読者です 読者をやめる 読者になる 読者になる

もふもふ

くんかくんか

SharifCTF 7

SCrack(Reverse150)

ptraceによるアンチデバッグなelf64が降ってくる。

nopで埋めてgdbでちまちま読む。

該当箇所

   0x0000000000400ad4 <+135>:   cmp    al,0x38
   0x0000000000400ad6 <+137>:   jne    0x400e98 <main+1099>
   0x0000000000400adc <+143>:   movzx  eax,BYTE PTR [rbp-0x4f]
   0x0000000000400ae0 <+147>:   cmp    al,0x37
   0x0000000000400ae2 <+149>:   jne    0x400e98 <main+1099>
   0x0000000000400ae8 <+155>:   movzx  eax,BYTE PTR [rbp-0x4e]
   0x0000000000400aec <+159>:   cmp    al,0x34
   0x0000000000400aee <+161>:   jne    0x400e98 <main+1099>
   0x0000000000400af4 <+167>:   movzx  eax,BYTE PTR [rbp-0x4d]
   0x0000000000400af8 <+171>:   cmp    al,0x30
   0x0000000000400afa <+173>:   jne    0x400e98 <main+1099>
   0x0000000000400b00 <+179>:   movzx  eax,BYTE PTR [rbp-0x4c]
   0x0000000000400b04 <+183>:   cmp    al,0x33
   0x0000000000400b06 <+185>:   jne    0x400e98 <main+1099>
   0x0000000000400b0c <+191>:   movzx  eax,BYTE PTR [rbp-0x4b]
   0x0000000000400b10 <+195>:   cmp    al,0x38
   0x0000000000400b12 <+197>:   jne    0x400e98 <main+1099>
   0x0000000000400b18 <+203>:   movzx  eax,BYTE PTR [rbp-0x4a]
   0x0000000000400b1c <+207>:   cmp    al,0x65
   0x0000000000400b1e <+209>:   jne    0x400e98 <main+1099>
   0x0000000000400b24 <+215>:   movzx  eax,BYTE PTR [rbp-0x49]
   0x0000000000400b28 <+219>:   cmp    al,0x34
   0x0000000000400b2a <+221>:   jne    0x400e98 <main+1099>
   0x0000000000400b30 <+227>:   movzx  eax,BYTE PTR [rbp-0x48]
   0x0000000000400b34 <+231>:   cmp    al,0x62
   0x0000000000400b36 <+233>:   jne    0x400e98 <main+1099>
   0x0000000000400b3c <+239>:   movzx  eax,BYTE PTR [rbp-0x47]
   0x0000000000400b40 <+243>:   cmp    al,0x36
   0x0000000000400b42 <+245>:   jne    0x400e98 <main+1099>
   0x0000000000400b48 <+251>:   movzx  eax,BYTE PTR [rbp-0x46]
   0x0000000000400b4c <+255>:   cmp    al,0x65
   0x0000000000400b4e <+257>:   jne    0x400e98 <main+1099>
   0x0000000000400b54 <+263>:   movzx  eax,BYTE PTR [rbp-0x45]
   0x0000000000400b58 <+267>:   cmp    al,0x32
   0x0000000000400b5a <+269>:   jne    0x400e98 <main+1099>
   0x0000000000400b60 <+275>:   movzx  eax,BYTE PTR [rbp-0x44]
   0x0000000000400b64 <+279>:   cmp    al,0x39
   0x0000000000400b66 <+281>:   jne    0x400e98 <main+1099>
   0x0000000000400b6c <+287>:   movzx  eax,BYTE PTR [rbp-0x43]
   0x0000000000400b70 <+291>:   cmp    al,0x62
   0x0000000000400b72 <+293>:   jne    0x400e98 <main+1099>
   0x0000000000400b78 <+299>:   movzx  eax,BYTE PTR [rbp-0x42]
   0x0000000000400b7c <+303>:   cmp    al,0x66
   0x0000000000400b7e <+305>:   jne    0x400e98 <main+1099>
   0x0000000000400b84 <+311>:   movzx  eax,BYTE PTR [rbp-0x41]
   0x0000000000400b88 <+315>:   cmp    al,0x30
