もふもふ

くんかくんか

Qiwi-Infosec 2016

PWN 100_4

dirとかが通るのでpythonのevalのループだと予想

f:id:b_tya_nya:20161121213619p:plain

Reverse 100_2

pycが降ってくるのでuncompyle2でもどすとこうなる

# 2016.11.18 01:09:33 JST
#Embedded file name: task.py
import marshal
# Loader stub recovered from the .pyc: the challenge logic itself is not in
# this file as source, it is a marshalled code object stored base64-encoded
# in the string literal below (Python 2 str.decode('base64')).
src = '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'.decode('base64')
# marshal.loads rebuilds the code object. The marshal format offers no
# protection against malformed or hostile data, so unmarshal unknown blobs
# only inside a disposable analysis environment.
code = marshal.loads(src)
# Breakpoint position used in this write-up: stopping here leaves `code`
# available for decompilation before any of the payload has run.
#import pdb; pdb.set_trace()
# Python 2 exec statement: runs the unmarshalled payload in this module's
# namespace.
exec code
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2016.11.18 01:09:33 JST

execの直前でpdbで止めて（この時点ではペイロードはまだ実行されていない）

# Entered at the pdb prompt while stopped just before `exec code`; it stays on
# a single line because the debugger executes one statement line at a time.
# Decompiles the in-memory code object `code` as Python 2.7 and writes the
# result to stdout; showasm/showast presumably add the disassembly and AST
# dumps to that output (confirm against the uncompyle2 version in use).
import sys; import uncompyle2; uncompyle2.uncompyle(2.7, code, out=sys.stdout, showasm=1, showast=1)

とすると

# Decompiled payload of task.py (Python 2).
# Expected password: every character of the literal list shifted up by 3 code
# points and concatenated. The secret is therefore fully contained in the
# file; the shift is an encoding, not a protection.
tmp = ''.join([ chr(ord(e) + 3) for e in ['^', '4', 'K', 'i', '.', '/', 'N', 'j', 'P', 'o', '?', 'l', '2', 'T', '?'] ])
passwd = raw_input('You pass:')
# Plain equality against the constant rebuilt above; nothing is derived from
# the user's input.
if passwd == tmp:
    # Each element is decoded with the Python 2 'ROT13' codec and the pieces
    # are joined. The printed string does not depend on passwd, so it can be
    # recovered by evaluating this expression on its own.
    print ''.join([ e.decode('ROT13') for e in ['s', 'y', 'n', 't', ':', '{', 'w', 'q', 'E', '6', 'f', 'X', 'u', 'o', 'f', 'a', '4', 'X', 'N', 'u', '1', '}'] ])
else:
    print 'No :('

な感じになるので読むだけ

>>> print ''.join([ e.decode('ROT13') for e in ['s', 'y', 'n', 't', ':', '{', 'w', 'q', 'E', '6', 'f', 'X', 'u', 'o', 'f', 'a', '4', 'X', 'N', 'u', '1', '}'] ])
flag:{jdR6sKhbsn4KAh1}

Reverse 200_1

上の問題と同じ。

import marshal
import uncompyle2
import sys

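# Static analysis helper (Python 2.7): decode the embedded payload and
# decompile it WITHOUT running it.
#
# The base64 string literal holds a marshalled code object taken from the
# challenge file.
src = "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".decode("base64")

# NOTE: marshal is not designed to be safe against malformed or malicious
# data; load blobs of unknown origin only in a throwaway VM or container.
code = marshal.loads(src)

# The former `exec(code)` call is intentionally left out: decompiling only
# needs the code object, and executing an unknown payload on the analysis
# machine adds risk without adding information.
uncompyle2.uncompyle(2.7, code, out=sys.stdout, showasm=1, showast=1)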

出てきたコードの中でフラッグ書いてる所

# Flag-printing statement from the decompiled payload (Python 2).
# The same sub-expression appears six times: ROT13-decode each element of the
# 32-character list, join, base64-decode, reverse the result, then add 30 to
# every character's code point.
# For i in 0..3 the characters at offsets i, i+4, i+8, i+12, i+16 and i+20 of
# that list are concatenated, i.e. the decoded data is read out with a stride
# of 4. No user input is involved, so the output is a constant that can be
# obtained by evaluating this expression alone.
print ''.join([ [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i] + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4] + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4] + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4] + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4 + 4] + [ chr(ord(e) + 30) for e in ''.join([ e.decode('ROT13') for e in ['K', 'm', 'L', 'g', 'K', 'G', 'A', 'C', 'A', 'E', 'k', 'U', 'F', 'I', 'E', 'W', 'S', 'H', 'k', 'p', 'D', 'm', 'x', 'x', 'D', '0', '4', 'J', 'E', 'F', 'q', 'V'] ]).decode('base64')[::-1] ][i + 4 + 4 + 4 + 4 + 4] for i in range(4) ])

flag:{EazrSKcBjgmT4W3eQ}

感想

平日やめて。

uncompyle2はpython2.7用なので良いとされてる他のものも見ておきたい

GitHub - gstarnberger/uncompyle: Python decompiler

GitHub - zrax/pycdc: C++ python bytecode disassembler and decompiler

あとpythonのevalのshellはpicoctf2013のやつが参考になった。

Python eval

ekoctf

writeups

Misc50

背景の画像にフラッグが書いてる。 目を凝らせば降ってくる。

flag : EKO{th3_fl4g}

web25

robots.txtを見るとurl転がってる。それを叩くとフラッグが転がってる。

flag: EKO{robot_is_following_us}

web50

 $ curl -LI ctf.ekoparty.org  
HTTP/1.1 301 Moved Permanently
Server: EKO{this_is_my_great_server}
Date: Thu, 27 Oct 2016 16:36:14 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://ctf.ekoparty.org/

HTTP/1.1 200 OK
Server: EKO{this_is_my_great_server}
Date: Thu, 27 Oct 2016 16:36:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4518
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; preload

FBI50

tor browserでurlにアクセスすると拒まれるので詳細を見るとなんかbase64ぽいテキストが降ってきてる。

https://silkroadzpvwzxxv.onion/ Peer's Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIGezCCBGOgAwIBAgIJAMwj5f0QisI6MA0GCSqGSIb3DQEBCwUAMIHTMQswCQYD VQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3Mg QWlyZXMxETAPBgNVBAoMCEVLT1BBUlZMT4wPAYDVQQLDDU1MCAtIEVLT3tpc190 aGlzX2p1c3RfcmVhbF9saWZlX2lzX3RoaXNfanVzdF9mYW50YXN5fTEfMB0GA1UE AwwWc2lsa3JvYWR6cHZ3enh4di5vbmlvbjEiMCAGCSqGSIb3DQEJARYTc3RhZmZA bnVsbC1saWZlLmNvbTAeFw0xNjEwMjMwNTA3NDNaFw0xNzEwMjMwNTA3NDNaMIHT MQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxC dWVub3MgQWlyZXMxETAPBgNVBAoMCEVLT1BBUlRZMT4wPAYDVQQLDDU1MCAtIEVL T3tpc190aGlzX2p1c3RfcmVhbF9saWZlX2lzX3RoaXNfanVzdF9mYW50YXN5fTEf MB0GA1UEAwwWc2lsa3JvYWR6cHZ3enh4di5vbmlvbjEiMCAGCSqGSIb3DQEJARYT c3RhZmZAbnVsbC1saWZlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC ggIBAL4ba3WHH2Fcv2lIhosWZFO8ya3dnEIMtDxzh7pDffCVd2Vlch7ov8M4M+9x xm278Clmn2nD21T3pnzPPeOcCFaDJ5v/K6idhBgYLlnzBzQrCS9VAwoH9zW+8gkW 0p74xNc8ARyvioEY4NbsET0KjUpBUn9Yx/FaHNNKqbObHG1btLqZzsYR30xTaVin 9/9SPGJ3s6vszhVocYNBJ1UQR64qn1XdV5n3ctLSByj727Bi/TLZVSv94cSBZhxV BGklPF2CQDL5vO2UyqFH4OGVCdRLkYwcoHfCVbRUOGRxqn6+Y7wtoNWIIAZnlRSH IPN+MVo76vpKjFtCCHgKyxzUkxhcqvOgi5tm+AYoC9cUe4X6cdCMbZis52dx3oJu sIpdGLZnzgZdtB48qmRzY+6MWw+URaHsXv6HtKcgZVoYTex+7hza55+xU61vejsB LkBZ/iQjl2fCu94jDMvTNg2cl3JOxXVNaa7tAKQiz7vzhxKPYTv10cFPUGGroYye PQxOES42WXOqk32OUUWRGys+Rn8q0Xm5OSt2e7UUInstBNvbaqkwPII1ucgny1K1 +rbcQZD4suLsR/cM1S9jh2vzE67xXLT8k9AVOg7BEeXweNx8ERXkr4m2qCzJWcYI ustW2cLM9Nme6We6VJNlp5sRqvJt3ziwikWhyzIXvwKPWE/bAgMBAAGjUDBOMB0G A1UdDgQWBBTLUK1VpT8hwRGVOD5xWjKIHaMb4DAfBgNVHSMEGDAWgBTLUK1VpT8h wRGVOD5xWjKIHaMb4DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB/ p8XQyV9sRmO5jttr9yXNH/6hgp0ICxnqjJM77MsQuTV4WSiVC2WsCr9llN6meXRy /f6nhV6HOIox77doW8v87bl0YzLIj/3MUS/8kHI7qxKUV/0sk/0E07BmJyvlyIcP ErDUbxDY0eHFBAha6rubQvvuV3jSiuhwmpMI7N28idgg6+u1nPmv7NMOueJoMw6f 
0yVGukoJJ5XMBMUnnlL/55T3HGaCIL8yMPIdhVPWbgyaoni3hlsvkQRzOtYIPddl KRJkdXTQCuNHf38ZI6AX4/KxuXEaqcJ+KmS64X42AWvTNuuW0Y8fYQyw/7qGOAPd BmaN0MEZHSmQgbAGnQyf6LPrLUyhSI/K6+B52RzxgDsEgLpS+LATG2b39ks//QKj IbUcKJO8a8cp1v9FvBKNKuHTGL+jvXWQAYemYFy7ZIyslU7ETwKja7HQkqVTekwn dUI+KVWmEvsrNSsYh1bfBoP1NsrlqGg7v9HotJdw72tViIk7whsLWFCelbtV8HFb B/IbPlEwCdQbClgHtqGvbXREJhIbi26KPlwx0gxFlfC0gpJ4+/Ldj1HnEiT6hV+U xsM51S4pMBi/Q2fUBp12+un3Y+si2avEWpvf0DJH5dlR6eVR2nFl1XR7asdK7XKn K/XyPGm50rsgpjTs0AywX/ShCUhu65EfBM5tI36prg== -----END CERTIFICATE----- 

これ（PEM形式の証明書）をbase64デコードすると、証明書の中にフラッグっぽい文字列があるのでそれを投げる(これFBI25だと思って投げまくってた)

flag: EKO{is_this_just_real_life_is_this_just_fantasy}

追記: ウェブページにアクセスしたら普通にSecurityのとこに EKO{is_this_just_real_life_is_this_just_fantasy} と書かれてた。 多分こっちが正攻法

rev25

zipが降ってきて中に.classが入ってるのでデコンパイルして読むだけ。

flagは忘れた。

rev50

zipの中にexeバイナリ。

dotPeekでデコンパイルしてC#コードをpaiza.ioあたりで実行して終わり。

flag: f#ck_this_sh#t

rev75

またもやzipの中に.netの実行ファイル。

デコンパイルして読んで終了。

flag: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}

FBI25

tor browserの設定変えたらアクセスできた。

ソース見るとflag書いてる。

flag: EKO{buy_me_some_b0ts}

rev100

.SAVFという謎拡張子が降ってくる。

調べると、AS/400のバックアップファイルのようである。

適当に調べてると、 https://groups.google.com/forum/#!topic/comp.sys.ibm.as400.misc/vhpOmy_Ttzg という記事がヒットし、

このソフトを使えばいいよってかいてるのでありがたく使う。

http://www.juliansoft.com/

flag: EKO{0ld_t1m3s_n3v3r_c0m3_b4ck}

感想

すぐ終わる奴だけ。ぼっちつらい。