kanyewest CTF

勉強したことをメモしています。

Hacktober CTF: Write up

SQLはまじでただのSQLだったので全部解いておきたかったけど気づいたら終わってた。

Linux

Talking to the Dead 1

luciafer@a4e8c21f2f51:/$ cd ~
luciafer@a4e8c21f2f51:~$ ls -al *
Documents:
total 20
drwxrwxr-x 1 luciafer luciafer 4096 Oct  6 08:36 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..
-rw-rw-r-- 1 luciafer luciafer   47 Oct  6 08:36 .flag2.txt
-rw-rw-r-- 1 luciafer luciafer   47 Oct  5 14:55 flag1.txt

Downloads:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..

Pictures:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..

Videos:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..
luciafer@a4e8c21f2f51:~$ cat ~/Documents/flag1.txt
flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}

Talking to the Dead 2

luciafer@a4e8c21f2f51:~$ cat ~/Documents/.flag2.txt
flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

Talking to the Dead 3

luciafer@a4e8c21f2f51:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/local/bin/ouija
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt
flag{445b987b5b80e445c3147314dbfa71acd79c2b67}

Talking to the Dead 4

luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija flag4.txt
flag{4781cbffd13df6622565d45e790b4aac2a4054dc}

SQL

Past Demons

sqlite> .tables
passwd  users
sqlite> select * from passwd;
1|4E6C0DBCCA0E45C805CE753C5974B3F9|1
2|8D302A5C9E06C8A6A52778A09583FD2C|2
3|3AC0D175A50406327CBE0BA0C6675892|3
4|6D5A4277C1F826D5EAAF08F63AEC84C5|4
5|CDF78099FBBBB52BE1AAA086D60289BC|5
6|66E85956792A2BEE9AA95B6F2662297F|6
7|EF468A19E03DDFD6D91ACF6602F71AF9|7
8|59DEA36D05AACAA547DE42E9956678E7|8
9|EB62D05A31866DFF8EC4EF28BAEF9377|9
10|2E8FF4B113C64A3C4B3F9D53AB1F0C53|10
sqlite> select * from users;
1|manage.po1nt|
2|carriage_5enior241|
3|s7r3am5ilver708|
4|MAL1A.PURS3LL|
5|monarch.kne3|
6|d1sp1ay.5hrink1484|
7|f1awed4unt1274|
8|spookyboi|
9|ankle_r3vive|
10|5ay_crosswalk1719|

59DEA36D05AACAA547DE42E9956678E7md5でハッシュ化されてるので適当なサイトで復号するだけ

Body Count

def main():
    data = //mysqlをdumpしたファイルに入ってたデータ
    d = data.split(',')
    for i in range(len(d)):
        if 'HAVRON' in d[i]:
            print(i)
    print(d[579:600])

if __name__ == "__main__":
    main()
(base) 0:11 ~/CTF $ python3 main.py
579
(base) 0:12 ~/CTF $ python3 main.py
579
["'HAVRON'", "'R'", "'luc1afer.h4vr0n@shallowgraveu.com'", "'2991 Y Alley'", "'Broken Bow'", '38', "'27856'", "'f'", "'1987-12-13')", '(50', "'cast.pipe9065'", "'RICH'", "'KUCUK'", "'S'", "'cast.pipe9065@zellox.net'", "'664 Papaya Ln'", "'Charlestown'", '34', "'3603'", "'m'", "'1985-05-17')"]

Null and Void

$ mysql -u root -p testdb < ./shallowgraveu.sql
mysql> show columns from users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| user_id  | int         | NO   | PRI | NULL    | auto_increment |
| username | varchar(52) | NO   | UNI | NULL    |                |
| first    | varchar(52) | NO   |     | NULL    |                |
| last     | varchar(52) | NO   |     | NULL    |                |
| middle   | varchar(24) | YES  |     | NULL    |                |
| email    | varchar(52) | NO   | UNI | NULL    |                |
| street   | varchar(52) | NO   |     | NULL    |                |
| city     | varchar(52) | NO   |     | NULL    |                |
| state_id | int         | NO   | MUL | NULL    |                |
| zip      | varchar(10) | NO   |     | NULL    |                |
| gender   | varchar(8)  | NO   |     | NULL    |                |
| dob      | date        | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
12 rows in set (0.01 sec)