satto1237’s diary

s4tt01237’s diary

Ramen, CTF, security, and so on

peaCTF 2019 Round 1 Write-up

Introduction

I participated solo in peaCTF Round 1, held from 2019/07/22 to 2019/07/28.

Result

I placed 150th (out of 540 teams).


General Skills

Worth - Points: 50

This problem is worth 0o1454 points.

Approach: Octal to Decimal

flag{peactf_812}

Hide and Seek - Points: 100

Try to find to the flag file located somewhere in the folders located in: /problems/hide-and-seek_28_e5e549870631c4a82efc93c0630570bf

Approach: grep

Looking into the specified folder shows that it contains many folders, so I search for the flag with grep.

satto1237@peactf-2019-shell-1:/problems/hide-and-seek_28_e5e549870631c4a82efc93c0630570bf$ ls
00ef4680df9a09b9377b8bc4911f023c  6a607e806de3a71f198d0a5289777b1f  c9fe31d8b0acfd94ed33171a0a5dc2ff
0256e6db0ed0c52181d2b5aebb926ca4  72fa69a14478147c0e7072f0da6022aa  cccdf9025e805f3dc4c142d6381703f9
0406278c5efdb169c5ee6039fbf4d5ae  75a736c898dfe0b64f72d3559473020a  d029da976887fa3ac47aea412b6a77f4
0bf553aaf44527d74074ed7231f5244b  78e6723e7dbbf03ce74d54191827f72a  d16cafd2033bc29c22b941ed82a1143d
0c016d7eaf9b7308492db63bfb1abc31  7a801ff27ab8e667746dc0179f4a1ce2  d6705198476c85fdc0c7685ac7a2f80e
0dd0453f32c0ebf7daf98e2359788af8  7c4e713381579bd9903ebd94a2ec1581  d7a373b7b05197d349c623d43da627ca
0e9ef8e2015ed4c9f53fa1780408e44e  7d45526b8fba594307a8a2e5b4464b2b  d7ca477c142000738976440516230a0e
0fd396bf5aab7dcb688b5484629f6ba8  83a25df132f835cb7ef3e384229655a6  dad3db94141109304b14c74e6171f7ab
15960169b784e48392d75587d87c2d63  83fee6b9c2fda47a050575071648f80b  dc30b7b52bc225d4b5273b4003a94e06
254ab5d75a8f09eaaaef016e0e583114  90b3b954693a878d1b1bc94dc4fd6a91  dd306d2db6d7854d4b7bf7be8a8f1d9e
2909a9c58d591e93021cd92a2d45c474  91443f0e7a5138cd0615e52ae4d89eb9  dd83aa9de84b5c8c8f0c0154dd8f18d5
2b25601046d1933091792dbff4236c42  9852f47d4c8f59c449f634c2de28976a  dd86f67181f61d14a7b43df0dc6f9229
2ed1d0e8640b9ed69d7fe0147068336e  9b625797a48b1deb8c2c2c7900c7e408  df19ef43cb627647ba062a4595b2a02b
35b3e6a103a2f515e189a29a2b227dea  a59cd36eb28c32e3fcdb509a90a6cceb  e1cccc142e54daa1b9c944e5b2a880c2
39c2946318f9884d714e74b6d64d450b  ac61d7f5e1c299c3b66053b52edb809e  e37372a1c26223c1a6d18cf5a1c9f8fe
415610d493e787945ad043eed69d3465  ac97be330db79788553b0e2b8cc3fbdc  ec9645d1bd751b57060f898b17257f96
43160c0249b4c011c15c1672562f58fc  af5f662b9069469491f2debb2d1b61bf  edd55758a50a426d9475e44b2a978987
44e49f811c02977719558b1503ce14d7  b0a0feb496e970cce94a254ed92444e0  ee7550d9294ac336eee66dd7f56d93df
4724ab2b151532286824d17166538e9f  b3c3c9f7659fe6341b9ba444bda6bcc9  ef5a0bb515d66c33481769dac6a42b7a
536a4861fb7801ee2b607fdbfe84bf5d  baacfcb9759ff86d548c70882bbb3fc8  f1bcf77f7d06c3acfc816ef7532010f8
5b03c379589439356689e18a5b4c6ce7  c2646431e0c6f5bbb0d9f99ad97467b9  f28f001ac87becef906218f6fcd3c6bc
6036e1656c0b0b36adc414f7f4367235  c47187be680f4e3347ca2c87cc97f0a9  f3ed13c57a1903313d8f29efb678fcc5
61d1e7d000523d81101d745ac04c6e4a  c5a46882b4620e5f9139b0209779908f  f9836b210710ed0525abb626e99da3a2

satto1237@peactf-2019-shell-1:/problems/hide-and-seek_28_e5e549870631c4a82efc93c0630570bf$ grep -r flag ./      
./c9fe31d8b0acfd94ed33171a0a5dc2ff/3361b9c2b222aa9f81186d5b36f82032/7ebd790c6e8eb1dbd1dcf1b244c589bf/5b073431762e613fe1a80b7fa479106a/31f3e448c58e17f225e21591b6170f88/flag.txt:flag{peactf_linux_is_fun_21e61d463e005e9bbc6aa1a208f74ed7}

flag{peactf_linux_is_fun_21e61d463e005e9bbc6aa1a208f74ed7}

Cryptography

Breakfast - Points: 50

Mmm I ate some nice bacon and eggs this morning. Find out what else I had for an easy flag. Don’t forget to capitalize CTF!

011100010000000000101001000101{00100001100011010100000000010100101010100010010001}

Approach: Baconian Cipher

www.dcode.fr

011100010000000000101001000101 -> PEACTF
00100001100011010100000000010100101010100010010001 -> EGGWAFFLES

Don’t forget to capitalize CTF!

peaCTF{eggwaffles}
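
The decoding done with dcode.fr above, as an added example that is not part of the original write-up. Bacon's cipher has a 24-letter variant (I/J and U/V share a code) and a 26-letter variant, and only the 24-letter one produces the expected PEACTF prefix for this challenge string; the function names are my own.

```python
import re

# Two common Baconian alphabets (five bits per letter).
ALPHA_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"    # classic: I/J and U/V share a code
ALPHA_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # modern: one code per letter

# Challenge string copied from the problem statement above.
CHALLENGE = ("011100010000000000101001000101"
             "{00100001100011010100000000010100101010100010010001}")


def bacon_decode(bits, alphabet=ALPHA_24):
    """Decode a run of 0/1 characters, five bits per letter."""
    if len(bits) % 5:
        raise ValueError("bit count is not a multiple of 5")
    out = []
    for i in range(0, len(bits), 5):
        idx = int(bits[i:i + 5], 2)
        # Codes past the end of the alphabet are invalid in that variant.
        out.append(alphabet[idx] if idx < len(alphabet) else "?")
    return "".join(out)


def decode_challenge(text, alphabet=ALPHA_24):
    """Decode every run of bits in text; braces and other characters are kept."""
    return re.sub(r"[01]+", lambda m: bacon_decode(m.group(), alphabet), text)


def to_flag(decoded):
    """Apply the hint from the problem: lowercase everything except 'CTF'."""
    return decoded.lower().replace("peactf", "peaCTF", 1)


if __name__ == "__main__":
    for name, alpha in (("24-letter", ALPHA_24), ("26-letter", ALPHA_26)):
        print(name, decode_challenge(CHALLENGE, alpha))
    print(to_flag(decode_challenge(CHALLENGE)))
```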

Broken Keyboard - Points: 50

Help! My keyboard only types numbers!

112 101 97 67 84 70 123 52 115 99 49 49 105 115 99 48 48 108 125

Approach: Decimal to ASCII

#!/usr/bin/env python
# -*- coding: utf-8 -*-

enc = [112, 101, 97, 67, 84, 70, 123, 52, 115, 99, 49, 49, 105, 115, 99, 48, 48, 108, 125]
flag = ''.join(list(map(chr, enc)))
print(flag)

peaCTF{4sc11isc00l}

School - Points: 100

My regular teacher was out sick so we had a substitute today.

Alphabet: WCGPSUHRAQYKFDLZOJNXMVEBTI
zswGXU{ljwdhsqmags}

Approach: Substitution cipher

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import string

upp = string.ascii_uppercase
low = string.ascii_lowercase
sub = 'WCGPSUHRAQYKFDLZOJNXMVEBTI'
enc = 'zswGXU{ljwdhsqmags}'
flag = ''

for x in enc:
    if x in upp:
        flag += upp[sub.find(x)]
    elif x in low:
        flag += low[sub.find(chr(ord(x) - 32))]
    else:
        flag += x

print(flag)

peaCTF{orangejuice}

Crack the Key - Points: 450

On one of my frequent walks through the woods, I stumbled upon this old French scroll with the title "le chiffre indéchiffrable." Remember to submit as peaCTF{plaintext_key}.


Approach: Vigenere Cipher

I use a Vigenere Solver to search for the key.


peaCTF{redpineapples}

RSA - Points: 500

Can you help Bob retrieve the two messages for a flag?

Encrypted channel:
n = 165481207658568424313022356820498512502867488746572300093793
e = 65537
c = 150635433712900935381157860417761227624682377134647578768653
Authenticated (unhashed) channel:
n = 59883006898206291499785811163190956754007806709157091648869
e = 65537
c = 23731413167627600089782741107678182917228038671345300608183

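Approach: encryption with the public key + encryption with the private key

enc_channel is encrypted with the public key (ordinary RSA encryption), while auth_channel is encrypted with the private key (a digital signature). Therefore, enc_channel is decrypted with the private key, and auth_channel is decrypted with the public key.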

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from Crypto.Util.number import inverse, long_to_bytes

e = 0x10001

# enc_channel: ordinary RSA encryption, so decrypt with the private exponent d_1
# p_1 and q_1 are the prime factors of the enc_channel modulus n
p_1 = 404796306518120759733507156677
q_1 = 408801179738927870766525808109
n_1 = p_1 * q_1
c_1 = 150635433712900935381157860417761227624682377134647578768653
phi_1 = (p_1 - 1) * (q_1 - 1)
d_1 = inverse(e, phi_1)
m_1 = pow(c_1, d_1, n_1)
print(long_to_bytes(m_1))


# auth_channel: the value was produced with the private key, so apply the public exponent e
n_2 = 59883006898206291499785811163190956754007806709157091648869
c_2 = 23731413167627600089782741107678182917228038671345300608183
m_2 = pow(c_2, e, n_2)
print(long_to_bytes(m_2))

# flag
print(long_to_bytes(m_1) + long_to_bytes(m_2))

> python solve.py
b'peaCTF{f4ct0r'
b'1ng1sfun}'
b'peaCTF{f4ct0r1ng1sfun}'

peaCTF{f4ct0r1ng1sfun}
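
The two channel roles described above, as an added example that is not part of the original write-up: an unhashed signature hands the message to anyone holding the public key, while a hash-then-sign value only lets them check a message they already have. It reuses the factors p_1 and q_1 from the script above as one toy key; the messages are constructed, the function names are my own, and reducing SHA-256 modulo n is a simplification for illustration, not a real padding scheme.

```python
import hashlib

# Toy key built from the factors used in the solve script above.
P = 404796306518120759733507156677
Q = 408801179738927870766525808109
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def to_int(data):
    return int.from_bytes(data, "big")


def to_bytes(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def encrypt(msg):
    """Encrypted channel: anyone computes c = m^e mod n."""
    return pow(to_int(msg), E, N)


def decrypt(cipher):
    """Only the key owner can compute m = c^d mod n."""
    return to_bytes(pow(cipher, D, N))


def sign_raw(msg):
    """Unhashed signature: s = m^d mod n, applied to the message itself."""
    return pow(to_int(msg), D, N)


def recover_from_raw(sig):
    """Anyone with (n, e) turns an unhashed signature back into the message."""
    return to_bytes(pow(sig, E, N))


def digest(msg):
    """Assumption for this toy key: SHA-256 reduced modulo n."""
    return to_int(hashlib.sha256(msg).digest()) % N


def sign_hashed(msg):
    return pow(digest(msg), D, N)


def verify_hashed(msg, sig):
    """Verification needs the message; the signature alone does not reveal it."""
    return pow(sig, E, N) == digest(msg)
```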

Forensics

Choose your Pokemon - Points: 150

Just a simple type of recursive function.

Approach: rar -> zip -> pdf -> rtf

> file master-ball
master-ball: RAR archive data, v5
> file roshambo
roshambo: Zip archive data, at least v2.0 to extract


pastebin.com


{wild_type}

We are E.xtr - Points: 350

E.xtr

Approach: Rewrite the file signature

> file E.xtr
E.xtr: data
89 58 54 52 -> 89 50 4E 47


{read_banned_it}
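
A check for the signature repair described above, as an added example that is not part of the original write-up: before overwriting the first bytes, it confirms that the rest of the file parses as a PNG chunk stream with valid CRCs. It assumes only the 8-byte signature was altered; the sample image is constructed in the code and the function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type + data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def make_png():
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def damaged_sample():
    """Constructed input starting with the bytes from the write-up: 89 58 54 52."""
    return b"\x89XTR" + make_png()[4:]


def walk_chunks(data):
    """Return [(type, crc_ok), ...] for the chunks after the 8-byte signature."""
    found, offset = [], 8
    while offset + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        end = offset + 8 + length
        if end + 4 > len(data):
            break  # truncated, or not a chunk stream at all
        (crc,) = struct.unpack(">I", data[end:end + 4])
        found.append((ctype, crc == zlib.crc32(data[offset + 4:end])))
        offset = end + 4
    return found


def repair_signature(data):
    """Restore the PNG signature only if the body is a valid PNG chunk stream."""
    chunks = walk_chunks(data)
    body_ok = (len(chunks) >= 2 and chunks[0][0] == b"IHDR"
               and chunks[-1][0] == b"IEND" and all(ok for _, ok in chunks))
    if not body_ok:
        raise ValueError("chunk stream is not valid PNG; file left untouched")
    return PNG_SIG + data[8:]
```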

The Wonderful Wizard - Points: 750

TheWonderfulWizard.png


Approach: stegsolve


#!/usr/bin/env python
# -*- coding: utf-8 -*-

from Crypto.Util.number import *

msg = 0x666c61677b7065616374665f77686572655f7468655f77696e645f626c6f77737d
print(long_to_bytes(msg))

> python solve.py
b'flag{peactf_where_the_wind_blows}'

Reversing

Coffee Time - Points: 250

Run this jar executable in a virtual machine and see what happens.

> file coffeetime.jar
coffeetime.jar: Java archive data (JAR)

Approach: decompile

I decompile it with JD-GUI.


peaCTF{nice_cup_of_coffee}

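Summary

  • Quite a few teams solved everything, yet I couldn't solve 3 problems, which was tough…
  • I couldn't solve the Web problems, so I'll study (I say this every time)
  • I'd like to solve Crypto problems that are neither too hard nor too easy~~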