   0x0000000000400b8a <+317>:   jne    0x400e98 <main+1099>
   0x0000000000400b90 <+323>:   movzx  eax,BYTE PTR [rbp-0x40]
   0x0000000000400b94 <+327>:   cmp    al,0x38
   0x0000000000400b96 <+329>:   jne    0x400e98 <main+1099>
   0x0000000000400b9c <+335>:   movzx  eax,BYTE PTR [rbp-0x3f]
   0x0000000000400ba0 <+339>:   cmp    al,0x39
   0x0000000000400ba2 <+341>:   jne    0x400e98 <main+1099>
   0x0000000000400ba8 <+347>:   movzx  eax,BYTE PTR [rbp-0x3e]
   0x0000000000400bac <+351>:   cmp    al,0x38
   0x0000000000400bae <+353>:   jne    0x400e98 <main+1099>
   0x0000000000400bb4 <+359>:   movzx  eax,BYTE PTR [rbp-0x3d]
   0x0000000000400bb8 <+363>:   cmp    al,0x62
   0x0000000000400bba <+365>:   jne    0x400e98 <main+1099>
   0x0000000000400bc0 <+371>:   movzx  eax,BYTE PTR [rbp-0x3c]
   0x0000000000400bc4 <+375>:   cmp    al,0x67
   0x0000000000400bc6 <+377>:   jne    0x400e98 <main+1099>
   0x0000000000400bcc <+383>:   movzx  eax,BYTE PTR [rbp-0x3b]
   0x0000000000400bd0 <+387>:   cmp    al,0x34
   0x0000000000400bd2 <+389>:   jne    0x400e98 <main+1099>
   0x0000000000400bd8 <+395>:   movzx  eax,BYTE PTR [rbp-0x3a]
   0x0000000000400bdc <+399>:   cmp    al,0x66
   0x0000000000400bde <+401>:   jne    0x400e98 <main+1099>
   0x0000000000400be4 <+407>:   movzx  eax,BYTE PTR [rbp-0x39]
   0x0000000000400be8 <+411>:   cmp    al,0x30
   0x0000000000400bea <+413>:   jne    0x400e98 <main+1099>
   0x0000000000400bf0 <+419>:   movzx  eax,BYTE PTR [rbp-0x38]
   0x0000000000400bf4 <+423>:   cmp    al,0x32
   0x0000000000400bf6 <+425>:   jne    0x400e98 <main+1099>
   0x0000000000400bfc <+431>:   movzx  eax,BYTE PTR [rbp-0x37]
   0x0000000000400c00 <+435>:   cmp    al,0x32
   0x0000000000400c02 <+437>:   jne    0x400e98 <main+1099>
   0x0000000000400c08 <+443>:   movzx  eax,BYTE PTR [rbp-0x36]
   0x0000000000400c0c <+447>:   cmp    al,0x35
   0x0000000000400c0e <+449>:   jne    0x400e98 <main+1099>
   0x0000000000400c14 <+455>:   movzx  eax,BYTE PTR [rbp-0x35]
   0x0000000000400c18 <+459>:   cmp    al,0x39
   0x0000000000400c1a <+461>:   jne    0x400e98 <main+1099>
   0x0000000000400c20 <+467>:   movzx  eax,BYTE PTR [rbp-0x34]
   0x0000000000400c24 <+471>:   cmp    al,0x33
   0x0000000000400c26 <+473>:   jne    0x400e98 <main+1099>
   0x0000000000400c2c <+479>:   movzx  eax,BYTE PTR [rbp-0x33]
   0x0000000000400c30 <+483>:   cmp    al,0x35
   0x0000000000400c32 <+485>:   jne    0x400e98 <main+1099>
   0x0000000000400c38 <+491>:   movzx  eax,BYTE PTR [rbp-0x32]
   0x0000000000400c3c <+495>:   cmp    al,0x63
   0x0000000000400c3e <+497>:   jne    0x400e98 <main+1099>
   0x0000000000400c44 <+503>:   movzx  eax,BYTE PTR [rbp-0x31]
   0x0000000000400c48 <+507>:   cmp    al,0x30
   0x0000000000400c4a <+509>:   jne    0x400e98 <main+1099>

