0x0
   0x0000000000400753 <+301>: mov    rbx,QWORD PTR [rbp-0x18]
   0x0000000000400757 <+305>: xor    rbx,QWORD PTR fs:0x28
   0x0000000000400760 <+314>: je     0x400767 <main+321>
   0x0000000000400762 <+316>: call   0x4004e0 <__stack_chk_fail@plt>
   0x0000000000400767 <+321>: add    rsp,0x11f8
   0x000000000040076e <+328>: pop    rbx
   0x000000000040076f <+329>: pop    rbp
   0x0000000000400770 <+330>: ret    
End of assembler dump.

The return value of rand() is checked with cmp ebx,0x1.

   0x0000000000400679 <+83>:   call   0x400510 <rand@plt>

(snip)

   0x000000000040068c <+102>: call   0x4004f0 <printf@plt>
   0x0000000000400691 <+107>: cmp    ebx,0x1
   0x0000000000400694 <+110>: jne    0x400744 <main+286>

Look at it in IDA.

It looks like getting past the jnz wins.

gdb-peda$ b *main+110
Breakpoint 2 at 0x400694
gdb-peda$ r

gdb-peda$ set $rip=0x40069a
gdb-peda$ n

Good.
puts("Congratulations, you're our lucky winner!")

gdb-peda$ c
Continuing.
Congratulations, you're our lucky winner!
+
[
-
-
-
-
-
-
-
-
-

(snip)

For a start, strip the newlines.

$ cat bf | tr -d '\n' > result

$ cat result 
+[--------->++<]>.+.--.++.---------.++++++++++++.+++++.+[-->+<]>+++.--[----->+<]>-.-------------.+++++++++.++++++.+[->+++<]>.++++++.[--->+<]>+.-[->+++<]>.--.-[--->+<]>-.-.+[->+++<]>++.+.++++++++++.-------.[--->+<]>----.++[->+++<]>.+++++++.-[--->+<]>--.-------.[------>+<]>++.+[-->+++<]>-.[--->+++++<]>.[----->+++<]>.[--->+<]>-.------------.+.+++++.---.------------.[--->+<]>--.----.+[----->++<]>-.[--->+<]>--.+++[->+++<]>++.+++++++.-----.++++.--.+++++++++.--------.-[--->+<]>-.[->+++<]>.[--->+<]>--.---.+++++++.[->+++<]>--.++++++++.++++.++.[->+++<]>.+++++++++++++.+++[->+++<]>++.+++++++++.+[--->+<]>+.[->+++<]>.-----------.-[--->+<]>++.--[->+++<]>.[--->+<]>.[->+++<]>-.++++++++.-.+++++++++.--------.-[--->+<]>-.--.++[->+++<]>.[--->+<]>++.-------.+++++++++++.

Brainfuck again.

rsqsjv{Arent_executables_fun?_I_think_so_sdkfjhqiweuryiquwerajzncxbvaihqiwueyr}

rsqsjv is a Caesar cipher.

ROT10    bcactf{Kboxd_ohomedklvoc_pex?_S_drsxu_cy_cnuptrasgoebisaegobktjxmhlfksrasgeoib}

FLAG : bcactf{Kboxd_ohomedklvoc_pex?_S_drsxu_cy_cnuptrasgoebisaegobktjxmhlfksrasgeoib}

Addendum

Let's try patching cmp edx, 1 to get past the jnz.

Fill the leftover bytes with nop.

xor edx, edx
nop

xor edx, edx sets ZF to 0, so it no longer jumps to loc_400744.

forensics

split-the-red-sea

Moses used a staff to split the Red Sea. What will you use?

Extract one bit of the red channel with stegsolve or a similar tool.

FLAG : bcactf{7w0_r3d5_sdf3wqa}

bca-craft

Yo I made a sic Minecraft adventure MAP! Try it out it's kewler than ur Fortnite gamez!

(This map runs in Minecraft 1.13.2 and above)

BCACraft.zip

Unzipping the zip gives something like this.

I thought I had seen level.dat somewhere before, and it turned out to be a Minecraft map (the challenge text says so too). Poking around, I found the flag.

datapacks\bcacraft\data\bca\functions\flag.mcfunction

tellraw @a ["Hello ", {"selector": "@p", "color": "yellow"}, "! The flag is: ", "b", "c", "a", "c", "t", "f", "{", {"text": "m1n3cr4f7_b347s_f0rtn1t3", "color": "blue", "bold": true, "obfuscated": true, "hoverEvent": {"action": "show_text", "value": {"text": "Good luck! ", "extra": [{"text": "Hint: Where does Minecraft store its worlds?", "color": "dark_gray", "italic": true}]}}}, "}"]

FLAG : bcactf{m1n3cr4f7_b347s_f0rtn1t3}

Since I was at it, I went into the Adventure world.

There was a command block, and I wondered whether I could read it from inside the game, but I couldn't.

The command block calls flag.mcfunction.
Apparently this feature was introduced in Java Edition 1.12.

file-head

It looks like the PNG file that holds our flag has been corrupted. My computer isn't able to recognize the file type, maybe it has something to do with how the file type is recognized...

flag.png

We are given flag.png, but it won't open. Going by the challenge name, I figured something was off in the header and looked at it in a binary editor.

The PNG file signature 89 50 4E 47 0D 0A 1A 0A has been overwritten with 41 41 41 41 41 41 41 41.
List of file signatures - Wikipedia

After fixing it, the file opened.

FLAG : bcactf{f1l3_h3ad3rs_r_c001}

open-docs

Yay! I really enjoy using these free and open file standards. I love them so much, that I made a file expressing how much I like using them. Let's enjoy open standards together!

open.docx

We are given open.docx. A docx is a zip, so change the extension to zip and extract it.

There is a blatantly suspicious file called secrets.xml.

<?xml version="1.0" encoding="utf-8"?>
PHNlY3JldCBmbGFnPSJiY2FjdGZ7ME94TWxfMXNfNG00ejFOZ30iIC8+

Base64-decode it and done.

<secret flag="bcactf{0OxMl_1s_4m4z1Ng}" />

study-of-roofs

My friend has always gotten in to weird things, and his recent obsession is with roofs. He sent me this picture recently, and said he hid something special in it. Do you think you could help me find it?

We are given a jpg.
It looks like something is embedded in it.

foremost dem_shingles.jpg 
Processing: dem_shingles.jpg
|*|

$ ls
dem_shingles.jpg  output

$ cd output 
$ ls
audit.txt  jpg
$ cd jpg 
$ ls
00000000.jpg  00003052.jpg

FLAG : bcactf{r4i53_7h3_r00f_liz4rd}

wavey

My friend sent me his new mixtape, but honestly I don't think it's that good. Can you take a look at it and figure out what's going on?

straightfire.wav

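We are given a wav.
Since it is a wav, and given the challenge name, I judged this to be a look-at-the-spectrum challenge.
I viewed it in Audacity.
I thought I would have to adjust the Hz range to see it, but it was visible as-is, which made it easy.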

FLAG : bcactf{f331in_7h3_vib3z}

the-flag-is

I have a flag! The flag is... wait... did my PDF editor not save the flag? OH NO! I remember typing it in, can you help me find it?

flag.pdf

For a start, open the given pdf.

It can't be read, so look at the binary.
There are two EOFs, so maybe something is there? (I don't really know.)

foremost flag.pdf 
Processing: flag.pdf
|*|

FLAG : bcactf{d0n7_4g3t_4b0u7_1nCr3Men74l_uPd473s}
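
Two %%EOF markers are what a PDF incremental save leaves behind: the editor appends new objects, a new xref section and a new trailer, and the earlier revision stays in the file byte for byte. The following is an added example, not code from the original post, that splits a file at each %%EOF and reports which objects a later save redefined. SAMPLE_PDF is a constructed, simplified byte string (uncompressed stream, dummy xref offsets), not the challenge file.

```python
import re

EOF_MARK = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
OBJ_DEF = re.compile(rb"(?m)^(\d+)\s+(\d+)\s+obj\b")
# Literal strings shown with the Tj operator. Assumes an uncompressed content
# stream; real files usually need the stream inflated first.
SHOWN_TEXT = re.compile(rb"\(([^()\\]*)\)\s*Tj")

# Constructed sample: revision 1 draws the full sentence, revision 2
# redefines object 4 with the secret removed.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 56 >>\nstream\n"
    b"BT /F1 12 Tf (The flag is SAMPLE{constructed}) Tj ET\n"
    b"endstream\nendobj\n"
    b"xref\n0 5\ntrailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    # ---- bytes appended by the second save ----
    b"4 0 obj\n<< /Length 36 >>\nstream\n"
    b"BT /F1 12 Tf (The flag is ) Tj ET\n"
    b"endstream\nendobj\n"
    b"xref\n4 1\ntrailer\n<< /Size 5 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)


def revision_deltas(data: bytes) -> list:
    """Bytes added by each save: the slices between consecutive %%EOF markers."""
    deltas, start = [], 0
    for m in EOF_MARK.finditer(data):
        deltas.append(data[start:m.end()])
        start = m.end()
    return deltas


def redefined_objects(data: bytes) -> dict:
    """Object number -> revisions defining it, for objects defined more than once."""
    seen = {}
    for rev, delta in enumerate(revision_deltas(data), start=1):
        for m in OBJ_DEF.finditer(delta):
            seen.setdefault(int(m.group(1)), []).append(rev)
    return {num: revs for num, revs in seen.items() if len(revs) > 1}


def text_by_revision(data: bytes) -> list:
    """Text drawn in each revision's own objects, oldest revision first."""
    return [[t.decode("latin-1") for t in SHOWN_TEXT.findall(delta)]
            for delta in revision_deltas(data)]


if __name__ == "__main__":
    print("revisions:", len(revision_deltas(SAMPLE_PDF)))
    print("redefined:", redefined_objects(SAMPLE_PDF))
    for rev, texts in enumerate(text_by_revision(SAMPLE_PDF), start=1):
        print(f"revision {rev}: {texts}")
```

A viewer renders only the newest definition of each object, so content that looks deleted stays recoverable until the file is rewritten in full rather than saved incrementally.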

corrupt-psd

I wanted to use Photoshop to embiggen my head, but er... something happened. It looks like Photoshop isn't the signature image editing program it used to be.

Can you help fix this?

flag.psd

We are given a psd file.

List of file signatures - Wikipedia

According to List_of_file_signatures, the psd file signature is 38 42 50 53, but the given psd has 4F 4F 50 53.

Rewrite 4F 4F 50 53 as 38 42 50 53.

After that, I just opened it in something like SketchBook and got the FLAG.

FLAG : bcactf{corrupt3d_ph0705sh0p?_n0_pr0b5_1af4efb890}
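
Both file-head and corrupt-psd come down to a damaged magic number in front of an otherwise intact file. The following is an added example, not code from the original post, that identifies the format from the structure that follows the signature (the PNG IHDR chunk and its CRC, the fixed PSD header fields) and restores the signature bytes quoted above. The sample files are built in memory and are constructed.

```python
import struct
import zlib

PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")
PSD_MAGIC = bytes.fromhex("38425053")  # "8BPS"


def looks_like_png_body(data: bytes) -> bool:
    """After the 8-byte signature a PNG starts with a 13-byte IHDR chunk."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(data[12:29]) == crc  # CRC covers chunk type + data


def looks_like_psd_body(data: bytes) -> bool:
    """PSD header: signature, version, 6 zero bytes, channels, h, w, depth, mode."""
    if len(data) < 26:
        return False
    version, reserved, channels = struct.unpack(">H6sH", data[4:14])
    (depth,) = struct.unpack(">H", data[22:24])
    return (version in (1, 2) and reserved == b"\x00" * 6
            and 1 <= channels <= 56 and depth in (1, 8, 16, 32))


def repair_magic(data: bytes):
    """Return (format, data with a correct signature), or (None, data)."""
    if looks_like_png_body(data):
        return "png", PNG_MAGIC + data[8:]
    if looks_like_psd_body(data):
        return "psd", PSD_MAGIC + data[4:]
    return None, data


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_sample_psd_header() -> bytes:
    """Constructed 26-byte PSD header: version 1, 3 channels, 1x1, 8-bit RGB."""
    return struct.pack(">4sH6sHIIHH", PSD_MAGIC, 1, b"\x00" * 6, 3, 1, 1, 8, 3)


SAMPLE_PNG = make_sample_png()
CORRUPT_PNG = b"\x41" * 8 + SAMPLE_PNG[8:]           # 41 41 41 41 41 41 41 41
SAMPLE_PSD = make_sample_psd_header()
CORRUPT_PSD = bytes.fromhex("4F4F") + SAMPLE_PSD[2:]  # 4F 4F 50 53

if __name__ == "__main__":
    for name, blob in (("png", CORRUPT_PNG), ("psd", CORRUPT_PSD)):
        kind, fixed = repair_magic(blob)
        print(name, "->", kind, fixed[:8].hex(" "))
```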

of-course-rachel

Ugh, I had a really important file with the flag, but sadly it broke. My friend Rachel said that snapshots are good for backing up, and luckily I listened so here is my screenshot. Do you think you could help me put it back together?

snapshot.zip

part1.png

part2.png

part3.png

part4.png

part5.png

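We are given five pngs of what looks like a hexdump(?).
Typing all of it into a binary editor piece by piece would be a pain, so use OCR.
Going by the challenge name too, it's Of-Course-Rachel, I guess? Making it lowercase is sneaky.

Use tesseract.

github.com

For installation and the like, see the documentation below.

Home · tesseract-ocr/tesseract Wiki · GitHub

I'm basically on Ubuntu, so: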

sudo apt install tesseract-ocr
sudo apt install libtesseract-dev

It says to add an entry to the sources list if the package can't be found.

sudo vi /etc/apt/sources.list

Copy the first line "deb http://archive.ubuntu.com/ubuntu bionic main" and paste it as shown below on the next line.
If you are using a different release of ubuntu, then replace bionic with the respective release name.

deb http://archive.ubuntu.com/ubuntu bionic universe

I split them up planning to go through them one at a time, but concatenating them would have been fine too.

$ tesseract part1.png out1.txt -l eng

$ tesseract part2.png out2.txt -l eng

$ tesseract part3.png out3.txt -l eng

$ tesseract part4.png out4.txt -l eng

$ tesseract part5.png out5.txt -l eng
$ cat out1.txt.txt 
696D706F 72742062 696E6173 6369690A 696D706F 72742072 616E646F 6DOAOAOA 636C6173 73205665
63746F72 286F626A 65637429 3AOA2020 20202222 220A2020 20202020 20205468 69732063 6C617373
20726570 72657365 6E747320 61207665 63746F72 206F6620 61726269 74726179 2073697A 652EOA20
20202020 20202059 6F75206E 65656420 746F2067 69766520 74686520 76656374 6F722063 6F6D706F
6E656E74 732E200A 0A202020 20202020 204F7665 72766965 77206162 6F757420 74686520 6D657468
6F64733A 0AOA2020 20202020 2020636F 6E737472 7563746F 7228636F 6D706F6E 656E7473

It has been turned into text. Concatenate everything and throw it at an ASCII converter.

Hex to ASCII Text converter

It isn't perfect, but what came back is within readable range.

import binascii
import randomclass Vector(object):¢  """
        This class represents a vector of arbitray size.¢       You need to give the vector components. 

        Overview about the methods:
¢      constructor(components : list) : init the vector
        set(components : list) : changes the vector components.¢       __str__() : toString method
        component(i : int): gets the i-th component (start by 0)
        __len__() : gets the size of the vector (number of components)
        euclidLength() : returns the eulidean length of the vector.¢       operator + : vector addition        operator - : vector subtraction        operator * : scalar multiplication and dot product
        copy() : copies this vector and returns it.¢       changeComponent(pos,value) : changes the specified component.
        TODO: compare-operator
    """

    def __init__(self, components=[]):        """
            input: components or nothing
            simple constructor for init the vector
        """
        self.__components = list(components)
¢  def set(self, components):
        """
            input: new components
            changes the components of the vector.
            replace the components with newer one.        """
        if len(components) > 0:            self.__components = list(components)
        elseraise Exception("please give any vector")
¢  def __str__(self):
        """
            returns a string representation of the vector
        """
        return "(" + ",".join(map(str, self.__components)) + ")"

    def component(self, i):
        """
            input: index (start at 0)
            output: the i-th component of the vector.
        """
        if type(i) is int and -len(self.__components) <= i < len(self.__components):¢          return self.__components[i]¢      else:            raise Exception("index out of range")
¢   def __len__(self):¢      """
            returns the size of the vector
        """
        return len(self.__components)
    def eulidLength(self):¢       """
            returns the eulidean length of the vector
        """
        summe = 0
        for c in self.__components:¢           summe += c**2
        return math.sqrt(summe)
¢  def __add__(self, other):        """
            input: other vector
            assumes: other vector has the same size
            returns a new vector that represents the sum.¢      """
        size = len(self)
        if size == len(other):¢          result = [self.__components[i] +¢                     other.component(i) for i in range(size)]¢          return Vector(result)
        elseraise Exception("must have the same size")
¢  def __sub__(self, other):        """
            input: other vector
            assumes: other vector has the same size
            returns a new vector that represents the differenz.        """
        size = len(self)
        if size == len(other):            result = [self.__components[i] -
                      other.component(i) for i in range(size)]            return result
        else:  # error case
            raise Exception("must have the same size")
¢  def __mul__(self, other):        """
            mul implements the scalar multiplication 
            and the dot-product
        """
        if isinstance(other, float) or isinstance(other, int):
            ans = [c*other for c in self.__components]            return ans
        elif (isinstance(other, Vector) and (len(self) == len(other))):¢           size = len(self)
            summe = 0
            for i in range(size):                summe += self.__components[i] * other.component(i)
            return summe
        else:  # error case
            raise Exception("invalide operand!")
¢  def copy(self):¢      """
            copies this vector and returns it.
        """
        return Vector(self.__components)
¢   def changeComponent(self, pos, value):¢      """
            input: an index (pos) and a value
            changes the specified component (pos) with the
            'value'
        """
        # precondition¢      assert (-len(self.__components) <= pos < len(self.__components))
        self.__components[pos] = value
flag = 820921601166721424573282546345206805820898697321521913920196691573868657577500743744203737234698

¦Ff zeroVector(dimension):
   """
       returns a zero-vector of size 'dimension'
    """
    # precondition¢  assert(isinstance(dimension, int))
    return Vector([0]*dimension)
def main():    print(int_to_text(flag))
¦ef unitBasisVector(dimension, pos):    """
        returns a unit basis vector with a One 
        at index 'pos' (indexing at 0)
    """
    # precondition¢  assert(isinstance(dimension, int) and (isinstance(pos, int)))
    ans = [0]*dimension    ans[pos] = 1
    return Vector(ans)

¦Ff axpy(scalar, x, y):¢  """¢      input: a 'scalar' and two vectors 'x' and 'y'
        output: a vector
        computes the axpy operation
    """
    # precondition    assert(isinstance(x, Vector) and (isinstance(y, Vector))
           and (isinstance(scalar, int) or isinstance(scalar, float)))
    return (x*scalar + y)
def randomVector(N, a, b):¢   """
        input: size (N) of the vector.¢             random range (a,b)
        output: returns a random vector of sizeN, with 
                random integer components between 'a' and 'b'.    """
    random.seed(None)
    ans = [random.randint(a, b) for i in range(N)]
    return Vector(ans)

¦Ff text_to_int(inp):    hexed = binascii.hexlify(inp)
    return int(hexed,16)

¦Ff int_to_text(inp):    hexed = hex(inp)
    return bytearray.fromhex(hexed[2:]).decode()
class Matrix(object):¢  """
    class: Matrix
    This class represents a arbitrary matrix.¢   Overview about the methods:           __str__() : returns a string representation 
           operator * : implements the matrix vector multiplication                        implements the matrix-scalar multiplication.
           changeComponent(x,y,value) : changes the specified component.¢         component(x,y) : returns the specified component.¢          width() : returns the width of the matrix
           height() : returns the height of the matrix
           operator + : implements the matrix-addition.¢          operator - _ implements the matrix-subtraction
    """
¢  def __init__(self, matrix, w, h):        """
            simple constructor for initialzes 
            the matrix with components.¢       """
        self.__matrix = matrix
        self.__width = w
        self.__height = h
¢  def __str__(self):
        """
            returns a string representation of this
           matrix.
        """
        ans = ""
        for i in range(self.__height):¢         ans += "|"
            for j in range(self.__width):¢              if j < self.__width - 1:¢                   ans += str(self.__matrix[i][j]) + ","
                else:¢                   ans += str(self.__matrix[i][j]) + "|\n"
        return ans¢   def changeComponent(self, x, y, value):¢       """
            changes the x-y component of this matrix
        """
        if x >= 0 and x < self.__height and y >= 0 and y < self.__width:
            self.__matrix[x][y] = value
        elseraise Exception("changeComponent: indices out of bounds")
¢  def component(self, x, y):¢     """
           returns the specified (x,y) component
        """
       if x >= 0 and x < self.__height and y >= 0 and y < self.__width:            return self.__matrix[x][y]¢       else:
            raise Exception("changeComponent: indices out of bounds")
    def width(self):
        """
            getter for the width
       """
        return self.__width
¢   def height(self):
        """
            getter for the height
        """
        return self.__height
    def __mul__(self, other):¢       """
            implements the matrix-vector multiplication.            implements the matrix-scalar multiplication        """
        if isinstance(other, Vector):  # vector-matrix
            if (len(other) == self.__width):                ans = zeroVector(self.__height)
                for i in range(self.__height):¢                   summe = 0
                    for j in range(self.__width):¢                       summe += other.component(j) * self.__matrix[i][j]¢                 ans.changeComponent(i, summe)
                    summe = 0
                return ans
            elseraise Exception(
                    "vector must have the same size as the " + "number of columns of the matrix!")
        elif isinstance(other, int) or isinstance(other, float):  # matrix-scalar
            matrix = [[self.__matrix[i][j] *¢                    other for j in range(self.__width)] for i in range(self.__height)]¢           return Matrix(matrix, self.__width, self.__height)
¢   def __add__(self, other):¢     """¢         implements the matrix-addition.
        """¢     if (self.__width == other.width() and self.__height == other.height()):¢         matrix = []¢         for i in range(self.__height):                row = []¢             for j in range(self.__width):¢                   row.append(self.__matrix[i][j] + other.component(i, j))
                matrix.apend(row)¢          return Matrix(matrix, self.__width, self.__height)¢     elseraise Exception("matrix must have the same dimension!")
    def __sub__(self, other):¢      """¢          implements the matrix-subtraction.
        """
        if (self.__width == other.width() and self.__height == other.height()):
            matrix = []¢         for i in range(self.__height):                row = []
                for j in range(self.__width):¢                   row.append(self.__matrix[i][j] - other.component(i, j))
                matrix.append(row)
            return Matrix(matrix, self.__width, self.__height)
        elseraise Exception("matrix must have the same dimension!")

def squareZeroMatrix(N):¢  """
        returns a square zero-matrix of dimensionNxN    """
    ans = [[0]*N for i in range(N)]    return Matrix(ans, N, N)
¦ef randomMatrix(W, H, a, b):
    """
        returns a random matrix WxH with integer components¢     between 'a' and 'b'
    """
    random.seed(None)
    matrix = [[random.randint(a, b) for j in range(W)] for i in range(H)]¢ return Matrix(matrix, W, H)
¦ain()

It is probably easier to read this way than with the blog's syntax highlighting.

The moment I saw flag = 820921601166721424573282546345206805820898697321521913920196691573868657577500743744203737234698, I thought I had won by doing decimal to ASCII, but it did not work out that way.

Look closely at the decoded source.

def main():    print(int_to_text(flag))

¦Ff int_to_text(inp):    hexed = hex(inp)
    return bytearray.fromhex(hexed[2:]).decode()

Fix it up.

import binascii

def int_to_text(inp):
    hexed = hex(inp)
    return bytearray.fromhex(hexed[2:]).decode()

flag = 820921601166721424573282546345206805820898697321521913920196691573868657577500743744203737234698

print(int_to_text(flag))

Output

$ python3 solve.py
bcactf{0p71c4lly_r3c0gn1z3d_ch4r4c73rs}

FLAG : bcactf{0p71c4lly_r3c0gn1z3d_ch4r4c73rs}
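
The tesseract output above contains groups such as 6DOAOAOA, where the letter O stands in for the digit 0, which is why the hex-to-ASCII step came back damaged. The following is an added example, not code from the original post, that repairs such look-alike characters before decoding and records every group it changed. The first two OCR lines are copied from the output above; the I/l to 1 mappings are assumptions, since only O for 0 appears on this page.

```python
import re

# Glyphs that can never be hex digits, mapped to the digit OCR most likely saw.
# Only O -> 0 is evidenced in the output above; the rest are assumptions.
LOOKALIKES = {"O": "0", "o": "0", "I": "1", "l": "1"}

# First two lines of out1.txt.txt as shown above.
OCR_LINES = [
    "696D706F 72742062 696E6173 6369690A 696D706F 72742072 616E646F 6DOAOAOA 636C6173 73205665",
    "63746F72 286F626A 65637429 3AOA2020 20202222 220A2020 20202020 20205468 69732063 6C617373",
]

HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")


def repair_group(group: str) -> str:
    """Replace look-alike glyphs inside one whitespace-separated group."""
    return "".join(LOOKALIKES.get(c, c) for c in group)


def ocr_hex_to_bytes(lines):
    """Return (decoded bytes, [(original, repaired), ...] for changed groups).

    Raises ValueError rather than guessing when a group still is not hex
    after repair or when a nibble is missing.
    """
    repaired_groups, changes = [], []
    for group in " ".join(lines).split():
        repaired = repair_group(group)
        if repaired != group:
            changes.append((group, repaired))
        if not HEX_ONLY.fullmatch(repaired):
            raise ValueError(f"unrepairable OCR group: {group!r}")
        repaired_groups.append(repaired)
    hex_string = "".join(repaired_groups)
    if len(hex_string) % 2:
        raise ValueError("odd number of hex digits; OCR dropped a character")
    return bytes.fromhex(hex_string), changes


if __name__ == "__main__":
    data, changes = ocr_hex_to_bytes(OCR_LINES)
    print(data.decode("ascii"))
    for before, after in changes:
        print(f"repaired {before} -> {after}")
```

Reviewing the list of changed groups is the manual check: a substitution between two valid hex digits (8 for B, for example) cannot be detected this way and only shows up as a wrong character in the decoded source.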

programming

1+1=window

hex+hex=hex

one.txt
two.txt

We are given one.txt and two.txt.

one.txt

0x23 0x49 0x16 0x46 0x45 0x16 0x3c 0x3c 0x45 0x64 0x16 0x37 0x3c 0x3c 0x3c 0x16 0x46 0x45 0x37 0x1e 0x49 0x16 0x46 0x49 0x16 0x1e 0x16 0x32 0x32 0x3c 0x32 0x49 0x3c 0x64 0x1e 0x32 0x3c 0x18 0x64 0x32 0x32 0x50 0x14 0x64 0x32 0x5a 0x45 0x32 0x32 0x55 0x50 0x49 0x3c 0x14 0x3c 0x5f

two.txt

0x26 0x2b 0x0a 0x23 0x2e 0x0a 0x29 0x25 0x2e 0x15 0x0a 0x37 0x25 0x25 0x2c 0x0a 0x23 0x2e 0x37 0x09 0x2b 0x0a 0x23 0x2b 0x0a 0x21 0x0a 0x30 0x31 0x25 0x31 0x2b 0x2a 0x17 0x13 0x2d 0x2c 0x18 0x0c 0x01 0x2d 0x29 0x1c 0x11 0x2d 0x1b 0x2e 0x01 0x2d 0x1b 0x29 0x2b 0x2c 0x1c 0x32 0x1e

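Judging from the challenge text, I guess we are meant to add everything together. Convert each value to an integer with int(s, 16), add them, then turn the sums into ASCII characters with chr().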

one = open('one.txt', 'r').read().split()
two = open('two.txt', 'r').read().split()

flag = ''

for i in range(len(one)):
    result = int(one[i],16) + int(two[i],16)
    flag += (chr(result))

print(flag)

Output

$ python solve.py
It is easy naah isn't it ? bcactf{1_h0p3_y0u_us3_pyth0n}

FLAG : bcactf{1_h0p3_y0u_us3_pyth0n}

public-library

Hidden in this mysterious public library is the flag. Can you get it?

PublicLibrary.class

We are given a class file.
For a start, run it through a decompiler.

Java decompiler online

Decompiled result
PublicLibrary.java

import kotlin.Metadata;

@Metadata(mv={1, 1, 13}, bv={1, 0, 3}, k=1, d1={"\000\024\n\002\030\002\n\002\020\000\n\002\b\002\n\002\020\016\n\002\b\002\030\0002\0020\001B\005¢\006\002\020\002J\006\020\005\032\0020\004R\016\020\003\032\0020\004XD¢\006\002\n\000¨\006\006"}, d2={"LPublicLibrary;", "", "()V", "flag", "", "getFlag", "public-library"})
public final class PublicLibrary { private final String flag = "bcactf{t4k3_4_j4v4_c7a55_789208694209642475}";
  
  @org.jetbrains.annotations.NotNull
  public final String getFlag() { return flag; }
  
  public PublicLibrary() {}
}

FLAG : bcactf{t4k3_4_j4v4_c7a55_789208694209642475}

reversing

basic-pass-1

Your company is testing out a new login software, and being one of the CompSec experts, they want you to test it. They say that they have hidden a key somewhere in the program, and want you to look for it. Find it, and they might even consider giving you a pay raise...
They have told you that there is a four digit pin on the program to unlock it.

basic-pass-1-linux
basic-pass-1-mac
basic-pass-1-win.exe

A kind world where they provide binaries for linux, mac and win. I choose linux!

$ file basic-pass-1-linux 
basic-pass-1-linux: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9cee815

$ chmod +x basic-pass-1-linux

$ ./basic-pass-1-linux 
Usage: ./basic-pass-1-linux <passcode>%

Apparently a passcode is needed. A four-digit one, per the challenge text below.

They have told you that there is a four digit pin on the program to unlock it.

I figured I would start with 1234, and it turned out to be a hit...

./basic-pass-1-linux 1234
Congrats! The key is bcactf{hey_its_a_password}

Feeling a bit guilty, I decided to look at it properly, and the flag was sitting right there in the strings output.

$ strings basic-pass-1-linux | grep bcactf                            
Congrats! The key is bcactf{hey_its_a_password}

Feeling even guiltier, I looked at it properly. I analyzed it with radare2; an image is provided below the listing, so feel free to skip reading it.

$ r2 basic-pass-1-linux 
 -- Hello Mr. Anderson
[0x00000610]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Enable constraint types analysis for variables
[0x00000610]> afl
0x00000000    2 25           loc.imp._ITM_deregisterTMCloneTable
0x000005a0    3 23           sym._init
0x000005d0    1 6            sym.imp.puts
0x000005e0    1 6            sym.imp.fprintf
0x000005f0    1 6            sym.imp.atoi
0x00000600    1 6            sym..plt.got
0x00000610    1 42           entry0
0x00000640    4 50   -> 40   sym.deregister_tm_clones
0x00000680    4 66   -> 57   sym.register_tm_clones
0x000006d0    5 58   -> 51   entry.fini0
0x00000710    1 10           entry.init0
0x0000071a    6 126          main
0x000007a0    4 101          sym.__libc_csu_init
0x00000810    1 2            sym.__libc_csu_fini
0x00000814    1 9            sym._fini
[0x00000610]> s main
[0x0000071a]> pdf
/ (fcn) main 126
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_10h @ rbp-0x10
|           ; var int32_t var_4h @ rbp-0x4
|           ; arg int argc @ rdi
|           ; arg char **argv @ rsi
|           ; DATA XREF from entry0 (0x62d)
|           0x0000071a      55             push rbp
|           0x0000071b      4889e5         mov rbp, rsp
|           0x0000071e      4883ec10       sub rsp, 0x10
|           0x00000722      897dfc         mov dword [var_4h], edi     ; argc
|           0x00000725      488975f0       mov qword [var_10h], rsi    ; argv
|           0x00000729      837dfc02       cmp dword [var_4h], 2
|       ,=< 0x0000072d      7540           jne 0x76f
|       |   0x0000072f      488b45f0       mov rax, qword [var_10h]
|       |   0x00000733      4883c008       add rax, 8
|       |   0x00000737      488b00         mov rax, qword [rax]
|       |   0x0000073a      4889c7         mov rdi, rax
|       |   0x0000073d      e8aefeffff     call sym.imp.atoi           ; int atoi(const char *str)
|       |   0x00000742      3dd2040000     cmp eax, 0x4d2
|      ,==< 0x00000747      7513           jne 0x75c
|      ||   0x00000749      488d3dd80000.  lea rdi, str.Congrats__The_key_is_bcactf_hey_its_a_password ; 0x828 ; "Congrats! The key is bcactf{hey_its_a_password}"
|      ||   0x00000750      e87bfeffff     call sym.imp.puts           ; int puts(const char *s)
|      ||   0x00000755      b800000000     mov eax, 0
|     ,===< 0x0000075a      eb3a           jmp 0x796
|     |||   ; CODE XREF from main (0x747)
|     |`--> 0x0000075c      488d3df50000.  lea rdi, str.Incorrect_passcode. ; 0x858 ; "Incorrect passcode."
|     | |   0x00000763      e868feffff     call sym.imp.puts           ; int puts(const char *s)
|     | |   0x00000768      b801000000     mov eax, 1
|     |,==< 0x0000076d      eb27           jmp 0x796
|     |||   ; CODE XREF from main (0x72d)
|     ||`-> 0x0000076f      488b45f0       mov rax, qword [var_10h]
|     ||    0x00000773      488b10         mov rdx, qword [rax]
|     ||    0x00000776      488b05a30820.  mov rax, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5 ; [0x201020:8]=0
|     ||    0x0000077d      488d35e80000.  lea rsi, str.Usage:__s__passcode ; 0x86c ; "Usage: %s <passcode>"
|     ||    0x00000784      4889c7         mov rdi, rax
|     ||    0x00000787      b800000000     mov eax, 0
|     ||    0x0000078c      e84ffeffff     call sym.imp.fprintf        ; int fprintf(FILE *stream, const char *format,   ...)
|     ||    0x00000791      b801000000     mov eax, 1
|     ||    ; CODE XREFS from main (0x75a, 0x76d)
|     ``--> 0x00000796      c9             leave
\           0x00000797      c3             ret

|       |   0x0000073d      e8aefeffff     call sym.imp.atoi           ; int atoi(const char *str)
|       |   0x00000742      3dd2040000     cmp eax, 0x4d2

After atoi converts the argument to an int, it is compared with cmp eax, 0x4d2.

$ python
Python 3.7.3 (v3.7.3:ef4ec6ed12, Mar 25 2019, 22:22:05) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x4d2
1234

FLAG : bcactf{hey_its_a_password}

basic-pass-2

Your company is testing out its new employee portal. After your previous shot, they made the password a bit more secure, so you can't brute force it anymore. Rise up to the occasion and demonstrate why a local machine is a bad idea, and having the account credentials on a remote server is a better idea.

basic-pass-2-linux basic-pass-2-mac

Windows got left out.

$ file basic-pass-2-linux 
basic-pass-2-linux: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=385e506faa05107abbd000ac2e9b1b23a15aeb86, not stripped

$ chmod +x basic-pass-2-linux

$ ./basic-pass-2-linux 
Usage: ./basic-pass-2-linux <password>

So it is one that takes the password as an argument.

$ ./basic-pass-2-linux 1234
Incorrect passcode.

No luck.

$ r2 basic-pass-2-linux 
 -- what happens in #radare, stays in #radare
[0x00000680]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Enable constraint types analysis for variables
[0x00000680]> afl
0x00000000   12 459  -> 507  loc.imp._ITM_deregisterTMCloneTable
0x00000600    3 23           sym._init
0x00000630    1 6            sym.imp.puts
0x00000640    1 6            sym.imp.__stack_chk_fail
0x00000650    1 6            sym.imp.strcmp
0x00000660    1 6            sym.imp.fprintf
0x00000670    1 6            sym..plt.got
0x00000680    1 42           entry0
0x000006b0    4 50   -> 40   sym.deregister_tm_clones
0x000006f0    4 66   -> 57   sym.register_tm_clones
0x00000740    5 58   -> 51   entry.fini0
0x00000780    1 10           entry.init0
0x0000078a    8 250          main
0x00000890    4 101          sym.__libc_csu_init
0x00000900    1 2            sym.__libc_csu_fini
0x00000904    1 9            sym._fini
[0x00000680]> s main
[0x0000078a]> pdf
/ (fcn) main 250
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_50h @ rbp-0x50
|           ; var int32_t var_44h @ rbp-0x44
|           ; var int32_t var_40h @ rbp-0x40
|           ; var int32_t var_38h @ rbp-0x38
|           ; var int32_t var_30h @ rbp-0x30
|           ; var int32_t var_28h @ rbp-0x28
|           ; var int32_t var_20h @ rbp-0x20
|           ; var int32_t var_18h @ rbp-0x18
|           ; var int32_t var_14h @ rbp-0x14
|           ; var int32_t var_8h @ rbp-0x8
|           ; arg int argc @ rdi
|           ; arg char **argv @ rsi
|           ; DATA XREF from entry0 (0x69d)
|           0x0000078a      55             push rbp
|           0x0000078b      4889e5         mov rbp, rsp
|           0x0000078e      4883ec50       sub rsp, 0x50               ; 'P'
|           0x00000792      897dbc         mov dword [var_44h], edi    ; argc
|           0x00000795      488975b0       mov qword [var_50h], rsi    ; argv
|           0x00000799      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=0x19e8 ; '('
|           0x000007a2      488945f8       mov qword [var_8h], rax
|           0x000007a6      31c0           xor eax, eax
|           0x000007a8      837dbc02       cmp dword [var_44h], 2
|       ,=< 0x000007ac      0f8595000000   jne 0x847
|       |   0x000007b2      48b874686973.  movabs rax, 0x2073692073696874 ; 'this is '
|       |   0x000007bc      48ba61206d75.  movabs rdx, 0x6d206863756d2061 ; 'a much m'
|       |   0x000007c6      488945c0       mov qword [var_40h], rax
|       |   0x000007ca      488955c8       mov qword [var_38h], rdx
|       |   0x000007ce      48b86f726520.  movabs rax, 0x756365732065726f ; 'ore secu'
|       |   0x000007d8      48ba72652070.  movabs rdx, 0x7773736170206572 ; 're passw'
|       |   0x000007e2      488945d0       mov qword [var_30h], rax
|       |   0x000007e6      488955d8       mov qword [var_28h], rdx
|       |   0x000007ea      48b86f72642c.  movabs rax, 0x742069202c64726f ; 'ord, i t'
|       |   0x000007f4      488945e0       mov qword [var_20h], rax
|       |   0x000007f8      c745e868696e.  mov dword [var_18h], 0x6b6e6968 ; 'hink'
|       |   0x000007ff      c645ec00       mov byte [var_14h], 0
|       |   0x00000803      488b45b0       mov rax, qword [var_50h]
|       |   0x00000807      4883c008       add rax, 8
|       |   0x0000080b      488b00         mov rax, qword [rax]
|       |   0x0000080e      488d55c0       lea rdx, [var_40h]
|       |   0x00000812      4889d6         mov rsi, rdx
|       |   0x00000815      4889c7         mov rdi, rax
|       |   0x00000818      e833feffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
|       |   0x0000081d      85c0           test eax, eax
|      ,==< 0x0000081f      7513           jne 0x834
|      ||   0x00000821      488d3df00000.  lea rdi, str.Congrats__The_key_is_bcactf_its_another_password ; 0x918 ; "Congrats! The key is bcactf{its_another_password}"
|      ||   0x00000828      e803feffff     call sym.imp.puts           ; int puts(const char *s)
|      ||   0x0000082d      b800000000     mov eax, 0
|     ,===< 0x00000832      eb3a           jmp 0x86e
|     |||   ; CODE XREF from main (0x81f)
|     |`--> 0x00000834      488d3d0f0100.  lea rdi, str.Incorrect_passcode. ; 0x94a ; "Incorrect passcode."
|     | |   0x0000083b      e8f0fdffff     call sym.imp.puts           ; int puts(const char *s)
|     | |   0x00000840      b801000000     mov eax, 1
|     |,==< 0x00000845      eb27           jmp 0x86e
|     |||   ; CODE XREF from main (0x7ac)
|     ||`-> 0x00000847      488b45b0       mov rax, qword [var_50h]
|     ||    0x0000084b      488b10         mov rdx, qword [rax]
|     ||    0x0000084e      488b05cb0720.  mov rax, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5 ; [0x201020:8]=0
|     ||    0x00000855      488d35020100.  lea rsi, str.Usage:__s__password ; 0x95e ; "Usage: %s <password>"
|     ||    0x0000085c      4889c7         mov rdi, rax
|     ||    0x0000085f      b800000000     mov eax, 0
|     ||    0x00000864      e8f7fdffff     call sym.imp.fprintf        ; int fprintf(FILE *stream, const char *format,   ...)
|     ||    0x00000869      b801000000     mov eax, 1
|     ||    ; CODE XREFS from main (0x832, 0x845)
|     ``--> 0x0000086e      488b4df8       mov rcx, qword [var_8h]
|           0x00000872      6448330c2528.  xor rcx, qword fs:[0x28]
|       ,=< 0x0000087b      7405           je 0x882
|       |   0x0000087d      e8befdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|       |   ; CODE XREF from main (0x87b)
|       `-> 0x00000882      c9             leave
\           0x00000883      c3             ret

What's more, the flag was right there in strings.

$ strings basic-pass-2-linux | grep bcactf
Congrats! The key is bcactf{its_another_password}

Feeling guilty, I looked at it properly.

./basic-pass-2-linux "this is a much more secure password, i think"
Congrats! The key is bcactf{its_another_password}

FLAG : bcactf{its_another_password}

basic-pass-3

Ok, the sysadmin finally admits that maybe authentication should happen on a server. Can you just check everything really quick to make sure there aren't any problems now? He put some readouts for people who forget their passwords.

nc challenges.ctfd.io 30133

On connecting, Enter the password prompts for a password.
Entering something arbitrary returned 00000000000000000000000000000000000000.
Entering aaaa returned 00100000000000000000000000000000000000, so I infer that entering the same string as the FLAG returns all 1s.

$ nc challenges.ctfd.io 30133
welcome to the login portal.
Enter the password.
a
00000000000000000000000000000000000000
Enter the password.
aaaa
00100000000000000000000000000000000000
Enter the password.
bcactf
11111100000000000000000000000000000000
Enter the password.

solve.py

from pwn import *

r = remote('challenges.ctfd.io', 30133)

# Candidate characters, tried in this order
characters = '{}_@#$!%^&*()-+=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
flag = ''
check_i = 0   # index of the next position to recover
done = False

print(r.recvuntil(b'welcome to the login portal.').decode())

while not done:
    for c in characters:
        print(r.recvuntil(b'Enter the password.\n').decode())
        r.sendline((flag + c).encode())
        print('[*]Sending : ' + flag + c)
        check = r.recvline().rstrip().decode()
        print(check)
        # On a full match the server answers "Correct!" instead of a bit string
        if check == 'Correct!':
            flag += c
            done = True
            break
        # A '1' at position check_i means the character just appended is right
        if check[check_i] == '1':
            flag += c
            check_i += 1
            print('[*]Found! : ' + flag)

print(flag)

Output

$ python solve.py 
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/user/.pwntools-cache/update to 'never'.
[*] You have the latest version of Pwntools (3.12.2)
[+] Opening connection to challenges.ctfd.io on port 30133: Done
welcome to the login portal.

Enter the password.

[*]Sending : {
00000000000000000000000000000000000000
Enter the password.

[*]Sending : }
00000000000000000000000000000000000000
Enter the password.

[*]Sending : _
00000000000000000000000000000000000000
Enter the password.

[*]Sending : @
00000000000000000000000000000000000000
Enter the password.


(snip)


[*]Sending : a
00000000000000000000000000000000000000
Enter the password.

[*]Sending : b
10000000000000000000000000000000000000
[*]Found! : b
Enter the password.

[*]Sending : bc
11000000000000000000000000000000000000
[*]Found! : bc
Enter the password.

[*]Sending : bcd
11000000000000000000000000000000000000
Enter the password.

[*]Sending : bce
11000000000000000000000000000000000000
Enter the password.

[*]Sending : bcf
11000000000000000000000000000000000000
Enter the password.

[*]Sending : bcg
11000000000000000000000000000000000000
Enter the password.

[*]Sending : bch
11000000000000000000000000000000000000
Enter the password.


(snip)


[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluU
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluV
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluW
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluX
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluY
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGluZ
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGlu{
11111111111111111111111111111111111110
Enter the password.

[*]Sending : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGlu}
Correct!

FLAG : bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGlu}
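
Why the per-position readout is the weakness, as an added example that is not part of the original write-up: a local model of the check next to a version that answers only pass or fail. SECRET, ALPHABET and every function name are constructed for the illustration; the real server's code is not on the page.

```python
import hmac

SECRET = "flag{constructed_sample}"      # constructed sample, not the challenge flag
ALPHABET = "{}_abcdefghijklmnopqrstuvwxyz"


def leaky_check(guess, secret=SECRET):
    """Behaviour seen in the transcript: one '1' per position that matches."""
    if guess == secret:
        return "Correct!"
    return "".join(
        "1" if i < len(guess) and guess[i] == ch else "0"
        for i, ch in enumerate(secret)
    )


def hardened_check(guess, secret=SECRET):
    """One pass/fail answer, compared in constant time, no positional detail."""
    ok = hmac.compare_digest(guess.encode(), secret.encode())
    return "Correct!" if ok else "Incorrect password."


def recover(check, alphabet=ALPHABET, max_len=64):
    """Try to rebuild the secret from replies; returns (secret_or_None, queries)."""
    known, queries = "", 0
    while len(known) < max_len:
        for c in alphabet:
            queries += 1
            reply = check(known + c)
            if reply == "Correct!":
                return known + c, queries
            is_bitmap = set(reply) <= {"0", "1"} and len(reply) > len(known)
            # Position len(known) turns to '1' only when c is the right character
            if is_bitmap and reply[len(known)] == "1":
                known += c
                break
        else:
            return None, queries          # no character advanced: nothing leaks
    return None, queries


if __name__ == "__main__":
    print("leaky   :", recover(leaky_check))
    print("hardened:", recover(hardened_check))
    print("blind search space:", len(ALPHABET) ** len(SECRET))
```

With the readout, the number of guesses grows with length times alphabet size; with the pass/fail answer, the same loop learns nothing after one pass over the alphabet.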

scratch-that

I made a Guess the Flag game! It's in Scratch, what could be easier? Click here to access the game.

https://scratch.mit.edu/projects/276674047/

Clicking the link takes you to the following page.

Clicking the flag makes the cat ask for the FLAG.

The source can be viewed through See inside.
generate flag did the following.

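My first approach was to write the same code in Python and have it print the FLAG.
But the FLAG did not match.

Shifting d3hct4rcs around is fine.
For translating why into French, I asked Google Translate and it said Pourquoi.
The backdrop name is probably empty.
var3 is multiplied by 0, so the random number does not matter.
The problem is var4: (12341234 / 1234) + (23412342453425 * (1000 % 3)) is fine, but I wondered what "+25 and 6" was supposed to be.
I tried adding 31 and adding 256 as a string, but the answer did not match and I gave up.

Changing approach, I edited the source to make the cat display the FLAG.
I removed check flag, put generate flag in front of it, and had the cat say flag.

I got the FLAG, so I tried to work out why the calculation had not matched. "+25 and 6" matches if it is +256.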

flag = 'bcactf{'

var1 = 'd3hct4rcs'
var2 = len(var1)

# Append var1 back to front
while var2 >= 1:
    flag += var1[var2-1]
    var2 = var2 - 1

flag += '_'
flag += 'Pourquoi'
flag += '_'
flag += 'empty'
flag += '_'

# // keeps the result an integer on Python 3 as well as Python 2
var3 = (12341234 // 1234) + (23412342453425 * (1000 % 3)) + 256
flag += str(var3)
flag += '}'

print(flag)

$ python solve.py
bcactf{scr4tch3d_Pourquoi_empty_23412342463682}

FLAG : bcactf{scr4tch3d_Pourquoi_empty_23412342463682}

compression

A stranger on the internet is giving away his passwords. They claim they are encrypted, but you quickly realize that it is only compressed. You have to get hold of their passwords so that you can prove them wrong.

999

A file named 999 is given. It is bzip2, so I decompress it.

$ file 999
999: bzip2 compressed data, block size = 900k

$ bunzip2 999
bunzip2: Can't guess original name for 999 -- using 999.out

$ file 999.out 
999.out: gzip compressed data, last modified: Thu Jan 10 00:13:40 2019, from Unix

$ mv 999.out 999.gz

$ gunzip 999.gz

$ file 999
999: POSIX tar archive (GNU)

$ tar -xvf 999
871

Repeat the same steps on the extracted 871.

(snip)
$ tar -xvf 871.out 
123

$ file 123
123: ASCII text

A plain text file dropped out. As the Hint also says, it appears to be a hexdump.

Hint

123 and 240 are hexdumps (not necessarily compression)

$ strings 123 
00000000: 1f8b 0808 348e 365c 0003 3531 3100 019d  ....4.6\..511...
00000010: 0762 f842 5a68 3931 4159 2653 59f7 ed65  .b.BZh91AY&SY..e
00000020: dd00 006d 7fff ffff ffff ffff ffff ffff  ...m............
00000030: ffff ffff 7fff ffff ffff ffff ffff 7fff  ................
00000040: ffff ffff ffff d004 1ef7 79a5 af7b 65d7  ..........y..{e.
00000050: b9ce 6578 6453 d264 0f50 6991 ea3c 88f2  ..exdS.d.Pi..<..
00000060: 9ea1 a0f4 8d34 c434 643c 93d4 d0d3 ca3d  .....4.4d<.....=
(snip)

linux - Hexdump command reverse - Stack Overflow

A hexdump file can be reversed with xxd file | xxd -r file > output.

$ xxd 123 | xxd -r 123 > output
$ file output 
output: gzip compressed data, was "511", last modified: Thu Jan 10 00:13:40 2019, from Unix

After that, keep decompressing.

$ cat 000
bcactf{A_l0t_0f_c0mPr3s510n}

FLAG : bcactf{A_l0t_0f_c0mPr3s510n}
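
The repeated file, decompress and hexdump-reverse steps above can be automated. This added example (not from the original write-up) peels bzip2, gzip, tar and xxd layers in memory, with a size cap per layer and a cap on the number of layers; the sample archive and all function names are constructed here.

```python
import bz2, gzip, io, tarfile, zlib

MAX_BYTES = 16 * 1024 * 1024   # per-layer output cap (decompression-bomb guard)


def _bounded(decompressor, data, limit):
    out = decompressor.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("layer expands past the size limit")
    return out


def unhexdump(data):
    """Reverse xxd output: the hex groups sit in fixed columns 10..48."""
    out = bytearray()
    for line in data.splitlines():
        out += bytes.fromhex(line[10:49].decode().replace(" ", ""))
    return bytes(out)


def peel(data, limit=MAX_BYTES):
    """Strip one layer. Returns (kind, inner), or (None, data) if unrecognised."""
    if data[:3] == b"BZh":
        return "bzip2", _bounded(bz2.BZ2Decompressor(), data, limit)
    if data[:2] == b"\x1f\x8b":
        return "gzip", _bounded(zlib.decompressobj(wbits=31), data, limit)
    if data[:10] == b"00000000: ":
        return "hexdump", unhexdump(data)
    if data[257:262] == b"ustar":
        # Read the first regular file into memory; member names are never
        # used as filesystem paths, so a hostile name cannot write anywhere.
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            member = next(m for m in tar if m.isfile())
            if member.size > limit:
                raise ValueError("tar member exceeds the size limit")
            return "tar", tar.extractfile(member).read()
    return None, data


def unwrap(data, max_layers=2000, limit=MAX_BYTES):
    """Peel layers until nothing is recognised; returns (payload, layer kinds)."""
    kinds = []
    while True:
        kind, data = peel(data, limit)
        if kind is None:
            return data, kinds
        kinds.append(kind)
        if len(kinds) > max_layers:
            raise ValueError("more than max_layers layers")


# --- constructed sample input (not the challenge file) ---
def xxd(data):
    """Format bytes the way xxd does, 16 bytes per line."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = chunk.hex()
        groups = " ".join(hexs[i:i + 4] for i in range(0, len(hexs), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x: %-39s  %s" % (off, groups, text))
    return ("\n".join(lines) + "\n").encode()


def tar_of(name, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample():
    inner = gzip.compress(tar_of("000", b"constructed{nested_layers}\n"))
    return bz2.compress(gzip.compress(tar_of("871", xxd(inner))))


if __name__ == "__main__":
    payload, kinds = unwrap(build_sample())
    print(kinds, payload)
```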

web

wite-out

Wait, where's the flag?

There's something here... Copy, paste, done.

FLAG : bcactf{17s_r1gh7_h3r3_1n_wh1t3_1397856}

dig-dug

I found this super sketchy website called hole.sketchy.dev. Can you help me dig up some of its secrets?

Oh, and someone told me that the secrets are TXT. I don't know what this means, so good luck!

Apparently we just need to look at the TXT record of hole.sketchy.dev.

# dig hole.sketchy.dev TXT

; <<>> DiG 9.10.3-P4-Ubuntu <<>> hole.sketchy.dev TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 4096
;; QUESTION SECTION:
;hole.sketchy.dev.        IN  TXT

;; ANSWER SECTION:
hole.sketchy.dev. 5   IN  TXT "bcactf{d1g-f0r-h073s-w/-dns-8044323}"

;; AUTHORITY SECTION:
sketchy.dev.      5   IN  NS  greg.ns.cloudflare.com.
sketchy.dev.      5   IN  NS  molly.ns.cloudflare.com.

;; ADDITIONAL SECTION:
greg.ns.cloudflare.com.   5   IN  AAAA    2400:cb00:2049:1::adf5:3b73
molly.ns.cloudflare.com. 5    IN  AAAA    2400:cb00:2049:1::adf5:3acd
greg.ns.cloudflare.com.   5   IN  A   173.245.59.115
molly.ns.cloudflare.com. 5    IN  A   173.245.58.205

;; Query time: 26 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Jun 09 06:10:09 PDT 2019
;; MSG SIZE  rcvd: 238

FLAG : bcactf{d1g-f0r-h073s-w/-dns-8044323}

My friend built a cookie clicker. How do I beat it?

http://35.225.2.44:5001/

It's that familiar game where clicking increases your cookies.

Pressing shop at the bottom closed the tab for some reason, so I looked at the source, found /shop, and opened the shop directly by its link.

Apparently the flag can be bought for 100000000000000000000 cookies.
Time to leave an auto-click tool running, I guess.

Checking with the developer tools, the number of cookies owned is stored in a cookie, so I rewrite it.
Or so I thought, but it did not work.

I tried rewriting it with Cookie Edit, but that did not work.

Changing approach, I intercept with Burp Suite and rewrite the request.
The request when buying the flag in the shop

Response

FLAG : cbactf{c00k13s_c71ck3d_34_a2344d}

Quest

copypasta

See discord (#copypasta).

pinned.

FLAG : bcactf{c0pYp4st4s_Ar3_c00l}

you-wanted-it

Make it print the number 1.

🤔
done.

free-real-estate

Choose "A" or "B", the choice is yours. It's free real estate!

https://www.youtube.com/watch?v=yNxPVj0hejg

I choose B!!!!

...

It was -1 point.

FLAG : B?

for-the-night-is-dark-1

Hello, traveler. Welcome to your quest. You must walk the Red Lord's shining path, guided by his shining stars. Here is a picture of those stars. A map if you will. May the Lord of Light give you wisdom.

NOTE: As more heroes complete each stage of the quest, fewer points will be available to future teams.

starmap.bmp

Enlarged version

Hint

One per row, top to bottom.

Top to bottom, apparently.
Let's extract the red bits. At first glance it looks like http://.

00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 :             h    
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 :                t 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 70 :              t  p
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 3A 00 00 00 :              :   
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 2F 00 00 00 00 00 00 00 00 00 :        /         
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :                  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 2F 00 :                / 

(snip)

Removing the 00 (" ") bytes gives the following URL.

http://rhllor.xyz/7h3fir31n0urh3ar75_d2VsY29tZSB0byBzdGVwIG9uZQ

Accessing it gives the following page.

Stage 1
Good job on your first quest, hero of light.

I will reward your efforts with a flag, as I hear those are what your kind hunt for.

bcactf{gu1d3d_8y_574r5_QmVnaW5uaW5ncw}
But your journey does not end here, dear hero. The Heart of Fire has more that must be done.

Task 2: Trial by Fire
The Lord of Light always knows the truth. A true hero of the light would always be able to tell the truth as well. Prove yourself a true hero here and you will recieve your second flag.

The portal to truth lies ahead.

FLAG : bcactf{gu1d3d_8y_574r5_QmVnaW5uaW5ncw}
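
The red-channel extraction described above, as an added example rather than the author's tool. It assumes an uncompressed 24-bit BMP in which each marked pixel carries an ASCII code in its red byte; the sample image and the function names are constructed here.

```python
import struct


def red_channel_rows(bmp):
    """Return the red byte of every pixel, one list per row, top row first."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (pixel_offset,) = struct.unpack_from("<I", bmp, 10)
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    stride = (width * 3 + 3) & ~3        # each row is padded to a multiple of 4
    rows = []
    for y in range(abs(height)):
        start = pixel_offset + y * stride
        row = bmp[start:start + width * 3]
        if len(row) != width * 3:
            raise ValueError("pixel data is truncated")
        rows.append(list(row[2::3]))     # pixels are stored as B, G, R
    # A positive height means the file stores the bottom row first.
    return rows if height < 0 else rows[::-1]


def read_message(bmp):
    """Concatenate the non-zero red values, row by row from the top."""
    return "".join(chr(v) for row in red_channel_rows(bmp) for v in row if v)


def make_sample(text, width=16):
    """Constructed sample: black 24-bit BMP with one red-marked pixel per row."""
    stride = (width * 3 + 3) & ~3
    rows = []
    for i, ch in enumerate(text):
        row = bytearray(stride)
        row[((i * 7) % width) * 3 + 2] = ord(ch)   # red byte of one pixel
        rows.append(bytes(row))
    pixels = b"".join(reversed(rows))               # bottom row is written first
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, len(text), 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels


if __name__ == "__main__":
    print(read_message(make_sample("http://example.test/", width=5)))
```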

for-the-night-is-dark-2

This task can be found through solving the prior quest tasks.

Task 2: Trial by Fire
The Lord of Light always knows the truth. A true hero of the light would always be able to tell the truth as well. Prove yourself a true hero here and you will recieve your second flag.

The portal to truth lies ahead.

There is a link to stage 2.
Stage 2

Accessing the link shows nothing but a form. Of course, the usual SQLi did not get through.

Checking the source, the authentication is done in JavaScript. It compares MD5 hashes, so I threw the hash at CrackStation and it went through.

$("#target").submit(function( event ) {
  var hash = md5($("#secret").val())
  if (hash == "3758002ab24653af8d550c0c50473098") {
    var encode = "ÐßϽ榠ÐÞÙ֩û¤× ÃºªîÈ©¼×ÐÖËÕ§£¢Íç«ÖÉ̱ÈÕÒßÊÕÅ"
    var newstr = ""
    var key = $("#secret").val()
    for (var i = 0; i < encode.length; i++) {
        newstr += String.fromCharCode(encode.charCodeAt(i) - key.charCodeAt(i%key.length))
    }
    window.location = "/f" + newstr
  }

  $("#secret").val("")
  event.preventDefault();
});

darknight

done.

Stage 3
I see you can discern truth, soldier. Maybe you could be the storied one after all.

Take another flag to aid you on your journey.

bcactf{7h37ru7h15411w3h4v3_dGhlIGxpZ2h0IGluIG91ciBleWVz}
Now, on to your next trial.

Task 3:

FLAG : bcactf{7h37ru7h15411w3h4v3_dGhlIGxpZ2h0IGluIG91ciBleWVz}

for-the-night-is-dark-3

Keep on going

More had been added.

Stage 3
I see you can discern truth, soldier. Maybe you could be the storied one after all.

Take another flag to aid you on your journey.

bcactf{7h37ru7h15411w3h4v3_dGhlIGxpZ2h0IGluIG91ciBleWVz}
Now, on to your next trial.

Task 3:
The flag is here, and was here. I hear the master of whisperers has spiders who are crawling to help...

Something like "the flag was here".

Let's look at it on the Internet Archive. Internet Archive: Wayback Machine

There was a capture.

Stage 3
I see you can discern truth, soldier. Maybe you could be the storied one after all.

Take another flag to aid you on your journey.

bcactf{7h37ru7h15411w3h4v3_dGhlIGxpZ2h0IGluIG91ciBleWVz}
Now, on to your next trial.

Task 3:
I'll just give you this one: bcactf{p33r1ng_1n70_7h3_p457_Ymxlc3NlZHZpZXc}

FLAG : bcactf{p33r1ng_1n70_7h3_p457_Ymxlc3NlZHZpZXc}