Qiwi-Infosec 2016
PWN 100_4
dirとかが通るのでpythonのevalのループだと予想
Reverse 100_2
pycが降ってくるのでuncompyle2でもどすとこうなる
# 2016.11.18 01:09:33 JST #Embedded file name: task.py import marshal src = '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'.decode('base64') code = marshal.loads(src) #import pdb; pdb.set_trace() exec code # decompiled 1 files: 1 okay, 0 failed, 0 verify failed # 2016.11.18 01:09:33 JST
exec前でpdbで止めて
# Entered at the pdb prompt while stopped before `exec code`: decompiles the
# in-memory code object as Python 2.7 bytecode and writes the result to stdout.
# showasm/showast presumably also dump the disassembly and syntax tree - confirm
# against the uncompyle2 version in use.
import sys; import uncompyle2; uncompyle2.uncompyle(2.7, code, out=sys.stdout, showasm=1, showast=1)
とすると
# Decompiled payload (Python 2): a password prompt whose expected password and
# flag are both stored in the file under trivially reversible encodings.
# A check shipped to the user like this protects nothing: anyone holding the
# bytecode can read `tmp` or evaluate the print expression directly.

# Expected password: every listed character shifted up by 3 code points.
tmp = ''.join([ chr(ord(e) + 3) for e in ['^', '4', 'K', 'i', '.', '/', 'N', 'j', 'P', 'o', '?', 'l', '2', 'T', '?'] ])
passwd = raw_input('You pass:')
if passwd == tmp:
    # The flag is stored one character per list item, ROT13-encoded, and is
    # decoded only at print time.
    print ''.join([ e.decode('ROT13') for e in ['s', 'y', 'n', 't', ':', '{', 'w', 'q', 'E', '6', 'f', 'X', 'u', 'o', 'f', 'a', '4', 'X', 'N', 'u', '1', '}'] ])
else:
    print 'No :('
な感じになるので読むだけ
>>> print ''.join([ e.decode('ROT13') for e in ['s', 'y', 'n', 't', ':', '{', 'w', 'q', 'E', '6', 'f', 'X', 'u', 'o', 'f', 'a', '4', 'X', 'N', 'u', '1', '}'] ]) flag:{jdR6sKhbsn4KAh1}
Reverse 200_1
上の問題と同じ。
# Analysis script for the second task (Python 2): same base64 + marshal loader
# as the previous one, decompiled from a script instead of from a pdb prompt.
import marshal
import uncompyle2
import sys
src = "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".decode("base64")
# NOTE(review): the marshal documentation warns that the module is not safe
# against malicious input; run this only in a disposable VM or container.
code = marshal.loads(src)
# NOTE(review): this executes the unknown payload before it has been read.
# The uncompyle call below only takes `code`, so it looks like this line could
# be dropped, or moved until after the decompiled source has been reviewed.
exec(code)
# Decompile the code object as Python 2.7 bytecode and print it to stdout.
uncompyle2.uncompyle(2.7, code, out=sys.stdout, showasm=1, showast=1)
出てきたコードの中でフラッグ書いてる所
# Flag expression from the decompiled payload (Python 2). The decompiler has
# repeated one sub-expression six times; each copy does the same thing:
#   ROT13 every list item -> join -> base64-decode -> reverse -> add 30 to
#   each code point, giving a list of characters.
# For i in 0..3 the characters at i, i+4, i+8, i+12, i+16 and i+20 of that list
# are concatenated, and the four pieces are joined into the printed string.
# Every step is a fixed, keyless transformation, so the stored value can be
# recovered by evaluating this expression alone.
print ''.join([
    [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i]
    + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4]
    + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4]
    + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4]
    + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4 + 4]
    + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4 + 4 + 4]
    for i in range(4)
])
flag:{EazrSKcBjgmT4W3eQ}
感想
平日やめて。
uncompyle2はpython2.7用なので良いとされてる他のものも見ておきたい
GitHub - gstarnberger/uncompyle: Python decompiler
GitHub - zrax/pycdc: C++ python bytecode disassembler and decompiler
