omakase として参加した。最終的に獲得できたポイントは 1010 点でチーム順位は 52 位 (参加 654 チーム中) だった。
の 9 問を解いた。
flag: 0ctf{enjoyyourgame}
x1,y1,z1;x2,y2,z2;x3,y3,z3\n みたいな感じの文字列が延々と続く<!doctype html>
<title>x-y-z</title>
<h1>x-y-z</h1>
<script src="three.min.js"></script>
<script>
function main(t) {
var w = 640, h = 480;
var camera = new THREE.PerspectiveCamera(75, w / h, 1, 50);
camera.position.set(4.13, -7.75, 2.91);
camera.rotation.set(1.28, 0.56, 0.05);
var scene = new THREE.Scene();
t = t.split('\n');
var material = new THREE.MeshBasicMaterial({ color: 0xffffff });
for (var i = 0; i < t.length; i++) {
var s = t[i].split(';');
var geometry = new THREE.Geometry();
s.forEach(function (p) {
p = p.split(',').map(function (n) {
return Number(n);
});
geometry.vertices.push(new THREE.Vector3(p[0], p[1], p[2]));
});
geometry.faces.push(new THREE.Face3(0, 1, 2));
scene.add(new THREE.Mesh(geometry, material));
}
var renderer = new THREE.WebGLRenderer();
renderer.setSize(w, h);
document.body.appendChild(renderer.domElement);
renderer.render(scene, camera);
}
var xhr = new XMLHttpRequest();
xhr.open('GET', 'x-y-z.txt');
xhr.addEventListener('readystatechange', function () {
if (xhr.readyState !== xhr.DONE) return;
if (xhr.status !== 200) return;
main(xhr.responseText);
});
xhr.send();
</script>
flag: 0ctf{0ur_Flag_L00ks_Great_in_Three_D}
flag: 0ctf{Rec0ver_Me_Piece_by_Piece}
import socket
s = socket.create_connection(('202.112.26.114', 12321), 3)
s.settimeout(3)
print('[+]', s.recv(1024))
s.send(b'\0')
print('[+]', s.recv(1024))
print('[+]', s.recv(1024))
print('[+]', s.recv(1024))
s.close()
flag: 0ctf{The very moment of raising beginner's mind is the accomplishment of true awakening itself}
<input type="button" onclick='javascript:post("/modify",{"password":encrypt(document.getElementById("password").value)})' value="Modify"> という部分があるので encrypt = function (s) { return s; }; で encrypt() を潰す', email = (select flag from flag) || ' でフラッグを出すflag: 0CTF{R0t_?_S8rRy_1_doNt_N}
flag: 0CTF{eNj0y_geography_l0v3_7hE_w0lRd}
// com/ctf/vezel/MainActivity.class
private String getCrc() {
String s;
s = String.valueOf((new ZipFile(getApplicationContext().getPackageCodePath())).getEntry("classes.dex").getCrc());
return s;
}
private int getSig(String s) {
PackageManager packagemanager = getPackageManager();
int i;
i = packagemanager.getPackageInfo(s, 64).signatures[0].toCharsString().hashCode();
return i;
}
public void confirm(View view) {
String s = String.valueOf(getSig(getPackageName()));
String s1 = getCrc();
if((new StringBuilder()).append("0CTF{").append(s).append(s1).append("}").toString().equals(et.getText().toString())) {
…
}
}
int String getCrc() の方を Python で求めてみるfrom zipfile import ZipFile
print('[+] CRC:', ZipFile('vezel.apk').getinfo('classes.dex').CRC) # [+] CRC: 1189242199
int getSig(String s) の方も求めてみるcerts[i].hashCode() を String.valueOf(toChars(certs[i].getEncoded())).hashCode() に置き換えておく$ java Main vezel.apk
...
Hash code: -183971537
...
flag: 0CTF{-1839715371189242199}
strings ... | grep 0ctf{ でフラッグが出てくるflag: 0ctf{It's_More_Than_Meets_The_Eye!}
nslookup -type=aaaa treasure.ctf.0ops.sjtu.cn すると treasure.ctf.0ops.sjtu.cn has AAAA address 2001:470:d:b28::40:1traceroute6 -m 100 2001:470:d:b28::40:1 する、しばらく待つと QR コードっぽい名前が出てくるので読み込むflag: 0CTF{Reverse DNS is so FUN!}