SharifCTF 7
SCrack (Reverse 150)
You get an ELF64 binary with ptrace-based anti-debugging.
I filled the ptrace check with nops and then read through the binary bit by bit in gdb.
The relevant section:
0x0000000000400ad4 <+135>: cmp al,0x38
0x0000000000400ad6 <+137>: jne 0x400e98 <main+1099>
0x0000000000400adc <+143>: movzx eax,BYTE PTR [rbp-0x4f]
0x0000000000400ae0 <+147>: cmp al,0x37
0x0000000000400ae2 <+149>: jne 0x400e98 <main+1099>
0x0000000000400ae8 <+155>: movzx eax,BYTE PTR [rbp-0x4e]
0x0000000000400aec <+159>: cmp al,0x34
0x0000000000400aee <+161>: jne 0x400e98 <main+1099>
0x0000000000400af4 <+167>: movzx eax,BYTE PTR [rbp-0x4d]
0x0000000000400af8 <+171>: cmp al,0x30
0x0000000000400afa <+173>: jne 0x400e98 <main+1099>
0x0000000000400b00 <+179>: movzx eax,BYTE PTR [rbp-0x4c]
0x0000000000400b04 <+183>: cmp al,0x33
0x0000000000400b06 <+185>: jne 0x400e98 <main+1099>
0x0000000000400b0c <+191>: movzx eax,BYTE PTR [rbp-0x4b]
0x0000000000400b10 <+195>: cmp al,0x38
0x0000000000400b12 <+197>: jne 0x400e98 <main+1099>
0x0000000000400b18 <+203>: movzx eax,BYTE PTR [rbp-0x4a]
0x0000000000400b1c <+207>: cmp al,0x65
0x0000000000400b1e <+209>: jne 0x400e98 <main+1099>
0x0000000000400b24 <+215>: movzx eax,BYTE PTR [rbp-0x49]
0x0000000000400b28 <+219>: cmp al,0x34
0x0000000000400b2a <+221>: jne 0x400e98 <main+1099>
0x0000000000400b30 <+227>: movzx eax,BYTE PTR [rbp-0x48]
0x0000000000400b34 <+231>: cmp al,0x62
0x0000000000400b36 <+233>: jne 0x400e98 <main+1099>
0x0000000000400b3c <+239>: movzx eax,BYTE PTR [rbp-0x47]
0x0000000000400b40 <+243>: cmp al,0x36
0x0000000000400b42 <+245>: jne 0x400e98 <main+1099>
0x0000000000400b48 <+251>: movzx eax,BYTE PTR [rbp-0x46]
0x0000000000400b4c <+255>: cmp al,0x65
0x0000000000400b4e <+257>: jne 0x400e98 <main+1099>
0x0000000000400b54 <+263>: movzx eax,BYTE PTR [rbp-0x45]
0x0000000000400b58 <+267>: cmp al,0x32
0x0000000000400b5a <+269>: jne 0x400e98 <main+1099>
0x0000000000400b60 <+275>: movzx eax,BYTE PTR [rbp-0x44]
0x0000000000400b64 <+279>: cmp al,0x39
0x0000000000400b66 <+281>: jne 0x400e98 <main+1099>
0x0000000000400b6c <+287>: movzx eax,BYTE PTR [rbp-0x43]
0x0000000000400b70 <+291>: cmp al,0x62
0x0000000000400b72 <+293>: jne 0x400e98 <main+1099>
0x0000000000400b78 <+299>: movzx eax,BYTE PTR [rbp-0x42]
0x0000000000400b7c <+303>: cmp al,0x66
0x0000000000400b7e <+305>: jne 0x400e98 <main+1099>
0x0000000000400b84 <+311>: movzx eax,BYTE PTR [rbp-0x41]
0x0000000000400b88 <+315>: cmp al,0x30
0x0000000000400b8a <+317>: jne 0x400e98 <main+1099>
0x0000000000400b90 <+323>: movzx eax,BYTE PTR [rbp-0x40]
0x0000000000400b94 <+327>: cmp al,0x38
0x0000000000400b96 <+329>: jne 0x400e98 <main+1099>
0x0000000000400b9c <+335>: movzx eax,BYTE PTR [rbp-0x3f]
0x0000000000400ba0 <+339>: cmp al,0x39
0x0000000000400ba2 <+341>: jne 0x400e98 <main+1099>
0x0000000000400ba8 <+347>: movzx eax,BYTE PTR [rbp-0x3e]
0x0000000000400bac <+351>: cmp al,0x38
0x0000000000400bae <+353>: jne 0x400e98 <main+1099>
0x0000000000400bb4 <+359>: movzx eax,BYTE PTR [rbp-0x3d]
0x0000000000400bb8 <+363>: cmp al,0x62
0x0000000000400bba <+365>: jne 0x400e98 <main+1099>
0x0000000000400bc0 <+371>: movzx eax,BYTE PTR [rbp-0x3c]
0x0000000000400bc4 <+375>: cmp al,0x67
0x0000000000400bc6 <+377>: jne 0x400e98 <main+1099>
0x0000000000400bcc <+383>: movzx eax,BYTE PTR [rbp-0x3b]
0x0000000000400bd0 <+387>: cmp al,0x34
0x0000000000400bd2 <+389>: jne 0x400e98 <main+1099>
0x0000000000400bd8 <+395>: movzx eax,BYTE PTR [rbp-0x3a]
0x0000000000400bdc <+399>: cmp al,0x66
0x0000000000400bde <+401>: jne 0x400e98 <main+1099>
0x0000000000400be4 <+407>: movzx eax,BYTE PTR [rbp-0x39]
0x0000000000400be8 <+411>: cmp al,0x30
0x0000000000400bea <+413>: jne 0x400e98 <main+1099>
0x0000000000400bf0 <+419>: movzx eax,BYTE PTR [rbp-0x38]
0x0000000000400bf4 <+423>: cmp al,0x32
0x0000000000400bf6 <+425>: jne 0x400e98 <main+1099>
0x0000000000400bfc <+431>: movzx eax,BYTE PTR [rbp-0x37]
0x0000000000400c00 <+435>: cmp al,0x32
0x0000000000400c02 <+437>: jne 0x400e98 <main+1099>
0x0000000000400c08 <+443>: movzx eax,BYTE PTR [rbp-0x36]
0x0000000000400c0c <+447>: cmp al,0x35
0x0000000000400c0e <+449>: jne 0x400e98 <main+1099>
0x0000000000400c14 <+455>: movzx eax,BYTE PTR [rbp-0x35]
0x0000000000400c18 <+459>: cmp al,0x39
0x0000000000400c1a <+461>: jne 0x400e98 <main+1099>
0x0000000000400c20 <+467>: movzx eax,BYTE PTR [rbp-0x34]
0x0000000000400c24 <+471>: cmp al,0x33
0x0000000000400c26 <+473>: jne 0x400e98 <main+1099>
0x0000000000400c2c <+479>: movzx eax,BYTE PTR [rbp-0x33]
0x0000000000400c30 <+483>: cmp al,0x35
0x0000000000400c32 <+485>: jne 0x400e98 <main+1099>
0x0000000000400c38 <+491>: movzx eax,BYTE PTR [rbp-0x32]
0x0000000000400c3c <+495>: cmp al,0x63
0x0000000000400c3e <+497>: jne 0x400e98 <main+1099>
0x0000000000400c44 <+503>: movzx eax,BYTE PTR [rbp-0x31]
0x0000000000400c48 <+507>: cmp al,0x30
0x0000000000400c4a <+509>: jne 0x400e98 <main+1099>
Reconstructing the key in Python (b holds the lines of the dump above):
>>> [i[-2:] for i in b]
['38', '37', '34', '30', '33', '38', '65', '34', '62', '36', '65', '32', '39', '62', '66', '30', '38', '39', '38', '62', '67', '34', '66', '30', '32', '32', '35', '39', '33', '35', '63', '30', '']
>>> c = [i[-2:] for i in b]
>>> c[:-1]
['38', '37', '34', '30', '33', '38', '65', '34', '62', '36', '65', '32', '39', '62', '66', '30', '38', '39', '38', '62', '67', '34', '66', '30', '32', '32', '35', '39', '33', '35', '63', '30']
>>> c = c[:-1]
>>> [chr(int(i, 16)) for i in c]
['8', '7', '4', '0', '3', '8', 'e', '4', 'b', '6', 'e', '2', '9', 'b', 'f', '0', '8', '9', '8', 'b', 'g', '4', 'f', '0', '2', '2', '5', '9', '3', '5', 'c', '0']
>>> "".join([chr(int(i, 16)) for i in c])
'874038e4b6e29bf0898bg4f0225935c0'
>>>
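As an added example that is not part of the original writeup, the same extraction done by parsing the gdb dump directly instead of slicing lines by hand: it pairs each movzx load with the immediate it is compared against and orders the bytes by stack offset. It assumes the input buffer starts at rbp-0x50 (the movzx for the first byte is not in the excerpt above), and the sample dump is constructed from the first four checks.

```python
import re

# Constructed sample in the format of gdb's Intel-syntax disassembly, covering
# the first four checks from the writeup. The movzx for the first byte
# ([rbp-0x50]) is an assumption; the excerpt above starts at the cmp after it.
SAMPLE_DISASM = """\
   0x0000000000400ad0 <+131>:\tmovzx  eax,BYTE PTR [rbp-0x50]
   0x0000000000400ad4 <+135>:\tcmp    al,0x38
   0x0000000000400ad6 <+137>:\tjne    0x400e98 <main+1099>
   0x0000000000400adc <+143>:\tmovzx  eax,BYTE PTR [rbp-0x4f]
   0x0000000000400ae0 <+147>:\tcmp    al,0x37
   0x0000000000400ae2 <+149>:\tjne    0x400e98 <main+1099>
   0x0000000000400ae8 <+155>:\tmovzx  eax,BYTE PTR [rbp-0x4e]
   0x0000000000400aec <+159>:\tcmp    al,0x34
   0x0000000000400aee <+161>:\tjne    0x400e98 <main+1099>
   0x0000000000400af4 <+167>:\tmovzx  eax,BYTE PTR [rbp-0x4d]
   0x0000000000400af8 <+171>:\tcmp    al,0x30
   0x0000000000400afa <+173>:\tjne    0x400e98 <main+1099>
"""

LOAD_RE = re.compile(r"movzx\s+eax,BYTE PTR \[rbp-0x([0-9a-f]+)\]")
CMP_RE = re.compile(r"cmp\s+al,0x([0-9a-f]+)")


def extract_key(disasm):
    """Pair each byte load with the immediate it is compared against and
    return the expected input as a string, ordered by stack position."""
    expected = {}
    pending = None
    for line in disasm.splitlines():
        m = LOAD_RE.search(line)
        if m:
            pending = int(m.group(1), 16)  # offset below rbp of the loaded byte
            continue
        m = CMP_RE.search(line)
        if m and pending is not None:
            expected[pending] = int(m.group(1), 16)
            pending = None
    # The buffer sits at rbp-0x50 and grows toward rbp, so the largest
    # offset is the first input byte.
    offsets = sorted(expected, reverse=True)
    if not offsets:
        raise ValueError("no movzx/cmp pairs found")
    if offsets != list(range(offsets[0], offsets[-1] - 1, -1)):
        raise ValueError("stack offsets are not contiguous; chain is incomplete")
    return bytes(expected[o] for o in offsets).decode("ascii")


if __name__ == "__main__":
    print(extract_key(SAMPLE_DISASM))
```

Feeding it the full dump from the writeup yields the 32-character key; the contiguity check catches a dump that was cut off or that interleaves checks on a different buffer.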
(gdb) c
Continuing.
Enter the valid key!
874038e4b6e29bf0898bg4f0225935c0
SharifCTF{ed97d286f356dadb5cde0902006c7deb}
[Inferior 1 (process 14982) exited normally]
(gdb) Quit
Camera Model (misc 100)
You get an ELF that displays an image.
Just extract the embedded image with binwalk and read it with exiftool.
ExifTool Version Number         : 10.10
File Name                       : 1538
Directory                       : .
File Size                       : 88 kB
File Modification Date/Time     : 2016:12:17 07:00:39+09:00
File Access Date/Time           : 2016:12:17 07:15:06+09:00
File Inode Change Date/Time     : 2016:12:17 07:00:39+09:00
File Permissions                : rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Camera Model Name               : DSLR4781
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : GIMP 2.8.16
Modify Date                     : 2016:12:02 11:38:04
Exif Version                    : 0221
Flashpix Version                : 0100
Color Space                     : Uncalibrated
Exif Image Width                : 355
Exif Image Height               : 382
Compression                     : JPEG (old-style)
Thumbnail Offset                : 358
Thumbnail Length                : 9487
Already Applied                 : True
Color Mode                      : RGB
Create Date                     : 2015:09:08 15:22:28+04:30
Metadata Date                   : 2015:10:04 23:17:15+03:30
Format                          : image/jpeg
Instance ID                     : xmp.iid:740FF2C8C66AE51197CDBA27CE0AC1AC
Document ID                     : xmp.did:730FF2C8C66AE51197CDBA27CE0AC1AC
Original Document ID            : xmp.did:730FF2C8C66AE51197CDBA27CE0AC1AC
Image Length                    : 768
Photometric Interpretation      : RGB
Samples Per Pixel               : 3
Date Time                       : 2015:10:04 23:17:15
Flash Pix Version               : FlashPix Version 1.0
Image Width                     : 355
Image Height                    : 382
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 355x382
Megapixels                      : 0.136
Thumbnail Image                 : (Binary data 9487 bytes, use -b option to extract)
flag: SharifCTF{ccb7ed56eea6576263abeca4cdb03f62}
Pretty Raw (for 150)
The file command just says "data", so I looked at it in a hex editor.
There is a PNG appended near the bottom; extracting it gives an image that is a screenshot of exiftool output.
The data above the PNG looked vaguely like a bitmap, so I took as many bytes from the top as the pixel count shown in that exiftool output, renamed the file with a .data extension, opened it as raw image data, and that solved it.
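An added example (not the writeup's own steps) of the same carve done in code: it slices width*height pixels from the top of the blob and wraps them in a PPM header so any ordinary viewer opens them without a raw-import dialog. It assumes 3 bytes per pixel (RGB), which the writeup does not state; the dimensions and the blob below are constructed stand-ins for the challenge file.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def find_png_offset(blob):
    """Offset of the appended PNG's signature, or -1 if there is none."""
    return blob.find(PNG_SIG)


def carve_raw_rgb(blob, width, height):
    """Return the first width*height RGB pixels of blob as a binary PPM (P6).

    Assumes 3 bytes per pixel. A wrong guess at the dimensions that would run
    into the appended PNG (or past the end of the file) raises instead of
    silently producing a skewed image.
    """
    need = width * height * 3
    png_at = find_png_offset(blob)
    limit = png_at if png_at >= 0 else len(blob)
    if need > limit:
        raise ValueError(
            f"{width}x{height} RGB needs {need} bytes but only {limit} "
            f"precede the PNG / end of file"
        )
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + blob[:need]


# Constructed 2x2 RGB bitmap followed by a fake PNG tail, standing in for the
# challenge file (pixel rows first, PNG appended at the end).
PIXELS = bytes([255, 0, 0, 0, 255, 0,
                0, 0, 255, 255, 255, 255])
SAMPLE_BLOB = PIXELS + PNG_SIG + b"\0" * 16

if __name__ == "__main__":
    with open("carved.ppm", "wb") as f:
        f.write(carve_raw_rgb(SAMPLE_BLOB, 2, 2))
```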
Getit (rev 50)
You are given an executable that writes the flag to /tmp/flag.txt. However, it removes the file at the end and overwrites it with fprintf, so filling those spots with nops yields the correct flag.
SharifCTF{b70c59275fcfa8aebf2d5911223c6589}
Guess (pwn 50)
There is a format string bug, so I just read out as much as I could with %p.
One spot looked like it might hold an interesting string, and reading it turned out to be the flag.
0x5443666972616853 0x3832346435617b46 0x6237636363323336 0x6136633735336466 0x3561383761383231
>>> def get_text(t):
...     t = t.replace("0x", "")
...     ts = [t[i:i+2] for i in range(0, len(t), 2)]
...     tss = [chr(int(i, 16)) for i in ts]
...     return reversed(tss)
...
>>> l = []
>>> l += get_text("0x5443666972616853")
>>> l += get_text("0x3832346435617b46")
>>> l += get_text("0x6237636363323336")
>>> l += get_text("0x6136633735336466")
>>> l += get_text("0x3561383761383231")
>>> "".join(l)
'SharifCTF{a5d428632ccc7bfd357c6a128a78a5'
>>>
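As an added example that is not part of the original writeup, the same decoding done with struct instead of string slicing: each leaked value is packed as a little-endian 64-bit word, which restores the byte order and also handles words that %p printed with fewer than 16 hex digits (leading zero bytes would otherwise shift every later character).

```python
import struct

# The leaked %p values from the writeup, in stack order.
LEAKED = [
    "0x5443666972616853",
    "0x3832346435617b46",
    "0x6237636363323336",
    "0x6136633735336466",
    "0x3561383761383231",
]


def words_to_text(words):
    """Reassemble the string spelled by a list of leaked 64-bit stack words.

    %p prints each word as a hex integer, most significant digit first, but the
    characters were stored little-endian, so the last two hex digits are the
    first character. Packing with "<Q" reverses the byte order and also pads
    back the leading zero bytes that %p drops (a word holding only "}" prints
    as 0x7d, not 0x000000000000007d).
    """
    raw = b"".join(struct.pack("<Q", int(w, 16)) for w in words)
    # Trailing NULs belong to the last word's padding, not to the string.
    return raw.rstrip(b"\0").decode("ascii", errors="replace")


if __name__ == "__main__":
    print(words_to_text(LEAKED))
```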
Thoughts
I am still at the stage where I can only solve the "just do the obvious thing" problems.