pythonで復元

>>> [i[-2:] for i in b]
['38', '37', '34', '30', '33', '38', '65', '34', '62', '36', '65', '32', '39', '62', '66', '30', '38', '39', '38', '62', '67', '34', '66', '30', '32', '32', '35', '39', '33', '35', '63', '30', '']
>>> c = [i[-2:] for i in b]
>>> c[:-1]
['38', '37', '34', '30', '33', '38', '65', '34', '62', '36', '65', '32', '39', '62', '66', '30', '38', '39', '38', '62', '67', '34', '66', '30', '32', '32', '35', '39', '33', '35', '63', '30']
>>> c = c[:-1]
>>> [chr(int(i, 16)) for i in c]
['8', '7', '4', '0', '3', '8', 'e', '4', 'b', '6', 'e', '2', '9', 'b', 'f', '0', '8', '9', '8', 'b', 'g', '4', 'f', '0', '2', '2', '5', '9', '3', '5', 'c', '0']
>>> "".join([chr(int(i, 16)) for i in c])
'874038e4b6e29bf0898bg4f0225935c0'
>>> 
(gdb) c
Continuing.
Enter the valid key!
874038e4b6e29bf0898bg4f0225935c0
SharifCTF{ed97d286f356dadb5cde0902006c7deb}
[Inferior 1 (process 14982) exited normally]
(gdb) Quit

Camera Model(misc100)

画像が表示されるelfが降ってくる。

binwalkで中に埋め込まれてる画像を取り出してexiftoolで読むだけ。

ExifTool Version Number         : 10.10
File Name                       : 1538
Directory                       : .
File Size                       : 88 kB
File Modification Date/Time     : 2016:12:17 07:00:39+09:00
File Access Date/Time           : 2016:12:17 07:15:06+09:00
File Inode Change Date/Time     : 2016:12:17 07:00:39+09:00
File Permissions                : rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Camera Model Name               : DSLR4781
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : GIMP 2.8.16
Modify Date                     : 2016:12:02 11:38:04
Exif Version                    : 0221
Flashpix Version                : 0100
Color Space                     : Uncalibrated
Exif Image Width                : 355
Exif Image Height               : 382
Compression                     : JPEG (old-style)
Thumbnail Offset                : 358
Thumbnail Length                : 9487
Already Applied                 : True
Color Mode                      : RGB
Create Date                     : 2015:09:08 15:22:28+04:30
Metadata Date                   : 2015:10:04 23:17:15+03:30
Format                          : image/jpeg
Instance ID                     : xmp.iid:740FF2C8C66AE51197CDBA27CE0AC1AC
Document ID                     : xmp.did:730FF2C8C66AE51197CDBA27CE0AC1AC
Original Document ID            : xmp.did:730FF2C8C66AE51197CDBA27CE0AC1AC
Image Length                    : 768
Photometric Interpretation      : RGB
Samples Per Pixel               : 3
Date Time                       : 2015:10:04 23:17:15
Flash Pix Version               : FlashPix Version 1.0
Image Width                     : 355
Image Height                    : 382
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 355x382
Megapixels                      : 0.136
Thumbnail Image                 : (Binary data 9487 bytes, use -b option to extract)

flag: SharifCTF{ccb7ed56eea6576263abeca4cdb03f62}

Pretty Raw(for150)

fileコマンドでdataと表示されるのでバイナリエディタで眺める。

下のほうにpngがくっ付いてるので取り出すと、exiftoolした結果の画像が出てくる。

なんとなくpngの上のほうがビットマップっぽく見えるのでexiftoolで表示されてるピクセル分上から取り出して拡張子を.dataにして開くと解けた。

f:id:b_tya_nya:20161219000621p:plain

Getit(rev50)

/tmp/flag.txtにflagを書き込んでくれる実行ファイルが与えられる。 ただし最後にremoveしてたりfprintfで上書きしてたりするので該当箇所をnopで埋めてやると正しいflagが得られる。

SharifCTF{b70c59275fcfa8aebf2d5911223c6589}

Guess(pwn50)

フォーマットストリングバグがあるのでとりあえず%pで読み出しまくる。

なんかそれっぽい文字列がありそうなところがあったので読むとflagだった。

0x5443666972616853
0x3832346435617b46
0x6237636363323336
0x6136633735336466
0x3561383761383231
>>> def get_text(t):
...   t = t.replace("0x", "")
...   ts = [t[i:i+2] for i in range(0, len(t), 2)]
...   tss = [chr(int(i, 16)) for i in ts]
...   return reversed(tss)
... 
>>> l = []
>>> l += get_text("0x5443666972616853")
>>> l += get_text("0x3832346435617b46")
>>> l += get_text("0x6237636363323336")
>>> l += get_text("0x6136633735336466")
>>> l += get_text("0x3561383761383231")
>>> "".join(l)
'SharifCTF{a5d428632ccc7bfd357c6a128a78a5'
>>> 

感想

こいつやるだけ問題しか解けねえよな状態