Hacktober CTF: Write up
SQLはまじでただのSQLだったので全部解いておきたかったけど気づいたら終わってた。
Linux
Talking to the Dead 1
luciafer@a4e8c21f2f51:/$ cd ~ luciafer@a4e8c21f2f51:~$ ls -al * Documents: total 20 drwxrwxr-x 1 luciafer luciafer 4096 Oct 6 08:36 . drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. -rw-rw-r-- 1 luciafer luciafer 47 Oct 6 08:36 .flag2.txt -rw-rw-r-- 1 luciafer luciafer 47 Oct 5 14:55 flag1.txt Downloads: total 12 drwxrwxr-x 2 luciafer luciafer 4096 Oct 5 14:54 . drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. Pictures: total 12 drwxrwxr-x 2 luciafer luciafer 4096 Oct 5 14:54 . drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. Videos: total 12 drwxrwxr-x 2 luciafer luciafer 4096 Oct 5 14:54 . drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. luciafer@a4e8c21f2f51:~$ cat ~/Documents/flag1.txt flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}
Talking to the Dead 2
luciafer@a4e8c21f2f51:~$ cat ~/Documents/.flag2.txt flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
Talking to the Dead 3
luciafer@a4e8c21f2f51:/$ find / -perm -u=s -type f 2>/dev/null /usr/bin/umount /usr/bin/passwd /usr/bin/mount /usr/bin/gpasswd /usr/bin/su /usr/bin/chsh /usr/bin/newgrp /usr/bin/chfn /usr/local/bin/ouija /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt flag{445b987b5b80e445c3147314dbfa71acd79c2b67}
Talking to the Dead 4
luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija flag4.txt flag{4781cbffd13df6622565d45e790b4aac2a4054dc}
SQL
Past Demons
sqlite> .tables passwd users sqlite> select * from passwd; 1|4E6C0DBCCA0E45C805CE753C5974B3F9|1 2|8D302A5C9E06C8A6A52778A09583FD2C|2 3|3AC0D175A50406327CBE0BA0C6675892|3 4|6D5A4277C1F826D5EAAF08F63AEC84C5|4 5|CDF78099FBBBB52BE1AAA086D60289BC|5 6|66E85956792A2BEE9AA95B6F2662297F|6 7|EF468A19E03DDFD6D91ACF6602F71AF9|7 8|59DEA36D05AACAA547DE42E9956678E7|8 9|EB62D05A31866DFF8EC4EF28BAEF9377|9 10|2E8FF4B113C64A3C4B3F9D53AB1F0C53|10 sqlite> select * from users; 1|manage.po1nt| 2|carriage_5enior241| 3|s7r3am5ilver708| 4|MAL1A.PURS3LL| 5|monarch.kne3| 6|d1sp1ay.5hrink1484| 7|f1awed4unt1274| 8|spookyboi| 9|ankle_r3vive| 10|5ay_crosswalk1719|
59DEA36D05AACAA547DE42E9956678E7
はmd5でハッシュ化されてるので適当なサイトで復号するだけ
Body Count
def main(): data = //mysqlをdumpしたファイルに入ってたデータ d = data.split(',') for i in range(len(d)): if 'HAVRON' in d[i]: print(i) print(d[579:600]) if __name__ == "__main__": main()
(base) 0:11 ~/CTF $ python3 main.py 579 (base) 0:12 ~/CTF $ python3 main.py 579 ["'HAVRON'", "'R'", "'luc1afer.h4vr0n@shallowgraveu.com'", "'2991 Y Alley'", "'Broken Bow'", '38', "'27856'", "'f'", "'1987-12-13')", '(50', "'cast.pipe9065'", "'RICH'", "'KUCUK'", "'S'", "'cast.pipe9065@zellox.net'", "'664 Papaya Ln'", "'Charlestown'", '34', "'3603'", "'m'", "'1985-05-17')"]
Null and Void
$ mysql -u root -p testdb < ./shallowgraveu.sql
mysql> show columns from users; +----------+-------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +----------+-------------+------+-----+---------+----------------+ | user_id | int | NO | PRI | NULL | auto_increment | | username | varchar(52) | NO | UNI | NULL | | | first | varchar(52) | NO | | NULL | | | last | varchar(52) | NO | | NULL | | | middle | varchar(24) | YES | | NULL | | | email | varchar(52) | NO | UNI | NULL | | | street | varchar(52) | NO | | NULL | | | city | varchar(52) | NO | | NULL | | | state_id | int | NO | MUL | NULL | | | zip | varchar(10) | NO | | NULL | | | gender | varchar(8) | NO | | NULL | | | dob | date | NO | | NULL | | +----------+-------------+------+-----+---------+----------------+ 12 rows in set (0.01 sec)