あとpythonのevalのshellはpicoctf2013のやつが参考になった。
ekoctf
writeups
Misc50
背景の画像にフラッグが書いてる。 目を凝らせば降ってくる。
flag : EKO{th3_fl4g}
web25
robots.txtを見るとurl転がってる。それを叩くとフラッグが転がってる。
flag: EKO{robot_is_following_us}
web50
$ curl -LI ctf.ekoparty.org HTTP/1.1 301 Moved Permanently Server: EKO{this_is_my_great_server} Date: Thu, 27 Oct 2016 16:36:14 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Location: https://ctf.ekoparty.org/ HTTP/1.1 200 OK Server: EKO{this_is_my_great_server} Date: Thu, 27 Oct 2016 16:36:15 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4518 Connection: keep-alive Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=63072000; preload
FBI50
tor browserでurlにアクセスすると拒まれるので詳細を見るとなんかbase64ぽいテキストが降ってきてる。
https://silkroadzpvwzxxv.onion/ Peer's Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIGezCCBGOgAwIBAgIJAMwj5f0QisI6MA0GCSqGSIb3DQEBCwUAMIHTMQswCQYD VQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3Mg QWlyZXMxETAPBgNVBAoMCEVLT1BBUlZMT4wPAYDVQQLDDU1MCAtIEVLT3tpc190 aGlzX2p1c3RfcmVhbF9saWZlX2lzX3RoaXNfanVzdF9mYW50YXN5fTEfMB0GA1UE AwwWc2lsa3JvYWR6cHZ3enh4di5vbmlvbjEiMCAGCSqGSIb3DQEJARYTc3RhZmZA bnVsbC1saWZlLmNvbTAeFw0xNjEwMjMwNTA3NDNaFw0xNzEwMjMwNTA3NDNaMIHT MQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxC dWVub3MgQWlyZXMxETAPBgNVBAoMCEVLT1BBUlRZMT4wPAYDVQQLDDU1MCAtIEVL T3tpc190aGlzX2p1c3RfcmVhbF9saWZlX2lzX3RoaXNfanVzdF9mYW50YXN5fTEf MB0GA1UEAwwWc2lsa3JvYWR6cHZ3enh4di5vbmlvbjEiMCAGCSqGSIb3DQEJARYT c3RhZmZAbnVsbC1saWZlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC ggIBAL4ba3WHH2Fcv2lIhosWZFO8ya3dnEIMtDxzh7pDffCVd2Vlch7ov8M4M+9x xm278Clmn2nD21T3pnzPPeOcCFaDJ5v/K6idhBgYLlnzBzQrCS9VAwoH9zW+8gkW 0p74xNc8ARyvioEY4NbsET0KjUpBUn9Yx/FaHNNKqbObHG1btLqZzsYR30xTaVin 9/9SPGJ3s6vszhVocYNBJ1UQR64qn1XdV5n3ctLSByj727Bi/TLZVSv94cSBZhxV BGklPF2CQDL5vO2UyqFH4OGVCdRLkYwcoHfCVbRUOGRxqn6+Y7wtoNWIIAZnlRSH IPN+MVo76vpKjFtCCHgKyxzUkxhcqvOgi5tm+AYoC9cUe4X6cdCMbZis52dx3oJu sIpdGLZnzgZdtB48qmRzY+6MWw+URaHsXv6HtKcgZVoYTex+7hza55+xU61vejsB LkBZ/iQjl2fCu94jDMvTNg2cl3JOxXVNaa7tAKQiz7vzhxKPYTv10cFPUGGroYye PQxOES42WXOqk32OUUWRGys+Rn8q0Xm5OSt2e7UUInstBNvbaqkwPII1ucgny1K1 +rbcQZD4suLsR/cM1S9jh2vzE67xXLT8k9AVOg7BEeXweNx8ERXkr4m2qCzJWcYI ustW2cLM9Nme6We6VJNlp5sRqvJt3ziwikWhyzIXvwKPWE/bAgMBAAGjUDBOMB0G A1UdDgQWBBTLUK1VpT8hwRGVOD5xWjKIHaMb4DAfBgNVHSMEGDAWgBTLUK1VpT8h wRGVOD5xWjKIHaMb4DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB/ p8XQyV9sRmO5jttr9yXNH/6hgp0ICxnqjJM77MsQuTV4WSiVC2WsCr9llN6meXRy /f6nhV6HOIox77doW8v87bl0YzLIj/3MUS/8kHI7qxKUV/0sk/0E07BmJyvlyIcP ErDUbxDY0eHFBAha6rubQvvuV3jSiuhwmpMI7N28idgg6+u1nPmv7NMOueJoMw6f 
0yVGukoJJ5XMBMUnnlL/55T3HGaCIL8yMPIdhVPWbgyaoni3hlsvkQRzOtYIPddl KRJkdXTQCuNHf38ZI6AX4/KxuXEaqcJ+KmS64X42AWvTNuuW0Y8fYQyw/7qGOAPd BmaN0MEZHSmQgbAGnQyf6LPrLUyhSI/K6+B52RzxgDsEgLpS+LATG2b39ks//QKj IbUcKJO8a8cp1v9FvBKNKuHTGL+jvXWQAYemYFy7ZIyslU7ETwKja7HQkqVTekwn dUI+KVWmEvsrNSsYh1bfBoP1NsrlqGg7v9HotJdw72tViIk7whsLWFCelbtV8HFb B/IbPlEwCdQbClgHtqGvbXREJhIbi26KPlwx0gxFlfC0gpJ4+/Ldj1HnEiT6hV+U xsM51S4pMBi/Q2fUBp12+un3Y+si2avEWpvf0DJH5dlR6eVR2nFl1XR7asdK7XKn K/XyPGm50rsgpjTs0AywX/ShCUhu65EfBM5tI36prg== -----END CERTIFICATE-----
これをデコードするとフラッグっぽい文字列があるのでそれを投げる(これFBI25だと思って投げまくってた)
flag: EKO{is_this_just_real_life_is_this_just_fantasy}
追記: ウェブページにアクセスしたら普通にSecurityのとこに EKO{is_this_just_real_life_is_this_just_fantasy} と書かれてた。 多分こっちが正攻法
rev25
zipが降ってきて中に.classが入ってるのでデコンパイルして読むだけ。
flagは忘れた。
rev50
zipの中にexeバイナリ。
dotPeekでデコンパイルしてC#コードをpaiz.ioあたりで実行して終わり。
flag: f#ck_this_sh#t
rev75
またもやzipの中に.netの実行ファイル。
デコンパイルして読んで終了。
flag: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
FBI25
tor browserの設定変えたらアクセスできた。
ソース見るとflag書いてる。
flag: EKO{buy_me_some_b0ts}
rev100
.SAVFという謎拡張子が降ってくる。
調べると、AS/400のバックアップファイルのようである。
適当に調べてると、 https://groups.google.com/forum/#!topic/comp.sys.ibm.as400.misc/vhpOmy_Ttzg という記事がヒットし、
このソフトを使えばいいよってかいてるのでありがたく使う。
flag: EKO{0ld_t1m3s_n3v3r_c0m3_b4ck}
感想
すぐ終わる奴だけ。ぼっちつらい。